Social Media and Mobile Risk - CIO Perspective - Michalis Mavis - iCompetences RSI2012

7/30/2019 Social Media and Mobile Risk - CIO Perspective - Michalis Mavis - iCompetences RSI2012

http://slidepdf.com/reader/full/social-media-and-mobile-risk-cio-perspective-michalis-mavis-icompetences 1/50

Risk case studies- Social Networks Risk Management - A CIO Perspective

- Mobile applications risks in the modern business environment

byMichalisMavis,MSc,MSc

f.ChairmanofHellenicFraudForumSecurityCountermeasures



2

SNsinthe21stcentury

OnlineSocialNetworks(SNs),orweb2.0are

oneofthemostremarkabletechnological

phenomenaofthe21stcentury,

withseveralSNs

nowamongthemost

visitedwebsitesglobally.

2



Agenda• UnderstandingtheopportuniGesandtherisks

ofsocialnetworks(SNs)tocorporatesecurity

andthedangersfortheindustry.

• CIOconcernsrelatedtoSN,onhowtoprotecttheITinfrastructure,thecompanybusiness&

reputaGon.

• RisksofmobileapplicaGonsandcounter-

measures.

• ConclusionsandRecommendaGons.



4

THE ENISA Report

• AccordingtoENISAreportexperiencingonlineSocialNetworkingSites(SNSs)hasbecomeoneofthemostpopularacGviGescarriedouton

theInternet,forstayingintouchwithbusinessandpersonalcontacts.

• RecentstaGsGcsshowedthatmorethan80millionacGve

usersareaccessingFacebookthroughtheirmobiledevices.



Social Network popularity around

the world in 2012 • Onlinesocialnetworksareeverywherethesedays,atrulyglobalphenomenon.

• Butwherearethedifferentsocialnetworkshavingthemostsuccessin

termsofpopularity?



Countrieswiththehighestinterestin

Facebook

1. Turkey

2. Venezuela

3. Tunisia

4. Colombia

5. Dominican

Republic



7

Opportunies-1(ISACAwhitepaper)

• Enterprisesthataggressivelyembracesocialmediaaspartoftheirstrategyaremorefinanciallysuccessful.

• UseofSocialNetworkshascreatedhighlyeffecGvecommunicaonplaHormswhereanyuser,virtually

anywhereintheworld,canfreelycreatecontentand

disseminatethisinfoinrealGmetoaglobalaudience,

ofpotenGallymillionsofpeople,inlessGmethanit

takestoreadasmalldocument.

• S.N.provides the ability to reachlargepopulaons

almostinstantly.





Butarethereany

securityconcerns?



10

Social Networks risks, the CIO headaches (security and privacy concerns)

• S.N.useisabenefit,buttheenterprisesshouldalsoconsiderrisksvs.opportunies.

• Variousvulnerabilies,suchasinsecureapplicaGonsforexample,maycauseunacceptableexposureofthecorporatenetworktovariousrisks.

• Maliciousoutsiderscoulduseemployeesocialmedia

pagestolaunchtargeteda_acksbygatheringinfoto

executesophisGcatedsocialengineeringcampaigns,orhackinga_acks.



11

Majorrisksandthreats

• IdenGtythe`.• MalwarepropagaGon

• CorporatedataleakageandreputaGonrisk.

• User’sposiGontracking(whentheusermobilephoneisequippedwiththenecessary

technology–mapfuncGon).

• Datamisuseandmore…



MorePhishingbyusingSNs

• Thereisatrendofhighlytargetedphishinga_acks,facilitatedbyfakedprofiles.

• SNsaremorevulnerabletosocialengineering

techniques.

12



13

Itissoeasy...to

buildacompanydirectory

Icompetenceslistofemployeesbya

simpleLinkedinsearch.

13



14

CorporateEspionage

SNswillbeusedmoreandmoreinthe futureforgatheringsensiGveenterprise

databyusingtheemployeesposGngs.

