What To Do About Mobile Devices That Lie

GMGruman writes "InfoWorld has caught two Android devices that falsely report security compliance that the Android OS does not actually support, and Apple quietly has dropped its jailbreak-detection API from iOS 4. So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? There's no easy answer, but Galen Gruman explains what current technologies can do to help — and how Apple, Google, and others might increase the trustworthiness of their platforms in the future."

Nothing

[xnpu]

Do nothing. Didn't we read yesterday that the NSA assumes they're compromised. Sounds like a healthy way to operate - for everyone. While it may sound slightly paranoid and a "hassle", this is only true initially IMHO.

Re:Nothing

[Kalidor]

Agreed, so much of "security" from a lot of these companies is simply ruthless marketing these days anyway.

Re:Nothing

This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it. US and its companies do the same, but they hide it.

Re:Nothing

[The+End+Of+Days]

Shocking, people figure out ways around the tightest security when the target is worth it.

Re:Nothing

[Z00L00K]

Assume that all security claims are false. It's just that any security hole hasn't been found yet.

There is always a way to hack something running software. Live with it, just make sure that you accept the risks of being overheard and that your address book may be downloaded to some third party that uses it for their own purposes.

As for companies - considering the large amount of phones and crap around anyone that really wants to listen in on secret conversations/information uses more targeted methods. Only a few in a company have something really secret. And most of those secrets are short-lived anyway.

The classic spy/bug method is still one of the best methods to use.

But security in devices is something that the manufacturer shall allow for, but it shall not constrain the user. Because if users have freedom in their devices every device will look different and it's harder to do a massive harvesting of interesting information.

Re:Nothing

[IchBinEinPenguin]

Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.

Perhaps it's because when some governments go after their citizens they don't bother with niceties like 'evidence', 'logs' or even 'trials'.

Re:Nothing

[fahlenkp]

I disagree with most of the comments here. In my opinion the solution is to continue to use Blackberry and ban iphone, google and MS phones from uses that require security. The nice folks at NIST regularly test Blackberry systems and they continue to pass over and over earning the magic FIPS140-2 certification. Throwing your arms up and screaming "screw it" indicates you are either joking or having a nervous breakdown and need to step down from your IT post. Layered defenses are effective because no one layer may be completely trusted. You have to make the best decision you can per layer and move on. In this situation it is easy. Continue to use only FIPS-140 approved devices. The encryption, security and central management on Blackberry is a lot better than the (none) on the other platforms.

Re:Nothing

I am certain that Liu Xiaobo agrees with you, not that bad at all . . . .

Re:Nothing

[icebraining]

Manning released thousands of confidential papers. Regardless of what we think about him (I support his actions, but then again, I'm not American), it's still more grave than a single re-tweet.

Re:Nothing

[camperslo]

This is why I like China. While they do spy on citizens and want to have their way, at least they're being honest about it.

Are we forgetting what happened last April? A huge amount of traffic, including that for .mil and .gov was routed through China. Monitoring that traffic could make future phishing attacks much easier, having had access to things like individual IPs and mail traffic.
What's honest or likeable about that? It's the stuff nightmares are made of.

http://slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders

Re:Nothing

[Opportunist]

Nothing. Not even if you're in the IT sec business. My first reaction was "oh goodie, consulting will increase!"

It didn't.

Nobody gave a shit.

Imagine this: You go to a company that not only has a lot of IP but also deals with China on a day to day basis because most of their manufacturing is there, present this to them and they dismiss it as "aw, that couldn't happen to us, our contractors are honest".

It's one thing to be spied on. It another to make it trivially easy.

Re:Nothing

[fahlenkp]

In my experience, things that have undergone more testing generally tend to have better performance. NIST tests the devices, algorithms, policy, etc. They don't wave a magic wand that makes it more secure or take a payoff to say it is just compliant as you state. Saying that no security measure is 100% to prove a point is gutless. Of course it isn't, but a security plan with more thought and research is more effective at meeting it's goals than none. Have countries outlawed iphone because the encryption is too difficult for government agencies to tackle? If it is so easy, why does this happen? Maybe you can link some examples and educate us. I am often wrong and would like some help if this is the case. I find a lot of youtube videos showing any idiot how to break in to any iphone OS version, where are the videos for Blackberry? I for one feel more comfortable having grandmas's ssn on some doctors blackberry than his iphone. Judging from your other flamebait comments, I think I am wasting my keystrokes here.

