Cybercrime: Mobile and Wireless

Devices
 Learning Objectives

Understand the security challenges presented by mobile devices and
information systems access in the cybercrime world.

Understand challenges faced by the mobile workforce and implication
under the cybercrime era

Mitigation strategy – credit card users.

Security issues due to use of media players

Organizational security implications with electronic gadgets

Organizational measures for protecting information systems from
threats in mobile computing area.

Smishing, vishing attacks in mobile world.

Security issues arising due to use of removable media – pen drives.
Proliferation of mobile and wireless
devices

You see them everywhere: people hunched over
their smartphones or tablets in cafes, airports,
supermarkets and even at bus stops, seemingly
oblivious to anything or anyone around them.

They play games, download email, go shopping or
check their bank balances on the go.

They might even access corporate networks and
pull up a document or two on their mobile gadgets.
 Security?

But as wireless devices become increasingly
ingrained into our daily lives, they open the door to
heightened security risks.

Not only do such devices become points of access
for cybercriminals, but they also may be more
easily breached than personal computers since
many consumers do not secure their smartphones
or tablets with antivirus software or take simple
precautions such as enabling password protection.
 Risk Factor:

The dangers, of course, are plentry.

Rogue mobile apps can record the information that users type into a device, such as
bank account numbers and PINs

They can read data stored on a handset, such as emails, text messages,
attachements, credit card numbers, and log-ins and passwords to corporate
networks.

A phone can even secretly record conversations within earsot.

Data that leaves a mobile device wirelessly to connect to a Wi-Fi network could be
hijacked in midair in “man in the middle” attacks.

Consumers may not be a concerned about securing a wireless device because they
do not view it as a small computer. “They think, ‘Oh, it’s just my phone.

He risks are transferred to the workplace as more people bring their devices to the
office for both personal and professional use, a phenomenon known as BYOD or
“Bring Your Own Device.”
Polular types of attacks against 3G
mobile networks:

Malware, viruses and worms
 Skull Trojans
 Cabir worm
 Mosquito worm

Denial-of-service

Overbilling attack

Spoofed policy development process

Signaling-level attacks
 Skul Trojan

A trojan horse piece of code that targets mainly
Sumbian OS. Once downloaded, the virus
replaces all phone desktop icons with images of
a skull. It also renders all phone applications
useless. This malware also tends to mass text
messages containing malicious links to all
contacts accessible through the device in order
to spread the damage. This mass texting can
also give rise to high expenses.
 Cabir Worm

This malware infects mobile phones running on
Symbian OS and was first identified in June
2004. When a phone is infected, the message
‘Caribe’ is displayed on the phione’s screen and
is displayed every time the phone is turned on.
The worm then attempts to spread to other
phones in the area using wireless Bluetooth
signals, although the recipient has to confirm
this manually.
 Mosquito worm

In June 2004, it as discovered that a company called
Ojam had engineered an anti-piracy Trojan virus in
older versions of its mobile phone game, Mosquito.

This virus sent SMS text messages to the company
without the user’s knowledge.

Although this malware was removed from the game’s
more recent versions, it still exists in older, unlicensed
versions, and these may still be distributed on file-
sharing networks and free software download web
sites.
 List of mobile vulnerabilities

Mobile devices often do not have passwords enabled.

Two-factor authentication is not always used when conducting sensitive
transactions on mobile devices.

Wireless transmissions are not always encrypted

Mobile devices may contains malware.

Mobile devices often do not use security software.

Operating systems may be out-of-date.

Software on mobile devices may be out-of-date

Mobile devices often do not limit internet connections.

