PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

Similar documents
The Sophisticated Attack Myth: Hiding Unsophisticated Security Programs: The Irari Rules of Classifying Sophisticated Attacks

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

How To Protect Your Mobile Device From Attack

8 Steps for Network Security Protection

8 Steps For Network Security Protection

Information Security Services

Network and Host-based Vulnerability Assessment

Protecting Your Organisation from Targeted Cyber Intrusion

Locking down a Hitachi ID Suite server

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

What is Really Needed to Secure the Internet of Things?

Thick Client Application Security

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

10 Quick Tips to Mobile Security

Enterprise Apps: Bypassing the Gatekeeper

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Passing PCI Compliance How to Address the Application Security Mandates

Securing OS Legacy Systems Alexander Rau

Application Intrusion Detection

Kaspersky Security for Mobile

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Common Criteria Web Application Security Scoring CCWAPSS

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Top 10 Tips to Keep Your Small Business Safe

Modern two-factor authentication: Easy. Affordable. Secure.

Top five strategies for combating modern threats Is anti-virus dead?

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

8070.S000 Application Security

BYOD in the Enterprise

Marble & MobileIron Mobile App Risk Mitigation

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Intelligent Security Design, Development and Acquisition

MONTHLY WEBSITE MAINTENANCE PACKAGES

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

Security Testing in Critical Systems

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

12 Security Camera System Best Practices - Cyber Safe

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

NATIONAL CYBER SECURITY AWARENESS MONTH

Software Development: The Next Security Frontier

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

A Decision Maker s Guide to Securing an IT Infrastructure

Why SMS for 2FA? MessageMedia Industry Intelligence

Enterprise Mobile Threat Report

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Functional vs. Load Testing

10 Smart Ideas for. Keeping Data Safe. From Hackers

Cyber R &D Research Roundtable

2012 Data Breach Investigations Report

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Penetration Testing //Vulnerability Assessment //Remedy

Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Tom Schauer TrustCC cell

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Why The Security You Bought Yesterday, Won t Save You Today

CYBER SECURITY. Is your Industrial Control System prepared?

Website Maintenance Information For My Clients Bob Spies, Flying Seal Systems, LLC Updated: 08- Nov- 2015

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Desktop and Laptop Security Policy

Web Application Security

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Defending Against Data Beaches: Internal Controls for Cybersecurity

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Spear Phishing Attacks Why They are Successful and How to Stop Them

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Securing Database Servers. Database security for enterprise information systems and security professionals

Application Security Testing

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

Transcription:

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES Ira Winkler Codenomicon Session ID: MBS-W05 Session Classification: Intermediate

Zero Day Attacks Zero day attacks are rising in prominence They tend to be behind the most devastating attacks these days Generally used by very high end criminals and nation states You usually don t know about the attack unless there are other indicators 2

Zero Day Examples Stuxtnet Combined 4 zero day attacks that we know of in a specific Siemans SCADA software system Supposedly delivered via USB drive Caused centrifuge systems to essentially self destruct to set back Iranian nuclear capabilities Only detected because of a lack of a kill switch once it left the Iranian facilities 3

Zero Day Examples RSA hack Spear phishing message retrieved from spam filter of RSA employee Exploited an IE 6 vulnerability Established a foothold on the network, which was then used to compromise the RSA network SecurID source code stolen Attempts to brute force remote access system of defense contractors via a new zero day likely found via source code review 4

What exactly is a Zero Day attack? 5

Only Two Ways to Hack a Computer Despite all of the technologies out there, there are only two fundamental ways to hack computers The basics can be applied to any computer system or network You might contend that there are more basics, but I promise you that I can force fit it into the only two

Take Advantage of Configuration Problems How an admin configures a system Bad configurations, architectures, file shares, default privileges, improper patching, etc How a user uses or maintains the system Violates privileges, bad passwords, vulnerable to social engineering attacks, bypasses security processes, goes to malicious websites, etc

Take Advantage of Vulnerabilities in the Software All Software has bugs Some bugs create elevated privileges or cause information leaks Those are security vulnerabilities Nothing a user or admin can do, except stop the service

