Mobile working: Protect your buzz

Feature by Barry Mansfield

What are the real risks of mobile working and how can you address them? Barry Mansfield separates the myths from the facts

What are the real risks of mobile working and how can you address them? Barry Mansfield separates the myths from the facts.

The move towards remote and mobile working seems unstoppable. A survey of British companies carried out earlier this year by analysts Pulstracker found that nearly a quarter of the organisations questioned considered more than half their staff to be mobile workers.

Yet, security breaches involving the theft or exploitation of a mobile device or removable media are rarely out of the news. For example, in January Marks & Spencer was reprimanded by the Information Commissioner's Office (ICO) following the theft of an unencrypted laptop from the home of a contractor that contained the personal data of 26,000 employees, including information on pension arrangements.

According to Ian Kilpatrick, chairman of security infrastructure solutions specialist Wick Hill Group, today's high-performance, low-cost solutions "make it impossible to justify not encrypting laptops and USB storage devices". He describes static passwords as "woefully inadequate" and sees two-factor authentication as a basic requirement to ensure the identity of the mobile user, whether they are remotely connecting to their company data using a virtual private network (VPN) or logging on to their work laptop or PDA.

It is hardly surprising that VPNs are an attractive target for hackers. Remote-access VPNs often allow full access to the internal network, while VPN traffic is usually invisible to intrusion-detection monitoring tools. It's a worry that VPNs secured using Secure Sockets Layer (SSL), for example, can be vulnerable to simple denial-of-service (DoS) attacks mounted against their TCP connections, which are inherently unauthenticated.

Public WiFi also has some security vulnerabilities, for example "evil-twin" attacks, where criminals set up a computer to transmit a signal that turns the PC into an access point, or WiFi hotspot. It is possible to give the hotspot a legitimate-sounding name such as "T-Mobile Hotspot" to fool unsuspecting surfers.

While the victim surfs the web, the criminal can view their email and track the sites they visit. The fundamental problem is that when internet users are connecting in a public place there is no way to discriminate between a legitimate and non-legitimate hotspot.

If surfers restrict their public internet use to web pages they don't mind a stranger reading along with them, an evil-twin attacker can do little harm. However, the question of how mobile workers can remain secure when using public wireless hotspots has been further complicated by a series of innovations in the industry. One of these is the rise of the free WiFi movement FON, which was kick-started in early 2006 by serial entrepreneur Martin Varsavsky and quickly became the world's largest WiFi network, with a total of around 300,000 hotspots online.

The premise of FON is that subscribers buy a cheap, subsidised WiFi router from the company, agreeing to open up 512kbps of their bandwidth for public use. In return they receive a username and password that enables them to use any other FON hotspot free of charge.

This may sound like a revelation for business travellers as it allows them to avoid extortionate hotel charges for WiFi, but it has raised concerns over just how vulnerable "Foneros" are when they use another subscriber's hotspot. Last year, Stockholm-based security expert Dr Fredrik Bjorck claimed that any person with a Fonera access point can spy on users accessing the internet in this way.

He said this can be done by changing the configuration of the Fonera, using a serial cable to connect the computer to the router. The new configuration might be used to store the traffic information of users - for example, who they email, what they write, which sites they visit, their password for online banking or phone numbers called with VoIP applications. "This information could instantly be forwarded anywhere in the world," warns Bjorck.

He admits that FON has worked to make this scenario more difficult, as the routers are patched regularly for security problems from the FON website, with new updates made automatically the first time the router is hooked up to the web. However, security vulnerabilities are found regularly, so FON's story is "the traditional race between hackers and security pros."

In April, security think tank GNUCitizen discussed a flaw it identified in the UK's most popular home broadband router. By default, the BT Home Hub, which is manufactured by Thomson/Alcatel, uses a weak algorithm to generate WEP (wired equivalent privacy) keys for locking down a WiFi network.

But the research also affects workers using the much more robust WiFi protected access (WPA) to secure their BT Home Hub. Because the algorithm uses a predictable means to determine the WPA, an attacker can easily work out the pass phrase should the default encryption key value be used.

Elsewhere, lawmakers are concerned that some methods of mobile communication are in fact too secure for their liking. Research in Motion's BlackBerry smartphone made headlines earlier this year when it emerged that the device had raised fears over national security in India, due to the fact that the company's proprietary encoded transmissions were impossible to monitor. However, in March the country's telecommunications secretary dismissed talk of a nationwide ban and confirmed that four Indian operators had agreed to cooperate with the government by keeping logs of messages sent to or from BlackBerry phones.

In any case, IT managers in the UK can rest assured knowing that all email and data transmissions between their handsets and the BlackBerry Enterprise Server (which sits behind the organisation's firewall) are encrypted messages.

There is some uncertainty over mobile phone viruses, however. F-Secure's warnings over mobile malware back in 2005 were treated with a pinch of salt by many; Sophos' senior technology consultant, Graham Cluley, famously declared that there was "more chance of being hit by a grand piano than by a mobile-phone virus".

The case of the missing viruses

Three years on, little seems to have changed. Although around 400 viruses have been identified so far, many of these are classed as proof of concept, meaning they were developed by researchers rather than criminals. Perhaps the most innovative to escape into the wild so far has been Commwarrior-A, the first known mobile virus capable of replicating via MMS messages, which captured the world's attention in March 2005.

Outbreaks of the virus, originally targeted at Symbian Series 60 smartphones, have since cropped up at a Live8 concert in Germany and at the World Athletics Championships in Helsinki.

An MMS virus could potentially spread as quickly as an email worm, but the only real damage Commwarrior-A can cause is to the mobile user's phone bill - the cost of the MMS. The recipient must accept the Commwarrior download for their phone to become infected; the virus uses more than 20 different messages to lure users into downloading the software, from fake Symbian software updates to pornographic images. Despite all this, Commwarrior failed to result in an epidemic.

