portable devices

Warning: your mobile phone is not safe from hackers

The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse. I am talking of course about your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control, and some not.

Just look at some of the recent hacks that have happened to phones. There are bad apps that look benign, apps that claim to protect you from virus infections but are really what are called “fake AV” and harm your phone instead, and even malware that infects application construction tools. I will get to some of the specifics in a moment. If you are in St. Louis on August 3, you can come hear me speak here about this topic.

Part of the problem is that the notion of “bring your own device” has turned into “bring your own trouble” – as corporate users have become more comfortable using their own devices, they can infect the corporate network or get infected by it. And certainly mobile users are less careful and tend to click on email attachments that could infect their phones. But the fault really lies in the opportunity that mobile apps present.

For example, take a look at what security researcher Will Strafach has done with this report earlier this year. He demonstrated dozens of iOS apps that were vulnerable to what is called a man-in-the-middle attack. These allow hackers to intercept data as it is being passed from your phone through the Internet to someplace else. At the time, his report grabbed a few headlines, but apparently, that wasn’t enough. In a more recent update, he found that very few of the app creators took the hint — most did nothing. He estimates that 18 million downloaded apps still have this vulnerability. Security is just an afterthought for many app makers.

Another issue is that many users just click on an app and download it to their phones, without any regard to seeing if they have the right app. Few of us do any vetting or research to find out if the app is legit, or if it is part of some hacker’s scheme, and to do so really requires a CS degree or a lot of skill. Take the case of the “fake AV” app that infects rather than protects your phone. There are hundreds of them in the Google Play store. FalseGuide is another malware app that has been active since last November and infected more than two million users.

The Judy malware has infected between 8.5 million and 36.5 million users over the past year, hiding inside more than 40 different apps. DressCode initially appeared around April 2016 and since then it has been downloaded hundreds of thousands of times. Both look like ordinary apps that your kids might want to download and play with. Hackers often take legit apps and insert malware and then rename and relist them on the app stores, making matters worse.

Even the WannaCry worm, which was initially Windows-only, has been found in seven apps in the Google Play store and two in Apple’s App Store. Speaking of Apple, the malware XcodeGhost is notable in that it has targeted iOS devices and resulted in 300 malware-infected apps being created, although that malware infected Apple’s desktop development environment rather than the mobile phones directly.

So what can you do? First, make sure your phone has a PIN to lock its use, and if you have a choice of a longer PIN, choose that. There are still at least ten percent of users that don’t lock their phones. Having a PIN also encrypts the data on your phone.

Next, use encrypted messaging apps to send sensitive information, such as Signal or WhatsApp. Don’t trust SMS texts or ordinary emails for this.

Use a password manager, such as Lastpass, to store all your passwords and share them across your devices, so you don’t have to remember them or write them down.

When you are away from your home or office network, use a VPN to protect your network traffic.

Don’t automatically connect to Wi-Fi hotspots by name: a hotspot named “Starbucks Wi-Fi” could be run by anyone, and hackers count on you trusting the name. Apple makes a Configurator app that can be used to further lock down its devices: use it.

Turn off radios that aren’t in use, such as Bluetooth and Wi-Fi.

Don’t do your online banking — or anything else that involves moving money around — when you are away from home.

Don’t let your kids download apps without vetting them first.

Turn on the Verify Apps feature, especially on Android devices, to prevent malicious or questionable apps from being downloaded.

Keep your devices’ operating systems updated, especially Android ones. Hackers often take advantage of phones running older OSes.

I realize that this is a lot of work. Many of these tasks are inconvenient, and some will break old habits. But ask yourself if you want to spend the time recovering from a breach, and if it is worth it to have your life turned upside down if your phone is targeted.

Read More
iBoss blog: How to Implement the Right BYOD Program

Once you have decided to implement a bring your own device (BYOD) program, you need to think about how exactly to go about it. Here are a few aspects to consider, such as what you are trying to control, whether you can manage your devices from the cloud, and how granular the policies you create can be. It’s on the iBoss blog today.

Read More
iBoss blog: The benefits and risks of moving to BYOD

In this, the first of a two part series, I talk about why you want a BYOD program at your company.

We all know that mobile devices are becoming more popular and more used for enterprise computing needs. It is no mystery, especially now that phone screens approach the dimensions of small tablets, that both iOS and Android operating systems are becoming more capable of handling all sorts of corporate apps.

