Viral Adoption
Refers to a system architecture that can be adopted incrementally, and gains momentum as it scales.
http://dl.media.mit.edu/viral/viral.pdf - Viral Communications, Media Laboratory Research Draft, May 19th 2003
New Age Malware
The platforms it rides on:
• Decentralized
• Interconnected
• Mobile
• Quick content publishing
The malware itself:
• Decentralized
• Interconnected
• Mobile
• Has access to data
Koobface
• Social media worm
• Propagates via Facebook messages
• Propagates via Facebook wall posts
• Spams your friend list with links to a fake "Adobe Flash update"
• Installs pay-per-install malware on the target
• Infected computers operate as a botnet
I Know EXACTLY Where All My Data Lives
Sure, it's Safe in the Cloud!
The Path Your Data Takes (diagram)
Nodes on the data-flow diagram:
• The Office
• Approved Cloud Vendor
• Sub-Cloud Vendor / Sub-Cloud Vendor Server
• Central Calendar, mirrored via Google
• Google Docs
• Laptop stolen at the airport
• The lost iPhone
• The hacked home PC
• Indirect: shared with a remote co-worker
• "Ooops, did I say that on Facebook?!"
Own The Borg, Own The WORLD!
In 2009, Twitter gets COMPLETELY owned... TWICE!
• A brute-force password attack against a targeted user reveals a password of "happiness". The user is a Twitter admin: OWNED!
• A French hacker takes over the Yahoo email account of a Twitter user, resets that user's Twitter password, and reads the reset email in the Yahoo account. The user is a Twitter admin: OWNED!
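The first Twitter incident above is an online guessing attack that only works because nothing stops the guesses. The following is an added example (not Twitter's code) that simulates a constructed wordlist against one account with and without a per-account lockout; "happiness" is the password the slide quotes, and the throttle parameters are assumptions.

```python
"""Online brute force against one account, with and without per-account lockout.
Added example; the wordlist is constructed and "happiness" is the password quoted on the slide."""
from typing import Callable, Dict, List, Optional, Tuple

Checker = Callable[[str, str], bool]

# Constructed attacker wordlist, in the order the attacker would try it.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "welcome", "happiness", "monkey"]


class LoginThrottle:
    """Per-account failure counter with a timed lockout.

    Uses its own fake clock (self.now, advanced with tick()) so the simulation is
    deterministic; a real service would read a monotonic clock."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0) -> None:
        self.max_failures = max_failures          # assumption: 5 strikes
        self.lockout_seconds = lockout_seconds    # assumption: 15 minutes
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.now = 0.0

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def attempt(self, username: str, password: str, check: Checker) -> str:
        """Returns "ok", "denied" (wrong password) or "locked" (guess not even evaluated)."""
        if self.locked_until.get(username, 0.0) > self.now:
            return "locked"
        if check(username, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.now + self.lockout_seconds
            self.failures.pop(username, None)
        return "denied"


def make_checker(secret: str) -> Checker:
    """Plaintext comparison, for the simulation only; a real store holds salted hashes."""
    def check(_username: str, password: str) -> bool:
        return password == secret
    return check


def simulate_attack(secret: str, wordlist: List[str],
                    throttle: Optional[LoginThrottle] = None) -> Tuple[bool, int]:
    """Try every word against the "admin" account. Returns (password_found, attempts_made)."""
    check = make_checker(secret)
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if throttle is None:
            if check("admin", guess):
                return True, attempts
            continue
        result = throttle.attempt("admin", guess, check)
        if result == "ok":
            return True, attempts
        if result == "locked":
            return False, attempts
    return False, attempts


if __name__ == "__main__":
    print("no throttle:", simulate_attack("happiness", WORDLIST))                     # (True, 6)
    print("with throttle:", simulate_attack("happiness", WORDLIST, LoginThrottle()))  # (False, 6)
```

Without the throttle the sixth guess lands; with it, the account is locked after five failures and the sixth guess is never evaluated. Two caveats a practitioner should keep in mind: a lockout is also a denial-of-service lever against the very admin accounts it protects, and the second Twitter incident on this slide bypassed the password entirely through the recovery email, so throttling is necessary but not sufficient. Admin accounts need a second factor on both login and reset.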
Own The Borg, Own The WORLD!
6/19/11 1:54 PM: Dropbox pushes code that breaks authentication
6/19/11 5:46 PM: Dropbox pushes the fix for the authentication bug
What can YOU do with four hours of access to every user's data?!
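The Dropbox window above was widely reported as a code change that let any password be accepted. That class of bug survives a test suite that only checks the happy path. The following added example (not Dropbox's code; the hash scheme, work factor and the exact shape of the bug are assumptions) shows a hypothetical refactor that drops the comparison result, the corrected verifier, and the negative checks that would have failed the bad push before it shipped.

```python
"""Negative login tests: catch an auth bypass before it ships (added example)."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, not Dropbox's value


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def _derive(record: str, password: str) -> Tuple[bytes, bytes]:
    """Recompute the digest for a candidate password; returns (candidate, expected)."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return candidate, bytes.fromhex(digest_hex)


def verify_password_broken(record: str, password: str) -> bool:
    """Hypothetical refactor bug: the comparison runs but its result is discarded,
    so every caller sees True and any password logs in. This illustrates the
    failure class on the slide; it is not Dropbox's actual code."""
    candidate, expected = _derive(record, password)
    hmac.compare_digest(candidate, expected)  # result never used
    return True


def verify_password(record: str, password: str) -> bool:
    """Correct verifier: constant-time compare, result returned."""
    candidate, expected = _derive(record, password)
    return hmac.compare_digest(candidate, expected)


def login_regression_suite(verify: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Positive AND negative cases. A suite holding only 'accepts_correct' passes on
    the broken verifier; the rejects_* cases are what block the bad push."""
    record = hash_password("correct horse battery staple")
    return {
        "accepts_correct": verify(record, "correct horse battery staple"),
        "rejects_wrong": not verify(record, "wrong password"),
        "rejects_empty": not verify(record, ""),
        "rejects_prefix": not verify(record, "correct horse"),
    }


if __name__ == "__main__":
    for name, fn in (("broken", verify_password_broken), ("fixed", verify_password)):
        results = login_regression_suite(fn)
        print(name, "PASS" if all(results.values()) else "FAIL", results)
```

Gate the deploy on the full suite, and treat any change that touches the verifier as needing the negative cases rerun, not just the "user can still log in" smoke test.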
I Know Exactly What My Code Does!
Besides, Application Permissions Keep Me Safe!
Code Reuse, Outsourcing, And Third Party Libraries
Most code is:
• Reused
• Outsourced
• Third party libraries (with source)
• Third party libraries (binary format)
Your vendors don't know what their code does either!
The Pandora investigation (flowchart):
• WSJ article discloses the NJ prosecutor's investigation
• Decompile the Pandora app with JD-GUI
• Publish blog post; data the app's code collects:
  • Location
  • Bearing
  • Altitude
  • Android ID
• Investigate other applications
• Publish second blog post with updated findings regarding permissions and other apps
• Pandora removes ad libraries
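The flow above (decompile, find which code reaches location and device identifiers, then learn it was the bundled ad libraries) is a triage you can script. The following added example is not from the investigation or from Pandora; the decompiled snippets are constructed stand-ins for JD-GUI output and every package name (com.example.musicapp, com.example.adsdk, com.example.analytics) is hypothetical. It attributes each sensitive API call to the package that makes it and shows that the manifest grants the declared permissions to the whole APK, so a bundled library inherits all of them.

```python
"""Attribute sensitive Android API calls in decompiled sources to the package that makes
them (added example). Sources and package names are constructed/hypothetical."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Regex over decompiled Java -> the kind of data that call yields.
SENSITIVE_CALLS: Dict[str, str] = {
    r"getLastKnownLocation\(|requestLocationUpdates\(": "location",
    r"\.getBearing\(": "bearing",
    r"\.getAltitude\(": "altitude",
    r"Settings\.Secure\.ANDROID_ID": "android_id",
}

# Constructed decompiled sources keyed by path, as JD-GUI lays them out.
DECOMPILED: Dict[str, str] = {
    "com/example/musicapp/Player.java": """
        public void play(Track t) { this.stream.open(t.url()); }
    """,
    "com/example/adsdk/AdTargeting.java": """
        Location loc = lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
        params.put("lat", loc.getLatitude()); params.put("brg", loc.getBearing());
        params.put("alt", loc.getAltitude());
        params.put("aid", Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID));
    """,
    "com/example/analytics/Beacon.java": """
        String id = Settings.Secure.getString(resolver, Settings.Secure.ANDROID_ID);
    """,
}

# Constructed manifest: permissions are declared once, for the whole APK.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musicapp">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def package_of(path: str) -> str:
    """Top-level package of a source file: first three path components."""
    return ".".join(path.split("/")[:3])


def attribute_calls(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each package to the sensitive data its code reaches."""
    findings: Dict[str, Set[str]] = {}
    for path, src in sources.items():
        pkg = package_of(path)
        for pattern, data in SENSITIVE_CALLS.items():
            if re.search(pattern, src):
                findings.setdefault(pkg, set()).add(data)
    return findings


def third_party_findings(findings: Dict[str, Set[str]], app_package: str) -> Dict[str, Set[str]]:
    """Everything not in the app's own package: code the vendor shipped but did not write."""
    return {pkg: data for pkg, data in findings.items() if pkg != app_package}


def declared_permissions(manifest_xml: str) -> Set[str]:
    root = ET.fromstring(manifest_xml)
    return {el.attrib[ANDROID_NS + "name"] for el in root.iter("uses-permission")}


def report(sources: Dict[str, str], manifest_xml: str, app_package: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per third-party package: data reached and the permission set it inherits. Android
    grants permissions to the process, not to a package, so nothing in the manifest
    scopes ACCESS_FINE_LOCATION to the app's own code."""
    perms = declared_permissions(manifest_xml)
    third = third_party_findings(attribute_calls(sources), app_package)
    return {pkg: {"data": data, "permissions": set(perms)} for pkg, data in third.items()}


if __name__ == "__main__":
    for pkg, info in report(DECOMPILED, MANIFEST, "com.example.musicapp").items():
        print(pkg, sorted(info["data"]), sorted(info["permissions"]))
```

Run against a real decompiled tree by walking the directory into the `sources` dict. The regex list is deliberately short; the point is the attribution step, which is what turns "the app asks for location" into "the ad SDK, not the player, reads it".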
Of Course It's Secure,
It's Got A Password On It!
Passwords and Password Reuse
Passwords STINK!
• Passwords < 6 characters long: ~30%
• Passwords from a limited alphanumeric key set: ~60%
• Names, slang words, dictionary words, trivial passwords, consecutive digits, etc.: ~50%
• Not only a user problem
• Secret questions: bad idea!
• SQL injection compromises up 43% year over year
  • HBGary, Xfactor, Fox.com, PBS, FBI, Pron.com, ...
  • Sony, Sony, Sony... oh, yeah, SONY!
  • Password reuse?
http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
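The three weak-password classes quantified above (too short, limited key set, names/dictionary words/consecutive digits) plus the reuse problem from the breach list can all be checked at registration time. The following added example (not from the slide deck or any cited product) implements those checks; the common-word list and the "breach corpus" are small constructed sets standing in for the large corpora a real check would use, and the breach set is held as SHA-1 digests so plaintexts are not shipped with the code.

```python
"""Flag the weak-password classes quantified on the slide, plus reuse against a breach
corpus (added example; word list and breach set are constructed, not real corpora)."""
import hashlib
import re
from typing import List, Set

# Constructed mini-dictionary of names, slang and common words.
COMMON_WORDS: Set[str] = {
    "password", "happiness", "letmein", "qwerty", "monkey", "dragon",
    "michael", "jennifer", "baseball",
}

# Constructed breach corpus: SHA-1 of passwords seen in prior dumps. A real deployment
# would query a large corpus via a k-anonymity range lookup rather than embed it.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("123456", "password", "happiness", "abc123")
}


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def _limited_keyset(pw: str) -> bool:
    """Only lowercase letters and digits: the 'limited alphanumeric key set' class."""
    return re.fullmatch(r"[a-z0-9]+", pw) is not None


def _is_consecutive_digits(pw: str) -> bool:
    """All digits, each one step up (123456) or one step down (654321) from the last."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def password_issues(pw: str) -> List[str]:
    """Every reason the password would be rejected, in a fixed order; empty means acceptable."""
    issues: List[str] = []
    if len(pw) < 6:
        issues.append("shorter than 6 characters")
    if _limited_keyset(pw):
        issues.append("limited alphanumeric key set")
    if pw.lower() in COMMON_WORDS:
        issues.append("name, slang or dictionary word")
    if _is_consecutive_digits(pw):
        issues.append("consecutive digits")
    if _sha1_hex(pw) in BREACHED_SHA1:
        issues.append("seen in a prior breach (reuse)")
    return issues


def is_acceptable(pw: str) -> bool:
    return not password_issues(pw)


if __name__ == "__main__":
    for candidate in ("happiness", "123456", "abc", "Tr0ub4dor&3"):
        print(repr(candidate), password_issues(candidate) or "ok")
```

"happiness", the admin password from the Twitter slide, trips three checks at once: it is lowercase-only, it is a dictionary word, and it already sits in the breach set, which is exactly why a wordlist finds it.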
In Summary
Mobile
• The perimeter is dead
• Must secure from the data out
• Computing will be ubiquitous and hidden
Social
• The perfect breeding ground for malware
• Passwords STINK!
Cloud
• The path of data is uncontrollable
You can't rely on permissions; it just won't work.
Securing ALL of your code is the only real defense.
Mobile + Social + Cloud = A New Security Paradigm
Think Different