Mobile Security and Risk Review Second Edition

Mobile Security and Risk Review Second Edition v 1.5 | © 2016 MobileIron, Inc.

Executive Summary

Welcome to the second edition of the Mobile Security and Risk Review. In this edition we update the mobile threat landscape, discuss emerging risks, report OS enterprise share, and list the top blacklisted consumer apps. We conclude with our recommendations for enterprises to protect their assets against mobile risks and threats.

Several new mobile attacks have emerged that threaten enterprises. Most re-use old tactics against mobile-specific services, such as SideStepper’s use of Man-In-the-Middle (MITM) against MDM, rather than employing new techniques or exploiting new vulnerabilities. However, when attacks against users are successful, they can result in the loss of both personal and business data.

This quarter saw the following employee compliance incidents increase:
• Devices with out-of-date policies
• Missing devices
• Devices where the EMM app was removed

While the following risky behaviors decreased:
• Compromised devices
• Devices where the PIN was removed

Other out-of-compliance events stayed largely flat. However, enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, as illustrated by the very small number of companies using App Reputation or Mobile Threat Detection software or enforcing OS updates.

OS vendors continue to patch vulnerabilities

As with any software, the longer it is in market, the more likely it is that vulnerabilities will be identified. Similarly, the more features that are added, the greater the chances that bugs will be introduced. Mobile operating systems are no exception. Apple and Google each released three updates for their mobile OSes during the quarter.[1]

iOS updates included fixes for a number of issues mostly related to memory corruption and potential data leakage, as well as some privilege escalation vulnerabilities.[2] Android security updates released during the quarter addressed 20 critical and 36 high risk Common Vulnerabilities and Exposures (CVEs), many focused on privilege escalation or remote code execution. Also of note, Google continues to patch flaws in both libstagefright and the Android mediaserver libraries, both of which garnered attention in connection with the Stagefright vulnerabilities identified by Zimperium researcher Joshua Drake last year.[3]

Mobile threat landscape

Mobile devices and apps are becoming an increasingly attractive target. In many cases, a mobile device used for work is also used for personal purposes. Mobile threats are as much a risk to enterprises as they are to consumers. Enterprise users are especially vulnerable to these attacks if they don’t have EMM security on their devices. Recent mobile attacks include:

Android GMBot

This spyware remotely controls infected devices in order to trick victims into providing their bank credentials. In December 2015, the source code was leaked online. Not only were cyber attackers able to access this code for free, but there was a tutorial and server-side instruction manual to make it easier to perpetrate attacks.

Recommendation: The release of the source code likely means that more GMBot variants will appear. Because malware that successfully bypasses initial scans in the commercial app stores is often found and removed very quickly, the most common way for it to spread is via third-party stores or “side-loading.” To protect against the malware, monitor devices that allow installation from “Unknown Sources” or have “USB Debugging” enabled and take appropriate enforcement actions.

AceDeceiver iOS malware

AceDeceiver malware is designed to steal a person’s Apple ID. This malware, which was disguised as wallpaper and uploaded to the App Store in late 2015, has been able to infect devices that do not have a compromised operating system. Nor does it rely on an enterprise certificate issued by Apple. The bogus wallpaper induces users to connect to a third-party app store where they are asked to enter their Apple IDs, which are then stolen and uploaded to a server. We include AceDeceiver in our list of Q2 threats because it abuses flaws in Apple DRM that allow it to reinstall the malware even after it has been removed from the store, giving it a persistence that earlier iOS malware lacked.

Recommendation: It’s important to note that only three apps containing the AceDeceiver malware were identified and, while they evaded initial detection, they were found and removed. It’s also important to reiterate that AceDeceiver can re-install itself on Apple iOS devices using separate malware on a PC. Somewhat ironically, the best way to protect against AceDeceiver is to use traditional PC anti-virus/anti-malware solutions to prevent PCs from being infected with the utility that is used to re-load AceDeceiver.

SideStepper iOS “vulnerability”

In March 2016, security researchers at Check Point again underscored the risks of MITM attacks, using the technique to intercept and manipulate traffic between an MDM server and a managed device, specifically targeting MDM-initiated app installation commands to install apps that could “side-step” normal app approval processes. The SideStepper attack requires the end user to be tricked into installing a malicious configuration profile, usually the result of a phishing attack. The user must confirm the installation of the profile and also confirm additional prompts to install any malicious applications.

Recommendation: The risk from SideStepper stems primarily from a successful execution of a MITM attack. To protect against these kinds of attacks, configure iOS Restrictions to prevent users from accepting untrusted SSL certificates and installing configuration profiles. For MobileIron customers with more stringent security policies, consider enabling FIPS Mode.

High-severity OpenSSL issues

In May 2016, OpenSSL disclosed two flaws.[4] One of the flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC cipher and the server supports AES-NI. The second issue is a memory corruption vulnerability in the ASN.1 encoder used in OpenSSL. These vulnerabilities can potentially impact large numbers of applications and services, which could ultimately jeopardize enterprise data-in-motion.

Recommendation: The high-severity OpenSSL issues are not limited in scope to mobile. We highlight them here because they are representative of a new class of risks created by the use of open source and shared components. Vulnerabilities in these types of components can create widespread exposures, due to their ubiquity. Protecting against these types of vulnerabilities requires cataloging the open source components that may be in use in your environment and performing source code analysis of the applications and services that use these components.

Marcher Android malware

Since it first appeared in 2013, Marcher has evolved to mimic bank web pages that trick users into entering their login information through e-commerce web sites.

Recommendation: Here again, we have malware that is fairly old and not only continues to persist but expands its targets. We mention Marcher in this report because it has begun to target additional banks over the last quarter. The recommendations to protect against Marcher are the same as those outlined for GMBot: monitor devices that allow installation from “Unknown Sources” or have “USB Debugging” enabled and take appropriate enforcement actions.

Mobile security risks and costs on the rise

Security incidents are often the precursor to a breach because they leave a device or app vulnerable, and that can put enterprise data at risk. A mobile device that is compromised or out of compliance increases an enterprise’s vulnerability, and data breaches are getting more expensive. In 2016 the Ponemon Institute conducted a survey of 383 companies in 12 countries. The results showed that the average total cost of a data breach is $4 million — an increase of 29% since 2013.[5]

Employee compliance incidents increased

Missing Devices

A missing device is defined as one that is out of contact for an extended period. It could be lost, stolen, not in use, or turned off. Forty percent of companies had missing devices, up from 33% in Q4 2015. German companies were the most likely to have missing devices (50%) and Spanish companies were the least likely (25%).

Recommendation: In cases of missing devices, it’s important to “close the loop” with the end user to determine the actual state of a device that appears to be missing. In addition to quarantining the device to prevent access to enterprise resources, organizations should leverage automated notification mechanisms to alert both end users and IT to the condition so that the state of the device can be determined and, if necessary, additional action can be taken.

Out-of-date policies

Out-of-date policies occur when the mobile IT administrator has changed a policy on the console but that change has not propagated to all devices under management. Companies with out-of-date policies increased from 20% in Q4 2015 to 27% in Q2 2016. U.S. companies were the most likely to have out-of-date policies (33%) and Spanish companies were the least likely (20%).

Recommendation: Like missing devices, out-of-date policies require action on the part of IT and, potentially, the end user.

Footnotes

[1] Apple officially released iOS 9.3.1 on March 31st, 2016, the last day of Q1.
[2] https://support.apple.com/en-us/HT206568, https://support.apple.com/en-us/HT206902
[3] https://source.android.com/security/bulletin/2016-04-02.html, https://source.android.com/security/bulletin/2016-05-01.html, https://source.android.com/security/bulletin/2016-06-01.html
[4] https://threatpost.com/openssl-patches-two-high-severity-vulnerabilities/117792/
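The SideStepper recommendation above (refuse untrusted SSL certificates and block user installation of configuration profiles) expressed as an iOS Restrictions payload, built and audited with Python's plistlib. This is an added example, not MobileIron's code; the payload type and key names are Apple's documented Restrictions payload keys, while the identifiers and organization name are constructed placeholders.

```python
"""Build and audit an iOS Restrictions payload for the two settings the
SideStepper recommendation names. Added example, not MobileIron's code.
PayloadType and key names are Apple's Restrictions payload keys; identifiers
and the organization name are constructed placeholders.
"""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"

# Key -> value required for the SideStepper mitigation.
# allowUntrustedTLSPrompt: False makes connections to a host with an untrusted
#   certificate fail instead of asking the user to trust it.
# allowUIConfigurationProfileInstallation: False stops the user from installing
#   profiles interactively (Apple applies this key on supervised devices only).
REQUIRED_RESTRICTIONS = {
    "allowUntrustedTLSPrompt": False,
    "allowUIConfigurationProfileInstallation": False,
}


def build_restrictions_profile(restrictions, org="Example Corp"):
    """Wrap a Restrictions dictionary in an (unsigned) configuration profile plist."""
    payload = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.baseline",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} iOS baseline",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_restrictions(profile_bytes):
    """Return the required restrictions a profile fails to enforce.

    An absent key counts as failing: iOS defaults to allowing both the
    untrusted-certificate prompt and interactive profile installation.
    """
    profile = plistlib.loads(profile_bytes)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        for key, value in payload.items():
            if key in REQUIRED_RESTRICTIONS:
                # Several Restrictions payloads combine to the most restrictive value.
                effective[key] = effective.get(key, True) and bool(value)
    return [key for key, required in REQUIRED_RESTRICTIONS.items()
            if effective.get(key, True) != required]


# Constructed weak profile: explicitly allows the TLS prompt and omits the
# profile-installation key, so the iOS default (allow) applies.
WEAK_PROFILE = build_restrictions_profile({"allowUntrustedTLSPrompt": True})
HARDENED_PROFILE = build_restrictions_profile(REQUIRED_RESTRICTIONS)

if __name__ == "__main__":
    print("weak profile findings:", audit_restrictions(WEAK_PROFILE))
    print("hardened profile findings:", audit_restrictions(HARDENED_PROFILE))
```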
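The compliance incidents this report tracks (missing devices, out-of-date policies, EMM app removed, compromised devices, PIN removed) together with the “Unknown Sources” / “USB Debugging” check from the GMBot and Marcher recommendations, evaluated over constructed EMM check-in records and rolled up into the per-country share of companies affected, the way the report states its 50% / 25% figures. This is an added example, not MobileIron's code; the record field names, the 7-day missing-device threshold and the enforcement-action mapping are assumptions.

```python
"""Evaluate constructed EMM device check-in records against the compliance
incidents in this report and compute the share of companies affected.
Added example, not MobileIron's code. Field names, the 7-day threshold and the
action mapping are assumptions; all records are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MISSING_AFTER = timedelta(days=7)   # "out of contact for an extended period" (assumed value)
CURRENT_POLICY_VERSION = 12         # policy version last published on the console (constructed)
NOW = datetime(2016, 6, 30, 12, 0)  # end of the report's Q2 (constructed)

INCIDENTS = ("missing", "out_of_date_policy", "emm_app_removed",
             "compromised", "pin_removed", "sideload_exposure")


def record(company, country, hours_since_seen, policy_version=CURRENT_POLICY_VERSION,
           emm_app_installed=True, compromised=False, pin_set=True,
           unknown_sources=False, usb_debugging=False):
    """Build one constructed check-in record."""
    return {"company": company, "country": country,
            "last_seen": NOW - timedelta(hours=hours_since_seen),
            "policy_version": policy_version, "emm_app_installed": emm_app_installed,
            "compromised": compromised, "pin_set": pin_set,
            "unknown_sources": unknown_sources, "usb_debugging": usb_debugging}


# Constructed fleet: four companies in three countries.
DEVICES = [
    record("Acme GmbH", "DE", 9 * 24),                                      # missing
    record("Acme GmbH", "DE", 1, policy_version=11, unknown_sources=True),  # stale policy, side-loading
    record("Beta AG", "DE", 48),                                            # compliant
    record("Gamma SL", "ES", 3, emm_app_installed=False, pin_set=False),    # EMM app and PIN removed
    record("Delta Inc", "US", 30 * 24, policy_version=10, compromised=True,
           usb_debugging=True),                                             # several incidents at once
    record("Delta Inc", "US", 24),                                          # compliant
]


def evaluate_device(d, now=NOW):
    """Return the incident labels that apply to one device, in INCIDENTS order."""
    findings = []
    if now - d["last_seen"] > MISSING_AFTER:
        findings.append("missing")
    if d["policy_version"] < CURRENT_POLICY_VERSION:  # console change not yet propagated
        findings.append("out_of_date_policy")
    if not d["emm_app_installed"]:
        findings.append("emm_app_removed")
    if d["compromised"]:                               # rooted / jailbroken
        findings.append("compromised")
    if not d["pin_set"]:
        findings.append("pin_removed")
    if d["unknown_sources"] or d["usb_debugging"]:     # Android side-loading exposure
        findings.append("sideload_exposure")
    return findings


def enforcement_actions(findings):
    """Map findings to actions. 'missing' follows the report (quarantine, notify
    user and IT); the remaining mapping is an assumption for a typical EMM."""
    actions = set()
    if "missing" in findings:
        actions |= {"quarantine", "notify_user", "notify_it"}
    if "compromised" in findings or "emm_app_removed" in findings:
        actions |= {"quarantine", "notify_it"}
    if "out_of_date_policy" in findings:
        actions |= {"repush_policy", "notify_it"}
    if "pin_removed" in findings or "sideload_exposure" in findings:
        actions |= {"notify_user"}
    return actions


def company_incident_share(devices, now=NOW):
    """Percent of companies with at least one device showing each incident."""
    companies = {d["company"] for d in devices}
    affected = defaultdict(set)
    for d in devices:
        for f in evaluate_device(d, now):
            affected[f].add(d["company"])
    return {inc: round(100 * len(affected[inc]) / len(companies)) for inc in INCIDENTS}


def share_by_country(devices, incident, now=NOW):
    """Per-country percent of companies with the incident (the report's DE/ES view)."""
    companies, affected = defaultdict(set), defaultdict(set)
    for d in devices:
        companies[d["country"]].add(d["company"])
        if incident in evaluate_device(d, now):
            affected[d["country"]].add(d["company"])
    return {c: round(100 * len(affected[c]) / len(companies[c])) for c in companies}


if __name__ == "__main__":
    for d in DEVICES:
        f = evaluate_device(d)
        print(d["company"], f, sorted(enforcement_actions(f)))
    print(company_incident_share(DEVICES))
    print(share_by_country(DEVICES, "missing"))
```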