Wednesday, July 6, 2011

Hardening iOS

Hi folks,

iOS is the operating system that powers iPhones, iPods and iPads. These things, along with Android powered devices, are clearly a critical part of the future of computing, and how we go about securing them is an emerging issue. We may be confident that the Bad Guys (tm), whether they be criminals or State-level cyber-warriors are looking hard at how to attack them. With that in mind, I was pleased to see this document, prepared by DSD, the Australian Defense Department Intelligence group, about how to harden these devices against attacks and probes.

It's 36 pages of very interesting reading (if you're a security geek), and definitely worth studying (if you're said security geek). If, however, you're either a simple consumer, or ADD, or both, the critical points seem to me to be these...

(1) When you travel overseas, you need to keep in mind that foreign ISPs and carriers may not provide the same levels of user rights that we often take for granted. Being blunt, foreign governments may well sniff your traffic, so be .... thoughtful... about what you say / type / tweet. (On the other hand, if you are of a mischievous bent, and your friend happens to be traveling in one of these countries, it could well provide much entertainment if you sprinkle seditious words like "revolution" and "protest" in your emails/ IM chats with him... but I digress)

(2) Keep in mind that "Smart Phones" tend to synch (in other words, mirror) lots of data that you might otherwise think was just on your desktop, and if you lose your phone, or it's stolen, you might well be off-network, and thus unable to send a remote-wipe command to it. What this means is that it's a pretty good idea to set a pin on the phone, and set it to automatically wipe itself after 10 failed attempts to guess the pin. A few hundred dollars gets you a new phone, but a lost bank account UID/PW might cost you much more.

(3) Be cautious about what apps you allow on your devices. How do we know what data these apps are transmitting, and how do we know who they are transmitting to? The answer is that we don't. A good rule of thumb is to consider how the app developers are getting a return on their development investment. It costs money, time and resources to build an app, and oddly, not many folks do it for free. If you can't see how they're getting a return, it might be a good idea to pass it by. If I can mix metaphors for a moment, there aren't a whole lot of free lunches on the Internet.

When I first started in anti-virus in 1987, there were only a few viruses... Brain, LeHigh, Jerusalem. By the end of the first year, there were only about twelve in total, and we would wonder each month if there would be any more. Today, every anti virus lab in the world gets about 300k samples every day, 25-30k of which are new and unique. Every day!

For a long while, we only had to worry about Dos, and then Windows viruses, but now we have ubiquitous Windows, plus Apple OSX malware, and a fast-growing Android malware problem. iOS is still fairly safe, but history shows that any platform that has the characteristics of being both widely adopted, and cheap and easy to develop on, becomes a target.

Apple does their best to keep it all safe, but it's in our interests to employ whatever hardening steps we can now. Special thanks and shout-outs to Australia DSD for a fine document.

Keep safe folks.

No comments: