CyberSecurity 3rd Unit Notes

Uploaded by

Sai Kiran
Copyright
© All Rights Reserved
3 Cybercrime: Mobile and Wireless Devices

Learning Objectives

After reading this chapter, you will be able to:
• Understand the security challenges presented by mobile devices and information systems access in the cybercrime world.
• Understand the challenges faced by the mobile workforce and their implications under the cybercrime era.
• Get an overview on mitigation strategy like the CLEW for possible protection of credit card users.
• Learn about security issues arising due to use of media players.
• Understand the organizational security implications with electronic gadgets and learn what organizational measures need to be implemented for protecting information systems from threats in mobile computing area.
• Understand Smishing and Vishing attacks in the Mobile World.
• Understand the security issues arising due to daily use of removable media such as pen/zip drives in this mobile environment.

3.1 Introduction

In this modern era, the rising importance of electronic gadgets (i.e., mobile hand-held devices) — which became an integral part of business, providing connectivity with the Internet outside the office — brings many challenges to secure these devices from being a victim of cybercrime. In the recent years, the use of laptops, personal digital assistants (PDAs), and mobile phones has grown from limited user communities to widespread desktop replacement and broad deployment. According to Quocirca Insight Report (2009),[1] by the end of 2008 around 1.5 billion individuals around the world had the Internet access. In November 2007, mobile phone users were numbered 3.3 billion, with a growing proportion of those mobile devices enabled for the Internet access. The complexity of managing these devices outside the walls of the office is something that the information technology (IT) departments in the organizations need to address.
Remote connection has extended from fixed location dial-in to wireless-on-the-move, and smart hand-held devices [...] have become networked, converging with mobile phones. Furthermore, the maturation of the [...] advancement in cellular phone technology have converged into a new category of mobile phone, the Smartphone. Smartphones combine the best aspects of mobile and wireless technologies and blend them into a useful [...]. Although IT departments of organizations as yet are not swapping employees' company-provided [...] PDAs (as the case may be) for the Smartphones, many users may bring these devices from home and use them in the office. Research in Motion's (RIM) BlackBerry Wireless Hand-held is an alternate technology [...]; per the Research in Motion Annual Report (2008), there are over 175,000 organizations with BlackBerry Enterprise Server installed behind the corporate firewall (i.e., corporations that use the BlackBerry enterprise client/server software for data communication between corporate BlackBerry devices and other [...]). Thus, the larger and more diverse community of mobile users and their devices increase the demands on the IT function to secure the device, data and connection to the network, keeping control of the [...] while at the same time supporting mobile user productivity. Clearly, these technological developments present a new set of security challenges to the global organizations.

Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives

3.2 Proliferation of Mobile and Wireless Devices

Incredible advances are being made for mobile devices. The trend is for smaller devices and more processing power. A few years ago, the choice was between a wireless phone and a simple PDA. Now buyers have a choice between high-end PDAs with integrated wireless modems and small phones with wireless Web-browsing capabilities. A long list of options is available to the mobile users. A simple hand-held mobile device provides enough computing power to run small applications, play games and music, and make voice calls.

A key driver for the growth of mobile technology is the rapid growth of business [...] into hand-held devices. Figure 3.1 shows some typical hand-held devices.

Figure 3.1 Typical hand-held devices. Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.

As the term "mobile device" includes many products, we first provide a clear distinction among the terms: mobile computing, wireless computing and hand-held devices. Figure 3.2 helps us understand how these terms are related. Let us understand the concept of mobile computing, and the various types of devices.

Figure 3.2 Mobile, wireless and hand-held devices. (Diagram labels: standard laptop, standard PDA, laptop with wireless access, desktop PC with wireless access, Smartphone. Legend: mobile device, wireless device, hand-held device. PDA - Personal digital assistant.) Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.

Mobile computing is "taking a computer and all necessary files and software out into the field." Many types of mobile computers have been introduced since 1990s. They are as follows:

1. Portable computer: It is a general-purpose computer that can be easily moved from one place to another, but cannot be used while in transit, usually because it requires some "setting-up" and an AC power source.
2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has features of a touchscreen with a stylus and handwriting recognition software. Tablets may not be best suited for applications requiring a physical keyboard for typing, but are otherwise capable of carrying out most tasks that an ordinary laptop would be able to perform.
3. Internet tablet: It is the Internet appliance in tablet form.
Unlike a Tablet PC, the Internet tablet does not have much computing power and its applications suite is limited. Also it cannot replace a general-purpose computer. The Internet tablets typically feature an MP3 and video player, a Web browser, a chat application and a picture viewer.
4. Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with limited functionality. It is intended to supplement and synchronize with a desktop computer, [...]

[...] is a system-wide suite of cryptographic [...] resources on a palm-powered device. The CPM extends encryption services to any application written to take advantage of these capabilities, allowing the encryption of only selected data or of all data and resources on the device.

3.7.2 LDAP Security for Hand-Held Mobile Computing Devices

LDAP is a software protocol for enabling anyone to locate individuals, organizations and other resources such as files and devices on the network (i.e., on the public Internet or on the organizations' Intranet). In a network, a directory tells you where an entity is located in the network. LDAP is a light weight ([...] amount of code) version of Directory Access Protocol (DAP) because it does not include security features in its initial version. It originated at the University [...] been endorsed by at [...] companies. Centralized directories such [...] directory structure of LDAP.

Figure 3.9 Pull attack on mobile devices. (Diagram labels: rogue access point, all traffic including packets with passwords; WEP encrypted links; legitimate access point, unaware of these attacks; rogue peer, scans for open ports, copies files from pocket PC device; captured files, E-Mail, logins, passwords, etc.) Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.
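As an added illustration (not from the original notes), the sketch below maps an LDAP distinguished name onto the tree levels that Box 3.4 lists and rejects names whose levels are out of order. The attribute-to-level mapping, the function names and the sample DN are assumptions made for the example; multi-valued RDNs are not handled.

```python
# Added example: place an LDAP distinguished name (DN) on the Box 3.4 tree.
# LEVELS, ORDER and SAMPLE_DN are constructed for illustration.
LEVELS = {"c": "country", "o": "organization",
          "ou": "organizational unit", "cn": "individual", "uid": "individual"}
ORDER = ["country", "organization", "organizational unit", "individual"]
SAMPLE_DN = r"cn=Doe\, Jane,ou=Sales,o=Example Corp,c=IN"


def split_dn(dn):
    """Split a DN on unescaped commas (a backslash escapes the next char)."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if esc:
        raise ValueError("dangling escape at end of DN")
    parts.append("".join(cur).strip())
    return parts


def tree_path(dn):
    """Return [(level, value), ...] from the root side down to the entry."""
    path = []
    for rdn in reversed(split_dn(dn)):      # a DN is written leaf-first
        attr, sep, value = rdn.partition("=")
        level = LEVELS.get(attr.strip().lower())
        if not sep or level is None or not value:
            raise ValueError(f"unsupported RDN: {rdn!r}")
        path.append((level, value.strip()))
    ranks = [ORDER.index(level) for level, _ in path]
    if ranks != sorted(ranks):              # e.g. a country under an org
        raise ValueError("levels out of order for this tree")
    return path
```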
3.7.3 RAS Security for Mobile [...]

RAS is an important consideration for protecting the business-sensitive data [...] mobile hand-held devices carried by employees. In addition to [...] route into the systems [...] (impersonating or masquerading) [...] systems.

Figure 3.10 Crash attack on mobile devices. DoS - Denial-of-service attack. (Diagram labels: attacker sends hard reset code bomb; HTTP response; malicious ActiveX; file beamed over IR port; file sync from rogue PC; random IP packets; attacker sends DoS flood; pocket PC device; hard reset invoked; programs, files and passwords lost.) Source: Nina Godbole (2008), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.

Box 3.4 LDAP Directory Structure

An LDAP directory is organized into a simple "tree" structure that consists of the following levels:
1. Root Directory (the source of the tree or the starting point), which branches out to
2. Countries, which branches out to
3. Organizations, which branches out to
4. Organizational units (divisions/departments and so forth), which further branches out to
5. Individuals (which, in turn, include files, shared IT resources such as printers and people)

An LDAP server is called a Directory Systems Agent (DSA). It receives a request from a user, takes responsibility [...]

Another threat comes from the practice of port scanning (refer to Box 2.5 in Chapter 2). First, attackers use a domain name system (DNS) server to locate the IP address of a connected computer (either the mobile device itself or a gateway server to which it connects). A domain is a collection of sites that are related in some sense. Second, they scan the ports on this known IP address, working their way through its Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) stack to see what communication ports are unprotected by firewalls.
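Seen from the defender's side, the second step above shows up in a firewall log as one source touching many different ports on one host within a short time. The following added example (not from the original notes) flags that pattern; the log format, the addresses and the thresholds are constructed for illustration.

```python
# Added example: flag sources that probe many distinct ports on one host,
# the pattern a port scan leaves in a firewall log. Log format, addresses
# (RFC 5737 documentation ranges) and thresholds are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
1000 DENY TCP 198.51.100.7 192.0.2.10 21
1001 DENY TCP 198.51.100.7 192.0.2.10 22
1002 DENY TCP 198.51.100.7 192.0.2.10 23
1003 DENY UDP 198.51.100.7 192.0.2.10 53
1004 ALLOW TCP 203.0.113.5 192.0.2.10 443
1005 DENY TCP 198.51.100.7 192.0.2.10 80
1200 DENY TCP 203.0.113.5 192.0.2.10 21
1900 DENY TCP 203.0.113.5 192.0.2.10 23
not a log line
"""


def parse(line):
    """Return (ts, action, proto, src, dst, port) or None if malformed."""
    f = line.split()
    if len(f) != 6 or not (f[0].isdigit() and f[5].isdigit()):
        return None
    return int(f[0]), f[1], f[2], f[3], f[4], int(f[5])


def find_scanners(log_text, min_ports=5, window=60):
    """Map (src, dst) -> sorted probed ports when >= min_ports distinct
    TCP/UDP ports were denied within any `window`-second span."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        ts, action, proto, src, dst, port = rec
        if action == "DENY":
            events[(src, dst)].append((ts, (proto, port)))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                  # slide the window forward
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits
```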
For instance, File Transfer Protocol (FTP) transmissions are typically assigned to port [...]. If this port is left unprotected, it can be misused by the attackers (see Box 3.5).

Figure 3.11 Communication from mobile client to organization information store. (Diagram labels: information store, phone network, application server, database, WAP (Wireless Application Protocol) gateway. RAS - Remote access server.) Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.

Box 3.5 RAS System Security for Mobile Device Clients

The security of a RAS system can be divided into following three areas:
1. The security of the RAS server;
2. the security of the RAS client;
3. the security of data transmission.

Although the desired level of security of the RAS server can be controlled through implementation of local security guidelines, the RAS client (e.g., a mobile hand-held device) is typically not under the complete control of the IT personnel who is responsible for the local area network (LAN). The security of the data transmission media is generally completely out of the control. For this reason, protection of communications between the client and the server must be secured by additional means.

Source: Nina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices, Wiley India.

Protecting against port scanning requires software that can trap unauthorized incoming data packets and prevent a mobile device from revealing its existence and ID. A personal firewall on a pocket PC or Smartphone device can be an effective protective screen against this form of attack for the users connecting through a direct Internet or RAS connection. For situations where all connections [...] through a gateway, placing the personal firewall on the [...] could be the simplest solution because it avoids the need to place a personal firewall on each mobile device. In either case, [...] methods that implement strong authentication keys will provide an additional [...]

3.7.4 Media Player Control Security

Given the lifestyle of today's young generation, it is quite common to expect them embracing the mobile hand-held devices as a means for information access, [...] and entertainment. Music and video are the two important aspects in day-to-day aspects for the young generation. Given this, it is easy to appreciate how this can be a source for security breaches. Various leading [...] organizations have been warning the users about the potential security attacks on their mobile devices through the "music gateways." There are many examples to show how a media player can turn out to be a source of threat to information held on mobile devices. For example, in the year 2002, Microsoft Corporation warned about this. According to this news item, [...] warned people that a series of flaws in its Windows Media Player could allow [...] hacker to hijack people's computer systems and perform a variety of actions. According to this warning from Microsoft, in the most severe exploit of a flaw, a hacker could take over a computer system and perform any task the computer's owner is allowed to do, such as opening files or accessing certain parts of a network.

As another example, consider the following news item of the year 2004: corrupt files posing as normal music and video files could allow an attacker to gain control of the downloader's computer (see Ref. #5, Additional Useful Web References, Further Reading). With this happening, there are three vulnerabilities: (a) files could be created that will open a website on the user's browser (e.g., the user could be accessing from his/her hand-held device) from where remote JavaScript can be operated; (b) files could be created which allow the attacker to download and use the code on a user's machine or (c) media files could be created that will create buffer overrun errors. We will continue further technical discussion on "buffer overflow" in Chapter 4.

In Section 3.6, we have discussed registry settings in connection with the mobile devices' security. This topic becomes important in the context of the current section too. Registry of a computing device is an important concept; it stores information necessary to configure the system for applications and hardware devices. It also contains information that the OS continually references during an operation. In the registry, some keys control the behavior of the Windows Media Player control. Microsoft, through its developer network MSDN, describes details of registry value settings on the mobile devices.

With the increase in [...] With the advent of electronic commerce (E-Commerce) and its [...] offshoot into M-Commerce, [...] payments are becoming common phenomenon with [...] remotely and possibly wirelessly. Furthermore, with the advent of Web services and their [...] (see Ref. #3, Articles and [...]) [...] mobi