Posts Tagged ‘mobile device management’

jc-blog-iphoneSecurity professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard but the alternative is that anyone who can put their hands on your phone could read all your emails, texts, pics, view phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?

IMG_1602What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.

So, while it may be a royal pain to enter that complex, 8 character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it
could be a better trade off than the venerable but broken, 4-digit PIN.

Screen Shot 2015-02-05 at 2.16.49 PMIn 2013 I did a presentation on social media threats at the OOP (Object Oriented Programming) conference in Munich. (You can see my presentation here.)

Well, the folks that ran the conference were nice enough to invite me back for this year’s event where I did a talk entitled “The Data Center in Your Pocket: Securing Mobile Devices.”

There’s logo_biggerno video this time around but I did do an interview for InfoQ.com on the general topic of mobile security, which you can find here, in case you’re interested.

 

 

 

 

 

Here’s a link to a posting I did for IBM’s Security Intelligence Blog on the perils of ignoring the whole Bring Your Own Device (BYOD) trend. Enjoy …

http://securityintelligence.com/byod-why-you-better-not-ignored-it/

 

 

Here’s a not so fun fact … apparently now you can’t even trust the charger you have your phone plugged into to not attack. OK, before you break out the tin foil hats, it might not be as bad as all that but there is a bit of fire amidst all the smoke.

A researcher at Georgia Tech revealed details at the latest Black Hat security conference that a modified USB charger could install malicious apps on a connected iPhone. According to a PCWorld article:

Once you plug your iPhone, the Universal Device ID (UDID) can be extracted just as long as the device doesn’t have a passcode unlock. The Mactans then claims your device as a test subject with any validated Apple developer ID and you can’t reject it since it doesn’t ask for their permission or offer any visual evidence that there’s anything going on in the background. 

So far there is no evidence that anyone has actually tried to exploit this vulnerability and the good news is that Apple says they have a fix coming in iOS 7 which will notify you before it’s too late. Also, you can help yourself considerably by adding a passcode to the phone, which is something you should do anyway.

The reason I find this interesting is that it exposes yet another area of “presumed security.” No one thinks that a charger could do harm to your phone (assuming it doesn’t zap the circuitry). In fact, most don’t even consider the fact that the same connection that supplies power is also used for data transfer — a great idea for simplifying the design of mobile devices but not so good from a security perspective, where isolation of functions is preferable.

We are conditioned to think of a power outlet as a relatively passive connection that does nothing more than supply juice to our gadgets but, in reality, it can do much more and, since it can, just as we all leverage that fact to our advantage, you can bet that a bad guy will try to do the same.

So the lesson here is not so much about iPhone chargers as it is about questioning long held assumptions because that what the hackers are already doing. The only thing in doubt is which side will figure this stuff out first…

There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a recent study, you rarely let this spy get out of arm’s reach. Are you sufficiently paranoid yet?

Turns out this spy is your mobile phone. It knows pretty much everywhere you go, how long you stay there, who you associate with, who your closest friends are, what you say to them, what you like and what you don’t like, what you’re in the market for and so on. It knows all this because it is the center of your digital life. Your social media accounts, your emails, your text messages, your phone calls, your photographs, your location, your purchases — all that and more are being tracked to one degree or another by Facebook, Google, Apple, Twitter, Verizon, AT&T, Sprint and a host of others.

Maybe none of that bothers you — but maybe this would … what if all that info was available to your ex, your boss, a stalker or just some creep who figured out how to turn your phone into a video and audio surveillance device by planting software on it without your knowledge. With this, your voyeur can turn on the microphone on your phone and listen in to your conversations even when you aren’t on the phone and see you through the video camera and read your emails and texts and … you get the picture.

Pretty creepy, huh? Well, it’s not at all far-fetched. In fact, here’s commercially available tool that will do it for you (Note: I’ve redacted the name of the software because I’m not trying to advertise for it):

PhoneSpyware

… and it’s far from the only option. Here’s an article from PC World that talks about malware that does the same:

http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html#tk.nl_today

This really isn’t a new concept as we’ve had malware on PCs that could do this for more than a decade. What has changed is that mobile phones contain so much more info about you and are so portable that they go everywhere with you — everywhere.

Mobile device anti-malware programs can help but that whole industry is still fairly immature so the capabilities haven’t really caught up with the threats just yet. Some of the best things you can do are:

  • don’t download programs from places other than the authorized sources (Google Play, Apple App Store),
  • don’t root your device (even though it’s awfully tempting to do so in order to get some extra goodies that the providers have been denying you) and,
  • just as with PCs, don’t click on links unless you are expecting them and know where they are going to take you — regardless of who they appear to be coming from.

Sorry to be the bearer of bad news and paranoia, but I figure it’s better you know because the bad guys already do…

The mobile phone has, for many, become no longer a “nice to have,” but a “must have” capability. Not only do we make and receive calls most anywhere, but we can access our calendars, check email, surf the web, update social media status, take pictures, play music, store contacts, play games, check scores, get directions, find restaurants … you get the idea. In a word it’s “indispensable.”

