This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Transcription

1 The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit com To invite Jim Stickley to speak at your next event, him at or call his cell at

2 The Hidden Risks Of Mobile Applications Presented by Jim Stickley

3 Today Android now has over 1 million apps with Apple close behind With the entire world moving to mobile devices, hackers are shifting their focus

4 Mobile Technology Installing malicious apps

5 Hacking mobile technology Applications require permissions to access certain information In many cases the permissions are necessary to allow the application to perform properly While mobile devices will warn you about the permissions i required, do people really pay attention?

6 6

7 7

8 8

9 Purpose of this attack Test 1 See how many people would download and install my app even though it required access to everything Pull address off phone Because Android uses gmail, often multiple address will be added to phone Pull phone number and mobile carrier

10 10

11 11

12 Hacking mobile technology Permissions I required Your Personal Information (Read contact data, Write contact data) Network Communication (Allows the application to accept cloud to device messages from applications service, full internet access) Storage (Modify / Delete SD Storage) Phone Calls (modify phone state, read phone state and identity) System Tools (Automatically start at boot, Prevent phone from sleeping, write sync settings) Your Messages (Read SMS or MMS, Receive SMS, Read Gmail including sending and deleting mail) Services that cost you money (Send SMS Messages)

13 Results Over 1300 downloads in 3 month period Received over addresses Applications remained in contact with my server during this time Never reported as suspicious Never received notice to discontinue application Averaged 3 stars on feedback

14 What does this mean? People are willing to install an app even if the permissions i have access to things not needed d to function properly Often people will not be aware of the permissions required because they scroll off the screen If I wanted to create a malicious app that would need people to allow all permissions, that will not be an issue

15 Mobile Technology Hacking online accounts

16 Hacking online accounts Mobile apps can be designed to manage: , text messages, photos, contacts, etc. Malicious apps could be designed to capture this same data. Could look legitimate to Google and Apple Probably could be used to gain access to online accounts

17 Purpose of this attack Test 2 Using the same app originally created to test permission, modify the app to have the ability to be malicious Attempt to steal online account login credentials (Login & Password) via the app Because the app is now malicious, only test on friends and family

18 Hacking mobile technology User installs Gmail counter app After the app is installed, it simply retrieves addresses from phone and sends them to the hacker

19 Hacking mobile technology What can you do with an address?

20 Hacking mobile technology Hacker sends forgot password and or forgot User ID request to all major online applications using acquired addresses

21 Hacking mobile technology Hacker sends forgot password and or forgot User ID request to all major online applications using acquired addresses

22 Forgot password? RBKYHU

23 Forgot password? RBKYHU

24 Hacking mobile technology Online applications send temporary password or User ID back to address

25 Hacking mobile technology Online applications send temporary password or User ID back to address

26 Hacking mobile technology Mobile App checks for messages from defined d list of online applications

27 Hacking mobile technology Any s that match password requests are forwarded d to hacker

28 Hacking mobile technology Any s that match password requests are forwarded d to hacker

29 Hacking mobile technology

30 Hacking mobile technology ******** ********

31 Hacking mobile technology

32 Hacking mobile technology Hacker now has the login ( address) for the account and a link to a temporary password Problem: Real owner of account might see containing i forgot password request

33 Hacking mobile technology Hacker now has the login ( address) for the account and a link to a temporary password Problem: Real owner of account might see containing i forgot password request

34 Hacking mobile technology Mobile App designed to delete the original i after it forwards to hacker

35 Hacking mobile technology Hacker now has temporary passwords for all accounts Hacker can now login to accounts using address and temporary password Hacker can change settings, order items online, etc. Until real user attempts t to login to hijacked account, hacker has full access

36 Results Loaded malicious app onto 20 mobile devices These people all agreed to let me hack them Able to change the password on over 100 online applications Able to gain access to online banking accounts through multifactor

37 Results Can also be used to gain real passwords

38 38

39 39

40 40

41 How risky is it? Hacker has complete access to Hacker has complete access to text messages Send and receive Hacker has ability to access numerous accounts Hacker has ability to learn your password

42 How risky is it? Extremely important to have unique password at every site Not always easy to remember Simple solution

