With this issue of (IN)SECURE Magazine, we enter our seventh year of publication. This time around we focus on Android sec...
Online scam susceptibility of                    Regionally, respondents who indicated they                               ...
Brazen Brazilian hackers opening                   spotted another business venture initiated by                          ...
Mozilla offers alternative to OpenID               "Many web sites store extensive user data                              ...
Researchers demonstrate tragic                    The remaining five (General Electrics D20ME,                             ...
Pwn2Own 2012: Changed rules,                       browser will be awarded 32 points," say the                            ...
Targeted attacks will change the                   than 250 employees will have to appoint a                              ...
The popularity of Android-based devices is driving their increased adoption in enterprise mobile applications, where secur...
In November, hackers discovered a way to            These vulnerabilities are specific to the An- install arbitrary program...
The term rooting originates from the UNIX          In this case, rooting is usually accomplished concept of root privilege...
Figure 1 - Multiple layers of encryption within Android. The concept of defense-in-depth originated in          attacker m...
Android sandboxing approaches                       Multi-boot Separate hardware                                   The mul...
Figure 3 - Android webtop environment. While webtop was most likely not intended as          and its own encryption of the...
Figure 4 - MDM containers. While the result is a neutered device that de-      Type-2 hypervisor feats the purpose of havi...
Type-2 mobile hypervisor products, such as            Type-1 hypervisor VMware MVP, are used to provide an enter- prise ma...
The real-time microkernel is an excellent         comparable to today’s Trusted Platform Mod- choice for practically any m...
Figure 8 - Adding physical security protection via attached smartcard to the microkernel Type-1 hypervisor.Kirk Spring is ...
Joe Sullivan is the Chief Security Officer at Facebook, where he manages a small part of a company-wide effort to ensure a ...
spectrum of technology, communication and         port meaningful bugs. On the contrary, we other companies to work with g...
I cant remember the last time I saw a bo-           These changes instituted granular enforce- gus or information-collecti...
The goal of this article is to plant a seed of the idea that shellcode has a place in your defense toolbox. I do not want ...
Say you use a trojan to test your sandbox. You     So how can you reliably test your sandbox notice that your machine is n...
SetProcessDEPPolicy has one advantage                  ProcessDEPPolicy with argument 1 - some- over the NO_EXECUTE flag – ...
If you open a PDF document with an util.printf         But when we inject our own NOP sled and exploit with Adobe Reader 8...
RSA Conference 2012                                  The Amphion Forum    www.rsaconference.com/events/2012/usa           ...
Like it or not, enterprise IT organizations are quickly realizing that mobile de- vices are eclipsing PCs and laptops as t...
likely to embrace today’s mobile world – and       • Physical access benefit from it.                                    • ...
The matrix                                        applications, and also often leave the device                           ...
the organization with some access. Finally,        The apps story Tier Three would be individuals to whom a minimal level ...
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Insecure mag-33
Upcoming SlideShare
Loading in...5
×

Insecure mag-33

1,721

Published on

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,721
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
19
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Insecure mag-33"

  1. 1. With this issue of (IN)SECURE Magazine, we enter our seventh year of publication. This time around we focus on Android security, we bring you the thoughts of the Facebook CSO and THE man behind Metasploit. To top if off, there are articles on web security, shellcode, mobile security, and more! February is going to be a busy time for every information security company. The monumental RSA Conference is opening its doors later this month, and well be there to cover all the news and meet with companies and readers. Im looking forward to the expo floor safari, theres always interesting technologies to discover. Look out for our camera, you might just be featured in an upcoming issue! Mirko Zorz Editor in Chief Visit the magazine website at www.insecuremag.com (IN)SECURE Magazine contacts Feedback and contributions: Mirko Zorz, Editor in Chief - mzorz@net-security.org News: Zeljka Zorz, Managing Editor - zzorz@net-security.org Marketing: Berislav Kucan, Director of Operations - bkucan@net-security.org Distribution (IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. Copyright (IN)SECURE Magazine 2012.www.insecuremag.com
  2. 2. Online scam susceptibility of Regionally, respondents who indicated they are from the Southwest are the most American consumers susceptible, while respondents from the Midwest and Pacific are the least. PC Tools, in collaboration with the Ponemon Institute, announced the findings of its online The survey results also indicated that scam susceptibility study of 1,858 American respondents from the following demographics consumers. are more susceptible to online scams: The results of the survey show that close to • 18-25 year olds half of US respondents think that they would • Females be likely to provide personal or financial • Less than a high school diploma information online in each of the test • Household income of $25,000 - $50,000 scenarios presented: • Reside in the Southwest. Unfortunately, many consumers don’t realize that some online scams don’t involve malware. Traditional internet security is essential to maintain protection against viruses or The survey results also indicate that certain malicious files and websites, but demographic groups are more susceptible cybercriminals are changing their methods by than others. For example, respondents who tricking consumers into revealing their indicated they are Independent supporters are personal information, so this requires a very the most susceptible to online scams, while different protection approach. supporters from the Green Party are the least.www.insecuremag.com 5
  3. 3. Brazen Brazilian hackers opening spotted another business venture initiated by the criminals. cybercrime schools "To help new entrepreneurs or beginners interested in a life of cybercrime, some Brazilian bad guys started to offer paid courses," he revealed. "Others went even further, creating a Cybercrime school to sell the necessary skills to anyone who fancies a life of computer crime but lacks the technical know-how." A number of different courses are offered, and while some seem like legitimate ones - how to Brazilian hackers are known for their become a designer, a Web designer, a hacker, preference for stealing and misusing phished a programmer - other not so much as they banking credentials and credit card numbers, offer to teach how to become a "banker", a but also for their penchant to openly brag defacer or a spammer. online about their illegal activities. The courses can be bought online but - as This relaxed attitude regarding the possibility unbelievable as it sounds - aspiring of getting caught and tried for their illegal cybercriminals can also attend real-world actions is due to the countrys extremely classes at a location that is shared freely and, inadequate anti-cybercrime laws, explained obviously, without any fear of law enforcement Kaspersky Labs Fabio Assolini, who recently reactions. Hackers steal $6.7 million in bank and compromising an employee computer in the Rustenburg Post Office. cyber heist Once the offices were closed for the New Year holidays, the gang put their plan in motion. They accessed the computer from a remote location and used it to break into Postbanks server system and transfer money from various accounts into the ones they opened. Having also raised the withdrawal limits on those accounts, money mules had no problem withdrawing great amounts of money from ATMs in Gauteng, KwaZulu-Natal and the Free State during the next few days, stopping A perfectly planned and coordinated bank completely when the offices were opened robbery was executed during the first three again on January 3. days of the new year in Johannesburg, and left the targeted South African Postbank - part Unfortunately, the Postbanks fraud detection of the nations Post Office service - with a loss system hasnt performed as it should, and the of some $6.7 million. crime was discovered only after everyone returned to work after the holiday break. According to the Sunday Times, the cyber Apparently, it should not come as a surprise - gang behind the heist was obviously very well according to a banking security expert, "the informed about the post offices IT systems, Postbank network and security systems are and began preparing the ground for its shocking and in desperate need of an execution a few months before by opening overhaul." accounts in post offices across the countrywww.insecuremag.com 6
