Don't fear 1337 exploits. Sloppy mobile, phishing defenses a much bigger corp IT security threat
DARPA-funded white hat emits timeless advice
IT admins should focus on the fundamentals of network security, rather than worry about sophisticated state-sponsored zero-day attacks, mobile security expert Georgia Weidman told London's AppSec EU conference on Thursday.
Weidman, founder and CTO of mobile security testing firm Shevirah, cut her teeth in the industry six years ago mingling with the black hat crowd, where elite security researchers tried to outdo each other with exotic exploits, and looked down their noses at attacks based on phishing emails and links.
Since she started helping enterprise customers test their mobile device management and other technologies, Weidman realized it's the simple stuff that causes the vast majority of problems.
Rather than fear a nation's top government hackers abusing an unheard-of vulnerability, you should keep an eye on the defenses that block phishing links and dodgy apps, and that stop files leaking over Bluetooth from handhelds. These are much, much more likely attack routes.
"It's patching or getting phished," Weidman told The Register after her keynote. "It's not nation states spending God knows what on zero days. We still haven't gotten the basics right."
Enterprises seeking signs of exploitation in the mobile devices used by their workers often look for Cydia, an alternative to Apple's App Store for jailbroken iOS iThings. Jailbreaking devices in violation of enterprise security policies can be an issue, but the presence of Cydia is not enough. Data-stealing apps are far more of a threat.
Similarly, Weidman said employees should be trained to be wary of mobile phishing attacks, which can hit devices through multiple communication channels as well as email.
The controls are out there, so use them
During her presentation, Weidman ran through enterprise-grade security controls available on the market – such as mobile threat defense and mobile application management – while offering examples of how they may fall short under attack.
Weidman has presented or conducted training at venues around the world including for the NSA, West Point and the Black Hat security conference. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open-source Smartphone Pentest Framework (SPF).
These days she is developing proof-of-concept iOS and Android exploits for testing purposes. Android is so fragmented that it's hard to develop reliable exploits, Weidman said during her presentation.
Privately, after her talk, Weidman praised Google for open-sourcing its mobile exploit research, through its Project Zero initiative and other conduits. ®