David Rogers, Copper Horse Solutions Ltd.
DARK CLOUDS AND RAINY DAYS, THE BAD SIDE OF CLOUD COMPUTING
CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM


  Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
ABOUT ME
   12 years in the mobile industry
   Hardware and software background
   Head of Product Security at Panasonic Mobile
        Worked with industry and government on IMEI and SIMlock security
        Pioneered some early work in mobile phone forensics
        Brought industry together on security information sharing
   Director of External Relations at OMTP
        Programme Manager for advanced hardware security tasks
        Chair of Incident Handling task
   Head of Security and Chair of Security Group at WAC
   Owner and Director at Copper Horse Solutions
ABOUT COPPER HORSE SOLUTIONS LTD

   Established in 2011
   Software and security company
        Focused on the mobile phone industry
   Services:
        Mobile phone security consultancy
        Industry expertise
        Standards representation
        Mobile application development
   http://www.copperhorsesolutions.com

WHAT I WILL TALK ABOUT

   Dark Clouds and Rainy Days – the dark side of cloud computing
      Thin air – issues around device theft and tampering
      Condensation – how much data is left on the device?
      The problem with web apps
      Slurping data, not coffee – insecure networks
      How much do you trust your cloud provider?


THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING




Image: 416style
DEVICES – LOST AND STOLEN
   Large numbers of devices are lost or stolen on a daily basis
        iPhone prototypes – 2 left in bars
   UK – National Mobile Phone Crime Unit
   IMEI blocking
        Window between theft and blocking
        Same problem with lock and wipe services
   NMPR – National Mobile Property Register
        Allows stolen / lost items to be returned to right owner
        www.immobilise.com
   EIRs and the CEIR
        Lots of stolen phones are exported but not blocked
   Users do not protect access to their devices
        Barrier to usability
        Most cloud services have authentication tokens – non-password access (see also FaceNiff)
        Need to be told the basics: http://www.carphonewarehouse.com/security
   Smartphone hacking is a major target right now
        Hardware (SIMlock and IMEI) hacking has been going on for years
CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?




DATA RESIDUE ISSUES
   Devices move around:
        Phone recycling companies
        Phones left in drawers / thrown in bins
        Phones passed onto another employee
        Service returns and refurbishment issues
               Repeated attacks on celebrities
               Repeated mistakes in data clearing
   Lots of “cloud” access data available
        Browser data cache / local storage
        Credentials for network APIs and services stored on device (not in secure hardware)
        Users storing passwords insecurely on local machines
        Apps / browsers providing “no-login” functionality
   Note: These are all still issues in the non-‘cloud’ world!
THE PROBLEM WITH WEB APPLICATIONS




Image: Clearly Ambiguous
THE PROBLEM WITH WEBAPPS
   Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps.
   Everyone is jumping on HTML5 but there will be hidden security issues
   Ultimately there needs to be some form of local usage
        HTML5 Cache, offline mechanisms still immature
        No access to trusted hardware on device
   Everything is transferred over a network
        Even if you don’t want it to be
   Existing protection is weak
        Web foundations are not secure (see later)
        No such thing as a “secure web runtime”
   In-app billing and other network APIs offer great fraud / attack potential
        Targets will be identity and payment
   Future: Device APIs & M2M
        How to sync data without compromising users
        How to control access
        Public safety aspects – web for safety critical applications?!
RELIANCE ON CONNECTIVITY
   Network access is not ubiquitous
        Extremely poor wireless connections in rural areas (even in developed countries)
   There is always an ‘offline’ scenario for users, but few technical solutions for offline web




Image: John Leach
SLURPING DATA, NOT COFFEE – INSECURE NETWORKS




Image: Thomas Dwyer (on a break from flickr)
SLURPING DATA, NOT COFFEE
   Incidents in internet cafes and airports, libraries
        Very widespread
        Expensive roaming costs push users onto WiFi
   Fake WiFi Networks
        Low hanging fruit
        Temptation, temptation – open and free!
   Recent attack demonstration of stealing data while charging phone at a charge booth
   Femtocells
        Recent hacker interest in femtocells (base stations in people’s houses)
        Can capture and break traffic
        What about metrocells?
FACENIFF AND FIRESHEEP
   MITM attack captures authentication cookies
   Even on encrypted WiFi networks
        Traffic is routed through attack device
   Techniques available for years – made much easier by these kinds of tools
   Companies still not using SSL
        Mobile version of Facebook page has to be manually set as https by the user – most users cannot do this
   Many phone applications send data in the clear
        Google and Facebook have both been guilty of this

Image: http://www.geekword.net
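The cookie capture this slide describes works because the session cookie travels over a plaintext hop without the Secure attribute, and because the site never tells the browser to insist on HTTPS. The audit below is an added example, not code from the talk or from any of the companies named: it parses the Set-Cookie headers of a response, reports cookies that lack Secure or HttpOnly, and reports a response that is served over plain HTTP or over HTTPS without a Strict-Transport-Security header. The two header sets are constructed sample responses, one weak and one hardened.

```python
"""Audit HTTP response headers for the cookie-exposure conditions on the slide.

Added example (not from the slides). The sample headers below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cookie: str        # cookie name, or "<response>" for response-level problems
    problems: list     # human-readable list of what is wrong


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {attribute_lower: value}).

    Flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_response(scheme, headers):
    """Return Findings for a response given its URL scheme and (name, value) headers.

    scheme is "http" or "https". A cookie set over plain HTTP is readable by
    anyone on the path; a cookie without Secure will be resent over plain HTTP
    later; without HSTS a user who types the bare hostname starts in plaintext.
    """
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if scheme != "https":
        findings.append(Finding("<response>", ["served over plaintext HTTP"]))
    elif not has_hsts:
        findings.append(Finding("<response>", ["no Strict-Transport-Security header"]))

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if problems:
            findings.append(Finding(cookie, problems))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Content-Type", "text/html"),
]
HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for label, scheme, hdrs in (("weak", "http", WEAK_HEADERS),
                                ("hardened", "https", HARDENED_HEADERS)):
        print(label, audit_response(scheme, hdrs) or "OK")
```

The HSTS check is what removes the "user has to set https manually" problem from the slide: once the browser has seen the header it upgrades the mobile site's URL itself. The Secure attribute is the check that matters for the cookie-sniffing tools named in the title, because without it the browser will happily resend the session cookie the first time the page is reached over plain HTTP.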
HIDDEN NEAR A CAFÉ IN YOUR AREA…




                                                                        Image: http://cheezburger.com/View/1608846080
HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER?




Image: Caza_No_7
TRUST IN CLOUD PROVIDERS (1)

   Poor security techniques employed
      Phone hacking scandal
      No user notification of accesses from other machines / times
      Previous data issues – e.g. T-Mobile, Paris Hilton etc.
      Password reminders have compromised online email accounts e.g. Sarah Palin
      Facebook dragged into providing privacy protection for users
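The "no user notification of accesses from other machines / times" point is a detection problem a provider can solve cheaply. The code below is an added example, not from the talk or any provider named on the slide: it walks a sequence of login records in order, learns each user's known devices and usual hours, and, once a user has enough history, flags a login from an unseen device or at an hour far from anything seen before. The login records, user names and device identifiers are constructed.

```python
"""Flag logins from a new device or at an unusual hour for the user.

Added example (not from the slides). Records are constructed sample data.
"""
from collections import defaultdict

# Constructed login records (user, device_id, hour_of_day_utc), in time order.
SAMPLE_LOGINS = [
    ("alice", "dev-a1", 9),
    ("alice", "dev-a1", 10),
    ("alice", "dev-a1", 11),
    ("alice", "dev-zz", 3),    # unseen device, hour far from her usual ones
    ("bob", "dev-b7", 8),
    ("bob", "dev-b7", 23),     # too little history on bob to judge yet
]


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_anomalies(records, hour_tolerance=2, min_history=3):
    """Return (user, device, hour, reasons) for logins worth notifying the user about.

    Each record is compared only with the user's earlier records, so the
    function can run over a live stream as well as a stored log. Users with
    fewer than min_history prior logins are learned silently to avoid alerting
    on every login of a new account.
    """
    seen_devices = defaultdict(set)
    seen_hours = defaultdict(set)
    history = defaultdict(int)
    alerts = []
    for user, device, hour in records:
        if history[user] >= min_history:
            reasons = []
            if device not in seen_devices[user]:
                reasons.append("new device %s" % device)
            if all(hour_distance(hour, h) > hour_tolerance for h in seen_hours[user]):
                reasons.append("unusual hour %02d:00 UTC" % hour)
            if reasons:
                alerts.append((user, device, hour, reasons))
        seen_devices[user].add(device)
        seen_hours[user].add(hour)
        history[user] += 1
    return alerts


if __name__ == "__main__":
    for user, device, hour, reasons in detect_anomalies(SAMPLE_LOGINS):
        print("notify %s: login from %s at %02d:00 UTC (%s)"
              % (user, device, hour, "; ".join(reasons)))
```

A real deployment would key devices on a cookie or token issued at first login rather than a self-reported identifier, and would send the notification out of band (e-mail or SMS) so that the person who just logged in cannot suppress it.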
TRUST IN CLOUD PROVIDERS (2)
   Who does your cloud provider trust?
      Who are their suppliers?
      What technology are they using?
      RSA – targeted cyber attack
         SecurID keys being replaced in many organisations
      DigiNotar – fake (genuine) SSL certificates
         Compromised Google Docs, Gmail and lots of other services
         Shows how fragile the whole foundations of the ‘secure’ web are
      19th September (Monday) – BEAST attack against SSL
         Can decrypt PayPal cookies

VIRTUALISATION
 Platform agnostic dream
 Does virtualisation on mobile handsets really bring extra security?
      It offers a solution to companies wanting to own parts of a device e.g. for corporate policy management
      It brings new (unknown) security risks
         Immature products on mobile
      Mobile market is still very fragmented
      Same issues if the device is lost or stolen

TECHNICAL OUTAGES
         “for a currently unknown reason, the update did not work correctly”
         Microsoft response to DNS issue, September 2011

   Unforeseen technical outages:
        Google: Google Docs down for hours
        Microsoft: DNS issue during maintenance

   http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html
TARGETED HACKTIVISM
   Attacks on Amazon by Anonymous – unrelated to most users’ services
        DDoS attack failed – Amazon’s servers were capable of handling the demand
        Companies like Mastercard did not fare as well
        Collateral damage issue
        Conversely – Amazon’s EC2 cloud capability was used against Sony
   Lulzsec
        Simplistic but devastating attacks
        Difficult to track down
   What groups come next?

   F-Secure’s Mikko Hypponen has called for an international Police Force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/
TARGETED HACKTIVISM (2)
   Anonymous is the direction of hacktivist attacks for various ideals
   Decentralised, no ‘head’
        #opfacebook
        5th November 2011
        Published rationale is Facebook privacy policy




TRUST IN CLOUD PROVIDERS (2)
   At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
   What is the EULA?
   What country is your data being held in?
        What are the data protection and privacy laws?
        Have you got customer data within your business data?
        What happens when something goes wrong?
   Business continuity
        Despite operating agreements, what if a natural disaster happens?
             Might not be the data centre that is affected
             Cable theft is a huge issue
        What about conflict and war?
WHAT THEN?




                                  Image: https://tooze.wordpress.com/tag/singtel/

THE SILVER LINING?
   Not quite silver yet:
        Cloud services do provide a lot of good, but are not a panacea!
        Primary business driver for cloud is cost. Security is a secondary concern
   But:
        Many attacks in the “offline” world can / have been much worse
        Cloud providers and companies are recognising issues
        Users are not accepting bad security / privacy
        Not everything will live in the cloud
                                                                           Image: Nick Coombe

THANKS FOR LISTENING!

   Any questions?

   Contact me: david.rogers@copperhorses.com

   Twitter: @drogersuk

   Blog: http://blog.mobilephonesecurity.org




activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 

Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

  • 1. David Rogers, Copper Horse Solutions Ltd.
    DARK CLOUDS AND RAINY DAYS, THE BAD SIDE OF CLOUD COMPUTING
    CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM
    Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
  • 2. ABOUT ME
    - 12 years in the mobile industry
    - Hardware and software background
    - Head of Product Security at Panasonic Mobile
        - Worked with industry and government on IMEI and SIMlock security
        - Pioneered some early work in mobile phone forensics
        - Brought industry together on security information sharing
    - Director of External Relations at OMTP
        - Programme Manager for advanced hardware security tasks
        - Chair of Incident Handling task
    - Head of Security and Chair of Security Group at WAC
    - Owner and Director at Copper Horse Solutions
  • 3. ABOUT COPPER HORSE SOLUTIONS LTD
    - Established in 2011
    - Software and security company
        - Focused on the mobile phone industry
    - Services:
        - Mobile phone security consultancy
        - Industry expertise
        - Standards representation
        - Mobile application development
    - http://www.copperhorsesolutions.com
  • 4. WHAT I WILL TALK ABOUT
    - Dark Clouds and Rainy Days – the dark side of cloud computing
        - Thin air – issues around device theft and tampering
        - Condensation – how much data is left on the device?
        - The problem with web apps
        - Slurping data, not coffee – insecure networks
        - How much do you trust your cloud provider?
  • 5. THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING
    Image: 416style
  • 6. DEVICES – LOST AND STOLEN
    - Large numbers of devices are lost or stolen on a daily basis
        - iPhone prototypes – 2 left in bars
    - UK – National Mobile Phone Crime Unit
    - IMEI blocking
        - Window between theft and blocking
        - Same problem with lock and wipe services
    - NMPR – National Mobile Property Register
        - Allows stolen / lost items to be returned to the right owner
        - www.immobilise.com
    - EIRs and the CEIR
        - Lots of stolen phones are exported but not blocked
    - Users do not protect access to their devices
        - Barrier to usability
        - Most cloud services have authentication tokens – non-password access (see also FaceNiff)
        - Need to be told the basics: http://www.carphonewarehouse.com/security
    - Smartphone hacking is a major target right now
        - Hardware (SIMlock and IMEI) hacking has been going on for years
  • 7. CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?
  • 8. DATA RESIDUE ISSUES
    - Devices move around:
        - Phone recycling companies
        - Phones left in drawers / thrown in bins
        - Phones passed on to another employee
        - Service returns and refurbishment issues
    - Repeated attacks on celebrities
    - Repeated mistakes in data clearing
    - Lots of “cloud” access data available
        - Browser data cache / local storage
        - Credentials for network APIs and services stored on device (not in secure hardware)
        - Users storing passwords insecurely on local machines
        - Apps / browsers providing “no-login” functionality
    - Note: These are all still issues in the non-‘cloud’ world!!
  • 9. THE PROBLEM WITH WEB APPLICATIONS
    Image: Clearly Ambiguous
  • 10. THE PROBLEM WITH WEBAPPS
    - Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps.
    - Everyone is jumping on HTML5 but there will be hidden security issues
        - Ultimately there needs to be some form of local usage
        - HTML5 Cache, offline mechanisms still immature
        - No access to trusted hardware on device
    - Everything is transferred over a network
        - Even if you don’t want it to be
        - Existing protection is weak
        - Web foundations are not secure (see later)
        - No such thing as a “secure web runtime”
    - In-app billing and other network APIs offer great fraud / attack potential
        - Targets will be identity and payment
    - Future: Device APIs & M2M
        - How to sync data without compromising users
        - How to control access
        - Public safety aspects – web for safety critical applications?!
  • 11. RELIANCE ON CONNECTIVITY
    - Network access is not ubiquitous
        - Extremely poor wireless connections in rural areas (even in developed countries)
    - There is always an ‘offline’ scenario for users, but few technical solutions for offline web
    Image: John Leach
  • 12. SLURPING DATA, NOT COFFEE – INSECURE NETWORKS
    Image: Thomas Dwyer (on a break from flickr)
  • 13. SLURPING DATA, NOT COFFEE
    - Incidents in internet cafes, airports and libraries
        - Very widespread
        - Expensive roaming costs push users onto WiFi
    - Fake WiFi networks
        - Low hanging fruit
        - Temptation, temptation – open and free!
    - Recent attack demonstration of stealing data while charging a phone at a charge booth
    - Femtocells
        - Recent hacker interest in femtocells (base stations in people’s houses)
        - Can capture and break traffic
        - What about metrocells?
  • 14. FACENIFF AND FIRESHEEP
    - MITM attack captures authentication cookies
        - Even on encrypted WiFi networks
        - Traffic is routed through attack device
    - Techniques available for years – made much easier by these kinds of tools
    - Companies still not using SSL
        - Mobile version of Facebook page has to be manually set as https by the user – most users cannot do this
        - Many phone applications send data in the clear
        - Google and Facebook have both been guilty of this
    Image: http://www.geekword.net
  • 15. HIDDEN NEAR A CAFÉ IN YOUR AREA…
    Image: http://cheezburger.com/View/1608846080
  • 16. HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER?
    Image: Caza_No_7
  • 17. TRUST IN CLOUD PROVIDERS (1)
    - Poor security techniques employed
        - Phone hacking scandal
        - No user notification of accesses from other machines / times
    - Previous data issues – e.g. T-Mobile, Paris Hilton etc.
    - Password reminders have compromised online email accounts, e.g. Sarah Palin
    - Facebook dragged into providing privacy protection for users
  • 18. TRUST IN CLOUD PROVIDERS (2)
    - Who does your cloud provider trust?
        - Who are their suppliers?
        - What technology are they using?
    - RSA – targeted cyber attack
        - SecurID keys being replaced in many organisations
    - DigiNotar – fake (genuine) SSL certificates
        - Compromised Google Docs, Gmail and lots of other services
        - Shows how fragile the whole foundations of the ‘secure’ web are
    - 19th September (Monday) – BEAST attack against SSL
        - Can decrypt PayPal cookies
  • 19. VIRTUALISATION
    - Platform agnostic dream
    - Does virtualisation on mobile handsets really bring extra security?
        - It offers a solution to companies wanting to own parts of a device, e.g. for corporate policy management
        - It brings new (unknown) security risks
        - Immature products on mobile
        - Mobile market is still very fragmented
        - Same issues if the device is lost or stolen
  • 20. TECHNICAL OUTAGES
    “for a currently unknown reason, the update did not work correctly” – Microsoft response to DNS issue, September 2011
    - Unforeseen technical outages:
        - Google: Google Docs down for hours
        - Microsoft: DNS issue during maintenance
    http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html
  • 21. TARGETED HACKTIVISM
    - Attacks on Amazon by Anonymous – unrelated to most users’ services
        - DDoS attack failed – Amazon’s servers were capable of handling the demand
        - Companies like Mastercard did not fare as well
        - Collateral damage issue
    - Conversely – Amazon’s EC2 cloud capability was used against Sony
    - LulzSec
        - Simplistic but devastating attacks
        - Difficult to track down
    - What groups come next?
    - F-Secure’s Mikko Hypponen has called for an international Police Force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/
  • 22. TARGETED HACKTIVISM (2)
    - Anonymous is the direction of hacktivist attacks for various ideals
        - Decentralised, no ‘head’
    - #opfacebook
        - 5th November 2011
        - Published rationale is Facebook privacy policy
  • 23. TRUST IN CLOUD PROVIDERS (2)
    - At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
    - What is the EULA?
    - What country is your data being held in?
        - What are the data protection and privacy laws?
    - Have you got customer data within your business data?
    - What happens when something goes wrong?
        - Business continuity
        - Despite operating agreements, what if a natural disaster happens?
        - Might not be the data centre that is affected
        - Cable theft is a huge issue
        - What about conflict and war?
  • 24. WHAT THEN?
    Image: https://tooze.wordpress.com/tag/singtel/
  • 25. THE SILVER LINING?
    - Not quite silver yet:
        - Cloud services do provide a lot of good, but are not a panacea!
        - Primary business driver for cloud is cost. Security is a secondary concern
    - But:
        - Many attacks in the “offline” world can / have been much worse
        - Cloud providers and companies are recognising issues
        - Users are not accepting bad security / privacy
        - Not everything will live in the cloud
    Image: Nick Coombe
  • 26. THANKS FOR LISTENING!
    - Any questions?
    - Contact me: david.rogers@copperhorses.com
    - Twitter: @drogersuk
    - Blog: http://blog.mobilephonesecurity.org
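The FaceNiff/Firesheep slide (slide 14) comes down to one thing a defender can check directly: does the site's session cookie ever travel over plain HTTP, so that an on-path device on shared WiFi can read it? The audit below is an added example, not code from the original deck or its author; the Set-Cookie and HSTS header samples are constructed, and the session-cookie name heuristic is an assumption.

```python
# Added example (not part of the original deck): audit a server's response
# headers for the condition Firesheep/FaceNiff exploited, a session cookie the
# browser would also send over plain http:// and so could be read by an on-path
# device on open or shared WiFi. All header samples here are constructed.
from typing import Dict, List, Tuple

# Heuristic (assumption): cookie names containing these fragments carry a session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into the name and a dict of
    lower-cased attributes (bare flags such as Secure map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per way a session cookie could reach an attacker:
    missing Secure (sent on http://), missing HttpOnly (readable by script)
    and, once per response, missing HSTS (the user would have to type https://
    themselves, which the slide notes most users cannot)."""
    findings: List[str] = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not any(h in cookie["name"].lower() for h in SESSION_HINTS):
            continue  # not a session cookie by our heuristic
        if "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: no Secure flag, also sent on http://")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: no HttpOnly flag, readable by script")
    if not any(f.lower() == "strict-transport-security" for f, _ in headers):
        findings.append("no Strict-Transport-Security, first request may be http://")
    return findings

# Constructed samples: the 2011-style response the tools relied on, and a
# hardened one where the same cookie is only ever sent over TLS.
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/"), ("Content-Type", "text/html")]
HARDENED = [("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs) or ["no findings"])
```

Run against a real site by feeding it the header list from a single HTTPS response; the weak sample produces three findings and the hardened one none.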