An unsecured WiFi network could let an attacker access personal
information from a device, putting users at risk for data and identity theft.
 Credit Card Fraud

Traditional technique
 Application fraud: ID theft and Financial Fraud

Modern technique
 Trangulation
 Credit Card generators
 Security challenges posed by
mobile devices:

One at the device level: microchallenges

Another at organizational level:
macrochallenges
 Well know challenges in mobile
security:

Managing the registry setting and configuration

Authentication Service Security

Cryptography Security

Lightweight Directory Access Protocol (LDAP)
Security

Remote Access Server (RAS) security

Media Player Control Security

Network Application Program Interface (API) security
 1. Registry settings for mobile
devices: example

Microsoft Active Sync: synchronize PCs and MS
Outlook

Gateway between Windows-Powered PC and
Windows mobile-Powered device

Enables transfer of Outlook information, MS Office
documents, pictures, music, videos and applications

Active sync can synchronize directly with MS
Exchange Server so that the user can keep their E-
Mails, calendar, notes and contacts update wirelessly.
 Managing the registry setting and
configuration:

If you use an Active Directory environment to
administer the computers in you network, Group Policy
privices a comprehensive set of policy settings to
manage Windows Inter Explorer 8 after you have
deployed it to your users’ computers.

You can use the Administrative Template policy
settings to establish and lick registry-based policies for
hundreds of Internet Explorer 8 options, including
security opetiuions

1700 settings in a standard group policy
 Managing the registry setting and
configuration:

Even if the user go through every control panel
setting and group policy option-no desired
baseline security

So make additional registry changes that are
not exposed to any interface: avoid “registry
hacks”
 Example

When using Pick-IT ASP in
Internet Explorer, the SIP
(Software input panel, or
virtual keyboard) will pop
up when a textbox is
activated. We cann not
control this panel through
Pick-IT,
 2. Authentication Service Security
 Two components of security in mobile computing:

Security of devices

Security in Networks
 Involves mutual authentication between the device
and the base station/servers.
 Ensures that only authenticated devices can be
connected to the network
 Hence, no malicious code can impersonate the
service provider to trick the device.
Eminent kinds of attacks on mobile
devices:

Push Attacks

Pull Attacks

Crash attack
3. Cryptographic Security for Mobile
Devices:

Cryptographically Generated Address (CGA)

CGA is IPv6: generated by hashing owner’s public-key address

The address the owner uses is the corresponding private key to
assert address ownership and

To sing messages sent from the address without a Public-Key
Infrastructure (PKI)

CGA-based Authentication can be used to protect IP-Layer
signaling protocols

Also used in key – exchange and create an IPSec security
association for encryption and data authentication
 Example: Palm OS5

Cryptographic Provider Manage (CPM) in Palm
OS5 is a system-wide suite of cryptographic
services for securing data and resources on a
Palm-powered device.
 4. LDAP security fir hand held
mobile computing devices

LDAP is a software protocol for enabling anyone to locate
individuals, organizations and other resources like files
and devices on the network

LDAP is light weight version of Directory Access Protocol
(DAP) since it does not include security features in its
initial version.

It originated at the University of Michigan

Endorsed by atleast 40 companies

Centralized directories such as LDAP make revoking
permissions quick and easy.
 LDAP directory Structure: Simple
tree structure

Root Directory

Countries

Organizations

Organizational units

Individuals
 5. RAS security for mobile devices

RAS is important for protecting business sensitive data that
are reside on the employees mobile devices.

Vulnerable to unauthorized access: resulting in providing a
route into the systems with which they connect
 By impersonating or masquerading to these systems, a cracker is
able to steal data or compromise corporate systems in other ways.

Another threat is by port scanning: DNS server -locate IP
address – scan the port on this IP address that are
unprotected.

Precautions: a personal firewall
 RAS system security for Mobile
device clients

The security of the RAS server

The security of the RAS client

The secure data transmission
 6. Media Player Control Security

Potential security attacks on mobile devices through the
“music gateways”

Windows media player: MS warned about security loop
holes

Corrupt files posing as normal music and video files
 May open a website from where the Javascript can be
operated.
 Allow attacker to download and use the code on user’s
machine
 Create buffer overrun errors
 7. Networking API security for
mobile computing applications

Developement of various API’s to enable
software and hardware developers to write
single applications to target multiple security
platforms
 Attacks on Mobile/ Cell Phones

Mobile Phone Theft

Mobile Viruses

Mishing

Vishing

Smishing

Hacking Bluetooth
 Mobile Phone Theft

With mobiles or cell phones becoming fancier, more popular,
and more expensive, they are increasingly liable to theft.

