SlideShare a Scribd company logo

ISACA CACS 2012 - Mobile Device Security and Privacy

Michael Davis
Michael Davis

This document discusses trends in social media and mobile security. It notes that mobility and use of personal devices for work is increasing rapidly, bringing new security challenges. Mobile devices face security risks at the network, hardware, operating system and application layers. The document outlines common types of malicious mobile applications and vulnerabilities they may exploit, including monitoring user activity and stealing private data. It emphasizes the importance of securing sensitive data through encryption and access controls on mobile devices and applications. The document recommends organizations form mobility councils to develop mobile security policies and consider mobile device management solutions to help address security risks from increased mobility.

TechnologyBusiness
1 of 42
Download to read offline
Copyright ©2011Savid Social Media and Mobile Security: Can you steal from me now? Bad. Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
Agenda • Trends that you must get in front of • Macro-Social-Economic Models • Two Sides of the Problem – Mobile Device Management – Mobile Device Application Security • Social Media • Ask Questions
Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
Author
InformationWeek Contributor
Your gut knows work anywhere mobility is here to stay… But to what extent?? Mobility Trends
Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
• Google Android flavors • RIM Blackberry • Apple iPhone • Microsoft Phone • Nokia Symbian • HP webOS • Don’t forget tablets! Smart Device Growth
Mobility Struggles BYOD vs. Enterprise- owned devices Combat security threats & meet compliance requirements Manage multiple device platforms & apps Gauge device usage and control user parameters
But… • Fragmentation makes management impossible without software
Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
Activity monitoring and data retrieval• Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
Activity monitoring and data retrievalExamples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware _texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial- trojan-expensive-phone-calls/
Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
Drive by Malware
UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps- market
System modification (rootkit, APN proxy config) • Malicious applications will often attempt to modify the system configuration to hide their presence. This is often called rootkit behavior. • Configuration changes also make certain attacks possible. An example is modifying the device proxy configuration or APN (Access Point Name). • Example Android “DroidDream” Trojans Rootkit Phone http://www.androidpolice.com/2011/03/01/the-mother-of-all-android- malware-has-arrived-stolen-apps-released-to-the-market-that-root-your- phone-steal-your-data-and-open-backdoor
Logic or Time bomb [CWE-511] Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific event, device usage or time.
Sensitive data leakage [CWE-200] • Sensitive data leakage can be either inadvertent or side channel. • A legitimate apps usage of device information and authentication credentials can be poorly implemented thereby exposing this sensitive data to 3rd parties. – Location – Owner ID info: name, number, device ID – Authentication credentials – Authorization tokens Example: Sensitive data leakage -Storm8 Phone Number Farming http://www.boingboing.net/2009/11/05/iphone-game-dev-accu.html Android “DroidDream” Trojans steal data http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware- has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your- data-and-open-backdoor
Unsafe sensitive data storage [CWE-312] • Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords. • Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off of the file system. • It should be noted that storing sensitive data without encryption on removable media such as a micro SD card is especially risky. Examples: Citibank insecure storage of sensitive data http://www.pcworld.com/businesscenter/article/201994/citi_iphone_app_flaw_r aises_questions_of_mobile_security.html Wells Fargo Mobile application 1.1 for Android stores a username and password, along with account balances, in clear text. http://osvdb.org/show/osvdb/69217
Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable that a man-in-the-middle attack.
Hardcoded password/keys [CWE-798] • The use of hardcoded passwords or keys is sometimes used as a shortcut by developers to make the application easier to implement, support, or debug. • Once this hardcoded password is discovered through reverse engineering it renders the security of the application or the systems it authenticates to with this password ineffective. Example: Mastercard sample code: http://jack-mannino.blogspot.com/2011/02/scary-scary-mobile-banking.html final String companyId = "your-company-id-here"; final String companyPassword = "your-company-password- here";
Determine Your Risk • Your risk is unique depending on use of mobile apps • Start with e-mail, then calendar, then contacts, then the device • Use DLP to prevent the data form reaching email in the first place • Tablets should use RDP/Citrix to access “rich” applications • Enforce policy from the get go
• Form a Cross functional Mobility Council. Engage end users – “Consumerization.” • Prioritize Goals & Establish Mobility Plan • Determine Applications that can be used • Make the plan part of approved policy – Define policy – Document End User License Agreement – Define who pays for the device (all/none/partial subsidy) – Establish data security & management controls – Deployment with proper tools Strategy
• Think outside the box. At minimum, entertain cutting edge MDM vendors with new ideas. • MDM software can lessen the blow of multi-platform madness. Ultimately makes multi-platform management cheaper and more effective! Security Concerns Security Concerns Support Quality Support Quality Performance Optimization Performance Optimization Cost Control Cost Control Mobile Management Over Time Strategy
• Enroll devices in a controlled fashion vs. free-for-all • Control Device Access to Corporate Network – ActiveSync, Wi-Fi, VPN • Enforce user-to-device authentication with pin code • Set full or partial “lock/wipe” policies depending on who owns the device • Be leery of platforms without embedded crypto. Encrypt devices and data cards, when possible. • Deliver firewall and antivirus capabilities, if possible • Whitelist Mobile Applications Tactics
• Activesync features vary by phone platform and the version of Exchange you use • Users can be enrolled in ActiveSync…meaning it off for everyone until turned on for individuals. • Email / Calendar / Contacts / Tasks pushing and sync • Full device wipe • Device passwords • Encrypted storage cards • Bandwidth reductions • Disable Wi-Fi / Bluetooth And more… The Basics - ActiveSync
• Maybe ActiveSync does not offer enough control? • Mobile Device Manager platforms from a wide array of vendors offer all sorts of control • Before buying: – Do your research well. They need to support the major platforms. – Don’t always take the first offer. Look at 3 minimum. – Attempt to identify the visionaries – Determine your business requirements and how they fit – Verify vendor financial viability • This space is moving fast I want my MDM
• Multi-platform MDM that uses an agent software and selective wipe. • Multiple policies can be employed to monitor for situations that exceed permitted bounds. Ex: “If you jailbreak your device, you can’t VPN to Corp.” • Comprehensive control & features across all major platforms. User self servicing. • MobileIron speaks: – “prepare to support 3 mobile OS platforms!” – “IT should not be surprised that lines of business are building apps. IT can turn from being a blocker to an enabler.” MDM Approach Example: MobileIron
Why Mobility Is Exploding
Mobile Payments mybanktracker.com paymentscouncil.org.uk tomnoyes.wordpress.com katu.com iranmobin.com
Social Media Risks Privacy Leaks social media attacks
Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
Privacy Leak Example • July 2009: The wife of the chief of the British secret service MI6 posted highly revealing details on her Facebook page • Her privacy settings meant anyone in the "London" network could view her updates – up to 200 million people • Information revealed included – Family details – Personal photos – Location of their home
Threats Posed By Social Media
Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
Conclusion Contact Information Michael A. Davis mdavis@savidtech.com 708-532-2843 Twitter: @mdavisceo

