e-Business World 2013 - Christos Ventouris: The Landscape of 2013 … Mind your step...

This presentation was given as part of the e-Business World 2013 conference, held on 19 June at the Divani Caravel in Athens.

Transcript of e-Business World 2013 - Christos Ventouris: The Landscape of 2013 … Mind your step...

Page 1: e-Business World 2013 - Christos Ventouris: The Landscape of 2013 … Mind your step on the waterhole

Watch your step in the waterhole ….

Christos Ventouris
Information Security Specialist
Symantec EMEA

eBusinessWorld & Social Media World

Page 2

Agenda

A 10 minute tribute on how things go wrong ... and possibly get you to think twice

(10 mins for the next 13 slides. Keep focused :] )

Page 3

7 Years ago …

Clicking on an email or attachment link was dangerous

Page 4

Today …

Visiting your favorite website is dangerous.

1 in 532 websites infected.

Page 5

Most common: DriveBy Download infections

Browse legitimate web site

Malicious Script
• Hacked website
• Misconfigured server
• Weak password
• Banner ads
• …

Browser is analysed
• 312 Plug-in vulnerabilities (2012)
• 891 Browser vulnerabilities (2012)

Infection

No user interaction required

Page 6

7 years ago …

Your password could be hacked by social engineering or if a website was hacked.

Page 7

Today: Data Breaches - again and again

• Twitter - 250'000 user records stolen in 2013
• Scribd - 500'000 user records stolen in 2013
• Evernote resets 50 Mio accounts after data breach in 2013
• LinkedIn - 6.5 Mio user records stolen in 2012
• Who's next?

• Many of them happen due to SQL injection on the website
  – Very old attack, can be prevented by following best practice

Are you sure that your data is well protected?

Page 8

Today …

Oversharing allows the attacker to gain access to your online resources by simply putting the pieces together

Page 9

A lot of information in social networks
• "Luca2013" could be my password
• Service to reset lost passwords
• Also for spammers
• or for Phishing

Illustration labels:
my pet: Luca
Security Question - Name of your pet: LUCA
Hey, here you get cheap rabbit food
Hey, is that your bunny in that picture?
Fake Facebook <login>

Page 10

~5 years ago …

It was almost impossible to get your smartphone infected.

Page 11

Today's mobile threats

Page 12

Today's Android Malware
• Making money with premium SMS
  – Profit with SMS between $1.6K-9K / day
• Mobile BotNets exist already
• DriveBy Downloads possible
• Privacy is also an issue
• Mobile vulnerabilities
  – 416 (2012) / 315 (2011)

Heavy use of social engineering
Fake app markets
Unique (bad) APK every time
Sends Premium SMSs

Page 13

Android Malware Growth

[Chart: Cumulative Android Families 2011-2012 and Cumulative Android Variants 2011-2012; time axis from Jan '11 to Oct '12]

Page 14

Different Motivation – Different Attacks

Hacktivism
Money
Targeted Attacks
Sabotage
Espionage
DDoS
Defacement
Banking Trojan
Extortion
Scam

Page 15

Tips of advice …
• Think "What is the impact to my customers?"
• Assess and control your risks.
• Implement best practices for building your eBusiness platform
  – OWASP Top 10
  – Find your own holes before others find them first
  – Look out for past and new platform vulnerabilities. Fix them as soon as they are announced and a fix is available
• Share responsibly.
  – If you think you have nothing to hide, tweet a picture while in the WC
• Watch what you click?
• Protect your assets based on the threats and risks you identify.