3} Cybercrime: Mobile and Wireless Devices Learning Objectives Ae eading this chapter, you will be able to: Understand the security challenges presented Understand the organizational security impli- by mobile devices and information systems cations with electronic gadgets and learn what access in the cybercrime world. organizational measures need to be imple- ‘+s Understand the challenges faced by the mobile mented for protecting information systems workforce and their implications under the from threats in mobile computing area. cybercrime era. ‘© Understand Smishing and Vishing attacks in «+ Get an overview on mitigation strategy like the Mobile World. the CLEW for possible protection of credit © Understand the security issues arising due to card users. daily use of removable media such as pen/zip ‘© Learn about security issues arising due to use _drives in this mobile environment. of media players. 3.1 Introduction In this modern era, the rising importance of electronic gadgets (i.c., mobile hand-held devices) — which became an integral part of business, providing connectivity with the Internet outside the office — brings many challenges to secute these devices from being a victim of cybercrime. In the recent years, the use of lpops, personal digital assistants (PDAS), and mobile phones has grown from limited user communities ro widespread desktop replacement and broad deployment. According to Quocirca Insight Report (2009),!) by the end of 2008 around 1.5 billion individuals around the world had the Internet access. In November 2007, mobile phone users were numbered 3.3 billion, with a growing proportion of those mobile devices enabled forthe Internet access. The complexity of managing these devices outside the walls of the offce is senting that the information technology (ITT) departments in the organizations need to address. Remote on a extended from fixed location dial-in to wireless-on-the-move, and smart hand-held devices reat have become networked, converging with mobile phones. Furthermore, the maturation of the defen vancerent in cellular phone technology have converged into a new category of mobile phone the Snarphone, bina ates combine the best aspects of mobile and wireless technologies and blend them into a useful |. Although IT departments of organizations as yet are not swapping employees! company-provided PW~~ 82 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Pers i Sctives PDAs as the case may be) forthe Smartphones, many users may bring these devices from home ay if the office, Rescarch in Motion’s (RIM) Blackberry Wireless Hand-held isan alternate technology hat, Reseatch in Motion Annual Report (2008), theeare over 175,000 organizations with Blackie Se Server installed behind the conporate firewall (i.e. corporations that use the BlackBerry emery) eye dlent/scrver sofvare for data commanication between corporate BlackBerry devices and othe pea ‘Thus, the larger and more diverse community of mobile users and their devices increase the dea? Ne IT fantion vo secure the device, data and connection to the network, keeping conta of the coy 4 while at the same time supporting mobile user productivity. Clearly, these technological devel “| % ts pment py “e a new set of security challenges to the global organizations. oe 3.2 Proliferation of Mobile and Wireless Devices ‘Te proc 1 incredible advances are being made for mobile devices. ‘The trend is for smaller dey sing power. A few years ago, the choice was between a witeless phone and a simple buyers have a choice between high-end PDAs with integrated wireless modems and small ph less Web-browsing capabilities. A long list of options is available to the mobile mobile device provides enough computing power to run small applications, pl make voice calls. key driver for the growth of mobile technology is the rapid ga ‘ICES and PDA. Now ONES With wi Users. A simple hand ay games and mui ‘owth of business slug yea into hand-held devices. Figure 3.1 shows some typical hand-held devices. As the term “mobile devic ncludes many products. \ terms: mobile computing, wireless computing and hand-held these terms are related. Let us understand the tse provide a clear distinction among thle devices. Figure 3.2 helps us understand fe concept of mobile computing, and the various types of doe Figure 3.1 Typical hand-held devices, source: Nina Godbole (2009) Frameworks and Best Practices, Wiley pias etait Security: Security Management, Metrics ), Information s,c ¢ Figure 3.2 Me Cybercrime: Mobile and Wireless Devices _83 Standard Taptop ‘Standard PDA = go Laptop with : wireless i access Handheld, aa Wireless, Desktop PC. with wireless. access xa ‘Smartphone OAD PDA — Personal digital assistant - Mobile device A - Wireless device © —Handheld device Mobile, wireless and hand-held devices. 3 Source: Nina Godbole (2009), Information Systems Security: Secunty Management, Metrics, Frameworks and Best Practices, Wiley India. computing is “taking a computer and all necessary files and software out into the field.” Many types of mobile computers have been introduced since 1990s." They are as follows: L 2 3. Portable computer: It is a general-purpose computer that can be easily moved from one place to another, but cannot be used while in transit, usually because it requires some “setting-up” and an AC power source. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has features of a touch- screen witha stylus and handwriting recognition software. Tablets may not be best suited for appli- cations requiring a physical keyboard for typing, but are otherwise capable of carrying our most tasks that an ordinary laptop would be able to perform. Internet tablet: It is the Internet appliance in tablet\form. Unlike a Tablet PC, the Internet tablet does not have much computing power and its applications suite is limited. Also it cannot replace a general-purpose computer. The Internet tablets typically feacure an MP3 and video player, a Web browser, a chat application and a picture viewer. Seu Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with limited func- tionality, Iris intended to supplement and synchronize with a desktop compuren, BNINB 2°<=S5 (0 contacts, address book, notes, E-Mail and other features. Ultramobile PC: It is a full-featured, PDA-sized comp! system (OS), Smartphone It isa PDA with an integrated cell phone fu Wide range of features and installable applications. ; ser a comuiing device sae ed in an automobile, It operates a8 @ es compute Sound system, global positioning system (GPS) and DVD playeti-It also contains word’ p iB software and is Bluetooth compatible. 'y Fusion Pentop computer: It is a computing 48 vrting utensil, MP3 player, language translator uter running a general-purpose operating nctionality. Current Smartphones have a the size and shape of a pen. Te functions jevice with rage device and calculator. digital sto4_ Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspect, << information between a computing device (such as « p Wireless refers to the method of transferring info ener es 2 PDA a, ee eda ier ee technologies are mobile. For exat Chis ime Mobile simply ea bes neanies device that is not nk toa desktop, thats no tethered. As more personal devices find their way into the enterprises eat reStigg rain bens sncome slog ah the bees chiered with mob alsin ns ee ‘computing does not necessarily require wireless communteaion. In fact, it may noe Tei. eation among devi a al Thus while "wires subst of abil” in most ees, an ppc can be mobile without being wireless. Smart hand-helds are defined as hand-held or Pocker-sized deve < PDAs and Smartphones. In this chapter the term “hand-held! is used as an all-embracing term, 3.3 Trends in Mobility i i reneration (3G), which Mobile computing is moving into a new era, third g ( c applications and have highly improved usability as well as speedier networking, Google-ed “Android” phones are the best examples ofthis tend and there are plenty of other developmen thar point in this direction, This smart mobile technology is rapidly gaining popularity and the tacky (hackers and crackers) are among its biggest fans, ; Ie is worth noting the trends in mobile computing; this will help readers to realize the setiousnes sues inthe mobile computing domain. Figure 3.3 shows the diferent types of maby: Promises greater vai Phone” from Apple cybersecuti their implications. ions. ‘Types of Mobility and its Impii What is the difference? (2) User interaction Mode! Smaller, battery-driven devices, mutiple hetero- Device mobility generous networks or often no network Position becomes parameter Session mobility tssues in dat istribution Distributed lite cycle Service mobility (Code mobility) = eee em Figure 3.3 | Mobility types and implications, ‘urce: Nina Godbole (2009), Information 5) istoms Security: Metrics, ‘Frameworks and Bost Practices, Wiley India’ donna a erneerer- Cybercrime: Mobile and Wireloss Devices _85 ‘Jo assess major challenges in the mobility domain, let us see the statistics found during the surveys. 7 th surveys"! reported by Quocirca, employces working in government oe have lost ce mislaid over 1,000 laptops, Jost more than 500 phones or mobile E-Mail gadgets and lost over 700 other Mrobile devices (Le.» probably memory sticks, cameras, etc.) Another such survey, reported by Quocirca,”™ ‘eke 2,853 respondents, 29% had a broad experience of wireless laptops, 14% had a broad experience of Spatt hand-helds, with around a further 60% in each case having a more limited or unofficial experience. Fadings from surveys like these help us demystify many perceptions about mobile and wireless connect tis The results of surveys like these indicate that we are grappling with a “perception problem’; most people fave not as yet come to terms with the fact chat the hand-held devices may look “ha ‘que serious cybersecurity issues to the organizations (see Box 3.1). The new technology 3G networks are not entirely buile with IP data security. Moreover, IP data world ‘when compared to voice-centric security threats is new to mobile operators. ‘There are numerous attacks that ‘an be committed against mobile networks and they can originate from two primary vectors. One is from sutside the mobile network — that is, public Internet, private networks and other operator's networks ~ and the other is within the mobile networks ~ that is, devices such as data-capable handsets and Smartphones, notebook computers or even desktop computers connected to the 3G network. less” but they can Box 3.1 \ Key Findings for Mobile Computing Security Scenario 1. With usage experience, awareness of mobile users gets enhanced: Survey showed that those with broad wireless laptop experience place less emphasis on this aspect for the deployment of smart hand-helds, However, an experience of small hand-held deployment boosted the num- bers seeing the need for increased provision of user support and training. 