Basic vulnerabilities associated with most smartphones.

Published in: Education, Technology, Business

  • Which one of these definitions is closer to what a smart phone is? Are we using the right terminology?
  • Only about two years ago, the circled words on this screen were used to describe computers and their capabilities. Do you associate any of these words with your home phone? That is, if you still have one.
  • Does this slide depict the decline of the home computer? Instead of a computer in every home, will we have two, three or maybe more in every household?
  • The smartphone has made information sharing quick, easy and able to be conducted on the run. What about the talking piece? There are no stats on the percentage of time spent TALKING!
  • Based on all the functions available for a smartphone, we really need to treat them as a computer. This is just to illustrate how vulnerable our computers are, and they have been around longer than smartphones. If we have protection measures in place for our computers and we are still having problems with keeping them secure and healthy, are people really aware of the vulnerabilities of smartphones and how to keep them secure?
  • This study shows that people continue to use technology without understanding the risk or vulnerabilities associated with it. These numbers should be a wake-up call for all of us.
  • Assuming that Americans are not that different from our friends in the U.K., let's look at the practices of the U.K. and then consider our numbers from the previous slide. Does 21% seem like a low number? People usually do not admit shortcomings. For example, how many people would admit to not being a good driver?
  • In a snapshot in time on the internet, 90% of all threats detected were after confidential information. With this in mind, is your smartphone protected? 40% of Android users in the US have experienced a malicious link. Do you have personal data on your phone? Or do you use the web to update or post personal data?
  • Contact lists, location data, text messages, Social Networking and banking information are just some of the things stored on or conducted with smartphones. Is this information important to you? How cautious are you with your information?
  • Facebook continues to be a prime source of personal information. It also allows for ease of communication based on your privacy settings. With smartphones, as you see in the slide, bad guys are using this to their advantage. Yes, the bad guys are using the same resources that we do.
  • Like professional angler (fisherman) Fred Arbogast, people who phish on the internet know what lures or bait to use to hook their prey. The bad guys have now set their sights on smartphone users and this type of phishing is now referred to as smishing.
  • Man in the middle attacks leave few clues for people to identify when they have been a victim. No questionable e-mail that the victim has to respond to, no suspicious links clicked on and no noticeable interaction with questionable entities. The only thing you may question is if you used a Wi-Fi hotspot prior to the compromise of whatever you are missing. Question: So what are you doing on your smartphone while on a Wi-Fi hotspot?
  • Over 500,000 cleared by Apple. There are many, many more available and not always for good things.
  • The answer is up to you as the user to decide. While no one system is better than another, it IS important to know your phone and the vulnerabilities specific to the type of phone you have.
  • 30 random apps selected and the results are a bit scary. What did you agree to when you downloaded your apps? The app developers can claim that permission (from the user) was granted, but the reality is that in most cases the app developer never spelled out why it needs access to sensitive information or what will be done with it.
  • Geo-tagging still remains an issue. This has been briefed and discussed in the past and awareness has been raised for the people who already own smartphones. However, new users remain unaware of this vulnerability and do not turn this feature off.
  • This is an example of a low-tech hack on a high-tech piece of equipment. Do we really need to make it this easy for a bad guy?
  • can introduce malicious code to the network, provide an avenue to exfiltrate data from the device, or provide adversaries access to critical unclassified or classified networks
  • Just some of the headlines on smartphones. As the actor Kevin Costner heard in “Field of Dreams”: “If you build it, they will come.” The smartphone was built and the vulnerabilities did come, along with those willing to exploit the weaknesses.
  • Smartphone

    1. Smartphone Necessity or Information Sieve UNCLASSIFIED
    2. The purpose of this brief is to raise awareness of the vulnerabilities associated with smartphones. For the purpose of this brief, when the term smartphone is used, it also includes iPhones and BlackBerrys unless otherwise specified.
    3. Definitions. com·put·er (noun): 1. An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these. tel·e·phone (noun): 1. An apparatus, system, or process for transmission of sound or speech to a distant point, especially by an electric device.
    4. Phone… Really?
    5. The Future: Smartphone sales eclipsed standard cellular phone sales as well as PC sales last year. According to Google, over 200,000 Android smartphones are activated each day. - Ellis Holman
    6. Hello? We are talking about a phone… Right?
    7. Computer health statistics
    8. Security Risk: What is the biggest security risk when it comes to Smartphones? HINT: This risk most likely is the same as internet capable computers or Wi-Fi laptop use. Answer: You… The user. Like most people, when it comes to new technology, we want it and we want it now. We usually start using this technology for all the benefits promised without understanding the vulnerabilities or the security features available.
    9. The Numbers: A study conducted by the Ponemon Institute in concert with AVG Technologies: • 734 random US consumers over age 18 questioned regarding mobile communications behavior. • 89 percent respondents unaware smartphone applications can transmit confidential payment information without the user’s knowledge or consent. • 91 percent respondents unaware financial applications for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials. 29 percent report already storing credit and debit card information on their devices. 35 percent report storing “confidential” work related documents. • 56 percent respondents unaware; failing to properly log off a social network app could allow an imposter to post malicious details or change personal settings.
    10. U.K. National Statistics: • 45 percent of Internet users used a mobile phone to connect to the Internet • 6 million people accessed the Internet over their mobile phone for the first time in the previous 12 months • The use of wireless hotspots almost doubled in the last 12 months to 4.9 million users • 21 per cent of Internet users did not believe their skills were sufficient to protect their personal data • 77 per cent of households had Internet access - Office of National Statistics, “Internet Access - Households and Individuals, 2011”
    11. Malware: • An average of 9 out of every 100 smartphones in use is infected with malware of some type
    12. Definitions. Key Logger: A computer program that records every keystroke made by a computer or smartphone user. The “key-logger” will then send the information to an outside server. This is often used in order to gain fraudulent access to passwords and other confidential information. Worm: A computer worm is a self-replicating malware computer program that can replicate to such an extent as to take up enough bandwidth to cause a denial of service. Virus: A virus is a software program capable of reproducing itself to corrupt and cause major damage to files or other programs. They can spread quickly, infecting other computers or smartphones. Trojan: A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user’s computer system.
    13. Spyware: Software that self-installs on a computer, enabling information to be gathered covertly about a person’s knowledge including: – inbound and outbound texts, emails, and phone calls – Web browsing activity – Information stored on phone – Contacts – Can even turn on the phone’s camera to capture images and video
    14. Information Hemorrhage on the WWW: Web surfing is the primary source of new infections, with attackers relying more and more on customized malicious code toolkits to develop and distribute their threats. 90 percent of all threats detected by Symantec, during a study period, attempted to steal confidential information. - Michael Dinan, TMCnet Editor. Web browsing is becoming a big threat, with 38 percent of Android owners encountering a malicious link — 40 percent if you only consider the United States. - Lookout’s chief technology officer Kevin Mahaffey
    15. Think Before You Click
    16. What’s on Your Phone: "Mobile phones are a huge source of vulnerability. We are definitely seeing an increase in criminal activity." - Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division.
    17. Keeping in Touch: The “Bad Guy” is using the same tools and resources that we (the recreational user) use, and a lot of the time, they know more about the tool. Across the U.S. and beyond, inmates are using social networks and smartphones smuggled into prisons and jails to harass their victims or accusers and intimidate witnesses. In California, home to the nation’s largest inmate population, the corrections department confiscated 12,625 phones in just 10 months this year. - DON THOMPSON, Associated Press, November 2011
    18. Smart Phishing (Smishing) for Smartphones: Emails or text messages offering a free one-year warranty extension for a popular smartphone, links to a company-branded web page. That web page asks for an email address and then smartphone serial number, IMEI number, type of phone, and capacity of phone. Cybercriminals use the information requested on the web page to clone the smartphone.
    19. Man In The Middle (MITM) Attack: The attacker machine forces traffic between the victim’s machines to route through it by sending a false Address Resolution Protocol (ARP) reply to both machines. The attacker can then create new connections and kill existing connections, as well as view and replay anything that is private between the targets’ machines. A testing team has adequately shown that with a mobile laptop in a Wi‐Fi network, it is possible to intercept communications between a smartphone and the Wi‐Fi hotspot. - Smobile Systems
    20. “There’s an APP for that”
    21. Jailbreaking: • Gives the user root level access to the phone • Strips away security measures designed to protect the smartphone • A majority of smartphone malware comes from third party app stores
    22. “Trojanized” Apps: The malicious developer selects popular apps to “trojanize” and delivers malware along with the clean content
    23. Which System is Better?
    24. How You are “Protected”: • Google Bouncer: Scans all uploaded Android Marketplace apps; 40% decrease in potential malicious apps in the marketplace in 2011 • iTunes: Apple authenticates its developers, tests and digitally signs each app before distribution, making malware occurrences rare • App World: Vets applications before distribution and allows user to set permissions for each item within an app separately to give user control
    25. Defensive software: Malware, Anti Virus. March 2012: AV-TEST, an independent IT security institute, has inspected 41 different virus scanners for Android with regard to their detection performance.
    26. What’s in Your App? The most common malicious Android apps contain spyware and (SMS) Trojans that: • collect and send GPS coordinates, contact lists, e-mail addresses etc. to third parties • send Short Message Service (SMS) to premium-rate numbers • subscribe infected phones to premium services • record phone conversations and send them to attackers • take control over the infected phone • download other malware onto infected phones
    27. Some Android Apps Use Personal Data Suspiciously: A study conducted (2010) by Penn State, Duke, and Intel Labs found that 358 apps in the Android Market require Internet permissions, as well as permissions to access location, camera, or audio data. Of those 358, researchers randomly selected 30 apps, including ones for The Weather Channel and BBC News. 15 of the 30 apps reported user locations to remote advertising servers, and seven apps collected the device ID, and sometimes the phone number and SIM card serial number. One app even transmitted phone information every time the phone booted – even if the app has not been used. Overall, two-thirds of the apps used data suspiciously, researchers concluded.
    28. App Security: • Despite increased security in legitimate app marketplaces, malware still comes through • Scrutinize apps before downloading – Do you know the developer? – How long has it been available? – What are the permissions required?
    29. Mobile Banking: • Mobile banking has grown 129% in the last year alone • Android users alone lost more than one million dollars to cyber-thieves in 2011 and the numbers are climbing
    30. Geo-tag: Most smartphones and some cameras made today are equipped with geotags. Geotags are embedded in the picture and use the same concept as GPS.
    31. Physical Consideration: If you leave your phone unattended, lose it or have it stolen, depending on what security features you have set, a Smudge attack can be conducted. The picture illustrates how easy it would be to access this phone. Maintain positive control of your phone and clean the screen after every use if you have a touch screen keypad.
    32. Navy Networks: In October 2010, CTO 10-084 was released prohibiting the connection of unapproved USB mass storage devices to government networks. This includes connecting a smartphone to a DON computer “just to charge it”. Lack of compliance could result in data exfiltration, spillage and the spread of malware.
    33. Smartphone Headlines: • HTC Smartphone Vulnerability Exposes Your Personal Data • Your Smartphone Is Spying on You • Smartphone pictures pose privacy risks • Report Reveals Data Loss as Primary Concern for Smartphone Users • Tens of Millions of Smartphones Come With Spyware Preinstalled, Security Analyst Says • Smartphones evidence a boon for divorce lawyers • Android super smartphones: Too much of a good thing? • Smartphones overtook PC shipments in 2011 • Smartphone scams: Owners warned over malware apps
    34. Recommendations for a More Secure Smartphone: • Never store sensitive data on smart phones • Do not leave phone unattended in public • Enable password protection • Activate the lock-out screen • Update your device regularly, to include anti-virus software • Enable encryption where possible • Do not open suspicious email or click unknown links from unsolicited texts or email • Take precautions to avoid theft and recover from loss • Avoid using smartphones to conduct online financial transactions
    35. Recommendations for a More Secure Smartphone: • Only purchase apps from legitimate marketplaces • Understand the apps you download/use and what data the app accesses • Turn off GPS & Bluetooth when not in use • Disable Geo-tagging • Never “jailbreak” or “root” a smartphone • Keep phone screen clean if using touch screen keypads • Enable “safe mode” to prevent applications from running in the background without permission • Data sanitize your device before redistributing it
    36. Summary: • Computer health statistics • The climb of smartphones • Activities executed on smartphones • Security issues involving smartphones • Application uses and the vulnerabilities • Physical issues involving smartphones • Recommendations for smartphones
    37. YOU Decide!
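
A defender's view of the ARP-based interception described on slide 19, as an added example that is not part of the original deck: it compares two ARP-table snapshots taken on a hotspot client and flags the gateway's IP being rebound to a different MAC address. The `arp -an` style sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two `arp -an` snapshots from a client on a Wi-Fi hotspot.
# IPs and MACs come from ranges reserved for documentation.
BEFORE = """\
? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on wlan0
? (192.0.2.23) at 00:00:5e:00:53:17 [ether] on wlan0
"""
AFTER = """\
? (192.0.2.1) at 00:00:5e:00:53:aa [ether] on wlan0
? (192.0.2.23) at 00:00:5e:00:53:17 [ether] on wlan0
? (192.0.2.40) at 00:00:5e:00:53:aa [ether] on wlan0
"""

ENTRY = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac}; '<incomplete>' entries do not match and are skipped."""
    return {m["ip"]: m["mac"].lower() for m in ENTRY.finditer(text)}


def arp_findings(before, after, gateway):
    """Compare two ARP snapshots and report signs of a forged ARP reply."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    # 1. An IP whose MAC changed between snapshots: a false reply rebinds it.
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            kind = "gateway-rebound" if ip == gateway else "host-rebound"
            findings.append((kind, ip, old[ip], mac))
    # 2. One MAC answering for several IPs, the gateway among them.
    owners = defaultdict(set)
    for ip, mac in new.items():
        owners[mac].add(ip)
    for mac, ips in owners.items():
        if len(ips) > 1 and gateway in ips:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in arp_findings(BEFORE, AFTER, gateway="192.0.2.1"):
        print(finding)
```

A rebound gateway entry can also follow a legitimate router replacement, so treat a finding as a prompt to stop sensitive activity on that network and verify, not as proof of interception.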
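
The permission check recommended on slide 28, using the combination slide 27 describes (Internet access together with location, camera or audio), as an added example that is not from the original deck. The manifest, the package name `com.example.weather` and the function name are constructed; the extra data types in the lookup table are assumptions drawn from slides 26 and 27.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Location, camera and audio are the sources named on slide 27; the remaining
# entries cover data types listed on slides 26 and 27 (an added assumption).
SENSITIVE = {
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_COARSE_LOCATION": "location",
    P + "CAMERA": "camera",
    P + "RECORD_AUDIO": "audio",
    P + "READ_PHONE_STATE": "device identifiers",
    P + "READ_CONTACTS": "contacts",
    P + "SEND_SMS": "SMS sending",
}

# Constructed manifest (decoded XML form) for a hypothetical weather app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Weather"/>
</manifest>"""


def audit_manifest(xml_text):
    """Summarise which sensitive data an app is able to send off the device."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    data = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    has_net = P + "INTERNET" in perms
    return {
        "package": root.get("package"),
        "network": has_net,
        "sensitive_data": data,
        # Internet plus at least one sensitive source: the pairing to question.
        "internet_plus_sensitive": has_net and bool(data),
        # The app can be started at every boot, even if it is never opened.
        "starts_at_boot": P + "RECEIVE_BOOT_COMPLETED" in perms,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Requested permissions show what an app is able to do, not what it does; an app flagged here still needs the questions from slide 28 answered.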