Security Market Segment LS
Thursday, 02 September 2010 17:32

Social networking and mobile devices call for right policies


IT infrastructure provider Dimension Data is advising its clients to formulate appropriate policies about the use of social networking and mobile devices.

Dimension Data senior security consultant Ed Luck said that Facebook presents "a massive attack surface." Part of the problem is that there are more than one million developers and entrepreneurs involved, and Facebook doesn't pre-screen apps - it waits until complains are received and then investigates.

The Facebook API presents multiple opportunities that can be exploited by malware writers. For example, the API is vulnerable to 'man in the middle' attacks between a client and a legitimate application server, and Luck also suggested that it wasn't a major challenge to arrange for the server behind one externally supported app to send a message to another unrelated app (spoofing).

"We have to live through the bad part of the [security] cycle before it stabilises," he warned.

Privacy is another issue, though one that doesn't seem to be taken seriously by most Facebook users. 89% of then use their real name, and 61% use an identifiable picture, Luck said. The problem for organisations is that information available via social networks can be used as an entry vector to internal networks. One example is that such information can be used for spearphishing or social engineering attacks - the more you know about someone, the easier it is to compile an email message that will appear trustworthy because it appears to come from a known source and contains subject matter that might be expected from that person.

Is your company likely to be attacked?, Luck asked. Maybe, maybe not - but he suggested that mining companies are a good example of organisations whose secrets are of great interest to competitors and to certain governments.

And developments like Facebook Places and foursquare reveal people's locations - very useful if you want to pickpocket a particular person's mobile device when they're in a crowded bar, or when you want to be confident they will be away from their desks for a certain period.

So what do you do? Please read on for some of Luck's suggestions.

Simply banning the use of Facebook and similar services is unlikely to be effective. Apart from anything else, the result of prohibition is isolation: if your competitors are engaging with customers through Facebook, where does that leave you?, asked Luck.

The trick, he suggested, is to get the balance right. Information that's open to misuse shouldn't be published unnecessarily, but excessive prohibition can be counter-productive and may be ignored. Acceptable use policies might reasonably include not wasting company time, and not being derogatory about customers. Such policies should also cover the use of personal devices.

Talking of personal devices, Luck described mobile devices - especially smartphones - as "a target rich environment." He noted the discovery of multiple Android apps that request more rights than would be appropriate for the ostensible purpose and then use them for nefarious purposes. The fact that an Android app given rights to read logs has access to information including SMS messages, GPS coordinates, browser history and more doesn't help.

Among other problems with Android are the way old versions of the operating system with less restrictive default permissions are still being shipped by some manufacturers, and the period of vulnerability introduced by the delay between Google releasing a security update and it being distributed by vendors.

Android's not the only problem, Luck suggested, pointing out that techniques used to jailbreak an iPhone can also be used to implant malware.

Non platform-specific issues include mobile applications that expose personal data by failing to erase temporary files after use, web sites that use URL-based session IDs (which can then be abused by malware), and 'split tunnelling' situations caused by tethering a phone to a computer to bypass the corporate firewall (which can open the door to a cross-site attack).



Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.



Some of the most important records are paper-based documents that are slow to issue, easy to fake and expensive to verify.

Digital licenses and certificates, identity documents and private citizen immunity passports can help you deliver security and mobility for citizens’ information.

Join our webinar: Thursday 4th June 12 midday East Australian time


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.



Recent Comments