Re:Nothing

[Dellama]

On line shop: www.android-tablet-pc-wholesale.com Latest Android 2.2os tablet pc MX822: CPU:Freescale iMX515 ARM Cortex.A8 kernel, CPU Speed 800M DDR:512MB DDR2 OS:Android2.2 OS Storage:Built-in 4GB Nand Flash speaker:Built-in double horn network:devices wireless WiFi,support IEEE 802.11b/

Re:Nothing

[Dellama]

On line shop: www.android-tablet-pc-wholesale.com Latest Android 2.2os tablet pc MX822: CPU:Freescale iMX515 ARM Cortex.A8 kernel, CPU Speed 800M DDR:512MB DDR2 OS:Android2.2 OS Storage:Built-in 4GB Nand Flash speaker:Built-in double horn network:devices wireless WiFi,support IEEE 802.11b/

You don't.

[PhrostyMcByte]

So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware?

You don't trust them. Just like you should be doing with desktops/laptops, don't setup services in a way that they allow a phone to ruin your data.

Re:You don't.

[arivanov]

That is the case anyway. At least to some extent.

The problem is elsewhere. Admins upon security advice upload settings which make the device unusable. In that case "reporting compliance" while it is not from the user viewpoint is actually a useful feature.

Example - I have a Nokia E71. I was seriously stupid at some point to configure my company exchange server on it. As a result it started autolocking itself in 2 mins requiring a security code. So far so good, however it autolocked and put screensaver on in applications which _MUST_ run in foreground - GPS navigation and the media player. It also autolocked itself when docked on a car craddle, etc.

After a couple of near misses on the motorway trying to get myself from A-Z or trying to dig out the name someone from contacts I tried to turn it off. Guess what, settings uploaded via these APIs _CANNOT_ be turned off. Even if you wipe out the mail for exchange application, disconnect, etc the settings are either not allowed to be changed any more or come back after a change. At the end I had to factory reset the phone and reset the settings partially from backup to recover the phone to a useable state.

Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

Similarly, I am not surprised about Apple starting to take away powers away from the security software (and the people who use it). Apple's key selling point is user experience. The way some corporate security people use these APIs sends the user experience into "Mordok, denier of information services" territory. Knowing Apple, they are guaranteed to do something about it and in the land of "i" noone will hear the security people scream.

Re:You don't.

[Bert64]

The "standard" way of implementing security these days seems to be to try and restrict users as much as possible...
The problem is that doesn't work for a number of reasons, the restrictions are onerous enough to hamper people's ability to do their work which causes them to seek ways to bypass the restrictions and the restrictions are often poorly implemented and therefore easy to bypass.

Incidentally, if your company wants you to read mail when your away from your desk they should supply you with a handset from which to do it, the idea of using your own handset is ludicrous... That's your handset, with their data on it, but because its your handset they lose control... They have no right to enforce policies on it, nor to wipe the handset...

Re:You don't.

[melstav]

Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

If the company you work for requires that you be able to read your email on your cellphone, they damn well be providing you a cellphone to do it with.

Re:You don't.

[Rich0]

Yup. I could make a killing if I sold an Email app that spoofs whatever is most common in major corps but which silently ignores the security policies.

If employers want to control the phone, they should issue the phone. If they issue it, then they can be sure that it supports whatever features they need. They can reclaim and reissue phones once a quarter to reimage them or whatever for extra security.

The problem is that employers want employees to use their shiny toys to do work off-hours, without paying for them. However, they don't like the fact that they now lose control over the platform.

Them's the breaks - the owner controls the phone.

Re:You don't.

[melstav]

As was pointed out in the comment I originally replied to, if you allow your phone to interact with an Exchange server, you end up giving the Exchange admins the ability to do a LOT of things to your phone without your knowledge.

Including, erasing everything saved on the phone.

I am not willing to give up that level of control.

