Enterprise Mobile Security I – Heartbleeds & Saber-Tooths
The other day, I get a call from my dad. He needs a favor. Not surprising since this is the only reason he ever calls. At first, I assumed it had something to do with his printer, his most frequent source of woe, or maybe some general network issue like he can’t get the DVD player to hook up to his Netflix. This time, however, it’s neither. Rather, he has some photos he shot, and he needs me to somehow get them off his camera and onto his laptop so he can email them out.
I tell him it won’t be a problem. In fact, I can help him right away. There are a bunch of applications that’ll let me take over his computer remotely. That way, I tell him, I’ll be able to fix any future problems without having to physically schlep myself over there. You know, just in case I’m, like, really busy with work and the kids and the new baby and everything.
I expected my dad to reply with a “Hey, great. Sounds terrific. Let’s do it!” Instead, he let out a weird, patronizing laugh. One that clearly said, “How could I have fathered such an idiot!”
Nevertheless, I didn’t back down. “Seriously, dad,” I said, “Millions of people do this stuff every day.”
Again with the laugh. Then he said something that came right out of central casting for old Jewish guys: “Oh sure. And you’re such a genius you know how to do this?”
First off, maybe the guy who can’t figure out how to move the photos from his camera to his computer shouldn’t be telling the guy who architects mobile applications for Fortune 500 companies how to do his business. I tried a different approach: “It’s really easy, dad…it would literally take five minutes to set up.”
“Ha ha ha. Right,” he said, “Tell that to the people at Target!!”
Target? I wondered. What the hell was he—? Then I got it. Ah, right. Of course. He’s equating our little person-to-person network with the massive hacking of Target’s corporate network—one of the greatest data heists of our time—gaining access to 40 million credit cards. A “meticulously planned and intricately coordinated attack…potentially with covert help from within.” Makes total sense.
Long story short. An hour later, I’m at his house. He opens up his MacBook Air and right away I notice he’s got a piece of electrical tape covering his camera. You know, so nobody can see what he’s doing? And then it all makes sense. My father is losing his marbles.
Kids today (sorry) don’t seem to share the same concerns older folks do. They post their every moment on Facebook and don’t buy into this crazy idea that in the near future (or even in the current future) auto insurance companies will scour our social media for mentions of drugs and alcohol, anything that might hamper our ability to drive—and adjust our rates accordingly. Health insurers may behave likewise, sending out bots to hunt down pictures of us smoking or enjoying a bacon-burger and a nice tiramisu. Why shouldn’t they? What have they got to lose?
So is my dad’s digital paranoia simply another manifestation of that age-old aging disease? The one that makes people intrinsically fear everything the younger generation is doing, no matter that their own generation was just as rebellious against the one that came before it…and so on and so on all the way back to the Neanderthals: “You call that a saber-tooth? You kids don’t know from saber-tooths!!” Or is it just that my father’s been getting all his tech news from the online version of Reader’s Digest?
Well, just as I was beginning to feel all happy and smug about myself, a quick Google search revealed my father might not be so crazy, after all. And it turns out, higher insurance rates are the least of our problems.
According to WikiLeaks, Remote Administration Tools (or RATs) can be “covertly deployed on Target Systems” and enable “Live Surveillance through Webcam and Microphone,” among other nefarious aims. Minyanville agrees: hackers can watch you through your webcam. “Even worse,” the article asserts, “a webcam hack could leave a victim vulnerable to blackmail or theft of online banking passwords.” And about that little green LED light that’s supposed to let you know that your camera is on? The Washington Post states it’s pretty simple to remotely “reprogram the iSight camera’s micro-controller to allow the camera and light to be activated independently.” The camera is not a special case: attacks on the small embedded microcontrollers inside a laptop are becoming more common. Researchers have shown that the controller in an Apple battery can be reflashed to turn the battery into a fire hazard, for example by forcing it to discharge rapidly, and that the built-in keyboard’s firmware can be rewritten into spyware. Now that’s what I call a saber-tooth!
It gets worse. An FTC Press Release issued March 28th reveals this undeniable little fact: when it comes to the sensitivity of your information, some companies just don’t care. Fandango, LLC and Credit Karma, Inc.—an ironically named credit information company—
“misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps.
“…despite their security promises, Fandango and Credit Karma failed to take reasonable steps to secure their mobile apps, leaving consumers’ sensitive personal information at risk. Among other things, the complaints charge that Fandango and Credit Karma disabled a critical default process, known as SSL certificate validation, which would have verified that the apps’ communications were secure.
“As a result, the companies’ applications were vulnerable to ‘man-in-the-middle’ attacks, which would allow an attacker to intercept any of the information the apps sent or received. This type of attack is especially dangerous on public Wi-Fi networks…
“By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app, exposing consumers’ credit card details…as well as email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses and passwords, credit scores, and other credit report details such as account names and balances.”
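What “overriding the default validation process” tends to look like in app source, and a quick way to grep your own code base for it, as an added example that is not from the FTC complaints or from either company’s apps. The Android/Java and Objective-C snippets are constructed for illustration; the API names they use (ALLOW_ALL_HOSTNAME_VERIFIER, an empty checkServerTrusted(), setAllowsAnyHTTPSCertificate:, AFNetworking’s allowInvalidCertificates) are real, well-known ways of switching certificate checks off, but nothing on this page says which of them, if any, the two apps used. That list is an assumption for illustration.

```python
import re
from typing import List, Tuple

# Source-level anti-patterns that disable TLS certificate or hostname validation.
# The API names are real; whether the apps in the FTC complaints used any of them
# is not stated on the page, so this list is an illustrative assumption.
INSECURE_PATTERNS: List[Tuple[str, str]] = [
    # Android / Java
    (r"ALLOW_ALL_HOSTNAME_VERIFIER",
     "Apache HttpClient hostname verifier accepts any host name"),
    (r"public\s+void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}",
     "empty checkServerTrusted(): custom X509TrustManager trusts every chain"),
    (r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;",
     "HostnameVerifier.verify() always returns true"),
    # iOS / Objective-C
    (r"setAllowsAnyHTTPSCertificate\s*:",
     "private NSURLRequest API that skips certificate checks"),
    (r"allowInvalidCertificates\s*=\s*YES",
     "AFNetworking security policy accepts invalid certificates"),
    (r"validatesSecureCertificate\s*=\s*NO",
     "AFNetworking 1.x certificate validation switched off"),
]


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, description) for every anti-pattern found in source."""
    findings = []
    for pattern, description in INSECURE_PATTERNS:
        for match in re.finditer(pattern, source, re.S):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, description))
    return sorted(findings)


# Constructed sample: an Android client that trusts every chain and every host name.
VULNERABLE_ANDROID = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed sample: an iOS client that accepts any certificate.
VULNERABLE_IOS = """
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:request.URL.host];
manager.securityPolicy.allowInvalidCertificates = YES;
"""

# Constructed sample of the hardened form: the platform defaults are left alone.
HARDENED_ANDROID = """
// Leave the platform TrustManager and HostnameVerifier in place (optionally pin).
HttpsURLConnection conn = (HttpsURLConnection) new URL(apiUrl).openConnection();
conn.connect();
"""

if __name__ == "__main__":
    for name, src in (("android", VULNERABLE_ANDROID), ("ios", VULNERABLE_IOS),
                      ("hardened", HARDENED_ANDROID)):
        for line, why in scan(src):
            print(f"{name}:{line}: {why}")
```

The hardened form is simply the absence of these overrides: the platform's default trust store and hostname check already do the verification the FTC is talking about, so the fix for both apps was to stop turning it off (and, for high-value endpoints, to pin the expected certificate on top of it). Run the scanner over a real tree with `scan(open(path).read())` per file; it is a cheap first pass, not a substitute for intercepting the app's traffic with a proxy presenting an untrusted certificate and confirming the connection fails.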
The next morning I awoke to scores of headlines all about something called the “Heartbleed bug”, and that’s when the bits hit the fan. The bug is a missing bounds check in OpenSSL’s TLS heartbeat extension, and it has been present in every OpenSSL 1.0.1 release since March 2012, which in plain English means we’re all screwed. It lets anyone send a malformed heartbeat to a vulnerable server and read back up to 64 KB of the server’s process memory per request, which can include user names, passwords, session cookies, and even the server’s private key. Attackers can eavesdrop on communications, steal data, and impersonate services and users. Worse yet, the attack leaves no trace in the server’s logs.
OpenSSL 1.0.1g (released April 7, 2014) fixes the bug, but a ton of sites ran the vulnerable versions for two years, and since exploitation leaves no trace there’s no way to know how many were attacked. CNN says, “if you’re a user of one of them, assume your credentials are now out in the wild.” And guess what? One of those sites just happens to be Yahoo.com. So to cap this all off with a big fancy kicker, the overriding irony of the whole deal is my father’s one and only email account is with—you guessed it—Yahoo.
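A model of the “simple coding error” itself and of the 1.0.1g fix, as an added example that is not OpenSSL’s code. A TLS heartbeat message (RFC 6520) carries a 2-byte payload length; the vulnerable handler copied that many bytes out of the record buffer without checking that the record actually contained them, so whatever sat after the record in process memory was echoed back to the requester. The second handler applies the length check that 1.0.1g added. The “adjacent memory” is a constructed byte string standing in for real heap contents, and the layout (record followed immediately by other data) is an assumption made for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER = 1 + 2          # type byte + 16-bit payload_length
PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """Heartbeat request body. An honest peer sets claimed_length == len(payload);
    the attack claims up to 65535 while sending only a couple of bytes."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Model of OpenSSL's heartbeat handler before 1.0.1g: it trusts payload_length."""
    _, payload_length = struct.unpack("!BH", record[:HEADER])
    # Constructed layout: the record sits in a buffer with other process data after it.
    buf = record + adjacent_memory
    # memcpy(bp, pl, payload) with no check that the record is that long:
    payload = buf[HEADER:HEADER + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def process_heartbeat_fixed(record: bytes, adjacent_memory: bytes):
    """Same handler with the 1.0.1g checks: the claimed length must fit in the record.
    adjacent_memory is accepted only for symmetry; the fixed code never reads it."""
    if len(record) < HEADER + PADDING:
        return None                                   # silently discard
    _, payload_length = struct.unpack("!BH", record[:HEADER])
    if HEADER + payload_length + PADDING > len(record):
        return None                                   # silently discard
    payload = record[HEADER:HEADER + payload_length]  # never reads past the record
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes echoed back beyond what the requester actually sent."""
    _, n = struct.unpack("!BH", response[:HEADER])
    return response[HEADER:HEADER + n][len(sent_payload):]


# Constructed stand-in for whatever happened to be on the heap after the record.
ADJACENT_MEMORY = b"GET /login HTTP/1.1\r\nCookie: session=4f3c2a\r\nuser=dad&password=hunter2"

if __name__ == "__main__":
    evil = build_heartbeat(512, b"hi")   # claims 512 bytes, sends 2
    leaked = leaked_bytes(process_heartbeat_vulnerable(evil, ADJACENT_MEMORY), b"hi")
    print("vulnerable handler leaked:", leaked)
    print("fixed handler response:", process_heartbeat_fixed(evil, ADJACENT_MEMORY))
```

Two things the model makes visible that the headlines do not: the request is a perfectly valid TLS record, so nothing about it looks like an attack to a firewall or a log, and each request is independent, so an attacker simply sends it again and again to sweep through whatever the heap happens to hold. The fix is a single comparison, which is why the headlines called it a simple coding error.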
Question is: do I tell him?
Use this tool to learn if your own hosts are vulnerable. And don’t take chances. With Propelics you can sleep soundly, knowing your most sensitive Enterprise data is always secure. In the meantime, you’ll just have to tape up that webcam, don your tinfoil yarmulke, and get back to work.