Misc

Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices

On Friday we released our latest technical newsletter with the fancy title “Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices”. It is the result of a field study on decommissioned mobile business devices bought on eBay and about how stored data may be extracted in different ways.

As always we love to share plenty of practical advise: At the end of the newsletter you will find the mitigating controls to securely handle mobile devices at the end of their life cycle process.

Find the newsletter here.
And a digitally signed version here.

Special thanks go to Sergej Schmidt for performing the field study.

Talking about our great team: Meet the whole ERNW crew at TROOPERS12, or even better: Dig deeper into mobile security together with Rene Graf during the mobile security workshop. There are a few slots left.

Enjoy the newsletter & hopefully see you soon in Heidelberg!
Florian

Continue reading
Breaking

A Wrap-up on MFD Security

On last year’s TROOPERS11, Matthias (mluft) and I gave a talk on Multifunction Devices. Hardly surprising: It was related to the state of secure operation of MFDs. It was heavily motivated by experiences we collected out in the wild. We faced a frightening low level of awareness concerning the role of MFDs for the overall security picture – in particular regarding the processing of sensitive data…

However, instead of only showing and proving well-known weaknesses and vulnerabilities, we decided to adapt ERNW’s Seven Sisters model in order to match the needs of secure MFD operation and to develop some kind of guideline. As Matthias already lost some words on this, I’m not gonna waste your valuable time by repeating, what has already been said. However I described our approach and our thoughts on that topic in a recently published ERNW Newsletter. If for what ever reason you didn’t see our talk or even didn’t attend TROOPERS11 at all, have a look on Newsletter 37 and give us feedback on what you think about the whole topic…

Btw: Enno just wrote some lines about what’s so special about the TROOPERS conference. In case you might want to discuss mentioned and related topics at first hand, think about joining TROOPERS12. For our part, we cannot wait to come together at Heidelberg next March.

See you there
Michael alias Micele

Continue reading
Building

Certificate Based Device Authentication with iOS Devices

We recently performed a Proof-of-Concept (PoC) implementation of certificate based auth with iPads in some large environment. So far the focus has been mainly on WLAN access; VPN and EAS authentication are going to follow in the next step.

As we figure that the topic might be of interest for some of you, we’ve extracted a certain, not-too-customer-specific part of the deliverable and converted it into an ERNW newsletter. Special thanks go to Rene Graf for leading the project! 😉

Of course, this stuff is going to be covered in much more detail in the Troopers12 edition of our “iOS Security Workshop” (see here for the agenda of this year or here for a German version of the current one).

Enjoy reading (& implementing)!

thanks

Enno

Continue reading
Breaking

Research on “Application Virtualization” – Results online now

Just wanted to let you know that we sent out ERNW Newsletter 32 end of last week. As we promised it includes the results of  research regarding the question “Is browser virtualization a valid security control in order to mitigate browser based security risks?”.

Simon did a great job with writing the latest newsletter. It’s a 30-page document which should help you to have a basis for well-informed decisions when it comes to the deployment of an application virtualization technology.

Download a signed version of the PDF here, or visit the archive to browse other issues of our highly technical newsletters.

Best wishes,
Florian

Continue reading