By: Keli Hay
The Sarbanes-Oxley (SOX) Act was established in 2002 to protect investors by improving the accuracy and reliability of corporate disclosures. SOX covers a variety of items including oversight boards, auditor scope, corporate responsibility, and financial disclosures.
As part of SOX, all financial institutions must regularly audit and control access to information. While the act does not specifically address mobile devices, they require proper security controls just as any other electronic device does.
Bluebox brings the functionalities of company area network solutions, such as access control and secure corporate connectivity, with user, device, and app auditing to the mobile space. If you have an IT policy defining how corporate data is accessed within a company network, you can implement the same policy in Bluebox to enforce the same level of security on mobile devices – whether access is to cloud-based apps, such as Dropbox, or company-specific portals or network shares over a secured VPN.
Bluebox enables companies to secure mobile devices, apps, and documents using authentication configurations and encryption techniques. Bluebox also monitors mobile devices at the user, device, and app level. Network administrators can configure Bluebox to monitor apps, emails, and so on for specific corporate information, such as patterns and keywords.
How does Bluebox do this?
Bluebox helps secure mobile devices using policies, rules, authentication, and encryption so that mobile data is:
The all-encompassing functionality provided by Bluebox means security teams can now audit mobile data access, helping minimize the risk associated with access to corporate data on such devices.
By: Keli Hay
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule exists to help protect the privacy of individually identifiable health information, while the HIPAA Security Rule sets national standards for the security of electronic protected health information.
By implementing Bluebox on your mobile devices, you can help secure data to address the following section of HIPAA:
SUBPART C—SECURITY STANDARDS FOR THE PROTECTION OF ELECTRONIC PROTECTED HEALTH INFORMATION, 164.312 Technical safeguards
More specifically, having Bluebox on your mobile devices helps address the following subsections:
How does Bluebox do this?
Bluebox brings to the mobile world a similar approach to securing a company area network using policies, rules, authentication, and encryption so that mobile data is:
With Bluebox, for the first time your compliance team gets the visibility they need, and your security team can provide secure access to sensitive information while preventing that same information from being illegally shared or accessed. Similar to regular network-based Identity and Access Management (IAM) solutions, Bluebox secures mobile apps with custom permissions – including configurations to prevent information distribution. To help ensure sensitive data remains secure, Bluebox is configurable to monitor, track, and audit user, device, and app data usage. Should healthcare professionals require access to hospital systems, Bluebox is also configurable to provide secure transmission to the necessary network or portal.
For information about how Bluebox can help secure apps in your mobile world, please contact us.
This year’s update to the Payment Card Industry’s Data Security Standard (PCI DSS) and the Application Data Security Standard emphasizes security risks for third-party and payment processing as well as more rigorous security requirements for payment app developers. The one thing the update does not address? Mobile payments, but it will.
Mobile payments are transforming customer experiences, and merchants, banks and retailers are learning how to cope with the change. While there are many benefits to be derived from the ease of taking mobile payments, retailers are now faced with a whole new set of security concerns. Why then would the PCI Standards Council omit them from the latest guidelines?
Troy Leach, the Chief Technology Officer of the PCI Security Standards Council, has a theory. Leach implied that consumer mobile devices are insecure and that PCI doesn’t want to add mobile payments to the update because it would “lower the standard”. This creates a huge problem for businesses, retailers and banks that have big security concerns the updates don’t tackle.
From Square to Nordstrom processing payments on iPods, innovation in mobile payments has taken off. From Android and Windows to iOS security, organizations have the responsibility to implement controls and PCI SSC has the responsibility to protect consumers. Consumers deserve a secure mobile payment experience and not addressing these changes puts consumers at risk. Securing iOS and Android based payment systems is possible and should be required. Bluebox has developed a white paper detailing good mobile security practices and how PCI does and will apply to mobile devices.
At the end of the day, there’s been rapid growth in credit card payment processing services among merchants. Retailers, taxicabs and restaurants use iPhones equipped with credit card readers to accept payments without needing traditional credit card terminals. Merchants are responsible for securing these mobile devices, and the security and compliance issues need to be addressed by PCI, not dismissed. It’s not enough for PCI to include “best practices”. Ideally, they should address point-to-point encryption solutions that minimize risk for merchants.
In the 6 years since the release of the first iPhone, iOS has gone through its share of changes. Probably the most interesting of these, though, is its move into the enterprise space. The iPhone (like the iPod and iPad) is one of the most consumer-facing devices on the market. And it makes sense – they were all created for the consumer.
However, as users soon discovered, these devices made their lives easier, and increased their productivity. It was only a matter of time before users brought these devices to work. Now more than half of Americans have smartphones. 75% of people use Apple devices to perform their jobs and the iPhone has evolved from a personal to enterprise-ready device.
As it has done so, iOS has evolved its security settings to work within the enterprise, though it is still lacking in many areas. This is clearly demonstrated in iOS 7, which included several enhancements for enterprise access and usability. While these were mostly limited to MDM, Apple has released a feature that works quite well for organizations that fully lock down the devices in their fleet. Universities are a great example of this. The feature allows the device owner to put iOS into an enhanced manage mode, giving the owner total control of the device. Unfortunately, this feature is anti-BYOD, making it useful only to organizations that own and fully manage their devices.
