Uploaded bydeathflu
1,669 views

Mobile Activesync Russian Roulette - Kiwicon 09

The document presents a technical overview of Microsoft Exchange ActiveSync by Oliver Greiter, focusing on its functionalities, security configurations, and potential vulnerabilities. It discusses common security threats, such as man-in-the-middle attacks and data interception, while providing sample sync requests and responses. The author highlights the need for improved security practices and user education to mitigate these risks.

Embed presentation

Mobile ActiveSync Russian Roulette Presented by Oliver “deathflu” Greiter assurance
Assurance / Oliver Greiter Assurance = compliance { penetration testing/ethical “hacking”, review, audit }, wireless & mobility, UNIX/ Windows/network and security consulting/support Oliver = professional bio author and breaker of stuff assurance
Exchange ActiveSync - Based on HTML and XML - Platforms with Exchange ActiveSync compatible client - Allows users to access their e-mail, calendar, contacts, and tasks stored on Exchange server - Cheaper solution to implement (at first glance) when compared to other solutions such as BlackBerry - “Good” way to encourage (enslave) users to check corporate email on their own time assurance
Simple Diagram assurance
Default security configuration - SSL transport layer protection (HTTPS) - Basic Auth - Device ID - “Enforced” Device Security Policy assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
Sample Sync Request POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
autodiscover.{domain}.com Approximately 30% of “Top 500 domains”* had an autodiscover hostname in DNS *http://www.seomoz.org/top500 assurance
assurance
assurance
MITM Attack ARP spoof? DNS poisoning? Fake WiFi Hotspot? Port re-direction? assurance
MITM Fun Sniff Traffic - Emails, Contacts, Notes, User credentials (AD domain) Client Request Replay - Generate your own requests and replay them to the server Server Response Replay - Generate your own responses and replay them to the client assurance
Kill Command Replay assurance
Sample kill response HTTP/1.1 449 Retry after sending a PROVISION command Connection: Keep-Alive Date: Fri, 20 Nov 2009 22:29:31 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 Cache-Control: private X-AspNet-Version: 2.0.50727 MS-Server-ActiveSync: 8.1 X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 70 ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6 assurance
Sample kill response HTTP/1.1 449 Retry after sending a PROVISION command Connection: Keep-Alive Date: Fri, 20 Nov 2009 22:29:31 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 Cache-Control: private X-AspNet-Version: 2.0.50727 MS-Server-ActiveSync: 8.1 X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 70 ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6 assurance
Sample kill response HTTP/1.1 449 Retry after sending a PROVISION command Connection: Keep-Alive Date: Fri, 20 Nov 2009 22:29:31 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 Cache-Control: private X-AspNet-Version: 2.0.50727 MS-Server-ActiveSync: 8.1 X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 70 ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6 assurance
Symbian OS Nokia N95 Mail for Exchange v2.9.158 assurance
Symbian OS Nokia N95 Mail for Exchange v2.9.158 assurance
iPhone OS iPhone 3G iPhone OS v3.1.2 assurance
iPhone OS iPhone 3G iPhone OS v3.1.2 assurance
Windows Mobile 6.1 Dell AXIM X51v PDA Windows Mobile 6.1 assurance
Windows Mobile 6.1 Dell AXIM X51v PDA Windows Mobile 6.1 assurance
What just happened? assurance
In an ideal world... - Valid SSL Certificate on server - Unique Client Certificate on each device - Device (and storage card) encryption - Access to restricted to private Cell Network Access Point Name (APN) - HTTP Digest authentication - Exchange ActiveSync domain segregation - User education assurance
Application Improvement How about introducing session management as a default component of the application? assurance
Where to from here? 3G MITM Attacks? assurance
Danke - y011 - kiwicon crüe assurance
Questions? oliver.greiter@assurance.com.au assurance

More Related Content

PPT
How to hack VMware vCenter server in 60 seconds
byPositive Hack Days
 
PDF
vCenter and ESXi network port communications
byAnimesh Dixit
 
PPT
Cometdの紹介
byDaisuke Sugai
 
PPTX
How to encrypt everything that moves and keep it usable
byDenis Gundarev
 
PDF
Lksn2017 itnsa modul2
byVerry Hendroprasetyo
 
PPTX
Ssl slides
byregnak2012
 
PDF
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
byGuy Podjarny
 
PDF
XPDS14 - Intel(r) Virtualization Technology for Directed I/O (VT-d) Posted In...
byThe Linux Foundation
 
How to hack VMware vCenter server in 60 seconds
byPositive Hack Days
 
vCenter and ESXi network port communications
byAnimesh Dixit
 
Cometdの紹介
byDaisuke Sugai
 
How to encrypt everything that moves and keep it usable
byDenis Gundarev
 
Lksn2017 itnsa modul2
byVerry Hendroprasetyo
 
Ssl slides
byregnak2012
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
byGuy Podjarny
 