Following factors contribute for outbreaks on mobile devices:
 Enough target terminals: First mobile virus in 2004 :- Mosquito –
this virus sent SMS text messages to the organization (Ojam)
 Enough functionality: Office functionality, critical data and
applications protected insufficiently or not at all. Expanded
functionality increases the probability of malware
 Enough connectivity: SMS, MMS, Synchronization, bluetooth,
infrared (IR) and WLAN connections
How to Protect a Mobile Phone from
Being Stolen

Keep details: Make a record of all you phone
information and keep this in a safe place. Include the
following elements in the information: Your Phone
number

The Make and Model

Color and appearance details

The pin or security lock code

The EMEI number (on GSM phones)
 International Mobile Equipment Identity

Add a security mask: Use an ultra violet pen to print
your post code and house number onto both your
mobile handset and battery. This makes it easily
identifiable as you property if lost or stolen. It would
also be good if you write your alternate contact
number or email id on your phone.

This would help the finder of you handset to contact
you if he or she intents to return it. The ultra-violet
pen marking will wear off every couple of months, so
reapply it when you feel necessary.

Use the security lock code, or PIN feature, to
lock your phone. This will make it less
valuable to a thief and deny them access to
personal numbers stored on you SIM card.

Register you phone with your network operator. If you phone is
stolen, report the loss to them immediately. Using you IMEI number,
they may be able to block you hand set and account details.

Some wireless carriers are willing to do this, and some aren’t. If
done, this will prevent anyone from using the phone across any
network, even if the SIM card is changed. Keep in mind that once
the phone is disabled, it may not be able to be used again, even if
you get it back.

Keep records of this call-the date, time, name of the person you
spoke to, what they said, and their extension Ask for confirmation in
writing that you phone has been disabled. Tjhis is iportant in case
the thief makes fraudulent charges on you account.

Have your phone number disabled. In addition to reporting
your phone lost or stolen, you should also disable your phone
number (not account) so that no further charges can be applied.
This is I case the thief figures out how to access you account
through another hand set, or in case the carrier is unwilling to
block the handset.

Remember that, as mentioned earlier, many thieves stand to
benefit from using your service rather than selling your phone,
especially between the moment they steal it and the moment
you realize your phone is missing. As in the previous step, keep
detailed records of when you requested you account to be
disabled.

Request an immediate, formal investigation from your
carrier. Sometimes this can prevent (or at least delay) the
carrier from launching a collections effort and tainting your
credit, if things get ugly.

File a police report immediately. Time is money, literally. A thief
can add over US$10,000 to your cell phone bill in just hours by
making international calls, and you might end up being asked
to foot the bill. Some phone companies may require proof that
the phone was actually stolen, versus it having been lost. A
police report serves as evidence, which will make you wireless
provider more cooperative, especially if insurance is involved.

Install anti phone theft software. There are
suppliers that provide modern anti theft software for
you phone. The software enables you to remotely
contact your mobile and stay in control. For
example, one of the recently published solutions for
Symbian and Android is Theft Aware; others provide
Windows mobile or Blackberry support

Never let the phone get out of your sight. Unless
you are sleeping of course, always have your eyes
on the phone.
 2. Mobile Viruses

40 virus families

300+ mobile viruses identified

First mobile virus: june 2004

Spread through dominant communication
protocols
 Bluetooth, MMS
How to protect from mobile malware
attacks

Download or accpet programs and content only
from a trusted source

Turn off bluebooth or set it to non-discoverable
when not in use

Receive IR beams only from trusted source

Install antivirus software
 Mobile Phone Virus Hoax

Forwarded messages claim that a destructive
virus will infect your mobile (cell) phone if you
receive a call that displays “ACE” or “XALAN”
on the screen.
 Example

All mobile users pay attention!!!!!!

If you receive a phone call and your mobile phone displays (XALAN)
on the screen don;t answer the call, END THE CALL IMMEDIATELY, if
you answer the call, you phone will infected by a virus. This virus WILL
ERASE all IMEI and IMSI information from both your phone and your
SIM card, which will make your phone unable to connect with the
telephone network. You will have to buy a new phone. This information
has been confirmed by both Motorola and Nokia. There are over 3
Million mobile phones being infected by this virus in all around the
world now. You can also check this news in the CNN web site.