Typical Vulnerability Lifecycle Developer writes software with vulnerability Begins to get used Vulnerability is found by accident or on purpose Developer hopefully finds out about it and issues a patch Users then implement the patch

Where Problems Occur Vendors aren t alerted about the problem, so they can t fix it Zero Day Vulnerability The more common problem: Users don t implement the fix Ironically the developers look bad, because nobody wants to blame the user Fix cannot readily be implemented Hopefully you don t have a person who wants credit or full disclosure Embedded devices require physical upgrades

Who and Why? Enthusiasts For fun Hackers For ego Black market For profit Criminals For profit

Who and Why? Security researchers? For marketing For profit For good High end criminals For their own intelligence purposes For major profits Nation states CNO, CNI, CNE

Embedded Devices Embedded devices are usually firmware and you can t easily make changes Traditionally very simple and basic components Little functionality They are usually there for the lifespan of the product and cannot be swapped out Unfortunately, devices are becoming more complicated, so there will be more bugs

Mobile Devices Mobile devices are pretty much ubiquitous now More plentiful than regular computers in the first world There is no security software suite in common use to mitigate even widely known vulnerabilities Rarely do people perform updates

Beginning to See Problems Many problems with Android phones Vulnerabilities found with ios and all other operating systems Vulnerabilities can be for the apps as well as the OS Beginning to be used for critical applications Used for financial applications Proliferation is too big of a target to ignore

Developers Not in a Position to Fix Process Developers cannot address how users or admins do things They can make things easier to maintain, and should, but there is a limit Can limit user options

Zero Days are Expensive Reputation alone can be critical Exponential increase in cost to fix a bug in each phase it s detected Expensive to test Expensive to push out Potential liability issues for some sectors

Proactive Testing for Prevention The best way to prevent zero days is to proactively find them early in the lifecycle As much testing as possible should be implemented as early in the development process as possible Automation is cheaper and more effective Fuzz testing is extremely effective in rapidly identifying zero day vulnerabilities

What is Fuzzing? Black box testing Tests as many condition as possible Throws as much data as it can at the application Causes even security software to fail in seconds Iterative testing in nature This is how the bad guys will come after you

Make Fuzzing Value Known The fact of the matter is that many people don t understand the vulnerability lifecycle and how mobile devices are wide open, and will remain wide open Fuzzing is significantly more cost effective than replacing millions of smart phones Businesses have to acknowledge that mobile devices are prime targets, especially those widely distributed

BACK DOOR ATTACKS

Helper App Attacks Many mobile attacks are at an application level beyond the control of most developers iphones have some protections NFC and other base protocols can call a helper app Browser, readers, viewers, etc. Helper apps can be very vulnerable Secure application triggers an insecure one

Don t Ignore Configurations Default configurations to use helper applications Default configurations to enable minimal application permissions Only enable minimally required services The more apps running, the more insecure If an app/service isn t running, it can t be exploited Bluetooth for example Never rely on users not to jailbreak phones Never assume a user will always leave settings strong

DON T FORGET ABOUT AWARENESS

Good Practices Stop Zero Days They don t stop them from existing, but they stop them from being executed If a user doesn t open an attachment, it can t exploit the device RSA hack If a user doesn t download a random app, it can t exploit the device Research on security awareness critical success factors samantha@securementem.com

Awareness for Developers Developers write bad software and don t know it Many arent familiar with the concept of buffer overflows Most don t know what an SQL injection attack is If they did we wouldn t have most of the bad software problems

Summary Zero day exploits are coming to mobile devices Ensure that you have an appropriate development process to reduce the existence of easily discoverable vulnerabilities Fuzz testing is a very efficient step rapidly finding such vulnerabilities Ensure that proper configurations are implemented Create an awareness process to instill users with good security behaviors

For More Information Ira Winkler, CISSP ira@securementem.com +1-410-544-3435 http://www.facebook.com/ira.winkler @irawinkler http://www.linkedin.com/in/irawinkler

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information