If I'm on call, or if my employer wants to replace my desk phone with a cellular one to make it easier to reach me, or they want me to be able to read and respond to email from my phone, I'm perfectly happy carrying two phones.

But if I'm on my own time and I'm not on call, the work phone goes on a shelf, and it may or may not get turned off in the process.

Re:You don't.

[Miamicanes]

> Admins upon security advice upload settings which make the device unusable. In that case "reporting compliance"
> while it is not from the user viewpoint is actually a useful feature.

There's actually a useful compromise that's so obvious, it completely blows my mind that it appears to have not even occurred to Microsoft -- keep the corporate data on the server, and give the end users Android and iPhone customized RDP clients that connect to a hosted email app on the server (with the ability to launch intents to alert users to new email when the app isn't actively unlocked, without actually passing sensitive data to the phone itself... ie, "New email" (or maybe "New email from ${name}", if enabled by server policy). Users want to read email? Strong authentication. Phone inactive in "mail" mode for too long? Hide the mail app's view (requiring authentication to re-activate), but leave the rest of the damn phone alone.

This isn't rocket science. Is it bulletproof? Of course not. Any rooted phone can do screenshots. But then again, all you'd need to take an effective screenshot of the most locked-down Android/iPhone ever made is an exotic piece of gear called... (drumroll)... a flatbed scanner. Or a DSLR with macro lens. Or a piece of paper and a pen or pencil. Or a voice recorder. The point is, by keeping the data itself on the server, and using the end user's device only to render the current view, you massively reduce the attack surface... and you get to do it without making the end user completely miserable.

Stop thinking of them as phones.

[Kenja]

Treat them like any other computer.

What a Phenomenally Stupid Question

[ewhac]

Let me get this straight: You've been acquiring personal computers, integrating them into your businesses, and installing on them software products so monumentally shitty that it beggars the imagination that anyone with even the slightest sense of pride would admit to writing them. What's more, you were told by people who actually know what the fsck they're talking about that the products were shitty, both at a superficial and fundamental level -- and you systematically ignored them, and kept throwing bad money after worse money, all the while complaining when your systems crashed, your data was corrupted, and your networks infiltrated...

And you've been doing this for at least the last 30 years...

And NOW you suddenly claim to give a shit about platform integrity?

And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

What selective, partisan crap.

Re:What a Phenomenally Stupid Question

[IchBinEinPenguin]

And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

Windows was excluded because neither of the Windows users have reported any problems. Yet.

P.S. Couldn't agree more.
You reap what you sow.
Keeping your eye firmly planted on next quarter's profit margin (and the resulting bonuses) will eventually bite you in the ass.

Re:What a Phenomenally Stupid Question

[moxley]

WIth an analysis that insightful in it's ability to see through a false, consensus reality, allow me to introduce you to the American political system!

English_101 EPIC FAIL

[Zero__Kelvin]

"So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? "

Because nothing ever becomes a trojan horses for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definiton malware. So long as the general public, and even Slashdot readers, are clueless, then cluelessness will map the security landscape.

Re:English_101 EPIC FAIL

[maxwell+demon]

I guess they used the term "Trojan Horse" in its original meaning, which is older than computer technology.

Re:English_101 EPIC FAIL

[Zero__Kelvin]

Yes. I already said that ignorance is the root cause.

Re:English_101 EPIC FAIL

[Shadow+of+Eternity]

The word "let" used to mean to hinder or delay hence why passports say "without let or hindrance".

Incidentally this is also the nuclear argument against people who bitch about using the phrase "begs the question".

Re:English_101 EPIC FAIL

WTF is a Trojan Horse for Malware?

Well, you see, you leave a gigantic wooden Clydesdale with a firewire port in the parking lot. Some fool is going to plug it in because they want to see what possible use firewire could have in a giant wooden horse. Once they do, you've got access to their systems.

Re:English_101 EPIC FAIL

[surferx0]

Because nothing ever becomes a trojan horses for malware. In order to do so, that sentence would actually have to make sense. WTF is a Trojan Horse for Malware? A Trojan Horse is, by definiton malware.

More like History 101 epic fail...