PLEASE FORWARD THIS PIECE OF INFORMATION TO ALL YOU
FRIENDS HAVING A MOBILE PHONE

Variants of this hoax have been circulating
since 1999, The information in the email is
completely untrue and has certainly not been
“confirmed by both Motorola and Nokia”.
 3. Mishing

Mishing is a combination of the words mobile phone and
phishing.

Mishing is very similar to phishing – the only difference is
the technology.

Phishing involves the use of emails to trick you into
providing your personal details, whereas mishing
involves mobile phones.

If you use your mobile phone for purchasing goods and
services and convenient banking, you could be more
vulnerable to a mishing scam.
 Variants of Mishing

Vishing : Mishing attacker makes call for
phishing

Smishing : Mishing attacker sends SMS for
phishing
 Vishing

The term “vishing” is a socially engineered technique for stealing
information or money from consumers using the telephone network.

The term comes from combining “voice” with “phishing” which are
online scams that get people to give up personal information.

Vishing is very similar to phishing – the only difference is the
technology.

Vishing involves voice or telephone services. If you use a Voice
over Internet Protocol (VoIP) phone service, you are particularly
vulnerable to vishing scam.

Vishing is usually used to steal credit card numbers or other related
data used in ID theft schemes from individuals.
 Profitable uses of the information
gained through a Vishing attack
include:

ID theft

Purchasing luxury goods and services

Transferring money/funds

Monitoring the victims bank accounts

Making applications for loans and credit cards
 How Vishing Works?

A vishing perpetrator (Visher0 may gain access to a
group of private customer phone numbers.

The visher may then call the group (may use war dialer)

When a potential victim answers the phone, he or she
hears and automated recording informing him that his
bank account has been compromised.

He then calls the specified toll-free number to reset his
security settings and hears another automated message
requesting the user’s bank account number and/or other
personal details via the phone keypad.
How to protect from Vishing attack?

Be suspicious of all unknown callers

Don’t trust caller ID: caller ID spoofing is easy

Ask questions: ask them to identify who they work for,
and them check them out to see if they are legitimate.

Call them back: call them back using a number from
your bill or your card. Never provide credit card
information or other private information to anyone who
calls you.

Report incidents: to nearest cyberpolice cell
 Smishing

Short for SMS Phishing, smishing is a variant of
phishing email scams that instead utilizes Short
Message Service (SMS) systems to send
bogus test messages.

Also written as SmiShing, SMS phishing made
recent headlines when a vulnerability in the
iPhone;s SMS text messaging system was
discovered that made smishing on the mobile
device possible.
 How smishing works?

Smishing scams frequently seek to direct the
rext message recipient to visit a website or call
a phone number, at which point the person
being scammed is enticed to provide sensitive
information such as credit card details or
passwords.

Smishing websites are also known to attempt to
infect the person’s computer with malware.
 Example
 Text message originating from either notice@jpecu or
message@cccu :

ABC CU - has – deactivated – your Debit_card. To
reactivate contact:210957XXXX
 This is an automated message from ABC Bank.

Your ATM card has been suspended. To reactivate call
urget at 1 866 215 XXXX
 Text message originating from [email protected]:

[email protected]/VISA. (Card Blocked) Alert. For
more information please call 1-877-269-XXXX
 How to protect from Smishing
attacks?

Do not answer a text message

Avoid calling any phone numbers

Never click on a hot link received through
messages.
 Hacking bluetooth

Bluetooth hacking is a technique used to get information
from another Bluetooth enabled device without any
permissions from the host.

This event takes place due to security fklaws in the
Bluetooth technology.

It is also known as Bluesnarfing.

Bluetooth hacking is not limited to cell phones, but is also
used to hack PDAs, Laptops and desktop computers

Bluetooth hacking is illegal and can lead to serious
consequences.
 Following are threats a person can
face when his/per mobile phone gets
bluesnarfed:

The hacker can steal, delete contacts

Hacker can extract personal files/pictures etc

Your cell phone can be used for making calls and using
internet at your expense

The hacker may call or text your contacts to annoy them

Your mobile phone can be reset to default factory settings
hence deleting your personal settings

Hacker can even access your calendar, clock,
International Mobile Equipment Identity (IMEI) number
IMEI number can be used to clone your cell phone so that
your messages are also routed to another number. Cloning
is also considered illegal.
 Common attacks

Bluejacking

Bluesnarfing

Bluebugging

Car wishper
 Bluejacking

Bluejacking is the sending of unsolicited messages over
Bluetooth to Bluetooth-enabled devices such as mobile
phones, PDAs or laptop computers, sending a vCard
which typically contains a message in the name field (i.e.
for bluedating or bluechat) to another Bluetooth-enabled
device.

