Category Archives: Mobile security

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. It takes place on Wednesday 25th September; email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Laughing all the way to the bank: Why banks need to rethink their approach to social media

by Angus Batey

Every day, I check my bank accounts online. Every time I check, my bank is encouraging me to send it Tweets. So every day I find myself wondering whether I am the only one of their customers to find this bordering on insane.

The social-media revolution has changed the way all companies do business and interact with their customers, and it would be naive to imagine that banking hadn’t been as affected as everybody else. Facebook, Twitter, Google Plus and the rest are powerful tools, enabling individuals and corporations to strengthen relationships through easy interaction – and best of all, the costs are met by somebody else. What’s not to like?

Just about the only other thing I can guarantee on happening every day is that I’ll receive an email telling me that my bank account has developed some problem or other, but that help is at hand, if I’d just click on the link and resubmit my details. I’ve been getting them for the thick end of 20 years and they’ve not evolved greatly in their wit or sophistication. We all know the more obvious telltale giveaways, from the hilariously inept salutations (“Dear esteemed beneficiary…”) to the clumsily hidden address they really come from. Yet these scams still manage to fool some users – according to a 2010 report by Cyveillance [PDF], a spammer can expect to get about 250 people to hand over their data for every half-million phishing emails sent. This is a tiny fraction, but a significant number.

Usually, the first thing that lets you know a purported banking email is a fraud is that it claims it comes from a bank you’ve never had an account with. But what if the scammers knew who you banked with, and took a little more care to make their emails plausible? Wouldn’t that low rate of success quickly start to climb?

Every major High Street bank has a range of official Twitter accounts it uses to communicate with the outside world – often little more than a stream of links to corporate press releases or items of perceived interest to customers. But even if that’s all a bank uses Twitter for, its accounts represent an incredible intelligence-gathering opportunity for anyone willing to spend a couple of hours to better target phishing attacks.

Unless you’re an avid student of the banking industry you’re unlikely to subscribe to a bank’s social-media feed if you don’t hold an account with them – and on Twitter, where you don’t even need to be a registered site user to view details of who is following a particular account, the High Street banks’ feeds are a potential scammer’s goldmine. True, a list of followers will only give you a list of Twitter account names: but, obligingly, a significant number of Twitter users include their real names on their publicly accessible profile pages, sometimes with a link to a personal website which will contain contact information: some users even include email addresses and phone numbers on those public pages.

Worse – from a security perspective – most banks also operate helpline-style Twitter accounts, where users publicly out themselves as customers, often of products including mortgage, insurance and share-dealing services as well as just ordinary current accounts: and while conversations requiring detailed information are conducted via email or private Twitter direct messages, initial queries are asked and answered in full public view.

In the real world, someone wishing to target you for banking fraud would either have had to have sold you something and have you give them a cheque to know where you banked, or followed you up and down the High Street on the off-chance you might visit your local branch. Following your bank on Twitter is like walking up and down that High Street wearing a t-shirt emblazoned with the name of the bank; Tweeting a question to your bank, from a Twitter account that includes your email address, is like walking around in that t-shirt, and with a flashing neon sign fixed to your head saying “Please rob me”.

The criminals clearly prefer to spend their time counting the loot, not finding more effective ways to raise it – and for that we should be thankful. Because, in their enthusiasm to embrace the new opportunities for customer engagement that social media provide, our banks are giving criminals an unprecedented opportunity to improve their phishing success rate. Clearly the banks’ market research has told them that no new method of customer interaction should be shunned: and to the average internet user, who thinks anything free and convenient is to be applauded, a bank refusing to embrace social media will look out of touch. But by encouraging customers to publicly reveal information about the products and services they use, banks are playing a dangerous game – undermining security to promote customer dialogue seems a curious business decision for an industry that relies, more than most, on protecting its clients’ data.

* Angus Batey is a freelance journalist who has covered cyber defence and data security for titles including the Sunday Telegraph and Digital Battlespace. He doesn’t follow his bank on Twitter.

