ICYMI: British spies, security researchers & finding value from BYOD

News by Doug Drinkwater

This week's In Case You Missed column looks at Britain's new surveillance laws, the sacking of a security researcher and questions on BYOD management.

UK's new surveillance powers go against the tide

The British government is facing criticism after revealing that it is close to introducing a new law which will increase its surveillance powers over local mobile phone users.

The Data Retention and Investigations Power (DRIP) bill has been agreed on by all three main political parties and would require telecommunications companies and internet service providers (ISPs) to log customer data – such as internet browsing history or SMS messages – for up to 12 months. During this time, intelligence investigators would be able inspect this metadata if they had a warrant signed off by a government official.

The bill – which could be made law as early as next week – is controversial not only because it expands GCHQ's powers but also because it comes just three months after the Court of Justice of the European Union (CJEU) ruled that that the existing EU Data Retention Directive on mobile data collection was illegal. British Prime Minister David Cameron has stressed that the new law will comply with EU privacy legislation.

DRIP would replace the UK's own Data Retention Regulations from 2009 and would allow interception of metadata from webmail and other web services.

There are some safeguards – most notably a Privacy and Civil Liberties Oversight Board, a review of RIPA and an annual transparency report – but the news is surprising given the calls for greater transparency.

The National Security Agency (NSA) is embarking on reforms of its own, corporate companies are increasingly publishing government data requests, leading one former President Obama ally to say that transparency is unavoidable.

“We've been dragged kicking and screaming into the transparency world,” said Timothy Edgar, Obama's first director of privacy and civil liberties for the White House National Security Staff, last month.

Security researcher gets into hot water

It's the job of a security researcher to find and report vulnerabilities in products. By testing other systems for weakness, manufacturers and vendors can plug these gaps to prevent data leakage and potential breaches.

However, there have been concerns, voiced in particular at this year's BSides San Francisco conference, that security researchers are sometimes seen as the bad guys and that feeling is unlikely to subside given the on-goings at malware protection solution provider FireEye earlier this week.

On Monday, French researcher Jean-Marie Bourbon revealed on Twitter that he had been fired by IT vendor Sogeti after finding, and subsequently publishing, multiple vulnerabilities in the FireEye Malware Analysis System 6.4, along with proof-of-concept exploits for them.

The flaws were published to the Exploit-Database public repository, which is run by Offensive Security, but later removed.

Bourbon reportedly told FireEye of the flaw in May, but said that FireEye hadn't appeared to release patches for the flaws. [FireEye has now released a patch – crediting Bourbon's work]. He was then suspended from his role at Sogeti, with some reports suggesting that this was at the request of FireEye.

 “…I'm not [a] pentester, no NDA signed by me. Personal researches are illegals now,” he said, before adding: “Looking for a security job after getting fired.”  He says he found the flaws in his own time -  his company contends he should not have published them.

APT awareness is mixed

Advanced Persistent Threats (APTs) continue to be a concern for most large organisations, but there appears to be some misunderstanding about how dangerous they can be.

A new ISACA UK report – which has been criticised by some in the industry- revealed that 50 percent of security professionals do not see APTs as highly differentiated from traditional attacks, with the ones that are aware of the risk still reliant on traditional technologies – like firewalls, anti-virus and anti-malware - for detecting and responding to these.

A positive sign is that 92 percent now recognise that social engineering – such as spear phishing and long lining - can be used as part of this attack vector, but the report is nonetheless a concern considering other events this week.

In addition to the closure of UK-based travel bookings website Hotel Hippo – which suffered a breach the week before – two separate reports revealed how companies are expecting attacks, even though their defensive measures are suspect.

A study from Bit9 + Carbon Black revealed that two in three UK businesses expect to be targeted by a cyber-attack in the next year, while another – carried out by IT Governance – claimed that many of these are ‘complacent' in thinking that their defensive measures are up to the mark.

BYOD management needs fine-tuning

The Bring Your Own Device (BYOD) trend has been one of the buzzwords in business IT ever since CEOs started taking Apple's iPad into the workplace, and there have been thousands of words written on the increase in productivity and supposed cost benefits.

Yet three years on from the first smartphones and tablets entering the workplace, it appears as though several organisations are still working out how to grapple with this influx of devices.

Mobile Device Management (MDM), Mobile Application Management (MAM) have been touted – Active Directory too – but some organisations are still drafting their first policies.

In some quarters, there has been a kickback to BYOD. One organisation in the education sector, who wished to remain unnamed, told SC that it had cut off personally-owned devices and is now going with corporately owned, while another revealed how it put the brakes on an £80,000 MDM deployment to manage these products with their existing DLP and other security controls.

This news comes as one study reveals that 95 percent of staff worry about BYOD, and as another – carried out by Webroot – details that 58 percent of IT managers are ‘very' or ‘extremely' concerned about security.

More than twice as many workers report using personal devices than those issued by employers, indicating a potential IT security gap, but will this change going forward?

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews