1 Exactly the Same, but Different Shayne Champion, CISSP, CISA, GSEC, ABCP Program Manager GO Cyber Security TVA v 1.0
1
Exactly the Same, but Different
Shayne Champion, CISSP, CISA, GSEC, ABCP
Program ManagerGO Cyber SecurityTVA
v 1.0
2
Agenda
� Define Mobile Device Security
o Similarities
o Differences
� Things you Should be Doing
3
Mobile Device Security
“There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.”Denise Culver, Heavy Reading Mobile Networks Insider
4
Mobile Device vs. Computers:SIMILARITIES
5
Definitions: Level Setting
Com·put·er [kuhm-pyoo-ter] : An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these operations.
Mo·bile De·vice [moh-buhl dih-vahys] :A portable, wireless computing device that is small enough to be used while held in the hand; a hand-held.
Source: http://dictionary.reference.com/browse/computer
6
7
NEWS FLASH:
MobileDevices
AREComputers!!!
Sources: http://nordhaus.econ.yale.edu/prog_030402_all.pdf http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/
…and we can do something about that, can’t we?
8
Same Kind of Different…
Same kind of security controls you *should* use anyway:� Encryption� NAC� DLP� AV / Malware� Inventory Management� Controlled Admin Privileges� Port & Service Management
9
Similarity: Order of Magnitude
Risk from an OSI perspective:
� Most risk shifting to applications
� Lower-level layers becoming relativelymore ‘tame’
Source: http://www.sans.org/top-cyber-security-risks/trends.php
10
Define: Metadata
Metadata : Data that defines or describes another piece of data.
Metadata may reveal more about you, your organization, or your devices than you realize. Many devices, such as your computer, camera, or smart phone, automatically embed metadata in any digital files they create.
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
11
Metadata
Some examples of metadata include:� File creation date and time� The address or geographic location where the file was created� Your name, organization’s name, and computer’s name or IP address� The names of any contributors to the document or their comments� Type of camera you are using and its settings when the photo was
taken� Type of audio or video recording device you are using and its settings
when a recording was taken� Make, model, and service provider of your smart phone
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
12
Metadata Solutions
Metadata Tools:
� Document Inspector : http://preview.tinyurl.com/3996c2a
� EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc
� Free Metadata Extraction Tool: http://meta-extractor.sourceforge.netor http://preview.tinyurl.com/aueb4
� Disabling Geo-location for Smartphone Camerashttp://preview.tinyurl.com/3v4xznm
Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf
* ( + )=
13
Unsecured WAP – Sidejack Math
� Sidejacking - A well-known Wi-Fi hotspot attack that takes advantage of websites that don’t use SSL/TLS encryption correctly by pirating the legitimate user’s cookies and using those in the attacker’s session (session hijacking)
� Firesheep – A Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer analyzes traffic between a Wi-Fi router and a person’s laptop or smartphone and captures the session cookie ("point-and-click" sidejacking)
Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012http://searchnetworking.techtarget.com/answer/Be-aware-of-Wi-Fi-security-to-deal-with-Firesheep-at-public-hotspots
14
Mobile Device vs. Computers:DIFFERENCES
15
Risk Remediation
Mobile Device risks are the same as many of the risks we already face everyday. For example…
Source: http://www.youtube.com/watch?v=I4_qg22Onak&feature=related
16
Difference 1: BYOD
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012 http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3
How do you handle user-owned devices?� Applications� Data Ownership� Encryption
NetworkWorld BYOD Survey:65.3% necessary tools not in place46.2% increased end user productivity5.7% said it lead to breech, while 66.7% said no 47.2% increased end users' ability to work from home
SANS Survey:
17
Difference 2: SMS
SMS: Short Messaging Service, or text messages
Common Vulnerabilities:
1) SMS of Death2) Midnight Raid Business Card Attack3) SMS Tokens4) Smishing Attacks
Source: http://www.infosecisland.com/blogview/12656-The-SMS-of-Death-Mobile-Phone-Attack-Explained.htmlhttp://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-
18
SANS Survey: Platform Support
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
19
SANS Survey: Platform Support
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
20
Each platform – even within the same OS – have unique characteristics, default settings, and/or vulnerabilities:
� PIN settings– Service Carrier– Like default passwords on
routers or admin accounts� iPhone / iPad batteries
Scope: Android Fragmentation� 281+ different products� 850,000 daily activations� 300,000,000+ total devices
Sources: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdfhttp://en.wikipedia.org/wiki/Comparison_of_Android_devices
Difference 3: Hardware / Carrier
21
Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes
Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/.Retrieved 8 July 2011.
http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533
22
Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes:
1) 12342) 00003) 25804) 11115) 5555
Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.
http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533
6) 5683 (spells 'LOVE')7) 08528) 22229) 121210) 1998
Other popular choices include Year of birth & Year of graduation (social triangulation!).
23
PIN Code >>> Data Loss
CASE STUDY: VERIZON WIRELESS
Corporate Support Web Page
How do I access my Voice Mail to retrieve messages?� To access your Voice Mail, press "*VM" (*86), then "SEND." Follow
the prompts to enter your password and retrieve your messages. If you press "*VM" (*86) and hear your own or a system greeting, press the # key to interrupt the greeting and follow the prompts to enter your password and retrieve your messages.
