This presentation was given at the Informa Cloud Mobility event in Amsterdam on the 21st of September. As with a lot of things in the technology world, things move quickly and events have superseded a couple of things in the slides. The idea of the presentation was to give an alternative view to the conference. The attendees and presenters struggled even to define "cloud"; a marketing term, which is part of the problem of this topic. Please note, there are no slide notes to this presentation.
Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
DARK CLOUDS AND RAINY DAYS, THE BAD SIDE OF CLOUD COMPUTING
CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM
David Rogers, Copper Horse Solutions Ltd.
ABOUT ME
12 years in the mobile industry
Hardware and software background
Head of Product Security at Panasonic Mobile
  Worked with industry and government on IMEI and SIMlock security
  Pioneered some early work in mobile phone forensics
  Brought industry together on security information sharing
Director of External Relations at OMTP
  Programme Manager for advanced hardware security tasks
  Chair of Incident Handling task
Head of Security and Chair of Security Group at WAC
Owner and Director at Copper Horse Solutions
ABOUT COPPER HORSE SOLUTIONS LTD
Established in 2011
Software and security company
Focused on the mobile phone industry
Services:
  Mobile phone security consultancy
  Industry expertise
  Standards representation
  Mobile application development
http://www.copperhorsesolutions.com
WHAT I WILL TALK ABOUT
Dark Clouds and Rainy Days – the dark side of cloud computing
Thin air – issues around device theft and tampering
Condensation – how much data is left on the device?
The problem with web apps
Slurping data, not coffee – insecure networks
How much do you trust your cloud provider?
THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING
Image: 416style
DEVICES – LOST AND STOLEN
Large numbers of devices are lost or stolen on a daily basis
  iPhone prototypes – 2 left in bars
UK – National Mobile Phone Crime Unit
  IMEI blocking
    Window between theft and blocking
    Same problem with lock and wipe services
  NMPR – National Mobile Property Register
    Allows stolen / lost items to be returned to the right owner: www.immobilise.com
  EIRs and the CEIR
    Lots of stolen phones are exported but not blocked
Users do not protect access to their devices
  Barrier to usability
  Most cloud services have authentication tokens – non-password access (see also FaceNiff)
  Need to be told the basics: http://www.carphonewarehouse.com/security
Smartphone hacking is a major target right now
  Hardware (SIMlock and IMEI) hacking has been going on for years
CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?
DATA RESIDUE ISSUES
Devices move around:
  Phone recycling companies
  Phones left in drawers / thrown in bins
  Phones passed on to another employee
  Service returns and refurbishment issues
Repeated attacks on celebrities
Repeated mistakes in data clearing
Lots of “cloud” access data available
  Browser data cache / local storage
  Credentials for network APIs and services stored on device (not in secure hardware)
  Users storing passwords insecurely on local machines
  Apps / browsers providing “no-login” functionality
Note: These are all still issues in the non-‘cloud’ world!!
THE PROBLEM WITH WEB APPLICATIONS
Image: Clearly Ambiguous
THE PROBLEM WITH WEBAPPS
Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps
Everyone is jumping on HTML5 but there will be hidden security issues
  Ultimately there needs to be some form of local usage
  HTML5 Cache, offline mechanisms still immature
  No access to trusted hardware on device
Everything is transferred over a network
  Even if you don’t want it to be
Existing protection is weak
  Web foundations are not secure (see later)
  No such thing as a “secure web runtime”
In-app billing and other network APIs offer great fraud / attack potential
  Targets will be identity and payment
Future: Device APIs & M2M
  How to sync data without compromising users
  How to control access
  Public safety aspects – web for safety critical applications?!
RELIANCE ON CONNECTIVITY
Network access is not ubiquitous
  Extremely poor wireless connections in rural areas (even in developed countries)
There is always an ‘offline’ scenario for users, but few technical solutions for offline web
Image: John Leach
SLURPING DATA, NOT COFFEE – INSECURE NETWORKS
Image: Thomas Dwyer (on a break from flickr)
SLURPING DATA, NOT COFFEE
Incidents in internet cafes, airports and libraries
  Very widespread
  Expensive roaming costs push users onto WiFi
Fake WiFi networks
  Low hanging fruit
  Temptation, temptation – open and free!
Recent attack demonstration of stealing data while charging a phone at a charge booth
Femtocells
  Recent hacker interest in femtocells (base stations in people’s houses)
  Can capture and break traffic
  What about metrocells?
FACENIFF AND FIRESHEEP
MITM attack captures authentication cookies
  Even on encrypted WiFi networks
  Traffic is routed through the attack device
Techniques available for years – made much easier by these kinds of tools
Companies still not using SSL
  Mobile version of the Facebook page has to be manually set as https by the user – most users cannot do this
Many phone applications send data in the clear
  Google and Facebook have both been guilty of this
Image: http://www.geekword.net
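The cookie theft this slide describes works because the session cookie travels over plain HTTP. As an added illustration (not from the slides), the following Python audit takes a server's raw response headers and flags session-looking cookies that lack the Secure and HttpOnly attributes, plus the absence of an HSTS header; the two header sets and the SESSION_HINTS name heuristic are constructed for the example.

```python
from typing import Dict, List

# Constructed sample headers (not captured from any real service): a site that
# still sets its session cookie without the Secure flag over plain HTTP.
WEAK_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/
Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly
Content-Type: text/html
"""
# The same site after the fix: Secure + HttpOnly on the session cookie, plus HSTS.
HARDENED_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
"""
# Name fragments that usually mark a login-session cookie (heuristic, assumed here).
SESSION_HINTS = ("sess", "auth", "token", "login", "sid")

def parse_cookies(raw_headers: str) -> List[Dict[str, object]]:
    """One record per Set-Cookie header: cookie name plus its Secure/HttpOnly flags."""
    cookies = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}  # attributes after the value
        cookies.append({"name": name, "secure": "secure" in attrs,
                        "httponly": "httponly" in attrs})
    return cookies

def has_hsts(raw_headers: str) -> bool:
    """True if the response tells browsers to use HTTPS only (HSTS header present)."""
    return any(h.lower().startswith("strict-transport-security:")
               for h in raw_headers.splitlines())

def audit(raw_headers: str) -> List[str]:
    """Weaknesses a sniffer on the same WiFi could use; one string per finding."""
    findings = []
    for c in parse_cookies(raw_headers):
        if not any(h in str(c["name"]).lower() for h in SESSION_HINTS):
            continue  # preference cookies are low impact if captured
        if not c["secure"]:
            findings.append(f"{c['name']}: session cookie without Secure flag (sent over plain HTTP)")
        if not c["httponly"]:
            findings.append(f"{c['name']}: session cookie readable by page script (no HttpOnly)")
    if not has_hsts(raw_headers):
        findings.append("no Strict-Transport-Security header: browser may still fall back to HTTP")
    return findings
```

Running audit(WEAK_HEADERS) reports the unprotected sessionid cookie and the missing HSTS header, while audit(HARDENED_HEADERS) returns no findings.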
HIDDEN NEAR A CAFÉ IN YOUR AREA…
Image: http://cheezburger.com/View/1608846080
HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER?
Image: Caza_No_7
TRUST IN CLOUD PROVIDERS (1)
Poor security techniques employed
  Phone hacking scandal
  No user notification of accesses from other machines / times
Previous data issues – e.g. T-Mobile, Paris Hilton etc.
Password reminders have compromised online email accounts, e.g. Sarah Palin
Facebook dragged into providing privacy protection for users
TRUST IN CLOUD PROVIDERS (2)
Who does your cloud provider trust?
  Who are their suppliers?
  What technology are they using?
RSA – targeted cyber attack
  SecurID keys being replaced in many organisations
Diginotar – fake (genuine) SSL certificates
  Compromised Google Docs, Gmail and lots of other services
  Shows how fragile the whole foundations of the ‘secure’ web are
19th September (Monday) – BEAST attack against SSL
  Can decrypt PayPal cookies
VIRTUALISATION
Platform agnostic dream
Does virtualisation on mobile handsets really bring extra security?
  It offers a solution to companies wanting to own parts of a device, e.g. for corporate policy management
  It brings new (unknown) security risks
  Immature products on mobile
Mobile market is still very fragmented
Same issues if the device is lost or stolen
TECHNICAL OUTAGES
Unforeseen technical outages:
  Google: Google Docs down for hours
  Microsoft: DNS issue during maintenance
http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html
“for a currently unknown reason, the update did not work correctly” – Microsoft response to DNS issue, September 2011
TARGETED HACKTIVISM
Attacks on Amazon by Anonymous – unrelated to most users’ services
  DDoS attack failed – Amazon’s servers were capable of handling the demand
  Companies like Mastercard did not fare as well – collateral damage issue
  Conversely – Amazon’s EC2 cloud capability was used against Sony
Lulzsec
  Simplistic but devastating attacks
  Difficult to track down
What groups come next?
F-Secure’s Mikko Hypponen has called for an international Police Force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/
TARGETED HACKTIVISM (2)
Anonymous is the direction of hacktivist attacks for various ideals
  Decentralised, no ‘head’
#opfacebook 5th November 2011
  Published rationale is Facebook privacy policy
TRUST IN CLOUD PROVIDERS (2)
At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
What is the EULA?
What country is your data being held in?
  What are the data protection and privacy laws?
Have you got customer data within your business data?
What happens when something goes wrong?
  Business continuity
  Despite operating agreements, what if a natural disaster happens?
    Might not be the data centre that is affected
  Cable theft is a huge issue
  What about conflict and war?
WHAT THEN?
Image: https://tooze.wordpress.com/tag/singtel/
THE SILVER LINING?
Image: Nick Coombe
Not quite silver yet:
  Cloud services do provide a lot of good, but are not a panacea!
  Primary business driver for cloud is cost. Security is a secondary concern
But:
  Many attacks in the “offline” world can / have been much worse
  Cloud providers and companies are recognising issues
  Users are not accepting bad security / privacy
  Not everything will live in the cloud
Any questions?
Contact me: david.rogers@copperhorses.com
Twitter: @drogersuk
Blog: http://blog.mobilephonesecurity.org
THANKS FOR LISTENING!