$4000 in prizes this weekend, Hackathon @DeveloperWeek in San Francisco

Posted in Computers and Internet, General on February 3, 2018 by Will

Here we are, hanging out with a huge group of developers in SoMa. There is a ton of cash on the line from over 20 vendors. We are here offering $4000 in Amazon gift cards: $2000 for the first place winner (and you can get an extra $250 if you use the mobile SDKs), $1000 for the second place winner (and the same extra $250 for mobile usage), and finally 4 prizes of $250 for the best Reporting Dashboards out there. So if you’re a developer and need some cash this weekend, come down and give it a shot.

Great crowd and some awesome ideas floating around. It is awe-inspiring to watch all these developers at work on different projects at once. I had a colleague from another vendor take a trip down memory lane and reflect on just how much the tech space has changed. We both worked for internet startups in the early 90s during the beginning of the Internet. Things have come a long way. To get this many developers in one spot all working on problems and solutions that are for all different walks of life, things have certainly advanced.

There is still plenty of time and I’m sure there are plenty of problems out there that need solutions.


Google is doing their part, but it’s still not enough

Posted in Computers and Internet, Security on February 2, 2018 by Will

A few weeks ago, I posted some statistics about the state of mobile application security. Specifically, a report showed that malware grew over 60% in just the last quarter of last year, and the Google Play Store alone published over 9 million new mobile applications last year.

This week Google published that they had removed over 700,000 malicious apps from the Google Play Store. This is highly commendable, as it shows a firm commitment from Google to help improve their security image. I think that is what everyone is overlooking: this helps improve the Android platform’s security image. The removal of these apps from the closed application publishing service that Google provides is just a drop in the bucket in terms of the actual malware being published for the mobile platforms. As my colleague points out in his LinkedIn post, apps can be downloaded and installed from many different app publishing stores and often are. The Android platform has an image of being more open, and because of this, it is also widely considered less secure than the Apple platform.

Attacks exist on both the iOS and Android platforms, and pretty much any platform that has a CPU. With the Android platform being more open and more flexible, it is probably always going to be more open to attack, or at least publicized attacks. With Apple and with a number of the other computing platforms out there, they are all more closed, so we are less likely to hear about the attacks until something big happens or the media gets a hold of it.

Taking a stance that the platform you are developing for is secure enough without implementing security controls within your own app is dangerous and negligent. Google and Apple do their part, but the entire app development community needs to be vigilant. Understand that, while the platforms publish big numbers and clean up their images, this is more about attracting more developers to their platforms, and less about the actual security of those platforms. Attack vectors change constantly and arrive at different platforms in many different ways, sometimes in control of the OS provider, sometimes not. As long as developers take the time to implement all of the security controls at their disposal, perhaps your app won’t wind up on the list of breached apps next time.

Join me at DeveloperWeek in San Francisco

Posted in Computers and Internet, Entertainment, Security on February 1, 2018 by Will

Just a quick post to encourage anyone in the San Francisco area this weekend and next week to come down to the DeveloperWeek conference and meet up.

Over the weekend I will be attending and helping host an event at the Hackathon. If you want to play with some new mobile development tools or you’re interested in cloud digital signature products, come over and give our Hackathon a try. There are some great prizes for the best projects. Read more about the event and register for it over here: http://accelerate.im/challenges/179

And if you can’t get out to the Hackathon, but you still want to learn more about #DevOpSec or just want to know more about the latest tools in mobile application security, come attend our discussion on Tuesday from 3 to 4:30 PM. We will give you a rundown of some of the tools we are giving free access to and then take you through some samples and answer any and all questions. Register for the discussion and find more information here: http://sched.co/DGVX

It should be a great show, and there will be a lot of like-minded people around. Stop by our booth, #203.

ATM Jackpotting finally hits the US

Posted in Computers and Internet, Security on January 30, 2018 by Will

ATM jackpotting has been around for many years all over the world. In the US, Ars Technica reported that ATMs at the Black Hat conference were compromised in 2010. In Europe, Bank Info Security reported on ATM attacks in 2016. And we watched in 2013 as Mexico dealt with the attack, according to Symantec. These attacks have been known at least since 2009, when The Register reported on ATM trojans. So what did the US do to prepare for these attacks?

