12. Viral Adoption
Refers to a system architecture that can be adopted incrementally, and gains momentum as it scales.
http://dl.media.mit.edu/viral/viral.pdf - Viral Communications, Media Laboratory Research Draft, May 19th 2003
13. New Age Malware
• Decentralized
• Interconnected
• Mobile
• Quick Content Publishing
• Decentralized
• Interconnected
• Mobile
• Has Access to Data
14. KoobFace
• Social media worm
• Propagation via Facebook messages
• Propagation via Facebook wall posts
• Spams your friend list to an “update for Adobe Flash”
• Installs pay per install malware on target
• Infected computers operate as a botnet
15. I Know EXACTLY Where All My Data Lives
Sure it’s Safe in the Cloud!
16. The Path Your Data Takes
[Diagram on the slide showing the path data takes; node labels: The Office, Central Server, Approved Cloud Vendor, Sub-Cloud Vendor, Sub-Cloud Vendor, The Calendar Mirrored via Google, Laptop – Stolen At The Airport, The Lost iPhone, The Hacked Home PC, Google Docs To Share With remote Co-Worker, Indirect: Ooops Did I Say That on Facebook?!]
17. Own The Borg, Own The WORLD!
In 2009, Twitter gets COMPLETELY owned… TWICE!
Brute force password attack on a targeted user reveals a password of “Happiness” – user is a Twitter admin… OWNED!
A French hacker owns the Yahoo email account of a Twitter user. He then resets that user’s Twitter password and reads the reset email in the Yahoo account. User is a Twitter admin… OWNED!
18. Own The Borg, Own The WORLD!
6/19/11 1:54 PM: Dropbox pushes code breaking authentication
6/19/11 5:46 PM: Dropbox pushes fix to authentication bug
What can YOU do with four hours of access to every user’s data?!
19. I Know Exactly What My Code Does!
Besides, Application Permissions Keep Me Safe!
20. Code Reuse, Outsourcing, And Third Party Libraries
Most Code Is:
Reused
Outsourced
Third Party Libraries (with source)
Third Party Libraries (binary format)
Your vendors don’t know what their code does either!
23. [Flowchart on the slide showing the sequence of the Pandora investigation:]
• WSJ Article Discloses NJ Prosecutor’s Investigation
• JD-GUI Pandora App
• Publish Blog Post (findings: Location, Bearing, Altitude, Android ID)
• Investigate Other Applications
• Publish second blog posting with updated findings regarding permissions and other apps
• Pandora Removes Ad Libraries
24. Here’s Some Numbers…
53,000 Applications Analyzed
Android Market: ~48,000
3rd Party Markets: ~5,000
Permissions Requested
Average: 3
Most Requested: 117
Top “Interesting” Permissions
GPS information: 24% (11,929)
Read Contacts: 8% (3,626)
Send SMS: 4% (1,693)
Receive SMS: 3% (1,262)
Record Audio: 2% (1,100)
Read SMS: 2% (832)
Process Outgoing Calls: % (323)
Use Credentials: 0.5% (248)
25. Here’s Some Numbers…
Third Party Libraries
Total Third Party Libraries: ~83,000
Top Shared Libraries
com.admob: 38% (18,426 apps)
org.apache: 8% (3,684 apps)
com.google.android: 6% (2,838 apps)
com.google.ads: 6% (2,779 apps)
com.flurry: 6% (2,762 apps)
com.mobclix: 4% (2,055 apps)
com.millennialmedia: 4% (1,758 apps)
com.facebook: 4% (1,707 apps)
27. Passwords and Password Reuse
Passwords STINK!
• Passwords < 6 characters long ~30%
• Passwords from limited alpha-numeric key set ~60%
• Used names, slang words, dictionary words, trivial passwords, consecutive digits, etc. ~50%
• Not only a user problem
• Secret questions – bad idea!
• SQL Injection compromises up 43% year over year
• HBGary, Xfactor, Fox.Com, PBS, FBI, Pron.com, …
• Sony, Sony, Sony… oh.. Yeah.. SONY!
• Password reuse?
http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
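The three weaknesses the slide quantifies (too short, limited key set, trivial words or digit runs) and the reuse question at the end can all be checked mechanically. Below is an added example, not from the talk, of a password audit that classifies a constructed sample against those criteria and measures reuse across services; the word list is a small constructed stand-in for a real dictionary, and the thresholds (fewer than 6 characters, lowercase-plus-digits only) are assumptions chosen to match the slide's categories.

```python
"""Classify passwords against the weaknesses listed on the slide and
measure reuse across services. Added example; the word list, sample
passwords and credential records are constructed, not from any breach."""
import re
from collections import Counter

# Constructed stand-in for a real name/dictionary/slang list; a real audit
# would load a large word list from disk.
WORDLIST = {"password", "happiness", "monkey", "letmein", "michael", "qwerty", "dragon"}
MIN_LENGTH = 6  # assumed threshold matching the slide's "< 6 characters"


def is_too_short(pw):
    return len(pw) < MIN_LENGTH


def uses_limited_keyset(pw):
    """True when the password draws only on lowercase letters and digits,
    i.e. never reaches for uppercase or symbols."""
    return re.fullmatch(r"[a-z0-9]+", pw) is not None


def is_trivial(pw):
    """True for dictionary/name words, optionally with a trailing digit
    run (monkey99), and for consecutive or repeated digit sequences."""
    lowered = pw.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    if lowered in WORDLIST or stripped in WORDLIST:
        return True
    if lowered.isdigit():
        digits = [int(c) for c in lowered]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        # one constant step of -1, 0 or +1 means 1234, 1111 or 4321
        if len(steps) <= 1 and steps <= {-1, 0, 1}:
            return True
    return False


def audit(passwords):
    """Return the share (percent) of passwords failing each check, plus
    the share failing at least one."""
    checks = {"short": is_too_short, "limited_keyset": uses_limited_keyset, "trivial": is_trivial}
    hits = Counter()
    any_fail = 0
    for pw in passwords:
        failed = [name for name, fn in checks.items() if fn(pw)]
        hits.update(failed)
        if failed:
            any_fail += 1
    n = len(passwords)
    result = {name: round(100 * hits[name] / n) for name in checks}
    result["any"] = round(100 * any_fail / n)
    return result


def reuse_rate(records):
    """records: iterable of (user, service, password). Return the percent
    of users who use one password at more than one service. Works on
    plaintext here only because the sample is constructed."""
    by_user = {}
    for user, service, pw in records:
        by_user.setdefault(user, {}).setdefault(pw, set()).add(service)
    if not by_user:
        return 0
    reusers = sum(1 for pws in by_user.values() if any(len(s) > 1 for s in pws.values()))
    return round(100 * reusers / len(by_user))


# Constructed samples.
SAMPLE_PASSWORDS = ["abc12", "happiness", "123456", "Tr0ub4dor&3", "monkey99",
                    "zxq9w", "correct-horse-battery", "QWERTY", "7h!s-is-L0ng", "Michael2011"]
SAMPLE_RECORDS = [
    ("alice", "mail", "happiness"), ("alice", "social", "happiness"),
    ("bob", "mail", "Tr0ub4dor&3"), ("bob", "social", "7h!s-is-L0ng"),
    ("carol", "mail", "correct-horse-battery"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS))
    print("reuse rate:", reuse_rate(SAMPLE_RECORDS), "%")
```

The checks are cumulative, so a single password can count in more than one bucket, which is why the percentages on the slide add up to more than 100%.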
30. In Summary
Mobile
The perimeter is dead
Must secure from the data out
Computing will be ubiquitous and hidden
Social
The perfect breeding ground for malware
Passwords STINK!
Cloud
The path of data is uncontrollable
You can’t rely on permissions – It just won’t work
Securing ALL of your code is the only real defense
31. Mobile + Social + Cloud = A New Security Paradigm
Think Different