It is precisely because these mobile devices are easily portable, always connected and do about everything, but make toast for you in the morning, that they have also find themselves squarely in the middle of both our personal and professional lives. Most people are unwilling to carry separate phones for each persona because:

  1. it’s cumbersome
  2. it’s expensive (multiple wireless contracts, hardware acquisition costs)
  3. it’s not necessary — since we know a single device can handle the chores of the workplace as well as the household seamlessly.

The problem from a security standpoint is that these handy devices, which most people already own and want to connect to the corporate network, represent a significant loss of control over traditional computing platforms.

So how do you keep “bring your own device” from becoming “bring your own disaster” from an IT security standpoint?

There are basically three different approaches to reign in what would have seemed to us 30 years ago as a data center in your pocket:

  1. Mobile Device Management: install a client on the device which enforces security policies for things like password strength, encryption, remote device wiping, blacklisting and whitelisting of apps, etc.
  2. Containerization: Install a client which includes APIs that app vendors can leverage to create isolated versions of email, calendar, contacts, etc. so that threats to the personal side (e.g. Facebook, SMS, etc.) won’t impact the business side (e.g. corporate email).
  3. Virtualization: Install a client which essentially divides the device into multiple, virtual devices — meaning you basically have a personal phone with its apps and a business phone with its apps and never the twain shall meet.

Mobile device management provides the most seamless experience with virtualization providing the most isolation, which helps from both a security as well as privacy standpoint.

For the most part the vendors in this space fit into one of these three categories. But what about a hybrid/best of both worlds approach?

I’ve been espousing this tactic for a while so I was especially pleased to see an example of just such a union. In this case it’s between IBM’s Endpoint Manager (mobile device management) and Enterproid’s Divide (virtualization).

Now you don’t have to choose either/or but can do both/and. This way you get the isolation that guards against personal apps stealing business data while keeping the big brothers at corporate HQ from keeping tabs on your Angry Birds addiction. The mobile device controls can be added to the business container/virtual device for finer-grained policy enforcement so that the company gets to insist on your use of that irritatingly long and complicated password to secure their data while you can choose the security policy of your choice for your own personal data, which may or may not be more valuable to you.

For more info on this hybrid approach, take a look at:

http://www-01.ibm.com/software/tivoli/beat/07162013.html

You can download trial versions of the tools and try it out for yourself. I suspect we will see more of this sort of integration moving forward in order to gain back some of the control that corporate IT is losing when BYOD enters the picture.

 

 

 

 A story that should be no surprise to anyone (but, no doubt will catch many off guard), BBC News is reporting that, unbeknownst to their owners, Android phones are being used as spam relays.

Yes, that smart phone that goes with you everywhere you go, fits easily in either a pocket or a purse, and has become an indispensable tool of modern life is, in fact, a small, fully functional computer. As such, it can not only place and receive calls but also do most the great things that we’ve come to expect from a PC (e.g. send/receive email, browse the web, run apps, play music, etc.). In addition, it can do most of the really awful things that PC can do as well such as crash at inopportune times, leak personal information and get infected with viruses.

Although, the amount of malware affecting smart phones to date is relatively small as compared to PCs, the threat is not insignificant and will only continue to grow.

So it shouldn’t surprise us when we read that infected versions of popular apps like Angry Birds are beginning to circulate. The latest twist is just a variation on a theme we learned about more than a decade ago with the advent of so called “zombies” or “bots” — systems under the control of a remote attacker that can be coordinated to form an army of denial of service attackers or spam senders. If you could do it on a PC, there’s no reason to believe it couldn’t (and wouldn’t) be done on a smart phone and, in fact, now it has been.

What can you do to protect yourself from being an unwilling accomplice and avoid a monstrously large cell phone bill if the zombie happens to exceed your monthly data limit or, potentially worse, leverages premium SMS text messaging services without your knowledge?

  1. Don’t install apps from untrusted sources.

    Even the official Google Play store is known to have more than its share of sketchy apps but if you veer off into some lesser known (and less reliable) sources, you are really playing with fire.

  2. Don’t install apps that you don’t really need.

    What constitutes “need” vs. “nice to have” is an endless debate topic that varies from person to person. Suffice it say, if that by limiting the number of apps you have to those that you will really use, you will have reduced your risk by effectively reducing the attack surface.

  3. Check the permissions before granting access.

    One of the nice features of Androids over iPhones is that they actually tell you during the install process what resources on your phone the app is going to access. At that point you can choose to proceed or abort the install based upon your tolerance for risk. Unfortunately, there isn’t much granularity in this process as you can’t see the details of how these resources will be used or have the ability to selectively grant access to some but not others but at least it’s a start.

  4. Install anti-malware.

    Yes, they have this for smart phones now. It’s not a perfect solution and some will argue that it’s unnecessary given the relatively small number of malware examples on smart phones but it wasn’t all that long ago that people were saying the same thing about Macs and, before that, PCs and time eventually proved them wrong.

Apple does a good job of vetting apps before they make it into their app store but that doesn’t mean there is no risk with that option either as there have been some cases where bad stuff slipped through.

Bottom line: If it does the good things a computer can do then it can also do the bad things a computer can do and that means you need to be mindful of security threats to not only desktops, laptops and servers, but also to phones and tablets. Can TVs and cars be far behind?