Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

David Rogers, Copper Horse Solutions Ltd.
DARK CLOUDS AND RAINY DAYS, THE BAD SIDE
OF CLOUD COMPUTING
CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved

ABOUT ME
 12 years in the mobile industry
 Hardware and software background
 Head of Product Security at Panasonic Mobile
 Worked with industry and government on IMEI and
SIMlock security
 Pioneered some early work in mobile phone forensics
 Brought industry together on security information sharing
 Director of External Relations at OMTP
 Programme Manager for advanced hardware security
tasks
 Chair of Incident Handling task
 Head of Security and Chair of Security Group at WAC
 Owner and Director at Copper Horse Solutions

ABOUT COPPER HORSE SOLUTIONS LTD

 Established in 2011
 Software and security company
 Focused on the mobile phone industry
 Services:
 Mobile phone security consultancy
 Industry expertise
 Standards representation
 Mobile application development
 http://www.copperhorsesolutions.com


WHAT I WILL TALK ABOUT

 Dark Clouds and Rainy Days – the dark side
of cloud computing
 Thin air – issues around device theft and
tampering
 Condensation – how much data is left on the
device?
 The problem with web apps

 Slurping data, not coffee – insecure networks

 How much do you trust your cloud provider?


THIN AIR – ISSUES AROUND DEVICE
THEFT AND TAMPERING

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved Image: 416style

DEVICES – LOST AND STOLEN
 Large numbers of devices are lost or stolen on a daily basis
 iphone prototypes – 2 left in bars
 UK – National Mobile Phone Crime Unit
 IMEI blocking
 Window between theft and blocking
 Same problem with lock and wipe services
 NMPR – National Mobile Property Register
 Allows stolen / lost items to be returned to right owner
 www.immobilise.com
 EIRs and the CEIR
 Lots of stolen phones are exported but not blocked
 Users do not protect access to their devices
 Barrier to usability
 Most cloud services have authentication tokens – non-password access (see also faceniff)
 Need to be told the basics: http://www.carphonewarehouse.com/security
 Smartphone hacking is a major target right now
 Hardware (SIMlock and IMEI) hacking has been going on for years

CONDENSATION – HOW MUCH DATA IS
LEFT ON THE DEVICE?


DATA RESIDUE ISSUES
 Devices move around:
 Phone recycling companies
 Phones left in drawers / thrown in bins
 Phones passed onto another employee
 Service returns and refurbishment issues
 Repeated attacks on celebrities
 Repeated mistakes in data clearing
 Lots of “cloud” access data available
 Browser data cache / local storage
 Credentials for network APIs and services stored on device
(not in secure hardware)
 Users storing passwords insecurely on local machines
 Apps / browsers providing “no-login” functionality
 Note: These are all still issues in the non „cloud‟ world!!

THE PROBLEM WITH WEB APPLICATIONS

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved Image: Clearly Ambiguous

THE PROBLEM WITH WEBAPPS
 Trust issues – e.g. Chrome application permissions issue / lack or
proper triage with Android and Chrome apps.
 Everyone is jumping on HTML5 but there will be hidden security issues
 Ultimately there needs to be some form of local usage
 HTML5 Cache, offline mechanisms still immature
 No access to trusted hardware on device
 Everything is transferred over a network
 Even if you don‟t want it to be
 Existing protection is weak
 Web foundations are not secure (see later)
 No such thing as a “secure web runtime”
 In-app billing and other network APIs offer great fraud / attack potential
 Targets will be identity and payment
 Future: Device APIs & M2M
 How to sync data without compromising users
 How to control access
 Public safety aspects – web for safety critical applications?!

RELIANCE ON CONNECTIVITY
 Network access is not ubiquitous
 Extremely poor wireless connections in rural areas (even in
developed countries)
 There is always an „offline‟ scenario for users, but few
technical solutions for offline web

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved Image: John Leach

SLURPING DATA, NOT COFFEE –
INSECURE NETWORKS

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved Image: Thomas Dwyer (on a break from flickr)

SLURPING DATA, NOT COFFEE
 Incidents in internet cafes and airports, libraries
 Very widespread
 Expensive roaming costs push users onto WiFi
 Fake WiFi Networks
 Low hanging fruit
 Temptation, temptation – open and free!
 Recent attack demonstration of stealing data while
charging phone at a charge booth
 Femtocells
 Recent hacker interest in femtocells (base stations in
people‟s houses)
 Can capture and break traffic
 What about metrocells?

