SlideShare une entreprise Scribd logo

Mobile and BYOD Risks Title

Michael Davis
Michael Davis

Mobile devices and BYOD policies introduce significant security risks to organizations. The proliferation of mobile devices has led to new threats like activity monitoring, unauthorized payments, and exfiltration of sensitive data. Many mobile applications also put users' private data at risk through unsafe data practices and potential impersonation attacks. To help address these issues, user education is important, and organizations need strong mobile privacy and document access controls.

TechnologieBusiness
1  sur  23
Télécharger pour lire hors ligne
Copyright ©2011Savid Can you steal from me now? Mobile and BYOD Risks Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
Agenda • Trends that you must get in front of • The Real Mobile Threats • Data/Document Sharing Risks • Ask Questions
Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
Author
InformationWeek Contributor
Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
But… • Fragmentation makes management impossible without software
Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
Activity monitoring and data retrieval • Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
Activity monitoring and data retrieval Examples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware_ texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial-trojan- expensive-phone-calls/
Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
Drive by Malware
UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android- apps-market
Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable a man-in-the-middle attack.
Why Mobility Is Exploding
Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
Mobile Document Access • Encryption is opt-in by the developer • Opening a document may copy it or even transfer it • How can you control or guarantee the apps viewing the document? – GoodReader – iAnnotate • Company App Stores aren’t enough unless you are also analyzing the app itself (most aren’t) • Most apps rely upon device encryption which requires the users password

Recommandé

Security models of modern mobile systems
Security models of modern mobile systemsSecurity models of modern mobile systems
Security models of modern mobile systemsDivya Raval
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCommonwealth Telecommunications Organisation
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Chapter 4
Chapter 4Chapter 4
Chapter 4NorazlinaAbdullah4
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device securityCAS
 
Mobile device security
Mobile device securityMobile device security
Mobile device securityLisa Herrera
 
Mobile phone Data Hacking
Mobile phone Data HackingMobile phone Data Hacking
Mobile phone Data HackingMd Abu Syeem Dipu
 

Recommandé

Security models of modern mobile systems
Security models of modern mobile systemsSecurity models of modern mobile systems
Security models of modern mobile systemsDivya Raval
 
CTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCTO Cybersecurity Forum 2013 David Turahi
CTO Cybersecurity Forum 2013 David TurahiCommonwealth Telecommunications Organisation
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Chapter 4
Chapter 4Chapter 4
Chapter 4NorazlinaAbdullah4
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device securityCAS
 
Mobile device security
Mobile device securityMobile device security
Mobile device securityLisa Herrera
 
Mobile phone Data Hacking
Mobile phone Data HackingMobile phone Data Hacking
Mobile phone Data HackingMd Abu Syeem Dipu
 
Mobile security
Mobile securityMobile security
Mobile securityNaveen Kumar
 
Corporate security
Corporate securityCorporate security
Corporate securitySourabh Badve
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksGraeme Wood
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsJimmy Shah
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)securitySam Bowne
 
Cyber security
Cyber securityCyber security
Cyber securityfranklinsimon4
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
 
Information Technology - System Threats
Information Technology - System ThreatsInformation Technology - System Threats
Information Technology - System ThreatsDrishti Bhalla
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYJASHU JASWANTH
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESShyam Kumar Singh
 
Mobile security by Tajwar khan
Mobile security by Tajwar khanMobile security by Tajwar khan
Mobile security by Tajwar khanTajwar khan
 
Software theft
Software theftSoftware theft
Software theftchrispaul8676
 
Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Zarafa
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer securityPrajktaGN
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScanMicroWorld Software Services Pvt Ltd
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measuresDnyaneshwar Beedkar
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end usersNetWatcher
 
Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Symptai Consulting Limited
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computererashmi1234
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptxRamya Nellutla
 

Contenu connexe

Tendances

Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksGraeme Wood
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsJimmy Shah
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)securitySam Bowne
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
 
Information Technology - System Threats
Information Technology - System ThreatsInformation Technology - System Threats
Information Technology - System ThreatsDrishti Bhalla
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYJASHU JASWANTH
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESShyam Kumar Singh
 
