Mobile Security: putting the consumerisation genie back in the bottle

Since the arrival of the first consumer-bought smartphones, enterprise security has been under threat. That all-important chain of defense against security risks has been undermined by its weakest link, people, in this case by using non-standard devices to conduct business and therefore making corporate data vulnerable to attack.
The alternative, to roll out company-issued mobile devices, has not been an easy path to follow. When historical market leader BlackBerry lost its leading position in the market to Apple and Google’s Android, companies also lost much of their ability to control corporate messaging and applications from a central point.
From the perspective of the IT shop, the consequence has been fragmentation, which has undermined the ability to deliver a coherent response in security terms. While solutions such as Mobile Device Management have existed, they have been seen as onerous; also, some devices (in particular those based on Android) have been seen as less secure.
Looking more broadly, many organisations have ended up adopting an approach in which corporate devices are used alongside personal equipment for business use. The genie of consumerisation is out of the bottle, say the pundits. But now devices exist that can deliver on an organisation’s mobile security needs, the question is, can it be put back?
The answer lies in addressing the source of the challenge, which is not the device but the person using it. Human beings assess risk all the time, and indeed, we are very good at it. In the case of a mobile device for example, we are prepared to put up with a small amount of discomfort if it will get us the result we want: sending a message, say.
If the discomfort is too great, we will assess other risks, such as, “What happens if I get caught using my personal phone?” If the answer is nothing, then the chances are that the behavior will continue. With this in mind, anyone deploying a mobile solution needs to consider two variables: the discomfort it causes, and the cost of avoiding the discomfort.
Considering the discomfort first, the point of any mobile solution is to enable productivity. Different security features — such as encrypted data storage, separation of apps and so on — may be applicable to different business scenarios.
Defining a solution appropriate for an organisation or group requires familiarity with the security features available on a device and the risks they mitigate. Better knowledge makes for more flexibility, reduced operational overhead and therefore increased probability of a successful deployment.
An equal partner to product knowledge should be an understanding of the organisation concerned, the data assets to be protected and what constitutes their acceptable use. If a policy is in place, this may need to be reviewed: note that it needs to be signed off at the top of the organisation to be effective.
Once a standard configuration has been defined, it will require testing. Too often, enterprise mobile security can fail “for want of a nail” — insufficient licenses on the RADIUS server for example, or lack of WiFi cover in areas where authentication takes place. Users need a solution that works from day one, or they will immediately lose confidence in it.
Putting all these measures in place can help minimize discomfort, but they need to go hand in hand with measures to ensure that the capabilities cannot be circumvented. Note that we are talking about the organisation’s most important asset — its people — who will respond far better to inclusionary tactics than to draconian ones.
At the same time as understanding why secure mobile working technologies are being deployed, however, employees need to know that they must act as a strong link in the chain, not a weak one. An Acceptable Use Policy should be enforceable, in that a staffer at any level will have their card marked if they attempt to circumvent it.
In addition, the genie should be given a clear timescale for getting back in the bottle. For example, in an ‘anything goes’ environment which mixes personal and corporate mobile equipment, individuals should be given a cut-off date following which corporate data access will only be possible via a secure device.
A final question is about sustainability, that is, how to keep it all going. Reporting is important, and deprovisioning is perhaps the most critical part of it — it is one thing to know that resources have been allocated to the right people, but even more important to know that any rights — and indeed devices — have been returned on change of role or exit from the company.
The bottom line, and the most fundamental challenge, is that any shiny new corporate devices deliver on what they are supposed to do — in this case enabling mobile users to stay productive without compromising on corporate risk. Provide people with usable security they will not try to circumvent, and you avoid consigning devices to the desk drawer.
If you’re interested in improving your business’s mobile security operations, join us for our upcoming webinar: Evolving Enterprise Security for the Mobile-First World. This webinar is presented by GigaOm’s Jon Collins, with sponsorship by Samsung. Register now for the webinar taking place on Wednesday, March 9 from 1 to 2pm EST.

Windows users are also vulnerable to FREAK snooping attacks

The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.

FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.

The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode — as long as the browser is vulnerable and the server accepts those weak old cipher suites — then crack the keys and spy away.
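The downgrade works because a vulnerable client accepts a ServerHello that selects an RSA_EXPORT suite the client never offered. The following is an added example, not code from the article or from the FREAK researchers, showing the check a correctly behaving TLS client makes: parse the suite out of a ServerHello record and reject it if it is export-grade or was not in the client's own offer. The ServerHello bytes are constructed test data (empty session id, no extensions), and the export suite table is the RFC 2246 set.

```python
import struct
from typing import Iterable, Optional

# RSA/DH "export" cipher suites from RFC 2246 (TLS 1.0). These are the
# 40-bit / 512-bit suites that a FREAK downgrade steers a session to.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite id selected in a TLS ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version(2) + random(32) + session_id_length(1) = 35 bytes
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack(">H", hello[off:off + 2])
    return suite


def check_server_hello(record: bytes, offered: Iterable[int]) -> Optional[str]:
    """The check a non-vulnerable client makes: the selected suite must not be
    export-grade and must be one the client actually offered.
    Returns None when the handshake looks sound, otherwise a reason string."""
    suite = parse_server_hello(record)
    if suite in EXPORT_SUITES:
        return f"export-grade suite negotiated: {EXPORT_SUITES[suite]}"
    if suite not in set(offered):
        return f"server selected suite 0x{suite:04x}, which the client never offered"
    return None


def build_server_hello(suite: int) -> bytes:
    """Constructed test data: a minimal TLS 1.0 ServerHello with an empty
    session id and no extensions, selecting the given suite."""
    hello = (b"\x03\x01"            # server_version: TLS 1.0
             + bytes(32)            # random (all zeros; test data only)
             + b"\x00"              # session_id length 0
             + struct.pack(">H", suite)
             + b"\x00")             # compression_method: null
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    # The client offered only modern suites (ECDHE-RSA-AES128-GCM-SHA256 and
    # RSA-AES128-SHA). A tampered ClientHello makes the server answer with
    # RSA_EXPORT; a sound client refuses, a FREAK-vulnerable one continues.
    offered = [0xC02F, 0x002F]
    print(check_server_hello(build_server_hello(0x0003), offered))
    print(check_server_hello(build_server_hello(0x002F), offered))
```

The second rule (reject a suite you never offered) is the one that the vulnerable TLS stacks skipped; the first rule is what a server-side fix amounts to, since a server that never enables export suites cannot be talked down to them regardless of what the client does.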

When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.

The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.

In its advisory, Microsoft said:

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:

  • Internet Explorer
  • Chrome on OS X (patch available)
  • Chrome on Android
  • Safari on OS X (patch expected next week)
  • Safari on iOS (patch expected next week)
  • Stock Android browser
  • BlackBerry browser
  • Opera on OS X
  • Opera on Linux

As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.

Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…

BlackBerry shows off affordable, touchscreen-only Leap handset

BlackBerry has launched a touchscreen-only smartphone — its first since the Z3 a year ago — called the Leap. It will be reasonably affordable at $275 off-contract when it goes on sale this April.

The handset has a five-inch display and will reportedly go on sale in Europe and Asia first. BlackBerry is pushing the security angle pretty hard on this one, no doubt as a partial reaction to efforts by the likes of Blackphone and Jolla to appeal to privacy-conscious businesses and consumers.

“Companies and everyday consumers are finding out the hard way that mobile security is paramount. BlackBerry Leap was built specifically for mobile professionals who see their smartphone device as a powerful and durable productivity tool that also safeguards sensitive communications at all times,” BlackBerry devices chief Ron Louks said in a statement.

Indeed, the company also used Mobile World Congress in Barcelona to announce the BlackBerry Experience Suite, which is actually three suites of services that will work across rival platforms including iOS, Android and Windows. Two of the bundles will cover productivity and communications and collaboration, while the third will provide encryption and privacy controls for emails and documents.

Security aside, BlackBerry is promising that the Leap can take up to 25 hours of “heavy use” before its 2,800mAh battery gives up. It has an eight-megapixel rear camera and 16GB of internal storage with extra microSD support. As with other recent BlackBerry phones, the Leap also comes with the Assistant voice-and-text command feature and two app stores, BlackBerry World and the Amazon Appstore.

According to reports of the MWC unveiling of the device, Louks also briefly held up an unnamed handset with a slide-out keyboard that will properly appear later this year.

Latest BlackBerry OS update adds Amazon Appstore

Good news for owners of BlackBerry devices: The latest software update, version 10.3.1, is coming to your handset. BlackBerry shared the news on Thursday rather emphatically in a blog post, saying you should “prepare to be wowed.”

The wow factor is presumably in both the latest software improvements and the expanded access to mobile apps.

BlackBerry 10.3.1 adds the Amazon Appstore, which BlackBerry announced in June when it signed a license agreement with Amazon, then saying 200,000 apps would be available. The squarish BlackBerry Passport and the Classic already had Amazon Appstore access; the software update will add the same to the BlackBerry Q5, Q10, Z10, Z30, and Z3 models.

BlackBerry’s latest software features are part of the update as well. BlackBerry Blend sends notifications from your phone to a computer or tablet, while the new BlackBerry Assistant is a voice-command service to help you manage your day. BlackBerry is also touting better power savings and updated camera software for improved images as well.

Handset owners will get a notification in their BlackBerry Hub when the software is available for their phone. BlackBerry noted that the timing of the update is dependent on carriers, so you may have a little more time to prepare before being wowed.

The BlackBerry Classic is an explicit appeal to nostalgia

BlackBerry officially launched the BlackBerry Classic at an event in New York’s financial district on Wednesday. It’s the first new BlackBerry device since 2011 to actually resemble what most people think of when they think “BlackBerry”: A QWERTY keyboard-equipped phone with physical navigation keys, including a touch trackpad.

Obviously, the BlackBerry Classic is a niche device — no matter how many celebrities claim they can’t live without theirs. BlackBerry spent a lot of time comparing the Classic to the Bold 9900, which came out in 2011. That’s the target audience for the Classic — companies that issue BlackBerries to their employees for security reasons and are still hanging on to aging Bolds (running BlackBerry’s previous operating system).

Because many people upgrading to the BlackBerry Classic are coming from years-old devices, the specs aren’t paramount, but they still pack a few nice upgrades. The Classic has a 720×720-pixel, 3.5-inch touchscreen and an 8 MP camera on the back. It will be able to tap into speedy LTE networks and it’s powered by a Qualcomm chip. The specs are generally inferior to those of the BlackBerry Passport, the company’s new flagship device, which has an unusual square body.

In the United States, both AT&T and Verizon have said they’ll carry the BlackBerry Classic, but the carriers haven’t offered details on when or how much it will cost. You can buy an unlocked BlackBerry Classic that works on AT&T and T-Mobile for $449 from BlackBerry World.

BlackBerry 10.3.1 is a pretty big upgrade from the operating system on the Bold 9900. It’s optimized for touch, has a modern browser, and, perhaps most importantly, it can run Android apps from the Amazon Appstore as well as native BlackBerry apps from BlackBerry World.

https://www.youtube.com/watch?v=3Ja3wuE2i6o

In the middle of the launch presentation, BlackBerry discussed Brickbreaker, a game on the Classic that was notoriously pre-installed on all BlackBerrys during the company’s glory years. It was an appeal to former BlackBerry users who remember killing hours playing the Breakout clone, which takes advantage of the Classic’s new (and old) trackpad. But you don’t see Nokia or Microsoft talking about Snake when launching a new Lumia. Perhaps appealing to nostalgia is not the best way to get traction in the fast-moving mobile world.

BlackBerry purchases ‘virtual SIM’ startup Movirtu, will bring the technology to iOS and Android

BlackBerry has acquired Movirtu, a London-based company that specializes in virtual SIM technology, it announced on Thursday. Originally, Movirtu’s business centered around shared phone service for poor regions in India and Southeast Asia, but BlackBerry is likely to use its cloud-based account management technology to improve its enterprise and bring-your-own-device capabilities — so an IT manager could, say, apply policies to a work phone number on an employee’s personal phone. BlackBerry intends to deploy Movirtu technology on other smartphone operating systems, including iOS and Android.