Other major features in iOS 7 include allowing organizations to set policies about which email attachments can (and can’t) be opened by users, though this doesn’t work with most mail clients. iOS 7 also includes the ability to disable or whitelist AirPlay destinations, as well as Per App VPN, which allows the enterprise to set up policies that limit which applications can access the VPN. Of course, the app feedback feature is also useful for those using MDM.
We are going to continue to see new challenges as iOS moves into the enterprise. The most glaring example of this is corporate data. Most enterprises are not concerned about device management, they are much more concerned about their corporate data being handled on the device. As such, it will be important for Apple to work towards helping enterprise customers secure data on the device.
While Apple is known for controlling the apps found in the App Store, one area it could tighten up is permissions. App permissions are a real weak spot for security. As we saw with the Master Key exploit, app permissions make a huge difference when it comes to security. An app with too many permissions, whether “safe” or not, can still leak data; when that is sensitive corporate data on a user-owned device, the cost falls on the organization, which is often not even aware that its data is leaking. Some of this would also be solved by giving the enterprise access to these devices. Another nuance that Apple is working on is enterprise access control. As mentioned before, they are working on it, as evidenced by enhanced manage mode; however, there needs to be a level between total control and no control.
Only time will tell if Apple can be successful in the enterprise; however, one thing’s for certain: As long as users continue to bring their Apple devices to work, the enterprise is feeling its presence and needs more solutions than iOS provides to meet enterprise security requirements such as PCI and securing corporate data.
As a CISO, the key to developing a mobile strategy is to understand that mobile is already part of your enterprise. Whether or not you choose to embrace a mobile policy, employees have established their own, using their mobile devices to access and move corporate data. A friend and fellow CISO recently discovered that 400 employees were going around IT controls to use a 3rd party file sharing website. From files, to 3rd party applications, to email, data is mobile and so is your enterprise.
Here at Bluebox we have just about every device you can imagine: iPods, iPhone 4, Eric’s pink iPhone 5c, the fingerprint protected 5s, and literally dozens upon dozens of Android devices (too many to name). We even stock Blackberries, Windows Mobile, and some feature phones just for fun hack projects. Among all of these we haven’t seen such a rapid adoption of any mobile platform to date.
Mobile malware may grab media headlines, but it has not grabbed the attention of those who manage security for the enterprise. A recent LinkedIn Information Security Community survey showed that the top 2 mobile security concerns were related to data loss and the unauthorized access to data. Mobile malware infection was a distant third for a few prominent reasons.
Bluebox CTO Jeff Forristal’s presentation entitled “Android: One Root to Own Them All”, about his research that uncovered the Android Master Key, is now available.
Below is the abstract of Jeff’s presentation.
This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control. The vulnerability affects a wide number of Android devices, across generations & architectures, with little to no modifications of the exploit. The presentation will review how the vulnerability was located, how an exploit was created, and why the exploit works, giving you insight into the vulnerability problem and the exploitation process. Working PoCs for major Android device vendors will be made available to coincide with the presentation.
Written by Jeff Forristal, CTO
Recently Jay Freeman, aka Saurik, released an excellent technical analysis entitled “Android Bug Superior to Master Key.” His analysis covers additional exploit vectors not previously discussed that are contained in the Android Open Source Project (AOSP) patch for bug #9695860 (the same patch that covers the exploit vector highlighted by the Android Security Squad).
This commentary is in response to the inquiries Bluebox has received regarding this new analysis. First, this analysis, along with Saurik’s previous analysis of the original “master key” Android vulnerability, is a great technical write-up that thoroughly reviews the problem; kudos to Saurik for taking the time to create the posts for others to learn from. Second, Bluebox is aware of the exact issue covered in Saurik’s latest analysis, and had already disclosed it to the Google Android security team along with a working proof of concept for the method Saurik outlined. Google has since notified partners regarding the security implications of bug #9695860 and has provided back-ported fixes.
In addition, the earliest versions of the Bluebox Security Scanner, available for free on the Google Play Store, were already scanning for malicious APKs abusing this new method. Bluebox felt it was advantageous to scan for the flaw variations of bug #9695860, despite their not being publicly known, in order to proactively ensure users were safe. Only in recent versions of the Bluebox Security Scanner do we also call attention to the patch status of bug #9695860; we didn’t previously call out this patch status since we knew devices were still largely unpatched. We have also been working with third-party markets, such as SlideME, by providing them a bulk security scanner for all Android master key vulnerabilities and variants. The bulk security scanner is used on their marketplace to ensure its app catalogue is free from malicious apps attempting to exploit these vulnerabilities. Detection for exploits using the method outlined by Saurik was included in prior releases of this scanner, which means markets collaborating with Bluebox are already protected from this vulnerability variant.
