Category Archives: security
Get Ready for WYOD
I kicked off the Bring Your Own Device (BYOD): A Summit for Decision-Makers (summary article) as the keynote speaker last week in Ann Arbor, Michigan. This Summit was put on by Merit, who provides the network service needs of higher education, K-12 organizations, government, health care, libraries, and other non-profits for the state of Michigan. It brought together public and private sector technology and security leaders, as well as experts from academia and a wide array of vendor sponsors, to discuss hot trends for employees who are bringing their own devices to work.
I was interested in presenting on this BYOD topic because I understand the concerns but I also feel we need to put the issue into proper perspective. BYOD is officially defined as the practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes. This is the valid concern which causes us to question our preparedness for dealing with bandwidth and security issues associated with BYOD. But the acronym has become synonymous with challenges relating to the explosion of mobile internet access devices which tend to pressure our network management more than security risks. My Keynote entitled, BYOD: We just need to keep up, focused on the emerging concerns from Wear Your Own Device (WYOD) and the evolution of The Internet of Things (IoT).
Wearable devices today are not really pressing our infrastructure or security concerns, however, that is the calm before the storm. The focus for these wearables today typically points to some form of activity or health monitoring. Interaction with the Internet or local WiFi is minimal now typically because of power consumption issues. However, the stage is set for these small useful devices to interact with our personal Internet space. And the most significant use will evolve out of the NFC based authentication made popular by the Apple Pay entry for transacting purchases. The key here is the validation of mobile devices, typically today’s smartphones, as authenticators of our personal identity. Replacement of the credit card swipe for retail purchases will lead the way, however, we in IT will get to explore and support all of the other uses that will play off this technology. For us in higher education we will see this become our student’s ID Card for building access, attendance and even remote test proctoring. The technology challenge is not daunting, however, the shift of our support mentality may be difficult. We will need to protect the effectiveness of these activities along with ensuring the security. It will mean a lot more technology responsibility on our plates.
Cell Phone Authenticating our Identity
I was chatting with one of our professors and our conversation ventured into the importance of mobile devices. The topic related to why it was so important for Microsoft to gain a foothold in the mobile phone market and I explained to him the intricate connection between the consumer’s phone and their computing platform of choice. But I also told him that the mobile phone would someday be the most important component for authenticating identity which is critical for financial transactions. I’m not sure I knew exactly how that was going to play out but it is always fun to stimulate non-techies into imagining what the future might hold. I did tell him about how important cell phones were in Africa for providing a means of transferring money. So it was a natural assumption to connect the cell phone to the online or digital economy as a means of providing more secure form of authentication. And when you talk more secure you typically relate that to a dual form of authentication based on something you have and what something is better than cell phones. Anyways, this conversation led to being asked to give a talk on this topic for the local Rotary.
I relate this conversation as a lead in for the story today about how Apple might offer a means for how we pay for stuff. Apple is hinting that it may explore this territory of payment services and that the fingerprint authentication on the new iPhones was implemented with this in mind. But the real impetus may be that Apple has amassed the most impressive number of personal accounts, about 800 million, that are connected to a credit card. This number is huge especially when compared to the next closest, Amazon’s 237 million. And what was the trick to getting this many purchase ready accounts? Music Downloads through iTunes. Yes, the convenience of impulse buying for a song that I hear justified my synchronizing my credit card with my iTunes account. And I have been very pleased with the results; quick, efficient, receipt email, and trust. Yes trust, there has not been a significant security breach of Apple’s accounts.
So is Apple going to expand their payment services to include any online or even checkout counter transactions? Lot’s of issues that have to be worked out before that financial model is justified, but I would bet on it. I was originally thinking the mobile phone could provide an identity solution for verifying who you are using the 2 step authentication model. Apple has successfully expanded that to include biometrics which I think will inevitably be required in our insecure identity compromised world. Makes a whole lot more sense then offering a credit card and signing a receipt. Needless to say, control of the mobile phone market continues to grow in importance. The next authentication phase will probably involve scanning that chip they want to insert into our body, but I think for now we work from something that everyone wants to have on their body.
