Yubikey and my desire to beat the Feds to HSPD12 Compliance

During my Air Force days I was involved with the roll-out of the “CAC” for Air Mobility Command at MacDill. No one could understand why the military would put so much time and money into giving all personnel new ID cards and equipping machines with readers that did nothing at that point. The main feature back then was that when you removed your CAC your machine would automatically lock. Well, that or you would just leave your CAC at work and need to call a coworker to come retrieve you from the gate. What I failed to understand back then was that Multi-factor Authentication (MFA) was something fundamentally needed for our nation's and armed forces' security. This should have been apparent and clear to me as I scoured some of the base's most secure locations and found mission-essential passwords affixed to sticky notes on the monitor. ...

December 27, 2010 · 5 min · Nick

Using TOR on your Android Device

In my continuation of how to secure your phone habits while on the go, we have come to anonymizing your traffic. There are a few reasons to do this:

- You are on a public internet network and have no access to a VPN
- You are in a country that censors the internet (Hi China!)
- You like to keep your identity somewhat off the grid for whatever reason

TOR was developed to allow for all of the above. Due to the open nature of Android and its user base, it was quickly ported back in 2009. The Guardian Project leads the effort and has since provided 4 main components. Today I will be focusing on Orbot (TOR + proxy) and the Firefox extension that allows proxy usage. In addition you can use their Jabber client for anonymous and encrypted chatting. So let's get to setting things up! A few things you need to grab from the Market: ...

December 12, 2010 · 3 min · Nick

CR-48 ChromeOS Security Posture

Since everyone is talking about the fit and finish (which is great other than the battery) I thought I’d talk about the security of the device. Google has already spoken about the separation of user/system with the web browser functions so I will skip that portion. The majority of my work was looking at how the OS responded to simple pentesting scans. I used version 5.21 of Nmap running on MacOS 10.6 Server. The ChromeOS box was patched as of 12/11/10. ...

December 11, 2010 · 2 min · Nick

Have you been using my CAC?

For the record, if you say "CAC Card" in my presence you will be "SOL Luck" talking again soon. If you are running Linux or Mac there is a good chance you haven’t been touching my CAC, otherwise known as the Common Access Card. George Bush signed HSPD-12 way back in 2004 to mandate the usage of CAC and multifactor authentication on federal networks. The DoD giggled as it was already deploying limited installs at choice commands and was way ahead of the curve. The rest of the government and corporate entities are starting to roll out the installs, and a common theme I see is a lack of heterogeneous OS support. In this day and age your CIO/CTO/CISO must think beyond what the Microsoft sales lead tells them and think of the user base. Here is a big hint to save you from looking silly – you can’t say iOS/Android development is important to your divisions and then mandate they use Windows computers to comply with your SmartCard policy. I only mention that having sat in the room when the mobile development PM had to make his leadership aware they were basically shutting his group down. ...

December 4, 2010 · 4 min · Nick

Multi-core Security

A question from a distinguished colleague of mine:

Q: Some security group is claiming that locking apps down to a single CPU is more secure than multi-threaded apps. Is there any basis in fact that I don’t know of, or is this as ridiculous as I think it is? – Distinguished Dude

A: It is called Side Channel Attacks… thus far it's only a theory that has no known in-the-wild exploit ...

September 8, 2010 · 2 min · Nick