Exactly the Same, but Different
Shayne Champion, CISSP, CISA, GSEC, ABCP
Program Manager, GO Cyber Security, TVA
Agenda
• Define Mobile Device Security
  – Similarities
  – Differences
Mobile Device Security
“There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.”
Mobile Device vs. Computers: Similarities
Definitions: Level Setting
Com·put·er [kuhm-pyoo-ter]: An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these operations.
Mo·bile De·vice [moh-buhl dih-vahys]: A portable, wireless computing device that is small enough to be used while held in the hand; a hand-held.
NEWS FLASH: Mobile Devices ARE Computers!!!
…and we can do something about that, can’t we?
Sources: http://nordhaus.econ.yale.edu/prog_030402_all.pdf; http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2; http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/
Same Kind of Different…
Same kind of security controls you *should* use anyway:
• Encryption
• NAC (Network Access Control)
• DLP (Data Loss Prevention)
• AV / Malware
• Inventory Management
• Controlled Admin Privileges
Similarity: Order of Magnitude
Risk from an OSI perspective:
• Most risk shifting to applications
• Lower-level layers becoming relatively more ‘tame’
Source: http://www.sans.org/top-cyber-security-risks/trends.php
Define: Metadata
Metadata: Data that defines or describes another piece of data.
Metadata may reveal more about you, your organization, or your devices than you realize. Many devices, such as your computer, camera, or smart phone, automatically embed metadata in any digital files they create.
Metadata
Some examples of metadata include:
• File creation date and time
• The address or geographic location where the file was created
• Your name, organization’s name, and computer’s name or IP address
• The names of any contributors to the document or their comments
• Type of camera you are using and its settings when the photo was taken
• Type of audio or video recording device you are using and its settings when a recording was taken
• Make, model, and service provider of your smart phone
Metadata Solutions
Metadata Tools:
• Document Inspector: http://preview.tinyurl.com/3996c2a
• EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc
• Free Metadata Extraction Tool: http://meta-extractor.sourceforge.net or http://preview.tinyurl.com/aueb4
• Disabling Geo-location for Smartphone Cameras: http://preview.tinyurl.com/3v4xznm
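Worked example (added here; it is not from the slides or from any of the tools listed above): a short Python script that walks a JPEG’s marker segments, decodes the EXIF GPS IFD that a smartphone camera writes into every photo, and strips the APPn/COM metadata segments before the file leaves the organization. The JPEG it operates on is built in code so the script runs offline; the coordinates are constructed sample values, not a real photo.

```python
# Added example, not from the slides: find, decode and strip the EXIF GPS
# metadata a smartphone camera embeds in a JPEG. The JPEG is constructed in
# code (it is not a real photo) so the script runs offline.
import struct

SOI, EOI, SOS, APP1, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1, 0xFFFE
GPS_IFD_POINTER = 0x8825           # IFD0 tag that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def _rationals(deg, minutes, seconds):
    """Three EXIF RATIONAL values (numerator/denominator pairs) for D/M/S."""
    return struct.pack(">6I", deg, 1, minutes, 1, round(seconds * 100), 100)


def build_sample_jpeg(lat=(35, 2, 27.3, b"N"), lon=(85, 18, 21.6, b"W")):
    """Constructed sample: SOI, one EXIF APP1 segment (big-endian TIFF whose
    IFD0 points at a GPS IFD), a dummy scan, EOI. Real cameras write the same
    layout plus dozens more tags (model, timestamp, serial number, ...)."""
    ifd0_off = 8                          # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4       # IFD0: one entry plus next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD: four entries plus link
    ifd0 = struct.pack(">HHHII", 1, GPS_IFD_POINTER, 4, 1, gps_off)  # LONG, count 1
    ifd0 += struct.pack(">I", 0)                                     # no IFD1
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat[3] + b"\0\0\0"  # ASCII "N\0" inline
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, data_off)               # 3 RATIONAL by offset
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon[3] + b"\0\0\0"
    gps += struct.pack(">HHII", GPS_LON, 5, 3, data_off + 24)
    gps += struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps
    tiff += _rationals(*lat[:3]) + _rationals(*lon[:3])
    payload = b"Exif\0\0" + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    scan = struct.pack(">HH", SOS, 2) + b"\x00" * 8   # stand-in for entropy-coded data
    return struct.pack(">H", SOI) + app1 + scan + struct.pack(">H", EOI)


def segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    if jpeg[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == EOI:
            break
        yield marker, pos, pos + 2 + length
        if marker == SOS:              # after SOS comes image data, not segments
            break
        pos += 2 + length


def exif_gps(jpeg):
    """Decimal (lat, lon) from the EXIF GPS IFD, or None if the file has none."""
    for marker, start, end in segments(jpeg):
        if marker != APP1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        bo = ">" if tiff[:2] == b"MM" else "<"                # TIFF byte order
        u16 = lambda o: struct.unpack(bo + "H", tiff[o:o + 2])[0]
        u32 = lambda o: struct.unpack(bo + "I", tiff[o:o + 4])[0]

        def entries(ifd):
            for i in range(u16(ifd)):
                ent = ifd + 2 + 12 * i
                yield u16(ent), u16(ent + 2), u32(ent + 4), ent + 8  # tag, type, count, value field

        gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == GPS_IFD_POINTER), None)
        if gps_ifd is None:
            return None
        fields = {}
        for tag, typ, count, v in entries(gps_ifd):
            if typ == 2:                                  # ASCII (<=4 bytes, stored inline)
                fields[tag] = tiff[v:v + count].rstrip(b"\0").decode()
            elif typ == 5:                                # RATIONAL pairs at the pointed offset
                off = u32(v)
                fields[tag] = [u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(count)]
        if not all(t in fields for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None

        def decimal(vals, ref):
            d = vals[0] + vals[1] / 60 + vals[2] / 3600
            return -d if ref in ("S", "W") else d

        return decimal(fields[GPS_LAT], fields[GPS_LAT_REF]), decimal(fields[GPS_LON], fields[GPS_LON_REF])
    return None


def strip_metadata(jpeg):
    """Drop APP1..APP15 (EXIF, XMP, IPTC/Photoshop) and COM segments; keep
    APP0 (JFIF) and everything the decoder needs to render the image."""
    out = bytearray(jpeg[:2])
    for marker, start, end in segments(jpeg):
        if marker == SOS:
            out += jpeg[start:]                           # scan and the rest of the file unchanged
            break
        if APP1 <= marker <= 0xFFEF or marker == COM:
            continue
        out += jpeg[start:end]
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS in sample:", exif_gps(photo))
    clean = strip_metadata(photo)
    print("after strip:", exif_gps(clean), len(photo), "->", len(clean), "bytes")
```

Run it on a real photo by replacing build_sample_jpeg() with open(path, "rb").read(); the stripper keeps the image decodable while removing the location, device model and timestamp tags listed on the previous slide. It deliberately does not try to edit the EXIF in place: dropping the whole segment is the only way to be sure nothing (maker notes, thumbnails with their own EXIF) survives.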
Unsecured WAP – Sidejack Math
• Sidejacking – A well-known Wi-Fi hotspot attack that takes advantage of websites that don’t use SSL/TLS encryption correctly: the attacker captures the legitimate user’s session cookie off the air and replays it in the attacker’s own session (session hijacking). The classic target is a site that protects the login page with HTTPS but then sends the session cookie in the clear on every other page.
• Firesheep – A Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. Its packet sniffer watches the traffic between the Wi-Fi router and a person’s laptop or smartphone, captures the session cookie, and presents the hijacked session as a clickable entry (“point-and-click” sidejacking).
Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
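Added example (not from the slides, and not Firesheep’s own code): a few lines of Python that show both halves of the “sidejack math”. harvest_cookies() is what a sniffer on an open hotspot gets from cleartext HTTP requests; audit_set_cookie() and audit_response() are the check to run against your own site, comparing the weak Set-Cookie header with the corrected one. The captured requests and the response headers are constructed for the example.

```python
# Added example, not from the slides: what a Firesheep-style sniffer harvests
# from cleartext traffic on an open hotspot, and the Set-Cookie / HSTS audit
# that tells you whether your own site would be a target. All requests and
# headers below are constructed for the example.

# Constructed capture: two HTTP requests seen in the clear on an open WAP.
SAMPLE_CAPTURE = [
    "GET /feed HTTP/1.1\r\nHost: social.example\r\nCookie: sid=ab12cd34; lang=en\r\n\r\n",
    "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
]

# Constructed Set-Cookie headers: the weak setting beside the corrected one.
WEAK_SET_COOKIE = "sid=ab12cd34; Path=/"
FIXED_SET_COOKIE = "sid=ab12cd34; Path=/; Secure; HttpOnly"

WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: " + WEAK_SET_COOKIE +
                 "\r\nContent-Type: text/html\r\n\r\n")
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: " + FIXED_SET_COOKIE +
                  "\r\nStrict-Transport-Security: max-age=31536000"
                  "\r\nContent-Type: text/html\r\n\r\n")


def _headers(block):
    """Parse the 'Name: value' lines after the request/status line into a dict."""
    lines = block.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in lines if ":" in ln)}


def harvest_cookies(capture):
    """Host -> Cookie header for every cleartext request that carried one.
    This is all a sidejacker needs: replaying the cookie *is* the login."""
    found = {}
    for raw in capture:
        h = _headers(raw)
        if "cookie" in h:
            found[h.get("host", "?")] = h["cookie"]
    return found


def audit_set_cookie(header):
    """(name, findings) for one Set-Cookie value; no findings means the
    cookie is never sent over plain http:// and is not script-readable."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: the browser also sends it over http://, "
                        "where a hotspot sniffer reads it")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: page script can read it, so an XSS "
                        "exfiltrates the session")
    return name, findings


def audit_response(response_head):
    """Audit a whole response: every Set-Cookie plus the HSTS header that keeps
    the first request (a user typing the bare hostname) from going out as http://."""
    report, hsts = {}, False
    for ln in response_head.split("\r\n")[1:]:
        k, _, v = ln.partition(":")
        k = k.strip().lower()
        if k == "set-cookie":
            name, findings = audit_set_cookie(v.strip())
            report[name] = findings
        elif k == "strict-transport-security":
            hsts = True
    if not hsts:
        report["(hsts)"] = ["no Strict-Transport-Security: the first request can "
                            "still go out in the clear and be sidejacked or downgraded"]
    return report


if __name__ == "__main__":
    print("harvested:", harvest_cookies(SAMPLE_CAPTURE))
    print("weak:", audit_response(WEAK_RESPONSE))
    print("fixed:", audit_response(FIXED_RESPONSE))
```

The Secure flag alone does not finish the job: a site that still serves any page over plain HTTP forces the browser to choose between a broken page and a leaked cookie, which is exactly the situation Firesheep exploits. The fix that closes the gap is HTTPS everywhere plus Strict-Transport-Security, which is why audit_response() reports the missing HSTS header as a finding of its own.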
Mobile Device vs. Computers: Differences
Risk Remediation
Mobile Device risks are the same as many of the risks we already face every day. For example…
Difference 1: BYOD
How do you handle user-owned devices?
• Applications
• Data Ownership
• Encryption
NetworkWorld BYOD Survey:
• 65.3% said the necessary tools are not in place
• 46.2% reported increased end user productivity
• 5.7% said it led to a breach, while 66.7% said it did not
• 47.2% reported increased end users’ ability to work from home
Sources: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012; http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3
Difference 2: SMS
SMS: Short Message Service, or text messages
Common Vulnerabilities:
1) SMS of Death
2) Midnight Raid Business Card Attack
3) SMS Tokens (one-time codes delivered by text, which are only as safe as the handset and the carrier path they travel)
4) Smishing Attacks (phishing delivered by SMS)
Sources: http://www.infosecisland.com/blogview/12656-The-SMS-of-Death-Mobile-Phone-Attack-Explained.html; http://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-
SANS Survey: Platform Support
Each platform – even within the same OS – has unique characteristics, default settings, and/or vulnerabilities:
• PIN settings
  – Service Carrier
  – Like default passwords on routers or admin accounts
• iPhone / iPad batteries
Scope: Android Fragmentation
• 281+ different products
• 850,000 daily activations
• 300,000,000+ total devices
Sources: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf; http://en.wikipedia.org/wiki/Comparison_of_Android_devices
Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes, so an attacker who gets ten guesses before lockout opens roughly one phone in seven with this list alone:
1) 1234
2) 0000
3) 2580
4) 1111
5) 5555
6) 5683 (spells ‘LOVE’)
7) 0852
8) 2222
9) 1212
10) 1998
Other popular choices include year of birth.
Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011; http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533
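Added example (not from the slides): a Python lock-PIN policy check of the kind an MDM profile or enrollment portal should enforce. COMMON_PINS is the slide’s top-ten list; the pattern rules (one digit repeated, digit runs, straight swipes on the keypad, repeated pairs, plausible birth years) and the keypad layout are the example’s own, and the cut-off year is passed in so the check is reproducible. Note that 2580 and 0852 are not random-looking at all: they are the middle column of the keypad, top to bottom and bottom to top.

```python
# Added example, not from the slides: a lock-PIN policy check that rejects the
# ten PINs on the slide and the patterns behind them. COMMON_PINS is the
# slide's list; everything else is the example's own logic.
import datetime

COMMON_PINS = {"1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"}

# Row/column of each key on a standard 3x4 phone keypad (0 sits under the 8).
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def _is_keypad_line(pin):
    """True when every step between consecutive keys is the same (row, col)
    move, i.e. the PIN is a straight swipe such as 2580 or 0852."""
    pos = [KEYPAD[d] for d in pin]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pos, pos[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def pin_findings(pin, year=None):
    """List the reasons a 4-digit lock PIN is weak; an empty list means it passes.
    `year` is the upper bound for the birth-year rule (defaults to today)."""
    year = year or datetime.date.today().year
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    findings = []
    if pin in COMMON_PINS:
        findings.append("in the top-10 list (15% of all phones)")
    if len(set(pin)) == 1:
        findings.append("one digit repeated")
    digits = [int(d) for d in pin]
    diffs = {b - a for a, b in zip(digits, digits[1:])}
    if len(diffs) == 1 and diffs != {0}:
        findings.append("arithmetic run (e.g. 1234, 4321, 2468)")
    if _is_keypad_line(pin):
        findings.append("straight line on the keypad")
    if pin[:2] == pin[2:]:
        findings.append("repeated pair (e.g. 1212)")
    if 1900 <= int(pin) <= year:
        findings.append("looks like a year of birth")
    return findings


def is_acceptable_pin(pin, year=None):
    """Policy decision: accept only PINs with no findings."""
    return not pin_findings(pin, year)


if __name__ == "__main__":
    for candidate in ("1234", "2580", "1998", "0000", "7394"):
        print(candidate, pin_findings(candidate, year=2012) or "OK")
```

The check is cheap enough to run at enrollment and again whenever the user changes the PIN; pair it with the lockout/wipe setting so that the ten guesses an attacker does get are spent on PINs this check never allowed. It does not try to reject every dictionary word typed on the keypad (5683 is caught only because it is on the list); a longer alphanumeric passcode is the real answer for devices that hold sensitive data.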
PIN Code >>> Data Loss
CASE STUDY: VERIZON WIRELESS Corporate Support Web Page
How do I access my Voice Mail to retrieve messages?
• To access your Voice Mail, press "*VM" (*86), then "SEND." Follow the prompts to enter your password and retrieve your messages. If you press "*VM" (*86) and hear your own or a system greeting, press the # key to interrupt the greeting and follow the prompts to enter your password and retrieve your messages.
The only secret standing between an outsider and those messages is the voice-mail password, which for many users is one of the ten PINs on the previous slide.
Difference 4: Caller ID / ANI
ANI: Automatic Number Identification (NAC for cell phones)
Masquerading as the target cell number, threat actors may be able to steal unsecured data. Possible vectors include:
• VXML
• Social Engineering
• Orange Box Spoofing
Sources: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3F; http://www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=44055
Social Engineering: Telco
Social Hack Scenario:
You pick up the phone; at the dial tone, call 10102880
AT&T Automated Operator: "AT&T, to place a call…"
Enter 800-646-0000
AT&T Automated Operator: "Thank you for using AT&T" <RING>
Telus: "This is the Telus operator, Lisa speaking." (or, "This is the Telus operator, what number are you calling from?")
You: "Hi Lisa, this is the Telus technician, you should see an ANI failure on your screen, I'm calling from [number to spoof]. I need you to place a test call to [number to call]."
Telus: "Thank you from Telus"
Threat Actors
The APT in action…
Application Vulnerabilities
• Native to many mobile OS (smart phone & tablet)
• Mobile Device Management (MDM)
• Default permissions may be invasive, e.g., the iOS location cache (consolidated.db) stored a log of visited geo-locations
• Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Mobile
Source: http://en.wikipedia.org/wiki/Mobile_device_management
“Application security is the next big trend in penetration testing… which means it’s already the big trend for hackers.”
Lessons Learned
Top 5 from the 2012 SANS Mobile Device Security Summit
1) Jailbreaking & rooting are BAD for mobile device security
2) The OWASP Mobile Top 10 is going to be just as important as the web Top 10
3) Mobile threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology
4) Mobile Device Management (MDM) solutions are a requirement for any deployment
5) Apple iOS devices are preferred over Android in the enterprise
Mike Jones, Symantec
Things You Should Be Doing
“For many professionals, the mobile phone has become a mobile office.”
Control Starts at the Policy
Mobile Policy Best Practices
• Think from a threat controls perspective:
  – Consider capabilities of mobile devices and apps in your environment
  – Identify threat vectors & mitigate
  – Identify non-technically enforceable controls and address with administrative policies & awareness
• Assess how mobile devices are already managed
• Use existing policies as a guideline
• Consider how to test successful control implementation
2012 Top 5 Mobile Security Threats
1) Geolocation exploits
2) Excessive Permissions
3) Mobile Application Vulnerabilities
4) Unsecure Wi-Fi
5) Lost and Stolen Devices
Mobile Risk Management Tools
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
Protecting the Mobile Executive
Considerations for your Mobile Policy / Best Practices:
• USER EDUCATION
• Physical Security
• Leave it at Home
  – Clean loaner devices
  – Prepaid cellular devices
  – Blank SIM cards
  – * + Google Voice
• Fear Public Wireless
  – Use conference WAPs
  – Corporate VPNs
• 2G = No E! (a handset forced down to 2G GSM gets weak or no air-interface encryption)
• Don’t Blab
Source: http://threatpost.com/en_us/slideshow/How%20to%20Avoid%20Getting%20Hacked%20While%20Traveling?page=0
It’s About the Basics
Verizon Business 2011 Data Breach Investigations Report (DBIR)
Analysis of 2011 attacks determined that:
• 83% were targets of opportunity
• 92% were not highly difficult
• 95% were avoidable through simple or intermediate controls
SANS Top 20 Controls (v 3.1):
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers
4: Continuous Vulnerability Assessment & Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Security Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response Capability
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
Summary
• Mobile Devices vs. Computers
  – Similarities (yes Forrest, they are computers)
  – Differences: SMS; native metadata; hardware / carrier issues (PINs, etc.); sidejacking; application vulnerabilities
• Things you should be doing
  – Policies
  – User Education
  – Protect the Execs
New Mobile Security Tools
Android Security: If you need to ask, you don’t need to know. Really.
Keeping ahead of the Technology Curve…