Archive for category Mobile

Do 1st graders have all the answers? Convenience and risk considered.

It wasn’t too long ago that installing an application took an IT professional. Now it’s so easy a first grader can do it. If you have an Android, iPhone, or Windows Phone 7, your first grader can search for an application in the marketplace or app store and install it. Not only is it easy, it is also convenient. I know I’m not the first person to notice that convenience is a phenomenal sales tool. The more convenient something is, the easier it is to make the sale. All companies are driven by revenue and not security. Vendors that offer a device you carry in your pocket have the ultimate convenience. On the flip side, SAP installs have been known to take years and require hundreds of IT people. This is the old model. The new model is to use a cloud solution with a web-based interface which requires no install, or a mobile app/web install. Floppy disks were replaced by CD/DVDs, and CD/DVDs have been replaced by a connection to the internet.

The unfortunate truth about not requiring a disk (yes, I’m showing my age) to install software is that it has possibly become too convenient. Ok, there’s no such thing as too convenient, but it helps me emphasize my point. One of the controls which IT-savvy people have taught for years is to be careful what software you install. This helps prevent malware from making it onto your computer and is augmented by access control settings within the operating system which prompt before allowing installation. Primary examples are Windows 7 User Account Control (UAC) and OS X/Linux “sudo”. There are some differences between mobile devices and desktops and laptops. These differences primarily include the availability of location-based information and the additional access layers added by the platform vendors to isolate applications from the hardware.

The extreme convenience of application installation under app store models is blurring the risk and leading to a change in the security model. Mobile device manufacturers are not providing root access by default, whereas desktop operating system vendors traditionally provide administrative access out of the box. Since people are tech-savvy and used to having admin access on their laptops, they are requesting and even expecting to have it on their mobile devices. This is part of why the jailbreak and root/ROM websites and blogs are proliferating. The mobile device vendors have the right idea in not granting root access to the user. It makes it much harder for malicious programs to infiltrate the device.

The question has always been one of trust.  Who do you trust?  The phone manufacturer or your operating system vendor? Do you trust the marketplace/app store owner?  The application author? Device users may need to change their behavior to ensure they read the notifications regarding what information/hardware they are permitting the operating system, marketplace, or application to have access to.

I think we can agree the days of long setup and install times are gone. This is a great thing! Self-service and instant software acquisition are here to stay. However, the ability for users to install apps immediately using an app store is making IT departments across the globe look like they are not agile enough to meet their business’s needs. The ability for the business to execute an instant install is simultaneously increasing the risk tremendously.

To link back to the opening thoughts of this blog article… Do IT departments need to compete with 1st graders? If IT departments can’t create convenient, secure installation scenarios to make tools available to business partners, then the business partners will go directly to cloud or mobile vendors. This is an opportunity. We as practitioners need to collaborate with our business partners, vendors and solution providers to create an educational feedback loop which allows the users to knowingly manage their trust relationships and security.

Secure your light bulbs!

The world is going crazy with endpoints and devices.

Everything is connected to the internet. Google recently partnered with Lighting Science Group as part of their Google@Home effort. At a recent industry event they demonstrated light bulb endpoints which are connected to the Internet via a new wireless solution controlled by your Android device. There are Blu-ray players which are connected to Netflix and Hulu. Home stereos can now integrate across the web to Rhapsody and Pandora. Even your car is connected to the internet for music and soon there will be other internet enabled functions in your vehicle.

Along with the ability to connect to and manage various devices and endpoints via the internet and other integrated technologies, there are two things I’d like to convey related to these technologies.

1. Don’t forget security as you connect everything.

2. At Minds4IT, when we say device, we mean a phone, tablet, laptop, or other computer which is used interactively, and when we say endpoint, we mean anything which you can connect to through any network.

I anticipate referencing these terms often in future articles so here are the definitions of each more succinctly:

Device is any electronic component or computer which allows input, including stereos, Blu-ray players, phones, tablets, laptops, desktops, cars, etc.

Endpoint is any electronic component connected to a network which can be controlled using a device but has no direct input mechanism, including light bulbs, door lock systems, etc.

It’s important to delineate the two, as endpoints generally have minimal security built in. Endpoints rely on being connected to a secure network. If they are not secured through the network and network services, then any device which can find a path to them may be able to control them (a firewall controls the paths). Endpoints do not have the resources for a firewall and therefore need network-layer protections, whereas a device may be capable of running its own security controls, such as a firewall (some can, some can’t). Not all devices have the ability to control their own security, but security controls typically can be enabled within a device; those controls can therefore be extended to the entire environment, including the endpoints.

Endpoints sometimes evolve into devices. Printers were originally endpoints. As printers evolved and became network-aware, input panels, hard drives and local operating systems were added. As a result, the printer turned into a device.

An example of poor network security permitting device compromise is Firesheep. When connections to Facebook and Google were not protected by network controls, any device could be used to impersonate the user. The moral is that even your light bulb needs security. To secure your light bulbs, ensure they only connect to your secure network. Granted, there’s probably no market for controlling your light bulbs; therefore, you are safe. But if your best friend wanted to play a cold-hearted trick on you, it could be a source of opportunity.

Opportunities

You have heard it before… “It’s not a challenge it’s an opportunity!”

What exactly does that mean?

How can this huge hurdle someone has placed in front of you be an opportunity? It’s going to be difficult, it’s going to cause change, it’s going to take a lot of time which I do not have! Time is a function of priorities. That is a discussion for another time. However, what I am going to focus on is the mobile device challenge… err opportunity. Mobile devices are part of most IT discussions, strategies, roadmaps, and challenges right now. I promise you, this is an opportunity.

If the business and/or executive management want iPads, it’s the perfect time to ask for additional funding or additional people. Dealing with Android phones is going to require changing how smartphones are managed, which means it’s an opportunity to request an opening of the purse strings. Your business is requesting new functionality from you. Are they willing to pay for this new functionality?

Are you the partner the business reaches out to for help solving their technology challenges? Should you be? That’s how “opportunities” happen. Your company needs you to help them enable their associates by securely implementing tablets. They do not know if the solution integrates easily or if it is running Windows, and the technology probably is not one you are comfortable with and know well. Use this as an “opportunity” to explain these things to management and negotiate what you would need (people, money, equipment?) to meet the organization’s requirements and help them meet their goals.

Now, that’s an opportunity!

Embrace the technology, assist the business partner with defining their requirements, document the risks using good Information Risk Management, and then drive results!

This is why successful IT folks look at challenges as opportunities.

Forcing Wireless Carriers to Embrace Change Control

I am excited by the progress wireless carriers are being forced to make regarding software updates! Prior to smartphones and data plans, the software on a phone was not accessible from the network. Now that phones have IP addresses, they have the potential to have vulnerabilities and the ability to be updated over the network. Unfortunately the concept of effective change management seems to be relatively new to carriers.

Evidence of these ongoing challenges is apparent in the fragmentation of the Android market, as well as the length of time it took Microsoft and the various carriers to update Windows Phone 7. Apple and AT&T have been fighting these issues for years. You can look back at upgrades for iOS 2.0, 3.0, 4.0, etc. There were long time periods between when the iOS updates were released and when they were applied. To those who have been in IT for a while, the issue of software updates is not a new problem. There is usually a small percentage of devices which don’t handle a software update well. Sometimes it’s a previously installed application which isn’t compatible. Other times it’s a shared file between two programs. It also might be artifacts left in the configuration files. The end result is always the same: the newly installed application doesn’t work, an existing program doesn’t work, or in worst-case scenarios the device will no longer boot or connect to the network.

Could you imagine if this occurred on a large number of phones? The local cellular store would be overwhelmed with people. The user base would be completely frantic. (If you have ever forgotten your phone, you know how naked you feel without it.) The good news is that operating system models, software programming, and testing have matured to a point where this doesn’t happen as frequently. However, it could still happen. For that reason the carriers are rightly concerned and afraid of phone updates.

I mention this because it’s indicative of security and operational maturity. The more secure and experienced an organization, the better these change processes are fleshed out, making them easier and more predictable. The time and difficulty of change control in the smartphone space is sending a clear message. I believe the manufacturers, OS vendors, and carriers are not very mature, which further increases the risk related to vulnerabilities. If these businesses are not prepared to react quickly, then a known vulnerability will be exploitable for a much longer period of time. The critical path is usually related to testing and complexity. The more complex the environment, the more testing is required. Initial tests have to be created and validated manually, as do most changes to the test plans. This takes significant time until it can be automated. Also, as complexity increases, the likelihood of conflict increases, requiring retesting after the conflict has been resolved.

The lack of maturity and continually increasing levels of complexity are driving the extended periods between updates: the long periods between when an update is released for Android, iOS, or Windows Phone and when, or if, all devices receive it. Microsoft has put together a website which describes how they released the update, demonstrating it’s the manufacturers and carriers who are delaying it from getting to phones. I suppose Apple has an advantage in this sense, as they are both the manufacturer of the hardware and the developer of the OS, unlike Android and Windows Phone. However, that advantage is lost when they don’t have transparency. Apple is notorious for not discussing their security, vulnerabilities, and patches. I believe this is the wrong approach. It takes a village to raise a kid, and it takes an active, transparent community to keep things secure. This is why I’m ecstatic that carriers and manufacturers are finally working on change control and security within their smartphones!

Agility comes from standardization

All extremely agile technology solutions have come from their ability to leverage standards. While this may seem like an oxymoron or nonsense, the truth is, the web came about because of the standard IP protocol stack. The web browser came along because of the standard HTML language. The success of the personal computer can be traced to the dominant Microsoft Windows operating system. A standard to build upon and work from is like a house’s foundation. If the foundation is flat, stable, and secure, then the architect and interior designer can create masterpieces on top of it: unique, one-of-a-kind, thought-leading representations of what someone wants. Salesforce and Facebook would not have happened if Marc Benioff and Mark Zuckerberg had to solve protocol incompatibility or browser issues. The fact that these standards existed allowed them to apply their brains to the business/consumer problems, limiting the time and effort needed for the more basic problems.

Let’s look at some of the standards they leveraged and the known results:

  1. How is the signal going to get from the computer to the internet? Ethernet.
  2. How is the message formed? TCP/IP.
  3. How is the presentation layer going to present the text and graphics to the user? HTML.

Each layer of standardization removes another point of minutia so the technology solution developer and user can focus on the technology opportunity they are really trying to solve.

When there is not a specific standard, there is competition. Using our examples above: Ethernet used to compete with token ring. TCP/IP used to compete with IPX and SNA. HTML was a revolutionary way of presenting text and graphics at the time. It solved a problem and instantly became a standard. The alternative was a desktop-based application or basic text. Somewhere along the timeline of technology evolution a standard is defined, and a definitive rationale or level of support for it is what makes it the standard.

Let’s use a current discussion as a basis for the process of defining a standard. Companies have been trying for years to create a tablet computer that would meet consumer requirements. Along comes Apple and their tablet solution, which included a touch screen and created pinch and zoom, and now that is the standard. It’s an interface standard. All other phone, computer and related operating system companies are scrambling to catch up and innovate their own systems. With the interface standardized, we are left evaluating an OS: Android, Blackberry OS, Chromium OS, iOS, Windows Phone 7, and WebOS. While there may be others, these seem to be the most prevalent players in the mobile technology platform race.

I’m not going to postulate which mobile operating system is going to survive. I don’t believe in anyone’s ability to predict the future. I do believe that we need a stable and secure identity management or access control/authentication standard. The ability to leverage today’s mobile and cloud solutions is dependent upon a stable, secure and autonomous identity management solution which can provide effective, seamless controls for authentication and authorization through multiple technology layers across the internet. This is where both the career technologist and the technology-aware consumer can partner to establish the standard. Today, if you are like most people, you have a login and password for between 40 and 100 different websites, applications, and services. This complexity is rapidly getting out of hand as users move from standard HTML access to web applications to applications requiring additional access controls at each layer of the puzzle (operating system access, web access, application access, cloud access, etc.).

No one wants to enter a secure password to make a phone call. However, I believe many people want a secure password for when they access their bank account. Once the browser or application has been logged into, there needs to be transparency. An app running on a phone should be able to use the same authentication as JavaScript in the browser, which should also authenticate to the cloud. I believe phone applications will eventually overtake the browser because the ability to segment processing between the local processor and the cloud will provide the best user experience. However, the cloud and the ability to segment that processing are dependent on an autonomous access control standard. Alternatively, a method to segment processing in the browser could be developed. I’m just unsure if JavaScript, ActiveX, or any other standard has that capability yet.

What other standards do you feel are required for success in today’s and the future mobile and cloud worlds?

Finally, mainstream America knows about root access!

Ask the majority of the people you meet whether they know what a jailbroken iPhone or a rooted Android phone is. Most people have heard of these things, and even the youngest users can complete the process. A good portion can also discuss the benefits of doing this to their devices. They can take a jailbroken phone onto any network (technology permitting, that is: GSM or CDMA, depending on the phone). They can download any applications they want to their rooted phone. Isn’t life grand!

It scares the bejeezus out of me to think that providing root access to any computer has become mainstream. Yet, this is exactly what we’re talking about. They may have given it a cute name like jailbreak, but it’s still just root access. It’s up to us as security professionals to ensure our friends, associates, and the public at large understand the negatives and consequences of this dangerous technology. There are controls built in to the Android, Windows Phone, and iPhone application stores. These controls are not present if they download an application via the web. Just like in the early days of PCs, the technologists understood the ramifications of no change control (application conflict) or unknown security of applications (viruses). However, the public didn’t understand these things. Until…. viruses impacted their world! Today everyone knows to run anti-virus software. They know they need a firewall. They know not to leave their wireless router open.

This is due to the diligence of professionals like you. It’s time for all of us to start educating on mobile security. Talk to your friends about how rooting their Android device or jailbreaking their iPhone puts them at risk. Recently there has been a lot of discussion around the GPS location data the iPhone is storing. Android is storing similar data, although they are not replicating it to your computer, and they are asking your permission to store it and transmit it back to Google. What they don’t make clear is that if someone has rooted their phone, that data is accessible by any application.

You can tell from the title of this article that I am both excited and scared. It thrills me, and speaks volumes about how technology-centric the world has become, that these concepts are in the Wall Street Journal and are known by the layman. It also ups the ante for IT folks. We have to continually educate people on the other edge of this sword. The good news is, they speak our language. The public consciousness is ready to talk about it. So get it out in the open.

Another topic you may want to talk about is a setting in Android which allows installation of apps from unknown sources. The real kicker here is that Amazon’s new app store instructs users to turn this on. Turning this on allows Amazon to load applications onto an Android device. Unfortunately it also removes any security features Google built in to their app load process. Granted, I trust Amazon to both review their apps and remove apps which are identified as malicious or behaving outside their stated use. The problem is that, as a universal setting, it doesn’t allow you to maintain which app stores are good and which are bad. Do I sense a reputation-based product opportunity here? A product similar to SiteAdvisor for websites, but designed around app store reputation?
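As an added example (not code from the original post), here is how an administrator could audit the three points raised in this post on a device attached over adb: the universal unknown-sources switch, root access, and packages installed by anything other than an allow-listed store. The installer package names in the allow list are assumptions for illustration, and the parsing functions take text so they can be exercised with constructed `pm` output and no device.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an Android device
# attached over adb for the three things the article calls out: root access,
# the universal "unknown sources" switch, and apps installed by something
# other than an allow-listed store. The parsing functions take text so they
# can be exercised without a device.

# Installer package names this organization chooses to trust (assumption;
# the Play Store and Amazon Appstore installer names are used as examples).
TRUSTED_INSTALLERS="com.android.vending com.amazon.venezia"

# Classify one line of `pm list packages -i` output, which looks like
#   package:com.example.app  installer=com.android.vending
# Prints "ok", "sideloaded" (no installer recorded) or "untrusted:<name>".
classify_installer() {
  case "$1" in *installer=*) ;; *) echo "unknown"; return 0 ;; esac
  installer=${1##*installer=}
  case "$installer" in
    null|"") echo "sideloaded"; return 0 ;;
  esac
  for t in $TRUSTED_INSTALLERS; do
    if [ "$installer" = "$t" ]; then echo "ok"; return 0; fi
  done
  echo "untrusted:$installer"
}

# Read `pm list packages -i` lines on stdin and print "<package> <verdict>"
# for every package whose installer is not allow-listed.
flag_sideloaded() {
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg=${line#package:}
    pkg=${pkg%% *}
    verdict=$(classify_installer "$line")
    if [ "$verdict" != "ok" ]; then echo "$pkg $verdict"; fi
  done
  return 0
}

# Interpret `settings get secure install_non_market_apps` output. This is the
# single universal switch the article describes; on Android 8 and later the
# decision is made per installing app instead, so "unknown" is expected there.
unknown_sources_state() {
  case "$1" in
    1) echo "enabled" ;;
    0) echo "disabled" ;;
    *) echo "unknown" ;;
  esac
}

# Run the full audit against the attached device (needs adb on the PATH).
check_device() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found"; return 1; }
  raw=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
  echo "unknown sources: $(unknown_sources_state "$raw")"
  # A su binary in the system image is the usual sign of a rooted device.
  if adb shell 'test -e /system/bin/su -o -e /system/xbin/su && echo ROOTED' | grep -q ROOTED; then
    echo "root: su binary present"
  fi
  echo "packages not from an allow-listed store:"
  adb shell pm list packages -3 -i | tr -d '\r' | flag_sideloaded
}

if [ "${1:-}" = "--run" ]; then check_device; fi
```

Run it with `--run` against a connected device; a non-empty list of packages outside the allow list is exactly the per-store distinction the universal setting cannot make.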
