4th Annual Mobile Security 2008

• GSM Association algorithms and protocols, technical security aspects of customer, and recommended infrastructure solutions to combat fraud

• Establishing the main aims of hackers and data harvesters
• What security protection does technology afford us?
• Analysing the user-patterns of different sector customers; timeframes for company and customer survival without adequate security protection
• Determining the right level of security on an individual company basis
• Establishing an effective line of command/responsibility for security policy implementation
• What is going on out there? When will security attacks hit our mobile device - or have they already?

Extending security of your Information Systems to accommodate mobile technology is a challenge that is not well understood by many and consequently associated risks and complexities are often miscalculated. This session will cover:

• How organizations can set and implement corporate security policies for mobile technology, supported by real-world case studies
• Technologies and techniques for mitigating risks, as well as lessons learned from trying to mobilize an organization's information
• The importance of innovation in the security domain, including a demonstration of a two-factor authentication smartcard Key Learning Points
  1. Understanding of threats and limitations in wireless world
  2. Paradigms and approaches that work.
  3. Enterprise tools for effective and efficient control of mobile deployment

• Effectively securing sensitive information across shared and converged networks
• How can device content be protected through a combination of hardware, software and executive policy for the everyday user?
• Assessing over-the-air encryption options: IPsec tunnelling to a corporate VPN gateway; Wi-Fi data encryption using WPA/WPA2; other methods deterring eavesdropping on messages in transit
• What are the benefits and drawbacks of one time passwords, fixed codes and token-based systems, all-time access, and kill-pill final solutions?
• How can employee use of third-party applications, IM and Bluetooth, be best utilised and controlled?

• From intrusion to extrusion - determining the importance of extrusion by looking at high profile leakages, moles, and financial impacts of data loss.
• What are the best DLP methods to security at MNO’s and corporates at large?

• Risk-analysis of increasing mobility across the home. (Femtocells, WCDMA, WIFI - and shared operator cost and gain)
• Prevention of unsolicited communication (abuse of low-cost SMS and spam over internet telephony and other technologies)
• VOIP - the security risks of IP telephony and how the gaps can be closed

• Establishing the work of the Radboud University Digital Security Group
• Assessing the impact of the Mifare Classic exposure - is it right to expose security flaws? What would be the future impact if results had not been published?
• What are the positive mobile security developments following security R&D? - the next steps for smart card security development and vertical integration sectors utilising RFID tag technology

• Advanced operating systems and how they are dealing with security
• Device loss, CAC cards, and ensuring untouchable data at all times
• The impact of smart phones; corporate usage, security levels, and balancing sexiness with security risk!

• Recap of use of trusted modules and secure element
• Strengths and weakness of the UICC vs trusted modules/secure elements
• Operator concerns with replacement of UICCs
• Standardisation initiatives - SA3 Machine to Machine (M2M), ETSI SCP non-removable UICC, 3GPP LTE requirements for USIM application from non-LTE handsets (but no stipulation that USIM must be on a UICC)
• The LTE and NGMN opportunity for v small low cost terminals as a driver for integrated USIM
• Conclusions

• Open source vs. proprietary security solutions: what is the pay-off between functionality and integrity?
• Educating end-users: assessing the common perception of mobile devices as a benign object as a role in securing mobile content security
• Determining the need for a common regulator of security solutions, legal back-up and potential standardisation to security innovation
• Best practice combination of trusted execution environments and open source - common examples and future hopes

Security solutions awards ceremony

• Secure service development and long term security thinking

• Security challenges of a mature mobile operator taking over an operation in a deficiently regulated market and a state in political transition, the Telenor Serbia experience
• Mobile as a tool for terrorism and serious crime: ''It’s not difficult to hide yourself in mobile network"
• Fraudulent usage of mobile as an illegal revenue stream for the crime eco-system; blurred delimitation with cyber and trans-national organised crime
• Mobile as a target of criminals, industrial espionage and the private security sector. A threat to both trust and confidence in services and business credibility of mobile operators
• Are we missing the big picture of converging (both ICT and criminal) networks? Liaison of regulators, law enforcement, telecom operators and industry as an imperative part of solution

• Working with industry - securing networks, handsets and immobilising criminals cross network and region (Biometrics, pin and 2d barcodes)
• Organised criminal networks and their movements in m-payments fields
• Working with networks and operators to accelerate phone blocking after loss/theft
• NMPU - a history and background research into the security concerns of mobile banking and payments services

• Establishing the concerns of the committee: recent identity security risks (passport/data cards) and how to mobilise identity information without compromising security
• How will mobile devices be utilised for identity authentication - social impacts and considerations

HOW TO EFFECTIVELY AUTHENTICATE IDENTITY

• Should users be able to modify their handsets?
• Assessing the impact of unlocking possibilities and extrusion/intrusion leakages
• Getting ahead of reverse engineering : securing mobile 2.0
• How can DRM be upheld and piracy stopped - best practice conditional access
• Consenting to surveillance and security - where is the line drawn?
• The ins and outs of biometrics and forensics in the mobile domain

• Mobile security from a forensic evidential point of view
• Current security measures on mobile devices and how this effects obtaining evidence
• How to overcome measures for forensic examination, their weaknesses and strengths
• The forensic problems caused by methods of circumventing security features

• Public vs. Private vertical integration NGMN applications: maintaining reputations and consumer trust with security stratagems
• Software defined networks; opportunities and remote sensing security concerns

• How can sites best protect consumer information from malware harvesting identity data? - identifying formulaic behaviour and acting fast
• Site responsibility to prevent damaging mass behaviour; filtering damaging user-content vs. protecting user-privacy
• Assessing the future role of converged log in sites

• Consistent access to key interfaces across mobile devices
• Appropriate security to enable user trust
• Which reference implementation will cement the BONDI recommendations?
• Co-ordinating web and mobile communities to maximise success
• Achieving interoperable new services for users across multiple devices and operators

• The art of securing high value audio visual content. What does it mean for mobile security? Where does the responsibility lie?
• How can contents right management be best upheld and piracy addressed? Establishing the technical and policy methods which ensure an adequate level of content security and DRM.

• Newspaper headlines and real problems
• Security characteristics of the interface and environment
• Risk analysis for payment systems: the security lifecycle for mobile phone banking
• Some thoughts, experiences and recommendations

• What are the potential costs of mobile security breaches?
• Desktop vs. mobile - viral infection on the desktop and keeping the mobile clean
• Analysing the benefits of applications remaining signed / sandboxed to prevent security defects vs. the sacrifices of ‘closing’ applications developments.
• Is layered signing the answer for mobile?
• Prompting versus not prompting the user
• Usability issues
• The need for a secure hardware platform and where the real threats are - embedded hackers