The Consumerisation of Corporate IT - An Ethical Hacker’s View


  1. The Consumerisation of Corporate IT - An Ethical Hacker’s View
     Peter Wood, Chief Executive Officer, First • Base Technologies LLP
  2. Who is Peter Wood?
     - Worked in computers & electronics since 1969
     - Founded First • Base in 1989 (one of the first ethical hacking firms)
     - CEO, First Base Technologies LLP
     - Social engineer & penetration tester
     - Conference speaker and security ‘expert’
     - Chair of Advisory Board at CSA UK & Ireland
     - Vice Chair of BCS Information Risk Management and Audit Group
     - Vice President UK/EU, Global Institute for Cyber Security + Research
     - Member of ISACA Security Advisory Group
     - Corporate Executive Programme Expert
     - Expert
     - IISP Interviewer
     - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
     - Registered BCS Security Consultant
     - Member of ACM, ISACA, ISSA, Mensa
  3. Agenda
     - Context, motivation, responses
     - Why is consumerisation an issue?
     - Not cool enough yet?
     Note: this presentation offers no solutions … I break things, I don’t usually fix them
  4. Consumerisation?
  5. Consumer vs Corporate
  6. I’ve seen this battle before …
  7. MIT predicts …
  8. Booz & Co. report
     - Employees expect to be able to use all the innovative new devices at their disposal, both to do their jobs and to maintain their always-connected lifestyles, while being able to work whenever and wherever they need to.
  9. Corporate vs. Consumer
  10. Consumer vs. Corporate
  11. Booz & Co. report
     - … the efforts of corporate IT departments to maintain perimeter security by exerting tight control over their networks is ultimately doomed to failure.
  12. BYOC/D/T/…
     - When Henry Ford introduced the Model T in 1908, the speed limit in most places - provided you were outside city limits - was just 20 miles per hour (in town, it was usually just 10 mph).
     - That restriction seems hopelessly quaint today. You know what else will soon seem equally quaint? Your company's repressive approach towards employees' devices.
     (Gary Kovacs, senior vice president at Sybase)
  13. Bruce Schneier says …
     - Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
  14. Consumerisation models?
  15. Who’s doing it?
  16. So why is this an issue?
  18. Mobile risks at every layer
     - NETWORK: Interception of data over the air
       - WiFi has the same problems as laptops
       - GSM has some cracks (Chris Paget, DEFCON 2010)
     - HARDWARE: Baseband layer attacks
       - Memory corruption defects in firmware used to root your device (Ralf-Philipp Weinmann, Black Hat DC 2011)
     - OS: Defects in the kernel or vendor-supplied system code
       - Every time an iPhone or Android device is rooted or jailbroken, this is usually the cause
     - APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors
       - Your device isn’t rooted, but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual
     Content courtesy of Jason Steer at Veracode
  19. Activity monitoring and data retrieval
     Mobile data that attackers can monitor and intercept:
     - Messaging (SMS and email)
     - Audio (calls and open-microphone recording)
     - Video (still and full-motion)
     - Location
     - Contact list
     - Call history
     - Browsing history
     - Input
     - Data files
     Content courtesy of Jason Steer at Veracode
  20. Activity monitoring and data retrieval
     - Secret SMS Replicator for Android
     - RBackupPRO for Symbian
     Content courtesy of Jason Steer at Veracode
  21. Unauthorized dialing, SMS, and payments
     - Directly monetize a compromised device
     - Premium rate phone calls, premium rate SMS texts, mobile payments
     - SMS text message as a spreading vector for worms
       - Premium rate SMS: Trojan-SMS.AndroidOS.FakePlayer.a
       - Premium rate phone call: Windows Mobile Troj/Terdial-A
     Content courtesy of Jason Steer at Veracode
  22. Unauthorized network connectivity (exfiltration or command & control)
     - Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker
     - Communication channels for exfiltration and command and control:
       - Email
       - SMS
       - HTTP GET/POST
       - TCP socket
       - UDP socket
       - DNS exfiltration
       - Bluetooth
       - BlackBerry Messenger
       - Endless list …
     Content courtesy of Jason Steer at Veracode
  23. UI impersonation
     - Similar to phishing attacks that impersonate the website of the victim’s bank or online service
     - Web view applications on the mobile device can proxy to the legitimate website
     - A malicious app creates a UI that impersonates the phone’s native UI or the UI of a legitimate application
     - The victim is asked to authenticate and ends up sending their credentials to an attacker
       - Proxy/MITM: 09Droid banking apps (fake banking apps for Android)
     Content courtesy of Jason Steer at Veracode
  24. Sensitive data leakage
     Content courtesy of Jason Steer at Veracode
  25. Unsafe sensitive data storage
     - Mobile apps often store sensitive data such as banking and payment system PINs, credit card numbers, or online service passwords
     - Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it from the file system
       - Citibank: insecure storage of sensitive data
       - Wells Fargo Mobile app 1.1 for Android
     Content courtesy of Jason Steer at Veracode
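The storage point on slide 25, as an added example that is not code from the slides, from Veracode, or from any of the named apps. It contrasts the record an app would write to its data directory if it stored a PIN verbatim with a record that stores only a salted PBKDF2-HMAC-SHA256 verifier. The verifier is the standard choice for a secret the app only needs to check, not the encryption the slide names; encryption is what you need for data the app must read back, and its key then has to live outside the file (for instance in the platform keystore), which this example does not cover. The sample PIN and the iteration count are constructed for the example; `record_exposes_secret` is the check a reviewer can run over any app's stored files.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a 4-digit banking PIN, the slide's first example of sensitive data.
SAMPLE_PIN = "4921"

# Assumption: an illustrative PBKDF2 work factor for this example, not a recommendation
# from the slides.
PBKDF2_ITERATIONS = 200_000


def store_pin_plaintext(pin: str) -> bytes:
    """Insecure: the record written to the file system contains the PIN itself.
    Anyone who can read the file (a device backup, a rooted device, another app
    on a weakly sandboxed platform) has the PIN without further work."""
    return f"pin={pin}\n".encode()


def store_pin_verifier(pin: str, salt: Optional[bytes] = None) -> bytes:
    """Hardened: write a salted PBKDF2-HMAC-SHA256 verifier instead of the PIN.
    The PIN never reaches the file. Note the limit: a 4-digit PIN has only 10,000
    values, so the work factor slows offline guessing but cannot stop it; a device
    still needs attempt limiting or a hardware-backed keystore on top of this."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}\n".encode()


def verify_pin(record: bytes, candidate: str) -> bool:
    """Recompute the verifier for a candidate PIN and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.decode().strip().split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unknown verifier scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def record_exposes_secret(record: bytes, secret: str) -> bool:
    """Reviewer's check: does the stored record contain the secret verbatim?
    True means the app has the slide's defect (plaintext sensitive data on disk)."""
    return secret.encode() in record


if __name__ == "__main__":
    insecure = store_pin_plaintext(SAMPLE_PIN)
    hardened = store_pin_verifier(SAMPLE_PIN)
    print("plaintext record exposes PIN:", record_exposes_secret(insecure, SAMPLE_PIN))
    print("verifier record exposes PIN: ", record_exposes_secret(hardened, SAMPLE_PIN))
    print("correct PIN verifies:        ", verify_pin(hardened, SAMPLE_PIN))
    print("wrong PIN verifies:          ", verify_pin(hardened, "0000"))
```

Run the module directly to see the two records side by side; the per-record random salt also means two installs storing the same PIN produce different files, so a stolen verifier from one device tells an attacker nothing about another.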
  26. Unsafe sensitive data transmission
     - Mobile devices are especially susceptible because they use wireless communications exclusively, often over public WiFi
     - Even if the app implements SSL, it can still fall victim to a downgrade attack if it allows HTTPS to be degraded to HTTP
     - SSL can also be compromised if the app does not fail on invalid certificates, enabling a man-in-the-middle attack
     Content courtesy of Jason Steer at Veracode
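The two transmission failures on slide 26, as an added example that is not code from the slides or from Veracode. It is written against Python's standard `ssl` module rather than a mobile SDK because the two defects are the same on every platform: a client that turns certificate verification off, shown beside one that keeps it on, and a URL policy that refuses the HTTPS-to-HTTP downgrade at every hop of a redirect chain. The host name, URLs and redirect chain are constructed; no connection is opened.

```python
import ssl
from urllib.parse import urlparse

# Constructed: the host the app is supposed to talk to.
EXPECTED_HOST = "bank.example.com"


def insecure_context() -> ssl.SSLContext:
    """The slide's second defect: the app does not fail on invalid certificates.
    With verification off, any certificate is accepted, so an attacker on the
    same WiFi can present their own and read the session (man-in-the-middle)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Certificate chain validated against the trust store, host name checked,
    and a floor on the protocol version so the handshake itself cannot be
    negotiated down to an obsolete one."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_fails_on_invalid_cert(ctx: ssl.SSLContext) -> bool:
    """Review check for any context an app builds: does it fail closed on a bad cert?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def allowed_api_url(url: str, expected_host: str) -> bool:
    """The slide's first defect, inverted: only HTTPS, and only to the expected host.
    urlparse handles the userinfo trick (https://good@evil/), so a URL whose real
    host is not expected_host is rejected even if it begins with the right name."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == expected_host


def redirect_chain_is_safe(chain: list, expected_host: str) -> bool:
    """A downgrade usually arrives as a redirect: the first URL is HTTPS, a later
    one is HTTP. Every hop must pass, not just the first."""
    return bool(chain) and all(allowed_api_url(u, expected_host) for u in chain)


if __name__ == "__main__":
    # Constructed redirect chain of the kind a hostile network would inject.
    downgraded = [
        "https://bank.example.com/api/login",
        "http://bank.example.com/api/login",
    ]
    print("insecure context fails closed:", context_fails_on_invalid_cert(insecure_context()))
    print("hardened context fails closed:", context_fails_on_invalid_cert(hardened_context()))
    print("downgraded chain allowed:     ", redirect_chain_is_safe(downgraded, EXPECTED_HOST))
```

In a real client the context goes to the HTTP library's connection pool and `allowed_api_url` is applied before every request and on every redirect target the library reports, which is the point at which a downgrade is stopped.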
  27. Drive-by vulnerabilities
  28. DroidDream
     - March 1, 2011: more than 50 applications were found to be infected with ‘DroidDream’, which could compromise a significant amount of personal data
     - May 30, 2011: 26 applications were found to be infected with Droid Dream Light (DDLight). Between 30,000 and 120,000 users were affected.
  29. DroidKungFu
     - DroidKungFu takes advantage of two vulnerabilities to install a backdoor that gives hackers full control of your phone
     - Not only do they have access to all of your user data, but they can turn your phone into a bot and basically make your smartphone do anything they want
  30. Not cool enough yet?
  33. Reasons to jailbreak
  37. Real Android
  38. iAndroid
  39. Smartphone mashups
  40. Need more information?
     Peter Wood
     Chief Executive Officer
     First • Base Technologies LLP
     [email_address]
     Blog:
     Twitter: peterwoodx