Users should still be cautious about what apps they install and from where they get their apps. This is a way to keep them protected until device vendors have finished rolling out updates to fix all of the vulnerability variants in the master key bug “family.”
The notion that enterprises know where mobile data is could perhaps be better framed as a “suspension of disbelief” rather than a “myth” to bust. We are tackling the whereabouts of mobile data in this “episode” because there is a large contingent of the BYOD vendor community that wish you would believe that mobile data remains on the device and is secure. The reality is enterprises already acknowledge that your data can go anywhere and ultimately goes everywhere, but unfortunately you have no way of tracking it and thus can’t protect it.
Jeff Forristal, CTO Bluebox
During our initial discussions around the “master key” vulnerability a couple of weeks ago, we mentioned our early work with Google as part of our “responsible disclosure” to them. Our insight enabled Google to implement checks for pre-existing and new apps in the Play Store that are exploiting devices using the vulnerabilities we disclosed. Since the release of the free Bluebox Security Scanner – which checks if a device has been patched against the master key vulnerability and if there are any apps exploiting it – we have expanded its capabilities to be leveraged across Android app marketplaces and not just on individual Android devices.
A container is a conventional endpoint security concept that can be used to create data separation, for example between personal and business data. Container separation in theory prevents the commingling of data, but it does not lock down corporate data, despite what has become a marketing-perpetuated myth. The concept of containers serving as data lockers is simply not true on two levels.
Written by Jeff Forristal, Bluebox CTO
We have released a free app to help consumers and enterprises manage the risk around the “Master Key” vulnerability I blogged about last week. The Bluebox Security Scanner app, produced by our research team, allows you to directly check whether your Android device has been patched for this vulnerability without the hassle of having to contact the device manufacturer or mobile carrier. It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability. Once we discovered the bug we set out to create a tool to help individuals evaluate their risk, and that app is now available for free on Google Play, the Amazon Appstore for Android and GetJar:
The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, turning any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years – or nearly 900 million devices – and, depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.
By Felix Matenaar and Patrick Schulz
Thanks to the BerlinSides team for putting together yet another strong conference. Our presentation on “Android Reverse Engineering and Defenses” was just one of many worth checking out. We had a number of requests for copies, so we wanted to post it here on our blog.
Here is the abstract for the presentation. We also used some of the same material at the SOURCE Dublin Conference earlier that week.
It might not be explicit in four letter shorthand, but BYOD means that IT is showing up as an invited guest onto your device. We all know being a “guest” generally comes with certain implicit privileges i.e. hospitality, but perusing the contents of the medicine cabinet is crossing the line. The right BYOD implementation does not cross that line and invade your privacy. And the myth that it does probably started with how heavy handed IT has been on the corporate PC.
This notion of being in “stealth” is a hard one for a CEO; my inclination is to share the excitement about what we are doing with everyone. At the same time, I know from my experience founding SPI Dynamics, that when defining a new category, less is more in the early days. The hardest thing to do in technology is take a whiteboard concept and get it running to expectation in production environments–exposing that process to the world too early can distract from that focus. That’s why I know this is the right time to open the kimono just ever so slightly, and I am proud to do so.
Exciting news coming from the nation’s capital on Wednesday, when The Wall Street Journal reported that within the next few weeks the Department of Defense (DoD) will approve use of both Apple and Samsung mobile devices. To completely “capture the hearts and minds” within the DoD the conversation is quickly going to shift from approvals to how DoD IT will fully empower their users to take advantage of this post Blackberry era.
This Bluebox take on MythBusters was inspired by customer conversations that we’ve had over the past couple of months. Our team is finding that we are addressing a rotating list of mobile security myths that we thought best to expose and debunk in broadcast form to hit a wide audience. Given that more than a quarter of corporate data being accessed everyday is flowing to mobile devices it’s time to set the record straight to make sure that IT’s energies are focused on reality not mythology.
The mobile app market is truly a global phenomenon. In 2012 alone, there were 45 billion apps downloaded. This overwhelming reception is attracting the attention of attackers looking to peddle malware and badware on innocent mobile bystanders. It’s the same desktop/PC recipe adapted with new mobile ingredients. But while desktops have a wide range of anti-virus packages and malware analysis tools available, the young mobile application ecosystem is lacking in strong analysis tools and techniques. Such tools and techniques will be critical to keeping mobile application markets untainted by malware and nefarious applications. Who will produce these tools? A lot of research and trial techniques are coming to light from academic and industry researchers; it’s a matter of selecting the robust approaches and adopting them on a widespread scale. But perhaps that’s easier said than done… there’s a lot of early mobile malware analysis research in the industry that appears solid in limited trial runs but perhaps doesn’t fit the bill when put to the task. We’ve put together an analysis challenge to help show you where some of the pitfalls of mobile application analysis lie, so the collective researcher community can learn and evolve our analysis approaches for Android applications.
Bluebox Labs is proud to present Dexter, a free Android application analysis framework with a rich web-based user interface. The tool extracts information from either legitimate or malicious Android application packages (APKs) and produces various views of the package & application contents.