Archive for July, 2013

Pardon the interruption …

Posted: July 23, 2013 in Uncategorized

Well that was interesting … just before boarding a flight in Chicago I made a post here about mobile phone security/privacy entitled “The spy in your pocket.” When I got off the plane in Beijing (where my blog is blocked, by the way, as most are in China), I had a message that the site had been suspended with no further explanation.

After some frantic searching around and a few emails to WordPress support (they host the blog), I found out that their scanner apparently didn’t like one of the links I included. I had it there for illustrative purposes only but I think they assumed I was trying to promote it (which I wasn’t).

Anyway, all’s well that ends well and now back to your regularly scheduled programming …

Advertisements

There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a recent study, you rarely let this spy get out of arm’s reach. Are you sufficiently paranoid yet?

Turns out this spy is your mobile phone. It knows pretty much everywhere you go, how long you stay there, who you associate with, who your closest friends are, what you say to them, what you like and what you don’t like, what you’re in the market for and so on. It knows all this because it is the center of your digital life. Your social media accounts, your emails, your text messages, your phone calls, your photographs, your location, your purchases — all that and more are being tracked to one degree or another by Facebook, Google, Apple, Twitter, Verizon, AT&T, Sprint and a host of others.

Maybe none of that bothers you — but maybe this would … what if all that info was available to your ex, your boss, a stalker or just some creep who figured out how to turn your phone into a video and audio surveillance device by planting software on it without your knowledge. With this, your voyeur can turn on the microphone on your phone and listen in to your conversations even when you aren’t on the phone and see you through the video camera and read your emails and texts and … you get the picture.

Pretty creepy, huh? Well, it’s not at all far-fetched. In fact, here’s commercially available tool that will do it for you (Note: I’ve redacted the name of the software because I’m not trying to advertise for it):

PhoneSpyware

… and it’s far from the only option. Here’s an article from PC World that talks about malware that does the same:

http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html#tk.nl_today

This really isn’t a new concept as we’ve had malware on PCs that could do this for more than a decade. What has changed is that mobile phones contain so much more info about you and are so portable that they go everywhere with you — everywhere.

Mobile device anti-malware programs can help but that whole industry is still fairly immature so the capabilities haven’t really caught up with the threats just yet. Some of the best things you can do are:

  • don’t download programs from places other than the authorized sources (Google Play, Apple App Store),
  • don’t root your device (even though it’s awfully tempting to do so in order to get some extra goodies that the providers have been denying you) and,
  • just as with PCs, don’t click on links unless you are expecting them and know where they are going to take you — regardless of who they appear to be coming from.

Sorry to be the bearer of bad news and paranoia, but I figure it’s better you know because the bad guys already do…

Here’s a link to a short, 15-minute video on the subject of “Social Media Threats” that I did today for Hacker Hotshots. I had to step out of a customer workshop and use my iPad for the web cast so the lighting and camera angle are far from ideal but, hopefully, you will at least get an idea of what’s out there waiting for you on the Interwebs…

The mobile phone has, for many, become no longer a “nice to have,” but a “must have” capability. Not only do we make and receive calls most anywhere, but we can access our calendars, check email, surf the web, update social media status, take pictures, play music, store contacts, play games, check scores, get directions, find restaurants … you get the idea. In a word it’s “indispensable.”

It is precisely because these mobile devices are easily portable, always connected and do about everything, but make toast for you in the morning, that they have also find themselves squarely in the middle of both our personal and professional lives. Most people are unwilling to carry separate phones for each persona because:

  1. it’s cumbersome
  2. it’s expensive (multiple wireless contracts, hardware acquisition costs)
  3. it’s not necessary — since we know a single device can handle the chores of the workplace as well as the household seamlessly.

The problem from a security standpoint is that these handy devices, which most people already own and want to connect to the corporate network, represent a significant loss of control over traditional computing platforms.

So how do you keep “bring your own device” from becoming “bring your own disaster” from an IT security standpoint?

There are basically three different approaches to reign in what would have seemed to us 30 years ago as a data center in your pocket:

  1. Mobile Device Management: install a client on the device which enforces security policies for things like password strength, encryption, remote device wiping, blacklisting and whitelisting of apps, etc.
  2. Containerization: Install a client which includes APIs that app vendors can leverage to create isolated versions of email, calendar, contacts, etc. so that threats to the personal side (e.g. Facebook, SMS, etc.) won’t impact the business side (e.g. corporate email).
  3. Virtualization: Install a client which essentially divides the device into multiple, virtual devices — meaning you basically have a personal phone with its apps and a business phone with its apps and never the twain shall meet.

Mobile device management provides the most seamless experience with virtualization providing the most isolation, which helps from both a security as well as privacy standpoint.

For the most part the vendors in this space fit into one of these three categories. But what about a hybrid/best of both worlds approach?

I’ve been espousing this tactic for a while so I was especially pleased to see an example of just such a union. In this case it’s between IBM’s Endpoint Manager (mobile device management) and Enterproid’s Divide (virtualization).

Now you don’t have to choose either/or but can do both/and. This way you get the isolation that guards against personal apps stealing business data while keeping the big brothers at corporate HQ from keeping tabs on your Angry Birds addiction. The mobile device controls can be added to the business container/virtual device for finer-grained policy enforcement so that the company gets to insist on your use of that irritatingly long and complicated password to secure their data while you can choose the security policy of your choice for your own personal data, which may or may not be more valuable to you.

For more info on this hybrid approach, take a look at:

http://www-01.ibm.com/software/tivoli/beat/07162013.html

You can download trial versions of the tools and try it out for yourself. I suspect we will see more of this sort of integration moving forward in order to gain back some of the control that corporate IT is losing when BYOD enters the picture.