Downloads & Free Reading Options - Results

In order to promote public education and public safety, equal justice for all, a better informed citizenry, the rule of law, world trade and world peace, this legal document is hereby made available on a noncommercial basis, as it is the right of all humans to know and speak the laws that govern them. (For more information: 12 Tables of Code ) Name of Standards Organization: Bureau of Indian Standards (BIS) Committee Designation: LITD 17 Designator of Legally Binding Document: IS 17737 : Part 4 : 2021 Title of Legally Binding Document: Mobile Device Security Part 4 Assessment and Evaluation Number of Amendments: 0 Status: Active Additional Info: LEGALLY BINDING DOCUMENT Step Out From the Old to the New --Jawaharlal Nehru

Lei Xue, The Hong Kong Polytechnic University; Yajin Zhou, unaffiliated; Ting Chen, University of Electronic Science and Technology of China; Xiapu Luo, The Hong Kong Polytechnic University; Guofei Gu, Texas A&M University It’s an essential step to understand malware’s behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What’s worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware’s behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples. View the full program: https://www.usenix.org/sec17/program Source: https://www.youtube.com/watch?v=rXRm6RneY7A Uploader: USENIX

This week I talk about mobile device operating system and file system security, focusing specifically on applications.

The past decade has witnessed an explosion of the penetration of mobile technology through all strata of society. Mobile technologies including cell phones, tablets, and even some e-readers are used for surfing the web, running apps, reading email, posting to social media, conducting banking transactions, etc. This liberation from desktop and laptop machines and from the requirements of a specific geographic location raises concerns regarding the problems and challenges of maintaining security while traversing cyberspace. The purpose of this empirical study is to investigate the attitudes, behaviors, and security practices of business students using mobile devices to access online resources. One group of students surveyed received no specific training regarding mobile security while a second group was surveyed following the completion of an online training program. Results show no significant difference in the security practices of the two groups, indicating that commercially available security training programs are largely inefficacious with respect to modifying student behavior and that additional research on training efficacy is needed.

Summary: Cell phone cyber security 101 Source: http://hackerpublicradio.org/eps.php?id=2717 Original audio: http://archive.org/download/hpr2717/hpr2717_source.flac Introduction Hello and welcome to Hacker Public Radio, I’m Edward Miro and for this episode I decided to address mobile device security. As with most of the research and articles I’ve written in the past, these are geared toward standard users in a business setting and are meant to be a jumping off point for further research and to be a foundation for cyber security 101 level training classes. If you like what I do, and want to have me come speak to your team, feel free to email me. As an information security researcher, I have noticed a trend in what potential clients lately have been interested in: cell phones. Almost everyone I have consulted for in the area of private investigations make this area their main priority. This makes sense as users have started to transition to using mobile devices more and more. Not only do cell phones represent the main conduit to the internet for a huge chunk of people, but many use them for work also. Many companies have smartly presented policies against this, but there are still many organizations that allow bring-your-own-device style implementations. In the following podcast I will try to define the threats, defense and considerations in very broad strokes. Cell phones differ from a standard hacking target in a few ways. For the most part, many of the same vectors are still valid. Remote code execution however is more rare, but not out of the question. I’m going to attempt to present these different vectors in an ascending list of what is most likely to be used as an attack, in my humble (and possibly ignorant) opinion. 1. Passive Surveillance This vector is one many in the hacking world will already be familiar with and it is a major concern for mobile devices as well. Attackers can monitor an access point where the mobile device is connected and collect packets in all the usual ways. Open public WiFi is a treasure trove and tons of data that’s being sent in the clear can be collected, analyzed and leveraged by attackers. Defense here is a bit more complicated for the general user, but shouldn’t be too intrusive for most: Use a VPN on your mobile devices. Switch to a DNS provider that provides secure DNSSEC. Implement proper encryption on access points. 2. Spyware Many commercial spyware applications are readily available on both of the main app stores. The challenges for attackers lie in either gaining physical access to the unlocked device to install the spyware, or tricking the user into installing it themselves. Most often the target’s spouse or close contact does this. Some of these apps can be disguised to look like innocuous applications as a feature, but with devices that are rooted/jailbroken, they can be completely hidden from the user. I found a few surveys that state the average smart phone user has about 30 apps installed. I don’t think it’s unreasonable to suspect the average person wouldn’t notice a second calculator or calendar app. These apps feature the full gamut of what you’d expect from a spyware app. Defense against spyware is pretty simple: Don’t allow unsupervised access to your device. Use a strong passcode or biometric lock. Remove unused applications and be aware of new apps that may pop up. Don’t root or jailbreak your device. 3. Social Engineering The tried and true vector that has always worked and will continue to work is social engineering. It doesn’t matter what kind of device a target is using if you can get them to click a malicious link, open a malicious attachment, or disclose their password to the attackers. With a user’s password you can conduct a vast amount of surveillance through their Google or Apple account. Not to mention leverage their password into all their other accounts as most users still use the same password for everything. We can also callback to the previous section on spyware by mentioning that many users are already familiar with enabling the installation of 3rd party applications and can be tricked into installing a cleverly disguised spyware application. Basic OPSEC recommendations are applicable here: Don’t click strange or unsolicited links or attachments on your devices. Never disclose your password to anyone through a text message or voice call. Don’t install 3rd party applications. I’ll extend this to say not to install any shady or questionable apps, even ones hosted by the app stores. There have been instances of vetted apps being malicious. 4. IMSI catchers/Femtocells I refer to these as DIY Stingrays. Stingrays are devices used by law enforcement to track and surveil cell phone traffic. These devices emulate a cell tower or boost cell phone signals when used in a legitimate way. Mobile phones are designed to prefer using stations that are the closest and strongest. Any technically proficient attacker can DIY one of these devices for not a lot of money. When an attacker deploys one of these devices, the target’s phone usually has no idea that the device isn’t an official cell tower and happily connects and passes traffic through it. The rogue stations can then be configured to pass the traffic on to an authentic tower and the user will have no idea. These rogue towers can not only collect identifying information about the mobile device that can be used to track or mark a target, they can also monitor voice calls, data, and SMS, as well as perform man-in-the-middle attacks. Often they can disable the native encryption of the target’s phone as well. Defense against this vector is a bit more complicated: As before, use a VPN. Use Signal or other encrypted communication apps. Avoid disclosing sensitive information during voice calls. There is software that has been developed to detect and notify the user when a rogue station has been detected, but this is not going to be super helpful for standard users. There are also maps online of known cell towers and it is possible to use software to identify your connected tower. 5. Exploits Speaking very generally, this attack vector is for the most part less of a concern (depending on your particular threat level), but we all know that the chance of this happening in the wild is probably remote for most people. The technical implementations of exploits such as Rowhammer, Stagefright, and Blueborne are well outside the scope of this particular talk, but we would be incorrect to not mention them and what can be done to protect against them. And we should also pay special attention to more and more exploits being developed to attack mobile devices as attackers have started putting a lot of attention in this area. Even though many of these vulnerabilities are being patched, we all know many users are still using old versions of Android and iOS, and many devices are simply outside the support period offered by the manufacturers and will never be updated past a certain point. Couple that with the general idea that mobile devices (or any device running a non Windows based OS) are “safer” because less exploits exist for them is currently a very poor assumption. This will probably get worse as the cost of keeping up with new devices now being over $1000 and many users won’t be able to get devices that are constantly being patched. What we can do: Keep your mobile devices updated with most current OS updates and carrier settings. Also keep applications updated. I don’t know how many times I’ve noticed friends or family with devices that are ready to be updated, but the notifications go ignored. If it’s possible, replace devices when they are outside the support period. Be paranoid, if it applies to you. What this means is when you use any computer or device, always remember that zero day exploits can exist for years before being disclosed. You could follow ALL the best OPSEC practices, and you could still be vulnerable to exploits that haven’t been disclosed and/or patched. This might not matter if you’re just a general user, but if you work for the government or do intelligence work, act as if. Well, thank you for taking the time to listen to my basic introduction to cell phone cyber defense. I know most of the information I provided is only the tip of the iceberg and if current trends hold up, this will only get worse in the future. If you want to add to or correct any mistakes I may have made, like I stated in the introduction, feel free to email me and let’s have a conversation. I don’t claim to know all there is to know and love feedback and any opportunities to learn more or collaborate with others in the field. Thanks again, and have a great 2019!

