SlideShare une entreprise Scribd logo

Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-conference-2014

viaForensics
viaForensics

Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-conference-2014

Formation
1  sur  27
Télécharger pour lire hors ligne
SESSION ID: Why Mobile Should STOP WORRYING -A ND L EARN T O- LOVE THE ROOT MBS-R03 Andrew Hoog Co-Founder/CEO viaForensics @ahoog42
#RSAC The Storyline  Chapter One: History, or How We Came to Fear the Root  Chapter Two: Present Day – The Cold War  Chapter Three: Conclusion (An Armistice Proposal)  The End 2
“It is the fate of operating systems to become free.” Neal Stephenson
Chapter One: History, or How We Came to Fear the Root
#RSAC Root’s Roots or, origin of the superuser  “UNIX security” oxymoron  Open systems  There can be only one! 5
#RSAC The Root... Of All Evil? Root Can:  Modify the Operating System  Ignore file permissions  Break out of sandbox  Install software  Steal souls
#RSAC 1990’s – Computers Mean Business Windows reinvents the OS  Did someone say security?  3.0 (90)... 95… 98…  Win2K is secure! (ok maybe XP)  Admins could not block user from root until Windows 2000 7
#RSAC A New Era In_Security M$ got serious about security  No rights for you, user  Antivirus  Cyber security solved  Businesses rejoice! 8
#RSAC Fast Forward The CEO wants what? He wants an iPhone? No, we have secure Blackberry phones, tell him he can’t have an iPhone. (1 week later…) 9
#RSAC Consumerization New smart phones for all!  Ok, just a few iPhones  Became Full BYOD  Secured by Apple!  Android too, no root for you. 10
“This and no other is the root from which a tyrant springs; when he first appears he is a protector.” Plato
Chapter Two: Present Day – The Cold War 12
#RSAC Fact: Users Worry About Mobile Security What are we concerned about? 13
#RSAC Top Mobile Security Concerns Source: Informationweek Survey State of Mobile Security (April 2013)  78% - Lost/Stolen Devices  36% - Users Forwarding Corp. Information to Cloud Storage  34% - Malware from App Stores  32% - Penetration of Corp Wi-Fi  25% - Security at Public Hotspots  22% - Devices jailbroken/rooted by end users  21% - Malware exploiting internally developed mobile apps  19% - Interception of OTA traffic  17% - Users forwarding email to personal accounts  5% - Penetration of home Wi-Fi  1% - Other 14
#RSAC Fact: Carriers and OEMs Lock Users Out of Root What are they worried about?
#RSAC Carrier/OEM Use of Root Lockout  Pre-installed apps (aka “bloatware”)  Carrier locking  App store restriction  DRM  Exclusivity on security 16
#RSAC Track Record: iOS and Android Source: CVEDetails.com (MITRE CVE Reports) History of vulnerability  Faster patching in hacker space  Every major version rooted/jailbroken  Some remote / 1-click exploits  Many more on iOS (surprised?) 17
#RSAC Root #FTW Cat and mouse  Jailbreakme  Gingerbreak  HTC, ZTE backdoors  Master Key  Malicious charger  Fort KNOX? 18
#RSAC Fighting the Wrong Enemy Malware may not be reaching many devices – but many vulnerable apps are. 19
#RSAC Results of Root Exclusivity Intended Purpose  Pre-installed apps  Carrier Locking  App Store Limit, DRM  Security Exclusivity Result  Users root to install CyanogenMod  Users jailbreak to switch carriers  Users jailbreak to use Cydia  Security tools inside sandbox 20
“Gentlemen, you can't fight in here! This is the War Room!” President Merkin Muffley 21
Chapter Three: Conclusion (An Armistice Proposal)
#RSAC Securing Mobile – Whose Interests Are We Protecting? Consumers and business bear the risk, shouldn’t they have control?
#RSAC Real Mobile Security Risks  App vulnerability/misbehavior  Lack of visibility  Insider threat  Advanced adversaries  Malware 24
#RSAC Drive Visibility Do we really know what’s happening on our devices? 25
#RSAC A Different Approach Root for the Good Guys  Enterprise cert embedded by OEM  More unlocked options  Apple developer phone  Security vendor programs  Less paranoia 26
The End 27

Recommandé

R1 - Slides
R1 - SlidesR1 - Slides
R1 - Slides
ezSec
 
Nanu
NanuNanu
Nanu
piyushu90
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko Hypponen
Mikko Hypponen
 
Guerilla warfare by means of netwarfare [2001]
Guerilla warfare by means of netwarfare [2001]Guerilla warfare by means of netwarfare [2001]
Guerilla warfare by means of netwarfare [2001]
Mikko Hypponen
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech Brand
Simon Loe
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Mikko Hypponen
 
