Indian Government demands access to Gmail, Skype, and Blackberry data.

From SANS:

The Indian government is seeking to ensure that it will have access to
the content of communications sent over Gmail and the Skype and
BlackBerry networks in a readable format.  The government wants the
power to access communications as a means to combat terrorism.  Skype
and BlackBerry parent company RIM have been given two weeks to comply,
or they could find themselves banned in India.

Quick impressions:

While I’ve expressed concerns before over the decryption of Skype calls in China and Germany by the government, it has mainly been an issue of “is Skype business ready”.  While I’ve been okay with the use of Skype for personal communications, that is it.

Blackberry communications is another story.  A large percentage of the 41 million Blackberry users around the world are “corporate” users.  Which should mean that most of the data between those devices is work data (though we know quite a bit isn’t).  RIM supposedly has a symmetric key system while would mean that only the customer creates their own encryption key.  It would be very bad for RIM for this not to be the case and would cause a lot of issues with their customer base (many of which have chosen them for their secure messaging).

Gmail… again, this shouldn’t be your corporate mail system.  If Google willingly allows this, you can choose to opt out and choose another provider.  So while I’m not keen on the idea, at least you have the option.

http://www.pcworld.com/businesscenter/article/200257/reports_blackberry_skype_google_face_india_data_demand.html
http://www.business-standard.com/india/news/govt-may-get-access-to-foreign-firms%5C-networks/400107/
http://economictimes.indiatimes.com/Infotech/Hardware/BlackBerry-has-to-pass-security-muster-in-15-days/articleshow/6112344.cms?curpg=1
http://www.thehindubusinessline.com/2010/07/01/stories/2010070153420100.htm
http://asia.cnet.com/blogs/tech-curry/post.htm?id=63019606&scid=rvhm_ms

Cell phone security best practices – keeping your personal information personal.

In presentations I give on security, I have become accustomed to a pattern of presenting the information.  Step one, pose questions or situations that allow your audience to immediately identify with you or the subject.  Step two, provide case studies or scenarios that provide examples to support the subject.  Step three, give the audience some actionable items.

This article is all about supporting step three.  If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.

In this case, I wanted to provided supporting information to the Does My Cell Phone Have a Virus article. Also this seems very timely with the recent loss of the next generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, nevermind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…

But I digress…   Most all the offline questions I have received from my last article have had a common theme:

  • I did this, did I get a virus?
  • My insert_model_phone_name_here is acting funny what do I do?
  • I installed this app, is it legit?

Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid.  You want to put preventative measures in place so that these concerns should be minimized.

You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:

  1. Loss is your biggest risk, don’t lose your phone.  Your cell phone can have the equivalent information as your birth certificate, bank statements, and diary all in one location.  Maintaining physical control of the device is the best thing you can do to avoid losing your information.
  2. Make sure you use a password (or PIN if that’s what your phone supports) to lock out the device.  This is the single biggest thing that users complain about the inconvenience of.  If anyone were to pick up your device, do not leave it wide open for anyone to read.  Protect it.
  3. If your device offers encryption of the device and any removable media, use it.  If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information.  Make it difficult for someone to get the data.
  4. Just because you can download hundreds of applications, does not mean you should.  Be aware that many free applications are made to get personal information from you (again see my other post on this).  Others may actually be malicious.
  5. When downloading applications, be especially careful of banking applications. Only download them from trusted sources.  If you can download directly from the bank, that is your best option.  If you download from an app store, read the reviews and make sure you are one of the first 10 people to download something.
  6. Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
  7. If your device supports WiFi, only connect to secure and trusted networks.  A network called “FreeWiFi” usually is not the best option.
  8. Limit the amount of data you store on your phone.  If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it.  Limiting the amount of data on the device limits your risk if the device is lost or stolen.
  9. From a financial liability standpoint, inquire about cell phone insurance from your provider.  In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.
  10. If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost.  If you remove all the data, you can limit your loss to just the device itself.
  11. Inquire with your provider and check with device manufacturer for device patches and upgrades.  Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
  12. If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices) look to manufacturers like Symantec and McAfee for firewall, anti-virus and SPAM prevention software.

Some of these are configurations you can do on your phone while the others are things you need to know to modify your behavior while using your phone.  If you follow these steps, chances are you should be okay.  In the rare case you loose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo) know that all bets may be off.  But for the average person, you’re going to be okay.

Cell Phone Contract With Your Kids

I am not one to address cell phone etiquette. As an adult and parent these are areas of your responsibility where I am not an expert. What I can offer advice on are security concerns as a parent and as a security professional and that is what I’ve done in the companion article to this one.

I have read quite a few articles online and I am using information from many of those articles also. I am providing links to those articles at the end of this article so you can review each of their perspectives and offerings on the information as well as giving them credit for their contribution to the general online discussion and presentation of this material.

While I’m one for trying to be thorough, I would think twenty-one terms with as much wording as I’ve included below would be a bit much for most kids.  It isn’t that they can’t live by the principals, but as an adult, look at it like the contract you signed to purchase your house.  It’s difficult for most to understand every single item because of volume alone.  So my suggestion would be to distill the information down to what you think is necessary for your child and try to get it to about seven rules that you can state in a sentence each.  Again, you are the parent and should best be able to determine which rules work (or are needed) for your child and how you can best present them.