In order to promote public education and public safety, equal justice for all, a better informed citizenry, the rule of law, world trade and world peace, this legal document is hereby made available on a noncommercial basis, as it is the right of all humans to know and speak the laws that govern them. (For more information: 12 Tables of Code ) Name of Standards Organization: Bureau of Indian Standards (BIS) Committee Designation: LITD 17 Designator of Legally Binding Document: IS 17737 : Part 1 : 2021 Title of Legally Binding Document: Mobile Device Security Part 1 Overview Number of Amendments: 0 Status: Active Additional Info: LEGALLY BINDING DOCUMENT Step Out From the Old to the New --Jawaharlal Nehru

In order to promote public education and public safety, equal justice for all, a better informed citizenry, the rule of law, world trade and world peace, this legal document is hereby made available on a noncommercial basis, as it is the right of all humans to know and speak the laws that govern them. (For more information: 12 Tables of Code ) Name of Standards Organization: Bureau of Indian Standards (BIS) Committee Designation: LITD 17 Designator of Legally Binding Document: IS 17737 : Part 3 : 2021 Title of Legally Binding Document: Mobile Device Security Part 3 Security levels Number of Amendments: 0 Status: Active Additional Info: LEGALLY BINDING DOCUMENT Step Out From the Old to the New --Jawaharlal Nehru

The latest edition in our series on improving and maintaining your personal and work cybersecurity.

Perma.cc archive of https://archive.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security created on 2020-10-28 21:18:58+00:00.

Perma.cc archive of https://archive.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security created on 2020-10-28 21:18:58+00:00.

In order to promote public education and public safety, equal justice for all, a better informed citizenry, the rule of law, world trade and world peace, this legal document is hereby made available on a noncommercial basis, as it is the right of all humans to know and speak the laws that govern them. (For more information: 12 Tables of Code ) Name of Standards Organization: Bureau of Indian Standards (BIS) Committee Designation: LITD 17 Designator of Legally Binding Document: IS 17737 : Part 2 : 2021 Title of Legally Binding Document: Mobile Device Security Part 2 Security Requirements Number of Amendments: 0 Status: Active Additional Info: LEGALLY BINDING DOCUMENT Step Out From the Old to the New --Jawaharlal Nehru

In order to promote public education and public safety, equal justice for all, a better informed citizenry, the rule of law, world trade and world peace, this legal document is hereby made available on a noncommercial basis, as it is the right of all humans to know and speak the laws that govern them. (For more information: 12 Tables of Code ) Name of Standards Organization: Bureau of Indian Standards (BIS) Committee Designation: LITD 17 Designator of Legally Binding Document: IS 17737 : Part 2 : 2021 Title of Legally Binding Document: Mobile Device Security Part 2 Security Requirements Number of Amendments: 0 Status: Active Additional Info: LEGALLY BINDING DOCUMENT Step Out From the Old to the New --Jawaharlal Nehru