7 Tips To Make A Bring-Your-Own-Device Policy Safe For Work

The growing “bring your own device” trend has some enterprise companies wringing their hands with worry. How do you keep employees happy while still protecting company data? Well, InformationWeek has seven tips to help companies navigate this new frontier (I threw a few notes in as well):

1. Create Strong Security Policies

While it might sound basic, having mobile device security policies in place is a necessary first step. … An organization in a highly regulated industry may specify that all data stored on employees’ mobile devices, as well as any removable media used with those devices, be encrypted. Businesses in other industries, however, may think that approach is overkill.

2. Apply Existing Security Policies To Mobile Devices

When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device that’s allowed to connect to the corporate LAN. … Also weigh whether Bluetooth file-sharing will be allowed for mobile devices, and if jailbroken devices should be blocked from accessing the network altogether.

3. Enforce Security Policies

The next step is to enforce your organization’s policies, typically by using mobile device management (MDM) tools [Note: The mobile device management link leads to another great article on protecting your company while allowing employees to use their own devices. It’s definitely worth a read]. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially if you have a bring your own device (BYOD) to work policy. [Another Note: 21% of employees in a recent survey said they don’t know their company’s IT security policies. 33% said they don’t always follow them. Check it out at InfoSecurity.]

10 Tips To Protect Against A DDoS Attack

If you follow tech news you’ve undoubtedly seen multiple stories lately of websites falling to DDoS attacks. Most of these attacks have been by Anonymous and targeted government, big media or SOPA/PIPA/anti-piracy supporters’ sites. But their actions have also begun inspiring like-minded hackers who fancy themselves “hacktivists.” Whether these hackers are taking your site down in protest, to make a point or for financial gain doesn’t really matter to you, because in the end, your site is still down.

With this growing trend and the increase in attacks on consumer sites, it’s important to know what steps you can take to prevent a DDoS attack from affecting your business. With that in mind, InformationWeek put together a list of “10 Strategies To Fight Anonymous DDoS Attacks.” Here’s what they suggest:

1. Know You’re Vulnerable

One lesson from the use of DDoS by Anonymous – as well as its sister hacktivist group LulzSec – is that any site is at risk. That’s not meant to sound alarmist, but rather simply to acknowledge that the hacktivist agenda can seem random, at best.

2. DDoS Attacks Are Cheap To Launch, Tough To Stop

Hacktivists can quickly crowdsource “5,600 DDoS zealots blasting at once,” as Anonymous boasted on Twitter, to take down the websites of everyone from the FBI and the Justice Department to the Motion Picture Association of America and Recording Industry Association of America. “DDoS is to the Internet what the billy club is to gang warfare: simple, cheap, unsophisticated, and effective,” said Rob Rachwald, director of security strategy of Imperva, via email.

3. Plan Ahead

Stopping DDoS attacks requires preparation. If attacked, “folks that don’t take active measures to ensure the resilience of their networks are going to get knocked over,” said Roland Dobbins, Asia-Pacific solutions architect for Arbor Networks, via phone.

SQL Injections Still Top Threat

Guess what? The No. 1 biggest security threat to your website is still SQL injection (not one of those hacker collectives that have been taking down websites left and right recently). SQL injections aren’t anything new – they’ve been on the Open Web Application Security Project’s list of Top 10 threats since 2004 … when they started compiling the list.

Despite being on the security radar for literally years, injections still make up the vast majority of security issues today. From PCWorld (emphasis added):

SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard.

Speaking at the Infosecurity Europe Press Conference in London last week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. …

In October 2011, for example, attackers planted malicious JavaScript on Microsoft’s ASP.Net platform. This caused the visitor’s browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor’s PC via a number of browser drive-by exploits.

The App Store of Malware (I mean, Banned Apps)

Having just finished the Steve Jobs biography, and being of the school of gated platforms – at least for my phone, where I don’t want to deal with bugs the way I might on my work laptop (sorry Matt B and the uTest IT team) – I found this concept very interesting.

