Week 11 – Netflix Stethoscope

On Tuesday, Netflix released their open-source, user-led security tool, Stethoscope. In their blog post, Netflix outlined their belief that users are more open to security when it is not forced upon them.

It is an interesting web-based tool (that also works on mobile). The tool analyzes a user's device and gives them easy-to-follow recommendations on securing it. Things like disk encryption, screen locks, and OS updates are all topics the tool will offer advice about. It also integrates with existing tools an organization may already be using, such as LANDESK. This is great because many organizations could provide this without making large changes to their environment.
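As an added illustration, not Stethoscope's own code or anything from Netflix, here is a small Python posture evaluator that does the same kind of thing the post describes: compare a device record against a baseline and emit plain-language recommendations about encryption, screen lock and OS updates. The policy thresholds, the record fields and the sample device are all constructed for the example.

```python
"""Toy device-posture evaluator in the spirit of the advice Stethoscope gives.

Everything here (policy values, field names, sample device) is constructed
for illustration and is not Stethoscope's data model or API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical baseline an IT team might publish (assumed values).
POLICY = {
    "min_os_version": {"macOS": (10, 12), "Windows": (10, 0),
                       "Android": (7, 0), "iOS": (10, 0)},
    "max_screen_lock_timeout_s": 300,
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class DevicePosture:
    """What an inventory/MDM source might report about one device (assumed fields)."""
    hostname: str
    os_name: str
    os_version: tuple
    disk_encrypted: bool
    screen_lock_enabled: bool
    screen_lock_timeout_s: Optional[int]   # None when no timeout is configured
    auto_updates_enabled: bool


@dataclass
class Recommendation:
    check: str      # machine-readable identifier for the failed check
    severity: str   # "high" | "medium" | "low"
    message: str    # user-facing, plain-language advice


def evaluate(posture: DevicePosture, policy: dict = POLICY) -> List[Recommendation]:
    """Return recommendations for a device; an empty list means it meets the baseline."""
    recs = []
    if not posture.disk_encrypted:
        recs.append(Recommendation("disk_encryption", "high",
            "Turn on full-disk encryption so a lost or stolen device does not expose your data."))
    if not posture.screen_lock_enabled:
        recs.append(Recommendation("screen_lock", "high",
            "Enable a screen lock (PIN, password or biometric) so an unattended device cannot be used."))
    elif (posture.screen_lock_timeout_s is None
          or posture.screen_lock_timeout_s > policy["max_screen_lock_timeout_s"]):
        minutes = policy["max_screen_lock_timeout_s"] // 60
        recs.append(Recommendation("screen_lock_timeout", "medium",
            f"Set the screen to lock within {minutes} minutes of inactivity."))
    minimum = policy["min_os_version"].get(posture.os_name)
    if minimum is not None and posture.os_version < minimum:
        version = ".".join(map(str, minimum))
        recs.append(Recommendation("os_version", "high",
            f"Update {posture.os_name} to {version} or later; older releases may be missing security fixes."))
    if not posture.auto_updates_enabled:
        recs.append(Recommendation("auto_updates", "low",
            "Turn on automatic updates so future security fixes are installed without you having to remember."))
    return recs


def summarize(posture: DevicePosture, policy: dict = POLICY) -> str:
    """Render the recommendations as the short report a user would see, worst first."""
    recs = evaluate(posture, policy)
    if not recs:
        return f"{posture.hostname}: all checks passed."
    lines = [f"{posture.hostname}: {len(recs)} recommendation(s)"]
    for r in sorted(recs, key=lambda r: SEVERITY_ORDER[r.severity]):
        lines.append(f"  [{r.severity}] {r.message}")
    return "\n".join(lines)


# Constructed sample device, not real inventory data.
SAMPLE = DevicePosture("laptop-42", "macOS", (10, 11), disk_encrypted=False,
                       screen_lock_enabled=True, screen_lock_timeout_s=900,
                       auto_updates_enabled=True)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The point of the design is that nothing is enforced: the evaluator only explains what is wrong and why, which is the approach the post credits Stethoscope with.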

This is an excellent tool that Netflix is providing to the community (it is on GitHub). Forcing security on users is tough for everyone. By explaining the needs in a very customized way, users may be more likely to implement the changes requested by the IT team.

I will be spinning Stethoscope up to take it for a test drive over the next week or two. Look for a follow-up post soon!

Week 10 – Aadhaar’s Security Problem

An interesting article popped up on Mashable.com this week about India’s biometric database Aadhaar. The Aadhaar database is India’s method to make up for the lack of birth certificates and other identification of Indian citizens. For many years, according to the article, the majority of people in India did not have birth certificates. To help combat this, the Indian Government designed Aadhaar.

Aadhaar is a biometric database which contains information on 99% of India. This database is used for more than just identification, though. The government of India has plans to do away with credit cards, moving to fingerprint-based transactions. In addition to being a payment gateway, Aadhaar is also poised to pivot into a digital wallet. India's citizens will be able to load their health card and driver's license into an electronic wallet of sorts, removing the need for physical cards.

This sounds great, but the problem is that the database has never gone through an assessment or audit process. This, of course, has led to falsified entries in the database. These falsified entries are being used for all types of scams, and a complete lack of oversight is leaving citizens with little to no privacy.

My take – This is why we develop with a security-first mindset. Aadhaar is already so big that it will be hard to transition it to a more secure platform. If security had been considered during software development, some of these problems could have been avoided.

Additionally, the government needs to consider routine audits of the database. A risk management strategy would really improve the Indian government's chances of securing Aadhaar. Many identities are at risk if they do not adopt a risk management strategy for this database. A continuous assessment plan should be considered and adopted. This would certainly help with falsified records.

Week 9 – President Trump Fires White House CISO

In a follow-up to my Week 7 post about President Trump using a 5-year-old Android phone, he has now decided to fire the CISO that President Obama hired in 2015. TechTarget Senior Reporter Michael Heller reports that the President is likely using his private security firm to handle those duties until a replacement is hired.

When President Obama hired Cory Louie back in 2015, he wanted to help the White House better understand the risks and threats that it faced. While there was never much publicity about this hire, it is obvious that the former President and his staff felt the need to better protect the White House. I would tend to agree. As stated in my Week 7 article, there are no laws dictating what types of technology the President can use, so it is easy to see why the President may want a security advisor. It is likely that Louie helped shape the President's security strategy and made recommendations for how the President should use technology.

Frankly, if President Trump's private security team is allowing him to use a five-year-old phone, I have to question whether or not they can guide the White House away from security threats. I believe President Obama made the right decision in hiring a CISO for the White House, and I am hopeful that President Trump will hire a replacement.

Week 8 – Super Bowl Security Considerations

As someone without a cable subscription, I was happy to see the NFL and Fox heavily promoting that one would be able to stream the Super Bowl using the Fox Sports Go app. I have seen a similar trend with the NBA offering most of their playoff games via streaming apps.

This is great for cord-cutters, but it got me thinking about the security threats faced by the NFL and Fox. According to Business Insider, a Super Bowl commercial costs $5 million this year, up about $200,000 from last year. With streaming becoming a more popular form of consuming media, I would wager that advertisers are hoping for a high number of streamers to view their advertisements as well. Not only that, but streamers provide more analytics than typical cable viewers. With money and data at stake, the NFL and Fox have a vested interest in offering a high-quality stream. Because of that, I am sure attackers are also interested in taking the stream offline.

So while the NFL used to focus mainly on the physical security of their event, now they are also going to have to consider their cybersecurity strategy. Though I doubt we will ever get to see a breakdown of how the NFL implements this protection, I am sure they have a large team dedicated to minimizing the risk of a stream cutting out. I certainly hope they do; after all, I want to see some ridiculous commercials without interruption!