Mobile Device Cybersecurity
What Can You Do to Protect Your Smart Phone?
Scandia Economic Development Authority
April 19, 2018
John J. Carney, Esq.
Carney Forensics
Mobile Device Cybersecurity
What Are We Worried About?
Data Breaches
Privacy Breaches
Lost or Stolen Devices
Theft of IP
Viruses and Malware
Ransomware
Spyware
Advanced Exploits
Advice for Mobile Device Users
• Don't ever give up possession of your device!
• Always protect your phone with passcode, PIN, pattern lock
• Not your name
• Not spouse's name
• Not dog's name
• Not birthday
• Not phone number
• Not street address
• Not "123456"
• Not "password"
• Not "letmein"
• Not "iloveyou"
• Set short time-out period for auto-lock feature in Settings
What Passcode is Strong Enough?
• For security purposes a 10 to 15 character alphanumeric
passcode delivers much greater security benefit compared
to a simple 4 or 6 digit numeric passcode
• iOS use of a longer, complex passcode protects against
brute-force breaking of the passcode in earlier versions
• Android use of a complex passcode can help prevent
recovery of device data, with exception of microSD card
• Pass Phrases are good, complex passcodes:
• I will graduate in 2018
• I like Dr. Pepper 1024
• Old Man and the Sea 1952
• 2001: A Space Odyssey
[Image: "IS THE NEW PASSWORD"]
Advice for Mobile Device Users
• Encrypt mobile device handset, "a no-brainer solution"
• Only 10% of Android, but 95% of iPhones (by default)
• Does not protect memory card, which can be removed
• Encrypt mobile device memory cards (microSD)
• Upgrade new mobile operating system version immediately
• Google Nexus or Google Pixel bought from Google Store
Assume at some point device will be lost, stolen, or infected
• Download or configure "Find my Phone" app on device
• Setup "Remote Wipe" capability
• Back up device regularly to PC, Mac, or Cloud
• iTunes, Android Backup
• Cloud, Lookout, other 3rd party cloud software
Advice for Mobile Device Users
• Be cognizant of what apps you install on your phone
• Only Apple App Store, Google Play, Amazon App Store
• Which app permissions you accept
• Turn off Wi-Fi and Bluetooth when traveling to protect
against device automatically connecting to unsafe networks
• Consider mobile security software to help protect against
virus, spyware, malware exploits like ransomware and
drive-by download attacks:
• Lookout
• Trend Micro
• Malwarebytes
• FortiClient
Mobile Device Spyware?
What is Spyware? What does it do?
Telltale signs your phone may be infected with Spyware
• Someone mysteriously knows your schedule, whereabouts?
• Someone asked to borrow your phone?
• Phone battery drain or warm?
• Trouble powering phone off?
• Flashing or unusual lights on phone?
• Mysterious, new icon on phone's screen?
• Significant new data charges on phone bill?
How can users guard against Spyware?
• Don't ever give up possession of your phone
• Always protect your phone with complex passcode or PIN
• Turn off Bluetooth when not in use
• Turn off Wi-Fi
• Turn off NFC
Categories of Cyber Attacks
• Phishing — social engineering tricks designed to make users
divulge personal information
• Spear Phishing — highly effective because it's targeted and
personal
• SMiShing — mobile attacks using SMS
• QRishing — attacks using Quick Response (QR) codes
• Clickjacking — tricks a user into performing undesired
actions by clicking on a concealed link
• Trojan or Malicious apps
• Worms — self-replicating exploits
• Man-in-the-Middle Attacks
Anatomy of Mobile Attack
[Diagram (viaForensics): Anatomy of a Mobile Attack. Device layer: sensitive data storage. Network layer: packet sniffing, man-in-the-middle (MITM), session hijacking, DNS poisoning. Server/data layer: weak input validation, brute force attacks, SQL injection, privilege escalation, data dumping, OS command execution.]