    1. You can only provide your phone number to those whom Mom and Dad have given explicit permission to.
    2. Do not answer any calls or reply to any texts unless you know who it is (approved by Mom and Dad from above).
    3. Keep cell phone on when out with friends so Mom or Dad can reach you if needed and always answer when we call.
    4. You can only call or text those who are on your contact list. Any additions to your contact list must be approved by Mom or Dad.
    5. No downloads (apps, ring tones, etc) or using the internet without permission ahead of time — this costs extra.  Perhaps a prescribed number of apps or ring tones as incentives?
    6. Phone MUST be turned off by 9pm each evening and left in the kitchen for charging. It stays off till the next morning after you’re ready for school and/or chores are done.
    7. The phone may be used after homework and chores are completed.
    8. No cell phone till your homework is done after school and during family times (dinner, family night, etc).
    9. The phone is to be turned off when visiting with relatives or friends, or at other inappropriate times (movies, museums, etc.)
    10. When at home, use the regular phone instead of cell phone to make calls.
    11. When asked to turn off phone, it must be done immediately. If a second request is needed, phone will be taken away for a day.
    12. Sending pictures to anyone requires permission by Mom or Dad at first. Once judgement is demonstrated additional privileges can be granted.  If you send or receive any pictures that may be inappropriate or even questionable, please inform Mom and Dad immediately.
    13. If gossip, bad language, or immodest pictures are taken, phone may be taken away for a specific time period or permanently.
    14. Phone must be on “silent mode” during school hours and left in your backpack (unless you are leaving the school for a field trip or something similar — then keep it with you). The phone cannot be used at school during school hours unless you have your teacher’s approval first. Know your school’s rules for cell phones and follow them.
    15. If grades go down, and are not corrected quickly, cell phone privileges will be lost until grades are back up.
    16. Mom & Dad have the right to inspect your phone at any time.
    17. There is a 2 hour (or some prescribed) limit for your cell phone use for the month. If you go over that time you must pay for the overage.
    18. Mom and Dad may ask you to be responsible for a portion of the monthly bill or to pay for the additional services (text, Internet, etc) if you wish to have them. You may have privileges suspended at any time you are behind in payment terms.  (This is probably only appropriate for older children and helps teach financial responsibility along with the use.)
    19. Determine if you will allow texting. Kids can rapidly run up a large phone bill with texting.
    20. Web surfing is disabled.  If not disabled (e.g. an iPhone where it’s necessary) then surfing is restricted and monitored.
    21. If any rules are broken, Mom or Dad may put your phone on “time-out” for as long as we feel it is necessary.

This is a one-month trial period, if all rules are followed for thirty days, Mom and Dad will increase hours on weekends.

This contract will be reevaluated every six months to possibly receive more texts, web surfing or extra money for ring tones etc.

We agree to the above by signing our signatures here: _______ ________

Thanks to many online resources for the aggregate of this information.  Please see many specifically referenced here for more info:

Faux Facebook emails use password reset ploy

Faux Facebook emails use password reset ploy – SC Magazine US.

Nothing terribly new here, but it is a good opportunity to connect some dots and reiterate a point.  Your best defense against most malicious SPAM is being able to identify it as not a legitimate source.  So that requires using the mail headers, mousing over links, looking at the general “presentation” of the email.

What if you could deliver the messages and hide all of the factors that allow you to discern that it is really SPAM?

In my previous post regarding the use of the Facebook application on your Blackberry it was noted that a well crafted email would show up in your Facebook application as a Facebook notification.  Using the malware email above, a modification to meet the requirements of the Blackberry app bypass and you have a quite convincing backdoor to get passwords or deliver malware.

Does my cell phone have a virus?

Many users aren’t worried about viruses or malware on their cell phones.  However, most companies are.

To date, there isn’t any exploit based malware for the major smartphone OSs (Andriod, Symbian, iPhone, Windows Mobile, Blackberry and… oh yeah.. Palm).  What this means is that, unlike the Windows operating system, there isn’t piece of malware that has been written that takes advantage of a weakness in the code or device which would allow for an exploit to occur (at least not yet).

This means that all attacks on your cell phone require an action by the end user for them to work.  I think alot of people are still hung up on this point, so I’m going to restate it.  I can take advantage of a web server exploit and place malware in an iframe.  When, from your PC, you simply browse to that site, you can become infected assuming you don’t have an AV scanner or content filtering service that would protect you from the redirect and download.  In browsing the website, you have “done” something.

GREAT! Make sure everyone knows not to do anything to allow themselves to be compromised (or pwned)!

Rickrolled iPhone

Rickrolled iPhone

If only it were that easy, right?

What we have is a combination of a social engineering problem and end user education/awareness.

