Observation & Empirical Research. Advanced Persistent Threats & Social Engineering. Observation of complex systems

17/03/15 Advanced Persistent Threats & Social Engineering
SBA Research & Vienna University of Technology, Edgar R. Weippl

Observation & Empirical Research: Observation of complex systems

Impact: Real-World Problems
NYT, by David E. Sanger and Nicole Perlroth, February 14, 2015

Empirical Research

Dropbox: Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
WhatsApp: Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), Feb 2012.
Amazon: Amir Herzberg, Haya Shulman, Johanna Ullrich, and Edgar R. Weippl. Cloudoscopy: Services Discovery and Topology Mapping. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.
Facebook: Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. AppInspect: Large-scale evaluation of social networking apps. In ACM Conference on Online Social Networks (COSN), 2013.
Tor: Philipp Winter, Richard Koewer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, and Edgar R. Weippl. Spoiled Onions: Exposing Malicious Tor Exit Relays. In Proceedings of the 14th Privacy Enhancing Technologies Symposium, 2014.
GSM: Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, and Edgar R. Weippl. IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. In Proceedings of ACSAC, 2014.

Social engineering: account-takeover chain (slide by Christian Platzer, ISecLab, Vienna University of Technology)
Accounts in the diagram: Twitter (cool handle), Google (digital natives), Apple (email, iPad, iPhone, Mac), Amazon (to buy stuff). Steps as far as they can be recovered from the diagram:
1. Backup email unknown
2. Google: m..n@gmail.com
3. Backup: m n@me.com
4. Forgot PW? Support asks for: email, billing address, last 4 digits of CC
5. Whois: address
6. Add new CC: email, CC (fake), billing address
7. Forgot PW? You need: email, CC info, billing address; last 4 digits of the other CCs are visible
8. Devices: iPhone, iPad, Mac
9. Post nonsense to Twitter

AppInspect: Large-scale Evaluation of Social Networking Apps
- Social networks act as proxies between the user and third-party providers
- Personal information is transferred to providers
- App providers themselves rely on third parties (analytics, advertising products)
- Custom hosting infrastructures
- Approval of apps via an authentication dialog
- System architecture for data collection

Enumeration
- Exhaustive search in June 2012 with character trigrams
- 434,687 unique applications in two weeks
- Main obstacle: Facebook account rate limits

Most Popular Apps
- 10,624 most popular apps, 94.07% of the samples' cumulative application usage
- Language: English (64.72%), 69 different languages

Permissions per Provider
- 4,747 applications belonged to 1,646 distinct providers
- 60.24% of all providers requested the personal email address

Suspicious Apps
- 40 providers requested more than 10 permissions
- 139 web tracking / advertising providers used
- Manually verified requested permissions vs. app functionality
- Legitimate uses: dating and job-hunting applications; XBOX application (not available anymore)
- Malpractices: Horoscopo Diario, 2.5 million monthly users, would only require the birthdate but requested 25 different permissions; Wisdom of the Buddha etc.

Information Leaks
- 315 apps directly transferred sensitive information (via HTTP parameter)
- 51 applications leaked unique user identifiers (HTTP Referer)
- 14 out of these 51 applications also leaked API authorization tokens
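The two leak classes on this slide (sensitive values passed as HTTP parameters to a third party, and user identifiers or API tokens reaching a third party through the Referer header) can be checked mechanically from captured traffic. The following is an added example, not AppInspect's code: it replays constructed request records and reports both classes, and shows the app-side mitigation of keeping tokens and identifiers out of page URLs. The hostnames, parameter names and sample records are assumptions made for the example.

```python
"""Detect app-to-third-party information leaks in HTTP traffic.

Added example; not AppInspect's code. Hostnames, parameter names and the
sample records below are assumptions made for the example.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: the app's own hosts; anything else is a third party.
FIRST_PARTY = {"app.example-app.com"}
# Assumed parameter names that identify a user or authorize API calls.
SENSITIVE_PARAMS = {"access_token", "signed_request", "code",
                    "uid", "user_id", "fb_user_id", "email"}

# Constructed traffic: an app canvas page carrying the OAuth token in its
# URL, the tracker it embeds, an analytics call and a benign tracker hit.
SAMPLE_REQUESTS = [
    {"url": "https://app.example-app.com/canvas?access_token=AAAB.secret&uid=100001",
     "referer": None},
    {"url": "https://tracker.example-ads.net/pixel.js?site=42",
     "referer": "https://app.example-app.com/canvas?access_token=AAAB.secret&uid=100001"},
    {"url": "https://analytics.example-stats.io/collect?email=alice%40example.org&event=login",
     "referer": "https://app.example-app.com/canvas"},
    {"url": "https://tracker.example-ads.net/pixel.js?site=42",
     "referer": "https://app.example-app.com/"},
]


def sensitive_params(url):
    """Names of sensitive query parameters present in url, sorted."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k in SENSITIVE_PARAMS)


def find_leaks(requests, first_party=FIRST_PARTY):
    """Return one finding per way a request hands sensitive data to a third party."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if host in first_party:
            continue                      # traffic to the app itself is fine
        direct = sensitive_params(req["url"])
        if direct:                        # leak via HTTP parameter
            findings.append({"host": host, "via": "parameter", "fields": direct})
        referer = req.get("referer")
        if referer:
            via_referer = sensitive_params(referer)
            if via_referer:               # leak via Referer header
                findings.append({"host": host, "via": "referer", "fields": via_referer})
    return findings


def scrub_sensitive(url):
    """App-side mitigation: keep tokens and identifiers out of page URLs so
    they cannot leak through Referer. Other query parameters are kept."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_REQUESTS):
        print(f"{f['host']}: {', '.join(f['fields'])} leaked via {f['via']}")
```

Running it on the constructed sample reports the tracker receiving the token and user id through Referer and the analytics host receiving the email as a parameter; the benign tracker hit is not flagged. Scrubbing the canvas URL removes the Referer leak at the source; a `Referrer-Policy` header that suppresses the path and query for cross-origin requests is a complementary, browser-enforced defence.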

Facebook Summary
- Reported our findings to Facebook in November 2012
- Facebook responded within one week; Skype meetings with Facebook
- Facebook acknowledged the problems and contacted the developers
- Fixed in May 2013

Security and privacy implications
- Since January 2010: unproxied access to the email address
- 60% of application developers request the email address
- Social phishing, context-aware spam
- Users trackable by real name

Hosting
- Number of hosts possibly vulnerable
- FTP/SSH brute force
- Amazon EC2 community images

Data Deduplication (Dropbox)
- At the server: the same file is only stored once, saving storage space
- At the client: calculate a hash or other digest to reduce communication

Attacks
- Hash manipulation
- Stolen Host ID
- Direct up-/download: uploading without linking via a simple HTTPS request to https://dl-clientxx.dropbox.com/store

Attack flow (stolen hashes)
1. Steal hashes from the victim's Dropbox client
2. Send the hashes to the attacker's PC
3. Link the hashes with a fake client
4. Download all files of the victim

Solutions / Aftermath
- Dropbox fixed the flaws
- Host ID is now encrypted
- No more client-side deduplication
- Proof of ownership
- Takedown notice
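The stolen-hash attack works because, with client-side deduplication, presenting the right hash is enough to get a file linked to an account; the "proof of ownership" fix on the slide makes the server demand evidence that the client actually holds the bytes. The following is an added example, not Dropbox's code or the paper's tooling: a toy deduplicating server in two modes, the hash-only behaviour the slides describe and a challenge-response proof of ownership. The challenge format (a random byte range plus a nonce, answered with HMAC-SHA256 keyed by the nonce over that range), the account names and the sample file are assumptions.

```python
"""Client-side deduplication vs. proof of ownership.

Added example; not Dropbox's code or the paper's tooling. The challenge
format, account names and the sample file are assumptions.
"""
import hashlib
import hmac
import secrets


class DedupServer:
    """Toy storage backend: every blob is stored once, keyed by its SHA-256."""

    def __init__(self, require_proof):
        self.require_proof = require_proof  # False = hash alone links a file
        self.blobs = {}    # sha256 hex -> bytes (server-side deduplication)
        self.links = {}    # account -> set of hashes the account may download
        self.pending = {}  # (account, hash) -> outstanding challenge

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def upload(self, account, data):
        h = self.digest(data)
        self.blobs.setdefault(h, data)
        self.links.setdefault(account, set()).add(h)
        return h

    def request_link(self, account, h):
        """Client claims it holds the file with hash h and asks to link it."""
        if h not in self.blobs:
            return {"status": "upload_required"}
        if not self.require_proof:
            # Vulnerable: knowing the hash is treated as owning the file.
            self.links.setdefault(account, set()).add(h)
            return {"status": "linked"}
        size = len(self.blobs[h])
        start = secrets.randbelow(size)
        challenge = {"nonce": secrets.token_bytes(16), "start": start,
                     "length": min(64, size - start)}
        self.pending[(account, h)] = challenge
        return {"status": "challenge", "challenge": challenge}

    def answer_challenge(self, account, h, answer):
        challenge = self.pending.pop((account, h), None)
        if challenge is None:
            return {"status": "no_challenge"}
        expected = prove(challenge, self.blobs[h])
        if hmac.compare_digest(expected, answer):
            self.links.setdefault(account, set()).add(h)
            return {"status": "linked"}
        return {"status": "rejected"}

    def download(self, account, h):
        return self.blobs[h] if h in self.links.get(account, set()) else None


def prove(challenge, data):
    """Client side: HMAC over the requested byte range, keyed with the nonce."""
    chunk = data[challenge["start"]:challenge["start"] + challenge["length"]]
    return hmac.new(challenge["nonce"], chunk, hashlib.sha256).hexdigest()


# Constructed sample file belonging to the victim.
VICTIM_FILE = b"".join(f"constructed confidential report line {i}\n".encode()
                       for i in range(40))


def attacker_with_stolen_hash(require_proof):
    """Attacker knows only the hash (e.g. copied from the victim's client DB)."""
    server = DedupServer(require_proof)
    h = server.upload("victim", VICTIM_FILE)
    resp = server.request_link("attacker", h)
    if resp["status"] == "challenge":
        # Without the content the best the attacker can do is guess.
        server.answer_challenge("attacker", h, prove(resp["challenge"], b"\x00" * 64))
    return server.download("attacker", h) == VICTIM_FILE


def legitimate_owner(require_proof):
    """A second device of the real owner links the file without re-uploading."""
    server = DedupServer(require_proof)
    h = server.upload("victim", VICTIM_FILE)
    resp = server.request_link("victim-laptop", h)
    if resp["status"] == "challenge":
        server.answer_challenge("victim-laptop", h, prove(resp["challenge"], VICTIM_FILE))
    return server.download("victim-laptop", h) == VICTIM_FILE


if __name__ == "__main__":
    print("hash-only server, attacker gets file:", attacker_with_stolen_hash(False))
    print("proof-of-ownership server, attacker gets file:", attacker_with_stolen_hash(True))
    print("proof-of-ownership server, owner still deduplicates:", legitimate_owner(True))
```

With `require_proof=False` the attacker's fake client downloads the victim's file from the hash alone; with the challenge in place the same request is rejected while the owner's second device still benefits from deduplication. A fresh nonce per challenge matters: without it, a captured answer could be replayed, and the random byte range prevents an attacker who holds only a hash or a prefix from precomputing answers.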

Authentication
Apps evaluated: Viber, WhatsApp, fring, GupShup, hike, KakaoTalk, Line, ChatOn, textPlus and WeChat
- Man-in-the-Middle

WhatsApp in 2012
- Forfone (iPhone + Android)

Spoofing
- Forfone
- WowTalk

XMS, JaxtrSMS (Android, not iPhone)
- Legitimate registering
- Spoofing
- Enumeration attack

Enumeration Attack
- Status messages

Results 2012 / Re-evaluation 2014

Upcoming Conferences
- SACMAT 2015: http://www.sacmat.org/2015/index.php
- ARES 2015: http://www.ares-conference.eu/conf/
- ESORICS 2015: http://esorics2015.sba-research.org/
- ACM CCS 2016

Past Conferences 2014
- GI Sicherheit 2014: http://sicherheit2014.sba-research.org/
- DBSec 2014: http://dbsec2014.sba-research.org/
- IFIP WG 11.9 International Conference on Digital Forensics

Contact: eweippl@sba-research.org, Edgar.Weippl@tuwien.ac.at