SlideShare a Scribd company logo

2012 12-04 --ncc_group_-_mobile_threat_war_room

NCC Group
NCC Group
TechnologyBusiness
1 of 22
Download to read offline
Mobile Threat War Room Ollie Whitehouse
Agenda • Big Trends • Some Technical Details • Predictions for 2013
Big Trends
Mobile Malware.. Finally • Everybody has been predicting mobile malware for five years • Finally with mobile crimeware kits • Real events: • All Trojans.. premium rate SMS the money machine • On Android, automated repackaging is a huge issue • Disparate market places (i.e. non Google) • Demonstration of off-device payloads on iOS and Android • Although not on a mass scale…
Messy Android Ecosystem • Early decisions are coming back to haunt Google • OEM patching • Loose CTS • Open market • Not all phones are created equal • Tier-1 “Google Experience” Devices provide the only trustworthy Android choice • Google is trying to put the genie back in the bottle • We’re trying to help carriers/OEM, but it is an uphill battle
BYOD / Employee Liable • Increasingly our clients support iOS, with less supporting Android • RIM’s dominance of the FSTE 100 is over • Varied levels of support: • Open ActiveSync • Provisioned ActiveSync • VPN->ActiveSync • Secure Container Not Recommended
Death of Network Trust • GSM is totally toast • A5/3 showing massive weakness • A5/1 is good enough for 99% of situations • No longer theoretical • We had a high-net-worth client spot an IMEI catcher across the street • CA system completed failed in 2011 • DigiNotar, Comodo • 1500 ICAs and climbing
Widespread Government Monitoring • Arab Spring powered, countered by mobile • Tunisia is a cyber-warfare power? • More advanced than you might think • JavaScript Injection • User-agent, referrer, IP spoofing • Enabled by Western equipment, utilizing mixture of government and mercenary talent • Sites with less than 100% HTTPS might be automatically caught up • ActiveSync CANNOT be used overseas
Secure Containers Get Real • Many many clients are deploying secure containers for mobile mail and documents • Very helpful for: • More secure provisioning and wiping • Avoiding exposure of AD creds • Protecting against CA attacks • Not so helpful against: • Jailbroken devices • On-device malware • Lost phones
Mobile Forensics Gets Better.. • … for 7K GBP • That can bypass lock screens • … on some devices • That can do raw sector copies • … which impacts device not fully encrypted • Becoming incredibly easy to use
Mobile Two-Factor Authentication • Increasingly clients looking to mobiles for two-factor • SMS • Mobile Apps • Phone call • Reducing the token cost…
Researchers • Still successful • going lower (cellular baseband) • going sideways (NFC) • … these are not theoretical attacks • … but they’re also uncommon • Criminals still not having to invest • easy attacks still working • but research out there..
Interesting Details
iOS Changed this Year • iCloud complicates DLP situation • MDM much improved • TLS, iCloud, SMIME • Upgrade of KeyChain to defeat forensics • Didn’t work, see ElcomSoft • Fixes to file privacy settings • Slight anti-exploit improvements • Didn’t work, see PDF jailbreak • Still missing: • Real full-device encryption • Useful Safari Sandbox
iOS Changes in iOS6 • Guided access • Loan a device without fear • Supervised mode • Geo fencing notifications • Global proxy settings – enabling content filtering • Lock down profiles / certificates • … enterprise management gets real! • ….. or becomes as much fun as a BlackBerry • … and 197 security patches, including 4 for the lock screen
Android Changes this Year • Anti-exploit improvements • Local MDM API improvements • Significant fixes to permission regressions • Configurable CA root store (ICS) • Real data-partition encryption (ICS) • Still missing: • Kernel syscall sandbox • 3LM Technologies • Market anti-spoofing analytics
Top iOS App Mistakes • SQLite queries not parameterized • Bad entropy • Data stored insecurely • Not controlling iTunes backups • Static analyzer results not reviewed • General C issues (malloc(), and str*) • Format strings not declared • Incoming data from user not sanitized/encoded
Top Android App Mistakes • Exporting components accidentally • Silly custom permissions • Intent Reflection (use PendingIntents) • Unauthenticated services • WebView caching • Native Code Bugs • Poor HTTPS / SSL usage • Too much local storage
Microsoft Bring Their Game.. • Windows 8 • … but on a mobile phone • Ahead of security arms race • … but on a mobile phone • Without the legacy • … which has been the Achilles of the MS eco system • Everything we know and love • Secure boot • BitLocker • MDM • Etc..
Predications for 2013
Mobile Phishing gains traction Public disclosure of GSM eavesdroppingCitizen repression tech Used for Industrial Espionage Mobile APT DOESN’T happen Continued improvements in Mobile OS security Continued mistakes by handset OEMs Disclosed compromise of cellular carrier Mobile patch management becomes hot topic
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Chicago Atlanta New York Seattle Boston Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Thanks! Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com

Recommended

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
IoT security compliance checklist
IoT security compliance checklist IoT security compliance checklist
IoT security compliance checklist PriyaNemade
 
