Senior Editor, Network World

Security Roundup for Oct. 14: BlackBerry Blows Up; the ‘dual-Persona’ Mobile Device?; More on the RSA Hack; Moxie’s Moxie on SSL Certificates; Vint Cerf on Google’s Privacy Policies

Oct 14, 2011 | 9 min read
Data and Information Security, Security, Smartphones

Confidentiality, integrity and availability are the oft-cited goals of security, and by that measure this week’s worldwide loss of BlackBerry service constitutes a profound security collapse.

RIM executives have profusely apologized for the BlackBerry outage, which lasted from Monday to Thursday, blaming it on a “cascade failure” of RIM data systems around the world: a core switch failed, and the backup that was supposed to take over turned out not to be much of a backup at all. The company was busy dispelling suspicions that some disastrous hacking incident was behind it …

Do BlackBerry users, and the companies that buy the devices, care about this outage and will it influence their decisions on smartphones and mobile devices in the future?

I asked that question of Jon Martin, vice president of information technology at Digirad, the Poway, Calif.-based maker of solid-state gamma camera equipment for the medical field. He replied that right now the company is sticking with BlackBerry because it runs a specialized app the company needs, but the RIM outage is troubling and could mean rethinking buying them in the future.

‘Dual-persona’ mobile devices

Other news last week about mobile devices included two product and service announcements — one from Verizon and VMware, the other from AT&T — that could have a significant impact down the road.

At issue is the trend of companies increasingly saying yes to employees who want to use their own smartphones or tablets, such as the iPad, for business.

There are a lot of security questions that go along with this, and one of them is whether there is a way to separate personal data from business data on the same device. It’s starting to be referred to as the “dual-persona” question. A few mobile-management software products address it today, but AT&T stepped into the limelight last week, saying it will offer a new service called Toggle, based on an application developed by Enterproid, that separates personal from corporate data on Android phones. Verizon and VMware took up a similar theme the same week, announcing dual-persona software that will support more than one mobile operating system and is to be commercially launched later this year. Verizon was already taking a few digs at AT&T on this one …

In related news, Dell this week also said it would be shifting its focus to the “work and play” issue.

The RSA break-in: More just keeps coming

Since disclosing the horrendous break-in earlier this year in which sensitive information about SecurID was stolen, RSA has taken to turning the calamity into the equivalent of a morality play. The latest chapter of this slowly unfolding drama came last week in London, where RSA President Tom Heiser told attendees at an RSA-led conference that investigation work with the FBI, the Department of Homeland Security, U.K. law enforcement and other agencies has led to the belief that two groups were responsible for the attack. EMC Executive Chairman Art Coviello declined to identify the groups but said that “we can only conclude it was a nation-state sponsored attack.” And that attack, according to Heiser, was clearly designed to gain access to U.S. defense-related technology.

At the same London conference, Vincent Blake, head of cybersecurity at Raytheon U.K., said during a panel discussion that when Raytheon began selling missiles to Taiwan in 2006, the defense company’s computer network came under a torrent of cyberattacks. “For some reason, a country next door to Taiwan didn’t really like that so they got very interested in our IPR [intellectual property rights],” Blake surmised.

The China syndrome

Can anyone say the words “China” and “computer hacking” in the same sentence? Interestingly, Mitt Romney, now trying to win the Republican Party’s nomination for president, did so in his op-ed in the Washington Post today. In his column, Romney slams China for “systematic exploitation of other economies,” and says China “misappropriates intellectual property, including patents, designs and know-how” and “hacks into foreign commercial and government computers.” This is the first time I’ve seen China and computer hacking taken up as a campaign issue at all.

Tensions over this trust issue may be rising between China and America, with China-based Huawei Technologies calling on the U.S. Department of Commerce (DOC) to explain why the company is apparently being excluded from participation in the construction of a national wireless network for emergency responders.

The Chinese equipment vendor said the DOC last week said it was barred from taking part in the project due to national security concerns. The company’s participation would have involved testing the interoperability of elements of the wireless network, which is meant for use by police officers, firefighters and emergency workers.

Huawei wants to know which U.S. government body specifically denied it participation in the project. In a statement, William Plummer, Huawei’s vice president of external affairs, says the company “has been unfairly challenged due to vague supposed security concerns that have never been substantiated,” and that “playing Huawei as a pawn in some geopolitical game of chess is doing nothing more than threatening U.S. jobs, investment, competition and innovation.”

Moxie’s moxie

Security expert Moxie Marlinspike — he claims that’s his real name — filled me in on some details of his “Convergence” plan, an alternative to the way the SSL certificate industry generally works today. Though it’s still experimental, it has been gaining support, including from Qualys. The recent attacks on SSL certificate authorities show there’s a need for new ideas in this area, and Moxie has the moxie to propose what he says is a viable alternative.
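The core idea behind Convergence, stated here as background rather than from the interview above, is to replace blind trust in a single certificate authority with agreement among independent “notaries” that the client itself chooses: each notary fetches the site’s certificate from its own vantage point on the network, and the client accepts the certificate it received only if enough of its chosen notaries saw the same one. The following is an added Python illustration of that check, not Convergence’s own code; the notary names, host name and certificate bytes are constructed for the example, and the three trust policies are the author’s own simplification of how a client could weigh notary answers.

```python
# Added illustration of a Convergence-style "perspectives" check.
# Not Moxie Marlinspike's code; all data below is constructed.
import hashlib
from dataclasses import dataclass, field


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 digest of a DER-encoded certificate; this is what gets compared."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed stand-ins for DER certificate bytes (real ones come from the TLS handshake).
GENUINE_CERT = b"CN=www.example.test; pubkey=genuine-key"
FORGED_CERT = b"CN=www.example.test; pubkey=attacker-key"   # e.g. issued by a compromised CA
HOST = "www.example.test"


@dataclass
class Notary:
    """A notary fetches the site's certificate from its own network vantage point."""
    name: str
    observations: dict = field(default_factory=dict)   # host -> DER bytes it saw

    def observed_fingerprint(self, host: str):
        cert = self.observations.get(host)
        return fingerprint(cert) if cert is not None else None   # None: unreachable / no data


def verify(client_fp: str, host: str, notaries, policy: str = "majority", threshold: int = 1):
    """Decide whether to trust the certificate the client received for `host`.

    The client asks each notary it has chosen to trust what it sees for `host`
    and applies its own policy to the answers (a hypothetical policy set):
      consensus - every responding notary must agree with the client;
      majority  - more than half of the responding notaries must agree;
      threshold - at least `threshold` notaries must agree.
    Returns (accepted, agreeing_notaries, disagreeing_notaries).
    """
    answers = {n.name: n.observed_fingerprint(host) for n in notaries}
    responding = {name: fp for name, fp in answers.items() if fp is not None}
    if not responding:
        return False, [], []          # no independent perspective at all: fail closed
    agree = sorted(name for name, fp in responding.items() if fp == client_fp)
    disagree = sorted(name for name, fp in responding.items() if fp != client_fp)
    if policy == "consensus":
        accepted = not disagree
    elif policy == "majority":
        accepted = len(agree) > len(responding) / 2
    elif policy == "threshold":
        accepted = len(agree) >= threshold
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return accepted, agree, disagree


def demo():
    """Run the check against a few constructed situations and return the outcomes."""
    honest = [Notary(f"notary-{i}", {HOST: GENUINE_CERT}) for i in range(3)]
    compromised = Notary("notary-x", {HOST: FORGED_CERT})   # lies, or sits behind the same attacker
    unreachable = Notary("notary-down")                      # returns no observation
    return {
        # Client sees the genuine cert and every notary agrees.
        "clean": verify(fingerprint(GENUINE_CERT), HOST, honest, "consensus"),
        # Client is being intercepted with a forged cert; notaries elsewhere see the genuine one.
        "local_mitm": verify(fingerprint(FORGED_CERT), HOST, honest, "majority"),
        # One bad notary: majority still accepts, consensus does not.
        "one_bad_majority": verify(fingerprint(GENUINE_CERT), HOST, honest + [compromised], "majority"),
        "one_bad_consensus": verify(fingerprint(GENUINE_CERT), HOST, honest + [compromised], "consensus"),
        # Only an unreachable notary: no perspective, so the check fails closed.
        "no_data": verify(fingerprint(GENUINE_CERT), HOST, [unreachable], "majority"),
    }


if __name__ == "__main__":
    for case, (ok, agree, disagree) in demo().items():
        print(f"{case:18} accepted={ok!s:5} agree={agree} disagree={disagree}")
```

The point the example makes is the one Convergence makes against the CA model: a forged certificate that fools one vantage point is caught by the others, and the client, not a CA, decides how many independent observers it needs before it trusts a connection.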

Vint Cerf on Google’s privacy practices

Not many companies inspire the awe — or the dread over privacy concerns — that Google does, with its multitude of services, not to mention its “Street View” cars with mounted cameras that drive around the world collecting geo-spatial images. Google has faced a torrent of criticism about personal privacy, or the lack of it, especially after last year’s Wi-Fi fiasco in which Google admitted to collecting large amounts of data from open Wi-Fi networks by mistake. In a story this week, we catch up on the fallout from that one around the world, plus more. Vint Cerf, Google’s senior Internet evangelist (who, as you probably know, decades ago played a significant role in the Internet’s invention), spoke with us about Google’s privacy practices. But he also acknowledged that he, too, can feel disconcerted when he suddenly sees video of himself on YouTube or gets “tagged” in photos on Facebook. Since he’s one of the closest things the Internet world has to a celebrity, you’d think he’d be used to that by now …


A look into cloud security is provided by Christine Burns this week in a series of stories that delve into different topics, including public cloud security, plus on-the-ground information that includes “4 valuable additions to your cloud security toolkit” and “5 cloud security companies to watch.”

From the “What the heck!%$#&* is going on now?” department

* A security report published by Microsoft last week says zero-day vulnerabilities accounted for less than 1% of all detected infections in the first half of 2011. According to Microsoft, Java remains the leading cause of infection — and old Java at that, with patches long since available. The report says phishing via social media, such as Facebook clickjacking attacks, is on the rise. Microsoft’s conclusion is that protection against infection remains largely in your own hands: keep up with patches and fixes. Perhaps we should also note the online comments to this story, which suggest using a Mac.

* The Zeus Trojan and its variants remain among the most dreaded types of malware, used in particular to attack financial systems, and last week researchers reported a variant whose command-and-control communication is based on peer-to-peer technology, which will make it harder to bring down.

* Speaking of digital derelicts, a 35-year-old man was arrested last week on charges that he broke into the email accounts of numerous Hollywood celebrities and stole private photographs and correspondence. Christopher Chaney, of Jacksonville, Fla., is accused of breaking into more than 50 online accounts over the past year, including those of Scarlett Johansson, Christina Aguilera and Mila Kunis, the FBI said. If convicted of all 26 charges against him, he faces up to 121 years in prison. He’s expected to be tried in Los Angeles. Which sounds like the start of a movie, if not a good one …

* Writer Bob McMillan gives us an article on the hunt for computer viruses in industrial systems following last year’s Stuxnet incident. It’s his final piece for IDG, since he’s departing for Wired. Farewell, Bob; it was an honor to work with you over the years.

* Remember Aaron Barr, former CEO of HBGary Federal, who found himself and his former firm mercilessly hacked by the shadowy group Anonymous after a news report last February quoted him as saying HBGary was tracking Anonymous and planned to expose its members? Barr, forced to resign after that, has surfaced as director of cybersecurity for a company called Sayres and Associates. He told an IDG News Service reporter at the RSA Conference in London last week that he dyed his hair blue and mingled with protesters on Wall Street on Sept. 17, an action coordinated by Anonymous, a group he says he is still interested in. My question is: Why blue?
