Encryption & Security in a Mobile Context

By Richard Cooper, Principal Technical Consultant for Platform Security, Her Majesty’s Government Communications Centre

Unsurprisingly for an organisation that deals with national security, we are passionate about information security at HMGCC. Communication is at the heart of the UK economy and the ability to be able to communicate securely and effectively is essential in ensuring that the UK remains the best country in the world to do business with.

Secure communication has three key aspects: ensuring that the content of communication is confidential and secure from interception by 3rd parties; that the communication channel is available and resistant to denial of service attacks; and that systems provide high integrity, allowing you to be confident that the other parties involved are who they say they are.

Validating a person’s identity has become a crucial aspect of communication security. More and more communication is taking place when the persons involved are not face-to-face so an individual’s digital identity (Facebook accounts, telephone numbers, e-mail addresses) becomes a much sought-after commodity for attackers. Looking at unencrypted websites over public unencrypted WiFi links in the local coffee shop is recognised by most technical-savvy people as a bad idea; but it still takes place. This shows that users are unaware or disregard the risks to their digital identity.

Smart phones have changed the way we think of the telephone. Traditionally telephones provided basic voice and data services and whilst the handsets were simple and relatively immune from attack, the protection afforded by the network was somewhat lacking.  Now the situation is reversed.  Smart phones make confidential communication easy, with a wide range of options from secure email and web access through to secure VoIP and video conferencing. To support this the handsets have become fully fledged computers with a large attack surface and are becoming increasingly difficult to secure.

The new frontier in computer security is mobile security; whilst current attacks and malware are relatively benign, the impact on all of us should an SMS message worm/virus ever occur will be huge due to its ability to spread “peer to peer” and the ready access to an existing revenue stream (premium rate calls).  It is these threats which should drive us to better understand the mobile security domain and work to improve it wherever possible.

For all of us, security is a whole lot more than just encryption; its about the security of the whole system.  PIN locks on phones are a good start, but the finger marks left on most smartphones greatly reduce the search space for an attacker.  Equally, every application you install on your phone increases it’s attack surface – do you really trust the author and does it really need access to those system services?

The importance of a system level approach can be seen by looking at the work done at:http://robmenow.com.  Whilst not conventionally considered a mobile security issue, it has taken on a whole new form with smart phones.  http://robmenow.com demonstrates the ease with which location data can egress from devices to internet systems; be it through the user “checking in” somewhere or the unconscious geo-tagging of images; and that sometimes, users need to be protected from themselves.

Modern systems need to use the internet and must take advantage of the smart phone revolution. The business benefits are too great to ignore, but equally to stay useful, they must be secure – an organisations/individuals intellectual property only remains so if it is suitably protected.  Building these systems, be it the low level security architecture on the mobile platform, the application software or the server infrastructure required to support it is the primary challenge of our time.

Good luck!

Please enter your password, again and again

Experientia’s Putting People First Blog has highlighted an article by Khoi Vinh on the problem with passwords:

Please enter your password, again and again
Khoi Vinh Khoi Vinh reflects on the fact (and the user experience) that almost everything on all of his computers and all of his mobile devices can only be accessed with a password.

“This is a big problem, and for lots of people. Over the past few months, while working on various projects, I’ve seen computer users of all levels of expertise struggle again and again with remembering their passwords. Part of what I’ve been doing has been helping people install test versions of software, and doing so always requires signing into this or that and accepting this or that invitation and plugging into this or that computer or updating this or that software.” […]

“The preponderance of digital credentials that are required of us daily is clearly alreadybeyond reasonability, and yet there’s little apparent interest in this problem.” […]

“Everybody seems to agree that this is a problem, and yet no one is interested in it or sufficiently motivated to protest, much less create a solution. I just don’t understand why this is the case.”

Read article

If you’re starting to think about what to work on during the hackday portion of Over the Air – how about taking a crack at the password dilemna?

