Security Basics mailing list archives

Re: Securing Ipad2


From: noloader () gmail com
Date: Sun, 26 Jun 2011 16:16:51 GMT

On Tue, Jun 21, 2011 at 4:35 PM,  <abigdeale () gmail com> wrote:
> I need to successfully secure a limited amount of iPad 2s on our corporate network which gains access via VPN through
> the 3G connection.

If your company has any buying power, you might request that the source code be reviewed by a firm knowledgeable in
application security. For example, I would not trust the LogMeIn application without independent assurances. It's
amazing the BS that someone will try to pass off as 'secure' (I've seen it first hand during audits).

> I understand that there are several applications available to secure the
> iPad 2 locally, and that when an incorrect password is typed in, you can actually wipe
> the pad of all data.
> (Q1. Is this recoverable from sync with iTunes/desktop?)

I don't believe the data is recoverable on the desktop via iTunes *if* it has not been backed up (you can turn off
backup, or encrypt the backup (IIRC)).

If the data was deleted from the device (and no desktop backup), it might still be available on the device during 
forensic analysis. See "Reliably Erasing Data From Flash-Based Solid State Drives", 
www.usenix.org/events/fast11/tech/full_papers/Wei.pdf.

Secure data deletion on the iDevices has caused me a lot of grief due to iOS's lack of true background processing. Even 
in iOS 4, an application does not run in the background (as a comp sci person understands things like preemptive 
multitasking). I believe Apple's use of the term is more marketing.

> On the corporate side there are firewalls, proxies and the like to secure the connection/node.
> (Q2. What are the best practices to secure mobile devices in such an environment?)

Apple has an enterprise security configuration guide at manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf.
The DoD has an iPhone STIG (which should apply to iPad) at http://iase.disa.mil/stigs/index.html. The Center for
Internet Security has a benchmark at
http://benchmarks.cisecurity.org/tools2/iphone/CIS_iPhone_2.2.1_Benchmark_v1.0.0.pdf (again, should apply to iPad).

> The iPads have access to email, inter/intranet and several other requirements.
> (Q3. Tracking software and remote logins, are they available and do they work?)

There are a few tracking applications, but I have not used them. Ditto for remote login.

> Thanks for your time, I'm not familiar with any Apple products as of yet, and a newbie in the infosec world. So the
> questions may sound dumb.

When researching, the operating system of interest is iOS. It powers iPhone, iPad, and iPod. From a programmer's
perspective, Apple tells us there is no difference between iPhones and iPads and iPods except screen sizes (some hand
waving). So what you read about an iPhone will apply to an iPad.

For reading on [some of] what your adversaries can achieve when trying to pick your data, pick up Morrissey's iOS
Forensic Analysis. I found it to be a little better than Zdziarski's iPhone Forensics.

When I model threats, I include both government and corporate adversaries. While many object to modeling government,
there have been a lot of abuses in the US since 9/11/2001. The ACLU is suing Michigan for illegal searches of cell phones
during traffic stops, see http://www.thenewspaper.com/news/34/3458.asp. And the US's border search doctrine allows it
to search a US citizen upon re-entering the country with no constitutional protections.

Jeff
