
Small Business Attack – Mobile Defense

  • At November 12, 2009
  • By Josh More
  • In Business Security

As mentioned yesterday, mobile devices are a pretty big threat.  In fact, it’s so obvious to those of us in security, that we often wonder why we don’t see many attacks along this vector.  Of course, that all changed this past weekend.  Now that we’ve had one that got media attention, there will be more… and they’ll be trickier.

So how do you defend against them?

The easiest way is to forbid such devices from accessing your network.  This can be done by limiting access on the perimeter to various services.  However, this won’t do anything if someone either:

  1. Brings their device to their workstation and does a manual sync.
  2. Has proprietary data on the phone that can be accessed by an attacker.

So it’s a bit more complex than that.  Some people solve the problem by giving all employees a standard mobile device.  IT is then responsible for maintaining the device and making sure that it’s secure.  This model is pretty much the same as workstations.  It balances the business’s control against the employee’s desire to be accessible.

Others say that the mobile device is the employee’s responsibility and invest instead in technologies that allow greater auditing capabilities.  This way it doesn’t matter what attack vector is used, because the data itself is protected.  It allows maximal flexibility for the employee, but does require that the audit technology be reasonably layered so that a failure in one spot doesn’t expose everything.

The real risk is when a business does neither. If mobile devices are allowed access, but not controlled or protected, and there is no internal audit process, an attacker can waltz right in and take what they want, all while some employee somewhere is distracted playing their iPhone Ocarina.

Small Business Attack – Mobile Attack

  • At November 11, 2009
  • By Josh More
  • In Business Security

Despite all the humorous commercials to which I am now receiving links, you may have in your possession an iPhone. You may have even gone through the lengthy process of installing unofficial software on it. So there you are, all happy with your fancy toy and feeling smart about yourself. Then, one day, you turn it on and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley… which isn’t quite the same thing, really.

It sounds far-fetched, but that’s exactly what happened to a large number of iPhone users over the weekend. A worm was launched that specifically targeted iPhones and spread over the web in just a few hours. Now, in this case, the author was just trying to make a point, and the media is generally taking a light view of things… after all, Rick Astley is funny, right?

Let’s take a different view of the situation.

Suppose that, one day, you turn on your iPhone and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley. You shrug, go on with life and check your email. While you check your email, you notice that things are a bit slow, but hey, it all works. You put your iPhone back in your pocket and head over to work. When you get to work, you see an upset security officer standing in your office, who informs you that someone hacked into your iPhone, copied all your email when you checked it, accessed your VPN password, used the VPN password to get into your network and download all your files, including the one containing access to your company’s bank account, and transferred all of the money overseas.

That’s a bit more than an amusing little attack, isn’t it? However, to be fair, it is a little bit unrealistic. Let’s take a more realistic view:

The exact same things happened, but the security officer wasn’t waiting in your office for you. In fact, the security group didn’t even know what was going on until the accounting group called and let them know… which happened only after accounting found the problem and was able to determine that it wasn’t an accounting error… which was well in excess of the normal 48 hour window. Now the money is gone, the business is going under and it’s your fault because your iPhone got hacked.

The risk here is that iPhones, Blackberries, Palms, Droids and the like aren’t phones. They’re little portable computers that work just like phones. More than that, they’re little portable computers that are always attached to the Internet, have no firewall, don’t run antimalware and are often connected directly to your network.

The fact that the first big worm just changed the background proves that we’re really lucky and should view this as a wakeup call.

Are you awake yet?

Security Lessons from Nature – Minimizing Shadows

  • At November 10, 2009
  • By Josh More
  • In Natural History

Imagine for a minute that you’re a bug. You wander around looking for food and avoiding predators. Now, most critters that predate on bugs aren’t exactly the brightest. They just sort of fly around and look for anything that looks buggy and then try to eat it. There are generally only two clues for buggyness: movement and contrast.

Basically, if something moves like a bug, it’s probably a bug. Of course, this is only good against the bugs that haven’t learned to just keep still. If you want to keep your little bug self safe and secure, all you have to do is not move when a predator comes at you… which is a lot harder than it sounds… and not 100% successful now that predators have learned the contrast trick.

Most days, there tends to be light around, and even though bugs have gotten pretty good at matching their surroundings, if the light comes from the wrong angle, it doesn’t matter how well you match your environment, you’ll cast a nice long shadow. If a bird is looking for an area of sharp contrast, it can find you even if you manage to stay frozen.

Bad news for bugs.

Unless, of course, you manage to reduce your shadow. If you are careful to shift your position or only land in pre-existing shadows, you can really reduce these shadows. Similarly, if you only come out during mid day and stay hidden during morning and evening, you’ll avoid the long shadows. Basically, you want to reduce the amount of your body that catches the light, which would reduce the amount of shadow, which would reduce the likelihood of attack.

We do the same thing in the security world. A system can be attacked in many (many (many)) ways. Looking just at a fairly standard Web system, a system can be attacked at: ssh, apache, mysql/postgresql, openssl, php/perl/ruby, ftp, or any modules contained within… and this assumes that the system has been hardened and isn’t running any of the common applications such as X, Gnome/KDE, OpenOffice.org, Firefox, portmap, r* commands, etc. The simple fact is that we load our systems with all sorts of fancy widgets, adding new functionality here and there, making it run faster (or at least, more interestingly) and, when an attacker looks at the result, it casts a very interesting shadow.

Simply put, everything you can install can be exploited. It may be reviewed. It may be well designed. It may be hardened. However, this is not a perfect world, and there are no guarantees. You can’t make sure that everything is running exactly as it should be, but what you can know with absolute certainty is that something that’s not there cannot be exploited. People have a really hard time robbing a house that’s not been built, and they’d have similar difficulties attacking a service that’s not running.

In I.T. Security, we call this reducing our attack surface. The term can apply to an entire business, a network, a server or just an application. The idea is pretty much exactly what a bug does. We want to make our shadow as small as possible, by reducing the number of protrusions and things that make the shadow interesting. In practice, this means reducing your business (you’re not a bug anymore, by the way) to just what you need. If you don’t need modems, don’t leave them plugged in. If you don’t need to be running telnet, don’t run it. If you don’t need to employ untrusted people at incredibly low wages, don’t do it.
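One way to measure the “shadow” a server casts is to compare what it is actually listening on against the short list of services the business has decided it needs. The script below is an added example, not code from the original post: it parses `ss -Hltnp` style output (the sample is constructed, with the post’s telnet, portmap and ftp daemons sneaking onto a web host) and reports every listener that is either not on the allow list or bound more widely than policy permits.

```python
import re
from collections import namedtuple

# Added example, not from the original post. SAMPLE_SS_OUTPUT is a
# CONSTRUCTED sample in the layout of `ss -Hltnp` (listening TCP sockets,
# numeric, with owning process); on a real host feed in the live output.
Listener = namedtuple("Listener", "local_addr port process")

SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1201,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1201,fd=6))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1330,fd=21))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=600,fd=5))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=410,fd=8))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1400,fd=3))
"""

# The shadow this web host is allowed to cast: port -> bind addresses that
# policy permits. The database may listen on loopback only.
ALLOWED = {22: {"0.0.0.0"}, 80: {"0.0.0.0"}, 443: {"0.0.0.0"}, 3306: {"127.0.0.1"}}

_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(text):
    """Turn `ss -Hltnp` lines into Listener records; skip anything else."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return found


def unexpected_listeners(listeners, allowed=ALLOWED):
    """Listeners not on the allow list at all (telnet, portmap, ftp in the
    sample) or allowed but bound more widely than policy permits (mysqld)."""
    return [l for l in listeners
            if l.local_addr not in allowed.get(l.port, set())]


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"trim the shadow: {l.process} on {l.local_addr}:{l.port}")
```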

The point here isn’t to say that you can be completely safe by minimizing what’s running… there is no completely safe. Any bug can get eaten, despite how good it gets at what it does. The point is that by minimizing the attack surface, you can get it to a manageable size. If bugs were the size of baseballs, cast huge shadows and were slow to maneuver, they’d be eaten awfully quickly. By staying small and relatively flat, they’ve been able to focus on better defenses (such as scent bombing, protective colouration, and just plain old tasting bad). The same applies to your business. If you limit what you’re doing and running to something manageable, it can then be managed.

It also helps not to move suddenly when someone flips over a leaf… but I’ve not yet figured out exactly how that applies to business.

Mythic Monday – Rolling Along

  • At November 09, 2009
  • By Josh More
  • In Mythology

There’s often something lacking when I read Native American mythology. Perhaps it’s that this form of mythology uses a different form of logic, perhaps the tales are fragmentary, or perhaps it’s because the original tellings were oral and participatory and it just doesn’t carry over to the written word. However, once in a while, you get a myth like this:


Why the sun rolls along

Sun was warned by a messenger, “Someone is coming to kill you.”

Soon a person came along and seized the Sun. He threw him toward the East, but Sun came back. He threw him toward the South, but Sun came back. The evil one came toward Sun again, but Sun began to roll along. Sun rolled and rolled and rolled along. He rolls along to this very day.

(From Shasta Indian Tales by Rosemary Holsinger.)

Clearly, there is something missing here. Such myths raise more questions than they answer… but lucky for us, this isn’t a mythology blog, so we can leave the questions alone. The point here is that the sun just keeps on rolling, no matter how the evil person tries to kill him. As with many things, it’s all about persistence.

I’ve had numerous projects in the works for years, and at some point, they just stopped moving forward. Due to a lack of energy on my part and other pressing concerns, progress just ceased. There’s only so much time in a day (mostly because Sun keeps on moving), and it’s sometimes not possible to keep everything progressing; something has to stop in order for other things to continue.  Last week, my blog stopped.  I had taken a week of vacation to make some progress on another project.  I had worked up a buffer of blog posts to cover the time I wouldn’t be paying attention to the blog… but I forgot about the post-push resting period.

Ooops.

The nice thing about being a mythic character such as Sun, is that you only have one thing on which to focus.  (Well, two if you count “rolling along” and “being glowy”.)  Here in the real world, we often have too many things going on to “keep on rolling” on more than one.  For me, the one thing that is always 100% consistent is monitoring security posture.  Things change every day.  In fact, just over the weekend, we got reports of an iPhone attack, a discussion on legacy systems, and a revival of an old attack.  Last month, there was a huge amount of malware to keep on top of as well as numerous patches from major vendors.  The threats never stop, so those of us in security have to keep on rolling.

Unfortunately, this means that other things have to be dropped sometimes. But hey, even Sun sometimes takes a day off, so I don’t feel that bad. I’ll just try to pick things back up and get to posting again. Hopefully I won’t miss too many days as I get things running again.

Copyright © 2013 by Josh More