Tweet

Are we making ourselves paranoid? Like many computer security professionals, I tend to closely follow technology and security news, even though its often discouraging and depressing.  It is routine to see articles disclosing general information about recent attacks and criminal successes (and sometimes criminal captures).  I suppose that at this point it is fairly common to find “shocking” breaches of trust and security in major corporations or large, widely-used or well-trusted systems.  Even reports of malware infections in drone control centers was met with a certain “well it was only a matter of time” feeling. This cynicism is common amongst those who work in the computer security field, both as reporters and as professionals in some capacity from tier 1 support to penetration testing and CSO’s.  When you’re a cynic, you stop being surprised.

What has started to happen as a blowback from all this security bad press and cynisism is a general feeling of paranoia.  This paranoia, advocated by security pros to general users in order to cut down the rate of infection of users and lessen security risks, is starting to creep into the minds and actions of security personnel.

This is a major problem because overly-paranoid security team members can cause major headaches with overreactions to abnormal conditions.  Like in Illinois with the water pump scare, or with the recent rumours of Iranian spy drone hacking.  While computer security problems have plagued us for years, they aren’t always to blame when something unexpected happens.  It’s important not to alienate users, customers, and the world at large by overreacting or acting before all the information is gathered.

It’s like the boy who cried wolf.  If your security team jumps at nothing all the time, they will not be taken seriously when they need to.

Implement policy to fix announcements of false positives.  A simple series of steps and confirmations should be enough to let you detect, learn about, and defeat intrusions.

1. Verify with users or other policy that system behaviour is unexpected or unwanted.

2. Gather information about activities on system.  Running programs, users, log information, communications to other systems, and outbound communications are important to know in order to profile the attack and determine the extent of the damage and action.

3. Disable/disarm attacker.  Use knowledge gained from step 2 to block attackers when starting remediation/triage.

4. Perform triage and remediation procedures on affected systems.

You will need to determine for yourself when along that process a security disclosure needs to occur in order to remain compliant with standards and honest with users/customers.

Tweet

The flip-side of letting employees bring their consumer devices into the corporate fold is that there are much fewer mechanisms on these devices to allow them to be administered by a corporate IT policy, which can cause more than a few security and compatibility headaches, not to mention auditing and compliance nightmares. The idea of complete and total control over the corporate IT landscape is dying, and here to replace it is a feeling of unease in corporate IT departments even as executives push for more BYOD models.

Why the unease in IT?  When email isn’t working on your new Android or iPhone, you or your employees will call the IT department. The department, which typically supported a population of devices that were all very similar and very manageable from one point, now moves to support hundreds of different devices across multiple platforms which require different services to be managed. They are not only expected to support the new phones and tablets — they are also expected to ensure the continued security integrity of corporate networks and data while doing so. In an environment with such a rapidly-growing malicious software base and uneducated users, the task quickly becomes daunting.

Enter Fixmo, the creators of the commercial versions of the AutoBerry and AutoBES software. These software packages were designed to automate the secure setup of corporate BlackBerry phones and to ensure their security. This is what Fixmo cut their teeth on before moving into Mobile Device Management software (MDM) and solutions for mobile security.

Mobile Device Management/Mobile Risk Management

Mobile device management and mobile risk management are oriented around reducing and managing risk associated with connecting highly mobile devices which “roam” networks to enterprise technology structures. While the act of connecting them to a network may be simple, ensuring that enterprise policy is translated to these devices appropriately is a challenge. Many consumer devices require software and servers which may not be in use, or which can’t be implemented. Furthermore, policies are difficult to set and more difficult to manage. It is for this reason that many corporations choose to issue devices which they have complete control over (BlackBerries).