Carphone Warehouse Mobile Security Week

Over The Air’s David Rogers has been advising Carphone Warehouse in preparation for their Mobile Security Week which is happening at the moment. Head over to Carphone Warehouse’s dedicated security page to see their advice and David’s tips on keeping yourself secure whilst using your mobile. As developers, we all have a role to play in helping to keep users secure. Remember, the majority of your users are going to be non-technical people who just want to use your product and be safe online. By providing a clear, simple user experience when it comes to security, users feel much more comfortable. Help users out by explaining why you’ve used certain permissions and don’t unnecessarily use someone’s private data. The GSMA has some great privacy guidelines for developers. David’s extended guide can be found on his blog.

Mobile Encryption – Easy to Crack?

Wondering about the modern state of data encryption and the security level of mobile traffic? If you’re thinking that attention has been lagging in this area, even with the recent voice-mail hacking scandal, you wouldn’t be wrong… Check out this recent piece of news about the latest Karsten Nohl cracks:

A German computer boffin has worked out a way to crack code used to encrypt most of the world’s mobile Internet traffic.

Karsten Nohl is going to publish a guide to prompt global operators to improve their safeguards.

Iti s not the first time that Nohl has hit the headlines for doing this sort of thing. In 2009 he published the algorithms used by mobile operators to encrypt voice conversations on digital phone networks.

Now he and his chum Luca Melette, intercepted and decrypted wireless data using an inexpensive, modified, 7-year-old Motorola mobilephone, a couple of free software applications and some double sided sellotape. The pair managed to intercepted and decrypte data traffic in a five-kilometer, or 3.1-mile, radius.

 His modified phone was used to test networks in Germany, Italy and other European countries. In Germany, decrypted and read data transmissions on T-MobileO2 Germany, Vodafone and E-Plus. This was pretty easy because the level of encryption was weak.

In Italy Telecom Italia, and Wind did not encrypt their mobile data transmissions at all and Vodafone Italia only provided weak encryption.

O2, which is owned by Telefónica of Spain, told the New York Times that it was following Nohl’s research closely and would take account his findings in its own operations.

Nohl, makes his cash working for mobile operators who hire him to detect vulnerabilities in their systems. He said that many operators run unencrypted data networks because it allows them to more easily filter out competing, unwanted services like Skype.

Read more: http://news.techeye.net/mobile/german-hacker-cracks-mobile-encryption#ixzz1WEEbPHRT

 

Security Stream at OTA 2011

Bletchley Park is renowned for its mathematics work in breaking encryption during the second world war. It is also the home of the world’s first programmable digital computer: Colossus and the National Museum of Computing. Where better to hold a security stream for Over the Air?

Security in the mobile world is increasing in prominence. Convergence of technologies within mobile handsets mean that more people have more reason to attack mobile phones and their users. From mobile payments and company emails to our photo albums, buy cheap our entire lives are centring on one thing – the handset. If we lose our phone it is more than a big deal.

As we all get hooked on our connected lives, malware and virus creators are thinking of new dastardly ways to wreak havoc and steal money from us and even from the developers of the applications we download. Developers need to think more and more about how to protect their own applications and user data, alongside being responsible with the private data they have access to.

Speakers in the Over the Air security stream will be giving attendees the low-down on how to secure mobile applications, the evolution of malware and the history of codes and ciphers:

  • What’s going on with security in the mobile industry and what’s coming up?
  •  The threat from mobile malware and how to make sure you don’t develop something bad
  • Stolen and lost phones – can mobile applications help with this problem?
  • Webapp security, signing and app stores
  •  Break the code! – A mobile application challenge for developers

Stay-tuned for Speaker Announcements….

 

Does the cloud increase corporate security?

The Shaping Cloud blog has an interesting post arguing that the horde of Cloud-service-provider security experts beavering away at keeping security tight will ultimately enhance Corporate IT security efforts and speed up the adoption of Cloud services:

“Internet security will always be a valid concern and services will always be subject to increasingly sophisticated attacks. Companies may feel more secure with their servers on-site, but in reality if they have an internet connection, location is of no consequence – it is just as vulnerable in one place as it is in another. By using the cloud companies suddenly have an army of dedicated people committed to maintaining security. They don’t need to rely solely on an in-house or outsourced provider who often have multiple duties to perform and where security will often get pushed down the priority list as they deal with the day-to-day IT issues that occur in all companies. For the vast majority of companies today, a move to the cloud will actually enhance their security and compliance levels. What many people view as a barrier to cloud adoption should, in our view, actually be seen as a driving factor behind take-up.”

