Posted on 22-May-2020

TRANSCRIPT

Page 1: Thanks for attending! County/IIA OC Presentation Downlo… · • Network Communication (Allows the application to accept cloud to device messages from applications service full internet

Thanks for attending!

I just wanted to take a quick moment to thank everyone from the ISACA Orange County Chapter for allowing me to come speak at your event.

If you would like to reach me, my email is [email protected]

You can visit TraceSecurity at www.tracesecurity.com

Jim Stickley
Cell: 619-337-5467

TraceSecurity Inc. Copyright 2012 ©2013 TraceSecurity, Inc. All rights reserved worldwide.

Page 2:

The Hidden Risks of Mobile Applications

Presented by Jim Stickley

Page 3:

Today

Android and Apple have over 1 million apps

With the entire world moving to mobile devices, hackers are shifting their focus

Page 4:

Mobile Technology

Installing malicious apps

Page 5:

Hacking mobile technology

Applications require permissions to access certain information

In many cases the permissions are necessary to allow the application to perform properly

While mobile devices will warn you about the permissions required, do people really pay attention?


Page 9:

Purpose of this attack

Test 1

See how many people would download and install my app even though it required access to everything

Pull email address off phone
• Because Android uses Gmail, often multiple email addresses will be added to the phone

Pull phone number and mobile carrier


Page 12:

Hacking mobile technology

Permissions I required

• Your Personal Information (Read contact data, Write contact data)
• Network Communication (Allows the application to accept cloud to device messages from applications service, full internet access)
• Storage (Modify / Delete SD Storage)
• Phone Calls (modify phone state, read phone state and identity)
• System Tools (Automatically start at boot, Prevent phone from sleeping, write sync settings)
• Your Messages (Read SMS or MMS, Receive SMS, Read Gmail including sending and deleting mail)
• Services that cost you money (Send SMS Messages)

Page 13:

Results

Over 1300 downloads in a 3 month period

Received over 1950 email addresses

Applications remained in contact with my server during this time

Never reported as suspicious

Never received notice to discontinue application

Averaged 3 stars on feedback

Page 14:

What does this mean?

People are willing to install an app even if the permissions have access to things not needed to function properly

Often people will not be aware of the permissions required because they scroll off the screen

If I wanted to create a malicious app that would need people to allow all permissions, that will not be an issue

Page 15:

Mobile Technology

Hacking online accounts

Page 16:

Hacking online accounts

Mobile apps can be designed to manage:
• email, text messages, photos, contacts, etc.

Malicious apps could be designed to capture this same data.

Could look legitimate to Google and Apple

Probably could be used to gain access to online accounts

Page 17:

Purpose of this attack

Test 2

Using the same app originally created to test permissions, modify the app to have the ability to be malicious

Attempt to steal online account login credentials (Login & Password) via the app

Because the app is now malicious, only test on friends and family

Page 18:

Hacking mobile technology

User installs Gmail counter app

After the app is installed, it simply retrieves email addresses from the phone and sends them to the hacker

Page 19:

Hacking mobile technology

What can you do with an email address?

Pages 20-21:

Hacking mobile technology

Hacker sends forgot password and/or forgot User ID requests to all major online applications using the acquired email addresses

Pages 22-23:

Forgot password?

[email protected]

RBKYHU

Pages 24-25:

Hacking mobile technology

Online applications send temporary password or User ID back to email address

Page 26:

Hacking mobile technology

Mobile App checks email for messages from defined list of online applications

Pages 27-28:

Hacking mobile technology

Any emails that match password requests are forwarded to hacker

Pages 29-31:

Hacking mobile technology

****************

Pages 32-33:

Hacking mobile technology

Hacker now has the login (email address) for the account and a link to a temporary password

Problem: Real owner of account might see email containing forgot password request

Page 34:

Hacking mobile technology

Mobile App designed to delete the original email after it forwards to hacker

Page 35:

Hacking mobile technology

Hacker now has temporary passwords for all accounts

Hacker can now login to accounts using email address and temporary password

Hacker can change settings, order items online, etc.

Until real user attempts to login to hijacked account, hacker has full access

Page 36:

Results

Loaded malicious app onto 20 mobile devices
• These people all agreed to let me hack them

Able to change the password on over 100 online applications

Able to gain access to online banking accounts through multifactor

Page 37:

Results

Can also be used to gain real passwords

Page 38:

[email protected]

Page 41:

How risky is it?

Hacker has complete access to email

Hacker has complete access to text messages
• Send and receive

Hacker has ability to access numerous accounts

Hacker has ability to learn your password

Page 42:

How risky is it?

Extremely important to have unique password at every site

Not always easy to remember

Simple solution

Page 43:

What can you do?

Pay attention to permissions

Even if the application has been downloaded / installed thousands of times, it doesn't guarantee it's secure

When in doubt, don't install the application

Password no longer working is a red flag

Page 44:

What can you do?

How do I know what permissions my apps have?

Android / Apple
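The slide 12 list shows what an over-privileged app declares; the question on this slide is how to check it. The following is an added example, not code from the talk or from TraceSecurity: it parses the `<uses-permission>` entries of a constructed AndroidManifest.xml (the manifest inside any APK carries this list) and compares them with the minimal set an app of the stated purpose needs. The `android.permission.*` strings are real Android permission names; the two purpose profiles (`gmail_counter`, modelled on the talk's counter app, and `wifi_speed_tester`, modelled on the app in Test 4), the sample manifests and the package names are assumptions constructed for illustration.

```python
"""Over-privilege check for the permissions an Android app declares.

Added example (not the talk's code). It answers the slide's question
"what permissions does this app have, and does it need them?" from the
manifest alone, before the app is installed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the descriptions paraphrase the groups
# listed on slide 12 (contacts, messages, phone identity, storage, boot).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.WRITE_CONTACTS": "write contact data",
    "android.permission.GET_ACCOUNTS": "list the accounts (email addresses) on the phone",
    "android.permission.READ_SMS": "read SMS or MMS",
    "android.permission.RECEIVE_SMS": "receive (intercept) SMS",
    "android.permission.SEND_SMS": "send SMS (services that cost you money)",
    "android.permission.READ_PHONE_STATE": "read phone state and identity (number, carrier)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "automatically start at boot",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify / delete SD storage",
}
# The channel that lets anything collected leave the device.
NETWORK = {"android.permission.INTERNET"}

# Assumed minimal need per stated purpose (illustrative, not from the talk).
PURPOSE_PROFILES = {
    "gmail_counter": {"android.permission.GET_ACCOUNTS", "android.permission.INTERNET"},
    "wifi_speed_tester": {"android.permission.INTERNET", "android.permission.ACCESS_WIFI_STATE"},
}

# Constructed manifest mirroring the permission groups the talk's app asked for.
OVERPRIVILEGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gmailcounter">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_SYNC_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

# Constructed manifest for the same stated purpose, declaring only what it needs.
MINIMAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gmailcounter">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def parse_manifest_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)   # namespaced attribute android:name
        if name:
            names.add(name)
    return names


def audit_permissions(declared: set, purpose: str) -> dict:
    """Compare declared permissions with the assumed need for `purpose`.

    excess:     sensitive permissions the stated purpose does not justify
    exfil_path: True when excess data access is paired with network access
    findings:   human-readable lines for a report
    """
    needed = PURPOSE_PROFILES[purpose]
    excess = sorted(p for p in declared if p in SENSITIVE and p not in needed)
    exfil_path = bool(excess) and bool(declared & NETWORK)
    findings = ["%s: %s (not needed for %s)" % (p, SENSITIVE[p], purpose) for p in excess]
    if exfil_path:
        findings.append("excess data access is combined with INTERNET: collected data can leave the device")
    return {"excess": excess, "exfil_path": exfil_path, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("over-privileged", OVERPRIVILEGED_MANIFEST), ("minimal", MINIMAL_MANIFEST)):
        report = audit_permissions(parse_manifest_permissions(manifest), "gmail_counter")
        print("%s build: %d excess permission(s)" % (label, len(report["excess"])))
        for line in report["findings"]:
            print("  -", line)
```

The check deliberately reasons about combinations, not single permissions: contacts or SMS access alone is what a messaging app needs, but contacts plus SMS plus phone identity plus start-at-boot plus INTERNET, declared by an "unread counter", is the profile the talk describes. The same comparison can be run against the permissions a store listing or `dumpsys package` output shows for an installed app.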

Page 45:

Mobile Technology

Attacking the network

Page 46:

When phones attack

Can a mobile device be used for hacking?
• Android is Linux based
• Written in Java with all the normal sockets
• Supports C code
• Supports native Libraries

In theory you could use an Android device for hacking

Page 47:

Purpose of this attack

Test 3

Crash server on network
• RDP Remote Code Execution Vulnerability
• Published March 2012 (MS12-020)
• Used for remote code execution and denial of service attacks

Page 48:

When phones attack

Target system
• Windows 2008 Server

Attack software
• RDPKill4Android

Video

Page 50:

When phones attack

What happened?
• Android device has access to network via Wi-Fi
• Android device was able to connect to Windows computer
• Android device was able to send denial of service code via RDP
• Windows 2008 server crashed with blue screen

Page 51:

When phones attack

What does this mean?
• Mobile devices can be used to attack computers on the local network via a Wi-Fi connection

Page 52:

When phones attack

Why stop there?

If an app on a phone can cause a Windows machine to crash, what else could it do?

Page 53:

Mobile Technology

Hacking a computer

Page 54:

Purpose of this attack

Test 4

Create a malicious app that could take over a desktop computer

App would be designed to look like a Wi-Fi speed tester

Because app only requires permission to access network via Wi-Fi, the only permission required will be expected by user

Page 55:

When phones attack

Can this really be done?

Video

Page 57:

When phones attack

What just happened?

Pages 58-59:

When phones attack

Mobile device port scans network for vulnerable systems

Page 60:

When phones attack

App finds a computer vulnerable to RDP MS12-020 exploit

Page 61:

When phones attack

App installs malware on vulnerable system

Pages 62-63:

When phones attack

Mobile device no longer required to exploit system

Page 64:

When phones attack

Exploited computer connects to hacker server allowing remote communication

Page 65:

When phones attack

Hacker site uploads additional tools and sends commands for exploited computer to execute

Page 66:

When phones attack

How bad is it?
• Complete compromise of any un-patched systems on network
• Internal networks often less secure than external facing networks
• Remote access with the ability to install and execute code
• Ability to record the screen, webcam and keyboard entries
• Full access to contents on the hard drive and launch point for additional network attacks

Page 67:

When phones attack

What does this mean?
• If you allow mobile devices on your network, they can put your entire network at risk
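Both of the network tests above rest on the same precondition: a phone on the Wi-Fi can open connections straight to RDP on a server segment, first to crash it (Test 3) and then to scan for and exploit an unpatched host (slides 58 to 65). That is visible in firewall or flow logs long before any exploit lands. The following is an added example, not code from the talk or from TraceSecurity: it reads a constructed flow log and flags Wi-Fi clients that reach administrative ports on the server VLAN, plus any single Wi-Fi source that touches enough distinct host:port pairs to look like a scan. The subnets (10.20.0.0/16 for Wi-Fi clients, 10.1.0.0/24 for servers), the log format, the port list, the scan threshold and every log line are assumptions constructed for illustration.

```python
"""Detect Wi-Fi clients reaching admin services on a server segment.

Added example (not the talk's code). Subnets, log format and sample
lines are constructed; adapt the parser to your firewall or NetFlow export.
"""
import ipaddress
from collections import defaultdict

WIFI_CLIENTS = ipaddress.ip_network("10.20.0.0/16")   # assumed BYOD / guest Wi-Fi range
SERVER_SEGMENT = ipaddress.ip_network("10.1.0.0/24")  # assumed server VLAN
# Services a phone on the Wi-Fi has no business reaching directly.
ADMIN_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 135: "MS-RPC"}
# One Wi-Fi source touching this many distinct host:port pairs looks like a scan.
SCAN_THRESHOLD = 5

# Constructed sample log: "timestamp src dst dport proto", one flow per line.
# 10.20.4.17 behaves like the phone in the talk; the other two sources are benign.
SAMPLE_FLOWS = """
2013-04-02T10:15:01 10.20.4.17 10.1.0.5 3389 tcp
2013-04-02T10:15:01 10.20.4.17 10.1.0.5 445 tcp
2013-04-02T10:15:02 10.20.4.17 10.1.0.6 3389 tcp
2013-04-02T10:15:02 10.20.4.17 10.1.0.7 3389 tcp
2013-04-02T10:15:03 10.20.4.17 10.1.0.8 3389 tcp
2013-04-02T10:15:03 10.20.4.17 10.1.0.9 22 tcp
2013-04-02T10:15:04 10.20.9.3 10.1.0.10 443 tcp
2013-04-02T10:15:05 10.1.0.20 10.1.0.5 3389 tcp
2013-04-02T10:15:06 10.20.9.3 198.51.100.7 443 tcp
""".strip().splitlines()


def parse_flow(line: str) -> dict:
    """Split one constructed flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def detect(flow_lines) -> dict:
    """Return admin-port hits from Wi-Fi clients and sources that look like scanners.

    Only flows from WIFI_CLIENTS into SERVER_SEGMENT are considered; the
    server-to-server RDP line (an admin jump host) is left alone.
    """
    hits = []
    touched = defaultdict(set)   # source -> set of (dst, dport) it reached
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["src"] not in WIFI_CLIENTS or f["dst"] not in SERVER_SEGMENT:
            continue
        touched[str(f["src"])].add((str(f["dst"]), f["dport"]))
        if f["dport"] in ADMIN_PORTS:
            hits.append("%s %s -> %s:%d (%s) from Wi-Fi client segment"
                        % (f["ts"], f["src"], f["dst"], f["dport"], ADMIN_PORTS[f["dport"]]))
    scanners = {src: len(pairs) for src, pairs in touched.items() if len(pairs) >= SCAN_THRESHOLD}
    return {"admin_port_hits": hits, "scanners": scanners}


if __name__ == "__main__":
    report = detect(SAMPLE_FLOWS)
    for hit in report["admin_port_hits"]:
        print("ALERT", hit)
    for src, count in report["scanners"].items():
        print("SCAN  %s touched %d distinct host:port pairs on the server segment" % (src, count))
```

The detection is only the second line of defence. The first is that these flows should not be possible at all: keep BYOD and guest Wi-Fi on its own VLAN with no route to server administration ports, so that an app with nothing more than network permission cannot reach RDP, and keep the servers patched (the talk's Test 3 and Test 4 both depend on a host still missing MS12-020). The alert above then tells you when the segmentation has a hole.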

Page 68:

When phones attack

Just how bad could it get?

Page 69:

Mobile Technology

Automated hacking

Page 70:

Automated hacking

Many of the new attacks are focused on exploiting vulnerabilities in the browser

IT security staff will often place desktops behind proxy servers designed to protect against viruses and other outside attacks
• Adobe Acrobat and Flash exploits

Internal desktops and servers are often missing critical patches

Page 71:

Automated hacking

If a hacker is on the internal network, they could exploit these vulnerabilities

Mobile devices give hackers the ability to bypass firewall protection

Malware placed on system designed to automate an attack could cause serious damage

Page 72:

Targeting corporate America

Test 4

Steal complete financial institution member database

Video

Page 74:

What is at risk?

Complete download of ALL customer information
• Name
• Address
• Phone Number
• Birthday
• Social Security Number
• Account Number
• Mothers Maiden Name
• Debit / Credit Card number & Exp
• Financial Institution IP address

Page 75

What does this mean?

Hackers can attack your organization without even knowing you exist via malicious apps

Your network can be hacked and all confidential data on the database stolen in minutes

Hackers can attack your network while not at their computers

When the attack is over, your network shows no obvious signs a breach took place

Page 76

Conservative damages estimate

2% of 16,000 = 320 financial institutions exploited

10,000 members / customers at a financial institution

$100.00 stolen from each member / customer

Calculation: 320 * 10,000 * 100 =

Total Damages: $320,000,000

Page 77

Your future

Manual hacking is an outdated practice

Organization attacks will become fully automated

What used to take days or months will now take just minutes

BYOD bypasses the firewall and places hackers directly on the internal network

Page 78

What can you do?

Awareness Training / Education

Comprehensive Security Policies
• Limit Internet Access

Monitor Network Risks / Vulnerabilities

Personal Firewalls, Anti-Virus / Intrusion Detection / Prevention
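The "monitor network risks" point above, combined with the earlier observation that a BYOD device lands directly on the internal network and never crosses the perimeter firewall, is easiest to act on as a segmentation check: employee phones should sit on their own segment and reach only a short list of internal services. The following is an added example, not code from the presentation or from TraceSecurity; the subnets, the allowed (server, port) pairs and the flow records are all constructed for illustration, and the simple "src dst dport proto" record format is an assumption standing in for whatever your firewall or NetFlow collector actually exports.

```python
"""Added example (not from the TraceSecurity deck): flag flows from the
BYOD / guest Wi-Fi segment that reach internal hosts outside the approved
list. Addressing plan and records are constructed, not real."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not from the slides).
BYOD_SEGMENT = ipaddress.ip_network("10.50.0.0/16")      # where employee phones land
INTERNAL_SEGMENT = ipaddress.ip_network("10.10.0.0/16")  # desktops, file and DB servers

# Internal services the BYOD segment is allowed to reach at all (constructed).
ALLOWED_FROM_BYOD = {
    (ipaddress.ip_address("10.10.0.53"), 53),   # internal resolver
    (ipaddress.ip_address("10.10.0.10"), 443),  # reverse proxy in front of webmail
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def is_violation(flow: Flow) -> bool:
    """True when a BYOD host talks to the internal segment other than through
    an approved (server, port) pair. Traffic to the Internet and traffic
    between internal hosts is out of scope for this particular check."""
    if flow.src not in BYOD_SEGMENT or flow.dst not in INTERNAL_SEGMENT:
        return False
    return (flow.dst, flow.dport) not in ALLOWED_FROM_BYOD


def find_violations(lines) -> list[Flow]:
    """Run the policy over an iterable of records and return the offenders."""
    return [flow for flow in map(parse_flow, lines) if is_violation(flow)]


def offenders_by_source(violations: list[Flow]) -> dict[str, int]:
    """Count violations per BYOD source so the noisiest device surfaces first."""
    counts: dict[str, int] = {}
    for flow in violations:
        counts[str(flow.src)] = counts.get(str(flow.src), 0) + 1
    return counts


# Constructed sample records: two approved lookups, one Internet connection,
# one internal-to-internal flow, and two BYOD hosts reaching file/DB servers.
SAMPLE_FLOWS = [
    "10.50.3.21 10.10.0.53 53 udp",
    "10.50.3.21 10.10.0.10 443 tcp",
    "10.50.3.21 203.0.113.9 443 tcp",
    "10.10.4.15 10.10.4.20 1433 tcp",
    "10.50.3.21 10.10.4.15 445 tcp",
    "10.50.7.88 10.10.4.20 1433 tcp",
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print(f"BYOD host {flow.src} reached {flow.dst}:{flow.dport}/{flow.proto}")
    print(offenders_by_source(find_violations(SAMPLE_FLOWS)))
```

In practice the allow-list is the interesting part: if it grows past a handful of entries, the BYOD segment is no longer a guest network and the firewall bypass the slides describe is back.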

Page 79

What can you do?

Even if the application has been downloaded / installed thousands of times, it doesn't guarantee it's secure

When in doubt, don't install the application

Patch all computers on the local network, even computers that generally do not connect to the Internet

Page 80

Mobile Technology

Dangers of Wireless access points

Page 81

Wireless access points

• Wireless access points are everywhere
• Hotels
• Airports
• Coffee Shops
• Malls
• Parks
• Apartments
• Business complexes

• Some are free, some charge

Page 82

Wireless access points

• People seem focused only on the security of the device itself

• Insecure Access points

• Flaws in WEP

• Launch point for malicious attacks

• Easy to attack home users

• Easy to monitor traffic on local networks

Page 83

Wireless access points

• There are other security concerns that are often overlooked

• Gaining access to confidential information through wireless

Video

Page 84

Page 85

Wireless access points

Other risks beyond just credit card

Many mobile apps do not verify SSL connections or even communicate securely

• Used to monitor all transactions

• Record Passwords
  • Online Banking
  • Email
  • Purchases
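The failure on this slide, an app that opens a TLS connection but never checks the certificate, is a two-line mistake in most client libraries, so it is worth seeing the weak setting beside the corrected one. The following is an added example, not code from the presentation or from TraceSecurity, written with Python's standard `ssl` module: `insecure_client_context` is the anti-pattern (any certificate accepted, so whoever runs the access point can present their own and read every transaction), `verified_client_context` is the fix, and `audit_client_context` is a small check that reports which of the weak settings a context still has. `fetch_head` is the only piece that touches the network and is there to show where the context is used; the host you pass it is your own choice.

```python
"""Added example (not from the TraceSecurity deck): a client that skips
certificate verification beside one that verifies, plus an audit helper."""
from __future__ import annotations

import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern the slide describes: a client that accepts any
    certificate. On an untrusted access point the network operator can
    present their own certificate and read the traffic unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, signed by anyone
    return ctx


def verified_client_context() -> ssl.SSLContext:
    """The corrected setup: chain validation against the platform trust store,
    hostname matching, and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means it would
    reject a forged, untrusted or mismatched certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: forged certificates accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings


def fetch_head(host: str, ctx: ssl.SSLContext, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS connection with the given context and return the status line
    of an HTTP HEAD request. With the verified context, an untrusted or
    mismatched certificate raises ssl.SSLCertVerificationError instead of
    silently handing the session to whoever is in the middle."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            return tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("verified", verified_client_context())):
        print(name, audit_client_context(ctx) or "no findings")
```

The audit only inspects the context object, so it runs offline; the same three properties are what to look for when reviewing an app's networking code, whatever library it uses.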

Page 86

What can you do?

Awareness training

Be careful what apps you use while on insecure wireless access points

When in doubt, use carrier service instead of Wi-Fi

Page 87

Changing Subjects

Page 88

After hours concerns

Hacking is not the only threat to organizations

Page 89

After hours concerns

How do you gain complete control of an organization's internal network?

The Cleaning Crew

Page 90

After hours concerns

Why go after the cleaning crew?

• Cleaning crews have complete access to the facility

• Employees often are recognized by cleaning crew

• No one ever knows you were there

Video

Page 91

Page 92

After hours concerns

Other ways to get in

• An ID card is as good as a key

Page 93

After hours concerns

What can you do to protect your organization?

• Strict policies for cleaning crew
  • Do not allow anyone in after hours without a key
  • Even if you know the person, they are not allowed in
  • When they exit to take out trash, do not prop open doors

• Contact list available for cleaning crew
  • Easy to access list of contacts in case of problems / questions

• Test cleaning crew
  • Send real employees from time to time after hours and see if they can gain access…

Page 94

After hours concerns

What happens when cleaning crews follow proper procedures?

Page 95

After Hours Concerns

Page 96

In the end…

Page 97

In the end

Mobile devices will continue to become more integrated into the workplace

Organizations need to make sure they are conducting risk assessments, creating policies and auditing their procedures to ensure their networks remain secure

Because mobile technology is rapidly changing, organizations should have scheduled reviews of the existing policies to make sure they remain relevant and effective

Page 98

TraceSecurity Inc.

• Comprehensive Security Assessments
• Risk Assessments
• Penetration Testing
• IT Audits
• Vendor Management
• Comprehensive Regulation Compliance Review
• Online Banking Application Testing
• Remote and Onsite Social Engineering
• Policy Development and Review
• Training – (Onsite / Online) Employee & Customer

Reach me at: [email protected]

www.tracesecurity.com

Page 99

GRC Simplified

- Need a self-contained solution that integrates all functional areas necessary to manage an on-going risk-based information security program

• Risk

• Policy

• Vulnerability

• Training

• Vendor

• Audit

• Compliance

• Incident Response

• Business Impact Analysis

• Business Continuity Planning

• Process

• Reporting

Page 100

www.TraceSecurity.com