Social and Mobile and Cloud OH MY!
Presented at InnoTech Oklahoma by Tyler Shields on 11-3-2011. All rights reserved.

1. What do these Twitter accounts have in common?
2. They have all been hacked!
3. Social Networking
4. Mobile Computing
5. Mobile Computing
6. The Cloud
7. The Times They Are a-Changin'
8. I'm Secure, I Have a Firewall!
9. Malware Is for PCs!
10. Viral Adoption
   Refers to a system architecture that can be adopted incrementally and gains momentum as it scales.
   http://dl.media.mit.edu/viral/viral.pdf - Viral Communications, Media Laboratory Research Draft, May 19th 2003
11. New Age Malware
   • Decentralized
   • Interconnected
   • Mobile
   • Quick Content Publishing
   • Has Access to Data
12. Koobface
   • Social media worm
   • Propagates via Facebook messages and Facebook wall posts
   • Spams your friend list with a fake "update for Adobe Flash"
   • Installs pay-per-install malware on the target
   • Infected computers operate as a botnet
13. I Know EXACTLY Where All My Data Lives. Sure, It's Safe in the Cloud!
14. The Path Your Data Takes
   (diagram) The Office Central Server - Approved Cloud Vendor - Sub-Cloud Vendor - Sub-Cloud Vendor - The Calendar Mirrored via Google - Google Docs to remote co-worker - Share with co-worker - Laptop stolen at the airport - The lost iPhone - The hacked home PC - Indirect: "Ooops, did I say that on Facebook?!"
15. Own The Borg, Own The WORLD!
   In 2009, Twitter gets COMPLETELY owned... TWICE!
   • A brute-force password attack against a targeted user reveals a password of "Happiness". The user is a Twitter admin... OWNED!
   • A French hacker owns the Yahoo email account of a Twitter user. He then resets that user's Twitter password and reads the reset email in the Yahoo account. The user is a Twitter admin... OWNED!
16. Own The Borg, Own The WORLD!
   6/19/11 1:54 PM: Dropbox pushes code breaking authentication
   6/19/11 5:46 PM: Dropbox pushes a fix for the authentication bug
   What can YOU do with four hours of access to every user's data?!
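The Dropbox timeline above is an authentication regression: a change went out that let logins succeed when they should not have, and it stayed live for about four hours. As an added illustration, not Dropbox's code (the slide does not describe the bug's mechanics), here is a salted-PBKDF2 verifier next to a hypothetical broken variant of the same failure class, plus the negative checks a login path should run in CI so that a regression like this fails a build instead of shipping. Every name and the sample credential are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware budget

StoredCredential = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Salted PBKDF2-HMAC-SHA256 for storage; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(stored: StoredCredential, candidate: str) -> bool:
    """Accept only when the candidate re-derives the stored digest (constant-time compare)."""
    salt, digest = stored
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, candidate_digest)


def broken_verify(stored: StoredCredential, candidate: str) -> bool:
    """Hypothetical regression: the refactor still derives the digest but never compares it,
    so every candidate is accepted. Not Dropbox's actual bug, only the failure class."""
    salt, _digest = stored
    hash_password(candidate, salt)
    return True


def auth_regression_checks(verify: Callable[[StoredCredential, str], bool],
                           stored: StoredCredential, correct: str) -> Dict[str, bool]:
    """Negative tests every login path should pass: only the right password logs in."""
    return {
        "correct_accepted": verify(stored, correct),
        "wrong_rejected": not verify(stored, correct + "x"),
        "empty_rejected": not verify(stored, ""),
        "case_variant_rejected": not verify(stored, correct.swapcase()),
    }


def checks_pass(verify: Callable[[StoredCredential, str], bool],
                stored: StoredCredential, correct: str) -> bool:
    """True only if every check in auth_regression_checks holds."""
    return all(auth_regression_checks(verify, stored, correct).values())


if __name__ == "__main__":
    # Constructed sample credential; in practice the record comes from the user store.
    secret = "correct horse battery staple"
    record = hash_password(secret)
    print("hardened verifier passes:", checks_pass(verify_password, record, secret))
    print("broken verifier passes:  ", checks_pass(broken_verify, record, secret))
```

A suite that only asserts "the right password logs in" passes against broken_verify; the three rejection checks are the assertions that would have caught a deployment like the one on the slide before it reached production.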
17. I Know Exactly What My Code Does! Besides, Application Permissions Keep Me Safe!
18. Code Reuse, Outsourcing, and Third-Party Libraries
   Most code is:
   • Reused
   • Outsourced
   • Third-party libraries (with source)
   • Third-party libraries (binary format)
   Your vendors don't know what their code does either!
20. WSJ Article Discloses NJ Prosecutor's Investigation
   (flowchart) WSJ article discloses NJ prosecutor's investigation -> decompile the Pandora app with JD-GUI -> publish blog post (ad libraries collect location, bearing, altitude, Android ID) -> investigate other applications -> publish second blog post with updated findings regarding permissions and other apps -> Pandora removes ad libraries
21. Here's Some Numbers...
   53,000 applications analyzed
   • Android Market: ~48,000
   • 3rd-party markets: ~5,000
   Permissions requested
   • Average per app: 3
   • Most requested by any one app: 117
   Top "interesting" permissions
   • GPS information: 24% (11,929)
   • Read Contacts: 8% (3,626)
   • Send SMS: 4% (1,693)
   • Receive SMS: 3% (1,262)
   • Record Audio: 2% (1,100)
   • Read SMS: 2% (832)
   • Process Outgoing Calls: 323
   • Use Credentials: 0.5% (248)
22. Here's Some Numbers... Third-Party Libraries
   Total third-party libraries: ~83,000
   Top shared libraries:
   • com.admob              38%  (18,426 apps)
   • org.apache              8%  ( 3,684 apps)
   • com.google.android      6%  ( 2,838 apps)
   • com.google.ads          6%  ( 2,779 apps)
   • com.flurry              6%  ( 2,762 apps)
   • com.mobclix             4%  ( 2,055 apps)
   • com.millennialmedia     4%  ( 1,758 apps)
   • com.facebook            4%  ( 1,707 apps)
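The two slides above report permission frequencies and library-sharing counts across an app corpus. As an added example (not Veracode's tooling or data set), the following shows how such tables are derived from an inventory once permissions have been pulled from each app's AndroidManifest.xml and class names from its dex file. The inventory here is constructed; the INTERESTING labels and KNOWN_LIBRARIES prefixes are taken from the names on the slides; attributing a class to a library by package prefix (longest known prefix, falling back to the first two labels) is an assumption of this example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory: app package -> manifest permissions and dex class names.
SAMPLE_APPS: Dict[str, Dict[str, List[str]]] = {
    "com.example.radio": {
        "permissions": ["android.permission.INTERNET",
                        "android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.READ_PHONE_STATE"],
        "classes": ["com.example.radio.Player",
                    "com.admob.android.ads.AdView",
                    "com.flurry.android.FlurryAgent"],
    },
    "com.example.notes": {
        "permissions": ["android.permission.INTERNET",
                        "android.permission.READ_CONTACTS"],
        "classes": ["com.example.notes.Main",
                    "com.admob.android.ads.AdView",
                    "org.apache.http.client.HttpClient"],
    },
    "com.example.flashlight": {
        "permissions": ["android.permission.INTERNET",
                        "android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.SEND_SMS",
                        "android.permission.RECEIVE_SMS"],
        "classes": ["com.example.flashlight.Light",
                    "com.admob.android.ads.AdView",
                    "com.google.ads.AdRequest"],
    },
    "com.example.game": {"permissions": [], "classes": ["com.example.game.Loop"]},
}

# Android permission -> label as used on the slide.
INTERESTING = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS information",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.SEND_SMS": "Send SMS",
    "android.permission.RECEIVE_SMS": "Receive SMS",
    "android.permission.RECORD_AUDIO": "Record Audio",
    "android.permission.READ_SMS": "Read SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "Process Outgoing Calls",
    "android.permission.USE_CREDENTIALS": "Use Credentials",
}

# Library prefixes from the slide's top-shared list. Longest match wins, so
# com.google.ads and com.google.android stay distinct.
KNOWN_LIBRARIES = ["com.admob", "org.apache", "com.google.android", "com.google.ads",
                   "com.flurry", "com.mobclix", "com.millennialmedia", "com.facebook"]


def library_of(class_name: str, own_package: str) -> Optional[str]:
    """Attribute a class to a third-party library prefix; None for the app's own code."""
    if class_name == own_package or class_name.startswith(own_package + "."):
        return None
    matches = [lib for lib in KNOWN_LIBRARIES if class_name.startswith(lib + ".")]
    if matches:
        return max(matches, key=len)
    return ".".join(class_name.split(".")[:2])  # fallback for unknown libraries


def permission_stats(apps: Dict[str, Dict[str, List[str]]] = SAMPLE_APPS) -> Dict[str, object]:
    """Average and maximum permissions per app, plus app counts per 'interesting' permission."""
    counts = [len(a["permissions"]) for a in apps.values()]
    total = len(apps)
    hits: Counter = Counter()
    for a in apps.values():
        for perm in set(a["permissions"]):  # count each app once per permission
            if perm in INTERESTING:
                hits[INTERESTING[perm]] += 1
    return {
        "apps": total,
        "average": sum(counts) / total,
        "max": max(counts),
        "interesting": {label: (n, round(100 * n / total, 1)) for label, n in hits.most_common()},
    }


def shared_libraries(apps: Dict[str, Dict[str, List[str]]] = SAMPLE_APPS) -> List[Tuple[str, int, float]]:
    """(library prefix, apps shipping it, percent of apps), most shared first."""
    per_lib: Counter = Counter()
    for pkg, a in apps.items():
        libs = set()
        for cls in a["classes"]:
            lib = library_of(cls, pkg)
            if lib is not None:
                libs.add(lib)
        per_lib.update(libs)  # one hit per app, however many classes it ships
    total = len(apps)
    return [(lib, n, round(100 * n / total, 1)) for lib, n in per_lib.most_common()]


if __name__ == "__main__":
    print(permission_stats())
    for lib, n, pct in shared_libraries():
        print(f"{lib:<22} {pct:>5}%  ({n} apps)")
```

Counting each app once per library (a set per app, not per class) is what makes the percentages comparable with the slide's "apps" column; counting classes instead would let a single app that bundles a large library dominate the table.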
23. Of Course It's Secure, It's Got a Password on It!
24. Passwords and Password Reuse
   Passwords STINK!
   • ~30% of passwords are fewer than 6 characters long
   • ~60% come from a limited alphanumeric key set
   • ~50% use names, slang words, dictionary words, trivial passwords, consecutive digits, etc.
   • Not only a user problem
   • Secret questions - bad idea!
   • SQL injection compromises up 43% year over year
     • HBGary, Xfactor, Fox.com, PBS, FBI, Pron.com, ...
     • Sony, Sony, Sony... oh... yeah... SONY!
     • Password reuse?
   http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
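The slide's percentages describe classes of weak passwords and, separately, the reuse problem that turns one site's SQL injection breach into everyone else's account takeover. As an added example (not the author's or the cited article's code), the following classifies passwords into the slide's classes over a constructed sample and flags a password shared across several accounts by comparing hashes rather than plaintext. The wordlists are tiny stand-ins; a real audit uses full leaked-password lists.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List

# Constructed stand-ins for cracking wordlists (a real check loads full leaked-password lists).
DICTIONARY = {"password", "letmein", "welcome", "monkey", "dragon", "happiness", "qwerty"}
NAMES = {"michael", "jennifer", "tyler", "jessica"}


def has_consecutive_digits(pw: str, run: int = 3) -> bool:
    """True for an ascending or descending run of `run` digits, e.g. 123 or 987 (not 111)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def weaknesses(pw: str) -> List[str]:
    """Weak-password classes from the slide that the candidate falls into (empty = none found)."""
    found: List[str] = []
    if len(pw) < 6:
        found.append("shorter than 6 characters")
    if pw.isascii() and pw.isalnum():
        found.append("limited alphanumeric key set")  # letters and digits only, no symbols
    low = pw.lower()
    core = re.sub(r"[^a-z]+$", "", low)  # "monkey123" -> "monkey", so suffixes don't hide the word
    if low in DICTIONARY or core in DICTIONARY:
        found.append("dictionary or slang word")
    if low in NAMES or core in NAMES:
        found.append("name")
    if has_consecutive_digits(pw):
        found.append("consecutive digits")
    return found


def audit(passwords: List[str]) -> Dict[str, float]:
    """Share of the sample in each weak class, like the percentages on the slide."""
    tally: Dict[str, int] = defaultdict(int)
    for pw in passwords:
        for w in set(weaknesses(pw)):
            tally[w] += 1
    n = len(passwords)
    return {w: round(100 * c / n, 1) for w, c in tally.items()}


def reused_across(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Group services that share one password, keyed by SHA-256 of the password so the
    report never has to carry plaintext. Only groups with more than one service are returned."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for service, pw in accounts.items():
        by_hash[hashlib.sha256(pw.encode("utf-8")).hexdigest()].append(service)
    return {h: sorted(s) for h, s in by_hash.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed sample passwords and a constructed set of accounts for one user.
    sample = ["happiness", "Tyler1", "monkey123", "Xk9#fR2!vQ", "abc12345", "qwerty", "pass"]
    for pw in sample:
        print(f"{pw:<12} {weaknesses(pw)}")
    print(audit(sample))
    print(reused_across({"twitter": "happiness", "yahoo": "happiness", "bank": "Xk9#fR2!vQ"}))
```

Stripping the trailing digits before the dictionary lookup is deliberate: "monkey123" is what a user types to satisfy a "must contain a number" rule, and a cracker's rule set tries exactly that mangling first. The reuse check mirrors the slide's Twitter story, where the webmail password and the Twitter password were effectively the same secret.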
25. The Golden Rule
26. The Golden Rule
27. In Summary
   Mobile
   • The perimeter is dead
   • Must secure from the data out
   • Computing will be ubiquitous and hidden
   Social
   • The perfect breeding ground for malware
   • Passwords STINK!
   Cloud
   • The path of data is uncontrollable
   You can't rely on permissions - it just won't work.
   Securing ALL of your code is the only real defense.
28. Mobile + Social + Cloud = A New Security Paradigm. Think Different.
29. Email: tshields@veracode.com   @txs