XPDS14 - Intel(r) Virtualization Technology for Directed I/O (VT-d) Posted In...
byThe Linux Foundation
 

Similar to Mobile Activesync Russian Roulette - Kiwicon 09

PDF
Mobile SSO: Give App Users a Break from Typing Passwords
byCA API Management
 
PDF
Nokia E7 Smartphone: Nokia and Microsoft Partnership
byNokia Central & East Europe
 
PDF
Implementing Application Security
byInformation Technology
 
PDF
Mobile Identity 2013 - Optimising and simplifying authentication and authoriz...
byMartin Prosek
 
PPT
Top 10 Security Concerns of Windows Mobile (and how to Overcome them)
byjasonlan
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PPTX
The Boring Security Talk
bykieranjacobsen
 
PDF
Mobile Securty - An Oxymoron?
bymorisson
 
PPTX
Product Portfolio
bysgjiji
 
PPTX
Leveraging the azure cloud for your mobile apps
byMarcel de Vries
 
PDF
miSecureMessages
byAMTELCO
 
PDF
Praetorian Veracode Webinar - Mobile Privacy
byTyler Shields
 
PPTX
Mobile security services 2012
byTjylen Veselyj
 
PDF
6.3. How to get out of an inprivacy jail
bydefconmoscow
 
PDF
Android P Security Updates: What You Need to Know
byNowSecure
 
PPT
Microsoft India – Unified Communications Exchange Server 2010 Outlook Web App...
byMicrosoft Private Cloud
 
PPT
Microsoft Unified Communication - Exchange Server 2010 Outlook Web App Presen...
byMicrosoft Private Cloud
 
PDF
YURY_CHEMERKIN_HackMiami_2014_Conference.pdf
byYury Chemerkin
 
PPTX
Is your mobile app as secure as you think?
byMatt Lacey
 
PPT
Thinkfree Office Live Introduction Material En
byBenedict Ji
 
Mobile SSO: Give App Users a Break from Typing Passwords
byCA API Management
 
Nokia E7 Smartphone: Nokia and Microsoft Partnership
byNokia Central & East Europe
 
Implementing Application Security
byInformation Technology
 
Mobile Identity 2013 - Optimising and simplifying authentication and authoriz...
byMartin Prosek
 
Top 10 Security Concerns of Windows Mobile (and how to Overcome them)
byjasonlan
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
The Boring Security Talk
bykieranjacobsen
 
Mobile Securty - An Oxymoron?
bymorisson
 
Product Portfolio
bysgjiji
 
Leveraging the azure cloud for your mobile apps
byMarcel de Vries
 
miSecureMessages
byAMTELCO
 
Praetorian Veracode Webinar - Mobile Privacy
byTyler Shields
 
Mobile security services 2012
byTjylen Veselyj
 
6.3. How to get out of an inprivacy jail
bydefconmoscow
 
Android P Security Updates: What You Need to Know
byNowSecure
 
Microsoft India – Unified Communications Exchange Server 2010 Outlook Web App...
byMicrosoft Private Cloud
 
Microsoft Unified Communication - Exchange Server 2010 Outlook Web App Presen...
byMicrosoft Private Cloud
 