Recommended

Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
Symantec
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
Vince Verbeke
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
Symantec
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
Xavier Mertens
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
Fabio Pietrosanti
 

Recommended

Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
Symantec
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
Vince Verbeke
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
Symantec
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
Xavier Mertens
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
Fabio Pietrosanti
 
BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
Patrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview
Fabio Pietrosanti
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
Bee_Ware
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wandera
Anjoum .
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityLenin Aboagye
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
Lookout
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
Subho Halder
 
Mobile security
Mobile securityMobile security
Mobile securityhome
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paperImaging Network Technology, LLC
 
How to Keep Hackers Out of Your Organisation
How to Keep Hackers Out of Your OrganisationHow to Keep Hackers Out of Your Organisation
How to Keep Hackers Out of Your Organisation
IBM Danmark
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
Lookout
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David Turahi
Commonwealth Telecommunications Organisation
 
How to Hack a Cryptographic Key
How to Hack a Cryptographic KeyHow to Hack a Cryptographic Key
How to Hack a Cryptographic Key
IBM Security
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile security
Kavita Rastogi
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
Denim Group
 
Michael Davis Bio
Michael Davis BioMichael Davis Bio
Michael Davis BioMichael Davis
 
Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT Security
Michael Davis
 

More Related Content

What's hot

BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
Patrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview
Fabio Pietrosanti
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
Bee_Ware
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wandera
Anjoum .
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityLenin Aboagye
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
Lookout
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
Subho Halder
 
Mobile security
Mobile securityMobile security
Mobile securityhome
 
How to Keep Hackers Out of Your Organisation
How to Keep Hackers Out of Your OrganisationHow to Keep Hackers Out of Your Organisation
How to Keep Hackers Out of Your Organisation
IBM Danmark
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
Lookout
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David Turahi
Commonwealth Telecommunications Organisation
 
How to Hack a Cryptographic Key
How to Hack a Cryptographic KeyHow to Hack a Cryptographic Key
How to Hack a Cryptographic Key
IBM Security
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile security
Kavita Rastogi
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
Denim Group
 

What's hot (20)

BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wandera
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Mobile security
Mobile securityMobile security
Mobile security
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
How to Keep Hackers Out of Your Organisation
How to Keep Hackers Out of Your OrganisationHow to Keep Hackers Out of Your Organisation
How to Keep Hackers Out of Your Organisation
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David Turahi
 
How to Hack a Cryptographic Key
How to Hack a Cryptographic KeyHow to Hack a Cryptographic Key
How to Hack a Cryptographic Key
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile security
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 

Viewers also liked

Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT Security
Michael Davis
 
Social Psychology Presentation- Confirmation Bias
Social Psychology Presentation- Confirmation BiasSocial Psychology Presentation- Confirmation Bias
Social Psychology Presentation- Confirmation Bias
HannahAshburn
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Michael Davis
 
Project 2 : Confirmation Bias
Project 2 : Confirmation BiasProject 2 : Confirmation Bias
Project 2 : Confirmation Bias
Azeem Banatwala
 
Test your Unconscious Bias
Test your Unconscious BiasTest your Unconscious Bias
Test your Unconscious Bias
Kwintessential Consulting Ltd.
 
Unconscious Bias: A Brief Introduction
Unconscious Bias: A Brief IntroductionUnconscious Bias: A Brief Introduction
Unconscious Bias: A Brief Introduction
Seán Stickle
 

Viewers also liked (7)

Michael Davis Bio
Michael Davis BioMichael Davis Bio
Michael Davis Bio
 
Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT Security
 
Social Psychology Presentation- Confirmation Bias
Social Psychology Presentation- Confirmation BiasSocial Psychology Presentation- Confirmation Bias
Social Psychology Presentation- Confirmation Bias
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
 
Project 2 : Confirmation Bias
Project 2 : Confirmation BiasProject 2 : Confirmation Bias
Project 2 : Confirmation Bias
 
Test your Unconscious Bias
Test your Unconscious BiasTest your Unconscious Bias
Test your Unconscious Bias
 
Unconscious Bias: A Brief Introduction
Unconscious Bias: A Brief IntroductionUnconscious Bias: A Brief Introduction
Unconscious Bias: A Brief Introduction
 

Similar to ISACA CACS 2012 - Mobile Device Security and Privacy

Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
IBM Security
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
Ramya Nellutla
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
Michael Davis
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Securing hand held computing devices
Securing hand held computing devicesSecuring hand held computing devices
Securing hand held computing devicesjraja01
 
Mobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An IntroductionMobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An Introduction
Nagarro
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
NetWatcher
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
IJERA Editor
 