• Dataiso`engatheredgradually,piecebypiece.

• Forexample,severalprofessionalSNspublishinformaGononlistsof

employees.Itallowsa_ackerstoseetheconnecGonsbetweenemployees.

• IfanemployeepublishessensiGveinformaGononaSN,thismightposeaseriousthreattoacompany.

• Themainriskhereisthelossofcorporate

intellectualproperty,blackmailingofemployees

torevealsensiGvecustomerinformaGonand

eventoaccessphysicalassets.

14



15

Whereandhow…?

• Intelligencegathering.SomeGmesthereisnoreasontospendalotofmoneytogatherusefulinformaGon.ItisavailablefreeontheInternet,byusingtherighttools.

• WiththeuseoftherighttoolsandtechniquesyoumayfindextremelyusefulinformaGonaboutcompeGtors,individuals,governments,companiesandnotonly.

• ItispossiblebyusinglegiGmateorillegalways.

• Butyoushouldknowhowandwheretosearchfor…• YoushouldmakeaDEEPwebsearch!



16

LeakageofconfidenalInfo

• Doyouknowwhatisbeingpostedbyyouremployees,customers,oryourcompeGGon?

• WhatdoestheInternetsayaboutyourcompany?

• WeallknowinformaGonorintelligencegatheringis

oneofthemostimportantphasesofapenetraGontest.

• However,gatheringinformaGonandintelligenceabout

yourowncompanyisevenmorevaluableandcan

helpanorganizaGonproacGvelydeterminethe

informaGonthatmaydamageyourbrand,reputaGon

andhelpmiGgateleakageofconfidenGalinformaGon.



AREALRISKSCENARIO

• YouareconnectedtoLinkedinnetworkatofficeorhomeandsomeonecapturesthecookiesin

traffice.g.byusingFiresheepandyouraccountis

hijacked.

• Youasauserwillnotknowthatthecookieisstolenortherehavebeenanyparallelloginby

thea_acker.

• Thehackersareusingyourhijackedaccounttoaackyouandthereputaonofyourcompany!





Firesheep characteriscs• Firesheeptargets26onlineservices,andincludesmanypopularonlineservicessuchas

Amazon,Facebook,Foursquare,oogle,The

NewYorkTimes,Twi_er,WindowsLive,

WordpressandYahoo.• Theextensionisalsocustomizableallowinga

hackertotargetotherWebsites

notlistedbyFiresheep.• ItworksoverWiFiconnecGons.

d h Y



Id-TheYinSNs• IdenGtythe`inSNsisoneofthemostimportant

threatsasitmayaffectthereputaGonandprivacyoftheuser.Itmaytakeplaceindifferentways.

• Incasethea_ackerisabletotakefullcontroloftheuser’saccount,hemaypublishcommentsinthe

nameofthelegiGmateuser,changethecurrentpasswordande-mailaddress.Thenusethecompromisedaccounttospreadmaliciouss/w.

• Id-the`mayhaveveryseriousimpact

touser’spersonallifeandreputaGonatwork.



21

BLOGSposngs

• BlogscanbesearchedviaanytradiGonalsearchengine,however,thechallengewithblogsarenotthepoststhemselvesbutthe

comments.• EspeciallycommentscomingfromcurrentorformeremployeesorcustomersonhighlysensiGvepublicrelaGonsissues.

• Itisimportanttobemonitoringblogsandtheircomments,beforetheygoviral.



Countermeasures?



23

Trainingandpolicy-standards

• TrainingshouldbeconductedonaregularbasisandshouldfocusonthebenefitsandopportuniGesaswell

asonthedangersrelatedtouseofsocialmedia.

• Emphasisshouldbeplacedonspecificdangersand

methodsofsocialengineering,commonexploitsand

threatstoprivacy.

• Effecvecontrolsshouldbeinplace.Professionalswithintheenterpriseshouldvalidateandmonitorthecontrolsaccordingtoawelldefinedsocialmedia

securitypolicy.



