netc 2012_mobile security for smartphones and tablets (pptx)

MOBILE SECURITY FOR SMARTPHONES AND TABLETS: Are our mobile devices too ‘smart’ for their own good?

Upload: vince-verbeke

Post on 15-Nov-2014


DESCRIPTION

Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.

TRANSCRIPT

Page 1: NETC 2012_Mobile Security for Smartphones and Tablets (pptx)

MOBILE SECURITY FOR SMARTPHONES AND TABLETS

Are our mobile devices too ‘smart’ for their own good?

Page 2

One Ring to Rule Them All
• Smartphones and tablets are the most intimate pieces of IT that we've ever had:
– Personal digital assistant, high-resolution cameras
– GPS navigation, Wi-Fi, enhanced web browsers
– Apps to do almost anything
• Users (from healthcare, police, military) store/manage personal data & sensitive info
– View slides at http://www.slideshare.net/vcv1

One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them. J. R. R. Tolkien

Page 3

Mobile (via @LukeW)
• Think Mobile First
• 3 Trends in Mobile Devices
– Processing Power
– Network Access
– Data in the Cloud
• 1.4 million devices are activated each day

Page 4

BYOD
• Bring Your Own Disk
• Bathe Your Own Dog
• Be Your Own Detective
• Bring Your Own Dessert
• Bring Your Own Deck (a.k.a. John Dorner)
• Bring Your Own Drink
• Bring Your Own Disaster

Page 5

Bring Your Own Device

“Consumerization of IT” refers to employees who bring their own computing devices, such as laptops, smartphones, and tablets, to the workplace for use, using a corporate network for connectivity.

Page 7

Forrsights Workforce Employee Survey
• Q4 2011, asked 9,900 information workers in 17 countries about the devices they use and the personal devices they use for work purposes [1]
• The typical information worker has to manage their information from more than one device
• Interested in work systems and personal cloud services that enable easy multidevice access, such as Dropbox, Box, SugarSync, Google Docs/Apps, Windows Live, and Apple iCloud

Page 8

Combination of Devices

Page 9

Combination of Devices

Page 10

Global Device Usage
• 33% use operating systems other than MS

Page 11

Global Device Usage
• 25% are mobile devices, not PCs

Page 12

Forrsights Workforce Employee Survey
• Shipping PCs still > 90% Windows OS
• Share of PCs in companies is even higher
• Info workers, not IT, are voting with $$$; Microsoft is down to about two-thirds of the devices they use to get work done
• Report concludes that “mobile devices will become majority of devices used for work, surpassing PCs” and “Windows’ device share will fall below 50% by 2016.”

Page 13

Security Quotes
“Against the growing, unstoppable backdrop of consumerisation and BYOD [bring your own device], every mobile device is a risk to business.” Raimund Genes, Trend Micro CTO [2]

Page 14

Security Quotes
“Security becomes a critical requirement (in mobile banking) and all parties involved in a financial transaction need to consider security. Mobility and freedom to transact anywhere, anytime is no longer negotiable - it is the nature of the lives we live today.” Schalk Nolte, Entersekt [3]

Page 15

Security Quotes
“I'm sure you've seen this scenario. Halfway through [a] flight, a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal.” Cameron Camp, ESET [4]

Page 16

Security Quotes
“Today what we’re seeing are malicious Android applications that have bundled legitimate apps such as Rovio’s Angry Birds Space. First the malicious “wrapper” tricks and manipulates the user into granting permissions that allow the malware to subscribe to premium rate services. But then… the malware actually does install a working copy of the promised game. At this point, there is little to be suspicious of and nothing to troubleshoot. The user gets the game that he was promised.” Sean Sullivan, F-Secure Labs [5]

Page 17

MDM vs. Mobile Security
• What is Mobile Device Management (MDM)?
• By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can greatly reduce support costs and business risks. Gartner, Aug 2011
• Software allows you to:
– Remote lock/wipe, password enforcement
– Remote configuration and provisioning
– Logging and reporting, decommissioning

Page 18

Why Do Criminals Want Access?
• Smartphones are the new credit cards!
– This is where our "wallets" are
– This is where our information is
• Criminals will take any info for identity theft
• They can sell it (make money) on online forums
• Targeted emails designed to be read on smartphones/tablets are just a matter of time

Page 19

Security and Data Protection
• Focus Four
– Apple iOS
– BlackBerry
– Google Android
– MS Windows Phone 7
• Discussion will be smartphone focused but will discuss tablets at the end

Page 20

Smartphone Market Share [6]

Page 21

Which BYOD is most secure?
Answer:
1. BlackBerry
2. iPhone and Windows Phone 7.x
3. Android

That said, if you have a poorly educated user, they can download a malicious app on any smartphone or tablet and it can be compromised!

Page 22

Which BYOD is most UN-secure?
Answer:
1. Android
2. iPhone and Windows Phone 7.x
3. BlackBerry

That said, this can change quickly. The iPhone could have a vulnerability that is quickly exploited by attackers.

Page 23

BlackBerry
• Long history of being enterprise ready
• RIM's upcoming BlackBerry 10 (BB10) OS is intended to be even more secure
• BB10 security will have multiple integrated layers, with a tight relationship between hardware and software
• There will be a permissions-based security model for apps, coupled with various OS-level security and safety features

Page 24

BB10 New Protections
• Blocking root access, which would enable a user or hacker to gain administrative access to the OS
• Memory randomization "scrambles" where in memory routines may run, making it harder for these to be leveraged by attackers
• Adding security management, including auditing, to the kernel

Source: Network World, “BlackBerry 10 OS will have multi-layered security model”, May 8, 2012

Page 25

Apple iOS
• Will the growing popularity of iOS mean criminals will target it?
• Apple doesn’t allow 3rd-party companies to develop antivirus software for iOS-based devices, such as the iPhone and iPad
• Enterprise iPhone security issues and how to address them (Dec 2011)

Page 26

Apple iOS
• iOS threats are largely addressed by tweaking native security settings
• VirusBarrier for iOS by Intego, $2.99
• “Flashback” Java vulnerability exploit
– 2-month delay for Apple’s response
– 600,000 Mac users infected
• Can you jailbreak iOS? Yup!
– Absinthe 2.0 untethered jailbreak released for iOS 5.1.1 (May 25 2012)

Page 27

Apple iOS
• Kaspersky CEO Eugene Kaspersky is very vocal in his criticism of Apple
– Criminals “are happy with Windows computers. Now they are happy with Mac. They are happy with Android. It is much more difficult to infect iOS but it is possible and when it happens it will be the worst-case scenario because there will be no protection. The Apple SDK won’t let us do it.” [7]
– Eugene Kaspersky frustrated by Apple’s iOS AV ban (May 22 2012)

Page 28

Windows Phone 7 History [8, 9]
• Released in late 2010, 7 updates since then
– Microsoft shut down the Marketplace app store for the older Windows Mobile 6.x phone platform on May 9, 2012
• Apps only from Windows Phone Marketplace
• Aimed at the consumer market, not enterprise
• Smartphone OS market share 2011
– MS has only 1.9% market share
– IDC predicts a 20% share by 2015 (likely high)

Page 29

Windows Phone 7 Platform Security
• Chambers concept to enforce app isolation and least privilege: 4 chambers, third-party apps run in the LPC
• The fourth chamber is capabilities based
– Least Privileged Chamber (LPC)
• Three higher chambers have fixed permissions
– Standard Rights Chamber (SRC)
– Elevated Rights Chamber (ERC)
– Trusted Computing Base (TCB)

Page 30

Windows Phone 7 App Security
• Capability checks are enforced at runtime
• Requests for other resources == UnauthorizedAccessException
• Apps must have a valid MS signature to be installed & run in the LPC sandbox
• Apps use their own “Isolated Storage”
• WP7 allows developers to encrypt data and databases

Page 31

Windows Phone 7 - What’s Missing
• Lack of native disk encryption
• No support for client-side SSL certificates
• Lack of built-in VPN functionality
– Source: Windows Phone 7 'not fit for big biz ... unlike Android, iOS'

Page 32

Windows Phone 7 Tips
• Only install apps from Marketplace. This ensures that any app you install has been digitally signed, which reduces your risk and increases phone safety
• Windows Phone 7 includes a "Find My Phone" feature that allows you to find a lost phone, lock it remotely, and also wipe it remotely
• Best-windows-phone-7-apps#security

Page 33

Android
• Popularity makes Android a lucrative target for malware authors
• New families and variants of malware keep cropping up each quarter; the trend shows no sign of slowing down
• In Q1 2012, malware authors are focusing on improving their malware’s techniques for evading detection, as well as exploring new infection methods

Page 34

F-Secure Mobile Threat Report
• In Q1 2011, 10 new families and variants were discovered; in Q1 2012, 37 new families and variants were discovered
• Malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveal a more staggering find: an increase from 139 to 3063 counts.

F-Secure Mobile Threat Report, Q4 2011 (.pdf)

Page 35

Kaspersky - # of Signatures

Page 36

That Said... Perspective
• Mobile malware numbers remain low -- about 1% or less of all malware globally
• Android threats now reach almost 7,000, with more than 8,000 total mobile malware in our database
• To put it in perspective, there are 83 million malware samples in McAfee’s database

McAfee Threats Report for First Quarter of 2012 (.pdf)

Page 37

Android – Reducing Risk
• Practice safe mobile computing; be vigilant and avoid risky behavior
• Don’t install apps that are new to the market
– Yahoo’s Axis Browser Security Slip-Up (May 23 2012)
• Research apps before downloading; check the publisher and app reviews; use the official Android Market
• Avoid side-loading apps, unless the software and its developer are familiar to you.

Page 38

Android – Reducing Risk
• Turn off the ability to install apps from unknown sources by going to Settings and then to the Security menu (in Android 4.0 or later) or the Applications menu (in earlier versions of Android)
• When installing an app, pay close attention to the permissions it requires; use your phone’s app-management tools to make sure it’s using only the resources it promised to use

Page 39

Android – Reducing Risk
• Be wary of phishing scams and malware via the web browser or SMS messages
• Be cautious if you root a device; keep an eye out for Superuser prompts displayed when an app requests root permissions
• Rooting allows you to use some powerful apps and even enhanced security functionality, but at the same time increases the potential damage from infections

Page 40

Android – Reducing Risk
• Install an antivirus/security app
• Block or disable the ability to send premium SMS subscriptions (prevent malware from sending messages that will automatically charge your account)
– AT&T (Manage Mobile Purchases & Downloads)
– Verizon FAQ
– More from c|net

Page 41

Android – Mobile Security Apps
• PC Mag Review (May 24 2012)
• Apps reviewed on 5 stars
– Bitdefender Mobile Security
– F-Secure Mobile Security 7.6
– Lookout for Android
– McAfee Mobile Security 2.0
– TrustGo Antivirus and Mobile Security 1.0.6
– ESET Mobile Security 1.1

Page 42

Infographic: Grand Theft Mobile

Source: http://blog.mylookout.com/blog/2012/05/04/infographic-grand-theft-mobile/

Page 52

Security Checklist
• Attevo is a global business and information technology consulting firm based in Cleveland, OH
• Here is their 13-point checklist for addressing mobile technology threats [10]
• Keep in mind security around Windows laptops from the mid to late 1990s

Page 53

Security Checklist
1. Where is My Device Again?

Always maintain physical control over your smartphone to prevent outright theft, unauthorized usage or the installation of malware (apps with malicious code) by seemingly mild-mannered co-workers or by ruthless digital predators; treat a smartphone like a wallet, never leave it unattended in public spaces.

vcv_note: @LukeW listed Near Field Communication (NFC) as a positive; it is, I guess

Page 54

Security Checklist
2. Yes, You Need to Use a Passcode

Enable the smartphone's password/passcode protection; a recent study reveals that only 38% of smartphone users enable this security feature.

vcv_note: SIM-locks can be bypassed, but BlackBerrys 'a challenge' (May 17, 2012)

Tip: Open Excel. In cell A1, enter =RAND() and press Enter. Fill Down to A10. Pick 5 random codes.

Page 55

Security Checklist
3. You Still Need to Do Updates

Install operating system updates whenever they become available to reduce the number of system vulnerabilities; a 2011 report indicated that 90% of Android users were running outdated operating system versions with serious security vulnerabilities.

vcv_note: Reinforce basics with your staff

Page 56

Security Checklist
4. Use a Security App

Install an anti-malware protection app (if available for the device) to thwart infection from malicious apps and websites; all major platforms have been hacked and are susceptible.

vcv_note: Free apps are good (better than nothing), but paid apps give more features. Go ahead and spend 4.99 or 9.99

Page 57

Security Checklist
5. Be Careful Where You Browse

When using the smartphone's or tablet’s web browser, avoid suspicious/questionable websites that can be the source of malicious code.

vcv_note: Few security apps are available for iOS, but you can find secure web browsers that offer extra features to lower the risk of stumbling upon a malicious website, ex: Webroot SecureWeb Browser

Page 58

Security Checklist
6. Download/Install with Care & Caution

Be selective when buying or installing apps; wait for app reviews, download only from trusted sources (known app stores) and be cautious/suspicious of free apps, because they are free for a reason (the reason could be access to your data).

vcv_note: Google Android Market, Windows Phone Marketplace, RIM BlackBerry App World and Appstore for Android all disclose the permissions of apps. Apple iTunes App Store doesn’t (Apple vets apps)

Page 59

Security Checklist
7. Review What You “Agree To”

Understand and control each downloaded app's "access" to smartphone data and personal information; game apps do not need access to phonebook contacts, photos, e-mails, location, browsing history, texting history and other phone features (avoid allowing automatic app updates).

vcv_note: Double check, then go back AGAIN
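A worked illustration of checklist items 6 and 7 and the permission-review tip on the "Android – Reducing Risk" slides, added here and not part of the deck or of Attevo's checklist: the script parses the <uses-permission> entries of an Android manifest and flags the ones a game has no business holding (premium SMS, contacts, location). The permission names are the real android.permission.* identifiers; the manifest, its package name and the risk wording are constructed for the example.

```python
"""Review what an Android app "asks to agree to" before tapping Accept.

Added example (not from the NETC 2012 deck). It reads the <uses-permission>
declarations from an AndroidManifest.xml and reports the ones that let an app
spend your money or read personal data.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions worth a second look, with the risk the deck warns about.
# The names are real; the one-line reasons are this example's wording.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can subscribe you to premium-rate SMS services",
    "android.permission.RECEIVE_SMS": "can read incoming texts, e.g. confirmation codes",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.CALL_PHONE": "can place calls, including premium numbers",
    "android.permission.READ_CONTACTS": "can harvest your phonebook",
    "android.permission.READ_CALL_LOG": "can read your call history",
    "android.permission.ACCESS_FINE_LOCATION": "can track your location",
}

# Constructed manifest for a hypothetical game; the package name is a placeholder.
# A game needs INTERNET at most, yet this one asks for SMS, contacts and location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.birdgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Bird Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> carries no prefix, so its tag is unqualified;
    # the android:name attribute is namespaced and must be looked up as such.
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml):
    """Return (package, [(permission, reason), ...]) for each high-risk permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    flagged = [(p, HIGH_RISK[p]) for p in requested_permissions(manifest_xml)
               if p in HIGH_RISK]
    return package, flagged


if __name__ == "__main__":
    package, flagged = review_permissions(SAMPLE_MANIFEST)
    print(f"{package}: {len(flagged)} high-risk permission(s)")
    for perm, reason in flagged:
        print(f"  {perm}: {reason}")
```

On a real device the same list is what the install screen shows; the deck's advice is to walk through it once before installing and again afterwards with the phone's app-management tools.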

Page 60

Security Checklist
8. Credentials Management

Do not save passwords, PINs or other account information as Contacts or in Notes.

vcv_note: In other words, don’t put your password on a sticky and attach it to the tablet

Page 61

Security Checklist
9. Wild Wild Free Wi-Fi

Avoid using open Wi-Fi, especially for shopping and banking activities; Wi-Fi sniffing is a common occurrence that can have significant consequences like lost credit card numbers.

vcv_note: Do not, I repeat, DO NOT do this at all

Page 62

Security Checklist
10. Phishing is More Than Nigerian Spam

Avoid opening suspicious e-mail or SMS text messages, especially from unknown sources. Unwary readers may be unwillingly tricked into phishing by entering sensitive information from online prompts.

vcv_note: If you are not certain, email your IT Specialist and ask, ;-)

Page 63

Security Checklist
11. Shields Up! Go to Red Alert!

Turn the Bluetooth access feature off when not needed and avoid Bluetooth use in busy public areas.

vcv_note: Commander Riker Audio

Page 64

Security Checklist
12. PIN Use “Good”; PIN Default “Bad”

Utilize a PIN to access voice-mail and avoid using the carrier's default PIN setting.

vcv_note: Beyond the default...

Top ten iPhone passcodes: [1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998] [11]
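An added example, not from the deck or its sources, that puts checklist items 2 and 12 together: it rejects the top-ten passcodes listed above and other easily guessed patterns, then draws a replacement with Python's secrets module (the RAND() tip on the passcode slide gives a quick pick, but a spreadsheet RAND is not a cryptographic generator). The keypad-line, repeated-pair and birth-year heuristics are this example's own assumptions about what counts as guessable.

```python
"""Check a 4-digit lock-screen or voice-mail PIN against the obvious guesses.

Added example (not from the NETC 2012 deck). TOP_TEN is the list quoted on the
"PIN Use" slide; the remaining checks are assumptions about guessable patterns.
"""
import secrets

# The ten most common iPhone passcodes, exactly as listed on the slide (source 11).
TOP_TEN = ["1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"]

# Rows, columns and diagonals of a phone keypad. A code that runs along one of
# these (e.g. 1470, 3690) is a swipe pattern, not a secret. Assumption.
KEYPAD_LINES = {"123", "456", "789", "147", "258", "369", "159", "357"}


def is_weak(code):
    """Return why a 4-digit code is guessable, or None if it passes every check.

    Checks run in the order a thief would try them: the published top-ten list
    first, then repeated digits, repeated pairs, runs, keypad lines and years.
    """
    if len(code) != 4 or not code.isdigit():
        return "must be exactly four digits"
    if code in TOP_TEN:
        return "on the top-ten common passcode list"
    if len(set(code)) == 1:
        return "all digits identical"
    if code[:2] == code[2:]:
        return "repeated pair (e.g. 1212)"
    digits = [int(c) for c in code]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "ascending or descending run"
    for window in (code[:3], code[1:]):
        if window in KEYPAD_LINES or window[::-1] in KEYPAD_LINES:
            return "straight line on the keypad"
    if 1900 <= int(code) <= 2030:
        return "looks like a birth year"
    return None


def generate_passcode(draw=secrets.randbelow):
    """Draw 4-digit codes from a CSPRNG until one passes is_weak().

    draw(n) must return an int in [0, n); the default is secrets.randbelow.
    """
    while True:
        code = f"{draw(10000):04d}"
        if is_weak(code) is None:
            return code


if __name__ == "__main__":
    for candidate in ["1234", "2580", "1990", "4826"]:
        print(candidate, "->", is_weak(candidate) or "ok")
    print("suggested:", generate_passcode())
```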

Page 65

Security Checklist
13. Locked and Loaded

Ensure that smartphone or tablet e-mail account access is through either an SSL or HTTPS connection so that transmitted data is encrypted.

vcv_note: Quick web search should provide this answer. Example: Gmail

Page 66

Encrypting Email Traffic
• Android
– TouchDown for Smartphones by NitroDesk includes support for S/MIME keys from EchoWorx
• BlackBerry
– BlackBerry devices provide encryption and policy from the BlackBerry Enterprise Server (BES); the implementation is trusted and validated by many government organizations

Page 67

Encrypting Email Traffic
• iPhone
– 3GS has hardware encryption (also enabled via ActiveSync option); AES-256 employed by default; pre-3GS devices do not provide encryption
– Encryption bypass vulnerabilities all require the iPhone to be already jailbroken
• Windows Phone
– Good for Enterprise by Good Technologies, providing security at the application layer (in addition to device security)

Page 68

Tablet Security Products
• Pay-for Android tablet security, similar features, protect 1 device for 1 year, $19.99
– Norton Mobile Security Lite
– Kaspersky Tablet Security
– Webroot Mobile Security
• Norton 360 Everywhere (May 4 2012)
– Protects up to 5 devices, including PC, Mac, and Android smartphones and tablets, $99

Page 69

Jumpstarting Your BYOD Policy [12]
• Basic BYOD employee training includes:
– Training on physical security
– Training on Wi-Fi security
– Information about social engineering attacks and how to avoid them
– A requirement to password-protect personal devices and education on strong passwords
– Clearly stated rules on what work-related data can be accessed from personal devices (Ohio State)

Page 70

Intel’s Mobile Policy [13]
• Policies and security expectations are the same for corporate and personally owned devices
• Communicated to employees...
– When employees sign up for particular services
– When staff connect a new device to the Intel network
– On a regular basis through security awareness articles and notices
– In an annual security refresher for the entire staff

Page 71

Future for People
• One Constant ... Human Nature
• People will look to do both good and bad things with technology
• Consumers will continue to drive new devices and technology
• Lack of security skills with today’s devices (and future devices) will haunt us going forward

Page 72

Future for Technology
• Advances in materials science will continue to make devices smaller and faster
• Embedded devices
– iDermal, Strapless iPod Nano Watch
• Tokenless two-factor authentication
– PhoneFactor (commercial) video, white paper
• Improved security built in to devices (hope)
– ZTE Android Backdoor Vulnerability

Page 73

Future Threats
• Social networks will continue to evolve and change
• Transition to a more secure 3G/4G may take some time
• Those with bad intent (e.g. criminals) will always find a way to outwit or outlast any security measures put into place
– One Constant ... Human Nature

Page 74

Future Actions (by YOU)
• BYOD is a done deal (mostly)
• Devices can be made reasonably secure with very little effort
• Mobile Device Management (MDM) is still young – implement but review in 1 year

Page 75

Final Thoughts
• We come back to USER EDUCATION, TRAINING, and RE-TRAINING
• Encourage the use of “Common Sense”
• Discourage the attitude of “No one would want my data” and “this can’t happen to me”
• Security - It's not your fault. It's your responsibility.

Page 77

Sources
1. Employees Use Multiple Gadgets For Work — And Choose Much Of The Tech Themselves
2. BlackBerry still trumps Android for security, analysis finds
3. 41% of people believe online banking and shopping is akin to playing Russian Roulette
4. BYOD Smartphones, PCs and Tablets Raise Big Security Risks, Experts Say
5. Mobile Threat Report Q1 2012, F-Secure Labs
6. Android, Apple iOS run away from pack: Can Windows Phone challenge at all?
7. Apple iOS Needs Antivirus Protection: Kaspersky
8. SecurityBSides London - windows phone 7
9. Bsides London 2012 David Rook: Windows Phone 7 platform and application security overview
10. Attevo Offers A 13-Point Security Checklist For Smartphone Users
11. Most Common iPhone Passcodes
12. Jumpstarting Your BYOD Policy
13. How to Enforce Your Mobile Policy