Mobile Data Loss. Threats & Countermeasures. Michael T.Raggo, CISSP, NSA-IAM, ACE, CSI.

Transcription

1 Mobile Data Loss Threats & Countermeasures Michael T.Raggo, CISSP, NSA-IAM, ACE,

2 Mobile DataLoss Threat Vectors

3 Users have become the low hanging fruit Copyright 2000,2007Farworks, Inc. All Rights Reserved 3

4 Mobile Device Data Loss Vectors Spyware - Data harvested and sent to malicious User Data Leakage copy/paste, screenshot, open-in site, remotecnc Malware Protection when user is not on Corp Wi-Fi Jailbroken/rooted devices open device to network vulnerabilities leading to data exposure (Rogue AP, MITM, etc.) Steals/Leaks Data Hotspot 4

5 Wireless Network Security Concerns 1 Rogue AP Connected to Network Network Edge Blurred, New Attack NetworkBreach, Data Leakage, NetworkBackdoor Vectors Behind the Firewall Hacker Server INTRANET INTERNET Mobile Hotspot Device Evil Twin Desktop 3 Evil Twin AP DataLeakage, NetworkBackdoor Mobile User 2 Hotspot Phishing MITM, DataLeakage 5 Evil Twin

6 Man-in-the-Middle Attack Corporate Man-in-the-Middle Intruder Active Directory Mobile device Certs Evil Twin AP SSID =CoffeeShop Apps Content X Deauth/Disassociate Packet SSID =CoffeeShop Intruder perform a MITM attack capturing passwords, cookies, and possibly corporate data 6

7 Google s Skeleton Key Who: Craig Young atdefcon21 What: Using the Google token and cookies to authenticate and access a user s Google Drive, Calendar, etc. How: Google creates weblogin unique tokens to authenticate users on Google websites (hybrid of cookies) Created from the accounts they already have configured on their mobile devices Demonstrated a Rogue App (googlefinance app) that steals theseweblogintokens and sends them to the attacker (over an encrypted connection) <= RemoteCnC(command-and-control) The attacker then replays them in a web browser to impersonate the user and obtain access to Google Apps, Gmail, Drive, Calendar, Voice, and other Google services The Rogue App resided on Google Play for about a month before it was detected and taken down, and Google Play has since enhanced it s vetting and scanning of malicious apps submitted to the Google Play Store 7 7

8 Google s Skeleton Key How? UpdateCnCSite CnCSite 1. Attacker uploads malicious Google App to Google Play 5.CnCserver harvests and send commands to infected device 4.MalcodecontactsCnCserver on Internet 7.Hacker uses thewebloginsto login to the user s Dropper 2. Google App is a financial app and works as expected, but & Data includesmalcode 6. Commands are parsed by themalwareto obtain weblogins 3. Userinstalls App and unknowingly Victim 8 infects/roots their device Commands Google account and download user s files, data, etc.

9 Anatomy of Recent Retail Breach 1. Russian hacker 5. Hacker accesses FTP dump site and sellsblackposmalware for $2,300 downloads card data to later allowtransfer ondarknet. Attacker uses this to stage of funds from accounts attack. Dump Site 2.Malware distributed to Retailer internal DistributionServers POS 4. Malware scrapes unencrypted RAM in Update Server POS 3. Distribution Servers distributes malware to legacy POS terminals 99 real-time and sends card information to Dump Site

10 Heartbleed how does the attack work? 6.Attacker analyzes packet and sensitive data to see if there is anything interesting, if not reruns attack to capture more 1. Attacker creates a custom memory. HeartbeatTLS/DTLSpacket 7.If web server s certificate private key is captured, it can be used to decrypt current and historical user 5.Web Server responds by sending a packet Dropper 2. Packet is transmitted tovulnerableopensslweb server data and credentials back which unknowingly includes this extra sensitive data 4.The code grabs up to 64KB of extra memory in hopes of capturing something sensitive from memory Victim 3. Web Server processes packet Web Server 10 Username Password