  4. 4. Mozilla offers alternative to OpenID "Many web sites store extensive user data and act on behalf of the user. While the browser may be fully under the user’s control, many of the services that users enjoy are not. Sometimes, these web services handle data in ways that are of questionable value to the user, even detrimental," says Ben Adida, Mozillas Tech Lead on Identity and User Data. Mozilla has been working for a while now on a "It’s clear that Mozilla needs to step up and new browser-based system for identifying and provide, in addition to the Firefox browser, authenticating users it calls BrowserID, but its certain services to enhance users’ control only this January that all of its sites have over their online experience and personal finally been outfitted with the technology. data." Mozilla aims for BrowserID to become a more Apart from BrowserID, Mozilla is also looking secure alternative to OpenID, the to launch Boot to Gecko (B2G), a standalone decentralized authentication system offered to mobile web-based operating system, and an users of popular sites such as Google, app store. Yahoo!, PayPal, MySpace and others. Stratfor hack exposes UK, US and exchanged and worked on by the organizations employees; and around 75,000 NATO officials to danger, phishing credit card details complete with security codes required for no card present transactions. The Guardian has hired cyber-security expert John Bumgarner to rifle through the information already leaked by the hacker group, and he has ascertained that thousand of emails and passwords belonging to UK, US and NATO officials were thusly made public. 19,000 email addresses and passwords and During the last days of 2011, Anonymous other personal data belonging to US military attacked Stratfor, a US-based research group personnel were revealed, as well as those of that gathers intelligence and produces seven officials of the UKs Cabinet Office, 45 political, economic and military reports that of the Foreign Office, 14 of the Home Office, help government organizations and major 67 police officers of the London Metropolitan corporations asses risk. Police and other officials, two employees with the royal household, 23 workers/members of Among the data they have managed to steal the Houses of Parliament, and a number of from its servers were names, home intelligence officers. 242 Nato staffers have addresses, credit card details and passwords also had their emails revealed. of Stratfor clients, 17,000 of which they have immediately shared with the public in order to British officials and the government are still prove the veracity of their claims. not worried about the revealed information posing any threat to national security. To be All in all, the hackers said that they have sure, the revealed (easily decryptable) managed to put their hands on around passwords are those used by Stratford 860,000 usernames, emails, and hashed customers to access the content offered by passwords; internal emails and documents the think-tank and not their email accounts.www.insecuremag.com 7
  5. 5. Researchers demonstrate tragic The remaining five (General Electrics D20ME, Koyos Direct LOGIC H4-ES, Rockwell state of SCADA security Automations Allen-Bradley ControlLogix and Allen-Bradley MicroLogix, Schneider Electrics Modicon Quantum, and Schweitzers SEL-2032) displayed a dazzling array of back door accounts, old hardware and firmware, lousy security controls, configuration files easily obtainable by attackers, buffer overflow and remotely exploitable vulnerabilities, unexpected crashes, weak password implementation and authentication protection, and inability to upload custom firmware. Despite the reservations of some security experts that have questioned the researchers action of making this information public before sharing it with the vendors, most industrial control security experts are satisfied that someone has finally pointed out these things they knew for years. "A large percentage of these vulnerabilities the vendor already knows about and has chosen to live with, so this is not news to them," commented Dale Peterson, CEO of SCADA security firm Digital Bond, which At the SCADA Security Scientific Symposium organized the project, and said that the best held in Miami, visitors had the opportunity to way to avoid uncomfortable disclosures is to hear a damning presentation held by do a better job making secure products. researchers grouped around Project Basecamp which revealed that their testing of He expressed his belief that this presentation six widely used programmable logic should be the moment when SCADA systems controllers (PLCs) resulted in the discovery of and PLC vendors finally realize that they have alarming security bugs that are mostly design to take security more seriously. For their part, flaws and (even!) features, and of the fact that the researchers collaborated with Rapid 7 and some of them cant even take a probing Tenable in order to create test modules for the without crashing. Metasploit Framework and the Nessus scanner for these vulnerabilities, in the hope One of the devices, the Control Microsystems that vendors will be pushed to make changes SCADAPack, bricked early on into testing. with security in mind. Qualys expands its FreeScan service help SMBs audit and protect their web sites from security vulnerabilities and malware infections. The new FreeScan service allows SMBs to scan their web sites for of malware, network and web application vulnerabilities, as well as SSL certificate validation, helping web site owners identify risk before hackers do in order Qualys announced its new and improved to prevent data beaches and protect online FreeScan service (freescan.qualys.com) to visitors from infections.www.insecuremag.com 8
  6. 6. Pwn2Own 2012: Changed rules, browser will be awarded 32 points," say the rules. "When the contest begins we will be bigger prizes, no more mobile hacks announcing 2 vulnerabilities per target that were patched in recent years. The first contestant (or team) who is able to write an exploit for the announced vulnerabilities will be awarded 10, 9, or 8 points depending on the day the exploit is demonstrated." For exploiting the already known vulnerabilities, contestants will only have to Pwn2Own, one of the most anticipated overcome DEP, and dont have to escape from hacking contests that takes place each year at a sandbox or protected mode. The browsers the CanSecWest conference in Vancouver, will be installed on Windows XP and Snow British Columbia, is set to unfold under Leopard, and their versions will be made dramatically different rules this year. public at the beginning of the contest. First and foremost, smartphone hacking is no For the zero-days, hackers will be targeting longer on the table. This year edition will also browsers on fully patched Windows 7 and reward the three most successful participants Mac OS X Lion machines. Also, one with cash prizes of $60,000, $30,000 and requirement that contestants must fulfill in $15,000, respectively (plus the laptops they order to win is to demonstrate at least one manage to compromise). zero-day vulnerability on one of the targets. Also, a successfully compromised target will As the in the previous year, Google is offering not be pulled from the competition as in special prizes for Chrome "ownage": $20,000 previous years. All contestants can attack all for a set of bugs present only in Chrome that targets during the whole three days of the allow full unsandboxed code execution, and contest, and the contest will be point-based. $10,000 for a compromise that used bugs both in Chrome and the OS for the same type "Any contestant who demonstrates a working of code execution. 0day exploit against the latest version of the Entrust Discovery now offers "Understanding that todays organization often manages complex certificate environments, Microsoft CAPI query capabilities we provide more methods of discovering certificates and enhance the policy options once under management," said Entrust President and CEO Bill Conner. Entrust Discovery assists organizations in gaining a complete perspective of deployed certificates. The solution finds, inventories and manages digital certificates across diverse systems to help prevent outages, data breach Entrust expands its certificate discovery and non-compliance. solution, Entrust Discovery, by broadening search capabilities for digital certificates The solution now offers more policy alert residing within Microsofts Cryptographic APIs fields, including issuer DN, expiry status, (CAPI). And now with more than 25 basic or subject DN, key (e.g., RSA 2048), time valid, custom policy alert fields, Entrust Discovery subject alt names (SAN) and certificate offers stronger compliance tools. signature method.www.insecuremag.com 9
  7. 7. Targeted attacks will change the than 250 employees will have to appoint a privacy officer. economics of security Corporations risk being fined up to 2 per cent of their global turnover for failure to adequately secure citizens’ information. In addition, in a new “right to be forgotten” ruling, customers can request details of the information that companies hold about them and ask for it to be amended or removed. European Justice Commissioner, Viviane Bruce Green, Chief Operating Officer at M86 Reding, unveiled the new European Privacy Security, commented: “While we applaud the Directive, designed to safeguard personal, move to strengthen safeguards around identifiable information that is stored by individuals’ private information, we recognize private and public sector organizations. that this harmonization of data privacy rules across Europe will increase the data All 27 European member states will be management overhead for companies of all governed by the new rules, which could see sizes. The prospect of being fined two per companies being fined 2 per cent of global cent of turnover will change the economics of turnover if their customers’ privacy is security, because the cost of compliance breached. compared to the financial risk of a breach will now fall firmly in favor of security for global Under the new rules, all UK companies that enterprises. This will make information suffer a security breach will have to inform the security a discussion for the boardroom, not Information Commissioner within 24 hours of just the domain of compliance specialists and discovering a breach. Companies with more privacy officers.” Symantec advises customers to stop control sessions and, thus, access to systems and sensitive data. If the cryptographic key using pcAnywhere itself is using Active Directory credentials, they can also carry out other malicious activities on the network. - If the attackers place a network sniffer on a customer’s internal network and have access to the encryption details, the pcAnywhere traffic - including exchanged user login credentials - could be intercepted and decoded. In a perhaps not wholly unexpected move, The white paper also contains security Symantec has advised the customers of its recommendations for minimizing the potential pcAnywhere remote control application to stop risk of using the software, since some using it until patches for a slew of customers cannot stop using it because its of vulnerabilities are issued. According to a critical importance to their business. company white paper, the risks for the users are the following: Martin McKeay, Security Evangelist at Akamai Technologies, pointed out that most remote - Man-in-the-middle attacks (depending on the desktop applications are directly exposed to configuration and use of the product) because the Internet because they are used by service of vulnerable encoding and encryption providers for troubleshooting their clients elements within the software. network equipment, and that that is unlikely to - If the attackers get their hands on the change in the near future. cryptographic key they can launch remotewww.insecuremag.com 10
