While President Trump has been in the news all week for various Executive Orders, one thing that caught the security community’s attention was a New York Times article. In the article, Maggie Haberman notes that President Trump is still using an “old, unsecured Android phone” even though aides have urged him to give it up.
This is not a new practice; after all, President Obama fought to keep his BlackBerry clear back in 2009. The difference is that President Obama took a new, secure BlackBerry. At this point, President Trump has refused to give up his old Android handset.
Lily Newman writes about the inherent risk of President Trump using an old phone (some speculating it might be over five years old) in her article on Wired.com. Newman points out that the risk may not even be attacks against the President. Many applications, Twitter being one of them, constantly track a user’s location – not exactly secure.
My overall take is one of disbelief. Back in 2009, smartphones were relatively new, mainly used for email. There was not a real alternative at the time, so it makes more sense for President Obama to fight for a secure version of his device. Reportedly, President Trump has been offered a secure device, but refuses. Furthermore, according to Newman, there are no policies requiring the use of secure devices by a President. This makes no sense from a security standpoint, but reminds me of most organizations that let their senior leaders ignore policy. Businesses should remember that they are only as strong as their weakest link; hopefully, in this case, the weakest link is not a five-year-old Android device.
With Donald Trump’s presidency starting on Friday, I felt this week would be a good time to tackle the idea of defense in depth. Trump, as everyone knows, is adamant that his administration will build a wall along the border between the United States and Mexico. However, as noted by Lily Newman at Wired.com, the wall will likely only cover half of the border. This reminds me of many firewall designs.
Typically a firewall will be deployed at the edge of a network and then various ports will be opened up. Once these ports are opened, organizations start leaving themselves vulnerable to attack. Additionally, many networks are using the M&M strategy – hard on the outside, soft on the inside. If an attacker makes it past the edge, many networks are ripe for the taking.
Organizations need to go beyond a wall if they want to stop the problem. Companies should evaluate adding security to each piece of their infrastructure. Endpoints should have protection, email should be monitored, and web traffic needs to be classified. More mature organizations can also look at monitoring network traffic for anomalies and enforcing based on patterns.
Taking extra steps beyond the firewall can help a company build an in-depth defense strategy, helping them stop would-be attackers.
Reports are fluttering around the internet that in several instances, the FBI has used Best Buy Geek Squad employees as informants, paying the employees a $500 finder’s fee each time they turn in a computer.
R. Scott Moxley wrote about a court case in which this activity was revealed. While Best Buy has denied the activity, claiming they do not purposefully search devices, the court proceedings paint a different picture. According to the article posted by Moxley, Best Buy staffed an informant on nearly every shift starting in 2007.
This is concerning for privacy in general. While the employees seem to be uncovering illegal material, what else are they viewing without the consent of their customers? Is it true that my tax information, banking info, etc. are all open game for Geek Squad employees should I take a device there for repair?
Additionally, I would question whether this type of search is even legal. In the article, the files found were in ‘unallocated trash space.’ Unallocated trash space certainly would not constitute plain view.
For the average user, I would never recommend they take their device to a repair shop of any type. The only exception to this would be the Apple Store, simply because Apple products can rarely be repaired. Users who cannot fix their own computer should look to a trusted friend for help.
Earlier this week, the Feds released a report asserting the Russian Government had a hand in the United States 2016 Election. As concerning as this is, some security skeptics feel that the report did not do enough, or say enough, to prove Russian involvement. Andy Greenberg’s Wired.com article quotes one security professional as being upset that more technical details were not released.
I believe the US Government is in a tough position. A company would never release the full details of a breach; some items are always going to remain classified. Is it wrong for the government to hold back details? I am not sure. Because this report is dealing with the outcome of an election, should all the details be released? If it turns out that this is true, and the election was altered by Russia, do we start over with the election?
I wager that we will never know the full details of this attack, or how it influenced our election. With just a couple weeks until inauguration day, my guess is that the report will stay as is.