× close Kiandra IT Logo Kiandra IT
Back to blog

COMMON SENSE SECURITY – INSTALMENT 4 – Encryption & Mobile Devices

Encryption these days is available for pretty much every device out there, but people and companies tend to shy away from it. I can’t figure out if it’s one of those ‘too hard’ situations or they just feel they don’t require it.

Let me give you a scenario, you have mobile sales and engineering teams that work off laptops and phones and frequently travel around the country, they are hardly in the office and they store a lot of their data locally on their devices. This data contains schematics for the latest mechanical product you are developing that would revolutionise a particular field. You also have a sales team that keep company pricing and other confidential client information on their laptops, and in emails on their phones.

What happens if one of the laptops gets lost or stolen? How much is the data on these devices worth to the company, and your competitors? You could be in big trouble, if all the data is compromised think about the lost revenue….private information being made public and most importantly the potential that your clients are at risk. These are the scenarios you need to think about.

Phones fall into the same boat, most people have smart phones and these smart phones have emails, documents and all sorts of other valuable information stored on them.

One of the easiest ways to mitigate these threats (without reverting to paper, crayons and a bubble for everyone) is encryption. Microsoft ship Bitlocker as part of the OS for versions Vista and above. So long as you have a TPM module in your laptop (and sometimes even if you don’t) you can utilise this and it will protect the data, all data is encrypted and no-one will have access to it.

BitLocker also supports a Diffuser algorithm to help protect the system against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. Other vendors also have their own proprietary encryption software that can be used as well. Bitlocker uses AES 128 and 256 bit keys respectively and can be controlled by group policy.

In the case of phones, I recommend the use of windows mobile based device, not only does it provide free encryption of varying algorithms (AES, HMACSHA1, HMACSHA256, Rfc2898DeriveBytes, SHA1 and SHA256) but you can deploy encryption to it over the air, and it also has a feature called Device Lock which provides enhanced pin/password encryption, not to mention the device can be wiped remotely if lost.

Apple and Android based devices also have this facility to some degree, so why not use it?

Mobile phones are major sources of security weaknesses for organisations. These days mobile phones have bluetooth, wireless, IR, provide WAP services, 3G…the list goes on, but it’s amazing to see how many people still utilise bluetooth and leave it on all day long, my suggestion, turn bluetooth off if not in use!

It is extremely easy for someone to perform ‘Bluesnarfing’ and take control of your device and have access to everything from your videos, through to your contacts, through to making calls – not to mention that if your phone is also linked to the company network over wireless, a malicious person has just bypassed all of your enterprise security controls.

‘Bluejacking’ is another term that basically involves sending unsolicited messages / data to other bluetooth devices.

If you need to use bluetooth, much of the above can be mitigated by ensuring you set a PIN and change it frequently. For new bluetooth connections from devices, periodically review your bluetooth partner list and remove anything you do not know, block all unauthorised connections to your device, and of course turn off visibility for bluetooth. Better yet turn it off when not needed, it will save you power!

Also ensure that you set a lock code and lock your screen on your device, it’s not fool proof, and there are easy ways to get the pin (besides torture) but it’s still a good practice. For those of you who have devices with the drawing option to unlock your device (touchscreens like iphone and android based) with the circle and connecting lines (see below), sorry to say, you guys have the easiest device ever to gain access to. Unfortunately the normal oil released from the skin, combined with the surface texture used on your phone leaves a perfect trail to be followed, when a light is shined on your device.


Wireless

It’s amazing how in this day and age, you stumble across things that are from the stone age, and just keep coming back over and over again, for example mullets, shoulder pads, tight jeans and WEP encryption. I can’t understand how anyone can still use WEP for encryption but a lot of people are. Why is WEP weak? (Non tech’s turn away now).

It is easily breakable because of its key management and key size weaknesses, key management is not specified in the WEP standard, and the key is only 40 bits and uses RC4, not to mention portions of the data are sent in clear text.

The IV is too small. WEP’s IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for a given WEP key, for any key size, the IV is sent in clear test and the IV can be reused. If the RC4 cipher stream for a given IV is found, an attacker can decrypt subsequent packets that were encrypted with the same IV or can forge packets.

The ICV algorithm is not appropriate, the WEP ICV is based on CRC-32, an algorithm for detecting noise and common errors in transmission. CRC-32 is an excellent checksum for detecting errors, but an awful choice for a cryptographic hash. Better-designed encryption systems use algorithms such as MD5 or SHA-1 for their ICVs.

The CRC-32 ICV is a linear function of the message meaning that an attacker can modify an encrypted message and easily fix the ICV so the message appears authentic. The biggest problem with IV- and ICV-based attacks is they are independent of key size, meaning that even huge keys all look the same. The attack takes the same amount of effort.

RC4 in its implementation in WEP has been found to have weak keys. Having a weak key means there is more correlation between the key and the output than there should be for good security

802.11 defines two forms of authentication: Open System (no authentication) and Shared Key authentication. These are used to authenticate the client to the access point. The idea was that authentication would be better than no authentication because the user has to prove knowledge of the shared WEP key, in effect, authenticating themself. In fact, the exact opposite is true: If you turn on authentication, you actually reduce the total security of your network andmake it easier to guess your WEP key.