Posts Tagged ‘mobile security’
From the desk of Perimeter E-Security CTO Andrew Jaquith: New -as-a-Service risks, the hot mess that is Android, why your password policy stinks, and two other sizzling security predictions.
In 2012, we saw increased worries about nation-state-sponsored cybercrime, mobile security, and the resurrection of an old tactic: the venerable denial-of-service attack. On the heels of our year in review post, in which we examined a number of topics that got and held our attention in 2012, last week we unveiled five new predictions for 2013.
Prediction 1: CISOs will wrestle with the risks of “as-a-Service” platforms
“The Cloud,” to many, has become a way of characterizing hosted applications and services that have had some “extras” added to them: elastic usage, geo-redundancy, instant-on, instant provisioning and by-the-drink pricing. Or to put it differently, ten years ago, when we talked about The Cloud, what we meant was a highly available application hosted by Somebody in a bunch of distributed Somewheres, the net effect of which was to create the effect of seamless availability; applications as a utility. Salesforce.com is the example par excellence of what The Cloud was to many observers just 10 years ago.
But as with every maturing technology, the cloud has split into three layers. At the top is what the cloud used to be: traditional web applications, such as Salesforce, and many cloud email vendors (including us!). At the bottom sit Infrastructure-as-a-Service (IaaS) vendors such as Amazon’s EC2 service that provides virtual machines for hosting your own servers; this category emerged five to seven years ago.
The cloud’s middle layer, Platform-as-a-Service (PaaS), is the newest to emerge, and by far the most vibrant and interesting. This layer includes application, storage and middleware services that customers can use without worrying about the underlying hardware. PaaS includes database-as-a-service vendors such as Cloudant and Platfora; Web framework cloud providers such as CloudBees, Google and Joyent; and mobile specialists such as Kinvey. More and more IT projects are moving to these types of vendors, and as a result, risk — and customer data — is moving out to these environments as well. Speaking as a weekend developer and observer of our own practices here at Perimeter, PaaS is by far the most interesting area of IT today. It’s why the “Dev Ops” role, which has become the hottest job title for Internet-time companies, is also the hardest to fill.
Most CISOs have been insulated from, or have been willfully blind to, the adoption of PaaS by business units and internal development teams. It’s also safe to say that traditional risk auditors have no idea what to do with PaaS. But in 2013, we think that Platform-as-a-Service will rocket to the top of CISOs’ list of concerns.
Prediction 2: Android’s security issues will force CISOs to take action
The numbers from Big Research are clear: the majority of email and Internet-capable devices sold today are smartphones and tablets, not traditional PCs. And the majority of smartphones are Android devices. Most are ActiveSync-capable and can access corporate email. It stands to reason that many employees will want to bring their Android devices to work.
Android has lots of problems, though. The first problem is that Android is highly fragmented. On the market today, one can find hundreds of devices from dozens of manufacturers running a dozen versions of the Android operating system, all with different security capabilities. Some have hardware-based encryption; most don’t. Customers have no guarantee which key security capabilities will be present, such as detailed password controls, encryption, app management or device restrictions. And then there’s the malware problem: without a centralized system for verifying application provenance, it is easy for malware writers to create and distribute malicious apps. In short, Android is a hot mess. We think that in 2013, increased malware, and limited corporate security and manageability features, will force CISOs to take drastic measures to deal with Android devices on their networks.
Prediction 3: Cloud application vendors will compete on metrics
If your CIO wants to move popular workloads to the cloud, such as customer care, email or Web hosting, you have many choices. But too often, the market for cloud services is an opaque one. Most cloud application vendors promise “availability” and “reliability,” but what does that mean? Actual, hard evidence is lacking. We’ve looked at the popular so-called “dashboards” that many cloud application vendors provide. Nearly all of them are terrible; most of the time, you see only crude checkboxes that say your service is up, or that it is down, or that it might be down. I call these types of displays “up, down, whoops” dashboards. Worse, you very rarely see time-series information about how services have been trending over time, and performance data (latency and throughput) is nearly always omitted. For customers that are seeking to justify their potentially career-limiting move to the cloud, this kind of opacity is no help at all. I can understand why opacity is the vendor’s default stance: publishing performance data gives customers more tools to measure against SLAs, and failure to meet SLAs costs the vendor money. But that’s a rotten deal for customers.
We think that in competitive markets, cloud vendors will find new ways to differentiate. Transparency is one area. We think cloud application vendors need to steal a leaf from developer platform vendors’ playbooks. For example, if you take a look at GitHub’s status page you can see a gorgeous chart with amazing detail, time-series analysis, commentary and performance data. It’s no secret why a developer-focused, Software-as-a-Service site might care a lot about its own performance: it is catering to people (developers, developers, developers!) who really, really care about performance too.
In short, in 2013 I predict that savvy cloud apps vendors will start treating their customers less like hostiles they need to hide things from, and more like audiences they must cater to. In 2013, expect to see “members-only” apps dashboards that offer far more than up/down/whoops.
Prediction 4: California will become the de facto privacy regulator
Data privacy is one of the CIO’s biggest challenges. Ten years ago (!), with SB 1386, California was the first state to adopt a data breach disclosure law that regulated personally identifying information. Forty-nine states have followed suit. The HITECH portion of the American Recovery and Reinvestment Act of 2009 (aka “The Obama Stimulus Bill”) did the same for protected health information, and it’s fair to say that 1386 served as a model for that, too.
In the last year, data privacy concerns have spread to the mobile realm. We wrote extensively about this topic in 2012. Now, with recent stories about the California Attorney General suing mobile app developers for failure to disclose mobile data collection policies, California is once again taking the lead in a new area of regulation. Indeed, we think that the scope of what is considered controlled information will spread to mobile user and location data.
That said, it would be foolish to wait for national regulation. Congress has bigger issues to think about (fiscal cliff, anyone?). In the absence of strong guidance from Washington, the government body that matters most is the state of California. As a result, we think CIOs at every U.S.-based B2C company will be forced to adopt the “high watermark” strategy for safeguarding customer data, using a “California first” strategy of establishing what that watermark should be.
Prediction 5: Your password policy will undergo a major overhaul
Every company’s information security policy starts with the need to have a “good” password. But passwords have been stuck in a time warp since the 1990s. Your policy probably looks like this: eight mixed-case letters and numbers, one special character and mandatory changes every 30 to 90 days. Why this formula? It is about the most complex password that employees can tolerate without clawing their eyes out in frustration.
But advances in password-cracking clusters mean that your decade-old password policy isn’t going to cut it for much longer. A 24-GPU cluster, for example, can break any conceivable Windows eight-character password in just a few hours. Many CISOs would conclude that, logically, one can simply require passwords to be longer, for example 12 characters. This would be the easy choice, but it would also be the wrong one.
Here’s why. When faced with a mandate to create a longer (“stronger”) password, we can safely predict that employees will attempt to cope by composing the weakest password they can possibly remember and change on a regular basis, for example, an 11-character English word with a number tacked on the end. Then each month, our fully-compliant employee will simply increment the number upwards by one. Paradoxically, this has the unintended consequence of making their passwords less random and therefore easier to crack.
There is another way out. Faced with the paradox that the need for longer — but still frequently changed — passwords will inevitably lead to weaker ones, many companies will do instead what they should have been doing all along: require longer passwords (16 characters), but eliminate the need to change them regularly unless there is a suspected compromise. This promotes “muscle memory” because a password that does not change can be committed to memory, and becomes automatic. Some companies may also take the opportunity to get rid of passwords entirely, and replace them with stronger authentication methods such as certificates.
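To put numbers behind the argument in Prediction 5, here is an added example (not code from the original post or from Perimeter) that compares the candidate space of random passwords under 8-, 12- and 16-character rules with the “11-letter word plus an incrementing digit” coping pattern the post describes, and adds the kind of policy-side check that catches that pattern regardless of length. The guess rate, the 94-symbol alphabet and the 20,000-word dictionary size are assumptions chosen for comparison, not figures from the post.

```python
import math
import re

# Assumption: printable-ASCII alphabet of 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = 94
# Assumption: a hypothetical guess rate used only to compare policies with each
# other. The post's "24-GPU cluster" remark gives no rate, so this is a placeholder.
ASSUMED_GUESSES_PER_SECOND = 1e11


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy when every candidate in the space is equally likely."""
    return math.log2(space)


def hours_to_exhaust(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case hours needed to try every candidate at the given rate."""
    return space / rate / 3600


def word_plus_counter_space(dictionary_size: int, counter_digits: int = 1) -> int:
    """Candidate space of the coping pattern described above: a dictionary word
    with a short number appended and bumped by one at each forced change."""
    return dictionary_size * 10 ** counter_digits


def compare_policies(dictionary_size: int = 20000) -> dict:
    """Side-by-side view of three random-password length rules versus the
    word-plus-digit pattern that a 12-character rule tends to invite."""
    policies = {
        "random 8 chars": keyspace(FULL_ALPHABET, 8),
        "random 12 chars": keyspace(FULL_ALPHABET, 12),
        "random 16 chars": keyspace(FULL_ALPHABET, 16),
        "word + 1 digit": word_plus_counter_space(dictionary_size, 1),
    }
    return {
        name: {"bits": round(entropy_bits(space), 1), "hours": hours_to_exhaust(space)}
        for name, space in policies.items()
    }


# A dictionary word (6+ letters) followed by a one-to-three digit counter.
WORD_COUNTER = re.compile(r"^([A-Za-z]{6,})(\d{1,3})$")


def looks_like_word_plus_counter(password: str, dictionary: set) -> bool:
    """Policy-side check: reject passwords that are just a dictionary word plus a
    counter, however long they are. `dictionary` holds lower-case words."""
    match = WORD_COUNTER.match(password)
    return bool(match) and match.group(1).lower() in dictionary


if __name__ == "__main__":
    for name, figures in compare_policies().items():
        print(f"{name:16s} {figures['bits']:6.1f} bits  {figures['hours']:.3g} hours")
    # Constructed dictionary for the demonstration.
    print(looks_like_word_plus_counter("Perimeter12", {"perimeter", "security"}))
```

The table the script prints shows why the 12-character mandate backfires: the word-plus-digit space is smaller than the random 8-character space by many orders of magnitude, whatever rate you assume, so the policy that matters is the one that rejects the pattern and stops forcing the monthly increment.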
So, that is the quick rundown of our predictions for 2013. I’ve barely scratched the surface in this post; you can find much more texture, depth, nice-looking slides, color commentary and (yes!) a few jokes in our webinar recording. If you would like to hear how these fearless predictions will affect your business in 2013 — and most important, what you can do about them — check out our on-demand webinar here: Five Security Predictions for 2013.
See you in the New Year!
As the song goes, It’s The Most Wonderful Time of the Year. It’s the time of the year we write out our holiday cards, buy presents, think kind thoughts of our friends and family, and wax nostalgic.
Security is a big enough deal that it, too, warrants reflection and (dare I say it), a little bit of nostalgia. It’s the gift that keeps on giving. In that spirit, let’s dig up some of the tastiest chestnuts from the preceding 11 months, and gently roast them where appropriate. Given my sense of humor it’s going to be, shall we say, a dry roasting.
Here’s what got our attention in 2012. As is customary and appropriate, we spent a lot of time worrying about malware. The cloud — with all of its opportunities and challenges — was the second most important topic on our minds, along with mobile security. As you might expect, given our customer base of over 1,800 banks and credit unions, we analyzed financial services topics in depth. A variety of other topics got our attention, notably October’s National Cyber-Security Awareness Month and Mac security.
Each of these topics takes time to review. So, let’s get nostalgic.
In 2012, it was clear that malware continued to be a problem for many companies. Of all of the topics we wrote about in 2012, we wrote about malware the most. Malware concerns came in four categories: web malware, new attacks, legacy malware and administrator-targeting malware:
- Web malware — because of the ubiquity and reach of ad networks, attackers have made it a priority to attempt to infiltrate and infect ad servers. My colleagues, analysts Evan Keizer and Grace Zeng, wrote extensively about a banner-ad infection campaign that caused MLB.com to inadvertently serve malware. Unfortunately there are no easy fixes for banner infections; webmasters (and their colleagues in marketing) must be extremely vigilant.
- New attacks — the Flame malware family, which some have called the most sophisticated malware ever discovered, was discovered in May by our friends at Kaspersky and widely covered. We thought it was notable enough to write about, too. Just to show that I don’t have a monopoly on bad puns, my colleague Rick Westmoreland asked, “Flame: Is it getting hot in here?”
- Legacy malware — we saw campaigns targeting old-school programs like Symantec’s venerable PCAnywhere. (If you are asking yourself, “do they still make that?” you aren’t alone.) Malware targeting Microsoft’s RDP protocol also spread rapidly; we felt it was dangerous enough to issue an advisory.
- Administrator-targeting malware — the most insidious malware campaign we saw in 2012 was one targeting Plesk, an administrative console for website operators. This was a little scarier than most campaigns because it obviously targeted people who already have a high level of privileges — your IT guy. This is the kind of thing that presages an industrial espionage campaign, a topic I covered at length in my webinar “The Hype and Reality of APTs,” something you should watch. (Ed: I am not joking. Really, go watch this; it deflates the APT hype balloon.)
In 2012, Cloud security topics were right up there with malware in our consciousness. Call me crazy, but to me “the cloud” is a fancy name for hosted services mashed up with virtualization, and juiced up with instant-on provisioning and elastic usage billing. It’s a new — and welcome — twist on an old concept. Companies want to use the cloud in areas where it makes sense — for hosted email, productivity, and sales automation — but they want to do it only when they can be assured that their data is secure.
My colleague Grace wrote about a key class of cloud risks: the security of servers in the cloud. She performed experiments in which she placed 12 unprotected servers in the Amazon cloud and watched what happened. The headline: on average, your new cloud servers will start seeing scans, probes and potential attacks within an hour! Scary stuff — if you haven’t already, you should read these posts.
On the positive side, Perimeter created a series of video blog posts called the Cloud Owners’ Manual that took strong points of view on how companies should think about the cloud, and what they should be asking their vendors. Looking spiffy in a suit, I spoke on camera about key customer concerns about the cloud, and gave prescriptive guidance on the cloud in general, customer fees, data protection, data privacy, contractual terms, and contract termination. As an analogy, I compared cloud security requirements to car safety belts. Did you know that since the advent of car safety technology, based on US DOT official statistics, people now drive faster and have fewer accidents? It shows how safety gear is a precondition for faster, safer driving. To put it differently: confidence requires security. And by analogy: so it is with the cloud.
From iPhones to iPads to Galaxies, mobile devices continued to move to the top of IT security managers’ list of concerns. Beyond the sheer proliferation of devices, we observed four key trends:
- Bring your own device. When I was an analyst at Forrester, my then-colleague Natalie Lambert coined the term BYOD and wrote quite a bit about it. That was four years ago. Now, it’s the hottest thing in IT. What do companies do about it? For our part, Perimeter answered the bell in September when we unveiled our Cloud MDM service in partnership with AirWatch. In the service, we included strong default policies and a unique BYOD Kit that provides prescriptive guidance for all of the areas employers need to worry about: data rights, support, confiscation, and many other topics. We think the right solution to BYOD is holistic, and encompasses the domains of policy, technology and law.
- Developer ecosystem concerns. In September, developer Blue Toad had 12 million Apple unique identifiers (UDIDs) stolen. This shined a spotlight on a fragmented, shadowy part of IT: the thousands of smallish, contract mobile app developers, very few of whom are likely following mobile app security best practices. Watch for this topic to explode in 2013 as the Mobile Backend-as-a-Service (MBaaS) category heats up.
- Data privacy. In the first quarter, we saw a controversy erupt over the Path app, which was uploading customer address book records to their servers unbeknownst to customers. I called Path an example of “nosy apps” and characterized data privacy as the “third rail of mobile.” These kinds of negative stories had an immediate impact on handset makers. Apple, for example, added significant opt-in controls to iOS6 that require customers to explicitly authorize app access to address books, photos, calendars, tasks, FaceBook account information and much more.
- iOS has been a benefit to security. Speaking of Apple, did you know that iOS is now over 5 years old? In that time, customers have gotten used to the idea of vendor-controlled app marketplaces, digitally signed and trusted operating system runtimes, and locked-down devices. We have Apple to thank for popularizing the concept, building on the kinds of concepts RIM and Symbian had initiated. See my in-depth 5-year iOS security retrospective for details about why I think iOS is overall a huge net win for companies and consumers alike.
Banks, credit unions, broker-dealers and other financial institutions continue to be a significant part of Perimeter’s customer base. We noted many, many threats to financial services customers in 2012. The rash of distributed denial-of-service (DDoS) attacks in September prompted us to issue a critical advisory to our customers. We followed up on the DDoS story in October; my colleague Rick Westmoreland called it “the new reality” for financial services firms.
In July, we inaugurated our first-ever Financial Services Threat Report for the first half of 2012, which described the most important threat trends our customers were facing in the year to date. We will be doing more of these reports, and our second-half report will be coming out after year-end. To help our credit union customers, Andrew wrote a three-part series on credit union security topics.
Beyond these four main themes, Perimeter noted several other trends. We weighed in on this newfangled concept called “cyber security,” which is what happens when government-type people get their hands on an otherwise perfectly acceptable phrase — that thing that most of us used to call “information security” — and dumb it down. I suppose cyber-security is, to paraphrase Deng Xiaoping, Security With Government Characteristics.
Whatever you choose to call it, we helped celebrate National Cyber-Security Awareness Month in October with four posts by my esteemed colleague Mr Mike Flouton:
- Utilities and critical infrastructure and their importance — see also John Viega’s post condemning the inclusion of automated SCADA exploits in Metasploit, and my post on metrics (“What You Can Learn from Your Energy Supplier”).
- Government’s role in cyber-security
- Health care as a critical sector
- Financial services security imperatives
Lastly, Perimeter wrote about those devices your executives and developers are probably now carrying: Macs. In October, we released a survey showing that Mac usage is up, and that security concerns are increasing. Earlier in the year, we alerted customers to something rather rare but important: a real-life Mac Trojan outbreak in the wild, the Flashback Trojan.
As I noted at the top of this post, security is the gift that keeps on giving. That’s good and bad. It’s bad for the obvious reason because the threats, concerns and challenges that got our (and the industry’s) attention affect companies and their customers everywhere. If security were a solved problem, we wouldn’t need to spend the time, attention and effort that we do.
I choose to be positive, though. Security threats and challenges are also good things. They remind us that, as professionals, we need to keep upping our game. New business frontiers such as mobile cause us to expand our horizons, become more involved with our colleagues and take the longer view.
As we look ahead to 2013, we are thankful for the continued support of our customers, colleagues and families. We at Perimeter wish you, dear reader, all the best this holiday season.
Your business is subject to new threats each day. Your employees are mobile: they go on the road, work from home and meet prospects for coffee. Many of them sport personal mobile devices with access to company information, such as email. And increasingly, you get requests for Mac computers in the workplace – especially laptops – which create new security headaches. You’re charged with providing a safe and productive workplace for your employees, but countless new security threats make this a constant, uphill struggle.
Perimeter recently conducted a survey of 113 IT professionals to help measure current laptop usage trends, Mac adoption rates and chief Web security concerns across small-to-midsize businesses. Not surprisingly, the results point to an industry-wide shift to more heterogeneous, mobile work environments – coupled with heightened IT security challenges and uncertainty. Among the key findings:
Sales of traditional PC desktops have plummeted and laptop usage has increased significantly in recent years. Our research reveals that laptop adoption is very prevalent among small businesses today, with a quarter of these respondents reporting 80 percent or more of their workforce regularly use laptops. “Roamers” – or companies whose employees most often use their devices on public WiFi networks – indicated the highest level of laptop use. Additionally, a significant minority (31 percent) of all organizations plans to increase the number of Mac laptops in the workplace over the next 12 months.
Macs in the Workplace
Historically, Macs represented only a small percentage of malware threats, and as a result, very few security software programs were developed to negate the threats. However, as businesses continue to expand policies allowing for employee-owned devices, many of them Macs, the threats are increasing and creating issues for security departments. Our study showed that 78 percent of IT managers want to have the same level of security on both Macs and PCs, yet 15 percent are unsure if their current security policies meet this need. Small businesses seem to be the most uncertain about Mac usage and protection, with 26 percent noting they are unsure about needing the same level of security for PCs and Macs.
Roaming and Web Security
On-premise Web security gateways that filter URLs and detect viruses work very nicely – assuming employees are actually on premise. But today’s modern workforce isn’t shackled to a desk. Because of this, a large majority of respondents (61 percent) are very concerned about the security of public networks. “Non-roamers” indicate the highest level of concern at 75 percent, while only 48 percent of “roamers” claim concern. This suggests that when security concerns are allayed, companies are more open and flexible about employees roaming off the corporate network.
You can read the full study in our new whitepaper – Rising Mac and Public WiFi Use Poses New Risks to Businesses. For organizations interested in learning more about protecting their Mac user base from today’s modern threats, we encourage you to check out Perimeter’s SaaS Web Security Client for Macs – the first in the industry.
Apple introduced the original iPhone in June 2007, a little more than five years ago. It’s appropriate at this point in time to ask whether Apple’s then-new, untested mobile platform has lived up to its promise as a secure platform. F-Secure’s Mikko Hypponen, one of the few consistently rational voices in the anti-virus vendor community, believes iOS has been good for customers from a security perspective. As he tweeted yesterday:
iPhone is 5 years old today. After 5 years, not a single serious malware case. It’s not just luck; we need to congratulate Apple on this.
On the opposite side of the argument is Sophos’ Josh Long. Although he concedes that Apple’s App Store is “relatively safe,” he argues that Apple could do a better job vetting and patching, and that the risks of jailbreaking are still high:
Security researcher Charlie Miller has previously figured out how to break the App Store anti-malware model using a flaw in the iOS code signing enforcement mechanism, and there have been reports of developers working around other App Store restrictions with clever tricks; see the Security Now! episode 330 transcript and search for “vetting.”… The history of jailbreaking iPhones and iPads has provided plenty of evidence that smartphone users are being made to wait too long to get security updates for their devices.
Early last week, I was attending the three-day WiSec 2012 (ACM Conference on Security and Privacy in Wireless and Mobile Networks) conference in Tucson, Arizona. This conference used to focus primarily on wireless security topics, but this year it attracted quite a few papers on mobile security. There was a whole session with five presentations on mobile device and application security – all of which were related to the Android platform. I was a presenter in this session, talking about my work titled “Design of SMS Commanded-and-Controlled and P2P-Structured Mobile Botnets.”
I have been researching botnet issues since 2007, when the Storm botnet was in its heyday. Botnets have primarily been targeting personal computers in recent years. Not until 2009 did I start to think about the possibility of mobile botnets, after seeing the growing popularity of the iPhone and Android-based phones. I felt that they would fall victim to attackers sooner or later because of the following factors:
- Frequent downloading and sharing of third-party applications (esp. non-market applications) and user-generated content
- More processing power and memory
- More personal and sensitive data stored
- Multiple communication interfaces (SMS/MMS, Bluetooth, EDGE/3G/4G, WiFi) coupled with mobility
- Lack of protection mechanisms
So I put myself in the attacker’s shoes to think ahead about how to construct a mobile botnet in an efficient and stealthy way. I designed a proof-of-concept mobile botnet that takes advantage of mobile services and stays resilient to disruption. Similar to PC-based botnets, a mobile botnet requires three key components: a vector to propagate the bot code; a channel to issue commands (a.k.a. command & control channel); and a topology to organize the botnet. Our bot code can be propagated through user-involved vectors such as hiding itself in popular game or system applications to entice users to download and install it. My design primarily focuses on the command & control channel and the topology shown in the figure below. In this botnet, all C&C communications are transmitted via SMS messages, and these messages are disguised as spam to be less noticeable. For example, the spam-like message shown in the figure actually encodes a command that asks the bot to send system information (SYS_info) to a server. To hide the identity of the botmaster, I adopted a P2P topology to allow the botmaster and bots to publish and search commands in a decentralized but structured fashion.
When I first started demonstrating the reality of mobile botnets in 2009, I received comments like “Mobile botnets are not realistic” and “Why would attackers bother to compromise smartphones? – there isn’t much a phone can do.” Over the past three years, we all have witnessed the evolution of mobile malware that has not only grown in number but also become sophisticated.
A few pieces of mobile malware in the wild have already demonstrated botnet-like behavior. For example, in February this year, a malware application called RootSmart was discovered in third-party Android markets in China and made headlines immediately. It was estimated to affect between 10,000 and 30,000 phones on any given day. Once started, RootSmart connects to a remote server to send information about the infected phone and fetches an exploit to root the phone. The infected phone is configured to send premium SMS messages and use other premium telephony services. Though the infected devices haven’t launched any coordinated large-scale attacks, they could potentially be instructed to do so because the attacker has full control of the rooted devices. Observing the advancement of mobile malware, people have realized that mobile botnets are becoming a real threat. This emerging threat particularly concerns enterprises due to the exploding trend of employees using their mobile devices for company purposes – compromised smartphones that have access to privileged company resources can cause an enormous security problem. At the conference last week, the questions asked were: “Will mobile botnets be a more serious threat than PC-based botnets?” and “What countermeasures can we use?”
Indeed, my objective is not just to demonstrate that a mobile botnet can be stealthy, resilient and as sophisticated as a PC-based botnet, but to spur discussion on how to defend against this threat before it becomes serious. Although mobile botnets sound scary, unlike PC-based botnets that can infect your machines without your consent, mobile botnets cannot get to your phone without you taking some action. So, users, you are the first line of defense! Use caution when you download and install an application. (Android users, please pay attention to the permission list that is prompted to you and use good judgment. Does the application require strange permissions like sending/receiving SMS messages?) I believe an informed user can ward off a majority of mobile malware on his own.
Unfortunately, many users have poor judgment. So automated detection solutions are still indispensable to securing mobile devices. Here are some options:
- Mobile application certification is useful but has limitations. Apple has tight control over applications placed in its App Store, though it cannot limit what jailbroken iPhones do. The certification required on the Android Market is not difficult to get around – that’s why we have seen numerous pieces of disguised malware plaguing the Market. What is worse, there are many third-party Android application markets with malware circulating around. I think an additional protection such as an install-time certification is necessary. For the Android platform, an install-time certification can automatically analyze the application as well as its permission list and tell if it requires more permissions than it needs. In a proactive manner, it can alert the user or even prevent the application from installing if something suspicious is found.
- Network-based detection should complement host-based detection. Host-based detection solutions for mobile devices have been around for a while. Like their PC counterparts, such solutions may be disabled and uninstalled by malware. Since network-based detection is more resilient and has a good view of all devices’ traffic, it is better off working together with host-based detection to provide an additional layer of protection. But unlike in the PC world where a firewall and IDS/IPS can be placed at the entry point of a LAN, there are few vantage points in a mobile network. So a network-based detection solution has to scale well in order to protect a large number of mobile devices.
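As an added example (not code from the paper, the post or Perimeter), the sketch below implements the two defensive layers just listed: an install-time check that reads an Android manifest’s permission list, compares it against what an app of that category plausibly needs, and blocks anything that asks for the SMS and boot permissions an SMS-controlled bot or premium-SMS dialer would want; and a minimal network-side heuristic that flags devices messaging unusually many distinct destinations. The category baseline, the high-risk set, the fan-out threshold and the sample manifest are all constructed assumptions; the permission names themselves are standard Android ones.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Android manifests put permission names in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions an app of a given category plausibly needs. A real
# install-time certifier would learn or curate this per category.
EXPECTED = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.VIBRATE",
    },
}

# Assumption: permissions that let an app take SMS commands, bill the victim,
# or restart itself at boot; any of these in a game warrants a block.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_CONTACTS",
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_manifest(manifest_xml: str, category: str) -> dict:
    """Install-time check: report permissions beyond the category baseline and
    any high-risk ones, and decide allow / warn / block."""
    declared = declared_permissions(manifest_xml)
    excess = sorted(declared - EXPECTED.get(category, set()))
    risky = sorted(declared & HIGH_RISK)
    verdict = "block" if risky else ("warn" if excess else "allow")
    return {"excess": excess, "high_risk": risky, "verdict": verdict}


def sms_fanout_alerts(records, max_destinations: int = 20) -> list:
    """Network-side complement: given (device_id, destination) message records,
    return devices that messaged more than `max_destinations` distinct numbers.
    The threshold is an assumption and would be tuned per population."""
    destinations = defaultdict(set)
    for device, dest in records:
        destinations[device].add(dest)
    return sorted(d for d, seen in destinations.items() if len(seen) > max_destinations)


# Constructed sample: a "puzzle game" that also wants SMS and boot permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Puzzle Game"/>
</manifest>
"""

# Constructed sample: one device messaging 25 numbers, one messaging a single number.
SAMPLE_RECORDS = [("dev-a", f"+1555000{i:04d}") for i in range(25)] + [("dev-b", "+15551234")]

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, "game"))
    print(sms_fanout_alerts(SAMPLE_RECORDS))
```

The audit is deliberately conservative: a game declaring SEND_SMS is blocked outright rather than merely warned about, while an unexpected but low-risk permission only produces a warning for the user to judge. The fan-out check has the limitation the post notes for network-based detection, namely that it needs a vantage point that sees the messaging traffic of many devices, which is why it complements rather than replaces the host-side check.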
Interested readers: For more details, please refer to my WiSec paper here.
Most readers of the Perimeter STAR Team blog probably know where I stand on mobile security issues. I believe that mobile malware, other than on the Android platform, is a tempest in a teapot stirred up by anti-virus vendors scaring up new markets. I believe that modern mobile operating systems are, as a species, much more secure than their PC counterparts due to platform features such as sandboxing, trusted boot and code signing. I believe that vendor-managed App Stores, as constraining as they are in many ways to developer freedom, offer the prospect of significantly increasing customer security.
And most significantly, I believe that data privacy is the third rail of mobile. Exhibit #2,080 was furnished today by Path, a social networking service that connects friends and family. Path offers both web-based and native clients, and is arguably the fastest-growing social network out there, mushrooming to 2 million users in just over a year of operation.
But Path has a problem. Earlier today, researcher Arun Thampi found that its mobile apps have been caught copying customer data up to Path servers without consent. Just what did Arun find? He found that:
Two days ago little-known “activist investment fund” Jaguar Financial made a lot of waves in the Twitterverse by calling for Research In Motion to take dramatic steps to save their business. They want RIM to:
- Fire the co-CEOs
- “Monetize its patents,” which I interpret as meaning “sue lots of people and hope to bring in lots of money”
- Focus exclusively on services, notably the RIM delivery network
- Sell off the handset and tablet businesses
I’m probably giving Jaguar far more exposure than it deserves by writing up a quick post about this. The first idea, firing the co-CEOs, is hard to argue with. It is clear that, five years after the launch of the iPhone, RIM is no closer to figuring out how or why Apple has — somehow — managed to eat its lunch. Its next-generation BBX (whoops, BlackBerry 10) operating system will be over a year late. And anecdotes from former RIM insiders make it sound like a place that puts the “fun” back in “dysfunctional.” While I never wish anyone in corporate life ill, it is clear to me that the company needs new leadership. RIM’s co-CEOs (how weird is that, anyway?) should gracefully retire before the board fires their asses.
Other ideas are questionable. The “monetize your patents” recommendation is no shingle to hang a sign on. Patent wars are the last refuge of the desperate. It hasn’t worked out too well for Kodak, its neighbor 175 miles to the east, has it?
The last recommendations, to (1) sell off the hardware division and (2) focus exclusively on services, strike me as the sort of crazy you might get from someone who doesn’t actually understand RIM’s business. Has Jaguar been reading the news over the last few months? RIM had a series of crippling outages earlier in the fall that knocked its uptime back to three nines (99.9%) and left millions of customers without connectivity. RIM is the only handset vendor that continues to cling to a proprietary network delivery model, years after TCP/IP over cellular became ubiquitous. Most enterprise buyers I talk to are dumping their BlackBerry devices largely because of network problems. RIM’s network isn’t some kind of shining jewel; it’s an albatross. In fact, I’ve previously forcefully argued the opposite of Jaguar’s recommendation: that RIM must get rid of its network before it’s too late. Telling RIM to focus on its network is like telling AT&T that it needs to beef up its investments in ATM and X.25, or that Kodak ought to redouble its efforts in silver-halide photography.
Which brings us back to recommendation #1. Investors can make a strong case for firing co-CEOs Mike Lazaridis and Jim Balsillie on the general grounds of being technologically tone-deaf, strategically blinkered and competitively clueless. But stupid they are not, which is why I give Jaguar’s recommendations a zero percent chance of happening.
The Perimeter STAR Team holds its “Heard on the Street” call every week on Wednesdays. On these calls, the team discusses hot security trends, current events, and issues that our customers should be aware of. Below is an annotated summary of the topics we discussed this week, which we present as a service to our customers and to the public.
This week, in a special edition of HOTS, we asked the team to bring two ideas with them: (1) their favorite security, email or networking story of the year (either “best” or “worst”) and (2) one surefire prediction for 2012. Here’s what the team discussed, which we present for your entertainment.
Will Campbell, Senior Director, Network and Infrastructure Engineering
Will’s Evidence-of-Scarcity Story of the Year: IANA gave out the last IPV4 address blocks this year. In 2012, we will see a lot more constraints on giving out address blocks. This will cause more companies to adopt IPV6. Note that this has already happened in countries outside the US, which weren’t given as much address space to begin with, and so depleted their blocks more quickly. As a result of the increased uptake in IPV6, we expect to see more IPV6-related security weaknesses.
On a side note, Perimeter owns a Class B IPV4 address block. We’ve used about 1/4 of it. (ARJ asked, jokingly, whether we could put it on the company’s balance sheet as an asset.)
Will’s Reality-Distortion-Field Prediction: More companies will try to emulate Steve Jobs with their products: better focus on customer experience and product design. They will avoid putting “the sales guys” in charge.
Will’s Stick-Money-Under-The-Mattress Prediction: As a currency, the Euro will fail next year. Greece will essentially be “voted off the island.” As evidence, just look at the trouble Germany had selling its own bonds a few weeks ago.
Tom Neclerio, SVP Professional Services
Tom’s Advanced, Persistent Story of the Year: by far, it was the RSA hack. It shed a lot of light on a subject that wasn’t talked about much before: advanced, targeted attacks that go after a company’s trade secrets.
Tom’s Take-It-To-The-Bank Prediction: I predict mobile data leakage features will become a major point of focus for banks in 2012. I’ve talked to many banks that are used to the idea of using data leak prevention (DLP) software to filter out violations in their email systems. They are very worried about data loss over mobile phones. A key problem is that on personal mobile devices, the owners typically use both personal and work email accounts on the same device. Without appropriate controls, it is too easy to forward emails from work to Gmail, for example.
[Note from ARJ: Perimeter/USA.NET's SaaS Secure Messaging suite provides channel DLP features for detecting credit cards, social security numbers, keywords and other patterns. We'd be remiss if we didn't tell you this, right?]
Ron Martin, QA Manager
Ron’s Story of the Year: I’d agree that the RSA story was it.
Ron’s Credit-Card-With-An-Antenna Prediction: We will see more personal data theft coming from smartphones. There are two problems. From the company perspective, they worry that their information will be stolen or leaked. That’s the first problem. On the personal side, consumers and employees who possess these devices are at increased risk of the theft of personal financial information.
Ron’s Fear-The-Cloud Prediction: We will see at least one new class of vulnerabilities introduced related to cloud services. Cloud platforms are relatively new, and while the attack methods are likely to be similar to those seen with other technologies, cloud has some unique properties. We will see at least one new novel attack technique disclosed, and perhaps used against a major cloud infrastructure provider such as Amazon, Rackspace, GoDaddy or IBM.
Jeff Lathrop, Senior Exchange Developer
Jeff’s Trust-Is-For-Suckers Story of the Year: some of our supposed gatekeepers to the Internet — the SSL certificate authorities — were compromised this past year. As we saw in three cases, Comodo and Diginotar were shown to have issued certificates to unauthorized parties. In Malaysia, the DigiCert CA’s root was revoked by Mozilla and Microsoft after having been shown to be issuing weak certificates in violation of best practices.
Jeff’s Wearier-But-Wiser Prediction: In 2012, we will see more of the same. None of the problems we saw reported this year have been fixed: the CA issues, DNS problems, personal data leaks on smartphones, privacy issues with Facebook and Google etc. With Facebook, for example, all they got was a slap on the wrist. Because none of the underlying root causes were fixed, 2012 will be a lot like 2011, but more of it.
Andrew Jaquith, Chief Technology Officer
Andy’s Wearier-But-Not-Wiser Story of the Year: The RSA breach was the biggest one by far, as measured by the amount of company resources it took to deal with it. We are an RSA reseller and thus a partner. We learned about the breach by reading a press release. Our customer support teams, operations staff, corporate communications teams and executives worked hard to understand the issue in depth, keep customers informed and create an action plan. That’s hard to do with a breaking story, especially when the vendor isn’t forthcoming about the risks. We wish RSA had handled the situation differently.
Andy’s Tipping-His-Hand-For-Next-Week Prediction: Because we will be hosting our annual “Five Predictions for the New Year” webinar next Wednesday, December 12th at 2PM Eastern time, I’d rather not tip my hand about what all of our predictions are in this post. In the meantime, here is one we will be talking about. I predict that in 2012 we will see legislation enacted that makes it a crime to mishandle location-based information contained on a mobile device. There will be generous carve-outs for the usual suspects: national security and cellular carriers. Come to our webinar next week and find out the other four!
Have you heard about the tracking software built into just about every smartphone on the market?
Trevor Eckhart, an independent security researcher, recently posted a video examining hidden software from a vendor named Carrier IQ which comes pre-installed on the most popular mobile devices on the market today, including HTC, Blackberry, Apple and many others. In the video, Trevor shows how Carrier IQ’s software logs every Google search query and text message; the URLs of websites searched; and phone numbers entered into the keypad. This information is then sent back to your mobile phone carrier. Eckhart’s video shows how even data sent over supposedly secure connections to websites via HTTPS was logged as well.
After disclosing this information to Carrier IQ and questioning the company about the purpose behind what is, essentially, a rootkit, Eckhart was threatened with a cease and desist order. Fortunately, Eckhart was able to retain the Electronic Frontier Foundation after which the company backed off on its threats.
Carrier IQ now states that their software is for “gathering information off of the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life” for the benefit of mobile phone carriers. Despite the company’s statements, Perimeter feels the Carrier IQ software introduces significant privacy concerns. Users should have been notified of these information-gathering activities, and given the option to “opt-out” from the get-go.
The best way to determine whether your mobile service provider uses Carrier IQ is to watch closely for their press releases. As of now, only Sprint has admitted to using the software on their customers’ phones. Verizon has indicated they do not use Carrier IQ, and we are still waiting for statements from T-Mobile to surface.
Unless you have a rooted Android device, you will not be able to determine if your phone is running Carrier IQ. Thankfully, Gizmodo is keeping an up-to-date list of phones which are confirmed to not have Carrier IQ installed. Blackberry has issued a statement indicating that they do not ship their products with Carrier IQ, but that does not mean your carrier didn’t slip it on your phone. Apple has indicated that it doesn’t collect any personal information, keystrokes or messages.
Apple claims they stopped supporting CarrierIQ with iOS 5 in most of their products and plan to remove it completely in a future software update, though the company has not given out a timeline for when the update will be released. For those of you using an iPhone, here are some quick steps on disabling Carrier IQ:
1. Go into Settings.
2. Go into General.
3. Go into About.
4. Go into Diagnostics and Usage.
5. Click Don’t Send. On the chance that your iPhone does indeed have Carrier IQ installed, the information it is gathering will no longer be sent to Apple.
This is a developing story. We will continue to monitor the ongoing investigations about Carrier IQ’s capabilities and how the carriers are storing and using this data.
I read a lot of blogs. Skim them, actually. In addition to the roughly 200 blog posts per day on security that strafe my consciousness like little daily meteor showers (courtesy of the Security Bloggers Network and about 60 other blogs I subscribe to), I also skim posts from another 70 blogs in areas ranging from politics and economics, to design, architecture, programming, food and sports. I do this because it’s important to synthesize widely from a lot of sources, and because it gives me a broader view of (among other things) how technology is affecting society.
One of the “professional hobby” topics I watch closely is health care. One of my main sources of insight are the posts of local “geek doctor” John Halamka, who is CIO of Beth Israel Deaconess Medical here in Boston. He always writes good stuff. If you haven’t checked out his blog, you should. Although he isn’t a security professional per se, much of the work he does touches at least tangentially on security. For example, he has written extensively about the security controls needed to safely govern Meaningful Use, which describe how hospitals and clinics should be using electronic medical records in order to qualify for stimulus funds made available for modernizing their systems.
I find it hard to believe that a man who receives 1000 emails per day (as he says he does) is able to bang out blog posts with the regularity that he does, but there you are. Amazing.
Anyway: John’s latest post is a good one. Simply titled “More BYOD Worries,” John cites the multitude of Android malware stories (much in the press lately), vulnerabilities in Siri, and various iPad woes. These stories, and other concerns, have caused him to raise the alarm about investments that will be needed to be successful with Bring-Your-Own-Device (BYOD) programs. Succinctly put:
It’s very clear that in 2012 and beyond we will have to move beyond policy-based controls and we’ll have to implement technology based controls that may cost up to $10 per device per month. Given our 1000+ mobile devices, that could be a $150,000/year increased operating expense to protect consumer devices brought from home.
John is right about the need to secure consumer mobile devices with policy-based controls, by which he means mobile security software, or more broadly: mobile device management (MDM) software. I’ve written about this topic before as an analyst. The challenge, put simply, is this: how do you secure data on devices you don’t own? These software controls provide the solution. Here’s why.
The key insight here is that CISOs need to plan for a future where they don’t own any mobile computing devices. They should assume all mobile devices will be employee-owned. Of course, that won’t really happen. There will always be clinical systems that are company owned, and the “fleet management” ethos for laptops, desktops, and servers will be with us forever. But by using own-nothing as a base case assumption, you can successfully plan for every other scenario where any non-company device needs to get on your network for any reason. Got outside contractors that need access to your wireless network? Long-term consultants that are on-site for a month or more? Executives bringing their iPads to work? If you assume that all mobile devices on your network are owned by someone else, all of these possibilities are addressed. This isn’t a genius insight: the Jericho Forum has been advocating this posture for years, as has Mr Bruce Schneier, and my former colleague John Kindervag has written extensively about the “Zero Trust” network, a concept I was proud to help him articulate while I was at Forrester.
John’s post essentially reminds us all that Zero Trust, aka BYOD, means that health care CISOs need to buck up and buy MDM or mobile security software. But in hospitals, they should have been doing that anyway: consumerization isn’t the only reason. Look at the iPad: its increasing pervasiveness in hospitals is due to its ideal form factor for e-Prescribing, portable imaging, and other clinical applications. If you are a hospital CIO with fleets of iPads on the horizon, you know you need to have these devices under control. So you probably are already well acquainted with companies like MobileIron, BoxTone, AirWatch and Zenprise. Right?
But in citing the cost of the software, John doesn’t mention that he will save money on the other side of the equation: carrier wireless contracts that the hospital no longer has to pay. With BYOD, most companies do not pay the full share of the employee’s monthly bill. Some pay nothing at all, or make it the employee’s responsibility to remember to expense their bills. In my experience, employees at firms with BYOD programs are generally willing to share at least some expenses, because they get to use the device for personal email, photos and music, and apps. Partial or full cost-shifting of wireless expenses from the employer to the employee, in exchange for more convenience and satisfaction, makes sense for the business, and for the employee. It’s a win-win.
When you look at it like that, mobile device management software looks like a bargain: spend $10 per employee per month, get much better security than you had before, and save $40-100 depending on how much the employee pays. That’s the biggest no-brainer in the history of earth.