Lookout: Securing Mobility
Tim LeMaster | John Cuddehe
August 2018
"The views expressed in this presentation are those of the author(s) and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the U.S. Government."
Your users are going mobile.
Starbucks is your fall-back Wi-Fi.
Your mobile device is a gold mine for hackers
- ENTERPRISE EMAIL
- ENTERPRISE NETWORK: VPN, WiFi
- ENTERPRISE APPS: SaaS, Custom Apps
- CREDENTIALS: Stored, Soft Tokens
- PHOTO ALBUM: Whiteboard Screenshots, IDs
- SENSORS: GPS, Microphone, Camera
Lookout 2017 | Confidential and Proprietary
RISK MATRIX (rows: PC, MOBILE; columns: DEVICE, NETWORK, WEB & CONTENT)

PC
  DEVICE: Selected, purchased, and managed by organization
    - Administered by IT
    - Managed by SCCM
    - OS version control
    - OS integrity monitoring
    - Behavioral monitoring
  NETWORK: LAN / corporate Wi-Fi; VPN when traveling
    - On device firewalls
    - Perimeter firewall
    - TIC
  WEB & CONTENT: Filtered at organizational perimeter
    - Secure Web Gateways

MOBILE
  DEVICE: Selected, purchased, and managed by user*
  NETWORK: Always on cellular; user selected Wi-Fi
  WEB & CONTENT: Often unfiltered
    - Malformed content that triggers OS or app vulnerabilities
    - Opening attachments and visiting links to potentially unsafe content
Select Android Threats Discovered Over The Last 12 Months
(timeline on slide: April 2017, May 2017, December 2017, January 2018, February 2018, June 2018)

746 Lookout-discovered threats in the Google Play Store (2017)
= Discovered by Lookout in Play Store and subsequently removed by Google.

50 out of 1000 devices encounter app-based threats
100 in 1000 devices encounter a phishing URL every year
5 in 1000 enterprise devices have been rooted

AppInsite: Mobile malware that opens tunnels through enterprise firewalls. Sleeps while the app is in use to evade detection. Up to 1 million downloads.
Igexin: Malware that spies on victims through otherwise benign apps by downloading malicious plugins. Over 500 apps available on Google Play used the Igexin ad SDK.
PickBitPocket: Apps in Play that pretended to be Bitcoin wallet apps. Tricks users into sending the attacker's wallet address, not their own, to the payer.
skyGoFree: Sophisticated Android spyware created by an Italian company for targeted surveillance.
Pallas (January 2018): Android-based mAPT used in the Dark Caracal global espionage campaign against military personnel, enterprises, journalists, universities, and activists.
Monero Cryptomining: Drive-by cryptomining campaign targeting millions of Android users leveraging forced redirects and trojanized apps.
Sonvpay (June 2018): Android apps were "re-packaged" to secretly sign up for premium paid services in the background. Some apps are in Play.
iOS Security Highlights (2016 - 2018)
(timeline on slide: August 2016, September 2016, November 2016, March 2017, Jan 2018, June 2018)

Dribble - app that jailbreaks iPhone: Lookout discovered the Dribble client, which can jailbreak your iPhone, in the App Store. It appears that the app had been in the App Store since July 30th.
Fake retail apps in App Store: Fraudsters were able to get fake retail apps into the App Store. Victims were subject to ID and sensitive data theft, including credit card and home address details. In media reports, including Good Morning America, Lookout researchers provided advice to users.
Scareware demanding ransom: Lookout discovered a scareware campaign on iOS where attackers blocked use of Safari until the victim paid the attacker money in the form of an iTunes Gift Card.
Repackaged or modified "++" apps: Sideloaded repackaged or modified apps, such as Facebook++, Instagram+, YouTube++, and Line++. These modified apps can often include unknown or unvetted code, which has not passed Apple's review and could potentially be malicious.
= Discovered by Lookout.

8 in 1000 devices encountered a man-in-the-middle threat
110 in 1000 devices encountered a sideloaded app
29, on average, vulnerabilities disclosed each iOS update*
* Looking at all updates between iOS 9 and iOS 11

Trident Vulnerabilities*: Lookout discovered three zero-day vulnerabilities, one in Safari and two in the iOS kernel. Exploited by attackers to silently implant Pegasus surveillanceware.
Pegasus Surveillanceware*: The most sophisticated attack we've seen on any endpoint. A full take of data off the iOS device and the device's surroundings.
iOS 11.3.1 Jailbreak: iOS jailbreaks are always being sought and worth a lot of money. Apple closes them quickly when public.
Stealth Mango Capabilities
- ... history, installed apps, device information
  - Videos, Images, and Audio Files on ext storage
- Tracks device via GPS
- Very configurable - record more or less data
- Tries to upload databases of popular apps
  - Facebook, Skype, Instagram, Tinder, WhatsApp, etc.

Stealth Mango Data Exfiltration
Analysis of the EXIF metadata contained in stolen images found that many contained information identifying the make and model of the phone on which they were taken. While this doesn't definitively mean victims were using these makes and models, it is interesting to note that the majority are from iPhones.
Breakdown of the media types of exfiltrated content.
Stealth Mango Data Exfiltration - Samples
A redacted snippet of the original photo taken of exfiltrated image from the U.S. Central Command Afghan Assistant Minister of Defense.
Exfiltrated content was found to contain military photos including a series of images from an event with military attendees from numerous countries including U.S. Army personnel.
The full detailed report is available from https://blog.lookout.com/stealth-mango
How Do We Address the Threat?
Gartner Market Guide for Mobile Threat Defense Solutions
Source: Gartner Market Guide for Mobile Threat Defense Solutions, Dionisio Zumerle and John Girard, August 2017
The Gartner document is available upon request from Lookout. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Mobile malware is on the rise
“The signs are clear that mobile threats can no longer be ignored.”
“By 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today."
Lookout Mobile Endpoint Security - How It Works
(components shown on slide)
- Organizational Data
- LOOKOUT SECURITY CLOUD
- LOOKOUT CONSOLE
- SECURITY POLICY
- CONDITIONAL ACCESS
- INCIDENT RESPONSE
Lookout MES Solution (Capability: Features)

1. Malware and vulnerability detection
   - Automated analysis using machine learning
2. Risky/non-compliant application visibility
   - Data exfiltration
   - Sideload detection
   - Insecure data handling
   - Policy enforcement / Blacklisting
   - Enterprise application upload