2. People continue to remain the weakest link for laptop security: Antivirus software, secured virtual private network (VPN) access and personal firewalls are deployed over two-thirds of If profes- sionals, but those with a broad wireless experience regard loss, damage or unauthorized use as their major concerns. These depend on the care taken by the users and well-communicated secutty policies. 3. Wireless connectivity does litle to increase burden of managing laptops: The cost and complexity of device management is seen as an issue by around half of the IT professionals surveyed. However, the level of challenge perceived to affect security, device management and use sup- pot is unatfected by a broader experience of wireless laptop deployment. 4. laptop experience changes the view of staring a smart hand-held pilot: The key concerns for starting a smart hand-held are security and the cost of devices, but these lessen for those with ‘a broad wireless laptop experience. However, the concern over choosing the most appropriate devices rises with experience: users cite further concerns ‘over interoperability and compatibility. There Is naivety and/or neglect in smart hand-held security: Although plenty of emphasis is Placed on security, a large number of IT departments do not enforce security for smart hand- helds as well as for laptops or they leave it in the hands of the users. This is more prevalent in those with limited or unofficial smart hand-held activity, but even those with a broad exper ae (almost one-third of those surveyed) do not treat smart hand-held security os seriously os laptops, ie Rules rather than technology keep smart hand-helds' usage In check: Businesses wilh on oxiting ex i Jled deployment, with almost two- ‘Petience of smart hand-helds favored a policy of control a say Yrethied ‘of the surveyed thirds of th be ne Vasvices Ise surveyed providing a limited choice of devices, 0 rd of population was ae of technolooy solution based on continuous synchronization. However, ae experience increases the use of other automated sol ‘cnagement and remote device deactivation. lutions, such as centralized software lent, Metrics, Frameworks ond Best86 Cyber Security: Understanding Cyber Crimes. Computer Forensics and Legal Perspectives 4 are as follows: i still in the transient process of sw) J. Malwares, viruses and worms: Although many users are sti OF sitchin from 2G, growing need to educate the community people and provide awarenc, of auch threats that exist while using mobile devices. Here are few examples of malware(s) specifi, Ie targets Series 60 phones equipped with the Symbian mobile OS. | Cabir Whom Ie is the first dedicated mobile-phone worm: infects phones running on Symbiz, OS and scans other mobile devices to send a copy of itself to the first vulnerable phone it fing through Bluetooth Wireless technology. The worst thing about this worm is thar the source coy for the Cabir-H and Cabir-I viruses is available online. + Mosquito Trojan: e affects the Series 60 Smartphones and is a cracked version of “Mosquito jobile phone game. : + Brador Tojant Ie affecs the Windows CE OS by creating a svchostexe file in the Window startup folder which allows full control of the device. This executable file is conductive to tag. tional worm propagation vector such as E-Mail fle attachments (refer to Appendix C), Lasco Worm: It was released first in 2005 to target PDAs and mobile phones running the “5 source code and replicates over Bluetooth connection, Popular types of attacks against 3G mobile networks” Symbian OS. Lasco is based on Cal Denial-of-service (DoS): The main objective behind this attack is to make the system unavailable the intended users. Virus attacks can be used to damage the system to make the system unavailable (we will address this attack in detail under Chapter 4). Presently, one of the most common cyber security threats to wired Internet service providers (ISPs) is a distributed denial-of-service (DDoS) attack. DDoS attacks are used to flood the target system with the data so that the response from the targer system is cither slowed or stopped. Botnets/zombies are used to create enough traffic to impose that kind of damage (we have addressed zombies in Chapter 1 and Botnets in Chapter 2), Overbilling attack: Overbilling involves an attacker hijacking a subscriber's IP address and then using it (i.e., the connection) to initiate downloads that are not “Free downloads” or simply use it for his/her own purposes. In cither case, the legitimate user is charged for the activity which the user did not conduct or authorize to conduct. Spoofed policy development process (PDP): These types of attacks exploit the vulnerabilities in the GTP [General Packer Radio Service (GPRS) Tunneling Protocol]. Signaling-level attacks: The Session Initiation Protocol (SIP) is a signaling protocol used in IP mul- timedia subsystem (IMS) networks to provide Voice Over Internet Protocol (VoIP) services. ‘There are several vulnerabilities with SIP-based VoIP systems. -inc.com/uploads/free_white_papers/3G_ To know more on this topic, readers may visit http://www. MobileSecurity_Jan07.pdf | Mobile Security Processing System (MOSES) is