Security and the Smartphone Revolution

Transcription

1 Security and the Smartphone Revolution

2 About the Speaker Joseph Granneman, MBA, CISSP Joseph Granneman has developed a passion and expertise in information security in his 20 years of experience as a CIO, CTO and CSO of hospitals and clinics in the Chicago region. His passion drove him to be an independent author, presenter and professor in the health care information technology and information security fields. He has been frequently consulted by the media and interviewed on various health care information technology and security topics. He has also been a member in many information security standards groups, including identifying security vulnerabilities in HIEs as part of the Health Information Security and Privacy Security Working Group for Illinois. He was also a volunteer for Certification Commission for Health Information Technology (CCHIT) Security Working Group, which developed the information security standards for ARRA certification of electronic medical records. He also continues to be involved in the FBI InfraGard program.

3

4 PUTTING MOBILE IN PERSPECTIVE

5 August 12, 1981

6 PC Growth April billion PCs shipped* billion PCs Shipped** *Gartner Dataquest statistics **Forrester Research

7 PC Growth Over 1 billion PCs in use today** 2 billion PCs in use by 2015** *Gartner Dataquest statistics **Forrester Research

8 PC Growth 27 years to reach first billion PCs in use.** Only 7 more years to reach 2 billion PCs in use.** *Gartner Dataquest statistics **Forrester Research

9 June 29, 2007

10 October 22, 2008

11 By the numbers 2 billion mobile devices in use by 2015 PC shipments decline by 10.6% in 2013 Tablet shipments increase by 67.9% Source: Gartner (June 2013)

12 By the numbers Worldwide Devices Shipments by Segment (Thousands of Units) Device Type PC 341, , ,239 Ultramobile 9,787 20,301 39,824 Tablet 120, , ,178 Mobile Phone 1,746,177 1,821,193 1,901,188 Total 2,217,440 2,348,497 2,506,429 Source: Gartner (June 2013)

13 OUR COMPUTING MODEL HAS FUNDAMENTALLY CHANGED

14 New Capabilities Fingerprint Scanner Heartrate Relative humidity Env. Temperature Barometer NFC Accelerometer Magnetic Field Light Flux Battery temp. GPS Proximity RGB Ambient Light Gyroscope

15 New Use Cases Always connected User proximity Personalized services Fitness Banking Healthcare Travel Shopping Mobile Payments

16 Health Care Perspective Providers Access EMR Hospital Rounding Coding Schedule Medical Imaging Prescriptions Photos Dictation Patients Access PHR Pay bills Schedule Appointments physician IOT (Internet of Things) Weight, BP, Pulse, etc.

17 The Perfect Storm Always on Full of personal information Adopted by almost everyone Rapid adoption without consideration for security Mobile = Increased Risk

18 Criminal Attention Cybercrime is quickly turning to mobile More profitable than PC malware Evolving much faster Infrastructure was already built over the last 10 years. People more trusting of phishing on mobile

19 Mobile Cybercrime Pricing Source: Antiphishing Workgroup Mobile Report

20 Nowhere to hide

21 Mobile/BYOD Risks Classified 1. Design/Architectural Vulnerabilities 2. Operating System Vulnerabilities 3. Application Vulnerabilities 4. Network Vulnerabilities 5. Cloud reliance

22 DESIGN/ARCHITECTURE VULNERABILITIES

23 Design/Architecture Mobile device storage issues Flash memory differences Limited number of write cycles Nothing is truly deleted DOD style data wipes cannot be used Differences in Android vs ios Differences in models of devices Standard forensic techniques very successful

24 Design/Architecture Encryption of Devices - Apple ios encrypted by default Hardware based AES 256 Bit encryption FIPS Certified Wipes after 10 incorrect PIN entries

25 Design/Architecture Encryption of Devices Apple Private Key is NOT based on PIN Developer mode bypass allows brute force Older devices use software based keys Recovery times around 2 minutes

26 Design/Architecture Encryption of Devices Optional on Android device Various states of FIPS Compliance Software based Key and Salt stored in boot footer Performance penalty 4 Digit pins recovered in seconds

27 Example Open source tools for security testing Santoko Linux Free for downloading Mobile Forensics Password Recovery Penetration testing Network Manipulation

28 Example

29 Example

30 Example

31 Technology Makes PINS Obsolete

32 Password Recovery Times Recovery times with a $1,500 PC: Password: 'Pa5$w0d - 2m12.367s Password: 'K#n&r4Z - 1m51.962s 7 Character passwords 40GB of possible combinations Dictionary words are almost instantaneous Only around 70,000 possible combinations. 4 Digit PINS only 10,000 possible combinations.

33 No Cracking Necessary ios Backups easier to recover Newer devices backup to icloud

34 OPERATING SYSTEM VULNERABILITIES

35 BYOD/Mobile Don t Forget the Basics Patching is still a key defense Many users do not apply patches but still access company data Apple pushes out patches Planned Obsolescence old devices Android devices left to the carrier Patches are not pushed out Many devices still vulnerable

36 Android MasterKey Hole Discovered in August 2013 Simple way to install malware How it works - Android Apps are simply digitally signed.zip files Modified.ZIP files fail digital signature checks Simply place two files with the same name in the.zip file. Android verifies the first but not the second.

