CISA and other Political gambits

Last week, the Office of Personnel Management revealed it had been hacked. The White House and FBI are wanting backdoors in encryption. The world of politics not only wants us to be spied upon, but less secure and then complains about being hacked.

The “fun” of a bill such as CISA is how vague they wind up being. It attempts to cast a huge net without much forethought of how that net can be abused. In the case of CISA, it can create less privacy. Researchers already do what they can to share vulnerabilities that they find, and still get ignore by the companies that have them. OPM hadn’t kept up on a basic security program, such as patching, multifactor authentication and auditing.

Wait, there is more. the FBI and White House are now complaining about encryption. you know the idea of securing communication and data so it is unreadable without the proper key? They want backdoors put into it. Now how is that going to help us? It doesn’t. In fact, I would guess that if a backdoor was put into encryption standards, it would take less than 48 hours for the hackers out there to find it and start exploiting it for their own ends.

Truth be told, politicians want to look like they are doing something about a variety of things without thinking of consequences. The authors of the Patriot Act have said over the years that it is not being used how they envisioned. We have laws on the table that criminalize behavior that is trivial (remember what Aaron Swartz was arrested for), and those laws give unproportional sentence guidelines. We have laws and reforms that have been presented that could make security researchers criminals. None of this really protects us. None of it makes logical sense. A criminal is not going to follow the law. Hackers in other countries are not subject to laws here in the U.S. Making research basically illegal at worst, or a gray area at best just opens up more holes for the criminals to use.

Unfortunately this is the case in this day and age. People don’t think things through. Politicians even more so, as they listen to lobbyists and staff members, without asking help from the real experts. We want a more secure society, and one that embraces privacy? We have to pressure our politicians from local to federal to listen to us and to think things through. Best intentions often go awry. they have to think of the worst use for the wording of laws they pass.

Android Security: Google or Carriers issue?

In the world of Android a couple of disturbing articles have come out recently. Google is no long patching 4.3 (Jellybean) and earlier versions. Also the amount of malware for Android increased by 75% last year. This begs, who is to receive blame on the vendor side?

We all know people do not patch apps. Maybe they don’t like “new” terms that come with the update (most terms are the same as the prior versions). A lot get not the best information. Patching is important, and we all know that. In the world of PC’s we all know about Patch Tuesday (Microsoft, Adobe), and know how long it can take Apple to patch flaws in OSX and iOS (which they completely control and is out of the carriers hands). So what about Android, the worlds most popular phone OS?

The announcement this week that Google is no long patching WebView for versions 4.3 and earlier started me thinking more about this. Yes, Google is “abandoning” 930 Million users. Yes, They come out with new versions of Android so fast that the OS is fractured all over the place. The question is though, is Google doing the right thing? I personally think so. The reasoning why places a bunch of blame on the carriers.

Outside of iOS (iPhone), the carriers control when consumers get updates to their Android (and Windows) phones. In the world of Android, Google announces a patch, update, new version, then it gets sent to the device manufacturers. They have to test against their hardware and customization that they have done to Android for their devices (the look and feel of the OS you see). Then it gets sent to the carriers (Verizon, AT&T, Sprint, etc.) where even more testing has to be done against the carriers modifications to the OS (special built in apps, their radios, any network lock downs or features such as tracking cookies). Basically once Google releases the new version/patch/update getting it onto most peoples phones is out of their hands, the exception being the Nexus devices which Google controls. The longer an update take to get out there, the more chance there is for a breach. The easier it also may be for malware to get on the phones, and could be a reason the amount of malware for Android increased by 75% last year.

So the question arises, why does it take so long to hit our phones. the obvious and simple answer to me is money. Why bother pushing patches and updates, let alone new versions of the OS to phones especially ones that are only a year or two old, when you can try to force people to get new hardware, and either extend or get new contracts to get the latest? Security as a Service you can almost think of it as, but not quite. Seriously, the carriers have a cash cow on their hands with Android and doing things this way. The lastest verion of iOS is out and works on phones that are years old. Apple has it available for those older phones through their updater, although some features may not work on the older phones, it is still available. I am by no means an Apple fan, but the control they have over their updates is what Google needs to have over Android. The carriers don’t care, and won’t unless they lose some major lawsuit because someone’s phone got hacked due to a security update not having been available for that model. When I tweeted to my carrier (Verizon) about this, they sent me a link to their “news” page which has no information on updates. I also tweeted them back as they asked about what I was looking for (latest Windows Phone update, Android Lollipop) for specific devices. Never heard back from them.

The bottom line on this, from my perspective, is that both Google and the carriers are to blame. Google is to blame, not for not patching, but for not controlling the push out of patches and updates to the OS, and the carriers for not pushing out updates and patches in a timely fashion. Until this gets resolved, Android is going to stay heavily fragmented, and security for everyday peoples phones is going to be shaky at best.

Can Infosec get ahead of the Blackhats?

It is described at times as an arms race. Information Security always seems to be behind the bad guys. Can this ever change?

We all know the routine by now. New exploit, new signatures, new patches, new updates, new exploits. Rinse, lather, and repeat. We hear of the next big thing to be adaptive. Heuristic scanning, signature scanning, IDS, IPS, all to mitigate the threats. We are always fighting the good fight from behind. Unfortunately, this will always be the case. Yes, we get faster, not as far behind, and better. Yes, we have people on our side actively looking for the latest exploits. It is a neck and neck race in this day and age, but the fact remains, the bad guys will always find something we haven’t. We do our best to mitigate. We know that people are the weakest link. We try to educate, but even the best education, following the best practices will not stop exploitable scenarios, be they human or code. Why? Because we are human and are flawed.

Now don’t think that I am all doom and gloom. We have made great strides forward, and will continue to do so. Truth be told though, their are only a few ways to even have a chance of truly stopping the situation, and they are either super extreme or extremely improbable.

First idea I have is to have, as was a tag line from the movie Sneakers, “No More Secrets.” If everyone from corporations, to governments were wide open about everything, then what is there left to steal? Just money which brings me to the second thought. Go back to the bartering system. This gets rid of the money issue, and actually makes sense. Trading goods and services for other goods and services. Now you don’t need credit cards, Money, bank accounts, etc… The other big one that gets brought up in my mind is of course getting rid of technology all together.

None of these ideas are practical of course, so we are back to the original thought here. Can we ever get ahead. More thank likely not, but we keep getting closer to being even. So keep training, keep educating others, and keep your wits about you. We are in for a bumpy ride.