Bio: Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security, as well as CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at top conferences around the world including Shmoocon, Blackhat, HackerHalted, and Bsides. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the Smartphone Pentest Framework (SPF), which allows pentesters to assess the security of mobile devices in an environment.
Can You Hear Me Now: Leveraging Mobile Devices on Pentests
BYOD is not a new concept. From contractor laptops to an employee's game console in the break room, a compromised device in the corporate environment can lead to all sorts of bad things. In this talk we will look at the unique threats that BYOD for mobile devices brings to the table. The most security-conscious corporations are deploying the latest devices and policies to stop attackers from breaching the perimeter and, if they do, to stop data exfiltration. We will discuss how mobile devices on a corporate network and/or handling company data undermine these efforts. We will look at multiple mobile platforms gathering sensitive information, attacking other devices such as other mobile devices, servers, and workstations, and using out-of-band communication to perform data exfiltration and communicate with internal devices. Multiple live demo scenarios will be shown and some useful code for pentesters will be released.
Attacking and Securing Mobile Devices
As smartphones take over the workplace, and customers begin deploying smartphone applications as frequently as traditional web applications, it falls to security professionals to integrate these new technologies into penetration testing. How will your organization fare when the smartphone apocalypse arrives? In this course we will study in depth the techniques used by hackers to exploit mobile phone platforms and applications. We will look at smartphone jailbreaks/roots and real malicious code samples seen in the wild. We will analyze smartphone apps, using open source tools and manual skills to detect potential attacks and vulnerabilities. Additionally, we will look at real-world examples of smartphone apps with vulnerabilities exploitable by attackers. We will cover hands-on exercises exploiting real smartphone platforms and applications. After brushing up on the offensive side, we will switch gears and discuss available methods of defending smartphones in the workplace against the myriad attack vectors. We will look at using the same methods attackers use for evil, for good, to defend smartphone devices and the sensitive data they access. In this course we will use several open source tools for assessing smartphones, such as the instructor's own Smartphone Pentesting Framework.