mobile security

It seems almost every day new articles appear on new websites relating to the theft or loss of laptops. This week, the UK based Nationwide building society will mail all of their 11m (yes, ELEVEN MILLION) customers to inform them of a laptop which was stolen in August. Why it has taken Nationwide 3 months to mention this hiccup will only serve to further exacerbate customer anger. Trying to cover things up in this way will cost them more dearly than if they were just open and honest in the first place.
Other details Nationwide refuse to disclose include:

• what customer information was on the laptop
• where the laptop was stolen from
• how many customer details were on the laptop
• why so much sensitive data was there in the 1st place
• if any encryption was used laptop was using

All in all, this amounts to a huge embarrassing situation for Nationwide. Looking at the big picture, it seems they first tried to sweep the incident under the carpet and that has just made matters worse. Furthermore, failing to answer basic questions about the event and how secure the laptop will surely makes matters worse.

Who does incident handling and damage control at Nationwide?

If they have they don’t appear to be doing a very good job of it. The only useful piece of information that they have disclosed is:

the information did not include any PINs, passwords, account balance information or memorable data.

They go on to say:

since the loss of the laptop we have taken steps to improve our security measures further and provide additional protection to our customers

Could this be a case of shutting the stable door after the horse has bolted? I certainly think so.

The main customer concern here seems to be one of Identity Theft. In the UK, a criminal needs very little information in order to impersonate you. Your name, age, sex and address is all they need in order to start impersonating you. For more information about protecting your identity, see the UK Home Office’s Identity Theft website.

If you wish to read on about other laptops that have been stolen this week, the BBC is reporting another interesting theft of some laptops from some offices used by LogicaCMG that contain payroll information for 50% of the workforce of London’s Metropolitan Police.

Powered by Gregarious (41)

An article posted in the The Register last week just caught my attention. It was quoting Paul Miller, head of Symantec’s Mobile and Wireless Security Group. In this article were a lot of statements which I disgree with. On this blog I try as best as I can to remain impartial and not promote or bash any one vendor more or less than any other, but in this case I can’t help but feel that what I read amounts to little more than a modifed version of what I read one year ago in a Gartner Report.

This same Gartner report is quoting the same threats will increase which is exactly the same thing that it said last year. Whilst I don’t want to quote Paul Miller out of context, I find statements such as this highly controversial:

“Plus, operating systems on mobile phones lag those on PCs by six years - and hackers attack the weakest link. “

Six years? Weakest link? What mobile device does he use? And from which vendor? I don’t think he could be further from the truth. For example, I would say that Microsoft could learn a lot from Nokia with regards the security features in the new S60 3rd Edition operating system. Where are the patch Tuesdays and Zero Day Wednesday’s for Symbian? After all, the article went on to say:

Mobile phones will out-ship PCs by five to one this year, and are far more likely to be lost or stolen, according to statistics quoted by Symantec.

Miller continues:

But any computer attached to a network needs AV, and a smartphone is a computer and that IT staff need to target perhaps the top 5% of their users for additional defensive software such as firewalls and encryption, because they will be the senior execs and salespeople who keep critical business data on their phones.

This statement on the other hand is absolutely justified, and 5% might even be a little conservative. The threat of Flexispy as a tool for industrial espionage is very real, but statistically, you have a higher chance of misplacing or even loosing your phone so I would put mobile encryption higher in the ‘must have’ list.

So is the picture as bad as mobile AV and PF vendors would have you believe? I don’t think so. They love to focus on Flexispy as it is perhaps the best example of any application that has emerged this year that can justify why a mobile AV&PF should be installed onto your smartphone. However, one critical factor has been overlooked in all of this: User education. With smart phones the only way to get infected is if the user clicks ‘yes’ to install something e.g. over bluetooth (yes, there are other ways to install software), but in general it’s down to the user. And we are starting to see implementation of content signed software. When this becomes more mainstream, how far will bluetooth propagating crimeware really get people if the application is unable to talk to the network?

So lets see where we are at the end of 2007 with regards mobile security trends. More of the same? I know where I’ll put my money…

Powered by Gregarious (41)

Checkpoint Software Technologies Ltd, Israeli vendor of popular firewall and VPN solutions yesterday made cash bid to acquire Sweden’s Protect Data AB, the parent company of Pointsec Mobile Technology for $568 million.

This move puts in motion part of Checkpoint’s strategy which is to extend their product offerings to include data storage. Pointsec’s revenue grew 92% in the first nine months of this year to $52.4 million with $8.3 million profit after tax. Pointsec have spent a lot of money on their mobile security solutions for which they are currently the market leader. This move sees further consolidation in the security solutions market. I think the move for Checkpoint is not a bad one as they have essentially bought the leading market share the fast growing mobile device encryption market.

Powered by Gregarious (41)

An unnamed researcher, together with H.D, Moore, creator of metasploit and director of Security Research says vulnerable systems are exposed to a “stack-based buffer overflow that can lead to arbitrary kernel-mode code execution.” Essentially, you’re vulnerable when connected via WiFi as an attacker who is connected to the same WiFi network as you could remotely run some code on your machine. For this, the attacker needs to be running Linux, metasploit and have a wireless card capable of performing raw packet injections. The offending driver is called BCMWL5.SYS Laptops known to be using this driver (among other manufacturers) include Dell, Gateway, IBM, eMachines and HP.

What is interesting about this hole is that malicious packets will be seen by the driver before it is seen by a firewall, rendering it useless.

Until a driver a driver update is posted, a useful workaround for vulnerable systems is to switch to another wireless driver (e.g. Linksys) or to disable wireless completely.

Powered by Gregarious (41)

Last week Fox News ran an interesting story on what would appear to be a growing problem - phishing over SMS, or SMiShing. Scammers are sending large volumes of SMS messages and telling users to perform similar actions as seen in the traditional phishing scams.

So far, malicious SMS’s have been seen to:

• have a URL embedded within the message instructing the user to invoke that link with the phone web browser
• instruct the user to divulge sensitive information
• tell the user to download and install software to their phone that will compromise information on that device

Again, as in the traditional forms of phishing, this technique relies heavily on fraudsters masquerading as legitimate entities or using some form of deception.

Fox News story available on Google Video from here

Powered by Gregarious (41)