Defcon reminds us to always update software
One presentation in the Wall of Sheep area of Defcon highlighted the recently publicized iOS
Attachment Vulnerability. Andreas Kurtz discovered the vulnerability in April 2014 and
revealed that iOS Data Protection (enabled by using a PIN or passcode on your iOS
device) was not protecting Mail attachments.
This impacted devices running iOS 7.1.1 and older. If an attacker booted one of these devices in
Device Firmware Update (DFU) mode, they could leverage a custom RAMdisk and log in
over USBmux to read email attachments from both personal and corporate accounts in
clear text (no encryption).
Fortunately, EMM solutions with attachment security proved to offer protection from this
threat. Attachment security encrypts corporate email attachments automatically. Apple has
since released iOS 7.1.2, which fixes this bug, so enterprises are encouraged to upgrade their iOS
devices to the latest iOS release.
Top 6 takeaways
Three shows, 11 days, and thousands of attendees. These shows allowed the security
community to come together, reveal cutting edge security research, and learn how to better
fortify their networks. It was interesting to see that many of the mobile security themes from
previous years are still prevalent:
1. Security is not a silver bullet. Employ a layered security approach to minimize single
points of exposure.
2. Leverage encryption wherever possible, both for data-at-rest and data-in-motion.
3. But encryption alone doesn't protect data, so employ data loss prevention (DLP) as
well.
4. Certificates can help. Man-in-the-Middle (MitM) attacks continue to plague
organizations, so ensure you’re using certificates with SSL/TLS mutual
authentication.
5. Be prepared. Ensure you have proactive and reactive countermeasures in place
because, as they say, “it’s not a matter of if, but when.”
6. Patch it. Keep up with your security patches from vendors to avoid unnecessary
threats.
Until next year, “may the force be with you”.
15 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide