Perimeter
1/18/2012
08:48 PM
Don Bailey
Don Bailey
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

I Left My Data In El Segundo

Data is the new bit of lost clothing you left behind on that road trip -- and two-factor authentication VPN is the way to go mobile

If you know me, then you know that travel is a major part of my life. I live out of a suitcase for a third of the year, bouncing from conference to conference and city to city. People typically acquire quite a bit while traveling: memories, visa stamps, exotic bank notes, and sometimes a wicked bird flu. But at the end of the day, it's not about what you come home with -- it's what you leave behind. Unless you're Chris McNab or Nick DePetrillo rocking the penthouse suite, you're probably like me and think you're mainly leaving behind your hard-earned cash. But for all of us, we're leaving behind much more.

Data is the new lost piece of clothing. Instead of obsessing over a lost sweater, sock, or t-shirt, I feel like I'm constantly wondering what interesting trail of bits I've left behind me as I move. On the road, our smartphones constantly remind us that we're attached to more than just beaches and sunsets. They remind us with emails, calendar events, text messages, and a myriad of other attention-hogging tools that never let us forget just how important the smartphone is in our lives. Regardless, each status update, tweet, or ignored phone call is routed directly to us through a vast network that is complex, worldwide, and often less secure than we think.

As our packets traverse the global mobile network, we have to remember that others are indeed listening. While the romance of digital espionage was once fodder for television and movies, the modern-day reality is that it's everywhere. Government organizations want to enforce disabling encryption for security and safety reasons, kids and creeps poke at our browsers with Fire Sheep in cafes and airports, and even the occasional red-headed hacker crashes your phone's baseband out of boredom. Regardless of the means, motive, or likelihood of attack, the threat is real and there is a heck of a lot to lose.

Thankfully, we have options while traveling for both pleasure and work. And let's face it: There really is no longer a difference when you can take a conference call with a client at a Hindu shrine in Malaysia before prayer service. That's what makes technology so amazing! And with that amazing technology comes some simple steps that we can take to secure our important data and communications.

First of all, if you haven't checked out Duo Security or Google Auth, you need to. This is required reading, folks. Two-factor authentication is an absolute imperative. One of the most common vectors for network compromise in modern day is the virtual private network. The VPN allows access to all the enterprise's resources from thousands of miles away. Not only can someone listen in on my Malaysian conference call, but they could potentially steal my network login credentials and turn my vacation into a veritable information technology disaster. Two-factor authentication negates this attack vector by forcing the malicious party to crack more than a password. The attacker would also need your time-delimited token to successfully authenticate. Since mobile applications like Duo and Google Auth can be easily installed and run on the go, you always have easy access to your authentication credentials while minimizing potential impact of an attack.

Even if an attacker were to steal your phone, he would also need your password to log on, so even theft of the mobile device is a minimized threat to the enterprise.

What's even more imperative with new applications like these is that you no longer have to worry about a third party's compromise exposing your tokens. I think we all remember the lessons learned from a certain security giant's compromise in the recent past, don't we? We remember that time-based, one-time password algorithms are based on a seed, and that if the seed is compromised, your login token can be potentially derived and, of course, abused.

Well, with systems like Google Auth you manage your own seeds. While this means your enterprise must manage another piece of high security data, it's really the same as the enterprise managing passwords.

What's important is that first, as we saw with the RSA compromise, you might not get told right away when an important security resource you depend on has been breached. If you hold the seeds, however, you're no longer hoping that a black hole of security is telling you the truth. You have the ability to manage and monitor one of the most important pieces of personnel data you use, and if your enterprise security team is diligent, they are likely to detect a compromise, allowing you some time to react appropriately.

Second, a breach of a secure internal server housing critical VPN tokens is much more difficult to compromise if the attackers are likely to need those same VPN tokens in the first place. Two-factor auth? Just do it!

Most important? The next time you have to download an important document on your smartphone in a crowded airport in Mumbai, you'll feel far more comfortable knowing you've done so over a two-factor enabled VPN.

Especially since the brilliant guys that hang out at NullCon may be traveling to the same conference as you and are waiting at your flight's gate.

Don Bailey is director of research at iSEC Partners. Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
soapwax
50%
50%
soapwax,
User Rank: Apprentice
2/16/2012 | 10:16:05 AM
re: I Left My Data In El Segundo
Do you do anything to protect CC's or personal info? What about internet access when you're out of the states. Do you mainly rely on local wireless, or do you have mobile internet access / SIM cards?
BWILSON000
50%
50%
BWILSON000,
User Rank: Apprentice
1/25/2012 | 5:20:16 AM
re: I Left My Data In El Segundo
I second that! -áPeople should ALWAYS take advantage of two-factor authentication when it is available to them. -áAlthough the extra step may seem like a hassle to some, it is so worth it in the long run. -áAlso, some people may not be aware that it isnGÇÖt just VPNs or Google that offer two-factor authentication. Many businesses, sites and financial institutions are making it available as an affordable opt-in option for customers. (Disclosure - I work for Symantec, and we provide a cloud-based two-factor authentication solution called Symantec VIP - please don't hit me).
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.