0% found this document useful (0 votes)
51 views59 pages

Unit 3

This document discusses security issues related to mobile and wireless devices. It begins by describing the proliferation of these devices and trends in mobility. It then discusses credit card frauds that can occur in the mobile computing era, including risks of wireless credit card processing. Security challenges posed by mobile devices are also examined, such as malware, denial-of-service attacks, and spoofing attacks on cellular networks. The document concludes by providing tips to prevent credit card fraud.

Uploaded by

Rithik Barsal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
51 views59 pages

Unit 3

This document discusses security issues related to mobile and wireless devices. It begins by describing the proliferation of these devices and trends in mobility. It then discusses credit card frauds that can occur in the mobile computing era, including risks of wireless credit card processing. Security challenges posed by mobile devices are also examined, such as malware, denial-of-service attacks, and spoofing attacks on cellular networks. The document concludes by providing tips to prevent credit card fraud.

Uploaded by

Rithik Barsal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 59

Unit-3

► Cybercrime: Mobile and Wireless Devices: Introduction, Proliferation of Mobile and

Wireless Devices, Trends in Mobility, Credit card Frauds in Mobile and Wireless

Computing Era, Security Challenges Posed by Mobile Devices, Registry Settings for

Mobile Devices, Authentication service Security, Attacks on Mobile/Cell Phones,

► Mobile Devices: Security Implications for Organizations, Organizational Measures

for Handling Mobile, Organizational Security Policies an Measures in Mobile

Computing Era, Laptops.


INTRODUCTION
► In the recent years, the use of laptops, personal digital assistants (PDAs), and mobile
phones has grown from limited user communities to widespread desktop replacement
and broad deployment.

► Smartphones combine the best aspects of mobile and wireless technologies and blend
them into a useful business tool
3.2 Proliferation (Growth) of Mobile and Wireless Devices

🕐 Today, incredible advances are being made for mobile devices.

🕐 The trend is for smaller devices and more processing power.

🕐 A few years ago, the choice was between a wireless phone and a simple PDA (
Personal digital assistant)

🕐 Now the buyers have a choice between high-end PDAs and small phones with wireless
Web-browsing capabilities.

🕐 A simple hand-held mobile device provides enough computing power to run small
applications, play games and music, and make voice calls.

🕐 As the term “mobile device” includes many products. We first provide a clear
distinction among the key terms: mobile computing, wireless computing and hand-held
devices.
Mobile computing
► Mobile Computing refers a technology that allows transmission of data, voice
and video via a computer or any other wireless enabled device.
1. Portable computer: It is a general-purpose computer that can be easily moved from
one place to another, but cannot be used while in transit, usually because it requires
some “setting-up” and an AC power source.
2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has
features of a touch screen with a stylus and handwriting recognition software. Tablets
may not be best suited for applications requiring a physical keyboard for typing, but
are otherwise capable of carrying out most tasks that an ordinary laptop would be able
to perform.
3. Internet tablet: It is the Internet appliance in tablet form. Unlike a Tablet PC, the
Internet tablet does not have much computing power and its applications suite is
limited. Also it cannot replace a general-purpose computer. The Internet tablets
typically feature an MP3 and video player, a Web browser, a chat application and a
picture viewer.
4. Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with
limited functionality. It is intended to supplement and synchronize with a desktop
computer, giving access to contacts, address book, notes, E-Mail and other features.
5. Ultramobile PC: It is a full-featured, PDA-sized computer running a general-
purpose operating system (OS).
6. Smartphone: It is a PDA with integrated cell phone functionality. Current
Smartphones have a wide range of features and installable applications.
7. Carputer: It is a computing device installed in an automobile. It operates as a
wireless computer, sound system, global positioning system (GPS) and DVD
player. It also contains word processing software and is Bluetooth compatible.
8. Fly Fusion Pentop computer: It is a computing device with the size and shape
of a pen. It functions as a writing utensil, MP3 player, language translator,
digital storage device and calculator.
Wireless computing

► Wireless refers to the method of transferring information between a computing device


(such as a PDA) and a data source (such as an agency database server) without a
physical connection
► Smart hand-helds are defined as hand-held or pocket-sized devices that connect to a
wireless or cellular network, and can have software installed on them; this includes
networked PDAs and Smartphones
3.3 Trends in Mobility
Popular types of attacks against 3G mobile networks are as follows:

1. Malwares, viruses and worms: Although many users are still in the transient process of switching from 2G, to 3G, it

is a growing need to educate the community people and provide awareness of such threats that exist while using mobile

devices. Here are few examples of malware(s) specific to mobile devices:

• Skull Trojan: It targets Series 60 phones equipped with the Symbian mobile OS.

