Can your Employer Wipe your Phone?

A survey released today indicated that 70% of employees would not use their personal devices for work if they knew their employer could remotely wipe or lock that device. 70%! It is clear that employees are beginning to recognize that simply downloading work email onto a personal phone, tablet or laptop means the enterprise will want to secure that information, and that this is often done in an overbearing way that intrudes on their privacy. Not that enterprises are trying to interfere with their employees' privacy; they are simply trying to protect their data in any way possible, and in the past most MDM (Mobile Device Management) solutions have been like a linebacker knocking over a toddler to get the ball.

Eweek.com reported that “more than 75 percent of enterprises in the survey were unable to meet eight out of 10 of their current top security requirements – this was combined with the fact that only 11 percent of employees are aware of the current level of enterprise control over their device.”

So what happens as more and more employees become aware of how tightly their personal devices are being controlled? Non-compliance, which leads to exposure of sensitive data, which can of course lead to disaster for the enterprise.

The study of 1,000 IT professionals and 1,000 employees, conducted by research firm Harris Interactive, found that 83 percent of staff would stop using their own device, or would keep using it only with deep concern, if they knew their employer could see what they were doing at all times.

So what's the solution? Enterprises SHOULD protect their data on devices that leave the office, but the level of intrusion on an employee's personal device needs to be kept in check too, so that employees do not feel spied upon and actually comply. The first step is to use a product or service that applies the minimum control necessary; in many cases there is no need for an enterprise to monitor which websites employees visit or which games they install. Keep the enterprise's data separate (sandboxed) and manage that container: company data can then be wiped or locked without touching anything else on the device. It is really the management of the DATA rather than the management of the device. The second step is discussing these policies with employees, so that they know exactly what the policies entail and how they affect their personal devices. Engage your employees in the solution rather than thrusting it upon them.

Yes, these email policies ARE necessary. But they don't have to infringe on your rights: there are solutions (our own Cockpit, for one, and likely others in the future) that are cost-effective, keep company data safe and maintain your privacy. Win-win!

Protect yourself from the iOS and OS X security bug

The news over the last few days about Apple's security bug is alarming. While we tend to hate the media's scare tactics when it comes to tech “news,” we do believe that when it comes to mobile security, and especially in this case, there is far more harm in waiting than in updating your iPhone, iPad or MacBook right away.

The bug lets an attacker insert themselves into the initial verification handshake between your device and a server (the classic man-in-the-middle attack): the affected SSL/TLS code on iOS and OS X fails to check the server's signature during the key exchange, so a bad guy on the network path can pose as a trusted server instead of being rejected as an impostor. All those connections you see as secure and encrypted (your bank, your child's school portal, email and so on) are therefore open to interception and possible theft of sensitive data such as your family's details, your bank account numbers, and more.

Ashkan Soltani, who writes frequently about mobile security, explains on his blog:

The severity of the problem doesn’t immediately come across in Adam’s blog post, but it’s pretty huge. Effectively, this vulnerability allows a moderately sophisticated attacker to monitor your communications with even the most secure sites and services. Specifically, many of the core programs on iOS and OS X rely on this library for communications, which means ANY app that relies on this library (not just Safari) was vulnerable. For example, when your Calendar or Mail.app synced to Gmail, those communications were vulnerable to eavesdroppers on the network as a result of this error.

[Image: apple-gotofail-apps, from ashkansoltani.org]

The iOS fix for iPads and iPhones is out now, so if you use either device we highly recommend installing the update right now. For Macs no OS X fix is out yet, so we recommend NOT using Safari until there is one; use Firefox or Chrome instead, which ship their own SSL code rather than relying on Apple's affected library. Keep in mind that this only covers web browsing: as the quote above notes, Mail, Calendar and any other app built on the system library stay exposed until Apple ships the OS X update, so avoid untrusted Wi-Fi on the Mac in the meantime.


Securing your Email with S/MIME

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, with tutorials to follow on how to set up S/MIME in TouchDown on iOS, Android and Mac. Check out today's tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. Today I'll describe how to import and use S/MIME in TouchDown for iOS. With it you can sign messages, proving that you are the person who sent a particular message, and optionally encrypt them, so the email is readable only by the recipients it was encrypted to. Signing gives the recipient assurance of origin (non-repudiation) and lets them detect any tampering with the message; encryption prevents anyone but the intended recipients from reading it. This is great for keeping your email safe and making sure information is coming from the right source. (For more on how S/MIME works, here's a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email you need the recipient's public certificate, and vice versa; TouchDown picks these up and verifies them when that person sends you a signed message. Here's what you'll need before you get started:

First, you'll need a certificate for S/MIME and the latest version of TouchDown. To get a certificate, contact your IT team. Keep in mind that the only two file types TouchDown accepts are .pfx and .p12 (both are PKCS#12 bundles holding your certificate and its private key). The bundle must include the complete chain up to the root certificate authority.

