Last Monday, we held yet another Mobile Monday event. Let me tell you about it…
First up, we had the gentleman that is Rory MacHale, who welcomed Mobile Monday members to Morgan McKinley’s offices and offered an introduction to, and history of, Mobile Monday.
Next up, I gave my insight on Mobile Security, discussed recruitment trends in the space and gave a short presentation entitled “IT Security: whose job is it anyway?”
I was very proud to, once again, have Morgan McKinley partner up with Mobile Monday, and this time around we had a really fascinating topic lined up: Mobile Security. See: http://www.morganmckinley.ie/article/mobile-monday-free-event-morganmckinley-mobilesecurity
Morgan McKinley are witnessing, across all of our global markets but particularly in Dublin, how businesses are realising how critical mobile is to business. We are assisting more and more companies to hire the right people to address mobile security. This has been one of Morgan McKinley’s most profitable areas, and that serves as a positive message that Ireland is, slowly but surely, addressing IT and now Mobile Security, and giving it the respect and resources that it warrants.
On the day of the event, I met a buddy of mine for lunch and I was telling him about Mobile Monday. He asked me: “Who is the event for? Who will be in attendance?”
And once the event had kicked off and the room began to fill up, I noticed quite a few people whom my team had placed into jobs: ethical hackers, pen testers, PCI-DSS mobile app developers, development managers, cyber security engineers, network security engineers, BYOD, MDM, compliance, risk, disaster recovery and business continuity consultants, CTOs, CIOs and CISOs.
The question then arises about Mobile Security, and it is a question I put to the audience: “Whose job is it anyway?”
1.) Is it the mobile app developers?
2.) Is it the Vodafones, O2s and Eircoms of the world, the service providers who own the infrastructure?
3.) Is it the hardware manufacturers that provide mobile devices?
4.) Is it the mobile operating system vendors? iOS/Android/Windows/BlackBerry
5.) Is it the end users’ job to educate themselves?
Personally, I think we all have a stake in Mobile Security. It is for this reason that events like this one are so important. Important too because I believe that everyone who attended would take some useful information with them. And that they did.
Wow, does Robert know his stuff! He offered an excellent talk, presenting his top 10 recurring IT security issues.
1 password security
2 installing too much – unnecessary exposure
3 misconfiguration – making mistakes
4 system isn’t hardened
5 no security training/awareness for staff
6 patches not applied
7 encryption issues (securing communication)
8 broken input/output validation – one good developer, one not so good
9 improper management of policies, standards, guidelines
10 security is only engaged with at the end of a project
This was a great way to present, as it broke down each point (which in and of themselves are highly complex) into bite-size chunks, easy for the audience to digest. It’s an approach which OWASP are famous for with their top 10 lists.
Next up was the outstanding Cathal McDaid. I think that everybody in the room would have gladly listened and engaged with Cathal for hours. Cathal, as Head of Security Operations at Adaptive Mobile and Chairman of the GSMA Mobile Malware Group, is a real expert in the area.
He offered an interesting example of mobile malware, an Android app called Bazuc. This particular app led to many users being charged excessively large phone bills, as well as being linked to stock market manipulation. All from a seemingly harmless app in the Google Play Store (since removed).
One of the interesting things about this app is that it is not regular malware, as people actually sign up to it and consent to the terms and conditions.
Cathal displayed an image of Leo DiCaprio as Jordan Belfort, the subject of the blockbuster book and movie The Wolf of Wall Street. He discussed how Bazuc can and is influencing the stock market, targeting penny stocks. Using people’s phones as drones, it will send messages to people across the world promoting particular penny stocks, e.g. “buy stock A now and expect returns of 400% over 6 months”. By manipulating demand for and the price of these stocks, there is scope for the culprits to trade their way to millions in profit.
Another example of how Bazuc can be used is prompting text recipients to “call me back”. The number provided may look similar to a local number, e.g. 085/086/087…, but includes an extra digit, bringing you instead to a foreign premium-rate number.
Cathal used an excellent analogy in which he named Bazuc users as malware mules. Mules similar to drug mules, in the sense that they are knowingly carrying contraband. Users are told to fly under the radar of authorities, which should sound shady to users. He discussed instances where people have sent thousands of texts a week, many times from their company-issued phones. Oftentimes, people are mistaken in their assumption that their phone plan includes out-of-country texts; if it doesn’t, their service provider can hit them, or the bill payer (employer), with a bill of up to 25 thousand. That is sure to be an awkward conversation with your service provider/employer/husband or wife.
More info on Bazuc here: https://blog.lookout.com/blog/2013/12/19/shoot-the-bulk-messenger/
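The “call me back” lure described above (a number that looks like a local mobile number but carries an extra digit) is the kind of thing an SMS filter can flag with a simple length check. The following is an added example, not code from the original post, from Cathal’s talk or from any AdaptiveMobile product. It assumes that Irish mobile numbers are 10 digits long and begin with one of the prefixes named on the page (085/086/087); the sample messages are constructed for the example and are not real Bazuc traffic.

```python
import re

# Constructed sample SMS bodies (not real Bazuc messages): a benign
# "call me" message carrying a proper 10-digit local mobile number, two
# call-back lures whose numbers look local but carry an extra digit, and
# a message with digits that are not a phone number at all.
SAMPLE_SMS = [
    "Hi, running late, call me on 086 123 4567 when you land.",
    "Missed your call! Please call me back on 0861 234 5678 asap.",
    "You have a voicemail. Ring 087-1234-5678 to listen.",
    "Tickets confirmed, ref 12345678. See you there.",
]

# Assumption for this example: local (Irish) mobile numbers are exactly
# 10 digits and start with one of these prefixes. Extend both for a
# real deployment; the page only names 085/086/087 as examples.
LOCAL_MOBILE_PREFIXES = ("085", "086", "087")
LOCAL_MOBILE_LENGTH = 10

# A run of digits (optionally split by spaces or dashes) with an optional
# leading "+", at least 8 characters long so short references are ignored.
NUMBER_RE = re.compile(r"\+?\d[\d\s\-]{6,}\d")
# Phrases that ask the recipient to place a call (the lure's hook).
CALLBACK_RE = re.compile(r"\b(call me back|ring|call me)\b", re.IGNORECASE)


def extract_numbers(text):
    """Return candidate phone numbers found in text, spaces/dashes removed."""
    return [re.sub(r"[\s\-]", "", m.group()) for m in NUMBER_RE.finditer(text)]


def classify_number(number):
    """Return None if the number is a well-formed local mobile number or is
    not mobile-looking at all; otherwise return a short reason string."""
    if number.startswith("+") or number.startswith("00"):
        return "explicit international prefix"
    for prefix in LOCAL_MOBILE_PREFIXES:
        if number.startswith(prefix):
            if len(number) == LOCAL_MOBILE_LENGTH:
                return None
            # This is the Bazuc-style trick: a local-looking prefix followed
            # by the wrong number of digits, e.g. one digit too many.
            return (f"looks like local prefix {prefix} but has {len(number)} "
                    f"digits, expected {LOCAL_MOBILE_LENGTH}")
    return None


def suspicious_callbacks(sms_texts):
    """Return (message, number, reason) for each message that both asks the
    recipient to call and contains a number that classify_number rejects."""
    findings = []
    for text in sms_texts:
        if not CALLBACK_RE.search(text):
            continue
        for number in extract_numbers(text):
            reason = classify_number(number)
            if reason is not None:
                findings.append((text, number, reason))
    return findings


if __name__ == "__main__":
    for message, number, reason in suspicious_callbacks(SAMPLE_SMS):
        print(f"FLAG {number}: {reason}\n    in: {message}")
```

Run over the constructed sample, the benign 10-digit number passes and only the two 11-digit “call me back” numbers are flagged. The check is deliberately crude: it says nothing about where the extra digit routes the call, only that the number is not the local number it is dressed up to look like, which is enough to hold the message for review.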
One of the things I found interesting was how the room marvelled at, and in some ways showed appreciation for, the intricate genius required in order to come up with and develop a malicious app such as Bazuc. Not only that, but also doing it in a way that users actually sign up and download the app themselves. I witnessed the audience taking notes and I’m sure it was so they could look the creator up at a later date.
This level of intrigue between the white hats and black hats ( http://www.morganmckinley.ie/article/ethical-hackers-good-guys ) is fascinating, as in many ways the good guys and the bad guys work in the same space and get a thrill from learning of new innovations. It is also true that sometimes the line between good and bad can be a thin one; oftentimes a white hat will swap out their white hat for a grey one.
Cathal also discussed how people will often click to accept terms, in a case of user permission fatigue, which may stem from an inherent user trust in applications offered by trusted OS vendors such as Google (Android).
He discussed how, sure, the Android market, iOS App Store etc. are quite safe, but they are not perfect. They are becoming safer as the stores become more and more security conscious, with regular updates (e.g. the recent KitKat upgrade) flushing out security risks and tools which can be used for malicious purposes, and with tightening criteria to enter/publish apps.
I spoke with one of my contractors afterwards, an ethical hacker. I told him that if I had the brains for it, I would love to work in IT security. It is an area of IT which is full of really passionate people, unlike any other. My contractor gave examples of how security issues are all around us: shoulder surfing, and even losing phones/data, is one of the highest concerns of people/organisations. I had put up our login details so people could tweet etc.; he gave me examples of how that could be a bad idea!
The event was a success. We had a room packed to capacity, full of 80+ really smart, intelligent IT Security professionals, all of whom were happy to engage in conversation and debate. Most will have left our offices last Monday having learned about Mobile Security and having got to network with peers over some pizza and beers, ha that rhymes!