“A hacker wishing to break into a specific company may decide that compromising an unprotected mobile device is far easier than dealing with corporate firewalls”

After years of experience, and learning from the high profile mistakes of others, businesses are fully aware of the importance of security on desktop and laptop computers.  Anti-virus software and encryption tools are standard issue, and user rights management also forms a key part of any corporate security setup.

But this is now only one aspect of securing a business against digital threats. The rapid growth of powerful mobile devices has opened a whole new front in the war against hackers, viruses and mischief makers.

Now in addition to locking down a desktop and laptop computers, business owners must consider the danger posed by mobile devices, and those that don’t risk exposing their company to financial or reputational loss.

A trojan horse in every pocket

Smartphones and tablets can be hugely beneficial to businesses, but an unsecured device offers another route to confidential information for hackers.

There are already numerous mobile viruses in circulation. Typically these are untargeted, they’re used to gather private information or send premium rate texts for the financial benefit of those controlling the software. But a dedicated coder could easily create a virus with a much narrower focus, one designed with the express purpose of penetrating a company.

There’s already been one very high profile example of this kind of attack on desktop systems. Stuxnet was a virus designed to damage to a very particular type of industrial equipment used by the Iranian nuclear programme.

This was a sophisticated, state-sponsored effort, but it’s not restricted to those with government backing. A group known as ‘Winnti’ have been using malware attacks to steal online gaming credentials, security certificates and source code in order to profit from trading virtual currency and stolen data.

And just this month a new virus was discovered that is thought to have been targeted at UK companies, silently infecting thousands of machines.

A hacker wishing to break into a specific company may decide that compromising an unprotected mobile device is far easier than trying to deal with corporate firewalls. It could be all they need to capture confidential information or gain access to internal systems.

What can be done?

At this year’s Mobile World Congress event all the major security firms were in attendance, and while they were jockeying for attention for their own software solutions they did all agree on one thing: users need educating.

“On PC everybody is aware they need protection”, says Stefan Wesche of Norton Antivirus, “on mobile most people are not aware, and that’s where we should start, telling them about the problem.”

We’re all accustomed to the need for good passwords and up-to-date anti-virus on our computers, but the concept of anti-virus on a smartphone is still alien to many people.

Businesses need to start by ensuring their security guidelines cover the use of mobile devices, and that all employees are aware of the risks.

They also need to examine the inherent security features of the various mobile platforms; one reason BlackBerry was so popular for corporations was thanks to the excellent security it offered as a standard feature. At present, Google’s Android mobile OS has the largest number of viruses partly because there are very few limits to what users and developers can do with their devices. That offers many advantages, but also allows malware to piggy-back on pirated software or sneak in through the official app store.

A robust mobile security policy is particularly vital with the growth of ‘Bring Your Own Device’ (BYOD), where employees are permitted to use personal equipment. This can be a money saver, but a smartphone which is being used to download apps and games at home, perhaps being used by children, and then taken to work for business emails and calls should be a big area of concern for IT managers.

Author Bio: Matt Powell is the editor for the broadband, smartphone and tablet consumer information site Broadband Genie.

Not that confusion is anything new.

Everyone has, at some point, fumbled through a stack of payment cards stuffed in to a wallet or purse in a vain attempt to extract the right one for the purchase in hand.

“Do you accept Diners Card?  No?  How about Access? Oh. Hang on, I’ve got an Amex card in here somewhere…”

So much for taking the waiting out of wanting.

The last few years has seen the emergence of a variety of eWallet services. These on-line services enable the customer to register bank or payment card details just once with the eWallet provider. Once done, the customer does not have to share card data with the merchant as the eWallet provider handles all interactions with the account holders bank or card issuer.

But payment card brands are, just as the name suggests, brands. Vast amounts of money are expended to ensure that merchants and consumers alike are visibly reminded of the brand identity of the product embodied in that plastic card. eWallets obscure that brand, or indeed replace it altogether.

A curious but perhaps inevitable effect of this has been the appearance of “brands” such as PayPal in high street stores. No longer just an on-line entity, PayPal has a growing presence at the retail point of sale too, cleverly insinuating it’s own brand presence where previously only Visa, Mastercard, Amex et al had a footprint.

