Mobile Devices Using Without Losing Mark K. Mellis Associate Information Security Officer Stanford University Information Security Office Tech Briefing 30March 2012
We all have mobile devices iphones, ipads, Droids There s an App for that! What can we do to protect our own privacy and the University s data while enjoying the convenience of mobile personal computing devices? Mobile Devices Using Without Losing
Preview Risks of Mobile Computing Tips What If You Lose Your Phone? Review MDM Walk Through (if we have time) Mobile Devices Using Without Losing
The Future is Mobile Mobile Devices Using Without Losing
What do we use at Stanford? Mobile Devices Using Without Losing
Risks - What s on the device? Not merely documents Access credentials for networks and applications Presentations / Briefing Notes Stanford Email (including secure email) Address Book information Personal photos, movies, and email Personal health, salary, and benefits information Indirect costs Regulatory Issues, Reputation Impact (think donors ) Enough to make you wish you never heard of computers should you lose it Mobile Devices Using Without Losing
Risks What could happen? Loss or Theft of the Device At security inspection points In cabs and airplanes Public places, hotel rooms, and offices Confiscation of the Device By the local police department, US Government, or other governments Spying Reading over the shoulder Targeted attacks planting keyloggers or other malware Intercepting network traffic Mobile Devices Using Without Losing
Stanford s Policy Mobile devices used to store or access Restricted Information (per AGM 63) are required to be managed with an approved mobile device management system (e.g. Stanford MDM) and profile (e.g. the MDM Restricted profile). Examples include Health Information, including Protected Health Information (PHI), Passport and visa numbers, and export controlled information under U.S. law. More information about information classification and handling at: http://securecomputing.stanford.edu/dataclass_chart.html! Mobile Devices Using Without Losing
Label your device A label can help honest people return your lost device, even if the battery is dead. Anonymous labels are available the round label pictured came from stuffbak.com Mobile Devices Using Without Losing
Use a passcode A four digit passcode is plenty unless you access Restricted Data Don t use 1-2-3-4 or 6-6-6-6 Set the screen to auto-lock after a minute or two Set the phone to erase itself if the wrong passcode is entered too many times ten or more is fine Mobile Devices Using Without Losing
A digression on passcodes Daniel Amitay studied* the most-used f0ur digit PINs used in his app - 204,508 samples Top ten (in order of popularity) were 1234, 0000, 2580 (vertical line), 1111, 5555, 5683 (LOVE), 0852 (vertical line), 2222, 1212, 1998 (birth year?) Of these, 1234, 0000, 1111, 2222, 1212 are blocked by the MDM passcode policy. Beware of the others! * http://amitay.us/blog/files/most_common_iphone_passcodes.php! Mobile Devices Using Without Losing
Phones - Keep the software updated Updates are issued frequently as new vulnerabilities are exposed, the vendor patches them. Applies to both the basic device software and applications for ios devices, the operating system is updated via itunes or over the air, and applications are updated via the App Store. The update story is not so nice for Androids. Mobile Devices Using Without Losing
Don t jailbreak or root it It is popular in some circles to circumvent the security controls on mobile devices in order to avoid paying for particular features or to enable capabilities that the carrier or vendor doesn t provide. This is called jailbreaking or rooting. Jailbreaking removes a layer of protection that helps keep malware from running on the device Jailbreaking is usually prohibited by mobile phone company contracts Jailbreaking is contrary to security best practices for those reasons Mobile Devices Using Without Losing
Sign up for "find my iphone It s available free on the itunes App Store. Of course you might have an Android phone there s an app for that. Lookout Mobile Security Premium https://www.mylookout.com for example. Mobile Devices Using Without Losing
