The many announcements at Apple’s 2014 Worldwide Developers Conference (WWDC) this week was welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals.

Last week we got a concrete example of how some cybercriminals are now actively targeting Apple ID accounts. A thread in the Apple support forums was filled with users complaining that their devices had been locked, with a message from a certain “Oleg Pliss” demanding $100 to unlock the device. (The real Oleg Pliss is a developer for Oracle; his name appears to have been appropriated by the attackers.) Australian users appear to be the ones most affected by this attack.

How was this attack carried out? It appears that the Find my iPhone feature was abused. An attacker with the victim’s Apple ID credentials would be able to log into the Apple site providing this service, send the ransom message to the user, and lock the phone.

It’s unclear where the Apple ID credentials came from, but there are multiple possibilities. For example, we know that since last year phishing sites have tried to harvest Apple ID credentials. Reused passwords or social engineering may also have been used in this attack.

How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult.

We will likely see more attacks trying to steal Apple ID moving forward. For example, we can see routers with malicious DNS settings being used in man-in-the-middle attacks to try and steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as more and more information is placed in it by users. For example, the introduction of HealthKit and HomeKit in iOS 8 may mean that even more intimate and personal information may be tied, directly or not, to the Apple ID.

It’s a good reminder that despite Apple’s willingness to use mobile malware and vulnerabilities as a club against competitors, not all mobile threats can be so easily addressed and dismissed.

Figure 1. Apple criticizing Android fragmentation

So, what can users do? Our advice is similar to those for any other credential that needs to be protected:

• Don’t reuse your password.
• Use a secure password/passphrase.
• Enable security features like two-factor authentication, if possible.

To be fair, some of these steps are harder to perform on a mobile device than a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like Apple ID – are a valuable target for cybercriminals.

Recently, there was a very public example of how not to do a tablet deployment. The Los Angeles Times reported that the Los Angeles Unified School District had been forced to suspend a program to provide iPads to students because several hundred students had figured out ways to remove security restrictions put in place by school administrators.

As it turned out, the LAUSD did not use sophisticated tools to manage their iPads. They merely used ActiveSync accounts, which students were able to “hack” by simply deleting them from their tablets. This allowed the students to gain control of their iOS devices and use them to stream music and visit social media sites. (The school district has since taken back all of the issued iPads.)

This incident highlights the many pitfalls of trying to deploy and manage mobile devices in any large, organized setting. A more sophisticated device management solution may have been needed, but it would have raised costs (both up-front and in the long term). So instead, they relied on a relatively simple and easy to maintain solution – which, unfortunately, was easily defeated. From a purely technical perspective, solutions for this problem were available, but were not chosen.

However, what’s more interesting – and what we can learn from – is the why. The technical issues can probably be resolved without too much difficulty. Why did students feel the need to hack their devices? One student said it best: they took the devices home and “they can’t do anything with them.”

Simply put, the students viewed these iPads as personal devices, with their data, and theirs to do as they wished. That, in and of itself, is a valuable lesson for enterprises trying to secure and protect their employee’s devices.

Despite the rise of consumerization, divisions should still exist between “personal” devices and “work” devices. Mobile device management attempts to bridge this divide, but it does add complexity and cost. Just as importantly, user mindsets about what’s “personal” and what’s “work” still exist. That means that corporate data can be placed at risk due to exposure on “personal” devices.

What might be more important than technical solutions is to change and understand mindsets. Part of the strategy for dealing with consumerization is the understanding that “work” information on “personal” devices means that behavior has to change, too. You can’t, say, hand off a tablet with your work email to your child to play Candy Crush – that would just be silly. Employees have to understand that more than technical limits, behavioral limits apply, too.

Conversely, enterprises have to understand that imposed limits on “personal” devices have to be reasonable. Here, the limits were so strict that students had plenty of motivation to go around them.  Enterprises have to be careful that their own limits aren’t similarly evaded – either by either “hacking” authorized devices or just using unauthorized ones.

In dealing with consumerization, we’ve always said it was important to have a strategy. Obviously, different organizations will have different strategies depending on their needs, capabilities, and potential threats. What this incident teaches us is that in order for that strategy has to be sensible, reasonable, and perhaps most of all: enforceable.