But just as on-line payments companies like PayPal are moving in to the face-to-face environment, it would be wrong to assume that the traditional card brands are simply watching this happen. eWallet offerings from Visa (V.me), Mastercard (Masterpass) and Amex (Serve) are all competing too, and in exactly the space that companies like PayPal have defined for themselves.

“The analytic possibilities presented by mobile payments data will make current loyalty card schemes look positively quaint by comparison.”

However, the major card brands are not the only competition to the likes of PayPal. Let’s not forget Google Wallet, for example.  Or Square, or Isis. There’s a lot of competition out there, and the stakes are high with the US mobile payments market alone expected to be worth over $90 billion over the next few years.

The key driver behind the growth of these services has been Internet-connected smartphones. All of the major eWallet services include a smartphone app component that effectively sees the phone not just as an eWallet, but as the payment device too, bridging the gap between on-line and face-to-face payments. These apps are able to implement their own security features too, including voiceprint, fingerprint or pin authentication.

Android phones have been available for some time equipped with NFC hardware, enabling the phone to act just like a physical payment card, and there are rumours that Apple’s next iPhone could also be NFC-equipped with Apple releasing a so-called “killer” eWallet app.

So it seems that anyone who’s anyone now has a stake in the future of mobile payments. The convergence and adoption of key technologies continues, and although no clear winners have emerged as yet, the future of payments will surely be mobile.

Smartphone platforms provide an unprecedented opportunity for retailers and payment providers to profile customers, to push individually customised offers and to analyse sales patterns based upon location, historical data and any of the wealth of information our smartphones reveal about us. This data will be hugely valuable. The analytic possibilities presented by mobile payments data will make current loyalty card schemes look positively quaint by comparison.

The winners will combine simplicity and sophistication to create a ubiquitous payment process, and will reap rich rewards in the process.  For now, it’s the simplicity that’s proving elusive from the customer’s perspective. Until that changes, we think most people will prefer to reach for the plastic.

Developments in information security are reactive and innovation in the space only occurs when “real” innovations happen elsewhere. To some extent, this is inevitable. Example: there was no anti-virus industry before the microcomputer innovations of the 70s and 80s. Before that time, discussions about any kind of security were generally limited to the provision of usernames and passwords controlling access to dumb-terminals connected to central mainframe applications.

The microcomputer revolution changed everything, putting real power in the hands of the end user, freeing them from the tyranny of the sys admin. Simultaneously, the information security industry was born, offering instant solutions to new classes of problems.

Then the Internet blossomed, joining up the dots. End-users, empowered and on line. The next iteration, and an even bigger security industry.

The cycle is repeating itself, as cycles do. Roll forward a decade or so. AV is yesterday’s discussion, and every one of us is the administrator of perma-connected mobile devices.

We now have a massive security industry, and hacking and data loss is a bigger issue than ever before. Why?

The simple answer is that the security industry never actually catches up with innovations elsewhere (not forgetting that innovation happens both legitimately and illegally).  Also, there are some serious constraints that any security technology has to work within:

1. End-users will resist being functionally restricted.
2. Ease of use is, and always will be, paramount.
3. Most end users do not perceive security issues, do not know who to trust and will often make poor security decisions.
4. About 35% of the World’s population are currently on the Internet, and the figure continues to climb steadily. Solutions have to be capable of massive scaling in the future.
5. All user-facing technologies have to innovate within the constraints above, or risk becoming niche or irrelevant .

Technology that is secure but hard to use will fail to make an impact. Technology that is easy to use but does not improve security will fail to make an impact. There have been plenty such products over the years.

Which (apart from the Internet statistic) is exactly where we were decades ago. In that sense, the industry has not moved at all, but has merely repeated itself on a bigger scale. It’s easy to become frustrated by this (frustration is a common complaint in the security business) however, there are some positive effects.

Firstly, now that we’re in this third cycle, we’re past the “we know what we don’t know” phase. Which means that many of the behavioral aspects of human-computer interaction are well understood. We understand the kinds of decisions people make when interacting with technology (the bad guys know this too, but lets gloss over that for now).

