Mobile Security

by Ajinkya Patil on June 28, 2013

In today’s world everyone just loves their nifty devices. People use smartphones for communication, tools and also as a means of planning and organizing their work and private life.

Statistics say “Four of Five employees use their personal device at work, which makes them productive & happy”. Here are some more surprising stats.

  • Percentage of Americans who use their personal mobile device for work: 81%
  • Percentage who allow others to borrow their devices: 46%
  • Percentage who store work email passwords on their phones: 35%
  • Percentage who haven’t activated their auto-lock feature: 37%
  • Amount of BYOD activity that is going unmanaged: 80%
  • Increase in employee productivity when using mobile apps: 45%
  • Increase in mobile device malware detection across all platforms in one year: 155%

The statistics come from Gartner, Ovum, IBM, Vertic, Flurry, Magic Software, Motorola and Harris Poll. Hopefully these stats will help you make effective decisions about managing mobile devices.

Threats to mobile devices are:

  • Theft—the biggest risk always comes from the user, not from the technology. A mobile device carrying personal and business data that is left unsecured and unattended can fall into the wrong hands, leading to a data leak. Because these devices are small and handy, loss or theft is always possible.
  • Rogue Apps—nowadays there are apps for everything, freely available on app markets such as the Android Play Store and the Apple App Store. Malicious apps that are uploaded to an application market and work as spyware or malware to steal data are a concern. One example is the DroidDream group of malware app developers, who uploaded 50 apps to the Android Market; the apps were later removed using Google's kill switch. However, the risk of rogue apps stealing data remains until they are identified and removed.

Another example is the mobile component used with the Zeus banking Trojan on Windows Phone, which would hide and read SMS messages for transactions using an OTP (one-time password).

  • Vulnerabilities—most smartphones and tablets use Android nowadays. However, most devices run old versions, exposing them to known vulnerabilities. Upgrading to the latest version is important: the DroidDream malware, for example, did not affect the latest version of Android. The statistics below show that most Android users are still running Android Gingerbread.

Source – developer.android.com

Mobile devices have become a new vector to gain authorized access to corporate data. We need to manage these devices effectively to avoid compromise of corporate data through them. Briefly, by:

[Image: mobile management]

Managing access—access to corporate systems/applications from a mobile device (e.g. email) needs to be traced, i.e. connected devices should be visible on a console or logged. On-device security is most important if the device connects to corporate systems.

Managing Apps—if the business allows both business and personal apps on a device, the devices should be scanned and malicious apps removed to avoid data theft.

Managing lost or stolen devices—it should be possible to remotely wipe and track the device from a web console.

Mobile devices are not just a trend anymore. They are here to stay, and the demand for them will only grow stronger. BYOD can offer tons of benefits if implemented and managed properly.


Dropping a pocket spy behind enemy lines

by Phil Bramwell on May 22, 2013

Attack vectors to an organization’s confidential data are often restricted in part by a time variable: an attacker could do a whole lot more damage via a particular route if given 2 hours versus 15 minutes. Defenders take this into account when they assess their security stance, and naturally they give less attention to a vulnerability that would take longer to exploit than the 10 seconds an attacker could possibly stand there uninterrupted (e.g. due to cameras or personnel). The more dangerous attacks take advantage of this assumption by maximizing the benefit of a 10-second contact in clever ways. Today we’ll look at an attacker’s perspective on a method to steal information right from your staff’s fingertips.
There are a variety of methods you could use to get a keylogger on a computer, but they can be unreliable and require a lot of effort, or they require a lot of physical interaction with the target when you may be able only to social-engineer yourself 10 or 15 seconds. What we need is to be able to quickly plug something into a computer and leave, and we should never need to come back. We can accomplish that with a WiFi keylogger and a long-range antenna attached to BackTrack running an AP.

[Image: World's Smartest Wi-Fi Keylogger]
The wireless keylogger has built-in storage and a wireless NIC. You can connect the device and quickly configure its WLAN settings and the email address to which keyboard logs are sent. Choose an SSID and WPA password and configure the device.
The social engineering part is limited only by the cleverness of the attacker. You can walk into an organization’s front doors and pretend to be an IT guy – you have to check a connector to diagnose a network connectivity problem, and don’t worry, it shouldn’t take longer than a few seconds. Reach behind the tower and quickly intercept the keyboard connection with your keylogger. Don’t forget to thank the target for his time. You can top off the deception with a follow-up call to reveal that the connection check did in fact fix the issue, and everything should be all set now.
Meanwhile, you are setting up your long-range WLAN equipment. A ‘cantenna’ can afford you 12 dBi of gain or more, so that you can park your car in a location well outside the view of physical security cameras on the organization’s premises. This is reversing the purpose of the wireless hijack setup a bit: instead of hoping to grab a network connection from within the premises, we’re planning on feeding a network connection up to the eagerly waiting WiFi dongle inside the building.
[Image: Wireless Booster Antenna]
You’ll need two wireless interfaces on your BackTrack laptop – one interface is connected to the Internet (via a cellular card, for example), while the other interface is putting out an AP signal, with a bridge between the two interfaces configured in Linux (airbase-ng is a great tool for this). The AP is, of course, configured according to how the WiFi keylogger was configured. With careful positioning of the cantenna, a projected AP signal can reach the keylogger and it will automatically associate with our laptop outside. As soon as a connection is established and the WiFi keylogger sees the Internet, it’ll email its database and you can log off and disappear, passwords and other data in hand. The WiFi keylogger can be periodically visited to get more data, or it can be left to be perhaps discovered someday, but by that point the attacker is long gone.
[Image: Access Point]
In some environments, you might be able to reach the keylogger from the parking lot of a building that provides wireless Internet access to customers, like a McDonald’s or Starbucks. In this case, you can associate one of your BackTrack NICs to the public hotspot, and bridge that connection to your AP. Of course, the best scenario is one in which the target organization itself provides the guest hotspot – then you don’t even need to provide the access at all.
What does your organization do to mitigate an attack like this one? Physical security is the biggest issue here – notice that this attack requires the attacker to gain your staff’s trust. No one should be able to just walk off the street, say something smooth, and then have physical access to your IT equipment. Do you have an action plan for staff when they encounter a con artist like the one described above?
Also notice that this attack relies on good ol’ radio waves. If your organization uses wireless technology, do you have security awareness that encompasses that technology? If you have intrusion prevention systems, do you have wireless intrusion prevention systems?
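
On the wireless intrusion prevention question above, here is an added example (not part of the original post) of the detection logic a wireless IDS sensor feed could run: it flags any station that talks to an access point outside the approved inventory, and raises the severity when that station is heard strongly by an interior sensor, which is the "device inside, AP far away" pattern this post describes. The record layout, MAC addresses, sensor names and RSSI threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of the organization's own access points (assumption).
AUTHORIZED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
# Assumption: a station heard at or above this level by an interior sensor
# is physically inside the building.
INSIDE_RSSI_DBM = -60

# Constructed sensor observations, one association per line:
# sensor, ap_bssid, ssid, station_mac, station_rssi_dbm, ap_rssi_dbm
SAMPLE = """\
lobby-1,02:00:00:aa:00:01,corp-wlan,02:00:00:cc:00:10,-48,-40
floor2-3,02:00:00:aa:00:02,corp-wlan,02:00:00:cc:00:11,-55,-45
floor2-3,02:00:00:bb:00:99,linksys,02:00:00:dd:00:77,-42,-83
lobby-1,02:00:00:bb:00:50,CoffeeShop,02:00:00:ee:00:05,-88,-80
"""

@dataclass
class Obs:
    sensor: str
    bssid: str
    ssid: str
    station: str
    station_rssi: int
    ap_rssi: int

def parse(text):
    """Turn the CSV-style sensor feed into Obs records, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = [x.strip() for x in line.split(",")]
        out.append(Obs(f[0], f[1].lower(), f[2], f[3].lower(), int(f[4]), int(f[5])))
    return out

def findings(observations):
    """Return (severity, sensor, station, bssid, ssid) for unapproved APs."""
    alerts = []
    for o in observations:
        if o.bssid in AUTHORIZED_BSSIDS:
            continue  # association with our own infrastructure
        # A strong station talking to an unapproved AP means a device on the
        # premises is reaching out; a weak one is likely a neighbour's client.
        severity = "high" if o.station_rssi >= INSIDE_RSSI_DBM else "info"
        alerts.append((severity, o.sensor, o.station, o.bssid, o.ssid))
    return sorted(alerts)  # "high" sorts before "info"

if __name__ == "__main__":
    for alert in findings(parse(SAMPLE)):
        print(alert)
```

A "high" finding gives the sensor location, so staff can physically inspect the machines near that sensor for unexpected inline hardware.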

 


Wireless Connection, Safe?

July 19, 2012

In today’s world wireless connections are the mainstream way for people to stay connected. Gone are the old dusty wires of yesteryear, say hello to cleaner looking workspaces at home and in the office. Just like the old saying “more money, more problems” I have a phrase I’m going to start coining “more efficiency, more [...]


There’s No Such Thing as “Bring Your Toy to Work” Day (And there’s good reason for that…)

January 9, 2012

With the holidays just behind us, there’s a good chance you may have received a cool new technology gadget as a gift. Yes, it has all kinds of bells and whistles. Yes, it could be very useful in the workplace. So yes, you should go ahead and bring it to work with you, right? Not [...]


Don’t Fall Prey to “Trendy” Implementations

November 15, 2011

A recent survey unveiled an interesting statistic.  Enterprises may be rushing into implementing new technologies without any update to security controls.  Given the emphasis on information security controls lately, this statistic comes as a surprise.  New technologies are very enticing and lack of adoption could threaten the success of your enterprise; however, adopting trending technologies [...]


Management Approach to Cloudphobia

October 13, 2011

If you are familiar with arcade games, you may have stumbled upon Cloudphobia – a time attack game where a player is required to withstand the never-ending assaults from incoming enemies while protecting itself and an assigned mother ship from lasers and missiles. From a business perspective, amongst other things, business managers and IT Executives [...]


QR Tags – The Little Square That Can Pack a Punch

September 29, 2011

We use our smartphones more and more each day.  We use them to manage our finances, search the internet, maintain work and personal meetings, store pictures… the list goes on and on, so it’s no wonder cyber criminals are looking for the next avenue to gain access to these mini data gold mines. Recently we [...]


Doctor iPad

September 22, 2011

Health Care organizations are starting to see the value in medical professionals using the iPad. In October of 2010, the Healthcare Information and Management Systems Society hosted a webinar on iPads, and of those in attendance (nearly 1000 attendees), 25% planned to use an iPad immediately and 70% planned to use an iPad within one [...]


Business Email on Employee-Owned Smart Phones

August 22, 2011

Earlier this week I was sent a question asking if we had seen any best practices for policies regarding email access on personal smart phones not owned by the company. The best practices are similar to what you would find in acceptable use policies for VPN access or corporate smart phone access, but they also [...]


What is all the Fuss Surrounding Google Plus?

August 11, 2011

Circles, Hangouts, Sparks… what is all of this?   With all the avenues of social media out there it is hard to believe  that yet another one has jumped onto the scene.   Facebook has been the reigning champ for quite some time but it has had competition from Google since the beginning but never has Google [...]