Phone for Enterprises Business Corporations Governments
Phone for Enterprises Business Corporations GovernmentsPhone for Enterprises Business Corporations Governments
Phone for Enterprises Business Corporations Governments
John Adam
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit Arya
Garvit Arya
 

Recommandé

R1 - Slides
R1 - SlidesR1 - Slides
R1 - Slides
ezSec
 
Nanu
NanuNanu
Nanu
piyushu90
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko Hypponen
Mikko Hypponen
 
Guerilla warfare by means of netwarfare [2001]
Guerilla warfare by means of netwarfare [2001]Guerilla warfare by means of netwarfare [2001]
Guerilla warfare by means of netwarfare [2001]
Mikko Hypponen
 
Securing Your Wearable Tech Brand
Securing Your Wearable Tech BrandSecuring Your Wearable Tech Brand
Securing Your Wearable Tech Brand
Simon Loe
 
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Governments As Malware Authors - Mikko Hypponen at Black Hat 2014
Mikko Hypponen
 
Phone for Enterprises Business Corporations Governments
Phone for Enterprises Business Corporations GovernmentsPhone for Enterprises Business Corporations Governments
Phone for Enterprises Business Corporations Governments
John Adam
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit Arya
Garvit Arya
 
Network security history
Network security historyNetwork security history
Network security history
shahab ali
 
Intune/AADとLookout連携によるモバイル端末の管理と脅威対策
Intune/AADとLookout連携によるモバイル端末の管理と脅威対策Intune/AADとLookout連携によるモバイル端末の管理と脅威対策
Intune/AADとLookout連携によるモバイル端末の管理と脅威対策
ID-Based Security イニシアティブ
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
Introduction to ICT supply chain (Cyber norms awareness)
Introduction to ICT supply chain (Cyber norms awareness) Introduction to ICT supply chain (Cyber norms awareness)
Introduction to ICT supply chain (Cyber norms awareness)
Benjamin Ang
 
I.G.N. Mantra - Mobile Security, Mobile Malware,and Countermeasure
I.G.N. Mantra - Mobile Security, Mobile Malware,and CountermeasureI.G.N. Mantra - Mobile Security, Mobile Malware,and Countermeasure
I.G.N. Mantra - Mobile Security, Mobile Malware,and Countermeasure
Indonesia Honeynet Chapter
 
Mobile security mobile malware countermeasure academic csirt
Mobile security mobile malware countermeasure academic csirtMobile security mobile malware countermeasure academic csirt
Mobile security mobile malware countermeasure academic csirt
IGN MANTRA
 
Arnaud Thiercelin at AI Frontiers : AI in the Sky
Arnaud Thiercelin at AI Frontiers : AI in the SkyArnaud Thiercelin at AI Frontiers : AI in the Sky
Arnaud Thiercelin at AI Frontiers : AI in the Sky
AI Frontiers
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
Mobile Day - App (In)security
Mobile Day - App (In)securityMobile Day - App (In)security
Mobile Day - App (In)security
Software Guru
 
Computing on the Move - Mobile Security
Computing on the Move - Mobile SecurityComputing on the Move - Mobile Security
Computing on the Move - Mobile Security
AVG Technologies AU
 
Ethical hacking for beginners and professionals
Ethical hacking for beginners and professionalsEthical hacking for beginners and professionals
Ethical hacking for beginners and professionals
Hackingmantra
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
Lumension
 
IoT - Rise of New Zombies Army
IoT - Rise of New Zombies ArmyIoT - Rise of New Zombies Army
IoT - Rise of New Zombies Army
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
cell phone viruses and security
cell phone viruses and securitycell phone viruses and security
cell phone viruses and security
PRIYANKA944
 
The Evolution of Mobile Security
The Evolution of Mobile SecurityThe Evolution of Mobile Security
The Evolution of Mobile Security
Samsung Business USA
 
FETC - A Laptop in Every Classroom: Lessons Learned
FETC - A Laptop in Every Classroom: Lessons LearnedFETC - A Laptop in Every Classroom: Lessons Learned
FETC - A Laptop in Every Classroom: Lessons Learned
Joseph Schorr
 
Mobile security in smartphone
Mobile security in smartphone Mobile security in smartphone
Mobile security in smartphone
Chico Mobile
 
Mobile changes everything, no one is safe
Mobile changes everything, no one is safeMobile changes everything, no one is safe
Mobile changes everything, no one is safe
Jorge Sebastiao
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
Synack
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_Intindolo
John Intindolo
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
Priyanka Aash
 
The State of End-User Security—Global Data from 30,000+ Websites
The State of End-User Security—Global Data from 30,000+ WebsitesThe State of End-User Security—Global Data from 30,000+ Websites
The State of End-User Security—Global Data from 30,000+ Websites
Priyanka Aash
 