Fixmo’s MDM solution, Sentinel, changes this with an approach that provides management and auditing to both phones and framework servers. This approach differs slightly between phones due to differences in the architectures of the phone operating systems it supports, but they all share a few features. The main component of the phone MDM is the agent. The agent monitors changes made to the phone and analyzes activities and installed applications. It relays this information to the Sentinel Server via automatic push or timed updates, and the server stores this information.
The agent can be made to monitor for any type of system event, and is responsible for enforcing policies on the phone and communicating with the server. The Sentinel server can be used to view things such as current phone status (on, off, out of service, last reported in date) and information about the phone such as recent policy violations, installed programs, set policies, group membership, and more. The interface is easy to use (it’s a web application interface) and provides plenty of information with a presentation which doesn’t confuse users.

Perhaps one of the greatest features of the Sentinel agent is in its Android incarnation. One of the great roadblocks to major corporate adoption of Android has been its reliance on Google apps and the Google “cloud”. By using the Sentinel agent on Android, Android phones can be taught to use corporate networks through the Sentinel server. This allows corporate information technology departments to provide their own app store of supported applications or company-specific Android apps. Fixmo will provide app-store services through their App47 product, which is still in development.

Making it Easy All The Way Up

Autoberry and AutoBES are two mature Blackberry management software packages from Fixmo that manage both the phone and the server. Fixmo has taken what they learned with those platforms and taken it to the next level with Sentinel. Good, Blackberry Enterprise Server, and Microsoft exchange are all integrated into the Sentinel management platform, allowing for the management of both devices and their servers. This means compliance with regulations and audits are much easier when using Sentinel, which can generate reports on these servers and their policies.

Users of the management and auditing application can be integrated from active directory or other LDAP software and from BES groups. These users can be given granular privileges over phones, servers, and management and reporting applications depending on their needs.

SafeZone

Fixmo is rolling out encrypted containers on the iOS and Android platforms which will allow users to work inside of FIPS-compliant environments on mobile devices which may not otherwise meet security requirements. The container, called Safezone, is an encrypted sandbox which has an API with which developers can create proprietary applications which can communicate and operate securely on mobile platforms. The container also has several applications from Fixmo which ship with the product, such as document editing services. This will allow mobile users to work on sensitive data without losing security, and without moving the data beyond the corporate network, since the application communicates via virtual network with devices placed inside of a corporate network.

Solutions currently on the market to perform MDM services are not currently as robust or full-scope as the Fixmo product, largely because they either highly focused or do not address some of the many limitations that the consumerization trend has brought upon corporate IT (namely, the lack of corporate policy enforcement mechanisms). Thus, Fixmo is a good investment for any IT firm looking to control their network and their security.

Tweet

Tweet

Android is a great mobile computing platform. It’s extensible, fairly easy-to-use (considering its plethora of features), has a great application store with hundreds of thousands of applications, and connects back with everything in Google so that all of Google’s information and services are at the users fingertip. For developers, it’s a very extendable platform which is able to integrate code from a variety of languages, run C programs, and deploy applications easily to users.

This combination of versatility, extendability, usability, and many features are a few reasons why Android has a significant market share in the mobile computing industry. These great features are also the things attracting enterprise users, including the government.

But something is becoming increasingly clear to security researchers. There are some very serious security issues with this platform. They are so serious the government should think twice before rushing to Android as a most favored mobile platform. In fact, a case can be built that it should be excluded from government use unless guidelines are followed in order to mitigate the issues.

Bottom line up front: If you are going to use Android, use it with a well thought out Mobile Risk Management solution.

Here is more to ponder:

Android is supposedly secure from the ground up, running a Linux kernel (with many adaptations), a walled-garden application model, system architecture to increase security (DEP, ASLR), application permissions, and more. Unfortunately, holes or bypasses have been found in nearly all of these security features. Some, like the application permissions model, may require significant overhauls in order to maintain security.  For more on Android security, please use the Crucialpoint contact form in “Contact Us” to request access to the “Current State of Android Security” whitepaper.

The security of the platform in question is not just notable for what has been broken or evaded,  it’s notable for what it doesn’t include: fine-grain enterprise management and mature management tools. Android from its inception has been primarily a consumer device and its somewhat meager corporate tools reflect this path. As the operating system grows, it has been adding new management/control features in order to allow its use in corporate infrastructure, but these features are still growing. Enterprise adoption of the platform has thus been low and slow. It doesn’t yet provide the myriad of options that blackberry does, and it doesn’t have the level of integration with existing corporate services either. These features need to be built into the core of the operating system and its management tools.

