Euro mGov Securing Mobile Services

Presentation of the paper "Securing mobile services" at the 1st Euro Conference on Mobile Government (Euro mGov 2005), Brighton, England, July 2005.

1. Securing Mobile Services
   Miguel Ponce de Leon, John Ronan, Jimmy McGibney
   Telecommunications Software & Systems Group, Waterford Institute of Technology, Ireland
   [email_address]
   Security for the pervasive computing world

2. Contents
  • Threats to Mobile Networks & Services
  • SEINIT approach
  • Building a “smart” wireless access point
    • Embedded intrusion detection & honeypot

3. Security – a difficult problem
  • Internet access is easy and cheap (and fairly anonymous)
  • Lack of policy and implementation of policy
  • Complexity & scale of systems
  • Technology weaknesses
    • Tendency to develop first & add security afterwards
  • Domination by a small number of OSs & apps
    • Find a Windows bug and you have millions of sitting targets
    • Rapid dissemination of exploits among attackers
  • Lack of education of users
  • User mobility
  • Hard to verify security
    • “If it is provably secure, it is probably not”, L.R. Knudsen

4. m-Government Security
  • Very strong requirements for:
    • Privacy
    • Anonymity (in some cases)
    • Authentication
    • Integrity
    • Availability (critical infrastructures…)
  • As well as:
    • Usability
    • Ubiquity
    • Low cost (for citizens)
    • Verification & audit
    • Diverse & “lowest common denominator” technology on the user side

5. General threats & vulnerabilities
  • OS vulnerabilities
  • Application vulnerabilities
  • Protocol weaknesses
  • Sniffing on the network
  • Keystroke logging
  • Password cracking
  • Malware – viruses, worms, Trojan horses
  • Social engineering
  • Non-technological
    • Loss of key personnel, loss of power, lightning, fire, flood, software bugs, vendor bankruptcy, labour unrest, …

6. Specific Threats to Mobile Services
  • Eavesdropping by a third party
    • Electromagnetic spectrum is available to all
    • Often weak or no encryption
  • Bogus user
    • Poor user authentication with WiFi; SIM cloning; stolen phones
  • Bogus network
    • Base station or access point presenting itself as the network to the user, for example to collect user data
  • Denial of service
    • Deliberate jamming of the wireless signal
    • Or unintentional – network congestion, large congregations of users (e.g. at a sports event), large downloads hogging bandwidth, etc.

8. Worldwide War Drive 2004
  • See www.worldwidewardrive.org
  • Results:
    • 228,537 access points found
    • 82,755 (35%) with default SSID
    • 140,890 (60%) with open system authentication (no key needed)
    • 62,859 (28%) with both – i.e. no security

9. Some tips for wireless LAN security
  • Treat wireless as untrusted
    • Similar to the public Internet
    • Firewall, etc., between the WLAN and the rest of the network
  • Use higher-layer security
    • e.g. VPN from station to Internet
  • Check for unauthorised access points
  • Audit authorised access points
    • Make them difficult to access from outside
    • Use a directional antenna to “point” the radio signal
  • Protect stations using personal firewalls and intrusion detection

10. SEINIT Project
  • Security Expert Initiative
  • European Union 6th Framework IST Programme
  • Objective: “Provide a trusted and dependable security framework, ubiquitous, working across multiple devices, heterogeneous networks, organisation independent and centred around an end-user”
  Security for the pervasive computing world

11. SEINIT: conceptual approach
  • Virtualisation of security
  • mGovernment => Government “virtually” anywhere
  • How to secure virtual entities?
    • services, etc., that are user centred
    • devices and network almost irrelevant
  (Classical security just looks at these layers)

12. SEINIT: conceptual approach
  [Diagram: axes Space / Geography, Instantiation, Time; labels UMTS, Internet, Wi-Fi, Bluetooth, Interface, Logical, Virtual]

13. SEINIT: conceptual approach
  • Infosphere
    • Digital space linked more to an individual or organisation than to devices or infrastructure
    • Not necessarily under the control of the user
    • Virtual
  • Security Domain
    • Controlled by an individual or organisation
    • Logical
  [Diagram: infospheres and security domains – Alice’s personal data, cybercafe, Alice’s office, Alice’s bank, Alice’s ISP, Alice’s telecom operator, software company (e.g. Microsoft)]

14. SEINIT: conceptual approach
  • “Ambience” discovery
    • To secure the mobile, virtual world, context is everything
    • Threat level may depend on:
      • Location
      • Environment (neighbours, etc.)
      • Real-time threats
    • IDS & honeypots provide part of this

15. SEINIT work in progress
  • Embedding IDS and dynamic honeypot capabilities on a WLAN access point

16. Intrusion Detection System (IDS)
  • Monitors activity on a host or network & raises alerts
  • Rules-based detection (most common)
    • Based on known attacks
  • Statistical anomaly detection
    • Tends to produce too many false alarms

17. Honeypot
  • Definition
    • “A resource whose value lies in being probed, attacked or compromised”
  • System or component with no real-world value, set up to lure attackers
  • By definition, all activity on a honeypot is highly suspect
    • Can catch new attacks
    • Few false alarms

18. Combining IDS and Honeypots
  • Common components
    • Data collection
    • Analysis and decision algorithm
    • Action module
  • Main differences
    • Honeypot must be used to be effective
    • IDS operates continuously on the data flow
  • They are complementary:
    • IDS can provide information even if the honeypot is not the target of attacks.
    • When used, the honeypot provides more accurate and valuable information.

19. Collaboration and “reputation”

20. Collaboration and “reputation”
  • A network of collaborative access points
  • Exchange security information through a common vehicle
  • Compute a “level of trust” for each host

21. Architecture: 5 main components
  • Sensors
  • Alert analysis
  • Action engine
  • Collaboration
  • Data control

22. Architecture: 5 main components – Sensors
  • Collect the data needed to detect malicious activity and provide low-level alerts for aggregation and correlation.

23. Architecture: 5 main components – Alert Analysis Engine
  • Performs a high degree of correlation of various alerts (from sensors and other APs) in order to manage a level of trust for each host.

24. Architecture: 5 main components – Action Engine
  • Manages various actions, from sending an alert to triggering a new rule in a firewall. Plugin framework to manage various actions.

25. Architecture: 5 main components – Collaboration Engine
  • Responsible for collaboration with other APs, including AP authentication, etc.

26. Architecture: 5 main components – Data Control
  • Protects the AP against threats (DoS, intrusion, IDS evasion, …).

27. Implementation: use available components
  • CqureAP
    • An 802.11 wireless AP that runs on Linux
  • Prelude-IDS
    • Our core framework: a hybrid IDS
  • Snort
    • Used as a NIDS and a wireless sensor
  • Honeyd
    • Used to provide various honeypot services
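Slides 20 to 27 describe sensors and peer APs feeding an alert analysis engine that keeps a "level of trust" per host, and an action engine that reacts through plugins. The following Python is an added example, not SEINIT or Prelude-IDS code: the alert kinds, penalty values, peer discount and action thresholds are all assumptions chosen to show the correlation and decision logic.

```python
from collections import defaultdict

# Trust penalty per alert kind (assumed values). A honeypot hit weighs most:
# all honeypot activity is suspect, so few false alarms. A statistical anomaly
# weighs least because that detector tends to produce too many false alarms.
PENALTY = {"nids-signature": 0.2, "honeypot-probe": 0.5, "anomaly": 0.05}


class AlertAnalysisEngine:
    """Correlates alerts from local sensors and peer APs into a trust level per host."""

    def __init__(self, local_ap, peer_discount=0.5):
        self.local_ap, self.peer_discount = local_ap, peer_discount
        self.trust = defaultdict(lambda: 1.0)  # unknown hosts start fully trusted

    def ingest(self, ap, host, kind):
        """ap: AP that raised the alert; host: offending MAC/IP; kind: PENALTY key."""
        penalty = PENALTY[kind]                # KeyError on an unknown kind
        if ap != self.local_ap:
            penalty *= self.peer_discount      # a peer's report counts less than our own sensors
        self.trust[host] = max(0.0, self.trust[host] - penalty)
        return self.trust[host]


class ActionEngine:
    """Plugins are (threshold, action); fires the most severe one the trust level has fallen below."""

    def __init__(self, plugins):
        self.plugins = sorted(plugins)         # lowest threshold first

    def decide(self, trust):
        return next((act for thr, act in self.plugins if trust < thr), None)


def evaluate(alerts, local_ap="ap-1"):
    """Returns {host: (trust rounded to 2 places, action or None)}."""
    engine = AlertAnalysisEngine(local_ap)
    actions = ActionEngine([(0.7, "send-alert"), (0.4, "firewall-block")])
    for ap, host, kind in alerts:
        engine.ingest(ap, host, kind)
    return {h: (round(t, 2), actions.decide(t)) for h, t in engine.trust.items()}


# Constructed sample alerts (ap, host, kind), not real captures.
SAMPLE = [
    ("ap-1", "host-a", "anomaly"),         # 1.00 -> 0.95
    ("ap-2", "host-a", "nids-signature"),  # peer, 0.2 * 0.5: 0.95 -> 0.85, no action
    ("ap-1", "host-b", "honeypot-probe"),  # 1.00 -> 0.50, below 0.7: send-alert
    ("ap-1", "host-b", "nids-signature"),  # 0.50 -> 0.30, below 0.4: firewall-block
]
```

Calling evaluate(SAMPLE) leaves host-a at 0.85 with no action and host-b at 0.3 with a firewall-block, so a single honeypot hit plus one signature match is enough to trigger the firewall plugin while a peer's report alone is not.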
28. SEINIT: other activities
  • Trials of
    • Mobile IPv6
      • Concept of return routeability
    • IPv6 address autoconfiguration
      • To provide privacy (avoid having a static IP address derived from the MAC)
    • Cryptographically Generated Addresses (CGA)
      • Secure association of an IPv6 address with a public key
    • Extensible Authentication Protocol (EAP)
      • Flexible authentication framework running on top of the link layer
    • Protocol for Carrying Authentication and Network Access (PANA)
      • Link-layer-agnostic transport for EAP authentication info
    • DNSsec
      • Secure DNS
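The CGA trial above binds an IPv6 address to a public key; as an added illustration that goes deeper than the slide (it is not SEINIT code), here is the RFC 3972 address generation and verification in Python. The DER-encoded public key is replaced by opaque stand-in bytes, extension fields and Duplicate Address Detection are left out, and the prefix is the 2001:db8::/64 documentation range; all three are assumptions.

```python
import hashlib
import ipaddress


def _hash1(modifier, prefix, collision, pubkey):
    """Leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]


def _leading_zeros(data, nbits):
    """True if the leftmost nbits of data are all zero."""
    nbytes = (nbits + 7) // 8
    return int.from_bytes(data[:nbytes], "big") >> (8 * nbytes - nbits) == 0


def generate(prefix, pubkey, sec=0, modifier=b"\x00" * 16, collision=0):
    """Returns (address, params). Each step of sec costs 2**16 more work to generate or to forge."""
    assert len(prefix) == 8 and 0 <= sec <= 7 and collision in (0, 1, 2)
    m = int.from_bytes(modifier, "big")
    while not _leading_zeros(_hash2(m.to_bytes(16, "big"), pubkey), 16 * sec):
        m = (m + 1) % (1 << 128)               # search for a modifier that satisfies Hash2
    modifier = m.to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)      # bits 0-2 of the interface ID := sec
    iid[0] &= 0xFC                             # bits 6 and 7 (u and g) := 0
    return prefix + bytes(iid), (modifier, prefix, collision, pubkey)


def verify(address, params):
    """True iff the address was derived from params' public key as RFC 3972 prescribes."""
    modifier, prefix, collision, pubkey = params
    if collision not in (0, 1, 2) or address[:8] != prefix:
        return False
    iid, h1 = address[8:], _hash1(modifier, prefix, collision, pubkey)
    mask = b"\x1c" + b"\xff" * 7               # ignore bits 0, 1, 2, 6 and 7 when comparing
    if any((a ^ b) & m for a, b, m in zip(iid, h1, mask)):
        return False
    sec = iid[0] >> 5
    return _leading_zeros(_hash2(modifier, pubkey), 16 * sec)


# Constructed inputs: the documentation prefix 2001:db8::/64 and an opaque stand-in
# for the DER-encoded public key (a real deployment hashes the RSA key's DER form).
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
PUBKEY = b"constructed-test-public-key-bytes"
```

A receiver that holds only the address and the CGA parameters can thus check the key binding offline, and any change to the key, the prefix, the collision count or the address itself makes verify() return False.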