Apparently US ATM operators didn’t do much to prepare for these attacks. According to the press releases from ATM manufacturers Diebold Nixdorf and NCR, these US ATM attacks are focused on old ATM machines, machines that both companies recommend updates to. According to the Secret Service memo, these machines are the ones that you generally see in secluded places, like convenience stores and pharmacies. Keeping your software and hardware up to date is a common theme for the first step of any security operation.

According to the Secret Service memo, these are the first known attacks to come over from Mexico to the US targeting ATMs. So this is the initial wave of attacks. ATM operators, banks and others should be on alert now and should follow all of their vendor recommendations. One such recommendation has always been to add strong authentication for those administrative accounts, and replace those default passwords immediately. Taking the steps right now to catch up to the rest of the world with regards to ATM security should be on the minds of all of the ATM operators.

Everyone uses 2FA…right?

Posted in Computers and Internet, Security on January 23, 2018 by Will

Last week during USENIX’s Enigma 2018 conference, Google dropped a bomb on two-factor authentication. For years companies like Google and other providers have encouraged users to use 2FA to protect their accounts. Most of the security world thought people were listening, since they were all telling us how important 2FA is to them and to keeping their accounts secure. Now Google tells us that less than 10% of users use 2FA with their Google Accounts. Bloggers and security experts are in disbelief: if everyone wants to secure their information, why aren’t they taking the first step?

Facts continue to pour in about the state of attacks on our users. A report from Netwrix that came out today states that organizations believe that “employees were considered responsible for 58% of security breaches in 2017”. These attacks should be stopped with users leveraging proper security measures. Corporations have been using 2FA for years; it should be common practice to follow those users to the cloud with the same requirements and to follow up with those users.

As our platforms evolve, so does the perception of the platforms. Users become numb to the constant news of the latest attack and latest threat. Some of the biggest bugs in our time, Spectre and Meltdown, hit the news and focus the attention on how insecure user data is. These bugs affected almost every platform currently out there. Still, users haven’t patched and fail to see the major concern of the actual security risk.

As developers and security industry specialists, we need to ensure we are doing our part. Making tools like 2FA available is a great first step, but ensuring those same users use those tools, and following up with those users, is also a requirement. When developing mobile applications, taking the base security and applying Application Shielding and Hardening to an application should also be seen as a requirement. When we rely on our users to properly understand and leverage security technology, we open the door for them to be attacked.

Mobile is not secure

Posted in Computers and Internet, Security on January 17, 2018 by Will

It seems strange to have to write it, but the mobile platform is not a secure platform. It has many holes, both discovered and undiscovered. Mobile malware saw the largest single quarter increase ever, over 60%, in the last quarter of 2017, according to the McAfee Labs Threat Report, December 2017. Users are moving to the platform in droves. And of course they are, because all of their apps are going there too. In 2017, the Google Play Store added 9 million new apps, according to Statista’s reports.

When I talk to mobile users, it’s amazing to me that most of them think their mobile devices are secured by their mobile operating system provider. From a user’s perspective, they think that the operating system providers and the mobile app developers are making sure their experience is secure. When I ask them about the attacks they see on the news, they all seem to say the same thing, “we worry about it”, but it doesn’t stop them from downloading that strange new flashlight app. With users hanging on to their smartphones for an average of 2.46 years, according to Statista, upgrading apps and patching operating systems should be top of mind for users. Instead, I see users with a false sense of security and an “if it ain’t broke, why fix it” mentality.

Being in the mobile application security market, I speak with mobile developers fairly regularly, and I know there are a million things on their plates.  Most of us feel like we are being careful when we program and we are trying to be as secure as possible.  We reuse blocks that we know work and libraries that we have faith in and may have used for a number of years. We really do not have the cycles to focus on security unless our project managers focus us on it.

What troubles me is when I hear a developer tell me that they don’t need to focus on security because the operating system manufacturer has it covered. In today’s mobile application development space, this is the last thing we should be relying on. Looking back at the Microsoft Windows world, there was a time when developers said the same thing about that platform, but it was quickly wiped away. Look at Apple’s Mac OS: how many of us still think that it has never been hacked (it has, a few times now too)? Learn from our past experiences.

Securing a mobile application can be quick and easy. Yes, I work with a mobile application security company, but still, hardening and shielding an application is the least we should be doing. Some companies, like VASCO, offer a low- to no-code option of introducing this security technology. The process is straightforward and can be administered in a matter of minutes.

Sorry for the propaganda, but sometimes I think we all need a little push….