Android devices have also had a notoriously difficult update process, with devices waiting months or years to receive critical patches or version upgrades from service providers and/or manufacturers. Government devices need to be kept to a higher security standard and as such should receive patches at-pace. Android devices are computers, and they should be treated as such.

Government adoption of Android should meet these requirements in order to securely implement Android:

• Hardware that will be able to run next-generation Android versions
• Ability to push patches and upgrades
• Require vendors to have a quick patch turnaround (a few weeks instead of months, like Google Nexus devices)
• Management and Policy deployment platforms (such as Fixmo Sentinel)
• Support contracts from vendors or in-house Android support
• Release of patches back into Android Open Source Project
• Disablement of the Android Debug Bridge
• Encryption or Encryption Services (such as SafeZone)

Admittedly, most of the infection vectors for android require the ability to install malicious applications, a feature which can be easily disabled with simple policy, but some common application exploits are available for Android as well. Physical access to a device can also give other attack vectors to motivated criminals or state actors, and given the ease with which phones are lost, it isn’t beyond the realm of possibility that phone would get misplaced or stolen, hacked, and then returned to the user.

Android may be the most common, most easily extendable platform, but with its security concerns, very careful planning is recommended so that mistakes aren’t made in its deployment.

A concluding caution: There are issues in closed approaches to mobile as well. And some of those might even be harder to fix. With this article we wanted to focus a bit more on Android because the Government seems to be rushing there. The key point is that any mobile system will require the right planning and systems to be put in place. When it comes to Android, the versatility and ability to modify Android will prove to be an asset to the Government — so long as it is properly managed and as long as security is part of your architecture.

Tweet

Tweet

Tweet

As the various intelligence agencies, computer security companies, and hackers prepare for the week of convention carnage that is Blackhat (Going on now), Defcon, and BSidesLV, it’s important to remember how easy it is for security professionals to end up on the dreaded “wall of sheep” (a very public listing of usernames and partially-redacted passwords pilfered from the network and displayed to all). It’s not considered a surprise to get hacked and infected while there — it’s almost expected.  You have to be aware of your surroundings while schmoozing with hackers of every nationality, background, and moral code.  You have to be prepared: mentally, physically, and digitally.

Mental Security:

Before wading into an event as socially oriented as Defcon, you should know what you can and can’t talk about.  People will understand if you can’t talk about something because of an NDA, but if you make it seem really juicy, you’re just making yourself a target and you probably shouldn’t have brought it up.  If you can’t say to yourself: “My boss/security officer would be OK with this.” then you probably shouldn’t talk about it. While one question does not constitute a security threat, you should always be wary of disclosing information on corporate IT infrastructure if someone seems less than on the level.

Physical Security:

In a community that rewards physical security intrusion prowess as much as it does digital intrusions (and any mix thereof) it pays to pay attention to physical security.  Make sure anything sensitive to you or your company’s Operational Security is under lock and key(pad).  If that means putting your laptop in a safe because it’s an unwiped work laptop, then that’s what you should do.  It’s not hard to trick hotel staff.

Items such as RFID cards, bluetooth devices without encryption, magstripe cards, and access tokens should be accounted for at all times, especially RFID cards, since they are easy to clone, even from a distance.  All of these things can significantly impact your security and the security of your employer if lost or stolen.  Unless absolutely nessecary, never bring RFID cards, Access or ID badges, or RSA tokens to a security conference — you might even be made an example of in a presentation if you do (it’s happened before).

Digital Security:

Updates:

This should be the most obvious to people, yet it never fails to be left undone.  Update everything and check the week before you go, just in case there is a last-minute update from a vendor affected by something at the conference.  You won’t want to be walking around with a vulnerable computer when everyone is looking for a target to test out the new exploit.

