Tuesday, April 3, 2012

Panel Members:

• Saurabh Bagchi, Purdue
• David Keppler, MITRE
• Jeremy Rasmussen, CACI

Panel summary by Robert Winkworth.

The panel was moderated by Keith Watson, CERIAS, Purdue University.

In light of its unprecedented growth, wireless mobile communications remains a major focus of security research. The stated purpose of this panel was to address the challenges in securing data and processing, limiting communication to designated parties, protecting sensitive data from loss of device, and handling new classes of malware.

Professor Bagchi opens the discussion with these key points and predictions:

• 3G routing often circumvents institutional barriers and filters.
• Information is leaking from one application to another within the device.
• More anti-malware software packages are sold now. This will increase.
• Virulent code will spread by near-field technologies, such as Bluetooth.
• It is becoming more lucrative to commit unauthorized remote monitoring.
• Encryption for mobile services will improve in the future.
• Behavior-based detection will become more popular.
• New features are often rushed to market before being functionally secure.

MITRE’s David Keppler joins the discussion with these thoughts:

• Mobile devices are single-user devices, and are highly personalized.
• On the device, we are separating apps rather than users.
• Contacts, social network data, banking info, etc. are stored in mobiles.
• Locking down devices can reduce productivity.
• Users like to have one device for many different actions.
• A single compromised device can enable a threat against many network users.
• Mobiles are “always connected”, and that brings security implications.

CACI’s Jeremy Rasmussen contributes:

• DoD facilities are still trying to prevent mobile activity on premises.
• New proposals would extend popular connectedness to government workers.
• Policy is lagging behind what technology provides.
• Everything needed, even for NSA standards, is available as free software.
• Vouching for a unit is vouching for every combination of apps it can run.
• The US government struggles greatly to keep pace with technology.

The audience submits questions:

Attendant: “What will it take to make mobiles as secure as desktops?”

David: “I would argue that the vulnerabilities of a handheld are actually no worse than those of a laptop. A proper risk assessment should be done for each. Expect that exploits will always be possible, but invest for them accordingly.”

Saurabh: “Protocols and architecture need to be standardized. This will be helpful to developers. And we need openness in standards.”

Attendant: “Does it seem inevitable that Android will allow lower-level access to the hardware in the future?”

Jeremy: “Yes, and that can benefit the user, who really should unlock the device and install a personalized solution. We must have root access to the phone to get better security. An app cannot protect the user from system abuses that occur at a lower level than app.”

David: “I agree. What we must do is break the current security in order to rebuild it in a more robust way. There are also some underling market issues at work here. Commercial products are unfortunately vendor-specific, but need to be standardized. How can this happen where there is DRM?”

Attendant: “What are the key differences in user experience between desktop and mobile?”

Saurabh: “Energy consumption, bandwidth, and limitations in the user interface.”

David: “Users trust mobiles MORE rather than less than their desktops. They have not grasped the magnitude of the mobile threat.”

Keith: “What advice would you have for CSO/CIO as they face these threats?”

Saurabh: “CSOs and CIOs don’t ask me for advice! [laughter] What I would recommend, though is strong isolation between applications, and a means to certify them before loading.”

David: “There are some utilities available that employers can have users run if they’re going to be on a private network. Some risk is inevitable, though. There is no perfect solution.”

Jeremy: “Yes—NAC (Network Access Control) used to be required for user devices if they’d be allowed on a corporate network. We need that for mobiles, but I don’t see how it’s possible; we can be circumvented so easily.”