Dark Clouds and Rainy Days, the Bad Side of Cloud Computing


This presentation was given at the Informa Cloud Mobility event in Amsterdam on the 21st of September. As with a lot of things in the technology world, things move quickly and events have superseded a couple of things in the slides. The idea of the presentation was to give an alternative view to the conference. The attendees and presenters struggled even to define "cloud", a marketing term, which is part of the problem with this topic.

Please note, there are no slide notes to this presentation.

Published in: Technology, Business
  1. David Rogers, Copper Horse Solutions Ltd.
     DARK CLOUDS AND RAINY DAYS, THE BAD SIDE OF CLOUD COMPUTING
     CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM
     Copyright © 2011 Copper Horse Solutions Limited. All rights reserved

  2. ABOUT ME
     - 12 years in the mobile industry
     - Hardware and software background
     - Head of Product Security at Panasonic Mobile
       - Worked with industry and government on IMEI and SIMlock security
       - Pioneered some early work in mobile phone forensics
       - Brought industry together on security information sharing
     - Director of External Relations at OMTP
       - Programme Manager for advanced hardware security tasks
       - Chair of Incident Handling task
     - Head of Security and Chair of Security Group at WAC
     - Owner and Director at Copper Horse Solutions

  3. ABOUT COPPER HORSE SOLUTIONS LTD
     - Established in 2011
     - Software and security company
       - Focused on the mobile phone industry
     - Services:
       - Mobile phone security consultancy
       - Industry expertise
       - Standards representation
       - Mobile application development
     - http://www.copperhorsesolutions.com

  4. WHAT I WILL TALK ABOUT
     - Dark Clouds and Rainy Days – the dark side of cloud computing
       - Thin air – issues around device theft and tampering
       - Condensation – how much data is left on the device?
       - The problem with web apps
       - Slurping data, not coffee – insecure networks
       - How much do you trust your cloud provider?

  5. THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING
     Image: 416style

  6. DEVICES – LOST AND STOLEN
     - Large numbers of devices are lost or stolen on a daily basis
       - iPhone prototypes – 2 left in bars
     - UK – National Mobile Phone Crime Unit
     - IMEI blocking
       - Window between theft and blocking
       - Same problem with lock and wipe services
     - NMPR – National Mobile Property Register
       - Allows stolen / lost items to be returned to the right owner
       - www.immobilise.com
     - EIRs and the CEIR
       - Lots of stolen phones are exported but not blocked
     - Users do not protect access to their devices
       - Barrier to usability
       - Most cloud services have authentication tokens – non-password access (see also Faceniff)
       - Need to be told the basics: http://www.carphonewarehouse.com/security
     - Smartphone hacking is a major target right now
       - Hardware (SIMlock and IMEI) hacking has been going on for years

  7. CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?

  8. DATA RESIDUE ISSUES
     - Devices move around:
       - Phone recycling companies
       - Phones left in drawers / thrown in bins
       - Phones passed on to another employee
       - Service returns and refurbishment issues
       - Repeated attacks on celebrities
       - Repeated mistakes in data clearing
     - Lots of “cloud” access data available
       - Browser data cache / local storage
       - Credentials for network APIs and services stored on device (not in secure hardware)
       - Users storing passwords insecurely on local machines
       - Apps / browsers providing “no-login” functionality
     - Note: These are all still issues in the non-‘cloud’ world!!

  9. THE PROBLEM WITH WEB APPLICATIONS
     Image: Clearly Ambiguous

  10. THE PROBLEM WITH WEBAPPS
      - Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps.
      - Everyone is jumping on HTML5 but there will be hidden security issues
      - Ultimately there needs to be some form of local usage
        - HTML5 Cache, offline mechanisms still immature
        - No access to trusted hardware on device
      - Everything is transferred over a network
        - Even if you don’t want it to be
      - Existing protection is weak
        - Web foundations are not secure (see later)
        - No such thing as a “secure web runtime”
      - In-app billing and other network APIs offer great fraud / attack potential
        - Targets will be identity and payment
      - Future: Device APIs & M2M
        - How to sync data without compromising users
        - How to control access
        - Public safety aspects – web for safety critical applications?!

  11. RELIANCE ON CONNECTIVITY
      - Network access is not ubiquitous
        - Extremely poor wireless connections in rural areas (even in developed countries)
      - There is always an ‘offline’ scenario for users, but few technical solutions for offline web
      Image: John Leach

  12. SLURPING DATA, NOT COFFEE – INSECURE NETWORKS
      Image: Thomas Dwyer (on a break from flickr)

  13. SLURPING DATA, NOT COFFEE
      - Incidents in internet cafes and airports, libraries
        - Very widespread
        - Expensive roaming costs push users onto WiFi
      - Fake WiFi networks
        - Low hanging fruit
        - Temptation, temptation – open and free!
      - Recent attack demonstration of stealing data while charging a phone at a charge booth
      - Femtocells
        - Recent hacker interest in femtocells (base stations in people’s houses)
        - Can capture and break traffic
        - What about metrocells?
  14. FACENIFF AND FIRESHEEP
      - MITM attack captures authentication cookies
      - Even on encrypted WiFi networks
      - Traffic is routed through the attack device
      - Techniques available for years – made much easier by these kinds of tools
      - Companies still not using SSL
      - Mobile version of the Facebook page has to be manually set to https by the user – most users cannot do this
      - Many phone applications send data in the clear
      - Google and Facebook have both been guilty of this
      Image: http://www.geekword.net
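The defensive check that follows from this slide is whether a site's session cookies can ever travel over plain HTTP, which is what Faceniff and Firesheep capture. This is an added example, not part of the presentation: it audits a response's Set-Cookie and Strict-Transport-Security headers; the two sample responses are constructed, not captured from any real site.

```python
"""Audit response headers for session-sidejacking exposure (added example).

A session cookie without the Secure attribute is sent on any http:// request,
so a MITM on the WiFi can read it; without HSTS the browser will happily make
such a request. Both sample responses below are constructed.
"""

# Cookie names containing these fragments are treated as session-bearing (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_response(headers):
    """headers: list of (name, value) tuples; Set-Cookie may repeat.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    present = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in present:
        findings.append("no Strict-Transport-Security: browser may fall back to http://")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, _, attrs = parse_set_cookie(value)
        if not any(hint in cookie.lower() for hint in SESSION_HINTS):
            continue  # e.g. a language preference cookie carries no session
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure, cookie will be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly, readable by injected script")
    return findings


# Constructed samples: the weak response beside its hardened form.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Set-Cookie", "lang=en; Path=/")]
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
            ("Set-Cookie", "lang=en; Path=/")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs) or ["ok"])
```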
  15. HIDDEN NEAR A CAFÉ IN YOUR AREA…
      Image: http://cheezburger.com/View/1608846080

  16. HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER?
      Image: Caza_No_7

  17. TRUST IN CLOUD PROVIDERS (1)
      - Poor security techniques employed
        - Phone hacking scandal
        - No user notification of accesses from other machines / times
        - Previous data issues – e.g. T-Mobile, Paris Hilton etc.
        - Password reminders have compromised online email accounts, e.g. Sarah Palin
        - Facebook dragged into providing privacy protection for users

  18. TRUST IN CLOUD PROVIDERS (2)
      - Who does your cloud provider trust?
        - Who are their suppliers?
        - What technology are they using?
        - RSA – targeted cyber attack
          - SecurID keys being replaced in many organisations
        - Diginotar – fake (genuine) SSL certificates
          - Compromised Google Docs, Gmail and lots of other services
          - Shows how fragile the whole foundations of the ‘secure’ web are
        - 19th September (Monday) – BEAST attack against SSL
          - Can decrypt PayPal cookies

  19. VIRTUALISATION
      - Platform agnostic dream
      - Does virtualisation on mobile handsets really bring extra security?
        - It offers a solution to companies wanting to own parts of a device, e.g. for corporate policy management
        - It brings new (unknown) security risks
        - Immature products on mobile
        - Mobile market is still very fragmented
        - Same issues if the device is lost or stolen

  20. TECHNICAL OUTAGES
      “for a currently unknown reason, the update did not work correctly”
      Microsoft response to DNS issue, September 2011
      - Unforeseen technical outages:
        - Google: Google Docs down for hours
        - Microsoft: DNS issue during maintenance
      http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html

  21. TARGETED HACKTIVISM
      - Attacks on Amazon by Anonymous – unrelated to most users’ services
        - DDoS attack failed – Amazon’s servers were capable of handling the demand
        - Companies like Mastercard did not fare as well
        - Collateral damage issue
        - Conversely – Amazon’s EC2 cloud capability was used against Sony
      - LulzSec
        - Simplistic but devastating attacks
        - Difficult to track down
      - What groups come next?
      - F-Secure’s Mikko Hypponen has called for an international police force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/

  22. TARGETED HACKTIVISM (2)
      - Anonymous is the direction of hacktivist attacks for various ideals
      - Decentralised, no ‘head’
        - #opfacebook
          - 5th November 2011
          - Published rationale is Facebook privacy policy

  23. TRUST IN CLOUD PROVIDERS (2)
      - At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
      - What is the EULA?
      - What country is your data being held in?
        - What are the data protection and privacy laws?
        - Have you got customer data within your business data?
        - What happens when something goes wrong?
      - Business continuity
        - Despite operating agreements, what if a natural disaster happens?
        - Might not be the data centre that is affected
        - Cable theft is a huge issue
        - What about conflict and war?

  24. WHAT THEN?
      Image: https://tooze.wordpress.com/tag/singtel/

  25. THE SILVER LINING?
      - Not quite silver yet:
        - Cloud services do provide a lot of good, but are not a panacea!
        - Primary business driver for cloud is cost. Security is a secondary concern
      - But:
        - Many attacks in the “offline” world can be / have been much worse
        - Cloud providers and companies are recognising issues
        - Users are not accepting bad security / privacy
        - Not everything will live in the cloud
      Image: Nick Coombe

  26. THANKS FOR LISTENING!
      Any questions?
      Contact me: david.rogers@copperhorses.com
      Twitter: @drogersuk
      Blog: http://blog.mobilephonesecurity.org