24

Sothat:

• TheyknowhowtouseS.N.intheworkplace.• Theyknowwhatisallowedandwhatnot,outsidetheworkplace.

• HowtouseS.N.forbusinessuse.Whoisapproving

publishingofinformaGonrelatedtothecompany.

• Whatisnotallowedandwhenitisnotallowed.

Employees

shouldbetrained…



25

GoldenRules?

• Paya_enGontowhatyoupostandupload.Considercarefullywhichimages,videosandinformaGonyouchoosetopublish.

• Neverpostsensiveinfoandifneededuseapseudonym.

• Verifyallyourcontactsanddonotacceptfriendrequestsfrompeopleyoudon’tknow.

• Protectyourworkenvironmentandavoidreputaonrisk

• Useprivacyandsecurityorientedse]ngsinyourprofile.

• Deacvatelocaonbasesservicesofyourmobilephoneif

youdon’tneedthem.



Anexample:LinkedInhousekeepingsecuritymeasures...

Plselp!MySNprofilehasbeenhacked!!



owtobackupyourLinkedinProfile

• Saveyourfullprofiletoapdfdocument,bypressingthepdficonunderyourphoto.

• Saveyourconnecons,byfollowingthelink:h_p://www.linkedin.com/addressBookExport

• Restoretheconneconsincaseofproblem

fromtherelevantfile.LinkedinConnecGons

=>AddConnecGons=>ContactsFile..........

i k di



ExportLinkedinConnecons



QuickpsonSecurityandPrivacy

• Alwayshaveatleastoneotheremailaddressassignedtoyouraccountshouldyoulose

accesstotheprimaryemailaddress.

• Log-outyourLinkedinAccountwhenfinished.• Ensureyourcomputer’ssecurityso`wareis

uptodate.

• Don’tclickonalinkyoudon’ttrust.• SetyourProfilesengs.



Twoimportantse]ngs

• Preventyourconneconsfromseeingwhoyouaredirectlyconnectedtoo.Thiswillmake

surekeyvendorscontactsandclients

connectedthroughLinkedInremains

confidenGal.

• ProfileViews –Whatothersseewhenyou

visittheirprofile.



Recommendaon

• NeverprovideyourLinkedincredenGals(email+password)whenclickingonalink.Always

useh_ps://www.linkedin.comtologin.

• Log-outimmediatelywhenfinished.• Setyourbrowsertodeleteallcookiesattheendofthesession

(whenbrowserisclosed).



32

Internetposngsmetadata

• Metadata(dataaboutdata)areindocumentstradiGonallyusedforindexingfiles,andfindingoutinformaGonabout:

– Thedocumentcreator.

– s/wusedtocreatethedocument,andmanymore...

• Byreadingmetadatayoumaydiscover

– vulnerableversionsofs/w,thatcanbeusedforclientsidea_acks,

– OSversions, – pathdisclosure, – userid’sandmore…



33

Metadata(thesilentKiller…)

• Metadataarehiddenfromtheuser.

• Therearelotsoftoolstopulloutmetadatafromdocumentsandpictures(seepaperby

LarryPesceinwww.sans.org).• Onaposteddocumentalotofrevealingmetadatamayexist,likeuserid,OS,s/wversionnumber,telephonenumber&emailaddressofdocumentowner,MACaddress,documentpath,LocaGon(city),etc…



MobileAppsandphonefeatures

securityconcerns



Mobile Apps plus & minus points• Mobile apps make our lives

easier, but they also give a wider group of application developersand advertising networks theability to collect information aboutour activities and leverage the

functionality of our devices.• Even though a list of permissions

is presented when installing anapp, most people don’tunderstand what they areagreeing to.

• Free apps are more dangerous.

Séminaire International RSI'2012 Morocco, 19 & 20 Novembre 2012



Some of the

major risks ?



