
Smartphone Security: From a Perspective of the Ten Immutable Laws
Ian Robertson, BlackBerry Security Group
September 14, 2010


The Necessity of Smartphone Security
- Functionality-wise: Smartphone = Computer
- Size matters: form factor considerations
- Evolution of mobile security threats


Smartphone and PC Market Forecast
“Plan for the PC to be overtaken as the primary computing device used by customers and employees. Re-design websites and portals for access from mobile devices.” – Gartner’s Top IT Predictions for 2010 and Beyond, Dec. 29, 2009


Mobile and PC Internet Forecast (chart slide; no text beyond the title survived extraction)


Convergence (diagram): Mobilizing Your Personal Life / Mobilizing the Enterprise. Labels shown: instant messaging, email, E-mail & PIM, Collaboration, travel, social networking, Lotus Domino, Novell GroupWise, Lotus Quickr, Lotus Sametime, Lotus Connections, Lotus Symphony, GroupWise Messenger, LBS, gaming, e-Commerce, music, news, Intranet Apps, Voice Systems, productivity.


Size Matters
- Form factor dictates constraints
- Battery life and ease of use are paramount
- Personal devices: unconscious carry
  - 31,544 devices lost in NYC taxis over 6 months
- Battery life & network capacity do not follow Moore’s Law!


State of Malware

                            PC                             Smartphone
Malware instances to date   4,000,000+                     106 families, 514 variants*
Malware growth rate         +280% p.a. (McAfee 2006-2009)  Poised for explosive growth
Environment                 Homogeneous (Windows)          Heterogeneous (7+ mobile operating systems)

* http://www.securelist.com/en/analysis/204792080/Mobile_Malware_Evolution_An_Overview_Part_3


Security Threats Are Real and Costly
- Smartphone loss is the most common data leak incident
  - 11.3% of data leaks due to a lost smartphone (European Mobile Security Study 2009)
- 17% of companies have experienced a mobile security breach.
- The average organizational cost of a data breach is $3.44 million (USD)**

** Ponemon Institute, LLC. 2010 Global Study: Cost of a Data Breach.


The Original Ten Immutable “Laws” of Security


The Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
4. If you allow a bad guy to upload programs to your website, it’s not your website anymore.
5. Weak passwords trump strong security.
6. A computer is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out of date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn’t practical, in real life or on the web.
10. Technology is no panacea.
-- http://technet.microsoft.com/en-us/library/cc722487.aspx


…adapted for mobile…


“Weak (or no) passwords trump strong security”
- A good password is a crucial foundation – use one!
- Beware of secret questions
- Tailor password policy to local threats / risk tolerance
  - Password length and complexity
  - Maximum allowed tries before wipe
  - Auto-lock after timeout
- Consider multi-factor authentication
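The three policy knobs listed above (length/complexity, maximum tries before wipe, auto-lock after timeout) as a small enforcement model. This is an added example, not BlackBerry code or anything from the deck; the class and field names are invented and time is passed in as a plain number so the idle timeout can be exercised deterministically.

```python
# Added example (not BlackBerry code): the three password-policy knobs on the
# slide, modelled with explicit time so the behaviour is testable offline.
from dataclasses import dataclass
import hmac

@dataclass
class LockPolicy:
    min_length: int = 8
    require_digit: bool = True
    require_letter: bool = True
    max_tries: int = 10         # consecutive failures before the device wipes
    lock_timeout_s: int = 120   # seconds of inactivity before auto-lock

def password_meets_policy(pw: str, policy: LockPolicy) -> bool:
    """Length and character-class check only; this is not a strength estimate."""
    return (len(pw) >= policy.min_length
            and (not policy.require_digit or any(c.isdigit() for c in pw))
            and (not policy.require_letter or any(c.isalpha() for c in pw)))

@dataclass
class Device:
    policy: LockPolicy
    password: str               # kept in clear only to keep the model short
    locked: bool = True
    wiped: bool = False
    failed_tries: int = 0
    last_activity_s: float = 0.0

    def unlock(self, attempt: str, now_s: float) -> str:
        """Try a password; returns 'unlocked', 'denied' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(attempt.encode(), self.password.encode()):
            self.locked, self.failed_tries, self.last_activity_s = False, 0, now_s
            return "unlocked"
        self.failed_tries += 1
        if self.failed_tries >= self.policy.max_tries:
            # Tries exhausted: destroy local data instead of leaving guessing open.
            self.wiped, self.locked, self.password = True, True, ""
            return "wiped"
        return "denied"

    def touch(self, now_s: float) -> bool:
        """Record user activity; auto-lock once idle time reaches the timeout."""
        if not self.locked and now_s - self.last_activity_s >= self.policy.lock_timeout_s:
            self.locked = True
        if not self.locked:
            self.last_activity_s = now_s
        return self.locked
```

Note that a successful unlock resets the failure counter, so the wipe threshold only counts consecutive failures, which is what lets a legitimate user survive an occasional typo.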


“The security of your phone relies on many people”
- 3 C’s: Consumer, Carrier, Corporation
- On smartphones, users are often administrators…
  - …but most often not security experts…
- Security of wireless infrastructure
  - Carrier management (OMA-DM), cloud backup, network
- Corporate deployments can be centrally managed
- Security is only as good as your admin


“Sometimes it’s better to stay in jail”
- Bypassing embedded checks on the OS
  - May subvert operational integrity + give access to local data
- Enabling new functionality leads to new attack surface
  - e.g. SSH

“ikee is never going to give you up” - Ashley Towns aka ikee


“If a bad guy can convince you to install and run an app, it’s not your phone anymore”
- Simplest attack involves NO vulnerability
  - About people, not technology
- Mitigate risks with CONTROL/CONTAINMENT
  - Allow listing vs. Deny listing
  - Granular app controls
  - Default app controls
  - Password on application install

“The user is going to pick dancing pig over security every time” - Bruce Schneier


“Mobile antivirus is not your father’s antivirus”
- Detection vs. containment
- Detection is hard / computationally expensive
- App security at the storefront is difficult
  - Divination of intent / contextual issues
  - Assumption of liability
- Containment is a better fit for mobility

“Our whitelisting application beta testing proved to be 100%, not 99.9% or 99.99%, but 100% effective at stopping malware.” - Dave DeWalt, CEO McAfee
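The control/containment idea from the previous two slides (allow listing vs. deny listing, granular and default app controls, and why containment beats detection against a never-seen sample) as one worked comparison. This is an added example, not BlackBerry or McAfee code; the policy classes, the SHA-256-of-package identity and every sample package are constructed for illustration.

```python
# Added example (not vendor code): deny listing versus allow listing for app
# installs, plus granular per-app capabilities. All package bytes are constructed.
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class App:
    name: str
    package: bytes                       # constructed stand-in for the binary
    requested: frozenset = frozenset()   # capabilities the app asks for

    def digest(self) -> str:
        return hashlib.sha256(self.package).hexdigest()

@dataclass
class DenyListPolicy:
    """Default-allow: blocks only packages already known to be bad (detection)."""
    known_bad: set = field(default_factory=set)

    def decide(self, app: App) -> str:
        return "block" if app.digest() in self.known_bad else "install"

@dataclass
class AllowListPolicy:
    """Default-deny: installs only vetted packages, each with a capability set (containment)."""
    approved: dict = field(default_factory=dict)   # digest -> allowed capabilities

    def decide(self, app: App) -> str:
        return "install" if app.digest() in self.approved else "block"

    def capabilities(self, app: App) -> frozenset:
        """Granular app controls: grant only what is requested AND approved."""
        return app.requested & self.approved.get(app.digest(), frozenset())

def evaluate(policy, apps) -> dict:
    return {a.name: policy.decide(a) for a in apps}

# Constructed catalogue: two vetted apps, one known-bad sample, one never-seen sample.
OFFICE = App("office", b"constructed office package v1", frozenset({"network", "storage"}))
FLASHLIGHT = App("flashlight", b"constructed flashlight package", frozenset({"camera", "contacts"}))
KNOWN_BAD = App("known_bad", b"constructed sample already in the signature feed")
NOVEL = App("novel", b"constructed sample nobody has seen before", frozenset({"contacts"}))
CATALOGUE = [OFFICE, FLASHLIGHT, KNOWN_BAD, NOVEL]

DENY = DenyListPolicy({KNOWN_BAD.digest()})
ALLOW = AllowListPolicy({OFFICE.digest(): frozenset({"network", "storage"}),
                         FLASHLIGHT.digest(): frozenset({"camera"})})   # contacts withheld
```

Running `evaluate` with both policies shows the asymmetry the slides describe: the deny list installs the novel sample because no signature exists yet, while the allow list blocks it by default and, for the vetted flashlight app, withholds the contacts capability it requested.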


“If a bad guy has unrestricted physical access to your phone, it’s not your phone anymore”
- Tamper resistance is crucial
  - Passwords, content protection
  - Hardware (removal of test points, underfill, etc.)
- …as is remote intervention…
  - Locate, lock, wipe
- Goals
  - Frustrate a lunchtime attack
  - Breaking one device should not break all

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards” - Gene Spafford


“Encrypted data is only as secure as the decryption key”
- More than just encrypted data at risk
  - Mobile payment information, network credentials
- Exposure for mobile greater than PC/laptop
  - Easier to lose/misplace
  - Always on
- Importance of security of local storage
  - Keys should not be accessible by apps or tools

“Cryptography is typically bypassed, not penetrated.” - Adi Shamir


“Technology is no panacea.”
- No such thing as perfect security through technology
  - There will always be bugs
  - There will always be humans
- Solution is to embrace that there are no silver bullets
  - Intersection of technology, policy and the user
  - Requires security awareness and judgment
  - Balance is key

“People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them” - Gene Spafford


Closing Thoughts


Thank You


Appendix: Supporting Research and News


References
1. If a bad guy can convince you to install and run an app, it’s not your phone anymore
   Jesse D'Aguanno – “Blackjacking”
   http://www.praetoriang.net/presentations/blackjack.html
   Tyler Shields – “BlackBerry has spyware risk too”
   http://news.cnet.com/8301-27080_3-10448545-245.html
   Slashdot – “Malicious App in Android Market”
   http://mobile.slashdot.org/story/10/01/10/2036222/Malicious-App-In-Android-Market
2. Sometimes it’s better to stay in jail
   Mikko Hypponen – “Malicious iPhone Worm”
   http://www.f-secure.com/weblog/archives/00001822.html
   http://www.appleinsider.com/articles/10/04/09/hackers_jailbreak_apples_pre_release_iphone_os_4_beta.html
   http://www.androidcentral.com/tags/jailbreak


References
3. If a bad guy has unrestricted physical access to your phone, it’s not your phone anymore
   Phone Unlock SIM-shim
   http://www.usbfever.com/index_eproduct_view.php?products_id=587
   Felix Domke – “Blackbox JTAG Reverse Engineering”
   http://events.ccc.de/congress/2009/Fahrplan/events/3670.en.html
   Bruce Schneier – “My Data, Your Machine”
   http://www.schneier.com/essay-142.html
4. Weak passwords trump strong security
   Brad Antoniewicz – “Defeating the iPhone Passcode”
   http://www.packetstormsecurity.org/cellular_telephony/apple/iphonedefeat.pdf
   Elcomsoft – “Password cracking chip causes security concerns”
   http://www.newscientist.com/article/dn12825


References
5. The security of your phone relies on many people
   Job de Haas – “Mobile security: SMS and WAP”
   www.blackhat.com/presentations/bh-europe.../bh-europe-01-dehaas.ppt
6. Encrypted data is only as secure as the decryption key
   Chris Tarnovsky – “Researcher Cracks Security of Widely Used Computer Chip”
   http://www.darkreading.com/vulnerability_management/security/encryption/showArticle.jhtml?articleID=222600843
   Halderman et al – “Lest We Remember: Cold Boot Attacks on Encryption Keys”
   http://citp.princeton.edu.nyud.net/pub/coldboot.pdf
   Soghoian and Stamm – “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL”
   http://files.cloudprivacy.net/ssl-mitm.pdf


References
7. Mobile antivirus is not your father’s antivirus
   Lumension – “The Extraordinary Failure of Anti-Virus: Why Whitelisting Succeeds Where AV Has Failed”
   http://whitepapers.techrepublic.com.com/abstract.aspx?docid=381211
   Nicolas Seriot – “iPhone Privacy” [pg 34]
   http://www.blackhat.com/presentations/bh-dc-10/Seriot_Nicolas/BlackHat-DC-2010-Seriot-iPhone-Privacy-slides.pdf
   Daniel Tijerina – “MOBOTS: WeatherFist Exposed”
   http://dvlabs.tippingpoint.com/blog/2010/03/10/mobots-weatherfist-exposed