It actually makes perfect sense, given the Trojan Horse's meaning. Perhaps you've forgotten what a Trojan Horse actually is given that the name has become so synonymous with malware. A Trojan Horse could mean anything that appears non-threatening to slip behind your security, which in this case is a cell phone, containing malware inside of it.

Re:English_101 EPIC FAIL

[Zero__Kelvin]

You're right. You failed on the history part. In recent history the term Trojan Horse, when used in a malware context, has taken on a very specific meaning, which has nothing to do with trying to steal Helen of Troy back. If one wants to refer to the actual Trojan Horse of the Iliad it is necessary to upcast the reference. Anything else is just ignorance.

Re:English_101 EPIC FAIL

[Zero__Kelvin]

You apparently failed English as well. It would be ridiculous to say that the Trojan Horse was for the Greeks.

Re:English_101 EPIC FAIL

[Zero__Kelvin]

First of all, you are clearly a troll, as you are posting AC, but making a point to follow up on my posts. Second you claimed that I implied that an English class would teach the definition of "Trojan Horse" because you couldn't figure out the semantic error in the sentence. Finally, you have now verified that you cannot understand English, by claiming that you "could say" it was for the Greeks. Now off you go little troll ...

Re:English_101 EPIC FAIL

[Zero__Kelvin]

Take the absolute value of the temp in Celsius and and you get a number much closer to mine than to yours ;-)

Re:English_101 EPIC FAIL

[Zero__Kelvin]

"You claimed that the article fails English 101 by not using the computing definition of "Trojan Horse"."

This sums up your ignorance in a nutshell.

You mean like the ...

[doramjan]

Palm Pre? I love my Pre, but in the early days it "lied" about what it was so it could sync via USB with iTunes as an Apple iPod.

Re:You mean like the ...

[toriver]

Yes, it was easier for Palm to violate its agreement with the USB-IF and exploit Apple's sync software implemented in iTunes than to actually make the fscing effort to write their own sync software that read the music files and XML that any program has access to, or make user instructions how you could copy files from the music folders.

But I wonder what the old Palm would have said if e.g. Sony had made a device that pretended to be a PalmOS device and talked to their HotSync software...

Re:You mean like the ...

[toriver]

Hm, Sony was a bad example, I had forgotten they were an actual licensee... but the point still stands. If your device need sync software you write it, don't piggy-back on someone else's.

Don't ask stupid questions in the first place?

[WaffleMonster]

If your going to take the bold step of asking a device if it is safe to use you might as well just go all in and mandate full evil bit compliance for all malicious IP packets. To test evil compliance simply invoke the javascript function iamastupidfoolEvilSupported(EVIL_FA_IL); If it returns true or raises a javascript error the device is totally secure and you have NOTHING to worry about.

End all computer problems!

[Paco103]

Hackers, please stop lying to our computers and telling them you have permission to do things when you know you don't. There. . . . now nobody will get anymore spam or viruses.

I love when people say something "cannot be hacked". I also like the idea of security by requiring the client to tell the truth about what it is and what it can do. If everything would just tell the truth. . . we'd have better security. Sounds like the EA boss saying "To take the market back from Call of Duty, you just have to make a better game"

How's this crap get published?

Ignore stupid policies

[Improv]

If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

Re:Ignore stupid policies

[raburton]

Yes, give us the option to ignore them! My uni (I'm a student, not staff) requires permission to wipe my phone and force me to pin protect it, etc. The whole works.
Why? So nobody could steal my phone and access all the internal spam I get about alcoholic events and recruitment for societies so odd that they apparently don't have the 3 members needed to fill their committee posts.
So instead of using the built in exchange support I use a third party that ignores these. I run a cyanogen based rom that I build myself from source so I could just modify the built in exchange support, but life's too short - Android should already be ignoring them for me.

Richard.

Re:Ignore stupid policies

[aristotle-dude]

If you have so little regard for the rights and privacy of others then do you do not deserve a well paying job. If you cannot handle being responsible with your position in student government, how can anyone trust you with a "real" job in the future?

Re:Ignore stupid policies

[raburton]

WTF are you talking about? What do the rights and privacy of others have to do with the ability of my university to wipe my phone? And as for not "handle being responsible with your position in student government", this doesn't make any sense at all. I have no position in student government (whatever that even means) and I'm not sure what part of what I said had anything to do with my responsibility to it.

