Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/5/2008
11:08 AM
Rob Enderle
Rob Enderle
Commentary
50%
50%

Is Obama's Mac A National Security Risk -- And Will He Be Allowed To Keep It?

There was a lot of focus a few weeks ago about whether President-elect Obama was going to be allowed to keep his BlackBerry. The discussion seemed kind of silly given how many BlackBerrys are in wide use in the U.S. government. However, you may recall that a foreign national stole a couple a few months ago, which certa

There was a lot of focus a few weeks ago about whether President-elect Obama was going to be allowed to keep his BlackBerry. The discussion seemed kind of silly given how many BlackBerrys are in wide use in the U.S. government. However, you may recall that a foreign national stole a couple a few months ago, which certainly raised the security profile for these devices.

So what about Obama's Mac?The vast majority of remedial security solutions currently in use by the federal government run on Windows. In addition, the government is one of the most aggressive users of Trusted Platform Modules to ensure the protection of the data and the integrity of the system's network connection. Absolute Software (LoJack/Computrace for PCs) is also in wide use for PC tracking. Government PCs generally have smart card readers to secure them, and some use biometrics, but Apple machines typically don't allow for either. Finally, management tools are widely used to do things like ensure USB ports can't pass data to USB keys and that any laptop brought into a secure organization isn't a carrier for malware that could compromise the security of that unit. The vast majority of the tools used to do all of this simply don't run on the Mac OS. Many require hardware components like the TPM, which aren't installed in Mac hardware and can't be retrofitted. Macs, while perceived as more secure than Windows, are commonly used as carriers for malware because they generally don't run malware scanning software. I'm writing this at a meeting with a bunch of desktop IT analysts from a variety of firms, and the consensus is that on the first day of the job someone will quietly take Obama's PC and promise to give it back to him when his term of office expires. I'm not so sure -- the guy will be President after all -- and think that he may instead order them to find a way to fix the problem. Will The New President Be Allowed To Use A Mac?

I'm going to disagree with my peers and suggest that rank has its privileges; I expect Obama will eventually be allowed to use his Mac. I base this on my experience at IBM, where we hired a CEO for the storage division during the OS/2 years, and he was allowed to create a little Mac island for himself and his admin. I figure if someone who wasn't the CEO of IBM could bring in a competitive product that violated a massive number of policies, then the vastly more powerful U.S. president could get a variance allowing him to bring in his beloved Mac.

So how will he or one of his people solve this problem?

There is antivirus software for the Mac, and custom scripts can be created to scan and ensure his exception machine when it connects to the network. Card readers and biometric readers can be added as peripherals. It isn't pretty, but it can be done. An equally secure RSA token solution also can be used on his machine (some parts of government do this today). The problem is the Absolute Software requirement and the TPM, neither of which can be retrofitted.

Now I think they can accept the Absolute product and put a physical tacking technology onto Obama's notebook. The Targus DefCon 1 laptop lock and alarm might be adequate, if used properly, to mitigate the theft risk, but it isn't as comprehensive as Absolute. However, I'm sure they have more advanced tracking devices they can get from the NSA, FBI or CIA that are even more effective at tracking than the Absolute. Granted, they are likely more expensive, but given the value of what is on this laptop, I'm sure the cost can be justified. The TPM is a bigger problem because it is one of the key components to ensuring the laptop's drive can't be pulled and compromised. So remote the data. There are few places Obama will be where he won't have a secure data connection available to him. All his organization has to do is find a secure way to connect his laptop to it (clearly some care will need to be taken here). If no critical data resides on the laptop, then the risk of loss is effectively mitigated and could be the first implementation of what is effectively a diskless Mac. Of course, they could also call Apple and quietly suggest it put in and enable its notebooks with a TPM. I'll bet even Steve Jobs will take a call from the U.S. CTO or president. (If it were my laptop I'd be tempted to make this call myself.) Having a technology-using president will force a number of changes. One of these changes may be ways to better integrate Macs into both government and business. Unfortunately, I doubt they will share this solution with us. but given how many things leak out of the government I expect it won't be long before someone figures this out and posts it. Who knows -- they may even share the information to help others in similar situations given that this new administration is promising more transparency.

Granted, they may have to solve the Zune vs. iPod questionfirst.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...