Sign up for "find my iphone Allows you to: Display a message or make a sound Set a passcode lock remotely Remote wipe Display location on a map Mobile Devices Using Without Losing
Backups If it s an ios device, you can use itunes or icloud to back it up. Other devices have other backup mechanisms. If you have a good backup of your phone, and you lose it, you can do a remote wipe without having to worry about losing your contacts, photos, and other valuable information. It helps make doing the right thing easier. Mobile Devices Using Without Losing
Encryption If it s an ios device running recent software, merely setting a PIN or passcode will automatically encrypt the phone. If you have a good backup of your phone, and you lose it, you can do a remote wipe without having to worry about losing your contacts, photos, and other valuable information. It helps make doing the right thing easier. Mobile Devices Using Without Losing
What if you lose it? Next to the pictures of your loved ones, the most valuable things on your mobile device are probably your SUnetID and password If your device is lost or stolen, call the Help Desk at 5- HELP. They will assist in changing your SUnetID s password. Doesn t matter if you are in MDM or not, works even for Androids and other devices that MDM doesn t support yet. If you are enrolled in Stanford MDM, the Help Desk can lock it, wipe University data, and help you think through your options for trying to recover the device. Mobile Devices Using Without Losing
Mobile Device Management Stanford has a new service called Mobile Device Management It will set up your email and calendar, and these security and privacy best practices for you Read about it at http://mobilemanagement.stanford.edu Mobile Devices Using Without Losing
Enrollment Walk-thru 1
Enrollment Walk-thru 2
Enrollment Walk-thru 3
Enrollment Walk-thru 4
Enrollment Walk-thru 5
Enrollment Walk-thru 6
Enrollment Walk-thru 7
Enrollment Walk-thru 8
Enrollment Walk-thru 9
Enrollment Walk-thru 10
Enrollment Walk-thru 11
Enrollment Walk-thru 12
Enrollment Walk-thru 13
Enrollment Walk-thru 14
Enrollment Walk-thru 15
Enrollment Walk-thru 16
Enrollment Walk-thru 17
Enrollment Walk-thru 18
Enrollment Walk-thru 19
Enrollment Walk-thru 20
Self-Management Interface 1
Self-Management Interface 2
Self-Management Interface 3
Self-Management Interface 4
Self-Management Interface 5
Self-Management Interface 6
Support Management Interface 1 $ remctl mdm1 mdm list-devices -u mkmellis fde2f92601f64fb48fb7847cf9599f58ec85ff8c mkmellis AT&T iphone4,1 117 3c:d0:f8:4e:df:16 Mark K. Mellis's iphone $
Support Management Interface 2 $ remctl mdm1 mdm show-device fde2f92601f64fb48fb7847cf9599f58ec85ff8c Device 1 of 1: DB id: 3158 UDID: fde2f92601f64fb48fb7847cf9599f58ec85ff8c Device Name: Mark K. Mellis's iphone User Name: mkmellis Model: iphone 4S Last Check-in: 2012-01-02 20:03:09 OS Version: ios 5.0.1 (9A405) Cert Expires: 2013-01-01 20:02:18 WiFi Mac Address: 3c:d0:f8:4e:df:16 [continued]
Support Management Interface 3 [continued] Phone Number: +16504756859 Cellular Technology: GSM Cellular NetworkId: 01 300400 333769 5 Sim Carrier: AT&T Last Carrier: Serial Number: C39GPJ9QDT9V Carrier Settings Version: 11.0 Modem Firmware Version: 1.0.13 Capacity (GB): 13.58082199096700 Last Updated: 2012-01-02 20:02:42 Profiles Installed: MDM Regular [v20110815-9] ActiveSync [v20110815-13] Cisco VPN [v20110815-15] $
Support Management Interface 3 $ remctl mdm1 mdm show-apps fde2f92601f64fb48fb7847cf9599f58ec85ff8c Applications Installed: AirPort(100.14) BayAreaNews(1.02) BodyMedia(2413) Calc 16C(1.1.0) [ ] Yelp(5.5.1) Z-Subsonic(2.8) $
Here s what you do 1. Review these tips (and more) at http://securecomputing.stanford.edu/ mobile 2. Put them into practice today! 3. Enroll in Mobile Device Management at https://mdm.stanford.edu/register Mobile Devices Using Without Losing
Questions? Mark K. Mellis mkmellis@stanford.edu http://securecomputing.stanford.edu Mobile Devices Using Without Losing