
12/5/2008
11:08 AM
Rob Enderle
Commentary

Is Obama's Mac A National Security Risk -- And Will He Be Allowed To Keep It?

There was a lot of focus a few weeks ago about whether President-elect Obama was going to be allowed to keep his BlackBerry. The discussion seemed kind of silly given how many BlackBerrys are in wide use in the U.S. government. However, you may recall that a foreign national stole a couple a few months ago, which certainly raised the security profile for these devices.

So what about Obama's Mac?

The vast majority of remedial security solutions currently in use by the federal government run on Windows. In addition, the government is one of the most aggressive users of Trusted Platform Modules to ensure the protection of the data and the integrity of the system's network connection. Absolute Software (LoJack/Computrace for PCs) is also in wide use for PC tracking. Government PCs generally have smart card readers to secure them, and some use biometrics, but Apple machines typically don't allow for either. Finally, management tools are widely used to do things like ensure USB ports can't pass data to USB keys and that any laptop brought into a secure organization isn't a carrier for malware that could compromise the security of that unit.

The vast majority of the tools used to do all of this simply don't run on the Mac OS. Many require hardware components like the TPM, which aren't installed in Mac hardware and can't be retrofitted. Macs, while perceived as more secure than Windows, are commonly used as carriers for malware because they generally don't run malware scanning software.

I'm writing this at a meeting with a bunch of desktop IT analysts from a variety of firms, and the consensus is that on the first day of the job someone will quietly take Obama's PC and promise to give it back to him when his term of office expires. I'm not so sure -- the guy will be President after all -- and think that he may instead order them to find a way to fix the problem.

Will The New President Be Allowed To Use A Mac?

I'm going to disagree with my peers and suggest that rank has its privileges; I expect Obama will eventually be allowed to use his Mac. I base this on my experience at IBM, where we hired a CEO for the storage division during the OS/2 years, and he was allowed to create a little Mac island for himself and his admin. I figure if someone who wasn't the CEO of IBM could bring in a competitive product that violated a massive number of policies, then the vastly more powerful U.S. president could get a variance allowing him to bring in his beloved Mac.

So how will he or one of his people solve this problem?

There is antivirus software for the Mac, and custom scripts can be created to scan and ensure his exception machine when it connects to the network. Card readers and biometric readers can be added as peripherals. It isn't pretty, but it can be done. An equally secure RSA token solution also can be used on his machine (some parts of government do this today). The problem is the Absolute Software requirement and the TPM, neither of which can be retrofitted.

Now I think they can accept the Absolute product and put a physical tracking technology onto Obama's notebook. The Targus DefCon 1 laptop lock and alarm might be adequate, if used properly, to mitigate the theft risk, but it isn't as comprehensive as Absolute. However, I'm sure they have more advanced tracking devices they can get from the NSA, FBI or CIA that are even more effective at tracking than the Absolute. Granted, they are likely more expensive, but given the value of what is on this laptop, I'm sure the cost can be justified.

The TPM is a bigger problem because it is one of the key components to ensuring the laptop's drive can't be pulled and compromised. So remote the data. There are few places Obama will be where he won't have a secure data connection available to him. All his organization has to do is find a secure way to connect his laptop to it (clearly some care will need to be taken here). If no critical data resides on the laptop, then the risk of loss is effectively mitigated and could be the first implementation of what is effectively a diskless Mac.

Of course, they could also call Apple and quietly suggest it put in and enable its notebooks with a TPM. I'll bet even Steve Jobs will take a call from the U.S. CTO or president. (If it were my laptop I'd be tempted to make this call myself.)

Having a technology-using president will force a number of changes. One of these changes may be ways to better integrate Macs into both government and business. Unfortunately, I doubt they will share this solution with us, but given how many things leak out of the government I expect it won't be long before someone figures this out and posts it. Who knows -- they may even share the information to help others in similar situations given that this new administration is promising more transparency.

Granted, they may have to solve the Zune vs. iPod question first.
