
April 25, 2017

Beware of Hacking in Your Mobile

HKBU IS Awareness Seminars

Stephen Chan CGEIT, PMP, CISSP, ISO27001 Lead Auditor

Note to audience:

The information in this document is strictly for educational purpose

within HKBU, and shall not be further distributed or duplicated

without due permission.

Agenda

• Using mobile

• Hacking mobile

• Protecting mobile

• Protecting yourself

USING MOBILE

This is the age of mobile-obsession..

Hey, how often do you use your mobile?

• We’re obsessed with our phones, a new study has found. The heaviest smartphone users click, tap or swipe on their phone 5,427 times a day

• The rest of us still touch the addictive things 2,617 times a day on average. No small number.

Do you panic..

Even worse here

Bad..

We crave our mobiles

• Sudden change in behavior

• Mood swings; irritable and grumpy and then suddenly happy and bright

• Withdrawal from family members

• Careless about personal grooming

• Loss of interest in hobbies, sports and other favorite activities

• Changed sleeping pattern; up at night and sleeping during the day

• Red or glassy eyes

• Sniffy or runny nose

All the above are:

Data in mobile – who & what?

Browser histories, records of items purchased, movies watched, and info created by mobile apps…

Phone misuse

• Mobile phone misuse in public places creates social problems like:

1. Inattentional blindness: overload – both physical and mental

2. Caller hegemony: asymmetric relationship between the caller and answerer

3. Cognitive load

4. Accidents

Phone OS

The World

Blurred distinction between human selves and digital selves

Connectivity is Destiny

HACKING MOBILE

A simple App can expose your entire phone

Security features must be kept ON

• To install malicious app, hackers turn OFF security scanning features

The App NOT from authorized app store

Hack an iPhone

“Doesn’t matter how secure the operating system is, there are always flaws you can get around with; you don’t even have to be a hacker. Always carefully protect your phone”

One-stop-shop for Cyber Crime

Specialized for both criminals and victims:

- criminals upload stolen data containing user credentials, credit data, stolen identities and any other kind of cyber-loot

- victims pay for the removal of that stolen data from the Dark Net, where any cyber criminal can buy it

The business model is quite simple and very user-friendly

Symptoms

• Unexpected / strange charges on statements

• Unexpected / unusual data usage

• Rapid battery drain

• Somebody has used your phone (physical access)

• Anti-virus stopped / security switch disabled
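Two of the symptoms above, unusual data usage and rapid battery drain, can be checked against a baseline rather than by gut feeling. The following is an added example written for this page (it is not code from the seminar): it takes per-app daily records of megabytes transferred and battery percent consumed, uses the median of the earlier days as the baseline, and flags any app whose latest day exceeds a multiple of that baseline. The app names, figures and thresholds are constructed for the example; a real phone would supply them from its data-usage and battery screens.

```python
from statistics import median

# Constructed per-app daily records for this example: (MB transferred, battery % consumed).
# The last tuple of each list is "today"; the earlier ones are the history.
SAMPLE_HISTORY = {
    "messenger":  [(120, 4), (135, 5), (110, 4), (128, 4), (125, 5), (640, 22)],
    "maps":       [(40, 6), (55, 7), (38, 6), (60, 8), (45, 6), (50, 7)],
    "flashlight": [(0, 0), (0, 0), (0, 0), (0, 0), (0, 0), (210, 9)],
}


def baseline(values):
    """Median of every day except the latest; the median is not dragged up by one spike."""
    return median(values[:-1])


def flag_anomalies(history, ratio=3.0, floor_mb=50, floor_pct=5):
    """Return (app, kind, latest, baseline) for apps whose latest day is anomalous.

    An app is flagged when today's figure is above ratio x its baseline AND above an
    absolute floor, so an app that normally uses nothing (baseline 0) is only reported
    once it actually moves a meaningful amount of data or battery.
    """
    findings = []
    for app, days in history.items():
        if len(days) < 2:
            continue  # nothing to compare against yet
        data = [mb for mb, _ in days]
        battery = [pct for _, pct in days]
        latest_mb, latest_pct = days[-1]
        base_mb, base_pct = baseline(data), baseline(battery)
        if latest_mb > max(ratio * base_mb, floor_mb):
            findings.append((app, "data", latest_mb, base_mb))
        if latest_pct > max(ratio * base_pct, floor_pct):
            findings.append((app, "battery", latest_pct, base_pct))
    return findings


if __name__ == "__main__":
    for app, kind, latest, base in flag_anomalies(SAMPLE_HISTORY):
        print(f"{app}: {kind} today {latest} vs usual {base}")
```

With the constructed history, the messenger app is flagged on both data and battery (640 MB against a usual 125 MB, 22% against 4%), the flashlight app is flagged because an app that never used the network suddenly moved 210 MB, and the maps app stays quiet because its latest day is within its normal range.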

PROTECTING YOUR MOBILE

Very simple – Don’t be stupid

• Disabling the lock feature on the phone

• Keeping secrets in phone – plain-text, plain-sight

• Opening an application from an unsecured/unknown source

• Using the phone to access dangerous/risky sites

• Leaving the device open to access

Storing Sensitive data as Plain-text??

• Passwords are hard to remember

• There are a lot of them for all the online accounts – shopping, social networking, emails…

• No matter what, don’t store them in plain text on the phone!

Damage of phone being hacked multiplies through your online accounts

Even “legitimate” apps see your data

• Tons of legitimate apps that access contact information:

– Your social network apps

– Your shopping apps

– Utilities, personal productivity

– Emails

– Health and home kits

– Map and driving assistance

• Your data is being used by all these apps on your phone

Don’t root / jailbreak / use untrusted apps

• Jailbreaking: The process of bypassing restrictions on iPhones and iPads to install other apps and tweaks not approved by Apple.

• Rooting: A process similar to jailbreaking for hacking Android devices, game consoles, and so on.

• App Store / Google Play / Windows Store

Keep updated – it is about hygiene

• Many critical security fixes are pushed through these OS and app updates

• If we ignore them, we leave ourselves open to attack

• They won’t say so in the release notes

Wi-Fi

• Man-in-the-middle attack is a situation in which a malicious eavesdropper (the “man in the middle”) is able to read (or write) data that is being transmitted between you and the website you’re browsing.

Fake Wi-Fi captures your…

• Webpages you are visiting

• Login credentials

• Accounts, through hijacking

Wi-Fi

• Do not use Wi-Fi connections that aren’t yours

• Insist on using HTTPS

• Delete Wi-Fi networks from your devices that aren’t yours

A phone is different from a computer in usage behaviour.. more easily phished

• At their computers, users are:

– Sitting at a desk

– Frequently in an office environment

– Often working

– Sometimes randomly surfing the web

– Often creating content

– Focused on the computer, not so much on their environment

• On a mobile device, however, users tend to be:

– Sitting on the couch at home

– Walking around, inside or outside

– Queuing for something

– Waiting for a bus, train, or plane, or travelling

– Looking for a specific piece of information

– Mostly consuming content

– Easily distracted by their environment

Beware of Phishing

Phishing email on Desktop

Source: berkeley.edu

www.i_am_actually_a_malicious_website.com

On desktop, you can move your mouse over suspicious links and have a look

Phishing on mobile

WhatsApp (screenshot):

A new batch of WhatsApp Emoji is about to launch! Want to know more and be the first to use them? Click the link below to register for a trial now! https://goo.gl/8ABCDEF

Spend 1 minute completing a survey and immediately receive a Starbcuks $50 cash voucher. https://goo.gl/8ABCDE8

On a mobile, you can just click or not click
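The two phishing cases above differ only in what the reader can see: on the desktop the hover text reveals that the visible link and the real destination disagree; on the mobile the shortened goo.gl links hide the destination entirely and the only tell is the misspelled brand. The following is an added example written for this page, not code from the seminar: it automates both checks. `link_text_mismatch` compares the host named in a link's visible text with the host of its real href, and `triage_message` extracts the URLs from a message, flags known shorteners, and reports words that are one or two edits away from a protected brand name (which is how it catches "Starbcuks"). The shortener and brand lists are constructed for the example; the sample messages are the two from the slide.

```python
import re
from urllib.parse import urlparse

# Constructed lists for this example; a real deployment would use a maintained feed.
KNOWN_SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
PROTECTED_BRANDS = {"starbucks", "whatsapp"}

# The two messages shown on the slide (quoted as sample input, original wording).
SAMPLE_MESSAGES = [
    "新一批WhatsApp Emoji又準備推出啦,想知道更多同埋搶先使用?立即點擊以下連結登記試用啦!https://goo.gl/8ABCDEF",
    "花1分鐘完成問卷,立即獲得Starbcuks $50現金禮券。https://goo.gl/8ABCDE8",
]

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")
WORD_RE = re.compile(r"[A-Za-z]{4,}")
BARE_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}\b")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL (scheme optional), with any leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brands(text: str) -> list:
    """Words that are a near miss (1 or 2 edits) of a protected brand, e.g. 'Starbcuks'."""
    hits = []
    for word in WORD_RE.findall(URL_RE.sub(" ", text)):  # ignore letters inside URLs
        low = word.lower()
        for brand in sorted(PROTECTED_BRANDS):
            if low != brand and edit_distance(low, brand) <= 2:
                hits.append((word, brand))
    return hits


def link_text_mismatch(display_text: str, href: str) -> bool:
    """Desktop case: True when the visible link names one host but the href goes to another."""
    shown = URL_RE.findall(display_text) or BARE_HOST_RE.findall(display_text)
    if not shown:
        return False  # link text is a phrase such as 'click here'; nothing to compare
    return host_of(shown[0]) != host_of(href)


def triage_message(text: str) -> dict:
    """Mobile case: surface what a reader cannot discover by hovering."""
    urls = URL_RE.findall(text)
    return {
        "urls": urls,
        "shortened": [u for u in urls if host_of(u) in KNOWN_SHORTENERS],
        "lookalikes": lookalike_brands(text),
    }


if __name__ == "__main__":
    print(link_text_mismatch("www.berkeley.edu",
                             "http://www.i_am_actually_a_malicious_website.com"))
    for msg in SAMPLE_MESSAGES:
        print(triage_message(msg))
```

Run as-is, the desktop check returns True for the slide's berkeley.edu example, and the second WhatsApp message is reported for both a shortened link and the Starbcuks/starbucks near miss; the first message trips only the shortener check, since "WhatsApp" is spelled correctly. Neither check proves a message is phishing, but each turns an invisible property into one the reader can act on before tapping.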

Don’t get phished

• Control your fingers

Recap

• Sensitive data in phone / accessible by phone

• Apps

• Devices

• Update

• Wi-Fi

• Your fingers

• Backup

PROTECTING YOUR VERY SELF

Mobile is fixed in our psyche

1. I am my phone?

2. Personas and digital identities

3. Segregate your digital universe

4. Be truthful

5. Turn off your phone and return to Earth

Thank You