Bluejacking is also known as bluehacking.

Blujacking exploits a basic Bluetooth feature that allows
devices to send messages to contacts withing range.

Bluejacking is harmless.
 Bluesnarfing

Bluesnarfing is the unauthorized access of information from a
wireless device through a Bluetooth connection, often between
phones, desktops, laptops, and PDAs ( personal digital assistant).

This allows access to a calendar, contact list, emails and text
messages, and on some phones, users can copy pictures and
private videos.

Both Bluesnarfing and Bluejacking exploit others’ Bluetooth
connections without their knowledge.

While Bluejacking is essentially harmless as it only transmits data
to the target device, Bluesnarfing is the theft of information from
the target device.
 Bluebugging

Bluebugging is a form of Bluetooth attack often caused by a lack of
awareness.

It was developed after the onset of bluejacking and bluesnarfing. Similar to
bluesnarfing, bluebugging accesses and uses all phone features.

Bluebuggin manipulates a target phone into compromising its security, This
to create backdoor attack before returning control of the phone to its owner.
Once control of a phone has been established, it is used to call back the
hacker who is then able to listen-in to conversations.

The Bluebug program also has the capability to create a call forwarding
application whereby the hacker receives calls intended for the target
phone.

Not only can a hacker receive calls intended for the target phone, he can
send messages, read phonebooks, and examine calendars.
 Car Whisperer

Software that intercepts a hands-free Bluetooth conversation in
a car.

The Car Whisperer enables an attacker to speak to the driver as
well as eavesdrop on a conversation.

By exploiting the fact that a common security code (passkey) is
used by many Bluetooth hands-free system vendors, the Car
Whisperer sets up a two-way session with the car and a Linux
Computer.

An attacker could access a telephone address book once he has
connected with the Bluetooth system.

May disable airbags or breaks.

The best way to avoid being “Car Whispered” is
to simply connect the in-car system to a
Bluetooth phone, because only one such device
can be connected at a time.
 Common bluetooth attack tools

BTScanner

Bluesnarfer

Bluediving

Blue bugger

Bluesniff
 Mobile Devices: Security
Implecations for Organizations

1. Managing diversity and proliferation of Hand-
Held devices

2. Unconventional/ Stealth storage devices

3. Threat through lost and stolen devices

4. Protecting data on lost devices

5. Educating the laptop users
 1. Managing diversity and
proliferation of Hand-Held devices

Employees aren’t just bringing their mobile devices to
the workplace – they’re living on them.

As smartphones and tablets become constant
companions, cyber attackers are using every avenue
available to break into them.

With the right (inexpensive) equipment, hackers can
gain access to a nearby mobile device in less than 30
seconds and either mirror the device and see
everything on it, or install malware that will enable them
to siphon data from it at their leisure.
Managing diversity and proliferation
of Hand-Held Devices

Analysts predict that by 2016, 25 percent of corporate
data will completely bypass perimeter security and flow
directly from mobile devices to the cloud.

Chief information security officers (CISOs) and other
security executives are finding that the proliferation of
mobile devices and cloud services and their biggest
barriers to effective breach response

In order to secure the corporate data passing through
or residing on mobile devices, it is imperative to fully
understand the issues they present.
 Security Risks and a Surprising
Challenge

Physical access

Malicious Code

Device Attacks

Communication Interception

Insider Threats
 Physical Access

Mobile devices are small, easily portable and extremely lightweight.

Hence easy to steal or leave behind in airports, airplanes or taxicabs.

As with more traditional devices, physical access to a mobile device
equals “game over.”

The cleverest intrusion-detection system and best anti-virus software
are useless against a malicious person with physical access.

Circumventing a password or lock is a trivial task for seasoned attacker,
and even encrypted data can be accessed.