FACENIFF AND FIRESHEEP
 MITM attack captures authentication
cookies
 Even on encrypted WiFi networks
 Traffic is routed through attack device
 Techniques available for years – made
much easier by these kind of tools
 Companies still not using SSL
 Mobile version of facebook page has to be
manually set as https by the user – most users
cannot do this
 Many phone applications send data in the
clear
 Google and Facebook have both been guilty of
this

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved Image: http://www.geekword.net

HIDDEN NEAR A CAFÉ IN YOUR AREA…

Image: http://cheezburger.com/View/1608846080

HOW MUCH DO YOU TRUST YOUR CLOUD
PROVIDER?

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved Image: Caza_No_7

TRUST IN CLOUD PROVIDERS (1)

 Poor security techniques employed
 Phone hacking scandal
 No user notification of accesses from other
machines / times
 Previous data issues – e.g. T-Mobile, Paris Hilton
etc.
 Password reminders have compromised online
email accounts e.g. Sarah Palin
 Facebook dragged into providing privacy
protection for users

 Who do your cloud provider trust?
 Who are their suppliers?
 What technology are they using?
 RSA –targeted cyber attack
 SecurID keys being replaced in many organisations
 Diginotar – Fake (genuine) SSL certificates
 Compromised Google Docs, Gmail and lots of other
services
 Shows how fragile the whole foundations of the „secure‟
web are
 19th September (Monday) – BEAST attack against
SSL
 Can decrypt PayPal cookies


VIRTUALISATION
 Platform agnostic dream
 Does virtualisation on mobile handsets really
bring extra security?
 It offers a solution to companies wanting to own
parts of a device e.g. for corporate policy
management
 It brings new (unknown) security risks
 Immature products on mobile
 Mobilemarket is still very fragmented
 Same issues if the device is lost or stolen


TECHNICAL OUTAGES
“for a currently unknown reason, the update
did not work correctly”
Microsoft response to DNS issue, September 2011

 Unforeseen technical outages:
 Google: Googledocs down for hours
 Microsoft: DNS issue during maintenance

http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-
from-recent-cloud-interruptions.html

TARGETED HACKTIVISM
 Attacks on Amazon by Anonymous – unrelated to most users‟
services
 DDoS attack failed – Amazon were servers capable of the demand
 Companies like Mastercard did not fare as well
 collateral damage issue
 Conversely – Amazon‟s EC2 cloud capability was used against Sony
 Lulzsec
 Simplistic but devastating attacks
 Difficult to track down
 What groups come next?

 F-Secure‟s Mikko Hypponen has called for an international Police
Force: http://betanews.com/2011/09/12/we-need-an-international-
police-force-to-fight-cybercrime/

TARGETED HACKTIVISM (2)
 Anonymous is the direction of hacktivist attacks for various
ideals
 Decentralised, no „head‟
 #opfacebook
 5th November 2011
 Published rationale is
Facebook privacy policy


 At what point in the future does a cloud provider
decide to sneak a look at the data it is storing?
 What is the EULA?
 What country is your data being held in?
 What are the data protection and privacy laws?
 Have you got customer data within your business data?
 What happens when something goes wrong?
 Business continuity
 Despite operating agreements, what if a natural disaster
happens?
 Might not be the data centre that is affected
 Cable theft is a huge issue
 What about conflict and war?

WHAT THEN?

Image: https://tooze.wordpress.com/tag/singtel/


THE SILVER LINING?
 Not quite silver yet:
 Cloud services do provide a lot of
good, but are not a panacea!
 Primary business driver for cloud
is cost. Security is a secondary
concern
 But:
 Many attacks in the “offline”
world can / have been much
worse
 Cloud providers and companies
are recognising issues
 Users are not accepting bad
security / privacy
 Not everything will live in the
cloud
Image: Nick Coombe


THANKS FOR LISTENING!

 Any questions?

 Contact me:
david.rogers@copperhorses.com

 Twitter:
@drogersuk

 Blog:
http://blog.mobilephonesecurity.org


Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

Similar to Dark Clouds and Rainy Days, the Bad Side of Cloud Computing(20)

Recently uploaded

Recently uploaded(20)

Dark Clouds and Rainy Days, the Bad Side of Cloud Computing