Transcript of Session810 ken huang
Session 810: The Security Risks of Mobile Environments and How to Protect Against Them
Ken Huang, Director of Security Engineering, CGI
Who am I?
• Ken Huang – Director of Security Engineering, CGI
• Cloud/Mobile Security
• Security testing and evaluation
• Identity and Access Management
• Frequent speaker
• Blog: http://mobile-cloud-security.blogspot.com/
• LinkedIn: www.linkedin.com/in/kenhuang8
• Twitter: http://twitter.com/#!/kenhuangus
Topics
• Mobile Technology and Trends
• Mobile Application and Trends
• Mobile Security and Trends
• Defense in Depth Solutions
• Conclusion and Questions
Mobile Technology and Trends
Technology Trends
Wi-Fi
• More Wi-Fi hotspots will be added
• Wi-Fi still plays a huge role in WLAN
3G & 4G
• 3G will gradually phase out
• 4G networks will increase, as it is a major competing ground for carriers to attract new customers
Bluetooth
• Will continue to be used to connect personal network devices
NFC
• Will gain more momentum for payment, ticketing, and check-in devices
3G vs 4G Networks
3G
• DSL speeds; max speed up to 3.1 Mbps
• Includes all 2G and 2.5G features plus:
– Real-time location-based services
– Full motion videos
– Streaming music
– 3D gaming
– Faster web browsing
4G
• Wired network speeds; max speed up to 100+ Mbps
• Includes all 3G features plus:
– On-demand video
– Video conferencing
– High-quality streaming video
– High-quality Voice-over-IP (VoIP)
– Added security features
Trends: 4G will be the winner
WiMAX vs. Wi-Fi
                           WiMAX                               Wi-Fi
Speed                      Up to 4 Mbps                        Up to 2 Mbps
Bandwidth                  Up to 75 Mbps                       Up to 54 Mbps
Range                      30 miles (50 km)                    100 feet (30 m)
Intended number of users   100+                                20
Quality of service         Stronger encryption (TDES or AES)   Weaker encryption (WEP or WPA)
Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future
NFC
• Uses less power than Bluetooth
• Does not need pairing
• Based on RFID technology at 13.56 MHz
• Operating distance typically up to 10 cm
Trends: NFC will get wider use due to payment and ticketing apps
Mobile Application Trends
• Payment
– Using your phone to pay will become a reality
• Federal Government Adoption
– Mobile apps will become more widely used
– Cloud and Mobile Computing: during an appearance in Silicon Valley, Aneesh Chopra, the nation's first-ever CTO, acknowledged the inevitable emergence of cloud and mobile as solutions for the federal government, but saw them as supplementing, rather than replacing, legacy systems
– Transportation Department gets $100 million for mobile apps
Mobile Application Trends (cont.)
• Federal Government Adoption (cont.)
– FBI – most wanted listing app on iPhone
– IRS – check refund status
– The White House mobile app – news, videos, podcasts, blogs, etc.
– More than half of federal websites are planning to develop a mobile-optimized website, according to a poll by ForeSee Results.
• Productivity tool
– Mobile apps will become more mature over time
• Banking and Mobile Commerce
– Check balances, transfer funds, etc.
Mobile Application Trends (cont.)
• Entertainment
– Videos, gaming, etc.
• Social networking
– Facebook
– Twitter
– Foursquare
– LinkedIn
– Instagram
• Activists
– Collective bargaining and strikes
• Other
– Price comparison for various products (SnapTell)
Wi-Fi Security
• Use a strong password
• Don't broadcast your SSID
• Use good wireless encryption (WPA, not WEP)
• Use another layer of encryption when possible (e.g. VPN, SSL)
• Restrict access by MAC address
• Shut down the network and wireless network when not in use
• Monitor your network for intruders
• Use a firewall
Trends: More Wi-Fi hotspots (but more attacks on hotspots as well) – avoid free Wi-Fi whenever possible; Wi-Fi-enabled mobile devices can become the stepping stone to your secured network
4G Security Trends
• Backward compatibility to 3G or GSM capabilities exposes 4G to 3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual authentication: a fake network can easily claim to be a "roaming partner"
Trends: More bandwidth comes with a greater possibility of being attacked
Bluetooth Security Trends
• Bluejacking
– Sending either a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology.
• DoS attacks
• Eavesdropping
• Man-in-the-middle attacks
• Message modification
• NIST published a Guide to Bluetooth Security in 2008
Trends: Dependent on new apps on Bluetooth – I don't see any significant increase in attacks on Bluetooth
NFC Security Trends
• Eavesdropping
– The attacker must have a good receiver and stay close
– To avoid this, use a secure channel as a compensating control
• Data Corruption and Modification
– Jams the data so that it is not readable by the receiver
– Check the RF field as a compensating control
Trends:
• Widespread adoption expected in 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys
Attack on the app
• Currently, Androids are the target due to Google's loose vetting process
– Law360, New York (March 15, 2012, 10:18 PM ET) -- Android cellphone users sued Google Inc over faulty Android App
• iPhones and iPads are lightly hacked – but will become targets in the future
Trends: Apps will be more vulnerable to attacks in the future
OWASP Top 10 Mobile Risks
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
• Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1: Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data + cloud-synced data
• Generally a result of:
– Not encrypting data
– Persisting data not intended for long-term storage
– Weak or global permissions
– Not leveraging platform best practices
• Risk
– Confidentiality of data lost
– Credentials disclosed
– Privacy violations
– Non-compliance
M2: Weak Server Side Controls
• We cannot trust the mobile client app
• Risk: confidentiality and integrity of data
M3: Insufficient Transport Layer Protection
• No encryption for data in transit
• Weak encryption. Encoding is not encryption
• Strong encryption but ignoring the security warnings.
– If certificate validation errors happen, the app falls back to clear text.
• Risk: confidentiality and integrity of data
M4: Client Side Injection
• XSS or SQL injection
• SMS injection (Apple patched the iPhone SMS flaw in iOS 3.0.1 in Aug. 2009).
• Risk: toll fraud, device compromise, privilege escalation, etc.
M5: Poor Authorization and Authentication
• Device authentication based on IMEI, IMSI, or UUID is not sufficient
• Hardware identifiers persist across data wipes and factory resets
• Adding contextual information is useful, but not foolproof
• Out-of-band verification does not work when it goes to the same device.
• Risk: privilege escalation and unauthorized access
M6: Improper Session Handling
• Mobile sessions are usually longer for usability and convenience
• Why is it a bad idea to use a device identifier as a session token?
• Risk: unauthorized access and privilege escalation
M7: Security Decisions Via Untrusted Inputs
• Security decisions need to be based on server-side state, not on client-supplied input data
• Risk: Can cause privilege escalation and consume paid resources
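As an added example tying M5, M6 and M7 together (not code from the talk): a server-side session store that issues random, expiring tokens instead of reusing a device identifier, beside the device-ID anti-pattern, and an authorization check that consults server-side entitlements rather than whatever flag the client sends. The user records, passwords, entitlements and timeouts are constructed sample data.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, active or not

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed server-side user records: salted password hash plus entitlement.
USERS = {}
for _n, _p, _prem in (("alice", "correct-horse", False), ("bob", "battery-staple", True)):
    _salt = secrets.token_bytes(16)
    USERS[_n] = {"salt": _salt, "hash": pw_hash(_p, _salt), "premium": _prem}

def device_id_token(imei):
    """Anti-pattern from M5/M6: a token derived from a hardware identifier is
    static, guessable, survives factory resets and can never be revoked."""
    return "sess-" + imei

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._sessions = {}          # token -> {user, created, last_seen}

    def login(self, user, password):
        rec = USERS.get(user)
        if rec is None or not secrets.compare_digest(rec["hash"], pw_hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unrelated to the device
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def user_for(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]        # expire on the server, not only in the app
            return None
        s["last_seen"] = now
        return s["user"]

def authorize_paid_download(store, token, request):
    # M7: decide from the server-side record; request["is_premium"] (client-sent) is ignored.
    user = store.user_for(token)
    return user is not None and USERS[user]["premium"]
```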
M8: Side Channel Data Leakage
• Caused by platform features or app flaws
• Potential channels
– Caches
– Keystroke logging
– Screenshots
– Logs (system, crash, app)
– Temp directory
• Risk: Privacy violation
M9: Broken Cryptography
• Broken implementation using a strong encryption library
• Custom weak encryption implementation
• Risk: loss of data confidentiality
M10: Sensitive Information Disclosure
• Hard-coded sensitive information
– User id, password
– SSN
– API keys
– Sensitive business logic
• Risk: credentials disclosed, IP disclosed
OWASP: Top 10 Security Mobile Controls
• Identify and protect sensitive data
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication/authorization and session management correctly
• Keep the backend APIs (REST vs. SOAP) secure
• Secure integration with third-party apps and data (ID federation)
• Get user consent for the collection and use of the data
• Implement access control and digital rights management for paid resources
• Secure distribution/provisioning of mobile apps
• Check runtime code errors
VPN for Smartphone
• Provides secure mobile access to the enterprise network
• Sample mobile VPN products
– PandaPow VPN for Android
– Hotspot Shield for iPhone
– Cisco
Virus Scan and Personal Firewall for Mobile Device
• Lookout Premium
• Trend Micro Mobile Security
• F-Secure Mobile Security
• NetQin Mobile Security
• Webroot SecureAnywhere Mobile
Mobile Device Management Features
• Remote Locate - Shows you the location of your phone via Web or SMS, so you can find it if it's lost or stolen.
• Remote Lock - Lets you remotely lock your lost or stolen phone via Web or SMS to prevent strangers from seeing your private stuff or running up your mobile bill.
• Remote Wipe - Lets you remotely erase the stuff on your phone via SMS if it's lost or stolen, including any data on your phone's memory card.
• Web-based Lost Notice - Displays a customizable message to anyone who finds your missing device, so you can make arrangements to get it back.
• Web-based Sneak Peek - Snaps photos of anyone in front of your device, then saves the images. (Webcam devices only.)
• Antiphishing Web Protection - Blocks fraudulent (phishing) websites. Protects your device and your stuff on mobile networks and Wi-Fi connections.
• Download Threat Protection - Automatically scans all the apps and app updates you download to your mobile device for threats.
Gartner Magic Quadrant for MDM
Mobile Application Management (MAM)
• The BYOD ("Bring Your Own Device") phenomenon is a factor behind MAM
• Manage business apps using an internal app store for both BYOD and company mobile devices
• Key features
– App delivery
– App updating
– User authentication
– User authorization
– Version checking
– Push services
– Reporting and tracking
Current MAM Players
• App47
• SOTI MobiControl
• AppBlade from Raizlabs
• AppCentral
• Apperian
• Better MDM
• JackBe
• Nukona
• Partnerpedia
• WorkLight
Mobile Data Protection (MDP)
• MDP is an established market
• Safeguards stored data on mobile devices by means of encryption and authentication
• Provides evidence that the protection is working
• Widely used on Windows-based laptops
• Not yet available for mobile phones or tablets
Gartner Magic Quadrant for MDP
Smartphone Encryption
• Android
– WhisperCore: whole flash memory
– Droid Crypt: files
– AnDisk Encryption: files
– RedPhone: voice
– TextSecure: text
• iPhone
– Impossible to encrypt the whole system
– Update to iOS 5 to encrypt outgoing iMessage
– Voice encryption apps: Kryptos, Cellcrypt
– Text encryption apps: encrypt SMS
– E-mail encryption: SecureMail uses OpenPGP
Mobile Virtualization
• Support multiple domains/operating systems on the same hardware
• Enterprise IT department can securely manage one domain (in a virtual machine), and the mobile operator can separately manage the other domain (in a virtual machine)
Current Players in Mobile Virtualization
• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc
Reference: http://www.virtualization.net/tag/mobile/
Mobile users willing to pay more for security
• AdaptiveMobile published the third "Global Security Insights in Mobile" report, which indicates that 83% of people surveyed are willing to pay more for security.
Conclusion and Questions
• Defense in depth for the mobile environment
• Device security vs. app security
• OWASP Top 10 risks and controls
• VPN, virus scan, MDM, MAM, MDP, encryption and mobile virtualization
• Questions?
Thank you for attending this session. Don’t forget to complete the evaluation!