  8. 8. The popularity of Android-based devices is driving their increased adoption in enterprise mobile applications, where security is a significant concern. In ad- dition, designers of embedded systems are considering using Android for all forms of human-machine interfaces (HMI) in practically all major industri- es—automotive center stacks, medical device graphical interfaces, and home smart energy management panels, just to name a few. Android brings to electronic products the based devices in order to make them more power of open source Linux augmented with suitable for enterprise, government, and other the graphical interfaces and app store infra- mission-critical environments. structure of one of the world’s most popular mobile operating systems. Android security retrospective In addition, the rapidly emerging market for As part of Android’s original introduction in Android Mobile Device Management (MDM) 2008, Google touted improved security in its solutions provides developers with the prom- smartphones. Google’s website ise of a world-class remote device manage- (code.google.com/android) lauded the plat- ment infrastructure that can seamlessly tie form’s security: “A central design point of the into traditional back-end IT systems. MDM Android security architecture is that no appli- functions include remote monitoring and audit- cation, by default, has permission to perform ing, firmware updates, application configura- any operations that would adversely impact tion management and control, data-at-rest en- other applications, the operating system, or cryption, VPN services, remote wipe (e.g., the user.” Days after the release of the first when an embedded device is believed to be Android phone, the G1, a well-publicized, se- compromised), and more. vere vulnerability was found in the phone’s Web browser. But the G1’s security woes This article discusses the challenges and so- didn’t end there. lutions for improving the security of Android-www.insecuremag.com 12
  9. 9. In November, hackers discovered a way to These vulnerabilities are specific to the An- install arbitrary programs on the phone, droid stack that runs on top of Linux. Android prompting this lament from Google: "We tried is, of course, susceptible to Linux kernel vul- really hard to secure Android. This is definitely nerabilities as well. The rapid development a big bug. The reason why we consider it a and monolithic architecture of Linux has been large security issue is because root access on well publicized. Lead Linux kernel authors the device breaks our application sandbox." have published multiple installments of a Linux kernel development statistical overview, In fact, the Android bug would silently and in- and the numbers are staggering. visibly interpret every word typed as a com- mand, and then execute it with superuser With 20,000 lines of code modified per day, privileges. 6,000 unique authors, and rapid growth in its overall code base, it should come as no sur- In late 2010, security researchers uploaded to prise that dozens of Linux kernel vulnerabili- the Android market a spoofed Angry Birds ties are reported each year, and that a steady game application that surreptitiously down- stream of undiscovered vulnerabilities are la- loaded other apps without the user’s approval tent in every Linux distribution deployed to the or knowledge. field. The extra downloads were malicious, stealing While a significant portion of the growth and the phone’s location information and contacts, churn in the Linux kernel code base is due to and sending illicit text messages. As part of the continual adding of support for new micro- their work, the researchers reported numerous processors and peripherals, the core kernel weaknesses in Android, including a faulty use itself, including networking and file system of SSL, a lack of application authentication, an support, also undergoes rapid change. easy method of breaking out of the Android Dalvik virtual machine sandbox via native CVE-2009-1185 documents a flaw in the Linux code, and the focus of the attack—a weak netlink socket implementation, and is but one permissions architecture. example of a Linux vulnerability that has al- legedly been used to compromise Android de- Next, we visit our favorite website, the U.S. vices. CVE-2009-2692, informally known as CERT National Vulnerability Database. A the proto-ops flaw, is a set of bugs in the Linux search on Android turns up numerous vulner- kernel’s management of file and network ac- abilities of varying severity. Here is a sampling cess objects. of the worst offenders: ! A trivial user mode program can be used to • CVE-2011-0680: Allows remote attackers to subvert an Android system using this vulner- read SMS messages intended for other re- ability. The proto-ops flaw was latent in the cipients. Linux kernel for eight years before research- • CVE-2010-1807: Allows remote attackers to ers discovered it. execute arbitrary code. • CVE-2009-2999, -2656: Allows remote at- Because its architecture for kernel object tackers to cause a denial of service (applica- management is so entrenched, Linux remains tion restart and network disconnection). susceptible to the vulnerability as new device • CVE-2009-1754: Allows remote attackers to drivers and communication mechanisms are access application data. added to the code base. • CVE-2009-0985, -0986: Buffer overflows al- low remote attackers to execute arbitrary Android device rooting code. Android rooting (also known as jailbreaking) is We point out these particular vulnerabilities the process of replacing the manufacturer- because they fall into the most serious sever- installed kernel (Linux) and/or its critical file ity category of remote exploitability. system partitions. Once a device is rooted, the hacker can change Android’s behavior to suit his or hers particular desires.www.insecuremag.com 13
  10. 10. The term rooting originates from the UNIX In this case, rooting is usually accomplished concept of root privilege, which is needed to with a form of side-loading/booting using an modify protected functions. The goals of An- SD card or USB to host or install the custom droid hackers range from the hobbyist’s desire ROM. The manufacturer-installed boot loader to overclock a CPU for better performance (at does not cryptographically authenticate the the expense of battery life) and install custom Android firmware, paving the way for ROM applications, to more malicious pursuits, such execution. as illegally obtaining carrier network services, and installing key loggers and SMS snoopers. Some device makers have gone to great lengths to prevent rooting for various reasons. The collection of new and replaced files in- Obviously, many developers using Android will stalled by the hacker is referred to as a cus- want to lock down the Android OS completely tom ROM, another imperfect reference to the to prevent unauthorized modification and ma- concept of firmware that is often deployed in licious tampering. read-only memory. One of the most high-profile secure boot fail- Android vulnerabilities are often used by ures in this realm is the Amazon Kindle. The hackers to root Android phones. The rate of presumed aim of locking down the Kindle is to vulnerability discovery is such that practically force users to access Amazon content and every Android consumer device has been require use of the Kindle e-reader software. rooted within a short period of time, some- The Amazon secure boot approach attempted times within a day or two of release. to authenticate critical system files at startup using digital signature checks. Hackers used In addition to software vulnerabilities, secure vulnerabilities in Linux to circumvent these boot problems are another major source of checks and run malicious boot code, rooting Android rooting attacks. Some Android device the device. makers, such as Barnes and Noble with its Nook Color, have permitted (if not encour- Yes, we paint a grim picture of Android secu- aged) rooting in order to facilitate a wider de- rity. However, the picture is based on a simple veloper community and device sales. fact that shouldn’t be surprising—Android was never designed to provide a high assurance of security. ANDROID VULNERABILITIES ARE OFTEN USED BY HACKERS TO ROOT ANDROID PHONES Mobile phone data protection: A case can use a layer four (OSI model) SSL VPN study of defense-in-depth client to establish a protected data communi- cation session. An IPsec VPN application, Android’s tremendous popularity, juxtaposed running at layer three, can be used to create a with its lack of strong security, has sparked a second, independent connection between the rigorous scramble by software vendors, de- smartphone and the remote endpoint (Figure vice OEMs, systems integrators, and govern- 1). ment security evaluators to find ways to retro- fit Android-based devices with improved sys- This secondary connection uses independent tem security. public keys to represent the static identities of the endpoints. The data in transit is doubly One approach to raising the level of assur- encrypted within these two concurrent con- ance in data protection within an Android- nections. This layered security approach is an based device is to employ multiple encryption example of defense-in-depth. layers. For example, an Android smartphonewww.insecuremag.com 14
