David Rogers, Copper Horse Solutions Ltd.
DARK CLOUDS AND RAINY DAYS, THE BAD SIDE
OF CLOUD COMPUTING
CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM


  Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
ABOUT ME
   12 years in the mobile industry
   Hardware and software background
   Head of Product Security at Panasonic Mobile
        Worked with industry and government on IMEI and SIMlock security
        Pioneered some early work in mobile phone forensics
        Brought industry together on security information sharing
   Director of External Relations at OMTP
        Programme Manager for advanced hardware security tasks
        Chair of Incident Handling task
   Head of Security and Chair of Security Group at WAC
   Owner and Director at Copper Horse Solutions
ABOUT COPPER HORSE SOLUTIONS LTD

   Established in 2011
   Software and security company
        Focused on the mobile phone industry
   Services:
        Mobile phone security consultancy
        Industry expertise
        Standards representation
        Mobile application development
   http://www.copperhorsesolutions.com

WHAT I WILL TALK ABOUT

   Dark Clouds and Rainy Days – the dark side of cloud computing
        Thin air – issues around device theft and tampering
        Condensation – how much data is left on the device?
        The problem with web apps
        Slurping data, not coffee – insecure networks
        How much do you trust your cloud provider?
THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING

Image: 416style
DEVICES – LOST AND STOLEN
   Large numbers of devices are lost or stolen on a daily basis
        iPhone prototypes – 2 left in bars
   UK – National Mobile Phone Crime Unit
   IMEI blocking
        Window between theft and blocking
        Same problem with lock and wipe services
   NMPR – National Mobile Property Register
        Allows stolen / lost items to be returned to the right owner
        www.immobilise.com
   EIRs and the CEIR
        Lots of stolen phones are exported but not blocked
   Users do not protect access to their devices
        Barrier to usability
        Most cloud services have authentication tokens – non-password access (see also FaceNiff)
        Need to be told the basics: http://www.carphonewarehouse.com/security
   Smartphone hacking is a major target right now
        Hardware (SIMlock and IMEI) hacking has been going on for years
CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?
DATA RESIDUE ISSUES
   Devices move around:
        Phone recycling companies
        Phones left in drawers / thrown in bins
        Phones passed on to another employee
        Service returns and refurbishment issues
             Repeated attacks on celebrities
             Repeated mistakes in data clearing
   Lots of “cloud” access data available
        Browser data cache / local storage
        Credentials for network APIs and services stored on device (not in secure hardware)
        Users storing passwords insecurely on local machines
        Apps / browsers providing “no-login” functionality
   Note: These are all still issues in the non-‘cloud’ world!!
THE PROBLEM WITH WEB APPLICATIONS

Image: Clearly Ambiguous
THE PROBLEM WITH WEBAPPS
   Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps
   Everyone is jumping on HTML5 but there will be hidden security issues
   Ultimately there needs to be some form of local usage
        HTML5 Cache, offline mechanisms still immature
        No access to trusted hardware on device
   Everything is transferred over a network
        Even if you don’t want it to be
   Existing protection is weak
        Web foundations are not secure (see later)
        No such thing as a “secure web runtime”
   In-app billing and other network APIs offer great fraud / attack potential
        Targets will be identity and payment
   Future: Device APIs & M2M
        How to sync data without compromising users
        How to control access
        Public safety aspects – web for safety critical applications?!
RELIANCE ON CONNECTIVITY
   Network access is not ubiquitous
        Extremely poor wireless connections in rural areas (even in developed countries)
   There is always an ‘offline’ scenario for users, but few technical solutions for offline web

Image: John Leach
SLURPING DATA, NOT COFFEE – INSECURE NETWORKS

Image: Thomas Dwyer (on a break from flickr)
SLURPING DATA, NOT COFFEE
   Incidents in internet cafes, airports and libraries
        Very widespread
        Expensive roaming costs push users onto WiFi
   Fake WiFi networks
        Low hanging fruit
        Temptation, temptation – open and free!
   Recent attack demonstration of stealing data while charging a phone at a charge booth
   Femtocells
        Recent hacker interest in femtocells (base stations in people’s houses)
        Can capture and break traffic
        What about metrocells?
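The "fake WiFi networks" point is about devices that happily attach to any open network, or to an access point reusing a name they already trust. The following is an added example, not material from the talk: a small audit over a Wi-Fi scan result that flags open networks and any trusted SSID advertised with a security mode that does not match the saved profile. The trusted profile table, the scan records, and the `audit_scan` / `safe_to_autojoin` functions and their finding format are all constructed for this example.

```python
"""Flag Wi-Fi networks a device should not auto-join.

Added example for the 'fake WiFi networks' point; it is not part of the talk.
TRUSTED_PROFILES, SAMPLE_SCAN and the two functions are constructed here.
"""

# Constructed: networks the device has joined before and the security mode
# each one was configured with when the profile was saved.
TRUSTED_PROFILES = {
    "CorpWiFi": "WPA2-Enterprise",
    "HomeNet": "WPA2-PSK",
}

# Constructed scan result: (SSID, BSSID, security mode as reported by the radio).
SAMPLE_SCAN = [
    ("CorpWiFi", "00:11:22:33:44:01", "WPA2-Enterprise"),
    ("CorpWiFi", "66:77:88:99:aa:bb", "Open"),          # open AP reusing a trusted name
    ("Free Airport WiFi", "de:ad:be:ef:00:01", "Open"),
    ("HomeNet", "00:11:22:33:44:02", "WPA2-PSK"),
    ("Cafe_Guest", "c0:ff:ee:00:00:01", "WPA2-PSK"),
    ("Cafe_Guest", "c0:ff:ee:00:00:02", "WPA2-PSK"),    # second AP, same mode: normal roaming
]


def audit_scan(scan, trusted=TRUSTED_PROFILES):
    """Return (severity, ssid, bssid, reason) for every AP worth refusing or warning about.

    HIGH:   a trusted SSID advertised with a security mode other than the saved
            profile (the pattern an auto-joining device cannot tell apart from
            its real network).
    MEDIUM: any open network; traffic without TLS is readable by anyone in range.
    Several BSSIDs under one SSID with the same mode are an ordinary multi-AP
    deployment and produce no finding.
    """
    findings = []
    for ssid, bssid, mode in scan:
        expected = trusted.get(ssid)
        if expected is not None and mode != expected:
            findings.append(("HIGH", ssid, bssid,
                             f"trusted SSID seen as {mode}, profile expects {expected}"))
        elif mode == "Open":
            findings.append(("MEDIUM", ssid, bssid,
                             "open network: unencrypted traffic is readable by anyone in range"))
    return findings


def safe_to_autojoin(ssid, bssid, scan, trusted=TRUSTED_PROFILES):
    """True only for an AP that belongs to a trusted profile and has no finding against it."""
    if ssid not in trusted:
        return False
    return not any(f[1] == ssid and f[2] == bssid for f in audit_scan(scan, trusted))


if __name__ == "__main__":
    for severity, ssid, bssid, reason in audit_scan(SAMPLE_SCAN):
        print(f"{severity:6} {ssid!r} {bssid}: {reason}")
```

The check deliberately keys on security mode rather than BSSID alone, because a legitimate office network has many BSSIDs and a BSSID allow-list would break roaming; what never changes for a saved profile is the authentication the user agreed to when the profile was created.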
FACENIFF AND FIRESHEEP
   MITM attack captures authentication cookies
   Even on encrypted WiFi networks
        Traffic is routed through attack device
   Techniques available for years – made much easier by these kinds of tools
   Companies still not using SSL
        Mobile version of Facebook page has to be manually set as https by the user – most users cannot do this
   Many phone applications send data in the clear
        Google and Facebook have both been guilty of this

Image: http://www.geekword.net
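Firesheep and FaceNiff work because the session cookie travels over plaintext HTTP after login, so the fix sits with the service, not the user who cannot "manually set https". The following is an added example, not code from the talk: a header audit that reports what such tools rely on. It goes slightly beyond the slide's "use SSL" by also checking the Secure and HttpOnly cookie flags and the Strict-Transport-Security header, since SSL on the login page alone leaves the cookie replayable over http://. The two response header blocks are constructed, and `audit_response` and its finding format are this example's own design.

```python
"""Audit HTTP response headers for the weaknesses session-sidejacking tools rely on.

Added example for the FaceNiff / Firesheep slide; it is not from the talk.
WEAK_RESPONSE and HARDENED_RESPONSE are constructed header blocks.
"""


def parse_headers(raw):
    """Split a raw response header block into (lower-cased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or not line.strip():
            continue                          # status line or blank separator
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(scheme, raw):
    """Return (subject, problem) findings for a response fetched over `scheme` ("http"/"https").

    A session cookie is only as private as the weakest channel it travels on:
    plaintext HTTP exposes it to anyone on the same WiFi, a missing Secure flag
    lets the browser replay it over http://, and a missing HSTS header leaves
    the first request (or a typed http:// URL) unprotected.
    """
    findings = []
    headers = parse_headers(raw)

    if scheme == "http":
        findings.append(("transport", "served over plaintext HTTP: cookies below are readable on the wire"))
    elif not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(("transport", "no Strict-Transport-Security: browser may still issue plaintext requests"))

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append((cookie, "missing Secure: cookie is also sent over http://"))
        if "httponly" not in attrs:
            findings.append((cookie, "missing HttpOnly: cookie readable by page script"))
    return findings


# Constructed: a post-login response of the kind a sidejacking tool could harvest.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=c0n57ruc73d; Path=/
Set-Cookie: remember=1; Path=/; HttpOnly
"""

# Constructed: the same response with transport and cookie flags hardened.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=c0n57ruc73d; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: remember=1; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, scheme, raw in (("weak", "http", WEAK_RESPONSE), ("hardened", "https", HARDENED_RESPONSE)):
        print(label, audit_response(scheme, raw) or "no findings")
```

Run against a captured login response (for example the headers saved from a browser's network panel), the audit gives a concrete list to hand to the service owner; the hardened block is the shape every finding should converge on.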
HIDDEN NEAR A CAFÉ IN YOUR AREA…

Image: http://cheezburger.com/View/1608846080
HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER?

Image: Caza_No_7
TRUST IN CLOUD PROVIDERS (1)

   Poor security techniques employed
        Phone hacking scandal
        No user notification of accesses from other machines / times
        Previous data issues – e.g. T-Mobile, Paris Hilton etc.
        Password reminders have compromised online email accounts e.g. Sarah Palin
        Facebook dragged into providing privacy protection for users
TRUST IN CLOUD PROVIDERS (2)
   Who does your cloud provider trust?
        Who are their suppliers?
        What technology are they using?
        RSA – targeted cyber attack
             SecurID keys being replaced in many organisations
        Diginotar – fake (genuine) SSL certificates
             Compromised Google Docs, Gmail and lots of other services
             Shows how fragile the whole foundations of the ‘secure’ web are
        19th September (Monday) – BEAST attack against SSL
             Can decrypt PayPal cookies
VIRTUALISATION
   Platform agnostic dream
   Does virtualisation on mobile handsets really bring extra security?
        It offers a solution to companies wanting to own parts of a device e.g. for corporate policy management
        It brings new (unknown) security risks
             Immature products on mobile
        Mobile market is still very fragmented
        Same issues if the device is lost or stolen
TECHNICAL OUTAGES
   “for a currently unknown reason, the update did not work correctly”
   Microsoft response to DNS issue, September 2011

   Unforeseen technical outages:
        Google: Google Docs down for hours
        Microsoft: DNS issue during maintenance

   http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html
TARGETED HACKTIVISM
   Attacks on Amazon by Anonymous – unrelated to most users’ services
        DDoS attack failed – Amazon’s servers were capable of handling the demand
        Companies like Mastercard did not fare as well
        Collateral damage issue
        Conversely – Amazon’s EC2 cloud capability was used against Sony
   Lulzsec
        Simplistic but devastating attacks
        Difficult to track down
   What groups come next?

   F-Secure’s Mikko Hypponen has called for an international Police Force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/
TARGETED HACKTIVISM (2)
   Anonymous is the direction of hacktivist attacks for various ideals
   Decentralised, no ‘head’
        #opfacebook
        5th November 2011
        Published rationale is Facebook privacy policy
TRUST IN CLOUD PROVIDERS (2)
   At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
   What is the EULA?
   What country is your data being held in?
        What are the data protection and privacy laws?
        Have you got customer data within your business data?
        What happens when something goes wrong?
   Business continuity
        Despite operating agreements, what if a natural disaster happens?
             Might not be the data centre that is affected
             Cable theft is a huge issue
        What about conflict and war?
WHAT THEN?

Image: https://tooze.wordpress.com/tag/singtel/
THE SILVER LINING?
   Not quite silver yet:
        Cloud services do provide a lot of good, but are not a panacea!
        Primary business driver for cloud is cost. Security is a secondary concern
   But:
        Many attacks in the “offline” world can / have been much worse
        Cloud providers and companies are recognising issues
        Users are not accepting bad security / privacy
        Not everything will live in the cloud

Image: Nick Coombe
THANKS FOR LISTENING!

   Any questions?

   Contact me: david.rogers@copperhorses.com
   Twitter: @drogersuk
   Blog: http://blog.mobilephonesecurity.org

Data Integration Basics: Merging & Joining Data
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
Advanced Techniques for Cyber Security Analysis and Anomaly Detection
Advanced Techniques for Cyber Security Analysis and Anomaly DetectionAdvanced Techniques for Cyber Security Analysis and Anomaly Detection
Advanced Techniques for Cyber Security Analysis and Anomaly Detection
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
 

Dark Clouds and Rainy Days, the Bad Side of Cloud Computing

  • 1. David Rogers, Copper Horse Solutions Ltd. DARK CLOUDS AND RAINY DAYS, THE BAD SIDE OF CLOUD COMPUTING. CLOUD MOBILITY, 21ST SEPTEMBER 2011, AMSTERDAM. Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
  • 2. ABOUT ME
    - 12 years in the mobile industry
    - Hardware and software background
    - Head of Product Security at Panasonic Mobile
      - Worked with industry and government on IMEI and SIMlock security
      - Pioneered some early work in mobile phone forensics
      - Brought industry together on security information sharing
    - Director of External Relations at OMTP
      - Programme Manager for advanced hardware security tasks
      - Chair of Incident Handling task
    - Head of Security and Chair of Security Group at WAC
    - Owner and Director at Copper Horse Solutions
  • 3. ABOUT COPPER HORSE SOLUTIONS LTD
    - Established in 2011
    - Software and security company
      - Focused on the mobile phone industry
    - Services:
      - Mobile phone security consultancy
      - Industry expertise
      - Standards representation
      - Mobile application development
    - http://www.copperhorsesolutions.com
  • 4. WHAT I WILL TALK ABOUT
    - Dark Clouds and Rainy Days – the dark side of cloud computing
      - Thin air – issues around device theft and tampering
      - Condensation – how much data is left on the device?
      - The problem with web apps
      - Slurping data, not coffee – insecure networks
      - How much do you trust your cloud provider?
  • 5. THIN AIR – ISSUES AROUND DEVICE THEFT AND TAMPERING. Image: 416style
  • 6. DEVICES – LOST AND STOLEN
    - Large numbers of devices are lost or stolen on a daily basis
      - iPhone prototypes – 2 left in bars
      - UK – National Mobile Phone Crime Unit
    - IMEI blocking
      - Window between theft and blocking
      - Same problem with lock and wipe services
    - NMPR – National Mobile Property Register
      - Allows stolen / lost items to be returned to the right owner
      - www.immobilise.com
    - EIRs and the CEIR
      - Lots of stolen phones are exported but not blocked
    - Users do not protect access to their devices
      - Barrier to usability
      - Most cloud services have authentication tokens – non-password access (see also FaceNiff)
      - Need to be told the basics: http://www.carphonewarehouse.com/security
    - Smartphone hacking is a major target right now
      - Hardware (SIMlock and IMEI) hacking has been going on for years
  • 7. CONDENSATION – HOW MUCH DATA IS LEFT ON THE DEVICE?
  • 8. DATA RESIDUE ISSUES
    - Devices move around:
      - Phone recycling companies
      - Phones left in drawers / thrown in bins
      - Phones passed on to another employee
      - Service returns and refurbishment issues
    - Repeated attacks on celebrities
    - Repeated mistakes in data clearing
    - Lots of "cloud" access data available
      - Browser data cache / local storage
      - Credentials for network APIs and services stored on device (not in secure hardware)
      - Users storing passwords insecurely on local machines
      - Apps / browsers providing "no-login" functionality
    - Note: These are all still issues in the non-'cloud' world!!
  • 9. THE PROBLEM WITH WEB APPLICATIONS. Image: Clearly Ambiguous
  • 10. THE PROBLEM WITH WEBAPPS
    - Trust issues – e.g. Chrome application permissions issue / lack of proper triage with Android and Chrome apps.
    - Everyone is jumping on HTML5 but there will be hidden security issues
      - Ultimately there needs to be some form of local usage
      - HTML5 Cache, offline mechanisms still immature
      - No access to trusted hardware on device
    - Everything is transferred over a network
      - Even if you don't want it to be
    - Existing protection is weak
      - Web foundations are not secure (see later)
      - No such thing as a "secure web runtime"
    - In-app billing and other network APIs offer great fraud / attack potential
      - Targets will be identity and payment
    - Future: Device APIs & M2M
      - How to sync data without compromising users
      - How to control access
      - Public safety aspects – web for safety critical applications?!
  • 11. RELIANCE ON CONNECTIVITY
    - Network access is not ubiquitous
      - Extremely poor wireless connections in rural areas (even in developed countries)
    - There is always an 'offline' scenario for users, but few technical solutions for offline web
    Image: John Leach
  • 12. SLURPING DATA, NOT COFFEE – INSECURE NETWORKS. Image: Thomas Dwyer (on a break from flickr)
  • 13. SLURPING DATA, NOT COFFEE
    - Incidents in internet cafes and airports, libraries
      - Very widespread
      - Expensive roaming costs push users onto WiFi
    - Fake WiFi networks
      - Low hanging fruit
      - Temptation, temptation – open and free!
    - Recent attack demonstration of stealing data while charging a phone at a charge booth
    - Femtocells
      - Recent hacker interest in femtocells (base stations in people's houses)
      - Can capture and break traffic
      - What about metrocells?
  • 14. FACENIFF AND FIRESHEEP
    - MITM attack captures authentication cookies
      - Even on encrypted WiFi networks
      - Traffic is routed through the attack device
      - Techniques available for years – made much easier by these kinds of tools
    - Companies still not using SSL
      - Mobile version of the Facebook page has to be manually set to https by the user – most users cannot do this
      - Many phone applications send data in the clear
      - Google and Facebook have both been guilty of this
    Image: http://www.geekword.net
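The cookie capture described in slide 14 works because a session cookie is accepted over plain http; the server-side controls that close it are the Secure (and HttpOnly) cookie attributes and an HSTS header that keeps the browser on https. The following is an added example, not part of the talk, that audits a constructed pair of response header sets for exactly those controls; the session-cookie name hints and the sample headers are assumptions.

```python
"""Audit HTTP response headers for the weaknesses behind Firesheep-style
cookie capture: session cookies without Secure/HttpOnly, and no HSTS.
Added example; header samples below are constructed, not captured."""
from typing import Dict, List, Tuple

# Substrings that usually mark a session-bearing cookie (assumption, extend as needed).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute_lower: value})."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    flags: Dict[str, str] = {}
    for attr in attrs:
        key, _, val = attr.partition("=")   # bare attributes such as "Secure" get ""
        flags[key.strip().lower()] = val.strip()
    return name, flags


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one response (empty list means no issue found)."""
    findings: List[str] = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security header: browser can be kept on plain http")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, flags = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue   # non-session cookies (e.g. language preference) are out of scope here
        if "secure" not in flags:
            findings.append(f"session cookie {name!r} lacks Secure: will be sent over http")
        if "httponly" not in flags:
            findings.append(f"session cookie {name!r} lacks HttpOnly: readable by page script")
    return findings


# Constructed sample: a site "still not using SSL" as the slide describes.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(hdrs) or ["ok"])
```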
  • 15. HIDDEN NEAR A CAFÉ IN YOUR AREA… Image: http://cheezburger.com/View/1608846080
  • 16. HOW MUCH DO YOU TRUST YOUR CLOUD PROVIDER? Image: Caza_No_7
  • 17. TRUST IN CLOUD PROVIDERS (1)
    - Poor security techniques employed
      - Phone hacking scandal
      - No user notification of accesses from other machines / times
      - Previous data issues – e.g. T-Mobile, Paris Hilton etc.
      - Password reminders have compromised online email accounts e.g. Sarah Palin
    - Facebook dragged into providing privacy protection for users
  • 18. TRUST IN CLOUD PROVIDERS (2)
    - Who does your cloud provider trust?
      - Who are their suppliers?
      - What technology are they using?
    - RSA – targeted cyber attack
      - SecurID keys being replaced in many organisations
    - DigiNotar – fake (genuine) SSL certificates
      - Compromised Google Docs, Gmail and lots of other services
      - Shows how fragile the whole foundations of the 'secure' web are
    - 19th September (Monday) – BEAST attack against SSL
      - Can decrypt PayPal cookies
  • 19. VIRTUALISATION
    - Platform agnostic dream
    - Does virtualisation on mobile handsets really bring extra security?
      - It offers a solution to companies wanting to own parts of a device, e.g. for corporate policy management
      - It brings new (unknown) security risks
    - Immature products on mobile
      - Mobile market is still very fragmented
    - Same issues if the device is lost or stolen
  • 20. TECHNICAL OUTAGES
    - "for a currently unknown reason, the update did not work correctly" – Microsoft response to DNS issue, September 2011
    - Unforeseen technical outages:
      - Google: Google Docs down for hours
      - Microsoft: DNS issue during maintenance
    - http://cloudtechsite.com/blogposts/microsoft-and-google-suffer-from-recent-cloud-interruptions.html
  • 21. TARGETED HACKTIVISM
    - Attacks on Amazon by Anonymous – unrelated to most users' services
      - DDoS attack failed – Amazon's servers were capable of handling the demand
      - Companies like Mastercard did not fare as well
      - Collateral damage issue
    - Conversely – Amazon's EC2 cloud capability was used against Sony
    - Lulzsec
      - Simplistic but devastating attacks
      - Difficult to track down
    - What groups come next?
      - F-Secure's Mikko Hypponen has called for an international police force: http://betanews.com/2011/09/12/we-need-an-international-police-force-to-fight-cybercrime/
  • 22. TARGETED HACKTIVISM (2)
    - Anonymous is the direction of hacktivist attacks for various ideals
      - Decentralised, no 'head'
    - #opfacebook
      - 5th November 2011
      - Published rationale is Facebook privacy policy
  • 23. TRUST IN CLOUD PROVIDERS (2)
    - At what point in the future does a cloud provider decide to sneak a look at the data it is storing?
      - What is the EULA?
    - What country is your data being held in?
      - What are the data protection and privacy laws?
      - Have you got customer data within your business data?
    - What happens when something goes wrong?
      - Business continuity
      - Despite operating agreements, what if a natural disaster happens?
      - Might not be the data centre that is affected
      - Cable theft is a huge issue
      - What about conflict and war?
  • 24. WHAT THEN? Image: https://tooze.wordpress.com/tag/singtel/
  • 25. THE SILVER LINING?
    - Not quite silver yet:
      - Cloud services do provide a lot of good, but are not a panacea!
      - Primary business driver for cloud is cost. Security is a secondary concern
    - But:
      - Many attacks in the "offline" world can be / have been much worse
      - Cloud providers and companies are recognising issues
      - Users are not accepting bad security / privacy
      - Not everything will live in the cloud
    Image: Nick Coombe
  • 26. THANKS FOR LISTENING!
    - Any questions?
    - Contact me: david.rogers@copperhorses.com
    - Twitter: @drogersuk
    - Blog: http://blog.mobilephonesecurity.org