The Dark Side of BYOD: Privacy, Personal Data Loss and Device Seizure

Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences. This post covers the things you always wanted to know about BYOD but were too afraid to ask.

Good News: Your company offers a BYOD program. You can finally stop carrying that boring corporate phone and use your own shiny new iPhone for work. Even better, you can now check your corporate email from home while streaming YouTube videos on your Galaxy tablet. Your company picks up part of the bill and even provides enterprise-grade help desk support to help you with your gadgets. It looks like an offer you can’t refuse.

Bad News: You joined your company’s BYOD program. One morning you wake up and reach for your iPad to check your email, but it doesn’t turn on. Your iPad is dead. Totally bricked. After a quick family investigation you realize that the little one tried to guess your password to play Angry Birds before you woke up. Too bad the security policy enforced by the corporate email account triggered your iPad’s self-destruction to protect sensitive corporate data from unauthorized access. Angrier than those famous birds? Wait until you realize that the device itself can be brought back to life and your corporate data restored, but that your pictures, videos and songs are gone. Forever. Note: the case above is based on a true story, my son’s name is Luca.

Mobility Management and Security. A Customer Panel. Part Two.

Learn from a panel of industry peers the solutions and the best practices that have turned consumer mobile technology into a competitive advantage for their companies.

This is Part Two of the post based on the panel that I moderated at the IDC mobileNext Forum 2011 in San Francisco. Click here for Part One.

Eric Erickson
VP Information Systems
Liberty First Credit Union

Bill Troyak
Team Leader End User Devices
Navistar

Jeff Jackson
Partner
Acumen Technologies

Going back to the three step approach to consumerization, the last step is to deploy new security and management tools to enable these new models. It’s not just about new platforms. Traditional System Management tools don’t really cut it anymore. I’d love to know more about your experience and your learning with regard to the necessary new infrastructure.

Eric: Well, being a financial institution, it’s critical for us to make sure our data is secure.


Mobility Management and Security. A Customer Panel.

Learn from a panel of industry peers the solutions and the best practices that have turned consumer mobile technology into a competitive advantage for their companies.

This post is based on the recording of the panel that I moderated at the IDC mobileNext Forum in December 2011 in San Francisco.

Eric Erickson
VP Information Systems
Liberty First Credit Union

Bill Troyak
Team Leader End User Devices
Navistar

Jeff Jackson
Partner
Acumen Technologies

I’d like to start by asking the panelists to briefly introduce themselves and the size and scope of their BYOD programs.

Eric: My name is Eric Erickson. I have been at Liberty First Credit Union for seven years as the VP of Information Systems and in the technology field for almost 25 years, 17 of those years with financial institutions. Our mission is to provide security for our members and provide our staff with the tools that they need to be able to work with the members to be able to get their accounts opened in a timely fashion or to get the documents that they need. We are looking to the mobile device to be able to move beyond our physical location so that we can go out to the community and work with the members where it’s convenient for them.


Consumerization 101 – Employee Privacy Vs. Corporate Liability

Three pitfalls your BYOD program can’t afford to ignore.


Mary D. joined MD&M Inc. in 2009. Being an Apple enthusiast, she was quite excited to learn that the company offered an innovative BYOD program that allows employees to use their own iPhone for work. As part of the new hire package, Mary signed the acceptable use policy and was granted access to corporate email on the go.

Mary started having performance problems in her second year, and her manager put her on notice. After six months, Mary was terminated. When her manager clicked the ‘terminate’ button within the company’s HR system, a series of automated tasks was initiated, including the remote wipe of all information on Mary’s iPhone.

As it turned out, Mary had been performing poorly because her son John was dying of cancer. Just a few weeks before Mary was terminated, her husband took a picture of her and his son using Mary’s iPhone. It was the last photo Mary had of her son, and MD&M Inc. unknowingly destroyed it. Mary sued the company for damages.

Just how much is the last photo of a mother and son worth? Attorneys and expert witnesses sought to answer that question. They arrived at $5 million.


MDM not the only avenue to BYOD security. But technology is simply not there yet.

My reply to Steven Song’s post on Cisco Security Blog

http://blogs.cisco.com/security/mdm-not-the-only-avenue-to-byod-security/

Yes. Mobile virtualization is the way to go. In an increasingly Consumerized IT world however, meeting end-user expectations in terms of convenience, cost and usability is even more important than addressing corporate IT professionals’ concerns about security and manageability. Despite a few remarkable attempts by VMware, Citrix and WISE, technology is simply not there yet.


Consumerization and Mobile Security

How to bypass the iPad password in 5 seconds

*** UPDATED AS OF 11/14/2011: I can confirm that Apple has fixed this security flaw in iOS 5.0.1 (9A405) ***

http://www.youtube.com/watch?v=ZPHDm88-HAc

Watch how to crack the iPad password in 5 seconds

The consumerization of IT is the single most influential technology trend of this decade. Companies are already well aware of it, as they wrestle with the growing influence of smartphones, tablets, Facebook, Twitter, Dropbox and on and on. While this growth does bring business value, too many companies make the mistake of trusting consumer technology with sensitive corporate data without deploying appropriate enterprise-grade infrastructure to secure and manage it. Consumer technology is sexy, convenient and easy to use. When it comes to security and data protection, however, consumer technology still has a long way to go. Security and data protection in fact remain top concerns among IT professionals – see The Consumerization Report 2011.


