ECET 581/CPET/ECET 499 Mobile Computing Technologies & Apps
Mobile and Wireless Security 1 of 2
Paul I-Hai Lin, Professor
Electrical and Computer Engineering Technology
Indiana University-Purdue University Fort Wayne
January 10, 2007

Mobile and Wireless Security
  Various Security Risks
  Traditional Security Issues
  Mobile and Wireless Security Issues
  Problems in Ad Hoc Networks
  Additional Issues: Commerce
  Additional Types of Attacks

Various Security Risks

Traditional Security Issues
  Integrity
  Confidentiality
  Nonrepudiation
  Availability

Traditional Security Issues (cont.)
  Integrity
    • System Integrity: perform its intended functions in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
    • Data Integrity: the receiver of the data can verify that the data have not been modified; in addition, no one should be able to substitute fake data
    • Integrity of Files and Information in transmission
  Confidentiality
    • Only intended recipient(s) can read the provided data
    • Confidentiality of Files and Information in transmission
    • Traffic flow confidentiality

Traditional Security Issues (cont.)
  Nonrepudiation
    • The sender should not be able to falsely deny

  Denial-of-Service Attacks (DoS)
    • Denial of access to information
    • Denial of access to applications
    • Denial of access to systems
    • Denial of access to communications
  Repudiation Attacks
    • Masquerading
    • Denying an event

DoS Attacks - Information
  The Computer Emergency Response Team Coordination Center (CERT/CC), www.cert.org/advisories/
  Denial of Service: http://www.cert.org/tech_tips/denial_of_service.html

DoS Attacks
  Syn_flood, http://www.cert.org/advisories/CA-1996-21.html
    • TCP SYN Flooding and IP Spoofing Attacks
  Smurf, http://www.cert.org/advisories/CA-1998-01.html
    • Smurf IP Denial-of-Service Attacks
    • Denial-of-Service via ping
  Teardrop, http://www.cert.org/advisories/CA-1997-28.html

Distributed DoS Attacks
  Distributed Denial of Service (DDoS)
  Distributed DoS attack software, http://www.tenebril.com/src/spyware/distributed-dos-attack-software.php

Mobile and Wireless Security
  Physical Security
  Information Security
    • Email
    • Contact database
    • Price lists
    • Personal Information Manager
    • Business plan, documents

Mobile and Wireless Security Issues
  Physical Security
    • Detectability
        RF signal
        Changing frequencies
        Use very directional antenna
        Use minimal power
    • Resource Depletion/Exhaustion attack
        Shortens the lifespan of the battery, consumes all the power in a battery
        In Ad Hoc networks – attacks cause key routing nodes to fail, leaving parts of the network unreachable

Mobile and Wireless Security Issues (cont.)
  Theft of Devices
  War Driving
    • Wireless card running some detection software
    • GPS
    • Driving around: detect the presence of wireless networks, and GPS gives the location for later reference

Problems in Ad Hoc Networks
    • Data pass through several other Ad Hoc networks
    • Man in the middle attack to copy or corrupt data in transit
  Routing (risks)
    • Spoofing
        ARP Spoofing: request an address and pass data to impersonator
    • ARP cache poisoning: actively corrupt data as it passes through
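
The ARP spoofing and cache poisoning risks above can be watched for on the defending side by pinning the first IP-to-MAC binding seen and flagging later changes. This is an added example, not part of the original slides; the function name, alert labels and sample replies are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as read from ARP replies.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:55"),    # gateway announces itself
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),   # ordinary host
    (9, "192.168.1.1", "00:11:22:33:44:55"),    # refresh, same binding
    (14, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP claimed by a new MAC
    (15, "192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC now claims a second IP
]

def find_arp_anomalies(replies, pinned=None):
    """Flag IP-to-MAC rebinding and MACs that start answering for several IPs.

    `pinned` is an optional dict of trusted IP -> MAC entries (hypothetical
    input, e.g. exported from static ARP configuration).
    """
    bindings = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    claimed = defaultdict(set)          # MAC -> set of IPs it has answered for
    for ip, mac in bindings.items():
        claimed[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = bindings.setdefault(ip, mac)   # first sighting pins the binding
        if expected != mac:
            # The pinned entry is kept, so a poisoned reply never becomes "known".
            alerts.append((ts, "rebind", ip, f"{expected} -> {mac}"))
        before = len(claimed[mac])
        claimed[mac].add(ip)
        if len(claimed[mac]) > max(before, 1):    # alert only when the set grows
            alerts.append((ts, "multi-ip", mac, ",".join(sorted(claimed[mac]))))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

Address reassignment by DHCP and routers doing proxy ARP produce the same signals, so alerts need to be checked against known infrastructure before being treated as poisoning.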

airports, etc)
    • Ad Hoc networks of soldiers

Additional Issues: Commerce
  Liability
  Fear, uncertainty, and doubt
  Fraud
  Big bucks at stake

Additional Types of Attacks
  “Man in the Middle” Attacks
  Traffic Analysis
  Replay Attacks
    • Reusing data in a packet observed by a malicious node
  Buffer-Overflow Attacks
    • Extra data cause the program to execute different code by changing variable values, program flow, or similar
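
The Data Integrity requirement from the Traditional Security Issues slide and the bullet above on reusing an observed packet can both be handled at the receiver with a keyed MAC over a sequence number plus payload. This is an added example, not part of the original slides; `seal`, `Receiver`, the packet layout and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 64-bit sequence number + payload + HMAC over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Accepts each authentic sequence number once, inside a sliding window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest = -1      # highest sequence number accepted so far
        self.seen = set()      # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        if len(packet) < 8 + TAG_LEN:
            return None, "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Verify the tag first, in constant time, so forged packets cannot
        # influence the replay state below.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.highest - self.window:
            return None, "too-old"
        if seq in self.seen:
            return None, "replay"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return body[8:], "ok"

def demo():
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    rx = Receiver(key)
    p1 = seal(key, 1, b"pay 10 to alice")
    tampered = p1[:8] + b"pay 99 to alice" + p1[-TAG_LEN:]
    p2 = seal(key, 2, b"pay 5 to bob")
    return [rx.accept(p)[1] for p in (p1, p1, tampered, p2)]
```

A shared-key MAC gives integrity and replay rejection but not nonrepudiation, since either key holder could have produced the tag.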