Exactly the Same, but Different
Shayne Champion, CISSP, CISA, GSEC, ABCP
Program Manager, GO Cyber Security, TVA
v1.0

Agenda
Define Mobile Device Security
o Similarities
o Differences
Things You Should Be Doing
Mobile Device Security
"There is no question that mobile security will eventually equal if not surpass PC security as a threat to IT departments."
Denise Culver, Heavy Reading Mobile Networks Insider

Mobile Device vs. Computers: SIMILARITIES

Definitions: Level Setting
Com·put·er [kuhm-pyoo-ter]: An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these operations.
Mo·bile De·vice [moh-buhl dih-vahys]: A portable, wireless computing device that is small enough to be used while held in the hand; a hand-held.
Source: http://dictionary.reference.com/browse/computer
NEWS FLASH: Mobile Devices ARE Computers!!!
...and we can do something about that, can't we?
Sources:
http://nordhaus.econ.yale.edu/prog_030402_all.pdf
http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2
http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/

Same Kind of Different
Same kind of security controls you *should* use anyway:
o Encryption
o NAC
o DLP
o AV / Malware
o Inventory Management
o Controlled Admin Privileges
o Port & Service Management

Similarity: Order of Magnitude
Risk from an OSI perspective:
o Most risk is shifting to the application layers
o Lower-level layers are becoming relatively more tame
Source: http://www.sans.org/top-cyber-security-risks/trends.php
Define: Metadata
Metadata: Data that defines or describes another piece of data. Metadata may reveal more about you, your organization, or your devices than you realize. Many devices, such as your computer, camera, or smart phone, automatically embed metadata in any digital files they create.
Source: http://www.securingthehuman.org/newsletters/ouch/issues/ouch-201204_en.pdf

Metadata
Some examples of metadata include:
o File creation date and time
o The address or geographic location where the file was created
o Your name, your organization's name, and your computer's name or IP address
o The names of any contributors to the document or their comments
o Type of camera you are using and its settings when the photo was taken
o Type of audio or video recording device you are using and its settings when a recording was taken
o Make, model, and service provider of your smart phone
Source: http://www.securingthehuman.org/newsletters/ouch/issues/ouch-201204_en.pdf

Metadata Solutions
Metadata Tools:
o Document Inspector: http://preview.tinyurl.com/3996c2a
o EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc
o Free Metadata Extraction Tool: http://meta-extractor.sourceforge.net or http://preview.tinyurl.com/aueb4
o Disabling Geo-location for Smartphone Cameras: http://preview.tinyurl.com/3v4xznm
Source: http://www.securingthehuman.org/newsletters/ouch/issues/ouch-201204_en.pdf
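The tools listed above are point-and-click. To show what they actually do with a photo's EXIF block, here is an added example (not from the deck or the OUCH! newsletter): it constructs a minimal JPEG whose APP1 Exif segment carries a camera Make tag and a GPS sub-IFD with a latitude, reads those tags back, and produces a copy with the entire Exif segment removed. The image bytes, the make string "Constructed Phone Co." and the coordinates are all constructed sample data; no real photo is involved, and only the handful of TIFF field types needed for this demonstration are decoded.

```python
import struct

# EXIF / GPS tag numbers used here (standard TIFF/EXIF tag ids)
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
# TIFF field types this demo decodes: type id -> (struct code, byte size)
TYPES = {2: ("s", 1), 3: ("H", 2), 4: ("I", 4), 5: ("II", 8)}
EXIF_HEADER = b"Exif\0\0"

def _build_ifd(entries, base):
    """Encode a little-endian IFD placed at TIFF offset `base`.
    entries: (tag, type id, payload bytes, count); payloads over 4 bytes
    go into an overflow area right after the IFD and are referenced by offset."""
    ifd, overflow = struct.pack("<H", len(entries)), b""
    data_start = base + 2 + 12 * len(entries) + 4
    for tag, typ, payload, count in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")
        else:
            value = struct.pack("<I", data_start + len(overflow))
            overflow += payload
        ifd += struct.pack("<HHI", tag, typ, count) + value
    return ifd + struct.pack("<I", 0) + overflow      # 0 = no next IFD

def build_sample_jpeg(make, lat_dms, lat_ref):
    """Constructed test input: a minimal JPEG (SOI, APP1 Exif, EOI) whose
    Exif block carries a Make tag and a GPS sub-IFD holding a latitude."""
    make_b = make.encode() + b"\0"
    gps_off = 8 + (2 + 12 * 2 + 4) + len(make_b)       # IFD0 plus its overflow
    ifd0 = _build_ifd([(0x010F, 2, make_b, len(make_b)),
                       (0x8825, 4, struct.pack("<I", gps_off), 1)], base=8)
    lat = b"".join(struct.pack("<II", n, 1) for n in lat_dms)   # three RATIONALs
    gps = _build_ifd([(0x0001, 2, lat_ref.encode() + b"\0", 2),
                      (0x0002, 5, lat, 3)], base=gps_off)
    app1 = EXIF_HEADER + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _iter_segments(jpeg):
    """Yield (marker byte, raw segment) for each JPEG segment after SOI;
    SOS and EOI end the walk because no length-prefixed headers follow them."""
    pos = 2
    while pos < len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            yield marker, jpeg[pos:]
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff, offset, endian, names):
    """Decode one IFD into {tag name: value}, following out-of-line data."""
    out = {}
    n_entries = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(n_entries):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ not in TYPES:
            continue                        # field types this demo does not decode
        code, size = TYPES[typ]
        total = size * count
        if total <= 4:
            raw = tiff[e + 8:e + 8 + total]    # value stored inline
        else:
            ptr = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[ptr:ptr + total]        # value stored out of line
        if typ == 2:
            value = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            nums = struct.unpack(endian + "I" * (2 * count), raw)
            value = [nums[j] / nums[j + 1] for j in range(0, len(nums), 2)]
        else:
            nums = struct.unpack(endian + code * count, raw)
            value = nums[0] if count == 1 else nums
        out[names.get(tag, hex(tag))] = value
    return out

def read_exif(jpeg):
    """Return the EXIF tags in a JPEG (GPS sub-IFD under key 'GPS'); {} if none."""
    for marker, seg in _iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            tiff = seg[10:]
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
            tags = _read_ifd(tiff, ifd0, endian, TAG_NAMES)
            if "GPSInfo" in tags:
                tags["GPS"] = _read_ifd(tiff, tags.pop("GPSInfo"), endian, GPS_TAG_NAMES)
            return tags
    return {}

def strip_exif(jpeg):
    """Copy of the JPEG without its APP1 Exif segment; the image data is untouched."""
    return jpeg[:2] + b"".join(seg for marker, seg in _iter_segments(jpeg)
                               if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER))

def gps_to_decimal(gps):
    """Turn GPSLatitude [deg, min, sec] plus its N/S reference into decimal degrees."""
    d, m, s = gps["GPSLatitude"]
    return (-1 if gps["GPSLatitudeRef"] in ("S", "W") else 1) * (d + m / 60 + s / 3600)

if __name__ == "__main__":
    photo = build_sample_jpeg("Constructed Phone Co.", (35, 12, 36), "N")
    print(read_exif(photo))                 # the make and latitude a phone would embed
    print(read_exif(strip_exif(photo)))     # {} once the Exif segment is gone
```

Stripping the APP1 segment is the blunt instrument: it also removes harmless tags such as orientation, so a production tool would rewrite the IFD without the GPS entry instead. The point for a mobile policy stands either way: the location is in the file, not in the pixels, and it leaves with every copy of the photo.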
Unsecured WAP: Sidejack Math
Sidejacking: A well-known Wi-Fi hotspot attack that takes advantage of websites that don't use SSL/TLS encryption correctly, by pirating the legitimate user's cookies and using those in the attacker's session (session hijacking).
Firesheep: A Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer analyzes traffic between a Wi-Fi router and a person's laptop or smartphone and captures the session cookie ("point-and-click" sidejacking).
Sources:
http://searchsecurity.techtarget.com/news/2240112288/top-5-mobile-phone-security-threats-in-2012
http://searchnetworking.techtarget.com/answer/be-aware-of-wi-fi-security-to-deal-with-firesheep-at-public-hotspots
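What makes a site sidejackable is visible in its response headers: a session cookie that is not marked Secure travels over plain HTTP and can be read by anyone on the same hotspot. The checker below is an added example (not part of the deck or of Firesheep) that audits a constructed HTTP response for exactly those conditions: Set-Cookie values without Secure or HttpOnly, a response served over plain HTTP at all, and a TLS response without Strict-Transport-Security. The two sample responses, the cookie name and the host are constructed.

```python
# Constructed sample responses: the same app before and after fixing its cookie handling.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\n"
                 "Set-Cookie: sessionid=abc123; Path=/\r\n"
                 "\r\n")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html\r\n"
                     "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                     "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
                     "\r\n")

def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie stay in order."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:                          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def cookie_findings(set_cookie):
    """Attribute problems for one Set-Cookie value, as readable strings."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: no Secure attribute, so the browser also sends it over plain HTTP")
    if "httponly" not in attrs:
        problems.append(f"{name}: no HttpOnly attribute, so page scripts can read it")
    return problems

def audit_response(raw, served_over_tls):
    """List the conditions in one response that a sidejacker relies on.
    served_over_tls: whether this response itself arrived over HTTPS."""
    _, headers = parse_headers(raw)
    findings = []
    if not served_over_tls:
        findings.append("response is plain HTTP: anyone on the same WLAN sees its cookies")
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    if served_over_tls and not has_hsts:
        findings.append("no Strict-Transport-Security: browsers may still make a first plain-HTTP request to this host")
    return findings

if __name__ == "__main__":
    for label, raw, tls in (("weak", WEAK_RESPONSE, False), ("hardened", HARDENED_RESPONSE, True)):
        print(label, audit_response(raw, served_over_tls=tls))
```

Run against real traffic, the same logic sits naturally in a web-app scanner or a CI check on staging responses; the hardened sample shows the full set of headers a site needs before a public hotspot stops being a risk to its users' sessions.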
Mobile Device vs. Computers: DIFFERENCES

Risk Remediation
Mobile device risks are the same as many of the risks we already face every day. For example...
Source: http://www.youtube.com/watch?v=i4_qg22onak&feature=related

Difference 1: BYOD
How do you handle user-owned devices?
o Applications
o Data Ownership
o Encryption
SANS Survey:
NetworkWorld BYOD Survey:
o 65.3% necessary tools not in place
o 46.2% increased end user productivity
o 5.7% said it led to a breach, while 66.7% said no
o 47.2% increased end users' ability to work from home
Sources:
http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3

Difference 2: SMS
SMS: Short Messaging Service, or text messages
Common Vulnerabilities:
1) SMS of Death
2) Midnight Raid Business Card Attack
3) SMS Tokens
4) Smishing Attacks
Sources:
http://www.infosecisland.com/blogview/12656-the-sms-of-death-mobile-phone-attack-explained.html
http://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-
SANS Survey: Platform Support
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
Difference 3: Hardware / Carrier
Each platform, even within the same OS, has unique characteristics, default settings, and/or vulnerabilities:
o PIN settings
o Service carrier (like default passwords on routers or admin accounts)
o iPhone / iPad batteries
Scope: Android fragmentation
o 281+ different products
o 850,000 daily activations
o 300,000,000+ total devices
Sources:
http://www.securingthehuman.org/newsletters/ouch/issues/ouch-201204_en.pdf
http://en.wikipedia.org/wiki/comparison_of_android_devices

Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes
Sources:
Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.
http://www.phonearena.com/news/do-you-use-one-of-the-most-common-lock-pins_id19533

Hardware / Carrier: PIN Codes
Ten numbers represent 15% of all cell phone pass codes:
1) 1234
2) 0000
3) 2580
4) 1111
5) 5555
6) 5683 (spells 'LOVE')
7) 0852
8) 2222
9) 1212
10) 1998
Other popular choices include year of birth and year of graduation (social triangulation!).
Sources:
Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.
http://www.phonearena.com/news/do-you-use-one-of-the-most-common-lock-pins_id19533
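An MDM or enrolment portal can refuse the PINs on this list at the moment a user sets one. The function below is an added example (not from the deck or from either cited article) that encodes the deck's ten PINs plus the patterns behind them: repeated digits, straight digit sequences, repeated digit groups like 1212, anything that looks like a year, and, when the caller supplies them, the specific years tied to the user (birth, graduation) that the slide warns are easy to triangulate. It generalises beyond four digits so it also covers six-digit device passcodes. The example PINs in the test and the `known_years` argument are constructed.

```python
import datetime

# The deck's top-ten list: together these are 15% of all cell phone pass codes.
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"}

def weak_pin_reasons(pin, known_years=()):
    """Return the reasons a numeric lock PIN is weak; an empty list means none found.
    known_years: years tied to the user (birth, graduation) that an attacker can look up.
    Works for any length; a four-digit minimum is enforced."""
    if not pin.isdigit() or len(pin) < 4:
        return ["must be numeric and at least four digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("one of the ten most common PINs")
    if len(set(pin)) == 1:
        reasons.append("a single repeated digit")
    # Step between neighbouring digits, mod 10: all +1 means 1234/2345..., all +9 means 9876...
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        reasons.append("an ascending or descending digit sequence")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:] and len(set(pin)) > 1:
        reasons.append("a repeated digit group")
    this_year = datetime.date.today().year
    if len(pin) == 4 and 1900 <= int(pin) <= this_year:
        reasons.append("looks like a year")
    if pin in {str(y) for y in known_years}:
        reasons.append("matches a year tied to the user")
    return reasons

def pin_policy_accepts(pin, known_years=()):
    """Policy decision: accept only PINs with no detected weakness."""
    return weak_pin_reasons(pin, known_years) == []

if __name__ == "__main__":
    for candidate in ("1234", "1998", "7390"):            # constructed examples
        print(candidate, weak_pin_reasons(candidate, known_years=(1985,)))
```

Rejecting the top ten alone removes the 15% of guesses an opportunistic thief tries first; the year check matters because a birth year is often on the same social profile as the phone's owner.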
PIN Code >>> Data Loss
CASE STUDY: VERIZON WIRELESS Corporate Support Web Page
How do I access my Voice Mail to retrieve messages?
To access your Voice Mail, press "*VM" (*86), then "SEND." Follow the prompts to enter your password and retrieve your messages. If you press "*VM" (*86) and hear your own or a system greeting, press the # key to interrupt the greeting and follow the prompts to enter your password and retrieve your messages.
Source: http://support.verizonwireless.com/clc/faqs/features and Optional Services/faq_voice_mail.html

Difference 4: Caller ID / ANI
ANI: Automatic Number Identification (NAC for cell phones)
Masquerading as the target cell number, threat actors may be able to steal unsecured data. Possible vectors include:
o VXML
o Social Engineering
o Orange Box Spoofing
Sources:
http://wiki.docdroppers.org/index.php?title=ani_and_caller_id_spoofing#so.2c_just_what_is_ani.3f
http://www.ncvc.org/src/agp.net/components/documentviewer/download.aspxnz?documentid=44055
Social Engineering: Telco Social Hack
Scenario: You pick up the phone; at the dial tone, call 10102880.
AT&T Automated Operator: "AT&T, to place a call..." Enter 800-646-0000.
AT&T Automated Operator: "Thank you for using AT&T" <RING>
Telus: "This is the Telus operator, Lisa speaking." (or, "This is the Telus operator, what number are you calling from?")
You: "Hi Lisa, this is the Telus technician, you should see an ANI failure on your screen, I'm calling from [number to spoof]. I need you to place a test call to [number to call]."
Telus: "Thank you from Telus"
Source: http://wiki.docdroppers.org/index.php?title=ani_and_caller_id_spoofing#so.2c_just_what_is_ani.3f

Threat Actors
The APT in action
Source: http://www.youtube.com/watch?v=etmkub3nwk0
Application Vulnerabilities
o Native to many mobile OS (smart phone & tablet)
o Mobile Device Management (MDM)
o Default permissions may be invasive, e.g., the Apple log file stores all visited geo-locations
o Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/mobile
"Application security is the next big trend in penetration testing, which means it's already the big trend for hackers."
Joe McCray, Strategic Security LLC
Source: http://en.wikipedia.org/wiki/mobile_device_management

Lessons Learned
Top 5 from the 2012 SANS Mobile Device Security Summit:
1) Jailbreaking & Rooting is BAD for mobile device security
2) The OWASP Mobile Top 10 is going to be just as important
3) Mobile threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology
4) Mobile Device Management (MDM) solutions are a requirement for any deployment
5) Apple iOS devices are preferred over Android in the enterprise
Source: http://www.infosecisland.com/blogview/20752-top-5-things-learned-at-the-sans-mobile-device-security-conference
Things You Should Be Doing
"For many professionals, the mobile phone has become a mobile office."
Mike Jones, Symantec

Control Starts at the Policy
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

Mobile Policy Best Practices
Think from a threat controls perspective:
o Consider capabilities of mobile devices and apps in your environment
o Identify threat vectors & mitigate
o Identify non-technically enforceable controls and address them with administrative policies & awareness
Assess how mobile devices are already managed
Use existing policies as a guideline
Consider how to test successful control implementation
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

2012 Top 5 Mobile Security Threats
1) Geolocation exploits
2) Excessive Permissions
3) Mobile Application Vulnerabilities
4) Unsecure Wi-Fi
5) Lost and Stolen Devices
Source: http://searchsecurity.techtarget.com/news/2240112288/top-5-mobile-phone-security-threats-in-2012

Mobile Risk Management Tools
Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012
Protecting the Mobile Executive
Considerations for your Mobile Policy / Best Practices:
USER EDUCATION
o Physical Security
o Fear Public Wireless Use
o Conference WAPs
o Corporate VPNs
Leave it at Home
o Clean Loaner Devices
o Prepaid Cellular devices
o Blank SIM cards* + Google Voice
o 2G = No E!
Don't Blab
Source: http://threatpost.com/en_us/slideshow/how%20to%20avoid%20getting%20hacked%20while%20traveling?page=0

It's About the Basics
Verizon Business 2011 Data Breach Investigations Report (DBIR)
Analysis of 2011 attacks determined that:
o 83% were targets of opportunity
o 92% were not highly difficult
o 95% were avoidable through simple or intermediate controls
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

SANS Top 20 Controls (v 3.1)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers
4: Continuous Vulnerability Assessment & Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Security Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response Capability
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
Summary
Mobile Devices vs. Computers
o Similarities (yes Forrest, they are computers)
o Differences: SMS, Native Metadata, Hardware / Carrier Issues (PINs, etc.), Sidejacking, Application Vulnerabilities
Things You Should Be Doing
o Policies
o User Education
o Protect the Execs
o SANS Top 20 <-> Top 5 Mobile

Questions
New Mobile Security Tools
Bleeding Edge Mobile Security Solutions

New Mobile Security Tools
Can you hear me NOW, punk?!?

New Mobile Security Tools
Android Security: If you need to ask, you don't need to know. Really.
Source: http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto

New Mobile Security Tools
Sometimes Simple Security = Great Solutions

New Mobile Security Tools
Hot from the UK: Less Mobile = Harder to Steal

New Mobile Security Tools
Old School Tech

New Mobile Security Tools
Keeping Ahead of the Technology Curve
Source: http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto