­
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions (Black Hat Conference 2016) - All Articles - CISO Platform

Bad for Enterprise: Attacking BYOD enterprise mobility security solutions

The global market for Bring Your Own Device (BYOD) and enterprise mobility is expected to quadruple in size over the next four years, hitting $284 billion by 2019. BYOD software is used by some of the largest organizations and governments around the world. Barclays, Walmart, AT&T, Vodafone, United States Department of Homeland Security, United States Army, Australian Department of Environment and numerous other organizations, big and small, all over the world. Enterprise Mobile Security (EMS) is a component of BYOD solutions that promises data, device and communications security for enterprises. Amongst others, it aims to solve Data Loss, Network Privacy and jailbreaking/rooting of devices. 
Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in some cases can even expose an organization to unexpected risks. I will show attacks against EMS protected apps on jailbroken and non-jailbroken devices, putting to rest the rebuttal that CxOs and solution vendors often give penetration testers, ""We do not support jailbroken devices."" I will also introduce a groundbreaking tool, Swizzler, to help penetration testers confronted with apps wrapped into EMS protections. The tool conveniently automates a large amount of attacks that allows pen-testers to bypass each of the protections that Good and similar solutions implement. In a live demonstration of Swizzler I will show how to disable tampering detection mechanisms and application locks, intercept & decrypt encrypted data, and route ""secure"" HTTP requests through BURP into established Good VPN tunnels to attack servers on an organization's internal network. Swizzler will be released to the world along with my talk at Blackhat USA. Whether you are a CxO, administrator or user, you can't afford not to understand the risks associated with BYOD.

Speakers

Vincent Tan ( @vincent_tky )

Vincent Tan has over 4 years of experience in information security, whose expertise spans almost the entire enterprise technology eco-system. His expertise and experience includes software engineering, vulnerability research, penetration testing, source code auditing, reverse engineering and network analysis as well as many other areas within the information security industry. This broad and deep capability gives Vincent a unique insight into the complexities of enterprise eco-systems and how they can be undermined. He has spent the past year focused on understanding, analyzing and attacking mobile applications across different platforms and operating systems. His work with hostile and complex mobile applications has given him the necessary knowledge and understanding on how to securely develop mobile application and also measures that mobile security solution provided need to take in order to properly secure mobile devices.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)

8669803288?profile=original

 

Votes: 0
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

City Round Table Meetup - Mumbai, Bangalore, Delhi, Chennai, Pune, Kolkata

  • Description:
    CISO Playbook Round Table Overview : 
    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology Implementation: From…
  • Created by: Biswajit Banerjee
  • Tags: ciso, playbook, round table

Round Table Dubai 2025 | GISEC

  • Description:
    CISO Playbook Round Table Overview : 

    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology…
  • Created by: Biswajit Banerjee

Fireside Chat With Dan Bowden (Global Business CISO, Marsh McLennan (Marsh, Guy Carpenter, Mercer, Oliver Wyman))

  • Description:

    We’re excited to bring you an insightful fireside chat on "Navigating the Cyber Insurance Landscape: Key Considerations for CISOs" with Dan Bowden (Global Business CISO, Marsh McLennan) and Erik Laird (Vice President - North America, FireCompass). In this fireside chat, we'll decode the complexities of cyber insurance from a CISO’s lens and uncover how to make smarter, security-aligned decisions when it comes to policy design, claims, and ROI.

    As cyberattacks grow in…

  • Created by: Biswajit Banerjee
  • Tags: ciso, cyber insurance, dan bowden

CISO Platform: CISO 100 Awards & Future CISO Awards @ Atlanta

  • Description:

    Nominate for the CISOPlatform CISO 100 Awards & Future CISO Awards - Recognizing Cybersecurity Leaders. Recommend someone you know deserving of this prestigious accolade....Nominate your colleague, mentor, someone you admire or yourself !

    CISO Platform is collaborating as a community partner with EC-Council’s Global CISO Forum, supporting initiatives such as the CISO Platform…

  • Created by: Biswajit Banerjee