Modern Cellular Telephony Security Concerns

March 17th, 2009

The current generation of cellular telephony products presents a wide range of potential risks to the corporate environment. From the simplest cell phones that could expose a corporate phone list, to more advanced cellular devices that are capable of storing and manipulating documents, to the latest smart phones that enable direct access to the network via 802.11 wireless connectivity (“WiFi”), the landscape for protecting corporate assets is wider and more varied than ever before.

Modern cell phone devices can be loosely categorized into three tiers based on the functionality of each device: basic, advanced, and smart.

1) Basic

a. Cell phones that only provide voice and messaging capabilities

2) Advanced

a. Cell phones that provide additional features such as GPS or multimedia capabilities

3) Smart

a. Cell phones that provide PDA functionality including document management and manipulation.

b. Provide alternative network access including 802.11 wireless networking capabilities.

The key difference in the way we view these various devices is that the most advanced of them are truly full-featured computing devices and should be subjected to the same scrutiny and governance as any other mobile corporate IT asset, such as a laptop. These new devices are capable of nearly every function of their larger counterparts, including document storage and manipulation, web browsing, messaging and direct network access via WiFi. Additional and unforeseen functionality may be added by installing third-party applications. While these devices are similar in many ways to regular corporate assets, they differ in one fundamental way: size. Due to their small size, the risk of loss or theft is significantly higher than for their larger counterparts.

According to the NIST document entitled “SP800-124: Guidelines on Cell Phone and PDA Security”, an estimated 85,619 mobile phones and 21,460 PDAs were left behind in one Chicago taxi firm’s vehicles during the six-month period of the study, compared with only 4,425 laptops. One estimate given for the year 2007 was that approximately eight million phones would be lost. These numbers suggest that it is prudent to employ a more stringent security regimen for those cellular devices capable of carrying sensitive data, including data/disk encryption and remote wipe capabilities.

Just as the risks vary depending on the type of device, so too do the efforts employed to secure the devices. A basic cell phone may be best secured by merely enabling a screen lock that requires the user to enter a PIN before accessing the device. More robust and feature-filled devices that are equipped with document management tools, WiFi and internet access require appropriately robust solutions, comparable to those for larger portable devices such as a laptop. These more advanced cellular devices should use the same types of security as would be recommended for a corporate laptop, including firewall, anti-virus, anti-malware, remote wipe capabilities, strong passwords and encryption at the file and disk levels.

Issues with Connectivity

With the addition of 802.11 and Bluetooth wireless connectivity to this new class of portable device, care should be exercised to limit potential exposure when using these connections to reach corporate assets or when transmitting business-related information. Whether web browsing or using email, an unsecured WiFi connection can lead to confidential data leakage. When sending information over WiFi, make sure that the connection is encrypted whenever possible (such as with an SSL connection). If data is being sent via insecure means such as email, care should be exercised to protect the data by using encryption (even using a password-protected zip format will provide at least some protection).

An improperly secured Bluetooth link will allow an attacker to surreptitiously connect to the device and potentially download any and all information stored on it. Bluetooth pairing PINs should always be changed from their default values, or Bluetooth should be disabled when not in use.

Consideration should also be given to the possibility of the device being used as a proxy, allowing unauthorized connectivity to/from the internet by proxying the WiFi connection to the cellular data connection.

Methods of Protection

Due to the similarity in features that smart phones have with laptops, it is reasonable to consider securing the device as if it were a laptop or any other corporate asset. That means employing a local firewall, anti-virus/anti-malware measures, encryption of corporate data, enabling VPN connectivity to access corporate assets, etc. Any non-essential services (such as Bluetooth or WiFi) should be disabled when not in use.

These devices should also be subject to the same scrutiny and rigorous standards as other corporate devices and subject to the same policies and procedures regarding acceptable use, authorized software, password requirements, Internet policies, etc. Specific policies and procedures should be created to assist in the governance of these devices (including laptops) that would delineate the methods and tools used to enforce these recommendations.

Threats:

Security concerns for the different types of cell phones are cumulative starting with the ‘basic’ cell phone.

1) Basic Cell Phone Security Concerns

a. Loss, Theft, Disposal

b. Unauthorized Access/Usage

c. Eavesdropping

2) Advanced Cell Phone Security Concerns

a. Electronic Tracking

b. Server resident data

3) Smart Cell Phone Security Concerns

a. Malware

b. Data Interception or Access

c. Network Access

d. Should be regarded as a small form factor laptop for the purposes of security requiring the same methods of protection including anti-virus, anti-malware, etc.

Recap/Recommendations:

The amount of effort employed to secure each type of device should be commensurate with the potential risk associated with each class of device.

1) Basic and Advanced Cellular Phones

a. Employ the use of a screen lock password

b. Where possible, enable backups of phone data to the network (via ActiveSync or other methods).

2) Smart phones

a. Should be regarded as comparable to a laptop with regard to data exposure and potential risk, and therefore should employ the same methods of protection.

b. Anti-virus measures should be installed and utilized.

c. Anti-malware measures should be installed and utilized.

d. Firewall software should be installed and active to prevent unauthorized connections to or from the device.

e. VPN connections should be used when connecting into the corporate network.

f. Non-essential services (such as Bluetooth or WiFi) should be disabled when not in use.

g. Strong passwords or two-factor authentication should be used to secure access to the device’s networking connections.
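The tiers, cumulative threats and recap above can be expressed as an inventory check. This is an added example, not part of the original article: the feature names, control labels and sample inventory are constructed, and it assumes smart phones keep the basic/advanced controls and also need the remote wipe and encryption mentioned earlier in the article.

```python
from dataclasses import dataclass, field

TIERS = ("basic", "advanced", "smart")  # ascending capability

# Threat lists as given under "Threats:"; they accumulate up the tiers.
THREATS = {
    "basic": ["loss/theft/disposal", "unauthorized access/usage", "eavesdropping"],
    "advanced": ["electronic tracking", "server-resident data"],
    "smart": ["malware", "data interception or access", "network access"],
}

# Control labels are invented for this example.
BASELINE = {"screen_lock", "network_backup"}
SMART_EXTRA = {"antivirus", "antimalware", "firewall", "vpn",
               "strong_auth", "remote_wipe", "encryption"}


@dataclass
class Device:
    name: str
    features: set
    controls: set
    services_on: set = field(default_factory=set)
    services_in_use: set = field(default_factory=set)


def classify(features):
    """Map device capabilities to the article's three tiers."""
    if features & {"documents", "wifi"}:
        return "smart"
    if features & {"gps", "multimedia"}:
        return "advanced"
    return "basic"


def threats_for(tier):
    """Cumulative threats: each tier inherits those of the tiers below it."""
    upto = TIERS.index(tier) + 1
    return [t for name in TIERS[:upto] for t in THREATS[name]]


def required_controls(tier):
    # Assumption: smart phones keep the baseline controls as well.
    return BASELINE | SMART_EXTRA if tier == "smart" else set(BASELINE)


def audit(device):
    """Return (tier, findings) for one inventory entry."""
    tier = classify(device.features)
    findings = [f"missing control: {c}"
                for c in sorted(required_controls(tier) - device.controls)]
    if tier == "smart":  # recommendation 2f: idle Bluetooth/WiFi should be off
        idle = device.services_on - device.services_in_use
        findings += [f"service enabled but idle: {s}" for s in sorted(idle)]
    return tier, findings


# Constructed sample inventory.
INVENTORY = [
    Device("flip-01", {"voice", "sms"}, {"screen_lock"}),
    Device("smart-07", {"voice", "sms", "gps", "documents", "wifi", "bluetooth"},
           BASELINE | (SMART_EXTRA - {"remote_wipe"}),
           services_on={"wifi", "bluetooth"}, services_in_use={"wifi"}),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        tier, findings = audit(dev)
        print(dev.name, tier, len(threats_for(tier)), "threats", findings)
```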

Resources:

The security concerns delineated here are taken from various sources, primarily from NIST SP800-124, “Guidelines on Cell Phone and PDA Security”: http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf


Vim Viewports (Windowing tips for a Text Editor)

January 29th, 2009

If you didn’t know it about me, I’m a very big fan of using text as my default method of storing information.  Whether it’s a note about the specific hex colors for a website, my daily tasks, projects or  todo lists, I keep them all in plaintext files.  I made the transition to text-only years ago when I ran into issues trying to move my palm-pilot memos to a new platform.  It took quite a bit of manipulation before finally being able to migrate my information from a proprietary format into one that is ubiquitous.  Plaintext is ultimately portable and can be taken everywhere.  I will always be able to read my plaintext files.  No, they’re not formatted all nice and pretty, but I can use html or some other markup language if I want to make them look nice.  No, my primary concern is that I can read them.  Twenty years from now, I am confident that whatever office suite word processor is in vogue, it will be able to read my meager text files.   Those old Wambulator 5 files?  I’m probably gonna be out of luck with those.

Emacs

Text editors are varied and many-flavored.  In the unix world, there are two primary editors: Vim and Emacs.  Both have their strengths and weaknesses.  (please, no need to get all huffy about it, I use both.  It’s true and I admit it: I am ambi-textrous)   For the quick editing of small scripts, notes, or log files I tend to favor the use of Vim.   I have a handful of basic Vim commands that I use constantly to edit and save files; a few commands such as search and replace functions that get used occasionally; and then there is a whole world of commands that I am completely unfamiliar with.  Vim Viewports is one such category of commands.

Did you know that the text editor Vim (which stands for Visual editor IMproved) is capable of providing a windowed editing page?   In Vim-land, these windows are called ‘viewports’.   When you first invoke Vim from the unix command line you start out with a single viewport.

Vim - Single viewport

This is the default view that most users of Vim are used to seeing.   I’ve been using Vim (or its predecessor Vi) for well over a decade now and this single-viewport view is the only one I’ve used until very recently.   There are times when I want to be able to edit one file, while referencing another.  Before utilizing viewports, that meant opening another terminal, setting up another connection, and displaying the reference file using cat, less or more (depending on the system).

That all changed when I re-discovered the fact that Vim supports multiple viewports!  From the command mode of Vim (there are two modes; command mode and edit mode.  If you are unfamiliar with these concepts then this article is most likely not for you. Go learn some Vim basics over at the Vim homepage: http://www.vim.org/ then please come back!)

::ahem:: Where were we?

Vim - Three Viewports

Ah yes, from the command mode of Vim enter :split to split the current viewport horizontally.  Entering :vsp will split the window vertically.  Different text can then be loaded into each viewport using :e <filename>.  Moving from one viewport to the next is accomplished using Ctrl-w Ctrl-w.  (That’s Ctrl-w twice, not a typo.)   Alternatively, the standard Vim cursor movement keys (h j k l) prefixed with Ctrl-w will also move you between viewports.  So Ctrl-w j will move you one viewport down, Ctrl-w k will move you one viewport up, and so on.

The content of each viewport can be swapped back and forth or rotated by using Ctrl-w r to move the current viewport contents to the right or Ctrl-w R to move the contents to the left.

It’s easy to open a bunch of viewports and have them all different sizes, making the contents difficult to read.  Issuing Ctrl-w = will resize all of the viewports, making them equal sizes (or as close as possible).

Some Vim commands for manipulating viewports

:sp|:split will split the Vim window horizontally.

:vsp|:vsplit will split the Vim window vertically.

Ctrl-w Ctrl-w moves between Vim viewports.

Ctrl-w j moves one viewport down.

Ctrl-w k moves one viewport up.

Ctrl-w h moves one viewport to the left.

Ctrl-w l moves one viewport to the right.

Ctrl-w = tells Vim to resize viewports to be of equal size.

Ctrl-w - reduces the active viewport by one line.

Ctrl-w + increases the active viewport by one line.

Ctrl-w q will close the active window.

Ctrl-w r will rotate windows to the right.

Ctrl-w R will rotate windows to the left.

Do you have a great Vim tip?  Or an <editor of your choice> tip?  Then be sure to comment below, I’d love to learn something new!


Brief Notes on Installing OpenSolaris in VMWare Fusion

January 25th, 2009

These notes pertain specifically to OpenSolaris build 105 and VMWare Fusion v.2.01 on MacOS Leopard 10.5.6 ~ The host machine is a 13″ macbook with 2GB ram.


When initially creating a new virtual machine for Solaris 10 the default memory size is set to 580Mb.   At  this setting the install  either hangs or progresses so slowly that it might as well be hanged.  Increasing the memory to 1024Mb solves this problem and the install progresses and enters the graphical (X-windows) install for OpenSolaris.

Getting past the memory issue, the install continues but eventually fails due to lack of disk space.  The failure does not show up until  all questions have been answered from within the graphical install portion and the installer attempts to partition the provided disk space.  The default hard drive size is set to 8GB.  Setting this to 12GB does not prevent the failure of the installation.  Pre-allocating the disk space as a single file (not broken into 2GB chunks) was also ineffective; the installation still failed due to lack of disk space.  The install fails and the diagnostics appear to show that there was little to no disk space available.  This can be circumvented by manually partitioning the disk space.

Once the install process has reached the graphical portion, I was able to open a new terminal window and used the ‘fdisk’ command to create a new disk label (using solaris defaults) for the disk space provided within VMWare.  Once the disk was labeled and written, the install procedure was able to identify the disk space correctly and the install continued to completion.


Exploring Social Media (or how I met some great people through twitter!)

December 21st, 2008

I was tweeting in bed the other day…

Tweeting: (verb) To tweet.  Post a message composed of 140 characters or less to the Twitter service on the internet.

Ok, so I was sending this message that was composed of 140 characters or less to the Twitter service while I was in bed the other day…

Twitter?

It’s true.  I tweet.  I’m a twitterer.  A twitizen of the twitterverse.  Tweetsville population +1.

From Wikipedia, the free encyclopedia

Twitter, Inc.
Type: Private
Founded: 2006
Headquarters: San Francisco, California, USA
Key people: Jack Dorsey, Evan Williams, Biz Stone
Industry: mobile social network service, micro-blogging
Revenue: none (2008)
Employees: 25
Website: http://twitter.com/

Twitter is a free social networking and micro-blogging service that allows its users to send and read other users’ updates (otherwise known as tweets), which are text-based posts of up to 140 characters in length.

Updates are displayed on the user’s profile page and delivered to other users who have signed up to receive them. The sender can restrict delivery to those in his circle of friends (delivery to everyone being the default). Users can receive updates via the Twitter website, SMS, RSS, or email, or through an application such as Tweetie, TwitterFon, Twitterrific, Feedalizr, and Facebook. Four gateway numbers are currently available for SMS: short codes for the United States, Canada, and India, and a United Kingdom-based number for international use. Several third parties offer posting and receiving updates via email. Twitter had by one measure over 3 million accounts and, by another, well over 5 million visitors in September 2008, a fivefold increase in a month.

Some of the amazing people that I follow on Twitter are from St. Louis or St. Charles and tweet about things relevant to the area around me.  Some of them tweet about information security, or homeschooling, or operating systems; things that are interesting.  Some of them are just interesting people tweeting about their daily lives.

In a strange sort of way, it’s a sharing of community information.  Sometimes about the traffic around me, sometimes about news from around the world (a significant amount of the information that flowed out to the world regarding the Mumbai bombings came from people using Twitter) and it happens in real-time.  It’s faster than news agencies, it’s faster than blogs.  It’s broader than instant messaging.  Imagine being able to instant message 200 of your friends, each of whom was interconnected to 200 other friends, who in turn were connected to… well, you get the point.

It’s like a great big party on the internet, and you’re invited!   Just go to http://www.twitter.com and sign up!  Then go to http://search.twitter.com and search for things you like, or the city you live in and find people that you can “follow”   Then start tweeting!  Tweet what you’re doing, or something cool or funny you found on the internet.  Read what others have tweeted and respond!  Just like a party in real life, the more you interact, the more fun you’ll have.  (or the more value you will get from the experience)  Check out the lists over at http://twitter.grader.com for a list of highly rated people using twitter.  Here’s a list of St. Louis folk that you can take a look at and follow those that look interesting: http://bit.ly/Axcm

I can get a message out to a vast number of people almost instantaneously, and receive feedback nearly as fast.  I can ask a question, or post a link, or make a statement.

Today I met a handful of these folks at a Tweetup.  That’s a meeting in meatspace (i.e. the real world, not on the computer – great frame rates, graphics are awesome; game play can get tedious at times) of a group of local folk who use the Twitter service.

The St. Charles, MO Tweetup was held on Dec 20th, 2008 at the TrailHead Brewing Co. and was attended by:

St. Charles, MO Tweetup at Trailhead Brewing Co

@tojosan

@stl4closures

@idonotes

@jpickell <-that’s me!

@ap0ught

@LoriFeldman

@Karenstl

Pictures from the Tweetup courtesy of Tojosan: http://www.flickr.com/photos/tojosan/tags/trailheadbrewery/

The conversation was always fast and diverse!  We talked about Real Estate, Blackberrys, passwords, the amount of personal information that may or may not be available on the internet.  We talked about our kids, and our jobs, we talked about html formatting in a blog!  We talked about interesting ways of combining social media streams (Twitter, Facebook, Friendfeed, etc.).  We really covered so much ground and everyone had so many great ideas and suggestions or experiences to share!  I really wish that I had a notebook with me to be able to write down all of the great ideas that were bouncing around!  I’ve tried to capture some of the websites that were discussed and I’ve listed them at the end of this article.

If you haven’t participated in a local tweetup, you really don’t know what you’re missing.  In addition to all of the great conversation and socializing, it’s added a new dimension to my twitter experience that has been probably the most amazing thing of all:  I now know these folks in a way that’s just not possible from just being online with them.  The fact that we’ve tweeted together made it very easy and comfortable to meet them in real life.  Now when I tweet to these folks, there’s a deeper, more personal connection that didn’t exist before.  Do I truly know these people?  Probably not, but I can tell you this: some great friendships got off to a great start because of that tweetup!

You can follow me at twitter here: http://www.twitter.com/jpickell

Here’s a partial list of just some of the really cool websites/technologies that were discussed:

http://www.everythingtwitter.com

http://www.tweetshops.com

http://www.useqwitter.com

http://www.diigo.com

http://www.lijit.com/

http://www.kallow.com


Free online backups for home use

November 2nd, 2008

Just a quick note this morning to remind everyone to make sure that you’re making plenty of backups of your data.   I’m a bit paranoid when it comes to data loss, so I like to take extra precautions.  Since all of our computers are Macs, every machine here has an external drive attached for using Apple’s Time Machine to make automatic backups.  I also archive my data to a shared location on the network.  The only problem with either of these approaches (as implemented) is that it doesn’t get the data offsite.   To solve that problem, I’ve been using Mozy for the last two months.  Mozy offers 2GB of free online storage for home use per account.  It’s not enough to back up everything, but it goes a long way to back up my most important or timely documents.  I may consider upgrading my account and paying the $4.95 a month to get unlimited storage.

I haven’t tried the Windows client so I can’t vouch for it, but so far the Mac client has worked with no problems.

::Full Disclosure::

And if you decide to try it out I’d appreciate it if you used my link here.  It’s a referral program and I get an extra 256MB of space for each person that signs up through the link.   For a short time, they’re bumping that up to 512MB per sign up, so I thought I’d plug the product here and maybe earn myself a bit of extra backup storage!


Critical Microsoft Patch Released

October 23rd, 2008

The SANS Internet Storm Center is reporting that Microsoft has released a critical security patch to address a remote code execution vulnerability affecting users of Windows 2000, Windows XP, and Windows Server 2003.

There are unconfirmed reports that this critical patch was released out of band because the vulnerability it addresses is currently being exploited in the wild.


iPhone 3G USB Power Adapter Recall

September 19th, 2008

Apparently the little prongs on the adapter have a tendency to break off while plugged into an electrical outlet, causing a potential electrocution hazard.   Replacements will become available on October 10th at your local Apple store.  (If your adapter has a green dot near the prongs, you already have the newer redesigned version)

Check the following link to Apple’s page for all the specific details:

http://www.apple.com/support/usbadapter/exchangeprogram/