This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.
Have you ever been on the road towards a meeting or a vacation, and then just suddenly stumbled upon an open network while waiting for a plane or drinking a cup of coffee? Most people probably have.
And have you ever been a bit too tempted and logged onto this open network? Again, most probably have.
Now, have you then started working while on this network and directly sent corporate information or handled information on your corporate systems? Sadly, many have and if you’re one of them: Read on! Using open networks directly for sensitive data (like corporate data) is a big security no-no!
So why would this be a problem? Isn’t it just free internet for the masses? Well, yes and no. Yes, it’s probably a network you are completely free to use. It might even be a network owned by the office building, hotel, airport or whichever company you’re at. But due to the way wifi-networks are designed, everything you send over this network is completely public. Every person, on the network or simply in the vicinity, can easily set up a simple network sniffer like Wireshark or Kismet and directly save all the information you send over this network, including all e-mails, websites you visit, data you send to websites, data you receive – plain and simple, everything! And you have no way of detecting this! None whatsoever! There is absolutely no way to check for eavesdroppers on an open unencrypted network.
To add insult to injury, eavesdropping on a network is extremely easy to do and there are several easy-to-use tools out there that hordes of 15-year-old script kiddies love to use to steal as much information as they possibly can – for no other reason than: They can!
So are we advocating not using public open wifi-networks? No, not at all – you just need to use them correctly!
You can look at it like this: A public open wifi-network gives you a gateway on which you can build a connection to your workplace and work from there. How do you do this? Well basically there are several solutions here:
So you can look at it like this: If you’re not doing any of the above, you have a problem and should take it up with your company in order to get a security policy on the matter and make it safe for the company to work from anywhere! Mobility is one of the top priorities in business these days, and you really want to use the opportunities laid before you well, without screwing yourself because of bad security.
So remember: Public open networks aren’t bad, but you need to keep your assets safe while using them!
Presenting a new company venture from Aconiac: the mobile security company Hoodgate.
For several years now, smart phones have increased in popularity and will continue to do so for years to come. We are truly only in the beginning of this development and can expect to see even faster and better systems in the future.
One thing that is however still lacking is effective handling of mobile security for a company with more than a few employees. Most available solutions are monolithic solutions where a company buys a software suite with some number of features (anti-virus, anti-spam, locking mechanism etc.) and then has to manually install this suite onto every single employee’s phone one by one. If any additions are made to the software later on, in most cases you’d have to do the same manual reinstall all over again. In the end this can lead to enormous financial costs for a company, simply in sheer terms of man-hours used!
Hoodgate is adopting another solution to the problem! Hoodgate will be offering a service where you, as a customer, can handle all your employees’ phones through a central control panel. Through this control panel you can then create a “Mobile Security Policy” for your company.
A “Mobile Security Policy” is basically the features you want to have, e.g. the ability to find a given phone through GPS, encrypted e-mails, remote lock of the phone (in case of theft), voice logging, and much more. Once you have a customer profile you can easily buy new features, remove old ones or order specially developed ones, and all these changes to your “Mobile Security Policy” are automatically sent to all your employees’ phones, ultimately making management of security for your mobile workforce much easier and cheaper. It is then the Hoodgate software on these phones that takes in updates and synchronizes with the company “Mobile Security Policy” stored with Hoodgate online, rather than your system administrators having to do it manually.
Hoodgate is just starting up now, and does not at the moment have a finished product. We will however be making regular updates on how the development is going, and try to continually involve future customers in the development, in order to make as good a product as humanly possible.
The platforms we intend to support are the following:




Development is prioritized more or less in that order, so that the primary platform is Android.
All the plans above are of course still preliminary and open for change, and you can easily have a say in those changes and speak your mind to us. All you have to do is comment on this blog post, contact us directly or on one of the social networks we’re on (links are farther down). We’re very curious to hear what you think, even if you’re the type of guy/girl who loves to point out flaws in plans or designs – a real hacker type person! Feel free to contact us and point out what we’ve done wrong or haven’t thought about. In the end your opinions might very well result in an even better final product.
