Emerging Threats and Attack Surfaces

Peter Wood and his team conduct ethical hacking engagements for multi-national organisations in varied business sectors. Peter will address the top three emerging threats, how they affect the attack surface of a typical business and how they can be exploited.

  • Activity monitoring and data retrieval are the core functionality of any spyware. Data can be intercepted in real time as it is generated on the device: for example, forwarding each email sent from the device to a hidden third-party address, letting an attacker listen in on phone calls, or simply turning on microphone recording. Stored data such as the contact list or saved email messages can also be retrieved. Examples: Secret SMS Replicator for Android: http://www.switched.com/2010/10/28/sms-replicator-forwards-texts-banned-android/ ; RBackupPRO for Symbian: http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
  • http://www.f-secure.com/weblog/archives/00001852.html
  • Sensitive data leakage can be either inadvertent or via a side channel. A legitimate app's use of device information and authentication credentials can be poorly implemented, exposing this sensitive data to third parties. Data at risk: location; owner ID info (name, number, device ID); authentication credentials; authorization tokens. http://boingboing.net/2009/11/05/iphone-game-dev-accu.html
  • Citigroup warned customers of a security flaw in its free iPhone app and urged them to update to the newest version, which fixes the problem. The Citigroup iPhone app accidentally stored sensitive customer information, potentially exposing it to compromise. Banks have been on the cutting edge, developing apps for smartphone platforms that let users view account balances, transfer funds, review pending transactions, make payments, and more. There are an estimated 18 million mobile banking customers in the United States, of which Citi has about 800,000, placing it fifth behind banks such as Bank of America. The security concern in the Citigroup iPhone app relates to a file within the app that accidentally stores sensitive information. Data such as account numbers, bill payments and security access codes are stored on the iPhone, where they could later be accessed by attackers or other unauthorized users. http://www.pcworld.com/businesscenter/article/201994/citi_iphone_app_ The Wells Fargo Mobile application for Android contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the program stores a username and password, along with account balances, in cleartext, which discloses sensitive banking information to a physically present attacker who reads the application data. http://osvdb.org/show/osvdb/69217
  • With a vast increase in the number of people working from home or on the move, wireless networking has become pervasive. The average home user doesn’t want to know about the complexities of wireless security (WPA PSK versus WEP, etc.), so most home wireless networks are inadequately protected or just plain open. The same is true of many wireless hotspots, of course: if you don’t have to authenticate and enter a key, it’s unlikely to be safe.
  • Many people don’t understand that wireless networking is like a wired hub – there is no packet switching, so anyone connected to an open wireless access point can see everyone else’s traffic. Again, discovering how to do this isn’t hard and the tools are free. A criminal attacker could be sitting some distance away with a directional antenna, watching everything on the unprotected network.
  • Emerging Threats and Attack Surfaces
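The Citi and Wells Fargo findings in the notes above come down to secrets written to app storage in cleartext. As an added example (not code from the presentation or from Veracode), here is a small Python audit that scans extracted app data for the two kinds of value those findings describe; the key names, file paths and sample contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Keys that should never sit beside a plaintext value in app storage (constructed list).
SECRET_KEYS = re.compile(
    r'(?i)\b(password|passwd|pin|access[_ ]?code|auth[_ ]?token|session[_ ]?id)'
    r'\b\s*[:=]\s*"?([^\s",;]+)')
# 13-19 digit runs, optionally spaced or dashed: card and account numbers.
DIGIT_RUN = re.compile(r'\b(?:\d[ -]?){13,19}\b')


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters timestamps and random IDs out of the digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_file(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Findings for one file as (path, kind, redacted value)."""
    found = []
    for m in SECRET_KEYS.finditer(text):
        value = m.group(2)
        found.append((path, m.group(1).lower(), value[:2] + "*" * (len(value) - 2)))
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append((path, "card_or_account_number", "*" * (len(digits) - 4) + digits[-4:]))
    return found


def scan_app_data(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan a mapping of path -> contents; an empty list means nothing was spotted."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


# Constructed sample of what a leaky banking app's local cache might hold.
SAMPLE = {
    "Library/Caches/settings.plist": "username=jdoe\npassword=Summ3r2012\nlast_login=1333123456789",
    "Documents/recent.txt": "Paid bill from 4111 1111 1111 1111 on 2012-04-12",
    "Library/Preferences/ui.plist": "theme=dark\nfont_size=14",
}

if __name__ == "__main__":
    for path, kind, value in scan_app_data(SAMPLE):
        print(f"{path}: {kind} -> {value}")
```

Run it against a copy of the app's data directory taken from a backup; values are redacted in the report so the audit output does not itself become a second copy of the secret.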

    1. Hackers and Threats Summit. Emerging Threats and Attack Surfaces: An Ethical Hacker’s View. Peter Wood, Chief Executive Officer, First•Base Technologies LLP
    2. Who is Peter Wood? Worked in computers & electronics since 1969; founded First Base in 1989 (one of the first ethical hacking firms); CEO, First Base Technologies LLP; social engineer & penetration tester; conference speaker and security ‘expert’; member of ISACA Security Advisory Group; Vice Chair of BCS Information Risk Management and Audit Group; UK Chair, Corporate Executive Programme; FBCS, CITP, CISSP, MIEEE, M.Inst.ISP; Registered BCS Security Consultant; member of ACM, ISACA, ISSA, Mensa. (© First Base Technologies 2012)
    3. Agenda. Top issues for this year:
       • BYOD
       • Public WiFi (and home working)
       • Password quality
       • … I had more but not enough time!
       Beware: this presentation offers no easy solutions!
    4. Bring Your Own …
    5. Activity monitoring and data retrieval. Mobile data that attackers can monitor and intercept:
       • Messaging (SMS and email)
       • Audio (calls and open microphone recording)
       • Video (still and full-motion)
       • Location
       • Contact list
       • Call history
       • Browsing history
       • Input
       • Data files
       (Source: Jason Steer, Veracode)
    6. Unauthorised network connectivity (exfiltration or command & control)
       • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker
       • Communication channels for exfiltration and command and control: email, SMS, HTTP GET/POST, TCP socket, UDP socket, DNS exfiltration, Bluetooth, BlackBerry Messenger … an endless list
       (Source: Jason Steer, Veracode)
    7. UI impersonation
       • Similar to phishing attacks that impersonate the website of the victim’s bank or online service
       • Web view applications on the mobile device can proxy to the legitimate website
       • A malicious app creates a UI that impersonates the phone’s native UI or the UI of a legitimate application
       • The victim is asked to authenticate and ends up sending their credentials to an attacker
       Examples: proxy/MITM; 09Droid banking apps (fake banking apps for Android)
       (Source: Jason Steer, Veracode)
    8. Sensitive data leakage (Source: Jason Steer, Veracode)
    9. Unsafe sensitive data storage
       • Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords
       • Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it from the file system
       Examples: Citibank insecure storage of sensitive data; Wells Fargo Mobile app 1.1 for Android
       (Source: Jason Steer, Veracode)
    10. Unsafe sensitive data transmission
       • Mobile devices are especially susceptible because they use wireless communications exclusively, and often public WiFi
       • Even if the app implements SSL, it can still fall victim to a downgrade attack if it allows HTTPS to be degraded to HTTP
       • SSL can also be compromised if the app does not fail on invalid certificates, enabling a man-in-the-middle attack
       (Source: Jason Steer, Veracode)
    11. Drive-by vulnerabilities
    12. BYOD Issues
       • Activity monitoring and data retrieval
       • Unauthorised network connectivity
       • UI impersonation
       • Sensitive data leakage
       • Unsafe sensitive data storage
       • Unsafe sensitive data transmission
       • Drive-by vulnerabilities
    13. Public & Home WiFi
    14. Infosecurity Europe 2012 Experiment
       • Open WiFi on a laptop on our stand
       • Network name: ‘Infosec free wifi’
       • Fake AP using airbase-ng on BackTrack
       • In one day we collected 86 unique devices
    15. Home & Public WiFi
       • No encryption (or just WEP)
       • Plain-text traffic (email, unencrypted sites)
       • SSL VPNs
       • False sense of security
    16. Eavesdropping. Packet sniffing unprotected WiFi can reveal:
       • logons and passwords for unencrypted sites
       • all plain-text traffic (e-mails, web browsing, file transfers)
    17. Firesheep capturing
    18. Firesheep: game over
    19. Open WiFi Issues
       • Open and WEP-encrypted WiFi networks are visible to anyone
       • Plain-text data on an insecure wireless network can be intercepted and read by anyone
       • SSL and TLS may be no protection at all
       • Password re-use is a major vulnerability (e.g. HB Gary)
       • Home networks are usually insecure and hence vulnerable to targeted attacks
    20. Password Quality
    21. Password ‘Quality’
       • “I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva. “We’ve been following the same patterns since the 1990s.”
       • Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace.
       • The list was briefly posted on the Web, and hackers and security researchers downloaded it.
    22. List Windows privileged accounts and look for service accounts
    23. Case study: Administrator passwords. Global organisation:
       • 67 Administrator accounts
       • 43 simple passwords (64%)
       • 15 were “password” (22%)
       • Some examples we found: admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow
    24. Case study: password crack
       • 26,310 passwords from a Windows domain
       • 11,279 (42.9%) cracked in 2½ minutes
       • It’s not a challenge!
    25. Typical passwords
       Account name         Password
       administrator        null, password, administrator
       arcserve             arcserve, backup
       test                 test, testing, password
       backup               backup
       tivoli               tivoli
       backupexec           backup
       smsservice           smsservice
       any username         password, monday, football
       any service account  same as account name
    26. If we can boot from CD or USB …
    27. Boot Ophcrack Live
    28. We have some passwords!
    29. … or just read the disk
    30. Copy hashes to USB key
    31. … a few minutes later
    32. Change the Administrator Password
    33. Password Issues
       • Passwords based on dictionary words and names
       • Service accounts with simple/stupid passwords
       • Other easy-to-guess passwords
       • Little or no use of passphrases
       • Password policies not tailored to specific environments (e.g. the Windows LM hash problem)
       • Old-fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
       • Just general ignorance and apathy?
    34. Do you know how vulnerable you are?
    35. Need more information? Peter Wood, Chief Executive Officer, First•Base Technologies LLP. peterw@firstbase.co.uk; http://firstbase.co.uk; http://white-hats.co.uk; http://peterwood.com; Blog: fpws.blogspot.com; Twitter: peterwoodx
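Slide 10 names two transport failures: accepting invalid certificates and letting an HTTPS session degrade to HTTP. As an added example (not code from the presentation or from Veracode), this Python shows the weak TLS context beside the hardened one and a redirect handler that refuses the downgrade; `NoDowngradeRedirect` and the other function names are hypothetical.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def weak_context() -> ssl.SSLContext:
    """The setting slide 10 warns about: any certificate is accepted, so an
    attacker's self-signed certificate terminates the session unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store and check the hostname,
    so an invalid certificate fails the connection instead of proceeding."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # already the default; set explicitly so a
    ctx.verify_mode = ssl.CERT_REQUIRED  # later loosening shows up in code review
    return ctx


def verifies_certificates(ctx: ssl.SSLContext) -> bool:
    """Policy check an app's test suite can run against the context it ships."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def is_downgrade(from_url: str, to_url: str) -> bool:
    """True when following a redirect would move an https request onto plain http."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """Hypothetical helper: refuses 3xx redirects that drop from https to http."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise urllib.error.HTTPError(newurl, code, "refusing HTTPS-to-HTTP downgrade", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    """Opener that both verifies certificates and refuses downgrade redirects."""
    https = urllib.request.HTTPSHandler(context=hardened_context())
    return urllib.request.build_opener(https, NoDowngradeRedirect())
```

Use `build_opener().open(url)` in place of the default opener; a forged certificate raises an SSL error and a redirect to `http://` raises `HTTPError` rather than being silently followed.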
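Slides 23 to 25 and 33 describe the weak password patterns that audits keep finding: passwords equal to the account name, per-account defaults, dictionary words or names with a digit suffix, and the Windows LM hash problem. As an added example (not First Base's tooling), this Python checks account/password pairs obtained through a sanctioned audit for exactly those patterns; the word list and the sample pairs are constructed.

```python
import re
from typing import Dict, List

# Per-account defaults from slide 25; any of these is an immediate finding.
TYPICAL = {
    "administrator": {"", "password", "administrator"},   # "null" on the slide = empty
    "arcserve": {"arcserve", "backup"},
    "test": {"test", "testing", "password"},
    "backup": {"backup"},
    "tivoli": {"tivoli"},
    "backupexec": {"backup"},
    "smsservice": {"smsservice"},
}
ANY_USER = {"password", "monday", "football"}
# Constructed mini-dictionary seeded from slide 23; a real audit loads a full wordlist.
WORDS = {"admin", "crystal", "finance", "friday", "macadmin", "monkey", "orange",
         "password", "prague", "pudding", "rocky", "security", "sparkle", "webadmin", "yellow"}
LM_MAX_LEN = 14   # Windows keeps an LM hash only for passwords of 14 chars or fewer (if LM storage is on)

def base_word(password: str) -> str:
    """Strip a trailing digit/symbol suffix so 'rocky4' and 'password1' map to their word."""
    return re.sub(r"[\d!@#$%^&*]+$", "", password.lower())

def audit_one(account: str, password: str) -> List[str]:
    """Findings for one account, in the order slides 25 and 33 raise them."""
    acct, pw = account.lower(), password.lower()
    findings = []
    if pw == acct:
        findings.append("same as account name")
    if pw in TYPICAL.get(acct, set()) or pw in ANY_USER:
        findings.append("typical default password")
    if base_word(pw) in WORDS:
        findings.append("dictionary word or name, possibly with a suffix")
    if len(password) <= LM_MAX_LEN:
        findings.append("LM-hashable: 14 characters or fewer")
    return findings

def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Accounts with at least one finding; a clean result is an empty dict."""
    report = {a: audit_one(a, p) for a, p in accounts.items()}
    return {a: f for a, f in report.items() if f}

# Constructed sample pairs, as a sanctioned audit would supply them.
SAMPLE = {"administrator": "password", "arcserve": "arcserve",
          "jsmith": "rocky4", "svc_sql": "Blue-Kettle-Whistles-at-Dawn-7"}
```

The passphrase entry produces no findings, which is the point of slide 33's "little or no use of passphrases": length alone takes an account out of LM-hash and rainbow-table range.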