Worker’s Reluctant to Follow Company BYOD Policy

Even at companies with BYOD (bring-your-own-device) policies, users may still be reluctant to officially register their tablets and smartphones with IT, instead preferring to covertly access the network. That’s according to a new study that shows employees are concerned about losing their personal data if they officially register their devices with the IT organization at their company. To ensure compliance with policies, managed services providers (MSPs) may need to win over small and mid-sized businesses (SMBs) employees with promises to protect personal data.

Aruba Networks, Inc. (ARUN) conducted the survey of more than 3,000 employees around the world. American respondents, specifically, fear the loss of personal data more than other regions of the world, the study revealed. Around 66 percent of American respondents claimed that they fear the loss of data, compared to the 45 percent of Europeans and 40 of Middle Easterners who felt the same.

More than 50 percent of Americans said their IT department takes no steps to ensure the security of corporate files and applications on their personal devices, a concern that has forced many employees to keep personal devices away from IT departments. Seventeen percent of Americans have not told their employers that they use a personal device for work. If you think that’s frightening, keep reading.

Eleven percent of American respondents said they would not report a compromised device, while 36 percent said they would not report leaked data immediately.

According to the survey, these numbers come from a distrust of IT departments and employee fear about what IT may do with personal data. Forty-five percent of respondents in the United States worry about their IT department’s access to personal data.

Should MSPs include policies and guarantees to customers’ employees on personal data?

There need to be incentives from the company to persuade employees to follow BYOD policy.  Furthermore, there must be a culture of transparency and trust from IT to help calm the fears workers have.

Our Mobile Device Management (MDM) solutions allow our technicians and engineers the ability to monitor and manage the mobile device but they do not have access to personal items such as text messages or pictures.  If there is ever a question of what we can or can not do, we give the client a complete tour of our MDM platform.

The importance of a highly secure IT environment coupled with the lack of adherence of workers to BYOD policies gives rise to major concerns.  Companies of all sizes need to rethink their policies and procedures regarding BYOD.  Also, ensure the MSP or IT provider is trustworthy and operates in complete transparency.  The goal is to protect your company, your IT environment, your customers and your employees.

Companies, especially small businesses, that ignore BYOD are playing Russian roulette.  Everyday workers are using secure business networks to do things on their mobile devices which are highly unsecured and dangerous to the IT environment.  For some verticals, such as healthcare, these oversights can led to a breach and bring disastrous implications.

Want to have a discussion about protecting your business and your employees?  Give us a call find out how we can help.

Serious Android Flaw Could Turn Mobile Apps Malicious

A weakness in the Android security model that validates mobile applications could be used by an attacker to turn a legitimate Android app into a dangerous attack platform, according to a security firm that discovered the vulnerability.

The weakness, discovered by San Francisco-based mobile security startup Bluebox Security, was reported to Google (NSDQ:GOOG)and has been corrected, but the firm said millions of Android devices remain vulnerable. The flaw enables an attacker to bypass the Google Play security mechanism designed to review changes to applications before they are sent to users.

Bluebox Chief Technology Officer Jeff Forristal will present the details of the vulnerability later this month at the 2013 Black Hat conference in Las Vegas.

The Android flaw, which has been in the firmware since 2009, enables an attacker to modify the mobile application code without breaking its cryptographic signature, wrote Forristal. In an alert to Android owners last week, Forristal said application changes could be made without being noticed by the app store, device or end user.

“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” Forristal wrote.

Digital signatures are used by both Google and Apple to determine the validity of a mobile application. The flaw enables the digital signature to remain intact even if modifications are made, Forristal said. Bluebox showed a screenshot of an HTC device showing how the manufacturer’s software can be modified to access all permissions on the device.

An attacker can program a legitimate app to make phone calls and record them, send text messages or turn on the camera. “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Forristal wrote.

Millions of mobile phones could continue to be at risk because security updates pushed out by Google must go to individual handset makers before being pushed out to device owners through their mobile carrier.

Breaking or cheating the cryptographic signature used to validate applications is a potentially serious issue opening up device owners to a wealth of serious problems, said Cameron Camp, a security researcher, at Bratislava, Slovakia-based antivirus vendor ESET. Code signing and application isolation or sandboxing are among the security measures used to make mobile devices safer.

“If you can break the crypto or cheat the crypto into thinking it’s something that it’s not then that is a dangerous problem,” Camp said.

Google did not respond to a request from CRN for comment. The company has reportedly updated its official app store, Google Play, to thwart attempts to cheat the app verification process. But Camp said mobile malware writers bypass Google altogether, getting malicious applications onto devices by using third-party app stores.

Android malware has increased significantly, with more than 92 percent of mobile malware targeting the platform, according toJuniper Networks (NSDQ:JNPR), which released its annual mobile threat report last week. Other reports found a precipitous increase in mobile attacks targeting Android devices. Google has been adding improvements, Camp said, including the addition of Bouncer, a malware scanner that vets apps before they are officially released to Android device owners.

“There are still an awful lot of apps to be analyzing on a daily basis, so determining with any degree of assurance that no malicious code out there is going to be difficult,” Camp said.

Originally posted here:

Apple Users Beware: Phishing Sites Are After Account Credentials

It’s not a surprising finding and one that experts have been predicting, but data being collected by antivirus vendors is revealing a rising number of threats targeting Apple (NSDQ:AAPL) users. While malware growth is relatively flat, phishing sites designed to trick users into giving up their account credentials is on the rise.

Threat detection data collected by Kaspersky Lab shows a significant increase in phishing sites attempting to trick users into giving up their Apple account credentials, according to Nadezhda Demidova, who recently provided analysis of the Apple phishing threat data. Apple iCloud and iTunes accounts can be lucrative to cybercriminals, Demidova said.

In addition to information stored in the Apple account, “many malicious users go further and try to the steal bank card details used to pay for those purchases,” Demidova wrote.

Phishing attacks targeting Apple users increased from 1,000 detections per day on average in 2011 to about 200,000 detections per day today, according to the Kaspersky Lab data. Many of the sites attempt to mirror the official Apple store or an official-looking Apple credential reset page. A user who doesn’t pay attention to the location of the Web page can easily be tricked into giving up information.

Fake phishing sites rose and declined throughout the year, but some significant surges can be traced to Apple events. Demidova noted that some of the surges in phishing can be attributed to iTunes store unveilings in Russia and more than 50 other countries in 2012.

The Mac malware threat, meanwhile, remains low. Only 2.5 percent of threats encountered by Mac users were written specifically for Macs, according to statistics from Symantec (NSDQ:SYMC). The latest Threat Report from McAfee supports Symantec’s findings and noted that malware growth was flat throughout much of 2012, with no growth in the first quarter of 2013.

Much of the Apple malware being detected stems from attack toolkits that continue to use the Flashback Trojan, which was behind an advertising click fraud campaign that targeted a Java error to infect Macs. Statistics vary but most experts say that Flashback infected about 600,000 Macs. Flashback may have served as a wake-up call to Apple users that they are not immune to malware attacks despite the lower risk of infection.

Graham Cluley, a U.K.-based security expert, said Mac threats are lower in number but include many of the standard problems encountered by PC users. Fake antivirus software has been configured to target both Mac and PC users and malicious software also targets browser components regardless of the platform the user is running, Cluley told CRN.

“I think you would be very foolish to not run an antivirus on your Mac,” Cluley said. “Mac malware in the last couple of years has moved from being experimental to having clearly been built with financial and spying motivations.”

Originally posted here: