McAfee Shows Security Flaws of Smartphones (Especially Android Devices)
Smartphone security, or the lack of it, is downright scary. At this week's McAfee Focus event, CIO.com columnist Rob Enderle discovered just how easy it is to hack into someone else's device. Even if you secure corporate phones, employees' personal phones pose a significant risk.
Fri, October 26, 2012
CIO — This week at McAfee Focus the security vendor pounded home one point that it really didn't think attendees understood: Virtually every smartphone can compromise enterprise security. However, I walked away with a vastly bigger concern: enterprise security practices, short of confiscating smartphones entirely, may actually be making us more vulnerable.
One of the jobs I held at IBM was in the internal audit department, and one of the skills I seemed to be best at was finding ways to successfully breach security that others thought was bulletproof. My last audit—and this is likely why it was my last audit—took me into the secure safe of a top IBM executive and gave me access to files that only two or three people in the world had ever seen. After that, security was my specialty, and ever since I've been a security analyst or had security analysts report to me.
I've always had a knack for being able to look at a security practice and figure out how it could be successfully breached. That's why I was so interested in what McAfee had to say this week about operating system and smartphone security.
Scary Landscape: Boot Files All Too Easy to Access
McAfee CTO Mike Fey demonstrated a proof of concept attack tool the company has developed to showcase just how easy it is to compromise current platforms. Most companies have been penetrated already, he says, with data analytics tools secretly installed so attackers can get a general sense of which user has the most systems authority or, in the case of banking, who moves the most cash. That's who attackers target.
Typically, the attackers' goals are to do a lot of damage, get access to confidential information or transfer cash. As an example, McAFee showcased a man-in-the-middle attack in which the browser session is hijacked and the user's ID, password and challenge question answers are captured. From there, a cash transfer is executed, and the user is pointed to a false account screen that doesn't show the transfer. This way, the user can't stop the order until the cash is beyond retrieval.
A scarier demonstration followed. Starting with a Windows 7 PC, McAfee accessed the boot files and successfully reformatted the drive while the unsuspecting user was online. This, of course, would result in a recovery event—and if you can reformat the system, then there is little else you can't do with it, even if you're not in Admin mode.