
Mobile Device Security
I recently wrote an article for the WSCPA (Washington Society of CPAs) about Mobile Device Security. The article was not focused on the newest device flaw, or any particular fan-boy approach to the best or the worst device, but included a general approach to treating mobile devices with the same care you give towards managing laptop users.
Perhaps in the future I will re-post the entire article, but for now, here are the key points to developing a policy for mobile devices:
- Require that passwords be used. Password protection is a standard feature of mobile devices, yet few users utilize it as they find it inconvenient. This simple step is the most effective way to ensure the data on a device stays secure until it can be remote wiped.
- Turn on encryption! All the common devices have the ability to transmit data in an encrypted fashion, so make sure this is turned on with any device being used for email!
- Enable remote wipe! Ensure that your IT department gives itself access to every device so that they can remote wipe any lost or stolen device.
- Be clear on intellectual property policies! Business email and data transmitted to mobile devices is indeed intellectual property, and mobile device users must have clear policies outlining this fact, so that they understand the rights of the company to secure that data.
- Turn Bluetooth to hidden mode. Limit exposure to hackers who may discover your device if it is left in the default always-on, discoverable mode.
- Have an acceptable use policy for applications. Applications are a big part of what owning a mobile device is becoming about… but they also can create a lot of issues, and they may present specific security risks. These applications can enable data theft, password theft, or other issues. If someone wants corporate data on their personal device, they may have to submit to some controls over what types of applications they run. If you are concerned about security, it may be important to limit the ability to load applications, or to require that applications loaded be vetted by IT first, as you can’t trust that the various places these come from (iPhone store, etc) can properly police all the applications presented to ensure that they don’t harbor malicious code or spyware.
Happy (mobile) computing!
Richard Brunke
Your Biggest Security Risk You Never Knew About
Sometimes you come across something and have one of those ‘really?’ moments. One would think that there are few big nasty surprises left in the world of digital security. Bad news and new leaks in the same old places sure, but surprises… no.
Well, here is a big surprise for you.
Your digital copier has a hard drive in it and keeps records of all documents scanned, copied, faxed, and emailed. Most every copier built since 2002 has a hard drive and retains this data. Think about the things you copy:
- Employee files with SS numbers, driver’s licenses, etc.
- Medical information
- Tax documents
- Personal letters
- Not to mention whatever body parts were copied at the last company holiday party
And when you are done with that leased copier, or you give away or sell your old owned copier, that content is available to whoever buys it. Apparently we don’t know much about this, but identity thieves have long known of this opportunity. A recent story told of used copiers being purchased with hundreds of pages of medical information, pay stubs and payroll information, and even a list of targets for a major police drug raid.
HIPAA and SOX compliance just went out the door.
There are software solutions such as InfoSweep that will completely wipe these hard drives. Alternatively, before sending off that old copier, have your service person remove the hard drive and give it to you. Pound it with a sledge hammer a few times, drill holes in it, or pound a few nails through it. Any of these will render it useless.
Perhaps most importantly, DON’T ever copy private or sensitive material on a public facility copier! Any document you copy, fax, or email from one of the copy shop machines will leave behind a copy on that machine’s hard drive.
I am somewhat shocked that this is not commonly known, and even more shocked at the implications to compliance and data security. It is a gaping hole in the average company’s data security plans, and really needs to be addressed. Talk to your copier service person, or IT staff or consultant and make sure that you have options available to destroy data on copier hard drives.
Happy (and safe) Computing!
Richard Brunke
Is Your iPhone Hackable?
Sometimes we find that new technology adoption rates can greatly exceed new technology maturation rates. In the case of the iPhone, while product is flying off the shelf, there may be some scary flaws needing resolution, and while I doubt any such issues will drive away the legions of fans, it is important to know what the risks are so you can protect your data.
The most recent security flap is, uncharacteristically, not with the new version of Windows, but with the iPhone. Well, the ‘staggering’ truth may not be quite so scary as all of that, but it is an interesting and worthy story nonetheless. Basically, if you leave your iPhone lying around and someone who happens to have a laptop handy running Ubuntu “Lucid Lynx” 10.04 picks it up, they can bypass all security and see everything on your iPhone. Now, while that is sort of scary, it is a bit of a stretch to imagine hordes of potential hackers arming themselves with Linux laptops and hunting around for loose iPhones so they can see your vacation pictures.
Still, Apple needs to plug this flaw in its product. If you own one, don’t panic. If you see any questionable characters with well-used laptops eyeing your iPhone while you sit at the Starbucks, don’t panic, don’t call the police, just think of it a bit like your wallet – if you leave it lying on the table, you are asking to lose the stuff in it. This is just another reminder that our mobile devices store things of value, just like our wallets, and deserve at least the same amount of care! Don’t leave them lying around, think about what you are storing on them, and for God’s sake, don’t loan them to Linux OS wielding laptop owners!
Happy (mobile) computing!
Richard Brunke
The Hackers Are Getting Smarter – And I Almost Got Caught Today!
We all like to think we are too smart to open the wrong files, the wrong emails… and yet, today, I was one click away from doom (well, if you define doom as having to take my computer in to the help desk to be wiped and cleaned). Actually, when you are the executive at an IT services company, that is about as close to doom as it gets if you define doom as total embarrassment.
Hackers are getting smart. Really smart. The email I received claimed that a lawsuit regarding a copyright infringement case was being filed against my business, and it was from the ‘Marcus Law Center’.
Now, this really did not make sense to me, and I could not think of any reason such a thing was happening, but the link to the documentation was there, and all good phishing emails are able to evoke that sense of panic, that need to check in. Well, in a moment of insanity, I started opening the attachment, and then saw it was an EXE file, not a PDF file, even though it made it look like I was clicking on a PDF document to open it. Smart really.
Well, Windows 7 did me a favor and asked me if I wanted to open the file, and, in a moment of clarity, I stopped and looked up the email online to find it was indeed a spoof with malware attached.
Always good to think twice before opening any attachments in email.
Happy (virus and malware free) Computing!
Richard Brunke
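
The post above describes an attachment that looked like a PDF but was really an EXE. As an added example (not part of the original post), this Python sketch shows how a mail filter could flag that kind of disguise; it goes beyond the single case in the post by checking both the file name (a double extension such as `.pdf.exe`) and the first bytes of the content. The extension lists, function names and the sample message are assumptions made up for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

PE_MAGIC, PDF_MAGIC = b"MZ", b"%PDF-"   # leading bytes of a Windows executable / a PDF
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def check_attachment(filename, payload):
    """Return the reasons an attachment looks like an executable posing as a document."""
    # Strip padding spaces so "notice.pdf      .exe" is still read as .pdf + .exe.
    exts = ["." + p.strip() for p in filename.lower().split(".")[1:] if p.strip()]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension " + last)
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension posing as " + exts[-2])
    elif payload.startswith(PE_MAGIC):
        reasons.append("executable content behind '" + last + "' name")
    elif last == ".pdf" and not payload.startswith(PDF_MAGIC):
        reasons.append("named .pdf but content is not a PDF")
    return reasons


def scan_message(raw_bytes):
    """Map each attachment filename in a raw message to its list of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {
        (part.get_filename() or "(unnamed)"): check_attachment(
            part.get_filename() or "", part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    }


def build_sample():
    """Constructed test message; addresses, names and payloads are made up."""
    msg = EmailMessage()
    msg["From"] = "notices@lawfirm.example"
    msg["To"] = "owner@business.example"
    msg["Subject"] = "Copyright infringement complaint"
    msg.set_content("The complaint is attached.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60    # only the header bytes, not a real program
    for name, data in [("Complaint.pdf.exe", fake_pe), ("Summons.pdf", fake_pe),
                       ("Terms.pdf", b"%PDF-1.4\n%%EOF\n")]:
        msg.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns findings for the two disguised attachments and an empty list for the genuine PDF.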





