Five Lessons in Mobile Security - Preso for Lunch & Learn
Five Lessons in Mobile Security
Brian Tokuyoshi – Solution Analyst
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Are mobile users safe?
Attacks on the Network Connection
Sniffing on Wi-Fi Networks
• Open Wi-Fi is sniffable by everyone
• Easy-to-use GUI tools make it easy to try different attacks on WEP / WPA / WPA2
• Fern Cracker from BackTrack 5 / Kali Linux
Stealing Session Cookies without a Password
• Wireshark
• Mozilla Add & Edit
Attacking Internal Wi-Fi Networks by Snail Mail
• Load attack software on a cheap, generic prepaid smartphone
• Snail mail the device to the victim
• Attacker can now perform a local attack on Wi-Fi / Bluetooth devices in the mailroom's proximity
Inserting a Man-in-the-Middle with Reaver
• Attacker uses brute force against Wi-Fi Protected Setup (Reaver attack) to get access to the admin console
• Attacker modifies the hotspot and sets up DNS spoofing
• Social Engineering Toolkit used to generate a copy of a legitimate site with an exploit embedded
• Victim is redirected to the modified web page
Man in the Middle - The Pineapple
• Low-cost wireless pen testing tool
• Runs the Jasager / Karma attack
Hardware & Accessories
• Has a USB port to run a 3G modem or a second Wi-Fi interface to tether
• Can use an Ethernet connection to tether
• New version has dual antennas to run a bridge to the existing network
• Optional battery pack
• Supports plugins for packet capture, SSL interception
Normal Wireless Network Discovery
(Diagram: Client and access point with SSID JoesHome)
  Client: Probe "Is JoesHome there?"  →  Access point: Probe Response "Yes"
  Client: Probe "Is ACME_Corp there?"  →  No response
  Client: Probe "Is CoffeeShop there?"  →  No response
Man in the Middle: The Pineapple
(Diagram: Client and modified access point)
  Client: Probe "Is ACME_Corp there?"  →  Modified access point: Probe Response "Yes"
  Client: Probe "Is CoffeeShop there?"  →  Modified access point: Probe Response "Yes"
  Client: Probe "Is JoesHome there?"  →  Modified access point: Probe Response "Yes"
• Generates a deauth
• Pretends to be whatever access point the beacon wants
• Attacker controls ALL of the content the victim sees
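Added example, not from the slides: a small detector for the two behaviours the slides describe, one radio saying "Yes" to probes for unrelated SSIDs and a burst of deauth frames. The capture is constructed inline and the function names and thresholds are my own.

```python
from collections import defaultdict

# Constructed sample capture (not from the slides). Each tuple is
# (frame_type, bssid, ssid): probe requests come from the client; probe
# responses and deauths carry the sending AP's BSSID. ...:01 is a normal
# home AP, ...:99 behaves like the Pineapple and answers every probe.
SAMPLE_FRAMES = [
    ("probe_req",  None,                "JoesHome"),
    ("probe_resp", "02:00:00:00:00:01", "JoesHome"),
    ("probe_req",  None,                "ACME_Corp"),
    ("probe_req",  None,                "CoffeeShop"),
    ("deauth",     "02:00:00:00:00:99", None),
    ("deauth",     "02:00:00:00:00:99", None),
    ("deauth",     "02:00:00:00:00:99", None),
    ("probe_req",  None,                "ACME_Corp"),
    ("probe_resp", "02:00:00:00:00:99", "ACME_Corp"),
    ("probe_req",  None,                "CoffeeShop"),
    ("probe_resp", "02:00:00:00:00:99", "CoffeeShop"),
    ("probe_req",  None,                "JoesHome"),
    ("probe_resp", "02:00:00:00:00:99", "JoesHome"),
]

def ssids_claimed(frames):
    """Map each responding BSSID to the set of SSIDs it answered 'Yes' for."""
    claimed = defaultdict(set)
    for frame_type, bssid, ssid in frames:
        if frame_type == "probe_resp":
            claimed[bssid].add(ssid)
    return claimed

def deauth_counts(frames):
    """Count deauthentication frames per sending BSSID."""
    counts = defaultdict(int)
    for frame_type, bssid, _ in frames:
        if frame_type == "deauth":
            counts[bssid] += 1
    return counts

def suspicious_access_points(frames, max_ssids=1, max_deauths=2):
    """BSSIDs that answer probes for more SSIDs than one radio should serve
    (raise max_ssids for multi-SSID radios) or that send a deauth burst.
    Returns {bssid: [reasons]}."""
    findings = defaultdict(list)
    for bssid, ssids in ssids_claimed(frames).items():
        if len(ssids) > max_ssids:
            findings[bssid].append("answered probes for %d SSIDs: %s"
                                   % (len(ssids), ", ".join(sorted(ssids))))
    for bssid, n in deauth_counts(frames).items():
        if n > max_deauths:
            findings[bssid].append("sent %d deauth frames" % n)
    return dict(findings)
```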
What's Wrong with this Page?
(Screenshot callouts: "This is a favicon"; "No HTTPS"; "This is in the clear!")
Man in the Middle with SSLstrip
(Diagram: Victim ↔ Modified Access Point ↔ Web Server)
  Victim requests an SSL connection; the modified access point performs the SSL handshake with the web server (server sends its certificate; session key established)
  Server sends encrypted content → modified access point → user sees a non-encrypted page
  User sends non-encrypted content → modified access point → content received by the server
  Traffic between the access point and the server is encrypted; traffic is intercepted by the Pineapple
  iOS 7: small B&W icon
Apps Behaving Badly
Don’t Depend on the App’s Security
Security Measures and Permissions
Android app permission requests are all or nothing
Android App Ops (in 4.3) had a granular app permission system; removed in 4.4
Downloaded code (plug ins, ad networks) run with the app’s permissions
Exploits to apps assume the app’s permissions
Some apps upload content to the cloud
Jailbroken devices remove even the basic checks
File Binders
(Diagram: "Legitimate App" wrapping a Malware Payload)
Binders hide the malware to bypass app verification
Source: Symantec
Commercial Spying Software
• Dual-purpose software (can be used for good/bad)
• Monitors just about everything (calls, email, text, photos, video)
• Not detectable by the user
• Can be used for remote surveillance
The Threat Landscape Continues to Evolve
The Basics on Threats
Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything: downloads, hacks, explores, steals...
Command and Control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
Today's Threats Use Blended Techniques
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
The Webview Exploit
• Website JavaScript opens a shell to the attacker
• Affects all Android devices < 4.2
• Big question on whether affected devices will be patched
• Added to Metasploit last week
Android Master Key Vulnerability
(Diagram: Android Application Package (APK) containing META-INF, lib, res, Assets, AndroidManifest.XML, plus a second AndroidManifest.XML)
• Signature of the original file is fine
• Modified file does not get checked and overwrites the original
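Added example, not from the slides or from Android itself: the duplicate-entry check an installer or verifier would want, shown with Python's zipfile on a constructed APK-style archive. It assumes one reader walks entries in order (the "checked" copy) while another looks entries up by name (the "installed" copy); the function names are my own.

```python
import io
import warnings
import zipfile

MANIFEST = "AndroidManifest.xml"

def build_duplicate_entry_apk() -> bytes:
    """Constructed sample: an APK-style ZIP with two entries named
    AndroidManifest.xml. zipfile writes both (it only warns)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # silence "Duplicate name"
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, b"<manifest original/>")
            zf.writestr("classes.dex", b"dex\n035 constructed")
            zf.writestr(MANIFEST, b"<manifest modified/>")
    return buf.getvalue()

def first_entry(data: bytes, name: str) -> bytes:
    """Reader that walks the central directory in order and stops at the
    first match (what a signature check over the archive might see)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)  # read this specific header, not by name
    raise KeyError(name)

def last_entry(data: bytes, name: str) -> bytes:
    """Reader that looks entries up by name. zipfile's name table keeps the
    last entry with a given name, so the later (modified) copy wins."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def duplicate_entries(data: bytes) -> list:
    """Defensive check: every entry name that occurs more than once."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    return sorted({n for n in names if names.count(n) > 1})

def is_safe_to_install(data: bytes) -> bool:
    """Reject any archive where two readers could disagree on what a name means."""
    return not duplicate_entries(data)

if __name__ == "__main__":
    apk = build_duplicate_entry_apk()
    print("checked copy  :", first_entry(apk, MANIFEST))
    print("installed copy:", last_entry(apk, MANIFEST))
    print("duplicates    :", duplicate_entries(apk))
```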
Why is Malware Targeting Android?
Malware by Platform
Why isn’t there more iOS malware?
• iOS has a limited number of ways to install software: App Store; Ad Hoc Provisioning Profile for software testing; otherwise the device has to be jailbroken
• Effectively the App Store acts as a whitelist for vetting apps and a choke point for updates
No system is invulnerable, however
Why is Malware Focusing on Android?
Android app sources can support multiple app stores, some of dubious quality
Does not need to be jailbroken to run unsigned code
Users can turn off app store restrictions
People want to turn off the app store restrictions
Android Verify App feature added in 4.2 does app profiling
DPlug Android Malware: TTPod App in Google Play
(Diagram)
  Attacker → Mobile Ad Network Code → DPlug (delivered via In App Purchase)
  DPlug sends IMSI / IMEI via SMS
  Premium SMS: forged "Subscribe, confirm?" prompt → Victim: Accept → Premium SMS Billing
Rethinking Mobile Security
Unlocking The Potential of Mobile Depends On Security
(Chart: Benefits to Business vs. Mobile Maturity; stages shown: Intranet, Accessing Business Apps, Running Your Business on Mobile Devices)
Existing Approaches for Mobile Security Don't Work
Approach | Exposure to Risk
Block mobile devices | People will still use mobile devices, except without your control
Hope existing security protects mobile devices | Don't know if existing measures will be effective for mobile devices
Use basic mobile security like ActiveSync | Doesn't address mobile threats and won't secure apps and data
New approach to safely enabling mobile devices
Manage the Device: Ensure devices are safely enabled while simplifying deployment & setup
• Ensure proper settings are in place, such as strong passcodes and encryption
• Simplify provisioning of common configuration like email and certificates
Protect the Device: Protect the mobile device from exploits and malware
• Protecting the device from infection also protects confidential data and prevents unauthorized network access
Control the Data: Control access to data and movement of data between applications
• Control access by app, user, and device state
• Extend data movement controls to the device to ensure data stays within "business apps"
GlobalProtect Mobile Security Solution
GlobalProtect Gateway: Delivers mobile threat prevention and policy enforcement based on apps, users, content and device state
GlobalProtect App: Enables device management, provides device state information, and establishes secure connectivity
GlobalProtect Mobile Security Manager: Provides device management, malware detection, and device state
Manage The Device
Manage device settings
• Enforce security settings such as passcode
• Restrict device functions such as camera
• Configure accounts such as email, VPN, Wi-Fi settings
Understand device state
• Monitor and report device state for policy enforcement, such as:
  • Whitelisted / blacklisted apps
  • Rooted / jailbroken
Perform key operations
• Ex: lock, unlock, wipe, send a message
Detect Android Malware
• Detect and react to the presence of malware
(Diagram: GlobalProtect Mobile Security Manager ↔ GlobalProtect App)
Protect The Device
Consistent security everywhere
• IPsec/SSL VPN connection to a purpose-built next-generation security platform for policy enforcement regardless of the device location
Mobile threat prevention
• Vulnerability (IPS) and malware (AV) protection for mobile threats
• URL filtering for protection against malicious websites
• WildFire static and dynamic analysis for advanced mobile threats
(Diagram: Threats → GlobalProtect Gateway)
Control The Data
Control access to applications and data
• Granular policy determines which users and devices can access sensitive applications and data
• Policy criteria based on application, user, content, device, and device state for control and visibility
• Identify device types such as iOS, Android, Windows, Mac devices
• Identify device ownership such as personal (BYOD) or corporate issued
• Identify device states such as rooted/jailbroken
• File blocking based on content and content type
Control data movement between apps on the device
• Solution provides the foundation for future developments in data protection
(Diagram: GlobalProtect App ↔ Applications and Data)
How the integrated solution works
(Diagram: GlobalProtect Gateway, GlobalProtect App)
Why Palo Alto Networks for Mobile Security
• Integrates the necessary technologies – VPN, policy, threat prevention, management
• Uniquely capable of protecting the device by leveraging WildFire, IPS, and app policy
• Rich security platform that can protect all traffic, devices, applications and data – in the network
GlobalProtect Mobile Security Manager Ordering, Licensing and Availability
• Mobile Security Manager runs on the new GP-100 appliance
• GP-100 comes with support for up to 500 mobile devices
• Additional capacity licenses (perpetual) to support additional devices: 1K, 2K, 5K, 10K, 25K, 50K, and 100K
• WildFire subscription (optional add-on) for Android malware detection; price varies based on underlying capacity license
• Orders and shipments expected February 2014
• GP-100 is not designed to be sold as a stand-alone product; requires other GlobalProtect components for full functionality (app, portal, gateway)