  11. 11. Figure 1 - Multiple layers of encryption within Android. The concept of defense-in-depth originated in attacker must break both the SSL and IPsec the military—multiple layers of defense, such encryption layers. as a combination of mines and barbed wire, rather than just mines or barbed wire alone, to Clearly, this layered approach depends on the increase the probability of a successful de- independence of the layers. Most importantly, fense, as well as potentially to slow the pro- the SSL and IPsec private keys must be inde- gress of an attacker. pendently stored and immune to a single point-of-failure compromise. However, in a Defense-in-depth has been successfully ap- typical Android environment, both the SSL and plied in war since ancient times, and the con- IPsec long-term private keys are stored within cept is alive and well in the information secu- the same flash device and file system. Fur- rity age. thermore, the key stores are not protected against physical attacks. Let’s consider a few of the threats against an SSL data protection application. An attacker This environment provides numerous single can attack the application directly, perhaps points of compromise that do not require so- exploiting a flaw in the SSL software stack, to phisticated attacks. A single Android root vul- disable encryption entirely or steal the encryp- nerability or physical attack on the storage de- tion keys residing in RAM during operation. An vice can compromise both sets of keys and attacker can try to steal the static public SSL encryption layers. keys stored on disk. If these keys are com- promised, the attacker can impersonate the The run-time environment must provide strong associated identity to gain access to the re- isolation of the SSL and IPsec application lay- mote client over a malicious SSL session. ers, and the run-time environment itself must not provide an attack surface through which to Malware elsewhere in the Android system can break that isolation. Much of the research and use side channel attacks to break the SSL en- product development aimed at Android secu- cryption and recover its keys. rity has focused, in one form or another, on providing sandboxes for data isolation and the Layered SSL/IPsec data protection is a sensi- protected execution of critical functions. Those ble application of defense-in-depth to counter sandboxes are used to realize the layered en- these threats. If an attacker is able to break cryption approach. the SSL encryption, the IPsec layer will con- tinue to protect the data. An attacker may be Let’s now compare and contrast the various able to steal the SSL keys but not the IPsec approaches for Android sandboxing. Develop- keys. The attacker may be able to install mal- ers considering the adoption of Android in ware into the SSL application but not the their next-generation designs can use this IPsec application. The SSL application may comparison to make sensible security exhibit side channel weaknesses to which the choices. IPsec application is immune. To succeed, thewww.insecuremag.com 15
  12. 12. Android sandboxing approaches Multi-boot Separate hardware The multi-boot concept has been attempted on a handful of laptops and netbooks over the One sandboxing approach is to have multiple years. In a dual boot laptop scenario, a sec- microprocessors dedicated to the differing ondary operating system, typically a scaled- tasks. While Android smartphone OEMs are down Linux, can be launched in lieu of the unlikely to add additional hardware cost to main platform operating system. The scaled- their designs, custom electronic product de- down system is typically only used for Web velopers may have more options depending browsing, and the primary goal is to enable on many factors, including form-factor flexibil- the user to browse within a handful of seconds ity. from cold boot. The secondary operating sys- tem resides in separate storage and never For example, a PCI-capable design may be runs at the same time as the primary platform able to host an IPsec VPN card that wraps the operating system. In some cases, the light- second layer encryption around the main weight environment executes on a secondary processor’s Android SSL. In some cases, microprocessor (e.g., an ARM SoC independ- however, the additional hardware size, weight, ent of the netbook’s main Intel processor). On power, and cost will be prohibitive for this ap- an Android mobile device, the primary Android proach. can be hosted on internal NAND flash, and a secondary Android can be hosted on an in- serted microSD card (Figure 2). Figure 2 – Dual-boot Android. The secondary operating system provides webtop runs as a set of applications on top of good isolation from a security perspective. the primary operating system. However, the inconvenience of rebooting and In the case of the Motorola Atrix Android the inability to seamlessly switch between en- smartphone released in 2011, the webtop vironments has severely limited adoption. The sandbox is an independent file system parti- multi-boot option is also impractical for the tion that contains a limited Ubuntu Linux- layered encryption use case that requires based personality (Figure 3). concurrent execution of the sandboxes. The primary Android partition is located on the Webtop same internal NAND flash device within the phone. The Atrix webtop is intended to provide The webtop concept provides a limited brows- a desktop-like environment for users that dock ing environment (the webtop), independent the phone on a separately purchased KVM from the primary operating system environ- (keyboard/video/mouse) apparatus. ment. However, instead of a dual boot, thewww.insecuremag.com 16
  13. 13. Figure 3 - Android webtop environment. While webtop was most likely not intended as and its own encryption of the e-mail folders a security capability, one mapping of this ap- resident on the phone. proach to the layered encryption use case is to execute IPsec from the primary Android en- Some MDM solutions use Android profiles to vironment and an SSL-based Web session divide the Android system into two sets of ap- from the webtop sandbox. plications—one for the user’s personal envi- ronment and one for the enterprise-managed The problem with this approach is that the en- environment (Figure 4). tire Linux kernel, including its TCP/IP stack, is depended upon for the isolation of the When the enterprise profile is invoked, the webtop’s SSL from the Android IPsec. MDM product may automatically turn on en- cryption for data associated with that profile. Mobile Device Management (MDM) Numerous other Linux controls can be used to encrypted containers improve the isolation of profiles, including chroot jails and operating system-level re- The growing popularity of Android mobile de- source grouping techniques like OpenVZ. vices and the desire to use them in the work- place has spawned dozens of MDM products Clearly, this approach can be used to imple- and companies. The two main purposes of ment the layered encryption use case—the MDM are to provide mobile data protection MDM application can create an SSL connec- and IT management services. tion on top of the underlying Android’s IPsec connection. Manageability includes application configura- tion (ensuring that all employees have an ap- However, once again, the underlying Android proved set of preloaded software), auditing, operating system is relied upon for the secu- document management, and remote wipe rity of both layers. (disabling the handset when an employee leaves the company). Remoting Data protection covers both data at rest and One approach to enterprise data protection in data in transit (e.g.VPN to the corporate net- Android is to not allow any of the enterprise work). data on the mobile device itself. Rather, the only way to access enterprise information is Android MDM solutions often use application- using a remote desktop and/or application vir- level encryption. For example, an enterprise tualization. When the device is not connected e-mail client may implement its own encryp- to the enterprise (e.g. offline operation), en- tion protocol for the connection between a terprise applications and services are unavail- mobile device and an enterprise e-mail server, able.www.insecuremag.com 17
  14. 14. Figure 4 - MDM containers. While the result is a neutered device that de- Type-2 hypervisor feats the purpose of having such a powerful hardware platform with multiple cores and Type-2 hypervisors are similar to webtops and multimedia accelerators, there are certainly MDM containers in that the secondary envi- use cases that can take advantage of remot- ronment runs as an application on top of the ing. primary operating system. However, instead of hosting only a browser, the secondary per- Remoting precludes the requirement for local sona is a full-fledged guest operating system data protection; however, our use case for running within a virtual machine created by layered data-in-motion protection remains. the hypervisor application (Figure 6). The remoting application (Figure 5) provides SSL encryption while the underlying Android The hypervisor uses the primary operating runs IPsec. Once again, the underlying An- system to handle I/O and other resource droid operating system is relied upon for the management functions. security of both layers. Figure 5 - Remoting. Figure 6 - Type-2 hypervisor.www.insecuremag.com 18
