
Mobile Device Management

April 14th, 2011

The explosive popularity of mobile email devices like smartphones and iPads can lead to security problems if not managed properly. In the corporate world, we want at the very least to be able to enforce passwords on devices and remotely wipe mobile devices if they are lost or stolen.

There is also the emerging scenario of devices left in semi-secure environments. Imagine an iPad configured with a corporate email account and left around the house to be toyed with by the children and their mischievous friends.

Here is a quick overview of some of the Mobile Device Management options available on the most common platforms:

  1. Blackberry Enterprise Server has had “IT Policies” for some time. In fact, they really set the standard in this area; Mobile Device Management is old news to BB admins. This should come as no surprise given RIM’s deep commitment to the enterprise.
  2. Microsoft Exchange 2003 is getting too old to compete well in this area. However, SP2 allows password enforcement, and the “Microsoft Exchange Server ActiveSync Web Administration Tool” provided by Microsoft, although very basic, can do remote wiping of ActiveSync devices.
  3. Exchange 2007 and 2010 introduce “Exchange ActiveSync mailbox policies” which have a myriad of great management options. Of course you can wipe the devices using the Exchange Management Shell and enforce passwords and password complexity, but some of my favorites include enforcing storage card encryption and setting inactivity time before the phone locks. You can even do things like disable the camera if you are feeling like a real control freak. Of course, not all phones will be able to enforce all of these options.
  4. Google has been playing catch-up to enable these enterprise MDM features in Android and they now support a few of the essential options. They are also starting to roll out these features (including device location discovery) for Google Apps users via the “Google Apps device policy.” It looks like they can even password enforce and remote wipe any phone with Google Sync installed.
  5. iPhones have been pulled into the enterprise for some time now, so Apple’s enterprise features are more mature than Android’s. They even include a “find my ” feature with Mobile Me which allows remote wipe and ad hoc passcode enforcement. Everyone I talk to about Mobile Me has been disappointed though, so I can’t recommend it in good faith.
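As an added example (not from the original post), here is what the Exchange 2007/2010 side of item 3 looks like in the Exchange Management Shell: one ActiveSync mailbox policy carrying the controls mentioned above (password, inactivity lock, storage card encryption, camera), assignment to a mailbox, and a remote wipe of a lost device. The policy name, the mailbox, the notification address and the device identity are placeholders you would replace with your own values.

```powershell
# Added example, not the post's own code. Assumes an Exchange 2010 Management Shell
# session with the Organization Management role. "Corp-Standard", jdoe@example.com,
# secops@example.com and <DeviceIdentity> are placeholders.

# 1. Create the policy: PIN required, alphanumeric, at least 8 characters, device
#    wipes itself after 10 failed attempts, locks after 15 minutes idle, storage card
#    must be encrypted, camera disabled. AllowNonProvisionableDevices $false means a
#    device that cannot apply the policy is refused sync rather than silently exempted,
#    which is the caveat in item 3 (not every phone can enforce every setting).
New-ActiveSyncMailboxPolicy -Name "Corp-Standard" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -RequireStorageCardEncryption $true `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Apply the policy to a mailbox (the device picks it up on its next sync).
Set-CASMailbox -Identity "jdoe@example.com" -ActiveSyncMailboxPolicy "Corp-Standard"

# 3. When a device is reported lost, list the devices that have synced this mailbox
#    so you can pick the right one by type, ID and last sync time.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceType, DeviceID, LastSuccessSync, Identity

# 4. Queue a remote wipe for that device. The wipe is delivered the next time the
#    device contacts the server, so a device that never syncs again is never wiped;
#    the notification address receives a mail when the device acknowledges it.
Clear-ActiveSyncDevice -Identity "<DeviceIdentity>" `
    -NotificationEmailAddresses "secops@example.com"

# 5. Verify: the three timestamps show the wipe requested, sent, and acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The acknowledgement timestamp in step 5 is the only evidence the wipe actually happened; until DeviceWipeAckTime is populated, treat the data on the device as still exposed.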

Secure your laptop data

I have been researching hardware-based SSD Full Drive Encryption (FDE) lately and here are some bullet points to consider:

  • What is it? FDE is a way to protect data on laptops in case of loss or theft.
  • Who cares? If you have any data on your machine that you wouldn’t gladly hand over to any stranger, it suggests that you want to protect your data somehow.
  • Don’t file permissions control data access? It’s fairly trivial to circumvent standard file permissions by removing a laptop hard drive and connecting it to a different system.
  • Why this method? Using hardware based Full Drive Encryption (FDE) with SSD drives should provide relief to the performance problems that users of other forms of encryption encounter.
  • How does it affect users? Implementations vary by platform, but it basically requires an additional authentication step at system startup (password or fingerprint swipe).
  • What systems is it available on? The two laptop platforms that business users care about most, Dell and Lenovo, both offer hardware-based FDE:
    • Dell
      • Dell’s solution is based on “Encrypted Mobility Solid State Drives” and the “Wave Embassy Trusted Drive Manager”. Make sure that the model you select includes the “Encrypted Mobility Solid State Drives” hard drive option. Not all models do, but at the time of writing, I was able to add this to a Latitude 6410.
      • For more info, check out the bottom of this Dell hard drive description page.
      • Here is an interesting FDE performance study provided by Samsung.
    • Lenovo
      • Lenovo has partnered with WinMagic to provide the “SecureDoc” solution for FDE. I didn’t research which specific models are available with this, but here is the press release.

Google hacked by China

January 18th, 2010

Google China

If you haven’t yet seen the news that Google was hacked by someone looking (in part) for info on Chinese human rights activists,  then you might check out this summary on the SANS Newsbits.  SANS reliably provides sober assessments of incidents like this.  (Don’t mind the weary “I told you so” tone of the articles, it is difficult to continue beating the security drum when few decision makers are listening.)

It is romantic to think that Google might try to live up to its unofficial motto of “don’t be evil” by pulling out of China. However, if Google pulled out it wouldn’t serve to tighten up their corporate information security. Also, Google pulling out of China will just give Chinese consumers one less search engine to choose from. The wrong people would be punished. It might make a fine display on the world technology stage to “take a stand” against the Chinese government, but it will almost certainly hurt Google’s profits. [ UPDATE 1/19/2010 - Google now denies they will leave China, but want to negotiate a non-censored search (?)]

The biggest payoff might have already been achieved. Simply announcing the incident and the possible intention to leave China has had a huge impact online. In the first place, very few corporations are even aware when they have been compromised, let alone announce it willingly to the world. This sets an excellent standard of transparency. If other corporations followed this example, it would raise the visibility of information security and hopefully lead to more attention (and budget) being devoted to protecting corporate information systems. If other companies do not follow this example, it makes Google appear more honest, not less secure. (This last was accomplished by revealing that as many as 30 other companies had also been hacked.) In the second place, Google is hurting the reputation of the Chinese government by their announcement alone. This may or may not be fair given that it’s difficult to prove exactly who hacked Google, but it focuses attention on the issue of Chinese “cyberspying”.

The actual attack vector was probably a previously unknown IE vulnerability (zero day attack).  It makes sense to start switching to a different browser, preferably one that has a Flash blocker plug-in available.  IE might be so vulnerable because it’s still got ~60% of the market.  It’s a high value target for hackers.  Having more browsers to divide up the attention of the hacker population might give browser developers a relative advantage.  The fact is that all software contains bugs and the more people you have beating on your software, the more bugs are revealed and the more robust your software becomes as you patch those bugs.

This incident highlights the general trend that client machines are becoming the most common attack vector.   Here is a quick summary of my current thinking in this regard:

  1. Switch your primary browser to anything but IE.
  2. Definitely use a Flash blocker.  Flash is too dangerous to use indiscriminately.  You can always choose to play flash video on sites you trust. For Firefox I use the aptly named “Flashblock” add-on: https://addons.mozilla.org/en-US/firefox/addon/433
  3. Try to keep Adobe Acrobat patched and don’t open Acrobat files unless necessary.
  4. Keep client apps patched (e.g. MS Office, QuickTime, etc.).
  5. Explore using a browser proxy service.

What do you think? All comments are welcome.

[UPDATE 2/14/2010]
I just saw this other blog which suggests that one of these attacks exploited “a system used to help Google comply with search warrants by providing data on Google users.” Also, Sprint apparently served 8 million GPS requests within a year and “someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response.” Nice. Automating government access to user data seems problematic to me. Ideally, each search warrant request should be validated, but I don’t see how that can realistically be done. So we end up with systems designed to help US law enforcement catch criminals and terrorists that can be hacked to spy on practically anyone. We trade one form of security for another and privacy goes in the garbage. What a conundrum!