[ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkin http://sto-strategy.com yury.chemerkin@gmail.com
Experienced in: Reverse Engineering & AV Software Programming & Documentation Mobile Security and MDM Cyber Security & Cloud Security Compliance & Transparency and Security Writing
Hakin9 Magazine, PenTest Magazine, eForensics Magazine, Groteck Business Media
Participation at conferences: InfoSecurityRussia, NullCon, CONFidence, PHDays, CYBERCRIME FORUM, Cyber Intelligence Europe/Intelligence-Sec, ICITST, CyberTimes, ITA, I-Society
KNOWN ISSUES
MALWARE BOUNDS BECOME UNCLEAR
BLACKBERRY HANDLES SEVERAL TECHNOLOGIES
NATIVE BLACKBERRY 10, BLACKBERRY PLAYBOOK OLD BLACKBERRY DEVICES THIRD PARTY ADOBE AIR FOR NEW BB DEVICES ANDROID APPLICATIONS & DEVICES IOS DEVICES EVERY CONTROLLED LIMITED BY SANDBOX PERMISSIONS SECURITY FEATURES ON DEVICEs & MDMs
CAMERA, VIDEO, VIDEO CONF CERTIFICATES (UNTRUSTED CERTs) CLOUD SERVICES BACKUP / DOCUMENT / PICTURE / SHARING NETWORK, WIRELESS, ROAMING DATA, VOICE WHEN ROAMING CONTENT (incl. EXPLICIT) RATING FOR APPS/ MOVIES / TV SHOWS / REGIONS CONNECTIVITY
MESSAGING (DEFAULT APP) PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES) PHONE AND MESSAGING (VOICE DIALING) PROFILE & CERTs (INTERACTIVE INSTALLATION) SOCIAL (DEFAULT APP) SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS DEVICE BACKUP AND ENCRYPTION
CONTENT
PASSWORD (THE SAME WITH ANDROID, iOS) BES MANAGEMENT (SMARTPHONES, TABLETS) SOFTWARE OPEN WORK EMAIL MESSAGES LINKS IN THE PERSONAL BROWSER TRANSFER THROUGH WORK PERIMETER TO SAME/ANOTHER DEVICE BBM VIDEO ACCESS TO WORK NETWORK VIDEO CHAT APP USES ORGANIZATIONS WI-FI/VPN NETWORK WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE VOICE CONTROL & DICTATION IN WORK & USER APPS BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE PC ACCESS TO WORK & PERSONAL SPACE (USB, BT) PERSONAL SPACE DATA ENCRYPTION
NETWORK ACCESS CONTROL FOR WORK APPS PERSONAL APPS ACCESS TO WORK CONTACTS SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
CERTIFICATES & CIPHERS & S/MIME HASH & ENCRYPTION ALGS AND KEY PARAMS TASK/MEMO/CALENDAR/CONTACT/DAYS SYNC ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS PROXY PASSWORD/PORT/SERVER/SUBNET MASK
EMAIL PROFILES
WI-FI PROFILES
SECURITY
VPN PROFILES
PROXY, SCEP, AUTH PROFILE PARAMS TOKENS, IKE, IPSEC OTHER PARAMS PROXY PORTS, USERNAME, OTHER PARAMS
UPDATE APP THAT CALLS THIS API USE GENERAL API REMOVE APP THAT CALLS THIS APPS USE GENERAL API REMOVE ANY OTHER APP UNDER THE SAME API WITHOUT NOTIFICATION HANDLE WITH PC TOOLS ON OLD BB DEVICES WITHOUT DEBUG / DEVELOPMENT MODE OLD BB: CLIPBOARD (HAS NEVER EXISTED ANYWHERE AND MIGHT HAVE EVER)
REVEAL THE DATA IN REAL TIME BY ONE API CALL NATIVE WALLETS PROTECTS BY RETURNING NULL WHILE THE ON TOP || JUST MINIMIZE OR CLOSE IT TO GET FULL ACCESS EVERY USER CASE MUST MINIMIZE APP TO PASTE A PASSWORD
CONCLUSION - I
PRIVILEGED GENERAL PERMISSIONS
DENIAL OF SERVICE
REPLACING/REMOVING EXEC FILES DOSing EVENTs, NOISING FIELDS GUI INTERCEPT
INFORMATION DISCLOSURE
CLIPBOARD, SCREEN CAPTURE GUI INTERCEPT DUMPING .COD FILES, SHARED FILES
MITM (INTERCEPTION / SPOOFING)
MESSAGES GUI INTERCEPT, THIRD PARTY APPs FAKE WINDOW/CLICKJACKING
BUT COMBINED INTO GENERAL PERMISSION A SCREENSHOT PERMISSION IS PART OF THE CAMERA GENERAL PERMISSIONS
INSTEAD OF SPECIFIC SUB-PERMISSIONS A FEW NOTIFICATION/EVENT LOGs FOR USER BUILT PER APPLICATION INSTEAD OF APP SCREENs
CONCLUSION - II
THE VENDOR SECURITY VISION
AGGRAVATED BY SIMPLICITY
SIMPLIFICATION AND REDUCING SECURITY CONTROLS
MANY GENERAL PERMISSIONS AND COMBINED INTO EACH OTHER
NO LOGs ACTIVITY FOR SUB-PERMISSIONS TO PROVE THE TRANSPARENCY
ANY SECURITY VULNERABILITIES ARE ONLY FIXED BY ENTIRELY NEW AND DIFFERENT OS / KERNEL
A FEW PERMISSIONs ARE CLOSED TO THE USER ACTIONS
THE SANDBOX PROTECTS ONLY APPLICATION DATA
USERS HAVE TO STORE THEIR DATA INTO SHARED FOLDERS OR EXTERNAL STORAGE
APPLICATIONS CONTINUE TO STORE DATA IN PUBLIC FOLDERs BECAUSE GOVERNED BY CHANCE OF AVAILABILITY
MITM / INTERCEPTION ACTIONS ARE OFTEN SILENTLY THE NATIVE SPOOFING AND INTERCEPTION FEATURES
BLACKBERRY ENTERPRISE SOLUTION / BLACKBERRY MOBILE FUSION IS NOT VERY EFFECTIVE
THE BEST SECURITY (PERMISSIONS) RULED BY AMAZON WEB SERVICES
PERMISSIONS SHOULD RELY ON THE DIFFERENT USEFUL CASES SET INSTEAD OF SPECIFIC PERMISSION LIST
Q&A