App User Security Stats
Apps Installed on Average Mobile Device: 320
Permissions Requested by Android Apps: 20 (average)
Apps Send Data to Ad Networks: 50%
Devices Don't Have a Passcode: 43%
Android Devices Have USB Debugging Mode Enabled: 18%
Android Devices Allow Installation of Unverified Apps: 43%
Devices are Rooted: 9%
Unique IP Addresses Connected to Every Day: 160
Wi-Fi Access Points Connected to Every Day: 2 (average)
Mobile Devices Connect to Unsecured Wi-Fi Each Month: HALF
Analysis from 140M mobile security data points uploaded daily from 180 countries
2016 Mobile Security Report (NowSecure)
Mobile App Security
NowSecure Tested 400K Mobile Apps:
24.7% of Android Apps Have One or More High Risk Security
or Privacy Flaws
10.8% of All Apps Leak Sensitive Data over Network
12.3% leak IMEIs (International Mobile Equipment Identity)
5% leak MAC Addresses (Ethernet and Wi-Fi)
2016 Mobile Security Report
Mobile App Security
NowSecure Tested 400K Mobile Apps:
App Categories Having at Least One High Risk Vulnerability
• Business: 27.6%
• Social: 30.5% (4.7% More Likely to Leak E-mail Address)
Financial App Insecurities
• 16.9% Have at Least One High Risk Vulnerability
• 4.2% Leak Sensitive Data
Game App Insecurities
• 32.8% Leak Sensitive Data
2016 Mobile Security Report
Secure Text Messaging Apps
• Signal (Open Whisper Systems)
• No-charge, open source app that employs end-to-end encryption
• Send encrypted group, text, picture, and video messages
• Encrypted phone conversations between Signal users
• All you need to use Signal is your phone number
• Supports iPhone and Android
• Minimal user data retained
• Electronic Frontier Foundation Score: 7 out of 7
• Wired articles in 2016 and 2017
[Image: Open Whisper Systems response to a records request; the only account data returned are last connection date and account creation time (Unix millis)]
Secure Text Messaging Apps
• WhatsApp (Facebook)
• Provides end-to-end encrypted messaging on iPhone & Android
• Uses Facebook privacy policy and data sharing giving Facebook
access to WhatsApp phone numbers and usage data
• Unencrypted backups and no key change notification by default
• Allo (Google)
• Uses "Signal Protocol" to provide end-to-end encrypted
messaging in "incognito" mode
• Uses a darker background, but is not the default mode
Advanced Security Solutions
• Password Management
• Generate safe passwords, auto login, safely share passwords
• Scorecards to reduce password reuse and easily change
• Cross platform support for Windows, OS X, iOS, Android
• Products like Dashlane, LastPass, RoboForm, eWallet, etc.
• Two-Factor Authentication (2FA)
• Second, time-based token for access to web accounts & apps
• Google, iCloud, Amazon, Banks, Credit Cards, Investing, etc.
• Obtain 2FA token from mobile apps
• Google Authenticator
• Twilio Authy
Advanced Security Solutions
• Virtual Private Networks (VPN)
• Service provides access to secure, encrypted network
• Solves unsecured Wi-Fi Access Point connection problem
• Avoid free offerings and choose service carefully
• Consider log retention policy, performance, ease of installation
• NordVPN supports six connected devices at once
• Mobile Device Management (MDM)
• Central management and control of mobile devices
• SMBs may like Google Apps or Microsoft Exchange
ActiveSync for limited, low-cost capabilities
• Enterprises may invest in industrial strength offerings like
JAMF, AirWatch, MobileIron, Good Technology
Smartphone Security Checker
FCC Smartphone Security Checker
This tool is designed to help the many smartphone owners who aren't protected against mobile security threats. To use this tool, choose your mobile operating system below and then follow the 10 customized steps to secure your mobile device. More about the Smartphone Security Checker.
Select Your Mobile Operating System
• Android
• Apple iOS
• BlackBerry
• Windows Phone
Also available, a general Smartphone security checklist (PDF).
Visit the HealthIT.gov Mobile Security Guide for 10 steps you can take to protect and secure health information when using your mobile device.
Consumers using smartphones, tablets and other mobile devices as "mobile wallets" to pay for goods and services should check out the FCC Consumer Guide on Mobile Wallet Services Protection for tips on protecting devices, mobile wallet services and applications, and associated data from theft and cyber attacks.
Smartphone Security Checker
Ten Steps to Smartphone Security for Android
Smartphones continue to grow in popularity and are now as powerful and functional as many computers. It is important to protect your smartphone just like you protect your computer as mobile cybersecurity threats are growing. Mobile security tips can help you reduce the risk of exposure to mobile security threats.
1. Set PINs and passwords. To prevent unauthorized access to your phone, set a password or Personal Identification Number (PIN) on your phone's home screen as a first line of defense in case your phone is lost or stolen. When possible, use a different password for each of your important log-ins (email, banking, personal sites, etc.). You should configure your phone to automatically lock after five minutes or less when your phone is idle, as well as use the SIM password capability available on most smartphones.
2. Do not modify your smartphone's security settings. Do not alter security settings for convenience. Tampering with your phone's factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone, while making it more susceptible to an attack.
3. Backup and secure your data. You should backup all of the data stored on your phone — such as your contacts, documents, and photos. These files can be stored on your computer, on a removable storage card, or in the cloud. This will allow you to conveniently restore the information to your phone should it be lost, stolen, or otherwise erased.
4. Only install apps from trusted sources. Before downloading an app, conduct research to ensure the app is legitimate. Checking the legitimacy of an app may include such things as: checking reviews, confirming the legitimacy of the app store, and comparing the app sponsor's official website with the app store link to confirm consistency. Many apps from untrusted sources contain malware that once installed can steal information, install viruses, and cause harm to your phone's contents. There are also apps that warn you if any security risks exist on your phone.
Questions & Answers
Carney Forensics
"Digital Evidence is Everywhere"
Cell Phones / Smart Phones
Smart Tablets
Computer Forensics
GPS Devices
Social Media / Email
Sign up for our Newsletter!!
www.carneyforensics.com