Feeds

back to article Don’t let mobile malware steal your company data

The mobile malware landscape is changing. Standardisation might be a good thing for building ecosystems and making phones more useful, but the emergence of Android and iOS as leaders in the operating-system wars makes life easier for those who would target the data on your corporate devices. It also means there is more to steal …

COMMENTS

This topic is closed for new posts.

Charles Brookson - one question

Was he approached to weaken GSM encryption, or told to make it 'easier for spooks' in the first place?

3
0

Re: Charles Brookson - one question

It was designed to meet the export control regulations at the time for the late 1980's - CoCom. Things have now changed with the Wassenaar Arrangement so we can do what we like.

1
0
Anonymous Coward

not allowing rooted or jail-broken phones?

"it is reasonable to enforce a company policy of not allowing rooted or jail-broken phones onto work premises."

A) Why is it reasonable?

B) What risks does it prevent? (in particular, risks that are not present with a factory-original phone?)

C) How do you expect it to be enforced?

D) How significant is the risk?

There'll often be easier options anyway. At a secure (UK MoD secrets onsite) establishment I'm familiar with, you just have to come in looking like a plausible printer/copier technician. No one will know or care who you really are (neither IT nor Facilities maintain the printers, it's outsourced), no one will be able to check who called you in, there will always be kit needing attention, and of course it will be networked and you will be allowed in with a laptop which you can plug in to the networked printer. And printers are full of nice dark corners where you could easily hide something the size of a Raspberry Pi.

The "security" people on that site have been notified of this hole. Apparently they get quite upset if you don't provide their required four weeks notice for the usual class of visitor, but have no suggestions or concerns when there's a gaping hole in the organisation's procedures. They will, one day.

2
1
Bronze badge
FAIL

Re: not allowing rooted or jail-broken phones?

Some time ago I worked as a member of a 'tiger team'. It was ridiculous at where you can get if you walk in wearing an HP polo shirt, carrying a laptop and some boxes with an HP logo on them (The polo shirt I got from a training class I attended, the box was from a spare part I ordered from HP).

One of the jobs I'd done was at the datacenter of a major international bank where that tricked worked far too well; I was able to get to touch their root CA servers, plug in a USB drive and access it from a crash cart. I could have grabbed all their private keys if I was so inclined (Disk wasn't encrypted)

0
1
Silver badge

Re: not allowing rooted or jail-broken phones?

"B) What risks does it prevent?"

Given a lot of "stock" phones will have an OS that is old, unpatched and vulnerable, the only reason I can see is to prevent users from having loaded un-vetted apps from dodgy sites.

However, there appear to be enough dodgy apps from the official site to limit that aspect as well...

1
0
Bronze badge
FAIL

proprietary device drivers

"The recent vulnerability in the Exynos5 chipset in the drivers used by the camera and multimedia devices creates a hidden Suid"

That's the problem with the closed nature of the device drivers...

4
0
Bronze badge

You don't need to weaken GSM to give government access.

The government has the right of legal intercept. You can build all sorts of things to protect yourself from organised crime, business rivals, tabloid newspapers whatever. But there is no protection from The Government.

1
1
Silver badge

Re: You don't need to weaken GSM to give government access.

The protection from "the government" is supposed to be due process and the court of law, which gets its power from the people's choice of elected representative.

Please stop laughing in the back seats!

2
0
This topic is closed for new posts.