  15. 15. Type-2 mobile hypervisor products, such as Type-1 hypervisor VMware MVP, are used to provide an enter- prise management persona on top of the pri- Type-1 hypervisors also provide functional mary Android environment. The virtualized completeness and concurrent execution of a Android can use an SSL connection to the en- secondary enterprise persona. However, be- terprise while the underlying Android’s IPsec cause the hypervisor runs on the bare metal, is also used to wrap the communication be- persona isolation cannot be violated by weak- tween endpoints. nesses in the persona operating system. Thus, a Type-1 hypervisor represents a prom- However, once again, the Type-2 model fails ising approach from both a functionality and to provide strong isolation. Faults or security security perspective. But the hypervisor vul- vulnerabilities in the primary general-purpose nerability threat still exists, and not all Type-1 operating system will impact the critical func- hypervisors are designed to meet high levels tions running in the virtual machine. Further- of safety and security. more, Type-2 hypervisor applications de- ployed in the enterprise space have been One particular variant, the microkernel-based found to contain vulnerabilities that break the Type-1 hypervisor, is specifically designed to sandbox. meet high-assurance, security-critical re- quirements. Microkernels are well known to Sandboxes built on sand provide a superior architecture for safety and security relative to large, general-purpose op- Constant reader, hopefully you observe as erating systems such as Linux and Android. obvious the common weakness among all of the sandboxing approaches previously de- In a microkernel Type-1 hypervisor, system scribed. Multiple Android applications, MDM virtualization is built as a service on the mi- containers, remoting applications, webtops, crokernel. Thus, in addition to isolated virtual and Type-2 hypervisors all attempt to retrofit machines, the microkernel provides an open security to the Android kernel itself. standard interface for lightweight critical appli- cations, which cannot be entrusted to a The Android/Linux system, while providing rich general-purpose guest. For example, SSL can multimedia functionality of which mobile and be hosted as a microkernel application, pro- embedded designs can take good advantage, viding the highest possible level of assurance is riddled with security vulnerabilities that sim- for this encryption layer. IPsec packets origi- ply cannot be avoided. High-assurance secu- nating from Android are doubly encrypted with rity must be designed from the beginning. the high-assurance SSL layer service before transmission over the wireless interface (Fig- But while high assurance cannot be retrofitted ure 7). to Android itself, it can be retrofitted at a sys- tem level. Let’s take a look at how. Figure 7 - Microkernel Type-1 hypervisor approach to layered data-in-motion encryption.www.insecuremag.com 19
  16. 16. The real-time microkernel is an excellent comparable to today’s Trusted Platform Mod- choice for practically any mobile and embed- ules (TPMs) found in laptops and PCs. ded system since the microkernel can host any real-time application not appropriate for Most of the work being done in this area is in the Android/Linux environment. its infancy; full specifications are not complete, and commercial products that incorporate The microkernel Type-1 hypervisor typically these standards are not yet on the market. uses the microprocessor MMU to isolate the memory spaces of the primary Android envi- However, the concept of the MTM can be ronment and the native SSL encryption appli- combined with the functionality of a smartcard cation. However, device drivers in Android to provide a mobile hardware root of trust with may use DMA that can violate the memory secure key store capability. partitioning by bypassing the MMU entirely. This approach offers a single element that can Running the hypervisor in TrustZone on an provide a secure trust anchor for secure boot applicable ARM-based microprocessor, using and remote attestation, as well as a secure an IOMMU, or using the hypervisor itself to key store for device, user, and application mediate all DMA bus masters are all potential keys and certificates. approaches to guarding this attack vector. For example, a smartcard chip can be incor- The isolation properties of some secure mi- porated into a microSD device and attached to crokernels can even protect against sophisti- a smartphone (Figure 8). This approach pro- cated covert and side-channel, software-borne vides the physical security benefits of a se- attacks. cure element while allowing credentials to move with the user by removing and then in- Physical security serting the microSD into another device. Now that we have an approach that prevents Of course, implementations will vary depend- software attacks from breaking the sandbox ing on the types and sophistication of physical between protection layers, let’s take defense- protections available. But a hardware-based in-depth a step further and consider how the root of trust enables a higher-level FIPS-140 layered encryption system can be protected certification and provides an important addi- from physical attacks. For example, a lost or tional layer of security independent of the stolen mobile device in the hands of a sophis- microkernel-based runtime environment isola- ticated attacker is susceptible to memory tion. snooping, power analysis, and other invasive and non-invasive physical attacks. Summary While physical protection of the entire device Layered encryption as a defense-in-depth may not be practical, targeted physical protec- strategy is a sensible approach to increasing tions can make a huge difference in overall the assurance of Android-based data protec- system security. A secure element can be tion services. However, it is not sensible to run used to provide physical protection of critical both layers within the Android environment parameters, including private keys. Several itself. There is simply too much vulnerability to industry standards bodies are examining this prevent both layers from being simultaneously requirement and offering solutions. subverted. Designers considering Android must also carefully sandbox critical security For example, GlobalPlatform functions outside of the Android system. Mod- (www.globalplatform.org) recommends the ern microprocessors and system software so- use of TrustZone, coupled with some form of lutions provide the requisite features to get the secure element, to protect critical parameters best of both worlds—the power of Android’s and cryptographic functions used for mobile multimedia and applications deployment infra- payments. The Trusted Computing Group structure alongside, but securely separated (www.tcg.org) is working on the specification from critical system security functions. for a Mobile Trusted Module (MTM) that iswww.insecuremag.com 20
  17. 17. Figure 8 - Adding physical security protection via attached smartcard to the microkernel Type-1 hypervisor.Kirk Spring is the VP of Technology for SafeNet. Currently he oversees SafeNet’s strategic development ofsecurity solutions that includes technology sharing of both its commercial and government products. Mr.Spring earned his bachelor of science in Computer Engineering from Oakland University and has been withSafeNet since 2001. Prior to SafeNet, Mr. Spring was at Harris Corporation, Allied Signal Corporation, andHughes Ground Systems.David Kleidermacher is CTO at Green Hills Software where he is responsible for technology strategy, platformplanning, and solutions design. Kleidermacher is a leading authority in systems software and security, includ-ing secure operating systems, virtualization technology, and the application of high robustness security engi-neering principles to solve computing infrastructure problems. Kleidermacher earned his bachelor of science incomputer science from Cornell University and has been with Green Hills Software since 1991.www.insecuremag.com 21
  18. 18. Joe Sullivan is the Chief Security Officer at Facebook, where he manages a small part of a company-wide effort to ensure a safe internet experience for Facebook users. He and the Facebook Security Team work internally to de- velop and promote high product security standards, partner externally to promote safe internet practices, and coordinate internal investigations with outside law enforcement agencies. Being the CSO of Facebook certainly puts skills, the ability to develop creative solutions you into the spotlight. How have your prior to new and unique problems, and the ability to positions prepared you for your work at stay focused on addressing real risks and Facebook? threats while under great scrutiny, are critically important for succeeding in my role at Face- I can think of two important ways my prior po- book. sitions have helped prepare me for my current responsibilities. Before Facebook I worked as Facebook has partnered with the National a federal prosecutor working on cybercrime Cyber Security Alliance on the STOP. cases that were in the media every day and THINK. CONNECT. campaign over two then worked at eBay during the early part of years ago. What are your thoughts on how the 2000s when that company was celebrated public-awareness-raising campaigns can and scrutinized. be improved in the future? In both of those places I was challenged to If you look at internet education safety cam- develop creative solutions - because we were paigns before this effort by NCSA, you see a breaking new ground in areas where there bunch of different parallel efforts focused on was not much precedent. Likewise, in both I the same problems but using different tactics learned how to stay effective and focused and terminology. This initiative is important even when under a serious microscope. Both because it brings together an incredibly widewww.insecuremag.com 22
