Mobile ActiveSync Russian Roulette
Presented by Oliver “deathflu” Greiter

Mobile Activesync Russian Roulette - Kiwicon 09

As the popularity of communication (especially email) using mobile devices increases so does the risk of data leakage and data theft. This presentation will review Microsoft Mobile Activesync looking at transport layer security, controls enforced on the mobile devices and some potentially lethal fun (to the device anyway).

Speaker notes
  • How many of you have checked your email while sitting on the toilet?
    pause
    A report by Osterman Research focusing on mobile messaging in the North American workplace found that 79% of respondents admitted to doing so.
    o 77% have done so while driving (when the car is moving)
    o 41% have done so on a commercial flight while in the air
    o 16% have done so during a funeral or memorial service
    o 11% have done so during a romantic moment
    pause
    I’m here to talk to you about the bad things that can happen while checking your email on the shitter.
  • - Austrian by nationality, don’t hold an Australian passport
    - there are no kangaroos in Austria
    - risky biz movember team
  • - it’s a basic web application

    - some organisations implement using the corporate owned devices and some organisations implement the solution using employee owned devices
  • - The server is normally named autodiscover.domain.name
    - sync also via USB Cradle Sync
    - IIS accepts the connection and then passes it onto the exchange server
    - (HTTPS)
  • - Basic Auth - Base64 easily decoded
    - Device ID - the administrative interface can be used to block or permit certain device IDs

    - All three platforms tested (WM, iPhone OS, Symbian OS) implemented the Microsoft API to different levels (device policy)

    - Nokia wipe interrupted - removed pin lock and emails were still in inbox

    Device policy consists of things such as:
    - enforcing a device password
    - min pass length
    - alphanumeric pass
    - max password age
    - pass history
    - account lockout threshold
    - idle session timeout
  • - Just by sniffing traffic you can already start enumerating domain usernames from the URL.
    - Policy Key does not appear to change/increment (over a week it didn’t change)

    - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert

    #Binary Data
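The request format from the “Sample Sync Request” slide, parsed the way a defender reviewing proxy or IIS captures would. This is an added example, not code from the talk; the host, account, IMEI and password in it are constructed. It shows the two points above: the account name is readable in the query string, and Basic auth is only base64 (decoded here just far enough to prove it, then dropped).

```python
"""Parse a captured Exchange ActiveSync request and surface what it leaks.

Added example, not code from the talk; request layout follows the 'Sample Sync
Request' slide, with host, user, IMEI and password constructed. The account name
is in the clear in the query string and Basic auth is only base64.
"""
import base64
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed credential CORP\jdoe / Hunter2!, encoded the way a client does.
CONSTRUCTED_BASIC = base64.b64encode(b"CORP\\jdoe:Hunter2!").decode()

# Constructed capture modelled on the slide's request (all values invented).
SAMPLE_REQUEST = (
    "POST /Microsoft-Server-ActiveSync?User=jdoe&DeviceId=IMEI000000000000001"
    "&DeviceType=IMEI000000000000001&Cmd=Sync HTTP/1.1\r\n"
    "Host: autodiscover.example.invalid\r\n"
    "Authorization: Basic " + CONSTRUCTED_BASIC + "\r\n"
    "User-Agent: NokiaE61i/2.09(158)MailforExchange\r\n"
    "Content-Type: application/vnd.ms-sync.wbxml\r\n"
    "MS-ASProtocolVersion: 12.1\r\n"
    "X-MS-PolicyKey: 1234567890\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_eas_request(raw: str) -> dict:
    """Return the identity-bearing fields of one EAS request, password redacted."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = parse_qs(url.query)

    def first(key):
        return query.get(key, [None])[0]

    info = {
        "method": method,
        "cmd": first("Cmd"),
        "url_user": first("User"),      # in the URL: lands in proxy/IIS logs and any MITM capture
        "device_id": first("DeviceId"),
        "device_type": first("DeviceType"),
        "policy_key": headers.get("x-ms-policykey"),
        "auth_scheme": None,
        "auth_user": None,              # DOMAIN\user recovered from the Basic header
        "password_recoverable": False,  # True when the header decoded to user:password
    }
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    info["auth_scheme"] = scheme or None
    if scheme.lower() == "basic":
        try:
            creds = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            creds = ""
        user, sep, _password = creds.partition(":")  # _password discarded on purpose
        info["auth_user"] = user or None
        info["password_recoverable"] = bool(sep)
    return info


def users_per_device(raw_requests) -> dict:
    """DeviceId -> sorted account names seen with it; more than one is worth a look,
    since a replayed or hand-built request reuses a captured DeviceId."""
    seen = defaultdict(set)
    for raw in raw_requests:
        info = parse_eas_request(raw)
        if info["device_id"] and info["url_user"]:
            seen[info["device_id"]].add(info["url_user"])
    return {dev: sorted(users) for dev, users in seen.items() if len(users) > 1}
```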
  • - explain the setup process and “automatically obtain settings” from the Exchange server
    - Settings are sent to the device via an XML response from the server
    - queried public DNS for autodiscover hostnames (Australian and New Zealand examples shown on the slides)

  • list of autodiscover domains
  • - Attack one endpoint or the other or the traffic in between

    - SSL has copped a battering this year (wildcard ssl cert, reneg flaw), this talk isn’t about that. The user still gets prompted about a dodgy SSL cert...in most cases. This talk is about the shitty implementation of security on the various clients.

    - port 443 is all we care about (maybe dns too!)

    - SSL cert - Moxie’s wildcard SSL cert (firefox 2 accepts the certs without warning, firefox 3 won’t prompt the user to accept the cert in default config)

    - proxy to pass, capture and replay traffic
  • Sniff Traffic - Pass on the traffic, while logging it. Use the creds to gain access to any other applications that are AD integrated such as Outlook Web Access or the internal domain through some other path (physical access, wireless, etc.)
    Request Replay - Send emails (SPAM), retrieve emails, retrieve attachments, search for contacts (mirror address book)
    Response Replay - Kill Response replay - explain - (central management function to deal with lost or stolen devices)
  • Overview of what is going to take place when executing kill command replay

    as we know the user can’t be relied upon to decide if a cert is valid or not, especially when very little information is provided like on mobile devices

    so how does each of the platforms react when presented with a wildcard ssl cert?
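The check a client has to get right before it trusts anything the server sends, the 449 / Provision (remote wipe) response included: strict matching of the presented certificate name against the host it dialled. This is an added example, not code from the talk or from any of the platforms tested; it applies RFC 6125 conservatively and covers the two failure modes behind Moxie Marlinspike’s 2009 “wildcard” certificate (a NUL byte inside the name, a wildcard that is not a whole leftmost label with a real domain after it). The certificates are constructed dicts in the shape Python’s ssl `getpeercert()` returns.

```python
"""Strict TLS server-name matching of the kind an ActiveSync client must apply.

Added example, not code from the talk or the platforms it tested. A client that
does not settle "is this really my server?" before acting on a response will
also act on a replayed 449 / Provision wipe. Rules: RFC 6125 read conservatively,
plus rejection of NUL bytes in names (null-prefix trick) and of any wildcard
that is not the entire leftmost label followed by at least two real labels.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers hostname."""
    if "\x00" in pattern or "\x00" in hostname:
        return False  # a C-string comparison would stop at the NUL and match the prefix
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False  # empty name or empty label
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard: only as the whole leftmost label, with at least two labels after
    # it (so '*' and '*.com' are rejected), and it never spans a dot.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_server_name(cert: dict, hostname: str) -> bool:
    """SAN dNSName entries decide when present; the CN is only a fallback."""
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(hostname_matches(name, hostname) for name in san_names)
    cn_names = [value for rdn in cert.get("subject", ())
                for key, value in rdn if key == "commonName"]
    return any(hostname_matches(name, hostname) for name in cn_names)


# Constructed certificates in getpeercert() shape; no real hosts or keys involved.
GOOD_CERT = {
    "subject": ((("commonName", "autodiscover.dept.example"),),),
    "subjectAltName": (("DNS", "autodiscover.dept.example"), ("DNS", "mail.dept.example")),
}
BARE_WILDCARD_CERT = {"subject": ((("commonName", "*"),),)}
NUL_PREFIX_CERT = {
    "subject": ((("commonName", "autodiscover.dept.example\x00.attacker.example"),),)
}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("bare wildcard", BARE_WILDCARD_CERT),
                        ("nul prefix", NUL_PREFIX_CERT)]:
        print(f"{label:14s} -> {verify_server_name(cert, 'autodiscover.dept.example')}")
```

CPython’s `ssl` module applies equivalent rules itself when `SSLContext.check_hostname` is on; the point of spelling them out is to see exactly what the clients in the talk were skipping.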
  • -in response to any request we reply with this...
  • - can view cert details (cn name etc.)
    - default action is continue
  • The user is only prompted once

    iPhone OS 2.1 doesn’t prompt when presented with invalid cert
  • 0x80072F17 = Unsupported Digital Certificate installed. If you installed a digital certificate that supports wildcards from a certifying digital certificate provider, this certificate will install however using the certificate is not supported.

    - in reality this just means that the device won’t accept the dodgy cert.
    - user isn’t given the option to accept the cert
  • - the device is nuked
    - reset to factory state (everything is gone!!!)
    - your high scores on your driving game (gone!)
  • - ensure devices are adequately secured (jailbroken iPhones, first person to exploit this was a Dutch hacker charging 5 euros to fix it)
    - only Windows Mobile supports enforced encryption
    - so instead of vodafone.net.nz your APN would be some company name for example
    Device policy at a minimum:
    - Enforce device password is set to TRUE
    - Minimum password length is 7 characters
    - Alphanumeric passwords is enforced
    - Maximum password age is set to 90 days
    - Password history is set to 12 remembered
    - Account lockout threshold is set to 3
    - Idle session timeout is set to 20 minutes
  • Pretty standard for web applications

    This way the user’s credentials don’t need to be sent to the server with each request.
  • 3G Micro Cells have recently become available to AT&T customers in the U.S.
    They cost US$149.
    How long before these are hacked and used to perform 3G MITM attacks?
    Kiwicon 2010 anyone?

    Are we going to have people sitting in airport lounges
    with micro cells, MITM 3G connections, exploiting SSL and sitting
    between cell phone users and their internet banking?
  • Slide transcript: Mobile Activesync Russian Roulette - Kiwicon 09

    1. Mobile ActiveSync Russian Roulette
       Presented by Oliver “deathflu” Greiter
       assurance

    2. Assurance / Oliver Greiter
       Assurance = compliance { penetration testing/ethical “hacking”, review, audit }, wireless & mobility, UNIX/Windows/network and security consulting/support
       Oliver = professional bio author and breaker of stuff

    3. Exchange ActiveSync
       - Based on HTML and XML
       - Platforms with Exchange ActiveSync compatible client
       - Allows users to access their e-mail, calendar, contacts, and tasks stored on Exchange server
       - Cheaper solution to implement (at first glance) when compared to other solutions such as BlackBerry
       - “Good” way to encourage (enslave) users to check corporate email on their own time

    4. Simple Diagram

    5. Default security configuration
       - SSL transport layer protection (HTTPS)
       - Basic Auth
       - Device ID
       - “Enforced” Device Security Policy

    6-13. Sample Sync Request
       POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274&DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1
       Host: autodiscover.dept.gov.au
       Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9
       Accept-Language: en-us
       Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ==
       Expect: 100-continue
       User-Agent: NokiaE61i/2.09(158)MailforExchange
       Content-Type: application/vnd.ms-sync.wbxml
       MS-ASProtocolVersion: 12.1
       X-MS-PolicyKey: 1799664318
       Content-Length: 68

       jEOK1643522697R5U50WX2EF1G3072[1

    14. autodiscover.{domain}.com
       Approximately 30% of “Top 500 domains”* had an autodiscover hostname in DNS
       *http://www.seomoz.org/top500

    15-16. [image slides: list of autodiscover domains]

    17. MITM Attack
       ARP spoof? DNS poisoning? Fake WiFi Hotspot? Port re-direction?

    18. MITM Fun
       - Sniff Traffic - Emails, Contacts, Notes, User credentials (AD domain)
       - Client Request Replay - Generate your own requests and replay them to the server
       - Server Response Replay - Generate your own responses and replay them to the client

    19. Kill Command Replay

    20-22. Sample kill response
       HTTP/1.1 449 Retry after sending a PROVISION command
       Connection: Keep-Alive
       Date: Fri, 20 Nov 2009 22:29:31 GMT
       Content-Type: text/html
       Server: Microsoft-IIS/6.0
       Cache-Control: private
       X-AspNet-Version: 2.0.50727
       MS-Server-ActiveSync: 8.1
       X-Powered-By: ASP.NET
       Content-Encoding: gzip
       Vary: Accept-Encoding
       Content-Length: 70

       ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6

    23-24. Symbian OS
       Nokia N95, Mail for Exchange v2.9.158

    25-26. iPhone OS
       iPhone 3G, iPhone OS v3.1.2

    27-28. Windows Mobile 6.1
       Dell AXIM X51v PDA, Windows Mobile 6.1

    29. What just happened?

    30. In an ideal world...
       - Valid SSL Certificate on server
       - Unique Client Certificate on each device
       - Device (and storage card) encryption
       - Access restricted to private Cell Network Access Point Name (APN)
       - HTTP Digest authentication
       - Exchange ActiveSync domain segregation
       - User education

    31. Application Improvement
       How about introducing session management as a default component of the application?

    32. Where to from here?
       3G MITM Attacks?

    33. Danke
       - y011
       - kiwicon crüe

    34. Questions?
       oliver.greiter@assurance.com.au
