This week at IBM, a new term was coined: “systems of interaction” – to describe the integration across systems of engagement and systems of record. The idea is that you have systems focused on engaging with customers (systems of engagement) and other systems focused on transactions (systems of record), and the confluence of these helps drive interactions that can ultimately result in transactions for your business. That introduces new requirements for integration, security, reliability, and manageability across these domains. Find out more here: http://t.co/RfPAeohLKo.
Michael Curry: Information Explosion
The Story of Data Confusion
Malware on Mobile Grew 163% in 2012
Darrell Etherington of TechCrunch posted a new st
udy by NQ Mobile that reinforces the growing problem of security issues surrounding mobile. The report found that more than 32.8 million devices were infected in 2012. Over 25% of the infected devices are in China. It just isn’t realistic to assume that the mobile devices accessing your APIs are not infected…
Protecting Against JSON-Bourne Attacks
Mobile has become the new #1 target for hackers and cyberattacks. As more consumers and businesses become more comfortable conducting business over mobile devices, this becomes a natural target for the baddies who want to steal personal information, or just disrupt business. And if you believe what the experts are saying, you need to be prepared that your mobile phone will eventually be hacked… With the number of incidents of malicious code (particularly on Android) increasing by the day, it is vital that your organization is prepared.
That’s JSON-bourne, not Jason Bourne…
One of the main targets is not actually what is sitting on the phone, but instead the services that the app is accessing on the back end. These services present APIs that mobile apps invoke to get and put information into back end systems. In the mobile world, most of these APIs use a simple and concise data format called JSON to transmit this data and these requests. While most organizations protect these APIs using traditional firewall technologies, many are not doing enough to protect themselves from malicious content hidden in the JSON. According to IDC, “signature-based tools (antivirus, firewalls, and intrusion prevention) are only effective against 30–50% of current security threats.”
A similar issue arose in the height of SOA adoption, where protection against XML-bourne attacks became standard practice, but with the rise of mobile and lighter weight RESTful services, organizations need to shift to make sure they are protecting themselves against new threats.
The problem is that it is fairly easy to inject malicious content, buried in JSON data, into a seemingly innocuous REST call. Unless the malicious content matches one of the signatures that your firewall is watching for, the content will get through to the server, where it can be made to automatically execute as server-side Javascript. Since this code is generally executed in a less-protected area, it often has access to sensitive back-end systems, where it can do more damage or compromise private information.
Luckily, there is a way to protect against these threats without relying solely on good programming practices. Some of the same security gateways that organizations use to protect Web services can be easily extended to protect JSON/REST services. The best of these (like WebSphere DataPower) can be delivered as secure hardware appliances that prevent unauthorized tampering and provide FIPS 140-2 Level 3 certified protection. These gateways work by inspecting the data payloads and finding and filtering out suspect JSON data (among other things), providing a much deeper level of protection than traditional firewalls alone.
When you take a look at the OWASP top 10 threats, many of these remain relevant in JSON-centric applications. For example Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF) are still concerns. In addition, hackers can inject very large JSON documents that can cause massive slow-downs in the systems that process those messages. However, the biggest threat is script injection – one that is a bit more specific to how JSON is processed in Javascript, and one that enables direct execution of functions on infected servers.
With all of the focus and spending on Mobile security, organizations need to be considering this threat as much as they are the threats to what is resident on the phone itself. I don’t think this has sunk in for many organizations, yet. Is your organization ready?
An Internet of Things Hub for the Home
An Internet of Things Hub for the Home
Here it comes… Stacy Higginbotham has a nice post on Securifi’s touch screen Almond+ Router based on Zigbee. I want one.
It all changes when “things” get APIs
I’ve been spending an inordinate amount of time focused on the “Internet of Things” lately. I am impressed by how much buzz IoT has been getting lately, with a new connected device seemingly emerging each day. We’re in the early days, but things are moving fast.
In these early days, it seems that most connected “things” are producers of information. Sensors of many kinds are being deployed to collect information on all manner of things. Big data promoters and doomsayers alike rightly point to this information deluge as world-changing, allowing us to achieve an extra-sensory awareness of what is happening around us that opens up infinite new possibilities.
But it occurs to me that things will really get exciting when “things” expand beyond being just data producers, and begin to expose APIs that allow them to be controlled remotely. When a sensor can tell that a motor is overheating, that is good. When the overheating motor exposes an API that allows it to be remotely slowed or shut down automatically before it is ruined, that is even better.
We’re not that far away from this, really. Many of the new connected things are built to be controlled remotely, some with simple Web APIs. And with technologies like MQTT, it is relatively easy to retrofit traditional connected things to be controlled remotely. I think the next wave of consumer device innovation will focus on this – everyone will want a device router (or hack their Linksys router to act as one like T-Rob did), and everyone will expect their new appliances and consumer electronics to be connected so that they can tell you when they are having problems, and of course, be controlled remotely through an API.
“Did I turn off the dryer before we left?”
“I’m not sure – check your home control app”
It’ll be here before you know it…
Reliable messaging for mobile apps
James Governor wrote a nice post on Facebook’s expanding usage of MQ-TT. I’ve written about WebSphere MQ’s native telemetry transport (MQ-TT) capabilities in the past. The fact that Facebook is using MQ-TT protocol isn’t new news, they have actually been using it for their Facebook messenger capability for years. However, the fact that they are expanding their use because of the benefits of the protocol is definitely an encouraging development.
“…this week Facebook announced it would stop offering lame mobile experiences by offering a new native IoS client… and it is deepening its commitment to MQTT”
With Facebook expanding their usage of MQ-TT, I would think it is a safe bet that MQ-TT is the dominant real-time messaging protocol for mobile apps. It isn’t surprising that other software vendors like Software AG are announcing support for it.
