Posts Tagged ‘mobile security’

There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a recent study, you rarely let this spy get out of arm’s reach. Are you sufficiently paranoid yet?

Turns out this spy is your mobile phone. It knows pretty much everywhere you go, how long you stay there, who you associate with, who your closest friends are, what you say to them, what you like and what you don’t like, what you’re in the market for and so on. It knows all this because it is the center of your digital life. Your social media accounts, your emails, your text messages, your phone calls, your photographs, your location, your purchases — all that and more are being tracked to one degree or another by Facebook, Google, Apple, Twitter, Verizon, AT&T, Sprint and a host of others.

Maybe none of that bothers you — but maybe this would … what if all that info was available to your ex, your boss, a stalker or just some creep who figured out how to turn your phone into a video and audio surveillance device by planting software on it without your knowledge? With this, your voyeur can turn on the microphone on your phone and listen in to your conversations even when you aren’t on the phone and see you through the video camera and read your emails and texts and … you get the picture.

Pretty creepy, huh? Well, it’s not at all far-fetched. In fact, here’s a commercially available tool that will do it for you (Note: I’ve redacted the name of the software because I’m not trying to advertise for it):

PhoneSpyware

… and it’s far from the only option. Here’s an article from PC World that talks about malware that does the same:

http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html#tk.nl_today

This really isn’t a new concept as we’ve had malware on PCs that could do this for more than a decade. What has changed is that mobile phones contain so much more info about you and are so portable that they go everywhere with you — everywhere.

Mobile device anti-malware programs can help but that whole industry is still fairly immature so the capabilities haven’t really caught up with the threats just yet. Some of the best things you can do are:

  • don’t download programs from places other than the authorized sources (Google Play, Apple App Store),
  • don’t root your device (even though it’s awfully tempting to do so in order to get some extra goodies that the providers have been denying you) and,
  • just as with PCs, don’t click on links unless you are expecting them and know where they are going to take you — regardless of who they appear to be coming from.

Sorry to be the bearer of bad news and paranoia, but I figure it’s better you know because the bad guys already do…

The mobile phone has, for many, become no longer a “nice to have,” but a “must have” capability. Not only do we make and receive calls most anywhere, but we can access our calendars, check email, surf the web, update social media status, take pictures, play music, store contacts, play games, check scores, get directions, find restaurants … you get the idea. In a word it’s “indispensable.”

It is precisely because these mobile devices are easily portable, always connected and do just about everything but make toast for you in the morning that they also find themselves squarely in the middle of both our personal and professional lives. Most people are unwilling to carry separate phones for each persona because:

  1. it’s cumbersome
  2. it’s expensive (multiple wireless contracts, hardware acquisition costs)
  3. it’s not necessary — since we know a single device can handle the chores of the workplace as well as the household seamlessly.

The problem from a security standpoint is that these handy devices, which most people already own and want to connect to the corporate network, represent a significant loss of control over traditional computing platforms.

So how do you keep “bring your own device” from becoming “bring your own disaster” from an IT security standpoint?

There are basically three different approaches to rein in what would have seemed to us 30 years ago as a data center in your pocket:

  1. Mobile Device Management: Install a client on the device which enforces security policies for things like password strength, encryption, remote device wiping, blacklisting and whitelisting of apps, etc.
  2. Containerization: Install a client which includes APIs that app vendors can leverage to create isolated versions of email, calendar, contacts, etc. so that threats to the personal side (e.g. Facebook, SMS, etc.) won’t impact the business side (e.g. corporate email).
  3. Virtualization: Install a client which essentially divides the device into multiple, virtual devices — meaning you basically have a personal phone with its apps and a business phone with its apps and never the twain shall meet.

Mobile device management provides the most seamless experience, while virtualization provides the most isolation, which helps from both a security and a privacy standpoint.

For the most part the vendors in this space fit into one of these three categories. But what about a hybrid/best of both worlds approach?

I’ve been espousing this tactic for a while so I was especially pleased to see an example of just such a union. In this case it’s between IBM’s Endpoint Manager (mobile device management) and Enterproid’s Divide (virtualization).

Now you don’t have to choose either/or but can do both/and. This way you get the isolation that guards against personal apps stealing business data while keeping the big brothers at corporate HQ from keeping tabs on your Angry Birds addiction. The mobile device controls can be added to the business container/virtual device for finer-grained policy enforcement so that the company gets to insist on your use of that irritatingly long and complicated password to secure their data while you can choose the security policy of your choice for your own personal data, which may or may not be more valuable to you.

For more info on this hybrid approach, take a look at:

http://www-01.ibm.com/software/tivoli/beat/07162013.html

You can download trial versions of the tools and try it out for yourself. I suspect we will see more of this sort of integration moving forward in order to gain back some of the control that corporate IT is losing when BYOD enters the picture.

 

 

 

The conventional answer to this question is that Apple’s “walled garden,” which places restrictions on app developers, creates a more secure environment for iOS whereas Google’s more permissive model puts Android users at greater risk.

As I have posted here before, there is plenty of ammo to bolster that position:

But the story is more complicated than that. For instance, take this recent report from Appthority which finds that “iOS apps leak more personal data than do Android apps”.

The differences are not huge but they do add fuel to the fire regarding which platform is safer. Apple Insider sums it up well:

A number of questionable policies and security concerns have painted Google’s Android platform as inherently less secure than Apple’s iOS. Android does appear to be more vulnerable to malware than iOS, but mobile malware affects only one percent of apps. The larger concern, the study concludes, should be over how mobile apps handle personal information and company data.

In the end, the unsatisfying answer as to which is more secure is, you guessed it, “it depends,” so pick your poison … 🙂

 

I’ve written here previously about the increasing need for attention in the area of securing mobile phones. It has taken some time but it seems we have reached a place where most everyone realizes that if they want to connect a desktop or laptop to the Internet, they also need to take precautions against malware, spyware and so on, but we aren’t there yet when it comes to intuitively understanding the risks associated with mobile devices.

According to at least one estimate there are now more than 1 billion (with a “b”) smartphones in use around the world and we are on pace to reach a point where there are more of them (smartphones = 10 billion) than us (people = 7.3 billion) by 2016.

And what are all these smartphones but tiny, portable computers with wireless connections? Meaning, they can be hacked just like traditional PCs can. In fact, going mobile increases the risk by adding in additional variables since these devices are more easily lost and stolen.

Slowly the level of awareness is coming around to the point where eventually everyone will realize that smartphones need security just like laptops and desktops do.

But what about tablets? Same song, next verse. After all, what is an Android tablet other than a larger version of an Android phone that can’t make cell calls, and what is an Android phone other than a PC that can?

In other words, if it computes it can be hacked and if it can be hacked you probably ought to think about protecting it. Tablets are not exempt from security risks any more than smartphones or laptops are.

In today’s Raleigh News & Observer “Stump the Geeks” column, Tyler Dukes asked me to comment on the need for tablet security. You can see my comments along with some interesting study results from NC State University (my alma mater) in this area.

Ignorance may be bliss but when it comes to security it also leads to disaster so I’d say a little less bliss is better in this case…

If my last post regarding Android devices being marshaled into zombie armies sounded a little over the top maybe this one will resonate a little better.

According to forensic blog, which focuses on mobile phone forensics and malware, as of December 26, 2012, there are 115 unique Android malware families known to exist. That number would be significantly higher if you counted all the variations on these that might be circulating.

115 doesn’t sound like a lot compared to the tens of thousands of Windows viruses in existence, but it’s a far cry from zero and should serve as a wake-up call regarding the need for malware protection on mobile devices. If that still doesn’t convince you, then maybe the analysis regarding the threat that these present might:

  • Families that steal personal information: 51.3%
  • Families that send premium rated SMS messages: 30.1%
  • Families with characteristics of a Botnet: 23.5%
  • Families that contain Root-Exploits: 18.3%
  • Families downloaded from the Google-Play Market: 11.3%
  • Families that install additional applications: 10.4%
  • Families that steal location related data: 8.7%
  • Potentially unwanted applications: 7.8%
  • Online-Banking Trojans: 3.5%

Source: forensic blog, http://forensics.spreitzenbarth.de/

And don’t get too smug because your phone or tablet runs iOS. We had this debate years ago when people claimed that Mac OS was immune and then again with UNIX/Linux. Granted, the relative risk might be lower over the entire population of these install bases but the fact remains that any functional OS can be exploited because none are perfect.

Put more succinctly, all software (of any significant complexity) has bugs and some percentage of those bugs will be security-related, therefore, all software carries with it a set of security risks.

In a story that should be no surprise to anyone (but will no doubt catch many off guard), BBC News is reporting that, unbeknownst to their owners, Android phones are being used as spam relays.

Yes, that smart phone that goes with you everywhere you go, fits easily in either a pocket or a purse, and has become an indispensable tool of modern life is, in fact, a small, fully functional computer. As such, it can not only place and receive calls but also do most of the great things that we’ve come to expect from a PC (e.g. send/receive email, browse the web, run apps, play music, etc.). In addition, it can do most of the really awful things that a PC can do as well, such as crash at inopportune times, leak personal information and get infected with viruses.

Although the amount of malware affecting smart phones to date is relatively small compared to PCs, the threat is not insignificant and will only continue to grow.

So it shouldn’t surprise us when we read that infected versions of popular apps like Angry Birds are beginning to circulate. The latest twist is just a variation on a theme we learned about more than a decade ago with the advent of so called “zombies” or “bots” — systems under the control of a remote attacker that can be coordinated to form an army of denial of service attackers or spam senders. If you could do it on a PC, there’s no reason to believe it couldn’t (and wouldn’t) be done on a smart phone and, in fact, now it has been.

What can you do to protect yourself from being an unwilling accomplice and avoid a monstrously large cell phone bill if the zombie happens to exceed your monthly data limit or, potentially worse, leverages premium SMS text messaging services without your knowledge?

  1. Don’t install apps from untrusted sources.

    Even the official Google Play store is known to have more than its share of sketchy apps but if you veer off into some lesser known (and less reliable) sources, you are really playing with fire.

  2. Don’t install apps that you don’t really need.

    What constitutes “need” vs. “nice to have” is an endless debate topic that varies from person to person. Suffice it to say that by limiting the number of apps you have to those that you will really use, you will have reduced your risk by effectively reducing the attack surface.

  3. Check the permissions before granting access.

    One of the nice features of Androids over iPhones is that they actually tell you during the install process what resources on your phone the app is going to access. At that point you can choose to proceed or abort the install based upon your tolerance for risk. Unfortunately, there isn’t much granularity in this process as you can’t see the details of how these resources will be used or have the ability to selectively grant access to some but not others but at least it’s a start.

  4. Install anti-malware.

    Yes, they have this for smart phones now. It’s not a perfect solution and some will argue that it’s unnecessary given the relatively small number of malware examples on smart phones but it wasn’t all that long ago that people were saying the same thing about Macs and, before that, PCs and time eventually proved them wrong.
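To make tip 3 concrete, here is an added example (not part of the original post) that reads the permissions an app declares and flags the ones tied to the risks discussed on this page that the app's stated purpose does not explain. It assumes the manifest has already been decoded to plain-text XML; the risk mapping, the function names and the sample flashlight manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"

# Permission -> risk described in these posts (mapping chosen for this example).
RISKY = {
    "android.permission.SEND_SMS": "premium SMS charges",
    "android.permission.READ_SMS": "reading text messages",
    "android.permission.RECORD_AUDIO": "microphone eavesdropping",
    "android.permission.CAMERA": "camera surveillance",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing additional apps",
}

# Constructed sample: a "flashlight" app that asks for far more than a flash needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Flashlight"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def review(manifest_xml, expected=frozenset()):
    """List risky permissions that the app's stated purpose does not explain.

    `expected` holds permissions the reviewer considers justified, e.g. CAMERA
    for a flashlight. Each finding notes whether the app also has network
    access, since that is what lets collected data leave the phone.
    """
    perms = requested_permissions(manifest_xml)
    online = NETWORK in perms
    findings = []
    for perm in sorted(perms & set(RISKY)):
        if perm not in expected:
            findings.append({"permission": perm, "risk": RISKY[perm],
                             "network_access": online})
    return findings


if __name__ == "__main__":
    for item in review(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"}):
        print(item)
```
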

Apple does a good job of vetting apps before they make it into their app store but that doesn’t mean there is no risk with that option either as there have been some cases where bad stuff slipped through.

Bottom line: If it does the good things a computer can do then it can also do the bad things a computer can do and that means you need to be mindful of security threats to not only desktops, laptops and servers, but also to phones and tablets. Can TVs and cars be far behind?

I’m back from a few weeks in China where, unfortunately, it seems that this blog and many others are blocked. One of the hot topics there, and everywhere for that matter, is the subject of how to secure mobile devices — especially those that employees buy on their own and then expect to connect into the enterprise.

It’s a reasonable expectation, after all, as the line between work life and personal life continues to blur and the need to have instant access to corporate as well as personal email, calendar and contacts increases. If I need to travel over the weekend to be in Beijing by Monday then I also need to make sure that I don’t have a personal commitment with my family for some important event during that same interval. Having a single, portable device to let me juggle the demands of both the personal and professional realms makes the job a lot easier.

Not only is this a benefit for the employee but also for the business. According to one study, this BYOD (Bring Your Own Device) trend is resulting in an additional 20 hours of work per week, as summarized below:

“Employees have become even more tethered to technology in their daily lives and report they work as many as 20 additional hours a week online due to their flexible schedules. One-third of mobile workers said they never fully disconnect from technology, even during family and personal time. In some ways BYOD is enabling and supporting employees, allowing them to work more hours – and these hours help the bottom line of their companies.”

But with this added flexibility come some really tough security issues that must be navigated. My colleague, Dave Merrill, has written a nice summary of some of the key differences that the mobile arena brings to the table, which I recommend taking a look at. Here’s a link to the posting on the IBM Institute for Advanced Security web site:

http://instituteforadvancedsecurity.com/content-library/m/public_files/149.aspx

BYOD or “Bring Your Own Device” is like a runaway train barreling down the tracks. If you’re the IT Dept you can either jump on board where at least you have a chance to determine which track it rides on or stand in front of the train, hands outstretched yelling “stop!” As you might guess, in that latter scenario, the train always wins.

But that doesn’t mean you just give up and let anyone bring any device they want into the corporate network where sensitive data is kept. The threat these handy gizmos pose is real but so is their value to the organization so you have to recognize both aspects and do what you can to mitigate the risks.

One of those risks is that the phone could be riding around New York City in the back of a cab even though the device’s owner no longer is. According to this article in USA Today, Americans lost $30 billion (with a “b”!) worth of cell phones last year alone…

http://www.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1

 

With the proper precautions, though, you actually can embrace the trend that has resulted in the proliferation of this ubiquitous computing capability. Here’s a good story from InfoWorld on how IBM is doing it …

How IBM manages 80,000 bring-your-own devices

There are no risk free options here but learning to say “how” rather than “no” at least ensures that you remain part of the conversation. 

 

 

I was interviewed recently by Wes Simonds, a freelance technology writer who blogs for IBM Software, on the subject of mobile device security and some of the inherent challenges with “herding the cats” in this space. Here are a few of my quotes from the article:

  • “The form factor has shrunk, but the threat has not. We can either learn how to surf the tsunami of mobile devices or be crushed by it. And since the waters are shark-infested with hackers, the risks of getting it wrong are significant.”
  • “Whereas we used to have the data in some glass house, in some controlled environment, now it’s sitting in somebody’s pocket. Or worse yet, it’s sitting in the back of a taxi cab that you took an hour ago. And it’s still riding around New York City. And you aren’t.”
  • “When it comes to BYOD (Bring Your Own Device), we as IT security professionals have to learn to say ‘how’ rather than ‘no,’” said Crume. “Because if we don’t, users will do it anyway, and in a far more insecure manner.”

Here’s a link to the full article:

https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/entry/mobile_security_smaller_devices_bigger_threats8?lang=en_us

Here’s the second half of the interview I did from last week’s IBM Impact 2012 conference with Tom Young from developerWorks