What To Do About Mobile Devices That Lie 107
GMGruman writes "InfoWorld has caught two Android devices that falsely report security compliance that the Android OS does not actually support, and Apple quietly has dropped its jailbreak-detection API from iOS 4. So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? There's no easy answer, but Galen Gruman explains what current technologies can do to help — and how Apple, Google, and others might increase the trustworthiness of their platforms in the future."
Nothing (Score:5, Insightful)
Do nothing. Didn't we read yesterday that the NSA assumes they're compromised. Sounds like a healthy way to operate - for everyone. While it may sound slightly paranoid and a "hassle", this is only true initially IMHO.
Re:Nothing (Score:4)
Agreed, so much of "security" from a lot of these companies is simply ruthless marketing these days anyway.
Re: (Score:1)
This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it. US and its companies do the same, but they hide it.
Re: (Score:1)
Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.
Re:Nothing (Score:4, Insightful)
Perhaps it's because when some governments go after their citizens they don't bother with niceties like 'evidence', 'logs' or even 'trials'.
Re: (Score:2, Informative)
I am certain that Liu Xiaobo agrees with you, not that bad at all . . . .
Re:Nothing (Score:4, Informative)
Manning released thousands of confidential papers. Regardless of what we think about him (I support his actions, but then again, I'm not American), it's still more grave than a single re-tweet [allheadlinenews.com].
Re: (Score:1)
Re: (Score:2)
This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it.
Are we forgetting what happened last April? A huge amount of traffic, including that for .mil and .gov was routed through China. Monitoring that traffic could make future phishing attacks much easier, having had access to things like individual IPs and mail traffic.
What's honest or likeable about that? It's the stuff nightmares are made of.
http://slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]
Re: (Score:3)
Nothing. Not even if you're in the IT sec business. My first reaction was "oh goodie, consulting will increase!"
It didn't.
Nobody gave a shit.
Imagine this: You go to a company that not only has a lot of IP but also deals with China on a day to day basis because most of their manufacturing is there, present this to them and they dismiss it as "aw, that couldn't happen to us, our contractors are honest".
It's one thing to be spied on. It another to make it trivially easy.
Re: (Score:1)
Re: (Score:1)
what are you talking about?
NIST is not a guarantee of security. It's just saying that you are compliant with a gov't standard required to sell products to the government.
even FIPS 140-3 is not foolproof.
Blackberry encryption is also a joke and has been compromised in every country in the world, in a variety of ways.
Re: (Score:1)
Re: (Score:1)
gutless? you don't know shit.
try working with fips and you might know a ltitle more.
just because it isn't 100% doesn't mean you don't use it, it means you don't use it for anything critical.
how hard is this to understand?
hey, we've got something vulnerable, but let's put critical/valuable information on it. What can possibly go wrong?
try to learn about basic security and then get back to me bub. the first step is not the encryption on the device.
Back to your assertion, please provide evidence (Score:1)
Re: (Score:2)
HIPAA? HIPPA has nothing to do with FIPS. way to pull some stuff out your ass there. What's next? OSHA? UL? IBC? CE/EN?
just because you throw a name doesn't mean you have anything to show for it.
Lazy example 1 [zdnet.com] or how about lazy example 2 [infoworld.com].
Now shut the fuck up and stop trolling.
That was first couple results on google. No phone is secure. Storing anything company, corporate, etc is not going to be secure on any mobile device. Duh.
Youtube has nothing to do with how legitimate or not cracking is, if the first r
Re: (Score:1)
Re: (Score:2)
Shocking, people figure out ways around the tightest security when the target is worth it.
Re: (Score:3)
Assume that all security claims are false. It's just that any security hole hasn't been found yet.
There is always a way to hack something running software. Live with it, just make sure that you accept the risks of being overheard and that your address book may be downloaded to some third party that uses it for their own purposes.
As for companies - considering the large amount of phones and crap around anyone that really wants to listen in on secret conversations/information uses more targeted methods. Only
Re: (Score:1)
You don't. (Score:5, Insightful)
So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware?