You can read my post on iBoss’ blog here.

Read More
See a USB drive, don’t pick it up!

Most of us know by now that if you spot a random USB thumb drive sitting on the ground, you should ignore it, or better yet, put it in the nearest trashcan. This action was an early plot point in the TV series Mr. Robot. I even saw a poster at Check Point’s Tel Aviv headquarters when I visited there in January warning employees to dispose of such drives when found on their campus.

But still, human nature gets the better of us sometimes. A recent academic paper shows just how tempting that drive can be for college students at the Universities of Michigan and Illinois. The study found that out of 300 drives that were sprinkled around the various campuses, at least half were retrieved and inserted into computers. In some cases, the drives were inserted within a few minutes of being left.

These drives contained special code that would “phone home” and alert the researchers that they were found, but they could have contained more dangerous malware. Which is the point of this depressing exercise.

What is interesting about the paper was the lengths that the researchers went to understand their targets’ motivations and rationale for picking up the drives in the first place. They were asked to complete a survey (and paid $10 to do so; after all, these are college students). Two thirds of them said they took no precautions before connecting the drives to their computers.

They also tested the time of day, location, and branding of the drive itself to see if these factors made them more or less likely to be retrieved. For branding, the researchers attached a “confidential” sticker, a return address label or keys to see if that made a difference. Interestingly, the return address label actually reduced insertion rates. The researchers also monitored Facebook and Reddit to see if any students posted warnings about the proliferation of drives around campus. Despite several postings and the fact that word spread on these networks quickly during the experiment, the drives were still retrieved.

This isn’t the first, and certainly won’t be the last such study. Several years ago, the Department of Homeland Security found that 60% of folks who found drives planted outside government buildings tried them out, and this percentage increased to 90% when the drives had a logo on them indicating some sort of official use. And last fall, a study commissioned by the trade group CompTIA found that 20% of 200 drives that were sprinkled across five cities were retrieved.

Certainly, there are some drives that are truly evil, such as this drive reported by Gizmodo that will literally cook your motherboard. Or the infamous Rubber Ducky drive used by penetration testers.

Bruce Schneier complained about this meme years ago, and wrote in a blog post:

“The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that it isn’t safe to plug a USB stick into a computer. Quit blaming the victim. They’re just trying to get by.”

Certainly, better and more security education would be a good idea. The college survey found that students perceived the files on the flash drive as being safer because they used .html extensions. Uh, not quite. But there is some hope: a few students were suspicious and actually used a text editor to open these files and connect them to offline computers.

Read More
Lessons Learned From a Master Inventor: An Interview with IBM’s Lisa Seacat DeLuca

Lisa Seacat DeLuca is the most prolific female inventor in IBM’s history. With more than 400 patent filings, she comes up with a new idea almost every week. She’s had numerous jobs within IBM and currently works as an omnichannel strategist for IBM Commerce. She works from her home-based Baltimore lab, which is filled with lots of different gadgets, including a 3-D printer.

I recently interviewed her for a post in IBM’s SecurityIntelligence blog here.

Read More
CDW StateTech Magazine: Review of Citrix XenMobile

Citrix has long offered mobile device management software in cloud and on-premises versions. The latest version, XenMobile 10, offers some welcome enhancements to the user experience and security. In my review for CDW’s State Tech Magazine, I walk through some of the notable features. Citrix sells three different software bundles under its XenMobile brand: XenMobile MDM, XenMobile App and XenMobile Enterprise editions. There are differences that you should be aware of.

Read More
A short history of wireless messaging

As part of my tripping down memory lane and reading my archive, I naturally came across the dozens of articles that I have written over my career on wireless messaging. It made me think about how the industry has evolved so quickly that many of us don’t even give this technology a second thought — we just expect it to be part of our communications package.

Now our smartphones have multiple messaging apps: Email, SMS, WhatsApp, Skype, AOL IM, and Apple’s iMessage, just to name a few of them that are on my phone. We flip back and forth from one to the other easily. When you add in the social networks’ messaging features, there are tons more.

