Page 1

Smart Phone Security & Privacy: What Should We Teach Our Users?

Norman M. Sadeh
Professor, School of Computer Science
Director, Mobile Commerce Lab.
Carnegie Mellon University
www.cs.cmu.edu/~sadeh

Page 2

Copyright © 2007-2011 Norman M. Sadeh EDUCAUSE Webinar – April 2011 - Slide 2

Outline

Smart phone security and privacy awareness: unique challenges

Phishing: much worse with smart phone users

What can we do?

Mobile Apps and Social Networking

What can we teach users?

Concluding remarks

Q&A

Page 3

SMART PHONE SECURITY AND PRIVACY AWARENESS: UNIQUE CHALLENGES

Page 4

Cyber Security Training Awareness

…Has been compared to trying to nail Jell-O to a wall

Page 5

Yet…

Filters, firewalls, IDS etc. have their limitations

Users are the last line of defense

Universities: A Dual Objective

Protect the university’s infrastructure and sensitive data

Educational mission


Page 6

Universities

Diversity of users: faculty, staff, students

Diversity of cultures and environments: fragmented administration

Diversity of needs: research vs. education vs. admin

Diversity of devices: some managed & some not

...Yet the price of security breaches can be dire…


Page 7

Smart Phones: The New Frontier

Smart phone adoption to approach 50% in the US in 2011

Page 8

Our cell phones are now coming with the same vulnerabilities we have on our computers…

…Along the Way…

…and more…

Page 9

Universities at High Risk


University

Students…

Page 10

Mobile Email & Social Networking are Big

Page 11

Diversity of Devices & OS’s

Best practices are harder to articulate

Page 12

The Biggest Security Risk?

Millions of cell phones lost or stolen each year

Page 13

Lost or Stolen Phone…

Private data & sensitive apps, e.g. contacts list, pictures, phone calls, messages, email, calendar, apps, etc.

Risk of someone using your phone

Impersonating you – SMS, voice, email, social networks, etc.

Placing expensive international calls

Reselling your phone

etc.

Page 14

What Can We Teach?

Don’t leave your phone unattended

Goes beyond theft and loss: malware is easy to install

Use a PIN to protect your cell phone

Different options (e.g. iPhone)

Write down your IMEI number as well as phone make and model and cell phone number

Quickly report lost/stolen phone

Page 15

Tips Quickly Become Device-Specific

Requires MobileMe: loud noise + contact info + map

Page 16

Remote Erase

A number of solutions…

…Hopefully you’ve backed up your data

…Some products combine both back up and “remote wipe”

Watch out for malware - read reviews and select reputable solutions…

Page 17

Dangers of Multi-Tasking

Phone call, SMS, email, etc.

While driving, crossing the street…

• Illegal in some places

• Not wise elsewhere

Page 18

Understanding the risks…

Even more challenging than on a computer

Cell phones are highly personal devices with access to lots of sensitive information

…yet fewer people understand the risks

Lots of different cell phone models

Not all with the same functionality or settings…

Users need to invest time in understanding and tweaking their security settings

Page 19

Different Activities Lead to Different Risks

Voice

Email

SMS

Bluetooth

Browsing

WiFi

Location

App Downloads

Social networks

…and more

…A rather daunting task…

Page 20

PHISHING: MUCH WORSE ON SMART PHONES

Page 21

E-Mail Phishing: Worse on Mobile Phones

Trusteer – Jan 2011:

Mobile users are first to arrive at phishing websites

Mobile users 3x more likely to submit credentials than desktop users


Page 22

Beyond e-mail Phishing

SMS-ishing

Vishing

IM phishing

Phishing via social networks

Phishing apps


Page 23

What To Do?

Better filters can help

Most spam filters rely on manually maintained blacklists that are several hours behind

Example: Wombat’s PhishPatrol

Teach people to recognize traps in phishing emails


Page 24

Training via Mock Attacks: PhishGuru

Teach people in the context in which they would be attacked

If a person falls for a simulated phish, show an intervention explaining what just happened

Unique “teachable moment”

Pages 25-28

PhishGuru process (built up one step per slide across these four slides):

Select target employees

Customize fake phishing email

Select training

Internal test and approval process

Hit send

Monitor & analyze employee response

Page 29

[Chart: percentage of recipients per campaign (Campaign 1, Campaign 2, Campaign 3) who “Viewed Email and Clicked Link” vs. “Viewed Email Only”; axis 0-40%]

It works!

Reduces the chance of falling for an attack by more than 50%! (Actual results)
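The “monitor & analyze employee response” step and the chart above, as an added example that is not part of the deck or of PhishGuru itself: a small Python script that takes a campaign event log, computes the two chart categories (“viewed only” and “clicked”) per campaign as percentages of the target group, and reports the relative drop in click rate between campaigns. The event format, recipient IDs and all numbers are constructed assumptions; the recipient with a click but no view event shows why a click must also count as a view.

```python
from collections import defaultdict

# Constructed event log for three mock-attack campaigns sent to the same ten
# recipients: (campaign, recipient, event). "clicked" means the link in the
# fake phish was followed, the point at which the training intervention
# would be shown. These are assumed values, not real PhishGuru data.
EVENTS = [
    (1, "u01", "viewed"), (1, "u01", "clicked"),
    (1, "u02", "viewed"), (1, "u02", "clicked"),
    (1, "u03", "viewed"), (1, "u05", "viewed"), (1, "u07", "viewed"),
    (1, "u04", "clicked"),  # opened from a preview pane: no "viewed" event
    (1, "u06", "viewed"), (1, "u06", "clicked"),
    (2, "u01", "viewed"), (2, "u01", "clicked"),
    (2, "u02", "viewed"), (2, "u03", "viewed"), (2, "u05", "viewed"),
    (2, "u04", "viewed"), (2, "u04", "clicked"), (2, "u08", "viewed"),
    (3, "u01", "viewed"), (3, "u02", "viewed"), (3, "u03", "viewed"),
    (3, "u04", "viewed"), (3, "u04", "clicked"),
    (3, "u06", "viewed"), (3, "u09", "viewed"),
]
RECIPIENTS = 10  # size of the target group, identical in every campaign

def campaign_summary(events, recipients):
    """Per campaign: who clicked, who only viewed, and both as percentages
    of the target group. A click implies the email was viewed, so a
    recipient with only a "clicked" event is still counted as viewed."""
    viewed, clicked = defaultdict(set), defaultdict(set)
    for campaign, user, event in events:
        if event == "clicked":
            clicked[campaign].add(user)
            viewed[campaign].add(user)
        elif event == "viewed":
            viewed[campaign].add(user)
        else:
            raise ValueError(f"unknown event type {event!r}")
    summary = {}
    for campaign in sorted(viewed):
        c = clicked[campaign]
        only = viewed[campaign] - c  # the two chart categories are disjoint
        summary[campaign] = {
            "clicked": sorted(c),
            "viewed_only": sorted(only),
            "click_pct": 100.0 * len(c) / recipients,
            "viewed_only_pct": 100.0 * len(only) / recipients,
        }
    return summary

def click_reduction(summary, baseline, later):
    """Relative drop in click rate between two campaigns, in percent."""
    base = summary[baseline]["click_pct"]
    if base == 0:
        raise ValueError("no clicks in the baseline campaign; nothing to reduce")
    return 100.0 * (base - summary[later]["click_pct"]) / base

if __name__ == "__main__":
    s = campaign_summary(EVENTS, RECIPIENTS)
    for n, r in s.items():
        print(f"Campaign {n}: clicked {r['click_pct']:.0f}%, viewed only {r['viewed_only_pct']:.0f}%")
    print(f"Click-rate reduction, campaign 1 -> 3: {click_reduction(s, 1, 3):.0f}%")
```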

Page 30

Reinforce with Training Modules – Incl. Games

• Traditional training doesn’t work - but people like games

• Games teach users about phishing

• People more willing to play games than read training

• Shows higher long-term retention

Page 31

Teaches people to identify “red flags” in fraudulent emails

Page 32

Phishing is a Generic Threat

It is possible to identify device-independent tips and strategies

It is possible to teach these tips and strategies in a matter of minutes

Universities like CMU are using PhishGuru and training games (Phil and Phyllis training games) to train staff, faculty and students

A dedicated anti-phishing email filter can also make a difference (e.g. PhishPatrol)


Page 33

MOBILE APPS & SOCIAL NETWORKING: WHAT CAN WE TEACH USERS?

Page 34

Social Networking – Facebook, Twitter & Co.

Sharing is wonderful…

…until you regret you did it

Think and ask yourself whether:

You really know who you are sharing with

A week or a year from now, you’ll still be happy you did

Colleagues, friends, new acquaintances…

Beware of pictures and links that seem to come from friends….

Page 35

All Those Great Apps

Page 36

Malicious Apps

In January of 2010, the first malicious mobile banking app was detected

Stole your banking credentials

Android doesn’t review applications

Apple does, but that’s no guarantee

Many apps collect a lot more information than they need to – e.g. location

Page 37

Some Recommendations

Research apps before you download them

Best to wait until enough other people have tried them

Check ratings – but do not rely entirely on them

If you are courageous, take time to review privacy provisions

Possibly create a Google alert for apps you download

Page 38

Location Sharing Apps

Page 39

Also referred to by some as…

Page 40

If you are going to share your location, at least do it under conditions you control

Page 41

Promoting Our Own Location Sharing Platform

More expressive privacy settings: “My colleagues can only see my location when I’m on campus and only weekdays 9am-5pm”

Invisible button

Auditing functionality

Available on Android Market, iPhone client, Ovi, laptop clients

Tens of thousands of downloads over the past year

www.locaccino.org

Pages 42-45 (no text)

Page 46

CONCLUDING REMARKS

Page 47

Concluding Remarks

Cell phones are wonderful devices …

Most of us can’t even remember how we could operate without them

…Yet they come with many risks

…General guidelines are difficult to articulate

Diversity of cell phones and usage scenarios

Yet in some areas such as phishing, results indicate that training can make a difference

We are extending this approach to mobile security at large

Page 48

http://wombatsecurity.com

http://mcom.cs.cmu.edu

Q&A

Page 49

References

Scientific References

How to Foil “Phishing Scams”, Scientific American, L. Cranor

Teaching Johnny Not to Fall for Phish. P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, Pages 1–31.

Learning to Detect Phishing Emails. I. Fette, N. Sadeh, and A. Tomasic. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.

Locaccino scientific publications: www.locaccino.org/science

Case Studies & White Papers

“A Multi-Pronged Approach to Combat Phishing (Carnegie Mellon University case study)”

“Empirical Evaluation of PhishGuru Embedded Training”

“Cyber Security Training Game Teaches People to Avoid Phishing Attacks”