Finally admitting that we are under attack from China
Cyber attacks sure do seem to be on the increase as well as getting more sophisticated. Finding out today that Educause has experienced a security breach motivated me to offer up a post. Is anyone surprised by the attacks being traced back to the Chinese Army. Those of us with systems under attack have known for a long time where most of the serious traffic was coming from. And although we did not have a specific building in Shanghai, however, we did know that attacks were originating in China. I guess they finally went too far and the Pentagon had to go public with the story. Of course the official report issued by the security firm Mandiant Technologies could not be ignored especially after the New York Times hack was made public.
The cyber attacks were not sophisticated direct penetration attacks but instead just very well done phishing attacks. Phishing as in tricking users into allowing their account passwords to be discovered. The White House and many universities in our country, mine included, were heavily targeted by spear-phishing attacks in the Fall of 2012. The results of these compromised accounts translated into massive use of our email servers to send out Spam email. This turns out to be a very profitable product for the successful hackers. However, the positive outcome from these attacks is that our university is now willing to get far more serious about implementing stronger security measures. Leading the way will be a stronger password change policy. But the real reason for changing passwords is to protect us against the compromises we do not know about.
Be Cautious of Your Personal DNA Report
Hot topic on the news wire lately is the over-the-counter availability of “Your Personal DNA Report” from Pathway Genomics. This service involves sending in a saliva sample to a “Certified Lab” where comprehensive genotype testing will be performed regardless of your decision to order a report at additional cost. The first concern here is that the comprehensive genotyping data will be stored by Pathway Genomics. The second concern is that you believe that storage record is anonymous.
So why am I talking about this. Only because these things dredge up all the predictions and fears that I had in writing my 2003 thesis, “Security of Your Personal Genome” for my MS in Bioinformatics. I do think it is dangerous for us to venture down this path. I’m not sure we should tread so close to God like knowledge. But my real fear is that if a record of your genome exists, the risk of it getting into the wrong hands is not worth the knowledge it may bring you. As for anonymous, wrong, if your genomic information is compromised or is shared, and it could be under this “anonymous” label. It is not difficult for today’s search algorithms to match characteristics from the genome with say protein results from a past blood test or maybe your family tree had a certain trend toward a disease. One little link of information is enough to complete a match to you. So with the direction health care is going I would not want an insurer or an employer to be able to make a calculated estimate about my health future. Of course I might be OK since my grandfather lived to be 102 and my dad who is 95 expects to beat that mark. Just be careful and really think about how you control or protect your personal genome, it is your ultimate ID.
May 18, 2010 – Unbelievable – UC Berkeley having incoming freshman submit to a DNA analysis to stimulate discussion about nutrition.
May 28th – Unwinding Berkeley’s DNA Test, InSide HigherED article.
August 13 – The California Department of Public Health demands that Berkeley change its freshman DNA experiment. Double Helix Trouble, InSide HigherED article.
Could our Mobile Device be the Key to our Privacy?
I was contemplating the possibilities for how our mobile computing devices could serve as forms of identity. It is an electronic device that we control, that could offer personal validation; it could provide proximity authorization via various transmission modes; it is a repository that can be used to provide any type of information about us, etc, etc. So what are some possibilities for managing our identity information on our mobile device? There are some personal health record apps for the iPhone and of course numerous personal financial apps. What about our ultimate personal identity?
What if our personal mobile computing device served as an access control key to our genetic map, our personal genome? I bring this up because back in 2003 when I was finishing up my MS in Bioinformatics I designed the schema for a National Health Database. The concept worked from a National ID as a starting point for accessing or referencing all data that would be important for a personal health record. The ultimate challenge that I did not have a real answer for was the access control needed for the highest security, our personal genetic map, our DNA code. The design was based on this data being encrypted from inception with access based on a personal digital key that could be used to activate de-encryption when used in conjunction with an authorized medical professional’s digital key. At the time I could only imagine some sort of smartcard or embedded chip, but I was hung up on communication. I kind of saw it as 2 people with keys needed to launch a nuclear missile. But now I think it may be possible to design a scheme that works from a mobile computing device that might allow us to build this National Health Database. The mobile device is key for its ability to allow the patient to authorize access to their medical information with remote flexibility. Biometrics will probably be involved, but could a mobile device provide a privacy solution?
By the way, my thesis was titled “Security of Our Personal Genome”.