Spooky Halloween Mobile Apps

In honor of Halloween, I did a quick analysis of 30 Halloween-themed Android games to see how many were sending data and to where. While not all apps that send data are malicious, the following stats are spooky for privacy-conscious folks:

  • 16 apps sent data to various US locations (53%)
  • 5 apps sent data outside of the US (17% — see pictures below)
  • Only 9 apps sent no data (30%)

Disclosure of Vulnerabilities and Exploit Code is an Essential Capability

Robert Lemos has an excellent summary of the state of the debate on disclosure of exploit code in his column at Dark Reading. In it, I’m quoted briefly:

Software vulnerabilities are often discovered independently, suggesting that silencing the disclosure of a vulnerability and how to exploit the flaw would merely allow a bad actor more time to use an attack, says Darren Meyer, senior security researcher at Veracode, an application security firm.

Our Apps Are Our Digital Lives

One of my national cyber security month activities was participating in an employee awareness day at NYU Langone Medical Center. Kudos to the infosec team for putting on a nice event.

Since the audience was doctors, nurses and students, my goal was to present mobile security statistics in a memorable way. I had two slides showing at a very high level how mobile malware works, but one of the main points I wanted to convey was that an app doesn’t have to be malware to do you harm.

Bad Boys of The IoT

Backdoor, schmackdoor – it’s Christmas Shopping Season, y’all!

This morning my blog, The Security Ledger, ran a story about research from the firm Duo Security that provided more evidence (if any was needed) that the fast-emerging market for IP-enabled “stuff” has a serious reckoning with the security and privacy crowd.

The Appsec Program Maturity Curve 1 of 4

As information security professionals, we must pursue any opportunity to evolve our approach to Application Security. Most enterprises with in-house development teams do some kind of ad hoc AppSec testing, usually during the QA process. But maybe you think it’s time to do more than that, to get a bit more proactive in confronting the potential threats the organization faces from weak software security. Luckily there is a proven AppSec Program Maturity Curve that can help mature your existing effort, following a well-traveled road to overcoming common challenges along the way. Here’s the really good news: it’s easy to climb a few levels of the curve over a matter of months, not years.

Apple’s Fingerprint Scanner: Who is Likely to Hack – Mobile Device Security Series 3 of 3

We know that any type of software is bound to be hacked eventually, but Apple is claiming that nothing will get past its new fingerprint scanning technology. While its security implications far exceed those of a traditional PIN, could a hack of this nature truly be dangerous to high profile individuals? What would a hack like this mean for an enterprise or government agency? In part three of our discussion of Apple’s fingerprint scanning technology for the iPhone 5S, we discuss where these attacks are likely to come from and what this means for your mobile security.

Why Everyone Should Care about the new NIST Guidance

The private sector is usually in the fortunate position of being able to ignore the National Institute of Standards and Technology’s (NIST) guidance as new special publications come out and effect change in the public sector. However, the latest draft on addressing supply chain security epitomizes a trend we are seeing in the industry. Everyone – public, private, non-profit, etc. – should heed this new guidance as a harbinger of what is to come.

Information systems have rapidly expanded in terms of capability and number, permitting an increased reliance on outsourcing and commercially available products. This has resulted in a loss of both visibility and understanding for how acquired technology is developed, integrated and deployed.

Apple’s Fingerprint Scanner: Claims, Concerns, and Implications – Mobile Device Security Series 2 of 3

Apple’s making a lot of claims about how well they securely store that fingerprint, who can access it, and what’s actually being stored. Nobody’s really been able to verify any of this in depth yet. We do have a few hints from patent filings, from documentation of the company that makes the sensor, and from documentation of the TrustZone technology that Apple says they’re using to store it. Apple really put quite a bit of engineering effort into this, so they claim a couple of things.
