16
Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Embed Size (px)

Citation preview

Page 1: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Mobile Security & Precautions Using Case StudiesALANA ANDERSON – DECEMBER 2014

Page 2: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Overview

1. Introduction – Why I chose this topic

2. Course Module

3. Case Study – Masa Kagawa

4. Case Study – StealthGenie

5. Results – Homework

6. Results – Survey

7. Conclusion

8. Questions

Page 3: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Introduction

Mobile device and application security has become a major issue as the world becomes more technically centered.

Everyday applications and functions can be used to exploit a device.

Mobile malware continues to rise and more companies are experiencing data breaches.

Appeal to the interest of students

Page 4: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Purpose

Educate students on mobile security issues and current events

Provide real world examples of how the exploitations are abused

Peak interest in mobile security

Inform users of simple techniques to aid in protecting a mobile device

Page 5: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Case Study – Masa Kagawa

Sept 2012 – April :Arrested for running an Android malware ring and operating a scam dating site in the form of an Android Application.

Alleged to be behind the distribution of spam with Anroid.Enesoluty.

Android.Enesoluty: requests permissions that will allow it to read and write contacts to an external device in a remote location.

First introduced as a game, it later served as a frame for a fraudulent dating site. The user would pay for “talking tokens” to other “users”.

Kagawa and his counterparts were “able to collect around 37 million email addresses from over 800,000 Android devices.

Page 6: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Case Study – Masa Kagawa Analysis

Kagawa was able to appeal to a user’s emotion. Not only did he install an information stealing Trojan on the device, he was able to obtain funds from exploiting a person’s heart.

Importance: This case teaches us that we should not only be mindful of what we download and the permissions it request but of the overall purpose and function of the application.

Key takeaways:

Be weary of the permissions that an application requests

Be mindful of the functions of an application and the way it behaves.

Do not respond to or open suspicious emails

Check for suspicious icons on the device.

Page 7: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Case Study – StealthGenie

Creator indicted for allegedly conspiring to advertise and sell StealthGenie.

Allows reading of text messages viewing of call logs, access to emails, GPS location tracking, spying on instant messenger chats, remotely monitoring their phone, and listening in on their live calls.

This is the first case surrounding the sale and advertisement of mobile spyware.

Hammad Akbar, creator of StealthGenie

Page 8: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Case Study – StealthGenie Analysis

This case showcases the capability that mobile devices have. It is important to not only protect ourselves from the known threats but the unknown as well.

Importance: Case makes users aware potential vulnerability of a simple mobile phone and the software inside of it. StealthGenie provided a real life example of how mobile devices can truly invade our personal lives

Key takeaways:

StealthGenie allows user to see what type of potential is in the palm of there hands.

Be mindful of how your devices operates

Be mindful of who uses or operates a personal device

Page 9: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Course Module Components

Student Pre-Test/Post Test:

Measure the students current knowledge on mobile device security and potential threats. It is not aimed at being too difficult or too easy.

Practical information that a device user should know, as well as information that may not be common knowledge.

Pre Test/Post Test Questions1. Apart from a physical computer what are some

reasons why security must be enhanced for a mobile device?

2. What is Bluesnarfing?3. True/False. The Android operating system has a

higher threat level than IOS, meaning more malware is targeted at Android devices

4. What does it mean to jailbreak an Apple device?5. What does a Tapjacking attack do?6. Which category of applications provides the

greatest amount of mobile malware?7. Name some mobile hardware components that could

make cellular devices insecure?8. What is mobile malware?9. What is a denial of service attack?10.What is spyware?11.Is it illegal to sale privacy invasive applications

or software. This can be any software that monitors a target without their knowledge. Yes/No

Page 10: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Course Module Components (cont.)

Topics Covered include:

Information on various device exploits(web browser, bluetooth, GPS)

Overview between differences of mobile devices and desktops

Incidents to back up exploitations

Apple Vs. Android Debate

Basic Malware Targets and popular application incidents

SMS Malware

Protection mechanisms (Strong passwords, using approved download locations, anti-virus)

Page 11: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Course Module Components (cont.)

Mobile Security Homework:

Reinforce the lecture slides and information surrounding the case studies.

Aids in providing practical practice of keeping our mobile devices secure while still hammering in the facts.

Topics Covered include:

Identifying fraudulent applications

Definitions surrounding Bluetooth attacks

Potential mobile security concerns

Current Events surrounding insecurities

Web browser exploitation

Comparing fraudulent applications

Homework Questions1. Find copies popular application/game within your device’s

respective app store. Find copycat versions of the application and search the description and comments about the app to determine how we know it is not legit. List the name of the real app and the fake version app names below. Also, list at least 3 red flags for the copy apps. 

2. Define bluesnarfing, bluejacking and bluebugging. Provides an example of how it could be used for each.

3. Mobile Developer Concerns - In your opinion, what are the three biggest security issues that mobile application developers should consider in their design and implementation? Describe each of these issues in detail, and make an argument for their importance over other security concerns.

4. Find a recent story about an application being hacked or a breach in information via mobile devices. Give a basic summary of that incident.

5. When choosing to download an application are user comments and ratings taken into account. Yes/No

6. If an app opens in a web-browser, would you think that it is a malicious application? Why or Why not.

7. Find and list more spyware applications like StealthGenie that are still available for download and use. List them below.

Page 12: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Results – Pre Test/Post Test

Average Pre Test Score – 71%

Average Post Test Score – 82% (11 Point increase after the lecture)

Most Commonly Missed Questions:

What does a tapjacking attacking do?

What is mobile malware? (Many chose “Software or hardware aimed at taking over or disrupting service to a mobile device”)

Page 13: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Results – Survey

Was the material worthwhile?

Avg. 4.31 – Very Worthwhile

How motivated were you to learn about mobile security issues?

Avg. 3.7 Moderately – Very Motivated

“Provide live or simulated examples”

“Explain every topic more detailed”

“Very informative added knowledge and insight.”

Additional material on – “Methods proposed for protecting mobile devices.”

Page 14: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Results – Homework

Intended to reinforce the lecture but to get users to find practical real world examples and emphasize the importance behind the information provided to them.

Students found an array of fraudulent apps and were able to clearly articulate red flags based on common knowledge and found information

Students were able to think in terms of a mobile developer to come up with many concerns that developers should be worried about. These include:

Insecurity of app stores

Lack of encryption or weak encryption

Secure connections or safety of data while in transit back to server

Amount of testing that an application has been through

Page 15: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Conclusion

Success was measured based on the result of the homework, pre/post test and survey results.

The course module served as an overview for mobile security using the case studies as real world examples.

Overall the course module proved to be a success. This is based on the survey given at the end of the lesson as well as the 11% increase in the average on the Post Test Vs. the Pre Test.

Based on the survey students are interested in learning about mobile security and were interested in the topics presented to them.

Page 16: Mobile Security & Precautions Using Case Studies ALANA ANDERSON – DECEMBER 2014

Questions