43 What can you do? Pay attention to permissions Even if the application has been downloaded / installed thousands of times, it doesn t guarantee it s secure When in doubt, don t install the application Password no longer working is a red flag

44 What can you do? How do I know what permissions my apps have? Android Apple

45 Mobile Technology Attacking the network

46 When phones attack Can a mobile device be used for hacking? Android is Linux based Written in Java with all the normal sockets Supports C code Supports native Libraries In theory you could use an Android device for hacking

47 Purpose of this attack Test 3 Crash server on network RDP Remote Code Execution Vulnerability Published March 2012 (MS12-020) Used for remote code execution and denial of service attacks

48 When phones attack Target system Windows 2008 Server Attack software RDPKill4Android Video

49 This is the title text box

50 When phones attack What happened? Android device has access to network via Wi-Fi Android device was able to connect to Windows computer Android device was able to send denial of service code via RDP Windows 2008 server crashed with blue screen

51 When phones attack What does this mean? Mobile devices can be used to attack computers on the local network via a Wi-Fi connection

52 When phones attack Why stop there? If an app on a phone can cause a windows machine to crash, what else could it do?

53 Mobile Technology Hacking a computer

54 Purpose of this attack Test 4 Create a malicious app that could take over a desktop computer App would be designed to look like Wi-Fi speed tester Because app only requires permission i to access network via Wi-Fi, the only permission required will be expected by user

55 When phones attack Can this really be done? Video

56 56

57 When phones attack What just happened?

58 When phones attack 58

59 When phones attack Mobile device port scans network for vulnerable systems 59

60 When phones attack App finds a computer vulnerable to RPD MS exploit

61 When phones attack App installs malware on vulnerable system

62 When phones attack Mobile device no longer required to exploit system

63 When phones attack Mobile device no longer required to exploit system

64 When phones attack Exploited computer connects to hacker server allowing remote communication

65 When phones attack Hacker site uploads additional tools and sends commands for exploited computer to execute

66 When phones attack How bad is it? Complete compromise of any un-patched systems on network Internal networks often less secure then external facing networks Remote access with the ability to install and execute code Ability to record the screen, webcam and keyboard entries Full access to contents on the hard drive and launch point for additional network attacks

67 When phones attack What does this mean? If you allow mobile devices on your network, they can put your entire network at risk

68 When phones attack Just how bad could it get?

69 Mobile Technology Automated hacking

70 Automated hacking Many of the new attacks are focused on exploiting vulnerabilities in the browser IT security staff will often place desktops behind proxy servers designed d to protect t against viruses and other outside attacks Adobe Acrobat and Flash exploits Internal desktops and servers are often missing critical patches

71 Automated hacking If a hacker is on the internal network, they could exploit these vulnerabilities Mobile devices give hackers the ability to bypass firewall protection ti Malware placed on system designed to automate an attack could cause serious damage

72 Targeting corporate America Test 4 Steal complete financial institution member database Video

73 73

74 What is at risk? Complete download of ALL customer information Name Address Phone Number Birthday Social Security Number Account Number Mothers Maiden Name Debit / Credit Card number & Exp Financial Institution IP address

75 What does this mean? Hackers can attack your organization without even knowing you exist via malicious i apps Your network can be hacked and all confidential data on the database stolen in minutes Hackers can attack your network while not at their computers When the attack is over, your network shows no obvious signs a breach took place

76 Conservative damages estimate 2% of 16,000 = 320 financial institutions exploited 10, members / customers at a financial institution $ stolen from each member / customer Calculation: 320*10,000*100 = Total Damages: $320,000,000

77 Your future Manual hacking is an outdated practice Organization attacks will become fully automated What used to take days or months will now take just minutes BYOD bypassed firewall and places hackers directly on internal network

78 What can you do? Awareness Training / Education Comprehensive Security Policies Limit Internet Access Monitor Network Risks / Vulnerabilities Personal Firewalls, Anti Virus Intrusion Detection / Prevention

79 What can you do? Even if the application has been downloaded / installed dthousands of ftimes, itd doesn t guarantee it s secure When in doubt, don t install the application Patch all computers on local network, even computers that generally do not connect to the Internet

