I recently released an article around the area of HTML5 which received a lot of, let’s say, emotionally driven comments and while I don’t want to open that can of worms again, one of the key issues I did raise around HTML5 was security. Here I wanted to expand on the issue of mobile security and security threats in our current “always on” culture.
Let me start by answering the question I first posed, is secure enterprise mobility possible? The answer I believe is yes, but it takes a huge amount of work and forethought or the right tools to do the job. Right now, I believe HTML5 is not one of those tools.
Let’s face it if we look back over the past decades this is now the third time we are going through this security debate with HTML, and our past experience should play a role here. Let’s divorce the possibilities of HTML5 as a tool with potential from the practicalities of its security right now.
You like so very many of my colleagues may very well be in love with the technology as a developer but when you need to look at it from an IT Manager or a CIO perspective where you need to put your neck on the line choosing HTML5 when it is just not mature enough. In reality face it the internet and thus HTML was built without security in mind, it was built and then later when security matters arose patches were created to Band-Aid those problems but this of course left loopholes which are open to exploitation.
As we all know 25% of attacks are done through SQL injection and this is something HTML5 is very susceptible to. I don’t want to attack just HTML5 here enterprise mobility is fraught with danger for the unsuspecting and unprepared enterprise, another key vulnerability of mobility is the ability to take a whole bunch of requests and divert it via one machine.
Let’s look at an example I am sure could affect any of us, a hacker could go into any coffee shop that offers free wifi and set up his own “free public” wireless network he could then easily sit on the router and route all the traffic from the phones or mobile devices that connect through “free public”. This would then record everything done on those devices including every key stroke and every password, anyone could steal with a laptop and easily break what they have recorded down and see whatever they want.
Like HTML5 many of the mobile operating systems can be equally insecure, if we look at a recent story from Watchfire, who were I believe acquired by IBM, they recently group found a loophole in the Android OS that can be used by a malicious application downloaded from Google application store which would then track down all Internet activity on the infected mobile even when the application is closed.
Watchfire have since approached the Google staff and helped them repair it but this could really be the tip of the iceberg. There has been much coverage about Andrioid’s weaknesses and vulnerabilities in particular and I will cover this in a future blog as I really feel it requires its own attention here I just want to stress each OS has its own issues.
The point I am making is that with enterprise mobility you are opening your organisation up to a whole new set of attacks and whilst we are all very aware of email viruses and so forth mobility is not something we are so well educated on and it is something our users may easily fall prey to.
One story in particular from a year or so ago really epitomises to me how clever and how destructive mobile viruses can be when they penetrate an organisations core. I will recount the tale for those that aren’t familiar with it, so the first thing is to start by saying no one knows how the virus got into the plant there has been a lot of speculation about covert operations but let us leave that for other experts to discuss what we do know as a fact the virus got in the organisation.
It patiently recorded all traffic on the servers and then the moment it activated it could portray to the systems that everything was ok. The virus then started sending the centrifuge into super hi speed and told the programme to ignore temperature so the controllers thought everything was ok when of course it wasn’t it.
Ultimately the virus eroded the centrifuge and brought the whole plant down making the uranium enrichment operation. To me this tale just highlights how something small that “worms” its way into your organisation seeming innocuous and then intelligently finds the right place to do the most damage a virus like this can easily take your entire enterprise down.
As I have said viruses are nothing new but mobility is and people are less virus aware when downloading apps than they should be to my mind mobile collaborative apps could be one of the biggest threats. Here I want to take an example of a collaborative app, I want to stress the app I am talking about is not a malicious app I am just using it as an example of the type of app to stress my point.
So Color is a photo sharing app, when you switch it on at a big event like a concert you can see and download every picture that every other Color user takes at the event. So say someone is in the front row you can download and save their pictures it’s a wonderful idea and I myself am a big time user. However I think these collaborative apps bring with them vulnerability let’s say you save a picture it could have a virus attached and you download it and save it on your work PC it can then get straight into your work server.
So the point is vulnerabilities exist everywhere and mobility is just the new line of attack however it does seem to be one where we are less prepared. As I said before it’s not a lost cause secure enterprise mobility is possible you could use an MDM like Fusion which RIM have just announced or you could use a MEAP with built in security. But whatever you use education is key and you must make your users mobile virus savvy, here are some quick tips which I think every organisation need to bear in mind to help with security:
- Never use unknown WIFI
- Research an app’s providence before download
- Check which permission the app is requesting
- Keep your antivirus software up to date
- Have users use passwords wisely and insist they are never the same
- If it seems too good to be true it usually is!