Copyright ©2011Savid
Can you steal from me now?
Mobile and BYOD Risks
Michael A. Davis
Chief Executive Officer
Savid Techn...
Agenda
• Trends that you must get in front of
• The Real Mobile Threats
• Data/Document Sharing Risks
• Ask Questions
Who am I?
• Michael A. Davis
– CEO of Savid Technologies
• IT Security Consulting
• Risk Assessments/Auditing
• Security R...
Author
InformationWeek Contributor
Devices w/ Broadband CY2010 CY2015 Increase
Tablets $600M $6B 1000%
Netbooks $1.2B $6B 500%
Mobility Trends
But…
• Fragmentation makes management impossible
without software
Mobile Device Risks at Every Layer
• NETWORK: Interception of data over the air.
– WiFi has al the same problems as laptop...
Mobile App Ecosystem
Mobile platform providers have different levels of
controls over their respective ecosystems
Platform...
Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthoriz...
Activity monitoring and data retrieval
• Risks:
– Sending each email sent on the device to a hidden 3rd party address
– Li...
Activity monitoring and data retrieval
Examples:
Secret SMS Replicator for Android
http://www.switched.com/2010/10/28/sms-...
Unauthorized dialing, SMS, and
payments
• Directly monetize a compromised device
• Premium rate phone calls, premium rate ...
Exfiltration or command & control
• Spyware or other malicious functionality typically requires exfiltration to
be of bene...
Drive by Malware
UI impersonation
• Similar to phishing attacks that impersonating website of their bank
or online service.
• Web view appl...
Unsafe sensitive data transmission [CWE-319]
• It is important that sensitive data is encrypted in transmission lest it
be...
Why Mobility Is Exploding
Privacy Leaks
• Reveal sensitive information
• Defamation of others / organizations
• This can be inadvertent or deliberat...
Unaware Users
• Photos contain data on location,
etc
• Twitter, FB post
Location
• FB/Twitter filter
photo data but
phone ...
Privacy Solutions
• It is the email threat all over again
• Inherit trust of “friends” leads to bad choices
• Facebook, tw...
Mobile Privacy
• Data Collection
• Data Retention
• Data Sharing
What do your apps do?
Mobile Document Access
• Encryption is opt-in by the developer
• Opening a document may copy it or even transfer it
• How ...
Upcoming SlideShare
Loading in …5
×

Can You Steal From Me Now? Mobile and BYOD Security Risks

804 views

Published on

Presentation I gave at BriForum 2012 where I discuss Mobile Security Risks, BYOD and mobile privacy issues. Lastly, I wrap up with a discussion of Document Rights Management and mobile.

The Mobile Security Risks as adapted and updated from the Veracode Top 10 Mobile Security issues (With permission from Chris Wysopal)

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
804
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Can You Steal From Me Now? Mobile and BYOD Security Risks