11 Mobile DataLoss Countermeasures

12 Dataat rest Security Data in Transit Data in the Application

13 Secure and Manage Content Active Maintain separation Directory between personal and work apps and data Secure enterprise traffic Certs Apps Get your enterprise apps Content Enterprise Resources 13

14 MobileIron App & Content Security Distribute Private Storefront App Delivery Network App Control Containerize Tunnel Protect data-at-rest Protect data-in-motion AppConnect AppConnect SDK Wrapping Authentication Authorization Configuration Usage Tracking AppTunnel Deletion 1414 AppConnect AppSentry

15 Corporate Application SecurityPolicy 15

16 FIREWALL VPN vs.apptunnel Traditional VPN AppTunnel AppTunnel SENTRY AppTunnel 16 AppTunnel

17 Encryption: On-device Encryption and the Over-the-air withapptunnel WatchDox Active Directory Certs Apps Content 17

18 Encryption: On-device Encryption and the Over-the-air withapptunnel WatchDox Active Directory Certs Apps Secure communication between enabled apps Content Secure, App-specific connections with enterprise resources 18

19 Auto-Quarantine - SelectiveRemote Wipe Active REMOVE Directory Certs Apps Secure content Content Sharepoint WatchDox WatchDox 19

20 Thwart Man-in-the-Middle Attacks Corporate Mobile device with client Active certificate Man-in-the-Middle Intruder Directory Certs Apps Content By using certificates, the mutual authentication fails between the Device certificate and Sentry server certificate due to fake certificate presented by attacker. Therefore, no SSL connection is established and no data is exposed. 20

21 Google s Skeleton Key Lessons Learned: While although some of these Google services have been patched/fixed over the last few months, some Google services still are vulnerable Someone can download your entire Google Drive! MobileIron Mitigation: 21 If a device is rooted, your Google Apps data and tokens are exposed 21 NeedEMMeven when using Google Apps MobileIron EMM canidentifymalicious apps and rooted devices

22 MobileIron Mobile Attack Countermeasures 1.Hacker attempts MITM attack or targeted attack on mobile device, brute- Mobile Device force attacks mitigated through use of certs X 4.VSP identifies malicious app and alerts 5.AsJailbreak/rooting occurs, MobileIron Auto-Quarantines device Cert-based authentication Encrypted corporate persona Secure tunnel for App-only (not MobileIron VSP whole device) 6.Quarantine removes Managed Corp App & Data to mitigate exposure 2.VSP enforces security policies, lockdowns, restrictions 3. VSP monitors, alerts, and reports on outof-compliance devices, ensures closedloop actions X 2222 Lockdowns/restrictions Malicious App Detection Jailbreak/root auto-quarantine

23 Other recommendations Use MobileIron Sentry Secure Mobile Gateway Can provide additional protection for your servers! (ActiveSync, Web,Sharepoint, Apps, etc. that are using SSL/TLS) LeverageMobileIronAppTunnel(MobileIron-enabled or wrapped Apps) ormobileiron Tunnel(nativeiOSApps) to securely access internal servers. Sentry mitigatesheartbleedthreat Sentry will not negotiate Heartbeat request Disallow packet, Sentry Corporate doesn t allow Heartbeat Malicious Heartbeat Packet Attacker packets (DTLS) Active Directory Certs Apps Web Servers & Content 2323 MobileIron

24 Proactive & Reactive Countermeasures Holistic Mobile Security Proactive Encryption Containerize Corp Content & Apps Malicious App Detection Ongoing jailbreak/root detection User or device certificate to thwart MITM attacks Reactive Closed-loop compliance actions Block Remove Corporate Managed Apps & Data Selective Wipe (Corp Apps, Data, , etc.) Compliance Reporting Alerting

25 Core Security Elements VSP: Mobile Policy Configuration Engine ofmobileiron splatform Mobile Device Management Mobile Application Management Identity And Certs User Self-Service Rules & Reporting MobileIron Client Enforces Configuration and Security Sentry policies on the device, apps and content at rest and in real time Provides Access Control by Enforcing Security Policies on Apps and Contentin-flight 25

26 Michael T.Raggo, CISSP, NSA-IAM, ACE,