Privacy is always better through sepia-tinted glasses


Instagram has done one thing well. And no, it’s not turning HD 8MP snaps of man plus dog’s meals into Polaroid-esque travesties of blurriness, reminiscent of ’70s snappers. What the photo filter app-maker (or photo-sharing and social-networking service, if you sign up to marketing hyperbole) has done, though, is highlight that there isn’t a total sense of apathy and disinterest in security and privacy amongst the greater public; they just need something to care about – a sepia-toned champion, if you will.

As word of a renewed privacy policy swept across Twitter, Tumblr, and Pinterest, the cool kids were up in arms, albeit under the duress of coattail-riding ‘celebrities’ like Kim Kardashian (a more orange- than sepia-skinned hero, granted, but we take what we can get). How can you not own a photo you took on your own phone? There is one school of thought here that rationalises the situation – you own the unaltered photo which you took; but as you’ve over-exposed/scratched/generally ruined it with their app, the output belongs to Instagram. By their logic, any image manipulation produces a new photo that is the property of the editor. That’s the kind of proprietary nonsense that even Apple’s legal team would turn their noses up at. This isn’t something anyone wants – my HTC has similar filter editing built in, and plenty of HDRs and digital cameras do their own image and balance correction on-device. Whilst we’re on the subject of what you can do ‘on-device’, in what world did Instagram think it was a good idea not to let users take pictures offline? Seriously?

Despite what Instagram, Zuckerberg, or anyone else claims the true intention of the shift was, the subsequent backtrack was unsurprising both in its speed and scope of the policy turnaround. For a company fresh off the back of a $1bn acquisition and enjoying the associated buzz of riding the crest of the Facebook wave, the whole move was a PR disaster and the damage has already been done. If you believe some news outlets, the app has lost half of its daily user base as a result of the debacle, and competitors have stepped up to try and fill the ‘vintage filter’ void.

But is it fair to blame companies like Instagram, YouTube, Facebook, et al for trying to monetise their offerings? After all, they host literally petabytes of users’ content. It isn’t just servers that cost, but staff, cooling, and ground rent. And really, what were they going to use those pictures for? Which third parties were they hoping to sell them to? As nice as that shot of a sun-drenched deckchair on Brighton beach is in black and white, it’s not like stock photo repositories are going to be teeming with low-res shots of your shenanigans for sale. Let’s face it, Instagram got jealous of Facebook and LinkedIn with their user content advertising, and got caught up in the ‘we should be doing that too’ mentality that is synonymous with social media… except they forgot to offer an opt-out like those other bastions of user privacy (eventually) did.

So there’s one very important lesson Instagram has given us – users care about privacy and security when they have a vested interest; if it’s something they use out of choice rather than necessity, they are more than ready to get up in arms about it. Well, actually, there are multiple lessons, but if there’s one more fortune cookie of wisdom here… it might be best to explain the purpose of a policy before rolling it out, even if it’s just for awareness, hearts, minds, and warding off mutiny.

One Acronym to Rule Them All…


It seems that maybe MDM (Mobile Device Management) isn’t the most effective solution to an issue as broad and undefined as BYOD (Bring Your Own Device), although it certainly is a simpler one. At a recent CISO panel, Andrew Yeomans, a board member of the Jericho Forum and regular attendee of the RANT event for end user security professionals, was amongst other senior figures in the industry calling for a more effective and rounded solution.

Since the iPhone and G1 came along and convinced us all that PDA owners were on to something after all, the issue of secure mobility has arisen beyond the need to encrypt laptops and USB sticks. This has troubled CISOs and Information Security Managers who are reluctant to tell their CEO “no”; after all information security is positioning itself as an enablement function now. So how do you tackle the problem of making a consumer device, with little inherent security, sufficiently resilient to hold sensitive or regulated corporate data?

It seems that at one point, about 12-18 months ago, MDM was a possible solution; now it is often heralded as the only solution. So what’s the problem, other than that licence fees from some vendors can reach towards £100 per device, and that’s without support or server costs… and, of course, the additional strain on already understaffed security departments?