Can I suggest if English is not your first language, and you don't understand what you read, you don't waste your time (and mine) writing incomprehensible replies to it.

Re:Ignore stupid policies

[aristotle-dude]

If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

Ok. Fine. So what is your account number? Publish your account numbers, your SIN, Credit Card numbers with expiry dates, your real name, address and phone numbers. No? But information wants to be free right? If you expect to get paid to work in IT then you should treat the security of other peoples information like you would want your bank to treat your private information.

The ironic thing is that that very people who chant "information is not property" would be the first in line to sue their bank if there was a security breach caused by an employee with a "hacked" phone that was lost and could not be remotely wiped.

Re:Ignore stupid policies

[icebraining]

The ironic thing is that that very people who chant "information is not property" would be the first in line to sue their bank if there was a security breach caused by an employee with a "hacked" phone that was lost and could not be remotely wiped.

I don't understand the contradiction. Information not being property doesn't stop me from signing a contracting binding someone to protect it. Contracts were never limited to the protection of property...

What it does mean is that I can't sue the recipient of such information (the guy who finds the data), even if he shares it with the world, because he wasn't bound to me through any contract not to divulge such information.
In the case of file-sharing, for example, the companies could sue the original sharer (if they legally prove the act of selling the product entails also a binding obligation not to redistribute it), but they couldn't sell subsequent downloaders or uploaders, who have no contract with the company.

http://mises.org/journals/jls/15_2/15_2_1.pdf [pdf]

Re:Ignore stupid policies

[Improv]

You're confusing authentication with ownership.

Re:Ignore stupid policies

[repapetilto]

Why does your university know anything about the phone you have? Why wouldn't you just tell them you have no phone?

TPM

There's no inherent reason Android devices could not use a verified boot (TPM+remote attestation). This would allow servers to know exactly what firmware image they're talking to, so whilst it wouldn't exactly stop devices lying about their capabilities, it'd allow you to catch devices that were lying once the general class of problem was detected.

The reason phones don't come with TPMs is simply cost and demand. If businesses really care about this, they'll make it clear that a TPM is as important to them as remote wipe and other things, manufacturers keen to find an edge will listen and the necessary changes can be made to Android as it's open source.

So .... let the free market operate and we'll see what happens. TPMs are cheap. It wouldn't take much pushing.

Re:TPM

[IchBinEinPenguin]

So .... let the free market operate and we'll see what happens. TPMs are cheap. It wouldn't take much pushing.

Once you have TPM the _last_ thing you have is a free market.

Re:TPM

[CaptainJeff]

Please explain. Some manufactures put a TPM in their devices. Some do not. If you decide you want a phone that cannot do remote attestation with a tamper-resistant hardware root-of-trust, you buy one of the later. If your organization, *who gets to set their own policies for remote access to their environments*, chooses to buy a phone for your use (or require you to do so as a condition of that remote access) that can do remote attestation with a tamper-resistant hardware root-of-trust, they (or you) buy one of them. That is the crux of a free market - multiple options and solutions are available and the one(s) that people actually want win out. Just because you don't like the idea of a tamper-resistant store in a mobile device, it actually DOES solve the exact problem that this article is about. I, in no way, intend to indicate that it does not introduce other problems, however.

Re:TPM

[Opportunist]

...or a secure machine.

TPM is about securing the machine from you. Not for you.

Re:TPM

[perlchild]

If it's an enterprise-provided phone, you can bet your ass it'll be a fireable offense soon enough not to have it with you...
Mandating being a covered area is trickier though.

Trustworthiness...

[Bert64]

End user devices are not trustworthy, regardless of the type of device a user could modify it to report anything back to an upstream server...

Re:Trustworthiness...

[shutdown+-p+now]

You can make such modifications prohibitively expensive, however. It is precisely what a hardward TPM chip would do. Hope you have a well-equipped lab and knowledge to operate it...

What To Do...

[Odinlake]

What To Do About Mobile Devices That Lie
"Have you ever tried simply turning off the TV, sitting down with your mobile devices, and hitting them?"

Re:What To Do...

