During a rain delay Sunday at the PGA Championship, pro golfer Rory McIlroy pulled out his iPhone and entered his passcode to unlock it. The act is innocent enough -- but it was also aired on live TV for the entire world to see.
Following the incident, Twitter and other social media outlets lit up with the news of McIlroy's easily viewed "4589" passcode. The golfer quickly caught on to what happened and changed his passcode before returning to the course.
Passcode changed... Now time to play some golf! ⛳️
— Rory Mcilroy (@McIlroyRory) August 10, 2014
While no harm came from the situation, there are two important lessons to learn. First, McIlroy's passcode was nowhere near strong enough. Despite study after study warning of the risks of weak login credentials, people continue to use common PINs and passcodes -- including 1234, 0000 or easy-to-discover dates (such was the case with McIlroy's birthday, May 4, 1989). Complex combinations are critical to maintaining information security. Experts even admit that touch-gesture recognition passcodes -- where a user connects dots, makes particular motions on a picture or other such actions -- are riddled with issues. Experts agree that enterprises that don't require their users to use secure methods to secure smartphones and tablets are unnecessarily raising their risk of compromise.
Second, and perhaps more worrisome for enterprise IT departments, is that users offer up their sensitive information so easily -- and unwittingly. If a malicious actor knows the passcode of a device that is connected to the corporate network and accessed corporate data, he or she could easily wreak havoc simply by logging in. Even worse, without advanced contextual security mechanisms, most organizations are hard-pressed to identify an attacker using valid credentials.
While the insider threat is an issue most organizations are aware of, the insider may not be a malicious person. The Open Security Foundation's DataLossDB reports that 29% of data loss incidents since 2005 are due to insider threats, with 19% of those incidents labeled as accidental. And according to Forrester Research, 36% of all 2013 data breaches can be attributed to inadvertent insider misuse. Forrester attributes this to lack of security awareness training, unclear data use policies and the proliferation of device usage in the workplace.
In today's day and age where pictures and videos are so easy to take without a users' knowledge (and we're not even talking about the Google Glass threat yet), it's important to keep secrets safe.
In other news:
- Following the announcement that it would now support non-Latin characters to promote a more "global" Gmail, Google announced on Tuesday that changes to its spam filters will now detect non-Latin and accented Latin characters. Using the Unicode Consortium's "Highly Restricted" designation, Gmail filters will better detect hackers altering domains names (for example, SearchSecurity.com could be misrepresented as SeɑrchSecurity.com and lead users to a malicious site. Users don't often notice the subtle difference in changing the a to ɑ).
- The Blackphone -- the self-proclaimed "secure smartphone for everything you do" -- is at the center of a "Has it been hacked or hasn't it?" debate. Jon Sawyer (aka Justin Case), CTO of Applied Cybersecurity LLC, claims he rooted the device (it was first reported he achieved this in five minutes, but Sawyer himself admits it took longer). The problem is, the first of three vulnerabilities Sawyer found (re-enabling ADB to gain access to the device) has already been patched -- Sawyer was using old firmware. Blackphone creator SGP Technologies' CSO Dan Ford disputed the assertion, saying that the finding wasn't a real vulnerability. The second vulnerability reported by Sawyer (one that affected the device's remote wipe function) is known to SGP and has also been patched. Sawyer has not yet released details about the third vulnerability, but he admits it is a very hard hack and users are at very low risk.
- BlackBerry -- often touted as the most secure mobile device platform -- patched a slew of vulnerabilities this week on both its smartphones and enterprise server software. KB36174-BSRT-2014-006 addressed a file-sharing authentication bypass that affects Z10, Z30, Q10 and Q5 smartphones. If exploited, the flaw could allow attackers to access, read or modify device data. KB36175-BSRT-2014-007 fixes an information disclosure vulnerability on Enterprise Service 10 and Enterprise Server 5.0.4. If exploited, attackers could gain access and use logged credentials to impersonate legitimate users. BlackBerry claims that neither of these vulnerabilities are being actively exploited.
- Gartner Inc.'s Magic Quadrant vendor-ranking reports are widely used as sales tools throughout the IT industry, but not all vendors like the results. That was the cast last week as network security vendor NetScout Systems Inc. filed suit against Gartner, claiming unfair and deceptive business practices related to its Magic Quadrant rankings. The suit, filed in Connecticut Superior Court, alleges that Gartner's "pay to play" business model involves rewards paying clients with high-ranking Magic Quadrant positions, unfairly downgrading companies that aren't Gartner clients. Gartner issued a statement saying the suit is "without merit." However, former Gartner vice president John Pescatore told SearchSecurity earlier this year that many of Gartner's trend and future-focused reports are of questionable value.
Learn more about insider threats and how to mitigate them
Want to know the real impact of insider security threats?
Gain further insight into Gmail security
Join the discussion: Blackphone security
Are Blackberry security features still an enterprise differentiator?