So why might MDM be the great info sec white elephant of 2012/13? The main difficulty all security controls encounter is user resistance: if something isn’t intuitive or streamlined it will often be circumvented. MDM may sound like a good blanket solution, but it is addressing Bring Your Own Device, and therefore its presence on a personal smartphone or tablet is incredibly intrusive. It harks back to the darkest days of Draconian approaches to information security and risk management. To do the job properly, MDM needs to lock down the full device, and in doing so it impacts the user experience.

MDM is one solution to fit them all. Fine, your product covers iOS, but is it compatible with the iPod Touch/Nano and the latest iPad Mini too? Yes, you do Android, but does that cover Froyo, Gingerbread, ICS and Jelly Bean? And what about every manufacturer’s Android OS overlay: will it work on employees’ HTC, Sony Ericsson, Samsung, Motorola, LG, Huawei, ZTE, Acer, Asus, Dell and Panasonic handsets? Then there’s the Nexus and Kindle ranges. Fragmentation is a huge problem, not only for compatibility but also from a functionality and support perspective. And what about reporting: how do you manage so many disparate devices, and where do you begin with e-Discovery?

Other acronyms don’t necessarily fare any better. MIM (Mobile Information Management) is also troublesome from a security and monitoring perspective, and MAM (Mobile Application Management) is again difficult for the user to adjust to: there’s a sacrifice of native apps and a whole new aesthetic and ecosystem to acclimatise to. The idea of MAM through SDKs and API wrappers, features recently announced by both AirWatch and Webroot, will likely turn out to be the most effective solution in the long term.

As it stands, for many MDM is too obtrusive a solution for personal devices and much better suited to locking down corporate mobility assets. We’re on the right path, but there’s a lot of work to be done in balancing security, impact, and usability. Come to think of it then, BYOD is just like most other security concerns CISOs have encountered over the last decade.

History today – BYOD and the need for a smartphone policy

We all live through history. Seminal events, big changes in life, landmark breakthroughs and the like, however noteworthy, come to have a greater significance in the future, seen from afar, analysed, placed in a wider context. Like when the internet came – some of us remember hearing about it at school, a teacher remarking you could use it at lunchtime, but that was time for gossiping and kicking a football about. We didn’t know how important it was. It was just something new.

Needless to say, the internet has, in its relatively short history, come to transform life on earth radically. We look back at the days of dial-up and bland, static pages of content, and we see primitive beings working out how to exist within the confines of this new medium, and it’s rather sweet, like children’s scribbles. And then one day, that scribble begins to take shape and an artist is born, shifting paintings worth millions of pounds. Back then it was just another picture; who would have known how important the work was? History allows us to assess it.

What will they say of BYOD (bring your own device) in five or ten years’ time? Was it a fad, a stroke of genius or an inevitable consequence of the mass proliferation of powerful portable and handheld devices, the stuff of which was unimaginable a decade ago? It’s hard to say; this history is for those writing in the future. To us, whether working in an information security or risk management setting, BYOD is just something that happened, like flexible working. It wasn’t a black-and-white thing where one day it wasn’t there and, bam, the next day it was… it evolved.

Whatever your sentiments, it is definitely part of the discourse. And so we stick to the present with this blog. BYOD is of a very open, complex and multifarious nature, meaning it is predisposed to any number of security issues. Smartphones in particular, because of the sheer volume of data, traffic and work conducted on them, are increasingly becoming part of the regular apparatus at work, yet policies governing their use are lax.

According to Darrin Reynolds, vice president of information security at Agency Services in New York, one of the key things is to have a policy in place and for it to be communicated in as simple a manner as possible, or as he puts it, for it to be written in “crayon”.

In an interview with SearchSecurity.com, he explained the canons that govern his organisation when it comes to BYOD and mobile phones.

“The rules are you can use any device you want, but if it is going to support or receive corporate data then you have to play by our rules,” he elucidates. “Our rules are: you have to have a [personal identification number] PIN; it has to support a code lock; it has to have an auto lockout feature; it has to support encryption; and it has to support remote wipe. We kept it really simple to those four things.”

And that’s it, he says, no additional security measures. He may well be correct in surmising that those four methods of security – which are top notch, by the way – are enough to keep fraudsters and cyber criminals at bay, but, if history tells us anything, it’s that nothing stays static for long. In technology, what is new, what is current, is immediately yesterday’s news. More measures will have to be developed, either proactively or reactively, when the time comes. History repeats itself, albeit differently.

