General Background

A classical definition of mobile security is the following:

Mobile security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing. Mobile security is also known as wireless security.

However, this definition covers only a portion of the problem. Defining more precisely what mobile security means for modern workforces first requires defining what modern workforces are.

Nowadays, more and more services gather personal data (different services collect different data). To verify users’ identity (and decide whether to grant access), machines collect personal data from users who want access to services. Users want to use those services and are therefore willing to give away personal data, following a “data for services” business logic. At the same time, our identity, trust and privacy constraints differ across the environments we act in (business identity, cultural identity, administrative identity etc.). These two points help define the modern ubiquitous workforce and, with it, the role of the mobile terminals it uses.

Figure 1 depicts a simplified model of mobile forces and terminals: in the area of mobile security, the picture models a user as an entity that modifies a dataspace with his/her work through an enabling technology in a location, following a use case or workflow.

Figure 1. Schematization of modern mobile forces (Source: CEFRIEL)

There are therefore four directions to explore.

  • Dataspace: the aim of a user’s actions is always to modify, access and extend his/her dataspace, possibly in collaboration with other people. A dataspace is made of data, trust relations and policies that secure terminals must enforce so as not to corrupt the dataspace’s integrity. For example, the personal data stored locally on a smartphone can be seen as a partial mirror of a remote dataspace, kept locally (securely) for convenience. Nowadays we still see separate work and personal dataspaces, which can live in different instances of the applications and are not always integrated, or are misaligned. This separation is rapidly disappearing, a change that is shaping the future.
  • User Location: thanks to mobile and ubiquitous terminals, a user can complete a task in any place: at home, in public spaces or in the company office. It does not matter where the work is performed: only ergonomics matters (for example, doing a task on a laptop does not have the same ergonomics on public transportation, such as a train, as at a desk). Therefore, sensing the context and adapting the user experience becomes relevant, also in terms of security. A full definition of the threats needs to define not only the type of victims but also the places and external conditions in which the exploit actually happens. For example, securing a process that accesses a relevant asset in a dataspace is different over a mobile network, a public Wi-Fi or a private VPN.
  • Use cases: a use case or workflow is usually independent of the means used to perform it; the correct terminal can simply make its completion easier. A task must always be carried out by performing the same steps, even if in different fashions and through different channels/tools/terminals. Consider, as an example, the task of answering an e-mail or accessing a document: the role of mobile security is to ensure the same level of security in all possible situations.
  • Enabling technologies: mobile terminals and cloud technologies are today’s enabling technologies, which play a key role in defining new ways of working. Bring Your Own Device (BYOD) policies and the proliferation of mobile platforms, all with different security performances, are just two of the key elements, and the ones shaping the market. Moreover, the foreseen evolution of wearable terminals complicates this scenario even further, tightly integrating personal behaviour, the workforce and access to work/personal dataspaces. However, it is useful to take a broader view, dissociating what technology is able to do now from what it will allow. The enabling technologies can be depicted as the portal between a local physical context (local sensing) and a virtual dataspace with its own rules. A perfect match between local sensing, the dataspace’s own rules and policies, and the use case that the user wants to complete is what actually defines the ideal goal of mobile security.

This complex scenario raises several major security problems that will shape what secure terminals and dataspaces will be. Some recent EU IST calls also concentrate on the development of secure mobile terminals (e.g. FP7-ICT-2011-8) and secure trusted exchange of data (e.g. Objective ICT-2013.1.5 Trustworthy ICT), but very few investigate the integrated scenario in which all the elements are considered as a whole.

The rise of the Social Engineering economy

Social Engineering (SE) is a well-known method of deception, used since historic times. What has completely changed the landscape in recent years are the following two important evolutions:

  • the evolution of social networks, especially through mobile platforms, and the corresponding new habits of people;
  • the appearance of new technologies that make it possible to automate most of the SE steps against a large number of people/victims at the same time.

These two factors contributed to the evolution of social engineering into a new multifaceted phenomenon that we call Social Engineering 2.0 (SE 2.0), which has increased the number of potential victims directly exposed on the internet and makes heavy use of advanced automated methods to gather and process the information needed to select the “victims” precisely.

Social Engineering 2.0 is a complex phenomenon that involves several heterogeneous technologies and competences. Figure 2 shows the most important technological and scientific areas involved.

