Time
8 hours 33 minutes
Difficulty
Beginner
CEU/CPE
9

Video Transcription

00:05
so cellular provider security,
00:07
late model smartphones and cellular network capable mobile devices followed digital network standards, which had security futures
00:16
to G uses an a 51 stream cipher that encrypts the network up indication.
00:22
The problem is two G's now been out
00:26
since the early 90 so we're looking at 20. Just over 20 years, the two G's been out, and each year
00:33
additional research goes into breaking that encryption scheme.
00:39
In the two thousands early 2000 somebody came out with a research paper that theorized the way of doing it. Well. A couple of years later, computing power increased. So now the attack that was theoretical here is possible Now,
00:53
last year 2011 somebody was actually able to break at least one a 51 stream cipher.
01:02
Does that mean that the whole GSM system needs to be blown up?
01:06
They didn't release all the technical details of their attack. I can't tell you if it works against every single phone and if they actually need access to your phone or if they just need to see the packets flying to your phone.
01:18
But just be aware that two G is under constant scrutiny Yes, it's encrypted, but the encryption algorithm isn't all that strong.
01:27
So as people attack it as more and more researchers look at it
01:34
to G, if it's not already,
01:36
uh, broken to G will eventually get to the place where
01:41
it's not usable anymore. And that's one of the reasons we're starting to see. Two G networks draw down, at least in the United States, to G Towers Air starting to be decommissioned, where three D Tower or three D signal is already strong enough.
01:53
Three g uses a Kasumi Block cipher. It's a stronger encryption algorithm. I don't know. I haven't seen any attacks against that block cipher,
02:02
but again,
02:04
20 years from now, as more and more researchers look at it is, computing power gets stronger and stronger.
02:10
I have no doubt that eventually that block cipher will be
02:15
broken.
02:15
And then for G e l T E uses E. P s authentication key agreement, which is 128 biz bit now as Cypher non access stratum
02:27
again.
02:28
No known attacks as of this point,
02:30
but no known attacks. Does that mean that somebody out there doesn't have an attack, and they just haven't released it to the general knowledge.
02:40
Nobody knows. I can't tell you for certain that to g three D or four g is perfectly safe
02:46
or perfectly compromised. I know the work is underway to compromise to G three G and 42 G is pretty close to them breaking it and having access to all the data.
03:00
And they don't even need to do it real time. They can record what's going on over the air, take it back somewhere and work on it at another location.
03:07
So you might have had a conversation 10 years ago with somebody recorded. And as information technology increases
03:16
as computing power increases, a conversation that happened 10 years ago that you,
03:21
I don't even remember at this point could be broken in the future.
03:27
An interesting side to this is,
03:30
um the M S. A. Has been working on a way of routing the call's encrypted
03:37
for their employees through their servers directly. So I get on the phone. I haven't encrypted encryption module on my phone.
03:46
2 56 a s. I can't rember someone 22 56 knowing s A. It's probably to 56.
03:52
It encrypts the voice to 56. It routes from the phone company to Endesa directly
03:59
the N s A. Then routes it to the person who you're calling. That's also in an NSA employee. They have the app on their end, which will allow the decryption of that phone.
04:10
So they're saying Leanna is going This encryption is not good enough for
04:15
are sensitive information
04:17
Currently. Military If you wanna have a classified call, you have to use a stew.
04:23
You have to use a secure telephone.
04:26
However, if Ennis Ennis his proposal works,
04:30
this could be very interesting. Technology for D o D haven't uploaded on
04:34
our warriors. Phones have an app at the command side. They can use now a cellular device rather than having to use a £10 brick and have to carry it around to transmit that information encrypted.
04:48
So there's other layers that people are working on, too.
04:53
Take care of the limitations that we're finding in thes security particles.
05:00
Now, to these two d three g for G are in relation to GSM
05:04
CD M A. Just due to the inherent nature of how the network works is more secure than GSM. I don't know of I only know of one attack has been reported in the last two years against CD A man, and the person didn't release any information about their attack.
05:21
It was actually the Black Hat Conference last year. Somebody
05:25
I was able to get a CD m a conversation from a phone.
05:30
Did they root the phone? Firsts. Did they get something off the phone before hit the CD M A network?
05:34
No details.
05:36
There's just reports that it happened. So again,
05:41
these air mobile devices
05:43
stuff is going through the air,
05:46
even if it's not able to be cracked now
05:48
as computing power increases. If we ever do see the quantum computing come about and the decryption capabilities that quantum computing is supposed to have,
06:00
I wouldn't trust the CD, a Mayor GSM network. It all of that point because we're talking on exponential ability to get past the encryption that these systems were talking. But that's sort of in the future, and that's sort of coming along
06:13
best. So Physical security Best practices.
06:16
First rule of cell phones don't lose it. If somebody gets physical access to your device,
06:24
even if you have encryption,
06:26
they'll have a much easier chance of trying to get something off the phone rather than if they're just trying to get something out of the air.
06:33
So don't let somebody get physical access to your your phone
06:38
again. Smartphones at this point are just networked computers. They're small form factor computer.
06:45
I can do anything on my phone
06:47
that I can do on my desktop or my laptop or even on a server. At this point, it doesn't have all the same software, necessarily, but it has the same sort of computing power
06:58
email contacts, photos, documents, stuff stored on the cloud banking, information, shopping information. All this information is linked to at least myself on I don't know for you guys whether you do the same sort of things with your cell phones, but I know most of my friends to do. I know most my family does.
07:17
I have no qualms about going to amazon dot com from my phone and purchasing something,
07:25
but is riskier than from a wired Internet connection. It's going over the air, and if somebody were ever able to get my phone
07:31
and me, I
07:33
tend to leave stuff places I probably shouldn't. Every now and then
