Session 810: The Security Risks of Mobile Environments and How to Protect Against Them
Ken Huang, Director of Security Engineering, CGI
Who am I?

• Ken Huang
  – Director of Security Engineering, CGI
     •   Cloud/Mobile Security
     •   Security testing and evaluation
     •   Identity and Access Management
     •   Frequent Speaker
     •   Blog: http://mobile-cloud-security.blogspot.com/
     •   Linkedin: www.linkedin.com/in/kenhuang8
     •   Twitter: http://twitter.com/#!/kenhuangus
Topics

•   Mobile Technology and Trends
•   Mobile Application and Trends
•   Mobile Security and Trends
•   Defense in Depth Solutions
•   Conclusion and Questions
Mobile Technology and Trends

Technology   Trends
Wi-Fi        • More Wi-Fi hotspots will be added
             • Wi-Fi still plays a huge role in WLAN
3G & 4G      • 3G will gradually phase out
             • 4G networks will increase, as it is a major competing ground
               for carriers to attract new customers
Bluetooth    • Will continue to be used to connect personal network devices
NFC          • Will gain more momentum for payment, ticketing, and check-in
               devices
3G vs 4G Networks

                    3G                                           4G
DSL speeds                                   Wired network speeds

Max speed up to 3.1 Mbps                     Max speed up to 100+ Mbps

Includes all 2G and 2.5G features plus:      Includes all 3G features plus:
•Real-time location-based services           •On-demand video
•Full motion videos                          •Video conferencing
•Streaming music                             •High-quality streaming video
•3D gaming                                   •High-quality Voice-over-IP (VoIP)
•Faster web browsing                         •Added security features

                              Trends: 4G will be the winner
WiMAX vs. Wi-Fi

                            WiMAX                         Wi-Fi
Speed                       Up to 4 Mbps                  Up to 2 Mbps
Bandwidth                   Up to 75 Mbps                 Up to 54 Mbps
Range                       30 miles (50 km)              100 feet (30 m)
Intended number of users    100+                          20
Quality of service          Weaker encryption (WEP or     Stronger encryption (TDES
                            WPP)                          or AES)

Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future
NFC
•   Uses less power than Bluetooth
•   Does not need pairing
•   Based on RFID Technology at 13.56 MHz
•   Operating distance typically up to 10 cm



    Trends: NFC will get wider use due to payment and ticketing apps
Mobile Application Trends

• Payment
  – Using your phone to pay will become a reality
• Federal Government Adoption
  – Mobile apps will become more widely used
  – Cloud and Mobile Computing
     • During an appearance in Silicon Valley, Aneesh Chopra, the
       nation’s first-ever CTO, acknowledged the inevitable emergence of
       cloud and mobile as solutions for the federal government, but sees
       them as supplementing, rather than replacing, legacy systems
  – Transportation Department gets $100 million for
    mobile apps
Mobile Application Trends (cont.)

• Federal Government Adoption (cont.)
   – FBI – most wanted listing app on iPhone
   – IRS – check refund status
   – The White House mobile app – news, videos, podcasts,
     blogs, etc.
   – More than half of federal websites are planning to develop
     a mobile-optimized website, according to a poll by ForeSee
     Results.
• Productivity tool
   – Mobile apps will become more mature over time
• Banking and Mobile Commerce
   – Check balances, transfer funds, etc.
Mobile Application Trends (cont.)
• Entertainment
  – Videos, gaming, etc.
• Social networking
  – Facebook
  – Twitter
  – Foursquare
  – Linkedin
  – Instagram
• Activists
  – Collective bargaining and strikes
• Other
  – Price comparison for various products (SnapTell)
Wi-Fi Security
 •   Use a strong password
 •   Don’t broadcast your SSID
 •   Use good wireless encryption (WPA, not WEP)
 •   Use another layer of encryption when possible (e.g. VPN, SSL)
 •   Restrict access by MAC address
 •   Shut down the network and wireless network when not in use
 •   Monitor your network for intruders
 •   Use a firewall
Trends: More Wi-Fi hotspots (but more attacks on hotspots as well) – avoid free Wi-Fi
whenever possible; Wi-Fi-enabled mobile devices can become the stepping stone to your
secured network
4G Security Trends
• Backward compatibility to 3G or GSM capabilities exposes 4G to
  3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual
  authentication: a fake network can easily claim to be a “roaming
  partner”


Trends: More bandwidth comes with a greater possibility of being attacked
Bluetooth Security Trends
• Bluejacking
     – Sending either a picture or a message from one user to an unsuspecting
       user through Bluetooth wireless technology.
•   DoS Attacks
•   Eavesdropping
•   Man-in-the-middle attacks
•   Message modification
•   NIST published a Guide to Bluetooth Security in 2008
Trends: Dependent on new apps on Bluetooth – I don’t see any significant
increase in attacks on Bluetooth
NFC Security Trends
• Eavesdropping
   – Hacker must have a good receiver and stay close
   – To avoid this, use a secure channel as compensating control
• Data Corruption and Modification
   – Jams the data so that it is not readable by the receiver
   – Check RF field as compensating control.

Trends:
• Widespread adoption expected by 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys
Attack on the app
• Currently, Android devices are the target due to Google’s
  loose vetting process
   – Law360, New York (March 15, 2012, 10:18 PM ET) --
     Android cellphone users sued Google Inc over faulty
     Android App

• iPhones and iPads are attacked less often today, but will
  become targets in the future
Trends: Apps will be more vulnerable to attacks in the future
OWASP Top 10 Mobile Risks
•   Insecure Data Storage
•   Weak Server Side Controls
•   Insufficient Transport Layer Protection
•   Client Side Injection
•   Poor Authorization and Authentication
•   Improper Session Handling
•   Security Decisions Via Untrusted Inputs
•   Side Channel Data Leakage
•   Broken Cryptography
•   Sensitive Information Disclosure
•   Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1: Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data + cloud synced
• Generally a result of:
   –   Not encrypting data
   –   Persist data not intended for long-term storage
   –   Weak or global permissions
   –   Not leveraging platform best-practices
• Risk
   –   Confidentiality of data lost
   –   Credentials disclosed
   –   Privacy violations
   –   Non-compliance
M2: Weak Server Side Controls
• We cannot trust the mobile client app
• Risk: confidentiality and integrity of data
M3: Insufficient Transport Layer Protection
• No encryption for data in transit
• Weak encryption (encoding is not encryption)
• Strong encryption, but the security warnings are ignored
  – If certificate validation errors happen, the app falls back to
    clear text
• Risk: confidentiality and integrity of data
M4: Client Side Injection
• XSS or SQL injection
• SMS injection (Apple patched the iPhone SMS
  flaw in iOS 3.0.1 in Aug. 2009)
• Risk: toll fraud, device compromise, privilege
  escalation etc.
M5: Poor Authorization and Authentication
• Device authentication based on IMEI, IMSI, UUID
  is not sufficient
• Hardware identifiers persist across data wipes
  and factory resets
• Adding contextual information is useful, but not
  foolproof
• Out-of-band verification does not work when it is sent to the same device
• Risk: Privilege escalation and Unauthorized
  access
M6: Improper Session Handling
• Mobile session is usually longer for usability
  and convenience
• Why is it a bad idea to use a device identifier as the
  session token?
• Risk: unauthorized access and privilege
  escalation
M7: Security Decisions Via Untrusted Inputs
• Security decisions need to be based on server-side
  state, not on client input data
• Risk: Can cause privilege escalation and
  consume paid resources
M8: Side Channel Data Leakage
• Caused by platform feature or app flaws
• Potential channel
  – Caches
  – Keystroke logging
  – Screenshots
  – Logs (system, crash, app)
  – Temp directory
• Risk: Privacy violation
M9: Broken Cryptography
• Broken implementation, even when using a strong
  encryption library
• Custom weak encryption implementation
• Risk: loss of data confidentiality
M10: Sensitive Information Disclosure
• Hard coded sensitive information
  – User id, password
  – SSN
  – API keys
  – Sensitive business logic
• Risk: credentials disclosed, IP disclosed.
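Both M8 (sensitive data written to logs) and M10 (hard-coded credentials) can be caught by a simple source check before release. The Python scanner below is an added example, not from the slides: it runs heuristic patterns over constructed Android-style Java source; the identifier list, the placeholder rules and the sample file are all assumptions.

```python
"""Heuristic source check for M8 (secrets in logs) and M10 (hard-coded secrets).

Added example, not from the slides. Two patterns are flagged: a string literal
assigned to a credential-looking identifier, and an Android Log.* call whose
arguments mention a credential-looking identifier. The sample source below is
constructed; the name list is a hypothetical starting point, not a standard.
"""
import re

# Identifier fragments that usually mean "this value is sensitive" (assumption).
SENSITIVE_NAMES = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|ssn|private[_-]?key)"

# M10: identifier containing a sensitive fragment assigned a literal of 4+ chars.
HARDCODED_RE = re.compile(
    rf'\b(?P<name>\w*{SENSITIVE_NAMES}\w*)\s*=\s*"(?P<value>[^"]{{4,}})"',
    re.IGNORECASE)

# M8: Log.v/d/i/w/e(...) whose argument list mentions a sensitive identifier.
LOG_RE = re.compile(
    rf'\bLog\.[vdiwe]\s*\((?P<args>[^;]*{SENSITIVE_NAMES}[^;]*)\)',
    re.IGNORECASE)

# Build-time placeholders are not secrets; skip them to keep the noise down.
PLACEHOLDER_RE = re.compile(r"^(?:\$\{.*\}|<.*>|changeme|todo|xxx+)$", re.IGNORECASE)


def scan_source(text: str, path: str = "<memory>") -> list:
    """Return a list of findings, each a dict with file, line, risk and detail."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("//"):      # whole-line comment
            continue
        m = HARDCODED_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group("value")):
            findings.append({"file": path, "line": lineno, "risk": "M10",
                             "detail": f"hard-coded value assigned to {m.group('name')}"})
        if LOG_RE.search(line):
            findings.append({"file": path, "line": lineno, "risk": "M8",
                             "detail": "sensitive identifier written to a log"})
    return findings


# Constructed sample: a fragment of an Android client, not a real app.
SAMPLE_JAVA = '''\
package com.example.bank;  // constructed sample, not a real app
public class ApiClient {
    private static final String API_KEY = "AKIA-CONSTRUCTED-EXAMPLE";
    private static final String dbPassword = "hunter22";
    private static final String endpoint = "https://api.example.com/v1";
    private String apiToken = "${API_TOKEN}";   // injected at build time
    void login(String user, String password) {
        String sessionToken = post(endpoint + "/login", user, password);
        Log.d("ApiClient", "login ok, token=" + sessionToken);
        Log.e("ApiClient", "request failed for user " + user);
    }
}
'''


def findings_for_sample() -> list:
    return scan_source(SAMPLE_JAVA, "ApiClient.java")


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"{f['file']}:{f['line']} [{f['risk']}] {f['detail']}")
```

Lines 3 and 4 of the sample are reported as M10, line 9 as M8; the `${API_TOKEN}` placeholder on line 6 and the `endpoint` URL are not reported.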
OWASP: Top 10 Security Mobile Controls
•   Identify and protect sensitive data
•   Handle password credentials securely on the device
•   Ensure sensitive data is protected in transit
•   Implement user authentication/authorization and session
    management correctly
•   Keep the backend APIs (REST or SOAP) secure
•   Secure integration with third-party apps and data (ID federation)
•   Get user consent for the collection and use of the data
•   Implement access control and digital rights management for
    paid resources
•   Secure distribution/provisioning of mobile apps
•   Check for runtime code errors
VPN for Smartphone
• Provides secure mobile access to the enterprise
  network
• Sample Mobile VPN products
  – PandaPowVPN for Android
  – Hotspot Shield for iPhone
  – Cisco
Virus Scan and Personal Firewall for Mobile Device
•   Lookout Premium
•   Trend Micro Mobile Security
•   F-Secure Mobile Security
•   NetQin Mobile Security
•   Webroot Secure Anywhere Mobile
Mobile Device Management Features
• Remote Locate - Shows you the location of your phone via Web or SMS, so
  you can find it if it’s lost or stolen.
• Remote Lock - Lets you remotely lock your lost or stolen phone via Web or
  SMS to prevent strangers from seeing your private stuff or running up your
  mobile bill.
• Remote Wipe - Lets you remotely erase the stuff on your phone via SMS if
  it’s lost or stolen, including any data on your phone’s memory card.
• Web-based Lost Notice - Displays a customizable message to anyone who
  finds your missing device, so you can make arrangements to get it back.
• Web-based Sneak Peek - Snaps photos of anyone in front of your device
  then saves the images. (Webcam devices only.)
• Antiphishing Web Protection - Blocks fraudulent (phishing) websites.
  Protects your device and your stuff on mobile networks and Wi-Fi
  connections.
• Download Threat Protection - Automatically scans all the apps and app
  updates you download to your mobile device for threats.
Gartner Magic Quadrant for MDM
Mobile Application Management (MAM)
• The BYOD (“Bring Your Own Device”) phenomenon is a
  factor behind MAM
• Manage business apps using an internal app store for
  both BYOD and company mobile devices
• Key Features
   –   App delivery
   –   App updating
   –   User authentication
   –   User authorization
   –   Version checking
   –   Push services
   –   Reporting and tracking
Current MAM Players

•   App47
•   SOTI MobiControl
•   AppBlade from Raizlabs
•   AppCentral
•   Apperian
•   Better MDM
•   JackBe
•   Nukona
•   Partnerpedia
•   WorkLight
Mobile Data Protection (MDP)
• MDP is an established market
• Safeguard stored data on mobile devices by
  means of encryption and authentication
• Provide evidence that the protection is
  working.
• Widely used on Windows-based laptops
• Not yet available for mobile phones or tablets
Gartner Magic Quadrant for MDP
Smartphone Encryption
• Android
   –   WhisperCore: whole flash memory
   –   Droid Crypt: files
   –   AnDisk Encryption: file
   –   RedPhone: voice
   –   Text Secure: text
• iPhone
   – Impossible to encrypt the whole system
   – Update to iOS 5 to encrypt outgoing iMessages
   – Voice Encryption App
        • Kryptos
        • Cellcrypt
   – Text Encryption App: Encrypt SMS
   – E-mail Encryption: SecureMail uses OpenPGP
Mobile Virtualization
• Support multiple domains/operating systems
  on the same hardware
• Enterprise IT department can securely manage
  one domain (in a virtual machine), and the
  mobile operator can separately manage the
  other domain (in a virtual machine)
Current Players in Mobile Virtualization

• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc
Reference:
http://www.virtualization.net/tag/mobile/
Mobile Users Willing to Pay More for Security

• AdaptiveMobile published the third "Global
  Security Insights in Mobile" report, which
  indicates that 83% of the people surveyed are willing to
  pay more for security.
Conclusion and Questions
• Defense in depth for mobile environment
• Device Security vs. App Security
• OWASP Top 10 Risk and Controls
• VPN, Virus Scan, MDM, MAM, MDP,
  Encryption and Mobile Virtualization
• Questions?
Thank you for attending this session. Don’t
forget to complete the evaluation!

Videogame localization & technology_ how to enhance the power of translation.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 

Session 810, Ken Huang: slide transcript

1. Session 810: The Security Risks of Mobile Environments and How to Protect Against Them
Ken Huang, Director of Security Engineering, CGI

2. Who am I?
• Ken Huang
  – Director of Security Engineering, CGI
    • Cloud/Mobile Security
    • Security testing and evaluation
    • Identity and Access Management
    • Frequent speaker
    • Blog: http://mobile-cloud-security.blogspot.com/
    • LinkedIn: www.linkedin.com/in/kenhuang8
    • Twitter: http://twitter.com/#!/kenhuangus

3. Topics
• Mobile Technology and Trends
• Mobile Application and Trends
• Mobile Security and Trends
• Defense in Depth Solutions
• Conclusion and Questions

4. Mobile Technology and Trends
Technology   Trends
Wi-Fi        • More Wi-Fi hotspots will be added
             • Wi-Fi still plays a huge role in WLAN
3G & 4G      • 3G will gradually phase out
             • 4G networks will increase, as they are a major competing ground for carriers to attract new customers
Bluetooth    • Will continue to be used to connect personal network devices
NFC          • Will gain more momentum for payment, ticketing, and check-in devices

5. 3G vs 4G Networks
3G                                        4G
DSL speeds                                Wired-network speeds
Max speed up to 3.1 Mbps                  Max speed up to 100+ Mbps
Includes all 2G and 2.5G features plus:   Includes all 3G features plus:
• Real-time location-based services       • On-demand video
• Full-motion video                       • Video conferencing
• Streaming music                         • High-quality streaming video
• 3D gaming                               • High-quality Voice-over-IP (VoIP)
• Faster web browsing                     • Added security features
Trends: 4G will be the winner
6. WiMAX vs. Wi-Fi
                           WiMAX                      Wi-Fi
Speed                      Up to 4 Mbps               Up to 2 Mbps
Bandwidth                  Up to 75 Mbps              Up to 54 Mbps
Range                      30 miles (50 km)           100 feet (30 m)
Intended number of users   100+                       20
Security                   Stronger encryption        Weaker encryption
                           (3DES or AES)              (WEP or WPA)
Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future
7. NFC
• Uses less power than Bluetooth
• Does not need pairing
• Based on RFID technology at 13.56 MHz
• Operating distance typically up to 10 cm
Trends: NFC will get wider use due to payment and ticketing apps

8. Mobile Application Trends
• Payment
  – Using your phone to pay will become a reality
• Federal Government Adoption
  – Mobile apps will become more widely used
  – Cloud and Mobile Computing
    • During an appearance in Silicon Valley, Aneesh Chopra, the first U.S. federal CTO, acknowledged the inevitable emergence of cloud and mobile as solutions for the federal government, but sees them as supplementing, rather than replacing, legacy systems
  – Transportation Department gets $100 million for mobile apps

9. Mobile Application Trends (cont.)
• Federal Government Adoption (cont.)
  – FBI: Most Wanted listing app on iPhone
  – IRS: check refund status
  – The White House mobile app: news, videos, podcasts, blogs, etc.
  – More than half of federal websites are planning to develop a mobile-optimized website, according to a poll by ForeSee Results
• Productivity tools
  – Mobile apps will become more mature over time
• Banking and Mobile Commerce
  – Check balances, transfer funds, etc.

10. Mobile Application Trends (cont.)
• Entertainment
  – Videos, gaming, etc.
• Social networking
  – Facebook
  – Twitter
  – Foursquare
  – LinkedIn
  – Instagram
• Activists
  – Collective bargaining and strikes
• Other
  – Price comparison for various products (SnapTell)
11. Wi-Fi Security
• Use a strong password (a long passphrase: a WPA/WPA2-PSK network is only as strong as the passphrase)
• Don't broadcast your SSID (hides the network from casual users only; clients still reveal it in probe requests)
• Use good wireless encryption (WPA2, or at least WPA; never WEP)
• Use another layer of encryption when possible (e.g. VPN, SSL/TLS)
• Restrict access by MAC address (easily bypassed by cloning an allowed address; a nuisance for attackers, not authentication)
• Shut down the network and wireless devices when not in use
• Monitor your network for intruders
• Use a firewall
Trends: More Wi-Fi hotspots (but more attacks on hotspots as well). Avoid free Wi-Fi whenever possible; a Wi-Fi-enabled mobile device can become the stepping stone into your secured network

12. 4G Security Trends
• Backward compatibility with 3G and GSM exposes 4G to 3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual authentication: a fake network can easily claim to be a "roaming partner"
Trends: More bandwidth comes with a greater possibility of being attacked

13. Bluetooth Security Trends
• Bluejacking: sending a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology
• DoS attacks
• Eavesdropping
• Man-in-the-middle attacks
• Message modification
• NIST published a Guide to Bluetooth Security (SP 800-121) in 2008
Trends: Dependent on new apps on Bluetooth; I don't see any significant increase in attacks on Bluetooth

14. NFC Security Trends
• Eavesdropping
  – The attacker needs a good receiver and must stay close
  – Compensating control: use a secure channel
• Data corruption and modification
  – Jamming the data so that it is not readable by the receiver
  – Compensating control: check the RF field
Trends:
• Widespread adoption expected by 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys

15. Attacks on the App
• Currently, Android devices are the main target due to Google's loose vetting process
  – Law360, New York (March 15, 2012, 10:18 PM ET): Android cellphone users sued Google Inc over a faulty Android app
• iPhones and iPads are attacked less often today, but will become targets in the future
Trends: Apps will be more vulnerable to attacks in the future
16. OWASP Top 10 Mobile Risks
• M1: Insecure Data Storage
• M2: Weak Server Side Controls
• M3: Insufficient Transport Layer Protection
• M4: Client Side Injection
• M5: Poor Authorization and Authentication
• M6: Improper Session Handling
• M7: Security Decisions via Untrusted Inputs
• M8: Side Channel Data Leakage
• M9: Broken Cryptography
• M10: Sensitive Information Disclosure
• Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

17. M1: Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data and to cloud-synced data
• Generally a result of:
  – Not encrypting data
  – Persisting data not intended for long-term storage
  – Weak or global permissions
  – Not leveraging platform best practices
• Risk
  – Confidentiality of data lost
  – Credentials disclosed
  – Privacy violations
  – Non-compliance

18. M2: Weak Server Side Controls
• The mobile client app cannot be trusted; every check the app performs must be repeated on the server
• Risk: confidentiality and integrity of data
19. M3: Insufficient Transport Layer Protection
• No encryption for data in transit
• Weak encryption; encoding (e.g. base64) is not encryption
• Strong encryption but ignoring the security warnings
  – If certificate validation errors happen, the app falls back to clear text, which hands the session to whoever caused the error
• Risk: confidentiality and integrity of data
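The "ignore the warnings, fall back to clear text" pattern from slide 19, as an added example that is not part of the deck: the lenient client TLS settings beside the correct ones, and a failure handler that refuses to downgrade. Python's ssl module stands in for the platform's SSL context (Android's SSLContext/HostnameVerifier, iOS's NSURLSession) because the same three knobs exist there: chain verification, hostname check and minimum protocol version. The URL and the error text are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit, urlunsplit


def make_client_context(strict: bool = True) -> ssl.SSLContext:
    """Build a TLS client context.

    strict=True  is what a mobile client should ship with: the platform CA
                 store, CERT_REQUIRED, hostname checking and TLS 1.2 or newer.
    strict=False reproduces the "ignore the security warnings" setting from
                 the slide; it is here only so the two can be compared.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not strict:
        # Order matters: check_hostname must be off before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # accepts any certificate, a MITM's included
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """A context must verify both the chain and the hostname to count as safe."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def next_url_after_tls_failure(url: str, reason: str, allow_downgrade: bool = False) -> str:
    """Decide what the client does when the TLS handshake to `url` fails.

    allow_downgrade=True is the vulnerable behaviour described on the slide:
    retry the same request over http://, which gives the request body to
    whoever caused the certificate error (a hotspot operator, a proxy).
    The default fails closed: the request is not sent anywhere.
    """
    if allow_downgrade:
        scheme, netloc, path, query, fragment = urlsplit(url)
        return urlunsplit(("http", netloc, path, query, fragment))   # vulnerable
    raise ConnectionError(
        f"TLS verification failed for {url}: {reason}; refusing to retry in clear text"
    )


if __name__ == "__main__":
    print("strict context safe:", context_is_safe(make_client_context()))
    print("lenient context safe:", context_is_safe(make_client_context(strict=False)))
    print("downgraded URL:", next_url_after_tls_failure(
        "https://api.example.com/v1/balance", "certificate verify failed", allow_downgrade=True))
```

Certificate pinning (comparing the server's public key against a value shipped in the app) is the next step up from this baseline; it is omitted here because it needs a real certificate to be meaningful.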
20. M4: Client Side Injection
• XSS or SQL injection (e.g. into a WebView or the app's local SQLite database)
• SMS injection (Apple patched the iPhone SMS flaw in iOS 3.0.1 in Aug. 2009)
• Risk: toll fraud, device compromise, privilege escalation, etc.
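Client-side SQL injection against a local database, as an added example that is not from the deck. Mobile apps keep their data in SQLite, and a query built by string concatenation from an intent extra, a deep-link parameter or a scanned code is injectable exactly like a web backend. Python's sqlite3 module is used so the example runs offline; the table and rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for an app's local SQLite database.
SAMPLE_NOTES = [
    ("alice", "grocery list"),
    ("alice", "alice's private note"),
    ("bob", "bob's account PIN reminder"),
]


def open_db() -> sqlite3.Connection:
    """In-memory database with one table, so the example needs no files."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    return conn


def notes_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """String-built query: `owner` becomes part of the SQL text (the M4 flaw)."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query: `owner` is bound as a value and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


# Two inputs an attacker-controlled field could carry.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"                            # read every owner's rows
PAYLOAD_SCHEMA = "' UNION SELECT name FROM sqlite_master --"  # read table names instead of notes


def demo() -> dict:
    conn = open_db()
    return {
        "vuln_tautology": notes_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_schema": notes_vulnerable(conn, PAYLOAD_SCHEMA),
        "safe_tautology": notes_safe(conn, PAYLOAD_TAUTOLOGY),
        "safe_bob": notes_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same binding discipline applies on Android (`SQLiteDatabase.query` / `rawQuery` with `selectionArgs`) and on iOS (`sqlite3_bind_*`): the fix is to never let user data reach the SQL parser.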
21. M5: Poor Authorization and Authentication
• Device authentication based on IMEI, IMSI or UUID is not sufficient: these identifiers are readable by other apps and can be spoofed
• Hardware identifiers persist across data wipes and factory resets, so they cannot be revoked
• Adding contextual information is useful, but not foolproof
• Out-of-band verification does not work when the second factor is delivered to the same device that is logging in
• Risk: privilege escalation and unauthorized access

22. M6: Improper Session Handling
• Mobile sessions are usually longer for usability and convenience
• Using a device identifier as the session token is a bad idea: it is static, known to other apps on the device, and cannot be expired or revoked
• Risk: unauthorized access and privilege escalation

23. M7: Security Decisions via Untrusted Inputs
• Security decisions (roles, prices, entitlements) must be based on server-side state, not on values supplied by the client
• Risk: privilege escalation and consumption of paid resources
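Slides 21 to 23 (M5, M6 and M7) together, as an added server-side example that is not from the deck: a session store that uses the device identifier as the token, beside one that issues a random token with expiry and revocation and treats the device identifier only as context; then an authorization check that trusts a client-supplied role beside one that reads the role from the server's own record. The accounts, timeouts and device identifiers are constructed, and the plain-text passwords are a stand-in for properly hashed ones.

```python
import hmac
import secrets
import time

# Constructed sample accounts. Plain-text passwords keep the example short; the
# point here is the session token and where the role comes from.
ACCOUNTS = {
    "alice": {"password": "correct horse", "role": "user"},
    "carol": {"password": "battery staple", "role": "admin"},
}
ABSOLUTE_TTL = 8 * 60 * 60   # assumption: 8 h maximum session lifetime
IDLE_TTL = 15 * 60           # assumption: 15 min inactivity timeout


def password_ok(user: str, password: str) -> bool:
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"].encode(), password.encode())


class DeviceIdSessions:
    """M5/M6 anti-pattern: the device identifier (IMEI/UDID) *is* the session token."""

    def __init__(self):
        self.sessions = {}

    def login(self, user: str, password: str, device_id: str):
        if not password_ok(user, password):
            return None
        self.sessions[device_id] = user     # static, readable by other apps, never expires
        return device_id

    def whoami(self, token: str):
        return self.sessions.get(token)     # anyone who knows the IMEI is "logged in"


class RandomTokenSessions:
    """Server-side store: unguessable token, expiry, revocation; device id is context only."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock so expiry can be tested
        self._sessions = {}

    def login(self, user: str, password: str, device_id: str):
        if not password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        t = self._now()
        self._sessions[token] = {"user": user, "device": device_id, "created": t, "seen": t}
        return token

    def whoami(self, token: str, device_id: str):
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_TTL or t - s["seen"] > IDLE_TTL or s["device"] != device_id:
            self._sessions.pop(token, None)  # expired, or presented from another device: revoke
            return None
        s["seen"] = t
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


# M7: the authorization decision comes from the server-side record, not the request body.
def admin_action_vulnerable(request: dict) -> str:
    return "ok" if request.get("role") == "admin" else "denied"   # trusts a client flag


def admin_action_safe(sessions: RandomTokenSessions, token: str, device_id: str) -> str:
    user = sessions.whoami(token, device_id)
    if user is None or ACCOUNTS[user]["role"] != "admin":
        return "denied"
    return "ok"


if __name__ == "__main__":
    s = RandomTokenSessions()
    tok = s.login("alice", "correct horse", "imei-1")
    print("token:", tok, "->", s.whoami(tok, "imei-1"))
    print("client says admin:", admin_action_vulnerable({"role": "admin"}))
    print("server decides  :", admin_action_safe(s, tok, "imei-1"))
```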
24. M8: Side Channel Data Leakage
• Caused by platform features or app flaws
• Potential channels
  – Caches (URL and web caches)
  – Keystroke logging (predictive-text dictionaries)
  – Screenshots (task-switcher snapshots)
  – Logs (system, crash, app)
  – Temp directories
• Risk: privacy violation

25. M9: Broken Cryptography
• Broken implementation using a strong encryption library (e.g. hard-coded keys, keys stored beside the data)
• Custom weak encryption implementations
• Risk: loss of data confidentiality
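Three of the failures named on slides 17, 19 and 25, as an added example that is not from the deck: base64 "protection" undone without a key, a home-grown repeating-key XOR cipher broken with known plaintext and a hard-coded key, and unsalted fast hashing of credentials beside PBKDF2 with a per-user salt and a constant-time check. Only the standard library is used; the key, records and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


# 1. Encoding is not encryption: base64 hides nothing.
def obfuscate(secret: bytes) -> bytes:
    return base64.b64encode(secret)


def deobfuscate(blob: bytes) -> bytes:
    return base64.b64decode(blob)            # no key needed; anyone with the file can do this


# 2. A "custom weak encryption implementation": repeating-key XOR.
def xor_cipher(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: c XOR p = k at every position, so a predictable
    record header (a file magic, a JSON prefix) of key_len bytes yields the key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(ciphertext[i] ^ known_prefix[i] for i in range(key_len))


# 3. Credential storage: fast unsalted hash vs. PBKDF2 with a per-user salt.
def hash_password_weak(password: str) -> str:
    # Same input, same output for every user: precomputable and brute-forceable at GPU speed.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2-sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))   # constant-time comparison


def demo() -> dict:
    # Constructed records: two notes "encrypted" under one key baked into the app,
    # both starting with the same predictable JSON prefix.
    key = b"s3cr3tk3"                        # 8-byte hard-coded key (also an M10 finding)
    note1 = b'{"account": "1234-5678", "pin": "4321"}'
    note2 = b'{"account": "9876-5432", "pin": "8765"}'
    c1, c2 = xor_cipher(note1, key), xor_cipher(note2, key)
    recovered = recover_xor_key(c1, b'{"account"', len(key))   # attacker knows the record format
    return {
        "base64_recovered": deobfuscate(obfuscate(b"api-secret-42")),
        "xor_key_recovered": recovered,
        "note2_decrypted": xor_cipher(c2, recovered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
    stored = hash_password("hunter2")
    print("verify:", verify_password("hunter2", stored), verify_password("hunter3", stored))
```

For data at rest the right answer is an authenticated cipher (AES-GCM or AES-CBC plus HMAC) from the platform library, with the key held in the platform keystore rather than in the binary; the XOR scheme above is shown only to make the "custom cipher" failure concrete.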
26. M10: Sensitive Information Disclosure
• Hard-coded sensitive information (recoverable from the shipped binary with a decompiler or `strings`)
  – User IDs, passwords
  – SSNs
  – API keys
  – Sensitive business logic
• Risk: credentials disclosed, IP disclosed
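A small hard-coded-secret scanner of the kind a reviewer runs over decompiled app source, as an added example that is not from the deck. It combines three heuristics: secret-looking variable names, a known key format (the AWS access key ID pattern; the value used is the placeholder from AWS's own documentation), and high-entropy string literals. The sample source lines, the regexes and the entropy threshold are constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample lines, the kind of thing found in decompiled app source.
SAMPLE_SOURCE = """\
private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
String password = "hunter2";
String url = "https://api.example.com/v1/refund";
String token = "Xq7vB2nL9pRt4kWz8mJc3hGd6yFs1aEu5oNiQbKl";
String label = "Enter your PIN to continue";
int retries = 3;
"""

SECRET_NAME = re.compile(
    r'\b\w*(?:key|secret|password|passwd|pwd|token|credential)\w*\s*=\s*"([^"]+)"',
    re.IGNORECASE)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
STRING_LITERAL = re.compile(r'"([^"]{20,})"')
ENTROPY_THRESHOLD = 4.5      # bits per character; assumption tuned for this sample


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str) -> list:
    """Return (line_number, rule, matched_text) triples.

    These are heuristics: a variable called `monkey` trips the name rule and a
    random-looking product code trips the entropy rule. Treat hits as review
    leads, not verdicts.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = SECRET_NAME.search(line)
        if m:
            findings.append((no, "secret-looking-name", m.group(1)))
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((no, "aws-access-key-id", m.group(0)))
        for m in STRING_LITERAL.finditer(line):
            lit = m.group(1)
            if " " in lit or "://" in lit:     # prose and URLs score high but are not secrets
                continue
            if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                findings.append((no, "high-entropy-literal", lit))
    return findings


if __name__ == "__main__":
    for line_no, rule, text in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {text}")
```

The remediation on the app side is the same regardless of which rule fired: credentials and keys do not belong in the binary at all; they belong on the server, or in the platform keystore after the user has authenticated.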
27. OWASP: Top 10 Mobile Controls
• Identify and protect sensitive data on the device
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication, authorization and session management correctly
• Keep the backend APIs (REST or SOAP) and the platform (server) secure
• Secure data integration with third-party apps and services (identity federation)
• Get user consent for the collection and use of their data
• Implement access control and digital rights management for paid-for resources
• Ensure secure distribution and provisioning of mobile apps
• Carefully check any runtime interpretation of code for errors

28. VPN for Smartphones
• Provides secure mobile access to the enterprise network
• Sample mobile VPN products
  – PandaPow VPN for Android
  – Hotspot Shield for iPhone
  – Cisco

29. Virus Scan and Personal Firewall for Mobile Devices
• Lookout Premium
• Trend Micro Mobile Security
• F-Secure Mobile Security
• NetQin Mobile Security
• Webroot SecureAnywhere Mobile

30. Mobile Device Management Features
• Remote Locate: shows you the location of your phone via web or SMS, so you can find it if it's lost or stolen
• Remote Lock: lets you remotely lock your lost or stolen phone via web or SMS, to prevent strangers from seeing your private data or running up your mobile bill
• Remote Wipe: lets you remotely erase the data on your phone via SMS if it's lost or stolen, including any data on the phone's memory card
• Web-based Lost Notice: displays a customizable message to anyone who finds your missing device, so you can make arrangements to get it back
• Web-based Sneak Peek: snaps photos of anyone in front of your device, then saves the images (camera-equipped devices only)
• Anti-phishing Web Protection: blocks fraudulent (phishing) websites; protects your device and your data on mobile networks and Wi-Fi connections
• Download Threat Protection: automatically scans all the apps and app updates you download to your mobile device for threats

32. Mobile Application Management (MAM)
• The BYOD ("Bring Your Own Device") phenomenon is a factor behind MAM
• Manage business apps through an internal app store, for both BYOD and company-owned mobile devices
• Key features
  – App delivery
  – App updating
  – User authentication
  – User authorization
  – Version checking
  – Push services
  – Reporting and tracking

33. Current MAM Players
• App47
• SOTI MobiControl
• AppBlade from Raizlabs
• AppCentral
• Apperian
• Better MDM
• JackBe
• Nukona
• Partnerpedia
• WorkLight

34. Mobile Data Protection (MDP)
• MDP is an established market
• Safeguards stored data on mobile devices by means of encryption and authentication
• Provides evidence that the protection is working
• Widely used on Windows-based laptops
• Not yet available for phones or tablets

36. Smartphone Encryption
• Android
  – WhisperCore: whole flash memory
  – Droid Crypt: files
  – AnDisk Encryption: files
  – RedPhone: voice
  – TextSecure: text messages
• iPhone
  – No third-party whole-device encryption; iOS relies on the built-in hardware encryption (Data Protection), whose key is derived from the device passcode, so a strong passcode is the control
  – Update to iOS 5 to encrypt outgoing iMessages
  – Voice encryption apps
    • Kryptos
    • Cellcrypt
  – Text encryption app: Encrypt SMS
  – E-mail encryption: SecureMail uses OpenPGP

37. Mobile Virtualization
• Supports multiple domains/operating systems on the same hardware
• The enterprise IT department can securely manage one domain (in a virtual machine) while the mobile operator separately manages the other domain (in another virtual machine)

38. Current Players in Mobile Virtualization
• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc
Reference: http://www.virtualization.net/tag/mobile/

39. Mobile Users Willing to Pay More for Security
• AdaptiveMobile published the third "Global Security Insights in Mobile" report, which indicates that 83% of the people surveyed are willing to pay more for security

40. Conclusion and Questions
• Defense in depth for the mobile environment
• Device security vs. app security
• OWASP Top 10 Risks and Controls
• VPN, virus scan, MDM, MAM, MDP, encryption and mobile virtualization
• Questions?

41. Thank you for attending this session. Don't forget to complete the evaluation!

Speaker notes

1. Wi-Fi Protected Access (WPA) is the security standard adopted by the Wi-Fi Alliance consortium. Wi-Fi compliance ensures interoperability between different manufacturers' equipment. WPA delivers a level of security well beyond anything that WEP can offer, bridges the gap between WEP and 802.11i (WPA2) networks, and has the advantage that the firmware in older equipment may be upgradeable.

2. The International Mobile Equipment Identity (IMEI) is a number, usually unique, that identifies GSM, WCDMA and iDEN mobile phones, as well as some satellite phones. It is usually found printed inside the battery compartment of the phone and can also be displayed on screen by entering *#06# on the keypad of most phones. The IMEI is used by the GSM network to identify valid devices and can therefore be used to stop a stolen phone from accessing the network in that country: if a phone is stolen, the owner can ask the network provider to "blacklist" it by IMEI, which renders the phone useless on that network, and sometimes on other networks too, whether or not the phone's SIM is changed.
The International Mobile Subscriber Identity (IMSI) is a unique identification associated with every GSM and UMTS mobile phone user. It is stored as a 64-bit field in the SIM inside the phone and is sent by the phone to the network. It is also used to look up other details of the subscriber in the Home Location Register (HLR) or, as a local copy, in the Visitor Location Register (VLR). To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a randomly generated TMSI is sent instead. The IMSI is used in any mobile network that interconnects with other networks. It is provisioned in the phone directly or in the R-UIM card (the CDMA equivalent of a GSM SIM card). Neither identifier is a secret, which is why slide 21 rejects them as authenticators.

3. Green Hills Software, OK Labs, Red Bend Software, VMware, B Labs