Mobile Security for the Modern Tech Mogul

Mobile Security: For the modern tech mogul

Andrew Schwabe, Founder

Background
• WCU Computer Science alumnus
• Entrepreneur
• Mobile, Social, Cloud Developer
• Founder of Point.IO

A Whole New World
• Smartphones, Tablets and Phablets
• Mobile will overtake desktop in 2015
• BYOD trend

… Same Sandbox
• You leave a “digital footprint” everywhere you go
• Most smartphones have services enabled that you don’t know about
• 50% of enterprises have had a mobile data security breach

Being a safe netizen

Becoming a safe netizen
• Mobility is awesome
• ignorant < you < paranoid
• Be informed and you don’t have to fear
• Mobile power requires responsibility

Not all devices are equal
• Each OS has different security goals
• Apps have different screening processes
• Apple i-devices
• Android
• Blackberry
• Windows Mobile
• Symbian/Palm/Others?
• Which is better?

Safety goals:
• Not losing your device, duh
• Prevent identity theft
• Prevent loss of passwords and dignity
• Prevent family and friends from suffering the same fate…
• On their own accord, or…
• Because you gave it to them

Apps and Tweets and Phreaks, oh my!

• Lots of things can get’cha, but…
• That’s no different than swimming in the ocean. You just need to know which places to avoid because of sharks and other baddies.
• Use common sense.

Three categories of “bad stuff:”
• Email and communication threats
• Malware
• Phishing

Email:
• Viruses can be spread through email
• Usually attachments
• Usually only affect desktops (this will change over time)
• You don’t want the virus (or to spread it)
• Best course of action:
• Don’t open email from unknown/weird addresses
• Don’t open email attachments you were not expecting

SMS and MMS:
• Generally pretty harmless
• Sometimes contain links to websites that look weird. E.g. hax0r.me/pinkbunnies
• The age of spam and SMS attacks will come
• Thumb and others are ok
• Best course of action:
• Don’t click links from unknown/weird addresses
• Don’t click links you were not expecting

WiFi Vulnerability:
• Do you hotspot? Do you know if your phone CAN hotspot?
• Some smartphones let you configure a hotspot with no password.
• Best course of action:
• Know if your phone supports it
• Disable it if you aren’t using it
• Disable WiFi when you are not home

Bluetooth Vulnerability:
• Unconfigured services are sometimes active by default
• A skilled hacker can connect to open Bluetooth services and take control of your smartphone
• Best course of action:
• Disable Bluetooth if you aren’t using it
• Learn how to disable services you are not using

Malware:
• “My friend Mike’s Android phone had been acting strangely for a while. In the middle of the night, the phone would come alive. It would meander down various menu paths, send texts that were gibberish and start playing poker. Was it a bug in the operating system? Or had Mike been hacked?”
- Forbes (link at end)

Malware:
• “How come my phone|tablet|uber device is going so slow all of a sudden?”
• Not all mobile apps are by quality (ahem… ‘moral’) developers
• Some apps can install “spyware” which reads your personal info, runs keystroke loggers, or creates popups.

Malware (cont…):
• Beware of apps that request your personal information, or that install new services
• Read reviews and ratings before just downloading apps
• Android more susceptible than iOS

Phishing:
• They are the ‘fishermen’ and you are the ‘fish’
• Smart scammers who want to trick you into giving up personal information like:
• Bank account info
• Usernames/passwords to websites

Phishing (cont…):
• Obviousness
• If it’s too good to be true, it probably is.
• You do not have a rich distant uncle in Botswana that left you $20M
• If you did, why would you have to pay a fee to get it?

Phishing (cont…):
• Social Media
• Emails meant to look like Facebook or Twitter asking for your password
• Services usually won’t send you an email asking for this information
• “Change your password” emails should only be trusted if YOU requested them

Phishing (cont…):
• Sp00f websites and DNS poisoning
• Alternate websites meant to look like your bank.
• When you try to log in, they capture your username and password, but return an “account not available right now” or similar message
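The weird SMS link (hax0r.me/pinkbunnies) and the spoofed bank site above are the same problem seen from two sides: the name shown in the link is not the name the phone actually connects to. The Python below is an added example, not part of the presentation, showing the checks a person (or a link-screening tool) should make before tapping. It assumes a hypothetical bank domain, examplebank.com, and the sample links are constructed to mimic the tricks the slides describe: a bank name used as a prefix of a foreign domain, a one-character lookalike, a bank name hidden in the userinfo part of the URL, a raw IP address, and a plain-http link.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption for this example: the bank's real domain. Any host that is
# this name or ends in ".examplebank.com" belongs to the bank; nothing else does.
EXPECTED_HOST = "examplebank.com"


def belongs_to(host: str, expected: str) -> bool:
    """True only if host is `expected` itself or a subdomain of it.

    A plain substring test would be fooled by 'examplebank.com.evil.net',
    so compare the tail of the host name on a label boundary.
    """
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected: str = EXPECTED_HOST) -> str:
    """Classify one link before anyone taps it; returns a short verdict."""
    url = url.strip()
    # Messaging apps turn a bare 'hax0r.me/pinkbunnies' into a tappable link;
    # mimic that here (assumed app behaviour) so bare names get checked too.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "unexpected-scheme"
    host = parts.hostname or ""  # strips userinfo, port and IPv6 brackets
    if not host:
        return "no-host"
    # 'https://examplebank.com@evil.net/' displays the bank's name but the
    # part before '@' is a username; the real host is evil.net.
    if parts.username is not None:
        return "userinfo-trick"
    try:
        ipaddress.ip_address(host)
        return "raw-ip-host"  # a bank does not send you to a bare IP address
    except ValueError:
        pass
    if not belongs_to(host, expected):
        return "foreign-host:" + host
    if parts.scheme != "https":
        return "not-https"  # right name, but the login form would travel in the clear
    return "ok"


# Constructed sample links modelled on the slides' examples.
SAMPLE_LINKS = [
    "https://online.examplebank.com/login",
    "https://examplebank.com.secure-login.net/",
    "https://examp1ebank.com/",
    "https://examplebank.com@evil.net/",
    "http://examplebank.com/",
    "http://192.0.2.10/login",
    "hax0r.me/pinkbunnies",
]


def screen_links(links):
    """Map each link to its verdict."""
    return {u: check_link(u) for u in links}


if __name__ == "__main__":
    for link, verdict in screen_links(SAMPLE_LINKS).items():
        print(f"{verdict:45} {link}")
```

The check only reasons about the name in the link. It cannot see DNS poisoning, where the correct name is made to resolve to the wrong server; that is what the browser's HTTPS certificate check is for, and it is why the "not-https" verdict matters even when the host name is right.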

ALWAYS and NEVER list:
• Mama always said to never use ‘always’ and ‘never’ in a sentence…
• … Mama didn’t carry no Android Phablet…

ALWAYS and NEVER list:
• NEVER open email links and attachments from suspicious or unknown people
• Includes unusual attachments from people you know, but you were not expecting
• “crazycool_giraffe_parasailing.mov.pif” (the last extension is the real one: .pif is a Windows program, and the “.mov” is only there to make it look like a video)
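The double-extension trick in that filename is easy to screen for automatically. The Python below is an added example, not from the presentation: it splits every extension off an attachment name and flags names whose real (last) extension is a program or script while an earlier extension pretends to be a video, picture or document. The extension lists are assumed, illustrative sets rather than anything authoritative, and the sample attachment names are constructed for the demonstration. It also catches the right-to-left override character trick, where a name such as "invoice<U+202E>fdp.exe" is displayed as "invoiceexe.pdf".

```python
import os

# Assumed, illustrative list of extensions Windows runs as programs or scripts.
EXECUTABLE_EXTENSIONS = {
    ".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".lnk", ".msi",
}
# Assumed list of extensions a recipient expects to be harmless media or documents.
BENIGN_LOOKING_EXTENSIONS = {
    ".mov", ".mp4", ".avi", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
    ".doc", ".docx", ".xls", ".xlsx", ".txt",
}
# Unicode character that reverses how the rest of the name is displayed.
RIGHT_TO_LEFT_OVERRIDE = "\u202e"


def split_extensions(filename):
    """All extensions of a name, in order, lowercased: 'a.mov.pif' -> ['.mov', '.pif']."""
    base = os.path.basename(filename)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def classify_attachment(filename):
    """Verdict for one attachment name."""
    if RIGHT_TO_LEFT_OVERRIDE in filename:
        # What the user sees is not the order of the bytes; never trust the display.
        return "rtl-override"
    exts = split_extensions(filename)
    if not exts:
        return "no-extension"
    if exts[-1] not in EXECUTABLE_EXTENSIONS:
        return "ok"
    # Executable, and dressed up with a media/document extension before it.
    if any(e in BENIGN_LOOKING_EXTENSIONS for e in exts[:-1]):
        return "disguised-executable"
    return "executable"


# Constructed sample attachment names; the first is the slide's own example.
SAMPLE_ATTACHMENTS = [
    "crazycool_giraffe_parasailing.mov.pif",
    "picnic_2013.jpg",
    "invoice.pdf",
    "setup.exe",
    "invoice\u202efdp.exe",
]


def screen_attachments(names):
    """Map each attachment name to its verdict."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    for name, verdict in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:22} {name!r}")
```

Windows hides known extensions by default, which is exactly why the trick works: the user sees "crazycool_giraffe_parasailing.mov" and assumes a video. The screener looks at the full name instead of the displayed one.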

ALWAYS and NEVER list:
• NEVER open links from emails that are asking you for usernames and passwords.
• Almost always a scam (real sites know better than to send emails like that)
• If your spam filter caught it, best to leave it alone
• If it’s a bank email, try calling your local branch. If they never heard of it… danger!
• If in doubt, throw it out

ALWAYS and NEVER list:
• NEVER post anything on any site unless:
• You are ok with the whole world knowing it
• Family picnic and birthday pics = ok
• Skinny dipping pics = never ok
• Ever read the EULA for Facebook and others? They get a broad license to use your content…

ALWAYS and NEVER list:
• NEVER email or post personal and sensitive information if at all possible:
• Credit card numbers
• Bank info
• Maybe home address, vacation info
• Never know who will see it
• Easy to exploit your weaknesses

ALWAYS and NEVER list:
• ALWAYS use a basic security lock on your mobile devices:
• PIN codes on Apple devices
• Password/pattern locks for Android

ALWAYS and NEVER list:
• ALWAYS use apps that YOU installed:
• Verify that they are from a trusted author
• Read ratings/comments
• Use a bank’s app instead of its website if possible

ALWAYS and NEVER list:
• ALWAYS disable services you don’t need:
• Disable WiFi/Bluetooth if/when you don’t need them
• NFC, ssh, jailbreak and root apps
• BONUS! Fewer running things = less battery drain

Symptoms of a hacked phone:
• Unusual restarts
• Slow response time
• Web browser redirects to inappropriate sites
• Phone sends text messages on its own
• Online credit card charges start showing up
• Plane tickets to Amsterdam

What to do if you are hacked:
• Log out from your app or website
• Switch to a different device
• Change your password
• Call your credit card company
• Request a credit alert with the credit bureau
• Erase/restore your mobile device

Tips for being safe:
• Incognito mode in some web browsers
• Read the manual that came with your device
• Learn all the stuff you don’t know
• Google ‘security tweaks for Samsung galaxy note 2’ (or your device)
• Use a lost and found service
• Apple has several app and GPS based choices
• 3rd party labels – foundkarma.com

More reading:
• Cloud storage (Box, Dropbox, others)
• Google and Facebook’s new privacy rules
• Read the ‘technology’ channel using Flipboard

Reference and Stories:
• Your Phone Has Been Hacked
• Signs and Symptoms of a hacked smartphone

Thank You!
• Blog: www.PainInTheApps.com
• Personal Email: andrew@schwabe.net
• Twitter: @aschwabe
• This presentation will be posted on my blog and my Twitter

Special Thanks to:
• http://www.theoatmeal.com for cartoon awesomeness used in this presentation
• Kim Slattery and West Chester University for the opportunity to share
• All the attendees who participated in our session!