The 7 Insecure Habits Of Highly Effective Smartphones P.Ceelen & M.Smeets Infosecuritycongress Nov2011
Sheets as presented at the 2011 Infosecurity conference about the insecurities of mobile devices.
Published in: Technology

Transcript

  • 1. The 7 insecure habits of highly effective smartphones and tablets 2 November 2011, Infosecurity.nl seminar Pieter Ceelen Marc Smeets
  • 2. © 2011 KPMG Advisory N.V., a Dutch limited liability company, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
    Agenda
    ■ Intro
      – Who are we?
      – What’s the buzz?
    ■ The 7 insecure habits
    ■ Solutions
    ■ Wrap up
  • 3. Who are we?
    Pieter Ceelen
    ■ Loves hacking, cooking and reading books
    ■ Android user
    Marc Smeets
    ■ Loves fast cars and champagne (not together)
    ■ Loves IT security
    ■ Apple user
    Ethical hackers @ KPMG IT Advisory
    ■ Team of over 15 IT security testers
    ■ Combining strong technical skills with IT auditing skills
    ■ Translating the impact of deep technical issues to management, from bit to board
  • 4. What’s the buzz?
    History
    ■ BlackBerry served the corporate world
    ■ As of 2007, major growth in the market share of smartphones (iPhone, Android)
    Recent years
    ■ Explosion of smartphone penetration
    ■ Emergence of tablets
    ■ Corporate and private phones get mixed: “Bring your own device”
    Recent years
    ■ Intuitive, usable interface
    ■ Internet/cloud integration
    ■ Affordable pricing
    [Chart “Explosion”: share of worldwide 2011 Q2 smartphone sales to end users by operating system, according to Gartner. Image from Wikipedia, user Eraserhead1]
  • 5. The 7 habits
  • 6. Habit 1: I don’t know where my data is
  • 7. Habit 1: I don’t know where my data is
    [Diagram: devices connect over WiFi / UMTS / GPRS through the internet to the corporate Exchange services, governed by Mobile Device Management]
  • 8. Habit 1: I don’t know where my data is
    [Diagram, extended: besides the corporate Exchange services and Mobile Device Management reached over WiFi / UMTS / GPRS, devices also reach internet services and web/cloud services, local services on the corporate or private network over WiFi / USB, and peripherals over USB and Bluetooth]
  • 9. Habit 1: I don’t know where my data is
    Habit 2: ActiveSync doesn’t make all secure
  • 10. Habit 2: ActiveSync doesn’t make all secure
    ActiveSync:
    ■ “Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML [..] enables mobile phone users to access their e-mail, calendar, contacts, and tasks”
    ■ De-facto standard, widely supported by devices.
    ActiveSync can perform security checks:
    ■ Require password
    ■ Length of password
    ■ Require encryption on device
    ■ Etc.
  • 11. Habit 2: ActiveSync doesn’t make all secure (cont.)
    Two major security issues with ActiveSync
    ■ 1. ActiveSync checks are device-local security checks
    ■ 2. It relies on XML over HTTP(S)
    1. The security checks are device-local security checks
    ■ ActiveSync server asks: “Do you have a screen lock?”
    ■ Device answers: “Yeah, sure! Now give me the latest emails.”
  • 12. Habit 2: ActiveSync doesn’t make all secure (cont.)
    Two major security issues with ActiveSync
    ■ 1. Security checks are device-local security checks
    ■ 2. Relies on XML over HTTP(S)
    2. Relies on XML over HTTP(S)
    ■ Man-in-the-middle attacks
      – HTTP is clear text
      – HTTPS allows for rogue certificates
    ■ Intercepted data contains:
      – sync data (e.g. email data)
      – authentication data!
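The first ActiveSync issue on slide 11, modelled as an added example (not code from the deck or from Microsoft; the policy fields, status codes and class names are constructed): the server sends a policy, the device evaluates it locally and reports a status, and the server's decision rests on that self-report alone, so it cannot tell a compliant device from one that merely claims to be.

```python
"""Toy model of the ActiveSync provisioning trust gap: the server only
ever sees what the device reports about itself. Not the real EAS wire
format; field names and status codes are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Policy the server pushes to the device (constructed subset)."""
    require_password: bool = True
    min_password_length: int = 6
    require_device_encryption: bool = True


@dataclass
class Device:
    """Actual state of the handset, which the server cannot observe."""
    has_password: bool
    password_length: int
    encrypted: bool
    honest: bool = True   # False models a client that reports success regardless

    def evaluate(self, policy: Policy) -> bool:
        """The compliance check runs on the device itself."""
        if policy.require_password and not self.has_password:
            return False
        if policy.require_password and self.password_length < policy.min_password_length:
            return False
        if policy.require_device_encryption and not self.encrypted:
            return False
        return True

    def provision_response(self, policy: Policy) -> dict:
        """What goes back to the server: a status the device chooses itself."""
        reported = self.evaluate(policy) if self.honest else True
        return {"status": 1 if reported else 2}   # constructed: 1 = policy applied


def server_grants_sync(policy: Policy, device: Device) -> bool:
    """Server-side decision, based solely on the device's reported status."""
    return device.provision_response(policy)["status"] == 1


def server_can_distinguish(policy: Policy, a: Device, b: Device) -> bool:
    """True only if the server's decision differs between the two devices."""
    return server_grants_sync(policy, a) != server_grants_sync(policy, b)


if __name__ == "__main__":
    policy = Policy()
    compliant = Device(has_password=True, password_length=8, encrypted=True)
    noncompliant = Device(has_password=False, password_length=0, encrypted=False)
    claims_compliant = Device(has_password=False, password_length=0, encrypted=False, honest=False)
    print(server_grants_sync(policy, compliant))         # True
    print(server_grants_sync(policy, noncompliant))      # False
    print(server_grants_sync(policy, claims_compliant))  # True: the server sees no difference
    print(server_can_distinguish(policy, compliant, claims_compliant))  # False
```

The mitigation the deck points at (Mobile Device Management and the fine-grained checks of Solution 1) amounts to replacing the self-report with evidence the server can verify.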
  • 13. Habit 1: I don’t know where my data is
    Habit 2: ActiveSync doesn’t make all secure
    Habit 3: Disk encryption doesn’t keep my data secure
  • 14. Habit 3: Disk encryption doesn’t keep my data secure
    Disk encryption is iOS only; Android has no official disk encryption yet.
    iOS disk encryption:
    ■ Technically it is hard disk encryption
    ■ But it decrypts itself without user input
    ■ Main reason: fast wiping via crypto-shredding
    A better solution is encryption based on: something you know (passcode) + something you have (crypto chip) -> Data Protection
    Critical flaws in iOS allow for retrieval of all data on an iOS device if stolen.
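The distinction on slide 14, as an added example (not the deck's code and not Apple's scheme): a file key wrapped under a key derived from the device key alone unwraps with no user input at all, while one wrapped under device key + passcode does not. The wrapping construction (HMAC-SHA256 keystream plus an HMAC tag) and all key and salt values are constructed stand-ins.

```python
"""Constructed illustration of 'disk encryption' (device key only) versus
'Data Protection' (device key + passcode). The wrap/unwrap below is a toy
HMAC-based construction for demonstration, not Apple's AES-based design."""
import hashlib
import hmac
import os
from typing import Optional


def derive_kek(device_key: bytes, passcode: Optional[str], salt: bytes) -> bytes:
    """Key-encryption key. With passcode=None only the hardware key contributes,
    so anyone holding the device can derive it without the user."""
    secret = device_key if passcode is None else device_key + passcode.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 20_000, dklen=32)


def wrap(kek: bytes, file_key: bytes) -> bytes:
    """Wrap a file key (at most 32 bytes) under the KEK: nonce || ct || tag."""
    nonce = os.urandom(16)
    mask = hmac.new(kek, b"mask" + nonce, hashlib.sha256).digest()[: len(file_key)]
    ct = bytes(a ^ b for a, b in zip(file_key, mask))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the file key, or None when the KEK is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None          # refuse rather than hand back garbage
    mask = hmac.new(kek, b"mask" + nonce, hashlib.sha256).digest()[: len(ct)]
    return bytes(a ^ b for a, b in zip(ct, mask))


def scenario(passcode_at_setup: Optional[str], passcode_at_unlock: Optional[str]) -> bool:
    """True if the data becomes readable with the passcode offered at unlock time."""
    device_key = b"\x01" * 32        # constructed stand-in for the per-device hardware key
    salt = b"constructed-salt"
    file_key = b"\x42" * 32          # constructed per-file key protecting the user data
    blob = wrap(derive_kek(device_key, passcode_at_setup, salt), file_key)
    return unwrap(derive_kek(device_key, passcode_at_unlock, salt), blob) == file_key


if __name__ == "__main__":
    print(scenario(None, None))      # True: disk encryption unlocks without the user
    print(scenario("1234", None))    # False: Data Protection needs the passcode
    print(scenario("1234", "1234"))  # True
    print(scenario("1234", "0000"))  # False
```

Crypto-shredding corresponds to destroying the wrapped blob or the device key, after which no unwrap succeeds in either mode.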
  • 15. Habit 3: Disk encryption doesn’t keep my data secure
  • 16. Habit 1: I don’t know where my data is
    Habit 2: ActiveSync doesn’t make all secure
    Habit 3: Disk encryption doesn’t keep my data secure
    Habit 4: Theft is an issue, despite remote wipe
  • 17. Habit 4: Theft is an issue, despite remote wipe
    Remote wipe procedure:
    ■ 1. End user or administrator commands the device to perform a wipe
    ■ 2. Smartphone receives a message and performs the wipe
    Implementation differences between systems
    ■ iOS: push notifications from Apple’s servers
    ■ Android: web or SMS messages (custom apps)
    ■ ActiveSync: on the next sync attempt the device receives a wipe command
    What if the device never receives the wipe message?
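The open question on slide 17 answered from the server side, as an added example (not from the deck or any MDM product): issued wipe commands are tracked until the device acknowledges them, and any command still unacknowledged after a deadline is flagged so the account can be locked out without waiting for a device that may never come back online. Deadline, channel names and escalation actions are assumptions.

```python
"""Constructed tracker for remote-wipe commands that may never be delivered."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Server-side actions that do not depend on the device cooperating (assumed list).
ESCALATION = [
    "disable ActiveSync partnership",
    "reset account password",
    "revoke device certificates and tokens",
]


@dataclass
class WipeCommand:
    device_id: str
    channel: str                     # "push", "sms" or "activesync", as on the slide
    issued_at: datetime
    acked_at: Optional[datetime] = None


class WipeTracker:
    def __init__(self, ack_deadline: timedelta) -> None:
        self.ack_deadline = ack_deadline
        self.commands: Dict[str, WipeCommand] = {}

    def issue(self, device_id: str, channel: str, now: datetime) -> None:
        """Record that a wipe was commanded; re-issuing restarts the clock."""
        self.commands[device_id] = WipeCommand(device_id, channel, now)

    def acknowledge(self, device_id: str, now: datetime) -> None:
        """The device reported back that it executed the wipe."""
        cmd = self.commands.get(device_id)
        if cmd is not None and cmd.acked_at is None:
            cmd.acked_at = now

    def overdue(self, now: datetime) -> List[str]:
        """Devices whose wipe is unacknowledged past the deadline."""
        return sorted(d for d, c in self.commands.items()
                      if c.acked_at is None and now - c.issued_at > self.ack_deadline)

    def escalations(self, now: datetime) -> Dict[str, List[str]]:
        """Server-side actions to take for each overdue device."""
        return {d: list(ESCALATION) for d in self.overdue(now)}


def demo() -> List[str]:
    """Constructed scenario: two wipes issued, one acknowledged, two hours later."""
    t0 = datetime(2011, 11, 2, 9, 0)                       # constructed timestamp
    tracker = WipeTracker(ack_deadline=timedelta(hours=1))
    tracker.issue("phone-A", "push", t0)
    tracker.issue("phone-B", "activesync", t0)            # never syncs again
    tracker.acknowledge("phone-A", t0 + timedelta(minutes=5))
    return tracker.overdue(t0 + timedelta(hours=2))        # ["phone-B"]


if __name__ == "__main__":
    print(demo())
```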
  • 18. Habit 4: Theft is an issue, despite remote wipe
  • 19. Habit 1: I don’t know where my data is
    Habit 2: ActiveSync doesn’t make all secure
    Habit 3: Disk encryption doesn’t keep my data secure
    Habit 4: Theft is an issue, despite remote wipe
    Habit 5: Jailbreaking isn’t only for hackers
  • 20. Habit 5: Jailbreaking isn’t only for hackers
    Jailbreaking (iOS) = removing the ‘jail’ Apple has put in
    ■ Install apps Apple did not approve
    Rooting and custom ROMs (Android)
    ■ Rooting = gaining root-level access to the device
    ■ Custom ROM = custom OS (faster, newer, better)
    Jailbreaking and rooting can be done via running applications and via the boot loader
    It is not that hard!
  • 21. Habit 5: Jailbreaking isn’t only for hackers
  • 22. Habit 1: I don’t know where my data is
    Habit 2: ActiveSync doesn’t make all secure
    Habit 3: Disk encryption doesn’t keep my data secure
    Habit 4: Theft is an issue, despite remote wipe
    Habit 5: Jailbreaking isn’t only for hackers
    Habit 6: Quality assured AppStore doesn’t prevent malware and viruses
  • 23. Habit 6: QA’ed AppStore doesn’t prevent malware and viruses
    Google checks:
    ■ Are you a developer? Was the 25 dollar developer fee paid?
    ■ Are users complaining once released?
    ■ Afterwards: remove known rogue apps remotely from devices with the ‘kill switch’
    Apple has ‘strict’ checks in the AppStore
    ■ Some security checks on code
    ■ Adherence to Apple’s guidelines
    ■ Brand / trademark protection
    Android allows installing apps from non-Google app stores with a few clicks
  • 24. Habit 6: QA’ed AppStore doesn’t prevent malware and viruses
  • 25. Habit 1: I don’t know where my data is
    Habit 2: ActiveSync doesn’t make all secure
    Habit 3: Disk encryption doesn’t keep my data secure
    Habit 4: Theft is an issue, despite remote wipe
    Habit 5: Jailbreaking isn’t only for hackers
    Habit 6: Quality assured AppStore doesn’t prevent malware and viruses
    Habit 7: Google and Apple don’t fix security issues in time
  • 26. Habit 7: Google and Apple don’t fix security issues in time
    Android
    ■ Security updates rely on Google, the device vendor, the telco and the user
    ■ Major releases lagging by over 6 months
    ■ Average device gets less than a year of security updates
    ■ Some currently sold devices are already 2 major releases behind
    ■ Distribution “over the air” or via USB cable
    ■ No clear statements from vendors on support
    Apple
    ■ Security updates rely on Apple and the user
    ■ Less diversity, more enforcement by Apple
    ■ Critical security issues not fixed in release updates
  • 27. There are even more habits
  • 28. Habits we didn’t even mention
    ■ Life cycle and diversity
    ■ App permissions
    ■ Legal
    ■ iTunes and mp3s on the corporate computer
    ■ Privacy and geotracking
    ■ Publishing apps by your organisation
    ■ Unauthorized apps that use your branding/website
    ■ Technical vulnerabilities
    ■ Asset management processes
    ■ User awareness and security incident reporting without a phone
  • 29. Solutions
  • 30. Solution 1: Fine-grained security checks
  • 31. Fine-grained security checks
    Functionality
    ■ Additional security checks on the device, for example:
      – Jailbreak detection
      – Application/malware checks
    ■ Data processed using regular device software
    [Diagram: operating system]
    Pro
    ■ Native apps
    Con
    ■ Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks
  • 32. Solution 1: Fine-grained security checks
    Solution 2: Virtualization
  • 33. Virtualization
    Functionality
    ■ Two operating systems:
      – playground
      – hardened environment under full control of a central management environment
    [Diagram: operating system]
    Pro
    ■ Native apps
    Con
    ■ Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks
    ■ Hypervisor-specific attacks
  • 34. Solution 1: Fine-grained security checks
    Solution 2: Virtualization
    Solution 3: Secure container
  • 35. Secure container
    Functionality
    ■ All data encrypted on device
    ■ Application includes functionality for rendering Word/Excel files and intranet content
    ■ Encryption between app and corporate network
    [Diagram: operating system]
    Pro
    ■ Data always encrypted, prevents various security issues
    Con
    ■ Attacks on the secure container, e.g. implementation flaws
    ■ Attacks outside the container, e.g. key loggers and screen scrapers
  • 36. Solution 1: Fine-grained security checks
    Solution 2: Virtualization
    Solution 3: Secure container
    Solution 4: Remote desktop
  • 37. Remote desktop
    Functionality
    ■ Render view/desktop from a remote system
    ■ No data stored on the device itself
    [Diagram: operating system]
    Pro
    ■ No data on device
    Con
    ■ Usability, e.g. app interface
    ■ Availability, e.g. working in an airplane
    ■ Attacks outside the container, e.g. key loggers and screen scrapers
  • 38. Wrap up
  • 39. Wrap up
    Enrolling mobile devices results in new risks
    ■ Broader than expected, e.g. legal, technology, cloud integration, backups
    ■ Security controls work differently on mobile devices
    Technical solutions
    ■ Different security architectures to reduce the risks of mobile devices
    ■ No technical solution fixes it all; mitigate risks by people, processes and technology
    How to continue
    ■ Perform a risk assessment before implementation
    ■ Consult with relevant experts
    ■ Implement security controls for people, process and technology
    ■ Test the effectiveness of security controls
    ■ Stay up-to-date with recent developments
  • 40. Thank you
    Presentation by:
    Marc Smeets MSc. CISSP CISA, smeets.marc@kpmg.nl, +31 6 513 66680
    Pieter Ceelen MSc., ceelen.pieter@kpmg.nl, +31 6 515 72696
  • 41. © 2011 KPMG Advisory N.V., a Dutch limited liability company, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International.