Apple App Store Suffers First Malware Infiltration

I would like to start today’s post with a question to my fellow iPhone-owning students, faculty and staff. How many apps do you have installed on your device? For comparison’s sake, I’ll limit this example to just iPhones. At the time of this post I counted 47 installed on my own device. Now that you have that number for your own device, stop and ask yourself, how many of these apps do I know were written and published using trusted code sets and verified publishers? Would I have installed these apps if I knew that they were not trusted and potentially malicious?

In order to thwart the publication of malicious apps, Apple, Inc. has developed stringent policies and review processes around application development for its OS X and iOS platforms. To complement these processes, developers are required to use a specific software development package called Xcode.

Earlier this week, Apple News announced that it had found that an unprecedented number of apps had made it past the review process and were published to the App Store and subsequently downloaded. To put this in perspective, “Prior to this attack, a total of just 5 malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks, Inc.”, says Jim Finkle from Reuters. To be more precise, 344 apps have been discovered by Chinese security firm Qihoo360 Technology Co. to be potentially affected by this attack.

This begs the question, how could this have happened? How could an organization with such strict requirements on app development inadvertently release apps infected with malicious code? The answer to this question lies with the software that we discussed earlier. Essentially, a malicious copy of Xcode, known as XcodeGhost, was created. This framework almost identically mimics Xcode, with the exception that it can be modified to contain malicious code. While this may appear to be a rather simple concept, the underlying logic of XcodeGhost is far more complex, a discussion which deserves its own white paper.

The fundamental issue with XcodeGhost is that it could potentially be used by legitimate app developers without their knowledge. Therefore we can assume that legitimate applications that leverage this malicious framework could be susceptible to SQL injection, XSS, or other client-based security flaws that could result in data leakage from a mobile device. Considering the types of apps that are available for banking, location tracking and social media, the problem of data leakage poses a very large and very real problem.

With that in mind, I think back to the 47 apps I have installed on my iPhone and wonder which apps I have installed that could potentially be vulnerable. Should there be a stricter verification process for app development that evaluates even the underlying development software that is being used? While we could leverage peer review methods or even the use of trusted certificates to avoid these situations, we may continue to see these types of threats at a high frequency in the very near future. What do you think? Any discussion is welcome in the comments on how an organization might be able to avoid these situations.

Source:
http://www.reuters.com/article/2015/09/20/us-apple-china-malware-idUSKCN0RK0ZB20150920?utm_source=applenews

2015 Career Expo in Sewall Arena on October 7th

The 2015 Career Expo will be held on Wednesday, October 7th from 12:00 PM to 4:00 PM in the Sewall Center Arena.

This event will provide students with the opportunity to network with local and regional recruiters from over 90 companies and organizations. Many of these employers are looking for spring and summer interns and also full-time hires for immediate or future openings.

Make an effort to attend – it will be worth it!
Flyer – See the Employer List!

SDLC Partners Presentation tomorrow (September 30) in Wheatley Center

Just a reminder — please make room in your schedule for this presentation.  Networking opportunities will be worth it!

SDLC PARTNERS, L.P.
Wednesday, September 30, 2015 (3:45 PM to 5:15 PM)
Wheatley Center Atrium

SDLC Partners, L.P., headquartered in Pittsburgh, PA, opened its doors in 2004 as an alternative to large consulting organizations. The firm’s 350+ employees take a practical and collaborative approach to deliver process improvement, analytics, and technology solutions to Fortune 1000 and mid-market customers by effectively working with business and I.T. units to serve as the “execution partner of choice.”

For more information about SDLC Partners, visit www.sdlcpartners.com

3:45 PM Registration for SET Credit
4:15 PM the speaker will start his presentation

Pizza will be served.

M&T Bank Presentation on October 7th

M&T Bank
Wednesday, October 7, 2015 (4:30 PM to 5:45 PM)
Wheatley Center Atrium

M&T Bank has been committed to customers and community for more than 150 years. Founded on the principle of providing exceptional financial products and friendly, personalized service, M&T is more than just your neighborhood bank. Representatives from M&T Bank will give a presentation on their company with a focus on information technology needs, including possible job opportunities and internships.

4:30 PM Registration for SET Credit
4:45 PM the speaker will start the presentation

Pizza will be served.

PPG Industries Presentation on October 6th

In October, we will continue our series of IT employer presentations on campus.  Please make room in your schedule to attend!


PPG Industries

Tuesday, October 6, 2015  (3:45 PM to 5:15 PM)
Wheatley Center Atrium

3:45 PM Registration for SET Credit
4:15 PM the speaker will start the presentation

Pizza will be served.


PPG Industries’ vision is to continue to be the world’s leading coatings and specialty materials company. Through leadership in innovation, sustainability and color, PPG helps customers in industrial, transportation, consumer products, and construction markets and aftermarkets to enhance more surfaces in more ways than does any other company. Founded in 1883, PPG has global headquarters in Pittsburgh and operates in nearly 70 countries around the world.

WHY JOIN US?  PPG is a growing global leader with a world of opportunities

• We are defined by our ethics, integrity, and social responsibility

• We develop our employees’ personal strengths

• We fuel their passion to excel

• We fulfill their desire to learn and grow

• We are one company, global businesses, one rewarding career

IBM’s Master the Mainframe 2015 Contest Starts Soon!

IBM, a worldwide leader in computing and technology, is hosting its 11th annual Master the Mainframe Contest.

What is it? Master the Mainframe is a contest that has been held every year for the past ten years. According to the FAQ section on IBM’s webpage, “no experience with mainframes is necessary. In fact, the contest is designed for students with little or no mainframe experience, increasing with difficulty as the contest progresses. Students just need to bring drive and competitive spirit and be ready to compete!”

Why should I participate? If you are even remotely interested in mainframe technology, you should consider signing up! Over the next decade, it is predicted that over 150,000 mainframe positions will open up as current workers retire. Careers focused on mainframe technology start out at roughly double the average salary of other college majors. As was mentioned earlier, even if you have little to no mainframe experience, it wouldn’t hurt to register for the competition to see if you truly enjoy the material and possibly even win some prizes!

How do I sign up? Registration began on September 1st. The contest begins on October 1st and runs until December 31st. Registration can take place any time before the December 31st cutoff date! Here is the link:

http://www-03.ibm.com/systems/z/education/academic/masterthemainframe/contest/usca.html

One of the most important outcomes that can be attained through the contest is experience. As IBM states on their website, “Today’s mainframes are growing in popularity and require a new generation of mainframe experts. This contest is designed to equip students with basic skills to make them more competitive for jobs in the enterprise computing industry. Participation in the Master the Mainframe Contest could give you the edge you need.”

Good luck!

National Cyber Security Awareness Month

Thursday, October 1st begins National Cyber Security Awareness Month (NCSAM). It is sponsored by the National Cyber Security Division and the National Cyber Security Alliance. NCSAM is designed to immerse and inform the public and private sector through events and initiatives with the goal of raising awareness about cybersecurity and enhancing the resiliency of the nation in the case of a cyber incident.

Dr. Paullet and members of the Top Secret Colonials will be posting tips on cyber security throughout the month of October to educate and inform members of our university. Please stay tuned for more information.

Semester-Long Study Abroad Information Session Today (September 22)

Tuesday, September 22, 4:30 – 5:30 pm
Dining Room A/B in Sewall Center
Come learn more about the many existing opportunities RMU students have for studying abroad each semester. A variety of topics will be covered to help prepare students for these once-in-a-lifetime opportunities.
Many information technology (IT) positions today deal with international business.  Understanding global concerns and learning more about cultures in other parts of the world could be extremely beneficial to you!