• Cabir Worm: It is the first dedicated mobile-phone worm; infects phones running on Symbian OS and scans other

mobile devices to send a copy of itself to the first vulnerable phone it finds through Bluetooth Wireless technology.

The worst thing about this worm is that the source code for the Cabir-H and Cabir-I viruses is available online.

• Mosquito Trojan: It affects the Series 60 Smart phones and is a cracked version of “Mosquitos” mobile phone

game.

• Brador Trojan: It affects the Windows CE OS by creating a svchost.exe file in the Windows start-up folder which

allows full control of the device. This executable file is conductive to traditional worm propagation vector such as

E-Mail file attachments.

• Lasco Worm: It was released first in 2005 to target PDAs and mobile phones running the Symbian OS. Lasco is

based on Cabir’s source code and replicates over Bluetooth connection.


Contin….
2. Denial-of-service (DoS): The main objective behind this attack is to make the system
unavailable to the intended users. Virus attacks can be used to damage the system to
make the system unavailable.
3. Overbilling attack: Overbilling involves an attacker hijacking a subscriber’s IP
address and then using it (i.e., the connection) to initiate downloads that are not “Free
downloads” or simply use it for his/her own purposes. In either case, the legitimate
user is charged for the activity which the user did not conduct.
4. Spoofed policy development process (PDP): These types of attacks exploit the
vulnerabilities in the GTP [General Packet Radio Service (GPRS) Tunneling
Protocol].
5. Signalling-level attacks: The Session Initiation Protocol (SIP) is a signaling protocol
used in IP multimedia subsystem (IMS) networks to provide Voice Over Internet
Protocol (VoIP) services. There are several vulnerabilities with SIP-based VoIP
systems.
3.4 Credit Card Frauds in Mobile and Wireless Computing Era

► These are new trends in cybercrime that are coming up with mobile computing –
mobile commerce (M- Commerce) and mobile banking (M-Banking).

🕐 Wireless credit card processing is a very desirable system, because it allows


businesses to process transactions from mobile locations quickly, efficiently and
professionally.
► Credit card companies, normally, do a good job of helping consumers resolve identity
(ID) theft problems once they occur. But they could reduce ID fraud even more if they
give consumers better tools to monitor their accounts and limit high-risk transactions
1. Merchant sends a transaction to bank;
2. The bank transmits the request to the authorized
cardholder
3. The cardholder approves or rejects (password protected);
4. The bank/merchant is notified;
5. Credit card transaction is complete
(Box 3.2). Tips to Prevent Credit Card Frauds

∙ The current topic is about credit card frauds in mobile and wireless computing era, however, we
would like to include these tips to prevent credit card frauds caused due to individual ignorance
about a few known facts.
Do’s
1. Put your signature on the card immediately upon its receipt.

2. Make the photocopy of both the sides of your card and preserve it at a safe place to remember

the card number, expiration date in case of loss of card.


3. Change the default personal identification number (PIN) received from the bank before doing any
transaction.

4. Always carry the details about contact numbers of your bank in case of loss of your card.

5. Carry your cards in a separate pouch/card holder than your wallet.


6. Keep an eye on your card during the transaction, and ensure to get it back immediately.
7. Preserve all the receipts to compare with credit card invoice.

8. Reconcile your monthly invoice/statement with your receipts.

9. Report immediately any discrepancy observed in the monthly invoice/statement.

10. Destroy all the receipts after reconciling it with the monthly invoice/statement.

11. Inform your bank in advance, about any change in your contact details such as home address, cell phone number and E-Mail
address.

12. Ensure the legitimacy of the website before providing any of your card details.

13. Report the loss of the card immediately in your bank and at the police station, if necessary.
Dont’s

►1. Store your card number and PINs in your cell.


►2. Lend your cards to anyone.
►3. Leave cards or transaction receipts lying around.
►4. Sign a blank receipt (if the transaction details are not legible, ask for another receipt to
ensure the amount instead of trusting the seller).
►5. Write your card number/PIN on a postcard or the outside of an envelope.
►6. Give out immediately your account number over the phone (unless you are calling to a
company/ to your bank).
►7. Destroy credit card receipts by simply dropping into garbage box/dustbin.
4.1 Types and Techniques of Credit Card Frauds

►Traditional Techniques

🕐 The traditional and the first type of credit card fraud is paper-based fraud –
application fraud, wherein a criminal uses stolen or fake documents such as utility
bills and bank statements that can build up useful personally Identifiable Information
(PII) to open an account in someone else’s name.
🕐 Application fraud can be divided into
1. ID theft: Where an individual pretends to be someone else
2. Financial fraud: Where an individual gives false information about his or her
financial status to acquire credit.
3. Illegal use of lost and stolen cards is another form of traditional technique.
4. Stealing a credit card is either by pickpocket or from postal service before it reaches
its final destination.
Modern Techniques

🕐 Skimming is where the information held on either the magnetic strip on the back of
the credit card or the data stored on the smart chip are copied from one card to
another.
🕐 Site cloning and false merchant sites on the Internet are becoming a popular method
of fraud and to direct the users to such bogus/fake sites is called Phishing.
🕐 Such sites are designed to get people to hand over their credit card details without
realizing that they have been directed to a fake weblink /website (i.e., they have been
scammed).
1.Triangulation
• The criminal offers the goods with heavy discounted rates through a website designed
and hosted by him, which appears to be legitimate merchandise website.

• The customer registers on this website with his/her name, address, shipping address
and valid credit card details.

• The criminal orders the goods from a legitimate website with the help of stolen credit
card details and supply shipping address that have been provided by the customer while
registering on the criminal’s website.

• The goods are shipped to the customer and the transaction gets completed.

• The criminal keeps on purchasing other goods using fraudulent credit card details of
different customers till the criminal closes existing website and starts a new one.
2. Credit card generators: It is another modern technique – computer emulation software
– that creates valid credit card numbers and expiry dates. The criminals highly rely on
these generators to create valid credit cards. These are available for free download on the
Internet
3.5 Security Challenges Posed by Mobile Devices

► https://www.youtube.com/watch?v=OOQHxAs2tiE

❖ As the number of mobile device users increases, two challenges are


presented:

1. at the device level called “microchallenges”

2. at the organizational level called “macrochallenges.”


Some well-known technical challenges in mobile security are:

1. Managing The Registry Settings And Configurations


2. Authentication Service Security
3. Cryptography Security
4. Lightweight Directory Access Protocol (LDAP) Security
5. Remote Access Server (RAS ) Security
6. Media Player Control Security
7. Networking Application Program Interface (API ) Security, Etc.
3.6 Registry Settings for Mobile Devices

►Microsoft ActiveSync is meant for synchronization with Windows-powered


personal computers (PCs) and Microsoft Outlook.
►ActiveSync acts as the gateway between Windows-powered PC and Windows
mobile-powered device, enabling the transfer of applications such as Outlook
information, Microsoft Office documents, pictures, music, videos and applications
from a user’s desktop to his/her device.
►In addition to synchronizing with a PC, ActiveSync can synchronize directly with
the Microsoft exchange server so that the users can keep their E-Mails, calendar,
notes and contacts updated wirelessly when they are away from their PCs.
❑ In this context, registry setting becomes an important issue given the ease with
which various applications allow a free flow of information.
🕐 Thus, establishing trusted groups through appropriate registry settings becomes
crucial. One of the most prevalent areas where this attention to security is applicable
is within “group policy.” Group policy is one of the core operations that are
performed by Windows Active Directory. (Run command box, type GPEDIT.MSC
command to initiate the Local Group Policy Editor)
3.7 Authentication Service Security

❖ There are two components of security in mobile computing: security of devices


and security in networks.
❖ A secure network access involves mutual authentication between the device
and the base stations or Web servers.
❖ This is to ensure that only authenticated devices can be connected to the
network for obtaining the requested services.
❖ Some eminent kinds of attacks to which mobile devices are subjected to
are: push attacks, pull attacks and crash attacks
3.7.1 Cryptographic Security for Mobile Devices