Contenu connexe

Tendances

Arnaud Thiercelin at AI Frontiers : AI in the Sky
Arnaud Thiercelin at AI Frontiers : AI in the SkyArnaud Thiercelin at AI Frontiers : AI in the Sky
Arnaud Thiercelin at AI Frontiers : AI in the Sky
AI Frontiers
 
cell phone viruses and security
cell phone viruses and securitycell phone viruses and security
cell phone viruses and security
PRIYANKA944
 
The Evolution of Mobile Security
The Evolution of Mobile SecurityThe Evolution of Mobile Security
The Evolution of Mobile Security
Samsung Business USA
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_Intindolo
John Intindolo
 

Tendances (20)

Network security history
Network security historyNetwork security history
Network security history
 
Intune/AADとLookout連携によるモバイル端末の管理と脅威対策
Intune/AADとLookout連携によるモバイル端末の管理と脅威対策Intune/AADとLookout連携によるモバイル端末の管理と脅威対策
Intune/AADとLookout連携によるモバイル端末の管理と脅威対策
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
Introduction to ICT supply chain (Cyber norms awareness)
Introduction to ICT supply chain (Cyber norms awareness) Introduction to ICT supply chain (Cyber norms awareness)
Introduction to ICT supply chain (Cyber norms awareness)
 
I.G.N. Mantra - Mobile Security, Mobile Malware,and Countermeasure
I.G.N. Mantra - Mobile Security, Mobile Malware,and CountermeasureI.G.N. Mantra - Mobile Security, Mobile Malware,and Countermeasure
I.G.N. Mantra - Mobile Security, Mobile Malware,and Countermeasure
 
Mobile security mobile malware countermeasure academic csirt
Mobile security mobile malware countermeasure academic csirtMobile security mobile malware countermeasure academic csirt
Mobile security mobile malware countermeasure academic csirt
 
Arnaud Thiercelin at AI Frontiers : AI in the Sky
Arnaud Thiercelin at AI Frontiers : AI in the SkyArnaud Thiercelin at AI Frontiers : AI in the Sky
Arnaud Thiercelin at AI Frontiers : AI in the Sky
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Mobile Day - App (In)security
Mobile Day - App (In)securityMobile Day - App (In)security
Mobile Day - App (In)security
 
Computing on the Move - Mobile Security
Computing on the Move - Mobile SecurityComputing on the Move - Mobile Security
Computing on the Move - Mobile Security
 
Ethical hacking for beginners and professionals
Ethical hacking for beginners and professionalsEthical hacking for beginners and professionals
Ethical hacking for beginners and professionals
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
 
IoT - Rise of New Zombies Army
IoT - Rise of New Zombies ArmyIoT - Rise of New Zombies Army
IoT - Rise of New Zombies Army
 
cell phone viruses and security
cell phone viruses and securitycell phone viruses and security
cell phone viruses and security
 
The Evolution of Mobile Security
The Evolution of Mobile SecurityThe Evolution of Mobile Security
The Evolution of Mobile Security
 
FETC - A Laptop in Every Classroom: Lessons Learned
FETC - A Laptop in Every Classroom: Lessons LearnedFETC - A Laptop in Every Classroom: Lessons Learned
FETC - A Laptop in Every Classroom: Lessons Learned
 
Mobile security in smartphone
Mobile security in smartphone Mobile security in smartphone
Mobile security in smartphone
 
Mobile changes everything, no one is safe
Mobile changes everything, no one is safeMobile changes everything, no one is safe
Mobile changes everything, no one is safe
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_Intindolo
 

Similaire à Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-conference-2014

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
Vincenzo Iozzo
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
Nicholas Chia
 
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
Paris Open Source Summit
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 

Similaire à Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-conference-2014 (20)

The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The State of End-User Security—Global Data from 30,000+ Websites
The State of End-User Security—Global Data from 30,000+ WebsitesThe State of End-User Security—Global Data from 30,000+ Websites
The State of End-User Security—Global Data from 30,000+ Websites
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
vip_day_2._1130_cloud
vip_day_2._1130_cloudvip_day_2._1130_cloud
vip_day_2._1130_cloud
 
Mobile security
Mobile securityMobile security
Mobile security
 
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
#OSSPARIS19 : The evolving (IoT) security landscape - Gianluca Varisco, Arduino
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
beware of Thing Bot
beware of Thing Botbeware of Thing Bot
beware of Thing Bot
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 

Plus de viaForensics

Via forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxVia forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linux
viaForensics
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensics
viaForensics
 

Plus de viaForensics (6)

Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
Hacking ios-on-the-run-using-cycript-viaforensics-rsa-conference-2014
 
Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13Via forensics icloud-keychain_passwords_13
Via forensics icloud-keychain_passwords_13
 
