New threats on the computer security front

It seams that month does not go by without another security threat or risk. This look at the threats and opportunities created by big data [Hattip to techcrunch] are with looking at.

We live in an exciting time, but unfortunately in the case of security, that is a double-edged sword. New technologies present new opportunities for criminals. We are optimistic that great new companies are emerging to rise to the challenge.

The old methods of identifying signatures based on simple actions or software is no longer as effective. As potential security breaches can occur over a long period of time from multiple sources. So applying behavioural analytics becomes important, but this needs data captured over an extended time to analyse the potential risks.

This is where big data steps in because it can produce security insights, identify how a breach occurred, and what the consequences are by tracing all the IT assets regardless of physical location. This allows a greater emphasis to be placed on finding solutions, instead of problems

All of this tracking of data in the name of security does lead to privacy issues for employees of the individual business, and larger questions about where this data tracking should end.

iOS/Mac threats

For the iFanatics out there. Malware Discovered In China Could Herald ‘New Era’ Of iOS And Mac Threats. It has just been a matter of time, before malware creators focus there attention on the apple ecosystem. For a long time Windows machines have been the best targets because of the numbers who use them (Windows is about 90%) without a real understanding of how to safely use it. For comparison Android and iOS devices are about 45% each.

Messaging Apps

It seams that the areas of privacy and security now overlap with companies looking for big data opportunities. Hat tips to TechCrunch and LifeHacker for the Secure Messaging Scorecard study by the Electronic Frontier Foundation. it asks some simple questions to interrogate the functionality of the various messaging apps out there.

  1. Encrypted in transit?
  2. Encrypted so the provider can’t read it?
  3. Can you verify contacts’ identities?
  4. Are past comms secure if your keys are stolen?
  5. Is the code open to independent review?
  6. Is security design properly documented?
  7. Has the code been audited?

The last three of allowing independent review, proper documentation, and auditing of the code make it less likely for problems like Heartbleed or Shellshock to go unnoticed. A story I remember from the early 2000s was Microsoft’s encryption, which was broken a few days the code was released. This demonstrates a weakness in all encryption forms, excluding one time message pads, and they serious need for more than a few people to consider important computer code. To paraphrase Linus’s Law, “with enough eyes all bugs are shallow“.

Here are all the messaging apps that tick the seven boxes, which does not mean they are secure but it does show they are going the right direction;

And finally a word about passwords

Please change them from the default. The following, Insecam Displays Unsecured Webcams From Around The World, shows the risks of not doing so and it also breaks some of the basic no’s of security, computer or otherwise.

The year of security flaws

It really is the year for big bugs in code!

First there was the heart-bleed exploit in the OpenSSL code, which allows the mining of sensitive data from the memory of remote servers. It is most commonly used in eCommerce circles to ensure encrypted (ie safe) transmission of financial records between computers, like when you buy something.  It has been around for at least 2 years before being discovered. It also now seams to have it’s own website, heartbleed.com

Then there was the shellshock flaw in the BASH shell, which allows the execution of arbitrary code, and had been around since 1989. It was discovered on the 12th of September, with fixes been released by Apple on the 29th of September, and Florian’s patch been confoirmed by Zalewski on the 1st of October.

And now there is bug in PowerPoint (See TechCrunch’s blog), which allows full control of the Windows machine by a PowerPoint document when opened!