You don't trust them. Just like you should be doing with desktops/laptops, don't setup services in a way that they allow a phone to ruin your data.
Re:You don't. (Score:5, Informative)
That is the case anyway. At least to some extent.
The problem is elsewhere. Admins upon security advice upload settings which make the device unusable. In that case "reporting compliance" while it is not from the user viewpoint is actually a useful feature.
Example - I have a Nokia E71. I was seriously stupid at some point to configure my company exchange server on it. As a result it started autolocking itself in 2 mins requiring a security code. So far so good, however it autolocked and put screensaver on in applications which _MUST_ run in foreground - GPS navigation and the media player. It also autolocked itself when docked on a car craddle, etc.
After a couple of near misses on the motorway trying to get myself from A-Z or trying to dig out the name someone from contacts I tried to turn it off. Guess what, settings uploaded via these APIs _CANNOT_ be turned off. Even if you wipe out the mail for exchange application, disconnect, etc the settings are either not allowed to be changed any more or come back after a change. At the end I had to factory reset the phone and reset the settings partially from backup to recover the phone to a useable state.
Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.
Similarly, I am not surprised about Apple starting to take away powers away from the security software (and the people who use it). Apple's key selling point is user experience. The way some corporate security people use these APIs sends the user experience into "Mordok, denier of information services" territory. Knowing Apple, they are guaranteed to do something about it and in the land of "i" noone will hear the security people scream.
Re: (Score:3)
The "standard" way of implementing security these days seems to be to try and restrict users as much as possible...
The problem is that doesn't work for a number of reasons, the restrictions are onerous enough to hamper people's ability to do their work which causes them to seek ways to bypass the restrictions and the restrictions are often poorly implemented and therefore easy to bypass.
Incidentally, if your company wants you to read mail when your away from your desk they should supply you with a handset f
Re: (Score:2)
If the company you work for requires that you be able to read your email on your cellphone, they damn well be providing you a cellphone to do it with.
Re: (Score:3)
As was pointed out in the comment I originally replied to, if you allow your phone to interact with an Exchange server, you end up giving the Exchange admins the ability to do a LOT of things to your phone without your knowledge.
Including, erasing everything saved on the phone. [gigaom.com]
I am not willing to give up that level of control.
If I'm on call, or if my employer wants to replace my desk phone with a cellular one to make it easier to reach me, or they want me to be able to read and respond to email from m
Re: (Score:3)
Yup. I could make a killing if I sold an Email app that spoofs whatever is most common in major corps but which silently ignores the security policies.
If employers want to control the phone, they should issue the phone. If they issue it, then they can be sure that it supports whatever features they need. They can reclaim and reissue phones once a quarter to reimage them or whatever for extra security.
The problem is that employers want employees to use their shiny toys to do work off-hours, without paying
Re: (Score:2)
> Admins upon security advice upload settings which make the device unusable. In that case "reporting compliance"
> while it is not from the user viewpoint is actually a useful feature.
There's actually a useful compromise that's so obvious, it completely blows my mind that it appears to have not even occurred to Microsoft -- keep the corporate data on the server, and give the end users Android and iPhone customized RDP clients that connect to a hosted email app on the server (with the ability to launch
Stop thinking of them as phones. (Score:5, Insightful)
What a Phenomenally Stupid Question (Score:5, Insightful)
And you've been doing this for at least the last 30 years...
And NOW you suddenly claim to give a shit about platform integrity?
And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.
What selective, partisan crap.
Re:What a Phenomenally Stupid Question (Score:4, Insightful)
Windows was excluded because neither of the Windows users have reported any problems. Yet.
P.S. Couldn't agree more.
You reap what you sow.
Keeping your eye firmly planted on next quarter's profit margin (and the resulting bonuses) will eventually bite you in the ass.
Re: (Score:2)
WIth an analysis that insightful in it's ability to see through a false, consensus reality, allow me to introduce you to the American political system!
You got the wrong Partisans (Score:5, Insightful)
If you RTFA you discover that the whole second half is boosterism for putting "Trusted Computing" modules inside cell phones. In that light the agnostic condensation of both "jailbroken iThingies" and "that unreliable open source Android thing" makes perfect sense.