There is a bug in my Apple – Part 2

Intego announces first-ever iPhone malware scanner – really?

July 12, 2011 11:49 AM ET Gregg Keizer – COMPUTERWORLD

http://www.computerworld.com/s/article/9218339/Mac_security_firm_ships_first_ever_iPhone_malware_scanner

Follow up on my previous post on the new security flaw discovered in Apple’s iPhone and iPad – see https://bringyourownit.com/2011/07/07/oops-there-is-a-bug-in-my-apple/

With impeccable timing, this morning Intego announced the availability of the “first-ever iPhone malware scanner”. Sure enough, I went to the Apple Store and downloaded the VirusBarrier app onto my iPhone and iPad. My test drive impressions: the app still leaves the responsibility for checking attachments to the end user rather than enforcing it. It is quite clunky and may provide a false sense of security: if you tap the attachment and then release your finger a little too early, you’ll end up opening the attachment instead of scanning it(!) Probably safer – and cheaper – not to open PDF attachments in general. And as with any other consumer app, there is no centralized IT management whatsoever: no reporting and no policy enforcement. One more thing: Apple is supposedly working with Adobe to address this vulnerability and will provide an update soon. At that point this app may become simply useless … but I guess this is one of those situations where “something is better than nothing” …

A few comments from a couple of Trend Micro’s experts:

Mark Bloom, Director Product Marketing @ Trend Micro : “Usage or not, they [Intego] will get a lot of brand awareness out of this…..just for that value, it was worth the development effort.”

Patrick Wheeler, Sr Product Marketing Manager @ Trend Micro : “[… Apple iOS] antimalware matters, which puts us [Trend Micro] at an advantage over MDM-only vendors like MobileIron, Airwatch, and Symantec, and allows us to talk up the differentiation for our own antimalware we get from integration with SPN.”

Oops … there is a bug in my Apple!

The new security hole found in iPhones and iPads reminds us that no platform is immune to security threats and that there is in fact a need for mobile security software for Apple products.

http://online.wsj.com/article/SB10001424052702303365804576431541102701136.html

Not so secure after all

Here we go. As it turns out, Apple’s mobile operating system is not so secure after all. While it is a common perception that iPhones and iPads are so secure that they don’t even need antimalware software, the reality is that any piece of software is potentially defective and therefore vulnerable to attacks. And Apple is no exception, as shown by the recent discovery of a new security flaw affecting Apple’s best selling devices. Even worse, previously discovered security issues in iOS were limited to a minority of jail-broken devices, where end users deliberately patch the standard operating system to escape Apple’s suffocating control on device and apps – see my beer side chat on YouTube at http://www.youtube.com/watch?v=ZjbqI2V18sY.


One micro SIM for two Apples

How to share the AT&T iPhone 4 data plan with the new iPad 2 – legally.


After waiting patiently for almost three weeks, yesterday I finally received my shiny new iPad 2 GSM. Quite exciting stuff: stylish, light and as easy to use as my iPhone 4 but with a keyboard the size I can actually use. And of course a much larger display that allows for a real web experience – rather than tiny ad hoc apps tweaked for the small screen. You may wonder why I decided to get the unlocked GSM version – improperly marketed as “AT&T” in the U.S. – when I could tether my iPhone over Bluetooth to get 3G connectivity on the go. Well, the reason is quite simple. AT&T charges an additional $240 per year for the privilege of using your iPhone as a broadband modem. Note that the same charge doesn’t apply if you tether any other device – such as a Symbian or an Android smartphone. But in reality this is not quite about the money. I just feel bad to be asked (forced?) to pay twice for the same service. AT&T data plans are capped anyway. The fact that I use one device as the “pipe” to pour data into a different one doesn’t affect in any way AT&T network load or costs. And because the iPad is not subsidized, there is really no other logical explanation for AT&T’s pricing practice if not their de facto monopoly in the 3G/GSM market in the U.S. – T-Mobile, we miss you already.

Bombmaking and Cupcakes

When the “bad guys” are in fact the “good guys”


Friday, Jun 3, 2011 09:41 ET

Spies hack al-Qaida’s Inspire magazine: British intelligence agents replace bombmaking instructions with cupcake recipe

URL: http://bit.ly/l0wDzN – PAISLEY DODDS, Associated Press

I have always been fascinated by the fine line separating good and bad in cyber security. Admittedly we tend to see the security world in black and white. On one side we have the “bad guys” doing any sort of “bad things” such as planting malware or hacking websites. On the other we have the “good guys” trying to stop them from getting away with their wrongdoings. Well, as it turns out, sometimes the “bad guys” are in fact the “good guys” trying to stop the real bad guys from doing really bad things. Confused?

Case in point: British intelligence agents hack al-Qaida’s website and replace bombmaking instructions with a cupcake recipe. While it is not a surprise that intelligence organizations around the world use cybertools as part of their work, I always wondered how they maintain their leading edge, how they gain knowledge of zero-day vulnerabilities and, in the end, to what extent governments are in fact indirectly funding the cybercrime underworld. Knowledge of zero-day vulnerabilities is worth millions – if not tens of millions – in the black market. What kind of organizations do you think can afford to buy this expensive know-how? Intrigued by the topic? Speak your mind. Leave a comment.