The company website can be found at http://www.hoodgate.com/ although it’s still very preliminary. As we state several times on the page: We’d rather use our time developing the software you need than worry about website details at the moment. The shortcomings on the site will however be handled in the near future.
You can also find us at other places on the web. We invite you to get involved and get your voice heard. We’re listening!:
NOTE: This news item was originally posted on December 30, 2008

2008 will soon be over and a new and exciting year lies in front of us. 2008 was an interesting year for computer security. We saw, once again, escalating threats towards companies from almost all fronts. Especially the leaks of unencrypted data in England, the automated SQL injection mass-attacks and the attacks on social network services were some of the big public problems in 2008.
But then how will 2009 be? Now, it’s obviously very hard to predict the future in such a dynamic world, however we have made an effort to come up with our ideas for what might be the 10 biggest security threats in 2009:
The economic crisis, which right now is devastating many businesses all over the world, will most likely result in companies having to cut down on expenses. In these kinds of expense cuts, what typically gets cut first is administrative expenses such as computer security and preventive measures. We can therefore expect to see an increase in the amount of security issues in software and systems developed in 2009.
One of the greatest threats towards security in a company is and will always be education. This has been, in our minds, the biggest issue in 2008 and actually has always been the biggest issue. Users of IT solutions do not understand the security problems well enough to effectively protect themselves. We will therefore, once again this year, probably see an increase in successful hacker attacks – attacks that largely could be prevented by increased education.
Employees are becoming more and more mobile as each day passes. One of the big things that really got a boost in 2008 was mobile broadband. This technology specifically can lead to employees beginning to do their jobs outside of the company’s secure perimeter, a trend that could ultimately lead to catastrophic data leakage if it is not prevented by good policies and encryption.
Due to the economic crisis, a lot of companies will probably begin to outsource certain tasks to cheaper labor in other countries. This act however has a lot of serious security implications, since the company no longer has control of how its data is handled. It is therefore extremely important that companies make a proper security policy with their outsourcing partner and that this policy is actually followed.
The time when hackers were just small kids in a basement is, by far, over. Today several indications are showing that hacking has, in several cases, been used by e.g. China to attack government institutions in the USA. This type of attack, which for the record can have catastrophic consequences, will likely escalate in 2009, where we will see even more examples of this form of Internet warfare.
While nations all over the world are using more and more censorship and surveillance, many freedom-loving employees will begin to work harder to secure their privacy and the right to free speech. This will probably manifest itself in an increased use of software to break blocking mechanisms and hide information about the user. With this increased usage, it will become much harder for companies to identify malicious users, since it will now not only be the criminals who are attempting to hide from identification.
While viruses and spyware are everyday fears of Windows users, Apple’s Mac OS X has up until now avoided most problems. It has actually avoided them so well that many Mac users now mistakenly believe Mac OS X cannot be infected with malicious software, such as a virus. Apple had record-high sales of Macs in 2008, and as their market share increases, so will the number of attacks on the platform. Sooner or later it will therefore become a security risk to have an unprotected Mac OS X on the company network, and companies should therefore implement effective security policies for Mac users.
A lot of companies and government institutions still have websites with several security issues of varying types. With the increasing economic crisis and the likewise increasing number of computer criminals, it is very likely many more companies will be attacked from the web this year, even more than in earlier years.
With the expanded use of SMS for almost any conceivable communication, criminals will soon begin to notice the possibilities in the use of SMS to scam individuals and companies. Most do not know that it is extremely easy to fake an SMS so that it seems as if the SMS is from “Mom” or “The Boss”. This makes it easy for criminals to scam people into wiring funds or giving out passwords.
Social networks are not as big of a threat as some security companies would have you believe, however there are several dangers you should take seriously as a company owner. For example, in 2008 there were several attempts at spreading viruses through Facebook, and MSN Messenger especially is often a target for computer criminals. All of these attacks can however generally be avoided with simple education of one’s employees. We don’t recommend blocking access to social networks for your employees, even though we know certain companies do this today.