Tiger Woods Would Have Benefited From A Mobile Device Management Policy

 

[Image: Tiger Woods on his cell phone]

Loss of brand and market share.  This is not just a recent concern for Tiger Woods (or better yet the PGA, Nike, etc), but also for you and your company.

In my previous article, I wrote about the threat of malware to your mobile devices.  In actuality, the biggest threat to your company (or data) is the physical loss of your device.  The “Tiger Mobile Incident” as I like to call it (hmm TMI, that works on a few levels) is an excellent example of this.

I last wrote that protecting against mobile malware is an issue of social engineering and user education/awareness and not always an issue of technical controls around the device.  In this case, physical protection of the device is about the technical controls on the device and user education/awareness (let’s face it, it’s always about end user education/awareness).

Here are some suggested minimum guidelines for what you should have deployed for your mobile management:

  1. Manage the device – Seems simple, but my guess is that there are many devices being used in corporate environments that are not under any management.
  2. Have a password policy (and of course, enforce it) – This is the hardest control for end users to get used to.  Gone is the freedom of just picking up your device and using it.  Remember, if it’s that easy for you to access, it’s just as easy for a thief to access (or your wife, right Tiger?)
  3. Have a short inactivity timeout – The most common places that cell phones are lost and quickly picked up are cabs and airports.  In both cases, it’s unlikely that the devices are returned.  If you do not have a short inactivity timeout before your phone locks itself, you are at risk of the data being accessed prior to the device locking.
  4. Have the ability to remotely wipe the device – This capability varies based on mobile device as well as device management platform.  Regardless of which you choose, the ability to kill the device or wipe the data is recommended.  (side note: in areas of data loss disclosure, this may help keep you out of a lot of trouble).
  5. Utilize encryption when possible – depending on the device, you may have the ability to encrypt all of, or at least the important, data.

[Image: Lost phone reward. Is your data worth more than $40 to a thief?]

Mobile Device Management (MDM) platforms typically have these, plus many more controls depending on the software and the devices managed.  These need to be aligned to your organization’s needs and your particular risk tolerance.
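The five guidelines above are easiest to enforce when they are written down as something a script can check an inventory against. The Go program below is an added example, not code from the original post or from any MDM vendor: the `Policy` thresholds, the `Device` record layout and the sample fleet are all constructed for illustration, and a real MDM export would have its own field names.

```go
package main

import (
	"fmt"
	"time"
)

// Policy holds the five minimum controls from the post as checkable values.
// The thresholds are constructed for this example, not taken from any vendor.
type Policy struct {
	MinPasscodeLen    int
	MaxInactivity     time.Duration
	RequireRemoteWipe bool
	RequireEncryption bool
}

// Device is a simplified inventory record of the kind an MDM platform reports.
type Device struct {
	ID          string
	Managed     bool
	PasscodeLen int           // 0 means no passcode is set
	Inactivity  time.Duration // 0 means the device never locks itself
	RemoteWipe  bool
	Encrypted   bool
}

// Baseline is a constructed policy roughly matching the post's guidelines.
var Baseline = Policy{
	MinPasscodeLen:    6,
	MaxInactivity:     5 * time.Minute,
	RequireRemoteWipe: true,
	RequireEncryption: true,
}

// Evaluate returns one finding per control the device fails; an empty
// slice means the device meets the baseline. An unmanaged device fails
// outright because nothing it reports can be enforced or trusted.
func Evaluate(p Policy, d Device) []string {
	if !d.Managed {
		return []string{"not enrolled in management"}
	}
	var findings []string
	if d.PasscodeLen < p.MinPasscodeLen {
		findings = append(findings, fmt.Sprintf("passcode shorter than %d characters", p.MinPasscodeLen))
	}
	// A zero timeout means "never lock", which is worse than a long timeout.
	if d.Inactivity == 0 || d.Inactivity > p.MaxInactivity {
		findings = append(findings, fmt.Sprintf("inactivity lock missing or longer than %s", p.MaxInactivity))
	}
	if p.RequireRemoteWipe && !d.RemoteWipe {
		findings = append(findings, "remote wipe not enabled")
	}
	if p.RequireEncryption && !d.Encrypted {
		findings = append(findings, "storage not encrypted")
	}
	return findings
}

func main() {
	// Constructed sample inventory: one compliant device, one with weak
	// settings, and one that was never enrolled.
	fleet := []Device{
		{ID: "exec-01", Managed: true, PasscodeLen: 8, Inactivity: 2 * time.Minute, RemoteWipe: true, Encrypted: true},
		{ID: "sales-07", Managed: true, PasscodeLen: 4, Inactivity: 0, RemoteWipe: true, Encrypted: false},
		{ID: "byod-22", Managed: false},
	}
	for _, d := range fleet {
		findings := Evaluate(Baseline, d)
		if len(findings) == 0 {
			fmt.Printf("%s: compliant\n", d.ID)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", d.ID, len(findings))
		for _, f := range findings {
			fmt.Printf("  - %s\n", f)
		}
	}
}
```

The point of the zero-timeout branch is the edge case from guideline 3: a device that never locks is not "long timeout", it is "no timeout", and the check treats it as the worse of the two.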

These technical controls help mitigate the risk of data loss if a device is physically lost, but we still have the issue of end user awareness.  Often we like to use personal references as much as possible in our end user awareness programs.  When you can make something relate to your personal life, it makes it easier to understand.  We now have Tiger to thank for a great scenario to present to all end users that they will be able to understand and remember.

Now if Tiger had only had his phone locked…

Does my cell phone have a virus?

Many users aren’t worried about viruses or malware on their cell phones.  However, most companies are.

To date, there isn’t any exploit-based malware for the major smartphone OSs (Android, Symbian, iPhone, Windows Mobile, BlackBerry and… oh yeah… Palm).  What this means is that, unlike the Windows operating system, there isn’t a piece of malware that has been written that takes advantage of a weakness in the code or device which would allow for an exploit to occur (at least not yet).

This means that all attacks on your cell phone require an action by the end user for them to work.  I think a lot of people are still hung up on this point, so I’m going to restate it.  I can take advantage of a web server exploit and place malware in an iframe.  When, from your PC, you simply browse to that site, you can become infected, assuming you don’t have an AV scanner or content filtering service that would protect you from the redirect and download.  In browsing the website, you have “done” something.

GREAT! Make sure everyone knows not to do anything to allow themselves to be compromised (or pwned)!

[Image: Rickrolled iPhone]

If only it were that easy, right?

What we have is a combination of a social engineering problem and end user education/awareness.

In many aspects, all malware delivered via email, web, SMS, etc. has some context of social engineering to it.  The attacker would either use a compromised account on a friend’s device and deliver messages to its contact list, therefore making it seem like a trusted source, or falsify the origination of the email to make it appear that it’s coming from a large trusted source (e.g. Microsoft.com).  Either way, they are trying not to raise any red flags and to get you to open the email, the attachment, or follow the URL.

We try to mitigate this with device control policies and the above mentioned user education/awareness.  By providing our users with examples and scenarios we try to make sure they are as informed as possible so they don’t fall prey to these attacks.

I have written a list of best practices for cell phone use to help protect you and your information.  If you are interested in those recommendations, please check out my post on Cell Phone Security Best Practices – keeping your personal information personal.

[Image: Droid]

But wait, there’s another big hole here!  These are smartphones.  It’s not about email, text, and phone anymore.  These things can have applications installed on them!

Yep.

And so we have the app stores.  Each major manufacturer has one for their respective OS (see list above).  What we have now is a channel by which a malicious person could deliver their application (aka malware) to your device.  What makes this more interesting is that you are willingly downloading and installing this application (aka malware).

These are supposed to be trusted channels.  Each manufacturer has a process by which they test and verify some aspects of the application before they sign the app and publish it to their respective store.  This may range from: does the app start?  Does it crash my phone OS?  Or is it secure?  We can’t really assume they are checking for the security of its actions.

And why is that you ask?

Let me give you an example of a published application that you would very likely not want.  Let’s just call this app “Flex(insert a vowel here)spy” and the vowel rhymes with the word try.  This company writes this application, submits it to an app store and says “This is a personal backup app.  It backs up your files, emails, contacts, etc. to a website for you”.  Sounds good.  The app store tests it and approves it for sale.  It was posted in the app store and sold for a period of time.  Until our good friends at F-Secure notified them: “um, you guys are selling an app that allows someone to spy on another user’s phone use”.  What????

What may have been presented to the app store as one thing was in practice quite something else.  The app could be deployed directly to the phone or just put onto a memory card and slipped inside a phone to be activated.  So if you wanted to track someone’s usage and get their info, all you needed was 30 seconds of access to their phone.  What’s even more interesting is this is what the company’s website indicated you could do with the product.  If only the app testers had read it…

While not perfect, the app stores do provide a level of protection that should help keep users from putting malicious applications on their phones.  That is, until the users decide they need to “assert their freedoms” and jailbreak their devices so they can do things like install applications not reviewed by the manufacturer.  Are you jailbreakers still sure you’re in the right here?

Even the new and highly touted Droid has seen issues with developers posting “apps” to help you connect to your online banking site.  Seriously though, when I want to connect to Citibank, do I need an app from 09driod that costs $.99 to do so?

[Image: Mobile Device Management]

Where does that leave us?

  1. Have policies for your device
  2. Use management applications for the device to enforce those policy settings
  3. Educate your users

This should look remarkably like any policy for managing a PC.  Well, it is.  Let’s take the approach that, as smartphones continue to mature and gain functionality, they will be under attack as much as (if not more than) our PCs.  Since we have the perspective of having dealt with PC security issues, let’s try and stay in front of the smartphone security issues.

“Two” many calendars on your BlackBerry?

After a week of having duplicate calendars on my BlackBerry driving me crazy, I did some research to figure out what was going on.  (This is not original information, but is good to have if you find yourself in my situation.)

Background:

In order to update to the most current version of BlackBerry OS on your device, you’re best to install the BlackBerry Desktop Manager.  Having completed this (including the OS update) a second calendar showed up on my device. However there were enough other features to the new OS to keep me occupied so the calendar issue went to the back of my mind for a while.  That was, until I started to get duplicate updates for every event I had.  That got old fast.

After trying the calendar options, finding I could really only change the color for the calendars I had already installed, I found that my answer was not in the device options.

After reading quite a few other web postings on the subject, there were many recommendations about deleting service books for all CICAL entries, etc.  But that too wasn’t the answer.

If you have two calendars, here is the most direct way to consolidate them into a single calendar (assuming that is your goal):

  1. Open the Calendar.
  2. Press the menu key.
  3. Choose Options.
  4. Type MOVE on the keypad.
  5. You will be asked to move all appointments in the base system calendar. Choose YES to accept moving all entries in the Device Default calendar to the default active calendar.
  6. Perform a hard reset of the BlackBerry by taking the battery out while the phone is still powered on and placing it back in.

This operation will move all calendar entries existing on the Device Default calendar to the active calendar shown in Options > Advanced Options > Default Services.

At this point, I was good.  And in fact this may be all you need to do also.  However if you had this issue because you have two calendars on two separate email addresses, you may need to do the following:

  1. Go to Options > Advanced Options > Default Services.
  2. Verify the correct email address is shown for Calendar [CICAL].
  3. Press the back arrow and save the changes if prompted.
  4. In the Advanced Options menu, choose Service Book.
  5. Highlight the entry for the calendar you do not want. This will appear as email@domain.com [CICAL].
  6. Press the menu key and choose Delete.

When deleting a CICAL, any calendar entries associated with it are moved to a Device Default calendar.

Hopefully this is helpful.

Why you should hack your iPhone

or really why you shouldn’t.

[Image: broken iPhone]

I know quite a few people who have jailbroken their iPhones.  And I will apologize to many of them now, but I can tell you that most all of them should not have done it.

I realize that in their frustration to have the iPhone be all the things that it is capable of being, many users feel the need to bypass the constraints put in place by Apple.  Unfortunately they also bypass a lot of the security functions (roughly 80%) built into it.  I see the stat that nearly 7% of all iPhones are jailbroken.  Given that 90% of those probably have not done anything to improve their security posture, there are roughly 2.1 million “vulnerable” iPhones in use today (given 34 million in use Q9 2009).

So, for you to have the ability before anyone else to tether, MMS, Google Voice, etc. you open yourself up to the following:

  • Default SSH password setting – since this is often not changed by users who jailbreak their iPhones, this is the easiest port to access the phone’s OS.
  • Use of iPhone to proxy your connections

Via those vectors “one” can easily connect and:

  • See the iPhone OS file system… hmmm what files can I see and copy over from there?  How about:
  • Email
  • SMS Messages
  • Voicemail in .amr format
  • Addressbook/Contacts
  • Call History
  • Notes
  • Bookmarks
  • History
  • Cookies (could really find some interesting things with persistent cookies here)
  • Even more fun?  What about recAudio?  Remotely, from the command line, enable the audio recording feature of the microphone.  The audio is then stored to a local file (.aiff) that I can now SCP from the iPhone to the machine I’m on.  Bamo… you have your own remote bugging device and no one will think twice about it sitting in a conference room while they are talking about… well anything.
  • Uber stalker?  You can also query the iPhone’s GPS API to return HI RES latitude/longitude information in XML format.  Put those coordinates into Google maps and you can (with a tremendous amount of accuracy) track the path of an iPhone user.
  • Make phone calls?  What about making the remote phone make calls?  You can make someone prank call without their knowledge.  If you know them, you can make them call you and give them a hard time about calling and not saying anything.  The uses are endless, eh?
  • Remember the use of your phone as a proxy connection?  How many users connect their iPhones to their office or home wireless networks?  Since there are multiple interfaces on the iPhone and you can route between them, “one” could now use this as a bridge into a private network.  So much for your firewalls and perimeter devices protecting your network.

Sweating yet?

Well believe it or not, there is good news for you jailbreakers out there.  AT&T has begun to filter addresses on their NAT’d wireless network.  But only quite recently.  Prior to this, “one” could pop an AT&T aircard into a laptop, get onto a mobile wireless segment, get “one’s” own IP address and quickly scan that entire segment for users.  A port scan will tell you which of those devices are iPhones.  With this filtering in place (and only in some places) you are limited and not able to (as easily) map the devices around you.  So this is a hurdle, but don’t take too much comfort in it being high enough to keep very crafty people out for long.

So the long and short of it?

Given how much information is contained on your iPhone, I don’t think there’s any application you need so badly that you’d be willing to give up access to all your personal information.  So suck it up and use the apps/functions/features that Apple has available.  When it can be provided securely (and probably profitably for Apple) it will be released.  Until then, go play outside.

Special thanks to Trevor Hawthorn for his research and demonstration of these exploits at Schmoocon 2010.

Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????

Here: http://www.spylogic.net/2010/02/facebook-spam-on-blackberry-devices/

Thanks to the guys that really spend a lot of time reviewing social media stuff (especially Tom Eston and Kevin Johnson), they have noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for BlackBerry application.

What makes this troublesome from an information protection standpoint is that the Facebook application is actively scanning your email inbox.  In the case of many, many BlackBerry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to facebook.com) I’m sure you all read the EULA when you installed the app, right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, you have full access to contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologies, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry, uninstall it.  NOW! Do not finish reading this post; uninstall the app and come back to finish the post.

To RIM:

I trust (which is always a bad thing) when you provide a signed application that you have performed a review of how the application performs on your device and that it doesn’t do anything we don’t expect.  Like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing), why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the FaceBook site should be alarming enough.  But worse yet, it seems that turning all these off during the setup did not affect a SPAM’ers ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May2010)

It appears that RIM may be slightly at odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FALSE by default.  Which is what I would expect those settings to be. It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible to BES 4.x installs, so everyone has the opportunity to enable this policy.

How do I really know this is you?

The recent OWA (Outlook Web Access) themed spam/crimeware reinforces what has been known for some time.  Criminals continue to get better and better at what they do. (http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html)

What it also reinforces is that it’s not about just keeping up.

Through the tiers of systematic scans and filters, we have managed to reduce an inordinate amount of SPAM and crimeware.  Using signatures, heuristics, dictionaries, and external reputation scoring, you can dramatically reduce the amount of spam received.  Through these mechanisms we now only deal with a single digit percentage of the total emails received at the gateway.

The next step in this battle has relied on the education of end users.  Given the fast changing landscape of how spam/malware/crimeware is changing, it’s a difficult prospect to expect end users to be able to dissect each email with a keen technological and investigative eye.  Though I will admit, this has been the common practice to help fight that which makes it through all your technical controls.

In the case of this OWA themed spam, the emails look remarkably like the OWA system and sound professional enough to be legitimate.  It’s very easy for end users to discern spam when the wording of the email is similar to this:

“Good news dear, It is my pleasure to inform you that the latest development regarding the news from the New president of the United State of America to release all your fund through bank of america without any further delay.” (http://www.scambusters.org/scamlanguage.html)

However when the images are done well, the wording is grammatically correct, and the emails appropriately targeted, this can be a difficult task.

While this may be considered a tactical approach to combating these issues, I have a suggestion that can help fight this battle:

Provide your end users with a validation that internal emails are authentic.

By utilizing certificates to digitally sign your email communications, you provide your end users with:

  1. Message integrity (content is reliable)
  2. Validate origination (this came from a known trusted source)

In the case of the OWA spam, users would note that this is not digitally signed and from their trusted source.  So they don’t have to worry about discerning if the wording is correct, mousing over links to see if they are legitimate urls, etc.
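To make the two properties concrete, here is an added Go example (not code from the original post, and not how any particular mail client implements S/MIME). It uses an Ed25519 key pair as a stand-in for the organisation’s signing certificate, and the three sample message bodies are constructed: a genuine signed notice, the same notice with a line appended after signing, and an unsigned lookalike of the kind described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage pairs an e-mail body with the signature the sender produced
// over it. S/MIME carries the same thing inside a MIME part; a plain struct
// keeps the two checks visible.
type SignedMessage struct {
	Body      string
	Signature []byte // nil when the message arrived unsigned
}

// NewSenderKey makes a fresh key pair. In production the public half is what
// the organisation's certificate store distributes to users.
func NewSenderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign signs body with the sender's private key.
func Sign(priv ed25519.PrivateKey, body string) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// Verify gives the verdict a mail client would show:
//   "trusted"  - signed, and the signature matches both the body and the
//                known sender key (integrity and origin both hold)
//   "tampered" - a signature is present but does not match (body altered,
//                or signed with some other key)
//   "unsigned" - no signature at all, which is what the OWA-themed spam
//                would look like
func Verify(senderPub ed25519.PublicKey, m SignedMessage) string {
	if len(m.Signature) == 0 {
		return "unsigned"
	}
	if ed25519.Verify(senderPub, []byte(m.Body), m.Signature) {
		return "trusted"
	}
	return "tampered"
}

func main() {
	// Constructed key pair standing in for the IT department's signing certificate.
	pub, priv := NewSenderKey()
	genuine := Sign(priv, "IT notice: mailbox migration is Friday night; no action is needed.")
	// Same signature, edited body: the integrity check fails.
	altered := SignedMessage{
		Body:      genuine.Body + " Confirm your password at http://owa.example.invalid/",
		Signature: genuine.Signature,
	}
	// Lookalike message with no signature at all: origin cannot be validated.
	phish := SignedMessage{Body: "IT notice: your OWA account is locked. Sign in at http://owa.example.invalid/ to restore access."}
	for _, m := range []SignedMessage{genuine, altered, phish} {
		fmt.Printf("%-9s %s\n", Verify(pub, m), m.Body)
	}
}
```

The user-facing rule that falls out of this is the one the paragraph above states: a message claiming to be internal that the client reports as unsigned or tampered is rejected, without anyone needing to study the wording or hover over links.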

This approach will help your organization communicate two messages to your end users.  One, the message you are sending in the email communications, and two, the concern and support for reliable trusted communications between the company and the user base. Utilize your education and awareness campaigns to inform users of the point of digitally signed communications and hope that the application of the technology finds its way into other applications.  In the case you have an external certificate store, there is an excellent opportunity to use this to communicate with your customer base also.