Outside the Office: Mobile Security
Outside the Office: Mobile SecurityOutside the Office: Mobile Security
Outside the Office: Mobile Security
McKonly & Asbury, LLP
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015Francisco Anes
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
Vladimir Jirasek
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
Geo Marian
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile Banking
Jay McLaughlin
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?Tyler Shields
 
Cyberattacks.pptx
Cyberattacks.pptxCyberattacks.pptx
Cyberattacks.pptx
SonakshiMundra
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
Symantec
 

Similar to ISACA CACS 2012 - Mobile Device Security and Privacy (20)

Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Securing hand held computing devices
Securing hand held computing devicesSecuring hand held computing devices
Securing hand held computing devices
 
Mobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An IntroductionMobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An Introduction
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
 
Outside the Office: Mobile Security
Outside the Office: Mobile SecurityOutside the Office: Mobile Security
Outside the Office: Mobile Security
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile Banking
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
 
Cyberattacks.pptx
Cyberattacks.pptxCyberattacks.pptx
Cyberattacks.pptx
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
 

Recently uploaded

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

ISACA CACS 2012 - Mobile Device Security and Privacy

  • 1. Copyright ©2011Savid Social Media and Mobile Security: Can you steal from me now? Bad. Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
  • 2. Agenda • Trends that you must get in front of • Macro-Social-Economic Models • Two Sides of the Problem – Mobile Device Management – Mobile Device Application Security • Social Media • Ask Questions
  • 3. Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
  • 6. Your gut knows work anywhere mobility is here to stay… But to what extent?? Mobility Trends
  • 7. Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
  • 8. • Google Android flavors • RIM Blackberry • Apple iPhone • Microsoft Phone • Nokia Symbian • HP webOS • Don’t forget tablets! Smart Device Growth
  • 9. Mobility Struggles BYOD vs. Enterprise- owned devices Combat security threats & meet compliance requirements Manage multiple device platforms & apps Gauge device usage and control user parameters
  • 10. But… • Fragmentation makes management impossible without software
  • 11. Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
  • 12. Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
  • 13. Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
  • 14. Activity monitoring and data retrieval• Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
  • 15. Activity monitoring and data retrievalExamples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
  • 16. Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware _texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial- trojan-expensive-phone-calls/
  • 17. Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
  • 19. UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps- market
  • 20. System modification (rootkit, APN proxy config) • Malicious applications will often attempt to modify the system configuration to hide their presence. This is often called rootkit behavior. • Configuration changes also make certain attacks possible. An example is modifying the device proxy configuration or APN (Access Point Name). • Example Android “DroidDream” Trojans Rootkit Phone http://www.androidpolice.com/2011/03/01/the-mother-of-all-android- malware-has-arrived-stolen-apps-released-to-the-market-that-root-your- phone-steal-your-data-and-open-backdoor
  • 21. Logic or Time bomb [CWE-511] Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific event, device usage or time.
  • 22. Sensitive data leakage [CWE-200] • Sensitive data leakage can be either inadvertent or side channel. • A legitimate apps usage of device information and authentication credentials can be poorly implemented thereby exposing this sensitive data to 3rd parties. – Location – Owner ID info: name, number, device ID – Authentication credentials – Authorization tokens Example: Sensitive data leakage -Storm8 Phone Number Farming http://www.boingboing.net/2009/11/05/iphone-game-dev-accu.html Android “DroidDream” Trojans steal data http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware- has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your- data-and-open-backdoor
