Last Updated: 2012-09-17 15:46:06 UTC
by Rob VandenBrink (Version: 1)
In a recent story (see the bottom of this article), there's been some discussion about a prominent NMS (Network Management System) with an iPad interface that uses a simple-to-duplicate algorithm for its password.
Do we care? Isn't the resulting password more secure than most passwords we ourselves would have picked? Not so much if it's simple to derive, but in my opinion, the real story here is that we are trusting our mobile devices and apps way more than we should. We buy low cost or free simple apps to do things that really matter, without doing our homework on security. In this case, the app uses cleartext authentication over XMPP (the Jabber protocol) to remotely access and control the NMS. The "password math" doesn't help either. The NMS in turn has access to the full device configurations, as well as the ability to send email directly to network admins (great spearphishing target!), and most importantly, in many cases has admin access to all the network routers, switches, firewalls and even servers.
People just as blithely (blindly?) use tablets and phones to access their bank accounts and control their cars (what could go wrong with that?)
In the case of an NMS I can certainly see the attraction: now that tablet screens are just as good as many laptops, running your NMS from a tablet can be much easier than from a traditional laptop - especially if you're not at work.
I gotta admit that it still bothers me when I see the bank ads on TV, encouraging people to access their bank accounts using their phone (you know, the one without a screensaver or keyboard lock) - so that their bank account is even *less* protected when the phone is stolen.
Mind you, some folks would likely be more upset if their social media accounts could be accessed this way ... umm, wait a second! A favourite high school prank is to steal a phone from your classmate for 10 minutes to put a bogus (and embarrassing) Facebook or Twitter post up.
When did we stop using VPNs - the classic solution to encapsulating and encrypting sensitive traffic? The VPN that encrypts the data, the destination IP address, and the authentication?
My worry here isn't really that the datastream could be MITM'd to steal credentials or hijack sessions, though that's certainly possible in this case. The worry should really be that if your phone or tablet is stolen, big parts of our modern life go with it - bank accounts, Facebook and Twitter, eBay, your car keys. And in this case, control of your network. If all we protect this stuff with is a simple keyboard password (my 11 yr old shoulder surfed mine - https://isc.sans.edu/diary.html?storyid=13084), then if your phone is lost, all is lost - you BETTER have a remote wipe function ready to go!