Five Lessons in Mobile Security - Preso for Lunch & Learn

Post on 18-Jul-2016



Transcript of Five Lessons in Mobile Security - Preso for Lunch & Learn

Five Lessons in Mobile Security

Brian Tokuyoshi – Solution Analyst

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Are mobile users safe?

Attacks on the Network Connection

Sniffing on Wi-Fi Networks
• Open Wi-Fi is sniffable by everyone
• Easy-to-use GUI tools make it easy to try different attacks on WEP / WPA / WPA2
• Fern Cracker from BackTrack 5 / Kali Linux

Stealing Session Cookies without a Password
• Wireshark
• Mozilla Add & Edit

Attacking Internal Wi-Fi Networks by Snail Mail
• Load attack software on a cheap, generic prepaid smartphone
• Snail-mail the device to the victim
• Attacker can now perform a local attack on Wi-Fi / Bluetooth devices in the mailroom’s proximity

Inserting a Man-in-the-Middle with Reaver
• Attacker uses brute force against Wi-Fi Protected Setup (Reaver attack) to get access to the admin console
• Attacker modifies the hotspot and sets up DNS spoofing
• Social Engineering Toolkit used to generate a copy of the legitimate site with an exploit embedded
• Victim is redirected to the modified web page


Man in the Middle - The Pineapple
• Low-cost wireless pen testing tool
• Runs the Jasager / Karma attack

Hardware & Accessories
• Has a USB port to run a 3G modem or a second Wi-Fi interface to tether
• Can use an Ethernet connection to tether
• New version has dual antennas to run a bridge to the existing network
• Optional battery pack
• Supports plugins for packet capture, SSL interception

Normal Wireless Network Discovery (diagram)
Client -> Probe: “Is JoesHome there?” -> Access point (SSID: JoesHome) answers Probe Response: “Yes”
Client -> Probe: “Is ACME_Corp there?” -> No response
Client -> Probe: “Is CoffeeShop there?” -> No response

Man in the Middle: The Pineapple (diagram)
Client -> Probe: “Is ACME_Corp there?” -> Modified access point answers Probe Response: “Yes”
Client -> Probe: “Is CoffeeShop there?” -> Modified access point answers Probe Response: “Yes”
Client -> Probe: “Is JoesHome there?” -> Modified access point answers Probe Response: “Yes”
• Generates a deauth
• Pretends to be whatever access point the beacon wants
• Attacker controls ALL of the content the victim sees
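The behaviour in the two diagrams above gives defenders a detectable signal: a genuine access point answers probes only for the SSID it serves, while a Karma-style rogue answers “Yes” to every SSID a client asks for. The detection below is an added example, not from the slides or from Palo Alto Networks; it runs over a constructed list of probe request/response records (made-up BSSIDs and SSIDs) of the kind a monitor-mode capture tool would log.

```python
"""Flag a Karma-style rogue access point from probe request/response records.

Added defensive example. SAMPLE_FRAMES is constructed, not a real capture:
(frame_type, bssid, ssid) tuples, with frame_type "probe_req" or "probe_resp".
"""
from collections import defaultdict

SAMPLE_FRAMES = [
    ("probe_req", None, "JoesHome"),
    ("probe_resp", "aa:bb:cc:00:00:01", "JoesHome"),   # Joe's real AP
    ("probe_req", None, "ACME_Corp"),
    ("probe_req", None, "CoffeeShop"),
    # One radio answers every SSID that was probed for: Karma behaviour
    ("probe_resp", "de:ad:be:ef:00:02", "JoesHome"),
    ("probe_resp", "de:ad:be:ef:00:02", "ACME_Corp"),
    ("probe_resp", "de:ad:be:ef:00:02", "CoffeeShop"),
]


def ssids_answered_by_bssid(frames):
    """Map each responding BSSID to the set of SSIDs it claimed to be."""
    claimed = defaultdict(set)
    for frame_type, bssid, ssid in frames:
        if frame_type == "probe_resp" and bssid and ssid:
            claimed[bssid].add(ssid)
    return claimed


def find_karma_suspects(frames, threshold=2):
    """Return {bssid: [ssids]} for radios answering >= threshold distinct SSIDs.

    A legitimate multi-SSID AP can trip this too, so treat the result as a
    lead to investigate rather than a verdict.
    """
    claimed = ssids_answered_by_bssid(frames)
    return {b: sorted(s) for b, s in claimed.items() if len(s) >= threshold}


def answered_every_probe(frames):
    """Stronger signal: BSSIDs that answered every SSID any client probed for."""
    probed = {ssid for t, _, ssid in frames if t == "probe_req" and ssid}
    claimed = ssids_answered_by_bssid(frames)
    return sorted(b for b, s in claimed.items() if probed and probed <= s)


if __name__ == "__main__":
    print("suspects:", find_karma_suspects(SAMPLE_FRAMES))
    print("answered every probe:", answered_every_probe(SAMPLE_FRAMES))
```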

What’s Wrong with this Page?
• This is a favicon
• No HTTPS
• This is in the clear!

Man in the Middle with SSLstrip (diagram: Victim, Modified Access Point, Web Server)
Victim -> Modified Access Point: Request SSL connection
Modified Access Point <-> Web Server: SSL handshake; server sends its certificate; session key established
Web Server -> Modified Access Point: Server sends encrypted content
Modified Access Point -> Victim: User sees non-encrypted page
Victim -> Modified Access Point: User sends non-encrypted content
Modified Access Point -> Web Server: Content received
Diagram labels: traffic between the Pineapple and the server is encrypted; traffic from the victim is intercepted by the Pineapple. iOS 7: small B&W icon.


Apps Behaving Badly

Don’t Depend on the App’s Security


Security Measures and Permissions
• Android app permission requests are all or nothing
• Android App Ops (in 4.3) had a granular app permission system; removed in 4.4
• Downloaded code (plug-ins, ad networks) runs with the app’s permissions
• Exploits against apps inherit the app’s permissions
• Some apps upload content to the cloud
• Jailbroken devices remove even the basic checks


File Binders
• Binders hide the malware payload inside a “legitimate app” to bypass app verification
Diagram labels: Malware Payload, “Legitimate App”
Source: Symantec

Commercial Spying Software
• Dual-purpose software (can be used for good or bad)
• Monitors just about everything (calls, email, text, photos, video)
• Not detectable by the user
• Can be used for remote surveillance


The Threat Landscape Continues to Evolve

The Basics on Threats

Exploit
  What it is: Bad application input, usually in the form of network traffic.
  What it does: Targets a vulnerability to hijack control of the target application or machine.

Malware
  What it is: Malicious application or code.
  What it does: Anything: downloads, hacks, explores, steals…

Command and Control (C2)
  What it is: Network traffic generated by malware.
  What it does: Keeps the remote attacker in control and coordinates the attack.

Today’s Threats Use Blended Techniques
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download backdoor: Secondary payload is downloaded in the background; malware installed
4. Establish back-channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & steal: Remote attacker has control inside the network and escalates the attack


The Webview Exploit


• Website JavaScript opens a shell to the attacker
• Affects all Android devices < 4.2
• Big question on whether affected devices will be patched
• Added to Metasploit last week

Android Master Key Vulnerability
Android Application Package (APK) contents: META-INF, lib, res, assets, AndroidManifest.XML
• Signature of the original file is fine
• Diagram: a second AndroidManifest.XML appears in the package
• Modified file does not get checked and overwrites the original
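The flaw above comes down to an APK (a ZIP archive) carrying two entries with the same name while verification and installation look at different copies. As an added defensive example, not from the slides or from Palo Alto Networks, the check below walks the archive’s full central directory and rejects any package with a duplicate entry name; the APK it inspects is a constructed in-memory ZIP with a made-up manifest.

```python
"""Detect duplicate entry names in an APK, the condition behind the Master Key bug.

Added defensive example. build_constructed_apk() produces a tiny, made-up
package for testing; a real APK has many more entries and a real signature.
"""
import io
import warnings
import zipfile
from collections import Counter


def build_constructed_apk(duplicate_manifest: bool) -> bytes:
    """Build a minimal APK-like ZIP; optionally append a second AndroidManifest.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest original='true'/>")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if duplicate_manifest:
            # zipfile warns about the duplicate name but still writes the entry
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("AndroidManifest.xml", "<manifest original='false'/>")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name present more than once.

    infolist() walks the whole central directory, so both copies are visible
    even though a name-based lookup only ever returns one of them.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def which_manifest_is_read(apk_bytes: bytes) -> str:
    """Show that a name-based read silently picks one copy (the last, in Python)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read("AndroidManifest.xml").decode()


def is_apk_acceptable(apk_bytes: bytes) -> bool:
    """Reject any package whose archive contains duplicate entry names."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    suspect = build_constructed_apk(duplicate_manifest=True)
    print(duplicate_entries(suspect))       # {'AndroidManifest.xml': 2}
    print(which_manifest_is_read(suspect))  # <manifest original='false'/>
    print(is_apk_acceptable(build_constructed_apk(duplicate_manifest=False)))  # True
```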


Why is Malware Targeting Android?

Malware by Platform (chart)

Why isn’t there more iOS malware?
• iOS has a limited number of ways to install software: the App Store, or an Ad Hoc Provisioning Profile for software testing; otherwise the device has to be jailbroken
• Effectively the App Store acts as a whitelist for vetting apps and a choke point for updates
• No system is invulnerable, however

Why is Malware Focusing on Android?
• Android app sources can support multiple app stores, some of dubious quality
• Does not need to be jailbroken to run unsigned code
• Users can turn off app store restrictions
• People want to turn off the app store restrictions
• Android Verify Apps feature added in 4.2 does app profiling

DPlug Android Malware (diagram: TTPod app in Google Play)
• Mobile ad network code inside the app delivers DPlug through an in-app purchase
• DPlug -> Attacker: sends IMSI / IMEI via SMS
• Premium SMS: victim is shown a forged “Subscribe Confirm?” prompt
• Victim: Accept
• Result: Premium SMS billing


Rethinking Mobile Security

Unlocking The Potential of Mobile Depends On Security
Chart: Benefits to Business (y-axis) against Mobile Maturity (x-axis); stages: Email, Intranet, Accessing Business Apps, Running Your Business on Mobile Devices


Existing Approaches for Mobile Security Don’t Work

Approach / Exposure to Risk
• Block mobile devices: People will still use mobile devices, except without your control
• Hope existing security protects mobile devices: Don’t know if existing measures will be effective for mobile devices
• Use basic mobile security like ActiveSync: Doesn’t address mobile threats and won’t secure apps and data


New approach to safely enabling mobile devices

Manage the Device: Ensure devices are safely enabled while simplifying deployment & setup
• Ensure proper settings are in place, such as strong passcodes and encryption
• Simplify provisioning of common configuration like email and certificates

Protect the Device: Protect the mobile device from exploits and malware
• Protecting the device from infection also protects confidential data and prevents unauthorized network access

Control the Data: Control access to data and its movement between applications
• Control access by app, user, and device state
• Extend data movement controls to the device to ensure data stays within “business apps”


GlobalProtect Mobile Security Solution
• GlobalProtect Gateway: Delivers mobile threat prevention and policy enforcement based on apps, users, content and device state
• GlobalProtect App: Enables device management, provides device state information, and establishes secure connectivity
• GlobalProtect Mobile Security Manager: Provides device management, malware detection, and device state


Manage The Device

Manage device settings
• Enforce security settings such as passcode
• Restrict device functions such as camera
• Configure accounts such as email, VPN, Wi-Fi settings

Understand device state
• Monitor and report device state for policy enforcement, such as:
  • Whitelisted / blacklisted apps
  • Rooted / jailbroken

Perform key operations
• Ex: lock, unlock, wipe, send a message

Detect Android Malware
• Detect and react to the presence of malware

Diagram: GlobalProtect Mobile Security Manager, GlobalProtect App


Protect The Device

Consistent security everywhere
• IPsec/SSL VPN connection to a purpose-built next-generation security platform for policy enforcement regardless of the device location

Mobile threat prevention
• Vulnerability (IPS) and malware (AV) protection for mobile threats
• URL filtering for protection against malicious websites
• WildFire static and dynamic analysis for advanced mobile threats

Diagram: Threats, GlobalProtect Gateway, GlobalProtect App

Control The Data

Control access to applications and data
• Granular policy determines which users and devices can access sensitive applications and data
• Policy criteria based on application, user, content, device, and device state for control and visibility
• Identify device types such as iOS, Android, Windows, Mac devices
• Identify device ownership such as personal (BYOD) or corporate issued
• Identify device states such as rooted/jailbroken
• File blocking based on content and content type

Control data movement between apps on the device
• Solution provides the foundation for future developments in data protection

Diagram: Applications and Data, GlobalProtect Gateway, GlobalProtect App

How the integrated solution works

Why Palo Alto Networks for Mobile Security
• Integrates the necessary technologies: VPN, policy, threat prevention, management
• Uniquely capable of protecting the device by leveraging WildFire, IPS, and app policy
• Rich security platform that can protect all traffic, devices, applications and data in the network


GlobalProtect Mobile Security Manager Ordering, Licensing and Availability
• Mobile Security Manager runs on the new GP-100 appliance
• GP-100 comes with support for up to 500 mobile devices
• Additional capacity licenses (perpetual) to support additional devices: 1K, 2K, 5K, 10K, 25K, 50K, and 100K
• WildFire subscription (optional add-on) for Android malware detection; price varies based on underlying capacity license
• Orders and shipments expected February 2014
• GP-100 is not designed to be sold as a stand-alone product; requires other GlobalProtect components for full functionality (app, portal, gateway)
