Summary of Network Security Conference (#NetworkSecurity)

Summary of Network Security Conference (#NetworkSecurity) May 2013



The only secure mobile is one that is switched off with battery removed - Charles Brookson, GSMA/ETSI at #NetworkSecurity


Professor Ed Candy, Technology Strategist, 3 Group: Diversity in devices is great. It allows no collective threats to be posed due to their diversity of makes, models, OSs, apps, etc. Firewalls in the networks are good too but too many of them can slow the network down. In the beginning when ‘3’ UK rolled out 3G, 14 seconds were being lost due to them.

Charles Brookson mentioned that he turns off 3G and uses GSM/GPRS to save battery life

Apps should store data on the cloud and not the device so if the device is lost or compromised then the user data is not lost to the third parties

Users should be made aware of the background functions and services on the device and also the threat/safety level of these.

Interesting comments, questions, etc. - #1


The operators can provide more security but it costs them to do this. They have to work out a way to pass this on to the users.

Very little malware on Google Play. Risk is very low. Android malware hits countries where third-party app stores are the norm.

Consumer education is key. Good to not be complacent about malware, generally unnecessary to have mobile antivirus.

Mobile network should not be the only technology for critical access. There should be other means as well

A5/3 (security algorithm for GSM/GPRS) was standardised in 2001 and is more secure than the previous algorithms but was not available widely till quite late because it was not IOT tested and mandated by operators.

Interesting comments, questions, etc. - #2


Day 1


Day 1 began with a Panel Discussion moderated by Charles Brookson from GSMA with some of the points I have already mentioned earlier


David Rogers from Copper Horse spoke on Incident Management for Mobile Malware and on Responsible Disclosure. He also distributed a leaflet prepared for the UK police regarding phone security. More details on that here.


Eric Gauthier, Head of Technical Fraud and Revenue Assurance, Orange gave an Introduction on LTE and how Security was handled all the way from 0G (pre-cellular) to 4G/LTE.


Talal Faroug, Quality Assurance Manager, MTN, SUDAN gave a talk on Understanding the Business Case for Network Security. His main focus was on SIM Box Fraud.


Feride Cetin, Group Strategy & Innovation Security & Intelligence, Swisscom focussed her presentation on some of the initiatives taken by Swisscom on Apps Security and Rating


There were some good examples of how developers manage to ignore basic security guidelines while making excellent apps. The result is that they have to go back and fix the issues at a much later stage and at the same time get a lot of negative publicity that can sometimes be harmful for the business.


5 Rating Criteria to understand how apps behave; Permission, Privacy, Data Traffic, Data Storage and Man in the Middle


Day 2


David Rogers from Copper Horse Solutions Limited chaired the second day proceedings. I think his main message is as shown in the slide above and is self-explanatory. PS: In case you are not from the UK, the above picture highlights the beef (horsemeat) scandal.


Dr. Christoph Peylo, VP Deutsche Telekom Innovation Laboratories started the day with an interesting presentation on "Remote Control and Device Security: How Cyber-Attacks Can Impact M2M"


The talk was so interesting that I should put up the slides or more detailed presentation on this topic sometime later


Christoph showing http://www.sicherheitstacho.eu - Real time cyber-attacks.


Gert Pauwels, M2M Marketing Director, Mobistar spoke on the operator Orange’s position on M2M. The key takeaway was the GMA Certification Program as shown in the slide above.


Carlos Olea, Network Security Manager, Telefonica International focussed on DDoS (distributed denial-of-service) and how Telefonica handled the Spamhaus and other DDoS attacks and what they have learnt from this.


Adrian Drury, Lead analyst, Ovum spoke about RTB. I don’t remember him mentioning what RTB is but my understanding is that it stands for Real Time Bidding - http://en.wikipedia.org/wiki/Real-time_bidding


Raj Samani, Vice President, EMEA CTO, McAfee spoke about how connected devices have changed our lifestyle and the security issues that we are facing in this connected world.


Raj had some very interesting bits that he mentioned but the slides let him down a bit. Here are some that were mentioned on Twitter during the event:

• In Germany, the smart meters polling interval was reduced to 2 sec and it can tell the name of movie being watched. This is because each movie has its own unique energy consumption pattern.

• Privacy a big issue for smart meters. Easy to analyse usage; what is being used and when.

• In USA in some new buildings, connected devices are even being put in the bricks to track humidity, etc.

• Everyone has a price when it comes to giving up private data

• A powergrid in US said that they face 10K cyber attacks per month as per @Raj_Samani


Jon Howes, Technology Director, Beecham Research spoke on "M2M Solution Security". A whitepaper on this topic is also available on their website here.


Reinder Wolthuis, Project Manager Information Security, TNO spoke on "M2M Security" and gave us the results of the etis M2M security survey


Personally I am a bit surprised that M2M devices would move to UMTS. The biggest issue for M2M devices using UMTS is the battery power consumption. It's better to stay on GSM/GPRS if the amount of data transfer is low or move to LTE if the amount of data transfer required is high.


“Dutch research found that network operators worry about physical tampering but don't do anything about it”


The final talk of the day was by Ravishankar Borgaonkar, Researcher, Deutsche Telekom on the topic of “Small Cells in Hostile Environment”. I have covered earlier presentations by Ravi on the blog here and here. One of the issues highlighted above and by others as well is that a security feature may be asked for by the operator but may not be supplied by the vendor.


Hope you've enjoyed the summary

Prepared by: Zahid Ghadialy

eXplanoTech & 3G4G Blog