This article has nothing to do with exchange boosterism etc, it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.
The article _is_ an attack on reason, but the goal isn't about Exchange etc, its about re-initializing the idea of corporate capture of your personal property and turning your device from a personal resource to a limited media consumption node. The media used this time isn't movies, its "corporate email" etc.
Disclaimer: I would _love_ TPM hardware if there were a law that required that _I_ get the _master_ _keys_ for my hardware when I buy it. This would, of course, allow me to lie to an exchange server if I so chose, and would do _nothing_ to prevent jailbreaks. Of course I would also have to demand that there was no "government key" etc. With those elements in place, a TPM would let my paranoia be soothed when I boot my gear.
So anyway, bitching about how bad exchange software is etc, falls into the hands of the author who is trying to false-flag some emergency to spur on "trusted computing" on the "new platform battlefield".
Re: (Score:2)
I've bought several computers in the last few years and all but one have been absent any TPM. One board from several years back had one, and several I have considered lately had a TPM header, but no actual TPM. My amd64 dual-core has a suspicious connector next to the memory connectors that I think _could_ accept a TPM, but said adapter is blank.
So far "Trusted Computing Modules" are common on HP/Compaq gear, and some Dell stuff, but not so much on any of the pieces-parts you can get hither and yon.
I know,
English_101 EPIC FAIL (Score:2, Insightful)
Because nothing ever becomes a trojan horses for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definiton malware. So long as the general public, and even Slashdot readers, are clueless, then cluelessness will map the security landscape.
Re: (Score:1)
I guess they used the term "Trojan Horse" in its original meaning, which is older than computer technology.
Re: (Score:2)
Re: (Score:2)
The word "let" used to mean to hinder or delay hence why passports say "without let or hindrance".
Incidentally this is also the nuclear argument against people who bitch about using the phrase "begs the question".
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This sums up your ignorance in a nutshell.
Re: (Score:2, Funny)
WTF is a Trojan Horse for Malware?
Well, you see, you leave a gigantic wooden Clydesdale with a firewire port in the parking lot. Some fool is going to plug it in because they want to see what possible use firewire could have in a giant wooden horse. Once they do, you've got access to their systems.
Re: (Score:1)
Because nothing ever becomes a trojan horses for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definiton malware.
More like History 101 epic fail...
It actually makes perfect sense, given the Trojan Horse's meaning. Perhaps you've forgotten what a Trojan Horse actually is given that the name has become so synonymous with malware. A Trojan Horse could mean anything that appears non-threatening to slip behind your security, which in this case is a cell phone, containing malware inside of it.
Re: (Score:2)
Re: (Score:2)
You mean like the ... (Score:1)
Re: (Score:2)
Yes, it was easier for Palm to violate its agreement with the USB-IF and exploit Apple's sync software implemented in iTunes than to actually make the fscing effort to write their own sync software that read the music files and XML that any program has access to, or make user instructions how you could copy files from the music folders.
But I wonder what the old Palm would have said if e.g. Sony had made a device that pretended to be a PalmOS device and talked to their HotSync software...
Re: (Score:2)
Hm, Sony was a bad example, I had forgotten they were an actual licensee... but the point still stands. If your device need sync software you write it, don't piggy-back on someone else's.
Don't ask stupid questions in the first place? (Score:1)
End all computer problems! (Score:2)
Hackers, please stop lying to our computers and telling them you have permission to do things when you know you don't. There. . . . now nobody will get anymore spam or viruses.
I love when people say something "cannot be hacked". I also like the idea of security by requiring the client to tell the truth about what it is and what it can do. If everything would just tell the truth. . . we'd have better security. Sounds like the EA boss saying "To take the market back from Call of Duty, you just have to make a
Ignore stupid policies (Score:3)
If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.
Re: (Score:1)
Why? So nobody could steal my phone and access all the internal spam I get about alcoholic events and recruitment for societies so odd that they apparently don't have the 3 members needed to fill their committee posts.
