
Trust Digital Best Practices

April 2009

The information contained herein is subject to change at any time, and Trust Digital makes no warranties, either express or im-plied, with the respect to this documentation and disclaims all implied warranties of merchantability and fitness for a particular purpose. Trust Digital, the Trust Digital logo, are trademarks or registered trademarks of Trust Digital, Inc. All other trademarks are the property of their respective holders.

© 2009 Trust Digital. All rights reserved.

TABLE OF CONTENTS

Introduction

Smartphone Convergence

SMS As An Attack Vector

Business Card Attacks

Lost Device Attack

The Security Fix

Deploying the Fix


Introduction

In the last decade, mobile devices have evolved from basic cell phones to Internet-connected devices accessing Web applications and VPNs via the enterprise network. As such, users have come to depend on these devices to facilitate work and play. Enticed by the latest and coolest smartphones like the Apple iPhone™ and Google Android, employees have begun using these devices for work unbeknownst to corporate IT. This employee independence is creating security angst for the IT organizations responsible for the data contained on those phones.

The growing number of smartphones being used at work represents an opportunity for corporate spies, since smartphones are typically the weak link in IT security policies. Most organizations fail to take precautions to secure smartphones and therefore cannot track or manage which devices are connected to the network. Attacks via the short message service (SMS) are a prime example of how a hacker may exploit this weak link. Although consumers think of SMS as simply “text messaging” for cell phones, SMS is actually a far richer protocol. This white paper discusses SMS security threats, describes some easy-to-duplicate attacks on smartphones, and suggests approaches to both recognize and mitigate SMS threats.

Smartphone Convergence

Smartphones offer a number of ways to connect to a network, including USB, infrared and WiFi. Hackers can use these capabilities in a variety of malicious ways, including injecting viruses and malware, mounting denial of service attacks against the enterprise, stealing employees’ data (emails, contacts, text messages and proprietary files) and eavesdropping on employee conversations.

[Figure: Smartphone convergence diagram. Attack surfaces shown: USB attacks, IrDA/Bluetooth attacks, protocol stack attacks, installing malware; connected elements: cell tower, email server, Internet, IrDA, GPS.]


While WiFi, USB and browser-based vulnerabilities are shared with laptops, other security holes that affect the network protocol stack or employ SMS messages are unique to the cellular capabilities of the smartphone.

So, what is IT to do? The remainder of this paper will explain how hackers can exploit SMS messaging and how IT can counter the hacker using an enterprise mobility management (EMM) platform.

SMS As An Attack Vector

Approximately seven billion SMS “text messages” are exchanged daily worldwide according to GSM-World reports. Beyond text, the SMS protocol can deliver rich data, control messages and applications to a device, and these can alter the device’s usability and change its security policies. As a result, the SMS protocol can be used as an attack mechanism to send a message that is device or SIM card specific. Typically all that is needed is a phone number, which is easily gleaned from a business card or email signature.

The following scenarios will detail how SMS messages can be used to compromise a smartphone.

“Business Card” Attacks

The “Business Card” attack can be performed by the hacker without any knowledge of the intended victim other than their mobile phone number. To exploit the Business Card attack, the hacker sends a series of SMS messages to the phone. These messages are known as “control” messages. Control messages instruct the phone to act on the SMS instead of displaying it as a text message. These control messages can download applications to the phone, collect and forward data from the phone, force the phone to visit a website or change phone configurations. This gives the hacker control over the phone and access to the data on the phone. Much like viruses found on laptops today, the attack can happen silently and is highly targeted. It gives a hacker access to a device that otherwise may be under careful control.

The Business Card attack can be separated into three different attacks. The first attack utilizes a wireless application protocol (WAP) PUSH message. WAP PUSH messages have the ability to redirect a device to a website to download an application which is then installed on the targeted device. The application accesses information such as contact lists, text messages and emails and sends it back via SMS or email. The second attack involves sending the device an SMS control message that causes the phone to silently change configuration. This attack can be used for multiple purposes; for example, it can expose user information by turning off security settings for email transmission such as SSL, or it can render the data capabilities of the device useless by remotely wiping the device. The third attack is a Denial of Service attack. A denial of service attack sends multiple control SMS messages to the targeted device, making the device slow and ultimately rendering it useless with no indication as to the cause of these issues.

• Laptop with WiFi connectivity to the Internet

• Tools available on the Internet

• Smartphone

• Mobile number of victim

The Business Card attack is easy to understand and simple to perform even for a non-expert hacker. Free software is available and can be downloaded directly from the Web to help create these SMS control messages. The hacker uses his/her own phone to send the messages.

“Lost Device” Attack

In our second scenario, the hacker targets a lost or stolen smartphone. Like the Business Card attack, the “Lost Device” attack works even if the phone is locked with a PIN or password screen, since the hacker can push an application via SMS that unlocks the device. Once unlocked, the hacker has full control of the device and can access any information on the device or use the device to access corporate resources.

The Security Fix

The security fix for SMS attacks is to deploy a software file that blocks control messages on the affected smartphones. In effect, this fix only permits the smartphone to receive SMS text messages, which prevents the silent attacks described above.

The Trust Digital EMM platform for smartphones blends security and device management into a single solution, providing IT with the facilities and tools needed to effectively counter SMS attacks and other smartphone security threats. Trust Digital EMM is a Web Services platform that provides robust support across a diverse set of handheld mobile devices and includes:

• A self-service portal allowing end-users to load security software and policies on personal devices

• A flexible device agent enabling IT to secure and manage a wide variety of device platforms including Windows Mobile, Symbian and iPhone

• Policy-controlled security for protecting against hacker access and device loss

• A centralized management console with integrated help desk capabilities for simplifying policy implementation and user support

• A compliance management and reporting facility to ensure users adhere to IT policy


Deploying the Fix

To deploy the security fix to affected users, IT can run asset management reports to identify users who may own an affected smartphone.

The granular software distribution facilities of the Trust Digital EMM platform can deploy the needed software according to criteria that include carrier, user group, device or operating system. In our SMS example, IT would use the EMM platform to push the needed CAB file to the users of affected smartphones.

For ongoing support and reassurance, compliance reporting and enforcement ensures the CAB file remains in place and alerts IT if a device is not compliant.

Conclusion

Unlike laptops, smartphones converge voice and data, creating new security challenges for IT. Hackers are increasingly focused on corporate espionage, and the smartphone is a ripe target. Frequently ignored by IT, smartphones are often the weak link in enterprise security strategies. New threats, such as Business Card attacks, will continue to appear and evolve. Trust Digital EMM arms IT with a sophisticated device management facility that quickly delivers security solutions on an individual or group basis to tactically counter hackers as they employ new methods to penetrate the enterprise.

[Figure: Single Console for Centralized Control. Elements shown: SQL, AD, Executives, Group Based Policies & Software.]

Trust Digital | 1760 Old Meadow Road, Suite 550 | McLean, VA 22102

Toll Free 888-760-9401 | 703-760-9400 | www.trustdigital.com | [email protected]

secure, rapidly deploy and centrally manage their smartphones. Trust Digital’s unique software-overlay methodology simplifies how IT administrators and help desk specialists implement policies, assist users and enforce compliance for mobile applications. Trust Digital is the trusted mobility company. For more information, please visit our website, www.trustdigital.com.
