Copyright 2013-15
COMP 2410 – Networked Information Systems
SC3 – Mobile Security
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/II/NIS2410.html#L6
http://www.rogerclarke.com/II/NIS2410-6 {.ppt, .pdf}
ANU RSCS, 2 April 2015
Networked Information Systems
The Applications Layer
1. Application Architectures
.1 Master-Slave Architecture
.2 Client-Server Architecture
• Cloud Computing
.3 Peer-to-Peer (P2P) Architecture
2. Categories of Networked Application
.1 Mobile Computing
.2 Web 2.0 and Social Media
3. Networked Info Systems Security
.1 Security of Info and I.T.
.2 Malware and Other Attacks
.3 Mobile Security
1. Mobile Devices
'Any device that provides users with the capacity to participate in Transactions with Adjacent and Remote devices by Wireless Means'
• Nomadic / Untethered Portables
• Mobiles / Smartphones
• Handheld Computing Devices
  PDAs, games machines, music-players, 'converged' / multi-function devices, Tablets esp. iPad but now many followers
• Processing Capabilities in Other 'Form Factors'
  Credit-cards, RFID and NFC tags, subcutaneous chips
• Wearable Computing Devices
  Watches, finger-rings, spectacles, key-rings, necklaces, bracelets, anklets, body-piercings ... chip implants
Wireless Comms
• Wide Area Networks – Satellite (Geosynch; Low-Orbit)
  GS is Large footprint, very high latency (c. 2 secs)
• Fixed-Wireless/Line-of-Sight – 802.16 (WiMAX) '08, TD-LTE/LTE-TDD '12
  (3-10 km per cell, high-capacity per user, local monopoly?, trees!)
• Wide Area Networks – Cellular (50m to 10km cell-radius, with increasing capacity per user, particularly 3G onwards)
  1G – Analogue Cellular, e.g. AMPS, TACS
  2G – Digital Cellular, e.g. GSM, CDMA
  3G – GSM/GPRS/EDGE, CDMA2000, UMTS/HSPA
  4G – LTE, deployed / deploying
• Local Area Networks – 'WiFi' (10-100 m radius)
  primarily IEEE 802.11x, where x=a,b,g,n
• Personal Area Networks (1-10 metres) – Bluetooth? Infra-red?
• Contactless Cards / RFID Tags / NFC Chips (1-10cm radius)
Mobile Usage
• Messaging – synch and asynch, 1-1 and m-n
  Email, Chat/IM, Voice, Video, ...
• Content Access
  Open Web, Search
  Semi-Closed Wall-Postings
  Organisational Data
• Content Preparation / Publishing
  Formal Docs, Informal Postings / -blogging
  Open, Corporate, Personal
• Transactions
  Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...
Mobile Security
Agenda
1. Mobile Devices, Comms, Usage
2. Case Studies
   A. Contactless Chip Payment
   B. Location and Tracking
3. Application of the Security Model
4. What Do We Do About It?
2. Case Study A – Contactless Chip Payment
• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 (cf. original $25)
Contactless Chip-Cards as Payment Devices
• RFID / NFC chip embedded in card
• Wireless operation, up to 5cm from a terminal
• Visa Paywave and MasterCard PayPass
• Up to $100 and $35 resp. (cf. original $25)
• Presence of chip in card is not human-visible, but Logo / Brand may be visible
• No choice whether it's activated
• No choice about the threshold
• Operation of chip in card is not human-apparent
• No action required when within 5cm range, i.e. automatic payment
• No receipt becomes the norm?
• Used as Cr-Card: Unauthenticated auto-lending
• Used as Dr-Card: PIN-less charge to bank account
Key Safeguards for Chip Payment Schemes
• Authentication – None / A Non-Secret // For Higher-Value Transactions Only / Always
  [UK RingGo Parking Payment Scheme – last 4 digits]
• Act of Consent – None / Unclear / Clear
  [e.g. Tap the Pad in Response to Display of Amount Due]
• Notification – None / Audio / Display
  [If 'None', surreptitious payment extraction is feasible]
• Receipt / Voucher – None / Option or Online / Y
  [Octopus, Toll-Roads, UK RingGo Parking Payment Scheme]
Are These Safeguards in Place for Visa PayWave and MCard Paypass?
• Authentication – None / A Non-Secret (but Yes, for Transactions >$100 Only)
• Act of Consent – None? / Unclear? / Clear?
  If the card is within 5cm of a device, whether seen or not
  But the 'consent' is by whoever possesses the card
• Notification – None? / Audio? / Display?
  If 'None', then enables surreptitious payment extraction
• Receipt / Voucher – None? / Option? / Y?
2. Case Study B – Location and Tracking
Location is Inherent to Mobile Technologies
• Insufficient capacity to broadcast all traffic in all cells
• The network needs to know the cell each mobile is in
• Mobiles send registration messages to base-station(s)
• Even if nominally switched off or placed on standby
What's Being Tracked?
• The SIM-card, an identifier of the device, e.g. IMSI
• The mobile-phone id, an entifier of the device, e.g. IMEI
• The person the SIM-card and/or mobile-phone is registered to (and may be required by law to be so)
• Most handsets have one SIM-card, and one user
The Precision of Handset Location
• Intrinsically, the Cell-Size:
  • 1km-10km radius for non-CBD Cells
  • c. 100m radius for Wifi & CBD Cells
• Potentially much more fine-grained:
  • Directional Analysis
  • Differential Signal Analysis
  • Triangulation
  • Self-Reporting of GPS coordinates
Handset Location – Accuracy and Reliability
• Directional Analysis
  The Case of the Cabramatta Murder Conviction
• Differential Signal Analysis
  A Wide Array of Error-Factors
• Triangulation
  Multiple Transceivers, Multiple Error-Factors
• Self-Reporting of GPS coordinates
  Highly situation-dependent, and unknown
  Dependent on US largesse, 'operational requirements'
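The "multiple transceivers, multiple error-factors" point can be made concrete. The following is an added illustration, not part of the lecture slides: it fixes a handset position from three base-station ranges and then shows how far the fix moves when one or more of those ranges is wrong. The tower coordinates, the handset's true position and the range errors are constructed values in a local planar frame.

```python
import math

# Constructed example: three base stations in a local planar frame (metres)
# and the handset's true position, from which each station's range is derived.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (1000.0, 2500.0)]
TRUE_POSITION = (1200.0, 900.0)


def ranges_from(position, towers):
    """Distance from the handset to each tower (what timing or signal-strength
    measurements try to estimate, each with its own error)."""
    px, py = position
    return [math.hypot(px - tx, py - ty) for tx, ty in towers]


def trilaterate(towers, ranges):
    """Fix the handset position from exactly three towers and their ranges.
    Subtracting the first tower's circle equation from the other two gives
    two linear equations in x, y, solved here with Cramer's rule:
        2(xi - x1) x + 2(yi - y1) y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2
    """
    (x1, y1), (x2, y2), (x3, y3) = towers
    d1, d2, d3 = ranges
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("collinear towers: position is not uniquely determined")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def position_error(towers, true_position, range_errors):
    """Metres between the true position and the fix obtained when each measured
    range is off by the given amount (e.g. multipath lengthening one path)."""
    noisy = [d + e for d, e in zip(ranges_from(true_position, towers), range_errors)]
    fx, fy = trilaterate(towers, noisy)
    return math.hypot(fx - true_position[0], fy - true_position[1])


if __name__ == "__main__":
    exact = trilaterate(TOWERS, ranges_from(TRUE_POSITION, TOWERS))
    print(f"exact fix: ({exact[0]:.1f}, {exact[1]:.1f})")
    for errs in [(50.0, 0.0, 0.0), (50.0, -50.0, 50.0), (200.0, 0.0, 0.0)]:
        err = position_error(TOWERS, TRUE_POSITION, errs)
        print(f"range errors {errs} m -> fix is {err:.0f} m off")
```

With these constructed towers a 50 m error on a single range already moves the fix by roughly 30 m, and a 200 m error by well over 100 m, which is why a location derived this way needs its error budget stated before it is relied upon as evidence.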
The Primary Geolocation Technologies
http://www.rogerclarke.com/DV/LTMD.html
Location and Tracking
Some Scenarios
• Arresting a crook
• Investigating the proximity of suspect to crime-scene
• Targeting an enemy
• Being accused of association with another person
• Having your association with a person discovered
• Being targeted by a marketer ...
• ... who knows a great deal about you
• Being monitored by your partner, or your next date
• Being targeted by an enemy
• Being found by a fan, stalker, abusive ex-partner
3. Application of the Security Model to Mobile Usage
• Messaging – synch and asynch, 1-1 and m-n
  Email, Chat/IM, Voice, Video, ...
• Content Access
  Open Web, Search
  Semi-Closed Wall-Postings
  Organisational Data
• Content Preparation / Publishing
  Formal Docs, Informal Postings / -blogging
  Open, Corporate, Personal
• Transactions
  Application Forms to Government Agencies, Purchases, Payments, Internet Banking, ...
Conventional IT Security Model
[Figure: Conventional IT Security Model]
http://www.rogerclarke.com/EC/PBAR.html#App1
The Harm Aspect
• Injury to Persons
• Damage to Property
• Loss of Value of an Asset
• Breach of Personal Data Security, or Privacy more generally
• Financial Loss
• Inconvenience and Consequential Costs arising from Identity Fraud (very common)
• Serious Inconvenience and Consequential Costs arising from Identity Theft (very rare)
• Loss of Reputation and Confidence
The Vulnerability Aspect
• The Environment
  • Physical Surroundings
  • Organisational Context
  • Social Engineering
• The Device
  • Hardware, Systems Software
  • Applications
  • Server-Driven Apps (ActiveX, Java, AJAX)
  • The Device's Functions: Known, Unknown, Hidden
  • Software Installation
  • Software Activation
• Communications
  • Transaction Partners
  • Data Transmission
• Intrusions
  • Malware Vectors
  • Malware Payloads
  • Hacking, incl. Backdoors, Botnets
Threat Aspects – Third-Party, Within the System
(Who else can get at you, where, and how?)
• Points-of-Trans'n Physical
  • Observation
  • Coercion
• Points-of-Trans'n Electronic
  • Rogue Devices
  • Rogue Transactions
  • Keystroke Loggers
  • Private Key Reapers
• Comms Network
  • Interception
  • Decryption
  • Man-in-the-Middle Attacks
• Points-of-Processing
  • Rogue Employee
  • Rogue Company
  • Error
Threat Aspects – Third-Party, Within the Device
• Physical Intrusion
• Social Engineering
• Confidence Tricks
• Phishing
• Masquerade
• Abuse of Privilege
• Hardware
• Software
• Data
• Electronic Intrusion
• Interception
• Cracking / 'Hacking'
• Bugs
• Trojans
• Backdoors
• Masquerade
• Distributed Denial of Service (DDOS)
• Infiltration by Software with a Payload
Threat Aspects – Second-Party
• Situations of Threat
  • Banks
  • Telcos / Mobile Phone Providers
  • Toll-Road eTag Providers
  • Intermediaries
  • Devices
• Safeguards
  • Terms of Contract
  • Risk Allocation
  • Enforceability
  • Consumer Rights
Key Threat / Vulnerability Combinations
re Mobile Payments
• Unauthorised Conduct of Transactions
• Interference with Legitimate Transactions
• Acquisition of Identity Authenticators
  e.g. Cr-Card Details (card-number as identifier, plus the associated identity authenticators)
  e.g. Username (identifier) plus Password/PIN/Passphrase/Private Signing Key (id authenticator)
  e.g. Biometrics capture and comparison
4. What Do We Do About It?
• Consumers
• Organisations
  • Corporate Devices
  • BYOD
The Status of Consumer Protection
• EFT Code of Conduct – longstanding, phased out
• ePayments Code – wef 30 March 2013
  http://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument
• Soft regulation of such things as receipts, risk apportionment, complaints, privacy, ...
• The banks have sought to weaken the protections (In NZ they succeeded, but were beaten back by the tide of public opinion, and withdrew the changes)
• The Code's provisions apply to contactless-card transactions – but with a lot of 'buts'
The Absolute-Minimum Security Safeguards
1. Physical Safeguards
2. Access Control
3. Malware Detection and Eradication
4. Patching Procedures
5. Firewalls
6. Incident Management Processes
7. Logging
8. Backup and Recovery Plans, Procedures
9. Training
10. Responsibility
http://www.xamax.com.au/EC/ISInfo.pdf
Beyond the Absolute-Minimum Safeguards
Risk Assessment, leading to at least some of:
11. Data Communications Encryption
12. Data Storage Encryption
13. Vulnerability Testing
14. Standard Operating Environments
15. Application Whitelisting
16. Device Authentication and Authorisation
17. Use of Virtual Private Networks
18. Intrusion Detection and Prevention
19. User Authentication
20. Firewall Configurations, Outbound
http://www.xamax.com.au/EC/ISInfo.pdf