In many aspects, all malware delivered via email, web, sms, etc. has some context of social engineering to it.  One would either used a compromised account from a friends device and delivered messages to the contact lists, therefore making it seem like a trusted source or falsify the origination of the email to make it appear that it’s coming from a large trusted source (e.g. Microsoft.com).  Either way, they are trying to not raise any red flags and get you to open the email, the attachment, or follow the url.

We try to mitigate this with device control policies and the above mentioned user education/awareness.  By providing our users with examples and scenarios we try to make sure they are as informed as possible so they don’t fall prey to these attacks.

I have written a list of best practices for cell phone use to help protect you and your information.  If you are interested in those recommendations, please check out my post on Cell Phone Security Best Practices – keeping your personal information personal.

Droid

Droid

But wait, there’s another big hole here!  These are smartphones.  It’s not about email, text, and phone anymore.  These things can have applications installed on them!

Yep.

And so we have the app stores.  Each major manufacture has them for their respective OS (see list above).  What we have now is a channel by which a malicious person could deliver their application (aka malware) to your device.  What makes this more interesting is that you are willingly downloading and installing this application (aka malware).

These are supposed to be trusted channels.  Each manufacture has a process by which they test and verify some aspects of the application before they sign the app and publish it to their respective store.  This may range from, does the app start?  Does it crash my phone OS?  Or is it secure?  We can’t really assume they are checking for the security of it’s actions.

And why is that you ask?

Let me give you an example of a published application, that you would very likely not want.  Let’s just call this app “Flex(insert a vowel here)spy” and the vowel rhymes with the word try.  This company writes this application.  Submits it to an app store and says “This is a personal backup app.  It backs up your files, emails, contacts, etc to a website for you”.  Sounds good.  App store tests it and approves for sale.  It was posted in the app store and sold for a period of time.  Until our good friends at F-Secure notified them “um, you guys are selling an app that allows someone to spy on another users phone use”.  What????

What may have been presented to the app store as one thing, was in practice quite something else.  The app could be deployed directly to the phone or just put onto a memory card and slipped inside a phone to be activated.  So if you wanted to track someones usage and get their info, all you needed was 30 seconds of access to their phone.  What’s even more interesting is this is what the company’s website indicated you could do with the product.  If only the app testers had read it…

While not perfect, the app stores do provide a level of protection that should help keep users from putting malicious applications on their phones.  That is, until the users decide they need to “assert their freedoms” and jailbreak their devices so they can do things like install application not reviewed by the manufacturer.  Are you jailbreakers still sure your in the right here?

Even the new and highly touted Droid has seen issues with developers posting “apps” to help you connect to your online banking site.  Seriously though, when I want to connect to Citibank, do I need an app from 09driod that costs $.99 to do so?

Mobile Device Management

Mobile Device Management

Where does that leave us?

  1. Have policies for your device
  2. Use management applications for the device to enforce those policy settings
  3. Educate your users

This should look remarkably like any policy for managing a PC.  Well it is.  Lets take the approach that, as smartphones continue to mature and gain functionality, they will be under attack as much (if not more) than our PCs.  Since we have the perspective of having dealt with PC security issues, let’s try and stay in front of the smartphone security issues.

“Two” many calendars on your BlackBerry?

After a week of having duplicate calendars on my BlackBerry driving me crazy, I did some research to figure out what was going on.  (This is not original information, but is good to have if you find yourself in my situation.)

Background:

In order to update to the most current version of BlackBerry OS on your device, you’re best to install the BlackBerry Desktop Manager.  Having completed this (including the OS update) a second calendar showed up on my device. However there were enough other features to the new OS to keep me occupied so the calendar issue went to the back of my mind for a while.  That was, until I started to get duplicate updates for every event I had.  That got old fast.

After trying the calendar options, finding I could really only change the color for the calendars I had already installed, I found that my answer was not in the device options.

After reading quite a few other web postings on the subject, there were many recommendations about deleting service books for all CICAL entries, etc.  But that too wasn’t the answer.

If you have two calendars, here is the most direct way to consolidate them into a single calendar (assuming that is your goal):

  1. Open the Calendar.
  2. Press the menu key.
  3. Choose Options
  4. Type MOVE on the keypad.
  5. You will be asked to move all appointments in the base system calendar. Choose YES to accept moving all entries in the Device Default calendar to the default active calendar.
  6. Perform a hard reset of the BlackBerry by taking the battery out while the phone is still powered on and placing it back in.

This operation will move all calendar entries existing on the Device Default calendar to the active calendar shown in OptionsAdvanced Options > Default Services.

At this point, I was good.  And in fact this may be all you need to do also.  However if you had this issue because you have two calendars on two separate email addresses, you may need to do the following:

  1. Go to Options > Advanced Options > Default Services.
  2. Verify the correct email address is shown for Calendar [CICAL].
  3. Press the back arrow and save the changes if prompted.
  4. In the Advanced Options menu, choose Service Book.
  5. Highlight the entry for the calendar you do not want. This will appear as email@domain.com [CICAL].
  6. Press the menu key and choose Delete.

When deleting a CICAL, any calendar entries associated with it are moved to a Device Default calendar.

Hopefully this is helpful.