a programmable security processor platform that “enables secure data and multimedia communications in next-generation wireless mobile computing. | MOSES was developed to meet the security challenges in emerging mobile technology such as 36 and | 4G mobile phones and PDAs. It is a security processing architecture to provide secure (i.e., tampe” | resistant) and efficient (i.e., high performance, low power) execution of security processing functions. _ Tt constitutes three key components, such as Security Processing Engine (SPE), a hierarchical secure | memiory subsystem and security-enhanced communication architecture, from hardware perspective-Cybercrime: Mobile and Wireless Devices _87 3,4 credit Card Frauds in Mobile and Wirele: Shoe are new tends in eybettime that are THeEommerce) and mobile banking (M-Banking) Crake nea nike everincessing power and the everreducing wine sen gt uc in esy availablity of these gadgew to almec eng ey sy factors wey common; new technologies combine low-cost mobile phone tchusk cand maniacs ate now Ste POS) terminal Phone technologies with the capabilites of a belongs to “mobile computing,” + an snology have fuelled this ney eee anywhere anytime computing. The developments in F workin, /hite collar workers. Thi i 5 ig for white collar workers. This i fe : Y k . This is true for redit card processing too; wireless credit card processing is a relatively new service that will allow 4 person to process credit cards electronically, virtually anywhere, Wireless credit card processing is avery desirable system, because it allows businesses to process transactions from mobile locations quickly, efficiently and professionally. It is most often used by businesses that operate mainly in a mobile environment. These businesses include mobile utility repair service businesses, locksmiths, pile windshield repair and others. Some upscale restaurants ate using wireless processing equipment for the security of their credit card paying customers. Figure 3.4 shows the basic flow of transactions involved in purchases done using credit cards.U"1 Credit card companies, normally, do a good job of helping consumers resolve identity (ID) theft problems (refer to Chapter 5) once they occur. Bur they could reduce ID fraud even more if they give consumers better tools to monitor their accounts and limit high-risk transactions (Box 3.2). ss Computing Era oming it i uP with mobile computing ~ mobile commerce Security control module Card swiped to obtain Cardholder magnetic stripe data magnetic stripe card Magnetic stripe Merchant reader and server PIN pad ‘Security , a control module hese PI inside Oe encrypted PIN block- m apn with optional oe er PIN offset data Card issuing bank ; a tres, Figure 3.4 | Online environment for credit card Tas "Seouriy: Security ‘Management, Met lion Source: Nina Godbole (2009). Informal! Frameworks and Best Practices, Wiley India.88_Cyber 1 2 7 Box 3.2 \ Tips t ic it card The current topic is about credit would like to include these tips to prev about a few known facts. Do's |. Inform your bank in advance, about any change in your contact details such as home address, Dont’s ‘Source: hitp:// wwwstc.gov/bcp/edu/pubs/consumer/credit/cre07 shim ity: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives Security: o Prevent Credit Card Frauds nd wireless computing era, however, we bile a , frauds in mo! .ds caused due to individual ignoraneg ent credit card frau ae a the card immediately upon its receipt natocopy h the sides of your card and preserv in case of loss of card. Sent umber (PIN) received from the bank before doing Put your sigh Make the photocopy of bot! the card number, expiration Change the default personal identification n any transaction. Always camry the d e it at a safe place to remembe; {étails about contact numbers of your bank in Ke of loss of your card, eparate pouch/card holder than your wallet. | ; co on oor four od duting tne ensaction, ond ensute 10 get I back immediately Preserve all the receipts to compare with credit card invoice. Reconcile your monthly invoice/statement with your receipts. Report immediately any discrepancy observed in the monthly invoice/statement. Destroy all the receipts after reconciling it with the monthly invoice/statement. cell phone number and E-Mail address. Ensure the legitimacy of the website before providing any of your card details. Report the loss of the card immediately in your bank and at the police station, if necessary. Store your card number and PINs in your cell. Lend your cards to anyone. Leave cards or transaction receipts lying around. Sign a blank receipt [if the transaction details are not legible, ask for another receipt to ensure the amount instead of trusting the seller). Write your card number/PIN on a postcard or the outside of an envelope. ve out ninety your account number over the phone (unless you are calling to a com- Destroy credit card receipts by simply dropping into garbage box/dustbin, _ There is a system available from an Australian com wireless (CLEW). Figure 3.5 shows the flow of events with CLEW which is a cy used here only to demonstrate the flow in this envitoni As shown in Figure 3.5, i 2 3. 4. 