Whatfreemobileappsmaybedoing?

• TheymaygetpermissiontotrackyourlocaGon.

• Theymayhavepermissiontoaccesstoyouraddressbook.

• Theymayhavepermissiontosilentlysendtextmessages!

• TheymayiniGatecallsinthebackground(acGngasaspy

device).• Theymayhavepermissiontoaccess

thedevicecamera.

• Theymaysilentlyconnecttothe

Internet…



Spyingonyourphone

• Unauthorizedtransferof Mobiledatathataackerscanintercept:

– Calls(CDRs)andbrowsinghistory(sites). – ourcurrentlocaon. – Contacts(addressbook). – EmailsandSMSssent&received. – Acvateaudio&video(online–realme). – Datafiles(personalphotos,videos,recordingsetc.).



Fraud• Enforcethecompromiseddeviceto...

– MakePRScalls(highcost) – SendPRSSMSmessages. – Makeunauthorizedmobilepayments. – Propagatevirusandworms – Contributetobotnets.



Phishing&Impersonaon

• Vicmisaskedtoauthencatethinkingitisconnecngtoasecuresiteandendsup

sendinghiscredenalstoanaacker.

• ThemaliciousappcreatesaUserInterfacethatimpersonatesalegimateapplicaon,

forobviousreasons.



Rootkitbehavior

• Rootkitsaremalwarethatstealthilyachievetheirgoalsbymodifyingoperangsystem

codeanddatainordertohidetheir

presence.

• Forexampletheyaremodifyingtheproxyconfiguraonand/ortheysetupe-mail

forwardingtocopyreceivedemailswithoutbeenidenfied.



Legimateappsvulnerabilies

• Poorsecurityimplementaonofalegimateapplicaonsmayexposedeviceinformaon

andauthencaoncredenalsandother

sensivedatato3rdpares.

• ExamplesincludelocaonandownerIDinformaon,telephonenumberanddevice

ID,authencaoncredenalsandauthorizaontokens.

Social Network on your Iphone !



Social Network on your Iphone !

Wh t i G T i ?



Whatis Geo Tagging ?

Geo Tagging is the processof adding geographical

idenGficaGon metadata to

various media such as a

photos, videos, websites,SMSmessages,etc.

Any use of geo tagging ?



Any use of geo tagging ?

• GeotaggingcanhelpusersfindawidevarietyoflocaGon-specificinformaGon.

• Forinstance,onecanfindimagestakenneara

givenlocaGonbyenteringlaGtudeandlongitudecoordinatesintoasuitable

imageSearchEngine.



Geo Tagging concerns

• Smartphonesmayallowsomeonewiththenecessarytechnicalknowledgetofindwhere

youareoneverymoment,withafewsimple

clicks?



LocationBased Services (LBS)

• SocialNetworkswithgeotaggingfacilityONmayallowsomeintruderstolinkinformaonaboutyou

moreeasily.

• DoyoureallyneedLBS?SomeonemayconnectthepiecesofinformaGonrelatedtoyouracGviGes,and

leadtoproblems.

• IfneededlimitpeoplewhoareabletouseandseenetworklocaonservicesinyourSNprofile.



Which mobile OS is more secure ?

• Android• iOS• Blackberry• WindowsPhone

• Symbian



CONCLUSIONS

• Socialnetworksareheretostay,andastheycanbringbusinessbenefitsaswellasrisks,it

isbe_ertoensurethatuserscanparGcipate

insocialnetworkssensiblyandsafelyrather

thanbanningthemfromtakingpartatall.

• TrainingandpublishingofSMpolicyiscriGcal.

• MobileappsareextremelyusefulbuttheypotenGallyopendoorstomaliciousbehaviour.



ThankyouMichalisMavis,MSc,MSc

//gr.linkedin.com/in/mmavis

Documents

Social Media and Mobile Risk - CIO Perspective - Michalis Mavis - iCompetences RSI2012