
Slide 1: Smart Phone Security & Privacy: What Should We Teach Our Users?
Norman M. Sadeh, Professor, School of Computer Science; Director, Mobile Commerce Lab, Carnegie Mellon University. www.cs.cmu.edu/~sadeh

Copyright © 2007-2011 Norman M. Sadeh. EDUCAUSE Webinar – April 2011.

Slide 2: Outline
- Smart phone security and privacy awareness: unique challenges
- Phishing: much worse with smart phone users. What can we do?
- Mobile apps and social networking: what can we teach users?
- Concluding remarks
- Q&A

Slide 3: Smart Phone Security and Privacy Awareness: Unique Challenges

Slide 4: Cyber Security Training Awareness
...has been compared to trying to nail Jell-O to a wall.

Slide 5: Yet...
- Filters, firewalls, IDS, etc. have their limitations
- Users are the last line of defense
- Universities have a dual objective:
  - Protect the university's infrastructure and sensitive data
  - The educational mission

Slide 6: Universities
- Diversity of users: faculty, staff, students
- Diversity of cultures and environments: fragmented administration
- Diversity of needs: research vs. education vs. administration
- Diversity of devices: some managed and some not
...Yet the price of security breaches can be dire...

Slide 7: Smart Phones: The New Frontier
Smart phone adoption to approach 50% in the US in 2011.

Slide 8: ...Along the Way...
Our cell phones are now coming with the same vulnerabilities we have on our computers... and more.

Slide 9: Universities at High Risk
University students...

Slide 10: Mobile Email & Social Networking are Big

Slide 11: Diversity of Devices & OS's
Best practices are harder to articulate.

Slide 12: The Biggest Security Risk?
Millions of cell phones are lost or stolen each year.

Slide 13: Lost or Stolen Phone...
- Private data and sensitive apps, e.g. contacts list, pictures, phone calls, messages, email, calendar, apps, etc.
- Risk of someone using your phone:
  - Impersonating you: SMS, voice, email, social networks, etc.
  - Placing expensive international calls
- Reselling your phone
- etc.

Slide 14: What Can We Teach?
- Don't leave your phone unattended. This goes beyond theft and loss: malware is easy to install
- Use a PIN to protect your cell phone. Different options (e.g. iPhone)
- Write down your IMEI number as well as your phone's make and model and your cell phone number
- Quickly report a lost or stolen phone

Slide 15: Tips Quickly Become Device-Specific
Requires MobileMe: loud noise + contact info + map.

Slide 16: Remote Erase
- A number of solutions...
- ...Hopefully you've backed up your data
- ...Some products combine both backup and "remote wipe"
- Watch out for malware: read reviews and select reputable solutions...

Slide 17: Dangers of Multi-Tasking
- Phone call, SMS, email, etc.
- While driving, crossing the street...: illegal in some places, not wise elsewhere

Slide 18: Understanding the Risks...
- Even more challenging than on a computer
- Cell phones are highly personal devices with access to lots of sensitive information
- ...yet fewer people understand the risks
- Lots of different cell phone models, not all with the same functionality or settings...
- Users need to invest time in understanding and tweaking their security settings

Slide 19: Different Activities Lead to Different Risks
Voice, email, SMS, Bluetooth, browsing, WiFi, location, app downloads, social networks ...and more.
...A rather daunting task...

Slide 20: Phishing: Much Worse on Smart Phones

Slide 21: E-Mail Phishing: Worse on Mobile Phones
- Trusteer, January 2011: mobile users are the first to arrive at phishing websites
- Mobile users are 3x more likely to submit credentials than desktop users

Slide 22: Beyond E-mail Phishing
- SMS-ishing
- Vishing
- IM phishing
- Phishing via social networks
- Phishing apps

Slide 23: What To Do?
- Better filters can help. Most spam filters rely on manually maintained blacklists that are several hours behind. Example: Wombat's PhishPatrol
- Teach people to recognize traps in phishing emails

Slide 24: Training via Mock Attacks: PhishGuru
- Teach people in the context in which they would be attacked
- If a person falls for a simulated phish, show an intervention explaining what just happened
- A unique "teachable moment"

Slides 25-28: The PhishGuru workflow (progressive build)
1. Select target employees
2. Customize fake phishing email
3. Select training
4. Internal test and approval process
5. Hit send
6. Monitor and analyze employee response

Slide 29: It Works!
Reduces the chance of falling for an attack by more than 50% (actual results).

Slide 30: Reinforce with Training Modules, Including Games
- Traditional training doesn't work, but people like games
- Games teach users about phishing
- People are more willing to play games than read training
- Shows higher long-term retention

Slide 31: Teaches people to identify "red flags" in fraudulent emails.

Slide 32: Phishing is a Generic Threat
- It is possible to identify device-independent tips and strategies
- It is possible to teach these tips and strategies in a matter of minutes
- Universities like CMU are using PhishGuru and training games (the Phil and Phyllis training games) to train staff, faculty and students
- A dedicated anti-phishing email filter can also make a difference (e.g. PhishPatrol)

Slide 33: Mobile Apps & Social Networking: What Can We Teach Users?

Slide 34: Social Networking: Facebook, Twitter & Co.
- Sharing is wonderful...
- ...until you regret you did it
- Think and ask yourself whether:
  - You really know who you are sharing with
  - A week or a year from now, you'll still be happy you did
- Colleagues, friends, new acquaintances...
- Beware of pictures and links that seem to come from friends...

Slide 35: All Those Great Apps

Slide 36: Malicious Apps
- In January 2010, the first malicious mobile banking app was detected; it stole your banking credentials
- Android doesn't review applications
- Apple does, but that's no guarantee
- Many apps collect a lot more information than they need to, e.g. location

Slide 37: Some Recommendations
- Research apps before you download them
- Best to wait until enough other people have tried them
- Check ratings, but do not rely entirely on them
- If you are courageous, take time to review privacy provisions
- Possibly create a Google alert for apps you download

Slide 38: Location Sharing Apps

Slide 39: Also referred to by some as...

Slide 40: If you are going to share your location, at least do it under conditions you control.

Slide 41: Promoting Our Own Location Sharing Platform
- More expressive privacy settings, e.g. "My colleagues can only see my location when I'm on campus and only weekdays 9am-5pm"
- Invisible button
- Auditing functionality
- Available on Android Market, iPhone client, Ovi, laptop clients
- Tens of thousands of downloads over the past year
www.locaccino.org
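To make the "expressive privacy settings" on this slide concrete, here is an added example (not Locaccino's own code) of a small rule evaluator: a requester sees the owner's location only if a rule for one of their groups matches the weekday, the time window and a geofence, an "invisible" switch overrides everything, and every decision is written to an audit log. The rule names, the helper functions and the campus coordinates are assumptions constructed for the example.

```python
# Added example, not Locaccino's own code. Evaluates location-sharing
# rules such as "colleagues: campus only, weekdays 9am-5pm" and keeps
# an audit trail of every request. Campus coordinates are constructed.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed campus geofence: (latitude, longitude, radius in metres).
CAMPUS = (40.4433, -79.9436, 800.0)


@dataclass
class Rule:
    group: str                      # requester group the rule applies to
    weekdays_only: bool = False     # Monday to Friday only?
    start_hour: int = 0             # inclusive, 24h clock
    end_hour: int = 24              # exclusive
    fence: Optional[tuple] = None   # share only while the owner is inside


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points (haversine)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371000 * asin(sqrt(a))


def rule_allows(rule, when, lat, lon):
    """True if this rule's day, time and place conditions all hold."""
    if rule.weekdays_only and when.weekday() >= 5:
        return False
    if not rule.start_hour <= when.hour < rule.end_hour:
        return False
    if rule.fence is not None:
        flat, flon, radius = rule.fence
        if distance_m(flat, flon, lat, lon) > radius:
            return False
    return True


def can_see_location(rules, requester, groups, when, lat, lon, invisible, audit):
    """Decide whether `requester` (member of `groups`) may see the owner's
    location right now, and record the decision in `audit` (a list)."""
    if invisible:                 # the "invisible button": deny everyone
        decision = False
    else:
        decision = any(rule_allows(r, when, lat, lon)
                       for r in rules if r.group in groups)
    audit.append((when.isoformat(), requester, decision))  # auditing functionality
    return decision
```

The audit list lets the owner review who asked for their location and what they were told, which is the "auditing functionality" the slide lists.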


Slide 46: Concluding Remarks

Slide 47: Concluding Remarks
- Cell phones are wonderful devices...
- Most of us can't even remember how we could operate without them
- ...Yet they come with many risks
- ...General guidelines are difficult to articulate: diversity of cell phones and usage scenarios
- Yet in some areas such as phishing, results indicate that training can make a difference
- We are extending this approach to mobile security at large

Slide 48: Q&A
http://wombatsecurity.com
http://mcom.cs.cmu.edu

Slide 49: References
Scientific references:
- L. Cranor. How to Foil "Phishing Scams". Scientific American.
- P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, pages 1–31.
- I. Fette, N. Sadeh, and A. Tomasic. Learning to Detect Phishing Emails. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, May 8-12, 2007.
- Locaccino scientific publications: www.locaccino.org/science
Case studies and white papers:
- "A Multi-Pronged Approach to Combat Phishing (Carnegie Mellon University case study)"
- "Empirical Evaluation of PhishGuru Embedded Training"
- "Cyber Security Training Game Teaches People to Avoid Phishing Attacks"

