eReaders and Corporate Information
I love my Kindle, I really do. I can carry two or three books, magazines, newspapers or whatever with me when I travel, without the added weight of dead trees in my bag. There may be someone reading this who prefers a Nook, but feels the same way I do regarding eReader portability and functionality.
They are versatile, they are lightweight, they don’t take much time to turn on and, if you’re savvy, you can put just about any document on them beyond what’s available over the respective wireless networks. And therein lies the problem.
- The Nook and the Kindle both support the PDF, JPG, BMP and GIF file formats
- The Kindle lets you send an attachment to a unique email address assigned to your device; it is converted to PDF and delivered over the air to the device
- Both the Nook and the Kindle can be mounted as a hard drive on your computer
The traveling, productivity-minded side of me says “Hey, that’s great, I don’t have to boot a computer anymore if I can put a document into PDF format.”
But the security side of me says “Big problems to come in 2010 and beyond.”
Outside of the username and password assigned to the wireless store account, neither of these devices has any sort of access control or authentication mechanism, nor does either have any sort of file security or encryption. Therefore, there’s no way to prevent “just anyone” from picking it up, turning it on and reading whatever is on it.
However, there really isn’t a reason to have authentication or any other sort of security on them, right? Simply stated, they don’t need it because they’re intended to be devices of convenience for the avid reader. Business people, however, are always looking for ways to become more efficient.
Very recently, I’ve had conversations with colleagues and friends, during which one asked whether documents other than books could be read on the Kindle. His idea is to load it up with documents he needs to review while on airplanes. A great idea in concept, maybe not so much in practice, depending on the nature of the information.
The other already had a plan: he was thinking about getting one, and one of his plans was to put user guides, documentation and other materials related to the technology he sells on his eReader. Another good idea in theory, but again this could lead to problems down the road.
I’m sure much of this material will be benign, and my hope is that the folks I work with in the security industry will show better judgment than to put confidential information on their devices. But what about those outside the security industry with the same idea of eReaders as a model of efficiency for travel? That’s what concerns me.
Generally speaking, most people who discover the ability and convenience of putting documents on these devices won’t even think about the security implications of doing so.
The potential problem isn’t limited to the device owner either; it extends to anyone who can be authorized to send email to the device. In my case, I can set up users or entire domains that are allowed to send a document to my Kindle to be converted to PDF and delivered to my device. This happens automatically when I turn on the wireless connection and the device syncs with the Amazon servers. However, I have no way to control what’s being sent to the device. Sure, I can delete a document if it looks like it doesn’t belong or seems out of the ordinary, but the risk of confidential data being placed on the device still exists.
The ability to put documents on my Kindle is great, it really is. I love the fact that I’m not restricted to only paid content from Amazon. In theory, I could read and grade student papers during terms when I’m teaching. I could review draft documents intended for public use. The creative use cases for eReaders in business are quite extensive.
This is the problem that information security professionals will face in the coming year and beyond as more people buy eReaders. My years-old theory about personal technology in the workplace still holds true today: any consumer technology that becomes cheap enough to be widely used in the workplace creates a security risk, primarily because the owners of these devices bring them into the workplace thinking they will make their jobs easier, or simply use them as a convenience. The risk introduced by these devices can be attributed to the fact that the users of IT are quite smart; they do what they are allowed to do, in the environments where they are allowed to do “it”, with the knowledge and education they are provided.
Because of the ease of interoperability and the challenges associated with managing enterprise infrastructures, many personal technology devices have been introduced into the workplace over the years. These include: iPods/MP3 players used as hard drives (I know at least one person who has two iPods – one for music and one as a hard drive backup), mobile phones with their cameras and video/audio recording capabilities, high-capacity USB drives, watches with built-in USB drives, and portable document and business card scanners. In 2010, I believe we will see the eReader revolution take off as a personal technology device that is introduced into the workplace.
The job of the information security professional is only getting tougher, and even if companies are primarily concerned with minimum compliance standards, it’s time to start paying attention to where your data and information are being stored. In my opinion, it’s only a matter of time before one of your employees leaves an eReader on an airplane, in the security line or in a hotel room, and that eReader very well might contain information critical to your business that is not intended for public viewing.
This article has been making the rounds around the IT/Security blog world, and I couldn’t help but weigh in and comment on it. The story being passed around is a scary one: An employee of the Massachusetts state government was found to have a fairly large quantity of child pornography in the browser cache of his state-issued laptop. He was, of course, arrested and charged with possession of child porn. During the course of mounting his defense against these charges, it was found that his machine had some form of malware that was “programmed to visit as many as 40 child porn sites per minute,” a clearly impossible task for a human who actually wants to see what’s on those sites. It became clear to all involved that the pornographic images found were very unlikely to have been put there by him, and the charges were dropped. All’s well that ends well, right? Wrong.
The first problem here is that this opens Pandora’s box a crack, as it tends to raise the standard of proof for the conviction of real offenders. In fact, prosecutors are already calling this the “SODDI” (Some Other Dude Did It) defense. Their skepticism is probably warranted here: every real offender will point to this case and try to make the government (who has the burden of proof, at least in a United States court) prove that a virus wasn’t the reason illegal child pornography was on a particular machine.
There’s another problem here, though. This opens up a whole new world for profit-motivated malware authors. It’s actually a play on the old ransomware attack: traditionally, ransomware works on a “we’ve encrypted your files. Pay up or you’ll never see them again” basis. One problem in the business model for ransomware authors is that some people back up their machines (really!), and others simply won’t care about the data that is being held hostage. You can’t get someone to pay when they can simply respond “Screw you, I’ll just restore from backup”. The new twist on this is that, at least in concept, a ransomware author, instead of holding files hostage, can hold a person’s entire life hostage by planting a piece of malware of this type on someone’s machine and then threatening to expose that person.
Take, for example, the person in the article: he lost his job, his reputation, many of his friends, and close to 250,000 dollars spent on his defense – and you can’t restore that from backup. Crimes involving the sexual exploitation of children are (justifiably) considered to be among the most grave transgressions against not only individual children, but society as a whole, and people who commit these crimes have richly earned society’s reproach. One unfortunate side-effect of that, however, is the fact that the mere accusation, even a false one, of a crime of that magnitude is enough to irrevocably harm one’s reputation. If the profit-motivated malware gangs hadn’t already figured this one out, they certainly have now, and I’d be willing to bet that we’re going to see at least sporadic attacks of this type (attacks against the reputation of an individual) in the very near future.
I would be remiss if I did not mention the role of the backdoor within the context of this discussion. Backdoors are well known within the information security world. They come in a variety of flavors; however, they can traditionally be categorized as either symmetric or asymmetric (today their study is commonly referred to as cryptovirology). Adam Young and Moti Yung spoke about this back in 1996, defining the terminology and use cases. Backdoors are used (in authorized or unauthorized manners) largely for bypassing normal or traditional authentication mechanisms. The reality is that they are used to gain secure remote access to systems, with the endgame being access to plaintext data in some privilege-escalated state, all while remaining, or attempting to remain, undetected by administrators.
Backdoors can be independent applications or programs. They can also be the result of a modification made to an existing application, program or even hardware device (e.g., BIOS backdoor passwords). The possibilities are quite broad, limited only by the imagination of the designer and the weaknesses, flaws and vulnerabilities identified in the design of the target application, program or device. Examples of this type of activity are abundant. In November of 2003 just such a threat was identified and addressed in the Linux kernel. A two-line addition to a development copy of the source code, made to look like a harmless error-checking feature, was identified. At first glance it appeared to be quite harmless, benign in both function and intent. Why such a serious matter then? The answer stems from what the code was truly architected to do: if it identified an invalid combination of flag pairings, it would grant the process root privileges, turning the seemingly innocuous wait4() into a backdoor allowing complete control of any machine found susceptible to it.
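The wait4() case above, reconstructed as an added example that is not the kernel’s own code: the error check as a reviewer would read it beside the one-character variant that grants root, and the diff-review heuristic that catches the difference. The flag values, the task struct and all function names are stand-ins.

```c
#include <errno.h>
#include <string.h>
/* Constructed model of the 2003 wait4() incident, not kernel source; the
 * flag values and task struct are stand-ins for the real ones. */
#define WCLONE 0x80000000u
#define WALL   0x40000000u
struct task { unsigned int uid; };   /* stand-in for current->uid; 0 is root */

/* How the added lines read at a glance: reject an invalid flag pair ('=='). */
int benign_check(struct task *t, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE | WALL)) && (t->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Same shape with a single '=': the assignment stores 0 (root) into uid and
 * evaluates to 0, so no error is returned and the caller is silently root;
 * the extra parentheses also keep the compiler's assignment warning quiet. */
int backdoored_check(struct task *t, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE | WALL)) && (t->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* Run a check from a non-root process (uid 1000) and report the uid after. */
unsigned int uid_after(int (*check)(struct task *, unsigned int), unsigned int options)
{
    struct task t = { 1000 };
    check(&t, options);
    return t.uid;
}

/* Review aid: 1 if an if(...) condition contains a lone '=' (assignment)
 * rather than ==, !=, <= or >=, the pattern a diff reviewer should look for. */
int has_assignment_in_condition(const char *line)
{
    const char *p = strstr(line, "if (");
    int depth = 0;
    if (!p) return 0;
    for (p += 3; *p; p++) {
        if (*p == '(') depth++;
        else if (*p == ')' && --depth == 0) break;
        else if (*p == '=') {
            if (p[1] == '=') { p++; continue; }      /* == */
            if (strchr("!<>", p[-1])) continue;       /* != <= >= */
            return 1;
        }
    }
    return 0;
}
```

Both checks return 0 for an ordinary user passing the invalid flag pair, which is why the diff looked harmless; only the uid afterwards differs.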
Many other such examples of this type of threat can be seen historically, some associated with worms such as MyDoom, and others manifesting as cleverly marketed DRM-styled protection mechanisms such as the SONY/BMG rootkit I discussed in my last post. It’s important to bear in mind that all of them play a role in today’s threat landscape and have not gone the way of the dinosaur as some researchers and vendors would have you believe. Their uses and applications are limited only by the intent and imaginations of those wielding them. Their role in the rise of Advanced Persistent Threats and designer malware is irrefutable and must not be dismissed as an idea held over from the antiquity of computing.