SQLServerCentral Editorial

New Mobile Attack Vectors

,

Have you ever sent a password to anyone else through email or text? Perhaps a colleague trying to solve a problem on a system? Maybe to family or friends? I know I've had to send passwords (reluctantly) to my wife and kids at times. I hate doing that and usually change the password shortly thereafter. I think the idea of passwords lingering in email, or really any digital plaintext is a bad idea.

Note: It's easy for me to change passwords since I use Password Safe. I think everyone should use a Password Manager, as do others.

I ran across a piece this week that noted 10mm Android phones have malware that has rooted their operating system. For the most part this malware is designed to show ads and install apps. However, is it a reach to think that someone will use malware at some point to read text messages and email? After all, both of those functions are tightly built into iOS, Android, and Windows Phone at the OS level. If you've connected an account, it's possible that malware could access those applications.

From there, it's a short leap to being searching through messages for "password" and perhaps forwarding on information. While many databases aren't connected to the Internet, some are, and certainly others might be valuable enough credentials to sell. While security works well in layers, it's not perfect and determined hackers can likely crack some of those layers. Especially if you also have a VPN on your mobile device.

Mobile devices are becoming ubiquitous, for everyone. It's not just technical people that now have access to internal systems from mobile systems as everyone from low level marketing people to high level executives is becoming comfortable with accessing information regularly, from anywere, at any time. This means that our security is inherently weaker because we allow access.

There isn't a good solution to this, but certainly I think it behooves us to be very careful about what credentials we send in communications, as well as having ways to revoke access and issue new tokens. Education helps as well, but anyone can be taken in by some of the clever individuals out there intent on installing something on your device.

I also think that monitoring and regular audits of access is important, to ensure that when an unauthorized access takes place (and it likely will), that you can shut it down as quickly as possible. This security race is never going to be over, and we'll never prevent all attacks. However, we can learn to respond quickly.

Rate

You rated this post out of 5. Change rating

Share

Categories

Join the discussion and add your comment

Share

Rate

You rated this post out of 5. Change rating

Related content

SQLServerCentral Editorial

Mini-Me

Will the next version of Windows be a "Mini-Me" version of Vista? Who knows, and it's too early to tell, but apparently there's a mini-kernel version of Windows 7, the one after Vista, which fits into 25MB on disk. That's a touch lower than the 4GB that Vista takes up. Granted it's not a full […]

You rated this post out of 5. Change rating

2007-10-25

105 reads

SQLServerCentral Editorial

An Hour in Time

Daylight Savings time switches a little later this year. In fact it's November 4th this year, after having been in October for all of my life. In case you don't remember which way we move the clocks, here's a saying: Spring forward, fall back.

5 (1)

You rated this post out of 5. Change rating

2007-10-17

216 reads

SQLServerCentral Editorial

Software is Like Building a House

One of the really classic analogies in software is that it's like building a house. You have a foundation, multiple teams, lots of contractors that specialize in something, etc. And it's an analogy that's debated as to its relevance over and over. I won't go into the correctness of this analogy, but I wanted to comment on it.

You rated this post out of 5. Change rating

2012-10-08 (first published: )

331 reads