Security gets Personal Sean Richmond, SOPHOS March 2013
Topics
Overview • 2012 in review
Specific threats • The year’s most widespread threats
Predictions • What 2013 will bring
2012 in review: Plus ça change …
• Faster adoption of exploits
• Web delivery still rules supreme
• More platforms attacked
• New moneymaking schemes
• Polymorphism
Polymorphism
3J-448481K3J-2443N4A4C-8293N4E3N-6464C1K4C-03J4A3P3N-04C1K3L4A
3J-948481K3J-5443N4A4C-4293N4E3N-4464C1K4C-23J4A3P3N-04C1K3L4A
3J-448481K3J-6443N4A4C-8293N4E3N-5464C1K4C-43J4A3P3N-74C1K3L4A
[Slide visual: a number several hundred digits long ("100,000,000,…") shown beneath the three variant identifiers above]
PASSWORDS!
If you’re responsible for password databases:
• Don’t ever store passwords in clear text.
• Always apply a randomly-generated salt, unique to each password, before hashing it for storage. A per-user salt defeats precomputed (rainbow) tables and stops two users with the same password from producing the same stored hash.
• Don’t just hash your salted password once and store it. Iterate the hash many times so that every guess costs the attacker real CPU time during an offline attack. It’s best to use a recognized, deliberately slow password hashing algorithm such as bcrypt, scrypt or PBKDF2 rather than an ad-hoc loop around a fast hash.
• Compare your site’s potential vulnerabilities to the OWASP Top Ten security risks, especially the password vulnerabilities associated with broken authentication and session management.
• Finally, protect your password database, network and servers with layered defenses.
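The four storage rules above in working code. This is an added example, not Sophos code: it uses PBKDF2-HMAC-SHA256 from the Python standard library, a 16-byte random salt per password, a configurable iteration count, and a constant-time comparison on verification. The record format "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>", the iteration count and the helper names are assumptions chosen for this demo, not anything the slide prescribes. The unsalted SHA-1 function is included only to show the anti-pattern being warned against.

```python
"""Password storage as the slide recommends: per-user random salt, a slow
iterated KDF, constant-time verification. Added example (not Sophos code).
Record format and iteration count are assumptions for this demo."""
import hashlib
import hmac
import os
from typing import Optional

# The iteration count is the knob that makes each offline guess expensive.
# Raise it as hardware gets faster; needs_rehash() lets you migrate old records.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and cost, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses a lower cost than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < min_iterations


def unsalted_sha1(password: str) -> str:
    """The anti-pattern the slide warns against: one fast hash, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed demo: two users who happen to choose the same password.
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records differ  :", alice != bob)
    print("unsalted digests match :", unsalted_sha1(pw) == unsalted_sha1(pw))
    print("verify correct password:", verify_password(pw, alice))
    print("verify wrong password  :", verify_password("Correct horse battery staple", alice))
```

Verification re-reads the cost from the record, so raising ITERATIONS later does not break existing logins; check needs_rehash() at login time and re-store the password under the new cost while you still have the clear-text value in memory.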
Anatomy of a threat: Targeted information stealing
• Compromise the web server via SQL injection
  • Or spearphishing
  • Or follow up on a Trojan keylogger
• Break into the greater network
  • Install password crackers and remote administration tools
• Find and exfiltrate data
  • Credit card track data from point-of-sale systems
  • Confidential documents from executives’ PCs
Profiling a drive-by attack
• Entry point: hijacked trusted site with lots of potential victims
• Traffic distribution: JavaScript or iframe redirects to a TDS (traffic distribution system) to determine a suitable attack site
• Penetration: heavily obfuscated exploit toolkit looks for vulnerabilities
• Infection: exploits are downloaded and run (PDFs, scripts, Flash, etc.)
• Execution: download and execution of the malware payload
The multi-stage model derives from the economics and mechanics of the attack.
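The staged model above is also a hunting template: each stage leaves a request in the web proxy log, and the chain is what distinguishes a drive-by from ordinary browsing. The script below is an added example, not Sophos code, that walks a client's requests looking for the sequence entry page → cross-domain redirect with the trusted page as referer → exploit carrier (PDF, Flash, Java) from the off-site domain → executable payload, all inside a short window. The log format, the content-type sets, the 60-second window and the sample lines are constructed assumptions for the demo; real proxies need their own field mapping, and content-type alone will not catch every carrier (a hostile script is served as JavaScript like any other).

```python
"""Drive-by chain hunting over proxy logs, one check per stage of the
slide's model. Added example (not Sophos code); log format, thresholds and
sample traffic are constructed for the demo."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumed content types that mark the penetration and infection stages.
EXPLOIT_TYPES = {"application/pdf", "application/x-shockwave-flash",
                 "application/java-archive"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW_SECONDS = 60  # whole chain normally completes within seconds

# Constructed log (not real traffic). Tab-separated fields:
# time | client | status | content-type | url | referer ("-" if none)
SAMPLE_LOG = """\
2013-03-05T10:00:01\t10.1.1.5\t200\ttext/html\thttp://news.example.org/story.html\t-
2013-03-05T10:00:02\t10.1.1.5\t200\ttext/javascript\thttp://news.example.org/ads.js\thttp://news.example.org/story.html
2013-03-05T10:00:03\t10.1.1.5\t302\ttext/html\thttp://tds.example.net/in.cgi?3\thttp://news.example.org/story.html
2013-03-05T10:00:04\t10.1.1.5\t200\ttext/html\thttp://kit.example.com/index.php\thttp://tds.example.net/in.cgi?3
2013-03-05T10:00:05\t10.1.1.5\t200\tapplication/pdf\thttp://kit.example.com/doc.pdf\thttp://kit.example.com/index.php
2013-03-05T10:00:07\t10.1.1.5\t200\tapplication/x-msdownload\thttp://kit.example.com/load.exe\t-
2013-03-05T10:05:00\t10.1.1.9\t200\ttext/html\thttp://news.example.org/story.html\t-
2013-03-05T10:05:09\t10.1.1.9\t200\tapplication/pdf\thttp://news.example.org/report.pdf\thttp://news.example.org/story.html
2013-03-05T10:20:00\t10.1.1.9\t200\tapplication/x-msdownload\thttp://updates.example.org/setup.exe\t-
"""


def parse_log(text):
    """Turn the tab-separated sample format into dicts with parsed hosts."""
    rows = []
    for line in text.splitlines():
        t, client, status, ctype, url, ref = line.split("\t")
        rows.append({"time": datetime.fromisoformat(t), "client": client,
                     "status": int(status), "ctype": ctype, "url": url,
                     "host": urlparse(url).hostname,
                     "ref_host": urlparse(ref).hostname if ref != "-" else None})
    return rows


def find_driveby_chains(rows):
    """One finding per client whose requests walk entry -> redirect ->
    exploit -> payload, in order, inside WINDOW_SECONDS."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["time"])
        for i, entry in enumerate(reqs):
            # Stage 1, entry point: a top-level HTML page (no referer).
            if entry["ctype"] != "text/html" or entry["ref_host"] is not None:
                continue
            stages = {"entry": entry}
            for r in reqs[i + 1:]:
                if (r["time"] - entry["time"]).total_seconds() > WINDOW_SECONDS:
                    break
                off_site = r["host"] != entry["host"]
                # Stage 2, traffic distribution: the trusted page sends the
                # browser to another domain (referer is still the trusted page).
                if "redirect" not in stages:
                    if off_site and r["ref_host"] == entry["host"]:
                        stages["redirect"] = r
                # Stage 3, penetration: exploit carrier fetched off-site.
                elif "exploit" not in stages:
                    if off_site and r["ctype"] in EXPLOIT_TYPES:
                        stages["exploit"] = r
                # Stage 4, infection: an executable follows the exploit.
                elif r["ctype"] in PAYLOAD_TYPES:
                    stages["payload"] = r
                    break
            if len(stages) == 4:
                order = ("entry", "redirect", "exploit", "payload")
                findings.append({"client": client,
                                 "chain": [stages[k]["url"] for k in order]})
                break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], " -> ".join(f["chain"]))
```

In the sample, 10.1.1.5 completes all four stages and is reported; 10.1.1.9 reads a PDF from the same trusted site and downloads an installer fifteen minutes later, so neither the cross-domain redirect nor the time window matches and it is left alone. The same-site requirement is deliberate: the trusted entry point is hijacked, not malicious, so the signal is the hand-off to domains the victim never chose.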
BYOD: The new IT challenge
New challenges for IT departments:
• Customers need tools to control devices
• Accessing the network
• User is the admin
• Many different apps
• Compliance & security
• Mixed ownership
• Device diversity
• Enterprise vs. personal apps
• IT productivity
The multi-device user
• 1.96 mobile devices (tablets, smartphones and mobile phones) used for work in 2012 (iPass Mobile Workforce Report, 2012)
Stats
• 65% unaware that smartphones can transmit confidential payment information such as credit card details without the user being prompted
• 59% do not use keypad locks or passwords
• 89% worry more about security on their laptop or desktop PC
The threats we’ve seen • Physical theft
• Data exfiltration via rogue applications
• Ikee / Dutch Ransom
• Geinimi
• Droid Dream
• Zeus in the Mobile
• Vulnerabilities: OS, SMS, browser, Applications
• Not just on Android!
Old fashioned physical theft
• Boring... but perhaps the most common
• Smash and grab for $$$
• Targeted theft
• No password, full access!
Ikee / Dutch Ransom
• Worm affecting jailbroken iPhones with the default SSH password
  • User: root
  • Pass: alpine
Zeus in the Mobile
• Tricks users into installing a “certificate update”
• Intercepts banking-related SMS messages
• Seen on Symbian, Windows Mobile and BlackBerry
Deeper dive: Sophos Mobile Security in SMC
• Enables IT-enforced malware protection
• If removed by the user, access is blocked
• Adds protection from malicious websites
• Stops the user from changing settings
• Allows IT full control of what is scanned and when
• Optional add-on license to SMC
Marketplaces: Apple
Introduction
We're pleased that you want to invest your talents and time to develop applications for iOS. It has been a
rewarding experience - both professionally and financially - for tens of thousands of developers and we
want to help you join this successful group. We have published our App Store Review Guidelines in the
hope that they will help you steer clear of issues as you develop your app and speed you through the
approval process when you submit it.
We view Apps different than books or songs, which we do not curate. If you want to criticize a religion, write
a book. If you want to describe sex, write a book or a song, or create a medical app. It can get complicated,
but we have decided to not allow certain kinds of content in the App Store. It may help to keep some of our
broader themes in mind:
■We have lots of kids downloading lots of apps, and parental controls don't work unless the parents set
them up (many don't). So know that we're keeping an eye out for the kids.
■We have over 350,000 apps in the App Store. We don't need any more Fart apps. If your app doesn't do
something useful or provide some form of lasting entertainment, it may not be accepted.
■If your App looks like it was cobbled together in a few days, or you're trying to get your first practice App
into the store to impress your friends, please brace yourself for rejection. We have lots of serious
developers who don't want their quality Apps to be surrounded by amateur hour...
Marketplaces: Phishing(?)
Get the best PATTERN CODE Security System for less than your morning coffee!
Marketplaces: Google
Android and Security
Thursday, February 2, 2012 | 12:03 PM
By Hiroshi Lockheimer, VP of Engineering, Android
...
Adding a new layer to Android security
Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated
scanning of Android Market for potentially malicious software without disrupting the user experience of
Android Market or requiring developers to go through an application approval process.
The service performs a set of analyses on new applications, applications already in Android Market, and
developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts
analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application
might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We
actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android
device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent
malicious and repeat-offending developers from coming back...
Deeper dive: Self-service Portal
• IT selects features available to users
• Can empower the user to:
  • Register their own device(s)
  • Lock a device
  • Reset their password
  • Wipe a device
  • Reconfigure their device
  • Decommission a device
  • See compliance violations
• Reduces the burden on IT
• Ideal for BYOD environments
Staying ahead of the curve
Feel free to contact me:
http://nakedsecurity.sophos.com