Figure 2. Overview of the main characteristics of Social Engineering 2.0 (Source: CEFRIEL)

SE 2.0 includes many renewed and new technologies, such as Open Source Intelligence (OSINT) and Social Network Analysis (SNA), psychological profiling (for example through personality profiling to identify the most vulnerable persons), “memetics” [2] and sentiment analysis, and new trends in contextualizing attacks one-to-one [3]. Most of the technologies mentioned for SE 2.0 were developed in social marketing to help capture and influence the social trends of the huge mass of people who share opinions and assets on the internet. However, Social Engineering is all about the art of influencing people’s thinking and ideas, similarly to marketing, but with malicious intent.

These technologies therefore have legitimate uses, but at the same time can be abused by social engineers to perform attacks and collect information, which is then exploited for highly contextualized attacks. In summary, the real essence of SE 2.0 is the abuse, as opposed to the use, of these technologies. The problem is hence not limited to the technical world, because it extends into the psychology and cyber-sociology[3] areas of expertise.

The Malware 2.0 model

The main characteristics of Malware 2.0 are the following:

  • Absence of a single command and control centre for networks of infected computers;
  • Active use of methods to combat the analysis of malicious code and attempts to gain control over a botnet;
  • Short-lived mass mailings of malicious code;
  • Effective use of social engineering;
  • Use of a range of methods to spread malicious programs and a gradual move away from the use of methods (e.g. email) which attract attention;
  • Using a range of modules (rather than a single one) in order to deliver a set of malicious payloads;
  • Malware as-a-service;
  • Multi-channel exploits (especially including mobile terminals).

The technical skills required to develop new malware have decreased[4]: having software engineering in place before the real exploit (the technological attack) means being able to attack those few useful victims with 1:1 customized ad-hoc attacks[5]. As a result, Malware 2.0 does not need to spread across a network, escalate privileges or even use unknown 0-day bugs. What it needs is strongly customized behaviour to hit just one user on one machine[6], a user that owns the asset the attacker wants. This situation recently led Symantec to declare that standard defence systems such as anti-virus software are dead [4].

Recent statistics

Several statistics show the rising trend of mobile malware, especially on Android terminals. Nevertheless, we would like to concentrate on one particular element: Android terminals seem to be the preferred target of most cybercriminals, while iOS is almost ignored[7].

We will not discuss here the security models of Android and iOS, but we underline that malware authors are targeting the Android users who treat their device like a simple feature-phone, the users who never install apps. However, as shown in [5], the Social Engineering threat is always present, because at the logical level it exploits a weakness that is outside the world of informatics, since it lies in the human side of security.

For all these reasons, a holistic approach to mobile security is required, and this is exactly the idea behind MUSES.

References

[1]   Kaspersky Labs, “Social Engineering, Hacking The Human OS”

[2]   S. Blackmore, The Meme Machine, Oxford University Press, 1999. ISBN 0198503652.

[3]   Symantec, Internet Security Threat Report 2014

[4]   Symantec Develops New Attack on Cyberhacking. Declaring Antivirus Software Dead, Firm Turns to Minimizing Damage From Breaches

[5]   E. Frumento et al., ‘Cognitive Approach for Social Engineering’, DeepSec Conference 2010, Nov 2010.

 

[1] http://whatis.techtarget.com/definition/mobile-security

[2] For example see M. Huber, S. Kowalsky et al., “Towards Automating Social Engineering Using Social Networking Sites”, 2009 International Conference on Computational Science and Engineering

[3] A fundamental evolution in attack techniques is the application of cognitive sciences and semantic technologies in modern social engineering attacks, in order to automatically profile personalities and find potential victims among a large mass of online persons.

[4] Source: PandaLabs Report 2013, http://goo.gl/MjFYBm

[5] Therefore watering hole attacks and ad-hoc malware infections are nowadays among the most actively exploited infection techniques [Ref.41].

[6] A recent sample is the Trojan.VikNok.2014 http://thehackernews.com/2014/05/beware-cyber-criminals-spreading-click.html?m=1

[7] See F-Secure Mobile Threat Report Q1.2013: “The Android malware ecosystem is beginning to resemble that which surrounds Windows, where highly specialized suppliers provide commoditized malware services”, http://www.f-secure.com/documents/996508/1030743/Mobile_Threat_Report_Q1_2013.pdf