Information Security Today Home

New Books

Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program by Sean Lyons; ISBN 9781498742283
Introduction to Certificateless Cryptography by Hu Xiong, Zhen Qin, and Athanasios V. Vasilakos; ISBN 9781482248609
Network and Data Security for Non-Engineers by Frank M. Groom, Kevin Groom, and Stephan S. Jones; ISBN 9781498767866
Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval, Second Edition by David R. Matthews; ISBN 9781498739580
Enterprise Level Security: Securing Information Systems in an Uncertain World by William R. Simpson; ISBN 9781498764452
Information Security Policies, Procedures, and Standards: A Practitioner's Reference by Douglas J. Landoll; ISBN 9781482245899

Pokémon Infiltrates the Business Network

Michael Patterson, CEO of Plixer

Many players of Pokémon Go are still recovering from learning about how the game can get full access to their Google account, which includes Gmail, Google Drive, Google Maps, Google Photos, and other Google features. Regardless of whether or not the game is reading or sending emails from their accounts, people want to play it and they are downloading it by the millions. Many don't care about what the game has access to on their phones. The phone still works, the game is fun and they are happy.

On July 25, Sensor Tower announced that the game had been downloaded 75 million times since it was released 19 days earlier in the month. Although Niantic, the makers of Pokémon Go, are probably not trying to hiack our email accounts or sell our browsing history, some game makers could. What's frightening is the willingness of users who install the game without reading or possibly even caring about the personal information they could be sharing. This should be a concern to someone. Think about all of the permissions to personal data that gamers are giving to any number of games being installed on their mobile devices: Candy Crush, Angry Birds, Facebook, Snapchat, Instagram, Twitter, Farm Heroes, Slither.io, CSR Racing 2, Stack, etc. It is effectively impossible to investigate them all.

Apathetic Users
Many people, especially the younger population are becoming apathetic about whether or not they become a victim of data theft. As long as the phone keeps working and the game is fun to play, many won't care if their contacts are being taken or if their browser history is being downloaded. Perhaps the argument is that it's a compromise for being able to play the game. In truth, many users simply don't care if they start receiving ads based on their browser history but, there is a potential bigger problem.

Millions of employee mobile phones are owned by their employers. For this reason, some security professionals argue that letting employees install whatever they want on their mobile devices could be putting the company's internal resources and network security at risk. Employees often email one another using the corporate mobile device and this information could be collected by an unbeknownst behavior of an application. Once it the hands of the game maker, it can be sold with user consent! Does this strategy sound familiar?

The Art of Distraction
Think about how porn sites are sometimes used to infect users with malware. Or how massive DDoS attacks are sometimes used to distract security teams from a smaller targeted malware infiltration attempt. The idea of capturing user information in exchange for playing a free came could be all part of a bigger distraction plan. What's scary is that the user agreed to the end-user license agreement or terms and conditions. Effectively, they have given them permission to take what they want.

Ideally, installing unapproved apps would not be allowed on corporate owned mobile devices. However, this strategy might fail as users could stop using the company owned phone and pick up their own personal device. Then, they could go back to having one device for personal use (e.g., gaming) and for work related activities (e.g., email).

Finding Pokémon Go
Fortunately, if companies want to stop these applications from working, identifying games such as Pokémon Go on the corporate network is pretty easy. Here are a few strategies:

  • Firewall: Most firewalls allow sites to be blocked however, with the rise in encrypted traffic and with content delivery networks such as Akamai; this strategy is becoming ineffective on some FW platforms.
  • Web Proxy: Companies that have implemented a secure web proxy for security purposes can easily identify and stop gaming traffic as long as it can perform SSL Deep Packet Inspection (DPI).
  • DNS: Perhaps the least expensive strategy to identify gaming traffic is to query the DNS log. Regardless of whether or not encryption is being used, it works great. If Akamai is involved that won’t be an issue either.

    For example, the game Pokémon Go reaches out to a Fully Qualified Domain Name (FQDN) of pgorelease.nianticlabs.com. This traffic can easily be redirected by maintaining a block list. The next traffic behavior to monitor for is low and slow uploads to the internet. This can help identify unaware machines that are feeding personal information to an Internet host. These are good reasons why monitoring end user behavior is key.

    It is tough to curb human behavior but, when it comes to installed mobile applications, we can usually identify their traffic patterns and stop them in their tracks.

    About the Author

    Michael Patterson, CEO of Plixer, worked in technical support and product training at Cabletron Systems while he finished his Masters in Computer Information Systems from Southern New Hampshire University. He joined Professional Services for a year before he left the ‘Tron’ in 1998 to start Somix, which eventually became Plixer.


 
Subscribe to
Information Security Today







Bookmark and Share


© Copyright 2008-2016 Auerbach Publications