🕐 Cryptographically Generated Addresses (CGA) is Internet Protocol version 6 (IPv6)


that addresses up to 64 address bits that are generated by hashing owner’s public-key
address.
🕐 The address the owner uses is the corresponding private key to assert address
ownership and to sign messages sent from the address without a public-key
infrastructure (PKI) or other security infrastructure.
🕐 Deployment of PKI provides many benefits for users to secure their financial
transactions initiated from mobile devices.
🕐 CGA-based authentication can be used to protect IP-layer signaling protocols
including neighbor discovery (as in context-aware mobile computing applications)
and mobility protocols.
🕐 It can also be used for key exchange in opportunistic Internet Protocol Security
(IPSec). Palms (devices that can be held in one’s palm) are one of the most common
hand-held devices used in mobile computing.

🕐 Cryptographic security controls are deployed on these devices.

🕐 For example, the Cryptographic Provider Manager (CPM) in Palm OS5 is a


system- wide suite of cryptographic services for securing data and resources on a
palm-powered device.

🕐 The CPM extends encryption services to any application written to take advantage
of these capabilities, allowing the encryption of only selected data or of all data and
resources on the device.
3.7.4 LDAP (Lightweight Directory Access Protocol) Security for
Hand-Held Mobile Computing Devices

❖ LDAP is a software protocol for enabling anyone to locate individuals,


organizations and other resources such as files and devices on the network

❖ In a network, a directory tells you where an entity is located in the network.

❖ LDAP is a light code version of Directory Access Protocol (DAP) because


it does not include security features in its initial version.
3.7.3 RAS (Remote Access Server) Security for Mobile Devices
 

► RAS (Remote Access Server) is an important consideration for protecting the business-
sensitive data that may reside on the employees’ mobile devices
► In terms of cybersecurity, mobile devices are sensitive. Figure 3.11 : organization’s
sensitive data can happen through mobile hand-held devices carried by employees.
► A RAS is deployed within an organization and directly connected with the
organization's internal network and systems. Once connected with a RAS, a
user can access his or her data, desktop, application, print and/or other
supported services.
RAS is deployed within an organization and directly connected with the
organization's internal network and systems. Once connected with a RAS, a user can
access his or her data, desktop, application, print and/or other supported
services.
WAP enables the access of internet in the mobile devices. 
3.7.4 Media Player Control Security

🕐 Various leading software development organizations have been warning the users
about the potential security attacks on their mobile devices through the “music
gateways.”
🕐 There are many examples to show how a media player can turn out to be a source of
threat to information held on mobile devices.
🕐 For example, in the year 2002, Microsoft Corporation warned about this.
🕐 According to this news item, Microsoft had warned people that a series of flaws in its
Windows Media Player could allow a malicious hacker to hijack people’s computer
systems and perform a variety of actions.
🕐 According to this warning from Microsoft, in the most severe exploit of a flaw, a
hacker could take over a computer system and perform any task the computer’s owner
is allowed to do, such as opening files or accessing certain parts of a network.
3.7.5 Networking API Security for Mobile Computing Applications

🕐 With the advent of electronic commerce (E-Commerce) and its further off -shoot into M-
Commerce, online payments are becoming a common phenomenon with the payment gateways
accessed remotely and possibly wirelessly.

🕐 Furthermore, with the advent of Web services and their use in mobile computing
applications, the API becomes an important consideration.

🕐 Already, there are organizations announcing the development of various APIs to enable
software and hardware developers to write single applications

🕐 Most of these developments are targeted specifically at securing a range of embedded and
consumer products, including those running OSs such as Linux, Symbian, Microsoft Windows
CE and Microsoft Windows Mobile (the last three are the most commonly used OSs for mobile
devices).

🕐 Technological developments such as these provide the ability to significantly improve


cybersecurity of a wide range of consumer as well as mobile devices. Providing a common
software framework, APIs will become an important enabler of new and higher value services.
3.8 Attacks on Mobile/Cell Phones

🕐 Mobile phones have become an integral part of everbody’s life and the mobile
phone has transformed from being a luxury to a bare necessity.
🕐 Theft of mobile phones has risen dramatically over the past few years.
► Many Insurance Companies have stopped offering Mobile Theft Insurance due to a
large number of false claim
🕐 After PC, the criminals’ (i.e., attackers’) new playground has been cell phones,
reason being the increasing usage of cell phones and availability of Internet using
cell phones.
🕐 Another reason is increasing demand for Wi-Fi zones in the metropolitans and
extensive usage of cell phones in the youths with lack of awareness/knowledge about
the vulnerabilities of the technology.
The following factors contribute for outbreaks on mobile devices:

1. Enough target terminals: Enough terminals or more devices to attack.

2. Enough functionality: The expanded functionality ie. office functionality and


applications also increases the probability of malware.

