::Trend Micro Threat Resource Center::

29 April 2011

Mobile Security: Camelot And The Wild West

The only secure device is one that is not connected to a network. However, this more or less defeats the purpose of mobile devices. Especially with the onset of social media and cloud computing, users are no longer just browsing the internet. As mobile devices become the primary platform for users, they will also become the primary focus of hackers' attention.

Just last month, Google pushed the "Android Market Security Tool" onto at least 256,000 infected devices to remove apps carrying the DroidDream malware, which was first reported by Android Police. DroidDream was published within seemingly legitimate apps on the Android Marketplace which, once installed on Android versions prior to 2.2.2, could obtain personal information as well as download additional code to run. The 58 apps infected with the malware were removed from the marketplace within minutes.

As with desktops, mobile malware can come in the form of anything from fake antivirus to "phishing" apps (apps posing as trusted banks or businesses), and it can be contracted through messages, app marketplaces, third-party marketplaces, and yes, even through the web browser. And this isn't just the case for Android. Even the iPhone has its own bout of security issues. Why, then, is there so much hype regarding Android security?

The iPhone and Android exist in different worlds. The first is like Camelot, the second like the Wild West. On the iPhone platform, the operating system itself is tightly controlled and the App Store has strict regulations and screening. iOS users are looked after and protected by the "castle guards" at Apple. Exploits for the iPhone are a risk only to the very careless and to those who install third-party applications. The OS offers various encryption features, and known security holes in the OS are fixed, with the fixes made available so users can easily upgrade when syncing with their computer.

The Android platform is open source and there is little marketplace oversight. Users must look out for themselves, and the unguarded are vulnerable to exploitation. There remains no built-in encryption available to apps, hence Skype's recent upgrade. That said, the lack of cooperation between carriers and Google to provide updates for the OS only compounds the issue, as this article discusses. Google has made security patches to its OS, but carriers have been unwilling to push the upgrades to their phones.

Users and enterprises alike should realize the vast differences between the Android and iPhone environments. Be sure to confirm the authenticity of an app before installing, browse only trustworthy sites, and, as much as possible, keep devices upgraded.

23 April 2011

Newest iOS Update Jailbroken Already

Less than a week after Apple released the newest version of its mobile operating system, iOS, the iPhone Dev Team has released its updated client for jailbreaking. Called redsn0w, this client allows iPhone users to install third-party apps without the use of iTunes or the Apple approval process. For a lot of people, this is a very tempting offer even in the face of potentially voiding the warranty. As of the writing of this article, only the iPad 2 remains impervious to redsn0w.

In their blog, the iPhone Dev Team announced the release of redsn0w 0.9.6rc14 on Tuesday, merely five days after Apple released iOS 4.3.2 for its devices. The update could come so soon after the official release because there was no patch for the vulnerability that allowed the last version of iOS to be unlocked. Earlier this week, the iPhone 4 could only be jailbroken in a 'tethered' way. This meant that every time the device was rebooted, it would have to be connected to the user's Mac before it would work again. Obviously this is not the ideal situation for a mobile device, but that issue has since been rectified. Anyone who used this 'tethered' jailbreak can download the new client and simply patch their current install to the 'untethered' version.

I am not trying to justify jailbreaking. There are reasons why people do it and there are reasons why Apple doesn't want them to, but in the end the decision lies with the user. The iPhone Dev Team strives to make the process as easy as possible for those willing to break out of Apple's so-called 'walled garden' and install unverified apps. And they do make it look easy by exploiting vulnerabilities in the mobile OS created by a company that prides itself on its security.

10 April 2011

Epsilon Email Breach Should Heighten Everyone's Awareness

It's unfortunate, but the largest email security breach has taken place this past week. Epsilon, an online marketing corporation that sends out over 40 billion emails a year, had its list of email addresses stolen by sophisticated cyber thieves. Epsilon handled the email campaigns of some of the largest corporations in the country: Best Buy, Walgreens, JPMorgan Chase, Capital One, and more. The breach has put many internet users on heightened alert, and for good reason.

Many have stated that the breach didn't cause a whole lot of damage, as all the cyber thieves stole was a list of email addresses. However, with these addresses they can conduct one of the largest phishing attacks we've ever seen.

In an interview with a local news affiliate, Steve J. Bernas, president & CEO of the Better Business Bureau serving Chicago & Northern Illinois, gave this advice to users everywhere: "It's fairly common for identity thieves to impersonate credible organizations with what appears to be legitimate email messages seeking to verify account information." He continued, "Along with attempting to get personal information, phishing attacks are often the source of potentially harmful computer viruses."

With so many of our email addresses floating out in the open, we have a stark reminder of how to keep our information safe. The first and most obvious tip is to never provide account numbers or your social security number over email. No valid company will ever require you to send important information like that over email.

With the size and scope that Epsilon's client base covered, all sorts of businesses were affected. According to this report, Epsilon handled over 2,500 clients. With such a large number, phishing attacks could come from all sorts of different directions.

Epsilon has responded to the security breach, apologizing to all of those affected: "We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers," continuing, "We take consumer privacy very seriously and work diligently to protect customer information."

While having a list of emails won't directly cause harm, it should put all of us at a greater level of awareness. Phishing attacks are more effective than a lot of people give them credit for. The only way to limit their effectiveness is to stay aware, and educate those around us on how to keep safe.

01 April 2011

Keep Your Portable Devices Encrypted

When you're sitting at home or at the office, most physical threats are avoided. To keep people from accessing your computer, simply lock your office door or put your computer to sleep. Unfortunately, most of the steps taken for desktop security aren't afforded to portable devices. They're easily stolen or misplaced, which can lead to sensitive data being leaked.

Just ask BP, who had an employee lose their laptop while on a business trip. The story is of particular note because the laptop stored personal data, with information such as social security numbers and dates of birth. The information belonged to 13,000 people who submitted claims against the company over the oil spill.

The story shows how vulnerable portable devices are when being transported on long trips, or even short ones. According to a recent study, 30 of 144 data breaches announced occurred on portable devices.

These breaches can be avoided if encryption software is used on the device. The problem is that many companies don't want to invest in the tools. This presents a problem that bothers Avivah Litan, an analyst for Gartner Inc.: "There really is no excuse for not encrypting laptops."

Litan makes the argument that the cost of protection is worth it, and enterprises can find worthwhile discounts. Volume prices can drop to as little as $15 per laptop. She accuses businesses that know about data encryption but refuse to use it of being lazy.

Reports of data loss on portable devices will continue to rise if people and businesses continue to refuse the encryption option. The practice might increase cost, but the consequences of certain data leaks have to make it worth the investment.