Mobile Security Master Class, October 2014, Day 2 (public version)
TRANSCRIPT
Who am I
Passionate about
• IT security and hacking
• Fast cars and champagne (not together)
IT security advisor / ethical hacker
• Jan 2014 - now: independent advisor @ Linq42
• 2006 - 2013 @ KPMG Information Protection Services
• Strong technical skills -> business use
• Testing mobile since 2009
Usage statistics
Number of smartphones sold in 2013
• 968,000,000
• 57.6% of all phone sales
• First time smartphones outsold non-smartphones
Major vendors in 2013
• Samsung: 300,000,000
• Apple: 150,000,000
Other mobile platforms - BlackBerry
BlackBerry
• Since 1999
• Since August 2013: "intention to sell the company"
• Custom hardware and custom OS, many releases
• Since 4.0 'modern'; 7.1 is the latest of the old OS; 10.0 is the new OS
BlackBerry Enterprise Server
• MDM before it was called MDM
BlackBerry Tablet OS
• QNX-based
• v1.0 -> v2.0 -> BlackBerry 10
• Android .apk support
Other mobile platforms - Symbian
• Multiple owners; originally Psion
• Long used by Nokia for the N and E series
• Nokia has since switched to Windows Phone
Battle beyond mobile
SWOT: Apple / Microsoft / Google
Strength
• Apple: strong in mobile phones and tablets in the corporate world, partly in the consumer world; shininess factor
• Microsoft: strong in the corporate world (servers, desktop, training, services, etc.)
• Google: strong "ownership" of the consumer's online ID; allows for cheap devices -> strong in the consumer world
Weakness
• Apple: small presence of desktop and server in the corporate world; corporate presence only thanks to MDM
• Microsoft: tablets and mobile phones, in both the corporate and the consumer market
• Google: Android almost non-existent in the corporate world; Android's reliance on 3rd-party vendors
Opportunity
• Apple: Macs and OS X in the corporate environment
• Microsoft: Windows Phone 8 and Windows 8 have great new features
• Google: Android *anywhere*; corporate services around the online ID
Threat
• Apple: OS X not meeting corporate needs and demands; too expensive
• Microsoft: if not acting soon, will become an ancient computer company
• Google: Android's open model may result in too little, too late; prone to malware
Battle beyond mobile - Windows 8 family
How to get to the level of iOS/Android, and beyond?
• Desktop = Windows
• Phones = Windows Phone
• Tablets = ??
"They draw the line between the phone/tablet and the PC. We are drawing the line between the PC/tablet and the phone."
Battle beyond mobile - Windows Mobile/Phone
History
• '90s: Windows CE - Pocket PC 2000/2002
• Windows Mobile 2000-2003, 6-6.5
• Windows Phone 7-7.5
• Windows Phone 8
Architecture
• Stylus
• Related to Windows, but a different software origin
• Dedicated vendors make the hardware
• Exchange ActiveSync
• Proprietary, but licensed to others
Battle beyond mobile - Windows 8
Windows 8
• New operating system for desktops and tablets
• Single OS for both x86 and ARM architectures; except, not exactly:
  • Windows RT - ARMv7 - Surface RT
  • Windows 8 - x64 - Surface Pro
• Metro interface for easy touch; can switch between interfaces
• Surface RT / Windows RT: everything in the Metro interface
• Surface devices created in-house by Microsoft
Battle beyond mobile - Windows 8 (cont.)
Windows 8
• Strong integration with the existing MSFT architecture: Active Directory / SCCM / Intune
• Windows Store
• Multi-user
• Nifty features
• Security features: Secure Boot, Measured Boot, ELAM, DAC
• DirectAccess
• Hyper-V virtualization
• Picture Password
Desktop platforms - Mac OS X
History
• Not talking about pre-OS X
• Mac OS X: strong but small client base
• Lost the battle for the corporate world due to lack of management tools (amongst other reasons)
• iOS: huge success in the consumer world
• iOS not welcome in the corporate world due to lack of control
Desktop platforms - Mac OS X (cont.)
Into the corporate world
• The path that worked for iOS:
  • Open up iOS for security checks
  • Allow 3rd-party MDMs to control iOS
• The path that may work for OS X:
  • Slingshot OS X using iOS functionality: Maps / iMessage / FaceTime / iCloud / Notification Center / etc.
  • Open up OS X for security checks, à la iOS
  • Allow 3rd-party MDMs, but also make their own MDM
Summary
Enrolling mobile devices results in new risks
• Broader than expected, e.g. legal, technology, cloud integration, backup
• Broader ecosystem; thankfully the proper tools are now here
How to continue
• Stay up to date with recent developments
• Know your weaknesses. Take a look at your organization from an attacker's perspective.
• 100% security is not possible. And undesirable!
• No technical solution fixes it all; mitigate risks by people, processes and technology
• Prevention is insufficient. Invest in detection and response.