Loading...
Mobile Device CyberSecurity_�1 �Ao • r F i rti� - - r: Fes- ''! • � . � . �- f• ti r, moi. •�s� .J • r••� J� •�� —rte � f+�••• .ice' �-• r 'ya• ' -• .�;.�• r'J. - _ 61_ti:r ti -,ter �;,�r,yl�•• - r •� • f _ - .. .. • - � �J� k} , '' � .� - . • . r � _• r� { • -� f fir` � - Car Mobile Device Cybersecurl'ty What Can You Do to Protect Your Smart Phone? Scandia Economic Development Authority April 19, 2018 John J. Carney, Esq. Carney Forensics Mobile Device Cybersecurity What Are We Worried About? Data Breaches Privacy Breaches Lost or Stolen Devices Theft of IP Viruses and Malware Ransomware S pywa re Advanced Exploits Advice for Mobile Device Users • Don't ever give up possession of your device! • Always protect your phone with passcode, PIN, pattern lock • Not your name • Not spouse's name • Not dog's name • Not birthday • Not phone number • Not street address • Not "123456" • Not "password" • Not "letmein" • Not "i l oveyo u" • Set short time-out period for auto -lock feature in Settings What Passcode is Strong Enough? • For security purposes a 10 to 15 character alphanumeric passcode delivers much greater security benefit compared to a simple 4 or 6 digit numeric passcode • iOS use of a longer, complex passcode protects against brute -force breaking of the passcode in earlier versions • Android use of a complex passcode can help prevent recovery of device data, with exception of microSD card • Pass Phrases are good, complex passcodes: • 1 will graduate in 2018 • 1 like Dr. Pepper 1024 • Old Man and the Sea 1952 • 2001: A Space Odyssey IS THE NEW PASSWORD Advice for Mobile Device Users • Encrypt mobile device handset, "a no-brainer solution" • Only 10% of Android, but 95% of iPhones (by default) • Does not protect memory card, which can be removed • Encrypt mobile device memory cards (microSD) • Upgrade new mobile operating system version immediately • Google Nexus or Google Pixel bought from Google Store Assume at some point device will be lost, stolen, or infected • Download or configure "Find my Phone" app on device • Setup "Remote Wipe" capability • Back up device regularly to PC, Mac, or Cloud 4 iTunes, Android Backup • Cloud, Lookout other 3rd party cloud software Advice for Mobile Device Users • Be cognizant of what apps you install on your phone • Only Apple App Store, Google Play, Amazon App Store • Which app permissions you accept • Turn off Wi-Fi and Bluetooth when traveling to protect against device automatically connecting to unsafe networks • Consider mobile security software to help protect against virus, spyware, malware exploits like ransomware and drive-by download attacks: • Lookout • Trend Micro • Malwarebytes �,,,... FortiClient �,G00(sle play Mobile Device Spyware? What is Spyware? What does it do? Telltale signs your phone may be infected with Spyware • Someone mysteriously knows your schedule, whereabouts? • Someone asked to borrow your phone? • Phone battery drain or warm? • Trouble powering phone off? • Flashing or unusual lights on phone? Op • Mysterious, new icon on phone's screen? • Significant new data charges on phone bill? How can users guard against Spyware? • Don't ever give up possession of your phone W • Always protect your phone with complex passcode or PIN • Turn off Bluetooth when not in use Turn off Wi-Fi • Turn off NFC Categories of Cyber Attacks • Phishing — social engineering tricks designed make user divulge personal information • Spear Phishing — highly effective personal because it's targeted and • SMiShing —mobile attacks using SMS • QRishing —attacks using Quick Response (QR) codes • Clickjacking — tricks a user into performing undesired actions by clicking on a concealed link • Trojan or Malicious apps • Worms — self -replicating exploits • Man -in -the -Middle Attacks Anatomy of Mobile Attack Boer $mflvv Ul U SerXrre dala 9arga 40"GQ ht3kio+xr�li:a InprapernrjliVm :CnOgvs "int "C ultra w phone Jrxess w 9e,iml rser A FBINT 02 F,': r r � Wr�r (�eiaaJ7eeaf eucl�pt3an} I g , Rorepo[sE'ar1 i � Pack�i Sniffing Id NoUng titan-file-Wddle (MHM) ii Sessian Hijiding DN$ Eb snnieg 2=ible OhIff WIMP r.'.T F&SSEMule I Y I r I V Doom to request furorfPSBfl Weak !Bputyat_ o E3rab faRe attacks 5#L lectin Pr�riEesta�liaa O�r� dum�in� OS "mad twutaan 01 VIAFORENSICS App User Security Stats Apps Installed on Average Mobile Device: 320 Permissions Requested by Android Apps: 20 (average) Apps Send Data to Ad Networks: 50% Devices Don't Have a Passcode: 43% Android Devices Have USB Debugging Mode Enabled: 18% Android Devices Allow Installation of Unverified Apps: 43% Devices are Rooted: 9% Unique IP Addresses Connected to Everyday: 160 Wi-Fi Access Points Connected to Everyday: 2 (average) Mobile Devices Connect to Unsecured Wi-Fi Each Month: HALF Analysis from 140M mobile security data points 0 ,-, 4�w uploaded daily from 180 countries 2016 Mobile Security Report p �Nowsecure Mobile App Security NowSecure Tested 400K Mobile Apps: 24.7% of Android Apps Have One or More High Risk Security or Privacy Flaws 10.8% of All Apps Leak Sensitive Data over Network 12.3% leak IMEIs (International Mobile Equipment Identity) 5% leak MAC Addresses (Ethernet and Wi-Fi) 2016 Mobile Security Report Mobile App Security NowSecure Tested 400K Mobile Apps: App Categories Having at Least One High Risk Vulnerability • Business: 27.6% • Social: 30.5% (4.7% More Likely to Leak E-mail Address) Financial App Insecurities • 16.9% Have at Least One High Risk Vulnerability • 4.2% Leak Sensitive Data Game App Insecurities • 32.8% Leak Sensitive Data 2016 Mobile Security Report Secure Text Messaging Apps • Signal (Open Whisper Systems) • No -charge, open source