BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Tips for ID’ing Your Phone and Laptop

Posted May 14, 2010    Morey Haber

I personally think I have set a new record for going through three Blackberry phones in one week.

I had my old phone (which was continuously having runtime errors) for over a year. I received a new unit and after two days it broke (don’t ask) and required a third replacement unit. Like any programmable electronic device, it required me to reset-up all of my applications, settings, and preferences for everyday use.

Like most companies, the device is automatically hardened when connected to the Blackberry Enterprise Server (BES). That means that certain settings are only available before enterprise activation and are locked out afterwards.

Take the simple field of “Owner” within a Blackberry. When not connected to BES, my company’s policy allows me to set the owner and contact information in case the phone is lost. Once connected, the system automatically places a read-only lock on the field and no longer permits edits.

You may be asking yourself so what? Well if I lose the phone, I would only hope a good samaritan would return it based on this contact information. Realistically, once it has been registered with the company it is probably better that the device remain anonymous in case it is lost or stolen like the policy attempts to do.

So how many times do you provide personal information on devices, laptops, phones, etc., that if lost or stolen would allow a deviant mind to capitalize on your misfortune?

Growing up, my parents instructed me to always write my name on my personal property, and even my school would encourage us to write our names inside the book for the year. It was always cool to see who had the book previously, friend or nerd.

Harmless enough back then, but today writing our names and identifying the property can lead to additional problems. Let’s take my Blackberry for example, the company policy clearly wants the device anonymous because if it was stolen, someone would be able to associate my name with the contents and would be more likely to access the device to find out what secrets it may hold.

Do you remember the Paris Hilton hack using Bluetooth? If her phone was not personally branded, would it have been a harder target to identify? If the device is completely identity-free, it is just another Blackberry. I’ve seen many companies identify their laptops with big logos, and property stickers. The malicious side of me would definitely target the laptop with the bank logo versus one that had someone’s bait and tackle shop logo.

This becomes a delicate balance of identifying systems physically versus providing too much information. I recommend using:

• Generic asset identification tags to track your inventory

• Provide electronic-based asset inventory for hardware details

• Forgo company logos that brand the device and make it a target for theft.

It is important to note, that many devices, including BES and iPhones, support the ability to remotely wipe the device in case it is lost. It should also be noted that the average time for a user to report a lost phone and have it wiped by an administrator is almost always going to favor the attacker. This includes the attacker removing the SIM card, disabling the radio, and/or removing the microSD card on a device before the remote wipe is sent. Remote wiping shouldn’t be considered the end-all solution for lost/stolen devices.

Balancing marketing and security is critical. When branding your devices, consider if they contain sensitive information and should remain anonymous due to their contents. This little tip might make a thief look at another target versus your company’s assets since they are anonymous.

Leave a Reply

Additional articles

asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,

Bad POODLE, Don’t Bite!

Posted October 16, 2014    BeyondTrust Research Team

Researchers at Google (Bodo Moller, Thai Duong, and Krzysztof Kotowicz) have discovered that the encryption schemes used by SSL 3.0 are exploitable (CVE-2014-3566). Although the majority of web servers implement Transport Layer Security (TLS), the majority of clients will downgrade to SSL 3.0 in an attempt to maintain interoperability between protocols. For example, when a…

Tags:
,