ICYMI: NSA friendships, cloud concerns & Android flaws
This week's In Case You Missed It column looks at NSA friendships, concerns on the cloud and the latest flaw affecting Android users.
Global phone firm Gemalto confirms likely GCHQ and NSA attacks
NSA's unlikely friendship with Germany
The latest revelations from former CIA contractor Edward Snowden detailed how the NSA has been working with as many as 33 governments around the world to tap into their fibre optic cables, and gleen data from phone calls, internet messaging, VPNs and VoIP calls.
That's not too surprising in itself – it's widely-publicised that the agency has worked with the governments in the ‘Five Eyes' countries to share intelligence, and that the GCHQ advised European security agencies to tweak privacy laws to allow tapping. But the claim that Denmark and especially Germany are working with the NSA was more surprising.
The NSA, after all, hacked the phone of German Chancellor Angela Merkel, leading numerous officials from the country to call for a European internet and for the country to form part of a UN resolution to condemn the spying.
This news comes in the week where other leaked documents revealed the legal rationale used by GCHQ to underpin its snooping on Facebook, Google and Yahoo communications. Meanwhile, Labour MP Tom Watson, has submitted a motion to clampdown on the agency's surveillance powers.
Cheap cloud has legal barriers
Speaking at the Cloud World Forum earlier this week, the Bank of England CIO John French ruffled a few feather when he warned companies against adopting the cloud.
"All the vendors will be telling you 'you don't need IT teams as they'll do the heavy lifting for you'. That is sometimes true and there are cases where cloud can be a real enabler. But that doesn't mean it's always right," he said.
"Think about business models. There are many different variants how you can scale using other people's infrastructure - one doesn't fit all. The vendors will also tell you there is a financial upside. My answer is don't let the bean counters tell you how to count your beans, go and see an external accountant."
He noted legislative and data sovereignty as further issues to consider before rushing to private, public or hybrid cloud solutions.
"If you go to a partner to host your data, you need to ask questions. Do you know where the boxes it runs on are and do you know the legislation that covers those boxes? One well-known provider promises your data will stay in Europe. With this provider the boxes sit in a Nordic region somewhere. Who here knows Nordic law?" he said.
Will Semple, VP of research and intelligence from Alert Logic, added in an email to journalists that the move to the cloud should be given ‘stringent' considerations.
“The problem is, a fair amount of companies look at the cloud as purely a cost-saving exercise and don't consider the wider implications. One rule to live by is "measure twice, cut once" - carry out proper threat assessments, carefully weigh up whether or not a move to the cloud fits in with the overall business objectives. And don't always accept blindly what a service provider is telling you, ask the right questions and you will get the best outcome.
“Think about the data you are moving to the cloud, where it needs to reside due to data sovereignty, ask about how the provider shares (or doesn't share) your data and with whom, ask about regulatory requirements and their encryption strategies. Make sure the answers comply with business objectives and principles.”
Employees on holiday: Productive but vulnerable?
Employees are often cited as one of the primary security risks within an organisation, and that is exacerbated by BYOD and – according to a new study – when workers take these devices with them on holiday.
A new study, commissioned and published by Sourcefire - a Cisco company, reveals that UK employees are potentially putting their companies at risk from a breach by using mobile devices for work purposes when on holiday.
The ‘Beach to Breach' study found that nearly two thirds of workers (60 percent) do not check the security of a Wi-Fi network before accessing it, despite 69 percent admitting that their work had informed them of the risks with using devices remotely for work purposes.
Some 80 percent of directors, mid-managers and senior level employees took their work device on holiday, with this figure at 50 percent for junior colleagues. Approximately 72 percent of workers spend one or two hours per day keeping up with what's happening in the office.
This is an interesting take on the modern-day work culture; aiming to be more productive and add extra value, but at the same time creating new points of entry for would-be hackers.
Google Play flaw
Researchers from Columbia University this week discovered that they could grab developers' secret encryption keys for their Android apps.
To get this information, Computer Science professor Jason Neih and PhD candidate Nicolas Viennot created “PlayDrone”, an Android Google Play crawler, which scanned more than a million free Android apps.
Researchers then used “common hacking techniques” to decompile 880,000 of these apps, bypassing Google's security restrictions to download Google Play apps and recover the sources attached to them.
These “secret keys” were stored by developers within the software as part of their app' information, and if stolen, would allow people to gain access to user details from service providers like Amazon and Facebook.
Researchers added that this issue went undetected as little was known about what is uploaded to Google Play, a sign perhaps that the search giant needs to review its app approval process.
Nieh said: “Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play. Anyone can get a US$ 25 (£15) account and upload whatever they want.”
Researchers presented their findings at ACM Sigmetrics 2014, in Austin, Texas, on Wednesday and are now working closely with Google to make Google Play safer.
“Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future,” said Viennot.