The threat to modern vehicles in the digital age

The German Karl Benz is the man who invented the modern car. Starting a blog with such a statement is bound to provoke some criticism, because it can easily be argued that he wasn’t. For example, Ferdinand Verbiest, a Flemish Jesuit missionary from the 17th century, is a legitimate contender as the modern car’s founding father. You can go even further back and make the case that Guido da Vigevano, an Italian inventor, came up with the original concept in the 14th century.

Whatever your sentiments, from wind-powered four-wheeled devices to engine-powered open-top vehicles like the Benz Velo Model to today’s computer-powered behemoths, the evolution of the car has been unpredictable.

For computers to have ever been associated with vehicles in the way they are today would have been thought unimaginable, both from a technical and an aesthetic point of view. But normal laws do not bind technology, so to speak – it develops in a fashion that is often hard to predict. Where will we be in 20 years’ time? We can estimate, but chances are it’ll be different.

“We are living in a world of incredible modern conveniences,” begins McAfee’s 2011 report Caution: Malware Ahead – An analysis of emerging risks in automotive system security.

“Computer chips, embedded in all aspects of our daily lives, have made it possible to have access to all kinds of information when and where we need it. Through internet protocols, these once dumb devices can now communicate with you and with each other in amazing, unprecedented ways.”

The report goes on to discuss embedded systems and how historically information would only travel in one direction. Today it’s a two-way structure and these systems have become part of the very fabric of modern motors.

Consequently, they need security measures, which by natural deduction, implies they can be hacked into. It’s an unfortunate by-product of an era defined by gadgets, technology, the digitalisation of all sectors and the want to be connected. Convenience too is a big driver – pardon the pun – in the technological modifications made to cars.

We want to have the ability to start up a car using a smartphone, to have GPS systems integrated and hooked up to the web to provide ongoing, real-time updates and for our cars to have intuitive programmes that can respond to incidents quicker than us. What we want is what we get.

The worry, McAfee’s report states, is that little has really been done to provide security for these mod cons. When someone else can control your car, the risks become all too clear.

“The first remote keyless entry systems did not implement any security and were easily compromised: a regular learning universal remote control for consumer electronics was able to record the key signal and replay it at a later time,” the report says.

Security professionals working in information security and risk management will agree that these kinds of shortcomings need addressing. Indeed, as research has categorically pointed out, this allows for malicious software and hardware manipulation to become a regular feature of car crime and car theft.

It’s a fascinating area that is becoming ever more pressing the more sophisticated cars become, and thus the need to develop complex and secure safety systems to protect vehicles will become a bigger area of responsibility for some cyber security professionals.

Technology has had the ability to transform the one-time wind-powered vehicle into a titan of comfort, entertainment and drivability. Let’s keep it that way with in-car and remote security modernisation, now and in the foreseeable future.

Innovative protection for Android devices

Things move apace and before you know it you’re living and working as an information security & risk management professional in a city from a futuristic Hollywood movie. The kind where you work with documents virtually, scanning them in the open air with your fingers. The kind where everything is voice activated. The kind of world where face recognition technology unlocks doors, cabinets and vaults – digitally and real.

That world, so to speak, is now, or at least we’re on the periphery of a new digital age as imagined many years ago by thinkers, futurologists and philosophers.

In terms of protection, on Android devices specifically, we’re already somewhere exciting. As we discussed in a previous post, the threats to Android smartphones are very real, and threats to cyber security are an ongoing risk which must be met with innovative ideas.

Take, for example, Google’s new ‘face unlock’ feature on the latest Android devices packing Ice Cream Sandwich (4.0), a self-explanatory phone locking system which fundamentally does away with PIN numbers and replaces them with the owner’s face. While it is still in its infancy, it is a system which is yet to be fooled – photos of the owner return a negative response.

Unless you are inclined to get the latest Nexus, however, you won’t yet be privileged to ICS and such features. In the meantime, then, let’s discuss what security measures are out there right now.

