Tyler ShieldsSenior Researcher at VeracodeDay-to-day responsibilitieGoing to tak about Social, Mobile, and Cloud-- How they are changing security today--How you can stay ahead of the curve
Facebooks twitter feedBritney’sUSA TODAYDalai LamaThey have all had the same issue.. What is it?
All Been HackedUse for practical jokes, spam, or malwareOnly a sample set on this pageFunny comments and posts.. Go google them.We now potential outcome.Let’s talk big picture
Social Networking--First companies that come to mindFacebook, LinkedIn, Twitter, and possibly MySpaceThat’s about it.Big subscriber countsBig name recognitionOwners of sites have tough decisions.. Like which private jet do I fly around in today.I assert: small selectionMuch larger than just a few web properties.Expand the picture a bitLooks a little better.YouTube, Blogger.com, Apple’s Ping, FourSquare, Vimeo,Google. Amuch more realistic picture I assert: Much more than thisTHIS is social networking realityIt’s not about websitesIt’s not about mobile apps. Social networking is a paradigm shiftLess about individual isolated avenues for people to socializeMore about adding a social aspect to every piece of technology and modern innovation.First steps the social networking sitesSecond steps mobile devices (mobility)Step three, cloud.Add together and get ubiquityBecoming a core component of any successful Internet innovation.
Talk mobile computingWhen I say mobile computing this is what people think aboutMaybe add some Blackberry, WinMo, othersThis is also wrong.Not how I think about mobilityMobility is movement, it’s not a single device or set of devicesMobile Computing is…
THIS!You can’t see it.Mobile computing is:UbiquitousEverywhereMobileEnumerate some devicesPhonesCarsLaptopsTabletsHome AutomationPhysical security communicationThe future of mobile is ubiquitous computingAnd the only way to get there is the cloud…
Ahh the cloud..Today:Store a few filesMusicDataPhotosTomorrow:On demand knowledgeQuick and detailed answersStorage of anything 1/0Convergence is inevitable
Quote old Bylan song:“The Times They Are A Changin…”Rapidly leaving behind the normMoving into the age of Star TrekHow does this impact securityWhat are our currently held beliefs that are no longer trueJust as social/mobile/cloud is fundamentally changing businessWe must change as security practitioners to continue to safeguard our companies
You have a firewallMaybe even a few of themYou’ve segmented your network into trust zonesMetaphorically locked all your doors and windowsYou must be secure, right?Wrong.The perimeter is dead.
Completely dead.Six feet under and not coming back for Halloween DEAD! External firewall concept protecting from attackers is toastThe perimeter has shrunk to the point that it sits on each individual deviceDue to mobility, the cloud, and social networkingMobility has taken our devices and made them smaller, lighter, and more nimble. Along with they have become decentralized. Devices are fully mobile.Data is now fully mobile.Add in cloudEven without mobility we no longer have our own dataPhotos on personal server GONEGoing away is editing and storing of documents locallyWe’re moving all this data into the cloud. We have service providers that hose all of our photos (Flickr)We have service providers that hold all of our personal documents (DropBox, our online bank, etc.). Even corps are moving data rapidly into the cloud.Lower TCO – Good business reasonIt just makes sense. Finally add to this social networkingPersonal thoughtsQuestionsIdeasShared on Facebook for the world to seeSecurity has become, and will continue to be data centric. Must lookat the location of our sensitive dataHow do we secure it wherever is lives.This is the reality of today’s interconnected, highly social, Internet world.