07:38
they would be able to get my life basically from getting my phone.
07:42
So there is a huge security risk if it's lost, stolen or compromised.
07:46
So first rule. Never leave it unattended.
07:50
Know who's around you if they're using it at the restaurant, put it away after you use it. I've walked out of a restaurant at least three times. Luckily, I got only a couple steps out the door before I realized Wait a second. My phone's still inside.
08:07
Always use device passwords. Now there's there's strong and there's weak passwords. When I talk about a strong password, I'm talking about Alfa Numeric.
08:16
At least eight characters, special symbols or even better, it takes longer to crack those passwords. Week. The four digit numeric
08:26
password.
08:28
The swipe pattern on an android phone would be considered weak.
08:31
There are ways around it on certain devices, and the forensic tool manufacturers air working out how to get around it on other devices.
08:41
Use Alfa numeric if you can. I know
08:46
it's not as user friendly. It's much easier to type in a four digit number to swipe your password,
08:52
but at the same time it's less secure. So you you personally. If it's a personal phone, have to decide
08:58
how important is the data on my phone? In the case, it gets lost
09:03
as they work as a business environment.
09:05
Complex passwords are required if there's work email flying over that phone.
09:11
If that the phone has any sort of access to internal systems,
09:16
the network administrators really should make sure they're strong, complex passwords on the phones because if they're not and one of those devices go missing, somebody could haven't in to the entire network,
09:28
especially if there's, like VPN software on the phone or remote desktop programs on the phone.
09:35
A lot of companies don't have visibility into what exactly their mobile devices are doing.
09:43
So if a mobile device goes missing and I don't report that my mobile device went missing,
09:48
there can be issues later on.
09:50
If possible, add further password protection to private documents.
09:54
So if I'm sending and receiving documents from the phone,
10:00
try to pat password. Protect him if available, used in from information rights management functionality. Now by default on Lee Windows phone has Iran capabilities. There are add ons for some of the other phones that add the future later on, but on Lee, out of the box does the Windows phone support. I heard him,
10:20
and for business purposes,
10:22
I r M is absolutely wonderful. If I'm sending attachments or email messages to somebody,
10:28
I r M can prevent them from forging them on to anybody else inside or outside the company. Now there's always the manual techniques of Well, I'm just gonna take a picture of the screen.
10:39
Well, there's always ways around security features. If I will really want to find a way around security, I'm gonna find a way around security. But this prevents accidental leakage of important information toe other parties.
10:54
I can't tell you how many times when I've gone toe send a message to somebody.
11:01
Outlook Auto completes the name, and I don't realize Oh, it auto completed somebody else's name and not the person's name that I actually wanted to send it.
11:09
Well, if with Iron Graham, if I tried to send it,
11:13
it wouldn't send because would say this person is not authorized recipient of this message.
11:18
If the I R M technology was being used
11:22
and only keep necessary data stored on the device. So don't treasure trove or, um
11:30
keep information on your phone you don't even need. I am terrible with this.
11:35
I have every single SMS message that ever sent is still on my phone.
11:39
I don't delete my Gmail messages. Have my exchange mail have every single work email that I've sent from the day I started working for my company.
11:50
Every once in a while you do need to D'oh ah, housecleaning on his do spring cleaning. Remove messages You don't need any more.
11:58
Archive them to a secure place if you might need them at a later date in time.
12:03
I have all these text messages. I can't remember the last time I looked through my historic messages, I needed information that I'd received over SMS
12:16
mainstream mobile device platforms. These air the
12:20
this graph is of all the different operating systems, or at least the major operating systems.
12:26
The top four Google Android is number one. This graph shows 36%. This is ah Nielsen. This is February to April 2011.
12:37
Depending on which graph you look at. The painting on it is showing over overall numbers or numbers for just 1/4.
12:46
Depends on which numbers you'll get in each slice. I've seen
12:50
upwards of 40 to 50% B android devices. I've also seen it as low as in this case, 36%.
12:58
I can tell you,
13:00
Android and IOS, our number one and number two they're the most used smartphone platforms in the world. At this point,
13:07
every time
13:09
Apple comes out with a new device, there's a spike in the percentage of apple and then it starts going down until the next devices released. So when the iPhone four s was released, we saw massive spike in IOS devices purchased. And then it trickles down until the next until the iPad three is released. Then we see a spike in IOS devices again.
13:31
BlackBerry. This one shows 23%
13:33
BlackBerry used to be number one.
13:37
I used to be the most used corporate device
13:41
in the world.
13:43
They didn't change fast enough, so just because we see Android number one here Apple number two BlackBerry number three, Windows
13:50
Mobile number four.
13:54
If these companies stopped innovating, innovating or they forget what they're consumers actually want,
14:00
it can very easily switch
14:03
maybe Microsoft. When they release Windows eight and Windows eight tablets and Windows phone eight. It's the best thing since sliced bread, and we start seeing an op arising. Microsoft devices
14:15
this field, the mobile security feet, the mobile device field. Let's say changes very, very quickly.
14:22
The person that's on top today won't necessarily be on top tomorrow, and
14:28
really, it depends on Are they meeting the need of their customers, both consumers and businesses?
14:35
If Windows Phone eight comes out and it has all the security features required for enterprise and the enterprise is already a window shop, why wouldn't they purchase window tablets or window phones? When if it integrates
14:48
altogether, why have Apple devices, or why have BlackBerry devices when you have a tight integration?
14:54
That's one of the reasons they're all called Windows Devices because Microsoft wants that brand together. They want the linkage there so that you'll
15:03
have that thought. Oh, I'm a window shop. I'm going to get Windows phones instead

Up Next