MobHappy blogger Carlo Longino has criticised the information put out by mobile-security vendors that seems intended to scare people into buying their products, claiming that they attempt "to whip up a frenzy by playing on people's experiences with viruses on their PCs, then ignore the reality that it's actually quite difficult to get a virus on your mobile phone". Longino points out a recent vendor release, from March this year, which claims three quarters of mobile phone users are aware that malware can infect a mobile device via Bluetooth, but still opt not to install security software. "Maybe that's because people realise they don't need it, and that the threat is largely an invented one?"

Statistics from wireless informatics firm WDSGlobal would appear to back Longino's view. The company handles around 300,000 mobile data support calls per quarter on behalf of major operators on five continents. Of these, it found that only around 0.004 per cent were related to a mobile-phone virus or a perceived virus infection.

Symbian OS 9, implemented behind S60 third edition and UIQ 3, has been deployed in millions of handsets for the past two years, even though there's not one virus for either platform. Symbian OS 9 introduced platform security, meaning any functions that could be used to spread malware or damage the device were restricted to Symbian Signed applications. As one security professional puts it: "Why would hackers waste time targeting well-protected Symbian phones when PCs without patches are waiting for them in the millions? If you can plant a Trojan on a PC it's very easy to make money by renting it out as part of a botnet to spammers."

Yet, many Symbian fans are happy to defend the anti-virus vendors. One blogger from All About Symbian points out that viruses are only a small part of the malware problem: "There is at least one Symbian Signed application out there that allows somebody, if they install it on your phone, to listen to your calls, read your text and MMS messages and find out where you are using cell ID or GPS."

FlexiSpy Pro5 spyware, which is available for purchase online at just £25, does most of this. According to the FlexiSpy website, "Even when the phone is not in use, you can remotely activate the microphone and listen in on non-call conversations. Of course, the legality of this falls in a grey area." An intruder would need access to your phone to install this application, but people often leave their phone lying on their desk while they go to meetings.

It seems likely that the greatest slip-ups occur when mobile workers make a poor assessment of external risks unrelated to the technology itself. "The danger is there, in the guy sitting next to you on the train, or peering over your shoulder in the canteen, when you fire up your laptop," says Tony Lock, a security analyst at Freeform Dynamics. "That's what screen privacy protectors are for. But my point is that the key to good security is staff training. There's no technological silver bullet."

The problem with mobility, he adds, is that workers enter into a somewhat lackadaisical mental state when they are speaking to colleagues on the phone or using a laptop. They are less aware of their surroundings or the appropriateness of their actions in relation to their environment. "I was sitting on a train recently and a business executive from a large IT company, which I'm very familiar with, was on the phone, loudly discussing a round of redundancies before they had been officially announced," he says. "And this was in an open carriage."

WHAT NEXT? The future of remote working

Dr Fredrik Bjorck of Stockholm-based consultancy Vicente estimates that, within a year or so, nearly all USB drives will have built-in hardware encryption - and that organisations will require this protection.

When it comes to securing laptops, Bjorck foresees two separate developments: high-grade full-disk encryption, since file encryption leaves too much unencrypted information in temporary files; and greater corporate use of "thin clients", where no information is stored on the laptop. In northern European countries this will be made easier with the ongoing improvements to high-speed mobile networks based on HSDPA (high-speed downlink packet access), which will eventually offer up to 14Mbps downstream, and long-term evolution (LTE), which could take this to 250 Mbps in several years' time.

"The mobile device becomes just a temporary looking-glass for data stored on central servers," explains Bjorck. "Yes, history repeats itself - back to the good-old terminal times."

He stresses that mobile viruses could become a problem in future. "With old POTS systems and new VoIP-based fixed and mobile services, there will be many, many vulnerabilities to exploit," he says. "I think we will see viruses making many calls using captured SIP-credentials or VoIP logins. Let's say a virus spreads across the world and then, one day, it starts to call ordinary phones."

Tony Lock, a security analyst at Freeform Dynamics, points out that information and knowledge - in other words data - has been in demand by people and organisations with a legal right to it - and those without it - since the beginning of time. "Technology will change, but human error will always play a starring role here. There may well be problems with VoIP in future, but a simple notepad containing minutes of a confidential meeting, if it's just left around or mislaid for an interloper to pick up, can cause just as much damage to a business."

CASE STUDY: Sony Computer Entertainment

Sony Computer Entertainment Europe (SCEE), based in London, is tasked with the distribution, marketing and sales of PS one, PlayStation2 and PlayStation Portable (PSP) software and hardware in more than 100 territories across Europe, the Middle East, Africa and Oceania. The firm also develops, publishes, markets and distributes games software for all three formats and manages third-party licensing for these platforms.

SCEE opted for PGP Whole Disk Encryption with the goal of securing enterprise data and complying with international data privacy and financial accounting regulations. Mobile computing features strongly in the company's culture, and SCEE used the PGP product to secure the laptops of 1,100 employees in nine countries. PGP Whole Disk Encryption is centrally deployed and managed, preventing users from circumventing it.

"In achieving compliance, the encryption of mobile computers was of course very high on our list of priorities," says Simon Leggett, SCEE's European technical services manager.

Now, all data is encrypted, including often overlooked temporary, hibernation and system registry files. PGP enforces preboot authentication, ensuring only authorised users can start up protected systems. Optional two-factor authentication with hardware tokens provides an additional level of protection. Built-in anti-keylogging capabilities prevent any passwords or login data being captured by malware.

If users forget their password, helpdesk or administrative staff can use PGP Universal Server to provide them with a one-time-use password for immediate system access. Once this has been used, a new recovery password is generated and securely stored on the PGP server.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events