Deflecting hackers

There is a lot more noise in the press recently about hacker groups such as Lulzsec and Anonymous breaking into sites such as PBS, the CIA, and most recently the Arizona Department of Public Safety. One of the upsides of this increased noise level is that a lot of companies are taking a longer, harder look at their site security, and one of the offshoots of that is a focus on the potential security risks associated with mobile devices. Why? Because more often than not, websites are being accessed from a mobile device, rather than a fixed point device. So this triggers a couple of unsettling questions. Are mobile devices more susceptible to hacking? Are tablets a more attractive target than smartphones? Is this even an issue, or is this more media hype? If it’s not hype, who’s at risk?

First, this is not hype. While the overall incidence of attacks has not gone up much, the hacker groups are noisier (braggier), so it seems like more is going on. In addition, the pattern seems to be expanding to include smartphones and tablets. People have historically understood the need for security on their PC; most of the time some sort of security software is actually included when you buy your PC, and this has been going on long enough that it’s become part of the background noise of the technology landscape. However, people look at their iPhone, or Android device, and see a phone. So here is the problem: those are not phones. Referring to them as smartphones is a misnomer: they are not phones, they are computers that happen to be able to make phone calls, and conveniently fit in your pocket, just like a phone. People are making a huge mistake if they think they don’t need to secure the device in their pocket. This also applies to tablets. Why? Same operating system. There are slight variants between the iOS on an iPhone and an iPad, but it’s basically the same OS. Same thing with Android devices from manufacturers that offer a range of form factors, smartphones to tablets, all running effectively the same version of Android OS. If you want to exploit a computer, go in through an application (usually assisted by the user clicking on a suspect link), which provides access to the OS, and start hacking away. The same exact process works on a mobile device, the main difference being that the majority of PCs are secured, and the majority of smartphones and tablets are not. Think this will be a problem?

So who is more at risk, the consumer, or the enterprise? It depends on the intention of the hacker. If it is a denial-of-service type of thing, then the enterprise is a tempting target; look at Sony’s month-long spank-a-thon. This is effectively macho posturing by the hackers, who target high profile sites to show their “prowess”. If it’s a straightforward identity theft type of thing, then the devices themselves provide a nice gateway to the goodies normally found in sites accessed by a mobile device, such as on-line banking or Facebook (which is now more frequently accessed by mobile devices than by PCs). Given the strategic arc of access to on-line information resources (6 billion mobile devices in play, and counting), this will become a significant issue, and we would be well served to get ahead of it as quickly as we can. If you are an enterprise, and you provide your employees mobile access to company information resources, you HAVE to secure those devices, and I mean right now. If you are a consumer, it is very much in your interest to talk to your carrier about what options they offer for securing the device. You wouldn’t leave your house or car unlocked, right? And yet, it’s highly likely that your mobile device, which can provide access to all sorts of things that would be of interest to a hacker, is sitting there, wide open.