In the past couple of weeks, there has been some breathless reporting about how iOS users could now install pirated apps without having to jailbreak their phones. This was made possible by certain Chinese app store-like services.

Some of the reporting has been wondering how this was possible, but anyone with knowledge of iOS enterprise deployments knew what was going on. The same features which allow enterprises to deploy their own custom apps have now been abused to deliver pirated apps to users.

This “newly discovered” method represents one of the methods to get malicious/fake apps onto the iOS devices. However, because the iOS sandbox has not been compromised, what each app can and can’t do is rather limited. The iOS app may try to send out some personal privacy information to external server which creates privacy data leakage problem.

Read the rest of this entry »

Last week the news sites were full of headlines proclaiming that the “first iOS malware” had hit the iOS App Store. Just one problem with those headlines: they weren’t 100% accurate.

The “Find and Call” app – the Android version of which we detect as ANDROIDOS_INFOLKFIDCAL.A, and the iOS version as IOS_INFOLKCONTACTS.A – has only one key feature. It sends the user’s address book to a remote server without the user’s explicit say-so. Simply put, that’s a clear violation of privacy and apps shouldn’t be doing it. Period. In this particular case, the people in the address book were spammed, but that was done by the remote server, not the “malware” itself.

But there’s one problem. Legitimate apps have done exactly the same thing before. The social networking app Path was famously caught doing this earlier this year. Path came under tremendous fire for breaching user’s privacy so blatantly.

This was enough of a concern for Apple that the iOS 6 beta explicitly requires user consent every time before an app can access/send a user’s contacts, calendars, reminders, or photos.

The fact is that enough legitimate apps want access to user’s behavior that the practice of sending a user’s calendar information to a server isn’t instantly thought of as “bad” behavior anymore, because so many people let their apps do it. Unfortunately, the act of sending a user’s contact list has been “legitimized” by these apps, even if it remains, strictly speaking, odious behavior. In fact, “Find and Call” did explicitly ask for access to the user’s contact list:

Users should ignore the exaggerated hype about this “first iOS malware” to think about what it really did – it gave an app (and, implicitly, the people behind that app) access to their contacts. Think about how many apps ask for similar permissions – usually in the guise of sharing with or finding your friends/contacts. This incident should serve as a wake-up call to users as to exactly who – and how often – they’re giving their information to.

Apple deserves kudos for giving users the tools to help manage their personal information. Other mobile OS vendors should follow suit to provide all users with methods to protect their privacy.

Many of us are becoming increasingly familiar with the power and ease of using modern mobile OSs like iOS, Android, Windows Phone 7, and WebOS. These allow users to browse, check their email inboxes, use apps, and connect with friends with remarkable ease.

It shouldn’t be a surprise then that more and more people want to use these same platforms in the workplace. In many cases, the devices are owned and paid for not by the company but by the employees themselves. Many IT departments—faced with manpower and financial constraints due to the economic climate—agree. A Computerworld survey in September 2010 suggested that 75 percent of all organizations already support the use of employee-owned mobile devices, as this presents a win-win situation. The employees are happy in that they get to use the devices of their choice and the employer is happy as the employees shoulder the mobile device and subscription costs.

Many companies now support multiple mobile platforms (e.g., relatively new ones like iOS and Android OS) besides the traditional enterprise platform—BlackBerry OS. It’s also worth noting that whether or not devices are officially supported or not, they will still be used on office networks. In fact, according to a 2010 survey, 41 percent of IT professionals said that unauthorized devices already connect to their networks.

What Kind of “Support” Do Companies Offer?

The degree of “support” offered for these platforms widely varies. Enterprise-oriented platforms traditionally featured strong mobile device management (MDM) capabilities. System administrators can control many aspects of the phones—what settings should be used, what kinds of password are safe to use, what applications can be installed/run, and so on. In an enterprise environment, this was perfectly normal and expected, as desktops are similarly managed.

However, that simply is not the case for employee-owned devices. The platforms themselves may include the necessary features for MDM, albeit one key difference—phones sold to consumers don’t have these features properly set up. IT departments are thus left with two options—provide limited “support” for these devices (which, more often than not, is limited to allowing access to internal email servers) or get their employees to allow MDM onto their self-owned devices. One is easy and cheap to do; the other, more difficult and expensive. Which one will end up being done?
Read the rest of this entry »