5. ipany “Alacrity” called closed-loop environment for gistered trademark of Alacrity ment.) the basic flow is as follows: Merchant sends a transaction to banks the bank transmits the request to the authorized cardhol the cardholder approves o rejects the bank/merchant is notified a Perego the credic card transaction is completed Ider [nor shore message service (SMS)Ii 3.4.1 Types and Techniques of Credit Card Frauds Traditional Techniques “The traditional!" and the first yy pe of credit card fraud is nal uss stolen or fake documents suchas uly bills and eg ae lcaton flan, whercin 2c Identifiable Information (PII) (refer to Ch: nk statements that can build up useful perso"! apter 5) to open a ; ter 5) to open an account in someone elses nanvy x © 'ybercrime: Mobile and Wireless Devices 89 NEW EC seourity | Merchant contrat moaule Yes — Approve transaction No~ Reject transaction Request for approval from credit card owner Advises bank Yes or no \ Individual card holder using cell phone for credit card transaction Figure 25 | Closed-loop environment for wireless (CLEW). Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India. Box 3.3 \ Potential Wireless Users - Beware! Although wireless processing is a very good system for many companies, however It is not for all mobile busineswes. There are some drawbacks to wireless processing that many potential wireless te’s should be aware of before they venture into wireless processing. They are as follows: 1. Wireless processi ment is expensive: There is no way to get around this. Wireless creait Miele: processing equinmen ovr procesing terminae avaloble Tov oe a and fort For a wireless terminal with a printer, expect to Poy at least US$ 800 for a new termina ka eI US$ 700 for a refurbished terminal. If you are purchasing © terminal that is mug ie eopet than ‘any other you find, it is most likely outdated ‘equipment that uses So etl b other words, it is a scam, and you are about fo buy areally expensive operwe ight —_ Wireless processing comes with extra fees: Jus! ke ¢ cell phone, wiles clog coe operate on celular networks. You have to pay for Ins celulr Service nat hey ore fr cell cost of equipment, Luckily, wireless fees for processing care nowhere Phones. Expect to pay US§ 20-25 pet month for & wirele’ Sssenice yal YOU ore 2 NO Viteless oat cord machines are subject fo cellular covets blackouts thinking ~""My cell phone works almost everywher fe, so my wireless creat cass moctine va too" Sadly fhisis te he cose. Wireless credit cord processing uses 0 busines celia network cole treet nol he ose. tHe cir cell phone MAY DE LATS TiC system for mobile COM, Thulple aecess (CDMA) or lime division multiple eee {DMA lobe cal munications foamy cr some other technology-based Te he Co ates Bhone gels is much greater than the witless Procee’ Your county with no coverage for wireless Process~~ 90 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives Box 3.3 \ Potential Wireless . . . (Continued) wireless network: Currenth 4, You cannot process checks or debit transactions over a 'V owin, federal regulations, itis impossible to process debit transaction or electronic checks over a ee less network. This fs something that will probably end up being allowed in the future, but gs no there is not sufficient security or encryption to process these transactions wireless, Source: Nina Godbole (2007), Information Systems Securily: Securily Management, Metrics, Frameworks nd Bey Proctices, Wiley India, Application fraud can be divided into 1. ID theft: Where an individual pretends to be someone else (see more on ID ‘Theft in Ch, 2. Financial fraud: Where an individual gives false information about his or her financi acquire credit. apter 5) al statu Ulegal use of lose and stolen cards is another form of traditional echnique. Stealing a creditcard is cither§ pickpocket or from postal service before it reaches its final destination. Modern Techniques Sophisticated techniques!” enable criminals to produce fake and doctored cards. Then there are alo tho who use skimming to commit fraud. Skimming is where the information the back of the credit card or the data stored on the smart chip are copied on skimming frauds in Chapter 11 in CD). Site cloning and false merchant sites on the Intemer nn becomin 3 popular method of fraud and to ditect the users to such bogus/fake sites is called Phishing (see more on ti it Chapter 5) Such sites are designed to get people to hand over their credit card detaily uy they have been directed to a fake weblink/webste (ie., they have been scammed). held on either the magnetic sepa from one card to another (see mor 1+ THangulation: Ieis another method of credie card fraud and works inthe fashion as explained furth * The criminal offers the goods with heavy discounted rates through a website designed and host by him, which appears to be legitimate merchandise websive ‘The customer registers on this website with his/her name, credit card details. ‘The criminal orders the goods details and supply shipping add on the criminal’s website The goods are shipped to the customer and the transaction gets completed. * The crminal keeps on purchasing other goods using fraudulent credit card details of differe™ fistamers tll the criminal closes existing website and starts a new one. Such websites are usually available for few weeks/months, till the authorities track the webs als to reveal their personal details, which ensbl creditcard details ofthese customers. The <™* Se ctiminals is time-consuming, and the cris that may cause farther difficulty