3. Enough connectivity: Smartphones offer multiple communication options, such as


SMS, MMS, synchronization, Bluetooth, infrared (IR) and WLAN connections.
Tips to Secure your Cell/Mobile Phone from being Stolen/Lost

Ensure to note the following details about your cell phone and preserve it in a safe place:
1. Your phone number;
2. the make and model;
3. color and appearance details;
4. PIN and/or security lock code;
5. IMEI number.
The International Mobile Equipment Identity (IMEI)

∙ It is a number unique to every GSM, WCDMA and iDEN cell phone. It is a 15-digit
number and can be obtained by entering *#06# from the keypad.

∙ The IMEI number is used by the GSM network to identify valid devices and therefore
can be used to stop a stolen phone from accessing the network in that country.

∙ For example, if a mobile phone is stolen, the owner can call his or her service provider
and instruct them to “lock” the phone using its IMEI number.

∙ This will help to stop the usage of phone in that country, even if a SIM is changed.

► Visit the weblink http://www.numberingplans.com/?page=analysis&sub=imeinr to check


all information about your cell phone such as manufacturer, model type and country of
approval of a handset.
Following are few antitheft software(s) available in the market:

1. GadgetTrak: http://www.gadgettrak.com/products/mobile/

2. Back2u: http://www.bak2u.com/phonebakmobilephone.php

3. Wavesecure: https://www.wavesecure.com/

► F-Secure: http://www.f-secure.com/
3.8.2 Mobile Viruses

► A mobile virus is similar to a computer virus that targets mobile phone data or
applications/software installed in it.
🕐 In total, 40 mobile virus families and more than 300(+) mobile viruses have been
identified.
► First mobile virus was identified in 2004 and it was the beginning to understand that
mobile devices can act as vectors to enter the computer network
🕐 Mobile viruses get spread through two dominant communication protocols –
Bluetooth and MMS.
🕐 Bluetooth virus can easily spread within a distance of 10–30 m, through Bluetooth-
activated phones
🕐 MMS virus can send a copy of itself to all mobile users whose numbers are
available in the infected mobile phone’s address book.
How to Protect from Mobile Malwares Attacks

►Following are some tips to protect mobile from mobile malware attacks:
1. Download or accept programs and content (including ring tones, games, video clips
and photos) only from a trusted source.
2. If a mobile is equipped with Bluetooth, turn it OFF or set it to non-discoverable mode
when it is not in use and/or not required to use.
3. If a mobile is equipped with beam (i.e., IR), allow it to receive incoming beams, only
from the trusted source.
4. Download and install antivirus software for mobile devices.
3.8.3 Mishing
🕐 Mishing is a combination of mobile and Phishing.
🕐 Mishing attacks are attempted using mobile phone technology.
🕐 M-Commerce is fast becoming a part of everyday life. If you use your mobile phone
for purchasing goods/services and for banking, you could be more vulnerable to a
Mishing scam.
🕐 A typical Mishing attacker uses call termed as Vishing or message (SMS) known as
► Smishing.
🕐 Attacker will pretend to be an employee from your bank or another organization and
will claim a need for your personal details.
🕐 Attackers are very creative and they would try to convince you with diferent reasons
why they need this information from you.
3.8.4 Vishing

🕐 The term is a combination of V – voice and Phishing.


🕐 Vishing is usually used to steal credit card numbers or other related data used in ID
theft schemes from individuals.
🕐 The most profitable uses of the information gained through a Vishing attack include:
1. ID theft;
2. purchasing luxury goods and services;
3. transferring money/funds;
4. monitoring the victims’ bank accounts;
5. making applications for loans and credit cards.
The criminal can initiate a Vishing attack using a variety of
methods, each of which depends upon information gathered by a
criminal and criminal’s will to reach a particular audience.
1. Internet E-Mail:
2. Mobile text messaging:
3. Voicemail:
4. Direct phone call:
EXAMPLE CALL the customers and direct it to voice call.
Smishing

🕐 The name is derived from “SMS PhISHING.”