Encryption:

An oft-overlooked protection against theft is full disk encryption, but only when it’s used correctly.  If you set up encryption on your laptop, make sure that hibernation and suspend states are being protected by something as well.  Failing to do this could mean that all your preparation and encryption goes to waste if the computer is on while stolen.  Be sure to also encrypt any sensitive files on your phone and your USB drives.

Set Passwords:

Double-check that your operating system’s auto-login feature is disabled, that you don’t have passwords stashed away inside the battery bay of your laptop or phone, and that your phone is set to require a password.  Be sure to clean your touchscreen devices after entering your password so that a thief can’t use your fingerprints to determine the password.

Prevent Data Leakage:

Should you be crazy (or desperate) enough to use the wifi, be sure to use HTTPS connections with NO certificate errors.  Even with this precaution, don’t be too sure.  There have been several issues found in SSL implementations in programs in the past few years, and it’s best to be safe.  If you have to use the internet, use your mobile phone as a tether or use SSH encryption.

SSH Tunneling is a great way to stay secure on the road by using it as a tunnel to another server (assuming you have one that you wish to use).  Create a tunnel to shove your internet traffic through by creating a local proxy with the -D command-line option.  The syntax is ssh -D [PORT] [username]@[IP ADDRESS].  Then set the proxy settings on your browser of choice to “localhost” for the hostname of the proxy, and [PORT] for the port.  It’s a socks proxy, so be sure to select that option.  This method works on Windows using Cygwin or Putty as well as Linux.

SSH Tunnels encrypt your traffic to and from your server, ensuring the security of your local connection, so long as you heed any warnings about changed keys (this could mean someone is attempting to intercept your traffic).

Phones:

Install tracking software with remote wipe and backup capabilities.  Lookout is a great application for android that combines all the features together.  You’ll sleep easier knowing that if your phone is lost or stolen, you can still wipe it and have all your data offsite.

Security Checklist

Disable the following:

• Any Ad-Hoc wireless network holdovers from XP (free public wifi, hpsetup, ect…) these can be used to connect to and take advantage of your computer in many nefarious ways.
• Any phone wifi hotspots, unless you have WPA2 encryption with a strong password/passphrase.
• Boot from CD (unless you are using a liveCD system)
• Autorun (if not already disabled)
• Any Unnecessary Services (Filesharing in particular)

Enable the Following:

• Screensaver lock
• BIOS passwords
• Hard drive passwords

Mental:

• Check NDA’s
• Check materials being brought to conference.  Do I really need this USB drive to come with me?

Physical:

• Are my RFID badges out of my wallet?
• Are my ID badges out of my wallet?
• Do I have to bring my authentication tokens?
• Do I have a safe place to put my tokens in the hotel?

Digital:

• Am I using an encrypted tunnel to the internet?
• Are my thumbdrives encrypted?
• Are my devices encrypted?
• Did I do updates the same week I leave?
• Are all the applications up-to-date, including my Antivirus?
• Do I have login passwords set and required for all my devices?

Potential Rookie Mistakes:

If you want to go a notch above secure and just below paranoid, some people recommend that you use non-persistent liveCD operating systems booted from USB.  I do NOT recommend this as they are usually at least somewhat out-of-date and can’t be updated (because they are non-persistent, even on USB).

Stay safe out there!

 

Tweet

Tweet

join our mailing list

* indicates required

Email Address *
 

Email Format

• html
• text
• mobile

Close

Tweet

vPro is a suite of high-impact technology that has just begun to make its presence known in mainstream IT organizations.  vPro can help you bring your organization’s security structure into shape with features that make a dramatic positive difference.

vPro technologies are implemented in the hardware and firmware of the Intel chipset in Intel Core 2 Duo computers and above (at the bottom of this post is a link to a list of vPro-enabled processors) which can provide everything from secure remote management to hardware-assisted virtualization.  This suite of technologies holds many computer security advantages for the corporations willing and able to take advantage of them.

When you hear vPro think of Active Management Technology (AMT) and Trusted Execution Technology (TXT).  There are other capabilities in vPro but these are the first two we recommend implementing to dramatically enhance your enterprise security.