[Totenglocke]

I was going to suggest grounding them or sending them to bed without dinner, but hitting would work too.

Admins

[DarkOx]

Better question, what to do about admins that don't test policies on devices they support before deployment?

Re:Admins

[Rich0]

That doesn't help when the user jailbreaks it and the new OS doesn't have the same capabilities as the OS you audited.

The solution is to simply issue your own hardware and make employee tampering a terminable offense. I'd fully support that as long as the company provided the device and its plan.

If I get to provide the device, then I get to decide what security policies it implements, and what policies it lies about implementing. Don't like that? Simple, stop sending me email after 5PM...

Enforce choice of auditing

[jago25_98]

Turn on phone for the first time,

"Which application auditor would you like to choose?"
"Which search engine would you like to use?"
"Which Browser would you like to use?"

Re:Enforce choice of auditing

[Opportunist]

Cue customer of a new phone.

"Ohhh shiny! I wanna use it, I wanna toy with it, I wanna see all the features and all the ... huh? What's an "auditor"? Ah, a list, uh... (thumbs through manual), whatever, this one looks spiffy. Now, where that feature I bought the phone for... huh? Search engine? Get off my back, dammit! I wanna toy with the billion megapixel cam! So, here, now let me... browser?"

Tosses phone onto the counter.

"Here's your crap back, gimme a phone that lets me do stuff!"

And this is why we do not get that. Unfortunately.

What happened to lists?

[thogard]

Microware's OS9 from the early 1980s had a table that it checked for each module it loaded into memory. Each library or executable had a CRC that it checked against and then that CRC was checked in a lookup table of stuff to accept or not load. You could load that table with a list of approved memory objects and then only those things would be loaded and run or you could list things to exclude like an old runtime library in which case it would try to find an approved one in the path. This stuff was being done 30 years ago on 8 bit CPUs. It should be an option on every OS today.

Re:What happened to lists?

[Opportunist]

Only if that whitelist has to change too often. Whitelists can be very valuable when you are dealing with resources that change rarely. Like the modules in the aforementioned example. It's not like the modules you want to load change every time you use the system, or that you might suddenly get to load modules you didn't know about.

Whitelists are useless when it comes to mail addresses and webpages, unless you plan to only communicate with known sources. But when it comes to drivers and OS modules, they are quite useful.

Re:Just don't allow them.

[joebagodonuts]

Unless there's a compelling business need there is no reason to allow Android or iOS devices to connect to a company's resources in any way.

Why stop there? Add Rim and Windows to the list as well. I challenge you to find a good business reason for any phone to be connected. When desire is great enough, a business justification will be made.

I need to get email on my phone! The fate of the free world is in the balance!

It's nonsense. Since we're caving in to give folks their wants rather than needs, might as well go all they way and let them use their iPhones & Droids.

Depends

[gmuslera]

you use windows in your desktop computers? Then the phone is the least of your actual risks.

Do not trust your devices

[Opportunist]

"Trusted computing" my ass...

There's nothing to be trusted about anything you did not make yourself. And even if you made something yourself, trusting it is a bit overconfident. Do not trust anything you own to be "secure". It is not. It is as secure as the company that made it thinks is necessary.

Now, you know how security conscious the average person is, right?

Why do you think security would be high up on the priority scale of the company making it if it is no selling point AT ALL?

Do not trust anything you did not audit. If you cannot audit it yourself, have someone you trust audit it. Yes, at some point in that chain you will have to trust someone, especially if you do not have the knowledge and experience to do such an audit yourself.

But for $deity's sake, do NOT trust the maker of a device to be security conscious. They make a device with the bare minimum required to sell it. That means it will have all the features the customer will request. And as stated above, security is a feature that is rarely, if ever, requested!

Re:Just use a blackberry. Duh.

[Opportunist]

So I may trust Blackberry if I trust the governments of the US, Canada, UK, Austria, Australia, Turkey, New Zealand and the NATO.

What if I do not?

The user is the weakest link

[aristotle-dude]

If one of your end users jailbreaks their company supplied iPhone, fire them. If the company paid for the phone and pays for the phone service then it is the property of the company, not the end user.

