Security gets Personal Sean Richmond, SOPHOS March 2013
Security gets Personal - SS · Image:NASA . Blackhole v2 . Blackhole deliveries August – September 2012 . ... IDC BYOD Survey Australia 2012 . Reality . unaware that smartphones
Page 1

Security gets Personal

Sean Richmond, SOPHOS

March 2013

Page 2

Oops!

Page 3

More oops!

Page 4

Targeted Oops!

Page 5

Reality

Page 6

Topics

• Overview: 2012 in review
• Specific threats: the year’s most widespread threats
• Predictions: what 2013 will bring

Page 7

2012 in review: Plus ça change …

• Faster adoption of exploits
• Web delivery still rules supreme
• More platforms attacked
• New moneymaking schemes

Page 8

Java

Page 9

Java

Page 10

Blackhole

Image:NASA

Page 11

Blackhole v2

Page 12

Blackhole deliveries August – September 2012

Page 13

Ransomware

Page 14

75% unique

Page 15

Polymorphism

3J-448481K3J-2443N4A4C-8293N4E3N-6464C1K4C-03J4A3P3N-04C1K3L4A

3J-948481K3J-5443N4A4C-4293N4E3N-4464C1K4C-23J4A3P3N-04C1K3L4A

3J-448481K3J-6443N4A4C-8293N4E3N-5464C1K4C-43J4A3P3N-74C1K3L4A


Page 16

Patchdays

Page 17

Moar Patching!

Page 18

Secure the post-PC world

Page 19

PASSWORDS!

If you’re responsible for password databases:

• Don’t ever store passwords in clear text.
• Always apply a randomly-generated salt to each password before hashing and encrypting it for storage.
• Don’t just hash your salted password once and store it. Hash multiple times to increase the complexity of testing each password during an attack. It’s best to use a recognized password crunching algorithm such as bcrypt, scrypt or PBKDF2.
• Compare your site’s potential vulnerabilities to the OWASP Top Ten security risks, especially potential password vulnerabilities associated with broken authentication and session management.
• Finally, protect your password database, network and servers with layered defenses.
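The salted, iterated hashing the slide recommends, as an added example that is not part of the Sophos deck: it uses PBKDF2-HMAC-SHA256 from Python’s standard library (the slide also names bcrypt and scrypt), a fresh random salt per password, a constant-time comparison on verification, and a check for records stored under an older, weaker work factor. The `pbkdf2_sha256$iterations$salt$digest` record layout is an assumption made for this example, not a standard format.

```python
# Added example (not from the Sophos deck): salted, iterated password
# hashing with PBKDF2-HMAC-SHA256 from the standard library.
# The record layout "pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>" is
# an assumption for this example, not a standard format.
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor: raise over time as hardware gets faster
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def _parse(record: str):
    """Split a record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record is malformed or below the current work factor."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def unsalted_sha256(password: str) -> str:
    """What the slide warns against: no salt and a single round, so equal
    passwords give equal hashes and precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

Call `needs_rehash` on a successful login and re-store the password with `hash_password` when it returns True, so legacy records migrate to the current work factor without a forced reset.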

Page 20

PASSWORDS!

Page 21

Secure the post-PC world

Page 22

Anatomy of a threat: Targeted information stealing

• Compromise the web server via SQL injection
  • Or spearphishing
  • Or follow up on a Trojan keylogger
• Break into the greater network
  • Install password crackers and remote administration tools
• Find and exfiltrate data
  • Credit card track data from point-of-sale systems
  • Confidential documents from executives’ PCs

Page 23

How are they stealing data?

SQL Injection attacks against web-accessible databases…

Page 24

Profiling a drive-by attack

• Entry point: hijacked trusted site with lots of potential victims
• Traffic Distribution: JavaScript or iframe redirects to a TDS to determine a suitable attack site
• Penetration: heavily obfuscated exploit toolkit looks for vulnerabilities
• Infection: exploits are downloaded and run (PDFs, scripts, Flash, etc.)
• Execution: download and execution of the malware payload

The multi-stage model derives from the economics and mechanics of the attack.

Page 25

Cloud exposure

Page 26

Secure Collaboration in the Cloud

File reader with password-protected access

Page 27

Passphrase access: smartphone screenshots with Sophos Mobile Encryption

• Enter passphrase
• Access file

Page 28

BYOD

Page 29

BYOD: The new IT challenge

New challenges for IT departments:

• Customers need tools to control devices
• Accessing the network
• User is the admin
• Many different apps
• Compliance & security
• Mixed ownership
• Device diversity
• Enterprise vs. personal apps
• IT productivity

Page 30

All work and no play

Smartphones and tablets add 2 hours to the working day

Page 31

The multi-device user

1.96 mobile devices used for work in 2012 (tablets, smartphones and mobile phones)

Source: iPass Mobile Workforce Report, 2012

Page 32

Stats ++

IDC BYOD Survey Australia 2012

Page 33

Reality

Page 34

Stats

unaware that smartphones can transmit confidential payment information such as credit card details without the user being prompted

65%

59%

do not use keypad locks or passwords

89%

worry more about security on their laptop or desktop PC

Page 35

Stats ++

Page 36

Stats ++

Page 37

Stats ++

Page 38

Stats ++

Page 39

Stats ++

Page 40

Stats ++

Page 41

Myth: No Malware for Phones

Page 42

The threats we’ve seen

• Physical theft
• Data exfiltration via rogue applications
• Ikee / Dutch Ransom
• Geinimi
• Droid Dream
• Zeus in the Mobile
• Vulnerabilities: OS, SMS, browser, applications
• Not just on Android!

Page 43

Old fashioned physical theft

• Boring... but perhaps the most common

• Smash and grab for $$$

• Targeted theft

• No password, full access!

Page 44

Ikee / Dutch Ransom

• Worm affecting jailbroken iPhones with default ssh passwords
• User: root
• Pass: alpine

Page 45

Droid Dream

• Real vs. fake security update

Page 46

Zeus in the Mobile

• Trick users into installing a “certificate update”
• Intercept banking-related SMS messages
• Seen on Symbian, Windows Mobile, and BlackBerry

Page 47

Myth?: Antivirus (iOS)

Page 48

Myth?: Antivirus (Android)

Page 49

Deeper dive: Sophos Mobile Security in SMC

• Enables IT-enforced malware protection
• If removed by user, access is blocked
• Adds protection from malicious websites
• Stops user from changing settings
• Allows IT full control of what is scanned and when
• Optional add-on license to SMC

Page 50

Sophos Mobile Security Management: scan results

Page 51

Sophos Mobile Security Management: compliance results

Page 52

Marketplaces: Apple

Introduction

We're pleased that you want to invest your talents and time to develop applications for iOS. It has been a rewarding experience - both professionally and financially - for tens of thousands of developers and we want to help you join this successful group. We have published our App Store Review Guidelines in the hope that they will help you steer clear of issues as you develop your app and speed you through the approval process when you submit it.

We view Apps different than books or songs, which we do not curate. If you want to criticize a religion, write a book. If you want to describe sex, write a book or a song, or create a medical app. It can get complicated, but we have decided to not allow certain kinds of content in the App Store. It may help to keep some of our broader themes in mind:

■ We have lots of kids downloading lots of apps, and parental controls don't work unless the parents set them up (many don't). So know that we're keeping an eye out for the kids.

■ We have over 350,000 apps in the App Store. We don't need any more Fart apps. If your app doesn't do something useful or provide some form of lasting entertainment, it may not be accepted.

■ If your App looks like it was cobbled together in a few days, or you're trying to get your first practice App into the store to impress your friends, please brace yourself for rejection. We have lots of serious developers who don't want their quality Apps to be surrounded by amateur hour...

Page 53

Marketplaces: Phishing(?)

Get the best PATTERN CODE Security System for less than your morning coffee!

Page 54

Marketplaces: Google

Android and Security
Thursday, February 2, 2012 | 12:03 PM
By Hiroshi Lockheimer, VP of Engineering, Android

...

Adding a new layer to Android security

Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back...

Page 55

Marketplaces: Google

Page 56

Marketplaces: Google

Page 57

Mobile threats

Page 58

2013

• “Irreversible” attacks
• Premium attack kits
• Better exploit mitigation

Page 59

Deeper dive: Self-service Portal

IT selects the features available to users. The portal can empower the user to:

• Register their own device/s
• Lock a device
• Reset their password
• Wipe a device
• Reconfigure their device
• Decommission a device
• See compliance violations

Reduces the burden for IT; ideal for BYOD environments.

Page 60

Page 61

Get Your Threat Report

www.sophos.com/threatreport

Page 62

Staying ahead of the curve

Feel free to contact me:

[email protected]

http://nakedsecurity.sophos.com