See General Alexander's keynote from Black Hat 2013!

General Alexander of the NSA speaks on the technology the NSA is using for counter-terrorism and cyber-terrorism.

General Alexander speaks on phone monitoring in the U.S. and how it is collected. According to the General, only metadata is collected, such as the called number, the originating number and the duration of the call. He also speaks on the rigorous requirements that must be met to query this database.

This keynote is, in my opinion, one of the best keynotes at Black Hat in a long time!

Leave comments on what you think!

More to come on Black Hat, stay tuned!

Mobile phone app privacy: should you be concerned?

Lately in the news we have been hearing about security concerns over mobile apps on the Android and Apple platforms. The question is: should you be concerned?

I would say yes, and you should be careful in your mobile app selections.
If you look at this situation, it looks exactly like the PC landscape when it comes to the applications you install on your desktop PC. Installing applications on your mobile phone comes with the same risks as on your desktop PC, if not greater, since mobile phones now have GPS capabilities: it is possible for a hacker to track your every move by activating the GPS receiver on your phone. They can also potentially record your phone calls, and make phone calls via your phone, by installing malware on your phone and turning it into a VoIP server.


What to look for when picking apps?

When you pick applications to install on your mobile phone, you should take a couple of things into account:

1.) Is the application from a trusted author?
2.) What permissions is the application requesting?
3.) Read the privacy policy of the application.
4.) Read online reviews.

How to protect yourself?

To protect against these attacks you can do the following:

1.) Don’t allow applications to see your location.
2.) Install anti-virus software on your phone.
3.) Don’t install applications requesting too many privileges; for example, a notepad application should not need access to your GPS and your phone calls.
4.) Make sure you have the latest version of the mobile operating system on your phone.
5.) Keep all applications up to date.
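The checklist above (does the app come from a trusted author, and what permissions does it request?) can be partly automated. The script below is an added example, not code from the original post: it reads the permissions an Android app declares in its manifest and flags the ones that do not fit the app's stated purpose, such as a notepad app asking for GPS and call-log access. The sample manifest is constructed, and the category-to-permission map is an assumed policy, not an Android standard.

```python
"""Flag Android permission requests that do not fit an app's stated purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the post singles out location and call access.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone (could record calls)",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_CONTACTS": "contacts",
}

# Assumed policy (not an Android rule): sensitive permissions each app
# category can justify. A notepad app justifies none of them.
EXPECTED = {
    "notepad": set(),
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"},
    "dialer": {"android.permission.CALL_PHONE",
               "android.permission.READ_CALL_LOG",
               "android.permission.READ_CONTACTS"},
}

def requested_permissions(manifest_xml):
    """Return the names declared by <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]

def unexpected_permissions(manifest_xml, category):
    """Sensitive permissions requested beyond what the category needs."""
    allowed = EXPECTED.get(category, set())
    return sorted(p for p in requested_permissions(manifest_xml)
                  if p in SENSITIVE and p not in allowed)

# Constructed manifest: a "notepad" app that also asks for GPS and call logs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for p in unexpected_permissions(SAMPLE_MANIFEST, "notepad"):
        print(f"unexpected for a notepad app: {p} ({SENSITIVE[p]})")
```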

As the mobile landscape starts to take over the PC and laptop landscape, we need to use the same best practices we have implemented for our PCs on our mobile devices.

Until next time
Stay Secure!

Hey All,

Hey everybody

Just wanted to let you all know that I am still working on this blog.
I have just been very busy lately; I will have new content next week!

Thank you all for your patience.

Thanks
Sean

My full report on security considerations for Bring Your Own Device

Risk considerations for bring your own device in the business environment
Written by Sean Mancini

The trend
In the last 5 years the mobile computing industry has boomed; we have more power at our fingertips than ever before thanks to the boom of the smartphone era. Only now have corporations and businesses started to adopt the trend of BYOD, or bring your own device. This trend makes a lot of economic sense for the business. For example, instead of purchasing the entire sales force new BlackBerrys, and in turn having to run an infrastructure to support BlackBerry (for example BES, the BlackBerry Enterprise Server), a company can now run a Microsoft Exchange environment, which it most likely already utilizes, and have the sales force use their own personal devices to connect to the Exchange server.
They now have corporate email on their personal devices, and this in turn frees up funds for the company, as the devices did not have to be purchased.

The problem for I.T Support

While the company’s board of directors may want to dash at the idea of this trend, the I.T. administrators are hitting their heads on their desks.
Questions will have to be answered at the I.T. level. For example, when all of the devices were purchased for company employees, they most likely all ran the same operating system, i.e. BlackBerry OS, so when users had problems accessing email they contacted I.T. support, who were trained to support that operating system. If there are now many different devices, how will your I.T. department be ready to support them? Additional training will have to be done, which comes at a cost, and that cost should be part of the process of considering the adoption of this trend.

Software Governance

Another variable that companies should take into consideration is that of the software being installed on users’ phones. For example, if a user installs an application that is licensed for non-commercial use but uses it for work purposes, this can lead to legal problems for the company.

Network Security

From a network security standpoint, bring your own device, if not prepared for properly, can lead to a disastrous outcome. Remember that in the business networks we have traditionally run, network and security administrators were tasked with the responsibility of keeping the systems secure based on policies that were developed. For example, system patches are announced by the operating system developers; the I.T. department analyzes the effect of each of these patches in a test environment, and when the outcome is satisfactory the patches and fixes are deployed to the production environment. But now we are relinquishing this control. How many end users have an antivirus on their mobile phones? How many end users have a password-protected phone? Recent studies suggest that the percentage of users who take advantage of these security basics, which we consider standard on our corporate devices, is in the single digits.

If you look at today’s mobile security practices, when the business has control of the devices we can make it mandatory to have a password-locked phone via policies on the network, or we can lock down certain features on the phone, like web browsing or the installation of applications. By allowing the employee to use their own device we lose this control, and as such, security practices will need to be adapted to accommodate these new variables that are not as much in the control of the administrators as they previously were.

A mobile attack scenario

I have come up with a feasible mobile attack scenario which I think may very well be an attack we will see in the wild sooner rather than later.

Scenario:

The Target
ABC Company is a medium-size company that is on the verge of becoming a large company; the owners project that in the next 4 years they will have 20% more employees, bringing the total number of employees to just under 800.
The company has recently sent out a communication to its employees that they are now welcome to use their own cell phones instead of company-issued phones.

The adoption rate is an amazing 70 percent, which equals around 560 employees now using devices they own rather than the company’s.
A survey is done by the I.T. department of ABC Company to see what operating systems they should create documentation for. They find 70% of devices are running Android, 20% are Apple iOS devices and 10% are BlackBerry devices; these numbers are supported by trends in the market. All users who use their own devices will need to connect to the company Exchange server so they can receive emails when around the office or on the road.

The Attack

It’s Monday morning around 8:30 am when an email comes in from an attacker that is spoofed to look like it’s from the I.T. department. The subject line is “please update your email application ASAP”, with an attachment, in this case specifically for an Android phone, telling the user to click the attachment and install the “update”.
The users do, the application installs and the users continue on. The user has unknowingly installed an IRC client on his or her phone. Out of the 560 employees, 400 fall for the social engineering attack and install the malware on their phones. The malware forms a mesh and is programmed to have all the phones connect to an IRC server out on the internet, and since the phones are not on a VPN they are not subject to the company’s internal network security policy, so the traffic reaches its destination without hassle. The IRC server sends a message back to the phones to select the phone with the highest MAC ID to become a secondary IRC server, and also selects 2 more phones to become IRC servers; it then instructs the other infected phones to attach to the primary IRC server located on one of the affected phones and use the others as secondary servers. All of the other phones become zombie devices. The attacker now has access to 396 zombie phones, which have about as much system resources as a home desktop PC, and the attacker has a “walking botnet” of mobile phones at his or her disposal, which they can now use to attack ABC Company’s infrastructure. With the power of almost 400 devices they can wreak havoc on a network, especially when the traffic is coming from its own devices. The attacker can use the botnet, for example, to attack the Exchange server, as they were able to access the information for the server via a compromised phone, and use the users’ credentials to send out spam mail via the phone’s mail application, which can damage ABC Company’s

Aftermath:

The attacker used the phones at their disposal to send spam messages containing malware to all of ABC Company’s clients. Clients have started to complain about the malware received and are starting to distrust working with ABC Company over web services such as email, as they are concerned for their internet safety.
The company’s I.T. department is scrambling to get the infection under control, but since they don’t have access to all devices this is a daunting and time-consuming task that is costly to the company. Where we would normally be able to initiate a remote wipe of the phones connected to our network, we have lost this ability.

Solution and prevention
The solution to the issues with BYOD would be to adopt a strict policy for the use of personal devices on corporate networks, for example:

1.) All users should be required to have antivirus software on their phones.
2.) All users must have password protection on the phone.
3.) The phone must not be rooted or jailbroken.
4.) The user must not use applications that are licensed for personal use only.
5.) The user must report lost or stolen phones immediately.
6.) The phone’s MAC address should be recorded; this will allow administrators to ban the device from accessing the LAN in the event of a security issue.
7.) The phones should not be able to communicate with local resources unless connected through encrypted channels such as a VPN.
8.) Phones should be checked periodically for mobile security policy breaches, and a user who breaches the security policy should lose the privilege of using their personal device for work purposes.
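The scenario above turns on one observable fact: hundreds of internal devices all opening connections to the same external IRC server. The script below is an added example, not code from the paper; it runs over egress log lines and reports destinations on IRC ports that several distinct devices reach, listing the source MAC addresses so that the MAC-recording control in the policy above can be used to block them. The log format (time, source IP, source MAC, destination IP, destination port), the addresses and the MAC values are all constructed for the example.

```python
"""Spot many internal devices beaconing to one external IRC server."""
from collections import defaultdict

IRC_PORTS = {6667, 6697}   # plain and TLS IRC, the protocol used in the scenario
MIN_SOURCES = 3            # alert once this many distinct devices share a destination

def parse_line(line):
    """Split one constructed egress log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    time, src_ip, src_mac, dst_ip, dst_port = parts
    try:
        return {"time": time, "src_ip": src_ip, "src_mac": src_mac,
                "dst_ip": dst_ip, "dst_port": int(dst_port)}
    except ValueError:
        return None

def find_beaconing(lines, min_sources=MIN_SOURCES):
    """Group connections by (dst_ip, dst_port) and return the IRC-port
    destinations reached by at least min_sources distinct device MACs."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["dst_port"] in IRC_PORTS:
            seen[(rec["dst_ip"], rec["dst_port"])].add(rec["src_mac"])
    return {dst: sorted(macs) for dst, macs in seen.items()
            if len(macs) >= min_sources}

# Constructed sample: three BYOD phones talking to the same IRC server,
# one ordinary HTTPS connection, and one malformed line that must be skipped.
SAMPLE_LOG = """\
08:31:02 10.20.1.11 aa:bb:cc:00:00:01 203.0.113.9 6667
08:31:05 10.20.1.12 aa:bb:cc:00:00:02 203.0.113.9 6667
08:31:09 10.20.1.40 aa:bb:cc:00:00:04 198.51.100.7 443
08:31:11 10.20.1.13 aa:bb:cc:00:00:03 203.0.113.9 6667
garbage line here
""".splitlines()

if __name__ == "__main__":
    for (ip, port), macs in find_beaconing(SAMPLE_LOG).items():
        print(f"{ip}:{port} reached by {len(macs)} devices: {', '.join(macs)}")
```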

In conclusion

The conclusion to the above statements is that BYOD can be implemented in the workplace, but companies will need to consider all variables, construct strict security policies and invest in a sufficient security infrastructure in order for it to be successful. Companies’ technical departments will have to evolve, as there are new security vectors that may not have been an issue before; as the malware trend is now on the incline for mobile operating systems, the malware landscape is becoming more vast and new challenges are being faced.

Paper written by Sean Mancini
March 2013
www.seanmancini.com

You can download the PDF version of this document here:
Bring your own device considerations