
SANS ISC: What's on your iPad? - SANS Internet Storm Center


What's on your iPad?


In a recent story (see the links at the bottom of this article), there's been some discussion about a prominent NMS (Network Management System) with an iPad interface that uses a simple-to-duplicate algorithm for its password.

Do we care? Isn't the resulting password more secure than most passwords we would have picked ourselves? Not so much if it's simple to derive, but in my opinion the real story here is that we are trusting our mobile devices and apps way more than we should. We buy low-cost or free apps to do things that really matter, without doing our homework on security. In this case, the app uses cleartext authentication over XMPP (the Jabber protocol) to remotely access and control the NMS. The "password math" doesn't help either. The NMS in turn has access to the full device configurations, as well as the ability to send email directly to network admins (a great spearphishing target!), and most importantly, in many cases has admin access to all the network routers, switches, firewalls and even servers.
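As an added illustration (not from the diary or the product it discusses), here is a small check for the cleartext-authentication problem described above: given a logged XMPP session, it flags a SASL PLAIN login that was sent before STARTTLS was negotiated. The session data, usernames and mechanism list are constructed for the example.

```python
import base64
import re

# Constructed sample session (made-up data, not a real capture): one stanza per
# line, tagged "C" for client -> server and "S" for server -> client.
SAMPLE_SESSION = [
    ("C", "<stream:stream to='nms.example' xmlns='jabber:client'>"),
    ("S", "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
          "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"),
    # The client authenticates with SASL PLAIN while the stream is still plaintext.
    ("C", "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
          + base64.b64encode(b"\x00ipad-admin\x00hunter2").decode() + "</auth>"),
    ("S", "<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>"),
]

# Server's STARTTLS acknowledgement (RFC 6120); everything after it is encrypted.
STARTTLS_PROCEED = re.compile(r"<proceed\s+xmlns=['\"]urn:ietf:params:xml:ns:xmpp-tls['\"]")
# SASL <auth> stanza: capture the mechanism name and the base64 payload.
SASL_AUTH = re.compile(r"<auth\s+[^>]*mechanism=['\"](\w[\w-]*)['\"][^>]*>([^<]*)</auth>")


def audit_xmpp_session(session):
    """Return one finding per SASL login: mechanism used, whether TLS was already
    up, and (for PLAIN sent in the clear) the username that was exposed.
    The session may come from a server-side log, so stanzas after <proceed/>
    are still readable and are reported as encrypted on the wire."""
    tls_up = False
    findings = []
    for direction, stanza in session:
        if direction == "S" and STARTTLS_PROCEED.search(stanza):
            tls_up = True
            continue
        m = SASL_AUTH.search(stanza)
        if direction == "C" and m:
            mech, payload = m.group(1), m.group(2)
            finding = {"mechanism": mech.upper(), "encrypted": tls_up, "authcid": None}
            if finding["mechanism"] == "PLAIN" and not tls_up:
                # RFC 4616: PLAIN payload is [authzid] NUL authcid NUL passwd.
                # Only the username is decoded; that is enough to show exposure.
                parts = base64.b64decode(payload).split(b"\x00")
                if len(parts) == 3:
                    finding["authcid"] = parts[1].decode(errors="replace")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_xmpp_session(SAMPLE_SESSION):
        print(f)
```

A finding with `"encrypted": False` and a non-empty `authcid` means anyone on the path could have read the credentials, which is the situation the diary describes.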

People just as blithely (blindly?) use tablets and phones to access their bank accounts and control their cars (what could go wrong with that?).

In the case of an NMS I can certainly see the attraction: now that tablet screens are just as good as many laptops, running your NMS from a tablet can be much easier than from a traditional laptop, especially if you're not at work.

I gotta admit that it still bothers me when I see the bank ads on TV encouraging people to access their bank accounts using their phone (you know, the one without a screensaver or keyboard lock), so that their bank account is even *less* protected when the phone is stolen.

Mind you, some folks would likely be more upset if their social media accounts could be accessed this way ... umm, wait a second! A favourite high school prank is to steal a phone from your classmate for 10 minutes to put up a bogus (and embarrassing) Facebook or Twitter post.

When did we stop using VPNs, the classic solution for encapsulating and encrypting sensitive traffic? The VPN that encrypts the data, the destination IP address and the authentication?

My worry here isn't really that the datastream could be MITM'd to steal credentials or hijack sessions, though that's certainly possible in this case. The worry should really be that if your phone or tablet is stolen, big parts of our modern life go with it: bank accounts, Facebook and Twitter, eBay, your car keys, and in this case control of your network. If all we protect this stuff with is a simple keyboard password (my 11 yr old shoulder surfed mine - https://isc.sans.edu/diary.html?storyid=13084), then if your phone is lost, all is lost - you BETTER have a remote wipe function ready to go!

More here:
http://www.h-online.com/security/news/item/WhatsApp-takes-the-lazy-route-to-authentication-1703628.html

http://www.h-online.com/security/news/item/WhatsApp-allegedly-creates-overly-simple-passwords-under-iOS-too-1704972.html


===============
Rob VandenBrink
Metafore

This article is more proof that most people put convenience well before security. The surest near cure is to build the security into the app or device and make it convenient to use. Can smartphones and tablets be designed with a persona lock so that only the registered user can use it? Not to make it proof against a persistent attack by an expert, which is impossible, but make it proof against the casual attack.
KBR

63 Posts
In a free society, it has got to be the user's choice whether to secure his devices -- and whether to lock his car, his front door, etc. Just make sure he has the option to secure, and is aware that he has the option; you can't force it on him.
Moriah

133 Posts
Free society notwithstanding, the vast majority of users are not choosing [a lack of] security, they're choosing whether or not to be inconvenienced.
Moriah
1 Posts
And what is more inconvenient than being compromised? But they only ever learn that the "hard way". :-(
Moriah

133 Posts
I like to tell users my "front door" story. I ask them if they have ever been inconvenienced by having to dig for their keys to open the front door, especially when they are carrying 5 bags of groceries. They always say yes. I then tell them how much easier it would be to get the front door open if they just left it unlocked. I usually get strange looks. I then go on to tell them that even when it is unlocked, they still have to turn the knob, which is also inconvenient with 5 bags of groceries. I say take the doorknob off the front door -- it's more convenient. Then I say you still have to pull the door open, so just take the door off the hinges, and prop it up in the front yard, and spray paint a sign that says "crack party tonight, all welcome!" They usually get my point before I get this far. ;-)
Moriah

133 Posts
Are you perhaps confusing What's Up, a network monitoring system, with WhatsApp, which is an instant messaging application?
Anonymous