Secondly, we’re just beginning to understand what doesn’t work in the vital task of establishing trust. Technologies such as SSL are shown to be flawed because of their susceptibility to human error and implementation faults – clearly we need something better. Projects like Convergence seek to replace the flawed certificate authority system which underpins the trust that SSL is supposed to provide. It’s still early days, but this is real innovation.

Third time lucky, there’s every reason to be optimistic.

The reality is, it isn’t.  A team of geneticists has shown there is a systematic weakness in the way that this data is handled. It turns out that statistical analysis combined with good old-fashioned searching the Internet for identity clues may be all it takes to render the strict controls associated with donor data completely powerless.

The law of unintended consequences always applies with new technology. If we give information away freely, we shouldn’t be surprised when someone finds a way to use it. Imagine what a geneticist could do with this research that uses Facebook ‘likes’ to predict race, religion and sexual orientation?

This does raise the question of how to design security systems to protect data from threats (or developments in technology) that we don’t know about yet. This intractable problem is likely to remain with us for the foreseeable future, but one approach is to offer up your implementation for attack, and pay a bounty for positive results.

Which sounds very much like the Google-sponsored “Pwnium 3″ contest where cash prizes of up to $150k are available for demonstrable exploits of Google’s Chrome OS. Google did manage to get some last-minute patching done just before the competition started, and (consequently?) there were no clear winners, with Chrome fending off all attacks.

Let’s wrap up this weeks somewhat sober assessment with a data-leak-of-the-week  quote from this story about widely reported data breaches at various credit reference bureaus:

“The data leak this week is being called a juvenile prank and not necessarily the work of any sophisticated hacker”

We’re not entirely sure what the difference is, from the victim’s perspective, but it’s an interesting defence.

What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept potentially malicious traffic destined for your web applications. Of course, the very best defence against these attacks is to write secure code to begin with, however there are a number of circumstances in which this isn’t achievable.

For example, where you’re running a 3rd party web application, or if you simply don’t have the resources available to make the code changes.

Highly recommended reading for all developers and development managers.

Read it here.

Why does Android seem prone to these issues? Part of the answer lies not in the technology, but in the end user. Hacking the human mind continues to yield some rich pickings. Disappointingly, we just keep clicking on stuff without thinking. Where’s the patch for that?

We can’t help recalling the uproar a few years ago when “free” webmail services were all the rage. The big deal then was the realisation that these providers could actually read your mail. The very thought! Roll forward to the present day, and not only have we completely forgotten about that, we’re storing all sorts of data in all sorts of places, without a care in the world.

Lost or stolen USB keys, DVDs and  laptops were also big deal, but now that’s all passé.  Now we have an even better way to lose sensitive data that we shouldn’t even be storing in the first place. Yes, it’s bring your own cloud, the thoroughly modern approach to data storage that has done for data security what King Henry VIII did for gender equality.

Emails aren’t secure, data is at risk of compromise more or less all the time. What’s left?  The good old cellphone system. That’s probably secure. By “probably”, of course we mean “probably not”. Witness this post via Bruce Schneier highlighting the techniques used by the FBI in order to intercept phone data and track users. Very informative.

But is it controversial? An organisation that tracks your location, knows all your contacts, reads your emails and extracts data from your phone? This is, of course,  completely unheard of on the Internet. On a mobile phone. We’re sure you see our point here.

Let’s end with a summary. We’re using mobile platforms that are full of holes, to store data that we shouldn’t be storing, on cloud services that are insecure; whilst assorted governments, commercial organisations and bad guys all compete for access to that data, right in the palm of our hands.

Who says information security is boring?

It turns out that China is being hacked by the US. There, we said it. As they say, it takes two to tango, so we presume this comes as no great surprise to anyone. Except for governments outside of the US and China, who are no doubt feeling a little “hacker envy” right now. Don’t worry, one of the big guys will get round to you eventually.

The age-old “my system is more secure than your system” arguments still rage on.  In the latest twist to this interminable, intractable and possibly uninteresting discussion, a Microsoft partner has claimed that Microsoft software is better patched than Linux software, under certain circumstances, with consideration given to other factors. All we can say is that we absolutely agree with that finding. Whatever it was.