If you already have your certificate in Internet Explorer but need to export it to a file, here's how:

1. Open Tools (the gear icon) > Internet Options and click the Content tab.

2. Click Certificates and find the one you want to export.

3. Click Export. Make sure you choose the option to export the private key and to include all certificates in the certification path.

4. Choose a file path and save it.

5. Remember the password you set during the export. It is the only thing protecting the private key inside the file, so make it a strong one. If you have difficulty with this process, contact your IT team and ask whether there is another way you should be doing it. As with any operation like this, stay within your IT team's best practices so you remain in line with security policy.

6. Once you have your certificate backed up to a file, send that file to yourself as an email attachment, and you're ready to go. Because the attachment contains your private key, delete the email (and the copy in Sent Items) once the import on the phone is done.

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to ensure that I have my certificate for S/MIME, so I find the email with the attached certificate, and view it in the attachment list.

[Screenshot IMG_0007: the attached certificate; note the file type is .pfx.]

After downloading it, I tap the ‘I’ icon and choose ‘Import for both.’

[Screenshot IMG_0008: choose Import for Both.]

A password prompt appears.

[Screenshot IMG_0009: enter the password you set when you exported the certificate.]

After entering the correct password (this is the one you set during the certificate export from your browser; for help with this, contact your IT team), TouchDown tells you the certificate has been saved.

[Screenshot IMG_0010: saved certificate message.]

Now that I have a certificate, I'm ready to send the welovenitrodesk account an encrypted message:

I tap the tools/options icon and enable encryption and signing.

[Screenshot IMG_0011: tools icon to enable encryption and signing.]

[Screenshot IMG_0012: enable signing and encryption for the email.]

I send the email. If you see the message below, it means TouchDown does not yet have a verified public certificate for the recipient: you have not verified a signed message from them (and the certificate has not been pulled from the GAL, which also works if your company publishes certificates there). Remember how I said earlier that to send an encrypted email you need the recipient's public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, and a signed message carries the sender's certificate.

[Screenshot IMG_0016: Oops! The recipient's certificate is not available yet.]

I find the email where welovenitrodesk sent me the signed message and tap the lock icon.

[Screenshot IMG_0017: welovenitrodesk sent me a signed message.]

I tap ‘verify signature’ and it verifies.

[Screenshot IMG_0018: the signature verifies.]

Now I can send that encrypted message!

I send the encrypted message again, and this time it goes through.

Back in the welovenitrodesk account, which has its own .pfx imported (needed to decrypt) and my verified public certificate (needed to check my signature), I open the encrypted message and it decrypts successfully.

[Screenshot IMG_0020: the signed and encrypted email.]

Tapping the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding of how to use S/MIME with TouchDown for iOS. If you have any questions, feel free to contact us at iossupport@nitrodesk.com for iOS queries. Be sure to check in on Monday for Part II, S/MIME for Android. Thanks for reading!

Make BYOD a Win-Win

More and more, the BYOD (Bring Your Own Device) movement is taking over small, medium and even huge enterprises. At first it seemed like a win-win for smaller firms: employees got to use the devices they prefer and are comfortable with, and the business didn't have to shell out a ton of money buying a new device for each new employee. Employees could sneak in a Facebook post or check their personal email during working hours, and no one would be the wiser. While heads of IT departments everywhere freaked out (with good reason), CEOs and employees were happy, until the realization hit that the enterprise's sensitive data was now being carried out of the office onto trains, planes and automobiles. Not to mention cafes, movie theaters, bars... A logistical nightmare for IT departments trying to make sure no data leaks out anywhere.

MDMs to the rescue! Smart developers responded to this growing need by building all-encompassing, control-every-move-of-the-user's-device solutions, and charging a lot for this security. IT heads breathed a sigh of relief, and CEOs shortly followed, if only because their IT department heads were no longer complaining. However, now employees were unhappy, rightfully feeling that their privacy was being infringed upon. If Joe carries his own phone to the workplace and back home to do work, should the enterprise be able to control what he downloads? Where he surfs? What he takes pictures of? So the pendulum swung the other way: the controls are secure, but employees feel violated and therefore end up less compliant. Fewer employees use the required passwords, PINs and other security measures.

What’s the answer?  The middle, of course!

BYOD doesn't have to be a win-lose proposition where only the employee or only the enterprise wins. There are many options that let employees use their own devices while preserving the user's privacy. Enterprise data SHOULD be protected on a user's device, in its own safe, sandboxed compartment. Enterprises SHOULD be able to control that compartment, whether to access it, wipe it remotely, or check on its current state. That is all that is really necessary. There is absolutely no need to “manage” the rest of the device, only the enterprise's compartmentalized data. It's the data (and only the enterprise's data), not the device, that needs to be managed. It IS possible to make BYOD a win-win.


