Welcome to the Aconiac Security Group Blog

This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.

The official Aconiac company blog


Presenting a new company venture from Aconiac: the mobile security company Hoodgate.

For several years now, smartphones have increased in popularity and will continue to do so for years to come. We are truly only at the beginning of this development and can expect to see even faster and better systems in the future.

One thing that is still lacking, however, is effective handling of mobile security for a company with more than a few employees. Most available solutions are monolithic: a company buys a software suite with some number of features (anti-virus, anti-spam, locking mechanism etc.) and then has to manually install this suite onto every single employee’s phone, one by one. If any additions are made to the software later on, in most cases you’d have to do the same manual reinstall all over again. In the end this can lead to enormous financial costs for a company, simply in sheer terms of man-hours used!

Hoodgate is adopting another solution to the problem! Hoodgate will be offering a service where you, as a customer, can handle all your employees’ phones through a central control panel. Through this control panel you can then create a “Mobile Security Policy” for your company.

A “Mobile Security Policy” is basically the set of features you want to have, e.g. the ability to find a given phone through GPS, encrypted e-mails, remote lock of the phone (in case of theft), voice logging, and much more. Once you have a customer profile you can easily buy new features, remove old ones or order specially developed ones, and all these changes to your “Mobile Security Policy” are automatically sent to all your employees’ phones, ultimately making management of security for your mobile workforce much easier and cheaper. It is then the Hoodgate software on these phones that takes in updates and synchronizes with the company “Mobile Security Policy” stored with Hoodgate online, rather than your system administrators having to do it manually.

Hoodgate is just starting up now, and does not at the moment have a finished product. We will however be making regular updates on how the development is going, and try to continually involve future customers in the development, in order to make as good a product as humanly possible.

The platforms we intend to support are the following:

Development is prioritized more or less in that order, so that the primary platform is Android.

All the plans above are of course still preliminary and open for change, and you can easily have a say in those changes and speak your mind to us. All you have to do is comment on this blog post, contact us directly or on one of the social networks we’re on (links are farther down). We’re very curious to hear what you think, even if you’re the type of guy/girl who loves to point out flaws in plans or designs – a real hacker type person! Feel free to contact us and point out what we’ve done wrong or haven’t thought about. In the end your opinions might very well result in an even better final product.

The company website can be found at http://www.hoodgate.com/ although it’s still very preliminary. As we state several times on the page: We’d rather use our time developing the software you need than worry about website details at the moment. The shortcomings on the site will however be handled in the near future.

You can also find us at other places on the web. We invite you to get involved and get your voice heard. We’re listening!

  • Join us on Facebook
  • Follow us on Twitter
  • Subscribe to us on YouTube

McAfee came out with a blog post on March 17th concerning a new scam targeted against Facebook users. The attack had quite significant success, and therefore clearly shows an issue that still isn’t being sufficiently addressed by private individuals as well as companies.

The original blog-post can be found here: http://www.avertlabs.com/research/blog/index.php/2010/03/17/facebook-suffers-password-reset-scam/

For the people who didn’t feel like going in and reading the original blog-post, I can give a small summary of it here:

Basically what it says is that McAfee has been tracking a Facebook e-mail scam where users are being sent fake e-mails with the subject “Facebook Password Reset Confirmation! Customer Support.” including a message saying that the user’s password has been changed due to security reasons and that the new password is attached to the e-mail as a .zip file.

The scam is especially interesting because people generally fell for it. Within record time, it skyrocketed to number 6 on the Global Virus Map’s Top 10 list.

What this shows me is that companies and other organizations still have a huge education task ahead of them with regards to security. Looking at the simple scam e-mail in its entirety, this is what the content says:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks,

Your Facebook.

There are several tell-tale signs that this is a clear-cut scam mail.

First and foremost, Facebook directly warns against any e-mails claiming to be from them if they include such things as requests for account information or attachments. All of Facebook’s information on scam prevention can actually be found at http://www.facebook.com/security?v=app_4949752878. All companies should consider including this document in their general security training of all personnel! Given a few years, Facebook, Twitter and the like will be used by the vast majority of all internet users (even more so than now), including traditionally non-technical users that don’t necessarily have the insight to detect attempts at IT fraud.

But even if Facebook didn’t come out with any general information about what an official e-mail from them would look like (as most companies/organizations don’t), there are still several tell-tale signs:

Looking at the e-mail as it has been sent to most people, here is a list of my observations of scam-like characteristics:

  • The e-mail is not recipient specific.
    What I mean by this is that the e-mail doesn’t mention the user specifically, but only refers to this person as “user of facebook”. This is highly unusual for a website so focused on user information, a website that would easily have access to specific information such as your first name. Note however, that the lack of a personalized greeting is not necessarily an indicator of spam. In several situations some companies will probably choose to send out a non-personal greeting, but in such a case it would usually be worded differently and it would definitely not have included any profile information (e.g. a new password as an attachment).
  • The presence of an attachment.
    Attachments are almost never used by any company, group or organization. If attachments are used, it will generally be because the recipient requested the given attachment. If you ever receive an attachment you didn’t expect (and I do mean EVER.. no matter who it’s from), be very skeptical! Call the sender up on the phone and ask for confirmation.
  • Spelling, grammar and the like.
    Another tell-tale sign is the use of language and wording in a message. Would the real Facebook really refer to themselves as “facebook”, instead of “Facebook”? The lack of correct grammar might be possible for small companies, since they might not have anyone to check such things, but for any large company you can expect that if there are more than a few simple microscopic typos (e.g. “teh” instead of “the”), it’s most likely a scam. Call the claimed sender on the phone for confirmation.
    Also Facebook would probably not call you their “client”, but instead their “user”.
  • The e-mail is in plain text.
    Not all will agree with me on this point, but I do believe that serious individuals (especially companies) will generally send an e-mail in HTML with graphics, tables and layout and not as so-called “plain text”, which is simply characters and punctuation, with no possibility for images, tables, layout, text formatting or anything of that sort. This is, like most rules above, not a general rule and should not be used exclusively to discard an e-mail as a scam.
  • Odd sign offs
    Somewhat related to the issue of spelling and language use, would Facebook really end an e-mail with “Thanks, Your Facebook”? Wouldn’t it be more likely they would end an e-mail with something along the lines of “Thanks, The Facebook Team”? Again this is not a clear cut sign of a scam, but this in union with other issues should put up a red flag for you. As always: Call for confirmation if in doubt! Any serious person will not mind that you care about security, they will most likely applaud it!
  • Non-authenticated requests
    Whenever an e-mail asks you for any information you wouldn’t shout out in public, then that’s usually not information you should be sending through an e-mail in any way or form. That’s basically why we have encryption and digital signing for e-mails.
    But especially whenever an e-mail asks for account information or claims to include it, you should be skeptical. Normally whenever you access your account on the website (e.g. http://www.facebook.com/) you’ve gone through some form of authentication process, usually by means of a simple username and password. You haven’t done this when checking your mail, so the website has no way of knowing it has reached the correct user with the relevant information or information request. A normal request for information will therefore involve you having to go to the company or organization’s website and go through a process there – not over e-mail!
    Once again, there are exceptions and some companies don’t care much about the security and therefore do request information through an e-mail. So when in doubt: Call the company and ask for confirmation!
  • Sender is wrong
    Obviously there is the option of checking the domain from which the e-mail was sent, but oftentimes most users won’t be able to tell the difference between a correct subdomain and an incorrect one. So for most users this isn’t a viable solution for training.
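The indicators in the list above (generic greeting, unsolicited attachment, lowercase brand name, plain-text-only body, odd sign-off, credentials claimed to be inside the mail, and the sender domain that users cannot check by eye but a mail gateway can) can be turned into a simple scoring routine that a mail filter or awareness-training tool could run. The following is an added example written for this page, not code from the original post or from McAfee; both sample messages are constructed to mirror the quoted scam, the sender addresses and attachment bytes are invented placeholders, and the allowlist of legitimate sender domains (`facebook.com` only) is an assumption for the example, not a statement about Facebook’s real mail infrastructure.

```python
"""Heuristic scorer for the scam indicators listed above.

Added example, not part of the original post or of McAfee's analysis.
Both sample messages are constructed; their sender addresses and the
attachment bytes are invented placeholders, not real indicators.
"""
import re
from email import policy
from email.parser import BytesParser

# Greeting that names no recipient ("Dear user of facebook").
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(user|customer|client|member|account holder)\b", re.I)
# Attachment types no company should be mailing unsolicited.
RISKY_ATTACHMENT = re.compile(r"\.(zip|rar|7z|exe|scr|js|vbs)$", re.I)

# Constructed sample mirroring the quoted scam e-mail (invented sender).
SCAM_SAMPLE = b"""From: Facebook Support <support@example-not-facebook.invalid>
To: user@example.com
Subject: Facebook Password Reset Confirmation! Customer Support.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks,

Your Facebook.
--b1
Content-Type: application/zip; name="password.zip"
Content-Disposition: attachment; filename="password.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample of what a legitimate notification might look like.
LEGIT_SAMPLE = b"""From: Facebook <notification@facebook.com>
To: user@example.com
Subject: Someone commented on your post
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi Jane,</p>
<p>Someone commented on your post. Log in to the site to read it.</p>
<p>Thanks,<br>The Facebook Team</p></body></html>
"""


def analyse(raw, claimed_brand="Facebook", brand_domains=("facebook.com",)):
    """Return the indicators that fire for one raw RFC 822 message.

    brand_domains is the allowlist of domains the brand really mails from;
    the single entry here is an assumption for the example, not a
    statement about Facebook's actual mail infrastructure.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    texts = [(p.get_content_type(), p.get_content()) for p in msg.walk()
             if p.get_content_maintype() == "text" and not p.is_attachment()]
    body = "\n".join(t for _, t in texts)
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    sender_ok = any(sender_domain == d or sender_domain.endswith("." + d)
                    for d in brand_domains)

    indicators = {
        "generic_greeting": bool(GENERIC_GREETING.match(first_line)),
        "has_attachment": bool(attachments),
        "risky_attachment": any(RISKY_ATTACHMENT.search(n) for n in attachments),
        # Case-sensitive on purpose: the brand written in lowercase.
        "brand_lowercased": bool(re.search(rf"\b{re.escape(claimed_brand.lower())}\b", body)),
        "plain_text_only": bool(texts) and all(ct == "text/plain" for ct, _ in texts),
        # "Your Facebook" rather than "The Facebook Team".
        "odd_signoff": bool(re.search(rf"\byour\s+{re.escape(claimed_brand)}\b", body, re.I)),
        # Credentials claimed to be inside the mail instead of behind a login.
        "credentials_in_mail": bool(re.search(r"\bpassword\b", body, re.I))
        and bool(re.search(r"\battach", body, re.I)),
        "sender_domain_mismatch": not sender_ok,
    }
    return {"sender_domain": sender_domain,
            "indicators": indicators,
            "score": sum(indicators.values())}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        r = analyse(raw)
        fired = [k for k, v in r["indicators"].items() if v]
        print(f"{name}: score {r['score']} from {r['sender_domain']}: {fired}")
```

Run stand-alone, the scam sample fires all eight indicators while the constructed legitimate notification fires none. As the post stresses, none of these checks is conclusive on its own (some companies do send plain text or impersonal greetings), which is why the routine reports the individual indicators alongside the total rather than a single verdict; a gateway would typically quarantine above a threshold and, for anything involving a stated password change, tell the recipient to confirm through the site or by phone.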

All in all the real problem is that people are simply not skeptical enough and trust information sent to them over e-mail, social networks and text messages.

As companies and organizations, you need to make a continuous effort to educate your employees in all forms of basic security. Security isn’t only relevant for the IT-staff. All staffers need to have some basic understanding of what a scam might look like, no matter if it comes through an e-mail, a phone call or even physically at the business location.

There are several resources available to help you design an education program for your employees and if you need professional assistance, Aconiac is always available for a consultation.

For the last several months we’ve been featuring a “Did you know?” daily tweet on Twitter. For most of this time our feed has been fairly popular, with currently 148 followers. The whole idea behind this campaign was actually not to continually feature these tweets, but to, at some point, come up with a new strategy for the use of Twitter, more focused on sharing our knowledge and views in a more directly usable manner.

We’ve now come to the point where we’ve decided to stop featuring the “Did you know?” tweets and instead begin twittering about subjects like the following:

  • Security related news from around the world
  • Public discussions we have an opinion about
  • Research news from the fields of information security, cryptography and IT criminal psychology
  • Security & business related comments from Aconiac Security Group members
  • Tutorials & Guides which we believe our readers will find especially useful

Also unlike before, we will not be focused on putting out tweets once a day (or at any other specific time), but instead when they are relevant. This may mean that some days won’t even have any tweets at all, while other days may have several.

We hope our Twitter followers will keep on enjoying our feed, even though we’re now shifting focus! Feel free to comment on our actions here or on Twitter; we want to hear what you think!

Best Regards

Aconiac Security Group

Yes, Aconiac has now officially started twittering!

Now you’re probably thinking: “Why? Oh why, God?”, especially if you’re the typical European or business professional. However, after having looked into the matter, we have found good use for Twitter and can see how it has its place in the future business market – so that is really why!

So what will we be twittering? Well, we thought long and hard about what content could be efficiently distributed in 140 characters, since this is, by all common standards, a very limited amount of text. Ultimately we came to the conclusion that security tips & tricks, news and facts were of most interest, and it is therefore this we will be twittering in the future with our “Did you know?” posts.

If this has piqued your interest, please go to http://twitter.com/AconiacSecurity and follow our posts there.

As a final note: We’ve added a “Tweet this” button to all posts, so that you can easily post our blog post titles and links to your Twitter account.