What Does the Consumerization of IT Mean to You? (An End-User Survey on Personal and Business Smartphone Trends)

More than ever before, smartphones are keeping us connected both personally and professionally. Because most of us have a preference as to the ideal smartphone, IT departments are increasingly being tasked with managing a mix of business-liable and employee-liable devices. This trend has become known as the consumerization of IT.

Symantec has developed a short survey to get smartphone end users’ perspectives on this trend. We’d also like to learn more about how your employer is managing the growing use of smartphones, especially those being purchased and brought into the organization by employees. The quick five minute survey can be found here: http://bit.ly/gsdgmX

Once you’ve taken the survey, please stay tuned to the original post that resides in the Security Community Blog. We’ll be sharing the results once the survey is complete.

Skype for Android leaks sensitive data

The Skype application for Android devices has been shown to insecurely store sensitive information. This information even includes private chat logs, phone numbers and addresses of your contacts. Read more…

What is being called a vulnerability in the Android version of Skype could simply be written up as sloppy coding at best, or disrespect for your privacy at worst.

Justin Case at Android Police did some poking around when he found a leaked beta version of Skype that will allow video conferencing on Android devices.

He discovered that just about all the information in your Skype profile, except for your credit card number and password, was stored insecurely by the application.

This allows any application on your phone to simply read or copy that information wherever it likes, without any special “root” access or other trickery.

Case thought that this must only be the case for this pre-release copy, but to his dismay it is configured the same way in the current production releases of the Skype for Android product (except the Verizon version).

Case created a proof-of-concept application to demonstrate the weakness in Skype’s security. His application can show you your name, address, account name, phone numbers and contacts (and their details) all without any special permissions.

Worse yet, information such as your instant messaging chat logs is fully available as well. His application doesn’t show those, but none of the Skype data stored on Android handsets appears to be encrypted.
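As an added example (not code from the article or from Skype), the check below audits the `ls -lR` listing of an app's private data directory, as taken from a test device or emulator, and reports files whose permission bits let any other installed app read or write them, which is the class of exposure described above. The package name `com.example.app` and the listing are constructed.

```python
"""Audit an Android `ls -lR` listing for app files readable by any other app.
Added example, not code from the article or from Skype; the package name and
listing are constructed to resemble the weakness the article describes."""
import re
from typing import Dict, List
# One `ls -l` row: mode, [link count], owner, group, [size], date, time, name.
# Android's toolbox ls omits the link count and prints no size for directories.
LS_ROW = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?:\d+\s+)?\S+\s+\S+\s+(?:\d+)?\s*"
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>.+)$"
)

def audit_listing(listing: str) -> List[Dict[str, str]]:
    """Return files whose 'other' permission bits grant read or write access.
    Assumes parent directories are traversable by other UIDs (the default for app
    data directories on Android of this era), so a world-readable file suffices."""
    findings: List[Dict[str, str]] = []
    current_dir = ""
    for line in (l.rstrip() for l in listing.splitlines() if l.strip()):
        if line.endswith(":"):          # `ls -lR` prints "dir:" before its entries
            current_dir = line[:-1]
            continue
        m = LS_ROW.match(line)
        if not m or m.group("mode")[0] == "d":
            continue                    # skip unparsable rows and directories
        mode = m.group("mode")
        other = mode[7:10]              # last rwx triple applies to every other UID
        issues = [lbl for bit, lbl in (("r", "world-readable"), ("w", "world-writable"))
                  if bit in other]
        if issues:
            findings.append({"path": f"{current_dir}/{m.group('name')}",
                             "mode": mode, "issue": ", ".join(issues)})
    return findings

# Constructed `adb shell ls -lR /data/data/com.example.app` output.
SAMPLE_LISTING = """\
/data/data/com.example.app:
drwxrwxr-x app_42 app_42 2011-04-15 10:02 files
drwxrwxr-x app_42 app_42 2011-04-15 10:02 shared_prefs

/data/data/com.example.app/files:
-rw-rw-rw- app_42 app_42 20480 2011-04-15 10:02 main.db
-rw------- app_42 app_42 128 2011-04-15 10:02 secret.key

/data/data/com.example.app/shared_prefs:
-rw-rw-r-- app_42 app_42 512 2011-04-15 10:02 config.xml
"""
if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f['mode']}  {f['issue']:<30} {f['path']}")
```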

Skype responded on Friday stating that they intend to fix the vulnerabilities as soon as possible, and that in the meantime Android users should be careful what applications they load on their phones.

How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn’t require special permissions.

I think the safest advice is simply to remove Skype from your Android until we can be satisfied that the problems have been resolved.

Controlling mobile devices is going to be a significant challenge for the next few years, and it isn’t just about malware. This type of situation makes one wonder about the Skype for iOS application.

It also makes you wonder whether it is safer in Apple’s App Store. Has Apple done a thorough enough check on their 100,000+ applications, including Skype, to know that data isn’t leaking here, there and everywhere?

Apple security fixes for SSL, Safari and iOS

Apple has released security updates for iOS, Safari and OS X covering several vulnerabilities, mostly web related. The most high profile update is the revocation of the fraudulently signed certificates issued by Comodo. Read more…

You know how they say “Better late than never”? That appears to be Apple’s approach to the Comodo SSL certificate scandal. Today they released OS X Security Update 2011-002, Safari 5.0.5 and iOS 4.3.2 (4.2.7 for Verizon).

Security Update 2011-002 is simply the certificate revocation for the certificates that were fraudulently signed by Comodo over 3 weeks ago. The steps I outlined for Apple users are still good practice though, so there is no need to revert the changes.

OS X 2011-002 update

Safari 5.0.5 applies to both Windows and OS X versions of Apple’s browser. The update contains two fixes; both flaws could cause arbitrary code execution or a crash when visiting a malicious website.

To apply these updates for OS X click the Apple icon in the menu bar and choose Software Update.

Users of OS X mini (better known as iOS) have an update available as well. iOS 4.3.2 (4.2.7 for Verizon customers) was released to iTunes today and fixes the same certificate trust issue as the update for OS X.

It also patches the browser for the same two flaws as the Safari 5.0.5 update, and fixes an arbitrary code execution risk in the QuickLook application. QuickLook is used for viewing Microsoft Office files on iDevices, and this flaw appears to be the one used by Charlie Miller at this year’s Pwn2Own contest.

iOS update 4.3.2

One fix applies to iOS 4.3.2 only: a bug in libxslt which, if exploited, could disclose memory addresses on the heap. What does this mean? Attackers need to know memory addresses to attack certain parts of iOS.

The latest versions of iOS use Address Space Layout Randomization, which ensures libraries are loaded at unpredictable locations in memory, making them more difficult to exploit. This flaw could enable attackers to discover these “secret” memory addresses.

To update your iPhone/iPad/iPod touch device connect it to your computer with iTunes, select the device on the left side and press the button “Check for updates”.

For the best security on your Macintosh download Sophos Anti-Virus for Mac Home Edition, there is no reason not to as it is absolutely free.