Anyway, non-patches are not the only threat to security. Encryption experts agree that the current trust-based system of Certificate Authorities (the entities who digitally vouch for the authenticity of millions of  web servers) is not working as well as hoped, and should be replaced. Apparently, we need a system where people can choose who to trust. In other words, replacing one system that fails due to fundamental human weakness, with one where humans can make even more uninformed choices. That should work like a charm.

Speaking (indirectly, at least) of Achilles and his infamous heel, the word of the week is “sisyphean”. Of course we didn’t have to look it up; we instantly recognised that other Greek mythological reference which equates the task of doing proper security with the task of repeatedly pushing a giant boulder up a hill only to watch it roll back down again.  Many readers will no doubt identify with that job description. Have no fear, help is at hand.

In the future, big data analytics and advances in machine learning will decide on our behalf what is friend, and what is foe. We simply don’t need to get involved. Perhaps the encryption experts we mentioned earlier have got it wrong – we shouldn’t be permitted to make trust-based decisions; as a species we’re simply not evolved enough to spot digital predators. A sobering thought, for sure.

But then, whilst we’re in the mood for classical references, Quis custodiet ipsos custodes?

But things move fast in the murky world of  attack and counter-attack. The widely-touted report  itself  has become a security risk, and is being used as bait in a phishing attack.  Naturally, that’s the level of entrepreneurial, free-market thinking that one automatically associates with communist China.

Speaking of Chinese ingenuity, malware is getting smarter says anti-virus vendor McAfee; a revelation that presumably comes as no surprise to competitor Symantec, whose own products apparently failed to spot (and here’s that phrase again) the prolific and sustained hacking of the NY Times. Can anyone else see a pattern emerging here?

If security products can’t help us, we have to defend ourselves against the data breach apocalypse. Better not start with Sharepoint then. According to a recent survey, two thirds of Sharepoint users have no security policy.  We know it’s called Sharepoint, but really there are some things that one shouldn’t be sharing. Like the fact that you have no security policy, for example.

Finally, if that’s not apocalyptic enough, we now know that the emergency TV broadcast systems used to address the US public in the event of a real apocalypse are riddled with default passwords and other poor configuration choices. We know this because during a recent spate of zombie uprisings across three US states, community-spirited citizens were able to alert the general public to the imminent danger posed by the walking dead.

What a relief.

Whilst it’s great to focus on weak passwords, let’s not forget that a weak password usually needs a corresponding username to make it useful to the attacker.

This is why the logging of invalid access attempts is useful not just from a compliance perspective, but can also provide valuable insight in to which accounts are being targeted in the wild. If you can see an account access attempt in your log that isn’t covered by your strong password policy, be prepared to act promptly to remediate.

To illustrate this point, we’ve taken sample log data from our own systems. Specifically, invalid login attempts against one of our Secure Shell (SSH) services from the end of January 2013 to date. In all we logged 12,317 unsuccessful attempts using 1331 user names.

The graph (click image to enlarge) we’ve included shows the top 20 most popular usernames attempted during that period, which were:

oracle,test,mysql,support,tomcat,user,www,guest,upload,test2,tester,test1, testing,ftpuser,postgres,nagios,info,anna,cyrus,web

The findings from our small sample show that whilst the most popular targets remain the generic service accounts such as “oracle”, “tomcat”, “ftpuser” and so on, the targets are by no means all generic. Further down our list there are many end-user names, such as “mark”, “lauren” and “steven”.

In summary, logging can provide you with insight that extends beyond confirming who’s logging on to your system. A record of invalid access attempts provides a valuable additional checklist to confirm the coverage of your strong password policy.

You can download our complete anonymous data set here.

Although cloud computing feels like a new thing, the issues about responsibility for cardholder data are certainly not new. Related issues, such as nebulous (pun intended) statements about PCI compliance from a CSP need to be qualified, and mutual responsibilities clearly established.

Actually, this new document echoes some guidance that we’ve been publishing for a while now. Have a look at PCI Compliance Claims: 3 Questions You Must Ask for example. More recently, we published a 10 minute video entitled Penetration Testing & The Cloud, which is an ideal management introduction to the subject, even if PCI DSS isn’t on your radar.

The SSC document is available here.