norman m. sadeh professor, school of computer science director, mobile commerce lab
Post on 03-Jan-2016
Norman M. Sadeh
Professor, School of Computer Science
Director, Mobile Commerce Lab.
Carnegie Mellon University
www.cs.cmu.edu/~sadeh
Smart Phone Security & Privacy: What Should We Teach Our Users?
Copyright © 2007-2011 Norman M. Sadeh EDUCAUSE Webinar – April 2011 - Slide 2
Outline
Smart phone security and privacy awareness: unique challenges
Phishing: much worse with smart phone users
What can we do?
Mobile Apps and Social Networking
What can we teach users?
Concluding remarks
Q&A
SMART PHONE SECURITY and PRIVACY AWARENESS: UNIQUE CHALLENGES
Cyber Security Training Awareness
…Has been compared to trying to nail Jell-O to a wall
Yet…
Filters, firewalls, IDS etc. have their limitations
Users are the last line of defense
Universities: A Dual Objective
Protect the university’s infrastructure and sensitive data
Educational mission
Universities
Diversity of users: faculty, staff, students
Diversity of cultures and environments: fragmented administration
Diversity of needs: research vs. education vs. admin
Diversity of devices: some managed & some not
...Yet the price of security breaches can be dire…
Smart Phones: The New Frontier
Smart Phone Adoption to Approach 50% in the US in 2011
Our cell phones are now coming with the same vulnerabilities we have on our computers…
…Along the Way…
…and more…
Universities at High Risk
University
Students…
Mobile Email & Social Networking are Big
Diversity of Devices & OS’s
Best practices are harder to articulate
The Biggest Security Risk?
Millions of cell phones lost or stolen each year
Lost or Stolen Phone…
Private data & sensitive apps
e.g. contacts list, pictures, phone calls, messages, email, calendar, apps, etc.
Risk of someone using your phone
Impersonating you – SMS, voice, email, social networks, etc.
Placing expensive international calls
Reselling your phone
etc.
What Can We Teach?
Don’t leave your phone unattended
Goes beyond theft and loss: malware is easy to install
Use a PIN to protect your cell phone
Different options (e.g. iPhone)
Write down your IMEI number as well as phone make and model and cell phone number
Quickly report lost/stolen phone
Tips Quickly Become Device-Specific
Requires MobileMe: loud noise + contact info + map
Remote Erase
A number of solutions…
…Hopefully you’ve backed up your data
…Some products combine both back up and “remote wipe”
Watch out for malware - read reviews and select reputable solutions…
Dangers of Multi-Tasking
Phone call, SMS, email, etc.
While driving, crossing the street…
• Illegal in some places
• Not wise elsewhere
Understanding the risks…
Even more challenging than on a computer
Cell phones are highly personal devices with access to lots of sensitive information
…yet fewer people understand the risks
Lots of different cell phone models
Not all with the same functionality or settings…
Users need to invest time in understanding and tweaking their security settings
Different Activities Lead to Different Risks
Voice
SMS
Bluetooth
Browsing
WiFi
Location
App Downloads
Social networks
…and more
…A rather daunting task…
PHISHING: MUCH WORSE ON SMART PHONES
E-Mail Phishing: Worse on Mobile Phones
Trusteer – Jan 2011:
Mobile users are first to arrive at phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Beyond e-mail Phishing
SMS-ishing
Vishing
IM phishing
Phishing via social networks
Phishing apps
What To Do?
Better filters can help
Most spam filters rely on manually maintained blacklists that are several hours behind
Example: Wombat’s PhishPatrol
Teach people to recognize traps in phishing emails
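As an added example (written for this page; not PhishPatrol's or CMU's code), the following Python checker looks for a few of the device-independent "red flags" the slides refer to, in the spirit of the link-based features of the Fette, Sadeh and Tomasic paper cited in the references: links to a raw IP address, link text naming a different host than the link target, generic "click here" links, and pressure wording. The rule set, the two sample messages and the 192.0.2.10 address are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample bodies (not real messages): one phish-like, one benign.
PHISH = ('<p>Your account will be suspended within 24 hours unless you verify it.</p>'
         '<a href="http://192.0.2.10/login">www.bank.example</a>')
LEGIT = ('<p>Your monthly statement is ready.</p>'
         '<a href="https://online.bank.example/statements">online.bank.example</a>')

# Assumed pressure phrases; a real filter would use a learned list.
PRESSURE = ("verify", "suspended", "within 24 hours", "confirm your password")

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def _host(url):
    """Lower-cased host of a URL or bare domain string."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def red_flags(html_body):
    """Return human-readable red flags found in one HTML email body."""
    parser = _Links()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        host = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):   # raw IP instead of a name
            flags.append(f"ip-address link: {host}")
        if host.count(".") >= 4:                             # deeply nested host name
            flags.append(f"deeply nested host: {host}")
        if "." in text and " " not in text:                  # text that looks like a domain
            shown = _host(text)
            if shown != host and not host.endswith("." + shown):
                flags.append(f"link text {text!r} points to {host}")
        elif text.lower() in ("here", "click here"):
            flags.append(f"generic 'click here' link to {host}")
    words = [w for w in PRESSURE if w in html_body.lower()]
    if words:
        flags.append("pressure wording: " + ", ".join(words))
    return flags

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("legit", LEGIT)):
        print(name, red_flags(body))
```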
Teach people in the context they would be attacked
If a person falls for a simulated phish, show an intervention explaining what just happened
Unique “teachable moment”
Training via Mock Attacks: PhishGuru
Select target employees
Customize fake phishing
Select training
Internal test and approval process
Hit send
Monitor & analyze employee response
[Chart: percentage of employees per campaign (Campaign 1, 2 and 3) who viewed the email only vs. viewed the email and clicked the link; scale 0-40 percent]
It works!
Reduces the chance of falling for an attack by more than 50%!
(Actual Results)
Reinforce with Training Modules – Incl. Games
• Traditional training doesn’t work - but people like games
• Games teach users about phishing
• People more willing to play games than read training
• Shows higher long-term retention
Teaches people to identify “red flags” in fraudulent emails
Phishing is a Generic Threat
It is possible to identify device-independent tips and strategies
It is possible to teach these tips and strategies in a matter of minutes
Universities like CMU are using PhishGuru and training games (Phil and Phyllis training games) to train staff, faculty and students
A dedicated anti-phishing email filter can also make a difference (e.g. PhishPatrol)
MOBILE APPS & SOCIAL NETWORKING: WHAT CAN WE TEACH USERS?
Social Networking – Facebook, Twitter & Co.
Sharing is wonderful…
…until you regret you did it
Think and ask yourself whether:
You really know who you are sharing with
A week or a year from now, you’ll still be happy you did
Colleagues, friends, new acquaintances…
Beware of pictures and links that seem to come from friends…
All Those Great Apps
Malicious Apps
In January of 2010, the first malicious mobile banking app was detected
Stole your banking credentials
Android doesn’t review applications
Apple does, but that’s no guarantee
Many apps collect a lot more information than they need to – e.g. location
Some Recommendations
Research apps before you download them
Best to wait until enough other people have tried them
Check ratings – but do not rely entirely on them
If you are courageous, take time to review privacy provisions
Possibly create a Google alert for apps you download
Location Sharing Apps.
Also referred to by some as…
If you are going to share your location, at least do it under conditions you control
Promoting Our Own Location Sharing Platform
More expressive privacy settings: “My colleagues can only see my location when I’m on campus and only weekdays 9am-5pm”
Invisible button
Auditing functionality
Available on Android Market, iPhone client, Ovi, laptop clients
Tens of thousands of downloads over the past year
www.locaccino.org
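As an added example, not Locaccino's own code, here is how a rule like the one quoted above ("my colleagues can only see my location when I'm on campus and only weekdays 9am-5pm") can be evaluated together with the "invisible button" and an audit trail of who asked and what they got. The campus bounding box, the user names and the extra "friends can always see me" rule are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed campus bounding box (lat_min, lat_max, lon_min, lon_max); not real Locaccino data.
CAMPUS = (40.440, 40.446, -79.950, -79.940)
WEEKDAYS = {0, 1, 2, 3, 4}   # Monday=0 ... Friday=4

@dataclass
class Rule:
    """'<group> can see my location only in <region>, on <days>, between <start> and <end>'."""
    group: str
    region: tuple = None          # None means anywhere
    days: set = field(default_factory=lambda: set(range(7)))
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def matches(self, when, lat, lon):
        in_region = self.region is None or (self.region[0] <= lat <= self.region[1]
                                            and self.region[2] <= lon <= self.region[3])
        return in_region and when.weekday() in self.days and self.start <= when.time() <= self.end

@dataclass
class Policy:
    groups: dict                  # requester -> set of groups the owner put them in
    rules: list
    invisible: bool = False       # the "invisible button": hide from everyone
    audit: list = field(default_factory=list)   # auditing: who asked, when, and the outcome

    def allows(self, requester, when, lat, lon):
        """Decide one location request (when: datetime or ISO string) and record it in the audit log."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        if self.invisible:
            hit, why = None, "owner is invisible"
        else:
            hit = next((r for r in self.rules if r.group in self.groups.get(requester, set())
                        and r.matches(when, lat, lon)), None)
            why = f"rule for {hit.group}" if hit else "no matching rule"
        self.audit.append({"requester": requester, "when": when.isoformat(), "allowed": hit is not None, "why": why})
        return hit is not None

def demo_policy():
    """The slide's colleagues rule (on campus, weekdays 9am-5pm) plus an assumed 'friends: always' rule."""
    return Policy(groups={"alice": {"colleagues"}, "bob": {"friends"}},
                  rules=[Rule("colleagues", region=CAMPUS, days=WEEKDAYS, start=time(9), end=time(17)),
                         Rule("friends")])

if __name__ == "__main__":
    p = demo_policy()
    print(p.allows("alice", "2011-04-12T10:30", 40.443, -79.945))  # Tuesday, on campus: True
    print(p.allows("alice", "2011-04-12T19:00", 40.443, -79.945))  # after hours: False
    print(p.audit)
```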
CONCLUDING REMARKS
Concluding Remarks
Cell phones are wonderful devices …
Most of us can’t even remember how we could operate without them
…Yet they come with many risks
…General guidelines are difficult to articulate
Diversity of cell phones and usage scenarios
Yet in some areas such as phishing, results indicate that training can make a difference
We are extending this approach to mobile security at large
http://wombatsecurity.com
http://mcom.cs.cmu.edu
Q&A
References
Scientific References
How to Foil “Phishing Scams”. L. Cranor. Scientific American.
Teaching Johnny Not to Fall for Phish. P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, Pages 1–31.
Learning to Detect Phishing Emails. I. Fette, N. Sadeh, and A. Tomasic. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.
Locaccino scientific publications: www.locaccino.org/science
Case Studies & White Papers
“A Multi-Pronged Approach to Combat Phishing (Carnegie Mellon University case study)”
“Empirical Evaluation of PhishGuru Embedded Training”
“Cyber Security Training Game Teaches People to Avoid Phishing Attacks”