Don’t let mobile malware steal your company data

It’s closer than you think

From the first SIP

A common way to record calls is to use SIP, the protocol for voice and video-over-IP connections. However, at least one bank has fallen victim to crooks surreptitiously inserting the packet-sniffing tool Wireshark.

Wireshark can put network interface controllers into promiscuous mode to intercept calls, and the crooks can then use the code words given in the security check to empty customers’ accounts.

Here a smartphone, which has the processing power for encryption, using clients such as CounterPath Bria or the open-source Linphone, can be more secure than a landline.

This technology is used by the Star Secure service. It offers encrypted conference calling, voicemail which uses the billing information to give access and a system that sends an email whenever voicemail has been picked up, so even if a phone is stolen you know if the voicemail has been accessed. It will even host the conference servers and voicemail in a company’s own data centre.
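
As an added example (not part of the original article, nor code from any product it names): a Python check of whether a SIP call offer could be read by a sniffer of the kind described above. It assumes SRTP is the call encryption in use, which the article does not specify; the sample INVITE, its addresses and its key are constructed.

```python
import re

# Constructed sample INVITE (not captured traffic); addresses and key are placeholders.
SAMPLE_INVITE = (
    "INVITE sip:helpdesk@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 49172 RTP/SAVP 96\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY\r\n"
)
SECURE_SIGNALLING = {"TLS", "WSS"}  # Via transports that encrypt the SIP hop

def classify(proto, has_sdes_key, transport):
    if proto.startswith("UDP/TLS/RTP/SAVP"):
        return "encrypted: DTLS-SRTP"  # key agreed in-band, never in the SDP
    if proto.startswith("RTP/SAVP") and has_sdes_key:
        # SDES puts the SRTP master key in the SDP body itself.
        if transport in SECURE_SIGNALLING:
            return "encrypted: SDES-SRTP"
        return "exposed: SRTP key readable in cleartext signalling"
    return "exposed: cleartext RTP"

def audit_invite(message):
    """Return (signalling transport, [(media, proto, verdict), ...])."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    streams = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            streams.append([media, proto, False])
        elif streams and line.startswith("a=crypto:"):
            streams[-1][2] = True  # SDES key offered for this stream
    return transport, [(m, p, classify(p, k, transport)) for m, p, k in streams]

if __name__ == "__main__":
    transport, findings = audit_invite(SAMPLE_INVITE)
    print("signalling:", transport)
    for media, proto, verdict in findings:
        print(f"{media:6} {proto:18} {verdict}")
```

The second stream shows why encrypting the media alone is not enough: with SDES the key travels in the signalling, so the SIP hop needs TLS as well.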

Interestingly, the over-the-air link is not the main security weakness. Brookson’s 24-year-old GSM encryption technology is still pretty good; cracking it requires setting up a fake base station for a man-in-the-middle attack – and that won’t cope with the phone being handed off to another cell.

Both 3G and 4G systems have an exchange of keys that makes the traffic even more secure. It is what happens at either end of the airwaves that matters.

Police caution

The education and enforcement strands go hand in hand. One great source of practical advice is the mobile security blog run by David Rogers.

It is not just good for bizarre mobile security merchandise such as cloud security umbrellas. It produced a leaflet for the Metropolitan Police which gives practical advice about using sensitive services such as banking on open Wi-Fi and turning off Wi-Fi, GPS and near field communication (NFC).

Brookson also warns of the dangers of NFC. When we met at the Scotch Malt Whisky Society he pulled an Android phone and NFC tag out of his pocket and demonstrated how it could open a browser window without user intervention. This in turn could insert an exploit through any holes in the browser.

QR codes pose a similar threat, but at least they have to be actively snapped with a camera.

Rogers has written a book on mobile security. It is a bit thin on plot and characterisation, but at least you know what to get your boss for Christmas.

Brookson praises the security tools that Apple makes available and advises companies that deploy the fruity kit to make the most of them.

He thinks Android offers the biggest opportunity for hackers, but takes an international view of security, pointing out that life is pretty safe in north America and western Europe, where people mostly use Google Play and iTunes for downloading software.

There is much more malware in eastern Europe and Asia, where a high proportion of phones are jailbroken and rooted so users can install pirated programs.

Both Brookson and Rogers highlight the need to protect devices with a PIN and, being security types, say you should change it regularly. This goes for the Android unlock patterns too.

Brookson says your IT department can push this kind of protection. And you don’t really want your company secrets out there in the open because a suspicious spouse has surreptitiously installed some software to monitor the other half.

This can simply be a matter of setting up an iPhone to back up everything to iCloud, enabling the spouse to log in to read the files.

One client for Android, Blackberry and iPhone is Stealth Genie, sold as a way to monitor your children’s activities – but try Googling “Stealth Genie divorce” and you will get a better idea of the target market.

It has to be installed by downloading it to the device – and iPhones need to be jailbroken – but once installed it shows no obvious sign of being there and gives whoever owns the account full access to the phone, including the ability to listen to and replay calls.

Whatever the rights and wrongs of infidelity, a company really doesn’t want an angry spouse gaining access to corporate secrets. But the threat of wronged spouses is nothing compared to governments.

There is a substantial industry in selling security software like Finfisher. In 2011 protestors who took over the Egyptian State Security headquarters found paperwork showing that the Egyptian government wanted to buy the Finspy software.

All kinds of governments use malware. In March Kaspersky Labs found an Android attack targeted against Tibetan and Uyghur activists in the form of an email with an APK attachment sent to a mailing list from the hacked account of a high-profile Tibetan activist.

Even without nefarious actions, if your company becomes the subject of a government investigation, the mobile phone companies are obliged to hand over whatever they have under the laws of legal intercept.

Permissive society

In these days of BYOD (bring your own device) it is nigh on impossible to prohibit people from doing work on their own mobiles, but it is reasonable to enforce a company policy of not allowing rooted or jailbroken phones onto work premises.

Only by getting the right infrastructure in place, staying on top of the latest developments in mobile malware and educating both IT staff and users can you be sure that what not so long ago seemed like a distant threat does not become a career-breaking leak of data. ®
