
DISA lays groundwork for implementing Windows 8

Recently the Defense Information Systems Agency released its Security Technical Implementation Guidelines (STIG) for use of Microsoft’s Windows 8 operating system. The unclassified version is available on the DISA website.

First, the guide specifies that this STIG covers only the versions of Windows 8 that support the x86/64-based processor architecture. This precludes Windows 8 RT, but DISA said RT is being evaluated under a different STIG. Since RT runs on ARM processors, it only makes sense that DISA would cover it with other mobile operating systems.

For Windows 8, the guide goes into the specific steps that Defense Department IT personnel are supposed to take to review a Windows 8 system, such as changing the security and network settings to comply with DOD standards. To make these changes would require using the Computer Management Console and the Registry Editor, so you know this STIG isn’t fooling around.

In a FAQ included with the guidelines, DISA noted that it is moving toward adopting the Security Content Automation Protocol (SCAP), a National Institute of Standards and Technology specification for standardized use of security data. DISA also is formatting the STIG in Extensible Configuration Checklist Description Format (XCCDF), an XML-based language for writing security checklists, benchmarks and related documents.
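To show what an XCCDF checklist looks like to a reviewer's tooling, here is an added example (not DISA's code and not taken from the STIG) that reads a benchmark and groups its rules by severity. The sample document, its IDs, titles and check text are constructed placeholders; the XCCDF 1.1 namespace is an assumption about the file being read.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: the checklist uses the XCCDF 1.1 namespace (1.2 uses another URI).
XCCDF = "http://checklists.nist.gov/xccdf/1.1"
Q = lambda name: f"{{{XCCDF}}}{name}"  # qualify a tag name with the namespace

# Constructed sample: every ID, title and check text is a placeholder.
SAMPLE = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <Group id="example-group-1">
    <Rule id="example-rule-1" severity="high">
      <title>Placeholder rule A</title>
      <check system="urn:example:manual">
        <check-content>Review the setting in the Registry Editor.</check-content>
      </check>
    </Rule>
    <Group id="example-group-2">
      <Rule id="example-rule-2" severity="medium">
        <title>Placeholder rule B</title>
      </Rule>
    </Group>
  </Group>
  <Rule id="example-rule-3">
    <title>Placeholder rule C (no severity attribute)</title>
  </Rule>
</Benchmark>
"""

def load_rules(xml_text):
    """Return every Rule in document order, however deeply its Group is nested."""
    # ElementTree is not hardened against malicious XML: parse trusted files only.
    root = ET.fromstring(xml_text.strip())
    if root.tag != Q("Benchmark"):
        raise ValueError(f"not an XCCDF 1.1 Benchmark: {root.tag}")
    rules = []
    for rule in root.iter(Q("Rule")):
        check = rule.findtext(f"{Q('check')}/{Q('check-content')}")
        rules.append({
            "id": rule.get("id"),
            # XCCDF defaults a missing severity attribute to "unknown".
            "severity": rule.get("severity", "unknown"),
            "title": (rule.findtext(Q("title")) or "").strip(),
            "check": check.strip() if check else None,  # None: no check text
        })
    return rules

def by_severity(rules):
    """Map each severity level to the list of rule IDs that carry it."""
    grouped = defaultdict(list)
    for rule in rules:
        grouped[rule["severity"]].append(rule["id"])
    return dict(grouped)
```

Rules that land under "unknown" or have no check text are the ones to look at by hand before treating a review as complete.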

The DISA STIGs often become the standard by which other agencies and even private companies secure their computers. So admins setting up Windows 8 tablets or desktops should take a look.

Posted by Greg Crowe on Mar 01, 2013 at 9:39 AM | 0 comments

Intel tool converts much of iOS apps to HTML5

App Porter helps translate iOS apps for other mobile platforms

In the convergence of Bring Your Own Device and in-house app development, many agencies are overloaded with the task of creating apps for multiple platforms. An app that was created for use in one mobile operating system may need to be completely rewritten to be used in another. This effectively multiplies the work by the number of platforms that need to be supported.

Intel has come up with a partial solution, at least for apps that start out written for Apple’s iOS. The HTML5 App Porter Tool has been in beta for a little more than a month now, and it has just started to get some traction with the mobile app development community. It will automatically convert the Objective-C code of iOS-based apps into JavaScript so that it can be more readily converted to work with other operating systems, such as Android, BlackBerry and Windows.

It will also rewrite layouts in HTML/CSS (Cascading Style Sheets), and convert iOS API data types and objects to JavaScript/HTML5. While this won’t automatically convert 100 percent of an app, it could save a lot of effort by translating as much as it can.

If you are interested in trying out the HTML5 App Porter Tool, you can sign up at Intel’s website. You can also learn how to get the most out of what looks to be a quite useful tool with the tutorial and support forum.

The tool requires Windows 8 and Microsoft Visual Studio 2012.

Posted by Greg Crowe on Feb 25, 2013 at 9:39 AM | 0 comments


Security flaw opens locked iPhone

For the last few weeks there have been several videos showing up on YouTube demonstrating how one can access the phone functions of a supposedly locked iPhone. The first video apparently was posted on Jan. 31, with screens and voices in Spanish, though many others have since followed suit in a variety of other languages.

For agencies that have been adding iPhones to their enterprises, the good news is that the hack apparently doesn't give access to a phone's features other than voice calls and contact list, so files and applications should be safe. Nevertheless, contact lists could be exploited for a variety of purposes.

We won't go into the details of the hack here and certainly wouldn't post a direct link to such a video. However, it involves using the emergency call feature and a well-timed press of the power button to gain access to phone functions, including the victim's contact list. Some videos show a second phone that is used to take control of the victim's phone, but others only show the victim's phone, so the second phone doesn't appear to be necessary. The flaw affects the latest version of iOS, 6.1, as well as some earlier versions.

The original poster writes in the video description that you should use this "For prank your friends..." or "for a magic show..." The poster goes on to practically beg the viewer to "please... do not use this trick to do evil !!!" Unfortunately, some of the more than 350,000 people who have watched the video may do just that. But, as reckless as showing the exact method of performing this hack is, at least the video makers are doing the service of pointing out the problem.

Apple said it was working on the problem and would issue a fix in a future software update, CNN reported. Meanwhile, agency employees with iPhones would be wise to keep them close at hand.

Posted by Greg Crowe on Feb 15, 2013 at 9:39 AM | 0 comments