How To Turn BYOD Risk Into Mobile Security Strength

Andrew Hoog

Wed, 15th October 2014

Speaker Bio 1:
CEO/Co-founder of viaForensics. Andrew is a published author, computer scientist, and mobile security & forensics researcher. He has several patents pending and presents on mobile security topics to conferences, enterprise and government audiences.

Learning Objectives:

Andrew will:

  • Explain why traditional approaches to security won’t fully protect mobile devices
  • Illustrate how you can leverage mobile data (forensics, security, system and sensor data) to protect your devices and information
  • Explore several live scenarios for protecting against insider and external threats on both Android and iOS devices.

Resources and materials:

Questions and answers

Max, Concise Courses:
14:35 Does Santoku, your Linux Distro, offer support for ARM Architecture so that it can be imaged onto a Raspberry Pi?

Andrew Hoog:
That’s a great question. It came out as x86 and 64-bit and we haven’t had the request to run it on Raspberry Pi, but right now the idea behind Santoku Linux is that there is a notion of, ‘look, there are a lot of pentesting tools that are out there, and you can spend a lot of time installing them and maintaining them: it is just not worth the brain damage!’ So, we take the ‘best of breed’ tools and we put in a lot of free open-source tools that we have written, and we try to make it easy to run.

I have to say now that ARM is not on the roadmap, but if we begin to hear demand from more and more people we can port the tools over. The ‘tools changing’ and ‘cross-compiling’ probably means that there is a lot of work to be done there, and a lot of things that work today on Santoku might not work all that great on Raspberry Pi. It is certainly a possibility; we just have to see that there is demand for it.

Max, Concise Courses:
15:57 Has the Android Master-Key Vulnerability problem been patched?

Andrew Hoog:
It has been patched, but the problem with Android, of course, is fragmentation. Has it been patched on most people’s devices? I would say ‘no’, [at least] not on many of the devices, so one of the things we always look at is whether the devices themselves are vulnerable. We actually scan each of the Apps that get uploaded and we can very easily check for the Master Key Vulnerability.

The other big thing is that Google started putting checks online pretty quickly once they had identified the issue, so you can spot the different attacks in an APK. It is very unlikely that any sort of Master Key would get into the Google Play market at this point. Unless your users are side-loading off other non-standard markets you are probably ‘ok’, but there are a lot of devices out there that would be vulnerable.

Max, Concise Courses:
16:45 We had a show with Brendan O’Connor presenting some amazing research – and hardware – he built called CreepyDOL. Basically he showed just how much data Apps and Mobile are leaking. Question is, what can corporations do to limit BYOD exposure?

Andrew Hoog:
We are actually providing you with an agent that gives you a live peek into that right now [BYOD exposure], and it does it both on iOS and Android. It has been an absolute eye-opener, and we are security guys! It’s been an eye-opener to see where our data is going. Having that [ability] not on special hardware or a rooted device, we are saying that we can deploy the agents right now to gain immediate insight across your enterprise. Maybe something is targeting executives; maybe something is not really malicious but is leaking information. We tie a lot of different things together, like Apps, ports, data, battery and where they get installed, for example. Maybe we will get to a point where we start finding that ‘hey, somebody Trojaned Facebook – it got popped whilst you were on an overseas network’ and we begin to see a trend where a malicious version of Facebook is coming in.

The interesting thing about our solution is that [whilst] the App is Facebook to the end-user, and still talks to the Facebook servers and fully works, it could be a Trojan. We can spot that the RSA signatures are different and, more importantly, that that Facebook App is actually talking to another server somewhere else in the world [probably a ‘Command & Control Server’]. Driving that continuous visibility into the mobility platform is key, and a quick example we always come back to is a threat scenario: ‘do people use Dropbox to pull your data?’ With some MDM software you can say that Dropbox is installed, but that’s about all it will tell you. With the insight – maybe what the Gentleman did with the hardware – that we are doing on non-rooted devices, you can see: is it installed, did it sync data, when did it sync? We can combine it with other security audits, and sometimes data is stored on an SD card, so we can pull back added data.

We are going to be driving deep visibility into the mobile platform to allow people to manage mobile risk.
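Andrew mentions above that the Master Key Vulnerability can be "very easily" checked for in an uploaded APK. The check below is an added illustration written for this page; it is not viaForensics code and not part of the webinar. It relies on one fact about that bug: an APK is a ZIP archive, and the vulnerability was triggered by an archive that carries two entries with the same name, so that the signature check and the installer could end up reading different copies. A scanner therefore lists every entry name that appears more than once in the central directory and reports whether the duplicate copies actually differ. The sample archives are constructed in-memory inputs, not real apps.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: [(crc, size), ...]} for every entry name that occurs
    more than once in the archive's central directory.

    Python's zipfile keeps all entries in infolist() even when names repeat
    (it only warns), which is exactly what a duplicate-name scanner needs.
    """
    with warnings.catch_warnings():
        # zipfile emits a UserWarning per duplicate name; we collect the
        # duplicates ourselves, so silence the noise.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            infos = zf.infolist()
    counts = Counter(info.filename for info in infos)
    return {
        name: [(info.CRC, info.file_size) for info in infos if info.filename == name]
        for name, n in counts.items()
        if n > 1
    }


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when some duplicated entry has copies whose content differs
    (different CRC or size). Identical duplicates are merely sloppy
    packaging; differing copies are the Master Key pattern."""
    dupes = find_duplicate_entries(apk_bytes)
    return any(len(set(copies)) > 1 for copies in dupes.values())


def _build_sample(duplicate: bool) -> bytes:
    """Constructed test input (not a real app): a minimal APK-shaped ZIP,
    optionally carrying a second, different 'classes.dex' entry."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035 replaced")
    return buf.getvalue()


# Constructed samples: one clean archive, one with a conflicting duplicate.
CLEAN_APK = _build_sample(duplicate=False)
DUPLICATE_APK = _build_sample(duplicate=True)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_APK), ("duplicate", DUPLICATE_APK)):
        print(label, find_duplicate_entries(data), "suspicious:", is_suspicious(data))
```

Run it against a real APK by reading the file into `apk_bytes`; a non-empty result from `find_duplicate_entries` is worth a closer look regardless of what `is_suspicious` says, because a well-formed build tool never writes the same path twice. Note that this scanner flags the packaging pattern only; whether a particular handset is still exposed depends on whether its firmware carries the platform fix, which is the fragmentation point Andrew makes above.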