Viewing posts from : December 2009



Video games are a threat to my corporate security? If only it were a joke. Video games, PC based as well as console games, and even phones, are a threat. Not one that you as the asset protector can necessarily deal with, but awareness of a growing threat can’t hurt.

We (in the security industry) are well aware of the use of console systems for brute forcing passwords on encrypted sources. The Air Force and other governmental agencies have made large quantity purchases, for various “missions”. But aside from the massive computational power, modern game consoles have a dark side almost nobody is talking about yet: harnessing them for a botnet. If some enterprising hacker figures out a way to harness one or more console types in a persistent botnet, we could have a serious problem. And none of the consoles is equipped with security features anywhere near those of the PC platforms. You’d think that would make them natural targets. At least they tend to use private networks for connectivity, although a good examination of the protocols should reveal the usual collection of weaknesses and exploitable problems.

If you look at a modern console game platform, you’ll find all the necessary hardware to support malware: processors, persistent memory, and a network connection. Several platforms are readily hackable, in ways that the manufacturer won’t be able to detect without knowing what to look for, assuming anyone is even looking. Better yet, most of the console OSs bear a close resemblance to an existing OS platform, making it easy to transition to coding for the consoles. Getting the information necessary to pervert the console OS might be difficult, but definitely not impossible: since most of the code necessary for programming the console is available, the actual OS code can’t be far out of reach.

We are reviewing the EULA to see if we can conduct some tests on our console without angering some corporate lawyers or “bricking” the unit.

Games that run on consoles are another issue. Assuming the same level of security awareness in game programmers as found in corporate software would seem to imply that there are quite a few bugs out there waiting to be exploited. Thankfully, the cycle of game popularity means there is a shorter window of availability to use any particular game as a point of entry to a console. PC games have similar concerns. The protocol streams of both types of games reveal some interesting artifacts that may lead to exploitable services. Who would have thought of using a MitM attack against an Xbox?

PC games are more of a security challenge, though, as many, if not all, corporate alpha geeks, and many company males in general, either take laptops home, where user PCs get access to them on the home network, or directly install games on the corporate hardware. Two vectors to gain access inside your firewall, bypassing most, if not all, of your security.

Bill, in Sales, loads a popular game on his corporate laptop, and if that game is compromised, the hacker has a clean, invisible pipe into your corporate network. Or it could just turn into a simple botnet zombie that, when he innocently brings it to the office, infects the rest of your company PCs.

If hackers are willing to exploit Adobe and Word, what makes you think they won’t exploit Madden NFL 10?

In any corporate environment, be sure you are restricting users’ abilities to install programs or to connect uncleared devices to a secured network.

Digital Trust, LLC

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.

Passing business information to a mobile phone increases a risk of loss for the information, we all know this, so why do we permit it to happen? Risk management: sometimes the payoff is worth it. But what is the big deal, anyhow?

First, there is the direct loss issue. If a user loses a phone with business information and someone finds the phone, they can access the business information. The business can avoid this risk by restricting what information can be transferred to mobile devices and by setting policy for proper use by users. This is very restrictive, however, and should the business case indicate that mobile phone risks may be justified, additional options must be examined.

Second is a control issue. Once the business determines that phone use is acceptable, how does it minimize the risk of loss or compromise? Policy, both paper and electronic, can ensure that a phone is locked and password protected. In most cases this prevents loss through a misplaced or stolen phone. Encryption of the device, encryption of the business information, and secure erasure are all additional protective measures that can be implemented. But the platform must support the security requirement, or the policy is moot.

Currently, Blackberry is the only secure phone on the market with adequate controls for use as an extended business network. Companies should properly configure and restrict the Blackberry so that users don’t inadvertently expose their phones to hostile software. Likewise, companies should observe the phone behavior, just as they would a user PC in the office, to watch for abnormal activity, such as browsing to international web domains or similar. Anything that can be observed to detect a compromised device should be tracked and alerted on. eTracker from Prism is a good choice for log management and alerting.
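The kind of check described above, watching device traffic for browsing to unexpected international domains and raising an alert, as an added example that is not from the original post or from any product it names. The log format, the device identifiers and the set of expected top-level domains are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a mobile-proxy log (not from any real deployment):
# <timestamp> <device-id> <user> <destination-host> <http-status>
SAMPLE_LOG = """\
2009-12-01T08:02:11 bb-0143 bill.sales mail.example.com 200
2009-12-01T08:05:40 bb-0143 bill.sales intranet.example.com 200
2009-12-01T12:17:03 bb-0143 bill.sales update.example.ru 200
2009-12-01T12:17:09 bb-0143 bill.sales cdn.example.ru 200
2009-12-01T12:18:22 bb-0143 bill.sales login.example.cn 302
2009-12-01T09:30:00 bb-0271 ann.hr news.example.com 200
2009-12-01T09:31:12 bb-0271 ann.hr partner.example.co.uk 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumed business footprint: TLDs the organisation expects its users to reach.
# Anything outside this set counts as "international" for this example.
EXPECTED_TLDS = {"com", "net", "org", "us", "uk", "ca"}


def tld(host):
    """Return the final label of a hostname, lower-cased (e.g. 'co.uk' -> 'uk')."""
    return host.rsplit(".", 1)[-1].lower()


def parse(log_text):
    """Yield (device, user, host) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, device, user, host, _ = m.groups()
            yield device, user, host


def find_foreign_browsing(log_text, threshold=2):
    """Map device -> list of unexpected hosts, keeping only devices at or over `threshold` hits.

    The threshold suppresses one-off noise so an alert fires on a pattern, not a single visit.
    """
    hits = defaultdict(list)
    for device, _user, host in parse(log_text):
        if tld(host) not in EXPECTED_TLDS:
            hits[device].append(host)
    return {device: hosts for device, hosts in hits.items() if len(hosts) >= threshold}


def alerts(log_text, threshold=2):
    """Render one alert line per flagged device, ready for a log-management tool to ingest."""
    return [f"ALERT device={d} foreign_hosts={','.join(h)}"
            for d, h in sorted(find_foreign_browsing(log_text, threshold).items())]
```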

But a Blackberry alone does not guarantee better security; the device must be configured properly and audited for any compliance issues. If you are, for example, passing patient data to a device, then that access must be logged for HIPAA compliance. And users who own their own phones are at greater risk of loss than users of phones controlled through a Blackberry Enterprise Server (BES). Through the centralized control of a BES, auditing and security settings are maintained by the business. Trusting the end user to perform these activities increases the risk that a mistake will occur and information will be compromised. Only through the use of the BES can a company be confident it has properly addressed security concerns for mobile devices.

Furthermore, proper selection of a BES is vital to maintaining the security protections. If you elect to have a RIM BES in house, you’ve got all the responsibility and capability. If you elect to use RIM external BES options, you have transferred some control, but keep all the responsibility. It may be easier on your IT shop, but you’ll have to trust RIM. Finally, there are third party options, including functionality for non-Blackberry phones, similar to a BES. Again, you’ll have to trust these 3rd parties.

Currently only the RIM Blackberry and BES server stand alone at the top of the security risk prevention chart for organizational smart phone use. Any organization selecting an alternative solution should be prepared for potential problems, including justifying why you elected to use the higher risk option. Until an alternative enterprise option has been vetted by a qualified security organization, electing to use anything but the Blackberry BES is accepting additional risk that companies must justify to be compliant with risk management requirements in regulated environments.

Finally, there are issues with smart phones that you as a user may not know about, that bad guys are gleefully searching for, and that vendors will not bring up for fear of losing sales. Did you know that iPhones log screen shots of all user activity? Imagine that, a record of your activity on your phone.

Digital Trust, LLC