Another fallacy of the new security paradigm…Malware is for PCs.This is also wrong.Not only is malware NOT only for the PCs (there is proof of this)It’s BETTER suited for the new paradigm than the old
Rate of adoption of ideas is VERY HIGHViral adoption is core issuePrevious to new paradigm:Rate limitedSpread through wires, physical networks, email via address books, etc.Worms only really began with the adoption of address books and contact listsThe more interconnected we get, the faster the possible viral adoption ratesAnd the faster the malicious activityAnd the faster someone can monetize the attacksPower NodesMalware will appear to come from a trusted sourceNew paradigm is perfect breeding ground
What makes a good malware distribution system.Decentralized – less chance of shutdownHigh interconnections – Faster propagationMobility to jump network gaps, air gaps, spread quickerClose to sensitive data as possible – MonetizeSocial networks do exactly this. Social networks designs are decentralized, highly interconnected, and mobile while allowing super fast content publication and communications. My ideal malware distribution system is decentralized, highly interconnected, mobile, and gets me close to sensitive data. This sounds like a GREAT fit for an attacker.
Example in the wild.KoobFace. (Anagram for Facebook)Propagates:Facebook messages to your friends listPeriodic wall postingsSocial Engineering:Update for Adobe FlashInstall = InfectPayload:Pay per install malwareOperated inside a botnetProfit:2 million dollars 6/09 – 6/10 aloneLarge number of variantsMonetary estimate is lowSocial networking malware can be very financially lucrative.
Another Fallacy :I know exactly where all my data livesSure it’s safe in the cloudYou might think you knowBut you really don’tWhat proof do you have that it is safe in the cloud?How many players are really touching your data?All great questions…
Look at the path data might takeMight start on the office central server.You saw me speak and know that the perimeter is so you secure the host at the data layer.This is great.But some of your data resides in the cloudAnd that cloud vendor has a sub vendor that hosts the network componentsAnd it also has a sub vendor for data storageOh and log files are pushed to yet another vendor…You data is disperse and decentralized in the cloud.. This is what gives the cloud its powerYou’ve got the sales guy who is mirroring his calendar to GoogleThe stolen laptop full of sensitive dataThe lost iPhoneThe travelling worker who uses his home machine to work late hoursHe gets ownedIndirect dropping of sensitive data on Facebook by chatty employeesOr using Google Docs to share data with a client or remote workerThe new age:DistributedDecentralizedQUICKPOWERFULBrings DIFFERENT risks
Even if you know where you data is:Another point to protectTwitter owned twice since 2009Full ownership of the systemAbuse any accountRead private messagesHijack accountsBoth cases were password abuse issuesFirst: Brute force password scriptHappiness was PWAdmin AccountChose based on node centralitySecond:A French hackerpassword reset and secret questions attack Gains control of Yahoo email for a targeted userReset users twitter accountAdministrative interface availableFailed:Why was administrative content available externallyWas was an admin using a yahoo account for password resetEasy to guess passwordsResulted in the potential compromise of EVERY users data on the site
A second example:This time it wasn’t even an attackerService provider blew itDropbox holds large quantity of user dataPushed an update to productionBroke authenticationAnyone could log in as anyone for four hoursWhat could YOU do with four hours of every users data
OK done picking on cloud.. Let’s pick on applications..If we secure at the data layer, the first thing that touches data is applicationsSo obviously we have to be sure that our applications are safeI’m going to use mobile as an example, but it’s ALL applications, not just mobile that have these issuesBesides.. In the mobile world permissions keep me safeDo you know what your code does?Code you write?Code you buy?Code you outsource?
The primary reason you don’t know what your code does is thisYour code, really isn’t yoursIt’s reusedIt’s outsourced to foreign developersSometimes given back to you as source which usually doesn’t get auditedOr given back to you as binary only format which very likely doesn’t get auditedYou embed third party libraries into your codeSometimes with source, sometimes not.. And you assume that it’s safe and should just workAnd the truly scary thingYou vendors and outsources don’t know what their code does eitherYou might outsource to a firm to develop something for you….They reuse code, they outsource, they use third party libraries…And rarely is any of this tested for security or code completely reviewedSo what's the corollary to this.. We have permissions that will save us right? At least in the mobile world we do right?
A slightly older list of permissions for AndroidWith this many permissions how does an end user ever know what he’s allowing to occurDoes the average consumer know what signal_persistant_processes does?How about inject_events?BRICK?! I don’t even know what BRICK does and I do mobile research!They way we have implemented permissions is fundamentally broken as a security mechanism.Asking the user will never result in the right answer.A quote from Bruce Scheneir: “Given the option of dancing pigs or security, users will take dancing pigs every time!”And he’s right!
What is the reality of applications.People run themThey don’t analyze themThey don’t secure themApplications are purchased not because they are secure, but because they serve a purpose for usThey provide a servicePeople don’t want hurdles to this servicePermissions?! Yeah sure whatever.. Just let me fling birds at pigs!People don’t want to be bothered with checking the appropriateness of the permissions of an appThis goes for mobile for sureAnd on non mobile platforms, many times we don’t even have this optionTrojan horses and spyware are all over the PC spaceNo real permissions model in the pc space with regards to some resourcesYou want to see my location?! Sure go aheadYou want to look at my contact lists? Whatever.. Time to fling birds at pigsYou want to steal all my SMS messages.. Sure.. CLICK GO!This is what people do.. Actively.. In real time… ALL THE TIME!
Let’s talk about a real case study…April 5th 2011. WSJ breaks story – NJ Fed prosecutors investigating Pandora for illegally obtaining and distributing personal private information to third party advertising groupsAllegations:Gathering GPS location, device identifiers, gender, user age, etc. without notice to the end user.101 Apps tested by WSJ 47 sent location off device, 56 send uniqueID off deviceSo I broke apart Pandora and analyzed it to determine what it was sending outFive advertising libraries were embedded into the applicationSome of the advertising libraries were indeed accessing private data (GPS, uniqueID, etc) and sending it to the ad networksWe released a blog post on the findingsTons of media attention.Some researchers pointed out that Pandora didn’t have application permissions for GPSThey were rightSince we new it was a third party library I did some googlingFound a partial client list for AdMob, one of the libraries in questionLooked through the Android marketplace for apps that had GPS enabled that were on the customer listGrabbed just a couple – CBS News and TV.COMFound the same codePublished a follow on blog postingPandora removed (or claimed they were going to remove) offending ad libraries from their appWINNING!Later researcher by Praetorian had some interesting findings
By now, this slide is going to feel a bit old. It’s the same thing that’s been said for a while now regarding passwords and the overall concept of passwords. Namely, passwords STINK! There really isn’t any other way to put it. And these horrible passwords are what is leading to a significant number of compromises in the social media world. In 2009, there was a major online property breached that lead to the disclosure of 32 million passwords. The compromised passwords were then analyzed by the security company Imperva and these are the highlights. 30% of all passwords were under 6 characters.60% of the passwords were basic alphanumeric in nature.And half of them were what is considered “easily guessed” by brute force dictionary style attacks. This isn’t the only place where these types of user mistakes have occurred Similar numbers were observed in the lulzsec data dumps of the last 12 months. People don’t choose strong passwords. It’ll never happen. This isn’t only a user problem. Take for example secret questions. Paris Hilton’s phone and Sarah Palins email account were both hacked due to easily guessed secret questions. With the ubiquity of social networking, the personal information that is commonly used in these so called “secret questions” is easily data mined by a determined attacker. Scarlet Johannsens’ naked pictures, Christina Agullira’s and Mila Kuniz email accounts along with up to fifty other celebrities were recently hacked. Just yesterday they arrested the man that attacked these accounts. In nearly every case the attacker used what is being termed “open source information” about the celebrities to break in through the reset password feature of the account. Also, In the last year we’ve seen a big uptake in SQL injection style attacks, and in these attacks a number of the companies weren’t storing their users passwords with any reasonable form of encryption. Additionally most people reuse passwords from site to site. This is a huge mistake. Once a large data breach has occurred, and your password is compromised, it’s trivial for attackers to continue to leverage this data trove for further intrusions.
