Euro mGov Securing Mobile Services


DESCRIPTION

Presentation of the Paper "Securing mobile services", at the 1st Euro Conference on Mobile Government (Euro mGov 2005), Brighton, England, July 2005.

TRANSCRIPT

Page 1: Euro mGov Securing Mobile Services

Securing Mobile Services

Miguel Ponce de Leon, John Ronan, Jimmy McGibney

Telecommunications Software & Systems Group

Waterford Institute of Technology

Ireland

[email protected]

Security for the pervasive computing world

Page 2: Euro mGov Securing Mobile Services

Contents

> Threats to Mobile Networks & Services

> SEINIT approach

> Building a “smart” wireless access point

> Embedded intrusion detection & honeypot

Page 3: Euro mGov Securing Mobile Services

Security – a difficult problem

• Internet access is easy and cheap (and fairly anonymous)

• Lack of policy and implementation of policy

• Complexity & Scale of systems

• Technology weaknesses

– Tendency to develop first & add security afterwards

• Domination by small number of OSs & apps

– Find a Windows bug and you have millions of sitting targets

– Rapid dissemination of exploits among attackers

• Lack of education of users

• User mobility

• Hard to verify security

– “If it is provably secure, it is probably not”, L.R. Knudsen

Page 4: Euro mGov Securing Mobile Services

m-Government Security

• Very strong requirements for:

– Privacy

– Anonymity (in some cases)

– Authentication

– Integrity

– Availability (critical infrastructures…)

• As well as:

– Usability

– Ubiquity

– Low cost (for citizens)

– Verification & audit

– Diverse & “lowest common denominator” technology on user side

Page 5: Euro mGov Securing Mobile Services

General threats & vulnerabilities

• OS vulnerabilities

• Application vulnerabilities

• Protocol weaknesses

• Sniffing on network

• Keystroke logging

• Password cracking

• Malware – viruses, worms, Trojan horses

• Social Engineering

• Non-technological

– Loss of key personnel, loss of power, lightning, fire, flood, software bugs, vendor bankruptcy, labour unrest, …

Page 6: Euro mGov Securing Mobile Services

Specific Threats to Mobile Services

• Eavesdropping by a third party

– Electromagnetic spectrum is available to all

– Often weak or no encryption

• Bogus user

– Poor user authentication with WiFi; SIM cloning; stolen phones

• Bogus network

– Base station or access point presenting itself as network to the user, for example to collect user data

• Denial of service

– Deliberate jamming of wireless signal

– Or unintentionally – network congestion, large congregations of users (e.g. at sports event), large downloads hogging bandwidth, etc.

Page 7: Euro mGov Securing Mobile Services
Page 8: Euro mGov Securing Mobile Services

Worldwide War Drive 2004

• See www.worldwidewardrive.org

• Results:

– 228,537 access points found

– 82,755 (35%) with default SSID

– 140,890 (60%) with open system authentication (no key needed)

– 62,859 (28%) with both – i.e. no security

Page 9: Euro mGov Securing Mobile Services

Some tips for wireless LAN security

• Treat wireless as untrusted

– Similar to public Internet

– Firewall, etc, between WLAN and rest of network

• Use higher-layer security

– e.g. VPN from station to Internet

• Check for unauthorised access points

• Audit authorised access points

– Make difficult to access from outside

– Use directional antenna to “point” radio signal

• Protect stations using personal firewalls and intrusion detection

Page 10: Euro mGov Securing Mobile Services

SEINIT Project

• Security Expert Initiative

• European Union 6th Framework IST Programme

• Objective: “Provide a trusted and dependable security framework, ubiquitous, working across multiple devices, heterogeneous networks, organisation independent and centred around an end-user”

Security for the pervasive computing world

Page 11: Euro mGov Securing Mobile Services

SEINIT: conceptual approach

• Virtualisation of security

• mGovernment => Government “virtually” anywhere

• How to secure virtual entities?

– services, etc, that are user centred

– devices and network almost irrelevant

(Diagram annotation: “Classical security just looks at these layers”)

Page 12: Euro mGov Securing Mobile Services

SEINIT: conceptual approach

[Figure: axes Space / Geography, Time and Instantiation; networks UMTS, Internet, Wi-Fi, Bluetooth; Interface labels; Virtual and Logical layers]

Page 13: Euro mGov Securing Mobile Services

SEINIT: conceptual approach

• Infosphere

– Digital space linked more to individual or organisation than to devices or infrastructure

– Not necessarily under control of user

– Virtual

• Security Domain

– Controlled by individual or organisation

– Logical

[Figure: Infospheres and Security Domains. Labels: Alice’s personal data; Cybercafe; Alice’s office; Alice’s Bank; Alice’s ISP; Alice’s Telecom operator; Software company – e.g. Microsoft]

Page 14: Euro mGov Securing Mobile Services

SEINIT: conceptual approach

• “Ambience” discovery

– To secure mobile, virtual world, context is everything

– Threat level may depend on:

• Location

• Environment (neighbours, etc)

• Real-time threats

– IDS & Honeypots provide part of this

Page 15: Euro mGov Securing Mobile Services

Embedding IDS and Dynamic Honeypot capabilities on a WLAN Access Point

SEINIT work in progress

Page 16: Euro mGov Securing Mobile Services

Intrusion Detection System (IDS)

• Monitors activity on host or network & raises alerts

• Rules-based detection (most common)

– Based on known attacks

• Statistical anomaly detection

– Tends to produce too many false alarms

Page 17: Euro mGov Securing Mobile Services

Honeypot

• Definition

– “A resource whose value lies in being probed, attacked or compromised”

• System or component with no real-world value, set up to lure attackers

• By definition, all activity on a honeypot is highly suspect

– Can catch new attacks

– Few false alarms

Page 18: Euro mGov Securing Mobile Services

Combining IDS and Honeypots

– Common components

• Data collection

• Analysis and decision algorithm

• Action module

– Main differences

• Honeypot must be used to be effective

• IDS operate continuously on the data flow

– They are complementary:

• IDS can provide information even if the honeypot is not the target of attacks.

• When used the honeypot provides more accurate and valuable information.

Page 19: Euro mGov Securing Mobile Services

Collaboration and “reputation”

Page 20: Euro mGov Securing Mobile Services

Collaboration and “reputation”

– A network of collaborative access points

– Exchange security information through a common vehicle

– Compute a “level of trust” for each host

Page 21: Euro mGov Securing Mobile Services

Architecture: 5 main components

• Sensors

• Alert Analysis

• Action engine

• Collaboration

• Data control

Page 22: Euro mGov Securing Mobile Services

Architecture: 5 main components

Sensors: Collect the data needed to detect malicious activity and provide low-level alerts for aggregation and correlation.

Page 23: Euro mGov Securing Mobile Services

Architecture: 5 main components

Alert Analysis Engine: Performs a high degree of correlation of various alerts (from sensors and other APs) in order to manage a level of trust for each host.

Page 24: Euro mGov Securing Mobile Services

Architecture: 5 main components

Action Engine: Manages various actions from sending an alert to triggering a new rule in a firewall. Plugins framework to manage various actions.

Page 25: Euro mGov Securing Mobile Services

Architecture: 5 main components

Collaboration Engine: Responsible for collaboration with other APs, including AP authentication, etc.

Page 26: Euro mGov Securing Mobile Services

Architecture: 5 main components

Data Control: Protects AP against threats (DoS, intrusion, IDS evasion, …).
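A sketch of how the alert analysis and action engines from the architecture slides could fit together, added here as an illustration and not SEINIT code. The weights, thresholds, alert fields, host addresses and AP names are all assumptions.

```python
from collections import defaultdict

# Assumed weights: honeypot hits are "highly suspect" with few false alarms,
# so they cost more trust than a rule-based IDS alert.
WEIGHTS = {"honeypot": 0.5, "ids": 0.2}
BLOCK_BELOW, ALERT_BELOW = 0.4, 0.9  # assumed action thresholds

def update_trust(alerts, peer_trust, start=1.0):
    """Alert analysis: correlate local and peer alerts into a trust level per host."""
    trust = defaultdict(lambda: start)
    for a in alerts:
        # Local sensors count fully. A report from another AP is scaled by the
        # trust placed in that AP; unauthenticated (unknown) APs count for nothing.
        credibility = 1.0 if a["from"] == "local" else peer_trust.get(a["from"], 0.0)
        trust[a["host"]] *= 1.0 - WEIGHTS[a["sensor"]] * credibility
    return dict(trust)

def decide(trust):
    """Action engine: map each trust level to an action (alert, firewall rule)."""
    return {
        host: "block" if t < BLOCK_BELOW else "alert" if t < ALERT_BELOW else "none"
        for host, t in trust.items()
    }

# Constructed sample data: ap2 is an authenticated peer, ap9 is unknown.
PEER_TRUST = {"ap2": 0.5}
ALERTS = [
    {"host": "10.0.0.7", "sensor": "ids", "from": "local"},
    {"host": "10.0.0.7", "sensor": "honeypot", "from": "local"},
    {"host": "10.0.0.7", "sensor": "honeypot", "from": "ap2"},
    {"host": "10.0.0.9", "sensor": "ids", "from": "local"},
    {"host": "10.0.0.12", "sensor": "honeypot", "from": "ap9"},
]

if __name__ == "__main__":
    levels = update_trust(ALERTS, PEER_TRUST)
    for host, action in decide(levels).items():
        print(f"{host}: trust={levels[host]:.2f} action={action}")
```

Ignoring reports from unknown APs is what keeps an unauthenticated device from lowering another host's trust level, which is why AP authentication sits in the collaboration engine.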

Page 27: Euro mGov Securing Mobile Services

Implementation: Use available components

– CqureAP

• An 802.11 wireless AP that runs on Linux

– Prelude-IDS

• Our core framework: a hybrid IDS

– Snort

• Used as a NIDS and a wireless sensor

– Honeyd

• Used to provide various honeypot services

Page 28: Euro mGov Securing Mobile Services

SEINIT: other activities

• Trials of

– Mobile IPv6

• Concept of return routability

– IPv6 address autoconfiguration

• To provide privacy (avoid having static IP address derived from MAC)

– Cryptographically Generated Addresses (CGA)

• Secure association of IPv6 address with a public key

– Extensible Authentication Protocol (EAP)

• Flexible authentication framework running on top of link layer

– Protocol for Carrying Authentication and Network Access (PANA)

• Link layer agnostic transport for EAP authentication info

– DNSSEC

• Secure DNS
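The privacy issue behind the IPv6 autoconfiguration trial, shown as an added example that is not from the presentation: an interface ID built from the MAC (modified EUI-64) stays the same on every network, so the device can be recognised across prefixes. The MAC, prefixes and function names are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291): split the MAC, insert ff:fe, flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def slaac_address(prefix, mac):
    """Address a host forms on a /64 when its interface ID comes from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_mac(addr):
    """Return the MAC recoverable from an address, or None (heuristic: ff:fe marker)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def linkable_devices(addresses):
    """Group observed addresses by embedded MAC; keep devices seen on >1 network."""
    seen = {}
    for a in addresses:
        mac = embedded_mac(a)
        if mac:
            net = ipaddress.IPv6Network(f"{a}/64", strict=False)
            seen.setdefault(mac, set()).add(str(net))
    return {m: sorted(n) for m, n in seen.items() if len(n) > 1}

# Constructed observations (documentation prefix 2001:db8::/32, made-up MAC).
MAC = "00:11:22:33:44:55"
OBSERVED = [
    str(slaac_address("2001:db8:1::/64", MAC)),   # e.g. office network
    str(slaac_address("2001:db8:2::/64", MAC)),   # e.g. cybercafe network
    "2001:db8:2:0:5c3a:9e1f:7b20:d4c1",           # randomised interface ID
]
```

Running `linkable_devices` over address logs is a quick audit for hosts that still use MAC-derived interface IDs; the address with a randomised interface ID does not show up in the result.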