How to create a secure IoT device
How to create a secure IoT deviceHow to create a secure IoT device
How to create a secure IoT deviceAbhijeet Rane
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authenticationMecklerMedia
 

Recommended

2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
IoT security compliance checklist
IoT security compliance checklist IoT security compliance checklist
IoT security compliance checklist PriyaNemade
 
How to create a secure IoT device
How to create a secure IoT deviceHow to create a secure IoT device
How to create a secure IoT deviceAbhijeet Rane
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authenticationMecklerMedia
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M SecurityYu-Hsin Hung
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers GuideLumension
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesDenim Group
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security ElementsEurotech
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsJeff Katz
 
Internet of things security challenges
Internet of things security challengesInternet of things security challenges
Internet of things security challengesHadi Fadlallah
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 Cyd Isaak Francisco
 
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)Intergen
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model PresentationGowdhaman Jothilingam
 
Cyber Security Overview for Small Businesses
Cyber Security Overview for Small BusinessesCyber Security Overview for Small Businesses
Cyber Security Overview for Small BusinessesCharles Cline
 
NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explainedrtp2009
 
Zero Trust
Zero TrustZero Trust
Zero TrustBoaz Shunami
 
Track 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iotTrack 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iotST_World
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process EC-Council
 
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, ArduinoParis Open Source Summit
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 

More Related Content

What's hot

Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers GuideLumension
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesDenim Group
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security ElementsEurotech
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsJeff Katz
 
Internet of things security challenges
Internet of things security challengesInternet of things security challenges
Internet of things security challengesHadi Fadlallah
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 Cyd Isaak Francisco
 
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)Intergen
 
Cyber Security Overview for Small Businesses
Cyber Security Overview for Small BusinessesCyber Security Overview for Small Businesses
Cyber Security Overview for Small BusinessesCharles Cline
 
NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explainedrtp2009
 
Track 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iotTrack 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iotST_World
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process EC-Council
 
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, ArduinoParis Open Source Summit
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 

What's hot (20)

Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security Elements
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of Things
 
Internet of things security challenges
Internet of things security challengesInternet of things security challenges
Internet of things security challenges
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
 
New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016
 
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
Windows Accelerate IT Pro Bootcamp: Security (Module 4 of 8)
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
Cyber Security Overview for Small Businesses
Cyber Security Overview for Small BusinessesCyber Security Overview for Small Businesses
Cyber Security Overview for Small Businesses
 
NIST Zero Trust Explained
NIST Zero Trust ExplainedNIST Zero Trust Explained
NIST Zero Trust Explained
 
Zero Trust
Zero TrustZero Trust
Zero Trust
 
Track 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iotTrack 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iot
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
 
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 

Viewers also liked

Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsNCC Group
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Search Engine Optimization - Even the little guys can win...
Search Engine Optimization - Even the little guys can win...Search Engine Optimization - Even the little guys can win...
Search Engine Optimization - Even the little guys can win...Greg Gifford
 
不一樣的台灣
不一樣的台灣不一樣的台灣
不一樣的台灣honan4108
 
单反相机
单反相机单反相机
单反相机Jacky Wu
 

Viewers also liked (20)

Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Search Engine Optimization - Even the little guys can win...
Search Engine Optimization - Even the little guys can win...Search Engine Optimization - Even the little guys can win...
Search Engine Optimization - Even the little guys can win...
 
不一樣的台灣
不一樣的台灣不一樣的台灣
不一樣的台灣
 
单反相机
单反相机单反相机
单反相机
 

Similar to 2012 12-04 --ncc_group_-_mobile_threat_war_room

SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Andris Soroka
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
Smartphone Shootout: Which One is Best?
Smartphone Shootout: Which One is Best?Smartphone Shootout: Which One is Best?
Smartphone Shootout: Which One is Best?Christopher Hunt
 
Building Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptBuilding Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptJonathan Stark
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Baileyidsecconf
 
Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Source Conference
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillOllie Whitehouse
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
Android101 Intro to Android for the enterprise, IdoSphere
Android101 Intro to Android for the enterprise, IdoSphereAndroid101 Intro to Android for the enterprise, IdoSphere
Android101 Intro to Android for the enterprise, IdoSphereDennis Heinle
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKelly Robertson
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)Vince Verbeke
 
CIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on ITCIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on ITCloudIDSummit
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsVince Verbeke
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSalesforce Developers
 

Similar to 2012 12-04 --ncc_group_-_mobile_threat_war_room (20)

SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Smartphone Shootout: Which One is Best?
Smartphone Shootout: Which One is Best?Smartphone Shootout: Which One is Best?
Smartphone Shootout: Which One is Best?
 
