security is sexy again

no, not that kind of sexy

by Vitor Domingos @ IDC - Information Security

Upload: vitor-domingos

Post on 29-Jan-2018



Vitor Domingos

[email protected]@prt.sc

http://vitordomingos.com

- cloud computing & security consultant

- thenextweb.com editor

- mobilemonday founder

- videocaster

- ex failed entrepreneur

- ex ITIJ / MJ

- ex CGD

- ex forumB2B

- ex Maxitel

- ex Jazztel


VERY IMPORTANT AGENDA

- First

- Second

- Third


OLD SCHOOL

- anti virus

- IDS, firewall, scanners

- encryption, DMZ, password enforcement

- data protection & security governance

- some other commercial bullshit bingo

- social engineering


NEW SCHOOL

- social engineering and hacking

- id theft (banks)

- phishing, spoofing, vishing, brandjacking

- spam, bot networks, malware, pharming

- XSS (twitter)

- private data harvesting (facebook)


Security Menace History

1.0 – FUN - Virus, Stealing Information

2.0 – MONEY - Worms, Trojans, Virus

3.0 – MONEY 2.0 - DDoS, Trojans, ID Theft

4.0 – MARKETING - FarmVille, Mafia Wars, Data Theft


Security is (now) personal

1.0

- Direct

- One-on-One

- Hardware/Software

2.0

- Cloud

- Distributed

- Social

- Personal


Firewall History

1 Gen – Packet Filter

2 Gen – Application Layer

3 Gen – Stateful Filter

4 Gen – Semantic

5 Gen – Personal


Security got smaller and distributed

USB PEN, SD Card

Phone, Smartphone

Cloud, SaaS, IaaS, NaaS, DaaS ...


Phones ...

- 15 years of pure insecurity and few exploits

- mobile is the most personal and private item we own

- phones are now computers, the personal kind

- they even run full operating systems


What's in ...

- phone calls

- address book

- emails

- sms

- mms

- browser history

- pictures and some documents

- calendar

- gps tracking data

- shop details

- credit card info

- other sync evilness


GSM Cracked

- A5/1 rainbow table cracking software (reflextor.com/trac/a51)

- GSM interception software (airprobe.org)

- Software defined radio (gnuradio.org)

- Cheap radio software (ettus.com/products)


2010

- UMTS cracked (on paper) - Sandwich attack

- MMS Remote Exploit

- iPhone SMS Remote Exploit

- Bluetooth Spamming and Attacks (bluesnarfing, bluebug, bluebugging) - $18 Bluetooth sniffer

- Bluetooth audio flow to headset interception

- Over-the-air wiretapping

- ... and what about Flash? :)


Future (risks?)

- Near Field Communications - 2008: hacking NFC phones, URI spoofing, NDEF worm; 2010: Nokia announces that all phones will be NFC ready

- Mobile JavaScript in the browser (2000 called and they want to block JavaScript all over again)

- Phone SSL, VPN

- Location Based something - Gowalla/Foursquare problems


Future (risks?)

- Spyware disguised as apps (Cydia iPhone appstore, Android apps)

- Virus/Worm/Botnet - iPhone; Vodafone memory card spyware bug on Android phones

- Tinyurl problems (?)

- Social phishing from fake call centers

- Data Leaks

- Startups with little security concerns


New world out (t)here

- Earth calling security, hello ?

- Fresh new start (cloud, distributed, mobile, web)

- Think global

- Same old-school practices apply; new skills

- SME/SMB

- Security as a Service
