This document discusses emerging security challenges in an increasingly mobile, social, and cloud-based computing landscape. It notes that traditional perimeter-based security is ineffective as computing becomes more ubiquitous and decentralized. Mobile applications and social networks provide fertile ground for malware propagation. Cloud services mean data can take complex, indirect paths outside of a user's control. Passwords are often trivial to guess. Code from third parties and libraries may introduce vulnerabilities. A new security paradigm is needed to address these challenges, as permissions alone will not suffice. Users must think differently about security in this new environment.

2. What is the same with these
twitter accounts?

3. They have all been hacked!

4. Social Networking

5. Mobile Computing

6. Mobile Computing

7. The Cloud

8. The Times They Are a Changing..

9. I’m Secure, I Have
A Firewall!

11. Malware Is for PCs!

12. Viral Adoption
Refers to a system architecture that can be
adopted incrementally, and gains momentum as
it scales.
http://dl.media.mit.edu/viral/viral.pdf - Viral Communications, Media Laboratory Research Draft May 19 th 2003

13. New Age Malware
• Decentralized
• Interconnected
• Mobile
• Quick Content
Publishing
• Decentralized
• Interconnected
• Mobile
• Has Access to Data

14. KoobFace
• Social media worm
• Propagation via Facebook messages
• Propagation via Facebook wall posts
• Spams your friend list to an “update for
Adobe Flash”
• Installs pay per install malware on target
• Infected computers operate as a botnet

15. I Know EXACTLY Where
All My Data Lives
Sure it’s Safe in the Cloud!

16. The Path Your Data Takes
Approved Cloud
Vendor The Office Central
Sub-Cloud Vendor
Server
Sub-Cloud Vendor
The Calendar Mirrored
via Google
Laptop – Stolen At
The Airport
The Lost iPhone The Hacked Home PC
Google Docs To
Indirect: Ooops Did I Say Share With remote
That on Facebook?! Co-Worker

17. Own The Borg, Own The WORLD!
In 2009, Twitter gets COMPLETELY owned… TWICE!
Brute force password attack of targeted user reveals a password
of “Happiness” – User is a Twitter admin… OWNED!
A French hacker owns the Yahoo email account of a user on
twitter. He then resets that users twitter password and views the
email in the Yahoo account. User is a twitter admin… OWNED!

18. Own The Borg, Own The WORLD!
6/19/11 1:54 PM: Dropbox pushes code breaking authentication
6/19/11 5:46 PM: Dropbox pushes fix to authentication bug
What can YOU do with four hours of
access to every user’s data?!

19. I Know Exactly What My
Code Does!
Besides, Application Permissions Keep Me Safe!

20. Code Reuse, Outsourcing,
And Third Party Libraries
Most Code Is:
Reused
Outsourced
Third Party Libraries (with source)
Third Party Libraries (binary format)
Your vendors don’t know what their code does either!

21. • • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• • •
• •
• •
• •
• •

23. WSJ Article Discloses NJ
Prosecutor’s Investigation
JD-GUI Pandora App
Publish Blog Post
• Location
• Bearing Investigate Other
• Altitude
Applications
• Android ID
Publish second blog posting
with updated findings regarding
permissions and other apps
Pandora Removes Ad Libraries

24. Here’s Some Numbers…
53,000 Applications Analyzed
Android Market: ~48,000
3rd Party Markets: ~5,000
Permissions Requested
Average: 3
Most Requested: 117
Top “Interesting” Permissions
GPS information: 24% (11,929)
Read Contacts: 8% (3,626)
Send SMS: 4% (1,693)
Receive SMS: 3% (1262)
Record Audio: 2% (1100)
Read SMS: 2% (832)
Process Outgoing Calls: % (323)
Use Credentials : 0.5% (248)

25. Here’s Some Numbers…
Third Party Libraries
Total Third Party Libraries: ~83,000
Top Shared Libraries
com.admob 38% (18,426 apps )
org.apache 8% ( 3,684 apps )
com.google.android 6% ( 2,838 apps )
com.google.ads 6% ( 2,779 apps )
com.flurry 6% ( 2,762 apps )
com.mobclix 4% ( 2,055 apps )
com.millennialmedia 4% ( 1,758 apps)
com.facebook 4% ( 1,707 apps)

26. Of Course It’s Secure,
It’s Got A Password On
It!

27. Passwords and Password Reuse
Passwords STINK!
• Passwords < 6 characters long ~30%
• Passwords from limited alpha-numeric key set ~60%
• Used names, slang words, dictionary words
trivial passwords, consecutive digits, etc. ~50%
• Not only a user problem
• Secret questions – bad idea!
• SQL Injection compromises up 43% year over year
• HBGary, Xfactor, Fox.Com, PBS, FBI, Pron.com, …
• Sony, Sony, Sony… oh.. Yeah.. SONY!
• Password reuse?
http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/

28. The Golden Rule

29. The Golden Rule

30. In Summary
Mobile
The perimeter is dead
Must secure from the data out
Computing will be ubiquitous and hidden
Social
The perfect breeding ground for malware
Passwords STINK!
Cloud
The path of data is uncontrollable
You can’t rely on permissions – It just won’t work
Securing ALL of your code is the only real defense

31. Mobile + Social + Cloud
=
A New Security Paradigm
Think Different

32. Email: tshields@veracode.com @txs