Mobile 2012 Ben Forsyth
Transcript of Mobile 2012 Ben Forsyth
Slide 1: Moving to Mobile with Effective Security Measures in Place
CeBIT Mobile Conference 2012
Mobile & Emerging Tech.
4 Oct 2011
Ben Forsyth
Slide 2: Overview – what we'll cover today
Things you need to be aware of:
- Web-based and network-based attacks
- Mobile malware
Things you need to do:
- App code quality & dev best practices
- App distribution
- User education
Slide 3: Web & Network Based Attacks
Five general categories:
- Browser exploits
- Phishing scams
- Drive-by downloads
- Network exploits
- Wi-Fi sniffing
Slide 4: Mobile Malware – prevalence is rising
[Chart: Total mobile malware samples]
Total malware samples at the end of 2011 (inc. desktop): 75M
Source: McAfee Threats Report: 4th Quarter 2011 – McAfee Labs
Slide 5: Mobile Malware – who is under attack?
[Chart: Malware statistics by platform]
Source: Mobile Threat Report Q4 2011 – F-Secure
Slide 6: Mobile Malware – motivation
[Chart: Mobile threats motivated by profit]
Source: Mobile Threat Report Q1 2012 – F-Secure
Slide 7: Mobile Malware – what does it look like?
Droid Dream (Feb 2011)
- Attacker infected and redistributed 58 legitimate apps in the Google Market
- Affected up to 200K users in just 4 days
- Once installed, attempted to gain admin control of the device via 2 vulnerabilities
- Installed other software and harvested sensitive user data
Slide 8: Mobile Malware – what does it look like?
Zitmo (Mobile ZeuS) / SpyEye
- Attacker compromises the user's account via a PC trojan
- Victim's mobile phone receives a text message with a request to install an updated security certificate
- The link in the text message installs the mobile version of ZeuS
- Attacker makes a transaction via PC and the mobile ZeuS forwards the SMS security code
- BlackBerry, Windows Mobile, Symbian & Android susceptible
Slide 9: Mobile Malware – what does it look like?
Remote-Controlled Banking Trojan
- Targets specific banks, posing as a token generator app
- User must enter their password to generate a one-time token
- Sends password & device details to a control server
- Listens for SMS auth codes and forwards them to a constantly changing number
Slide 10: Mobile Malware – why it is likely to get worse
Problems with mobile platforms:
- Underlying platform vulnerabilities
- Patch management
- Lack of attention to security by users
- Ease of gaining root access
- Differing app curation
- Unofficial distribution of apps
Slide 11: App code quality & dev best practices
Considerations:
- Who is writing your code?
- Do they adhere to secure coding principles?
- What data is being stored on the device?
- Is your app code independently reviewed/pen tested?
- Who has access to your app store accounts?
- What is the process to publish the app?
- Can you disable features without a release?
- Do you have appropriate support agreements in place?
Slide 12: App Distribution – getting to your users
Keep it official:
- Having a presence in official distribution channels is the first line of defence
- Do not distribute the app directly or via 3rd-party properties, or even your own
- Monitor official and unofficial channels for brand infringements and take action if it occurs
Slide 13: User education – help your users stay safe
They need all the help they can get:
- Keep the device locked with a PIN or passcode
- Only install apps from trusted sources
- Carefully review what apps have access to
- Keep the device patched
- Educate on the risk of jailbroken/rooted devices
- Be wary of public Wi-Fi and turn off network connections when not needed
- Install a mobile security app
Slide 14: Final thoughts
- Mobile threats are multidimensional and increasing in line with adoption
- Be aware of malware evolution and respond where appropriate
- Security needs to be at the forefront of your mobile strategy. Your apps need to be rock solid
- Promotion and education of consumers on threat abatement techniques is critical
Slide 15: Thank You
Questions?
Ben Forsyth
Head of Mobile & Emerging Technologies – NAB
@benforsyth