One of the most interesting developments is using GPS to track a stolen smartphone and not only remotely trace it, but allow important and sensitive data to be wiped. Consider the free app Remote Phone Lock&Track, which allows you to do a range of things, including wiping all internal memory and memory from an SD card, and helps locate the device. HTC have built a similar function into their Sense overlay.

Another free app is the LBE Privacy Guard (root required), which helps negate the weaknesses that come with an open source platform. It works in a similar vein to an interactive firewall, whereby every app you install is thoroughly scanned and then listed by the number and types of permissions it requests – thereby giving you the power to block those which are unnecessary.

Encryption – a powerful word in information security, forensics and governance. One such platform is WhisperCore, which basically encrypts all the data on your device, so should it go missing you can rest assured that your data is safe. And because WhisperCore integrates with Flashback, you can send your data to the cloud – encrypted.

Given the number and variety of threats out there, this is only a brief introduction to the kinds of security measures available to everyone and every business operating off smartphones that run Android as their operating system. It’s an exciting new age for anyone involved in technology. For every malicious piece of software out there, there’s an equally stringent defence mechanism to counter it.

The battle lines are drawn.

Read more about LBE Privacy Guard and Android security in general in the Acumin white paper: http://www.acumin.co.uk/cm/content/resources/white_papers

Threats Facing Android

In a very recent article on PC World’s website, Eric Geier wrote that 2012 will see a rise in information security threats, aided, in part, by the ubiquity of mobile devices – smartphones, tablets and laptops for example – as well as the growing and sustainable popularity of social networks. Cybercrime is going to become a very pressing issue indeed.

Moreover, a new study by McAfee suggests that Android is now the number one attacked mobile platform out there.

With that in mind, we thought we’d give some of you professionals working in forensics, governance and compliance, and information security and risk management a lowdown as to some of the major threats – and vulnerabilities – facing devices using Android.

Third party applications are one of the best things about using Android – the open source nature of it allows for widespread innovation and development, providing consumers and businesses alike with a huge variety of choices. Naturally, established names imply a certain level of tacit trust – you’re confident that you’re getting a reliable product – whereas unfamiliar names bring a level of uncertainty – you’ve got nothing to weigh it up against. Because the open source environment is defined by the sheer volume of developers and products out there, it can be a tough maze to navigate through.

Similarly, Google’s own casual mantra, its guiding company philosophy of openness and close collaboration, though commendable, brings certain obvious weaknesses that are, in comparison to, say, Apple, a major shortfall. Take, for example, the verification process for applicants wanting to enter the Android market – in the last two years a number of apps, approved and available to users, have come with malware infections. This is a major area that needs addressing.

Other things to be wary of include privacy settings. Though we may live in an age of ‘over-candidness’, where people reveal odd little titbits on sites like Facebook and Twitter, privacy is still a right worth protecting. However, in some cases, there are transparent weaknesses already built into certain devices. HTC devices, for example, automatically geo-tag photos and Tweets – you actively have to disable this feature. Consequently, other devices alleging localised services could, rather worryingly, sneakily utilise GPS permissions for location tracking. And of course there is the much publicised data collection and exposure on the company’s Sensation and Evo range.

One of the biggest risks is the easy access to a virtual private network (VPN), which many businesses and employees use remotely, providing an easy mobile working environment. This is great for increased connectivity and for promoting flexible working, but it is also a route for cybercriminals to infiltrate corporate networks surreptitiously and either introduce corrupt software or thieve important data.

The threats are very real, but there are measures in place to help protect Android users. We’ll be discussing that in our next post. In the meantime, for further reading check out the Acumin white paper on Android security: http://www.acumin.co.uk/cm/content/resources/white_papers

Open source Android a target for cyber criminals

The smartphone revolution was always inevitable if we considered Moore’s law as indisputable fact. To abridge a very fascinating and somewhat complicated branch of philosophy coupled with technological discourse, Moore’s law relates to the idea put forward in 1965 by Gordon Moore, Intel co-founder, that the number of transistors on a chip would double every 24 months.

