dark clouds and rainy days, the bad side of cloud computing

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved.

DARK CLOUDS AND RAINY DAYS, THE BAD SIDE OF CLOUD COMPUTING
CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM
David Rogers, Copper Horse Solutions Ltd.

Upload: david-rogers

Post on 28-Jan-2015

DESCRIPTION

This presentation was given at the Informa Cloud Mobility event in Amsterdam on the 21st of September. As with a lot of things in the technology world, things move quickly and events have superseded a couple of things in the slides. The idea of the presentation was to give an alternative view to the conference. The attendees and presenters struggled even to define "cloud"; a marketing term, which is part of the problem of this topic. Please note, there are no slide notes to this presentation.

TRANSCRIPT

ABOUT ME

- 12 years in the mobile industry
- Hardware and software background
- Head of Product Security at Panasonic Mobile
- Worked with industry and government on IMEI and SIMlock security
- Pioneered some early work in mobile phone forensics
- Brought industry together on security information sharing
- Director of External Relations at OMTP
- Programme Manager for advanced hardware security tasks
- Chair of Incident Handling task
- Head of Security and Chair of Security Group at WAC
- Owner and Director at Copper Horse Solutions

ABOUT COPPER HORSE SOLUTIONS LTD

- Established in 2011
- Software and security company
- Focused on the mobile phone industry
- Services:
  - Mobile phone security consultancy
  - Industry expertise
  - Standards representation
  - Mobile application development

http://www.copperhorsesolutions.com

WHAT I WILL TALK ABOUT

Dark Clouds and Rainy Days – the dark side of cloud computing

- Thin air – issues around device theft and tampering
- Condensation – how much data is left on the device?
- The problem with web apps
- Slurping data, not coffee – insecure networks
- How much do you trust your cloud provider?

THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING

Image: 416style

DEVICES – LOST AND STOLEN

- Large numbers of devices are lost or stolen on a daily basis
  - iPhone prototypes – 2 left in bars
- UK – National Mobile Phone Crime Unit
- IMEI blocking
  - Window between theft and blocking
  - Same problem with lock and wipe services
- NMPR – National Mobile Property Register
  - Allows stolen / lost items to be returned to right owner
  - www.immobilise.com
- EIRs and the CEIR
  - Lots of stolen phones are exported but not blocked
- Users do not protect access to their devices
  - Barrier to usability
  - Most cloud services have authentication tokens – non-password access (see also faceniff)
  - Need to be told the basics: http://www.carphonewarehouse.com/security
- Smartphone hacking is a major target right now
  - Hardware (SIMlock and IMEI) hacking has been going on for years

CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?

DATA RESIDUE ISSUES

- Devices move around:
  - Phone recycling companies
  - Phones left in drawers / thrown in bins
  - Phones passed onto another employee
  - Service returns and refurbishment issues
- Repeated attacks on celebrities
- Repeated mistakes in data clearing
- Lots of “cloud” access data available
  - Browser data cache / local storage
  - Credentials for network APIs and services stored on device (not in secure hardware)
  - Users storing passwords insecurely on local machines
  - Apps / browsers providing “no-login” functionality

Note: These are all still issues in the non ‘cloud’ world!!

THE PROBLEM WITH WEB APPLICATIONS

Image: Clearly Ambiguous

THE PROBLEM WITH WEBAPPS

- Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps
- Everyone is jumping on HTML5 but there will be hidden security issues
- Ultimately there needs to be some form of local usage
  - HTML5 Cache, offline mechanisms still immature
  - No access to trusted hardware on device
- Everything is transferred over a network
  - Even if you don’t want it to be
- Existing protection is weak
  - Web foundations are not secure (see later)
  - No such thing as a “secure web runtime”
- In-app billing and other network APIs offer great fraud / attack potential
  - Targets will be identity and payment
- Future: Device APIs & M2M
  - How to sync data without compromising users
  - How to control access
  - Public safety aspects – web for safety critical applications?!

RELIANCE ON CONNECTIVITY

- Network access is not ubiquitous
  - Extremely poor wireless connections in rural areas (even in developed countries)
- There is always an ‘offline’ scenario for users, but few technical solutions for offline web

Image: John Leach

SLURPING DATA, NOT COFFEE – INSECURE NETWORKS

Image: Thomas Dwyer (on a break from flickr)

SLURPING DATA, NOT COFFEE

- Incidents in internet cafes and airports, libraries
  - Very widespread
  - Expensive roaming costs push users onto WiFi
- Fake WiFi Networks
  - Low hanging fruit
  - Temptation, temptation – open and free!
- Recent attack demonstration of stealing data while charging phone at a charge booth
- Femtocells
  - Recent hacker interest in femtocells (base stations in people’s houses)
  - Can capture and break traffic
  - What about metrocells?

FACENIFF AND FIRESHEEP

- MITM attack captures authentication cookies
  - Even on encrypted WiFi networks
  - Traffic is routed through attack device
- Techniques available for years – made much easier by these kinds of tools
- Companies still not using SSL
  - Mobile version of Facebook page has to be manually set as https by the user – most users cannot do this
- Many phone applications send data in the clear
  - Google and Facebook have both been guilty of this

Image: http://www.geekword.net
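
An added example, not part of the original slides: a server-side check for the exposure this slide describes, where a login's authentication cookie can be read by anyone on the network path. The cookie names, host names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical names treated as authentication cookies (an assumption of this example).
AUTH_COOKIE_NAMES = {"sid", "session", "auth_token"}

# Constructed sample responses: (URL fetched, response headers as a list of pairs).
SAMPLES = [
    ("http://m.example.test/login",
     [("Set-Cookie", "sid=8f2c; Path=/; HttpOnly")]),
    ("https://m.example.test/login",
     [("Set-Cookie", "sid=8f2c; Path=/; HttpOnly"),
      ("Set-Cookie", "lang=en; Path=/")]),
    ("https://app.example.test/login",
     [("Set-Cookie", "auth_token=41ab; Path=/; Secure; HttpOnly"),
      ("Strict-Transport-Security", "max-age=31536000")]),
]

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    pair, *attrs = [part.strip() for part in value.split(";")]
    name = pair.partition("=")[0].strip()
    return name, {a.partition("=")[0].strip().lower() for a in attrs if a}

def audit_response(url, headers):
    """List the reasons an on-path listener could capture this login's cookies."""
    https = urlsplit(url).scheme == "https"
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name not in AUTH_COOKIE_NAMES:
            continue  # preference cookies such as "lang" are not credentials
        if not https:
            findings.append(f"{name}: issued over cleartext HTTP")
        elif "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, also sent on http:// requests")
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if https and not has_hsts:
        findings.append("no Strict-Transport-Security header, HTTPS stays opt-in")
    return findings

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "ok")
```
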

HIDDEN NEAR A CAFÉ IN YOUR AREA…

Image: http://cheezburger.com/View/1608846080

HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER?

Image: Caza_No_7

TRUST IN CLOUD PROVIDERS (1)

- Poor security techniques employed
  - Phone hacking scandal
  - No user notification of accesses from other machines / times
- Previous data issues – e.g. T-Mobile, Paris Hilton etc.
- Password reminders have compromised online email accounts e.g. Sarah Palin
- Facebook dragged into providing privacy protection for users

TRUST IN CLOUD PROVIDERS (2)

- Who does your cloud provider trust?
  - Who are their suppliers?
  - What technology are they using?
- RSA – targeted cyber attack
  - SecurID keys being replaced in many organisations
- DigiNotar – Fake (genuine) SSL certificates
  - Compromised Google Docs, Gmail and lots of other services
  - Shows how fragile the whole foundations of the ‘secure’ web are
- 19th September (Monday) – BEAST attack against SSL
  - Can decrypt PayPal cookies

VIRTUALISATION

- Platform agnostic dream
- Does virtualisation on mobile handsets really bring extra security?
  - It offers a solution to companies wanting to own parts of a device e.g. for corporate policy management
  - It brings new (unknown) security risks
  - Immature products on mobile
- Mobile market is still very fragmented
- Same issues if the device is lost or stolen

TECHNICAL OUTAGES

- Unforeseen technical outages:
  - Google: Google Docs down for hours
  - Microsoft: DNS issue during maintenance
  - http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html

“for a currently unknown reason, the update did not work correctly”
Microsoft response to DNS issue, September 2011

TARGETED HACKTIVISM

- Attacks on Amazon by Anonymous – unrelated to most users’ services
  - DDoS attack failed – Amazon's servers were capable of the demand
  - Companies like Mastercard did not fare as well
  - Collateral damage issue
  - Conversely – Amazon’s EC2 cloud capability was used against Sony
- Lulzsec
  - Simplistic but devastating attacks
  - Difficult to track down
- What groups come next?
- F-Secure’s Mikko Hypponen has called for an international Police Force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/

TARGETED HACKTIVISM (2)

- Anonymous is the direction of hacktivist attacks for various ideals
  - Decentralised, no ‘head’
- #opfacebook
  - 5th November 2011
  - Published rationale is Facebook privacy policy

TRUST IN CLOUD PROVIDERS (2)

- At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
- What is the EULA?
- What country is your data being held in?
  - What are the data protection and privacy laws?
- Have you got customer data within your business data?
- What happens when something goes wrong?
- Business continuity
  - Despite operating agreements, what if a natural disaster happens?
  - Might not be the data centre that is affected
  - Cable theft is a huge issue
- What about conflict and war?

WHAT THEN?

Image: https://tooze.wordpress.com/tag/singtel/

THE SILVER LINING?

Image: Nick Coombe

Not quite silver yet:

- Cloud services do provide a lot of good, but are not a panacea!
- Primary business driver for cloud is cost. Security is a secondary concern

But:

- Many attacks in the “offline” world can / have been much worse
- Cloud providers and companies are recognising issues
- Users are not accepting bad security / privacy
- Not everything will live in the cloud

Any questions?

Contact me: [email protected]

Twitter: @drogersuk

Blog: http://blog.mobilephonesecurity.org

THANKS FOR LISTENING!