ALTERNATE DATA STREAMS

The main alternative to scanning for and manually removing Alternate Data Streams is to use a third-party file checksum application, which keeps a record of the checksums of all files on the system and detects any change made by an unauthorised Alternate Data Stream.

Conclusion

Adequate protection against the improper use of Alternate Data Streams can be provided by freeware tools that identify their presence on an NTFS file system and alert the administrator. However, the most effective way to monitor a file system for changes is to keep a database of file checksums, which can be used to track any changes to the file system and efficiently locate any rogue streams. The fact that Alternate Data Streams remain relatively unknown even to the most experienced Windows system administrator makes them a real threat. However, with the application of good security practice the threat can be minimized.
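The checksum-database approach recommended above, as an added example that is not part of the article or its author's work: it snapshots every NTFS stream of every file under a folder, including named streams, and diffs two snapshots so that a newly planted or modified Alternate Data Stream stands out. Function names and the paths in the usage comment are placeholders chosen for this illustration.

```powershell
# Added example, not from the article: build and compare a checksum database that
# covers every NTFS stream of every file, so a new or changed Alternate Data Stream
# shows up as a diff. Needs Windows PowerShell 3.0+ or PowerShell 7 on an NTFS volume.

function Get-StreamSha256 {
    # SHA-256 of one stream of a file. ':$DATA' is the unnamed (ordinary) content stream;
    # anything else is an Alternate Data Stream.
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    if ($null -eq $bytes) { $bytes = New-Object byte[] 0 }   # zero-length stream
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ([System.BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function New-StreamBaseline {
    # Snapshot: hashtable keyed "fullpath|streamname" -> SHA-256 hex string.
    param([string]$Root)
    $baseline = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        # -Stream * lists the unnamed stream plus every named ADS on the file.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue | ForEach-Object {
            $key = '{0}|{1}' -f $_.FileName, $_.Stream
            $baseline[$key] = Get-StreamSha256 -Path $_.FileName -Stream $_.Stream
        }
    }
    return $baseline
}

function Compare-StreamBaseline {
    # Report streams that appeared, disappeared or changed between two snapshots.
    param([hashtable]$Old, [hashtable]$New)
    foreach ($key in $New.Keys) {
        $path, $stream = $key -split '\|', 2
        if (-not $Old.ContainsKey($key)) {
            # A new named stream on an existing file is the case the article warns about.
            # Zone.Identifier is the common benign one: browsers add it to downloaded files.
            $kind = if ($stream -eq ':$DATA') { 'NEW FILE' } else { 'NEW STREAM' }
            [pscustomobject]@{ Change = $kind; Path = $path; Stream = $stream }
        } elseif ($Old[$key] -ne $New[$key]) {
            [pscustomobject]@{ Change = 'MODIFIED'; Path = $path; Stream = $stream }
        }
    }
    foreach ($key in $Old.Keys) {
        if (-not $New.ContainsKey($key)) {
            $path, $stream = $key -split '\|', 2
            [pscustomobject]@{ Change = 'REMOVED'; Path = $path; Stream = $stream }
        }
    }
}

# Usage (paths are placeholders): take the baseline once, keep it somewhere the
# monitored users cannot write to, and re-run the comparison on a schedule.
#   $b0 = New-StreamBaseline -Root 'C:\Data'
#   $b0 | Export-Clixml -Path 'D:\Baselines\data-streams.xml'
#   ...later...
#   $b0 = Import-Clixml -Path 'D:\Baselines\data-streams.xml'
#   Compare-StreamBaseline -Old $b0 -New (New-StreamBaseline -Root 'C:\Data') | Format-Table -AutoSize
```

Hashing the unnamed stream as well means ordinary content tampering is caught by the same run, so one baseline serves as both a file-integrity check and an ADS detector.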
About the author

Mike Broomfield is a security consultant with over five years' security-related experience. After graduating with a degree in Computer Networking and Web Development, he worked in a variety of roles (technical support, developer, consultant) before joining the security research and consulting company NGS Software.
MOBILE DEVICES

Securing mobile devices: technology and attitude

Steven Furnell, Network Research Group, University of Plymouth

Network Security, August 2006

The existence of mobile devices can undermine an organization’s perimeter protection model, as employees carry sensitive data into uncontrolled environments. When they return, their devices can carry threats into the network – bypassing firewalls and other controls.

Security demands of mobile devices

Recent years have witnessed a proliferation of mobile devices, driven by both personal ownership and corporate deployment. As a consequence individuals are routinely carrying valuable hardware and (often more significantly) data assets with them wherever they go. When considering security in a mobile context, we need to recognise all manner of devices – including phones, PDAs, MP3 players, USB keys, digital cameras, and portable hard disks. Indeed, different devices can pose varying levels of threat in terms of their potential to divulge company information, or to be used as a vehicle for stealing it. However, for the purposes of this discussion, the majority of focus will be given to mobile phones and PDAs, which introduce the added dimensions of processing and communication capabilities in addition to storage.

Unwise moves

Mobile devices introduce a myriad of security issues, but it is by no means certain that these have received sufficient recognition amongst much of the user community. For example, while organizations will frequently make great efforts to enforce security on their desktop PCs and laptops, they often leave the responsibility for securing handheld devices to end-users. However, such devices actually present a security dilemma – on one hand, having protection is far more important as they are far more exposed and vulnerable than PCs residing within the protection of an office, whereas on the other, security options are typically restricted and people are less likely to use the measures available. Indeed, to properly illustrate the special case that mobile devices represent, we need to consider a number of factors, which will be the focus of subsequent sections:

· the nature of the devices themselves and their potential to hold sensitive information;
· the potential threats to the device, and the risks that the devices themselves introduce;
· the level of security available and likely to be in use.

Doing so reveals that, in many ways, we are failing to carry over lessons learnt in the desktop domain to the mobile environment. Thus rather than building upon earlier experiences it looks like many of the arguments for security are having to be made all over again. It is therefore interesting to consider the extent to which organizations and end-users realise what they are dealing with when it comes to the security aspects of using mobile devices.

The value of a mobile asset is very much linked to what the device is used for and what it can enable access to. One of the fundamental changes when one looks at PDAs and mobile phones is that many now come equipped with fully-fledged, user programmable operating systems, combined with processing and memory capabilities that are comparable to PCs of around six years ago (and these were hardly free from security concerns!). In addition, from a networking perspective, they can support always-on connectivity and the ability to access networks at multiple levels (e.g. 3G / GSM, Wireless LAN and Bluetooth – collectively supporting wide, local and personal area networking). Although this can have clear advantages for the user, it also means that the devices naturally inherit the risks associated with each environment, with WLAN security having been a particular problem in many of the deployments to date.

In addition to the connectivity options, PDAs and smartphones are increasingly equipped with applications that are geared to storing sensitive data (e.g. on the Windows Mobile platform, devices run Word Mobile and Excel Mobile) in addition to the more standard contacts, tasks and scheduling utilities that even the most basic handsets can be expected to include. Such applications invite more significant usage and could certainly act as a catalyst for a greater volume of work-related data to be created on the device, or transferred to it in order to enable access on the move.

Leading on from the above, it is not surprising to discover that devices are increasingly holding a range of data that ideally requires protection. Evidence of this is easy to find, with a recent iAnywhere survey of 104 IT professionals reporting that 78% had sensitive information (such as emails and passwords) stored on their mobile devices, but only 62% of them were using techniques such as encryption, passwords or PINs to protect it.(1) Meanwhile, a Pointsec survey of 248 IT professionals determined that users are routinely storing sensitive data on mobile storage devices, with 56% of respondents admitting to storing corporate information (e.g. contracts, proposals and other business documents), 22% holding customer names and addresses, and 3% storing passwords and bank account numbers. The accompanying use of security in this survey was significantly less, with only 21% making use of protection such as passwords or encryption.(2)

Having established that mobile devices can indeed be valuable assets, it is worth considering some of the consequent risks, and the extent to which these are recognised by the organizations and individuals that use the technologies.
Recognising the risks

There is evidence to suggest that although organizations are readily deploying mobile technologies, there is varying appreciation of the risks involved. For example, results from the latest Audit Commission survey of ICT Fraud and Abuse(3) reveal that while PDAs are already used by 63% of respondents (with a further 12% planning to use them), only 41% considered them to be a high risk. Meanwhile, the 2005 Global Information Security Survey from Ernst & Young asked respondents to identify the new technologies that they considered to be the most significant security concerns, with results based upon responses from executives from over 1,300 organizations in 55 countries.(4)
The top category was ‘Mobile computing’, which was identified as a significant concern by 53% of respondents – placing it ahead of a variety of other issues, including the somewhat related areas of ‘Removable media’ (49%) and ‘Wireless networks’ (48%), and other technologies such as ‘VOIP telephony’ (21%), ‘Open source’ (10%), and ‘Server virtualization’ (8%). However, identifying the problem and actually doing something about it are different things, and while 50% of respondents indicated that they were planning to address their concerns with mobile computing immediately, 26% said they would do so in 6-12 months, and 14% indicated that it would take more than a year if indeed they did anything at all (note that the results in relation to removable media were even less convincing, with 43%, 32% and 25% respectively).

The very nature of the devices – small and portable – makes them susceptible to risks of loss and theft, and depending upon where you look, the extent of the resulting problem can be quite astonishing. For example, the iAnywhere survey that was cited earlier discovered that 57% of respondents had accidentally left mobile devices on subway systems and trains. Luckily, 49% of people claimed to have got their device back after it was lost or stolen – but more significant from a security perspective are the other half who were less fortunate. In this situation, some devices are better for safeguarding data than others. For example, whereas Blackberry devices offer the capability to remotely wipe the device if it goes missing, a Windows Mobile user has little option but to hope that they had enabled sufficient authentication to keep an attacker out.
Mobile malware

From the technical perspective, one of the growing areas of concern is the emergence of malware (e.g. worms, viruses and Trojan horses) on mobile platforms. Given our experience in the desktop domain, the emergence of malicious code to target mobile devices was almost inevitable as the devices became more advanced. Indeed, malware can be considered to be the principal threat that is invited by the programmable environments of smartphones and PDAs – although it should be noted that the problem is by no means restricted to these high-end devices, with Trojan code also having emerged that targets the more widely deployed J2ME environment.(5) After much debate about whether it would become a genuine threat to mobile devices (with many arguing that the potential was being exaggerated by prophets of doom and the commercial interests of antivirus companies), it is now an undeniable reality that users increasingly need to be aware of. Although it is by no means emerging with the same ferocity as on the PC platform, there is now an established level of activity that goes beyond the mere ‘proof-of-concept’ releases of a few years ago. For example, by the end of February 2006, F-Secure’s virus lab had detected 169 mobile viruses,(6) with a further thirteen samples being analysed in March.(7) This is, of course, nowhere near the hundreds that regularly appear each month on desktop systems, but it is a sign of attackers’ increasing interest in mobile platforms. As such, although there may not be a widespread need for antivirus software on handsets now, there will be in the relatively near future. Consequently, it is not helpful for people to live in denial and pretend that it is not happening.
Device-level demands

As a consequence of the threat, many of the major antivirus vendors now have offerings for devices, enterprises, and network carriers, thus enabling protection to be instigated at several levels. However, although the latter option exists, we cannot realistically expect to rely upon the shield of the network operator, given the other (non-cellular) forms of wireless connectivity. Unfortunately, having the protection at the device level introduces the requirement for the user to keep it up to date (in the same manner as we are now used to doing on traditional PCs), and updating antivirus software is an example of where a model that works in the fixed network may not be so attractive for mobile users. While updating AV signatures over a LAN, ADSL or even dial-up link is unlikely to be a problem, receiving signature updates via GPRS has the potential to hit users with a triple whammy, with impacts in terms of cost, battery, and bandwidth. The cost aspect comes from the fact that most mobile data charging models still bill according to the volume of data sent and received rather than a flat fee, so signature downloads will either cost money directly or eat into monthly inclusive allowances. Meanwhile, the communication itself will deplete battery life and reduce the available bandwidth. Although the latter will not necessarily have much of an impact on an individual device, e.g. McAfee claim that their VirusScan Mobile product is designed to “never have more than a 200 milli-second impact on most end user operations”,(8) it could still impact the relatively limited resources of the network if concurrent updates are being conducted by many users within a cell/coverage area.
Business vs. personal use

A more subtle risk factor from an employer’s perspective is the lack of control that they may have over the use of mobile technologies. Mobile devices are produced and marketed for both business and personal use, and a private individual can go out and purchase from exactly the same range of devices that are available to employers. As such, even if a company does not provide technologies like smartphones or PDAs to its workforce directly, this does not preclude the possibility of employees using their own devices for work-related purposes. From the business perspective, this leads to the obvious risk of work data being held without the normal level of security that the organization would expect to apply, on a device that it did not provide and therefore does not have a right to configure. Meanwhile, from the user perspective, there will be a temptation to ignore distinctions between business and private life and simply use the device as a personal tool. As such, regardless of who purchased it, it is almost unavoidable that work-related artefacts will exist on personal devices (e.g. in the form of tasks, schedule and contacts) and vice versa.

From the individual perspective, such usage makes clear sense – users encounter the devices outside the workplace, but can see the benefit of using them to support their business lives. As such, taking the line of banning them entirely could work against the interests of the business, because users will be denied the opportunity to use them for a valid purpose. Indeed, it ought to be recognised that, sooner or later, many businesses will explicitly realise the potential benefits for themselves and therefore want their employees to use mobile devices - so forward-thinking organizations would do better to face the issue now than try to dodge it. Equally, however, it is impractical to expect a physical separation of personal and company devices to be viable. If you expect an employee to use a PDA for work, and they have a desire to use such a device on a personal level, then is it realistic to expect them to lumber around carrying two devices? Probably not, because employees will look for ways to make their lives easier by getting everything onto just one of them if possible.

Having said this, the use of personal devices can present genuine difficulties. For example, it becomes hard for the organization to deploy software solutions (e.g. antivirus) to devices in this scenario, as users’ personal ownership may span all manner of devices and OS versions. As such, even if they wanted to take a lead in encouraging protection, the organization would find it difficult to offer support for all the options required. Meanwhile, even if they do not actively store company data on it, a lost or stolen personal device could still reveal the user’s private interests and activities alongside their association with their employer – a combination that, in itself, could still be sensitive in some scenarios. For example, simply to know that a user works for XYZ organization and regularly surfs for porn could still have repercussions for XYZ’s reputation if disclosed. The above observations suggest that there are plenty of reasons why security ought to be considered.
With this in mind, it is worth examining some of the challenges that users may face if they want to make use of the features available to them.
What can users use?

One key issue is how easily the user-oriented features can be accessed. Looking at the user interfaces of some mobile operating systems it quickly becomes apparent that security-related features are fractured across various menus and settings. Given the relatively limited set of security options that are offered at present, it ought to be feasible to have a ‘one-stop’ security centre and grant access to them all from one place (while also retaining access to individual features from within other menus as appropriate). A good example of the problem is demonstrated by the configuration of user authentication within Windows Mobile on a smartphone, when dealing with the separate options that can be configured to protect the device and the SIM. Although both options are accessible via the ‘Settings’ menu item, the PIN/password for the device is set via the ‘Password’ icon, while the PIN for the SIM is set via an option under the ‘Phone’ icon.

User authentication is actually a case in point for further ease of use issues, and there is significant evidence to show that users encounter problems with the predominant PIN-based method. Indeed, a survey conducted amongst almost 300 mobile phone users by the University of Plymouth revealed that a third of users do not use PIN protection at all, with a similar proportion citing the inconvenience of the method as their reason.(9) Even those who do make use of it do not necessarily do so properly, with 45% of respondents retaining a default PIN, and 42% having only changed it once (after the original purchase). The potential difficulty of the method is further illustrated by the fact that 38% had experienced the need to obtain a Personal Unblocking Key (PUK) code in order to unlock their phone having entered the PIN incorrectly too many times. Finally, although not specifically addressed by the survey, anecdotal evidence would suggest that relatively few users actually make use of both of the available PINs (i.e. device and SIM). From a security perspective it is clearly logical to use both, as the user has two assets to protect (i.e. the device, which gives access to their data, and the SIM, which gives access to their mobile account), so the fact that this does not happen is likely to relate to one of the following reasons:

· users do not appreciate the need for two PINs, or fail to understand the difference between them;
· users are unwilling to tolerate the use of two separate authentication measures, or unable to manage the use of two techniques (e.g. difficulty in remembering two distinct PINs).

The issue of what is considered tolerable from a security perspective can also be related to the frequency of use. For example, staying with the issue of authentication, it is worth observing that on many mobile devices the PIN is not the only option available. For example, Windows Mobile allows the ‘password type’ for the device to be ‘Simple 4 digit’ or ‘Strong alphanumeric’ (with the latter forcing the user to choose a password with at least 7 characters, including “a combination of upper and lowercase letters, numerals or punctuation”). However, despite the opportunity to use something better, many of us will stick to using a 4-digit PIN because, in contrast to a PC where you typically expect to login and use the system for at least a few minutes, PDAs and phones are in and out of our pockets all the time for very short periods of use (e.g. to enter a task, check a schedule, make a call, etc.), and entering a password on each occasion would be dramatically more inconvenient. However, from a security perspective this has a significant impact in the sense that the simple PIN is potentially being used to protect the same data that, on the desktop, would need to be secured by a strong alphanumeric password. Moreover, it is providing this protection on a device that is far less likely to be physically secure. If even short PINs are considered inconvenient by some users, then it is logical to conclude that other secret-knowledge approaches are also likely to fare poorly. Use of token-based authentication is rather redundant in this context – if the user wanted to use a removable token, they already have one in the form of the SIM card, but convenience dictates that this will almost certainly be left permanently in situ rather than regularly removed for security purposes.
No easy answers

Thus, from the accepted categories of user authentication (what the user knows, has and is), this leaves the final category of biometrics. Unfortunately, this is by no means a direct solution to the mobile authentication problem either. For example, probably the most widely recognised biometric, fingerprint recognition, has yet to take off in this context – despite having a proven potential for deployment on mobile devices such as models in the HP iPAQ range. From an ease of use perspective, the iPAQ implementation certainly has some advantages over the PIN – rather than tapping or typing in a series of characters, the user is simply required to swipe their finger smoothly over a sensor on the front of the device, which typically proves to be a quicker and more convenient authentication procedure. Thus, from the user perspective there should be little complaint. From the manufacturer’s perspective, however, this incurs an additional hardware cost that only has an application from a security perspective, and consequently only makes commercial sense if security is something that customers are demanding. However, at the present time, it is unlikely that such demand exists in large volume. For example, our research group’s aforementioned survey had shown that security was not high on purchasers’ agendas, with the findings revealing that security was not a key consideration when selecting either network operator or handset. Similarly, it is rare to see anything relating to security being listed amongst the comparison tables for phones and PDAs that feature in shop catalogues and magazine reviews. As such, it is easy to appreciate that the manufacturer’s logic could be that the additional cost of incorporating a reader into the device would not be matched by a corresponding increase in customer demand. Indeed, despite having made its debut appearance on iPAQ devices back in 2003, fingerprint recognition is only supported on one out of the eight models currently available in the UK.(10) A possible solution here may lie with leveraging facilities that are available on devices by default in order to enable other biometrics to be used.
Examples here could include cameras for facial recognition, microphones for voice verification, and keypads for keystroke analysis, with an intelligent framework being used to select the most appropriate technique according to the user’s preferences and current activity. Such an approach represents the focus of ongoing work within the author’s research group.(11)
Limited user-level options

Another issue is that mobile devices typically provide fewer opportunities to control security than their desktop counterparts. While they include support for some of the main Internet security standards and protocols (e.g. S/MIME, SSL / TLS), the standard portfolio of user-level security features is often limited. For example, Internet Explorer on Windows Mobile 5.0 has just 3 user-configurable security options, whereas the version on Windows XP has in excess of 30. In many ways, this simply reflects the more limited capabilities of the browser itself, and the fact that many of the security threats that would apply on the desktop do not apply on the mobile device (e.g. in the case of IE, it can be observed that the mobile version has no support for ActiveX, which immediately removes the need for around seven of the options that would be offered on the full PC version). Similar observations about restricted functionality can also be made in relation to other applications, and thus the extent of application-level threats for mobile devices is generally less than for their desktop counterparts. However, the situation will not remain this way forever and there is a consequent danger that as the capabilities of the mobile platform evolve, users will not keep pace with what is expected of them in terms of security.

From another perspective, the restricted functionality of mobile applications can genuinely impede the use of security. For example, attempting to use a Windows Mobile device to open a password-protected document that was created on the PC version of Microsoft Word prompts the application to report that “Word Mobile does not support opening password-protected documents”. Assuming that password protection is typically reserved for documents that are considered particularly sensitive, this raises an interesting dilemma. On the one hand you might think that this constraint would discourage users from attempting to place such documents on their mobile device (thus ensuring that the most sensitive documents do not go mobile in the first place).
The other scenario is, of course, that the user feels that their need to have the document on their device outweighs other factors, leading them to remove the protection and make the document even less secure. Over time, some of the above problems will likely disappear, as the level of inherent security provision within the devices is increased. However, there is a danger that by this stage users will have already become accustomed to using their devices without such protection, and thus it may be more difficult to retrofit security into their mobile mindset.
Conclusions

This discussion has highlighted the potential importance of mobile devices from a security perspective, alongside a range of issues that may currently complicate the task of protecting them. Unfortunately, there is no simple answer to some of the problems, but it is at least relevant to recognise the complications and constraints that are likely to be encountered. It is worth noting that most of the commentary here has concerned the standard security provision on the devices, and (as with desktop PCs) additional products can be purchased to improve the situation. For example, various products are available that can ‘police the ports’ and prevent data from being transferred to and from mobile devices and removable media without authorisation (e.g. Centennial Software’s DeviceWall, Reflex Magnetics’ Disknet Pro). However, it must be recognised that technology will never provide the complete solution. Although such products can provide effective control for things like USB keys and external drives, these cannot prevent users from entering company sensitive information directly into phones or PDAs.
As such, organizations need to ensure that they have in some way addressed mobile device issues in their security policy, and followed it up with clear awareness raising so that employees know the situation. Other efforts will come to nothing if users do not recognise the risks, or understand why the use and protection of their personal devices is of interest to the organization.
References

1. Millman, R. 2006. “Mobile devices ‘inadequately protected’, survey finds”, SC Magazine, 6 June 2006, http://www.scmagazine.com/uk/news/article/562777 (accessed 8 June 2006).
2. Pointsec. 2006. “Companies see risk of removable media but still turn a blind eye”, Pointsec News Release, 8 June 2006, http://www.pointsec.com/news/release.cfm?PressId=294 (accessed 3 July 2006).
3. Audit Commission. 2005. ICT Fraud and Abuse 2004 – An update to yourbusiness@risk. Audit Commission Publications, UK. June 2005. (downloadable from http://www.auditcommission.gov.uk).
4. Ernst & Young. 2005. Global Information Security Survey 2005 – Report on the Widening Gap. Technology and Security Risk Services. EYG No. DJ0001.
5. Naraine, R. 2006. “First J2ME Mobile Phone Trojan Spotted”, eWeek.com, 28 February 2006, http://www.eweek.com/article2/0,1895,1932365,00.asp (accessed 30 May 2006).
6. “Monthly Mobile Threat Summary – February 2006”, F-Secure, 9 March 2006, www.f-secure.com/wireless/news/items/news_2006030900.shtml (accessed 30 May 2006).
7. “Monthly Mobile Threat Summary – March 2006”, F-Secure, 12 April 2006, www.f-secure.com/wireless/news/items/news_2006041200.shtml (accessed 30 May 2006).
8. McAfee. 2006. “McAfee Mobile Security – Overview”, http://networkassociates.com/us/local_content/datasheets/public/ds_mobile_security_overview.pdf (accessed 15 July 2006).
9. Clarke, N. and Furnell, S. 2005. “Authentication of users on mobile telephones – A survey of attitudes and practices”, Computers & Security, vol. 24, no. 7, pp. 519–527.
10. “Handhelds : HP iPAQ Pocket PCs”, Hewlett-Packard Development Company, UK website, http://h10010.www1.hp.com/wwpc/uk/en/ho/WF02a/21675-21679-2[…]1679.html (accessed 9 July 2006).
11. Clarke, N.L. and Furnell, S.M. 2005. “User Authentication for Mobile Devices: A Composite Approach”, Proceedings of the 6th Australian Information Warfare and Security Conference, Geelong, Australia, 25–26 November 2005, pp. 48–56.
About the author

Steven Furnell is the head of the Network Research Group at the University of Plymouth, UK, and an Adjunct Associate Professor with Edith Cowan University, Western Australia. His current research interests include the problem of user authentication for mobile devices, and this article is partially based upon his contribution to a security-related panel session at the Mobility Summit 2006.
PHISHING
Phishing update, and how to avoid getting hooked

David Emm, Senior Technology Consultant, Kaspersky Lab
Phishing is on the move. Cyber criminals are continually trying to find new ways to catch users off-guard. This may include new technological developments or it may simply mean using some topical ‘hook’ to beguile users. Here is a roundup of where it is today.

Hardly a day goes by without some reference to ‘phishing’, also known as ‘brand spoofing’. It involves tricking computer users into disclosing their personal details (username, password, PIN number or any other access information) and using these details to obtain money under false pretences.
Phishers rely heavily on the ‘social engineering’ techniques employed by writers of viruses and worms as a way of beguiling users into running malicious code. The LoveLetter worm, for example, arrived as an email with the subject line ‘I LOVE YOU’ and the body text ‘Kindly check the attached LOVELETTER coming from me’. In an effort to put unsuspecting users further off their guard, the attachment had a double extension (LOVE-LETTER-FOR-YOU.TXT.vbs): by default, Windows does not display the second (real) extension. This double extension trick has been used by lots of viruses and worms since, including SirCam, Tanatos and Netsky. Another technique is to construct an email to look like something that’s beneficial. The Swen worm, for
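To make the double-extension trick concrete from the defender's side, here is an added example that is not part of the article: it flags attachment names whose real, executable extension would be hidden behind a harmless-looking one, and reports whether the local Explorer setting that hides known extensions is in effect. Function names, the extension lists and every sample name other than the LoveLetter attachment are constructed for this illustration; it also covers the space-padded variant of the trick, which the article does not mention.

```powershell
# Added example, not from the article: flag attachment names that use the double-extension
# trick (a harmless-looking extension in front of the executable one) and report whether
# this machine's Explorer is hiding known extensions, the default that makes the trick work.

function Test-DoubleExtensionName {
    param([string]$Name)
    # Extensions that run code when opened; a mail filter would treat these as executable.
    $executable = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.exe', '.scr', '.pif',
                  '.com', '.bat', '.cmd', '.hta'
    # Extensions a user reads as "document" or "picture" when the real one is hidden.
    $decoy = '.txt', '.doc', '.xls', '.pdf', '.jpg', '.gif', '.mp3', '.zip', '.htm', '.html'

    $realExt = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    # What Explorer displays with "Hide extensions for known file types" on: the name
    # minus its final extension. TrimEnd() also catches the padded variant
    # ("report.doc        .exe"), a later refinement of the same trick.
    $shown   = [System.IO.Path]::GetFileNameWithoutExtension($Name).TrimEnd()
    $seenExt = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()

    [pscustomobject]@{
        Name       = $Name
        Displayed  = $shown
        RealExt    = $realExt
        Suspicious = ($executable -contains $realExt) -and ($decoy -contains $seenExt)
    }
}

function Test-ExplorerHidesExtensions {
    # Windows only. HideFileExt = 1 (or the value being absent) means Explorer drops the
    # last extension from displayed file names.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $value) -or ($value -eq 1)
}

# Constructed sample names; only the first is the one the article cites.
$samples = 'LOVE-LETTER-FOR-YOU.TXT.vbs',
           'Quarterly figures.xls.exe',
           'holiday.jpg                  .scr',
           'invoice.pdf',
           'setup.exe'
$samples | ForEach-Object { Test-DoubleExtensionName -Name $_ } | Format-Table -AutoSize

if (Test-ExplorerHidesExtensions) {
    'Explorer is hiding known extensions; the real extension of these names would not be shown.'
}
```

Only the first three names come back as Suspicious: a plain executable such as setup.exe is not disguised, and a genuine document carries no executable extension at all.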