If you officially allow employee iPhones to be used on the company exchange, ensure that it supports full device encryption before you enrol it on the network (iPhone 3GS or newer). Then periodically perform random audits of those phones to check to see if they are jailbroken. If they are, perform a remote wipe immediately to brick the device, remove the phone from exchange and discipline the user. Make sure that you include jailbreaking or any other circumvention of security policies in your policy documents as forbidden activities and have each employee sign it before allowing their device on the network.

The real question is how much do you trust your employee because they are always the potential weakest link.

A non-jailbroken iPhone 3GS or iPhone 4 is about as secure as a blackberry if you use exchange in your organization and perform a remote wipe when the phone is either lost or the employee leave the organization.

You can't

[koan]

Frankly (feel free to flame) it appears to me that the virus/trojan/botnet programmers/scammers are far more intelligent than the majority of security professionals working the other side of the fence.

Re:You can't

[dido]

No. It's just an instance of that old military truism: in the battle between warhead and armor, the warhead always wins. The defender's job is always harder than that of the attacker. The defender needs to plug every possible hole while the attacker just needs to find only one that can be exploited, and once that happens, the game is over. The security professionals may be much smarter than the malware writers and black hats, but sadly, because their job is much harder, they aren't anywhere sufficiently smart enough to beat them at a game where the deck is stacked against them.

You got the wrong Partisans

[IBitOBear]

If you RTFA you discover that the whole second half is boosterism for putting "Trusted Computing" modules inside cell phones. In that light the agnostic condensation of both "jailbroken iThingies" and "that unreliable open source Android thing" makes perfect sense.

This article has nothing to do with exchange boosterism etc, it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.

The article _is_ an attack on reason, but the goal isn't about Exchange etc, its about re-initializing the idea of corporate capture of your personal property and turning your device from a personal resource to a limited media consumption node. The media used this time isn't movies, its "corporate email" etc.

Disclaimer: I would _love_ TPM hardware if there were a law that required that _I_ get the _master_ _keys_ for my hardware when I buy it. This would, of course, allow me to lie to an exchange server if I so chose, and would do _nothing_ to prevent jailbreaks. Of course I would also have to demand that there was no "government key" etc. With those elements in place, a TPM would let my paranoia be soothed when I boot my gear.

So anyway, bitching about how bad exchange software is etc, falls into the hands of the author who is trying to false-flag some emergency to spur on "trusted computing" on the "new platform battlefield".

Re:You got the wrong Partisans

[IBitOBear]

I've bought several computers in the last few years and all but one have been absent any TPM. One board from several years back had one, and several I have considered lately had a TPM header, but no actual TPM. My amd64 dual-core has a suspicious connector next to the memory connectors that I think _could_ accept a TPM, but said adapter is blank.

So far "Trusted Computing Modules" are common on HP/Compaq gear, and some Dell stuff, but not so much on any of the pieces-parts you can get hither and yon.

I know, I've looked. TPMs usually have (must have?) a hardware random number source so I actually like boards that have them for that.

But I would never buy a board that had a certified boot chain to windows enforcement environment. Blarg. Like I said, the idea is great if _I_ have the master key to my gear so that _I_ can trust my computing environment. When it's a mater of the MAFIAA and Microsoft that want to trust my computer, well I could give a rat's ass...

Re:Just use a blackberry. Duh.

[perlchild]

They've been found to meet the specifications of those places. If you don't know those specifications it tells you little.

The legal troubles blackberry has had mostly indicate the one you care about is Canada, as Canada's privacy laws were a problem with the UAE, India and a few other countries. The solution was always for those countries to get blackberry servers/datacenters that they could seize, since the ones in Canada were out of reach. If you truly don't trust Canada's privacy laws, that's your business. If you find a better country for laws dealing with that, please let us know, I'm sure a few people on Slashdot want to move there.

Re:Just use a blackberry. Duh.

[Opportunist]

Just because I agree with some laws of a country does not mean that I trust its government.

For reference, see US constitution and US government.

Re:Just don't allow them.

[dreamchaser]

Actually you make a good point. If there ever really is a business need for a connected device though it should be something completely locked down. People are still free to have their own personal device that they pay for; there isn't a need to cave to user demand for features if they don't help give a competetive advantage.

