Archive for the ‘Apple’ Category.

Good App for iPhone Update

Good released a minor update to their app for the iPhone.   Release notes are on their site.

Companies that don’t want to use ActiveSync but still feel pressured into making the iPhone an option are looking to Good to do so.  

From the release notes:
• Complete landscape view – Including email list view, calendar, contacts and attachments.
• Conference dialer – quickly and easily dial into a conference bridge without having to memorize the conference pass code.
• Maps integration – quickly find the location of your meeting on a map and even get driving directions.

A change not mentioned is that when I receive a signed message, instead of no indication the message is signed, I now get a message:

The sender has digitally signed the message with a personal certificate.  To verify the signature you can read this message on your desktop computer.

I can still read the message on the device, as I could before the update.   Without signature verification, I feel like this update only provides a false sense of message source identity verification.  

It’s my understanding that full S/MIME support is on the roadmap.

Jailbreaking – Unsafe at any speed

Look at me, making Ralph Nader references whether they work or not.

Back in July, the US Copyright office ruled it is legal to jailbreak your iPhone in order to install non-appstore apps or even to unlock the phone to use with another carrier.

What does this mean for iPhones used in the enterprise?

Just because something is permissible under the law, that does not mean that a corporation must allow it.    Apple may still make it a violation of their terms of service and void the warranty. 

Jailbreaking  offers a greater potential for malware to be run on the phone.  Do you remember the iPhone jailbreak worm?   A popular jailbreaking technique was setting up SSH and leaving a default password.   Doh!

Dave Zatz had a recent post asking if there was even a case for jailbreaking anymore.

So while my company is full of engineers who like to tinker, while the phone has corporate data we need to enforce a no-jailbreaking policy.

Good[tm] for iPhone

As I mentioned back in July we started an evaluation of Good on the iPhone.   We used Good in the bad old days of RIM’s patent fight.  Some executives stated they wanted a quick out plan in case RIM was forced to shut down.   I don’t think that was ever likely to happen.   It did allow us to bring in what was then the current top (gadget) fashion accessory.  A Palm Treo.   I think we had both the original palm operating system and a Windows Mobile version.   I really hated it.   It locked up often requiring a device reboot (pull the battery). 

As I understand it we were able to bring our Good license back up to date without much trouble.  So the remaining question is will the current gadget accessory, the iPhone, work well with Good.    Part of security is usability so this post will largely focus on Good’s usability.

Installation
For those not familiar, Good is installed as an application from the App store.   Once that is installed, it can be provisioned over the air just like the Blackberry.   No issue there.  

Policies
I’m sure you can find other places that do a blow-by-blow comparison of the policies available on a Blackberry versus Good.  I think it has the policies needed.  One issue we had for a bit was every time we exited Good even for a second, we’d have to reauthenticate when we returned to it.   It turned out we had the security policy a bit too tight.  The Good environment can be set to timeout after x minutes whether you have the app open or not.  

Email
Good does not do S/MIME.   This really sucks.   This is on their roadmap for this year.   First being able to verify signatures and then later being able to encrypt/decrypt messages as well.   So they’ll be catching up with Blackberry.    I haven’t heard if Apple has any plans to support this natively on the phone.  I didn’t ask if PGP support was in the offering.  

There seem to be issues with HTML-only emails. I’ve had that issue with a couple of messages where nothing displays. To be fair we had an issue like that with the Blackberry. If I recall correctly they hated Cyrillic characters.

Attachments
I have not checked what attachments are supposed to be readable.   I had issues with a few docx files.  Yet when I sent myself a docx test file, it opened correctly.   There is a configuration to keep larger attachments (4 MB by default) from downloading to the device.

If you used Notes or Tasks in Outlook those items are not synced.

There are a number of Good settings that aren’t supported on iOS 4 right now. You are unable to deploy the iPhone configuration file using Good. It’s a good idea to be able to refresh that configuration rather than just when the phone is new. In Good’s compliance policy they have a section to force Good to close or wipe itself if it detects the phone is jailbroken. If I understand a co-worker correctly, he was told by Good that feature doesn’t work on iOS 4 either. I haven’t gotten an answer on how Good tells it’s jailbroken. It appears that it’s checking for installed software (and I’d need to supply the names of the apps to look for).

Calendaring
My only issue with Good and calendaring is the meeting reminders are worthless.  Seems like whether the app is unlocked or not, I get “good meeting reminder” then I have to open Good to see what the meeting was.   One of those security tradeoffs.   But a meeting title isn’t that secret to me.

Apparently delegation is not working.  My Director issued an invitation from Good to a Senior Manager.   The Admin Assistant was unable to accept on his behalf even though she had the correct Exchange rights.   I’m wondering if that is a Good configuration issue rather than something that would require a patch.   

Bottom Line
It’s a bit sad but Blackberry is no longer something they’d have to pry from my cold dead hands.   The Good application is more than acceptable usability and I think security too.   I probably check mail a bit less because it’s in a separate application but that can be a good thing.  The work/life balance can be improved if I’m not looking at work email every 5 minutes.

I’ve now heard questions about allowing Good to be installed on personal iPhones. Check out the Forrester article I linked to yesterday for some tips on policies to use in that event. To a certain extent the flood gates are opened. If Good is good enough for a corporate iPhone, what about personal iPhones? What about Android?

I’d love to hear what other people do about a device pin/passcode versus a Good pin/passcode.   Some people feel with a strong passcode policy on the Good application no device passcode is necessary.   I’m not sure I agree with that.

Forrester’s iPhone Article

Earlier this week Forrester released a paper on iPhone and Enterprise use. That article was summarized by Larry Dignan on ZDNet. As a side note, I started to write on this earlier but wasn’t sure that I could legitimately quote from the article. I guess it would be ok to quote small passages to critique. But it’s fairly easy to start using too much. I don’t need Forrester on my case over their $500 article. I notice the article was updated 8/4. I read the original Forrester article.

The thing to remember is these research company articles focus on feature sets. Can you check the encryption box. Can you require a pin. Can you remote wipe. While that is a good baseline, I’m worried about security not box checking. Can you bypass the encryption still is first on my list. So they bury security considerations deep within the article after spending half the article saying the iPhone 3.1 was secure enough. No. It wasn’t. iOS 3.1 failed to fix the Zdziarski Method. There was also the insecure backups in Zdziarski’s videos. And then later there was the boot PIN bypass. Let’s not forget that Apple downplayed or denied these issues. That’s just how they roll.

Andrew Jaquith equates iPhone security with PC security. Yet denies that the phone needs any of the security software that a PC would have. He says because people don’t worry about Cold Boot Attacks against Full Disk Encryption, they shouldn’t worry about encryption bypasses on the iPhone. My FDE product claims to have protection in place against the cold boot attack. Additionally, the FDE still protects against cold boot attacks when off. Lastly, laptop computers are necessary. Replacing the Blackberry with an iPhone is personal preference. Thus different requirements are possible. I would suspect a phone is much more likely to be lost, and now it’s a candidate to be stolen as well.

The iPhone already found a home in organizations that don’t care about security. What is supposed to allow us to sleep at night and deploy the iPhone is the new encryption. Each App can now have a separate data container with its own encryption keys. Check out Anthony Vance’s blog post. Only Mail by default is encrypted this way. Each app developer would have to specifically use it. I wonder if a year from now we’ll have similar security issues as were found in iOS 3.

I feel pretty secure about my corporate email inside a GoodLink on the iPhone.   But what other data will end up on this device?   Fortunately, the iPhone doesn’t seem to like our brand of EAP-GTC.   So it stays off our internal wireless.   We keep them off the ASA by not enabling it for access.  (I’m guessing that request isn’t far behind).

 I feel a bit offended by the tone that anyone stopping to evaluate the security of the iPhone must be a security idiot.   (even though they do go on to say that Corporations under strict regulatory control will need the stronger security of the Blackberry).

Unisys and the iPhone

Have you read this Apple profile on Unisys’ use of the iPhone?

“A wide range of aspects give us confidence that iPhone is a secure device.”

Tip Underwood, Vice President of Sales and Management Support

I wonder if they still have that confidence after reading about the Zdziarski Method or PIN bypass. The PIN bypass may be fixed in version 4. Then there is the issue of Apple patching haphazardly, for example the desktop Safari gets patched but the phone lags. Then there is the issue of patch management on an iPhone.

It worries me. That’s why we’ve been fighting iPhone ActiveSync forever and are looking at Good to see if that might be more secure.

SEP 11.0.6

Symantec Endpoint Protection 11.0.6 is available on fileconnect. The release notes are here.
Release Highlights

• “Symantec Protection Center v1.0” introduces a centralized management console with single sign-on to integrated Symantec applications including Endpoint Protection, Brightmail Gateway, Data Loss Prevention, Web Gateway, Critical System Protection, and IT Analytics
• “SEP Manager Web Console” delivers web-based access to SEP Manager in addition to the legacy JAVA console
• “SEP for Mac” provides integrated management and reporting of Mac and Windows clients in the SEP Manager
• Randomizing scan start time improves support for clients in virtualized environments
• The Symantec Endpoint Recovery Tool allows customers to scan and remove malware from client computers that the SEP client is unable to remediate effectively
• Enhanced default Antivirus and Antispyware security settings make SEP more efficient at detecting malware
• Includes over 155 customer reported defects

One of the defects may be one I’ve had a case open on for more than a year.
Auto Location Switching does not recognize 144 Mb/sec 802.11n connections
Fix ID: 1927272
Symptom: Auto Location Switching does not switch a client to a 144Mbs wireless connection
Solution: Added support for a 144Mbps wireless connection.
I’m hopeful that this will solve the location awareness issues when 802.11n is used. I’ve been told that wouldn’t be fixed until RU6MP1. But we’ll see what this does.
Another writeup on the release is here.

iPhone (in)security in the enterprise – Followup

Back in November I wrote a summary of several concerns we have about the iPhone in the enterprise.
Four months later let’s take a look and see what’s changed.
One of the other guys at work took that list of concerns to our AT&T rep, who then took them to an unnamed, untitled Apple contact. Next they ran the questions by the magic 8 ball. The responses are below.
Problem 1: Encryption and PIN bypasses reported at iPhoneinsecurity.com
Apple’s Response:
We take iPhone security very seriously and have made consistent improvements in all areas. For example, in the most recent iPhone 3.1.3 update we made the changes detailed in the following KB – http://support.apple.com/kb/HT4013. One to highlight is CVE-ID: CVE-2010-0038 related to recovery mode. This is a big improvement to thwart those who are using tools to modify the iPhone software.
That doesn’t really answer the question though. Is the encryption bypass which Zdziarski is only talking to law enforcement about fixed or not? Due to the lack of public disclosure there is no way to know. Zdziarski does mention using recovery mode so it is possible that the attack is patched. But I don’t give the benefit of the doubt to non-disclosers.
I suppose some would argue that the evil maid attack allows bypass of Full Disk Encryption on computers so I shouldn’t have my data there either. Of course using a smart card or bitlocker with TPM I could protect myself from this attack.
The evil maid attack requires an attacker to have physical access to the device. Then I log in. Then the maid returns to harvest the results. The iPhone encryption bypass can occur when you leave the iPhone unattended for a few minutes. I don’t think that is comparable.
2. iphoneinsecurity shows a password bypass in addition to the encryption bypass.
Apple’s response indicates that the enterprise passcode policy is completely different than the consumer four-digit PIN and thus not vulnerable. I’m not sure I’m buying that.
3. Lack of Centralized Config Management
Apple’s response indicates that it’s possible to force the iPhone to have the enterprise’s configuration in order to be able to connect to the enterprise. I’m not sure exactly how that is supposed to be done.
Further, Apple claims that the iPhone is more secure than the Blackberry because it’s Unix. It’s also more secure because you can only run one application at a time and every app is approved by Apple. lolz.
4. Patching
With the BES we can deploy them as forced updates over the air.
Apple’s Response:
We (Apple) don’t view them as patches, but as major, free OS upgrades and updates..a typical OS update for us is 200-300 meg ( very unwieldy to do OTA) and is packed with useful new features , security upgrades, OS enhancements, etc…
“We don’t view them as patches”. Sorry, I didn’t read the rest. Laughing too hard.
5. iTunes
Apple responded that it’s best practice to not supply full iTunes to everyone. Apparently there is some way to skinny down iTunes so it’s basically a sync software.
6. App Store
This issue goes back to is this a business device or not. Are the users going to have the device on their Apple account and take the applications with them or what?
Apple’s response was basically, yes the user takes the app with them when they leave the company even though the company bought the app.
7. Jailbroken phones may be less secure.
Apple’s response is don’t let jailbroken phones connect to the network. No word on how to do that. Authentication alone doesn’t do that. Is ActiveSync going to check for that? I think not.
8. Repeaters. This is more an AT&T issue. If we buy X iPhones can we get repeaters for free?

Unicorn sighting

A few weeks ago my officemate posted to Facebook,

I’ve just been told by two different Mac Geniuses that installing an antivirus software could actually make the Mac computer less secure. Unfortunately, both were phone conversations because I’m almost certain they were doing the Jedi mind trick hand motions.

  


As I read that, I figured this was Mac users in our company fighting our policy requiring antivirus for Macs. Certainly antivirus can slow a system. And any software can have vulnerabilities. But this wasn’t about that. No this was actual honest to god responses from Apple support. My officemate wanted to know if this was official policy. So he asked for it in writing. That got him escalated to the next level where he was apologetically told it was not Apple’s policy that antivirus is not necessary.
I thought of this today as Graham Cluley tweeted links to a couple of video blogs from last year. Unicorns have been spotted, malware for the Mac does exist. Now to be fair these examples are largely social engineering. Just because it’s not a zero day doesn’t mean the system isn’t owned. Fake codecs and fake anti-malware aren’t the exclusive province of Microsoft operating systems.

 

iPhone (in)security in the enterprise

Just when you thought you’d successfully killed it off, it’s back. The email from management who is getting pressure from the C-levels asking why the iPhone isn’t supported. It comes in on schedule every two months.
“iPhone version 3.1 has solved all the security problems, right?”
Um, no.
“There is now a Wolfram Alpha app for the iPhone. This would really help our business development”
Are you serious?
Who can blame them? Apple and their willing co-conspirators in the tech media have been repeating the mantra, “iPhone 3GS is secure for the enterprise.” Secure or not, companies are adopting the iPhone, even to the point of allowing personal devices. Let’s summarize what we know and what we don’t know about the
Problem 1: Encryption
It is of critical importance to protect data privacy through encryption. iphoneinsecurity.com, a site dedicated to iPhone forensics, has posted video demonstrating the bypass of the iPhone 3GS encryption.
I suppose some would argue that the evil maid attack allows bypass of Full Disk Encryption on computers so I shouldn’t have my data there either. Of course using a smart card or bitlocker with TPM I could protect myself from this attack.
Problem 2: passcode bypass
The passcode on an iPhone is bypassable.
Problem 3: Lack of Central Config Management
Enterprises are used to controlling phone configuration centrally a la through a Blackberry Enterprise Server. iPhone configuration is sort of voluntary. TrustDigital would say they solve that issue. I need to talk with them (again) because I think they can enforce a configuration at the time the iPhone connects to the server, but I don’t think they have a permanent enforcement agent. Could be wrong.
Problem 4: patching
While patches can be pushed from the BES, iPhone users need to install each patch individually through iTunes.
Problem 5: iTunes
Speaking of iTunes, that isn’t exactly a corporate type product. What if we don’t want that on our computers? RIM has worked to make Blackberry work without installing any desktop software in a BES environment.
Problem 6: App Store
Whose account is used in iTunes? Do they use their personal account? In that case the end user really owns any applications purchased by the corporation on that account. When the employee terminates they would essentially walk out with the applications the company owns. If a corporate account is created then the opposite problem occurs.
Problem 7: Jailbroken phones
Jailbroken phones are susceptible to security problems. Besides the ikee worm, they allow unapproved applications to be run, bypassing Apple’s whitelisting security model. How can an enterprise prevent jailbroken phones from being used?
Problem 8: Repeaters
Like a lot of company headquarters, ours is like an unintentional Faraday Cage. We’ve had to put up repeaters for Verizon and Nextel. Are we supposed to pony up and install AT&T repeaters?
While the iPhone remains exceedingly popular, it still has Apple’s consumer mindset at the core. (sorry bad pun) At least at our company I don’t see it making headway until the encryption issue is solved. Then I’ll talk with TrustDigital again about their management solution.
update
The day I posted this I got emailed an announcement of Good Technology’s support for the iPhone. Good uses their own application and would keep the corporate email encrypted in that. However any other corporate data that made its way on to there wouldn’t be protected. In an era of cutbacks it’s hard to provide support for both Good and Blackberry.
Commenters have pointed out that the iPhone still does not support S/MIME or PGP. I had thought to check on that but it didn’t make the article. S/MIME support is mandatory for my company.

Apple Innovations

I usually skip over the Mac versus PC ads, but due to the hazards of watching football live I caught one today.
It was about the hardware innovations of the Mac. Kind of silly since last time I checked my hardware was from Dell not from Microsoft.
How about the Mac’s software innovations? Apple went all out with XProtect in Snow Leopard.
Here is Sophos’ writeup

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

XProtect is invoked.

Unfortunately, if variants of these threats find their way on to your system via an application that doesn’t set the com.apple.quarantine extended attribute, for example via:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc …)

Then you’re sort of out of luck.

- source: Sophos
But hey, you’re not missing that much anyway. This “feature” only scans for the hash of 2 Mac trojans according to ZDNet’s Zero Day blog.
Now that is innovation.
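
The gap Sophos describes can be measured on a given Mac by listing which files actually carry the com.apple.quarantine attribute. The sketch below is an added example, not code from Sophos or from this blog; it reads the attribute with the macOS `xattr` command-line tool, assumes the value has the layout `flags;hex-epoch-seconds;agent;event-id`, and uses constructed file names and attribute values as sample input.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def read_quarantine(path):
    """Return the raw attribute value, or None if the file is not tagged.

    Shells out to the macOS `xattr` tool, which exits non-zero when the
    attribute is absent.
    """
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, str(path)],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def parse_quarantine(value):
    """Split 'flags;hex_epoch;agent;event_id' (assumed layout) into a dict."""
    parts = value.split(";")
    parts += [""] * (4 - len(parts))          # tolerate short or malformed values
    flags, stamp, agent, event_id = parts[:4]
    try:
        when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        when = None                            # timestamp missing or not hex
    return {"flags": flags, "when": when,
            "agent": agent or None, "event_id": event_id or None}


def audit(paths, reader=read_quarantine):
    """Partition files into tagged (seen by the download-time check) and untagged."""
    tagged, untagged = {}, []
    for path in paths:
        raw = reader(path)
        if raw is None:
            untagged.append(str(path))
        else:
            tagged[str(path)] = parse_quarantine(raw)
    return tagged, untagged


# Constructed sample: file name -> attribute value (None = attribute not set,
# as for a file copied from a USB key in Finder).
SAMPLE = {
    "codec_installer.dmg": "0002;4ab8f2c0;Safari;",
    "video_plugin.pkg": None,
    "invoice.zip": "0002;4ab8f2c0;Mail;",
}


def demo():
    """Run the audit over the constructed sample instead of the real filesystem."""
    return audit(SAMPLE, reader=SAMPLE.get)


if __name__ == "__main__":
    tagged, untagged = demo()
    for name, info in tagged.items():
        print(f"tagged    {name}  via {info['agent']} at {info['when']}")
    for name in untagged:
        print(f"UNTAGGED  {name}  (never passed through the quarantine check)")
```

On a real system, call `audit()` with the paths under a downloads folder and the default reader; the untagged list is the set of files that arrived by a route that skipped the check.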