So instead of using the built in exchange support I use a third party that ignores these. I run a cyanogen based rom that I buil
Re: (Score:1)
If you have so little regard for the rights and privacy of others then do you do not deserve a well paying job. If you cannot handle being responsible with your position in student government, how can anyone trust you with a "real" job in the future?
Re: (Score:1)
Can I suggest if English is not your first language, and you don't understand what you read, you don'
Re: (Score:2)
Why does your university know anything about the phone you have? Why wouldn't you just tell them you have no phone?
Re: (Score:1)
If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.
Ok. Fine. So what is your account number? Publish your account numbers, your SIN, Credit Card numbers with expiry dates, your real name, address and phone numbers. No? But information wants to be free right? If you expect to get paid to work in IT then you should treat the security of other peoples information like you would want your bank to treat your private information.
The ironic thing is that that very people who chant "information is not property" would be the first in line to sue their bank if there
Re: (Score:2)
The ironic thing is that that very people who chant "information is not property" would be the first in line to sue their bank if there was a security breach caused by an employee with a "hacked" phone that was lost and could not be remotely wiped.
I don't understand the contradiction. Information not being property doesn't stop me from signing a contracting binding someone to protect it. Contracts were never limited to the protection of property...
What it does mean is that I can't sue the recipient of such information (the guy who finds the data), even if he shares it with the world, because he wasn't bound to me through any contract not to divulge such information.
In the case of file-sharing, for example, the companies could sue the original sharer
Re: (Score:2)
You're confusing authentication with ownership.
TPM (Score:1)
There's no inherent reason Android devices could not use a verified boot (TPM+remote attestation). This would allow servers to know exactly what firmware image they're talking to, so whilst it wouldn't exactly stop devices lying about their capabilities, it'd allow you to catch devices that were lying once the general class of problem was detected.
The reason phones don't come with TPMs is simply cost and demand. If businesses really care about this, they'll make it clear that a TPM is as important to them a
Re: (Score:2)
If it's an enterprise-provided phone, you can bet your ass it'll be a fireable offense soon enough not to have it with you...
Mandating being a covered area is trickier though.
Re: (Score:2)
Once you have TPM the _last_ thing you have is a free market.
Re: (Score:1)
Re: (Score:2)
...or a secure machine.
TPM is about securing the machine from you. Not for you.
Trustworthiness... (Score:2)
End user devices are not trustworthy, regardless of the type of device a user could modify it to report anything back to an upstream server...
Re: (Score:2)
You can make such modifications prohibitively expensive, however. It is precisely what a hardward TPM chip would do. Hope you have a well-equipped lab and knowledge to operate it...
What To Do... (Score:2)
"Have you ever tried simply turning off the TV, sitting down with your mobile devices, and hitting them?"
Re: (Score:2)
Just don't allow them. (Score:1)
Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way. Personally if I were starting a new company I wouldn't allow anything other than a Blackberry to be used as a smartphone. One of the reasons RIM has been and continues to be successful in the business space is the security of their devices.
If people want their shiny toys they are free to get one on their own dime and use it with their own resources.
Re: (Score:2)
Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way.
Why stop there? Add Rim and Windows to the list as well. I challenge you to find a good business reason for any phone to be connected. When desire is great enough, a business justification will be made.
I need to get email on my phone! The fate of the free world is in the balance!
It's nonsense. Since we're caving in to give folks their wants rather than needs, might as well go all they way and let them use their iPhones & Droids.
Re: (Score:2)
Actually you make a good point. If there ever really is a business need for a connected device though it should be something completely locked down. People are still free to have their own personal device that they pay for; there isn't a need to cave to user demand for features if they don't help give a competetive advantage.
Admins (Score:2)
Better question, what to do about admins that don't test policies on devices they support before deployment?
Re: (Score:2)
That doesn't help when the user jailbreaks it and the new OS doesn't have the same capabilities as the OS you audited.
The solution is to simply issue your own hardware and make employee tampering a terminable offense. I'd fully support that as long as the company provided the device and its plan.
If I get to provide the device, then I get to decide what security policies it implements, and what policies it lies about implementing. Don't like that? Simple, stop sending me email after 5PM...
