- Ensuring personal data protection while securing cyber...

Centre for Security Cooperation

Sarajevo, 29-30 October 2014.

American University in Bosnia and Herzegovina

-- Ensuring personal data protection while securing Ensuring personal data protection while securing

cyber space cyber space --

-- Challenges and perspectives for the South East Challenges and perspectives for the South East

European Countries European Countries --

Ministry of Defence

Bosnia and Herzegovina

Ministry of Foreign Affairs

Bosnia and Herzegovina

Ministry of Security

Bosnia and Herzegovina

Military Academy "General Mihailo

Apostolski"-Skopje

29 Oct 2014 1 Cyber Warfare using Mobile Devices as

Weapon - Sasa Mrdovic

Cyber Warfare using

Mobile Device as a

Weapon

29 Oct 2014 Cyber Warfare using Mobile Devices as

Weapon - Sasa Mrdovic 2

Agenda

•BYOD

•Mobile device – security issues

•Perimeter defense

•Mobile devices – weapon for deperimeterization

•Attack scenario – practical example

•Conclusion and open issues

29 Oct 2014 3 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic

BYOD

•Bring Your Own Device

•Popular

•Convenient

• Inevitable

•Dangerous (possibly)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 4

Mobile device – security issues

•Many • Data on device, surveillance, access to

connected accounts, privacy, …

•Presentation focus • Mobile device as a stepping stone to

protected network

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 5

Medieval castle

• Nothing comes in/out • Except through the gates

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 6

Network perimeter

• Nothing comes in/out • Except through the firewalls

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 7

Mobile devices can “climb the walls”

• They come in/out as they (users) please • Completely avoiding the firewalls (“deperimeterization”)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 8

Attack scenario

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 9

Secret

document -

available

only within

internal

network

Attack scenario (2)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 10

Secret

document -

available

only within

internal

network

EvilApp.apk

or other attack on mobile

device app. or OS

Attack scenario (3)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 11

Secret

document -

available

only within

internal

network

EvilApp.apk

:80

• EvilApp connects back to attacker on HTTP port (80) • Permitted by firewall (“web surfing”)

Attack scenario (4)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 12

Secret

document -

available

only within

internal

network

:80

• Through this connection attacker has full control of mobile device

Attack scenario (5)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 13

Secret

document -

available

only within

internal

network

:80

• including using it as a tunnel to internal network

Secret

document -

available

only within

internal

network

Web browser

Attack scenario (6)

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 14

Secret

document -

available

only within

internal

network

• or using it to attack other PC on internal network • taking it completely over (no need for mob. dev.)

Conclusion

•Mobile devices are useful

• They are here to stay

• They could be used as a weapon • Against user and his organization

•Can we protect ourselves • Sure • But it takes some effort

29 Oct 2014 Cyber Warfare using Mobile Devices as Weapon - Sasa Mrdovic 15