  1. 1. Copyright ©2011Savid Can you steal from me now? Mobile and BYOD Risks Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
  2. 2. Agenda • Trends that you must get in front of • The Real Mobile Threats • Data/Document Sharing Risks • Ask Questions
  3. 3. Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
  4. 4. Author
  5. 5. InformationWeek Contributor
  6. 6. Devices w/ Broadband CY2010 CY2015 Increase Tablets $600M $6B 1000% Netbooks $1.2B $6B 500% Mobility Trends
  7. 7. But… • Fragmentation makes management impossible without software
  8. 8. Mobile Device Risks at Every Layer • NETWORK: Interception of data over the air. – WiFi has al the same problems as laptops – GSM has shown some cracks. Chris Paget demo DEFCON 2010 • HARDWARE: Baseband layer attacks – Memory corruption defects in firmware used to root your device – Demonstrated at Black Hat DC 2011 by Ralf-Philipp Weinmann • OS: Defects in kernel code or vendor supplied system code – Every time iPhone or Android rooted/jailbroken this is usually the cause • APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors – Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
  9. 9. Mobile App Ecosystem Mobile platform providers have different levels of controls over their respective ecosystems Platform Signing Revocation Approval Android Anonymous, self- signed Yes No iOS Signed by Vendor Yes Policy & Quality Blackberry Signed with Vendor issued key Yes No Windows Phone Signed by Vendor Yes Policy, Quality & Security Symbian Signed by Vendor Yes Quality
  10. 10. Malicious Functionality 1. Activity monitoring and data retrieval 2. Unauthorized dialing, SMS, and payments 3. Unauthorized network connectivity (exfiltration or 4. command & control) 5. UI Impersonation 6. System modification (rootkit, APN proxy config) 7. Logic or Time bomb Vulnerabilities 7. Sensitive data leakage (inadvertent or side channel) 8. Unsafe sensitive data storage 9. Unsafe sensitive data transmission 10. Hardcoded password/keys The Veracode Top 10 List
  11. 11. Activity monitoring and data retrieval • Risks: – Sending each email sent on the device to a hidden 3rd party address – Listening in on phone calls or simply open microphone recording. – Stored data, contact list or saved email messages retrieved. • The following are examples of mobile data that attackers can monitor and intercept: – Messaging (SMS and Email) – Audio (calls and open microphone recording) – Video (still and full-motion) – Location – Contact list – Call history – Browsing history – Input – Data files
  12. 12. Activity monitoring and data retrieval Examples: Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts- banned-android/ RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
  13. 13. Unauthorized dialing, SMS, and payments • Directly monetize a compromised device • Premium rate phone calls, premium rate SMS texts, mobile payments • SMS text message as a spreading vector for worms. Examples: Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a https://www.computerworld.com/s/article/9180561/New_Android_malware_ texts_premium_rate_numbers Premium rate phone call –Windows Mobile Troj/Terdial-A http://nakedsecurity.sophos.com/2010/04/10/windows-mobile-terdial-trojan- expensive-phone-calls/
  14. 14. Exfiltration or command & control • Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. • Mobile devices are designed for communication. Many potential vectors that a malicious app can use to send data to the attacker. • The following are examples of communication channels attackers can use for exfiltration and command and control: – Email – SMS – HTTP get/post – TCP socket – UDP socket – DNS exfiltration – Bluetooth – Blackberry Messenger
  15. 15. Drive by Malware
  16. 16. UI impersonation • Similar to phishing attacks that impersonating website of their bank or online service. • Web view applications on the mobile device can proxy to legitimate website. • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application. • Victim is asked to authenticate and ends up sending their credentials to an attacker. Example: Proxy/MITM 09Droid Banking apps http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android- apps-market
  17. 17. Unsafe sensitive data transmission [CWE-319] • It is important that sensitive data is encrypted in transmission lest it be eavesdropped by attackers. • Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. • SSL is one of the best ways to secure sensitive data in transit. – Beware of downgrade attack if it allows degrading HTTPS to HTTP. – Beware of not failing on invalid certificates. This would enable a man-in-the-middle attack.
  18. 18. Why Mobility Is Exploding
  19. 19. Privacy Leaks • Reveal sensitive information • Defamation of others / organizations • This can be inadvertent or deliberate • And the repercussions include – Reputation damage – Damage to organization – Fines
  20. 20. Unaware Users • Photos contain data on location, etc • Twitter, FB post Location • FB/Twitter filter photo data but phone doesn’t • Once a photo, video or message is sent by mobile phone, the user can never regain total control of the content.
  21. 21. Privacy Solutions • It is the email threat all over again • Inherit trust of “friends” leads to bad choices • Facebook, twitter, myspace – All rip with malware and privacy problems • Instant Messaging is also a growing medium for malware distribution • This is nothing more than social engineering USER EDUCATION IS KEY
  22. 22. Mobile Privacy • Data Collection • Data Retention • Data Sharing What do your apps do?
  23. 23. Mobile Document Access • Encryption is opt-in by the developer • Opening a document may copy it or even transfer it • How can you control or guarantee the apps viewing the document? – GoodReader – iAnnotate • Company App Stores aren’t enough unless you are also analyzing the app itself (most aren’t) • Most apps rely upon device encryption which requires the users password

×