► SMS can be abused by using different methods and techniques other than information
gathering under cybercrime
► The popular technique to “hook” (method used to actually “capture” your
information) the victim is either provide a phone number to force the victim to call or
provide a website URL to force the victim to access the URL, wherein, the victim gets
connected with bogus website (i.e., duplicate but fake site created by the criminal) and
submits his/her PI.
Hacking Bluetooth

► Bluetooth is a short-range wireless communication service/technology that uses the 2.4-


GHz frequency range for its transmission/communication
🕐 This makes Bluetooth use simple and straightforward, and it also makes easier to
identify the target for attackers.
🕐 The attacker installs special software [Bluetooth hacking tools] on a laptop and then
installs a Bluetooth antenna.
🕐 Whenever an attacker moves around public places, the software installed on laptop
constantly scans the nearby surroundings of the hacker for active Bluetooth
connections. Once the software tool used by the attacker finds and connects to a
vulnerable Bluetooth- enabled cell phone, it can do things like download address book
information, photos, calendars, SIM card details, make long-distance phone calls
using the hacked device, bug phone calls and much more.
Table 3.1 | Bluetooth hacking tools
1. BlueScanner: This tool enables to search for Bluetooth enable device and will try to extract as much
information as possible for each newly discovered device after connecting it with the target.

2. BlueSniff: This is a GUI-based utility for fi nding discoverable and hidden Bluetooth enabled devices.

3. BlueBugger: The buggers exploit the vulnerability of the device and access the images, phonebook, messages
and other personal information.

4.Bluesnarfer: If a Bluetooth of a device is switched ON, then Bluesnarfing makes it possible to connect to
the phone without alerting the owner and to gain access to restricted portions of the stored data.

5. BlueDiving: Bluediving is testing Bluetooth penetration. It implements attacks like Bluebug and BlueSnarf.
 
3.9 Mobile Devices: Security Implications for Organizations
3.9.1 Managing Diversity and Proliferation of Hand-Held Devices
🕐 Most organizations fail to see the long-term significance of keeping track of who
owns what kind of mobile devices.
🕐 Mobile devices of employees should be registered to the organization.
🕐 When an employee leaves, it is important to remove logical and physical access to
organization networks.
🕐 Thus, mobile devices that belong to the company should be returned to the IT
department and, at the very least, should be deactivated and cleansed.
 
3.9.2 Unconventional/Stealth Storage Devices

► Compact disks (CDs) and Universal Serial Bus (USB) drives (also called zip drive,
memory sticks) used by employees are the key factors for cyber attacks.
🕐 It is advisable to prohibit the employees in using these devices.
► Not only can viruses, worms and Trojans get into the organization network, but can
also destroy valuable data in the organization network
► Using “DeviceLock” software solution, one can have control over unauthorized access
to plug and play devices
 
3.9.3Threats through Lost and Stolen Devices

🕐 Often mobile hand-held devices are lost while people are on the move.
► Lost mobile devices are becoming even a larger security risk to corporations
🕐 The cybersecurity threat under this scenario is scary; owing to a general lack of security
► in mobile devices, it is often not the value of the hand-held device that is important
but rather the content that, if lost or stolen, can put a company at a serious risk of
sabotage, exploitation or damage to its professional integrity, as most of the times
the mobile hand-held devices are provided by the organization.
3.9.4 Organizational Measures for Handling Mobile

1. Encrypting Organizational Databases


❑ Critical and sensitive data reside on databases and with the advances in technology,
access to these data is possible through mobiles.
❑ Through encryption we can protect organization data.
❑ Two algorithms that are typically used to implement strong encryption of database
files: Rijndael (pronounced rain-dahl or Rhine-doll), a block encryption algorithm,
chosen as the new Advanced Encryption Standard (AES) for block ciphers by the
National Institute of Standards and Technology (NIST).
❑ The other algorithm used to implement strong encryption of database files is the Multi-
Dimensional Space Rotation (MDSR) algorithm developed by Casio
2. Including Mobile Devices in Security Strategy

🕐 Encryption of corporate databases is not the end of everything.


