Don’t let mobile malware steal your company data
It’s closer than you think
From the first SIP
A common way to record calls is to use SIP, the protocol for voice and video-over-IP connections. However, at least one bank has fallen victim to crooks surreptitiously inserting the packet-sniffing tool Wireshark.
Wireshark can put network interface controllers into promiscuous mode, letting the crooks intercept calls and use the code words given in the security check to empty customers’ accounts.
This technology is used by the Star Secure service. It offers encrypted conference calling, voicemail which uses the billing information to give access and a system that sends an email whenever voicemail has been picked up, so even if a phone is stolen you know if the voicemail has been accessed. It will even host the conference servers and voicemail in a company’s own data centre.
Interestingly, the over-the-air link is not the main security weakness. Brookson’s 24-year-old GSM encryption technology is still pretty good; cracking it requires setting up a fake base station for a man-in-the-middle attack – and that won’t cope with the phone being handed off to another cell.
Both 3G and 4G systems have an exchange of keys that makes the traffic even more secure. It is what happens at either end of the airwaves that matters.
The education and enforcement strands go hand in hand. One great source of practical advice is the mobile security blog run by David Rogers.
It is not just good for bizarre mobile security merchandise such as cloud security umbrellas. It produced a leaflet for the Metropolitan Police which gives practical advice about using sensitive services such as banking on open Wi-Fi and turning off Wi-Fi, GPS and near field communication (NFC).
Brookson also warns of the dangers of NFC. When we met at the Scotch Malt Whisky Society he pulled an Android phone and NFC tag out of his pocket and demonstrated how it could open a browser window without user intervention. This in turn could insert an exploit through any holes in the browser.
QR codes pose a similar threat, but at least they have to be actively snapped with a camera.
Rogers has written a book on mobile security. It is a bit thin on plot and characterisation, but at least you know what to get your boss for Christmas.
Brookson praises the security tools that Apple makes available and advises companies that deploy the fruity kit to make the most of them.
He thinks Android offers the biggest opportunity for hackers, but takes an international view of security, pointing out that life is pretty safe in North America and western Europe, where people mostly use Google Play and iTunes for downloading software.
There is much more malware in eastern Europe and Asia, where a high proportion of phones are jailbroken and rooted so users can install pirated programs.
Both Brookson and Rogers highlight the need to protect devices with a PIN and, being security types, say you should change it regularly. This goes for the Android unlock patterns too.
Brookson says your IT department can push this kind of protection. And you don’t really want your company secrets out there in the open because a suspicious spouse has surreptitiously installed some software to monitor the other half.
This can simply be a matter of setting up an iPhone to back up everything to iCloud, enabling the spouse to log in to read the files.
One client for Android, Blackberry and iPhone is Stealth Genie, sold as a way to monitor your children’s activities – but try Googling “Stealth Genie divorce” and you will get a better idea of the target market.
It has to be installed by downloading it to the device – and iPhones need to be jailbroken – but once installed it shows no obvious sign of being there and gives whoever owns the account full access to the phone, including the ability to listen to and replay calls.
Whatever the rights and wrongs of infidelity, a company really doesn’t want an angry spouse gaining access to corporate secrets. But the threat of wronged spouses is nothing compared to governments.
There is a substantial industry in selling security software like Finfisher. In 2011 protestors who took over the Egyptian State Security headquarters found paperwork showing that the Egyptian government wanted to buy the Finspy software.
All kinds of governments use malware. In March Kaspersky Labs found an Android attack targeted against Tibetan and Uyghur activists in the form of an email with an APK attachment sent to a mailing list from the hacked account of a high-profile Tibetan activist.
Even without nefarious actions, if your company becomes the subject of a government investigation, the mobile phone companies are obliged to hand over whatever they have under the laws of legal intercept.
In these days of BYOD (bring your own device) it is nigh on impossible to prohibit people from doing work on their own mobiles, but it is reasonable to enforce a company policy of not allowing rooted or jailbroken phones onto work premises.
Only by getting the right infrastructure in place, staying on top of the latest developments in mobile malware and educating both IT staff and users can you be sure that what not so long ago seemed like a distant threat does not become a career-breaking leak of data.