
Mobile ad fraud costs advertisers $1 billion a year, study says

Mobile devices are easy targets, and as more dependency on wifi is enabled, fraud becomes easier to conduct without detection. I am also thinking it would be pretty easy to execute such advertising fraud, as described in the article, by installing similar tech onto all of the unsecured/unpatched Internet of Things devices on the internet. Imagine this fraud with all of the consumer internet routers!

Details from the Fortune article:

The firm said that it tracked down more than 5,000 apps that were exhibiting suspicious behavior. It found the apps by using the real-time tracking data that it gets from the various mobile ad networks that it is integrated with, which allowed it to look for the kind of rapid ad-loading and background functions that most malicious apps exhibit…

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms.

Over a period of 10 days, Forensiq says it observed more than 12 million unique devices with installed apps that exhibited fraudulent behavior: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia.

Mobile ad fraud costs advertisers $1 billion a year, study says.

… My comments on this report (not posted on Fortune due to the requirement to link a social media account):

It’d be valuable to know how those Apps identified for fraud were ranked in the ‘App stores’. This way we could identify the popularity and likely spread of these apps. The 12 million figure is large, but out of a possible 1.3 billion devices it is hard to understand the sampling effect.

I’d love more intelligence on the ‘what’, so that regular readers of the article and users of the devices could clean these Apps off their devices.

Gotta love Blackhat and DefCon week! All the research docs are released.

James

Passwords are Dead, Part II 2nd False Premise – a collaborative research effort, being presented at RSA 2013

The advent of user-created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions of brute force capability, system computing power and pro-active security teams. – After much debate and analysis … there is the thesis


This is Part II of the topic being explored and discussed at my Wednesday session at the RSA Conference in San Francisco (2013). To see the first thesis and False Premise 1, please see the original post. Jumping right in – looking forward to more feedback (thanks for the generous emails, but don’t be shy at the comment field below)!

————————————————————————

FALSE PREMISE TWO: Password strength should transcend devices – mobile, tablets (iPad, surface) [Updated 2/12/2013]

MOBILE devices:
What is the intent of the password? To stop high-CPU encryption cracking systems .. or to prevent inadvertent strangers from accessing the data? Today we wrap mobile (BYOD type, if that suits you) systems into the corporate password requirement sphere, and in some cases are being more creative with them than with other platforms.

For instance, it is recommended on a popular Apple iOS device site to use “accent characters for creating a super strong password”. Agreed, these are more difficult to guess, but is that the threat we are seeking to mitigate? In the space of X character spaces, how creative must we get?

What are the risks to these mobile devices:

  • Theft
  • Data leakage violating regulatory, contractual, or privacy expectations of customers

If we consider the two threats: theft is not mitigated by the password, as the device will simply be wiped.

[Updated 2/09/13] Data leakage is only possible if the device is ON and the password is guessed before it locks itself permanently, a feature readily available and easily implemented by the end-user, and even more robust with corporate implementation technologies.

  • So in this case, the password only needs to not be one of the top 10 most common phone passwords. At that point the device locks and can self-wipe.
  • Another scenario is that the password was gleaned through recording / shoulder surfing / or the device was simply left unlocked. In each case the password strength was not the issue. Other situations?
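To make the lockout argument concrete, here is an added toy model (my example, not part of the original post) of how an attempt-limited, self-wiping lock screen bounds a guesser; the three policies, the PIN shares and the guess order are all constructed assumptions, not measured data.

```python
# Added example (not from the post): lockout-and-wipe turns "strength" into "not among the first N guesses".
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

@dataclass(frozen=True)
class LockPolicy:
    wipe_after: Optional[int]        # failed attempts before self-wipe; None = never wipes
    backoff_seconds: Sequence[int]   # delay after the 1st, 2nd, ... failure (last value repeats)

# Constructed, hypothetical PIN shares for illustration only, not measured data.
COMMON_PINS: Dict[str, float] = {
    "1234": 0.11, "1111": 0.06, "0000": 0.02, "1212": 0.012, "7777": 0.007,
    "1004": 0.006, "2000": 0.006, "4444": 0.005, "2222": 0.005, "6969": 0.005,
}
PIN_SPACE = 10_000  # every 4-digit PIN

WIPE_AFTER_10 = LockPolicy(wipe_after=10, backoff_seconds=())
BACKOFF_ONLY = LockPolicy(wipe_after=None, backoff_seconds=(0, 0, 0, 0, 0, 60, 300, 900, 3600))
NO_LOCKOUT = LockPolicy(wipe_after=None, backoff_seconds=())

def guesses_available(policy: LockPolicy, time_budget_s: int, pin_space: int = PIN_SPACE) -> int:
    """Attempts someone holding the device gets before it wipes or the backoff outlasts their window."""
    elapsed, guesses = 0, 0
    while guesses < pin_space:
        if policy.wipe_after is not None and guesses >= policy.wipe_after:
            break                      # device has wiped itself; nothing left to guess
        guesses += 1                   # another candidate is entered
        if policy.backoff_seconds:
            idx = min(guesses - 1, len(policy.backoff_seconds) - 1)
            elapsed += policy.backoff_seconds[idx]
        if elapsed > time_budget_s:
            break                      # the next attempt would fall outside the window
    return guesses

def guess_order(common: Dict[str, float] = COMMON_PINS, pin_space: int = PIN_SPACE) -> list:
    """Most frequent PINs first, then the rest in numeric order (a simplifying assumption)."""
    ranked = [p for p, _ in sorted(common.items(), key=lambda kv: -kv[1])]
    return ranked + [f"{i:04d}" for i in range(pin_space) if f"{i:04d}" not in common]

def pin_reachable(pin: str, policy: LockPolicy, time_budget_s: int) -> bool:
    """True if the guesser reaches this PIN before the policy stops them."""
    return guess_order().index(pin) < guesses_available(policy, time_budget_s)

def compromise_probability(policy: LockPolicy, time_budget_s: int) -> float:
    """Share of devices unlocked if PINs follow the toy distribution (remaining mass spread evenly)."""
    n = guesses_available(policy, time_budget_s)
    ranked = sorted(COMMON_PINS.values(), reverse=True)
    tail_per_pin = (1.0 - sum(ranked)) / (PIN_SPACE - len(ranked))
    return min(1.0, sum(ranked[:n]) + max(0, n - len(ranked)) * tail_per_pin)
```

With a wipe after ten failures, an uncommon PIN is never reached no matter how long the device is held, while without any lockout every PIN is reachable; the backoff-only policy sits in between, bounded by the guesser's time window.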

As we move into an ever mobile, data everywhere, and always connected scenario an interesting ecosystem of access & authentication appears, that requires continued serious challenge against the assumptions of our security and assurance programs.

Diving in …

Data is mobile – what role does a single password play in accessing sensitive data? Data stored on device (Cloud storage we can address on the integration point below) is at risk to a number of threats:

  • The device can be attacked directly (similar to any other computing device with IP addresses and Ports) wirelessly, but typically requires physical proximity (simplest) which is reserved for either random or very targeted attackers.
  • The device can be stolen, and if there is no OS password, then the data itself is attacked/accessed directly. An unlocked device calls for risk mitigation techniques that are harder, so a password is the EASIEST. A password on the data within an application is worthless without some form of self-destruct functionality similar to that of the OS level safeguards.

>> Why are passwords WORTHLESS at the application level in this situation?

>>> If the attacker is ON the device (physically or remotely) and our Use Case is an encrypted database – the attacker can copy that encrypted database to their system for local attacking (easy and zero user awareness), or they can access the database locally via brute force until they get in.

The data is at risk regardless without some form of self-destruct and tremendous levels of assurance related to the encryption of the data(base) itself.

  • Other thoughts here?
  • What is missing?

Passwords play a significant role at certain tollgates upon the data (when stored on the device), and less of one the more “access” the attacker gets to the underlying system. A common refrain of attackers is – with “physical” access I can break into anything. We must today deal with the reality that ALL ACCESS is PHYSICAL when the data is mobile.

Plethora of devices – Today data is accessed from many devices, some owned by corporations, some by end-users, and some by nobody – kiosks. Single passwords entered into systems that allow single-thread authentication, where NO assurance is understood of the underlying system and there is no situational awareness of the User presence seeking authentication, result in failed security.

  • The reuse of passwords across devices threatens the confidentiality of the password itself (as much as that matters).
  • The multitude of devices increases the need to redefine what is “access” and the functions of authorization (I used “functions” instead of “rules” intentionally to draw attention to the necessity for a broader approach to solving this constraint).

Integration with third party service providers – [to be expanded…]

—————————-

Conclusion – a preview:

  1. Stationarity is defined as “a quality of a process in which the statistical parameters (mean and standard deviation) of the process do not change with time.” – Challis and Kitney, November 1991
  2. Offline Data level authentication – Offline in an ‘always connected’ world

[Disclaimer: First off, this is my research and not anyone else’s. Second, the examples above are meant to illustrate technical realities in a reasonably understood presentation. Let’s focus on the problem .. identify weaknesses in the argument; and introduce the mitigation so greatly required in our online world.

I share and seek these answers for the preservation and enhancement for our way of life… as simple as that and I appreciate you being a part of my journey]

Always seek, everything…

James DeLuccia

Twitter: @jdeluccia

Securing to Compliance w/ iPads and Tablets in a PCI world

A growing and undeniable trend is the consumerization of devices.  The usage of iPads and tablets in the enterprise and corporate board room is rapidly growing.  Anecdotally, 90% of 1st class on my last 10 flights were using iPads, and the last CxO work session 50%.  Recent stats show 95% of tablet traffic is from iPads.  Needless to say these devices are here to stay and information security professionals must adopt rapid models to Enable-Securely these end-points.  It is not possible, practically, to simply block or deny the use of these devices, as the enterprise value will continue to increase.  In addition, most organizations see these devices being utilized even with no policies, no technology enabling their usage, and no methods of risk awareness (let alone risk assessment, risk treatment).

I was recently asked how the usage of these devices in an enterprise would affect their PCI compliance state, and the security risks in general. Now I feel there are a lot of ‘it depends’ and assumptions that are necessary with such a fragile Use Case, but let’s entertain the following question.

What risks should enterprises be aware of as it relates to these devices, and in particular sustaining their security program in a compliant manner that satisfies, such things as, PCI DSS?

Risks to consider, at least:

  • Who owns the data?  When data is transferred or created on another device, who owns it?  This is important with forensic investigations; liability; and rights of usage laws.  This question on the surface with a consumer purchased iPad is one example, the actual in-store App purchases themselves are another example, but what of using Cloud enabled services (the Apps installed on the tablets themselves) – the necessity of understanding data ownership extends and rapidly becomes complex.
    • White lists / black lists on service providers may be helpful here. At the minimum, understanding who owns the data; how responses will be managed; and guiding principles (that can be monitored w/ metrics) on usage of third party devices/apps/services would be key.
  • All the security in the world can be bypassed with physical access, so devise a “when lost do x” plan; ensure configurations exist to support that activity, and establish a protocol for the Cloud provider accounts linked to the device.
  • The above is directed at the device itself being lost (such as left on a plane), but when the device syncs with the home computer (who owns this computer and how secure is it?) usually the ENTIRE device is backed up as one large compressed file.  This file can be loaded in a host environment and provide access w/o the device.  Consideration of these sync systems is critical (note this is not iCloud or DropBox as those are over the air and this risk is aimed at over the wire activities)
  • Accept that sensitive data is residing on these devices – confidential; proprietary; sensitive; etc …  Plan accordingly.  Instituting careful data management can ensure that such data is enabled through channels that are secure on these devices and repositories that match the data risk and device exposure risk.
    • (PCI considerations) If this device is being used as a point of sale terminal, then the common care and management utilized is appropriate. If the device is part of the Card Data Network w/o being key to the transaction, then perhaps some segmentation efforts would simplify the broader risks (if all end points are in the card data environment this is probably a larger problem than the population of iPads). The same safeguards on the technology deployed with consideration of Sensitive data (prior item) can satisfy the requirements of PCI DSS, so a non-issue when deployed “appropriately”.
  • Mobile security safeguards and policies will not reflect the common computing system policies, as the use cases are different and there exist different advantages. A nice point raised by Dave Whitelegg is that mobile policies that enforce the complexity (alpha; upper/lower case; and special symbols) on a tablet would kill (my word) a key attractor of the tablets. Therefore some balance needs to be achieved. This is also true when deploying applications such as “Good for Enterprise”. The multi-layer password sandbox approach is the wrong approach in many cases, as it violates the first principle above and may not enable users sufficiently to prevent the Ghost-IT specter.
  • The risk assessment of these devices within the enterprise must look beyond the hardware and operating system (both important to understand and consider) to the applications installed and the risk of converging these applications.
    • Applications – How are these applications handling data?  How are the applications leveraging / integrating with other third parties (i.e., linking to DropBox)?  How are these applications transmitting data, and what data is being transmitted (the Pulse full contact list transmission comes to mind here, a technically permitted activity but unexpected)?  Finally, how are those applications managing the data once received (note: we are not stating that they are securing the data, but first must understand how they are managing it and then ultimately whether they should be securing it .. demonstrating this security .. and continue such security)

Ultimately these emerging (emerged?) devices require the care and attention of all elements of the computing environment, and it is the opportunity and task at hand to influence and sustain a secure computing environment – with each type of device.

On the question of whether these devices can be deployed within a card data environment and/or be used in commerce… the answer is yes, of course with the proper care and awareness.

There is an emerging market on enabling these devices in the enterprise. As I identify any of interest I’ll include them below (I have not vetted these, so consider this a simple index if you will):

This is a complex area and I value all input, so feel free to share; challenge, and redirect as appropriate.

Best,

James DeLuccia