  19. 19. spectrum of technology, communication and port meaningful bugs. On the contrary, we other companies to work with government on have found that there is an incredibly vibrant developing unified messaging. entrepreneurial security community around the world that is passionate about engaging Having consistent terminology is critical to on web application security. education in a complex area and with this ef- fort the sum of our individual efforts working We have had submissions from over 16 coun- together is much greater than it would be if we tries and have already payed out over $150, invested the same in education but without 000 in bounties. In the process we have built this degree of coordination. great relationships with some amazing re- searchers from every corner of the globe. And Facebook launched its bug bounty pro- yes, we do have a summer intern coming who gram in August last year and has already we met through the program. doled out quite a sum to outside security experts. Have there been any great sur- I dont think it has influenced the way we re- prises? Has the program influenced the view code, but it does make us feel even bet- way that the security team approaches ter about the overall review process we have code reviewing? Did you offer employment in place being as complete as possible. We to a particularly successful bug hunter/are intend to keep investing in this program and you thinking about doing it? are always looking for feedback on how to make it better. The program has been successful beyond our expectations. First, it really blew up the as- Our latest iteration was to add a debit card as sumption that there are only a small number a payment option so that we can reload easily of quality researchers able and willing to re- for people who submit bugs regularly. We know that we will always be out-numbered by the bad guys, but we can overcome that by making sure that our systems are up to the challenge. As the number of Facebook users grows year. Self-XSS attacks used social engineer- seemingly exponentially, does your secu- ing to trick users into copying-and-pasting ma- rity team as well? What security-related licious javascript into their browser, thereby problems currently give you the biggest self-propagating the spam and evading our headaches? detection systems. We do continue to grow in size, but we are Before the attacks increased dramatically also constantly challenging ourselves to de- most experts would have doubted that a social velop in such a way that every employee fo- engineering scheme could work at such scale. cused on security has a greater individual im- pact tomorrow than that person did today. We Fortunately, we reacted quickly and have had can do that both by continuing to innovate on success beating it back. In addition to improv- our approaches to security and investing in ing internal detection mechanisms, we have system and infrastructure. worked with browser vendors to make it harder for spammers to take advantage of this We know that we will always be out-numbered vulnerability in the browser, and we have part- by the bad guys, but we can overcome that by nered with external companies to make our making sure that our systems are up to the malicious link detection system more robust. challenge. An example of how things change and new headaches arise the sudden in- We are still battling this but thankfully it is crease in what we call self-XSS during last much less of a headache than it use to be.www.insecuremag.com 23
  20. 20. I cant remember the last time I saw a bo- These changes instituted granular enforce- gus or information-collecting app being ment which selectively disables an apps abil- pushed onto users by third party develop- ity to propagate through Facebook based on ers, and I recall them being plentiful at one the amount of negative user feedback - so point in time. How did you solve that that an app that has been reported for abusing particular problem? chat will have this feature disabled until the developers have made substantial changes. We have several different teams that work closely together to ensure people have a great In the future, we are moving to more sophisti- experience when connecting with applications cated ranking models where the amount of that leverage our platform. distribution will be a function to the apps qual- ity. Good content will be seen by more people, Major props go to the platform integrity engi- while lower quality or spammy apps will be neers who have been constantly iterating on seen by fewer people or no one. the automated systems that we put in place to secure our Platform. Of particular note were We believe this will reward apps that provide the changes we made last July which made great experiences while minimizing the nega- significant improvement to the enforcement tive impact of poor quality apps. systems so we can identify and disable apps that violate our policies as quickly as possible.Zeljka Zorz is the Managing Editor of (IN)SECURE Magazine and Help Net Security.www.insecuremag.com 24
  21. 21. The goal of this article is to plant a seed of the idea that shellcode has a place in your defense toolbox. I do not want to teach you how to write shellcode, neither do I want to present a complete anthology of white hat shellcode. What I want is to show a few examples in order to help you be more creative, so that when you are facing a problem in your IT security job, you will also consider shellcode as a potential solution. When a system is attacked, be it by malware Shellcode is a tool, and it can be a solution to or by a human, shellcode is often involved. your problem. Shellcode is executed on the system to change its behavior, so that the system opens What is shellcode? Shellcode is a program, up to the attacker. But why couldnt you use but it has some characteristics that differenti- shellcode to change the behavior of your sys- ate it from applications like .exe files. Shell- tem, too, so that it defends itself against an code is a program that is location-independent attacker? There is no reason why you couldnt and comes as a binary file without any meta- do this. data. As the administrator of the system, you have Example 1: Testing a security setup an advantage over the attacker. While the at- tacker has to rely on exploits that often offer In the first example, we will test our security no guarantee that the shellcode will execute, setup with shellcode. People regularly ask me you, on the other hand, can use reliable meth- for malware so they can test their security ods to inject and execute shellcode. Shellcode setup. First, that is a bad idea, and second, is almost always used in attack scenarios, but you can do without. Why is using malware a it can also be used for defense. bad idea? It is dangerous and not reliable.www.insecuremag.com 26
  22. 22. Say you use a trojan to test your sandbox. You So how can you reliably test your sandbox notice that your machine is not compromised. without risking infection, or even worse, have But is it because your sandbox contained the malware escape into your corporate network? trojan, or because the trojan failed to execute properly? It might surprise you, but there is a You can do this with shellcode. Here is an ex- lot of unreliable malware out in the wild - mal- ample of simple shellcode that will create a file ware that will crash more often than not, mal- in the directory of your choice (This shellcode ware that will flat-out refuse to run in certain includes a library that is not discussed in this environments, like virtual machines. article): ! segment .text ! ! call geteip ! ! geteip: ! ! pop ebx ! ! ; Setup environment ! ! lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx] ! ! push esi ! ! lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx] ! ! push esi ! ! push KERNEL32_NUMBER_OF_FUNCTIONS ! ! push KERNEL32_HASH ! ! call LookupFunctions ! ! ; CREATEFILEA and CLOSEHANDLE ! ! push 0x0 ! ! push 0x80 ! ! push 0x2 ! ! push 0x0 ! ! push 0x0 ! ! push 0x0 ! ! lea eax, [FILENAME-geteip+ebx] ! ! push eax ! ! call [KERNEL32_CREATEFILEA-geteip+ebx] ! ! push eax ! ! call [KERNEL32_CLOSEHANDLE-geteip+ebx] ! ! ret Let us assume you sandboxed your preferred This method is very reliable, especially com- browser, Firefox, and now you want to test if pared with the use of real (unreliable) mal- Firefox is restricted from writing to the sys- ware. If you need to test access to other re- tem32 directory. sources, like the registry, you just need to use shellcode that writes to a particular key in the For this, we use shellcode that creates file registry. c:windowssystem32testfile.txt and inject this shellcode in process firefox.exe. Example 2: Enforcing Permanent DEP If the test file was not created in the system32, DEP is an important security feature intro- you have successfully verified that your sand- duced with Windows XP SP3. But not all ap- box prevents Firefox from writing to the sys- plications use DEP, so here is how you can tem32 directory. You can also start Sysinter- enforce it. DEP can be enabled by setting a nals procmon and look for “access denied” flag in the executable file (the NO_EXECUTE messages from Firefox. This is further proof flag) or by calling WIN32 API function Set- that the shellcode tried to write to system32 ProcessDEPPolicy. but was denied.www.insecuremag.com 27