This may include not only corporate data found in the device, but also
passwords residing in places like the iPhone Keychain, which could
grant access to corporate services such as email and virtual private
network (VPN)
 Malicious Code

Mobile malware threats are typically socially engineered and focus on tricking the
user into accepting what the hacker is selling.

The most prolific include spam, weaponized links on social networking sites and
rogue applications.

Android devices are the biggest targets, as they widely used and easy to develop
software for.

Mobiler malware Trojans designed to steal data can operate over either the mobile
phone network or any connected Wi-Fi network.

They are often sent via SMS (text message); once the user clicks on a link in the
message, the /Trojan is delivered by way of an application, where it is then free to
spread to other devices.

When these applications transmit their information over mobile phone networks,
they present a large information gap that is difficult to overcome in a corporate
environment.
 Device Attacks

Attacks targeted at the device itself are similar to the PC
attacks of the past.

Browser-based attacks, buffer overflow exploitation's
and other attacks are possible.

The short message service (SMS) and multimedia
message service (MMS) offered on mobile devices
afford additional avenues to hackers.

Device attacks are typically designed to either gain
control of the device and access data, or to attempt a
distributed denial of service (DDoS)
 Communication Interception

Wi-Fi enabled smartphones are susceptible to the same attacks that affect other
Wi-Fi capable devices.

The technology to hack into wireless networks is readily available, and much of it is
accessible online, making Wi-Fi hacking and main-in-the-middle (MITM) attacks
easy to perform.

Cellular data transmission can also be intercepted and decrypted.

Hackers can exploit weaknesses in these Wi-Fi and cellular data protocols to
eavesdrop on data transmission, or to hijack users sessions for online services,
including web-based email.

For companies with workers who use free Wi-Fi not spot services, the stakes are
high.

While losing a personal social networking login may be inconvenient, people
logging on to enterprise systems may be giving hackers access to an entire
corporate database.
 Insider Threats

Mobile devices can also facilitate threats from employees and other
insiders.

Malicious insiders can use a smartphone to misuse or misappropriate data
by downloading large amounts of corporate information to the device’s
secure digital (SD0 flash memory card, or by using the device to transmit
data via email services to external accounts.

The downloading of application’s can also lead to unintentional threats.

The misuse of personal cloud services through mobile applications is
another issue; when used to convey enterprise data, these applications can
lead to data leaks that the organization remains entirely unaware of.

Many device users remain unaware of threats, and the devices themselves
tend to lack basic tools that are readily available for other platforms, such
anti-virus, anti-spam, and endpoint firewalls.
 Policy making efforts

Organization needs to establish security practice subject to legal
and external constraints

Policy making efforts starts with the commitment of CEO,
president of Director who takes cybersecurity seriously

Mobile devices of the employees should be registered in the
corporate asset register

Close monitoring of these devices

Physical access to corporate resources must be removed from
mobile devices before the employee leaves

Employees register their device with the IT department: to control
the access
 2. Unconventional/ Stealth Storage
Devices

Secondary storage devices
 CDs
 USBs
 Portable external hard disks

Portable storage devices can be easily lost or stolen.

Decrease in size and emerge in new shape and sizes – difficult to detect

Prime challenge for organizational security

Firewalls and antivirus software are no defense against the open USB ports

Remedy – block these ports, but Windows OS do not support

Disgruntled employee can use these to download confidential data or
upload harmful virus
 Devicelock software

DeviceLock privides network administrators the
ability to set and enforce contextual policies for how,
when, where to , and by whom data can or can’t be
moved to or from company laptops or dekstop PCs
via devices like phones, digital cameras, USB sticks,
CD/DVD-R, tablets, printers or MP3 players.

In addition, policies can be set and enforced for copy
operations via the Windows Clipboard, as well as
screenshot operations on the endpoint computer.
Stealth Storage Devices
3. Threats through lost and stolen
devices
 4. Protecting data on lost devices

Encrypting sensitive data

Encrypting entire file system

Encrypting servers: third party solutions

Create a database action to delete the entire
data on the user’s device
 5. Educating the Laptop users

No free downloads

Illegal music files and movies

86% employees do this