YURY_CHEMERKIN_HackMiami_2014_Conference.pdf
byYury Chemerkin
 
Is your mobile app as secure as you think?
byMatt Lacey
 
Thinkfree Office Live Introduction Material En
byBenedict Ji
 

Mobile Activesync Russian Roulette - Kiwicon 09

  • 1.
    Mobile ActiveSync RussianRoulette Presented by Oliver “deathflu” Greiter assurance
  • 2.
    Assurance / OliverGreiter Assurance = compliance { penetration testing/ethical “hacking”, review, audit }, wireless & mobility, UNIX/ Windows/network and security consulting/support Oliver = professional bio author and breaker of stuff assurance
  • 3.
    Exchange ActiveSync - Basedon HTML and XML - Platforms with Exchange ActiveSync compatible client - Allows users to access their e-mail, calendar, contacts, and tasks stored on Exchange server - Cheaper solution to implement (at first glance) when compared to other solutions such as BlackBerry - “Good” way to encourage (enslave) users to check corporate email on their own time assurance
  • 4.
  • 5.
    Default security configuration - SSL transport layer protection (HTTPS) - Basic Auth - Device ID - “Enforced” Device Security Policy assurance
  • 6.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 7.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 8.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 9.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 10.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 11.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 12.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 13.
    Sample Sync Request POST/Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274 &DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1 Host: autodiscover.dept.gov.au Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9 Accept-Language: en-us Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ== Expect: 100-continue User-Agent: NokiaE61i/2.09(158)MailforExchange Content-Type: application/vnd.ms-sync.wbxml MS-ASProtocolVersion: 12.1 X-MS-PolicyKey: 1799664318 Content-Length: 68 jEOK1643522697R5U50WX2EF1G3072[1 assurance
  • 14.
    autodiscover.{domain}.com Approximately 30%of “Top 500 domains”* had an autodiscover hostname in DNS *http://www.seomoz.org/top500 assurance
  • 15.
  • 16.
  • 17.
    MITM Attack ARP spoof? DNS poisoning? Fake WiFi Hotspot? Port re-direction? assurance
  • 18.
    MITM Fun Sniff Traffic - Emails, Contacts, Notes, User credentials (AD domain) Client Request Replay - Generate your own requests and replay them to the server Server Response Replay - Generate your own responses and replay them to the client assurance
  • 19.
  • 20.
    Sample kill response HTTP/1.1 449 Retry after sending a PROVISION command Connection: Keep-Alive Date: Fri, 20 Nov 2009 22:29:31 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 Cache-Control: private X-AspNet-Version: 2.0.50727 MS-Server-ActiveSync: 8.1 X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 70 ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6 assurance
  • 21.
    Sample kill response HTTP/1.1 449 Retry after sending a PROVISION command Connection: Keep-Alive Date: Fri, 20 Nov 2009 22:29:31 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 Cache-Control: private X-AspNet-Version: 2.0.50727 MS-Server-ActiveSync: 8.1 X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 70 ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6 assurance
  • 22.
    Sample kill response HTTP/1.1 449 Retry after sending a PROVISION command Connection: Keep-Alive Date: Fri, 20 Nov 2009 22:29:31 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 Cache-Control: private X-AspNet-Version: 2.0.50727 MS-Server-ActiveSync: 8.1 X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 70 ã …HUH.-.…œUH-* /R»ÕO)ÕIUH…O-V»À/Q(JMŒOœÀ¨JU(…»,Ü(“Á‘…n6 assurance
  • 23.
    Symbian OS Nokia N95 Mail for Exchange v2.9.158 assurance
  • 24.
    Symbian OS Nokia N95 Mail for Exchange v2.9.158 assurance
  • 25.
    iPhone OS iPhone 3G iPhone OS v3.1.2 assurance
  • 26.
    iPhone OS iPhone 3G iPhone OS v3.1.2 assurance
  • 27.
    Windows Mobile 6.1 Dell AXIM X51v PDA Windows Mobile 6.1 assurance
  • 28.
    Windows Mobile 6.1 Dell AXIM X51v PDA Windows Mobile 6.1 assurance
  • 29.
  • 30.
    In an idealworld... - Valid SSL Certificate on server - Unique Client Certificate on each device - Device (and storage card) encryption - Access to restricted to private Cell Network Access Point Name (APN) - HTTP Digest authentication - Exchange ActiveSync domain segregation - User education assurance
  • 31.
    Application Improvement How about introducing session management as a default component of the application? assurance
  • 32.
    Where to fromhere? 3G MITM Attacks? assurance
  • 33.
    Danke - y011 - kiwicon crüe assurance
  • 34.
    Questions? oliver.greiter@assurance.com.au assurance

