Security theater around mobile devices

by Volker Weber

I am always advocating a sensible approach to mobile security. You need the ability to lock a lost device, wipe it if you cannot retrieve it, and use a minimal barrier for unintended use, like the pattern Android provides or a short PIN. Something users will put up with, without trying to evade.

In those locked down environments, where security makes the device useless, people will find their way around you. Most often by forwarding their mail to their private account. Unencrypted, insecure, to completely open devices. I can't blame them, they need to get their work done. Plus, you have smart workers don't you? People who can solve problems without being told how to get it done.

Don't be a part of the problem.


Hear hear. Same for blocking of social sites too...

Stuart McIntyre, 2010-08-10

Have to disagree with you on this one.

- The email that you use at work is not your property. It is the proprietary information of the company you work for. It is their email.
- The device that you have connected to the work email, be it personal or company owned, is subject to the policy of that company. Again, it's the company's information on that device, not your information. You may use it to get your job done, but, if you want that device connected to the company infrastructure you have to play by the rules.
- If the company has a policy against forwarding mail, then there is a course of action that can be followed if the employee is caught.

I know it sound Draconian but companies are getting more and more security minded lately regarding the mobile gray area.

Andy Donaldson, 2010-08-10

Sorry to burst your bubble but I see this behaviour in the highest ranks. The kind of people that piss in your beer instead of the other way around.

Volker Weber, 2010-08-10

Luckily for us, they are the ones that set that and at least come to us first before doing things like that.

Andy Donaldson, 2010-08-10

I like my Droid a lot, but the security pattern is a joke. Unless you wipe your screen clean immediately after you unlock it, every time, then someone who gets hold of your phone stands a very good chance of being able to just tilt it until the light hits the screen at the right angle to make the patten stand out.

Richard Schwartz, 2010-08-10

I´ve heard about external staff of nuclear power plants re-routing alarm messages to their gmail account through some really inventive and ingenious measures.

I´ve heard about peoples bank account statements that were on their gmail available from search engines.

I would rather not be in the consultant´s skin if anything similar like this came to be leaked.

On the other hand, all of us may commit some stupid error, as the security concepts are still alien and seen as being in contrast to the "real work" - and I am not excluding myself from being utterly stupid sometimes. Yet, I have at least realized, that third parties might be more interested in my work or intellectual property or individual or entrusted data than I wold like.

Armin Roth, 2010-08-10

>> "In those locked down environments, where security makes the device useless, people will find their way around you."

Make that 'services' rather than 'devices', and it's even more accurate. It's not just devices being rendered useless by security theater, it's often much more widespread than that.

>> "Most often by forwarding their mail to their private account."

A bad example, in my opinion. Finding mail forwarding agents is trivial - 'tell amgr schedule' on a server. If a decent admin takes longer than a morning to throw together a quick script to find forwarding agents on their mail servers, then you should question how decent that admin actually is.

From that prototypical script, it becomes a quick game of cat and mouse that the mouse (user) will always lose. Finding the agents and disabling them overnight in a completely automated fashion isn't trivial, but it's not going to be the end of the world either. Depending on your environment size, the quick script run manually and acted upon each day may be fine - or a few day's development work will automate it totally.

From the "decent admin's" point of view, forwarding agents are a big risk to uptime. That doesn't mean that there aren't cases where a forwarding (or notification) agent isn't the correct solution, and should be allowed.

But once you've seen your first 50Gb+ mailbox that's been caused by a 20Mb+ attachment that was forwarded, then sent back as a delivery failure, then the failure notice was forwarded, which was then sent back as a delivery failure.... Well, these things take out servers within a matter of hours, and most admins will see one do so within their first two years of the job.

I empathise with the folks that want forwarding agents. I really do. I have to live under the same stupid security rules.

>> "Plus, you have smart workers don't you? People who can solve problems without being told how to get it done."

If your workers are smarter than your admins, and can defeat your admins in order to get this work done, then congratulations on employing smart workers. And commiserations on employing dumb admins.

If you are in this situation and care about system availability, then you need to start hiring smarter admins, or become very used to downtime.

Maybe you should retrain a couple of workers as admins?

Philip Storry, 2010-08-11

Andy and Philip, you are not part of the problem, people like you are the problem.

Sven Richert, 2010-08-11

@Sven. Sorry dude. We are not the problem. We are following guidelines put in place by our company to protect its data. Plain and simple. If the user cannot understand that, sorry about your luck. Corporate security is paramount. Period.

Andy Donaldson, 2010-08-12

Andy, security guidelines are not put in place by companies. People set those policies. If you are just following orders, you are not the core of the problem.

I did not think I needed to elaborate, but it looks like I need to. Let's make an example on how more drankonian guidelines lead to less security.

A person has to make a presentation, and he needs an update from the mothership. One of his team sends the presentation to his BlackBerry. There is a policy on the BlackBerry which does not allow him to use the USB port and the storage card. He is now faced with the problem how to move the file from the BlackBerry to the presentation computer. What would you do in this situation? Failure is not an option.

Most users I know would find this solution to work best: send the file to the mailbox of the person who owns the presentation computer. Smarter users send the file to their own mailbox, open that in a web browser and pull the file from there, hold the presentation, and later delete it from the presentation computer. They would also access their corporate mailbox from the presentation computer, but they are unlikely to be able to do that, since that is another security risk mitigated by the mandatory use of a VPN protected by a security token.

As I said, failure is not an option. The person is going to find a way. He is not going to say, I'm sorry, I am unable to hold this presentation because the guidelines put in place by our company ... unless, he is an administrator of course. ;-)

Imagine a person who carries two phones: one company issued, with all the bells and whistles that security policies provide. And another one with sensible measures. Which one are they going to use for the heavy lifting? The real problem is, that the "other" device most likely has no measures applied at all. And it would not be carried in the first place if the company device would not be so useless.

I am finding that most of the critical information I receive comes from private Google Mail accounts. If the company blocks Google logins, people use their own smartphones.

If you follow my train of thoughts you will find that more security theater leads to less security.

Volker Weber, 2010-08-12

Old archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.


Paypal vowe