
Page 1: Mobile 2012 Ben Forsyth

Moving to Mobile with Effective Security Measures in Place

CeBIT Mobile Conference 2012

Mobile & Emerging Tech.

Ben Forsyth

4 Oct 2011

Page 2

Overview – what we'll cover today

Things you need to be aware of
• Web-based and network-based attacks
• Mobile malware

Things you need to do
• App code quality & dev best practices
• App distribution
• User education

Page 3

Web & Network Based Attacks – five general categories

• Browser exploits
• Phishing scams
• Drive-by downloads
• Network exploits
• Wi-Fi sniffing

Page 4

Mobile Malware – prevalence is rising

[Chart: Total mobile malware samples. Source: McAfee Threats Report: 4th Quarter 2011 – McAfee Labs]

Total malware samples at the end of 2011 (inc. desktop): 75M

Page 5

Mobile Malware – who is under attack?

[Chart: Malware statistics by platform. Source: Mobile Threat Report Q4 2011 – F-Secure]

Page 6

Mobile Malware – motivation

[Chart: Mobile threats motivated by profit. Source: Mobile Threat Report Q1 2012 – F-Secure]

Page 7

Mobile Malware – what does it look like?

Droid Dream (Feb 2011)
• Attacker infected and redistributed 58 legitimate apps in the Google Market
• Affected up to 200K users in just 4 days
• Once installed, attempted to gain admin control of the device via 2 vulnerabilities
• Installed other software and harvested sensitive user data

Page 8

Mobile Malware – what does it look like?

Zitmo (Mobile ZeuS) / SpyEye
• Attacker compromises the user's account via a PC trojan
• Victim's mobile phone receives a text message with a request to install an updated security certificate
• The link in the TXT message installs the mobile version of ZeuS
• Attacker makes a transaction via the PC and the mobile ZeuS forwards the SMS security code
• BlackBerry, Windows Mobile, Symbian & Android susceptible

Page 9

Mobile Malware – what does it look like?

Remote-Controlled Banking Trojan
• Targets specific banks, posing as a Token Generator app
• User must enter their password to generate a one-time token
• Sends password & device details to a control server
• Listens for SMS auth codes and forwards them to a constantly changing number

Page 10

Mobile Malware – why it is likely to get worse

Problems with mobile platforms
• Underlying platform vulnerabilities
• Patch management
• Lack of attention to security by users
• Ease of gaining root access
• Differing app curation
• Unofficial distribution of apps

Page 11

App code quality & dev best practices

Considerations:
• Who is writing your code?
• Do they adhere to secure coding principles?
• What data is being stored on the device?
• Is your app code independently reviewed/pen tested?
• Who has access to your appstore accounts?
• What is the process to publish the app?
• Can you disable features without a release?
• Do you have appropriate support agreements in place?

Page 12

App Distribution – getting to your users

Keep it official
• Having a presence in official distribution channels is the first line of defence
• Do not distribute the app directly or via 3rd-party properties, or even your own
• Monitor official and unofficial channels for brand infringements and take action if it occurs

Page 13

User education – help your users stay safe

They need all the help they can get
• Keep the device locked with a PIN or passcode
• Only install apps from trusted sources
• Carefully review what apps have access to
• Keep the device patched
• Educate on the risk of jailbroken/rooted devices
• Be wary of public Wi-Fi and turn off network connections when not needed
• Install a mobile security app

Page 14

Final thoughts

• Mobile threats are multidimensional and increasing in line with adoption
• Be aware of malware evolution and respond where appropriate
• Security needs to be at the forefront of your mobile strategy. Your apps need to be rock solid
• Promotion and education of consumers on threat abatement techniques is critical

Page 15

Thank You

Questions?

Ben Forsyth
Head of Mobile & Emerging Technologies – NAB
[email protected]
@benforsyth