🕐 For example, there are ways to make devices lock or destroy the lost data by
sending the machine a special message.
🕐 few things that organization can use are:
1. Implement strong asset management, virus checking, loss prevention and other
controls for mobile systems that will prohibit unauthorized access .
2. Investigate alternatives that allow a secure access to the company information
through a firewall, such as mobile VPNs.
3. Develop a system of more frequent and thorough security audits for mobile devices.
4. Incorporate security awareness into your mobile training and support programs so that
everyone understands just how important an issue security is within a company’s
overall IT strategy.
5. Notify the appropriate law-enforcement agency and change passwords. User accounts
are closely monitored for any unusual activity for a period of time.
3.11 Organizational Security Policies and Measures in Mobile Computing Era

🕐 people are storing more types of confidential information on mobile computing


devices than their employers or they themselves know; they listen to music using their
hand-held devices
🕐 One should think about not to keep credit card and bank account numbers,
passwords, confidential E-Mails and strategic information about organization.
Operating Guidelines for Implementing Mobile Device Security
Policies
1. Determine whether the employees in the organization need to use mobile computing
devices or not.
2. Implement additional security technologies like strong encryption, device passwords
3.
and physical locks.

Standardize the mobile computing devices and the associated security tools being
used with them.
4. Develop a specific framework for using mobile computing devices.
5. Maintain an inventory so that you know who is using what kinds of devices.
6. Establish patching procedures for software on mobile devices.
7. Label the devices and register them with a suitable service.
8. Establish procedures to disable remote access for any mobile.
9. Remove data from computing devices that are not in use
10. Provide education and awareness training to personnel using mobile devices.
3.12 Laptops
🕐 The thefts of laptops have always been a major issue, according to the cybersecurity industry
and insurance company statistics.
🕐 Cybercriminals are targeting laptops that are expensive, to enable them to fetch a quick
profit in the black market.
🕐 Most laptops contain personal and corporate information that could be sensitive.
🕐 Such information can be misused if found by a malicious user.
Physical Security Countermeasures
1. Cables and hardwired locks: The most cost-efficient and ideal solution to safeguard any
mobile device is securing with cables and locks, specially designed for laptops.
2. Laptop safes: Safes made of polycarbonate – the same material that is used in bulletproof
windows, police riot shields and bank security screens – can be used to carry and safeguard
the laptops
3. Motion sensors and alarms: Alarms and motion sensors are very efficient in securing
laptops.
4. Warning labels and stamps: Warning labels containing tracking information and
identification details can be fixed onto the laptop to deter aspiring thieves. These labels cannot
be removed easily and are a low-cost solution to a laptop theft.
Other measures for Protecting laptops are as follows:
• keeping the laptop close to oneself wherever possible;
• carrying the laptop in a different and unobvious bag
• creating the awareness among the employees about the sensitive information contained in the
laptop;
• making a copy of the purchase receipt of laptop
• installing encryption software to protect information stored on the laptop;
• using personal firewall software to block unwanted access and intrusion;
• updating the antivirus software regularly;
• tight office security using security guards and securing the laptop by locking it down in lockers
when not in use;
• never leaving the laptop unattended in public places
• disabling IR ports and wireless cards when not in use.
• Choosing a secure OS
• Registering the laptop with the laptop manufacturer to track down the laptop in case of theft.
• Disabling unnecessary user accounts and renaming the administrator account.
• Backing up data on a regular basis.
Box 3.13 | Spy Phone Software!!!
Spy Phone software is installed on the mobile/cell phone of employees, if the employers wants to monitor phone usage.
The Spy Phone software is completely hidden from the user, once it is installed and collects all the available data such as
SMS messages, ingoing/outgoing call history, location tracking, GPRS usage and uploads the collected data to a remote
server.

The employer can simply access the designated website hosted by Spy Phone vendor, and after entering his/her account
details, he/she can have full access to all the data collected 24 hours a day, 7 days a week. The employer can access this
website through the Internet; hence, he/she can keep an eye on their employees, regardless where he/she is in the
world. The employer can read all SMS messages (both incoming and outgoing), know who they (employees) are calling or
who is calling them and where they were when the call was received.

Following are few Spy Phone Software(s) available in the market:


1. SpyPhonePlus: http://www.spyphoneplus.com/
2. FlexiSpy: http://www.flexispy.com/
3. TheSpyPhone: http://www.thespyphone.com/spyphone.html
4. Mobile Spy: http://www.mobile-spy.com/

You might also like