Social and Mobile and Cloud OH MY!
The Story of a "New Computing Paradigm"
Tyler Shields, Researcher
October 20, 2011
What do these Twitter accounts have in common?
They have all been hacked!
Social Networking
Mobile Computing
The Cloud
The Times They Are a-Changin'...
I'm Secure, I Have A Firewall!
Malware Is for PCs!
Viral Adoption

Refers to a system architecture that can be adopted incrementally, and gains momentum as it scales.

Source: Viral Communications, MIT Media Laboratory research draft, May 19th, 2003: http://dl.media.mit.edu/viral/viral.pdf
New Age Malware

The new computing platforms are:
• Decentralized
• Interconnected
• Mobile
• Quick Content Publishing

The malware that targets them is:
• Decentralized
• Interconnected
• Mobile
• Has Access to Data
KoobFace
• Social media worm
• Propagates via Facebook messages and Facebook wall posts
• Spams your friend list with a fake "update for Adobe Flash"
• Installs pay-per-install malware on the target
• Infected computers operate as a botnet
I Know EXACTLY Where All My Data Lives
Sure, it's Safe in the Cloud!
The Path Your Data Takes

Nodes in the diagram: Approved Cloud Vendor; Sub-Cloud Vendor (two of them); The Office Central Server; The Calendar Mirrored via Google; Google Docs shared with a remote co-worker; Laptop stolen at the airport; The lost iPhone; The hacked home PC; and, indirectly, "Oops, did I say that on Facebook?!"
Own The Borg, Own The WORLD!
In 2009, Twitter gets COMPLETELY owned... TWICE!

A brute-force password attack against a targeted user reveals the password "Happiness". The user is a Twitter admin... OWNED!

A French hacker takes over the Yahoo email account of a Twitter user, then resets that user's Twitter password and reads the reset email in the Yahoo account. The user is a Twitter admin... OWNED!
Own The Borg, Own The WORLD!
6/19/11 1:54 PM: Dropbox pushes code breaking authentication
6/19/11 5:46 PM: Dropbox pushes fix to authentication bug

What can YOU do with four hours of access to every user's data?!
I Know Exactly What My Code Does!
Besides, Application Permissions Keep Me Safe!
Code Reuse, Outsourcing, And Third Party Libraries

Most code is:
• Reused
• Outsourced
• Third party libraries (with source)
• Third party libraries (binary format)

Your vendors don't know what their code does either!
Android Manifest Permissions (all in the android.permission namespace)

ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD,
DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CONTACTS, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_SMS, READ_SYNC_SETTINGS, READ_SYNC_STATS, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS,
RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SYNC_SETTINGS
Just Let Me Fling Birds at Pigs Already!
WSJ Article Discloses NJ Prosecutor's Investigation

Timeline of the Pandora investigation:
• WSJ article discloses the NJ prosecutor's investigation
• Decompile the Pandora app with JD-GUI
• Publish blog post: the app collects Location, Bearing, Altitude and Android ID
• Investigate other applications
• Publish second blog post with updated findings regarding permissions and other apps
• Pandora removes ad libraries
Here's Some Numbers...
53,000 applications analyzed
Android Market: ~48,000
3rd party markets: ~5,000

Permissions requested
Average per app: 3
Most requested by a single app: 117

Top "interesting" permissions (share of apps, count)
GPS information: 24% (11,929)
Read Contacts: 8% (3,626)
Send SMS: 4% (1,693)
Receive SMS: 3% (1,262)
Record Audio: 2% (1,100)
Read SMS: 2% (832)
Process Outgoing Calls: <1% (323)
Use Credentials: 0.5% (248)
Here's Some Numbers...

Third Party Libraries
Total third party libraries: ~83,000

Top shared libraries (share of apps, count)
com.admob: 38% (18,426 apps)
org.apache: 8% (3,684 apps)
com.google.android: 6% (2,838 apps)
com.google.ads: 6% (2,779 apps)
com.flurry: 6% (2,762 apps)
com.mobclix: 4% (2,055 apps)
com.millennialmedia: 4% (1,758 apps)
com.facebook: 4% (1,707 apps)
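The permission and library counts above come from Veracode's analysis of 53,000 apps. The following is an added example, not the deck's or Veracode's tooling, of how those two measurements are taken, run over a handful of constructed apps: it pulls the <uses-permission> entries out of each AndroidManifest.xml, tallies the deck's "interesting" permissions (mapping "GPS information" to ACCESS_FINE_LOCATION is an assumption), attributes third-party libraries by matching class names against the package prefixes listed above, and diffs the permissions an app requests against what a reviewer judges it needs. Every sample app, class list and "needed" set below is constructed.

```python
"""Added example (not the deck's or Veracode's code): the two measurements the
deck reports over 53,000 apps, taken over a few constructed sample apps."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The "interesting" permissions the deck singles out. Mapping "GPS information"
# to ACCESS_FINE_LOCATION is an assumption.
INTERESTING = {
    "ACCESS_FINE_LOCATION": "GPS information",
    "READ_CONTACTS": "Read Contacts",
    "SEND_SMS": "Send SMS",
    "RECEIVE_SMS": "Receive SMS",
    "RECORD_AUDIO": "Record Audio",
    "READ_SMS": "Read SMS",
    "PROCESS_OUTGOING_CALLS": "Process Outgoing Calls",
    "USE_CREDENTIALS": "Use Credentials",
}
# Package prefixes of the shared libraries the deck lists.
LIBRARY_PREFIXES = (
    "com.admob", "org.apache", "com.google.android", "com.google.ads",
    "com.flurry", "com.mobclix", "com.millennialmedia", "com.facebook",
)

def permissions_from_manifest(manifest_xml):
    """Short names of every <uses-permission> in an AndroidManifest.xml."""
    perms = set()
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        full = node.get(ANDROID_NS + "name", "")
        if full:
            perms.add(full.rsplit(".", 1)[-1])  # android.permission.X -> X
    return perms

def libraries_from_classes(class_names):
    """Library prefixes present in an app, judged from its class list (the
    package names a decompiler such as JD-GUI shows)."""
    found = set()
    for cls in class_names:
        for prefix in LIBRARY_PREFIXES:
            if cls == prefix or cls.startswith(prefix + "."):
                found.add(prefix)
                break
    return found

def excess_permissions(requested, needed):
    """Permissions requested beyond what the app's stated function needs.
    'needed' is the reviewer's judgement; a manifest cannot express it."""
    return set(requested) - set(needed)

def audit(apps):
    """apps: iterable of (manifest_xml, class_names).
    Returns (permission counts, library counts, max per app, average per app)."""
    perm_counts, lib_counts, per_app = Counter(), Counter(), []
    for manifest_xml, class_names in apps:
        perms = permissions_from_manifest(manifest_xml)
        per_app.append(len(perms))
        perm_counts.update(perms)
        lib_counts.update(libraries_from_classes(class_names))
    avg = sum(per_app) / len(per_app) if per_app else 0.0
    return perm_counts, lib_counts, max(per_app, default=0), avg

def interesting_report(perm_counts, total_apps):
    """{label: (percent of apps, count)} for the deck's "interesting" set."""
    return {label: (round(100.0 * perm_counts[p] / total_apps, 1), perm_counts[p])
            for p, label in INTERESTING.items()}

def _manifest(*perms):
    """Minimal constructed manifest requesting the given permissions."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.app">{uses}<application/></manifest>')

# Constructed corpus: a flashlight that wants location and contacts, an SMS
# client, an ad-funded game, and a plain notes app.
SAMPLE_APPS = [
    (_manifest("INTERNET", "ACCESS_FINE_LOCATION", "READ_CONTACTS"),
     ["com.example.flashlight.Main", "com.admob.android.ads.AdView",
      "com.flurry.android.FlurryAgent"]),
    (_manifest("SEND_SMS", "RECEIVE_SMS", "READ_SMS", "INTERNET"),
     ["com.example.sms.Main", "org.apache.http.client.HttpClient"]),
    (_manifest("INTERNET", "ACCESS_FINE_LOCATION", "VIBRATE"),
     ["com.example.game.Main", "com.admob.android.ads.AdView",
      "com.google.ads.AdView"]),
    (_manifest("INTERNET"), ["com.example.notes.Main"]),
]

if __name__ == "__main__":
    perms, libs, most, avg = audit(SAMPLE_APPS)
    print(f"{len(SAMPLE_APPS)} apps, average {avg:.2f} permissions, max {most}")
    for label, (pct, n) in interesting_report(perms, len(SAMPLE_APPS)).items():
        print(f"  {label:24s} {pct:5.1f}%  ({n})")
    for lib, n in libs.most_common():
        print(f"  {lib:24s} {100 * n / len(SAMPLE_APPS):5.1f}%  ({n} apps)")
    flashlight = permissions_from_manifest(SAMPLE_APPS[0][0])  # needed set is assumed
    print("flashlight excess:", sorted(excess_permissions(flashlight, {"CAMERA", "FLASHLIGHT"})))
```

The excess_permissions check is the deck's closing argument in code: the manifest states what an app may do, not what it should, so whether a flashlight needs READ_CONTACTS is a review judgement that no permission prompt can make for the user.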
Of Course It's Secure, It's Got A Password On It!
Passwords and Password Reuse
Passwords STINK!

• Passwords shorter than 6 characters: ~30%
• Passwords drawn from a limited alphanumeric key set: ~60%
• Names, slang words, dictionary words, trivial passwords, consecutive digits, etc.: ~50%

• Not only a user problem
• Secret questions: bad idea!
• SQL injection compromises up 43% year over year
  • HBGary, X Factor, Fox.com, PBS, FBI, Pron.com, ...
  • Sony, Sony, Sony... oh, yeah... SONY!
  • Password reuse?

Source: http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
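The three weak-password percentages above are the output of a password audit. As an added example, not from the deck, here is the classification behind such an audit run over a constructed breach dump, plus the cross-site reuse check the last bullet asks about. The 6-character threshold, the reading of "limited alphanumeric key set" as lowercase letters and digits only, and the ten-entry word list are assumptions standing in for a real policy and a real dictionary; every address and password in the dumps is made up.

```python
"""Added example (not from the deck): the classification behind the weak-password
percentages quoted above, plus a cross-site reuse check, over constructed dumps."""
import re
from collections import Counter

MIN_LENGTH = 6                            # assumed threshold behind "< 6 characters"
LIMITED_SET = re.compile(r"^[a-z0-9]+$")  # assumption: lowercase letters and digits only
DIGITS_ONLY = re.compile(r"^\d+$")
# Ten-entry stand-in for a real dictionary and name list (constructed).
WORDLIST = {"password", "happiness", "monkey", "dragon", "letmein", "qwerty",
            "michael", "jennifer", "football", "welcome"}


def is_consecutive_digits(pw):
    """123456, 654321, 111111: every step between digits is the same (+1, -1 or 0)."""
    if len(pw) < 3 or not DIGITS_ONLY.match(pw):
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {9}, {0})


def is_trivial(pw):
    """Dictionary word or name, optionally with trailing digits, or a digit run."""
    lowered = pw.lower()
    stem = re.sub(r"\d+$", "", lowered)  # monkey1 -> monkey
    return lowered in WORDLIST or stem in WORDLIST or is_consecutive_digits(pw)


def classify(pw):
    """The deck's three weaknesses, as booleans, for one password."""
    return {
        "short": len(pw) < MIN_LENGTH,
        "limited_set": bool(LIMITED_SET.match(pw)),
        "trivial": is_trivial(pw),
    }


def audit(passwords):
    """Percent of passwords failing each check, the way the deck reports them."""
    counts = Counter()
    for pw in passwords:
        counts.update(k for k, bad in classify(pw).items() if bad)
    n = len(passwords)
    return {k: round(100.0 * counts[k] / n, 1) for k in ("short", "limited_set", "trivial")}


def reused_credentials(dump_a, dump_b):
    """Accounts whose password is identical in two dumps (email -> password).
    Real dumps hold hashes; equality still works on them unchanged only when
    both sites used the same unsalted hash."""
    return sorted(e for e in dump_a.keys() & dump_b.keys() if dump_a[e] == dump_b[e])


# Constructed dumps; addresses and passwords are made up. "Happiness" is the
# password the deck says gave up a Twitter admin account.
DUMP_A = {
    "alice@example.com": "Happiness",
    "bob@example.com": "123456",
    "carol@example.com": "T7!rq#9Lw2",
    "dave@example.com": "monkey1",
    "erin@example.com": "qwerty",
    "frank@example.com": "abc",
    "grace@example.com": "Correct-Horse-Battery",
    "heidi@example.com": "jennifer",
}
DUMP_B = {
    "alice@example.com": "Happiness",
    "bob@example.com": "654321",
    "dave@example.com": "monkey1",
    "ivan@example.com": "letmein",
}

if __name__ == "__main__":
    for check, pct in audit(list(DUMP_A.values())).items():
        print(f"{check:12s} {pct:5.1f}%")
    print("reused across both dumps:", reused_credentials(DUMP_A, DUMP_B))
```

Note that "Happiness" fails none of the length or character-set checks and is caught only by the word list, which is the case the deck's Twitter story makes: a nine-character mixed-case password is still one guess away if it is a dictionary word.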
The Golden Rule
In Summary

Mobile
• The perimeter is dead
• Must secure from the data out
• Computing will be ubiquitous and hidden

Social
• The perfect breeding ground for malware
• Passwords STINK!

Cloud
• The path of data is uncontrollable

You can't rely on permissions: it just won't work
Securing ALL of your code is the only real defense

Mobile + Social + Cloud = A New Security Paradigm




     Think Different
Email: tshields@veracode.com   @txs

How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Social, Mobile and Cloud Security Paradigm Shift

  • 1. Social and Mobile and Cloud OH MY! The Story of a “New Computing Paradigm”. Tyler Shields, Researcher. October 20, 2011
  • 2. What do these Twitter accounts have in common?
  • 3. They have all been hacked!
  • 8. The Times They Are a Changing..
  • 9. I’m Secure, I Have A Firewall!
  • 12. Viral Adoption: refers to a system architecture that can be adopted incrementally, and gains momentum as it scales. http://dl.media.mit.edu/viral/viral.pdf (Viral Communications, Media Laboratory Research Draft, May 19th, 2003)
  • 13. New Age Malware. Social networks are: Decentralized, Interconnected, Mobile, Quick Content Publishing. An ideal malware distribution system is: Decentralized, Interconnected, Mobile, Has Access to Data.
  • 14. KoobFace • Social media worm • Propagation via Facebook messages • Propagation via Facebook wall posts • Spams your friend list to an “update for Adobe Flash” • Installs pay per install malware on target • Infected computers operate as a botnet
  • 15. I Know EXACTLY Where All My Data Lives Sure it’s Safe in the Cloud!
  • 16. The Path Your Data Takes: Approved Cloud Vendor (with Sub-Cloud Vendor and Sub-Cloud Vendor); The Office Central Server; The Calendar Mirrored via Google; Laptop Stolen at the Airport; The Lost iPhone; The Hacked Home PC; Google Docs to share with a remote co-worker; Indirect: Oops, did I say that on Facebook?!
  • 17. Own The Borg, Own The WORLD! In 2009, Twitter gets COMPLETELY owned… TWICE! (1) A brute force password attack on a targeted user reveals a password of “Happiness”; the user is a Twitter admin… OWNED! (2) A French hacker owns the Yahoo email account of a Twitter user, resets that user's Twitter password and reads the reset email in the Yahoo account; the user is a Twitter admin… OWNED!
  • 18. Own The Borg, Own The WORLD! 6/19/11 1:54 PM: Dropbox pushes code breaking authentication 6/19/11 5:46 PM: Dropbox pushes fix to authentication bug What can YOU do with four hours of access to every user’s data?!
  • 19. I Know Exactly What My Code Does! Besides, Application Permissions Keep Me Safe!
  • 20. Code Reuse, Outsourcing, And Third Party Libraries. Most code is: reused; outsourced; third party libraries (with source); third party libraries (binary format). Your vendors don’t know what their code does either!
  • 21. Android Manifest Permissions (the slide's three-column list, in alphabetical order): ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CONTACTS, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_SMS, READ_SYNC_SETTINGS, READ_SYNC_STATS, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SYNC_SETTINGS
  • 22. Just Let Me Fling Birds at Pigs Already!
  • 23. Timeline: WSJ article discloses NJ prosecutor’s investigation; JD-GUI the Pandora app; publish blog post (Location, Bearing, Altitude, Android ID); investigate other applications; publish second blog posting with updated findings regarding permissions and other apps; Pandora removes ad libraries.
  • 24. Here’s Some Numbers… 53,000 applications analyzed (Android Market: ~48,000; 3rd party markets: ~5,000). Permissions requested: average 3; most requested: 117. Top “interesting” permissions: GPS information 24% (11,929); Read Contacts 8% (3,626); Send SMS 4% (1,693); Receive SMS 3% (1,262); Record Audio 2% (1,100); Read SMS 2% (832); Process Outgoing Calls % (323); Use Credentials 0.5% (248).
  • 25. Here’s Some Numbers… Third party libraries: ~83,000 in total. Top shared libraries: com.admob 38% (18,426 apps); org.apache 8% (3,684 apps); com.google.android 6% (2,838 apps); com.google.ads 6% (2,779 apps); com.flurry 6% (2,762 apps); com.mobclix 4% (2,055 apps); com.millennialmedia 4% (1,758 apps); com.facebook 4% (1,707 apps).
  • 26. Of Course It’s Secure, It’s Got A Password On It!
  • 27. Passwords and Password Reuse. Passwords STINK! Passwords under 6 characters long: ~30%; passwords from a limited alphanumeric key set: ~60%; names, slang words, dictionary words, trivial passwords, consecutive digits, etc.: ~50%. Not only a user problem: secret questions are a bad idea! SQL injection compromises up 43% year over year (HBGary, Xfactor, Fox.com, PBS, FBI, Pron.com, … and Sony, Sony, Sony… oh.. yeah.. SONY!). Password reuse? http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
  • 30. In Summary. Mobile: the perimeter is dead; must secure from the data out; computing will be ubiquitous and hidden. Social: the perfect breeding ground for malware; passwords STINK! Cloud: the path of data is uncontrollable; you can’t rely on permissions, it just won’t work; securing ALL of your code is the only real defense.
  • 31. Mobile + Social + Cloud = A New Security Paradigm Think Different
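The script below is an added example, not part of Tyler Shields's deck or Veracode's tooling. It ties slides 21 through 25 together by doing, on a small constructed corpus, what the numbers on those slides summarize: parse each app's AndroidManifest.xml for the permissions it requests, flag the ones the deck calls “interesting”, bucket the classes found in the app under third-party library package prefixes, and aggregate both across the corpus. The manifests and class lists are constructed inline; the library bucketing (slide 25's prefixes, otherwise the first two package components) is a heuristic; and a real APK's manifest is binary XML that has to be decoded first (for example with apktool) before it is fed to parse_manifest.

```python
"""Added example: manifest-permission and third-party-library triage for a
small, constructed corpus of Android apps (not the deck's own tooling)."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the deck singles out as "interesting" (slide 24), keyed by the
# label used there. Both location permissions map to the one "GPS" label.
INTERESTING = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS information",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS information",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.SEND_SMS": "Send SMS",
    "android.permission.RECEIVE_SMS": "Receive SMS",
    "android.permission.RECORD_AUDIO": "Record Audio",
    "android.permission.READ_SMS": "Read SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "Process Outgoing Calls",
    "android.permission.USE_CREDENTIALS": "Use Credentials",
}

# Library package prefixes named on slide 25. Any other class outside the
# app's own package is bucketed by its first two components (heuristic).
KNOWN_LIBRARIES = ("com.admob", "org.apache", "com.google.android",
                   "com.google.ads", "com.flurry", "com.mobclix",
                   "com.millennialmedia", "com.facebook")


def parse_manifest(xml_text):
    """(package name, set of requested permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    return root.get("package"), perms


def interesting_permissions(perms):
    """Slide-24 labels for the requested permissions that touch user data."""
    return sorted({INTERESTING[p] for p in perms if p in INTERESTING})


def library_prefix(class_name):
    """Bucket a fully qualified class name under a library package prefix."""
    for prefix in KNOWN_LIBRARIES:
        if class_name.startswith(prefix + "."):
            return prefix
    return ".".join(class_name.split(".")[:2])


def embedded_libraries(app_package, class_names):
    """Library buckets present in an app, ignoring the app's own classes."""
    return {library_prefix(c) for c in class_names
            if not c.startswith(app_package + ".")}


def triage(manifest_xml, class_names):
    """Per-app report: package, interesting permissions, embedded libraries."""
    pkg, perms = parse_manifest(manifest_xml)
    return {"package": pkg,
            "interesting": interesting_permissions(perms),
            "libraries": sorted(embedded_libraries(pkg, class_names))}


def corpus_stats(reports):
    """Aggregate per-app reports the way slides 24 and 25 do: share of apps
    requesting each interesting permission, and library buckets by app count."""
    n = len(reports)
    perm_counts = Counter(lab for r in reports for lab in r["interesting"])
    lib_counts = Counter(lib for r in reports for lib in r["libraries"])
    return {"apps": n,
            "permissions": {lab: (c, round(100.0 * c / n, 1))
                            for lab, c in perm_counts.items()},
            "libraries": dict(lib_counts.most_common())}


def _manifest(pkg, perms):
    """Minimal manifest text for the constructed sample apps below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">%s</manifest>'
            % (ANDROID_NS, pkg, uses))


# Constructed sample corpus: (manifest text, class names found in the dex).
SAMPLE_APPS = [
    (_manifest("com.example.radio", ["android.permission.INTERNET",
                                     "android.permission.ACCESS_FINE_LOCATION",
                                     "android.permission.READ_PHONE_STATE"]),
     ["com.example.radio.Player", "com.admob.android.ads.AdView",
      "com.flurry.android.FlurryAgent", "org.apache.http.client.HttpClient"]),
    (_manifest("com.example.birds", ["android.permission.INTERNET",
                                     "android.permission.VIBRATE"]),
     ["com.example.birds.Game", "com.admob.android.ads.AdView"]),
    (_manifest("com.example.texter", ["android.permission.SEND_SMS",
                                      "android.permission.READ_SMS",
                                      "android.permission.READ_CONTACTS"]),
     ["com.example.texter.Main", "com.google.ads.AdRequest"]),
    (_manifest("com.example.notes", []), ["com.example.notes.Editor"]),
]


def sample_report():
    """Corpus statistics for the constructed sample."""
    return corpus_stats([triage(m, classes) for m, classes in SAMPLE_APPS])


if __name__ == "__main__":
    for m, classes in SAMPLE_APPS:
        print(triage(m, classes))
    print(sample_report())
```

The per-app report is the thing to read alongside the permission prompt: an app whose own code never touches location but that embeds an ad library is exactly the Pandora pattern on slide 23, and the corpus view shows which library a single fix would propagate to.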

Editor's Notes

  1. Tyler Shields, Senior Researcher at Veracode. Day-to-day responsibilities. Going to talk about Social, Mobile, and Cloud: how they are changing security today, and how you can stay ahead of the curve.
  2. Facebook's Twitter feed, Britney's, USA TODAY, the Dalai Lama. They have all had the same issue.. What is it?
  3. All been hacked. Used for practical jokes, spam, or malware. Only a sample set on this page. Funny comments and posts.. go Google them. We now know the potential outcome. Let's talk big picture.
  4. Social Networking. First companies that come to mind: Facebook, LinkedIn, Twitter, and possibly MySpace. That's about it. Big subscriber counts, big name recognition. Owners of sites have tough decisions.. like which private jet do I fly around in today. I assert: small selection. Much larger than just a few web properties. Expand the picture a bit. Looks a little better: YouTube, Blogger.com, Apple's Ping, FourSquare, Vimeo, Google. A much more realistic picture. I assert: much more than this. THIS is social networking reality. It's not about websites. It's not about mobile apps. Social networking is a paradigm shift. Less about individual isolated avenues for people to socialize, more about adding a social aspect to every piece of technology and modern innovation. First step: the social networking sites. Second step: mobile devices (mobility). Step three: cloud. Add them together and get ubiquity. Becoming a core component of any successful Internet innovation.
  5. Talk mobile computing. When I say mobile computing this is what people think about. Maybe add some BlackBerry, WinMo, others. This is also wrong. Not how I think about mobility. Mobility is movement; it's not a single device or set of devices. Mobile computing is…
  6. THIS! You can't see it. Mobile computing is: ubiquitous, everywhere, mobile. Enumerate some devices: phones, cars, laptops, tablets, home automation, physical security communication. The future of mobile is ubiquitous computing, and the only way to get there is the cloud…
  7. Ahh the cloud.. Today: store a few files, music, data, photos. Tomorrow: on-demand knowledge, quick and detailed answers, storage of anything 1/0. Convergence is inevitable.
  8. Quote old Dylan song: “The Times They Are A-Changin'…” Rapidly leaving behind the norm, moving into the age of Star Trek. How does this impact security? What are our currently held beliefs that are no longer true? Just as social/mobile/cloud is fundamentally changing business, we must change as security practitioners to continue to safeguard our companies.
  9. You have a firewall. Maybe even a few of them. You've segmented your network into trust zones. Metaphorically locked all your doors and windows. You must be secure, right? Wrong. The perimeter is dead.
  10. Completely dead. Six feet under and not coming back for Halloween DEAD! The external firewall concept protecting from attackers is toast. The perimeter has shrunk to the point that it sits on each individual device, due to mobility, the cloud, and social networking. Mobility has taken our devices and made them smaller, lighter, and more nimble. Along with that they have become decentralized. Devices are fully mobile. Data is now fully mobile. Add in cloud: even without mobility we no longer have our own data. Photos on a personal server: GONE. Going away is editing and storing of documents locally. We're moving all this data into the cloud. We have service providers that host all of our photos (Flickr). We have service providers that hold all of our personal documents (Dropbox, our online bank, etc.). Even corporations are moving data rapidly into the cloud. Lower TCO, a good business reason. It just makes sense. Finally add to this social networking: personal thoughts, questions, ideas, shared on Facebook for the world to see. Security has become, and will continue to be, data centric. We must look at the location of our sensitive data. How do we secure it wherever it lives? This is the reality of today's interconnected, highly social, Internet world.
  11. Another fallacy of the new security paradigm… Malware is for PCs. This is also wrong. Not only is malware NOT only for PCs (there is proof of this), it's BETTER suited to the new paradigm than the old.
  12. The rate of adoption of ideas is VERY HIGH. Viral adoption is the core issue. Previous to the new paradigm: rate limited; spread through wires, physical networks, email via address books, etc. Worms only really began with the adoption of address books and contact lists. The more interconnected we get, the faster the possible viral adoption rates, the faster the malicious activity, and the faster someone can monetize the attacks. Power nodes: malware will appear to come from a trusted source. The new paradigm is the perfect breeding ground.
  13. What makes a good malware distribution system? Decentralized: less chance of shutdown. High interconnection: faster propagation. Mobility: jump network gaps and air gaps, spread quicker. As close to sensitive data as possible: monetize. Social networks do exactly this. Social network designs are decentralized, highly interconnected, and mobile while allowing super fast content publication and communications. My ideal malware distribution system is decentralized, highly interconnected, mobile, and gets me close to sensitive data. This sounds like a GREAT fit for an attacker.
  14. Example in the wild: Koobface (anagram of Facebook). Propagates via Facebook messages to your friends list and periodic wall postings. Social engineering: an “update for Adobe Flash”; install = infect. Payload: pay-per-install malware, operated inside a botnet. Profit: 2 million dollars from 6/09 to 6/10 alone. Large number of variants; the monetary estimate is low. Social networking malware can be very financially lucrative.
  15. Another fallacy: I know exactly where all my data lives. Sure it's safe in the cloud. You might think you know, but you really don't. What proof do you have that it is safe in the cloud? How many players are really touching your data? All great questions…
  16. Look at the path data might take. It might start on the office central server. You saw me speak and know that the perimeter is dead, so you secure the host at the data layer. This is great. But some of your data resides in the cloud. And that cloud vendor has a sub-vendor that hosts the network components. And it also has a sub-vendor for data storage. Oh, and log files are pushed to yet another vendor… Your data is dispersed and decentralized in the cloud.. this is what gives the cloud its power. You've got the sales guy who is mirroring his calendar to Google. The stolen laptop full of sensitive data. The lost iPhone. The travelling worker who uses his home machine to work late hours; he gets owned. Indirect dropping of sensitive data on Facebook by chatty employees. Or using Google Docs to share data with a client or remote worker. The new age: distributed, decentralized, QUICK, POWERFUL. It brings DIFFERENT risks.
  17. Even if you know where your data is, there is another point to protect. Twitter was owned twice in 2009. Full ownership of the system: abuse any account, read private messages, hijack accounts. Both cases were password abuse issues. First: a brute force password script; “Happiness” was the password; an admin account, chosen based on node centrality. Second: a French hacker; a password reset and secret questions attack gains control of the Yahoo email of a targeted user; he resets the user's Twitter account; the administrative interface was available. What failed: why was administrative content available externally? Why was an admin using a Yahoo account for password reset? Easy to guess passwords. Resulted in the potential compromise of EVERY user's data on the site.
  18. A second example: this time it wasn't even an attacker; the service provider blew it. Dropbox holds a large quantity of user data. They pushed an update to production that broke authentication. Anyone could log in as anyone for four hours. What could YOU do with four hours of every user's data?
  19. OK, done picking on cloud.. let's pick on applications.. If we secure at the data layer, the first thing that touches data is applications. So obviously we have to be sure that our applications are safe. I'm going to use mobile as an example, but it's ALL applications, not just mobile, that have these issues. Besides.. in the mobile world permissions keep me safe. Do you know what your code does? Code you write? Code you buy? Code you outsource?
  20. The primary reason you don't know what your code does is this: your code really isn't yours. It's reused. It's outsourced to foreign developers. Sometimes it is given back to you as source, which usually doesn't get audited, or given back to you in binary-only format, which very likely doesn't get audited. You embed third-party libraries into your code, sometimes with source, sometimes not.. and you assume that it's safe and should just work. And the truly scary thing: your vendors and outsourcers don't know what their code does either. You might outsource to a firm to develop something for you…. They reuse code, they outsource, they use third-party libraries… And rarely is any of this tested for security or completely code reviewed. So what's the corollary to this.. we have permissions that will save us, right? At least in the mobile world we do, right?
  21. A slightly older list of permissions for Android. With this many permissions, how does an end user ever know what he's allowing to occur? Does the average consumer know what SIGNAL_PERSISTENT_PROCESSES does? How about INJECT_EVENTS? BRICK?! I don't even know what BRICK does and I do mobile research! The way we have implemented permissions is fundamentally broken as a security mechanism. Asking the user will never result in the right answer. A quote from Bruce Schneier: “Given the option of dancing pigs or security, users will take dancing pigs every time!” And he's right!
  22. What is the reality of applications? People run them. They don't analyze them. They don't secure them. Applications are purchased not because they are secure, but because they serve a purpose for us. They provide a service. People don't want hurdles to this service. Permissions?! Yeah sure whatever.. just let me fling birds at pigs! People don't want to be bothered with checking the appropriateness of the permissions of an app. This goes for mobile for sure. And on non-mobile platforms, many times we don't even have this option. Trojan horses and spyware are all over the PC space. No real permissions model in the PC space with regards to some resources. You want to see my location?! Sure, go ahead. You want to look at my contact lists? Whatever.. time to fling birds at pigs. You want to steal all my SMS messages.. sure.. CLICK GO! This is what people do.. actively.. in real time… ALL THE TIME!
  23. Let's talk about a real case study… April 5th 2011: WSJ breaks the story that NJ federal prosecutors are investigating Pandora for illegally obtaining and distributing personal private information to third-party advertising groups. Allegations: gathering GPS location, device identifiers, gender, user age, etc. without notice to the end user. 101 apps tested by WSJ: 47 sent location off the device, 56 sent a unique ID off the device. So I broke apart Pandora and analyzed it to determine what it was sending out. Five advertising libraries were embedded in the application. Some of the advertising libraries were indeed accessing private data (GPS, unique ID, etc.) and sending it to the ad networks. We released a blog post on the findings. Tons of media attention. Some researchers pointed out that Pandora didn't have application permissions for GPS. They were right. Since we knew it was a third-party library I did some Googling. Found a partial client list for AdMob, one of the libraries in question. Looked through the Android marketplace for apps that had GPS enabled that were on the customer list. Grabbed just a couple: CBS News and TV.COM. Found the same code. Published a follow-on blog posting. Pandora removed (or claimed they were going to remove) the offending ad libraries from their app. WINNING! Later research by Praetorian had some interesting findings.
  24. By now, this slide is going to feel a bit old. It's the same thing that's been said for a while now regarding passwords and the overall concept of passwords. Namely, passwords STINK! There really isn't any other way to put it. And these horrible passwords are what is leading to a significant number of compromises in the social media world. In 2009, a major online property was breached, which led to the disclosure of 32 million passwords. The compromised passwords were then analyzed by the security company Imperva, and these are the highlights. 30% of all passwords were under 6 characters. 60% of the passwords were basic alphanumeric in nature. And half of them were what is considered “easily guessed” by brute force dictionary-style attacks. This isn't the only place where these types of user mistakes have occurred. Similar numbers were observed in the LulzSec data dumps of the last 12 months. People don't choose strong passwords. It'll never happen. This isn't only a user problem. Take for example secret questions. Paris Hilton's phone and Sarah Palin's email account were both hacked due to easily guessed secret questions. With the ubiquity of social networking, the personal information that is commonly used in these so-called “secret questions” is easily data mined by a determined attacker. Scarlett Johansson's naked pictures, Christina Aguilera's and Mila Kunis's email accounts, along with those of up to fifty other celebrities, were recently hacked. Just yesterday they arrested the man that attacked these accounts. In nearly every case the attacker used what is being termed “open source information” about the celebrities to break in through the password reset feature of the account. Also, in the last year we've seen a big uptick in SQL injection style attacks, and in these attacks a number of the companies weren't storing their users' passwords with any reasonable protection such as salted hashing. Additionally, most people reuse passwords from site to site. This is a huge mistake. Once a large data breach has occurred and your password is compromised, it's trivial for attackers to continue to leverage this data trove for further intrusions.
  25. If you wouldn't yell it from the rooftops, don't post it on the Internet. The Internet, and especially social media, is permanent. Anything that hits the Internet can and will be there forever. If you wouldn't broadcast your comment on the radio or put your photo on the television for the world to see.. it has no place on social media and the Internet. If you live by this golden rule… you should be just fine.
  26. In closing: Mobile + Social + Cloud equals what… A New Security Paradigm. So in the words of the immortal Steve Jobs.. let's try to “Think Different”. Thank you.
  27. My email address is tshields@veracode.com and my Twitter is @txs. Feel free to reach me at either of those places. Any questions?!
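As an added example, not from the deck: the classifier below reproduces, on a constructed sample, the three measures quoted on slide 27 and in note 24 (under six characters, alphanumeric-only, easily guessed) and adds the password-reuse check the slide asks about, by matching the same username and password across several leaked dumps. The dump rows and the tiny wordlist are constructed; a real audit would use a full wordlist and the actual breach data, and identical passwords under different usernames would need a separate join, on e-mail address for instance.

```python
"""Added example: the slide-27 password measures plus a cross-site reuse
check, run over a constructed sample of leaked (site, user, password) rows."""
import re
from collections import defaultdict

# Stand-in for a real wordlist (constructed; use a full one in practice).
DICTIONARY = {"password", "happiness", "iloveyou", "monkey", "dragon",
              "letmein", "welcome", "sunshine", "princess", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_short(pw):
    """Under six characters."""
    return len(pw) < 6


def is_alnum_only(pw):
    """Drawn only from the basic alphanumeric key set."""
    return re.fullmatch(r"[A-Za-z0-9]+", pw) is not None


def is_digit_run(pw):
    """All digits, each one step up or down from the previous (1234, 6543)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_trivial(pw):
    """The 'easily guessed' class: a dictionary word (with up to four trailing
    digits), a keyboard walk, one repeated character, or a digit run."""
    core = re.sub(r"\d{1,4}$", "", pw).lower()
    if core in DICTIONARY:
        return True
    if len(core) >= 4 and any(core in row for row in KEYBOARD_ROWS):
        return True
    if len(set(pw)) == 1:
        return True
    return is_digit_run(pw)


def audit(records):
    """records: iterable of (site, username, password) rows from leaked dumps.
    Returns the three percentages from slide 27 and the users whose identical
    password shows up on more than one site (matched on username only)."""
    rows = list(records)
    if not rows:
        raise ValueError("no records to audit")
    n = len(rows)

    def pct(flag):
        return round(100.0 * sum(1 for _, _, pw in rows if flag(pw)) / n, 1)

    sites_for = defaultdict(set)
    for site, user, pw in rows:
        sites_for[(user, pw)].add(site)
    reuse = {user: sorted(sites) for (user, _), sites in sites_for.items()
             if len(sites) > 1}
    return {"count": n,
            "short_pct": pct(is_short),
            "alnum_only_pct": pct(is_alnum_only),
            "trivial_pct": pct(is_trivial),
            "reused_across_sites": reuse}


# Constructed sample dump rows (not real breach data).
SAMPLE_RECORDS = [
    ("siteA", "alice", "123456"),
    ("siteA", "bob", "password"),
    ("siteA", "carol", "Tr0ub4dor&3"),
    ("siteA", "dave", "abc12"),
    ("siteB", "alice", "123456"),
    ("siteB", "bob", "Bob!2011"),
    ("siteB", "erin", "happiness"),
    ("siteC", "carol", "Tr0ub4dor&3"),
    ("siteC", "grace", "qwerty1"),
    ("siteC", "heidi", "1234"),
]


def sample_audit():
    """Audit of the constructed sample."""
    return audit(SAMPLE_RECORDS)


if __name__ == "__main__":
    print(sample_audit())
```

Note that a strong password reused on two sites (carol's) is reported just as a weak reused one is: once either site leaks it in the clear, its strength no longer matters, which is the slide's last point.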