Shevirah founder and CTO, Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds a MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has presented and conducted training around the world including venues such as NSA, West Point, and Black Hat. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security culminating in the release of the open source project- Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel backed security training startup Cybrary, an Adjunct Professor at the University of Maryland University College, a member of the CyberWatch Center's National Visiting Committee, and served as a judge for the FTC’s 2017 Home Inspector IoT security challenge. Georgia is also occasionally an angel investor in cybersecurity startups.
Bypassing iOS Security using Enterprise Provisioning Hooks and Enterprise Mobility Management
This talk demonstrates how features Apple includes in their iOS ecosystem to support corporate enterprise provisioning and management can be used to exploit all iOS devices. We will cover the faculties that Apple includes to allow enterprises and mobile security vendors to remotely provision settings and load applications and how a malicious attacker could take advantage of these vectors.
We will discuss Configuration Profile options with security implications and using the Enterprise Development Program to bypass Apple’s anti-malware app controls. Though Apple considers this a “feature not a bug” and a phishing issue, no anti-phishing training readily available for either consumers or corporations specifically address these phishing attacks. However, according to the Verizon Breach Report over 90% of enterprise compromises came in through endpoints, largely from phishing.
Mobile devices open up a wide range of additional phishing options than the email scenarios. We will demonstrate how penetration testers and red teams can simulate these attacks to raise user awareness and perform impact analysis of a potential breach begun by a compromised iOS device.
Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She is a member of the CyberWatch Center's National Visiting Committee, on the board of advisors at Cybrary, and an Adjunct Professor at UMUC and Tulane University. She is a New America Cybersecurity Policy Fellow. She has presented or conducted training around the world and is regularly featured internationally in print and on television. She authored Penetration Testing: A Hands-On Introduction to Hacking. Georgia founded the security consulting firm Bulb Security and was awarded a DARPA Cyber Fast Track grant for her work in mobile device security culminating in the release of the Smartphone Pentest Framework. She founded Shevirah whose products assess and manage the risk of mobile devices in the enterprise and is a graduate of the Mach37 cybersecurity accelerator. She was the 2015 Women’s Society of CyberJutsu Pentest Ninja. She holds a MS in computer science and CISSP, CEH, and OSCP certifications.