MOOC_topic_5 - Personal Psu

14 Dec 2013 (3 years and 9 months ago)

COMPSEC

Dr. Gerry Santoro
Founding Associate Professor

Topic 5

Mobile Devices

Introduction

Everything we have covered so far with regard to desktop and laptop computers also applies to mobile devices such as PDAs, tablet computers, and smartphones. In fact, smartphones running the Android or iOS operating systems are among the fastest growing targets for malware and spyware. On these devices, the user does not create different accounts, so the issue of least privilege is moot. The single user is assumed to be the device administrator, so extra care must be taken when downloading and installing applications. It is generally good advice that applications only be acquired from reputable locations such as Android Marketplace or the Apple Store. It may also be advisable to perform research on an app before downloading it to ensure that there are no reports of that app containing a Trojan.

However, even this may not be enough. Instances have occurred where applications obtained from reputable sources have been found to be infected with malware. A few examples are listed in this Information Week article, “8 Notorious Android Malware Attacks.” While doing research on an app, such as googling its name, can often help prevent the installation of an infected app, this is not sufficient. For that reason, you should install anti-malware software as with a desktop or laptop system.

How to Protect Your Mobile Device

There are many anti-virus/anti-spyware applications for mobile devices. A few are listed in the resources section for this topic. Some are free, while some charge a small fee. They work much like anti-virus and anti-spyware applications on a desktop computer. Some may require configuration. You will want to make sure the application you choose is tailored for the OS of your device.

Patches are important! Because much mobile device malware is application dependent, you should apply any OS and application patches that are released as soon as possible. These patches are mostly created to close specific vulnerabilities.

Jail Breaking and Rooting

You may have noticed when viewing a friend’s smartphone that they have what seems to be privileged access to certain features on their phone. This may be a result of “jail breaking” or “rooting.” Jail breaking is when a user circumvents the proprietary system software locks to access the underlying operating software of the device. Users may do this to install applications that have not been approved by their service provider or to allow the device to be used with a different service provider. In many cases, jail breaking is against the user agreement with the smartphone vendor and may void the warranty. (The legality of jail breaking is still a grey area.)

The biggest problem with jail breaking and rooting your device is that it may open unexpected vulnerabilities that could be exploited by malware by disabling the defenses that are built into your system software. As a rule, unless you are sure of what you are doing and are willing to take on the security risk, you should avoid jail breaking or rooting your device.

Lost or Stolen Devices

What happens if your smartphone or mobile device is lost or stolen? The least worry is that you may lose all of your contact information or any other data (pictures, etc.) on the device. Some carriers offer services that will allow this information to be backed up automatically so it is available if you lose your device, or it is stolen, and you need to get a replacement.

Additionally, most mobile devices allow you to designate a PIN or password to prevent access by an unauthorized user. Some smartphones have applications that can be used to track and locate the device should it be stolen or lost.

Important personal information (such as account IDs or credit card numbers) should not be stored on a mobile device. Even if the device is password protected it may be possible to use forensics methods to acquire that data.

Some protection programs for mobile devices go a step further by providing a Web-based portal that can be alerted when the device is lost or stolen. The portal can be used to track the location of the device if it is used. The portal can also issue a command to wipe the memory of the device clean to prevent the thief from obtaining contact information or other data stored on the phone.

Location Tracking

A current concern for mobile users is whether a mobile device can be used to track their whereabouts. In 2010, much controversy ensued when it was revealed that manufacturers had installed software on the iPhone and other smartphones that could be used to record and track user activity. The developers of the software insisted that this was only used to improve the user experience and that the data was not personal in nature.

Nevertheless, it is quite possible to track the location of any mobile device. Many mobile devices have built-in GPS circuitry that keeps a record of locations. The intent of this capability is to allow applications to provide you with geographically-relevant information such as local maps, information on hotels near you, or local weather reports. A recent controversy arose over reports that Apple was collecting geo-data from iPhone users without their knowledge. Although Apple insists the intent is to improve the user experience, this shows a potential vulnerability as others might have gained access to this unencrypted data.

GPS information can be accessed through forensics methods that pull the data from the internal storage. Generally such a method is only done by law enforcement using specialized tools. It is also possible to determine the location of a mobile device by triangulating the signals from three separate cell phone towers. This method has been used by law enforcement to establish the whereabouts of persons suspected of committing a crime in cases where GPS data is not available.

Is it legal? That is still a grey area being debated by the courts. Many law-enforcement organizations are arguing that the GPS information for a user’s phone is not protected information and should not require a warrant for access.

Any time the phone is turned on, it will be in contact with cell towers, and that information can often be used to establish a location. Simply turning the telephone off may not be enough. The safest approach if location tracking is a genuine worry is to turn the phone off and remove the battery. Important data remain safely stored in the device’s SIM memory.

Sidebar for small businesses

An additional consideration for businesses is the use of the mobile device in the workplace. Malware on an employee’s smartphone could bypass firewalls and establish a foothold in an organization’s networks. Because many smartphones have cameras and free software is available for picture uploading, these devices can be used for industrial espionage.

Many organizations do not permit personally-owned mobile devices to be connected to the organization’s networks. A number of security-minded companies provide separate smartphones specifically for business use.

Businesses should also encourage their employees to install good anti-malware applications on their personal mobile devices. One way to do this is to reimburse the employee for the cost of the software. An employee’s personal smartphone might record internal numbers or ID/password sets to services such as a company’s electronic mail. If the device is compromised, this information may be stolen and used against the business.

Resources:



Best Mobile Anti-Virus: http://electronics.howstuffworks.com/cell-phone-apps/best-mobile-anti-virus-app.htm

2013 Best Mobile Security Software Comparisons and Reviews: http://mobile-security-software-review.toptenreviews.com/

Anti-Virus for Mobile Phones: http://en.kioskea.net/faq/2943-antivirus-for-mobile-phones

Avast Free Mobile Security: http://www.avast.com/free-mobile-security

AVG anti-virus for Android: http://www.avg.com/us-en/for-mobile