wo trace the fusion for the authorities so that they can one ' purchased through such fraudulent rans cchnique ~ computer emulation sofeware ~ A : to ‘The criminals highly rely on these gene™ are available for free download on the Internet address, shipping address and vali from a legitimate website with the help of stolen credit ca ress that have been provided by the customer while register inal. The criminals aim to create a great deal of cor long enough to accumulate a vast amount of good 2 Credit card generators: It is another modern creates valid credit card numbers and expiry dave create valid credit cards. ‘TheseCybororine: Mobilo and Wirolons Dovicos 91 3.5 Security Challenges Posed by Mobile Devices tay ings 80 wl cae 9 eyerecaniy Men aside the plysllly contol eavlionmentandccrt a \ snment sein pianted Petceptions ofthe onpunbationstareg eh Pee ta Ht ani devs appropriate security operating procedure, When peaple me led does peace ae lmpanant in yc of mobile devices, tl to be thinking, of the oes alow I Mi or “me 8 0 challenges ane pn hed von the hand-held devices, Information is being ingaliverse 140 seal number of mobile device user achallenges" and another at the onyganteay wanted: ane at the device level called ale action and mittens tn the weetaeri en une men Sone well-Rnown technical challenges in mobile security ave: managlag the rogtry setings and configura tions, authentication service security, eryptagnaphy security, Lightweight Directury Access Pratacal (LDAP) security, remote aces server RAS) security. media player contol security, netumking application progr interface (APD) security ete, In this section, we provide a brief discussion on these eybersceuiy aspects, For most of the dis- cussion here, the reference point is Windows mobile development given that the developers of the Windows OS are on the forefront of the technology in terms of their mobile computing, technologie w of the discussion in Section 3.4, the ID thei (we will address i in Chapter 5) i now becom fiaud in credit cand business domain, wherein individuals Personally Identifiable information (PI) is misused to open new credit accounts, take new loans oF engage in other types of xt acetlon, auds, such as misuse of the victim's 0% 10% 20% 90% 40% 0% 60% 70% Y Security challonges Cost and complexity of devico management User technical support issues perience of both smart handholds a ind wireless laptops Allrespondents —[Z] Broad ox jevices. Figure 3.6 stams Securit Important issues for managing mobllo di Source: Nina Godbole (2009), Information Sys! Frameworks and Bost Practices, Wily India. iy: Socuriy Managomont, Metrics,92 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Porspoctivas , jon wi is charged with a crime, when renting an apart information when someone is charg 1 I care. name and identifyi when obraining mé 3.6 Registry Settings for Mobile Devices through an example: nd Mictosoli Oulu ke Aicrosolt Actives, y settings on mobil dows-powered personal computers (PCs) and A en Windows-powered PC and Windows mobile-powered devi ion, Microsoft Otfice documents, pictun” Lecus understand the issue of regist is meant for synchronization with Wi ActiveSync acts as the gaeway betwe: ; enabling the transfer of applications such as Outlook informati i HS, pct, music, videos and applications from a user's desktop to his/her device. In addition to synchronizing with, | PC, ActiveSyne can synchronize directly with the Microsoft exchange server so that the users can keep hp E-Mails, calendar, notes and contacts updated wirelessly when they are away from their PC «Ln this contey, Action [Update tnd Hive: HKEY_LOCAL_MACHINE x Key Path: SYSTEM \CurrentControlSet\Services\usbstor Velue ype: REG_DWORD a Value data: 4 Base © Hexadecimal © Decimal Figure 3.7 | Registry value browsing, Source: Nina Godbole (2009), Informatian cx.Cybercrime: Mobile and Wireless Devices 93 i peti oie vecablisi en 88 ore operat , rectory. As a supporting point, consider the a gin se st 2 year, Microsoft has doubled the numberof group pole setings tha ships iy be OS, Tere ae now neatly 1,700 settings in a standard group policy, The emphasis on most of the we ppolcy stings is security a ‘There is one more dimension to mobile device security: new mobile applications are constantly being ed help protect aginst Sprware viruses, worms, malware (we will address it in Chapter 4) and other Malicious Codes that rund ae the networks and the Internet. Microsoft and other companies are trying to develop solutions as fast as they can, but the core problem is still not being addressed. According to the tents the core problem ro many of the mobile security issues on a Windows platform is that the baseline security is not configured properly. When You get a computer installed or use a mobile device for the first fin, it may not be 100% secute. Even if users go through every Control Panel seting and group policy option, they may not get the computer to the desired baseline security. For example, the only way to get a Windows computer toa security level that will be near bulletproof is to make additional registry changes that are not exposed through any interface. There are many ways to complete these registry changes on every computer, suesome are certainly more efficient than others. Naive users may think that for solving the problem of mobile device security there are not many registry settings to tackle. However, the reality is far different! The reality of the overall problem becomes prevalent when you start researching and investigating the abundance of “registry hacks” that are discussed in Microsoft Knowledge Base articles. Figure 3.7 displays an illustration of how some tools allow users to browse to the desired registry value on their mobile devices. 