Another fix against Streak

As soon as we at TouchDown heard about Streak, we created an ‘Intervention against Streak’ so that TouchDown users would NOT have their emails tracked unknowingly. Meanwhile, across the pond (Wales, to be exact) @Lukeberry99 was working on a fix as well. Check him out on Twitter! I love it when the good guys work on shutting down the bad guys. In Luke's words, “Streak shouldn't exist.” We couldn't agree more! See our fix here.

Happy Valentine's Day, and happy private emailing.

Sochi, hacking (real or not) and how to prevent it

The opening ceremonies are tonight for the Winter Olympics in Sochi, and in this age of digital media there's already more attention on #sochiproblems (Sochi's lack of readiness and bad accommodations) and #sochihacking. While NBC's report of its own Richard Engel being hacked upon arrival may or may not be forthcoming about the details (read more about the controversy here), there is always a concern about the privacy of your data whenever you travel, domestically or internationally. So here is a short list of ways to keep your data from being hacked when you travel:

1. Do not download APKs or other files onto your Android device. In fact, just don't download or install anything you did not initiate yourself.

2. Sandbox your work data away from your personal data, so that a compromised app or a lost device does not expose both.

3. Do not use unsecured Wi-Fi; treat hotel and venue networks as hostile.

4. Back up your personal data so you can wipe your device if it becomes compromised.


Here at NitroDesk, we LOVE to protect your data. No, really LOVE. And since we also love the spirit of the Olympics, we are offering FREE (no strings attached) TouchDown licenses to any athlete at the Sochi Olympics, and to any journalist in Moscow or Sochi covering the games. How's that for Olympic spirit! Go focus on the games, and let your data be safe. Contact TouchDownSochi@nitrodesk.com with your full name and country (athletes) or your full name and journalistic credentials (journalists).

What happened with Target and what you can learn from it

So it turns out Target was allowing one of its maintenance contractors (an HVAC/refrigeration company) remote access to its network, so that nobody had to physically show up and log in to do efficiency updates; it could all be done remotely. This is quite common, and not a problem if you keep your sensitive systems separate from your non-sensitive ones.

See, hackers unfortunately are often quite smart, and can find vulnerable points of entry into a network, especially a shared network with several points of entry: find a way in other than the obvious, guarded front door, then follow it all the way to the goldmine of private data. This is what happened in Target's case. One of the HVAC contractor's workers had their login credentials stolen; the attackers used that access to get onto Target's network and moved from the maintenance side over to the payment network. They were able to install card-stealing malware on POS (point-of-sale) registers at various stores, and after confirming it worked and was NOT detected, rolled it out to most Target stores nationwide, stealing card numbers in real time.

Visa, MasterCard and the other card payment systems do not require that retail stores and other payment collectors keep their payment networks separate from their other operational networks, but it would kind of make sense, no? Payment collectors ARE supposed to require two-factor authentication for remote login, and it appears that Target did not have such a system in place for this vendor access.

Had Target kept its sensitive customer financial data separate from its less sensitive operational data, it could still have allowed remote logins without putting its customers at risk.

So the point is twofold:

1) Even as a small company (and Target is HUGE), do not be cheap with the security of your data, especially your customers' financial data. Yes, Target saved money in the short term by not investing in keeping its data separate and by not having a two-factor authentication system in place. But the huge financial cost of stolen data ALWAYS outweighs the smaller cost of preventing it in the first place, not to mention the larger cost that is not easily fixed: losing customers' trust.

2) Keep your sensitive data separate. And yes, this goes for you too. On your phone. On your laptop (yes, that IS a mobile device). On the iPad your kiddo plays with at the dentist's office or in the Target shopping cart while you shop.

Whether it's your own device, or you own a business and need to keep your enterprise's data safe, use software that helps you achieve that separation. With products as affordable as $20, why are you NOT doing this? Trust me, it will cost a lot more if someone steals your data or your identity.


Congratulations to AirWatch and VMware

Congratulations to Alan Dabbiere, John Marshall and all of AirWatch and VMware! The acquisition of AirWatch by VMware was officially announced today. We are super excited about this new chapter in the history of one of our favorite partner companies, and we look forward to continuing that relationship with VMware. It will be wonderful to see the AirWatch management team working closely with Sanjay Poonen of VMware. It's great to see an industry leader such as VMware adopt a solid mobile strategy through an acquisition like this, especially as BYOD just continues to grow and strategies for consistency and ease of use are a requirement for successful enterprises.