If you wouldn’t yell it from the rooftops, don’t post it on the Internet. The Internet and especially social media is permanent. Anything that hits the Internet can and will be there forever. If you wouldn’t broadcast your comment on the radio or put your photo on the television for the world to see.. it has no place on social media and the Internet. If you live by this golden rule… you should be just fine.
In closing:Mobile + Social + Cloud equals what…A New Security ParadigmSo in the worlds of the Immortal Steve Jobs..Let’s try to “Think Different”Thank you.
My email address is firstname.lastname@example.org and my twitter is @txs. Feel free to reach me at either of those places. Any questions?!
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud OH Tyler Shields MY! ResearcherThe Story of a “New Computing Paradigm” October 20, 2011
Viral Adoption Refers to a system architecture that can be adopted incrementally, and gains momentum as it scales.http://dl.media.mit.edu/viral/viral.pdf - Viral Communications, Media Laboratory Research Draft May 19 th 2003
New Age Malware• Decentralized• Interconnected• Mobile• Quick Content Publishing• Decentralized• Interconnected• Mobile• Has Access to Data
KoobFace• Social media worm• Propagation via Facebook messages• Propagation via Facebook wall posts• Spams your friend list to an “update for Adobe Flash”• Installs pay per install malware on target• Infected computers operate as a botnet
I Know EXACTLY Where All My Data Lives Sure it’s Safe in the Cloud!
The Path Your Data Takes Approved Cloud Vendor The Office Central Server Sub-Cloud Vendor Sub-Cloud Vendor The Calendar Mirrored via Google Laptop ‟ Stolen At The Airport The Lost iPhone The Hacked Home PC Google Docs To ShareIndirect: Ooops Did I Say That With remote Co- on Facebook?! Worker
Own The Borg, Own The WORLD!In 2009, Twitter gets COMPLETELY owned… TWICE!Brute force password attack of targeted user reveals a password of“Happiness” ‟ User is a Twitter admin… OWNED!A French hacker owns the Yahoo email account of a user on twitter. Hethen resets that users twitter password and views the email in the Yahooaccount. User is a twitter admin… OWNED!
Own The Borg, Own The WORLD!6/19/11 1:54 PM: Dropbox pushes code breaking authentication6/19/11 5:46 PM: Dropbox pushes fix to authentication bug What can YOU do with four hours of access to every user’s data?!
I Know Exactly What My Code Does! Besides, Application Permissions Keep Me Safe!
Code Reuse, Outsourcing, And Third Party Libraries Most Code Is: Reused Outsourced Third Party Libraries (with source) Third Party Libraries (binary format)Your vendors don’t know what their code does either!
WSJ Article Discloses NJ Prosecutor’s Investigation JD-GUI Pandora App Publish Blog Post „ Location „ Bearing „ Altitude Investigate Other „ Android ID Applications Publish second blog posting with updated findings regarding permissions and other apps Pandora Removes Ad Libraries
Of Course It’s Secure, It’s Got A Password On It!
Passwords and Password Reuse Passwords STINK!• Passwords < 6 characters long ~30%• Passwords from limited alpha-numeric key set ~60%• Used names, slang words, dictionary words trivial passwords, consecutive digits, etc. ~50%• Not only a user problem• Secret questions ‟ bad idea!• SQL Injection compromises up 43% year over year • HBGary, Xfactor, Fox.Com, PBS, FBI, Pron.com, … • Sony, Sony, Sony… oh.. Yeah.. SONY! • Password reuse?http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
In Summary Mobile The perimeter is dead Must secure from the data out Computing will be ubiquitous and hidden Social The perfect breeding ground for malware Passwords STINK! Cloud The path of data is uncontrollableYou can’t rely on permissions ‟ It just won’t workSecuring ALL of your code is the only real defense
Mobile + Social + Cloud =A New Security Paradigm Think Different