3.7 Authentication Service Security There are two components of security in mobile computing: security of devices and security in networks, Asecure network access involves mutual authentication between the device and the base stations or Web seoves, This isto ensure that only authenticated devices can be connected to the network for obtaining the "equested services. No Malicious Code can impersonate the service provider to trick the device into doing something it does not mean to. Thus, the networks also play a crucial role in security of mobile devices. Some eminent kinds of attacks to which mobile devices are subjected to are: push attacks, pull attacks and ‘rah atacks (see Figs. 3.8-3.10). Authentication services security is important given the typical attacks on mobile devices through wireless networks: DoS attacks, rafic analysis, eavesdropping, man-in-she-middle attacks and sesion hijacking. We will tinue further technical discussion on such topics in Chapter 4. Security measures in this scenario come a Wireless Application Protocols (WADs), use of VPNs, media access control (MAC) addres filtering and. “‘elopment in 802.1% standards. 4, F F 14 Cryptographic Security for Mobile Devices Iran’ tion we will discuss a technique known as exspiographically generated addreses (CGA). CGA is pbg't "tocol version 6 (IPv6) that addresses up to 64 address bits that are generated by hashing owners key addres. The address the camer uses is the corresponding private key to assert address ownership ~~m1 i Pi 94 Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives y : Attacker Launches blended attack over rogue ad hoc network (802.11, bluetooth, infrared) Worm / Zombie Pocket PC Device Reads E-Mail Worm / Zombie zombie installed ae worm progogates | DDos Zombies Enterprises server Worm / Zombie Worm / Zombie Gill. Contact list a of victim: Desktop PC Worn’ ambi ¥ 4 4 Figure 3.8 | Push attack on mobile devices. DDoS implies distributed denial-of-service attack. Pouce: Nina Godbole (2008), Information Systems Secunty: Security ‘Management, Metrics, Frameworks and Best Practices, Wiley India, > Is a system-wide suite of cryptograp resources on a palm-powered device. ‘The CP take advantage of these capabil on the device, ; ! ication weitten M extends cncryption services to any application writte® es, allowing th ne encryption of only selected data or of all data and resoure® 3.7.2 LDAP Security for Hand-Hel LDAP is a software protocol for such as files and devices on the Ima network, a directory tells yo id Mobile Computing Devices enabling anyone to lo network (i.e. on the tu where an entity is loc iv, sources cate individuals, organizations and other rene! Public Internet or on the organizations’ bene ated in the network, LDAP is a light weight (Cybercrime: ime: Mobile and Wireless Devices_ 95 Captured E-Mail, logins, passwords, etc. _ EP Ente WEP Encrypted | Togie Accasa Point . 7 Js all traffic WEP En icrypted including packets with passwords ~~, WEP Encrypted [~~~ Legitimate ‘Access Point ‘Unaware of these attacks Captured files, E-Mail, passwords, etc Rogue Peer Scans for open ports, copies files from pocket PC device n mobile devices. . Gedbole (2009), Informatio, systems Security: Security Management, Metrics, Sat Practices, Wiley Indl Pull attack 1 Source: Nina Frameworks and on of Directory Ac dat the Universit Figure 3.9 features in AP) because ic does not include security teen endorsed by at amount of code) versi its initial version. Ic originate’ nies. Centralized directories sue directory structure of LDAP. 3.7.3 RAS Security for Mobil RAS is an imy "cation for protecting tHE pusinesssensitive dat ; portant ion for pro sensi eves ae 8 fo fe pobilhand eld dev es carried Pyemployers In addition to ings toute into the systems wil weranating ox masquerading) © systems~ Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives 96 Attacker Attacker Sends pens) t hard reset Lindon code bom HTTP Response Malicious Activex File Beamed Over IR Port Fite Syne from] Random Rogue PC IP Packets Attacker Attacker Sends Sends hard reset DoS flood code bomb Pocket PC Device Hard reset, invoked Programs, files and passwords lost Figure 3.10 | Crash attack on mobile devices. DoS - Denial-of-service attack. ‘Source: Nina Godbole (2008), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India. Box 3.4 \ LDAP Directory Structure An LDAP directory is organized into a simple “tree” structure that consists of the following levels: }. Root Directory (the source of the tree or the starting point) which branches out to 2. Counties, which branches out to 3. Organizations, which branches out to 4 Organizational units (divisions/departments and so forth), which further branches out to 5: Individuals (which, in umn, include fes, shared If resources such os printers and people) An LDAP server is called a Directory Systems Agent (DSA). It receives a request from a uset takes responsibilty it ‘Another threat comes from the practice