app that employs end-to-end encryption • Send encrypted group, text, picture, and video messages • Encrypted phone conversations between Signal users • All you need to use Signal is your phone number • Supports Phone and Android • Minimal user data retained • Electronic Frontier Foundation Score: 7 out of 7 • Wired articles in 2016 and 2017 Attachment ccoer I Inrol mattgri N/A Lw connedon dere: rix milli8 ,+ r=or:t crested; Unix Millis oftm WHISPER SYSTEMS fi%cu FkC- ARE ,0?4 A mer& i7r TOWS T"nom Akio w445) Secure Text Messaging Apps • WhatsApp (Facebook) • Provides end-to-end encrypted messaging on iPhone &Android • Uses Facebook privacy policy and data sharing giving Facebook access to WhatsApp phone numbers and usage data • Unencrypted backups and no key change notification by default • Allo (Google) • Uses "Signal Protocol" to provide end-to-end encrypted messaging in "incognito" mode • Uses a darker background, but is not the default mode Advanced Security Solutions • Password Management • Generate safe passwords, auto login, safely share passwords • Scorecards to reduce password reuse and easily change • Cross platform support for Windows, OS X, iOS, Android • Products like Dashlane, LastPass, RoboForm, eWallet, etc. • Two -Factor Authentication (2FA) dashlane • Second, time -based token for access to web accounts & apps • Google, iCloud, Amazon, Banks, Credit Cards, Investing, etc. • Obtain 2FA token from mobile apps • Google Authenticator � • Twilio Authy (0% A U T H Y Advanced Security Solutions • Virtual Private Networks (VPN) • Service provides access to secure, encrypted network • Solves unsecured Wi-Fi Access Point connection problem • Avoid free offerings and choose service carefully • Consider log retention policy, performance, ease of installation • NordVPN supports six connected devices at once • Mobile Device Management (MDM) (VTPN • Central management and control of mobile devices • SMBs may like Google Apps or Microsoft Exchange ActiveSync for limited, low-cost capabilities • Enterprises may invest in industrial strength offerings like JAMF, AirWatch, Mobilelron, Good Technology Smartphone Security Checker CL Home FCC Smartphone Security Checker This tool is designed to help the many smartphone owners who aren't protected against mobile security threats. To use this tool, choose your mobile operating system below and then follow the 10 customized steps to secure your mobile device. More about the Smartphone Security Checker, Select Your Mobile Operating System U Android 0 Apple i0S- 0 BlackBerry O Windows Phone Also available, a general Smartphone security checklist (PDF). Visit the HealthlT,gov Mobile Security Guide for 10 steps you can take to protect and secure health information when using your mobile device. Consumers using smartphones, tablets and other mobile devices as "mobile wallets" to pay for goads and services should check out the FCC Consumer Guide on Mobile Wal let Services Protection for tips on protecting devices, mobile wallet services and applications, and associated data from theft and cyber attacks. Smartphone Security Checker Ck Home Ten Steps to Smartphone Security for Android 5martphones continue to grow in popularity and are now as powerful and functional as many computers. It is important to protect your smartphonejust like you protect your computer as mobile cybersecurity threats are growing. Mabile security tips can help you reduce the risk of exposure to mobile security threats. rcwm� 1. Set PINS and passwords. To prevent unauthorized access to your phone, set a password or Personal Identification Number (PIN) on your en phone's home screen as a first line of defense in case your phone is lost or stolen. When possible, use a different password for each of STOP T.IINK CONNECT - your important lag -ins (email, banking, personal sites, etc.). You should configure your phone to automatically lock after five minutes or less when your phone is idle, as well as use the SIM password capability avaiIable on most smartphones. 2. Do not modify your smartphane's security settings. Do not alter security settings far convenience. Tampering with your phone's factory settings, jail breaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone, while making it more susceptible to an attack. 3. Backup and secure your data. You should backup all of the data stored on your phone — such as your contacts, documents, and photos. These files can be stored on your computer, on a removal storage card, or in the cloud. This will allowyou to conveniently restore the information to your phone should it be lost, stalen, or otherwise erased. 4. only instaill apps from trusted sources. Before downloading an app, conduct research to ensure the app is legitimate. Checking the legitimacy of an app may include such thing as: checking reviews, confirming the legitimacy of the app store, and comparing the app sponsors official website with the app store link to confirm consistency. Many apps from untrusted sources contain malware that once installed can steal information, install viruses, and cause harm to your phone's contents. There are also apps that warn you if any security risks exist on your phone. Questions & Answers Carney Forem "Digital Evidence is Everywhere" Cell Phones / Smart Phones Smart Tablets Computer Forensics GPS Devices Social Media / Email Sign up for our Newsletter!! www.carnevforensics.com _�1 �Ao • r F i rti� - - r: Fes- ''! • � . � . �- f• ti r, moi. •�s� .J • r••� J� •�� —rte � f+�••• .ice' �-• r 'ya• ' -• .�;.�• r'J. - _ 61_ti:r ti -,ter �;,�r,yl�•• - r •� • f _ - .. .. • - � �J� k} , '' � .� - . • . r � _• r� { • -� f fir` � - Car