Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
1. Are our mobile devices too ‘smart’ for their own good?
MOBILE SECURITY FOR
SMARTPHONES AND TABLETS
2. One Ring to Rule Them All
• Smartphones and Tablets are the most
intimate pieces of IT that we've ever had:
– Personal digital assistant, High resolution cameras
– GPS navigation, Wi-Fi, Enhanced web browsers
– Apps to do almost anything
• Users (from healthcare, police, military)
store/manage personal data & sensitive info
– View slides at http://www.slideshare.net/vcv1
One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the
darkness bind them. J. R. R. Tolkien
3. Mobile (via @LukeW)
• Think Mobile First
• 3 Trends in Mobile Devices
– Processing Power
– Network Access
– Data in the Cloud
• 1.4 Million devices are activated each day
4. BYOD
• Bring Your Own Disk
• Bathe Your Own Dog
• Be Your Own Detective
• Bring Your Own Dessert
• Bring Your Own Deck (a.k.a John Dorner)
• Bring Your Own Drink
• Bring Your Own Disaster
5. Bring Your Own Device
“Consumerization of IT” refers to employees
who bring their own computing devices, such
as laptops, smartphones, and tablets, to
the workplace for use, using a corporate
network for connectivity
7. Forrsights Workforce Employee Survey
• Q4 2011, asked 9,900 information workers in
17 countries about devices they use, personal
devices they use for work purposes 1
• The typical information worker manages their
information from more than one device
• Interested in work systems and personal cloud
services that enable easy multidevice
access, such as
Dropbox, Box, SugarSync, Google
Docs/Apps, Windows Live, and Apple iCloud
12. Forrsights Workforce Employee Survey
• Shipping PCs still > 90% Win OS
• Share of PCs in companies is even higher
• Info workers, not IT, are voting with
$$$; Microsoft is down to about two-thirds of
the devices they use to get work done
• Report concludes that
– “mobile devices will become majority of devices
used for work, surpassing PCs” and “Windows’
device share will fall below 50 % by 2016.”
13. Security Quotes
“Against the growing, unstoppable
backdrop of consumerisation and
BYOD [bring your own device], every
mobile device is a risk to business.”
Raimund Genes, Trend Micro CTO 2
14. Security Quotes
“Security becomes a critical requirement
(in mobile banking) and all parties
involved in a financial transaction need
to consider security. Mobility and
freedom to transact anywhere, anytime
is no longer negotiable - it is the nature
of the lives we live today.”
Schalk Nolte, Entersekt 3
15. Security Quotes
“I'm sure you've seen this scenario.
Halfway through [a] flight, a user
switches from super-critical pieces of
corporate work to checking out the app
they downloaded while waiting in the
airport terminal.”
Cameron Camp, ESET 4
16. Security Quotes
“Today what we’re seeing are malicious Android
applications that have bundled legitimate apps such
as Rovio ’s Angry Birds Space. First the malicious
“wrapper” tricks and manipulates the user into
granting permissions that allow the malware to
subscribe to premium rate services. But then… the
malware actually does install a working copy of the
promised game. At this point, there is little to be
suspicious of and nothing to troubleshoot. The user
gets the game that he was promised.”
Sean Sullivan F-Secure Labs 5
17. MDM vs. Mobile Security
• What is Mobile Device Management (MDM)?
• By controlling and protecting the data and
configuration settings for all mobile devices in
the network, MDM can greatly reduce support
costs and business risks. Gartner Aug 2011
• Software allows you to:
– Remote lock/wipe, Password enforcement
– Remote Configuration and Provisioning
– Logging and Reporting, Decommissioning
18. Why Do Criminals Want Access?
• Smartphones are the new credit cards!
– This is where our "wallets" are
– This is where our information is
• Criminals will take any info for Identity Theft
• They can sell it (make money) on online forums
• Targeted emails designed to be read on
Smartphones/Tablets are just a matter of time
19. Security and Data Protection
• Focus Four
– Apple iOS
– Blackberry
– Google Android
– MS Windows Phone 7
• Discussion will be smartphone-focused but
will cover tablets at the end
21. Which BYOD is most secure?
Answer:
1. Blackberry
2. iPhone and Windows Phone 7.x
3. Android
That said, if you have a poorly educated user, they can
download a malicious app on any Smartphone or
Tablet and it can be compromised!
22. Which BYOD is least secure?
Answer:
1. Android
2. iPhone and Windows Phone 7.x
3. Blackberry
That said, this can change quickly. A
vulnerability on the iPhone could be quickly
exploited by attackers
23. Blackberry
• Long history of being Enterprise Ready
• RIM's upcoming BlackBerry 10 (B10) OS is
intended to be even more secure
• BB10 security will have multiple integrated
layers, with tight relationship between
hardware and software
• There will be a permissions-based security
model for apps, coupled with various OS-
level security and safety features
24. B10 New Protections
• Blocking root access, which enables a user or
hacker to gain administrative access to the OS
• Memory randomization, "scrambles" where in
memory routines may run, making it harder
for these to be leveraged by attackers
• Adding security management, including
auditing, to the kernel
Source: Network World “BlackBerry 10 OS will have multi-
layered security model” May 8, 2012
25. Apple iOS
• Will the growing popularity of iOS mean
criminals will target it?
• Apple doesn’t allow 3rd party companies to
develop antivirus software for iOS-based
devices, such as the iPhone and iPad
• Enterprise iPhone security issues and how to
address them (Dec 2011)
26. Apple iOS
• iOS threats are largely addressed by tweaking
native security settings
• VirusBarrier for iOS by Intego, $2.99
• “Flashback” Java Vulnerability Exploit
– 2 month delay for Apple’s Response
– 600,000 Mac users infected
• Can you jailbreak iOS? Yup!
– Absinthe 2.0 Untethered Jailbreak Released for
iOS 5.1.1 (May 25 2012)
27. Apple iOS
• Kaspersky CEO Eugene Kaspersky is very vocal
in his criticism of Apple
– Criminals “are happy with Windows computers.
Now they are happy with Mac. They are happy
with Android. It is much more difficult to infect
iOS but it is possible and when it happens it will
be the worst-case scenario because there will be
no protection. The Apple SDK won’t let us do it.” 7
– Eugene Kaspersky frustrated by Apple’s iOS AV
ban (May 22 2012)
28. Windows Phone 7 History 8,9
• Released in late 2010, 7 updates since then
– Microsoft shut down the Marketplace app store
for older Windows Mobile 6.x phone platform on
May 9, 2012
• Apps only from Windows Phone Marketplace
• Aimed at the Consumer market not Enterprise
• Smartphone OS market share 2011
– MS has only 1.9% market share
– IDC predicts a 20% share by 2015 (likely high)
29. Windows Phone 7 Platform Security
• Chambers concept to enforce app isolation
and least privilege: 4 chambers, apps run in the LPC
• The fourth chamber is capabilities-based
– Least Privileged Chamber (LPC)
• Three higher chambers have fixed permissions
– Standard Rights Chamber (SRC)
– Elevated Rights Chamber (ERC)
– Trusted Computing Base (TCB)
30. Windows Phone 7 App Security
• Capability checks are enforced at runtime
• Requests for other resources result in an
UnauthorizedAccessException
• Apps must have a valid MS signature to be
installed & run in LPC sandbox
• Apps use their own “Isolated Storage”
• WP7 allows developers to encrypt data and
databases
31. Windows Phone 7 - What’s Missing
• Lack of native disk encryption
• No support for client side SSL certificates
• Lack of built-in VPN functionality
– Source: Windows Phone 7 'not fit for big biz ...
unlike Android, iOS'
32. Windows Phone 7 Tips
• Only install apps from Marketplace. This
ensures that any app you install has been
digitally signed, which reduces your risk and
increases phone safety
• Windows Phone 7 includes a "Find My Phone"
feature that allows you to find a lost
phone, lock it remotely, and also wipe it
remotely
• Best-windows-phone-7-apps#security
33. Android
• Popularity makes Android a lucrative target for
malware authors
• New families and variants of malware keep
cropping up each quarter; the trend shows no sign
of slowing down
• In Q1 2012, malware authors were focusing on
improving their malware’s techniques for
evading detection, as well as exploring new
infection methods
34. F-SECURE Mobile Threat Report
• In Q1 2011, 10 new families and variants were
discovered; In Q1 2012, 37 new families and
variants were discovered
• Malicious Android application package files
(APKs) received in Q1 2011 and in Q1 2012
reveal a more staggering find: an increase
from 139 to 3063 counts.
F-SECURE Mobile Threat Report, Q4 2011 (.pdf)
36. That Said... Perspective
• Mobile malware numbers remain low -- about
1% or less of all malware globally
• Android threats now reach almost 7,000, with
more than 8,000 total mobile malware in our
database
• To put it in perspective, there are 83 million
malware samples in McAfee’s database
McAfee Threats Report for First Quarter of 2012 (.pdf)
37. Android – Reducing Risk
• Practice safe mobile computing: be vigilant
and avoid risky behavior
• Don’t install apps that are new to the market
– Yahoo’s Axis Browser Security Slip-Up (May 23 2012)
• Research apps before downloading: check the
publisher and app reviews, use the official
Android Market
• Avoid side-loading apps unless the software and
its developer are familiar to you.
38. Android – Reducing Risk
• Turn off the ability to install apps from
unknown sources by going to Settings and
then to the Security menu (in Android 4.0 or
later) or the Applications menu (in earlier
versions of Android)
• When installing an app, pay close attention to
the permissions it requires; use your phone’s
app-management tools to make sure it’s using
only the resources it promised to use
39. Android – Reducing Risk
• Be wary of phishing scams and malware via
the Web browser or SMS messages
• Be cautious if you root a device; keep an eye
out for Superuser prompts displayed when an
app requests root permissions
• Rooting allows you to use some powerful apps
and even enhanced security functionality, but
at the same time increases potential damage
from infections
40. Android – Reducing Risk
• Install an antivirus/security app
• Block or disable ability to send premium SMS
subscriptions (prevent malware from sending
messages that will automatically charge your
account)
– AT&T (Manage Mobile Purchases & Downloads)
– Verizon FAQ
– More from c|net
41. Android – Mobile Security Apps
• PC Mag Review (May 24 2012)
• Apps reviewed on 5 Stars
– Bitdefender Mobile Security
– F-Secure Mobile Security 7.6
– Lookout for Android
– McAfee Mobile Security 2.0
– TrustGo Antivirus and Mobile Security 1.0.6
– ESET Mobile Security 1.1
42. Infographic: Grand Theft Mobile
Source: http://blog.mylookout.com/blog/2012/05/04/infographic-grand-theft-mobile/
52. Security Checklist
• Attevo is a global business and information
technology consulting firm based in
Cleveland, OH
• Here is their 13-point checklist for addressing
mobile technology threats 10
• Keep in mind the state of security around Windows
laptops in the mid to late 1990s
53. Security Checklist
1. Where is My Device Again?
Always maintain physical control over your smartphone to
prevent outright theft, unauthorized usage or the
installation of malware (apps with malicious code) by
seemingly mild-mannered co-workers or by ruthless digital
predators; treat a smartphone like a wallet, never leave it
unattended in public spaces.
vcv_note: @LukeW listed Near Field Communication
(NFC) as a positive; it is, I guess
54. Security Checklist
2. Yes, You Need to Use a Passcode
Enable the smartphone's password/passcode
protection; a recent study reveals that only 38% of
smartphone users enable this security feature.
vcv_note: SIM-locks can be by-passed, but
BlackBerrys 'a challenge' (May 17, 2012)
Tip: Open Excel. In cell A1, enter =RAND() and press
Enter. Fill Down to A10. Pick 5 random codes.
55. Security Checklist
3. You Still Need to Do Updates
Install operating system updates whenever they
become available to reduce the number of system
vulnerabilities; a 2011 report indicated that 90% of
Android users were running outdated operating
system versions with serious security vulnerabilities.
vcv_note: Reinforce basics with your staff
56. Security Checklist
4. Use a Security App
Install an anti-malware protection app (if available
for the device) to thwart infection from malicious
apps and websites; all major platforms have been
hacked and are susceptible.
vcv_note: Free apps are good (better than
nothing), but paid apps give more features. Go
ahead and spend 4.99 or 9.99
57. Security Checklist
5. Be Careful Where You Browse
When using the smartphone's or tablet’s web
browser, avoid suspicious/questionable websites
that can be the source of malicious code.
vcv_note: Few security apps are available for
iOS, but you can find secure Web browsers that
offer extra features to lower the risk of stumbling upon
a malicious website, ex: Webroot SecureWeb
Browser
58. Security Checklist
6. Download/Install with Care & Caution
Be selective when buying or installing apps; wait for
app reviews, download only from trusted sources
(known app stores) and be cautious/suspicious of
free apps, because they are free for a reason (the
reason could be access to your data).
vcv_note: Google Android Market, Windows Phone Marketplace, RIM
BlackBerry App World and Appstore for Android all disclose the
permissions of apps. Apple iTunes App Store doesn’t (Apple vets apps)
59. Security Checklist
7. Review What You “Agree To”
Understand and control each downloaded app's
"access" to smartphone data and personal
information; game apps do not need access to
phonebook contacts, photos, e-mails, location,
browsing history, texting history and
other phone features (avoid allowing automatic app
updates).
vcv_note: Double check, then go back AGAIN
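As an added example (not code from the deck), here is the "review what you agree to" advice and the earlier premium-SMS warning turned into a small triage script: it reads the permissions an Android app declares in its manifest and flags the risky ones that do not fit what the app claims to be. The manifest is a constructed sample for a hypothetical game, the permission strings are real Android permission names, and the per-category expectations are this example's own assumption.

```python
"""Triage of the permissions an Android app declares in its manifest.

Added example, not from the slide deck. SAMPLE_MANIFEST is a constructed
sample for a hypothetical puzzle game; EXPECTED is an assumption about what
each kind of app plausibly needs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a puzzle game that asks for far more than a game needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

# Permissions that can cost the user money or expose personal data, with the
# concern the checklist raises for each.
RISKY = {
    "android.permission.SEND_SMS": "can subscribe you to premium-rate SMS services",
    "android.permission.RECEIVE_SMS": "can read incoming text messages",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.READ_CONTACTS": "can read the phonebook",
    "android.permission.READ_CALL_LOG": "can read call history",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
}

# What each kind of app plausibly needs (assumption of this example). A risky
# permission that is not expected for the app's category gets flagged.
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml):
    """Return the permission names from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # Clark notation for android:name
    return [el.attrib[name_attr] for el in root.iter("uses-permission")
            if name_attr in el.attrib]


def flag_permissions(manifest_xml, category):
    """Return (permission, concern) pairs that do not fit the app category."""
    allowed = EXPECTED.get(category, set())
    return [(perm, RISKY[perm]) for perm in declared_permissions(manifest_xml)
            if perm in RISKY and perm not in allowed]


if __name__ == "__main__":
    for perm, why in flag_permissions(SAMPLE_MANIFEST, "game"):
        print(f"{perm}: {why}")
```

The same declared list is what the Android Market permission screen shows before install; the script only makes the "does a game need this?" question explicit.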
60. Security Checklist
8. Credentials Management
Do not save passwords, PINs or other account
information as Contacts or in Notes.
vcv_note: In other words, don’t put your password
on a sticky and attach it to the tablet
61. Security Checklist
9. Wild Wild Free Wi-Fi
Avoid using open Wi-Fi, especially for shopping and
banking activities; Wi-Fi sniffing is a common
occurrence that can have significant consequences
like lost credit card numbers.
vcv_note: Do not, I repeat, DO NOT do this at all
62. Security Checklist
10. Phishing is More Than Nigerian Spam
Avoid opening suspicious e-mail or SMS text
messages, especially from unknown sources.
Unwary readers may be unwittingly tricked by
phishing into entering sensitive information into
online prompts.
vcv_note: If you are not certain, email your IT
Specialist and ask, ;-)
63. Security Checklist
11. Shields Up! Go to Red Alert!
Turn the Bluetooth access feature off when not
needed and avoid Bluetooth use in busy public
areas.
vcv_note: Commander Riker Audio
64. Security Checklist
12. PIN Use “Good”; PIN Default “Bad”
Utilize a PIN to access voice-mail and avoid using
the carrier's default PIN setting.
vcv_note: Beyond the default...
Top ten iPhone passcodes:
[1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998] 11
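As an added example (not from the deck) tying checklist item 2's passcode tip to the top-ten list above: a checker that rejects those ten passcodes plus a few obvious patterns, and a generator that draws from the OS CSPRNG through Python's secrets module instead of a spreadsheet RAND(). The pattern rules beyond the quoted top-ten list are this example's own assumptions.

```python
"""Weak-passcode check for 4-digit PINs, plus a generator that avoids them.

Added example, not from the slide deck. WEAK_TOP_TEN is the top-ten list
quoted on the slide; the other rules (repeats, runs, pairs, years) are
assumptions of this example.
"""
import secrets

# The ten most common iPhone passcodes quoted on the slide.
WEAK_TOP_TEN = {"1234", "0000", "2580", "1111", "5555",
                "5683", "0852", "2222", "1212", "1998"}


def is_run(pin):
    """True for ascending or descending runs such as 3456 or 9876."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def weak_reasons(pin):
    """Return the reasons a PIN is weak; an empty list means it passes."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    reasons = []
    if pin in WEAK_TOP_TEN:
        reasons.append("in the top-ten list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_run(pin):
        reasons.append("ascending or descending run")
    if pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    if 1900 <= int(pin) <= 2030:  # assumption: years are easy to guess
        reasons.append("looks like a year")
    return reasons


def random_pin(rng=secrets.randbelow):
    """Draw 4-digit PINs from the OS CSPRNG until one passes weak_reasons()."""
    while True:
        pin = "%04d" % rng(10000)
        if not weak_reasons(pin):
            return pin


if __name__ == "__main__":
    for p in ("1234", "2580", "1998", "7391"):
        print(p, weak_reasons(p) or "ok")
    print("suggested:", random_pin())
```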
65. Security Checklist
13. Locked and Loaded
Ensure that smartphone or tablet e-mail account
access is through either an SSL or HTTPS connection
so that transmitted data is encrypted.
vcv_note: Quick web search should provide this
answer. Example: Gmail
66. Encrypting Email Traffic
• Android
– TouchDown for Smartphones by NitroDesk
includes support for S/MIME keys from EchoWorx
• Blackberry
– BlackBerry devices provide encryption and policy
from the BlackBerry Enterprise Server (BES); The
implementation is trusted and validated by many
government organizations
67. Encrypting Email Traffic
• iPhone
– 3GS has hardware encryption (also enabled via
ActiveSync option); AES256 employed by default;
Pre-3GS devices do not provide encryption
– Encryption bypass vulnerabilities all require the
iPhone to be already jail-broken
• Windows Phone
– Good for Enterprise by Good Technologies
providing security at the application layer (in
addition to device security)
68. Tablet Security Products
• Pay-for Android tablet security, similar
features, protect 1 device for 1 year, $19.99
– Norton Mobile Security Lite
– Kaspersky Tablet Security
– Webroot Mobile Security
• Norton 360 Everywhere (May 4 2012)
– protects up to 5 devices, including PC, Mac, and
Android smartphones and tablets, $99
69. Jumpstarting Your BYOD Policy 12
• Basic BYOD employee training includes:
– Training on physical security
– Training on Wi-Fi security
– Information about social engineering attacks and
how to avoid them
– A requirement to password-protect personal
devices and education on strong passwords
– Clearly stated rules on what work-related data can
be accessed from personal devices (Ohio State)
70. Intel’s Mobile Policy 13
• Policies and security expectations are same for
corporate and personally owned devices
• Communicated to employees...
– When employees sign up for particular services
– When staff connect a new device to the Intel
network
– On a regular basis through security awareness
articles and notices
– In an annual security refresher for the entire staff
71. Future for People
• One Constant ... Human Nature
• People will look to do both good and bad
things with technology
• Consumers will continue to drive new devices
and technology
• Lack of Security Skills with today’s devices
(and future devices) will haunt us going
forward
72. Future for Technology
• Advances in materials science will continue to
make devices smaller and faster
• Embedded devices
– iDermal, Strapless iPod Nano Watch
• Tokenless Two-Factor authentication
– PhoneFactor (Commercial) Video, White Paper
• Improved Security Built-In to devices (hope)
– ZTE Android Backdoor Vulnerability
73. Future Threats
• Social Networks will continue to evolve and
change
• Transition to a more secure 3G/4G may take
some time
• Those with bad intent (e.g. criminals) will
always find a way to outwit or outlast any
security measures put into place
– One Constant ... Human Nature
74. Future Actions (by YOU)
• BYOD is a done deal (mostly)
• Devices with very little effort can be made
reasonably secure
• Mobile Device Management (MDM) still
young – implement but review in 1 year
75. Final Thoughts
• We come back to USER
EDUCATION, TRAINING, and RE-TRAINING
• Encourage the use of “Common Sense”
• Discourage the attitude of “No one would
want my data” and “this can’t happen to me”
• Security - It's not your fault. It's your
responsibility.
77. Sources
1. Employees Use Multiple Gadgets For Work — And Choose Much Of The Tech Themselves
2. BlackBerry still trumps Android for security, analysis finds
3. 41% of people believe online banking and shopping is akin to playing Russian Roulette
4. BYOD Smartphones, PCs and Tablets Raise Big Security Risks, Experts Say
5. Mobile Threat Report Q1 2012, F-Secure Labs
6. Android, Apple iOS run away from pack: Can Windows Phone challenge at all?
7. Apple iOS Needs Antivirus Protection: Kaspersky
8. SecurityBSides London - windows phone 7
9. Bsides London 2012 David Rook: Windows Phone 7 platform and application security overview
10. Attevo Offers A 13-Point Security Checklist For Smartphone Users
11. Most Common iPhone Passcodes
12. Jumpstarting Your BYOD Policy
13. How to Enforce Your Mobile Policy
Editor's Notes
Smartphones and tablets give us unprecedented access to our work-related networks and data. You may have an Apple iOS, Google Android, RIM Blackberry, Symbian, Windows or other device. With the rising adoption of these mobile devices, cybercriminals are beginning to target their vulnerabilities with increased fervor. As such, you need to consider security on all types of mobile devices.
How Are Smartphones Being Used? [Infographic], 20th September 2011
http://www.tatango.com/blog/how-are-smartphones-being-used/
Employees Use Multiple Gadgets For Work — And Choose Much Of The Tech Themselves
http://blogs.forrester.com/frank_gillett/12-02-22-employees_use_multiple_gadgets_for_work_and_choose_much_of_the_tech_themselves
With the strong growth of mobile devices — personal or issued by IT — and Microsoft’s minuscule share of mobile devices, that means that Microsoft’s share of the OS on devices used for work will continue to erode.
Luke Wroblewski made the comment at lunch about using these devices while “we wait”
MDM will not be the focus of this talk. Instead we will look at lower budget (free) recommendations for our customers. The Gartner Report link from last Fall gives a good overview of MDM.
The question can be posed 2 ways: Who is the most secure? Or who is the least secure?
Extracting data from an iPhone is fairly easy for hackers. If an iPhone is lost or stolen, even if it’s locked, it’s possible for a hacker to obtain sensitive data. For example, existing software allows hackers to jailbreak phones even if they're locked. The hackers can then run any application or install a script that retrieves the phone's secure keychain entries, which can include account details for accessing enterprise resources. Apple tightly controls the applications allowed to run on iOS. But many security experts think it’s just a matter of time before renegade coders develop malware capable of infiltrating iOS. Users who have jail-broken their phones are already susceptible. IT must take every step possible to protect the data stored on users’ iPhones. That means encrypting transmitted data, using digital certificates for authentication and enforcing strong passcode-lock rules. It’s also important to implement remote-wipe capabilities, in case a phone is lost or stolen. Configuring the iPhone to erase all personal data after a certain number of unsuccessful attempts to unlock the phone will help with data security as well.
Due to the secure design of iOS, it is not possible to scan files automatically or to run scheduled scans. VirusBarrier iOS is an "on-demand" detection system that lets you scan files when you want to. VirusBarrier iOS lets you easily scan e-mail attachments, other files you have access to on your iOS device, or files on remote locations such as MobileMe and DropBox, web servers or WebDAV and FTP shares. VirusBarrier iOS uses Intego's award-winning VirusBarrier X6 scanning technology to detect and eradicate all known malware affecting Windows or Macs: viruses, worms, Trojan horses, fake antiviruses, and other types of malware that might otherwise pass through undetected.
Kaspersky CEO said in late April that Apple is 10 years behind Microsoft in terms of security. “… Welcome to Microsoft’s world, Mac. It's full of malware. Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on.” Last week, Kaspersky was again talking about Apple, this time saying he was “a little bit disappointed … Apple won’t let us” develop antivirus software for iOS devices, including iPhones and iPads. In an interview with The Register news site, he warned that, like with Macs and Mac OS X, the rapidly growing popularity in the iOS devices will mean that criminals increasingly will target the operating system.
http://www.eweek.com/c/a/Security/Apple-iOS-Needs-Antivirus-Protection-Kaspersky-844659/
SC Mag Awards, BSides London and Bletchley Park, April 30, 2012
Source: http://www.slideshare.net/securityninja/securitybsides-london-windows-phone-7
Video: http://www.youtube.com/watch?v=XQFkhZ0Y3dw&feature=youtu.be
International Data Corporation (IDC) is a market research and analysis firm specializing in information technology, telecommunications and consumer technology.
Trusted Computing Base (TCB)
– Kernel and kernel-mode drivers run here
– Processes have unrestricted access to most resources
– TCB chamber can modify policy and enforce security
– Only Microsoft can add signed software to the TCB chamber
Elevated Rights Chamber (ERC)
– User-mode drivers and services run here
– Can access all resources except for security policy
– Intended for services and user-mode drivers
– Only Microsoft can add signed software to the ERC chamber
Standard Rights Chamber (SRC)
– Default chamber for pre-installed MS and OEM apps
– Apps that do not provide device-wide services run in the SRC
Least Privileged Chamber (LPC)
– Default chamber for all non-Microsoft applications
– Least Privileged Chamber permissions are configured using capabilities
– Capabilities are listed in the WMAppManifest.xml file
– WP7 apps are granted security permissions based on the contents of the WMAppManifest.xml file
Windows Phone 7 Sandboxing
– Apps in the LPC can’t communicate with other apps
– Sandboxed apps aren’t allowed to run in the background
– No access to native code from within the sandbox
– All I/O operations are restricted to per-app Isolated Storage
Windows Phone 7 Isolated Storage
– Per-app Isolated Storage allows apps to keep their own data “private”
– No direct access to the file system
– No access to other apps’ Isolated Storage
Windows Phone 7 Data Security
– The local database encryption is based on a password
– Developers create a database in code and must include the password
– Database is encrypted using AES-128 (Advanced Encryption Standard)
– Password is hashed with SHA-256 (Secure Hash Algorithm)
– An encrypted database can be created with two lines of code
– The key sizes are in bits, and generally a longer key is stronger, but encrypting with it will be slower. So, AES with a 128-bit key is faster but less secure than AES with a 256-bit key.
Source: http://www.slideshare.net/securityninja/securitybsides-london-windows-phone-7
Video: http://www.youtube.com/watch?v=XQFkhZ0Y3dw&feature=youtu.be
Kaspersky: Android is a system under attack right now, just like Windows was 10 years ago (number of signatures)
The McAfee Threats Report for the First Quarter of 2012 (.pdf) has documented that hundreds of threats in the middle of 2011 have moved into the thousands this year. Part of the reason for the increase is because security firms are getting better at collecting, processing and detecting mobile malware, McAfee said.
Source: http://searchsecurity.techtarget.com/news/2240150714/Android-Malware-Genome-Project-aims-to-nurture-mobile-security-research
While Yahoo was celebrating the surprise launch of its Axis Web browser yesterday (May 23), a security researcher was swiftly exploiting a critical vulnerability in the new software, proving just how easy it would be for an attacker to steal users' passwords or even install malware. Axis comes in the form of a stand-alone browser for mobile devices such as iPhones and iPads, but is a browser extension for desktop versions of Google Chrome, Microsoft Internet Explorer and Mozilla Firefox. In the Chrome version of the extension, Yahoo mistakenly left its private authentication certificate key in Axis' source file, according to independent researcher Nik Cubrilovic. In the words of Kaspersky Lab researcher Dennis Fisher, "That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
Smartphones are valuable tools that help us navigate through everyday life: they’re our camera, MP3 Player, Rolodex, and GPS. Unfortunately, thieves think they are valuable too! According to law enforcement officials, phone theft is actually one of the fastest growing crimes in the U.S. Check out the infographic below to learn more about “Grand Theft Mobile,” and see how you can keep your smartphone safe!
The Metropolitan Police will introduce new forensic software, which will allow it to extract information from a suspect's mobile phone within minutes. The Aesco Software will be able to quickly obtain call and messaging data, even if the SIM card is locked, meaning the boys in blue won't have to send the device off to the crime lab for weeks at a time.
iPhone3GS has hardware encryption which is also enabled by enabling the ActiveSync option; AES256 employed by default; Pre-3GS devices do not provide encryption
More info: http://www.infosecisland.com/blogview/18240-The-Urgent-Need-for-Mobile-Device-Security-Policies.html
Chinese telecom and mobile device manufacturer ZTE recently confirmed the presence of a backdoor vulnerability in smartphones distributed in the U.S. The vulnerability would allow an attacker to remotely gain root access control over a device, and the password located in /system/bin/sync_agent that accesses the backdoor has been published in the wild. Symantec researcher Branko Spasojevic says the company has successfully applied the exploit to MetroPCS and Cricket Wireless versions of the ZTE phones. The Android operating system is designed to "sandbox" applications and prevent them from initiating system-level commands without being granted proper authorization by the user, but the ZTE backdoor allows for unabridged privilege escalation on the devices. The vulnerability was apparently hard coded into the ZTE Score M smartphones, and it is rumored that the vulnerability may also exist in the company's Skate devices as well, but ZTE has denied that Skates are at risk. "The privilege escalation was not a bug in code on the device, but instead likely a design feature for carrier administration purposes or troubleshooting. Unfortunately, irrespective of the reason this code was included, by allowing any application to gain a root shell (system level privileges), malicious applications can also utilize the root shell performing malicious actions normally prevented by the Android security model," Spasojevic writes.