Source: http://support.verizonwireless.com/clc/faqs/Features and Optional Services/faq_voice_mail.html
24
Difference 4: Caller ID / ANI
ANI : Automatic Number Identification (NAC for cell phones)
Masquerading as the target cell number, threat actors may be able to steal unsecured data. Possible vectors include:
� VXML� Social Engineering� Orange Box Spoofing
Sources: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3Fhttp://www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=44055
25
Social Engineering: Telco
Social Hack Scenario:You pick up the phone, at the dial tone call 10102880
AT&T Automated Operator: "AT&T,�to�place�a�call…"�Enter 800-646-0000
AT&T Automated Operator: "Thank�you�for�using�AT&T"�<RING>�
Telus: This�is�the�Telus�operator,�Lisa�speaking.�(or,�This�is�the�Telus�operator,�what�number�are�you�calling�from?)�
You: Hi�Lisa,�This�is�the�Telus�technician,�you�should�see�an�ANI�failure�on�your�screen,�I'm�calling�from�[number to spoof] I�need�you�to�place�a�test�call�to�[number to call]
Telus: Thank�you�from�Telus�
Source: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3F
26
Threat Actors
The APT in action…
Source: http://www.youtube.com/watch?v=ETMkub3NwK0
27
Application Vulnerabilities
� Native to many mobile OS (smart phone & tablet)Mobile Device Management (MDM)
� Default Permissions may be invasivee.g., Apple log file stores all visited geo-locations
� Open Web Application Security Consortium (OWASP)https://www.owasp.org/index.php/Mobile
Source: http://en.wikipedia.org/wiki/Mobile_device_management
“Application security is the next big trend in penetration testing… which means it’s already the big trend for hackers.”Joe McCray, Strategic Security LLC
28
Lessons Learned
Top 5 from the 2012 SANS Mobile Device Security Summit
1) Jailbreaking & Rooting is BAD for mobile device security
2) The OWASP Mobile Top 10 is going to be just as important
3) Mobile Threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology
4) Mobile Device Management (MDM) solutions are a requirement for any deployment
5) Apple iOS devices are preferred over Android in the enterprise
Source: http://www.infosecisland.com/blogview/20752-Top-5-Things-Learned-at-the-SANS-Mobile-Device-Security-Conference
Mike Jones, Symantec
29
Things You Should Be Doing
“For many professionals, the mobile phone has become a mobile office.”
Mike Jones, Symantec
30
Control Starts at the Policy
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
31
Mobile Policy Best Practices
� Think from a threat controls perspective:
o Consider capabilities of mobile devices and apps in your environment
o Identify threat vectors & mitigate
o Identify non-technically enforceable controls and address with administrative policies & awareness
� Assess how mobile devices are already managed
� Use existing policies as a guideline
� Consider how to test successful control implementation
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
32
2012 Top 5 Mobile Security Threats
1) Geolocation exploits2) Excessive Permissions3) Mobile Application Vulnerabilities4) Unsecure Wi-Fi5) Lost and Stolen Devices
Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012
33
Mobile Risk Management Tools
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
34
Protecting the Mobile Executive
Considerations for your Mobile Policy / Best Practices:
� USER EDUCATION
� Physical Security
� Leave it at Home– Clean Loaner Devices– Prepaid Cellular devices– Blank SIM cards– * + Google Voice
Source: http://threatpost.com/en_us/slideshow/How%20to%20Avoid%20Getting%20Hacked%20While%20Traveling?page=0
� Fear Public Wireless– Use Conference WAPs– Corporate VPNs
� 2G = No E!
� Don’t Blab
35
Its About the Basics
Verizon Business 2011 Data Breach Investigations Report (DBIR)
Analysis of 2011 attacks determined that:
� 83% were targets of opportunity
� 92% were not highly difficult
� 95% were avoidable through simple or intermediate controls
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
SANS Top 20 Controls (v 3.1)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers
4: Continuous Vulnerability Assessment & Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps36
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Security Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response Capability
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
37
Summary
� Mobile Devices vs. Computerso Similarities (yes Forrest, they are computers)
o Differences� SMS� Native Metadata� Hardware / Carrier Issues (PINs, etc)� Sidejacking� Application Vulnerabilities
� Things you Should be Doingo Policieso User Educationo Protect the Execso SANS Top 20 <-> Top 5 Mobile
38
Questions
39
New Mobile Security Tools
“Bleeding Edge” Mobile Security Solutions
40
New Mobile Security Tools
Can you hear me NOW, punk?!?
41
New Mobile Security Tools
AndroidSecurity
If you need to ask, you don’t need to know.
Really.
Source:http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto
42
New Mobile Security Tools
Sometimes Simple Security = Great Solutions…
43
New Mobile Security Tools
Hot from the UK: Less Mobile = Harder to Steal
44
New Mobile Security Tools
Old School Tech
45
New Mobile Security Tools
Keeping ahead of the Technology Curve…
Source:http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto