SlideShare a Scribd company logo

Can You Steal From Me Now? Mobile and BYOD Security Risks

Michael Davis
Michael Davis

Mobile devices and BYOD policies introduce significant security risks to organizations. The proliferation of mobile devices has led to new threats like activity monitoring, unauthorized payments, and exfiltration of sensitive data. Many mobile applications also put users' private data at risk through unsafe data practices and potential impersonation attacks. To help address these issues, user education is important, and organizations need strong mobile privacy and document access controls.

TechnologyBusiness
1 of 23
Download to read offline
Copyright ©2011Savid Can you steal from me now? Mobile and BYOD Risks Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
Agenda • Trends that you must get in front of • The Real Mobile Threats • Data/Document Sharing Risks • Ask Questions
Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
Author
InformationWeek Contributor
Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
But… • Fragmentation makes management impossible without software
Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
Activity monitoring and data retrieval • Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
Activity monitoring and data retrieval Examples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware_ texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial-trojan- expensive-phone-calls/
Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
Drive by Malware
UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android- apps-market
Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable a man-in-the-middle attack.
Why Mobility Is Exploding
Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
Mobile Document Access • Encryption is opt-in by the developer • Opening a document may copy it or even transfer it • How can you control or guarantee the apps viewing the document? – GoodReader – iAnnotate • Company App Stores aren’t enough unless you are also analyzing the app itself (most aren’t) • Most apps rely upon device encryption which requires the users password

Recommended

Security models of modern mobile systems
Security models of modern mobile systemsSecurity models of modern mobile systems
Security models of modern mobile systems
Divya Raval
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David Turahi
Commonwealth Telecommunications Organisation
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
NorazlinaAbdullah4
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device security
CAS
 
Mobile device security
Mobile device securityMobile device security
Mobile device security
Lisa Herrera
 
Mobile phone Data Hacking
Mobile phone Data HackingMobile phone Data Hacking
Mobile phone Data HackingMd Abu Syeem Dipu
 

Recommended

Security models of modern mobile systems
Security models of modern mobile systemsSecurity models of modern mobile systems
Security models of modern mobile systems
Divya Raval
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David Turahi
Commonwealth Telecommunications Organisation
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
NorazlinaAbdullah4
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device security
CAS
 
Mobile device security
Mobile device securityMobile device security
Mobile device security
Lisa Herrera
 
Mobile phone Data Hacking
Mobile phone Data HackingMobile phone Data Hacking
Mobile phone Data HackingMd Abu Syeem Dipu
 
Mobile security
Mobile securityMobile security
Mobile security
Naveen Kumar
 
Corporate security
Corporate securityCorporate security
Corporate security
Sourabh Badve
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksGraeme Wood
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
Jimmy Shah
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
Sam Bowne
 
Cyber security
Cyber securityCyber security
Cyber security
franklinsimon4
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
 
Information Technology - System Threats
Information Technology - System ThreatsInformation Technology - System Threats
Information Technology - System Threats
Drishti Bhalla
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
JASHU JASWANTH
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURES
Shyam Kumar Singh
 
Mobile security by Tajwar khan
Mobile security by Tajwar khanMobile security by Tajwar khan
Mobile security by Tajwar khan
Tajwar khan
 
Software theft
Software theftSoftware theft
Software theftchrispaul8676
 
Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Zarafa
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
PrajktaGN
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
MicroWorld Software Services Pvt Ltd
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measures
Dnyaneshwar Beedkar
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
NetWatcher
 
Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?
Symptai Consulting Limited
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computererashmi1234
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
Peter Wood
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
Ramya Nellutla
 

More Related Content

What's hot

Mobile security
Mobile securityMobile security
Mobile security
Naveen Kumar
 
Corporate security
Corporate securityCorporate security
Corporate security
Sourabh Badve
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksGraeme Wood
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
Jimmy Shah
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
Sam Bowne
 
Cyber security
Cyber securityCyber security
Cyber security
franklinsimon4
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
 
Information Technology - System Threats
Information Technology - System ThreatsInformation Technology - System Threats
Information Technology - System Threats
Drishti Bhalla
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
JASHU JASWANTH
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURES
Shyam Kumar Singh
 