Building Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScriptBuilding Mobile Apps with HTML, CSS, and JavaScript
Building Mobile Apps with HTML, CSS, and JavaScript
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Bailey
 
Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
 
ANDROID SECURITY
ANDROID SECURITYANDROID SECURITY
ANDROID SECURITY
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
Android101 Intro to Android for the enterprise, IdoSphere
Android101 Intro to Android for the enterprise, IdoSphereAndroid101 Intro to Android for the enterprise, IdoSphere
Android101 Intro to Android for the enterprise, IdoSphere
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
CIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on ITCIS13: Impact of Mobile Computing on IT
CIS13: Impact of Mobile Computing on IT
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
 

Recently uploaded

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 

Recently uploaded (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

2012 12-04 --ncc_group_-_mobile_threat_war_room

  • 1. Mobile Threat War Room Ollie Whitehouse
  • 2. Agenda • Big Trends • Some Technical Details • Predictions for 2013
  • 4. Mobile Malware.. Finally • Everybody has been predicting mobile malware for five years • Finally with mobile crimeware kits • Real events: • All Trojans.. premium rate SMS the money machine • On Android, automated repackaging is a huge issue • Disparate market places (i.e. non Google) • Demonstration of off-device payloads on iOS and Android • Although not on a mass scale…
  • 5. Messy Android Ecosystem • Early decisions are coming back to haunt Google • OEM patching • Loose CTS • Open market • Not all phones are created equal • Tier-1 “Google Experience” Devices provide the only trustworthy Android choice • Google is trying to put the genie back in the bottle • We’re trying to help carriers/OEM, but it is an uphill battle
  • 6. BYOD / Employee Liable • Increasingly our clients support iOS, with less supporting Android • RIM’s dominance of the FSTE 100 is over • Varied levels of support: • Open ActiveSync • Provisioned ActiveSync • VPN->ActiveSync • Secure Container Not Recommended
  • 7. Death of Network Trust • GSM is totally toast • A5/3 showing massive weakness • A5/1 is good enough for 99% of situations • No longer theoretical • We had a high-net-worth client spot an IMEI catcher across the street • CA system completed failed in 2011 • DigiNotar, Comodo • 1500 ICAs and climbing
  • 8. Widespread Government Monitoring • Arab Spring powered, countered by mobile • Tunisia is a cyber-warfare power? • More advanced than you might think • JavaScript Injection • User-agent, referrer, IP spoofing • Enabled by Western equipment, utilizing mixture of government and mercenary talent • Sites with less than 100% HTTPS might be automatically caught up • ActiveSync CANNOT be used overseas
  • 9. Secure Containers Get Real • Many many clients are deploying secure containers for mobile mail and documents • Very helpful for: • More secure provisioning and wiping • Avoiding exposure of AD creds • Protecting against CA attacks • Not so helpful against: • Jailbroken devices • On-device malware • Lost phones
  • 10. Mobile Forensics Gets Better.. • … for 7K GBP • That can bypass lock screens • … on some devices • That can do raw sector copies • … which impacts device not fully encrypted • Becoming incredibly easy to use
  • 11. Mobile Two-Factor Authentication • Increasingly clients looking to mobiles for two-factor • SMS • Mobile Apps • Phone call • Reducing the token cost…
  • 12. Researchers • Still successful • going lower (cellular baseband) • going sideways (NFC) • … these are not theoretical attacks • … but they’re also uncommon • Criminals still not having to invest • easy attacks still working • but research out there..
  • 14. iOS Changed this Year • iCloud complicates DLP situation • MDM much improved • TLS, iCloud, SMIME • Upgrade of KeyChain to defeat forensics • Didn’t work, see ElcomSoft • Fixes to file privacy settings • Slight anti-exploit improvements • Didn’t work, see PDF jailbreak • Still missing: • Real full-device encryption • Useful Safari Sandbox
  • 15. iOS Changes in iOS6 • Guided access • Loan a device without fear • Supervised mode • Geo fencing notifications • Global proxy settings – enabling content filtering • Lock down profiles / certificates • … enterprise management gets real! • ….. or becomes as much fun as a BlackBerry • … and 197 security patches, including 4 for the lock screen
  • 16. Android Changes this Year • Anti-exploit improvements • Local MDM API improvements • Significant fixes to permission regressions • Configurable CA root store (ICS) • Real data-partition encryption (ICS) • Still missing: • Kernel syscall sandbox • 3LM Technologies • Market anti-spoofing analytics
  • 17. Top iOS App Mistakes • SQLite queries not parameterized • Bad entropy • Data stored insecurely • Not controlling iTunes backups • Static analyzer results not reviewed • General C issues (malloc(), and str*) • Format strings not declared • Incoming data from user not sanitized/encoded
  • 18. Top Android App Mistakes • Exporting components accidentally • Silly custom permissions • Intent Reflection (use PendingIntents) • Unauthenticated services • WebView caching • Native Code Bugs • Poor HTTPS / SSL usage • Too much local storage
  • 19. Microsoft Bring Their Game.. • Windows 8 • … but on a mobile phone • Ahead of security arms race • … but on a mobile phone • Without the legacy • … which has been the Achilles of the MS eco system • Everything we know and love • Secure boot • BitLocker • MDM • Etc..
  • 21. Mobile Phishing gains traction Public disclosure of GSM eavesdroppingCitizen repression tech Used for Industrial Espionage Mobile APT DOESN’T happen Continued improvements in Mobile OS security Continued mistakes by handset OEMs Disclosed compromise of cellular carrier Mobile patch management becomes hot topic
  • 22. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Chicago Atlanta New York Seattle Boston Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Thanks! Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com