My first brush with wireless messaging was when Bill Frezza stopped by my office and gave me one of his first prototypes of what would eventually turn into the BlackBerry. It was called the Viking Express, and it weighed two pounds and was a clumsy collection of spare parts: a wireless modem, a small HP palmtop computer running DOS, and a nice leather portfolio to carry the whole thing around in.

The HP ran software from Radiomail Corp. The company was one of the first to understand how to push emails to wireless devices. Its innovations were never patented due to the philosophy of its founder, Geoff Goodfellow. Ironically, after Research in Motion, the company behind the BlackBerry, went on to become one of the more litigious computer vendors, it had to pay $615 million to obtain the rights for patents for its device.

Now wireless has gotten so fast, it can be faster than wired connections. Cisco’s latest networking report predicts that Internet traffic will carry more wireless than wired packets in a few years. And we have come full circle: with new desktop Macs, Apple has gone a bit retro on us. Now you can access iMessage from your desktop, which is great for those of us that want to type on regular keyboards instead of with our thumbs, or use Siri to compose messages.

So for those of you that don’t recall where we have been, I have posted the original articles that I wrote about some of the early wireless messaging apps for some perspective on my blog. Here are some links to them.

Review of smart pagers for Computerworld (1998)

Back then, BlackBerries weren’t available, and Motorola ruled the roost. Pagers were in transition from simple one-way devices that would just display numerals to more interactive messaging devices. However, they were pretty unsatisfying: The one-way pagers worked because they were tiny, their batteries lasted forever, and they could be used by anyone including my nine-year-old. The smarter devices were harder to use, they ate batteries for lunch, and they didn’t always work without some specialized knowledge.

Evaluating wireless web technologies (2000):

Back then, I gave up my laptop and tried to use just a smart(er) phone and borrowed PCs when I traveled. There were some early apps back then that could actually work.

Supporting PDAs and wireless devices on your corporate network (2001):

The first messaging device to gain traction was the Palm Pilot, but we also had the Pocket PC too. This article was a piece of custom content for CDW that reviewed all the options available back then. For cellular data, you needed add-in radio cards.

The joys of wireless messaging (2003)

How about AOL’s IM running on a Palm i705? That was a pretty slick device, as this article can attest to.

Don’t buy a Treo 700w (2006):

Remember the Treo? I still have one somewhere in my closet. They were a combination of a phone and a Palm Pilot. Back then I wrote: “the Treo isn’t as cool as the Sidekick, doesn’t do iTunes like the Rokr, and isn’t as addicting as a CrackBerry.”

Sidebar conversations are here to stay (2009):

It isn’t just texting while driving, but texting while doing something else, that is at issue. By 2009, the notion of having a side conversation using a wireless device was very common.

What is your favorite wireless messaging device or app from the past?

Read More
ITworld: The enterprise mobility management journey

Enterprise mobility management (EMM) is a marathon, not a sprint, so you must be thinking about what you need today with the tools available, and be planning for the future. At the core, enterprises need stability and scale, so how do they choose the right solution?  Analysts say this is the year to review your EMM strategy or develop one if you haven’t already. There are a lot of companies vying for the enterprise business with tools that have varying degrees of functionality. I wrote a white paper for ITworld that explores the journey as you manage this moving target.

You can download the paper here; registration is required.

Read More
CA Blog: Mulling over enterprise mobility at Mobile World Congress

CA’s booth at the show even looked very cloud-like!

It is impossible to walk all of the floor across the eight different cavernous halls of the Mobile World Congress trade show. It struck me that my slow progress through the show floor is a good metaphor for what IT folks have to do to manage their mobile devices across their enterprises: Sometimes you have to pick and choose your battles, not lose sight of the overall objective, and avoid getting caught up in the weeds.

You can read my post on CA’s blog here about what I learned from my trip to Barcelona.

Read More
Solution Providers for Retail: Tasty Apps Mean More Than Appetizers for Restaurants

This week is a popular one for going out to dinner, yet when it comes to restaurant-oriented mobile apps, love isn’t always in the air. About half of the top 100 restaurant chains don’t have any mobile apps, and many of those that exist crash frequently or contain obvious coding errors.

The best restaurant mobile apps combine several features, including mobile ordering, digital payments, location awareness and more.

You can read the entire post on Solution Providers for Retail here. And you can sign up to get the full restaurant report that Ira Brodsky and I are working on when it is ready here.

Read More