Thanks for attending!
I just wanted to take a quick moment to thank everyone from the ISACA Orange County Chapter for allowing me to come speak at your event.
If you would like to reach me, my email is [email protected]
You can visit TraceSecurity at www.tracesecurity.com
Jim Stickley
Cell: 619-337-5467
TraceSecurity Inc. Copyright 2012©2013 TraceSecurity, Inc. All rights reserved worldwide.
TraceSecurity Inc.
The Hidden Risks of Mobile Applications
Presented by Jim Stickley
Today
Android and Apple have over 1 million apps
With the entire world moving to mobile devices, hackers are shifting their focus
Mobile Technology
Installing malicious apps
Hacking mobile technology
Applications require permissions to access certain information
In many cases the permissions are necessary to allow the application to perform properly
While mobile devices will warn you about the permissions required, do people really pay attention?
Purpose of this attack
Test 1
See how many people would download and install my app even though it required access to everything
Pull email address off phone
• Because Android uses Gmail, often multiple email addresses will be added to the phone
Pull phone number and mobile carrier
Hacking mobile technology
Permissions I required
• Your Personal Information (Read contact data, Write contact data)
• Network Communication (Allows the application to accept cloud to device messages from applications service, full internet access)
• Storage (Modify / Delete SD Storage)
• Phone Calls (modify phone state, read phone state and identity)
• System Tools (Automatically start at boot, Prevent phone from sleeping, write sync settings)
• Your Messages (Read SMS or MMS, Receive SMS, Read Gmail including sending and deleting mail)
• Services that cost you money (Send SMS Messages)
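The permission list above is exactly what a least-privilege review should catch before install. This added example (not code from the talk or from TraceSecurity) parses the `<uses-permission>` entries of an AndroidManifest.xml and flags everything a "Gmail counter" utility cannot justify, grouped by the install-dialog categories listed above; the expected-permission baseline, the category mapping and the sample manifest are constructed assumptions.

```python
"""Least-privilege audit of the permissions an Android app requests: parse the
<uses-permission> entries from AndroidManifest.xml, compare them with what the
app's stated purpose needs, and group the excess by install-dialog category."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Install-dialog categories as listed in the talk, for a subset of the real
# android.permission.* names. Hand-maintained for this audit; the platform's
# own grouping has changed across releases.
CATEGORY = {
    "android.permission.READ_CONTACTS": "Your Personal Information",
    "android.permission.WRITE_CONTACTS": "Your Personal Information",
    "android.permission.INTERNET": "Network Communication",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_PHONE_STATE": "Phone Calls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "System Tools",
    "android.permission.WAKE_LOCK": "System Tools",
    "android.permission.READ_SMS": "Your Messages",
    "android.permission.RECEIVE_SMS": "Your Messages",
    "android.permission.SEND_SMS": "Services that cost you money",
}

# Categories a simple mail-counting utility can never justify.
HIGH_RISK = {"Your Messages", "Services that cost you money"}

# Assumed minimum for a hypothetical "Gmail counter" app: network + account list.
EXPECTED_FOR_MAIL_COUNTER = {
    "android.permission.INTERNET",
    "android.permission.GET_ACCOUNTS",
}

# Constructed sample manifest modelled on the permission list in the talk.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gmailcounter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Return the android:name of every <uses-permission>, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml, expected):
    """Report permissions beyond `expected`, grouped by dialog category, with a
    verdict: OK (nothing extra), REVIEW (extra but low-risk) or REJECT (extra
    permissions touch messages or billable services)."""
    requested = parse_permissions(manifest_xml)
    excess = [p for p in requested if p not in expected]
    by_category = {}
    for perm in excess:
        by_category.setdefault(CATEGORY.get(perm, "Other"), []).append(perm)
    verdict = ("REJECT" if by_category.keys() & HIGH_RISK
               else "REVIEW" if excess else "OK")
    return {"requested": requested, "excess": excess,
            "by_category": by_category, "verdict": verdict}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, EXPECTED_FOR_MAIL_COUNTER)
    print(report["verdict"], report["by_category"])
```

Run against the sample manifest the verdict is REJECT, because the SMS and message permissions fall in the high-risk categories a mail counter has no business requesting.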
Results
Over 1300 downloads in a 3 month period
Received over 1950 email addresses
Applications remained in contact with my server during this time
Never reported as suspicious
Never received notice to discontinue application
Averaged 3 stars on feedback
What does this mean?
People are willing to install an app even if the permissions have access to things not needed to function properly
Often people will not be aware of the permissions required because they scroll off the screen
If I wanted to create a malicious app that would need people to allow all permissions, that will not be an issue
Mobile Technology
Hacking online accounts
Hacking online accounts
Mobile apps can be designed to manage:
• email, text messages, photos, contacts, etc.
Malicious apps could be designed to capture this same data.
Could look legitimate to Google and Apple
Probably could be used to gain access to online accounts
Purpose of this attack
Test 2
Using the same app originally created to test permissions, modify the app to have the ability to be malicious
Attempt to steal online account login credentials (Login & Password) via the app
Because the app is now malicious, only test on friends and family
Hacking mobile technology
User installs Gmail counter app
After the app is installed, it simply retrieves email addresses from phone and sends them to the hacker
Hacking mobile technology
What can you do with an email address?
Hacking mobile technology
Hacker sends forgot password and or forgot User ID request to all major online applications using acquired email addresses
Forgot password?
[email protected]
RBKYHU
Hacking mobile technology
Online applications send temporary password or User ID back to email address
Hacking mobile technology
Mobile App checks email for messages from defined list of online applications
Hacking mobile technology
Any emails that match password requests are forwarded to hacker
Hacking mobile technology
Hacker now has the login (email address) for the account and a link to a temporary password
Problem: Real owner of account might see email containing forgot password request
Hacking mobile technology
Mobile App designed to delete the original email after it forwards to hacker
Hacking mobile technology
Hacker now has temporary passwords for all accounts
Hacker can now login to accounts using email address and temporary password
Hacker can change settings, order items online, etc.
Until real user attempts to login to hijacked account, hacker has full access
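From the defender's side, the chain described above (reset mail arrives, is forwarded out, original deleted within seconds) leaves a distinctive trace in mailbox activity logs. This added example (not code from the talk) flags reset mails that were forwarded off-domain and deleted shortly after arrival; the pipe-delimited log format, the sample lines and the example domains are constructed for the example and do not correspond to any real product.

```python
"""Detect the forward-and-delete pattern left by a credential-harvesting app.

The chain on the slides is: a password-reset mail arrives, the app forwards
it to an outside address, then deletes the original within seconds. Mailbox
activity logs record all three steps, so that sequence is what we alert on.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (not any vendor's real format):
#   timestamp|event|msg_id|party|subject
# party is the sender for RECEIVED, the recipient for FORWARDED, empty for DELETED.
SAMPLE_LOG = """\
2013-03-04T09:12:01|RECEIVED|m1|noreply@shop.example.com|Password reset instructions
2013-03-04T09:12:04|FORWARDED|m1|collector@external.example.net|
2013-03-04T09:12:05|DELETED|m1||
2013-03-04T09:13:10|RECEIVED|m2|news@shop.example.com|Weekend sale
2013-03-04T09:40:00|RECEIVED|m3|security@bank.example.com|Reset your password
2013-03-04T09:40:02|FORWARDED|m3|collector@external.example.net|
2013-03-04T09:40:03|DELETED|m3||
2013-03-04T10:02:00|RECEIVED|m4|help@social.example.com|Your temporary password
2013-03-04T15:30:00|FORWARDED|m4|colleague@example.org|
"""

# A subject counts as a credential-recovery mail when it names a credential
# and a recovery action; tune both patterns to the services your users rely on.
CREDENTIAL = re.compile(r"password|user ?id", re.I)
ACTION = re.compile(r"reset|forgot|temporary", re.I)


def is_reset_subject(subject):
    return bool(CREDENTIAL.search(subject) and ACTION.search(subject))


def parse_log(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, msg_id, party, subject = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "msg_id": msg_id, "party": party, "subject": subject})
    return events


def detect_forward_and_delete(log_text, own_domain, max_seconds=60):
    """Return one alert per reset mail forwarded off-domain and deleted quickly."""
    steps_by_msg = defaultdict(dict)
    for ev in parse_log(log_text):
        steps_by_msg[ev["msg_id"]][ev["event"]] = ev
    alerts = []
    for msg_id, steps in steps_by_msg.items():
        recv, fwd, dele = (steps.get(k) for k in ("RECEIVED", "FORWARDED", "DELETED"))
        if not (recv and fwd and dele) or not is_reset_subject(recv["subject"]):
            continue
        # Forwarding inside the organisation is routine; leaving it is the signal.
        if fwd["party"].rsplit("@", 1)[-1].lower() == own_domain.lower():
            continue
        gap = (dele["ts"] - recv["ts"]).total_seconds()
        if 0 <= gap <= max_seconds:
            alerts.append({"msg_id": msg_id, "sender": recv["party"],
                           "forwarded_to": fwd["party"], "seconds_to_delete": int(gap)})
    return alerts


if __name__ == "__main__":
    for alert in detect_forward_and_delete(SAMPLE_LOG, own_domain="example.org"):
        print(alert)
```

Messages m1 and m3 trigger alerts; m4 is a genuine reset mail but was forwarded to a colleague in the same domain hours later and never deleted, so it is left alone.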
Results
Loaded malicious app onto 20 mobile devices
• These people all agreed to let me hack them
Able to change the password on over 100 online applications
Able to gain access to online banking accounts through multifactor
Results
Can also be used to gain real passwords
How risky is it?
Hacker has complete access to email
Hacker has complete access to text messages
• Send and receive
Hacker has ability to access numerous accounts
Hacker has ability to learn your password
How risky is it?
Extremely important to have unique password at every site
Not always easy to remember
Simple solution
What can you do?
Pay attention to permissions
Even if the application has been downloaded / installed thousands of times, it doesn't guarantee it's secure
When in doubt, don't install the application
Password no longer working is a red flag
What can you do?
How do I know what permissions my apps have?
Android / Apple
Mobile Technology
Attacking the network
When phones attack
Can a mobile device be used for hacking?
• Android is Linux based
• Written in Java with all the normal sockets
• Supports C code
• Supports native libraries
In theory you could use an Android device for hacking
Purpose of this attack
Test 3
Crash server on network
• RDP Remote Code Execution Vulnerability
• Published March 2012 (MS12-020)
• Used for remote code execution and denial of service attacks
When phones attack
Target system
• Windows 2008 Server
Attack software
• RDPKill4Android
Video
When phones attack
What happened?
• Android device has access to network via Wi-Fi
• Android device was able to connect to Windows computer
• Android device was able to send denial of service code via RDP
• Windows 2008 server crashed with blue screen
When phones attack
What does this mean?
• Mobile devices can be used to attack computers on the local network via a Wi-Fi connection
When phones attack
Why stop there?
If an app on a phone can cause a Windows machine to crash, what else could it do?
Mobile Technology
Hacking a computer
Purpose of this attack
Test 4
Create a malicious app that could take over a desktop computer
App would be designed to look like a Wi-Fi speed tester
Because the app only requires permission to access the network via Wi-Fi, the only permission required will be expected by the user
When phones attack
Can this really be done?
Video
When phones attack
What just happened?
When phones attack
Mobile device port scans network for vulnerable systems
When phones attack
App finds a computer vulnerable to the RDP MS12-020 exploit
When phones attack
App installs malware on vulnerable system
When phones attack
Mobile device no longer required to exploit system
When phones attack
Exploited computer connects to hacker server allowing remote communication
When phones attack
Hacker site uploads additional tools and sends commands for exploited computer to execute
When phones attack
How bad is it?
• Complete compromise of any un-patched systems on network
  • Internal networks are often less secure than external facing networks
• Remote access with the ability to install and execute code
• Ability to record the screen, webcam and keyboard entries
• Full access to contents on the hard drive and launch point for additional network attacks
When phones attack
What does this mean?
• If you allow mobile devices on your network, they can put your entire network at risk
When phones attack
Just how bad could it get?
Mobile Technology
Automated hacking
Automated hacking
Many of the new attacks are focused on exploiting vulnerabilities in the browser
• Adobe Acrobat and Flash exploits
IT security staff will often place desktops behind proxy servers designed to protect against viruses and other outside attacks
Internal desktops and servers are often missing critical patches
Automated hacking
If a hacker is on the internal network, they could exploit these vulnerabilities
Mobile devices give hackers the ability to bypass firewall protection
Malware placed on a system designed to automate an attack could cause serious damage
Targeting corporate America
Test 4
Steal complete financial institution member database
Video
What is at risk?
Complete download of ALL customer information
• Name
• Address
• Phone Number
• Birthday
• Social Security Number
• Account Number
• Mother's Maiden Name
• Debit / Credit Card number & Exp
• Financial Institution IP address
What does this mean?
Hackers can attack your organization without even knowing you exist via malicious apps
Your network can be hacked and all confidential data on the database stolen in minutes
Hackers can attack your network while not at their computers
When the attack is over, your network shows no obvious signs a breach took place
Conservative damages estimate
2% of 16,000 = 320 financial institutions exploited
10,000 members / customers at a financial institution
$100.00 stolen from each member / customer
Calculation: 320*10,000*100 =
Total Damages: $320,000,000
Your future
Manual hacking is an outdated practice
Organization attacks will become fully automated
What used to take days or months will now take just minutes
BYOD bypasses the firewall and places hackers directly on the internal network
What can you do?
Awareness Training / Education
Comprehensive Security Policies
• Limit Internet Access
Monitor Network Risks / Vulnerabilities
Personal Firewalls, Anti Virus / Intrusion Detection / Prevention
What can you do?
Even if the application has been downloaded / installed thousands of times, it doesn't guarantee it's secure
When in doubt, don't install the application
Patch all computers on the local network, even computers that generally do not connect to the Internet
Mobile Technology
Dangers of Wireless access points
Wireless access points
• Wireless access points are everywhere
  • Hotels
  • Airports
  • Coffee Shops
  • Malls
  • Parks
  • Apartments
  • Business complexes
• Some are free, some charge
Wireless access points
• People seem focused on the security of the device itself
• Insecure Access points
• Flaws in WEP
• Launch point for malicious attacks
• Easy to attack home users
• Easy to monitor traffic on local networks
Wireless access points
• There are other security concerns that are often overlooked
• Gaining access to confidential information through wireless
Video
Wireless access points
Other risks beyond just credit card
Many mobile apps do not verify SSL connections or even communicate securely
• Used to monitor all transactions
• Record Passwords
• Online Banking
• Email
• Purchases
What can you do?
Awareness training
Be careful what apps you use while on insecure wireless access points
When in doubt, use carrier service instead of Wi-Fi
Changing Subjects
After hours concerns
Hacking is not the only threat to organizations
After hours concerns
How do you gain complete control of an organization's internal network?
The Cleaning Crew
After hours concerns
Why go after the cleaning crew?
• Cleaning crews have complete access to the facility
• Employees often are recognized by cleaning crew
• No one ever knows you were there
Video
After hours concerns
Other ways to get in
• An ID card is as good as a key
After hours concerns
What can you do to protect your organization?
• Strict policies for cleaning crew
  • Do not allow anyone in after hours without a key
  • Even if you know the person, they are not allowed in
  • When they exit to take out trash, do not prop open doors
• Contact list available for cleaning crew
  • Easy to access list of contacts in case of problems / questions
• Test cleaning crew
  • Send real employees from time to time after hours and see if they can gain access…
After hours concerns
What happens when cleaning crews follow proper procedures?
In the end…
In the end
Mobile devices will continue to become more integrated into the work place
Organizations need to make sure they are conducting risk assessments, creating policies and auditing their procedures to ensure their networks remain secure
Because mobile technology is rapidly changing, organizations should have scheduled reviews of the existing policies to make sure they remain relevant and effective
TraceSecurity Inc.
Comprehensive Security Assessments
Risk Assessments
Penetration Testing
IT Audits
Reach me at: [email protected]
Vendor Management
Comprehensive Regulation Compliance Review
Online Banking Application Testing
Remote and Onsite Social Engineering
Policy Development and Review
Training – (Onsite / Online) Employee & Customer
www.tracesecurity.com
GRC Simplified
- Need a self-contained solution that integrates all functional areas necessary to manage an on-going risk-based information security program
• Risk
• Policy
• Vulnerability
• Training
• Vendor
• Audit
• Compliance
• Incident Response
• Business Impact Analysis
• Business Continuity Planning
• Process
• Reporting
www.TraceSecurity.com