
Ouch
I would hate to be on Helldesk in the morning after this occurred (although if it was used as an alarm it might be more balanced, as staff wake up realising their alarm didn't go off).
Mobile device management systems at insurance giant Aviva UK were last month hit by an attack – purportedly based on the Heartbleed exploit, although the firm denies this – that appeared to allow the perpetrator to royally screw with workers' iPhones. The insurance giant has played down the breach but El Reg's mole on the …
Tough balance for the PR hacks to get right. If they claim lots of damages they look bad, on the other hand if they pretend no harm was done it makes it harder to justify a serious sentence for the hacker, although I have no doubt they will discover some evidence showing huge damage should it go to court...
The claims of damage are reaching US levels of silliness.
Are they really claiming the data on these devices wasn't backed up elsewhere?
If that really is the case, then whoever specified the system (and penny pinched when an offline backup was suggested), should be given the bill.
Of course, this does explain why Insurers always find it incredible that you do sustain losses when you make claims, if they think 1000's of devices being reset had no cost.
Given they've got a bunch of iwhatever though, I'm not surprised. Surely everyone knows they're really just company paid for so everyone can have shiny toys to use at home?
"Surely everyone knows they're really just company paid for so everyone can have shiny toys to use at home?"
I wondered about that. The headline talks of BYOD, so was this company owned, or employee owned? If it was "real" BYOD, staff would have had their personal devices wiped due to a company/supplier flaw, which gives a new excuse to those wanting to avoid the travails of BYOD: Sysadmins the world over now have the perfect response to berks wanting to use their own phone. Whereas before the response was "using your device will compromise company security", presumably the response now is "useless company security will compromise your device".
BYOD is just a ticking time bomb for Employers who now have to factor into employment contracts how they deal with personal claims for data loss and injury based on company actions or indeed the actions of their chosen partners as in this case.
BYOD is flawed simple as; it intro's more issues / challenges than it creates opportunities.
Unless you are self employed or contracting BYOD makes no sense whatsoever.......
That wiping every employees mobile phone after extracting all the data from it represented no financial loss to the company and no risk to customers.
Where did TFA say they extracted any data? The hacker just wiped, and they state no information was compromised. Of course, they could be lying or unaware, but you can't claim otherwise without proof or at least saying "possibly".
MobileIron claims that it offers a full management system for data on your mobile devices.
Unless they can prove that this hack was somehow able to post messages, send email and wipe the devices but somehow wasn't able to "fully manage" the data - you should assume that they slurped everything.
Comments like this show a readiness to post, and yet no understanding of what MobileIron, or other MDM solution, offer. MDM solutions can wipe devices, partially or fully, without the admin being able to see the data being removed. If I uninstall outlook from your PC, that doesn't mean I can read your email. MobileIron allows admins to see what apps are installed on a device, but not the data within those apps. Certain apps can be pushed/removed, but the data from them is not "extracted", it's just wiped. In this instance, it seems that the hacker used acquired admin credentials (MobileIron has LDAP integration, so it's also possible that these credentials had access to other systems).
The article makes it sound like MobileIron was compromised by the heartbleed vulnerability. MobileIron isn't vulnerable to this. However, like any system, if somebody logs in with administrator credentials, they are free to perform administrative tasks, which can include messages and wiping of devices. If they wanted to access corporate data, this isn't the way to see it. All they did was prevent mobile users from seeing theirs. However, if the credentials they used also had administrative privileges for mail/file servers, that's where their data could be at risk, and this risk is neither enhanced nor hindered by MobileIron or any other MDM being installed onsite. The story here is that admin credentials were compromised and used to wreak havoc. The system they accessed is almost irrelevant, and replacing their current MDM solution with another one simply shows that nobody seems to actually understand what happened. The replacement MDM solution will still require admin credentials, and anyone with those credentials will be able to do exactly the same.
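The point above, that anyone holding MDM admin credentials can message and wipe every enrolled device, is why a burst of destructive admin actions is worth alerting on from the audit trail. Added example, not MobileIron's or Aviva's code: the log format is constructed for illustration (real MDM audit formats differ), and it flags any admin account issuing more than a handful of wipe or broadcast actions inside a short window.

```python
"""Flag bursts of destructive MDM admin actions (wipe / broadcast message).
Added example; the audit-log format below is constructed, not a real vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, admin account, action, target.
SAMPLE_LOG = """\
2014-05-20T02:11:04Z admin=jdoe action=LOGIN src=203.0.113.5
2014-05-20T02:11:40Z admin=jdoe action=SEND_MESSAGE target=ALL
2014-05-20T02:12:01Z admin=jdoe action=WIPE target=dev-0001
2014-05-20T02:12:02Z admin=jdoe action=WIPE target=dev-0002
2014-05-20T02:12:02Z admin=jdoe action=WIPE target=dev-0003
2014-05-20T02:12:03Z admin=jdoe action=WIPE target=dev-0004
2014-05-20T09:30:15Z admin=asmith action=WIPE target=dev-0042
"""

LINE_RE = re.compile(r"^(\S+) admin=(\S+) action=(\S+)(?: target=(\S+))?")
DESTRUCTIVE = {"WIPE", "SEND_MESSAGE"}  # actions that hit end users directly


def parse(line):
    """Return (timestamp, admin, action, target) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bursts(log_text, max_actions=3, window=timedelta(minutes=5)):
    """Return {admin: peak_count} for admins whose destructive actions exceed
    max_actions within any sliding window of the given length."""
    per_admin = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] in DESTRUCTIVE:
            per_admin[rec[1]].append(rec[0])
    flagged = {}
    for admin, times in per_admin.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits the window length.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_actions:
                flagged[admin] = max(flagged.get(admin, 0), count)
    return flagged
```

A single routine wipe (asmith) stays quiet; the one account issuing a broadcast plus four wipes inside a minute is what gets reported.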
http://forums.theregister.co.uk/forum/3/2012/04/22/Drewc_Great_HR_mistakes_of_our_time_Aviva_fires_1300_by_email/
Disgruntled employee?
Bad security?
Sounds to me like someone was able to remote wipe all the devices and just did, but whether it was for the pure sadistic joy of it or some other reason, we may never know.
Well, it could be argued it is. If the staff all used BlackBerrys they would use the BlackBerry Services software that MobileIron imitates. Because Aviva want to save a few pounds and not issue their own handsets to their staff they decide to use this MobileIron thing instead, allowing BYOD harmony.
But I agree, it's not an iOS issue. I would also say it's not a MobileIron issue, it's a Heartbleed issue.
The article said it was Heartbleed, but offered no evidence whatever, only a "purported" connection together with conjecture and a somewhat misleading description of the Heartbleed vulnerability. The source linked,
http://www.postonline.co.uk/post/news/2349943/aviva-mobile-phones-hit-by-in-third-party-cyber-attack
does not mention Heartbleed. The only indication of a connection between this event and the Heartbleed OpenSSL vulnerability appears to be "hart bled" in the text message pictured. So it is entirely appropriate to question how the access was made and how any necessary credentials might have been obtained.
"It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway), ConnectedCloud, Anyware, and the MobileIron client. None of these product components are vulnerable. We also conducted a recent webinar reviewing this for our customers."
If I were MobileIron^H^H^H^HGlass, I would check again.
Imagine they had managed to get credentials, that would mean they were probably accessing other systems as well - however, since it is limited to MobileGlass, I guess their server was not patched OR MobileGlass is still vulnerable ....
This just shows that if you are an enterprise company with sensitive information, you can't afford to skimp on security. In light of this incident, they should probably consider BES 10 for their MDM solution, as it can manage iOS, Android and BB10 devices and has a very good reputation for security.
@Web99,
"This just shows that if you are an enterprise company with sensitive information, you can't afford to skimp on security."
Quite right. It also highlights that the company is incompetent when it comes to assessing risk to their own business. That is somewhat ironic given that they're an insurance company. What's the betting that they had bought the 'cheapest' solution...
What they should have been asking was, "Do I absolutely need BYOD for my business?". If the answer was 'yes' then they should then have considered how best to go about it given that they were then going to stake their entire business on it working properly.
"In light of this incident, they should probably consider BES 10 for their MDM solution, as it can manage IOS, Android and BB10 devices has a very good reputation for security"
The article says that this is exactly what they have done. BES10 seems to have a FIPS 140-2 rating for Android, BlackBerry and iPhone.
Aviva have just learned that those accreditations do actually mean something. They should have been looking for things like that to seek assurance that the 'bet-the-company' decision was well informed. Getting that decision wrong like they had done was putting their company in a very bad position. If it turns out that Aviva have suffered a data loss as well that might very well destroy their reputation and their whole business.
A managed BlackBerry handset (with BlackBerry Balance) is a very well set up system. The security doesn't get in the way of usability or the user's freedom to install their own apps, use Facebook, Twitter, etc. I suspect that the same level of integrated usability and convenience doesn't quite exist on BES10 managed iPhones or Androids.
"FIPS 140-2 rating"
1) What level
2) Where is the "cryptographic module"?
3) Amazingly, it is very often possible to hack around the cryptographic module.
those accreditations do actually mean something
SNORT. They mean that money was pushed to "consultants" to obtain an accreditation. Basically, a feature for people with lots of money, pointy hairs and a stamp fetish.
And then: OpenSSL is accredited!
Did I mention this? It used to be in the standard: "Deterministic Random Number Generators, Number 4: (Removed) Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)"
Yeah.
And from this presentation, we bring this pricelessness. Yep, ECDSA never worked in OpenSSL in the first place.
But wouldn't the FIPS validation have caught the fact that the OpenSSL implementation didn't work? Not only the original validation but many subsequent validations have successfully passed the algorithm tests ... several hundred times now. That's a lot of fail ... the FIPS 140-2 validation testing isn't very useful for catching real-world problems ("Flaw in Dual EC DRBG (no, not that one)", Steve Marquess)
Enough.
FIPS 140-2 refers to validation of cryptographic modules. Unauthorized use of creds has nothing to do with cryptography, although how the creds were obtained might.
For what it's worth, the OpenSSL FIPS object module (OpenSSL was mentioned in the article, but only in speculation) has been FIPS 140 validated for several years (most recently on 12/20/2013) at 140-2, when built, deployed, and used according to a precise recipe. When I last looked, it was the only cryptographic module validated in the form of source code. One may reasonably conclude that (1) validation of cryptographic functions does not guarantee there are no bugs; and (2) cryptography is a necessary part of overall security, but far from a sufficient one.
In all likelihood, insider threats, whether malicious or accidental, still are the most likely to become problems.
MobileIron's statement:
"It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway)............"
doesn't look so good up against:
"Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract."
I couldn't help but notice that MobileIron's website says:
"An accredited Cryptographic and Security (CST) laboratory has validated MobileIron’s use of FIPS 140-2 cryptographic libraries to be in full compliance with the Cryptographic Module Validation Program (CMVP)"
Yet it would appear that full FIPS 140-2 compliance requires a whole lot more than that.
So has MobileIron been caught using only partial FIPS compliance solely to gain the right to put the words "FIPS 140-2" and "compliant" on the same page on their website? Though I'm sure they wouldn't intentionally seek to create the impression that their product has somehow been sprinkled with the whole packet of FIPS fairy dust...
Aviva outsources email to a third party mobileiron service provider. Users (who are too stupid to realise BYOD means they are spending their own money on IT equipment that should be provided to do their jobs) install the MI client. The third party server o/s gets hacked probably due to poor perimeter controls. MobileIron service running on compromised server then accessible to remote hacker who issues the 'if you get this message wipe the device' message and since the MI client permits this, then all users personal devices are wiped of all apps and data.
I'll leave it as an exercise for the reader to list the lessons to be learnt here.
"There were no financial losses or repercussions." For Aviva this is true. It's their customers who will probably pay for any losses or 'repercussions'.
You suffer a loss, for example as a victim of a burglary, and the insurance company increase your premium so you pay the cost of your own claim. Just to rub financial salt into the emotional wound of being a victim.
The insurance company suffer a loss, for example as a result of a virtual burglary, and they will create an 'unavoidable' excuse to increase your premium.
As someone who administers MobileIron in my workplace, if they had the password to access the management console, they'd be able to send those messages and wipe the devices, but wouldn't be able to access corporate data. That interface merely administers registration etc for the devices.
Also, as MobileIron said, their infrastructure is not vulnerable to heartbleed because it doesn't use OpenSSL, so it's clearly a case of a password ending up in the wrong hands or a disgruntled employee, rather than a technical vulnerability. Not sure why they made the heart bleed reference in the messages sent out to everyone, but perhaps just to make it seem like they were more clever than they really were.
There are a few incorrect conclusions drawn here. Moving to BES will not solve anybody's issues. Neither will they be solved by moving to another MDM solution. In this instance, someone obtained administrator credentials, presumably by exploiting the Heartbleed vulnerability. Using the admin credentials, they then accessed the MobileIron server and sent messages and wiped devices.
Let's say for a second that BES had been in place. Hacker obtains admin credentials, and wipes devices. No difference. The problem is the leaking of admin credentials, which were not obtained through the MobileIron system, just used to access it. If the hacker had used the same credentials to delete/reset the mail server, would this article have been blaming Exchange? It seems that the company didn't patch servers for heartbleed, and got hacked. MobileIron was just a tool on the network that got used, but the failure to secure servers is actually the problem here, and replacing MobileIron will do nothing to resolve that.