  23. 23. SetProcessDEPPolicy has one advantage ProcessDEPPolicy with argument 1 - some- over the NO_EXECUTE flag – it can enable thing you can do with shellcode. Permanent DEP. Once Permanent DEP has been enabled, it cannot be disabled anymore. Shellcode to enable Permanent DEP is rather The only way to enforce Permanent DEP is to simple: it only has to call SetProcessDEP- make the application (like calc.exe) call Set- Policy with argument 1: ; Enable permanent DEP in current process push PROCESS_DEP_ENABLE call [KERNEL32_SETPROCESSDEPPOLICY-geteip+ebx] When you inject this shellcode in your applica- pose you to turn in on again. To get rid of this tion, Permanent DEP will be turned on. But nag screen, I developed a patch: replace byte how can you modify your application so that it sequence calls SetProcessDEPPolicy each time it is 50A16CBF9323FF90C805000039750859 with launched? You can inject the shellcode per- 50A16CBF9323B8020000009039750859 in manently in the application with a PE-file edi- file EScript.api. If you cannot change file tor such as LordPE. EScript.api, you can still change the code di- rectly in memory. First you make a copy of the application (e.g. calc.exe) and you open it with LordPE. Then I have developed shellcode to search and re- you create a new section with the shellcode, place a sequence of bytes in the virtual mem- and make the entrypoint point to the shell- ory of an application. This shellcode can be code. When finished, the shellcode jumps to used to apply the Adobe Reader patch I de- the original entrypoint. You rebuild the PE file scribed. To achieve this, you inject this shell- and save it. code (together with the search and replace byte sequences) in Adobe Reader. When you execute this copy of calc.exe, your shellcode will be the first thing to run. This Another advantage of patching dynamically in shellcode will enable Permanent DEP, and memory with shellcode, is that the patch will then jump to the start of the calculator pro- not be lost when you update your application gram. to a new version (Adobe Reader in our exam- ple). Example 3: Patching an application Example 4: Preventing heap sprays with Patches are changes to the binary code of an shellcode application. They typically fix bugs, security vulnerabilities or change features. But when Shellcode is often used in attacks and mal- you make changes to the files of an applica- ware together with heap sprays: the heap is tion (.exe or .dll), you invalidate the digital sig- filled with shellcode (preceded by a long NOP nature and you are probably breaking the sled), and then the vulnerability is triggered. EULA. EIP jumps to the heap, hits a NOP sled and slides to the shellcode. The shellcode exe- If you want to change an application but are cutes, and typically downloads and installs a not in a position to change the binary files, trojan. shellcode designed to patch in memory can help you. Successful heap sprays can be prevented by pre-allocating memory, so that the heap spray Two years ago I developed a patch to fix an cannot write shellcode to the pre-allocated annoying “feature” of Adobe Reader 9.1. If you memory. If we pre-allocate memory and fill it disabled JavaScript in Adobe Reader, each with our own NOP sled and shellcode, we can time you opened a PDF document with em- intercept the attack and block it. bedded JavaScript, Adobe Reader would re- mind you that JavaScript is disabled and pro-www.insecuremag.com 28
  24. 24. If you open a PDF document with an util.printf But when we inject our own NOP sled and exploit with Adobe Reader 8.1.2, it will crash shellcode at this address (0x30303030), we because this PDF document contains an ex- achieve code execution. The exploit triggers, ploit that makes EIP jump to 0x30303030 (this but it executes our shellcode, not the shell- might be a few bytes off). Since there is no code of the attacker. code at this address, an exception is gener- ated. This is because we planted our shellcode in But if we inject defensive shellcode that dis- the applications memory before the PDF plays a warning for the user, the user will document was opened and the heap spray know he is being attacked with a malicious executed. PDF document and he will have a chance to act appropriately. The heap spray will fill memory with its attack shellcode, but it cannot overwrite our defense Conclusion shellcode. So when the exploit triggers after the heap spray filled memory, our shellcode Shellcode is just a program, and it is up to the executes instead of the attackers shellcode. programmer to code the behavior of his pro- gram. We could also use shellcode that suspends the attacked application and warns the user. Shellcode is often programmed to attack, but For user applications, like Adobe Reader, this there is no inherent reason why it cannot be shellcode offers a huge advantage over pro- coded to defend. tection methods that just pre-allocate heap memory and do not inject defensive shellcode. I hope that these four examples give you an idea how to use shellcode to protect your sys- If you just pre-allocate heap memory, the ap- tem. If you want the shellcode of these exam- plication will just crash when it is exploited, ples so that you can test it out yourself, take a and the user will not know what happened. He look at my workshop exercises: could easily assume that Adobe reader just workshop-shellcode.didierstevens.com crashed because of a bug, and try to open the malicious PDF document again. Or even It also contains some tools (for example to in- worse, send it to a colleague so that she can ject shellcode), and I have produced a video try to open the malicious document. for the DEP exercise.Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCITP, MCSE/Security,RHCT, CCNA Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial cor-poration.He is employed by Contraste Europe NV, an IT Consulting Services company (www.contraste.com). You canfind his open source security tools on his IT security related blog at blog.DidierStevens.com.www.insecuremag.com 29
  25. 25. RSA Conference 2012 The Amphion Forum www.rsaconference.com/events/2012/usa www.amphionforum.com Moscone Center, San Francisco Hotel Bayerischer Hof, Munich, Germany 27 February-2 March 2012. 28 March 2012. InfoSec World Conference & Expo Cyber Defence Summit 2012 www.cyberdefencesummit.com www.misti.com/infosecworld Grand Hyatt Hotel, Muscat, Oman Disneys Contemporary Resort, Orlando 2-3 April 2012 2-4 April 2012. HITBSecConf Amsterdam 2012 conference.hitb.org Okura Hotel, Amsterdam, the Netherlands 24-26 April 2012.www.insecuremag.com 30
  26. 26. Like it or not, enterprise IT organizations are quickly realizing that mobile de- vices are eclipsing PCs and laptops as the devices of choice for employees in the workplace and beyond. Mobile devices such as smartphones and tablets offer incredible power and flexibility in both our business and personal lives, which is leading to great pressure to integrate them within the enterprise. Mobile computing today, when done right, tight economic conditions – they continue to creates an opportunity for workers to be more struggle to address these issues. productive and happy, while also offering a major competitive advantage for the organiza- That is why many large, medium and even tion. However, if not done right, the conse- small corporations are seriously considering a quences can be quite devastating. formalized enterprise Mobile Device Man- agement (MDM) strategy to deal with the pro- This was the main topic of conversation dur- liferation of mobile devices knocking on their ing a recent series of workshops we hosted doors. This means not only using MDM spe- for public and private companies on the im- cific applications and products, but also com- pact the proliferation of mobile devices is hav- bining them with the right mix of policy, proce- ing on enterprises. Interestingly, not a single dures and end user training. organization in attendance had a fully formu- lated Mobile Device Management strategy. Done correctly, enterprise MDM can be a practical approach that first assesses the or- Most, if not all, were still on the ground floor ganization’s challenges, and then evolves with trying to figure out what to do. They realize the dynamic, constantly changing business there are significant risk mitigation issues that needs. By working together and developing a they need to address, but because IT is often pragmatic approach with MDM, an organiza- resource-constrained – especially in today’s tion’s IT and business leaders are much morewww.insecuremag.com 32
  27. 27. likely to embrace today’s mobile world – and • Physical access benefit from it. • Malicious code • Device and application attacks The mobility gold rush • The interception of communications • Insider threats. Its not hard to see why these devices have spurred this gold rush to mobility in the enter- Too often, the decision makers jump right to prise. Sometimes, it comes from the top. The which tools they should buy and want to know board or C-level execs may favor a certain what kinds of bells and whistles are out there device. Meanwhile, employees down the to “lock these things down.” To paraphrase chain are often adopting the latest devices, former U.S. Secretary of Defense Donald platforms and applications much faster than Rumsfeld, when it comes to mobility there are corporate IT departments can react. “known knowns,” “known unknowns,” and “unknown unknowns.” And most organizations Social media is growing as a business appli- don’t know what they don’t know when they cation as well, blurring the work and home look at how they are going to mitigate risk in a environments. Shifting business models also mobile environment. require tech-savvy employees, who are look- ing to connect to the enterprise with their So where do we begin? iPhones, iPads, Androids, Blackberries and other mobile platforms. And along the way, In our opinion, it is always best to use those employee expectations of corporate IT’s abil- tried and true methodologies, or best prac- ity to manage their mobile needs are chang- tices, that security professionals have been ing. preaching for years. But this consumerization of IT also presents An effective approach begins with a risk as- some significant challenges. Of course, the sessment that assesses, evaluates, manages cost of keeping up with the mobile world is and measures each of these security risks. It always a factor. Many companies simply can- is also important that the enterprise IT de- not afford to dedicate in-house resources to partment work with the business units to un- keep up. derstand their mobile requirements. Regardless of whether they do it themselves Without a comprehensive risk assessment, or engage outside expertise, organizations the purchasing decision will more than likely have to address the issue of integrating mo- not reflect the reality of what they are looking bile into existing business processes. This in- to protect. cludes managing the productivity of a remote workforce, determining the reliability of the Before moving forward, organizations need to mobile technologies, and most critical, secu- be able to answer several key questions: rity issues. 