According to the BI article, “Android Hackers Plan App Store of Banned Apps,” a group of Android developers is looking to start their own app store for all the banned and rejected apps that didn’t make the cut. The article includes a quote from the potential founder that “apps removed from the Market include, one-click root apps, emulators, tether apps, Visual Voicemail apps, and more.”

It sounds great, but we already know about the growing amount of malware on phone operating systems, Android especially. The other alternative for apps is to create mobile-specific landing pages (i.e. HTML5 apps), like Grooveshark (music) and Untappd (beer reviews) have done, making the apps available via your mobile browser. Since their launch, Untappd has launched a native app for iOS and Android but has not shared details on traffic comparisons. [It won’t be applicable to most mobile users, but we cover some security exploits and common attacks in our Security Testing whitepaper.]

Am I the only one uber-sensitive about the integrity of my phone’s OS and apps? Would you download an app that isn’t scrutinized for security?

The Future Is Now

IBM released this year’s “5 in 5” list – a tradition where they make five, slightly science fiction-y, predictions about tech we’ll have in the next five years. This year’s list:

  1. People power will come to life
  2. You will never need a password again
  3. Mind reading is no longer science fiction
  4. The digital divide will cease to exist
  5. Junk mail will become priority mail

While those seem awesome, some of them also seem pretty far fetched (mind reading?). But as it turns out … most of these concepts are not only in the works, they’re already here (albeit in a rough form). Let’s take a look:

1. People power will come to life.

IBM says:
“In five years you will be able to power your house with the energy you create yourself.”

How it’s already here:
PaveGen tiles have been turning the kinetic energy of footsteps into harvestable electricity for a few years now, and 20 of the tiles will be in place at a busy pedestrian mall in London in time for the 2012 Olympics. The slabs are expected to generate enough power to light half of the location’s outdoor lamps.

Cyber Threats Get Top Level Attention

Last month there were several reports of cyber attacks on water treatment plants (Houston, TX and Springfield, IL come immediately to mind). The Springfield incident turned out to be a major miscommunication, but the Houston attack is holding strong and at least three other attacks have been confirmed by the FBI. These attacks were so real, in fact, that Michael Welch, deputy director of the FBI’s Cyber Division, recently announced that the FBI will be increasing its cyber budget by roughly 12%. Here’s a recap from Sophos’ Naked Security blog:

At a recent security conference Michael Welch, the deputy assistant director of the FBI’s Cyber Division, gave a speech where he discussed the issue of SCADA security.

Information Age magazine reported on his speech and quoted Welch as saying:

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city."

… It’s great that Welch acknowledges the work we have to do in this area and even went so far as to suggest the FBI will double the size of their Cyber division in the next 12 to 18 months.

Sound too good to be true? Then it probably is.

Black Friday Tip – Avoid These Smartphones

Oh Black Friday – that joyous occasion when sleep-deprived, turkey-charged shoppers do battle at unholy hours of the morning. Smartphones and tablets are again at the top of many holiday wish lists and Black Friday is the day that promises excellent discounts on these pricey items. But before you wrap that new purchase (or lose the receipt) take a quick look at this list of “Dirty Dozen Smartphones” to make sure you’re not getting a bad deal:

  • Samsung Galaxy Mini
  • HTC Desire
  • Sony Ericsson Xperia X10
  • HTC Wildfire
  • Samsung Epic 4G
  • LG Optimus S
  • Samsung Galaxy S
  • Motorola Droid X
  • LG Optimus One
  • Motorola Droid 2
  • HTC Evo 4G

Those 12 phones pose the highest security and privacy risks for users, according to Bit9, a company focused on software end-point protection. Interestingly, all 12 poor performers are Androids. Harry Sverdlove, Bit9 CTO, told PCWorld that the reason Android poses more of a risk than iOS is the widespread nature of Android across manufacturers, models and carriers. Here’s what Harry had to say to PCWorld about how the study was done and why the results are what they are:

In compiling the list, Bit9 researchers looked at three things: the market share of the smartphone, what out-of-date and insecure software the model had running on it and how long it took for the phone to receive updates.