    TrendLabs Security Intelligence Blog

    Author Archive - Warren Tsai (Product Manager)

    Recently, there was a very public example of how not to do a tablet deployment. The Los Angeles Times reported that the Los Angeles Unified School District had been forced to suspend a program to provide iPads to students because several hundred students had figured out ways to remove security restrictions put in place by school administrators.

    As it turned out, the LAUSD did not use sophisticated tools to manage their iPads. They merely used ActiveSync accounts, which students were able to “hack” by simply deleting them from their tablets. This allowed the students to gain control of their iOS devices and use them to stream music and visit social media sites. (The school district has since taken back all of the issued iPads.)

    This incident highlights the many pitfalls of trying to deploy and manage mobile devices in any large, organized setting. A more sophisticated device management solution may have been needed, but it would have raised costs (both up-front and in the long term). So instead, they relied on a relatively simple and easy-to-maintain solution – which, unfortunately, was easily defeated. From a purely technical perspective, solutions for this problem were available, but were not chosen.

    However, what’s more interesting – and what we can learn from – is the why. The technical issues can probably be resolved without too much difficulty. Why did students feel the need to hack their devices? One student said it best: they took the devices home and “they can’t do anything with them.”

    Simply put, the students viewed these iPads as personal devices, with their data, and theirs to do with as they wished. That, in and of itself, is a valuable lesson for enterprises trying to secure and protect their employees’ devices.

    Despite the rise of consumerization, divisions should still exist between “personal” devices and “work” devices. Mobile device management attempts to bridge this divide, but it does add complexity and cost. Just as importantly, user mindsets about what’s “personal” and what’s “work” still exist. That means that corporate data can be placed at risk due to exposure on “personal” devices.

    What might be more important than technical solutions is to change and understand mindsets. Part of the strategy for dealing with consumerization is the understanding that “work” information on “personal” devices means that behavior has to change, too. You can’t, say, hand off a tablet with your work email to your child to play Candy Crush – that would just be silly. Employees have to understand that more than technical limits, behavioral limits apply, too.

    Conversely, enterprises have to understand that imposed limits on “personal” devices have to be reasonable. Here, the limits were so strict that students had plenty of motivation to go around them. Enterprises have to be careful that their own limits aren’t similarly evaded – either by “hacking” authorized devices or just using unauthorized ones.

    In dealing with consumerization, we’ve always said it was important to have a strategy. Obviously, different organizations will have different strategies depending on their needs, capabilities, and potential threats. What this incident teaches us is that the strategy has to be sensible, reasonable, and perhaps most of all, enforceable.

    Posted in Mobile

    In the past couple of weeks, there has been some breathless reporting about how iOS users could now install pirated apps without having to jailbreak their phones. This was made possible by certain Chinese app store-like services.

    Some of the reporting has been wondering how this was possible, but anyone with knowledge of iOS enterprise deployments knew what was going on. The same features which allow enterprises to deploy their own custom apps have now been abused to deliver pirated apps to users.

    This “newly discovered” method is one way to get malicious or fake apps onto iOS devices. However, because the iOS sandbox has not been compromised, what each app can and can’t do is rather limited. Such an app may still try to send personal information to an external server, which creates a privacy data leakage problem.

    Posted in Malware, Mobile

    Last week the news sites were full of headlines proclaiming that the “first iOS malware” had hit the iOS App Store. Just one problem with those headlines: they weren’t 100% accurate.

    The “Find and Call” app – the Android version of which we detect as ANDROIDOS_INFOLKFIDCAL.A, and the iOS version as IOS_INFOLKCONTACTS.A – has only one key feature. It sends the user’s address book to a remote server without the user’s explicit say-so. Simply put, that’s a clear violation of privacy and apps shouldn’t be doing it. Period. In this particular case, the people in the address book were spammed, but that was done by the remote server, not the “malware” itself.

    But there’s one problem. Legitimate apps have done exactly the same thing before. The social networking app Path was famously caught doing this earlier this year. Path came under tremendous fire for breaching users’ privacy so blatantly.

    This was enough of a concern for Apple that the iOS 6 beta explicitly requires user consent every time before an app can access/send a user’s contacts, calendars, reminders, or photos.

    The fact is that enough legitimate apps want access to users’ behavior that the practice of sending a user’s calendar information to a server isn’t instantly thought of as “bad” behavior anymore, because so many people let their apps do it. Unfortunately, the act of sending a user’s contact list has been “legitimized” by these apps, even if it remains, strictly speaking, odious behavior. In fact, “Find and Call” did explicitly ask for access to the user’s contact list.

    Users should ignore the exaggerated hype about this “first iOS malware” and think about what it really did – it gave an app (and, implicitly, the people behind that app) access to their contacts. Think about how many apps ask for similar permissions – usually in the guise of sharing with or finding your friends/contacts. This incident should serve as a wake-up call to users as to exactly who – and how often – they’re giving their information to.

    Apple deserves kudos for giving users the tools to help manage their personal information. Other mobile OS vendors should follow suit to provide all users with methods to protect their privacy.

    Posted in Mobile

    Many of us are becoming increasingly familiar with the power and ease of using modern mobile OSs like iOS, Android, Windows Phone 7, and WebOS. These allow users to browse, check their email inboxes, use apps, and connect with friends with remarkable ease.

    It shouldn’t be a surprise then that more and more people want to use these same platforms in the workplace. In many cases, the devices are owned and paid for not by the company but by the employees themselves. Many IT departments—faced with manpower and financial constraints due to the economic climate—agree. A Computerworld survey in September 2010 suggested that 75 percent of all organizations already support the use of employee-owned mobile devices, as this presents a win-win situation. The employees are happy in that they get to use the devices of their choice and the employer is happy as the employees shoulder the mobile device and subscription costs.

    Many companies now support multiple mobile platforms (e.g., relatively new ones like iOS and Android OS) besides the traditional enterprise platform—BlackBerry OS. It’s also worth noting that whether or not devices are officially supported, they will still be used on office networks. In fact, according to a 2010 survey, 41 percent of IT professionals said that unauthorized devices already connect to their networks.

    What Kind of “Support” Do Companies Offer?

    The degree of “support” offered for these platforms varies widely. Enterprise-oriented platforms traditionally featured strong mobile device management (MDM) capabilities. System administrators can control many aspects of the phones—what settings should be used, what kinds of passwords are safe to use, what applications can be installed/run, and so on. In an enterprise environment, this was perfectly normal and expected, as desktops are similarly managed.

    However, that simply is not the case for employee-owned devices. The platforms themselves may include the necessary features for MDM, albeit with one key difference—phones sold to consumers don’t have these features properly set up. IT departments are thus left with two options—provide limited “support” for these devices (which, more often than not, is limited to allowing access to internal email servers) or get their employees to allow MDM onto their self-owned devices. One is easy and cheap to do; the other, more difficult and expensive. Which one will end up being done?