Mobile security by Tajwar khan
Mobile security by Tajwar khanMobile security by Tajwar khan
Mobile security by Tajwar khanTajwar khan
 
Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Zarafa
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer securityPrajktaGN
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measuresDnyaneshwar Beedkar
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end usersNetWatcher
 
Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Symptai Consulting Limited
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computererashmi1234
 

Tendances (20)

Mobile security
Mobile securityMobile security
Mobile security
 
Corporate security
Corporate securityCorporate security
Corporate security
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacks
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final Public
 
Information Technology - System Threats
Information Technology - System ThreatsInformation Technology - System Threats
Information Technology - System Threats
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURES
 
Mobile security by Tajwar khan
Mobile security by Tajwar khanMobile security by Tajwar khan
Mobile security by Tajwar khan
 
Software theft
Software theftSoftware theft
Software theft
 
Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011Mobile security 8soft_final_summercamp2011
Mobile security 8soft_final_summercamp2011
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
 
Malicious malware breaches - eScan
Malicious malware breaches - eScanMalicious malware breaches - eScan
Malicious malware breaches - eScan
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measures
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
 
Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?Can your company survive a modern day cyber attack?
Can your company survive a modern day cyber attack?
 
Basic Security Computere
Basic Security ComputereBasic Security Computere
Basic Security Computere
 

Similaire à Mobile and BYOD Risks Title

The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on reviewMiltonBiswas8
 
cyber threats and attacks.pptx
cyber threats and attacks.pptxcyber threats and attacks.pptx
cyber threats and attacks.pptxsakshiyad2611
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesBee_Ware
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMichael Davis
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptxssuser84f16f
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Cengage Learning
 

Similaire à Mobile and BYOD Risks Title (20)

The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Unit-3.pptx
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
 
CS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptxCS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptx
 
Information security
Information securityInformation security
Information security
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
CyberCrime attacks on Small Businesses
CyberCrime attacks on Small BusinessesCyberCrime attacks on Small Businesses
CyberCrime attacks on Small Businesses
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
cyber threats and attacks.pptx
cyber threats and attacks.pptxcyber threats and attacks.pptx
cyber threats and attacks.pptx
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
Computer-Security.pptx
Computer-Security.pptxComputer-Security.pptx
Computer-Security.pptx
 
Make Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile SecurityMake Mobilization Work - Properly Implementing Mobile Security
Make Mobilization Work - Properly Implementing Mobile Security
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx3Nov Challanges to Inernal Security.pptx
3Nov Challanges to Inernal Security.pptx
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
 
information security awareness course
information security awareness courseinformation security awareness course
information security awareness course
 

Plus de Michael Davis

Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT SecurityMichael Davis
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersMichael Davis
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkMichael Davis
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A ServiceMichael Davis
 

Plus de Michael Davis (6)

Cost Justifying IT Security
Cost Justifying IT SecurityCost Justifying IT Security
Cost Justifying IT Security
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
 
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't WorkConfirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A Service
 
Michael Davis Bio
Michael Davis BioMichael Davis Bio
Michael Davis Bio
 

Dernier

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Mobile and BYOD Risks Title

  • 1. Copyright ©2011Savid Can you steal from me now? Mobile and BYOD Risks Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
  • 2. Agenda • Trends that you must get in front of • The Real Mobile Threats • Data/Document Sharing Risks • Ask Questions
  • 3. Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
  • 6. Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
  • 7. But… • Fragmentation makes management impossible without software
  • 8. Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
  • 9. Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
  • 10. Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
  • 11. Activity monitoring and data retrieval • Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
  • 12. Activity monitoring and data retrieval Examples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
  • 13. Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware_ texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial-trojan- expensive-phone-calls/
  • 14. Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
  • 16. UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android- apps-market
  • 17. Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable a man-in-the-middle attack.
  • 18. Why Mobility Is Exploding
  • 19. Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
  • 20. Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
  • 21. Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
  • 22. Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
  • 23. Mobile Document Access • Encryption is opt-in by the developer • Opening a document may copy it or even transfer it • How can you control or guarantee the apps viewing the document? – GoodReader – iAnnotate • Company App Stores aren’t enough unless you are also analyzing the app itself (most aren’t) • Most apps rely upon device encryption which requires the users password