Editor's Notes

  • #2 How many of you have checked your email while sitting on the toilet? pause A report by Osterman Research focusing on mobile messaging in the North American Workplace found that 79% of respondence admitted to doing so. o 77% have done so while driving (when the car is moving) o 41% have done so on a commercial flight while in the air o 16% have done so during a funeral or memorial service o 11% have done so during a romantic moment pause I’m here to talk to you about the bad things that can happen while checking your email on the shitter.
  • #3 - austrian by nationality, don’t hold an australian passport - there’s no kangaroos in austria - risky biz movember team
  • #4 - it’s a basic web application - some organisations implement using the corporate owned devices and some organisations implement the solution using employee owned devices
  • #5 - The server is normally named autodiscover.domain.name - sync also via USB Cradle Sync - IIS accepts the connection and then passes it onto the exchange server - (HTTPS)
  • #6 - Basic Auth - Base64 easily decoded - Device ID - the administrative interface can be used to block or permit certain device IDs - All three platforms tested (WM, iPhone OS, Symbian OS) implemented the Microsoft API to different levels (device policy) - Nokia wipe interrupted - removed pin lock and emails were still in inbox Device policy consists of things such as: - enforcing a device password - min pass length - alphanumeric pass - max password age - pass history - account lockout threshold - idle session timeout
  • #7 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #8 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #9 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #10 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #11 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #12 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #13 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #14 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #15 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #16 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #17 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #18 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #19 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #20 - Just by sniffing traffic you can already start enumerating domain usernames from the URL. - Policy Key does not appear to change/increment (over a week it didn’t change) - list of commands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert #Binary Data
  • #21 - explain the setup process and “automatically obtain settings” from exchange server - Setting are sent to the device via a XML response from the server - queried public DNS AUSTRALIA: autodiscover.firevibe.com.au autodiscover.awm.gov.au autodiscover.brisbane.qld.gov.au autodiscover.childsafety.qld.gov.au autodiscover.bendigobank.com.au autodiscover.banks.com.au autodiscover.adelaidebank.com.au autodiscover.benbank.com.au autodiscover.msn.com autodiscover.three.com autodiscover.vodafone.com autodiscover.altmedia.net.au autodiscover.abc.net.au autodiscover.pblmedia.com.au autodiscover.yahoo.com.au NEW ZEALAND: autodiscover.savethekiwi.org.nz autodiscover.policy.net.nz autodiscover.powergenerators.net.nz autodiscover.newzealandnow.govt.nz autodiscover.nzalpa.org.nz autodiscover.caa.govt.nz autodiscover.otago.ac.nz autodiscover.auckland.ac.nz autodiscover.massey.ac.nz autodiscover.lincoln.ac.nz
  • #22 list of autodiscover domains
  • #23 list of autodiscover domains
  • #24 list of autodiscover domains
  • #25 list of autodiscover domains
  • #26 list of autodiscover domains
  • #27 list of autodiscover domains
  • #28 list of autodiscover domains
  • #29 list of autodiscover domains
  • #30 list of autodiscover domains
  • #31 list of autodiscover domains
  • #32 list of autodiscover domains
  • #33 list of autodiscover domains
  • #34 list of autodiscover domains
  • #35 list of autodiscover domains
  • #36 - Attack one endpoint or the other or the traffic in between - SSL has copped a battering this year (wildcard ssl cert, reneg flaw), this talk isn’t about that. The user still gets prompted about a dodgy SSL cert...in most cases. This talk is about the shitty implementation of security on the various clients. - port 443 is all we care about (maybe dns too!) - SSL cert - Moxie’s wildcard SSL cert (firefox 2 except the certs without warning, firefox 3 won’t prompt the user to accept the cert in default config) - proxy to pass, capture and replay traffic
  • #37 Sniff Traffic - Pass on the traffic, while logging it. Use the creds to gain access to any other applications that are AD integrated such as Outlook Web Access or the internal domain through some other path (pysical access, wireless, etc.) Request Replay - Send emails (SPAM), retrieve emails, retreive attachments, search for contacts (mirror address book) Response Replay - Kill Response replay - explain - (central management function to deal with lost or stolen devices)
  • #38 Overview of what is going to take place when executing kill command replay as we know the user can’t be relied upon to decide if a cert is valid or not, especially when very little information is provided like on mobile devices so how to each of the platform react when presented with a wildcard ssl cert?
  • #39 -in response to any request we reply with this...
  • #40 -in response to any request we reply with this...
  • #41 - can view cert details (cn name etc.) - default action is continue
  • #42 - can view cert details (cn name etc.) - default action is continue
  • #43 The user is only prompted once iPhone OS 2.1 doesn’t prompt when presented with invalid cert
  • #44 The user is only prompted once iPhone OS 2.1 doesn’t prompt when presented with invalid cert
  • #45 0x80072F17 = Unsupported Digital Certificate installed. If you installed a digital certificate that supports wildcards from a certifying digital certificate provider, this certificate will install however using the certificate is not supported. - in reality this just means that the device won’t accept the dodgy cert. - user isn’t given the option to accept the cert
  • #46 0x80072F17 = Unsupported Digital Certificate installed. If you installed a digital certificate that supports wildcards from a certifying digital certificate provider, this certificate will install however using the certificate is not supported. - in reality this just means that the device won’t accept the dodgy cert. - user isn’t given the option to accept the cert
  • #47 - the device is nuked - reset to factory state (everything is gone!!!) - your high scores on your driving game (gone!)
  • #48 - ensure devices are secure adequately (jailbroken iphones, first person to exploit this was a dutch hacker charging 5 euros to fix it) - only windows mobile supports enforced encryption - so instead of vodafone.net.nz your APN would be some company name for example Device policy at a minimum: - Enforce device password is set to TRUE - Minimum password length is 7 characters - Alphanumeric passwords is enforced - Maximum password age is set to 90 days - Password history is set to 12 remembered - Account lockout threshold is set to 3 - Idle session timeout is set to 20 minutes
  • #49 Pretty standard for web applications This way the user’s credentials don’t need to be sent to the server with each request.
  • #50 3G Micro Cells have recently become available to AT&T customers in the U.S. They cost US$149. How long before these are hacked and used to perform 3G MITM attacks? Kiwicon 2010 anyone? Are we going to have people sitting in airport lounges with micro cells, MITM 3G connections, exploiting SSL and sitting between cell phone users and their internet banking?