Securing hand held computing devices

  1. Securing hand-held computing devices: The cyber-security challenge of the decade
     Jagadeesan R, Senior Consultant
  2. The hand-helds have arrived
     - The growth rate for the hand-held market (including smartphones and tablets) is leapfrogging the desktop/laptop market growth rate by some length
     - It is estimated that around 73.5 million iPhone OS devices (iPhones and iPod touches) had been sold globally till Jan 2010
     - Global iPad sales are projected by Piper Jaffray to reach 23.3 million units in 2011, up from an estimated 13 million in 2010
     - A large number of consumer and business applications are being made available for hand-helds
  3. The hand-helds have arrived
     - Deutsche Bank, Bank of America, Citi, JPMC, Standard Chartered and UBS are all running pilots with BlackBerry alternatives: iPhones/Android phones
     - Starbucks already has a mobile payment app for the iPhone
     - Union Bank of India is to introduce a mobile payments network including person-to-person payments
     - ICICI Bank-Vodafone, SBI-Airtel and Yes Bank-Nokia have launched mobile payments initiatives
     - Barclaycard, Orange and T-Mobile are set to launch the UK's first commercial contactless mobile phone payments system this year
  4. But hand-held security hasn't!
     - With the exception of the tightly controlled BlackBerry platform, powerful handhelds are a recent entrant into Corporate IT
     - The handheld market resembles the PC market of the mid-1980s to the early 90s
       - Poor awareness of most security threats
       - Dynamic market with keen competition between several players and platforms
       - Very rapid growth: "Get it out to the retailer" mind-set
       - Highly driven by retail consumer adoption
  5. Typical vulnerabilities seen so far
     - Malware
       - Zeus mobile trojan intercepts one-time banking passwords sent by certain banks by SMS; affects Symbian and BlackBerry devices
       - Geinimi trojan for Android can allow infected phones to be controlled by a remote server, and tracks geo-location and unique device IDs
     - Backdoors
       - Android vulnerability allows a malicious website to read files from the SD card
  6. Typical vulnerabilities encountered
     - User information trails in phone memory from poor design
       - Mobile financial applications (Android, iPhone) from USAA and Wells Fargo were found to insecurely store account numbers and balances in phone memory (subsequently fixed)
     - Cross-site scripting
       - A cross-site scripting bug in the Android Market allowed anyone to silently install a malicious app on the user's Android phone (when the user clicks on a link while browsing the Market on a desktop) (later patched)
  7. Typical vulnerabilities encountered
     - Signal interception
       - Bluetooth hacks can help make calls on a hacked phone, read/send SMS, access contact lists, tap phones, divert incoming calls, surf the web
       - Rogue base stations can be used to tap phones
     - Poor privacy controls
       - There is a suit filed in court alleging that Apple and other app creators have been passing along users' personal information by tracking unique device IDs/geo-location without getting prior consent
  8. Mobile device platforms - How do they compare?
     - For BlackBerry, Apple and Windows Phone platforms, apps have to pass review before being made available for download; this blunts some of the attack points
     - Android allows apps to be distributed through websites directly on the Market; this opens up more attack points for malware bundled into apps to exploit vulnerabilities
       - Google recently applied a master kill-switch (for the first time) to clean up more than 50 virus-infected apps from individual Android phones
  9. Mobile device platforms - How do they compare?
     - Google is taking the tack that more openness will lead to a more dynamic and secure Android platform in the long run
     - However, currently there are broken links in the software update chain (unlike the desktop market)
     - Here, there is a dependency on telecom carriers, which typically do not push OS patches fast enough on to smartphones
       - There will be a significant amount of pain in stabilizing Android as a secure platform
  10. Prominent mobile security-related products in the market
     - Authentication
       - RSA SecurID 2.2 for Symbian OS and UIQ
     - Encryption and authentication
       - Check Point's Pointsec
     - Comprehensive cloud-scanned web-security
       - Zscaler mobile
     - Data-loss Prevention
       - WebSense Mobile DLP
  11. Prominent mobile security-related products in the market
     - Anti-virus
       - NetQin Mobile Anti-virus
       - CA's eTrust anti-virus software for Palm, Windows Mobile
     - Anti-virus and Anti-theft
       - McAfee WaveSecure + VirusScan: remote lock, GPS tracking, remote wipe, malware scanning
  12. Prominent mobile security-related products in the market
     - Anti-virus and Anti-theft
       - Kaspersky Mobile Security 9
         - Mobile filtering
         - Anti-theft features (use of the phone's GPS to track location, remote data-wipe/block/lock, SIM Watch); SMS find shows the missing device's location on Google Maps using GPS data
         - Encryption, Parental controls
         - Anti-virus, Firewall, Privacy protection
         - Supports Symbian OS 9.1 and higher, Windows Mobile 5.0 to 6.5, BlackBerry 4.5 to 6.0 and Android 1.6 to 2.2
  13. In summary…
     - BlackBerry continues to be the most secure platform for Corporate IT, followed by the iPhone/iPad
     - Android is likely to catch up in the long term with its open philosophy; not at the top for security in the short term though. Timely pushing of patches to devices is a major concern.
     - Windows Phone is a clear laggard even with an early start and a recent deal with Nokia
     - Very sophisticated security applications are becoming available in the marketplace
     - An extraordinary range of powerful functionality is available on these handhelds -> More power for mischief in the age of "Information anywhere"
  14. Citations
     - http://gigaom.com/apple/ipod-touch-now-outselling-iphone/
     - http://www.mobile-tech-today.com/story.xhtml?story_title=Apple_May_Boost_iPad_Production_To_6M_Per_Month&story_id=10100CJ4GFWG
     - http://www.finextra.com/News/fullstory.aspx?newsitemid=22199
     - http://www.finextra.com/community/fullblog.aspx?ID=4933
     - http://www.finextra.com/News/Fullstory.aspx?newsitemid=22207
  15. Citations
     - http://www.finextra.com/News/fullstory.aspx?newsitemid=21982
     - http://spotlight.getnetwise.org/wireless/wirelessguide.pdf
     - http://www.ameinfo.com/56628.html
     - http://www.eweek.com/c/a/Security/From-Android-to-the-iPhone-Security-Vendors-Target-Mobile-Devices-198446/
     - http://www.eweek.com/c/a/Security/Kaspersky-Adds-Android-BlackBerry-OS-Support-to-Mobile-Security-Suite-200955/
  16. Citations
     - http://www.eweek.com/c/a/Security/Zeus-Trojan-Mobile-Variant-Intercepts-SMS-Passcodes-from-Bank-Sites-480154/
     - http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
     - http://www.netqin.com/en/security/newsinfo_3897_2.html
     - http://www.gizmag.com/researcher-demonstrates-vulnerabilities-of-mobile-phones/17366/
     - http://www.veracode.com/images/pdf/the-challenges-of-developing-secure-mobile-applications1.pdf
  17. Citations
     - http://viaforensics.com/appwatchdog/viaforensics-uncovers-vulnerabilities-smart-phone-financial-applications.html
     - http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