  • 23. Unsafe sensitive data storage [CWE-312] • Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords. • Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off of the file system. • It should be noted that storing sensitive data without encryption on removable media such as a micro SD card is especially risky. Examples: Citibank insecure storage of sensitive data http://www.pcworld.com/businesscenter/article/201994/citi_iphone_app_flaw_r aises_questions_of_mobile_security.html Wells Fargo Mobile application 1.1 for Android stores a username and password, along with account balances, in clear text. http://osvdb.org/show/osvdb/69217
  • 24. Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable that a man-in-the-middle attack.
  • 25. Hardcoded password/keys [CWE-798] • The use of hardcoded passwords or keys is sometimes used as a shortcut by developers to make the application easier to implement, support, or debug. • Once this hardcoded password is discovered through reverse engineering it renders the security of the application or the systems it authenticates to with this password ineffective. Example: Mastercard sample code: http://jack-mannino.blogspot.com/2011/02/scary-scary-mobile-banking.html final String companyId = "your-company-id-here"; final String companyPassword = "your-company-password- here";
  • 26. Determine Your Risk • Your risk is unique depending on use of mobile apps • Start with e-mail, then calendar, then contacts, then the device • Use DLP to prevent the data form reaching email in the first place • Tablets should use RDP/Citrix to access “rich” applications • Enforce policy from the get go
  • 27. • Form a Cross functional Mobility Council. Engage end users – “Consumerization.” • Prioritize Goals & Establish Mobility Plan • Determine Applications that can be used • Make the plan part of approved policy – Define policy – Document End User License Agreement – Define who pays for the device (all/none/partial subsidy) – Establish data security & management controls – Deployment with proper tools Strategy
  • 28. • Think outside the box. At minimum, entertain cutting edge MDM vendors with new ideas. • MDM software can lessen the blow of multi-platform madness. Ultimately makes multi-platform management cheaper and more effective! Security Concerns Security Concerns Support Quality Support Quality Performance Optimization Performance Optimization Cost Control Cost Control Mobile Management Over Time Strategy
  • 29. • Enroll devices in a controlled fashion vs. free-for-all • Control Device Access to Corporate Network – ActiveSync, Wi-Fi, VPN • Enforce user-to-device authentication with pin code • Set full or partial “lock/wipe” policies depending on who owns the device • Be leery of platforms without embedded crypto. Encrypt devices and data cards, when possible. • Deliver firewall and antivirus capabilities, if possible • Whitelist Mobile Applications Tactics
  • 30. • Activesync features vary by phone platform and the version of Exchange you use • Users can be enrolled in ActiveSync…meaning it off for everyone until turned on for individuals. • Email / Calendar / Contacts / Tasks pushing and sync • Full device wipe • Device passwords • Encrypted storage cards • Bandwidth reductions • Disable Wi-Fi / Bluetooth And more… The Basics - ActiveSync
  • 31. • Maybe ActiveSync does not offer enough control? • Mobile Device Manager platforms from a wide array of vendors offer all sorts of control • Before buying: – Do your research well. They need to support the major platforms. – Don’t always take the first offer. Look at 3 minimum. – Attempt to identify the visionaries – Determine your business requirements and how they fit – Verify vendor financial viability • This space is moving fast I want my MDM
  • 32. • Multi-platform MDM that uses an agent software and selective wipe. • Multiple policies can be employed to monitor for situations that exceed permitted bounds. Ex: “If you jailbreak your device, you can’t VPN to Corp.” • Comprehensive control & features across all major platforms. User self servicing. • MobileIron speaks: – “prepare to support 3 mobile OS platforms!” – “IT should not be surprised that lines of business are building apps. IT can turn from being a blocker to an enabler.” MDM Approach Example: MobileIron
  • 33. Why Mobility Is Exploding
  • 36. Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
  • 37. Privacy Leak Example • July 2009: The wife of the chief of the British secret service MI6 posted highly revealing details on her Facebook page • Her privacy settings meant anyone in the "London" network could view her updates – up to 200 million people • Information revealed included – Family details – Personal photos – Location of their home
  • 38. Threats Posed By Social Media
  • 39. Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
  • 40. Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
  • 41. Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
  • 42. Conclusion Contact Information Michael A. Davis mdavis@savidtech.com 708-532-2843 Twitter: @mdavisceo