Enforce choice of auditing (Score:2)
Turn on phone for the first time,
"Which application auditor would you like to choose?"
"Which search engine would you like to use?"
"Which Browser would you like to use?"
Re: (Score:3)
Cue customer of a new phone.
"Ohhh shiny! I wanna use it, I wanna toy with it, I wanna see all the features and all the ... huh? What's an "auditor"? Ah, a list, uh... (thumbs through manual), whatever, this one looks spiffy. Now, where that feature I bought the phone for... huh? Search engine? Get off my back, dammit! I wanna toy with the billion megapixel cam! So, here, now let me... browser?"
Tosses phone onto the counter.
"Here's your crap back, gimme a phone that lets me do stuff!"
And this is why we do no
What happened to lists? (Score:1)
Microware's OS9 from the early 1980s had a table that it checked for each module it loaded into memory. Each library or executable had a CRC that it checked against and then that CRC was checked in a lookup table of stuff to accept or not load. You could load that table with a list of approved memory objects and then only those things would be loaded and run or you could list things to exclude like an old runtime library in which case it would try to find an approved one in the path. This stuff was being
Re: (Score:2)
Only if that whitelist has to change too often. Whitelists can be very valuable when you are dealing with resources that change rarely. Like the modules in the aforementioned example. It's not like the modules you want to load change every time you use the system, or that you might suddenly get to load modules you didn't know about.
Whitelists are useless when it comes to mail addresses and webpages, unless you plan to only communicate with known sources. But when it comes to drivers and OS modules, they are
Re: (Score:2)
So I may trust Blackberry if I trust the governments of the US, Canada, UK, Austria, Australia, Turkey, New Zealand and the NATO.
What if I do not?
Re: (Score:3)
They've been found to meet the specifications of those places. If you don't know those specifications it tells you little.
The legal troubles blackberry has had mostly indicate the one you care about is Canada, as Canada's privacy laws were a problem with the UAE, India and a few other countries. The solution was always for those countries to get blackberry servers/datacenters that they could seize, since the ones in Canada were out of reach. If you truly don't trust Canada's privacy laws, that's your bus
Re: (Score:2)
Just because I agree with some laws of a country does not mean that I trust its government.
For reference, see US constitution and US government.
Depends (Score:2)
Do not trust your devices (Score:3)
"Trusted computing" my ass...
There's nothing to be trusted about anything you did not make yourself. And even if you made something yourself, trusting it is a bit overconfident. Do not trust anything you own to be "secure". It is not. It is as secure as the company that made it thinks is necessary.
Now, you know how security conscious the average person is, right?
Why do you think security would be high up on the priority scale of the company making it if it is no selling point AT ALL?
Do not trust anything you did not audit. If you cannot audit it yourself, have someone you trust audit it. Yes, at some point in that chain you will have to trust someone, especially if you do not have the knowledge and experience to do such an audit yourself.
But for $deity's sake, do NOT trust the maker of a device to be security conscious. They make a device with the bare minimum required to sell it. That means it will have all the features the customer will request. And as stated above, security is a feature that is rarely, if ever, requested!
The user is the weakest link (Score:1)
If one of your end users jailbreaks their company supplied iPhone, fire them. If the company paid for the phone and pays for the phone service then it is the property of the company, not the end user.
If you officially allow employee iPhones to be used on the company exchange, ensure that it supports full device encryption before you enrol it on the network (iPhone 3GS or newer). Then periodically perform random audits of those phones to check to see if they are jailbroken. If they are, perform a remote wipe
You can't (Score:2)
Frankly (feel free to flame) it appears to me that the virus/trojan/botnet programmers/scammers are far more intelligent than the majority of security professionals working the other side of the fence.
Re: (Score:2)
No. It's just an instance of that old military truism: in the battle between warhead and armor, the warhead always wins. The defender's job is always harder than that of the attacker. The defender needs to plug every possible hole while the attacker just needs to find only one that can be exploited, and once that happens, the game is over. The security professionals may be much smarter than the malware writers and black hats, but sadly, because their job is much harder, they aren't anywhere sufficiently
Lie??? (Score:1)