Don’t let mobile malware steal your company data

It’s closer than you think


From the first SIP

A common way to record calls is to use SIP, the protocol for voice and video-over-IP connections. However, at least one bank has fallen victim to crooks surreptitiously inserting the packet-sniffing tool Wireshark.

Wireshark can put network interface controllers into promiscuous mode to intercept calls, letting the crooks use the code words given in the security check to empty customers’ accounts.

Here a smartphone, which has the processing power for encryption, using clients such as CounterPath Bria or the open-source Linphone, can be more secure than a landline.

This technology is used by the Star Secure service. It offers encrypted conference calling, voicemail which uses the billing information to give access and a system that sends an email whenever voicemail has been picked up, so even if a phone is stolen you know if the voicemail has been accessed. It will even host the conference servers and voicemail in a company’s own data centre.
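To make the sniffing risk above concrete from the defender's side, the following added example (not from the article or any product it names) audits one SIP message and reports which media streams a packet capture could read. It goes beyond the article's general mention of encryption by checking the SDP profile and keying method; the function name, verdict labels and the sample INVITE are constructed for illustration.

```python
import re

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed sample: INVITE over UDP offering plaintext audio and SDES-keyed SRTP video.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:helpdesk@bank.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
    "",
    "v=0",
    "c=IN IP4 192.0.2.10",
    "m=audio 49170 RTP/AVP 0",
    "m=video 49172 RTP/SAVP 96",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY",
])

def audit_sip_media(message):
    """Classify each SDP media stream in a SIP message by its exposure to a sniffer."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    streams, session_dtls = [], False
    for line in body.splitlines():
        parts = line[2:].split()
        if line.startswith("m=") and len(parts) >= 3:
            streams.append({"media": parts[0], "profile": parts[2],
                            "sdes": False, "dtls": session_dtls})
        elif line.startswith("a=fingerprint:"):   # DTLS-SRTP: key agreed in the media path
            if streams:
                streams[-1]["dtls"] = True
            else:
                session_dtls = True               # session level: applies to every stream
        elif line.startswith("a=crypto:") and streams:
            streams[-1]["sdes"] = True            # SDES: SRTP key is carried in the SDP
    verdicts = []
    for s in streams:
        if s["profile"] not in SECURE_PROFILES:
            verdict = "plaintext"
        elif s["dtls"]:
            verdict = "encrypted"
        elif s["sdes"]:                           # key is only safe if signalling is TLS
            verdict = "encrypted" if transport in {"TLS", "WSS"} else "srtp-key-exposed"
        else:
            verdict = "srtp-no-key"
        verdicts.append((s["media"], verdict))
    return {"transport": transport, "media": verdicts}

if __name__ == "__main__":
    print(audit_sip_media(SAMPLE_INVITE))
```

The `srtp-key-exposed` verdict covers the case where the media is nominally encrypted but the key was sent in cleartext signalling, so anyone capturing the INVITE can still decrypt the call.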

Interestingly, the over-the-air link is not the main security weakness. Brookson’s 24-year-old GSM encryption technology is still pretty good; cracking it requires setting up a fake base station for a man-in-the-middle attack – and that won’t cope with the phone being handed off to another cell.

Both 3G and 4G systems have an exchange of keys that makes the traffic even more secure. It is what happens at either end of the airwaves that matters.

Police caution

The education and enforcement strands go hand in hand. One great source of practical advice is the mobile security blog run by David Rogers.

It is not just good for bizarre mobile security merchandise such as cloud security umbrellas. It produced a leaflet for the Metropolitan Police which gives practical advice about using sensitive services such as banking on open Wi-Fi and turning off Wi-Fi, GPS and near field communication (NFC).

Brookson also warns of the dangers of NFC. When we met at the Scotch Malt Whisky Society he pulled an Android phone and NFC tag out of his pocket and demonstrated how it could open a browser window without user intervention. This in turn could insert an exploit through any holes in the browser.

QR codes pose a similar threat, but at least they have to be actively snapped with a camera.

Rogers has written a book on mobile security. It is a bit thin on plot and characterisation, but at least you know what to get your boss for Christmas.

Brookson praises the security tools that Apple makes available and advises companies that deploy the fruity kit to make the most of them.

He thinks Android offers the biggest opportunity for hackers, but takes an international view of security, pointing out that life is pretty safe in north America and western Europe, where people mostly use Google Play and iTunes for downloading software.

There is much more malware in eastern Europe and Asia, where a high proportion of phones are jailbroken and rooted so users can install pirated programs.

Both Brookson and Rogers highlight the need to protect devices with a PIN and, being security types, say you should change it regularly. This goes for the Android unlock patterns too.

Brookson says your IT department can push this kind of protection. And you don’t really want your company secrets out there in the open because a suspicious spouse has surreptitiously installed some software to monitor the other half.

This can simply be a matter of setting up an iPhone to back up everything to iCloud, enabling the spouse to log in to read the files.


One client for Android, Blackberry and iPhone is Stealth Genie, sold as a way to monitor your children’s activities – but try Googling “Stealth Genie divorce” and you will get a better idea of the target market.

It has to be installed by downloading it to the device – and iPhones need to be jailbroken – but once installed it shows no obvious sign of being there and gives whoever owns the account full access to the phone, including the ability to listen to and replay calls.

Whatever the rights and wrongs of infidelity, a company really doesn’t want an angry spouse gaining access to corporate secrets. But the threat of wronged spouses is nothing compared to governments.

There is a substantial industry in selling security software like Finfisher. In 2011 protestors who took over the Egyptian State Security headquarters found paperwork showing that the Egyptian government wanted to buy the Finspy software.

All kinds of governments use malware. In March Kaspersky Labs found an Android attack targeted against Tibetan and Uyghur activists in the form of an email with an APK attachment sent to a mailing list from the hacked account of a high-profile Tibetan activist.

Even without nefarious actions, if your company becomes the subject of a government investigation, the mobile phone companies are obliged to hand over whatever they have under the laws of legal intercept.

Permissive society

In these days of BYOD (bring your own device) it is nigh on impossible to prohibit people from doing work on their own mobiles, but it is reasonable to enforce a company policy of not allowing rooted or jail-broken phones onto work premises.

Only by getting the right infrastructure in place, staying on top of the latest developments in mobile malware and educating both IT staff and users can you be sure that what not so long ago seemed like a distant threat does not become a career-breaking leak of data. ®
