(Risk)



(ysjung@inca.co.kr)
1.
2.
3.
4.
5.
     1.

1)
2)
3)
4)        Apps
5)
1.
     1)




                   Feature phone                    Smartphone
                   “Do It as You Get” handset       “Do It Yourself” handset

     Definition    • Voice call / SMS oriented      • “PC Like” user environment
                                                    • Internet / Data service
                                                      concentric device
                                                    • You can install / uninstall
                                                      huge applications
                                                    • Various application fields
                                                    • Rich multimedia applications

     Major         • WAP based browsers             • Much more applications than
     Feature       • Web surfing                      feature phones
                                                    • Lots more next generation
                                                      Internet Services


      A Smartphone is a mobile phone offering advanced capabilities,
      often with PC-like functionality (PC-mobile handset convergence).
      There is no industry standard definition of a Smartphone. For
      some, a Smartphone is a phone that runs complete operating
      system software providing a standardized interface and platform for
      application developers. For others, a Smartphone is simply a phone
      with advanced features like e-mail, Internet and e-book reader
      capabilities, and/or a built-in full keyboard or external USB keyboard
      and VGA connector. In other words, it is a miniature computer that
      has phone capability.
      Growth in demand for advanced mobile devices boasting powerful
      processors, abundant memory, larger screens and open operating
      systems has outpaced the rest of the mobile phone market for
      several years.
                                     http://en.wikipedia.org/wiki/Smartphone
1.
     2)


      1992   • Simon, IBM, Las Vegas COMDEX
      1993   • BellSouth
             • a calendar, address book, world clock, calculator, note pad, e-mail, send
               and receive fax, and games
             • no physical buttons, touch-screen

      1996   •   Nokia 9000
             •   Hewlett Packard PDA + Nokia’s phone
             •   Nokia 9210 as the first color screen with open OS
             •   Nokia 9500 is first camera phone and WiFi phone

      2000   • Ericsson R380, Touch screen
             • Symbian OS
             • did not run native third-party applications
      2002   • Sony Ericsson, P800, Symbian OS
             • color touch screen, camera, polyphonic ring tones, email attachment
               viewers, video playback and an MP3 player with a standard 2.5 mm
               headset jack


       2008     • Google, Android, Open Source
                • Intel, HTC, ARM, Motorola, Samsung, LG … => Open Handset Alliance (65)
                • The software suite included on the phone consists of integration with
                  Google's proprietary applications, such as Maps, Calendar, and Gmail, as
                  well as Google's Chrome Lite full HTML web browser
                • Third party apps are available via the Android Market, including both free
                  and paid apps

     Jul. 2008 • Apple introduced its App Store with both free and paid applications
                  The app store can deliver smartphone applications developed by third
                  parties directly to the iPhone or iPod Touch over wifi or cellular network
                  without using a PC to download.
                  The App Store has been a huge success for Apple and by February 2010
                  hosted more than 140,000 applications.
                  The app store hit three billion application downloads in early January 2010


     Jan. 2010 • Google launches Nexus One using its Android OS
1.
     3)


                                Android              Windows Phone             Symbian
          App      App          App                  App                       App

                   WISE,        JSE                  WIN 32,                   S60        UIQ
                   BREW,        (Java Standard       Java, .NET,               (Nokia)    (Ericsson)
                   WIPI         Edition)             MFC

                   REX,         Linux                Windows CE                Symbian
                   L4 / Iguana
1.
     4)



                           WindowsMobile      iPhone         Android
                            (Marketplace)   (AppStore)   (Android Market)

                                                             $25+$25
                              $100/1         $100/1
                                                         (    app       )

            App
                             $100/apps

          App
                                 2              1              N/A


                                7:3            7:3             7:3
     (          :Market)

                App               1K        100K             20K
1.
     5)   -
1.
     5)   –   , OS
2.

 1)
 2)
 3)
 4)   Total Risk
2.
     1)




       1.   Personal data and identity theft
      2.   High speed and permanent connection (3G)
      3.   Small variability (few security updates)
      4.   High bug-count (few audits, small time-to-market)




                     Hacker Target
2.
     2)




          Trendmicro, 2009
2.
     3)




                                                        ISO 7498-2, ITU-T X.800, NIST 800-33

               Security Attack                             Security Mechanism     Security Services
     Passive   Interception    Eavesdropping               Encryption             Confidentiality
     Active    Modification    Modification of Message     Hash                   Integrity
                                                           Keyed Hash             Integrity,
                                                                                  Authentication
               Interception    DoS, DDoS                   Anti-DoS               Availability
               Fabrication     Session Hijacking           Anti-spoofing          Authentication
                               (sniffing + spoofing)
2.
     4)          Total Risk

              Total Risk = Threat * Vulnerability * Asset Value




           Threat ?            Vulnerability ?          Asset Value ?
           (figure text largely lost in extraction; surviving fragments: Open Source, PC, USB)
3.

     1)
     2)
     3)
     4)   -
3.
     1)



           • “lock the phone”           • BlackBerry Devices: PhoneSnoop
           • “wipe the data”            •       2000
           • “LookOut”
           • ESN, MIN
3.
     2)
          Open Source
            • CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK
              : Browser exploit for the BMP format.
            • CORE-2008-0603: iPhone Safari JavaScript alert Denial of Service
              : Webcore process denial of service.
            •      11           “Storm8” game
            •    3
            •         “SandBoxing”


            •                  SMS
            • 2009.11.          ,         iPhone
          SMIshing
            •            ,

           Rick Astley Worm
            • iPhone           80
3.
     3)

          Jamming (RF DoS)
            • Client Jamming for rogue client
            • AP Jamming for rogue AP : Evil Twin
           Eavesdropping
            •                              AP
           Bluetooth                     disable    Bluesnarfing
           VPN, SSL
            Cryptography Threat (WEP – RC4/40Bit)               , Replay Attack
           Default SSID
                        Wi-Fi / 3G
           ( )                           3G
           FMC(Fixed Mobile Convergence)
                        “    PC +              ”        DDOS


                 SSID broadcasting  , 40Bit 64/128Bit WEP               ,
                          WPA or WPA2     , AES, TKIP
3.
     4)   -
4.


                                                       Trade-Off
          Defense in Depth
                  2Factor


     •                      (Smartphone                            )
                               (           ,   ,   ,       )
          FAR (false acceptance rate), FRR (false rejection rate)

     •              USB         ,     USB

     •
          3

     •

     •                              DDOS
              ,

     •                               API
5.

                       Smartphone        +




                     (Access Control)
                                             2
             •
             •
             •               H/W, S/W,




     Software            ,


         ,       ,

				
posted: 5/1/2012
pages: 25