There are certainly many mainstream IT companies providing services in this area, with Microsoft standing out in particular: “The amount of money Microsoft have allocated to developing cloud services is staggering – this year it will be 90% of their annual Research and Development budget totalling $8.5 billion. ”

Many of us will have anecdotes of their corporate IT department not allowing applications like Skype because they aren’t officially supported, but as people increasingly use their own smartphones and tablets to get around the corporate firewall, I wonder whether the internal IT department is loosing it’s hold anyways..

Thoughts?

 

It’s not ‘phone’ hacking…

On his Mobile Phone Security blog, David Rogers has written a really informative article about the whole News of the World scandal, and the real nature of the hacking that went on.

Below is a synopsis, although I highly recommend that you read the full post:

Voicemail hacking and the ‘phone hacking’ scandal – how it worked, questions to be asked and improvements to be made

In brief, there are three main mechanisms for illicitly accessing voicemail: firstly social engineering the call centre to reset or change the PIN for you as precursor to one of the following 1) call the remote voicemail number and access it using the default (or acquired PIN), 2) ringing the actual phone, going into the voicemail menu by pressing the * key or 3) using an advanced mechanism to fool the phone into opening up the voicemail. There are some loopholes still existing and as technology evolves new ones will emerge.

This is not ‘phone hacking’. It is illicit or illegal access to voicemail.

The mobile operators are coming under some pressure from the Home Affairs Select Committee, led by Keith Vaz. Both the Police and network operators will have responsibilities in terms of their actions over the affair, although the operators took the Police lead on what to do. It is unlikely that the full list of victims will ever emerge as the data has likely been deleted after all this time.

Is Security the next Killer App?

Given our location at Bletchley Park this year and it’s major role in the history of Cryptology, we’ll be developing a bit of a theme around modern-day security and encryption. It’s doubly a hot topic thanks to the implosion of the News of the World in light of the telephone-hacking scandal, and Dasient discoving that 800 of 10,00 Android Apps leak personal data.

To get the conversation started and perhaps inspire some problem-solving for this year’s Hack-a-thon, I’d like to share a recent  post from Mark Vanderbeeken on Experientia’s Putting People First blog:

1password Online security for regular people like you and me is a disaster. It’s a killer app waiting to be designed.When you have a smartphone with some apps and a computer, you easily have to manage 30 to 50 sites and apps that require passwords. And the experience of this is highly non-human-centered. It all protects the site/app owner but doesn’t help us, and – worst of all – doesn’t take into account how our memory and psychology work.6% of Italians suffer economic losses because of this, and some suffer a lot (from 1000 to 5000 euro). Italians, I think, are not in any way special in this. They are like most other people.

Security experts suggest to change passwords often, and to select complicated passwords (like “v37AEBRasdRqS”) that are not easy to guess (but also not easy to remember). Now imagine that you have to do this on multiple devices for over 50 sites and apps. It’s a nightmare and completely unsustainable.

Security experts should read a few books on cognitive psychology.

But they don’t. So in the end, we simply have to struggle with the many usernames and passwords, write them down, store them somewhere, and hope that all goes well. All doesn’t go well, of course. And risks multiply the more sites you frequent that require a password.

How can you protect yourself in a decent and easy-to-use way?

Well, the shocking thing in this multi-device world is that you can’t really. As a Mac only user, seeing the limitations of Mac Keychain, I tried the top of the line (1Password for Mac and 1Password for iPhone/iPad), only to discover that it only works with websites on computers and mobile devices. Forget apps – let alone password access to apps within apps (let’s say entering Instapaper passwords within Feeddler, so you can save an article for later reading).

And that’s just within the Apple ecosystem. Imagine if you have to deal with multiple brand devices.

Why is this such a disaster? Why is nobody confronting this? Please comment