Original author: Caleb Barlow


Mobile phone image copyright Oleksiy Mark

When it comes to mobile computing, many organizations either cringe at the fear of security risks or rejoice in the business potential. On one hand, mobile is revolutionizing business operations — improving operational efficiency, enhancing productivity, empowering employees and delivering an engaging user experience. On the other hand, sensitive data that used to be housed in a controlled environment of a company desktop or even laptop is now sitting in an employee’s back pocket or purse.

In today’s ultra-connected world, it can seem like threats are all around us. High-profile breaches and attacks from hacker groups have organizations of all sizes — from multinational enterprises to mom-and-pop shops — doubling down on security and making sure there aren’t any cracks in their defenses. Mobile security doesn’t have to be the Achilles’ heel that leads to a breach. New, innovative solutions for securing mobile devices at the application level are rapidly hitting the market and the latest IBM X-Force report indicates that by 2014, mobile computing will be more secure than traditional desktops. Phones, tablets and other devices are a staple of the 21st century workplace and in order to fully embrace this technology, businesses must be certain they’re well protected and secure.

Do You Know Where Your Data Is?

Tackling mobile security can seem like a daunting task. The IBM X-Force report also indicates a 19 percent increase in the number of exploits publicly released that can be used to target mobile devices. Making the task more challenging is the fact that — especially in the case of BYOD — the line between professional and personal data is more blurred on mobile platforms than anywhere before. According to Gartner, by 2014, 90 percent of organizations will support corporate applications on personal devices. This means that devices being used to connect with enterprise networks or create sensitive company data are also being used for social networking and to download mobile apps, leaving organizations with the predicament of how to manage, secure and patrol those devices. From the point of view of a hacker, a mobile device becomes an ideal target as it has access to the enterprise data as well as personal data that can be used to mount future attacks against your friends and colleagues.

Mobile apps are a great example of why mobile security tends to raise concerns among security professionals and business leaders. Employees install personal apps onto the same devices they use to access their enterprise data, but are not always careful or discriminating about the security of those apps — whether they are the real version or a manipulated version that will attempt to steal corporate data. According to a recent report by Arxan Technologies, more than 90 percent of the top 100 mobile apps have been hacked in some capacity. Some free mobile apps even demand access to an employee’s contact list in order to function correctly. Just pause and think about that for a second. Would you give your entire contact list to a complete stranger? That’s effectively what you are doing when you install many of these popular applications. If an organization takes a step back and really considers what employees are agreeing to, willingly or not, the results can be troublesome. So the challenge remains — how to get employees to recognize and understand just how vulnerable their mobile device can be to an enterprise.

Mitigating Mobile Risks: Why it’s easier than you think

Mobile app security and device management do not have to be a company’s security downfall. By employing intelligent security solutions that adapt to the requirements of a specific context, businesses can mitigate operational risk and unleash the full potential of mobility.

The key to mitigating security risks when it comes to mobile devices accessing enterprise data is access control. This may include passcode locks, data protection and malware and virus prevention. With that said, IT security priorities should focus on practices, policies and procedures, such as:

  • Risk analysis: Organizations must understand what enterprise data is on employee devices, how it could be compromised and the potential impact of the compromise (i.e. What does it cost? What happens if the device is lost? Is the data incidental or crucial to business?).
  • Securing the application: In the pre-mobile, personal computer era, simply securing the device and the user were sufficient. When it comes to mobile devices, we also need to think about securing the application itself. As a typical application is downloaded from a store, the end user really has no idea who built the application, what it actually does with your data or how secure it is. Corporate applications with sensitive data need to be secure in their own right.
  • Secure mobile access — authentication: Since mobile devices are shared, it’s important to authenticate both the user and the device before granting access and to look at the context of the user requesting access based on factors like time, network, location, device characteristics, role, etc. If the context appears to be out of line with normal behavior, appropriate countermeasures can be taken.
  • Encryption: Simply put, if the data is sensitive it needs to be encrypted both while at rest as well as while in motion on the network.
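The "authenticate the user and the device, then weigh the context" idea in the list above can be made concrete as a small policy evaluator. The following is an added illustration written for this page, not IBM's code or any product's scoring scheme: the baseline fields, the deviation weights, the device-posture hard rule and the sample requests are all assumptions made up for the example. It returns one of allow, step_up (require a second factor) or deny, together with the reasons, which is what an access log or SIEM rule would want to see.

```python
"""Context-aware access decision for mobile clients (illustrative policy, all values assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserBaseline:
    """What 'normal' looks like for one user: registered devices and usual context."""
    user: str
    role: str
    known_devices: frozenset
    usual_networks: frozenset
    usual_countries: frozenset
    usual_hours: range            # local hours during which access is normal


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    passcode_enabled: bool        # device posture as reported by an MDM agent (assumed)
    storage_encrypted: bool
    network: str
    country: str
    hour: int                     # local hour of the request, 0-23
    resource_sensitivity: str     # "low" or "high"


# Weights are assumptions for this example, not a vendor scoring scheme.
WEIGHTS = {
    "unregistered_device": 3,
    "no_passcode": 3,
    "unencrypted_storage": 2,
    "unusual_country": 2,
    "unusual_network": 1,
    "unusual_hour": 1,
}


def context_deviations(req: AccessRequest, base: UserBaseline) -> list:
    """List the ways this request departs from the user's baseline (order is fixed)."""
    found = []
    if req.device_id not in base.known_devices:
        found.append("unregistered_device")
    if not req.passcode_enabled:
        found.append("no_passcode")
    if not req.storage_encrypted:
        found.append("unencrypted_storage")
    if req.country not in base.usual_countries:
        found.append("unusual_country")
    if req.network not in base.usual_networks:
        found.append("unusual_network")
    if req.hour not in base.usual_hours:
        found.append("unusual_hour")
    return found


def decide(req: AccessRequest, base: UserBaseline) -> tuple:
    """Map deviations to ('allow' | 'step_up' | 'deny', reasons)."""
    if req.user != base.user:
        return "deny", ["baseline_mismatch"]
    deviations = context_deviations(req, base)
    # Hard rule: sensitive data never reaches a device that fails basic posture
    # (no passcode lock or no storage encryption), regardless of the score.
    if req.resource_sensitivity == "high" and (
        "no_passcode" in deviations or "unencrypted_storage" in deviations
    ):
        return "deny", deviations
    risk = sum(WEIGHTS[d] for d in deviations)
    if risk >= 5:
        return "deny", deviations
    if risk >= 2:
        return "step_up", deviations
    return "allow", deviations


# Constructed baseline and sample requests (not real users, devices or networks).
ALICE = UserBaseline(
    user="alice", role="finance",
    known_devices=frozenset({"phone-1"}),
    usual_networks=frozenset({"corp-wifi", "corp-vpn"}),
    usual_countries=frozenset({"US"}),
    usual_hours=range(7, 20),
)

SAMPLE_REQUESTS = {
    "office_hours_known_phone": AccessRequest("alice", "phone-1", True, True, "corp-wifi", "US", 10, "high"),
    "hotel_wifi_evening": AccessRequest("alice", "phone-1", True, True, "hotel-wifi", "US", 21, "high"),
    "new_tablet_abroad": AccessRequest("alice", "tablet-9", True, True, "corp-vpn", "BR", 10, "low"),
    "no_passcode_low_value": AccessRequest("alice", "phone-1", False, True, "corp-wifi", "US", 10, "low"),
    "no_passcode_high_value": AccessRequest("alice", "phone-1", False, True, "corp-wifi", "US", 10, "high"),
}


def evaluate_samples() -> dict:
    """Decision per sample request; useful as a policy regression check."""
    return {name: decide(req, ALICE)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, decide(req, ALICE))
```

Two design points matter more than the exact weights. First, posture failures on sensitive resources are a hard deny rather than a score contribution, so a high-value app cannot be reached from an unlocked, unencrypted device no matter how familiar the rest of the context looks. Second, the reasons list is returned alongside the decision so that every step-up or deny is explainable in the audit log; a bare "deny" with no reason is nearly useless to the analyst who has to tune the policy later.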

Once an enterprise has defined its security policy — establishing set policies/procedures regarding content that is allowed to be accessed on devices, how it’s accessed and how the organization will handle lost/stolen devices that may contain business data — mobile technology solutions can help ensure that no opening is left unguarded.

So if security concerns are holding you back from “going mobile,” rest assured — there are many companies that have embraced trends like “Bring Your Own Device” without sending their Chief Security Officers into a panic. As long as organizations take the right steps and continually revisit their security posture to ensure that every endpoint is secured and that the proper technology is in place, it really is possible to be confident about your mobile security strategy.

Caleb Barlow is part of the executive team in IBM’s Security division. He manages three portfolios — Application Security, Data Security and Mobile Security. In addition to his day job, Caleb also hosts a popular Internet Radio show focused on IT Security with an audience averaging over 20k listeners per show.



(Image: Lulzsec by DeviantArt user BiOzZ)



I joined The Madeleine Brand Show today for a radio discussion about the latest LulzSec hijinks, and related hacking news. Listen here.

Here's an overview published by the rogue security prankster group of their attacks so far. One day, it's PBS and porno sites and the FBI. The next, it's the US Senate, and Bethesda Software. Earlier today, Eve Online, Escapist Magazine and Minecraft. The targets seem so diverse, so random—following their Twitter account is like watching a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhea.

Yesterday, they opened an apparently-untraceable phone switchboard, and invited incoming calls. Jacob Margolis of The Madeleine Brand Show got through, and you'll hear what transpired in the radio segment above. Here's their current outgoing phone message (MP3 Audio), if you call 614-LULZ-SEC and can't get through.

So who are these guys? I don't know. None of the security experts I've spoken to know either. But a few theories are floating around.

I reached out to Joe Menn, FT writer and author of the cybercrime book "Fatal System Error." He wonders if LulzSec might be a sort of "elite escape pod" that broke off from Anonymous. There is some evidence that various factions of Anonymous became unhappy with the trend toward politics and righteous actions (going after Iran one day, Ben Bernanke and the Federal Reserve bank the next). Other factions of Anonymous were drifting toward more conventional cybercrime, exploring ways to make money from attacks.

But the people who became LulzSec, the theory goes, really were just "in it for the lulz." They wanted to improve the state of security and have fun by pulling everyone's pants down, and go back to the spirit and fun of earlier 4chan days.

"They certainly do not appear to be in it for the dollars," said Joe.

And no, the Bitcoins they've solicited over Twitter for beer don't count.


Menn and others I spoke to emphasized that nobody appears to have done deep enough reporting to say definitively who LulzSec is, or where their origins lie. Presumably, a number of FBI agents are tasked with figuring that out, at this very moment.

LulzSec's behavior patterns suggest they're smaller than Anonymous, and therefore less vulnerable to the chaos and internal politics endemic to larger, widely-distributed, more-or-less leaderless groups.

Security consultant and writer Rich Mogull (Twitter) agreed the brazenness of their actions suggests they're a close-knit group that is careful about how they operate. A tight core of technically skilled hackers (and these guys clearly have skills) can hide effectively. They may be people involved with, or on the edges of, the security industry.

"If they don't recruit and stick to being careful, they can probably have a good run," Rich told us over email.

Another interesting phenomenon to watch, and one which may eventually lead to some uncloaking: Anonymous, LulzSec, and various other entities keep trying to "dox" each other. "Doxing," as Joe Menn explains, means pulling together documents saying this is so-and-so's real IP address, here's their social security number... here's the school where Sony exec Howard Stringer's kids go. Right now, there are security groups trying to dox LulzSec, and LulzSec is trying to dox them back. This is how the HBGary scandal was unspooled, and conceivably, something like this could also do LulzSec in.

As noted before on Boing Boing, some security professionals are quietly cheering LulzSec on. Patrick Gray of the Risky Business Podcast wrote a widely-circulated piece: "Why we secretly love @LulzSec." Bottom line: Apart from bringing back Tupac and Biggie and the eating of childrenz, and spawning weird internet art, LulzSec is causing governments and large companies to take I.T. security seriously. Well, at least for as long as the excitement around LulzSec lasts. But still, this is something that more sober security consultants, using less lulzy tactics, have failed to do despite much earnest, hard work.

And a lot of what LulzSec does is funny enough stuff. They demand that TV reporters put a shoe on their head, /b/-style, in exchange for interview access. The @lulzSec Twitter account is a thing of beauty, with unexpected surrealist interludes popping up between the breach brags:

  • "You are a peon and our Freemason lizard rebellion will propel us towards binary stars of yore, you sweaty caterpillar farm."
  • "You can't silence the Illuminati lizards that inject into the human psyche via the funfunfun override exploit to gain root access to humans."
  • "Our quest for world domination through the reality bot(man)net only manifests itself further through carefully-immersed subliminal tweets."
  • "Mankind should tremble as the SSH key to your neuron load balancers are used as a pathway to the chemical exhilaration of entertainment."

It's poetry in the grand tradition of prankster hacking. But the stakes are high. When you go after the FBI, as they did last week, and then, and who knows what's next—you're gonna draw heat.

Among their growing fanbase are gamers angry at Sony for being so sloppy with security, and people who just enjoy watching little-guy pranksters take on big, powerful entities that don't understand the internet well enough (or care enough about their users' privacy) to be more secure.

Watching the spectacle unfold, tweet after breach after ASCII art upload, feels like cheering on the Barefoot Bandit, Bonnie and Clyde, or Jesse James.

Everyone loves an outlaw. But eventually, outlaws tend to get caught.