1. How many mobile devices are connected to For instance, a recent joint study by Carnegie our network? Mellons CyLab and McAfee found that almost 2. How do we know how many mobile devices half of users keep sensitive data on their mo- we have? bile devices, including passwords, PIN codes 3. How are these devices connecting? and credit card details. The ramifications of 4. How often are these devices connecting? losing a device or having it compromised can 5. What data and services are these devices be devastating – not only to the individual, but accessing? to the organization whose sensitive data, or at 6. How many of these devices are managed? least the keys to it (passwords, PINs, etc.), 7. How many comply with our corporate poli- may be held within the device. cies? 8. What would be the ramifications if any of For corporate IT, there are five major security these devices are compromised, lost or sto- risks that must be addressed: len?www.insecuremag.com 33
  28. 28. The matrix applications, and also often leave the device with a standard root password that may grant From here, a matrix of controls can be devel- an attacker administrator-level access to the oped to help enhance the risk mitigation. For device. instance, organizations need to determine what technologies and practices need to be The threat is real. Just last year, a hacker implemented to control different classes of in- pleaded guilty to electronically stealing data formation that mobile devices can access or from more than 100,000 iPad users. Employ- store. They also need to think ahead and ex- ees need to be aware that just because data tend acceptable use policies to all current and is contained in electronic form on their phone, future mobile devices. And all mobile device it is no less confidential and should be treated users must agree to company-defined proc- no less carefully than if it were on paper. And esses and regulations before being granted ideally, this requirement needs to be written access to corporate resources. into their employment contract and reinforced through regularly scheduled training. The next step is to design effective training and communication plans. Although the over- One very simple, yet elegant, solution is to whelming majority of organizations have poli- insist that users turn on the built-in security cies in place for mobile devices, fewer than mechanisms on their devices. Even before one in three employees are aware of their establishing a thorough risk mitigation strat- company’s mobile security policy. egy, organizations can insist that users must install a PIN number on their iPhone if they Consider this: many legit iPhone and iPad plan to use it to access the network. apps leak personal data to third parties. Users don’t help – some still insist on using 0000 or Mobile devices also have location awareness 1234 as their password, making it easy to tools that can help the IT department conduct hack the device. Jailbreaking also puts a remote wipe if the devices are lost or mis- iPhone users at risk for downloading infected placed.Although the overwhelming majority of organizations havepolicies in place for mobile devices, fewer than one in threeemployees are aware of their companys mobile security policy. One size does not fit all tralized security app for the variety of phones being released by vendors to the market. It is also important to realize that one size does not fit all when it comes to mobility. In It is most likely that within any corporate envi- fact, the ability to standardize on only one ronment there will never be a "one size fits all" mobile operating platform within the enter- solution. Employees, depending on their job prise is going the way of the rotary dial with requirements, will likely require varying levels the advent of these new devices and tech- of access to data and services. Thus it makes nologies. sense to consider some form of a multi-tiered answer to the problem. One suggestion is to Users are looking to blend their personal de- segment the environment into three basic lev- vices into their work lives, and that means or- els. ganizations need to prioritize which devices they will support and at what levels. For in- Tier One would be executives and others who stance, one issue that will need to be consid- need access to very specific types of highly ered is what images will be displayed on the sensitive information and services, and who various operating systems. And security re- will use the mobile devices as a critical facet mains an ever-present concern, since nobody of their jobs. Tier Two would be those whose has yet been able to develop a universal cen- mobile devices aren’t a necessity for the cor- poration, but can benefit both themselves andwww.insecuremag.com 34
  29. 29. the organization with some access. Finally, The apps story Tier Three would be individuals to whom a minimal level of access (perhaps email only) Over 300,000 mobile applications have been is granted, but strictly as a convenience to the developed in the last three years alone, and individual. users have downloaded 10.9 billion apps over that same time period. Clearly, the prolifera- For this scenario a multi-tiered solution may tion of apps has helped drive the consumeri- look something like this: zation of IT. • Tier One – Users qualify for corporate-liable The challenge is that most apps being pub- devices and are provisioned with Mobile De- lished to the app store are developed vice Management software and business ap- autonomously and don’t have a high level of plications. quality assurance when it comes to security. • Tier Two – Users qualify for personally- Yes, Apple and others will say they provide owned devices that are “lightly” managed and security checks, but those are mostly rudi- supported by the organization. mentary. Once the app is downloaded and in- • Tier Three – Users are free to connect their stalled, it is caveat emptor – back doors and own devices with web-based applications, but coding objection flaws probably haven’t been they don’t qualify for reimbursement of any addressed in today’s app stores. Users are at kind, nor are they supported by the organiza- the mercy of the app, and they aren’t really tion. seeing what’s being communicated and how it’s being communicated across the network. Organizations must also reserve the right to manage any and all mobile devices that re- For instance, a colleague recently accessed a quire access to corporate resources. This well-known airline’s mobile app to check in. management responsibility needs to be inde- He was shocked when he immediately re- pendent of who actually owns the mobile de- ceived a notification from his personal DLP vices, and may require the installation of the (Data Loss Protection) service that his check- firm’s security policies on the mobile devices in request had been blocked due to a violation as a condition of being granted access to cor- in the DLP security policy. It turns out that the porate resources. airline’s app did not enforce the transmission to be encrypted through a secure HTTPS One thing that can be easily overlooked is the connection, but rather simply passed it need to protect the integrity and privacy of through clear text HTTP. So sensitive informa- corporate data by isolating that data inside the tion – including his phone number, house ad- firewall from personal data. This can be done dress and flight information – would all have either by “sandboxing” or taking a virtualized been transmitted had the DLP not stepped in approach to data storage. and prevented it. Of course, the key to this matrix of controls is At the enterprise level, it’s critical to under- enforcement of strong security policies that stand which apps are mission-essential and prevent data security breaches. These polices standardize mobile users on those apps. should address encryption, PINs and pass- Those can be published for download only words, auto-lock capabilities, location track- while a user is on the corporate image and ing, remote wipes, disabling non-approved connected to the network. Organizations applications, features and functionality, and should also examine their internal app store policy removal prevention. and focus on setting restrictions on apps that are not business-essential. Once all of these controls are in place, or- ganizations can prioritize and determine how Location. Location. Location. and when users will be provisioned with enterprise-class applications, and address The big problem with mobility is that organiza- ramifications for non-compliance with these tions don’t know where people are going to be controls. Enterprise MDM risk mitigation poli- when they try to access the network with their cies should also be reviewed at least yearly. devices.www.insecuremag.com 35

×