Reading current news and blog postings, you might think Chinese hackers are leading us to world's end, attacking our systems in ways before unseen in the history of computing. This is an obvious overreaction. Attacks against information assets—government, corporate, and personal—have been going on for some time. So why all the hype about the dangers of taking laptops to the Summer Olympics, using laptops in Chinese hotels, or carrying smartphones into Chinese public venues? Simple. Many users and organizations have blatantly ignored recommendations for protecting mobile devices, exposing themselves, their businesses, their customers, and often employees to harm.
Mobile devices in the hands of mobile workers are exposed to a variety of threats. Let's run down a short list.
- Hotel wired networks are often wide open to eavesdropping by cybercriminals or other guests. Jacking into a network frequently equates to sending and receiving information over a single collision domain. This means all packets for a set of rooms, a floor, several floors, or even the entire hotel/motel are seen by all other systems on the network. Unprotected packets are prime targets for capture, analysis, and data extraction.
- Connecting to unencrypted hotel or other public wireless networks, sending sensitive information out into the ether, is a well-known problem. I won't beat it to death.
- Improper configuration of firewalls, or the total lack of an end-user device security perimeter, allows anyone, anytime, and anywhere to use public networks to peruse private information on laptops, smartphones, or PDAs.
- Some unencrypted stolen or lost devices are a treasure chest of information, including passwords, customer and employee information, and user identity data. In large, chaotic venues like the Olympics, it isn't difficult to lose a laptop or PDA.
Again this is not a complete list of potential attack vectors, but proper attention to these four issues reduces risk to a reasonable and appropriate level. The following steps are a good start in preventing information or system compromise:
- Store only what you absolutely need. This is my first rule of data leakage protection. Why carry around customer spreadsheets, financial data, or plans for a new product/service if you don't need them while out of the office? Absent Information can't be compromised.
- Protect data passing over public wired or wireless networks. The best way to prevent casual or directed packet snooping on public networks is packet or session encryption, even if encryption is limited to only traffic between the end-user device and a traffic encryption service provider on the Internet. For ultimate protection, use only SSL connections to check e-mail or access company information. When this isn't possible, online services, both free and for-fee, can fill the gap. Two examples are MegaProxy (fee-based) and AnchorFree (free).
- Configure devices to block external snooping. The first step in establishing a security perimeter around a device is configuration of a firewall. Personal firewalls are free on laptops running Windows XP or Vista. These solutions provide minimal protection against intruder compromise of your mobile system. More complete protection is available in security suites, like those from AVG, McAfee, or Symantec. Firewalls are also available for many handheld devices, protecting contact lists, e-mail, and other sensitive information commonly found on PDAs and smartphones. The second step is configuring Bluetooth, on laptops and handhelds, to block all unauthorized access. Bluetooth threats and secure configuration information is found in Secure your Bluetooth wireless networks and protect your data. No laptop should be unnecessarily exposed because it lacks anti-malware protection.
- Encrypt sensitive information on the device. I know this is like beating the proverbial dead horse for many, but laptop theft reports make it clear that many users and organizations haven't yet gotten the message. And laptop encryption doesn't have to drain your budget. Solutions like TrueCrypt provide effective, free file and full-disk encryption. If you need a more centralized approach to key management, lost data destruction, or data recovery, online services like Beachhead or more traditional systems like PGP can help.
- Backup critical information. All business critical information should be copied to an alternate location. Even mobile users, who might not connect to the company network every day, can be protected against data loss with online solutions like Symantec's backup.com or with Amazon.com's S3 service, supported with client software like Jungle Disk.
And of course, practice standard system hardening practices—patching, shutting down all unneeded services, etc. In addition to following Microsoft's best practices, consider implementing some or all NIST (National Institute of Standards and Technology) recommendations and baseline template settings.
It shouldn't take warnings about Chinese hackers to push users and organizations toward secure mobile computing. Cybercriminals come in all shapes, sizes, and from all ethnic backgrounds. Securing systems isn't about thwarting what some see as the great cyber-threat in the East. It's simply the right thing to do.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.