Professional Information Security Association
SEP-2015
PISA Journal
Issue 22

Mobile App Security
  06  Transaction Security of Mobile Apps in Hong Kong
  14  Best Practice Guide (SSL Implementation) for Mobile App Development

Security for Privacy
  16  Secure your Home Automation IoT
  28  No Friend or No Privacy

www.pisa.org.hk
Page 2 of 44
An Organization for Information Security Professionals
Editor: editor@pisa.org.hk
Copyright 2015 Professional Information Security Association
Intranet
  04  Message from the Chair
  27  The Editorial Board
  35  Event Snapshot
  43  The CCFP Self-Study Group
  44  Joining PISA

Royalty free images used from http://freeimages.com: Cover #1314999 by Rotorhead; p.2-3 #1432896 by Marcus Österberg; p.6-7 #1174575 by Péter Farkas; p.14-15 #1244058 by iceviking; p.16-17 #1493394 by Péter Farkas; p.25 #1493394 by Péter Farkas
A Publication of Professional Information Security Association
Message from the Chair

The year 2014/2015 has been another monumental year of security and privacy. In September 2014, we have seen the iCloud security incident. It has raised user concerns on Cloud Computing, and has reminded the public about the importance of Cloud Security and to take further steps to protect their data in the cyber world. We have conducted a couple of public awareness sessions on Cloud Security and Privacy.

We have also seen a steady development within PISA with the establishment of eight special interest groups (SIGs) - (ISC)2 Hong Kong Chapter, Honeynet, Cloud Security, Mobile Security, Core Infrastructure, PISA CERT, Big Data and (FIRE)2 - and a study group on Certified Cyber Forensics Professional (CCFP). They have already conducted a couple of researches and projects in the past year.

In April 2015, Honeynet SIG arranged a workshop for the members to learn the use of Honeypots. In July, (ISC)2 Hong Kong Chapter lined up with (ISC)2 to hold a seminar and panel discussion with the (ISC)2 Management, including David Shearer, the CEO of (ISC)2.

When seeing the popular usage of online transaction services apps in Hong Kong, Mobile Security SIG worked with HKCERT for a co-project about “Mobile Apps SSL Security”, in which around 130 commonly used Hong Kong online transaction services apps were studied. After the collaboration with HKCERT and other government departments, the findings were announced to the public in September.

Another good news was the awards obtained by our members. We would like to congratulate Mr. Eric Fan, Mr. Frankie Leung, Mr. Frankie Li, and Mr. Frankie Wong who were awarded as honorees of the (ISC)2 Asia Pacific ISLA. They have set good examples for information security professionals to collaborate for the betterment of the community.

As always, PISA provides a platform for information security professionals to build trust, to share information and to collaborate for addressing the challenges of emerging threats. We require your involvement and commitment to keep PISA going forward. Hope more studies and researches can be done for the community in the coming future.

PISA Executive Committee (EXCO) and SIGs have been developing plans and activities in the coming year. Such achievements could not have been possible without your dedication and contributions. We will continually explore member benefits and promote security best practices to the public in the coming year.

Finally, we would like to say "Thank You" to the nominators for the elections to PISA EXCO, PISA EXCO, SIGs, those members who have advised us in the last few years, and particularly Eric Fan, our immediate past Chairperson, for the great leadership; and YOU for your participation.

Let us work together to bring PISA toward another successful year in 2015/2016 - 2016 will be our 15th anniversary. Let's celebrate together!

Otto Lee
Chairperson
Transaction Security of
Mobile Apps in Hong Kong
Eric Fan Eric Fan is the Immediate Past Chairperson of PISA. He has 10 years of experience in IT and specializes in hosting and domain. He has started initiatives in promoting security awareness via public education platform (Learn.plus) and he is also involved in big data & smart city development in Hong Kong.
In September 2015, Professional Information Security Association (PISA) and Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) published a study on “Transaction Security of Mobile Apps in Hong Kong”. Among the 130 mobile apps with online transaction services commonly used in Hong Kong that were tested, over one-third lack adequate encryption security in processing credential or transaction data and are vulnerable to man-in-the-middle (MITM) attacks…
Frankie Wong CISSP
Frankie Wong is working at HKCERT as a Senior Security Analyst with interest in mobile security and Honeynet project. He joined the Mobile Security SIG and Honeynet SIG since 2013. He was a speaker in Honeynet workshops and Android workshops of PISA.
Objectives
● The objectives of the study are to identify vulnerabilities in the implementation of Secure Sockets Layer (SSL) in commonly-used mobile apps in Hong Kong and to raise the awareness of the public, app owners and developers on the SSL issues of mobile apps.

Scope
The scope of mobile app testing is set to:
● apps owned by Hong Kong organizations;
● apps which provide online transactions that would handle personal information, credentials and passwords, or payment information;
● apps available for download from the official iOS App Store and Android Google Play Store in the period April to July 2015;
● apps which run HTTP or HTTPS transfer protocols only.

Areas to Study
● Did the app use SSL?
● If SSL was used, did the app validate the digital certificate of the SSL connection and handle it correctly?
● Did the app apply advanced certificate validation (e.g. certificate pinning) to provide advanced MITM protection?
● Did the app encode/encrypt sensitive data on the application layer?

Category
There were in total 130 mobile apps tested — 64 Android apps and 66 iOS apps. They were classified into seven categories according to the service:

Category                          No. of mobile apps
Mobile Banking                    32
Cinema Ticketing                  26
Financial Securities              24
Online Shopping / Group Buy       16
Travel Booking Service            13
Online Food Ordering              11
Digital Wallet / Payment Service   8
Methodology
The testing environment simulates a Man-in-the-Middle (MITM) attack between the mobile client and the server through a proxy (see Figure 1).

Fig 1. Testing Environment

When the mobile client connects to the Internet through a Wi-Fi access point which is connected to the proxy, the traffic will be captured by the proxy. In order to listen to the "https" communication, the proxy impersonates the server by presenting a fake certificate to the mobile client. The mobile device, if not able to identify the fake certificate, will continue to communicate with the proxy, as if it were the real server, over SSL using the encryption keys exchanged with the proxy. The proxy server is then able to decrypt all data transferred via it to the server. Burp Suite proxy is used as the proxy server. It is a well known and cross platform web proxy for security testing. For the mobile devices, Android version 4 or above and iOS 4 or above is required, due to the support of proxy configuration. In our test, an LG Nexus 5 (Android 5.1) and an Apple iPhone 4S (iOS 8.3) were used.

A secure mobile app should be able to validate the digital certificate and stop any traffic between the mobile app and the server. When an untrusted certificate (Burp Suite's certificate) is injected in the middle, the mobile app should be able to detect it and deny establishing an SSL connection.

During the test, we ran the mobile apps tap by tap manually. Fake information and credentials were inputted, including user name, password, email, phone number, credit card number, credit card expiry date and credit card secure code (CVV). The connection establishment and the traffic passing through the proxy could be observed.

An advanced secure mobile app may apply MITM-resistant protection, for example, certificate pinning. An SSL connection can only be established when an identified certificate of the server has been pinned in the mobile app. In this case, even if the mobile device has been compromised to trust the certificate of a fake CA (for example, Burp Proxy's CA certificate), the mobile app is able to detect it and deny establishing an SSL connection.

Each app was rated with a grading scheme into grade A to grade E (see Fig. 2).

Level             Description
A  Most Secure    SSL and advanced certificate validation applied
B  Secure         SSL applied, and correct SSL validation
C  Vulnerable     SSL applied, but no SSL validation. Encoded text can be captured.
D  Vulnerable     SSL applied, but no SSL validation. Plain text can be captured.
E  Serious        No SSL applied. Sensitive data are involved.

Fig 2. Grading Scheme
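As an added example (not code from the study or from HKCERT/PISA), the client-side behaviours behind grades A, B and C/D written as Python TLS client settings: a context that validates the chain and hostname, the disabled-validation defect that lets the proxy read "encrypted" traffic, and a certificate pin check that still rejects the proxy's certificate when its CA has been installed on the device. Host names, ports and pin values are placeholders, and the DER bytes in the demonstration are constructed.

```python
"""Added example, not code from the PISA/HKCERT study: the client-side TLS
behaviours behind the study's grades, as a Python client.  Hosts, ports and
pin values are placeholders chosen for illustration."""
import hashlib
import socket
import ssl
from typing import Iterable, Set


def secure_context() -> ssl.SSLContext:
    """Grade B: the server chain is validated against the device trust store and
    the hostname is checked, so a proxy's forged certificate is rejected unless
    its CA has been installed on the device."""
    return ssl.create_default_context()


def insecure_context() -> ssl.SSLContext:
    """Grade C/D (the defect behind the 18.5% of apps that did not validate):
    TLS is used, but any certificate is accepted, so an interception proxy can
    read every request."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # hostname no longer compared to the cert
    ctx.verify_mode = ssl.CERT_NONE     # chain no longer validated at all
    return ctx


def context_is_validating(ctx: ssl.SSLContext) -> bool:
    """True when the context would reject an untrusted or mis-named certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate; the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Grade A: accept only a leaf certificate whose fingerprint was pinned at
    build time.  A device that has been made to trust the proxy CA still fails
    this check, because the proxy cannot present the real server certificate."""
    expected: Set[str] = {p.lower() for p in pins}
    return cert_fingerprint(der_cert) in expected


class PinMismatch(ssl.SSLError):
    """Raised when the validated chain does not end in a pinned certificate."""


def pinned_connect(host: str, port: int, pins: Iterable[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Hypothetical helper: open a TLS connection that must pass BOTH chain
    validation and the pin check.  Pinning is applied on top of, never instead
    of, normal validation."""
    ctx = secure_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)   # raises on a bad chain
    except ssl.SSLError:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not check_pin(der, pins):
        tls.close()
        raise PinMismatch(f"{host}:{port} presented a certificate that is not pinned")
    return tls


if __name__ == "__main__":
    # Offline demonstration with a constructed stand-in for a DER certificate.
    fake_leaf = b"constructed DER bytes standing in for the server certificate"
    pin = cert_fingerprint(fake_leaf)
    print("secure context validates:", context_is_validating(secure_context()))
    print("insecure context validates:", context_is_validating(insecure_context()))
    print("pin matches own cert:", check_pin(fake_leaf, [pin]))
    print("pin matches other cert:", check_pin(b"proxy certificate", [pin]))
```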
Result of Study
The majority (66%) of the mobile apps involving payment transactions and personal information were found to be secure and safe for mobile users, with 11% in Grade A and 55% in Grade B. The remaining 34% of the mobile apps either did not apply SSL (15.4%, Grade E) or did not validate the digital certificate used in SSL (18.5%, Grades C and D). They are insecure for use.
See Figure 3 for the grading distribution of 130 apps.
Fig 3. Grading Distribution of 130 Apps
Analysis into the seven types of services offered by these apps revealed that digital wallet/ payment service and mobile banking apps feature better encryption security, with over 87% attaining “secure” and “most secure” grading. The transaction security of cinema ticketing and online food ordering apps was in the medium level. Over half of the financial securities, online shopping/group buy and travel booking service apps tested were found to be “vulnerable”, or even “serious”, with no encryption at all.
Fig 4. Grading Distribution by Service Categories
Figure 4 shows the distribution of grades across different service categories. Mobile apps not applying SSL encryption are mostly found in several service categories — Online Shopping/Group Buy, Travel Booking Service and Online Food Ordering. They can be sniffed easily over untrusted communication channels. There are also mobile apps that used SSL but did not validate the digital certificate. An attacker can intercept the traffic and present a fake certificate to view all “encrypted” traffic. Financial Securities apps belonged to this group.
Most apps in Mobile Banking and Digital Wallet/Payment Service are secure and safe for users. For mobile apps handling high risk transactions, the "Most Secure" level is recommended. Apps in this level adopted more advanced digital certificate validation to cater for conditions when the mobile device has been installed with a fake certificate.
Follow up of Insecure Apps
HKCERT has coordinated with the appropriate regulating institutions, including the Hong Kong Monetary Authority, the Securities and Futures Commission and the Office of the Privacy Commissioner for Personal Data, to follow up the insecure mobile apps found in the study.

PISA and HKCERT have published the Study Report [1] to alert the public to the findings at a press conference.

Frankie Wong & Eric Fan ■

Fig 4. At the Press Conference

Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA
Reference [1] HKCERT and PISA (2015) "Transaction Security of Mobile Apps in Hong Kong" Study Report. Available: https://www.hkcert.org/my_url/en/blog/15092402
Practice Guide
Further to the study on the “Transaction Security of Mobile Apps in Hong Kong”, HKCERT and PISA jointly published the Best Practice Guide (SSL Implementation) for Mobile App Development [1] for mobile app owners and developers to improve mobile app security. This document describes common practices which help mobile application developers handle SSL connections in appropriate ways, to provide a secure channel between the mobile app and the server and to prevent MITM attacks.

[1] HKCERT and PISA (2015) “Best Practice Guide (SSL Implementation) for Mobile App Development”. Available: https://www.hkcert.org/my_url/en/guideline/15091401
[2] Office of the Privacy Commissioner for Personal Data (2014) “Best Practice Guide for Mobile App Development”. Available: https://www.pcpd.org.hk/english/resources_centre/publications/files/Mobileapp_guide_e.pdf
We here share the Table of Content of the Practice Guide for your reference. You can refer to the Practice Guide directly.

Table of Content
● Relevance of the Personal Data (Privacy) Ordinance to the Security of SSL Implementation in Mobile Application Development
● Possible reasons of invalidation of SSL
● Secure SSL/TLS connection checklist
● Best Practices
  ● General Best Practices
  ● iOS Specific Best Practices
  ● Android Specific Best Practices
● Recommendations on Practical Programming
  ● Android Scenarios
  ● iOS Scenarios
● Certificate Pinning
● Conclusion
Secure your Home Automation
Wallace Wong CISSP CISA PMP ITIL
Wallace Wong has different IT exposure in private and public sectors. He is currently working as a Senior System Analyst in the Government for security, audit and project management.
Nowadays, there are many smart-home initiatives with Internet of Things (IoT) known to mankind, such as Apple “HomeKit”, Google “Nest” and Samsung “SmartThings”, which can provide some sort of open Software Development Kit (SDK) to develop everything together for home automation. On the other hand, some companies are integrating everything themselves and then selling it to customers, such as Xiaomi “Smart Home Set”, “Plug”, “Camera” and even “Water Purifier”.

However, what are their security designs? Have any security measures been implemented in these IoT devices for home automation? Have any security issues been found? Are there any recommendations to secure these IoTs? These are the questions which this article will try to cover as much as possible.

WHAT security measures are designed and implemented?
WHAT security issues are found?
HOW to secure these IoTs?

Design
With reference to the introduction from one of these IoT vendors, it is a framework for communicating with and controlling connected home automation accessories that support IoT. Related mobile apps enable users to discover compatible accessories and configure them. Users can also create actions to control them. Some protocol objects are stored on the user’s portable device, which can even be synchronized over the cloud to other portable devices. Some can support remote access to the accessories, multiple devices and users. More importantly, some could handle security and privacy.
Fig. 1: Introduction to HomeKit (Apple, 2015)
In the security guide of the related operating system and mobile device, the IoT identity and security are based on public-private key pairs. A key pair is generated on the mobile device for each user, which becomes his or her IoT identity. It is used to authenticate the communication between the mobile devices and accessories. On the other hand, the accessories also generate their own key pair for use in communicating with mobile devices. If the accessory is restored to factory settings, a new key pair is generated. For data communication, when a relationship is established between a mobile device and an IoT accessory, keys are exchanged using a secure protocol (e.g. 3072-bit), utilizing the code provided by the accessory’s manufacturer and entered on the mobile device by the user, and then encrypted with the derived keys (e.g. SHA-512). When the mobile device and the IoT accessory communicate during use, each authenticates the other utilizing the keys exchanged in the above process. Each session is established using the protocol and is encrypted with derived keys (e.g. SHA-512) based on per-session keys. This applies to both IP-based and Bluetooth Low Energy accessories.
For data storage, the IoT stores data on a user’s mobile device. This stored data is encrypted using keys derived from the user’s IoT identity keys, plus a random nonce. Encrypted backups will also include the IoT data, while unencrypted backups do not contain it. For data synchronization, it is done with encryption between a user’s mobile devices using the cloud and key store. This data is handled as an opaque blob and the most recent one is stored in the cloud. Thus, the contents are inaccessible during transmission and cloud storage. For app access, it is controlled by the user’s Privacy settings and users are asked to grant access for accessing the home data.
Fig. 2: Observing HomeKit Database Changes (Apple, 2015)
Sampling Although there are many kinds of home automation accessories enabled with IoT on the market, the adoption rate of these accessories is still low when comparing with that of smartphones and tablets. Thus, it is also quite difficult to find out and test which of these accessories for home automation are concerned by general public.
Starting from the end of 2014, some Chinese manufacturers have started to change their product lines from their existing hardware or software to other new areas such as home automation. Since they are less expensive and offered in more varieties than those of the existing Western manufacturers, one of the Chinese IoT-enabled accessories has been used as the sample in this document. To control these home automation accessories at home, users can access the “Smart Home” system from the main menu of the TV box (Fig. 3a). In the sub-menu of the TV box (Fig. 3b), users can find out which accessories are connected, including the router, power plug, wearable band and smart camera. Users can further drill down into one of these accessories and then see its current status or contents (e.g. recorded video of the Wi-Fi camera, or even purified air and water if equipped).
Fig. 3a & 3b: Main menu and sub-menu of TV box for home automation. (Xiaomi, 2015)
To control them when users are out on the street, users can see their status by using the mobile app (Fig. 4a). They can change the settings of this Wi-Fi-enabled gateway and also review the logs of the three Bluetooth-connected devices, the door sensor, remote control and motion detector, in the “Smart Home Kit” (Fig. 4b). For example, users can quickly identify when the door has been opened (Fig. 4c) and watch the respective recorded videos from the network camera. In addition, users can also reduce the amount of recorded video by creating an automated rule in the door sensor to trigger the power plug to enable the USB port for the network camera to start video recording.
Fig. 4a, 4b & 4c: Devices in Mobile App, Status in Home Kit and Door Sensor. (Xiaomi, 2015)
Some mobile apps will also show the Bluetooth-enabled weight scale (Fig. 5a) or wearable band with details in the app (Fig. 5b) or in the TV menu (Fig. 5c) of the previously mentioned “Smart Home” system.
Fig. 5a, 5b & 5c: List of Bluetooth accessories, wearable band in app and TV menu (Xiaomi, 2015)
Security Issues
Although these sampled accessories are less expensive and very convenient to use, at least one security issue was reported. If a user could connect to the network of the IoT accessory (e.g. Wi-Fi access for a guest), the Wi-Fi network camera could be accessed without any authentication. Moreover, the Wi-Fi password and recorded videos were also exposed, as found in the following screen captures (Figure 6).

Figure 6: Screen Captures from the Wi-Fi Camera (360 Bo Bao, 2015)

Since the issue was found half a year ago, the vulnerability of missing user authentication should have been patched, as shown in the current capture:
Fig 7: A red screen without list of content is shown from Wi-Fi camera “website”.
Categories of Security Problems
Based on Emma’s article, vulnerabilities differ with the variety of home automation systems and devices on the market. However, most of them were classified under the following categories:
● Unsecured communications protocols used to connect smart appliances to other devices;
● Use of port forwarding to enable remote access to devices connected to the home system;
● Lack of data transport encryption, even for downloads of software updates (and also for data communication, storage and synchronization);
● Poor authentication requirements for network control commands and lack of granular access permissions; and
● Unsecured web interfaces and mobile devices used to control an entire home network.

By exploiting any of these categories, hackers may connect to users’ home networks in order to reboot the devices, control the appliances, install malware, steal sensitive/personal data, or even take control of the security system to break into their houses.
Recommendations
No matter whether a secure design of the IoT has been adopted by the manufacturers, users should protect their homes from the potential risks of these IoT-enabled accessories with the FBI’s recommendations and additional remarks as follows:
● Isolate those IoT devices from the original networks. For a wired network, separate them logically into a different Virtual LAN with an Access Control List (ACL) or firewall rule, and even physically from the internet gateway or networks. For a wireless network, re-enable Access Point (AP) isolation after the IoT device is registered, and use a different Service Set Identifier (SSID) or even a separate AP for IoT communication;
● Disable Universal Plug and Play (UPnP) on routers. Also disable port forwarding or unnecessary ports for those IoT devices;
● Consider whether IoT devices are ideal for their intended purpose. Review whether internet access or remote access is really required. If possible, further secure the remote access with a Virtual Private Network (VPN) and restrict to local access only;
● Purchase IoT devices from manufacturers with a track record of providing secure devices. Currently, those secure devices may usually be more expensive and more difficult for the manufacturers to produce. However, it will be amazing for the consumer according to Aaron’s article;
● Update IoT devices with security patches when available. Although these devices or accessories may be only Bluetooth or Wi-Fi enabled, they should also be patched ASAP, from the mobile app automatically or reviewed manually;
● Be aware of the capabilities of the devices and appliances installed in your homes and businesses. Since some manufacturers might usually want to collect as much information as they can from your accessories and explore as many functions as possible to expand their market share in home automation accessories or IoT devices, you have to think twice about the actual functions required and whether excessive functions have been enabled; and
● Use strong passwords. In addition, a different password from your existing network or device should be used to avoid malicious attempts with the same password against the IoT.
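As an added example (not from the article), the first two recommendations, a separate IoT VLAN that cannot initiate connections to the home LAN, no UPnP discovery and no inbound port forwarding, while the LAN can still control the accessories over their local addresses, modelled as a first-match rule set in Python with an audit that compares it against a flat "everything allowed" home network. Subnets, addresses and the set of permitted outbound ports are constructed assumptions.

```python
"""Added example (not from Wallace Wong's article): a first-match model of the
IoT network isolation the recommendations describe (separate VLAN, ACL/firewall
rules, no port forwarding, no UPnP), plus an audit that checks a rule set
before it is pushed to the router.  Subnets and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

LAN = ip_network("192.168.1.0/24")        # constructed: phones, PCs, NAS
IOT = ip_network("192.168.50.0/24")       # constructed: separate IoT VLAN
ANY = ip_network("0.0.0.0/0")
SSDP = ip_network("239.255.255.250/32")   # UPnP discovery multicast group


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None              # None matches any protocol
    dports: Optional[FrozenSet[int]] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.proto is None or self.proto == f.proto)
                and (self.dports is None or f.dport in self.dports))


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"


# Rule set implementing the article's recommendations.  Order matters: the
# IoT-to-LAN and UPnP denies must precede the broad "IoT to internet" allow.
ISOLATED_POLICY = [
    Rule("deny", IOT, LAN),                              # VLAN isolation
    Rule("deny", IOT, SSDP, "udp", frozenset({1900})),   # no UPnP discovery
    Rule("allow", LAN, IOT),                             # control accessories over LAN IP (e.g. after VPN)
    Rule("allow", IOT, ANY, "tcp", frozenset({443})),    # cloud/app traffic and updates over HTTPS only
    Rule("allow", IOT, ANY, "udp", frozenset({123})),    # NTP
    # No rule allows internet -> IOT: that is the "disable port forwarding" step.
]

# What a default home router looks like once AP isolation is switched off and
# the IoT gear sits on the main LAN: everything may talk to everything.
FLAT_POLICY = [Rule("allow", ANY, ANY)]


def audit(rules: List[Rule]) -> List[str]:
    """Return the names of the isolation invariants the rule set violates."""
    checks = {
        "iot_cannot_reach_lan":  evaluate(rules, Flow("192.168.50.20", "192.168.1.10", 445)) == "deny",
        "upnp_blocked":          evaluate(rules, Flow("192.168.50.20", "239.255.255.250", 1900, "udp")) == "deny",
        "no_inbound_forwarding": evaluate(rules, Flow("203.0.113.5", "192.168.50.20", 80)) == "deny",
        "lan_can_control_iot":   evaluate(rules, Flow("192.168.1.10", "192.168.50.20", 80)) == "allow",
        "iot_can_reach_cloud":   evaluate(rules, Flow("192.168.50.20", "198.51.100.7", 443)) == "allow",
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    print("isolated policy violations:", audit(ISOLATED_POLICY))
    print("flat policy violations:", audit(FLAT_POLICY))
```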
Epilogue
When I found those sampled home automation accessories with IoT features released on the market at lower cost, it was very exciting to try and deploy them as soon as possible. Initially, AP isolation had to be disabled in my wireless router in order to register these accessories. Moreover, most of these accessories are required to connect to the internet directly for the mobile apps (instead of accessing these accessories by LAN IP after VPN) and also continuously (instead of storing the data to a NAS for later review). As a result, those accessories have aroused my security concern and prompted further study of another manufacturer (e.g. Apple HomeKit) as well as reference to others.
Wallace Wong ■
Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA
Reference
1. 360 Bo Bao (2015). “小米公司智能家居解决方案‘访客用户’越权控制漏洞” (Xiaomi smart home solution “guest user” unauthorized control vulnerability), 3 February 2015. Available: http://bobao.360.cn/news/detail/1192.html
2. Aaron, T. (2015). “Apple's HomeKit Is Proving To Be Too Demanding For Bluetooth Smart Home Devices”, 21 July 2015. Available: http://www.forbes.com/sites/aarontilley/2015/07/21/whats-the-hold-up-for-appleshomekit/
3. Apple (2015). “Introduction to HomeKit”, 8 April 2015. Available: https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/HomeKitDeveloperGuide/Introduction/Introduction.html
4. Apple (2015). “iOS Security – White Paper (Section: HomeKit)”, June 2015. Available: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
5. Bob, B. (2015). “Even the FBI is worried about Internet of Things security”, 11 September 2015. Available: http://www.networkworld.com/article/2983573/internet-of-things/even-the-fbi-is-worried-about-internet-of-things-security.html
6. Emma, B. (2014). “Smart Homes Controlled by Smartphones Need 3x Smarter Security”, 9 October 2014. Available: http://oemhub.bitdefender.com/smart-homes-controlled-by-smartphone
7. Holly, K. (2014). “7 Ways to Protect Yourself From Home Automation Hackers”, 6 October 2014. Available: http://www.safewise.com/blog/7-ways-protect-home-automation-hackers/
8. Patrick, N. (2015). “IoT to cause major security headaches, says report”, 11 June 2015. Available: http://www.networkworld.com/article/2934432/security0/iot-to-cause-major-securityheadaches-says-report.html
9. Riusksk (2015). “潜伏在身边的危机:智能设备安全” (The danger lurking around us: smart device security), 6 September 2015. Available: http://security.tencent.com/index.php/blog/msg/94/
10. Robert, L. (2015). “5 steps to keep your smart home from being hacked”, 9 June 2015. Available: http://www.pcworld.com/article/2925056/5-steps-to-keep-your-smart-home-frombeing-hacked.html
11. Xinhuanet (2015). “智能家居带来信息安全问题 规模盲目扩增或引木桶效应” (Smart homes bring information security problems; blind expansion of scale may trigger a barrel effect), 4 August 2015. Available: http://news.xinhuanet.com/tech/2015-08/04/c_128088071.htm/
PISA Journal The Editorial Board
SC Leung CISSP CISA CBCP
Joyce Fan
Ian Christofis
CISSP CRISC CISA
CISSP
Alan Ho CISSP CISA CISM CGEIT
You can contribute to PISA Journal by:
● Joining the Editorial Board
● Submitting articles to the Journal

SC Leung, Chief Editor
editor@pisa.org.hk
Next Issue: Issue 23 (Mar-2016)
No Friend or No Privacy
Alan Tam PCI-QSA, CISSP, CEH, CCNP-Security
Alan has been working and specialising in Information Security for 18 years. He worked for US-based and PRC-based consulting companies, as well as a government-affiliated institution, and is now a security consultant in IBM. He is a founding member of PISA and led the Wireless LAN Security SIG in its early years.
I hate Ads, no matter whether they are so called “high quality”, “targeted”, “context-sensitive”, “text-only” or “non-intrusive”. However, Ads keep the Internet running because they are a major revenue stream for content providers. Privacy experts have been working hard to find a solution balancing the crowds on the two sides.

Why do I hate Ads? A decade ago, a friend told me that having Ads around was actually not bad; they kept him informed of what was happening and what the city’s hot topics were; context-sensitive Ads were of course better as they showed only what he had interest in. He asked me, “Why do you hate Ads?”. At that time, slow ADSL was dominant in household Internet service, therefore I replied, “Ads increase page loading time and slow down Internet browsing, especially graphical Ads, not to mention those CPU intensive Flash Ads.” Screening such Ads was easy by just installing a browser plugin like “Adblock”,
available for Webkit browsers and Gecko browsers (i.e. Chrome, Safari, Firefox…). The developer of Adblock has also made a browser for smartphones, which has a built-in feature to block Ads. Its initial version is being released in September 2015. It is important because there had been no addon/plugin facilities in smartphone browsers; one could only use a VPN to your home or a paid service to implement similar Ad blocking. Moreover, it saves a bit of your carrier data transfer for image *and* video ads. However, if my friend asked me the same question again today, I would add one more point: “Ads are a KPI (key performance indicator) of privacy leakage.”
The higher the quality of the Ads, the more privacy has been leaked. Google is one of the most successful privacy harvesting firms. It gathers intelligence on whatever websites you visited, whatever topics you discussed in email, friends you have in your contact list, phone calls you made, books you read, movies/music you liked, games you played, restaurants you have lunch appointments in, frequent locations you hang out… etc. If you save documents there, do you think Google is just helping you build an index for use by yourself only? Take a look at the Google Terms of Service [1], excerpt: “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”
The Case of Facebook Facebook is like Google. It is not a pioneer in virtual social networking. There were instant communications like MSN messaging and ICQ before. Speaking of collaboration, there had been another web service named eCircle, which helped you gather friends (by email addresses) for discussion and organising events through web, long time before Facebook born. By the way there are also
Page 31 of 44
22
bulletin/discussion boards, Yahoo groups, IRC chat rooms and BBS on modem. However, none of them is as successful as Facebook because they do not encourage you to write a lot about yourself, the real yourself. Facebook, with the combination of smartphone, encourages virtual social networking by sharing what you see and what you think. However, the more information you have written, the higher is the impact of the potential privacy leakage. If you have ever permit uploading your smartphone phonebook to Facebook for checking out friends, or simply provided your phone number to Facebook to ensure a secure login, then Facebook can identify exactly who you are. Like Google, Facebook is building a profile of yourself (not build for yourself),
A Publication of Professional Information Security Association
No Friend or No Privacy
PISA
Journal
Professional Information Security Association
with your interest, work, and human network all participating. Screening this tempting force of social networking is difficult. Once upon a time, I am reluctant to open a Facebook account. Until five years ago, I surrendered. It was because a friend group of badminton has imposed a pressure on me to open one, otherwise somebody in the group would need to register each game for me manually. It is a personal favour if the manual register happens occasionally, it would be an annoyance if it happens consistently and persistently. In my case, it happened once a week, for half a year. I had to compromise before all my friends were driven away by this annoyance. Though screening is difficult, information given for account opening can be “enough” instead of “true”.
Page 32 of 44
Like Facebook, there are other social networking apps, e.g. WeChat and Viber, that also requesting access to your phonebook. This sounds reasonable, isn’t it? Since general public is not skeptical and has no alert in giving out personal information, there are even online games starting to harvest information now. Have you ever wondered why WeChat can alert you that a friend in your phonebook is newly joining WeChat? In programming design, there are only two possible mechanisms: (1) Their server saved a copy of phonebook during installation of WeChat on your phone then do the matching at backend; (2) WeChat on your phone will upload phonebook to their server periodically then do the matching at backend. Either mechanism means no good to me, and I believe the second one is being implemented. A friend of mine once says even if he restricts his apps from uploading
An Organization for Information Security Professionals
SEP-2015
Issue
Difference of security partitioning in iOS and Android
cess privacy information, potential risk to cost money without explicit user consent, send/receive data to Ads Network… etc. Especially free games, apps usually have connections to multiple Ads Networks. On the other hand, there is no similar AppBrain Ad Detector on Apple platform because iOS apps are sandboxed and nothing except system process could access information of other apps.
In iOS, you can revoke certain security permission for an app and that app would still functioning. In Android, you cannot. It is either a all-permission-granted or nothingwould-run scenario in this Google platform. Kudos to Google. In Android, there is a security app named “AppBrain Ad Detector” which lists various security concerns of each app installed, including permissions to ac-
There is a new type of app collecting personal information in a “reasonable” way Health apps. Either it is for your good health or medial research purpose, I agree that anonymously contributing only the necessary information with explicit user consent is good to the world. Beyond that, I would have doubt since it is linked with potential
phonebook, his friends will do it anyway and the app company would get all information eventually. It is correct, but please “unfriend” me before doing so. If everyone is thinking the same and no one voices out, the situation will not be improved and app companies will continue their harvesting business.
Page 33 of 44
22
A Publication of Professional Information Security Association
PISA
Journal
Professional Information Security Association
No Friend or No Privacy
economical profit. Therefore the line should be drawn carefully.
only changes I observed is a dialogue box listing the privacy policy of this app.
Temptation to surrender your Privacy
The privacy policy described that user can choose to upload the data to vendor server for analysis because it has a larger capacity. Moreover, the user has to acknowledge that analysis could also happen outside Hong Kong. Frankly speaking, the amount of data for each running exercise is very very small. I do not think it worths uploading to a cloud storage. In my opinion, I believe it is just a dialogue box telling you that: “Hey, I am collecting your data, do you want to continue? If you do not want, I will stop.”
Recently I purchased a piece of interesting sports headphone, it has a music player, GPS, and a heart-rate sensor all built-in. With it on my head, I can go a running without carrying my smartphone. The human vital data would be synchronized back to smartphone for analysis of pace, heart-rate, and song playing at each segments of running. An attractive reason of buying it is because it cleverly selects songs with faster BPM (beats per minute) when my heart-rate goes up. When I install the companion app for analysis on smartphone, I found that I have to register my name and my birthday compulsorily, otherwise the app refuses to collect information from the headphone…
Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA
Page 34 of 44
What the heck? After giving “enough” information, I started to play with the app sometimes, but still with some feeling of being cheated. The vendor should include a clause on the product advertisement that some product features are only available with a registered account. I have seriously considered reporting this case to the Hong Kong Customs and Excise Department as it seems to me a violation of the Trade Descriptions Ordinance, Chapter 362, Laws of Hong Kong. Few weeks later, the smartphone app had gotten an update, the
Since the above headphone is sold worldwide, I guess someone else had already made comments to such information collection practice and the company has to do something to mitigate its legal liability. If no one is skeptical to information collection, privacy harvesting activities would just grow bigger and bigger. Finally, I would to thank the author of XCodeGhost. With his infamous work affecting different areas like Games (e.g. Angry Bird 2), Business (e.g. CamScanner), Social Networking (e.g. WeChat), more and more friends are asking me what are they losing during this malware/leakage incident.
Reference [1] Google Terms and Conditions (modified on April 14, 2014) https://www.google.com/intl/en/policies/terms/
An Organization for Information Security Professionals
Alan Tam ■
SEP-2015
Event Snapshot
We Share. We Progress. We Contribute. We Achieve.

Information Security Summit 2015 (15-16-Sep-2015)
PISA was one of the organizers of the Information Security Summit 2015. It was successfully held on 15-16 September 2015 at HKCEC. The theme of the Summit was "Information Anywhere Anytime – Mobile, Analytics, Cloud, IoTs – Security Friends or Foes". The response to the conference was extremely good.

Secure Hong Kong — Protecting Our Infrastructure and Information Assets (11-Sep-2015)
PISA was one of the organizers of Secure Hong Kong 2015. It was successfully held on 11 September 2015 at the Cyberport. Mr. David Shearer, CEO of (ISC)2, Mr. Victor Lam, Deputy Government Chief Information Officer and Hon. Charles Mok, Legislative Councillor (IT) were our Guests-of-Honour.

Secure Hong Kong 2015
Mr. David Shearer, CEO of (ISC)2, giving a Welcome Address.
Mr. Victor Lam, Deputy Government Chief Information Officer, giving an opening address.
Hon. Charles Mok, Legislative Councillor (IT), giving an opening address.
The Power Panel discussing the most concerning threats and the mitigating measures. (From left) Chester Soong (PCPD), David Shearer ((ISC)2), S.C. Leung (HKCERT), Clara Cheung (Hospital Authority), Kawin Boonyapredee (Qualys), Frankie Li (Dragon Threat Lab) and

Annual General Meeting (29-Aug-2015)
Many PISA members attended the AGM and election.
Clayton Jones of (ISC)2 briefed the new services for members.

Cyber & Mobile Security Seminar for Elderly (22-Aug-2015)
Otto Lee spoke to a group of senior citizens on cyber security.

Cloud Computing for SMEs Seminar by VTC (21-Aug-2015)
Otto Lee spoke to SMEs on cloud security at IVE.

Security in Today's Insecure World - A Dialogue on Security Threats and Smart City (24-Jul-2015)
The Board of Directors of (ISC)2 visited Hong Kong and shared with local professionals their perspective on smart city security.

(ISC)2 Security Congress 2015 and ISLA Award Presentation (29-Jul-2015)
The Asia-Pacific Information Security Leadership Achievements (ISLA) Honorees awards were presented at the Gala Dinner of (ISC)2 Security Congress 2015 in Manila, Philippines.
(From left) S.C. Leung and the four ISLA honourees from Hong Kong, namely Frankie Li, Frankie Wong, Eric Fan and Frankie Leung.

Safe WiFi Public Seminar (25 Jul 2015)
Owen Wong, Chief Systems Manager of OGCIO, delivered the opening address.
The panelists: (From left) Jim Shek, Frankie Wong and Sang Young, and (From right) Eric Fan, the Moderator.
Speakers: Disney Cheng; PISA Infrastructure SIG Member Daby Cheng.

Forensics Ninjutsu Seminar (8 Jun 2015)
Captain, a forensics guru, shared Forensics Ninjutsu (鑑識忍術) with PISA members.

IVE IA Program in Action (6 Jun 2015)
PISA professionals introduced information security skills to IVE students in a mentorship program.

Kung Fu in Computer Forensics Workshop (5 May 2015)
Mr. Ivan Chau, Certified EnCase Instructor, shared knowledge and skills in forensics analysis.
Certified Cyber Forensics Professional (CCFP) Study Group

Certified Cyber Forensics Professional (CCFP) is one of the new credentials from the (ISC)² Information Security Certification Programs. In Hong Kong, there is only one CCFP credential holder and there is no official training course in the market. To address the keen interest of members in the CCFP Certification Program, PISA formed a study group for CCFP examination preparation in December 2014. The founding members of the group are Billy Pang, Mike Lo and Frankie Leung. The first tutorial was held on March 13, 2015. Since then there were 6 classes:
Class 2 (25 Apr 2015)
Class 3 (13 June 2015): Frances Chu on Online Facebook Forensics and Dr. Ricci Ieong on CCSP examination experience sharing
Class 4 (11 Jul 2015)
Class 5 (15 Aug 2015)
Class 6 (12 Sep 2015)
Professional Information Security Association

Vision: to be the prominent body of professional information security practitioners, and utilize expertise and

Many Ways You Can Benefit

Successful Career
Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Networking
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Continued Education
Check out job listings information provided by members. Get information on continuing education and professional certification. Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

Sharing of Information
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Realize Your Potential
Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials.

Professional Recognition
Benefit from the immediate access to professional recognition by using post-nominal designation.

Membership Information
Enquiry email: membership@pisa.org.hk
Membership Application Form: http://www.pisa.org.hk/membership/member.htm
Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

Membership Requirements
Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee. All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.