Mobile Device Security
Image from http://appaddict.net
http://security.vpit.txstate.edu [email protected]
Examples of Mobile Devices
- Phones – iOS (iPhone), Android, Windows, etc.
- USB devices
- Tablets (iPad, Dell/HP running Windows, WebOS, etc.). This area looks to be growing rapidly.
- Laptops (usage decreasing)
A Paradigm Shift - Personal vs. Work
A growing number of personal devices are used for work
Work email and documents can be discoverable on personal devices…
A Quick Overview of Laptops…
- The same risks as other mobile devices
However, they have:
- Mature encryption technology
- A full keyboard (it’s easier to have good passwords that way)
- The same protections as a desktop
  - Antivirus
  - Regular OS updates
  - Regular application updates
How Powerful are Smart Phones?
iPhone as a penetration testing tool….
Image from http://www.offensive-security.com
General Current Threats
- Wireless access
- Loss and Theft
- Privacy
- Malware
- Cloud Data Storage
A note on web browsing
Always use HTTPS if you can, even if you’ve already logged in or don’t have to.
https://facebook.com - GOOD
http://facebook.com – VERY BAD
Four Types of Wireless
- “Wifi” or “Wireless” Wireless (802.11x)
  - Texas State Campus, Home, Airport, etc.
  - Medium range, much faster
  - Sometimes encrypted, sometimes not
- Data Service (3G, 4G/WiMAX/HSPA+)
  - Slower but more widespread and more secure
- NFC (Near field communication)
  - Used for mobile payments, public transportation ticketing, etc.
- Bluetooth
  - Short range, good for device to device communication
  - Wireless keyboards, mobile phone earpieces
Wifi Snooping
Malicious user at coffee shop/airport
Image from: http://blog.meseta.co.uk/
Firesheep
More Wifi Snooping
Google Streetview Cars
Google ClientLogin Issue
VPN Can Help!
VPN Products
VPN can protect you from a majority of wireless threats. Support for mobile devices is limited but growing. We are currently testing Texas State VPN for the iPad.
Texas State VPN
A Wireless Usage Suggestion
Use your data service. Disable wifi/wireless and bluetooth unless you really need them.
NFC (Near Field Communications)
Loss and Theft Consequences
Identity Theft – work email, apps with personal information – saved credit cards, SSNs…
If your phone is used for payment (NFC/Near Field Communications), someone may be able to use your phone for purchases
FERPA violations – work email
Locking Your Phone – Now More Important Than Ever
Download an app, wave your phone in front of a scanner and get a latte…
Image from http://bits.blogs.nytimes.com/
Loss and Theft basics…
- Enable autolock with a password/swipe pattern
- Enable autowipe after a certain number of login attempts
Passwords for an iPhone under Settings, General, Passcode lock:
Image from http://q8geeks.org/
Remote Wipe/Lock
- Mobile Defense for Android – locate, lock, backup and wipe
- Android 2.2 and above support a remote Exchange wipe
- iPhone supports remote wipe through Exchange
- iPhone/iPad also support remote wipe through MobileMe/iCloud
Image from http://www.cellphones.ca
Device Encryption
- iPhone 3GS and newer as well as iPads are encrypted at the hardware level. This encryption is only useful if your passcode is not easy to guess or crack
- Android has software-based encryption (part of WhisperCore)
- Windows 7 does not look like it supports on-device encryption as of yet
- DARPA has released a request for technology for encrypting many common mobile devices – April 11th, 2011
USBs and Encryption
Use encryption. IronKey has great (waterproof) and easy to use products. Some USB security is sub-par; make sure the USB has hardware/chip level encryption.
Image from: http://www.topreviewshop.com/
An Important Tip!
Keep your device in a pocket or in some way attached to you. This can be annoying but much better than the alternative.
- VERIZON SAMSUNG FASCINATE (6/13/2011 16:20)
- iPhone 4 in blue case (6/13/2011 9:09)
- NIKON D50 CAMERA, LENS, 2 SD MEMORY CARDS IN BAG (6/13/2011 8:27)
- nokia cell phone (6/13/2011 6:45)
- LG Rumor Touch cellphone (6/12/2011 6:43)
- blackberry curve (6/11/2011 17:05)
- IPOD TOUCH 32 GB BLACK in a black "rubber" case (6/11/2011 17:03)
- Blackberry curve (6/11/2011 14:51)
- Droid (6/10/2011 22:57)
- iPhone4 (6/10/2011 15:43)
- Steel I-pad in black "InCase" case (6/10/2011 14:52)
- Steel I-pad in black "InCase" case (6/10/2011 14:52)
- iPhone (6/10/2011 10:46)
- White iPhone 3Gs, white sticker on back, cracked top (6/10/2011 9:02)
- Nikon D3100 Camera in black case (6/10/2011 0:00)
- Two backpacks, laptop, Australian passport (6/8/2011 21:12)
- iphone 4 lost in Northside cab service (6/8/2011 10:33)
- Gucci sandal (6/8/2011 9:32)
- Black Purse with ID, Phone, Ipod, etc. (6/7/2011 16:44)
- iphone 4 with white case (6/7/2011 8:36)
- Cell Phone (6/7/2011 6:45)
- Small Cingular cellphone (6/6/2011 13:07)
- Iphone 4 (6/6/2011 10:54)
- REWARD Black iPhone 4G with Black Case mountain on screen (6/6/2011 6:31)
- iphone 4 (6/6/2011 6:04)
- LG Optimus black cell (6/5/2011 14:05)
- cell phone (DROID) (6/5/2011 6:58)
- Silver Sony Viao in black case lost on 5/30 (6/4/2011 21:57)
- Samsung phone (6/4/2011 20:02)
- Black 32gb iPhone 3GS (6/4/2011 15:39)
- REWARD: Lost Sony Vaio laptop and bag (6/4/2011 13:44)
- iPhone 4G black w/ black case (6/4/2011 7:22)
- iPhone black (6/4/2011 6:40)
- iphone4 (6/4/2011 6:33)
Mobile Devices and Malware (viruses, worms, trojans, oh my…)
Image from http://www.mobiletopsoft.com/
USBs and Malware
- Incidents on campus with plugging infected USBs into machines and vice versa
- Social engineering is an issue – leave a USB lying around at an organization and it’s highly likely someone will pick it up and plug it in…
Desktop malware migrates to mobile platforms
Image from http://techgeek.com.au/
Android Geinimi
- Comes from third party app store in China
- Steals most information:
  - Installed/Running applications
  - Subscriber information (IMSI number, SIM serial number, network provider, etc.)
  - Phone information (IMEI number, manufacturer, model, etc.)
  - Current user’s location (via GPS)
- Probable precursor to a mobile botnet
Jailbroken iPhones
Jailbroken phones are at much higher risk for attack and infection. It’s HIGHLY recommended that you don’t do this.
Image from http://www.tipb.com/
Mobile Security
Privacy - User tracking….
From the Wall Street Journal in December of 2010
Of 101 iPhone apps:
- 56 transmitted the phone’s unique device ID without users’ awareness or consent
- 47 transmitted the phone’s location
- 5 sent age, gender and other personal details
Also, Google makes a very large amount of money through advertising. More targeted advertising tends to be more profitable, therefore the more they know about your habits the more profitable they are…
What is Cloud Storage?
Image from http://www.agent-x.com.au
Cloud Storage products
From the Dropbox terms of service:
“You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services.”
More Cloud Storage
Q & A