Simply put, this would result in technological devices being smaller, more intelligent and powerful than their predecessors. So far so good, this could be a near-enough description of how things have panned out nearly 50 years on from that now prescient statement.

With smartphones coming to dominate the lives of everyone from bankers, to social networkers to information security and risk management professionals, these devices, like their cumbersome ancestors, are vulnerable to – or at least victim to – cyber security breaches.

Google’s Android operating system, which is at the forefront of the smartphone market – it’s available on a wide range of devices at competitive prices – is one which is being most visibly targeted. At any given time there are 40,000 infected devices across the globe, which goes some way to show how serious the problem is for Google.

It comes with the territory – Google, though famous for its adage “don’t be evil”, has grown into a huge multinational corporation with a massively diverse portfolio of operations. Many of which are free, many of which are predicated on the idea of collaboration. This is especially the case with Android, which is based on an open source philosophy – which allows people the freedom to modify, change and improve existing programs.

This leaves it naturally vulnerable to those seeking to use it for far less noble goals – rootkits, Trojans, botnets, you name it; all of this is able to, in some way, immerse itself into the Android operating system. An apt description of this is the commercialisation of mobile malware, meaning smartphones are now prey to malicious and manipulative rogue software like SpyEye.

That’s just a brief introduction to the current state of play in the growing prevalence of cyber security threats on mobile devices. In the last year alone, 20 per cent of cyber crime in the United Arab Emirates occurred on mobile devices.

With smartphones fast becoming a part of everyday business, adopting risk management procedures to counter this is going to be an important part of the daily rigmarole.

In our next blog, we’ll look at some of the major threats and vulnerabilities on Android devices.

Download the Acumin white paper on Android Security from here: http://www.acumin.co.uk/cm/content/resources/white_papers

What are you and your organisation doing about Android security?

At the RANT Forum (Acumin’s monthly information security networking event), attendees often complain that they are playing catch-up to cybercriminals. It is the bad guys that define the market; they are at the cutting edge as they try to find vulnerabilities, attack vectors, and exploits that will allow them to break into a network. It is difficult enough for the CISO and Info Sec Manager to ensure that they are recognising and mitigating the appropriate risks, let alone trying to factor in emerging threats such as zero days and second-guess the nature of the next generation of hack attempts.

This idea of playing catch-up in IT security also extends into new technology areas; the corporate line often requires some maturity before implementation of new products. This has not necessarily been the case with smartphones. By smartphones I refer here not to the old school PDA-type devices we enjoyed at the turn of the millennium – my guilty pleasure on that one is here! Rather I mean the combatting trinity of iPhone, Android, and Blackberry… sorry WinMo7, you are underappreciated indeed!

There must be few technologies that have been so rapidly integrated into the corporate environment, let alone being driven by users. Early adopters usually spend hours going blue in the face trying to explain why gadgets like the Psion Series 3 are the ‘next big thing’; with the emergence of shiny and gimmicky apps, the ‘Wow factor’ of the modern smartphone has spread like wildfire (not the HTC Wildfire, which would spread slowly due to an underclocked and underspec’d CPU!).

So, when the CEO (or his/her designated errand runner) knocks on the door of the info sec team, it is a brave IT Security Manager who will cautiously lean out from behind the firewall cluster and inform them that the proper security controls haven’t been developed and implemented yet to let the boss’ new toy run riot on the network. So what do you do?

We find the information security industry, both in terms of vendors and internal security, looking to develop protective measures for what is essentially a pocket computer (a proper one with RAM and CPU to match the claim, as opposed to this.) With such rapid technical innovation in terms of hardware and software it is difficult to keep abreast of emerging threats and how to counteract them.

Android probably stands as more of a challenge than the iPhone here – its users are typically more technical and are allowed greater freedom by the OS to chop and change. This means that control becomes difficult, especially with the wide number of devices and various incarnations of the operating system. The iPhone, with its proprietary nature, is an easier beast to tame. So if you’re looking to find out more about the threat landscape on Android, as well as some of the potential vulnerabilities and counter actions you can take as both a personal and business user, take a look at the Acumin white paper on Android Security.

– Ryan Farmer

rfarmer@acumin.co.uk