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...
Beginners guide-to-reverse-engineering-android-apps-pau-oliva-fora-viaforensi...
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxVia forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linux
 
2011 06-sq lite-forensics
2011 06-sq lite-forensics2011 06-sq lite-forensics
2011 06-sq lite-forensics
 

Dernier

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Dernier (20)

Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 

Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-conference-2014

  • 1. SESSION ID: Why Mobile Should STOP WORRYING -A ND L EARN T O- LOVE THE ROOT MBS-R03 Andrew Hoog Co-Founder/CEO viaForensics @ahoog42
  • 2. #RSAC The Storyline  Chapter One: History, or How We Came to Fear the Root  Chapter Two: Present Day – The Cold War  Chapter Three: Conclusion (An Armistice Proposal)  The End 2
  • 3. “It is the fate of operating systems to become free.” Neal Stephenson
  • 4. Chapter One: History, or How We Came to Fear the Root
  • 5. #RSAC Root’s Roots or, origin of the superuser  “UNIX security” oxymoron  Open systems  There can be only one! 5
  • 6. #RSAC The Root... Of All Evil? Root Can:  Modify the Operating System  Ignore file permissions  Break out of sandbox  Install software  Steal souls
  • 7. #RSAC 1990’s – Computers Mean Business Windows reinvents the OS  Did someone say security?  3.0 (90)... 95… 98…  Win2K is secure! (ok maybe XP)  Admins could not block user from root until Windows 2000 7
  • 8. #RSAC A New Era In_Security M$ got serious about security  No rights for you, user  Antivirus  Cyber security solved  Businesses rejoice! 8
  • 9. #RSAC Fast Forward The CEO wants what? He wants an iPhone? No, we have secure Blackberry phones, tell him he can’t have an iPhone. (1 week later…) 9
  • 10. #RSAC Consumerization New smart phones for all!  Ok, just a few iPhones  Became Full BYOD  Secured by Apple!  Android too, no root for you. 10
  • 11. “This and no other is the root from which a tyrant springs; when he first appears he is a protector.” Plato
  • 12. Chapter Two: Present Day – The Cold War 12
  • 13. #RSAC Fact: Users Worry About Mobile Security What are we concerned about? 13
  • 14. #RSAC Top Mobile Security Concerns Source: Informationweek Survey State of Mobile Security (April 2013)  78% - Lost/Stolen Devices  36% - Users Forwarding Corp. Information to Cloud Storage  34% - Malware from App Stores  32% - Penetration of Corp Wi-Fi  25% - Security at Public Hotspots  22% - Devices jailbroken/rooted by end users  21% - Malware exploiting internally developed mobile apps  19% - Interception of OTA traffic  17% - Users forwarding email to personal accounts  5% - Penetration of home Wi-Fi  1% - Other 14
  • 15. #RSAC Fact: Carriers and OEMs Lock Users Out of Root What are they worried about?
  • 16. #RSAC Carrier/OEM Use of Root Lockout  Pre-installed apps (aka “bloatware”)  Carrier locking  App store restriction  DRM  Exclusivity on security 16
  • 17. #RSAC Track Record: iOS and Android Source: CVEDetails.com (MITRE CVE Reports) History of vulnerability  Faster patching in hacker space  Every major version rooted/jailbroken  Some remote / 1-click exploits  Many more on iOS (surprised?) 17
  • 18. #RSAC Root #FTW Cat and mouse  Jailbreakme  Gingerbreak  HTC, ZTE backdoors  Master Key  Malicious charger  Fort KNOX? 18
  • 19. #RSAC Fighting the Wrong Enemy Malware may not be reaching many devices – but many vulnerable apps are. 19
  • 20. #RSAC Results of Root Exclusivity Intended Purpose  Pre-installed apps  Carrier Locking  App Store Limit, DRM  Security Exclusivity Result  Users root to install CyanogenMod  Users jailbreak to switch carriers  Users jailbreak to use Cydia  Security tools inside sandbox 20
  • 21. “Gentlemen, you can't fight in here! This is the War Room!” President Merkin Muffley 21
  • 22. Chapter Three: Conclusion (An Armistice Proposal)
  • 23. #RSAC Securing Mobile – Whose Interests Are We Protecting? Consumers and business bear the risk, shouldn’t they have control?
  • 24. #RSAC Real Mobile Security Risks  App vulnerability/misbehavior  Lack of visibility  Insider threat  Advanced adversaries  Malware 24
  • 25. #RSAC Drive Visibility Do we really know what’s happening on our devices? 25
  • 26. #RSAC A Different Approach Root for the Good Guys  Enterprise cert embedded by OEM  More unlocked options  Apple developer phone  Security vendor programs  Less paranoia 26