37 Android Fragmentation

38 BYOD - Audits

39 Example Vulnerable iphone

40 APPLICATION VULNERABILITIES

41 Trust the App Store? The App Store Security Model Applications are tested before being posted Apple more closed but more scrutiny Android more open but less scrutiny

42 Trust the Google Play Store? Trend Micro Study Analyzed 700,000 Google Play apps Found more than 68,740 malicious 1 in 10 applications Cloning popular titles Angry Birds, Cut the Rope, Riptide GP Sent premium SMS messages

43 BYOD - Risky Behavior Rooted Phones Use vulnerability to bypass OS protections Third Party App Stores Pirated material more malware Android App Side Loading Direct loading of unverified apps Custom Android ROMS Full custom versions of Android from unknown sources None of these devices should be allowed to connect to sensitive networks.

44 Careless Mobile Apps Mobile App Security Study Tested for unencrypted private data Performed by NowSecure - Financial Apps 25% Failed, 31% Warning, 44% Pass Best category tested Recovered password, payment history, partial credit card numbers

45 Careless Mobile Apps Social Networking 74% Failed, 26% Warning, 0% Pass Included Facebook, Twitter, LinkedIn, Foursquare All stored username in cleartext IM Logs, Direct Messages, passwords stored in cleartext Retail 14% Failed, 86% Warning, 0% Pass Included Best Buy, Amazon, Groupon and Starbucks Storing search history, name and address Groupon was storing password Starbucks was storing full 16-digit credit card number

46 Careless Mobile Apps UUID serial number for ios devices AntiSec a subgroup of Anonymous Claimed to have 12 Million UUIDs from the FBI Released on Internet Bluetoad electronic publisher Stored customer s UUIDs Found that their systems compromised

47 Example 'ec166427e203c6302e2573a965f2a0b895a809d36da021be1ede10fb a','aandrew..?','ipod touch' '02a7441f686282e9ecea010f977fa6bf9ca144d b2676faabb26e016','aandrews s ipad','ipad' '900c55c8a03fede9896d9efbfd8c2f980a17d28aee6ebd63e300c1df7e047cae','Aanemy','iPad 20f22415fe803f444f46320a3819fa391b6057bee786c0bce9da7aad59cb6d6c','Aang','iPad' 'cbcbb2c2893dbb680c02bcf3800c2981b f1c369e4dfbbd366de91cb47','aangle ipad','ipad' '7a4525b51996cac60d5c7c69cdd2e1650b c9b37e c e','aan','iPad' 'fb277bff d3dbf42bc8db482d3e6b6b6438a2fca0eae4e4e8ef32e5851','aan iphone 4','iPhone' 'fcb77c4ceb9fe7d9bdeab9783b42240d8a403e2b83a1a990908afa9dfb928be1','aanisha\'s ipad','ipad' '3fe6671e670acf9d2fcb7fdd9b2df5df ec6553d7b08bdaec09c0f20e6','AANN','iPad' '647a3eba bf860615cfbde050f641972a9f166159b4ddea0e4399fb43','Aansh Jagwani','iPad' '4d0ee301f8d44c7fdd40a2e80d8c28c f159a1a184fbe fc','Aan\'s ipad','ipad' '6f80d5941a78da97bf05ca2b00b797339cba4f86ab a2d48c3c1b70b','aan s iphone','iphone' '6555e43aabaeb5fa47be4f1a0e1f4457ed729b4e9b3f1adc0fd6d1bff ','AANS Meeting','iPod touch' '8cffd1e5f4259c9c6c0ec dbbc e3f9b86bea384c038','AAntonov','iPad' b8731eda235df1a94f3c3e6b78821ab3e8f5b2314eb260aa80383a64b','AAntonov','iPhone'

48 NETWORK VULNERABILITIES

49

50 Insecure Communication Mobile devices are broadcasting for known wireless networks Malicious devices answer and route communications through How many have attwifi on their phone?

51 Man-in-the-Middle Attacks

52 Near Field Communication NFC mobile payments are projected to be a $1T market NFC risks Eavesdropping Data corruption Data manipulation MITM Attacks

53 RELIANCE ON THE CLOUD

54 icloud Weaknesses

55 Importance of Dual Factor

56 Google Wallet Brute Force

57 Google 2-Step Verification

58 MOBILE DEVICE MITIGATION ADVICE

59 Securing BYOD/Mobile Utilize some form of Mobile Device Management Disallow rooted devices Require updates to be installed Disallow 3 rd party app stores and apps Require stronger pin codes Require timeouts Require encrypted devices

60 Securing BYOD/Mobile Disallow clear communications over public networks. Inspect mobile applications for security flaws Use sandboxing when needed Utilize remote wiping

61 Securing BYOD/Mobile End User Training Lost phones must be reported immediately. Phishing identification Physical security Dangers of malicious applications

62 QUESTIONS?