Security

Is the NSA Spying On You? They Might Be…

With all the news lately about the NSA using everything from Angry Birds, to your Xbox, to your Yahoo! accounts, you may be concerned that the NSA or someone else is spying on you and your data. Unfortunately, unless you are using the right security tools to monitor what’s happening on your computer or phone, you may never know. Any data you store in the Cloud or interact with in the Cloud can also be used to spy on you.

The best way to protect yourself from prying eyes is to use inbound and outbound monitoring software on your computer to see who or what is connecting to your computer and to see what your computer is sending back out to the Internet. On the Mac we like to use Little Snitch, and on our Windows PCs we use Zone Alarm or NetLimiter. As far as personal or private data you have in the Cloud, there isn’t really much you can do about that, because the Cloud provider or service provider where your data is hosted can provide access to organizations with the right credentials who want your data. On your game console or phone things become much more complicated, as you’ll have to use some very specialized software and tools to monitor them. We’ll cover more tools for phones and game consoles in another article.


Apple Security Issues Continue With New iOS 7 Flaws

Apple really needs some help with security testing as part of its release cycle for new software. In particular, iOS 7 flaws continue to show up that should have been caught prior to release. The latest issue is that anyone can bypass the iPhone’s lockscreen to hijack photos, email, or Twitter. Also, there’s a bounty for hackers to crack the fingerprint “Touch ID”. Some security analysts claim that this will be a near impossible feat, but my money is on the hackers.

So, why do we hear of so many instances where a company, often a large one, has released a new product or service that has gone through their QA team only to have the public and their customers find some serious security issues and bugs? Well, it’s partly the “see the forest for the trees” issue that’s at the heart of the problem. You and your team are often too close to your products to formulate enough of a unique perspective. You see, no matter how sophisticated your team, the processes you have in place, the tools you use, and the test cases you use, you are still limited and myopic to a certain degree by those same sets of tools, processes, and people. Whatever your QA process is, it will still be dictated by the definition of that very process. If that process has a flaw in it, then chances are good you’ll release software that your customers will find issues with.

So, what can you do to increase your odds of finding issues in-house before your software leaves the lab? Secondary QA testing by a professional software quality assurance company will help. This means bringing into your release process a separate QA team that employs different processes than the ones you use, that isn’t as familiar with your product or service as you are, and that is not already “tainted” with how it should work, look, and feel. Our company, QuadrixIT, is often used by other software development firms to bring a fresh look and fresh test perspective to supplement their in-house test teams and processes. More times than not we’re able to report back to our clients new bugs in functionality, feel, and security that they completely missed.

Some companies further try to reduce bugs by implementing a beta test cycle where they have some of their customers test their software after their QA team has completed testing or near the tail-end of the development cycle. While this should certainly be standard protocol, beta testing does not replace the expertise of having a secondary QA team employ their own test processes, tools, and methodologies. If you can utilize a secondary QA team that uses completely different test methodologies (albeit some form of accepted QA processes) than what your team uses, you’ll be that much more assured that those fresh eyes will find issues that your team may not have caught.

Apple and other companies can try to keep the QA team and the development team separate enough from each other to emulate this “freshness”, but in practice that doesn’t work well in the corporate world. Corporate process often dictates that the model is usually one of a shared expertise so that resources can be cross-utilized between teams to meet project timelines and release/development cycles. This close-team integration might be positive for product design and sharing of tools, etc. but it is a sure way to corrupt that fresh perspective when testing. Apple certainly could have benefited by having a secondary QA team review iOS 7, potentially finding these flaws prior to release.


Can the Next Edward Snowden Be Stopped?

Whether you view Edward Snowden, the former CIA employee who blew the doors open at the ultra-secret NSA, as patriot or as spy, you can be assured that the CIA and NSA will take strong measures to put the lid back on how they do business.

The director of the NSA, Gen. Keith B. Alexander, says that his agency will institute a two-man rule, similar to what is used on submarines where both the commanding officer and executive officer must agree that the order to launch is valid. The idea is that it will take two people to gain access to server rooms and that System Administrators (SysAdmin) will be paired together when accessing sensitive intelligence. Also, access to data will be limited by not storing as much on a single server.

However, given the job of a SysAdmin, how will the two-man rule be implemented, and will it truly be effective? Many organizations protect their secrets by using ‘security by design’, where the software or systems have been designed from the ground up to be secure, or by ‘security through obscurity’, where secrecy of design or implementation provides the security.

Effective security is not just about the technology managing the secrets, but more importantly the management of the people who hold those secrets. The problem is that the role of SysAdmin is one of access to the systems and they are usually the ones who hold the keys to the kingdom. With a two-man authentication system the NSA will certainly undergo a slowdown in the amount of data they’ll be able to review since approvals for both the ingress and egress of that data and its systems must be done in tandem. Also, with the advent of even bigger Big Data and Cloud-based data solutions the problem becomes exponentially more difficult to manage.
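One way a two-person rule can be enforced in software, shown as an added example; it is not from the original article and does not describe any NSA system. The admin names, keys, and function names are hypothetical, and the sample requests are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed per-admin keys; a real deployment would keep each on a token the admin holds.
ADMIN_KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
APPROVAL_TTL = 300  # seconds an approval remains valid

def request_digest(requester, action, target):
    """Canonical digest that binds an approval to one exact request."""
    blob = json.dumps({"requester": requester, "action": action,
                       "target": target}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def sign_approval(approver, digest, issued_at):
    """Second admin's approval: a MAC over the request digest and a timestamp."""
    msg = f"{digest}|{issued_at}".encode()
    mac = hmac.new(ADMIN_KEYS[approver], msg, hashlib.sha256).hexdigest()
    return {"approver": approver, "issued_at": issued_at, "mac": mac}

def authorize(requester, action, target, approval, now=None):
    """Gate for a sensitive action. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    approver = approval.get("approver")
    if approver not in ADMIN_KEYS:
        return False, "unknown approver"
    if approver == requester:
        # One person acting in both roles defeats the rule.
        return False, "self-approval"
    issued_at = approval["issued_at"]
    if issued_at > now or now - issued_at > APPROVAL_TTL:
        return False, "approval outside validity window"
    # Recompute the MAC over *this* request so an approval cannot be
    # replayed for a different action, target, or requester.
    digest = request_digest(requester, action, target)
    expected = sign_approval(approver, digest, issued_at)["mac"]
    if not hmac.compare_digest(expected, approval["mac"]):
        return False, "approval does not match request"
    return True, "ok"
```

The gate holds every approver's key, so whoever administers the gate itself sits outside the rule.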

How can a SysAdmin, who by the nature of the job has access to enormous amounts of sensitive information, be regulated and controlled? To start, the NSA has said they’ll be cutting SysAdmins by 90% to limit data access. Gen. Alexander has said that “what we’ve done is we’ve put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing.” Using technology to automate the work done by employees and contractors would make the NSA’s networks “more defensible and more secure,” Gen. Alexander said at a cybersecurity conference in New York City.

Regardless of the security technologies implemented, security processes in place, and the systems to protect the release of those secrets, security will still boil down to the trust of the people who control those systems. What’s to stop a person who manages the NSA’s new control systems from releasing those secrets? Will the next Snowden be the person who manages those control systems or the person who wrote the software that manages those controls? Implementing the two-man rule, reducing the number of people with access, and bringing in new control systems will help the NSA, but it will come at a high cost in efficiency. The solution to not having another Snowden lies not only in the security processes put in place to protect the secrets, but in the simplest part of the equation: ensuring that the to-be-hired analyst undergoes more stringent interviews, background checks, and ongoing recertification upon hire. It turns out that Booz Allen Hamilton, the firm that hired Snowden as a subcontractor, had concerns when finding discrepancies in his resume, though they still hired him.

It used to be that when someone joined the military and applied for a secret or top secret clearance, not only would they be interviewed by the FBI and the hiring branch of service, but so would their friends, and their friends’ friends. That hiring and approval process was very exhaustive. A good start to avoiding another Snowden would be to tighten up the interview and background checking process. Having subcontracted firms be responsible for the approval process of hiring prospective NSA personnel is not the most effective method for weeding out poor candidates. All potential NSA personnel should go through extensive checks beyond what a subcontracted company can provide, and that responsibility should be given back exclusively to the government. Strength in security must start with the individual who is hired, and not rely only on the systems in place.

Joseph Gutwirth, Founder and CEO QuadrixIT