80 Mobile Technology Dangers of Wireless access points

81 Wireless access points Wireless access points are everywhere Hotels Airports Coffee Shops Malls Parks Apartments Business complexes Some are free, some charge

82 Wireless access points People seem focused on one security of the device itself Insecure Access points Flaws in wep Launch point for malicious attacks Easy to attack home users Easy to monitor traffic on local networks

83 Wireless access points There are other security concerns that are often overlooked Gaining access to confidential information through wireless Video

84 84

85 Wireless access points Other risks beyond just credit card Many mobile apps do not verify SSL connections or even communicate securely Used to monitor all transactions Record Passwords Online Banking Purchases

86 What can you do? Awareness training Be careful what apps you use while on insecure wireless access points When in doubt, use carrier service instead of Wi-Fi

87 Manage BYOD Risk Top 5 Issues

88 Manage BYOD Risk Issue 1: Users installing unapproved apps Organizations need to designate approved apps Apps that store login credentials on cloud sites need security review of the cloud provider Be very suspicious about apps from unofficial sources, which is relatively easy to enable on most Android devices Most Mobile Device Management (MDM) platforms let you publish a list of approved apps to devices, restricting users from installing any app they like

89 Manage BYOD Risk Issue 2: Users sharing devices Strict polices should be implemented that prohibit sharing devices. Often parents will share tablets with their kids. Never assume the device connecting to the network is being operated by the approved user. Approve only by login credentials, not hardware. MAC address can be spoofed

90 Manage BYOD Risk Issue 3: Browsing malicious web sites People forget that phisihng scams can happen through mobile devices Criminals target mobile devices via and txt messages with the goal of gaining i login credentials MDM platforms support whitelisting approved websites or implementing more advanced anti-phishing filters Mobile devices required to connect through corporate VPNs can also be limited through web proxy servers

91 Manage BYOD Risk Issue 4: Users losing devices & employees quitting Make sure you have a defined procedure in place when a device is lost or stolen or an employee quits MDM solutions can quickly wipe devices remotely Apple s icloud can also be used to wipe devices remotely Android requires third party apps for remote wipe

92 Manage BYOD Risk Issue 5: Network monitoring When users use public networks, the information passed on their phones could be monitored Employees should only connect to corporate wi-fi access points and those that they directly control Some MDM solutions can be setup to block wi-fi access

93 In the end

94 In the end Mobile devices will continue to become more integrated into the work place Organizations need to make sure they are conducting risk assessments, creating policies i and auditing their procedures to ensure their networks remain secure Because mobile technology is rapidly changing, organizations should have scheduled reviews of the existing policies to make sure they remain relevant and effective

95 In the end Every organization must deal with Governance, Risk and Compliance (GRC) If you have not properly defined the risk in your organization, it is impossible ibl to understand d the controls required to protect your most valuable assets If your not continually updating and redefining the risks as your organization changes, you will fail at managing your security Without a centralized solution, maintaining all aspects of the GRC program is unlikely

96 GRC Simplified - Need a self-contained solution that integrates all functional areas necessary to manage an on-going risk-based information security program Risk Policy Vulnerability Training Vendor Audit Compliance Incident Response Business Impact tanalysis Business Continuity Planning Process Reporting

97 GRC Simplified - Need a self-contained solution that integrates all functional areas necessary to manage an on-going risk-based information security program Risk Policy Vulnerability Training Vendor Audit Compliance Incident Response Business Impact tanalysis Business Continuity Planning Process Reporting

98 TraceSecurity Inc. Comprehensive Security Assessments Risk Assessments Penetration Testing IT Audits Vendor Management Comprehensive Regulation Compliance Review Online Banking Application Testing Remote and Onsite Social Engineering Policy Development and Review Training (Onsite / Online) Employee & Customer twitter.com/tracesecurity twitter.com/jimstickley

99 99

100 Security Education Solution Enjoyed this presentation? The Stickley on Security online training solution allows you to bring Stickley to your organization and customers through comprehensive online security training i videos. Visit to learn more!

101 The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit com To invite Jim Stickley to speak at your next event, him at or call his cell at