Mobile security by Tajwar khan
Mobile security by Tajwar khanMobile security by Tajwar khan
Mobile security by Tajwar khan
Tajwar khan
 
Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Zarafa
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
PrajktaGN
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
MicroWorld Software Services Pvt Ltd
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measures
Dnyaneshwar Beedkar
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
NetWatcher
 
Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?
Symptai Consulting Limited
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computererashmi1234
 

What's hot (20)

Mobile security
Mobile securityMobile security
Mobile security
 
Corporate security
Corporate securityCorporate security
Corporate security
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacks
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final Public
 
Information Technology - System Threats
Information Technology - System ThreatsInformation Technology - System Threats
Information Technology - System Threats
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURES
 
Mobile security by Tajwar khan
Mobile security by Tajwar khanMobile security by Tajwar khan
Mobile security by Tajwar khan
 
Software theft
Software theftSoftware theft
Software theft
 
Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measures
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
 
Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computere
 

Similar to Can You Steal From Me Now? Mobile and BYOD Security Risks

The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
Peter Wood
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
Ramya Nellutla
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
Geo Marian
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
IJERA Editor
 
CS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptxCS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptx
GaytriDhingra1
 
Information security
Information securityInformation security
Information security
Appin Faridabad
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
IBM Security
 
CyberCrime attacks on Small Businesses
CyberCrime attacks on Small BusinessesCyberCrime attacks on Small Businesses
CyberCrime attacks on Small Businesses
Jose L. Quiñones-Borrero
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
MiltonBiswas8
 
cyber threats and attacks.pptx
cyber threats and attacks.pptxcyber threats and attacks.pptx
cyber threats and attacks.pptx
sakshiyad2611
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
Bee_Ware
 
Computer-Security.pptx
Computer-Security.pptxComputer-Security.pptx
Computer-Security.pptx
JoselitoJMebolos
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
Michael Davis
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx
ssuser84f16f
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Cengage Learning
 
information security awareness course
information security awareness courseinformation security awareness course
information security awareness course
Abdul Manaf Vellakodath
 

Similar to Can You Steal From Me Now? Mobile and BYOD Security Risks (20)

The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
 
CS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptxCS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptx
 
Information security
Information securityInformation security
Information security
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
CyberCrime attacks on Small Businesses
CyberCrime attacks on Small BusinessesCyberCrime attacks on Small Businesses
CyberCrime attacks on Small Businesses
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
cyber threats and attacks.pptx
cyber threats and attacks.pptxcyber threats and attacks.pptx
cyber threats and attacks.pptx
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
Computer-Security.pptx
Computer-Security.pptxComputer-Security.pptx
Computer-Security.pptx
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
 
information security awareness course
information security awareness courseinformation security awareness course
information security awareness course
 

More from Michael Davis

Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT Security
Michael Davis
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Michael Davis
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Michael Davis
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
Michael Davis
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A Service
Michael Davis
 

More from Michael Davis (6)

Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT Security
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A Service
 
Michael Davis Bio
Michael Davis BioMichael Davis Bio
Michael Davis Bio
 

Recently uploaded

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 

Recently uploaded (20)

GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 

Can You Steal From Me Now? Mobile and BYOD Security Risks

  • 1. Copyright ©2011Savid Can you steal from me now? Mobile and BYOD Risks Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
  • 2. Agenda • Trends that you must get in front of • The Real Mobile Threats • Data/Document Sharing Risks • Ask Questions
  • 3. Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
  • 6. Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
  • 7. But… • Fragmentation makes management impossible without software
  • 8. Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
  • 9. Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
  • 10. Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
  • 11. Activity monitoring and data retrieval • Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
  • 12. Activity monitoring and data retrieval Examples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
  • 13. Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware_ texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial-trojan- expensive-phone-calls/
  • 14. Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
  • 16. UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android- apps-market
  • 17. Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable a man-in-the-middle attack.
  • 18. Why Mobility Is Exploding
  • 19. Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
  • 20. Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
  • 21. Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
  • 22. Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
  • 23. Mobile Document Access • Encryption is opt-in by the developer • Opening a document may copy it or even transfer it • How can you control or guarantee the apps viewing the document? – GoodReader – iAnnotate • Company App Stores aren’t enough unless you are also analyzing the app itself (most aren’t) • Most apps rely upon device encryption which requires the users password