of port scanning (refer to Box 2.5 in Chapter 2). Fits ataek use a domain name system (DNS) server to locate the IP addres of a connected computer (ether the mobil device itself or a gateway server to which it connects). A domain isa collection of sie chat ane related i? a sense. Second, they scan the ports on this known IP address, working their way through ies Transso" Control Protocol (TCP)/User Datagram Protocol (UDP) stack to see what communication ports ate we tected by firewalls. For instance, File Transfer Protocol (FTP) transmissions are typically assigned © PO" If this pore is lefe unprotected, it can be misused by the attackers (sce Box 3.5). "Cybercrime: Mobile and Wireless Devices _97 Information store W Phone network “application server RAS - Remote access server was Database (Wireless ill Application Protocol) e gateway Figure 3.11 | Communication from mobile client to organization information store. Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India. Box 3.5 \ RAS System Security for Mobile Device Clients he security of a RAS system can be divided into following three areas: 1. The secutity of the RAS server: 2. the security of the RAS client: 3. the security of data transmission. Amnough the desired level of security of the RAS server can be controled through implementation ile hand-held device) is typically not under oflocal security guidelines. the RAS client (e.9.. 0 mo the complete control of the IT personnel who is responsible for the local area network (LAN). The ‘Zeutty of he data transmission media is generaly completely ou! of Ine control, For this reason. getecton of communications between the client and the server must De secured by additional meons, Nine Godbole (2003), Information Systems Secunly Security Management, Metrics, Frameworks and Best #1, Wiey Indio. Protecting against port scanning, requires software that can trap unauthorized incoming Gs a rackets "sd pevenea mobile device from revealing its existence and 1D. persona fcwall on a pocket DC or atghone device can be an effective protective screen against this form of attack for the wsers connecting ough a diet Incrves oc AAS connection. For sications where ll connec the capone never 2 though a gateway, placing the personal firewall on the BY inl coukt be the ingles son seat itavids the need to place a personal firewall on each mati deve a ether eae 8 “Smethods tac implement strong authentication ke Wi provide an addivionf7 ics and Legal Perspectives i 98 Cyber Security: Understanding ©) 3.7.4 Media Player Control Security Given the lifestyle of today’s yor hand-held devices as a means fo are the two important aspects in ciate how this can be a source for tions have been warning the users about ic gateways.” There are many examp| common to expect them embracing the moby | ie eomorking and entertainment. Music and i generation. Given this, itis easy ans F . hosevurity breaches. Various leading pirate Orit | aoe he porential security actacks OM their mobile devices through, & | le to show how a media player can turn out to be a source OF threat ; i oratior | a ees For example, inthe year 2002, Microsoft Corporation warned aby formation held on mobile devices. -1 4 warned people that a series of flaws in its Windg,, | this" According co this news Hem “ker to hijack people's computer systems and perform a varey oy | Media Payer could a3 ing from Microsofi, inthe most severe exploit ofa law, a hacker could ey | actions. According to this warni ° » . to do, such as openi over a computer system and perform any task the computer's owner is allowed , pening files o, | / accessing certain parts of a network. , , : ‘As another example, consider the following news item of the year 2004: corrupt files posing as noua music and video files could allow an attacker to gain control of the-downloader’s computer (see Ref. $5, Additional Useful Web References, Further Reading). With this-appening, there are three vulnerability | | sung generation, it is. quite i i 2CCSS, 1 information 2c day-to-day aspects forthe Youn: (a) files could be created that will open a website on the user's browser (e.g,, the user could be accessing from hissher hand-held device) from where remote JavaScript can be operated; (b) files could be created which alloy the attacker ro download and use the code on a user's machine or (c) media files could be created that vi create buffer overrun errors. We will continue further technical discussion on “buffer overflow” in Chapter 4 In Section 3.6, we have discussed registry settings in connection with the mobile devices’ security. This topic becomes important in the context of the current section too. Registry of a computing device is . important concept; it stores information necessary to configure the system for applications and hard ne devices. Ie also contains information that the OS continually references during an ‘sed some keys control the behavior of the Windows Media Pl: 7 network MSDN, describes details of registry value settings operation. In the resist, layer control. Microsoft, through its develope on the mobile devices, With the increase in out With the adv ent of electronic coy mmerce Payments are it ce) and i becoming comman phenomenon with des ee OF shoot nto M- Commer, nl wirelessly. Furthermore, wi rm (ee Ref: #3, Articles acd et he ENE OF Web services and thei ae Sr remotely and posi mobi