Back to your assertion, please provide evidence

[fahlenkp]

I am fairly well versed on FIPS standards for both HIPAA, PHIPA and rusty on DoD work. I 'try' every day... Please return to your assertion that blackberry encryption is weak and comprimised. I will state my challenge to you again in simple plain terms so you might understand before replying this time. 1. Cite articles from sources displaying proof of your assertion. I can't find any. Perhaps you could inform NIST of these breaches so that they can remove the offender from the certified list. 2. Provide details on why cracking iphone encryption comes up a lot on youtube, and blackberry not at all. Here is my link for abundant proof of my claim.- http://tinyurl.com/28wesd6 I'm patient. Take your time.

Re:Back to your assertion, please provide evidence

[poetmatt]

HIPAA? HIPPA has nothing to do with FIPS. way to pull some stuff out your ass there. What's next? OSHA? UL? IBC? CE/EN?

just because you throw a name doesn't mean you have anything to show for it.

Lazy example 1 or how about lazy example 2.

Now shut the fuck up and stop trolling.

That was first couple results on google. No phone is secure. Storing anything company, corporate, etc is not going to be secure on any mobile device. Duh.

Youtube has nothing to do with how legitimate or not cracking is, if the first result for (device name)+(encryption cracking) shows up for every device in every search engine, which it does. If you're relying on youtube, maybe you should try checking out /b/ or any CEH website that shows the pitfalls of modern encryption done to governmental standards. Real encryption is higher grade than government allows.

Re:Back to your assertion, please provide evidence

[fahlenkp]

Hi, I can help you understand many of these subjects. HIPAA as put forth by Centers for Medicare Services on behalf of the US Government has partnered with NIST to establish controls for protection of patient data. The end result being that HIPAA data is protected by FIPS-140-2 standards. PHIPA - I'm assuming the name I threw in, is the health regs modeled on the US HIPAA but used in Canada. The Ministry of Health decided to use US NIST FIPS 140-2 standards or better as well. Military uses a mix of FIPS 140-1 to 3 for normal stuff. Funny how the National Institute of Standards and tech would implement standards for the nation. Lazy example 1 you provided is an inaccurate example, I don't think you read the last paragraph, or that you understand the difference between breaking encryption on the phone vs breaking the transmission protocol from phone to carrier. Any phone besides blackberry on the carrier to phone has next to nothing. Lazy example 1 has been mitigated by blackberry. Lazy example 2 - Ok, that is a good example os poor implementation. But so incredibly easy to mitigate, I'm not sure why you linked it. I don't know anyone who uses blackberry desktop, not a BES server. And even if you did use blackberry desktop, your hard drive will already be encrypted to nist fips-140-2 standars if you are in this business anyway. Thanks for the link, I didn't see it. But stupid example. Trolling? I'm open to a nice discussion, you know, what slashdot is supposed to be. IT folks exchanging information. The information I would exchange back to you - in your threat assesment of Blackberry, look at the statistics involved in risk management on this subject. The biggest risk is loss/theft of the physical device. Not backups, not data transmission. You know, #1 in the NIST/FIPS security cycle- Identify the problem. Next line- no phone is secure. Agreed, if there are no wires and no radios, the more it is like a hunk of granite, a device is more secure. But there are more secure devices than others and I stand by my premise that a blackberry is more secure than an iphone and a google phone. I was trying to use an easy example to show you that one device was more secure than the other with the youtube search. I guess the youtube numbers game was not a good choice to try to convince you. I am aware of many problems with modern encryption. Most require more $ worth of GPU power than my data is worth. I'm not interested in the theoretical fun you are. I'm interested in the practical implementation of these technologies. I am also interested in protecting my company from monetary losses incurred from failing to observe federal regulations for processing patient data. I suppose the big difference is that I'm prepared for a US court, you are prepared for what, writing a book about conspiracy theory? At this point I abandon my customer service practice and move on to begging you to put your tinfoil hat back on. (don't forget to run a line to earth ground or it doesn't work)

Lie???

[Cyrock]

Seems to me this is another case of MS not able to write secure software. If a device can access Exchange when it shouldn't be able to, the problem is not with the device but with the buggy MS software.....