September 2010 Archives

Google Android apps found to be sharing data


Here's an interesting story that has recently emerged.

It's great to see some useful research into privacy issues and mobile phone applications. By "tainting" private data, researchers were able to see exactly what happened to that data once it left the confines of a user's mobile phone. Unsurprisingly, two thirds of the applications studied used private data suspiciously, be it the SIM card serial number, the phone number or the device ID.

When users install these apps they are informed that their personal information may be accessed, but I wonder how many realise the wealth of information an application can get hold of? Because of the personal nature of mobile phones, which most of us carry all day and every day, unscrupulous applications are capable of getting at some of our most private data. This data is far richer than most because it carries important context such as the user's location, a really valuable commodity to advertisers wanting to target their wares.

My real concern is the bad guys. The blanket permissions a user grants on installing an app can give carte blanche to malware and spyware providers to collect as much private data as they want, under the protective nicety of a simplistic warning from the operating system.

The obvious advice is to warn users to be very careful about which applications they download, but we cannot expect users to reverse engineer each application looking for security and privacy issues before installing it. A better solution would be for app store providers to "rinse" each application through an automated code security test (such as the one provided by the folks at Veracode) to seek out problems before the software is published, giving users a better degree of reassurance that the apps they download are safer.

At least then we could believe an app store provider when they say they are trying to protect users.

Nigel Stanley
Practice Leader - Security
Bloor Research

Email archiving in the cloud webinar


Emails are essential business records and today form the bulk of the communications an organisation has internally and with business partners and customers. They, along with their attachments, can contain a goldmine of information, and it is vital that those records are kept securely and in a form from which they can easily be retrieved for all manner of purposes. Any organisation can become involved in an internal or external dispute for which email records are demanded as evidence, and many regulations require that business records be kept securely for varying periods of time.

Email archiving systems were originally designed with the needs of large organisations in mind and were often tailored to specific industries, financial services in particular. Today, that has changed. New cloud-based delivery models have changed the economics of the technology and suit the needs of any organisation, from microfirms to large multinationals. Such services are discussed in this paper from Bloor Research (The need for email archiving) and will be the subject of an upcoming webinar in conjunction with Webroot, a provider of email and web security technology products and services, on 28th September 2010 at 10am UK time. Click here to register: Email archiving in the cloud.

Application Code Security


Software development managers and information security professionals need to act now to address the security of the software they write, purchase or co-opt into their solutions.

Failing to act due to lack of a pragmatic and cost-effective solution is no longer excusable.

If you are interested in finding out more about application code security then I will be running a webinar on 16th September in conjunction with Veracode. Details here.

The next-generation secure internet


The internet was designed to be easy to use. As its use expanded rapidly, what was needed was a scalable system for associating an internet host's name with its IP address, and so the domain name system (DNS) was developed. DNS is sometimes referred to as the phone directory of the internet, acting as a lookup service that ensures emails are sent to the correct server and mailbox and that website requests reach the real address. At a technical level, computers work with binary identifiers to locate and address resources, but strings of numbers are difficult for humans to remember. DNS was therefore invented to translate between numerical identifiers and domain names that are meaningful to humans, associating those names with IP (internet protocol) addresses. For example, without DNS, a user would have to remember and type in "" in order to reach the popular web search engine Google.

When DNS was invented, security was not considered an overriding concern; ease of use was the priority, and DNS achieved that so well that it is credited with enabling the widespread growth of the internet. However, it has long been known to have a number of security issues. Among these vulnerabilities is cache poisoning, which allows an attacker to impersonate a real DNS server and insert a rogue IP address that takes users to a spoofed website. That in turn can lead to identity theft, malware distribution and the dissemination of false information, any of which can harm the brand of the organisation whose web presence has been hijacked.

To counter these known security issues, the DNS Security Extensions (DNSSEC) were developed: a suite of extensions that uses digital signatures to authenticate the origin of DNS records and to provide assurance of their integrity. DNSSEC is nothing new; in fact, it was developed around 12 years ago, but it has not yet been widely deployed. DNS works as a hierarchy, at the top of which are 13 root servers spread throughout the world. These root servers are the name servers that answer requests from the other authoritative name servers further down the hierarchy. As such, they are critical, because they are the first step in translating human-readable names into IP addresses.

One of the key reasons holding up deployment of DNSSEC is that it depends on digital signatures and certificates. Only once the name servers have been digitally signed can their responses be trusted. At the apex of the DNS hierarchy, the root servers themselves needed to be signed, and that only happened in July 2010. Until then there was a chicken-and-egg situation: why would anyone deploy DNSSEC when there were no signed servers against which to validate responses?

Now that this situation has been resolved, and top-level domains such as .org and .com, which form the next level down the hierarchy, are being signed, DNSSEC is ready for prime time. Now is the time for organisations to implement DNSSEC themselves. Doing so will allow them to safeguard their valuable web presence and guard against the financial and brand impact of having their website hijacked by attackers.
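
As an added illustration, not part of the original post, the Go model below shows why signing the root mattered: a validating resolver starts from a root trust anchor, checks each delegation's DS digest against the child zone's key, and only then verifies the signature over the answer. Real DNSSEC uses DNSKEY, DS and RRSIG records over canonically encoded RRsets; here the zone names, the "www.example.org." record and the Ed25519 keys are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is an illustrative model of one DNSSEC-signed zone (not a real resolver).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey // stands in for the zone's public DNSKEY
	priv ed25519.PrivateKey
	DS   map[string][]byte // child zone name -> DS digest published for that child
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Pub: pub, priv: priv, DS: map[string][]byte{}}
}

// dsDigest plays the role of a DS record: a hash of the child's key that the parent publishes.
func dsDigest(z *Zone) []byte { h := sha256.Sum256(append([]byte(z.Name+"|"), z.Pub...)); return h[:] }

// Sign produces the RRSIG for a record such as "www.example.org. A 192.0.2.10".
func (z *Zone) Sign(record string) []byte { return ed25519.Sign(z.priv, []byte(record)) }

// Validate walks from the trust anchor through each DS/DNSKEY link, then checks the RRSIG.
func Validate(anchor *Zone, path []*Zone, record string, sig []byte) error {
	parent := anchor
	for _, child := range path {
		if ds, ok := parent.DS[child.Name]; !ok || string(ds) != string(dsDigest(child)) {
			return fmt.Errorf("no matching DS for %s in %s: chain of trust broken", child.Name, parent.Name)
		}
		parent = child
	}
	if !ed25519.Verify(parent.Pub, []byte(record), sig) {
		return fmt.Errorf("RRSIG over %q does not verify: forged or altered answer", record)
	}
	return nil
}

func main() {
	root, org, example := NewZone("."), NewZone("org."), NewZone("example.org.")
	root.DS[org.Name], org.DS[example.Name] = dsDigest(org), dsDigest(example) // parents publish DS
	sig := example.Sign("www.example.org. A 192.0.2.10") // constructed sample answer
	fmt.Println("genuine:", Validate(root, []*Zone{org, example}, "www.example.org. A 192.0.2.10", sig))
	fmt.Println("forged: ", Validate(root, []*Zone{org, example}, "www.example.org. A 198.51.100.7", sig))
}
```

A resolver given a different root as its anchor, or a zone whose key was never delegated to, fails the DS check before any signature is even examined, which is the chicken-and-egg problem the post describes.
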
Join F5 Networks and Bloor Research for a webinar at 3pm UK time on 23rd September 2010 that discusses these issues and the benefits organisations will see from deploying DNSSEC to make the internet a safer, more secure place than it is now. Click here to register: The next-generation secure internet.