Active Management Technology

AMT is the Intel implementation of the open DASH standard (DASH stands for Desktop and Mobile Architecture for System Hardware) of the Distributed Management Task Force (DMTF). Consider an enterprise where computers may need to have a significant amount of reliable up-time through business hours. Most of the machines when they are left for the night are shut off, which means that at 1:00am, the only time that IT has to push security updates, most of the computers are off and only receive updates when turned on the next day by students, causing up-time issues.

By utilizing AMT with vPro-enabled chipsets, the enterprise IT shop could turn on all the computers on the network, allow them to receive the update, and then turn them back off when it is finished. This saves the organization time, money, and vulnerability exposure from the thousands of users browsing the internet from the machines each day.

Other AMT technologies that have security uses/implementations are remote KVM at BIOS and the ability to remotely isolate PC’s from the network at a hardware level

Trusted Execution Technology (TXT):

The Intel Trusted Execution Technology is instrumental in detecting and preventing malware from running on a vPro-enabled computer. At boot-time, the computer checks the validity of the configurations against stored configurations in protected memory in the processor. If the two don’t match, then it can be safely assumed that some tampering has occurred.

The same sort of approach is also taken with encryption key management. The keys are encrypted within hardware, but will only be decrypted when the environment is the same as when the keys were first encrypted. Thus preventing key theft in the event of exploitation.

The TXT system also allows for increased protection with the both the display and the input of data to a system with TXT-developed software. USB keyboards can be configured to have encrypted communications with the system, and software applications can be developed using more secure system calls to the computer display, preventing applications that sniff internal communications from stealing sensitive information.

Theft Protection:

Theft protection is one of the biggest and most-developed areas of the vPro technology suite.  By utilizing the out-of-band communication capabilities built-in the to vPro system, some proprietary Intel technologies, and a 3G wireless connection built into the laptop, fears about stolen laptops and desktops can be alleviated quickly and efficiently using a “poison pill”.

The poison pill is a code that can be sent remotely by system administrators from an asset management console to the device to render it inaccessible and useless by deleting encryption keys and disabling key boot processes. This code can be sent via wireless 3G, wired, WiFi, or SMS to the target device. When the poison pill is sent, the target computer. Different conditions can be set for the computer to activate its theft mode locally as well, such as a specified number of login failures, or failure to check in with the remote server after a designated time interval.

Beyond the Boundaries:

Today’s businesses are more and more often placing people outside of the relative safety of the internal corporate network and into unknown and sometimes even dangerous locales. By setting up a secure method of communications with the corporate network, companies can be more assured of the integrity, confidentiality, and accessibility of their data. But how does a company go about implementing this?

By building a network from the ground-up with compliant hardware, and utilizing a vPro gateway, properly configured clients will be able to establish highly secured and encrypted communications throughout their travels. By combining the security and management features with the roaming security tunnels, a fairly secure system with high accessibility could be achieved by a determined organization.

Comparisons to “Current” Tech:

Most of the issues with current tech is the lack of high-level integration with the hardware, firmware, and software of a computer in the sense that usually a software breach can compromise firmware and sometimes hardware. What the vPro system has done is reduced the available information to be gained from exploiting the operating system, automatically disabled infected and stolen computers, and created a remote viewing and on/off switch that has a high degree of manageability.

Current solutions generally don’t stand up to the same kinds of tasks because the solutions require complex hardware solutions that Intel is offering here in the form of AMT and their Third Party Protected Storage system. Sure, a company could continue to use full disk encryption, VPN’s, and Active Directory, but these solutions lack Out-of-Band communications with hardware, and are all software solutions with their own separate flaws and vulnerabilities that could each be exploited to affect the others (even the full disk encryption has methods for being defeated.  vPro technologies could mitigate or negate many current attacks).

More Resources for vPro technology application:

List of processors supporting vPro: http://www.intel.com/support/vpro/sb/CS-030703.htm#core17m

Intel vPro Whitepaper: http://www.intel.com/technology/vpro/pdf/intelcorevprowhitepaper.pdf

More about AMT and its features: http://cache-www.intel.com/cd/00/00/32/09/320960_320960.pdf