Mobile Devices Using Without Losing

Mobile Devices – Using Without Losing

Mark K. Mellis

Associate Information Security Officer

Stanford University Information Security Office

We all have mobile devices…

§ 

iPhones, iPads, Droids

§ 

“There’s an App for that!”

§ 

What can we do to protect our own

privacy and the University’s data while

enjoying the convenience of mobile

Preview

§ 

Risks of Mobile Computing

§ 

Tips

§ 

What If You Lose Your Phone?

§ 

Review

Risks - What’s on the device?

§

Not merely documents

•

Access credentials for networks and applications

•

Presentations / Briefing Notes

•

Stanford Email (including secure email)

•

Address Book information

•

Personal photos, movies, and email

•

Personal health, salary, and benefits information

§

Indirect costs

Risks – What could happen?

§

Loss or Theft of the Device

•

At security inspection points

•

In cabs and airplanes

•

Public places, hotel rooms, and offices

§

Confiscation of the Device

•

By the local police department, US Government, or other

governments

§

Spying

•

Reading “over the shoulder”

•

Targeted attacks – planting keyloggers or other malware

Stanford’s Policy

§

Mobile devices used to store or access Restricted

Information (per AGM 63) are required to be managed

with an approved mobile device management system

(e.g. Stanford MDM) and profile (e.g. the MDM

Restricted profile).

§

Examples include Health Information, including

Protected Health Information (PHI), Passport and visa

numbers, and export controlled information under U.S.

law.

Label your device

•

A label can help

honest people return

your lost device, even

if the battery is dead.

•

“Anonymous” labels

are available – the

round label pictured

came from

Use a passcode

§ 

A four digit passcode is plenty unless

you access Restricted Data

§ 

Don’t use “1-2-3-4” or “6-6-6-6”

§ 

Set the screen to auto-lock after a

minute or two

§ 

Set the phone to erase itself if the wrong

passcode is entered too many times –

A digression on passcodes

§

Daniel Amitay studied* the most-used f0ur

digit PINs used in his app - 204,508 samples

§

Top ten (in order of popularity) were 1234,

0000, 2580 (vertical line), 1111, 5555, 5683

(LOVE), 0852 (vertical line), 2222, 1212, 1998

(birth year?)

§

Of these, 1234, 0000, 1111, 2222, 1212 are

blocked by the MDM passcode policy. Beware

of the others…

Phones - Keep the software updated

§

Updates are issued frequently – as new

vulnerabilities are exposed, the vendor

patches them.

§

Applies to both the basic device software and

applications – for iOS devices, the operating

system is updated via iTunes or over the air,

and applications are updated via the App

Don’t “jailbreak” or “root” it

It is popular in some circles to circumvent the security

controls on mobile devices in order to avoid paying for

particular features or to enable capabilities that the

carrier or vendor doesn’t provide. This is called

“jailbreaking” or “rooting.”

§

Jailbreaking removes a layer of protection that helps

keep malware from running on the device

§

Jailbreaking is usually prohibited by mobile phone

company contracts

§

Jailbreaking is contrary to security “best practices”

Sign up for "find my iPhone”

§ 

It’s available free on the iTunes App

Store.

§ 

Of course you might have an Android

phone – “there’s an app for that.”

Lookout Mobile Security Premium

https://www.mylookout.com

for

example.

Sign up for "find my iPhone”

Allows you to:

•

Display a

message or

make a sound

•

Set a passcode

lock remotely

•

Remote wipe

•

Display

location on a

Backups

§

If it’s an iOS device, you can use iTunes or

iCloud to back it up. Other devices have other

backup mechanisms.

§

If you have a good backup of your phone, and

you lose it, you can do a “remote wipe”

without having to worry about losing your

contacts, photos, and other valuable

Encryption

§

If it’s an iOS device running recent software,

merely setting a PIN or passcode will

automatically encrypt the phone.

§

If you have a good backup of your phone, and

you lose it, you can do a “remote wipe”

without having to worry about losing your

contacts, photos, and other valuable

information. It helps make “doing the right

thing” easier.

What if you lose it?

§

Next to the pictures of your loved ones, the most

valuable things on your mobile device are probably

your SUnetID and password

§

If your device is lost or stolen, call the Help Desk at

5-HELP. They will assist in changing your SUnetID’s

password. Doesn’t matter if you are in MDM or not,

works even for Androids and other devices that MDM

doesn’t support yet.

§

If you

are

enrolled in Stanford MDM, the Help Desk

Mobile Device Management

§

Stanford has a new service called Mobile Device

Management

§

It will set up your email and calendar, and these

security and privacy “best practices” for you

§

Read about it at

Support Management Interface 1

$ remctl mdm1 mdm list-devices -u mkmellis

fde2f92601f64fb48fb7847cf9599f58ec85ff8c mkmellis AT&T iPhone4,1

117 3c:d0:f8:4e:df:16 Mark K. Mellis's iPhone

Support Management Interface 2

$ remctl mdm1 mdm show-device fde2f92601f64fb48fb7847cf9599f58ec85ff8c

Device 1 of 1:

DB id: 3158

UDID: fde2f92601f64fb48fb7847cf9599f58ec85ff8c

Device Name: Mark K. Mellis's iPhone

User Name: mkmellis

Model: iPhone 4S

Last Check-in: 2012-01-02 20:03:09

OS Version: iOS 5.0.1 (9A405)

Cert Expires: 2013-01-01 20:02:18

WiFi Mac Address: 3c:d0:f8:4e:df:16

[continued]

Support Management Interface 3

[continued]

Phone Number: +16504756859

Cellular Technology: GSM

Cellular NetworkId: 01 300400 333769 5

Sim Carrier: AT&T

Last Carrier:

Serial Number: C39GPJ9QDT9V

Carrier Settings Version: 11.0

Modem Firmware Version: 1.0.13

Capacity (GB): 13.58082199096700

Last Updated: 2012-01-02 20:02:42

Profiles Installed:

Support Management Interface 3

$ remctl mdm1 mdm show-apps fde2f92601f64fb48fb7847cf9599f58ec85ff8c

Applications Installed:

AirPort(100.14)

BayAreaNews(1.02)

BodyMedia(2413)

Calc 16C(1.1.0)

[…]

Yelp(5.5.1)

Z-Subsonic(2.8)

$

Here’s what you do…

1.

Review these tips (and more) at

http://securecomputing.stanford.edu/

mobile

2.

Put them into practice today!

3.

Enroll in Mobile Device Management

Questions?

Mark K. Mellis

[email protected]