
Five Lessons in Mobile Security

Brian Tokuyoshi, Solution Analyst

Are mobile users safe?

2 | 2012, Palo Alto Networks. Confidential and Proprietary.

Attacks on the Network Connection

Sniffing on Wi-Fi Networks
- Open Wi-Fi is sniffable by everyone
- Easy-to-use GUI tools make it simple to try different attacks on WEP / WPA / WPA2
- Example: Fern WiFi Cracker, shipped with BackTrack 5 / Kali Linux

Stealing Session Cookies without a Password
- Wireshark captures the cleartext HTTP session, including the Cookie header
- A Firefox cookie editor add-on (Add & Edit Cookies) loads the captured cookie into the attacker's browser, which then resumes the victim's session without ever knowing the password
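The two sides of the cookie-theft slide, as an added example written for this page (it is not code from the slides or from Wireshark): what an attacker reads out of a sniffed cleartext request, and the server-side check that decides whether a cookie is exposed to that attack at all. The captured request and the Set-Cookie headers are constructed sample data; the host and cookie names are placeholders.

```python
"""Session cookies on cleartext HTTP.

extract_session_cookies(): what a Wireshark "Follow TCP Stream" on open Wi-Fi
    hands the attacker. The Cookie header alone is the session; no password is
    needed to replay it from a cookie-editor add-on.
audit_set_cookie(): the defender's check on the server's Set-Cookie headers. A
    cookie without the Secure flag is sent over plain HTTP too, and is therefore
    sniffable; a session cookie without HttpOnly is also readable by script.
All sample data below is constructed for this example.
"""
from http.cookies import SimpleCookie

# Constructed sample: a cleartext HTTP request as seen in a Wi-Fi capture.
CAPTURED_REQUEST = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: webmail.example.com\r\n"
    "Cookie: sessionid=3f9a1c7e5d2b; lang=en; remember_me=1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Constructed sample: the response headers that originally issued the cookies.
CAPTURED_RESPONSE_HEADERS = [
    "Set-Cookie: sessionid=3f9a1c7e5d2b; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Set-Cookie: csrftoken=9b8e; Path=/; Secure; HttpOnly",
]


def parse_headers(raw_request):
    """Header block of a raw HTTP request as {lowercased name: value}."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_session_cookies(raw_request):
    """Cookies from a sniffed request as {name: value}: everything needed to replay the session."""
    jar = SimpleCookie()
    jar.load(parse_headers(raw_request).get("cookie", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def audit_set_cookie(set_cookie_headers, session_names=("sessionid",)):
    """Return {cookie name: [problems]} for cookies exposed to sniffing or script access."""
    findings = {}
    for header in set_cookie_headers:
        _, _, value = header.partition(":")  # strip the "Set-Cookie:" label
        jar = SimpleCookie()
        jar.load(value.strip())
        for name, morsel in jar.items():
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: sent in the clear over HTTP")
            if name in session_names and not morsel["httponly"]:
                problems.append("missing HttpOnly: readable by script")
            if problems:
                findings[name] = problems
    return findings


if __name__ == "__main__":
    print("sniffed cookies:", extract_session_cookies(CAPTURED_REQUEST))
    for name, problems in audit_set_cookie(CAPTURED_RESPONSE_HEADERS).items():
        print(name, "->", "; ".join(problems))
```

The audit flags `sessionid` and `lang` but not `csrftoken`: only a cookie marked Secure stays off the cleartext leg the Pineapple or a Wi-Fi sniffer can see.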

Attacking Internal Wi-Fi Networks by Snail Mail
1. Load attack software on a cheap, generic prepaid smartphone
2. Snail-mail the device to the victim
3. The attacker can now perform a local attack on Wi-Fi / Bluetooth devices in the mailroom's proximity

Inserting a Man-in-the-Middle with Reaver
1. Social Engineering Toolkit is used to generate a copy of a legitimate site with an exploit embedded
2. Attacker uses brute force against Wi-Fi Protected Setup (the reaver attack) to get access to the admin console; reaver recovers the WPS PIN and with it the WPA/WPA2 passphrase, which puts the attacker on the LAN side of the router
3. Attacker modifies the hotspot and sets up DNS spoofing
4. Victim is redirected to the modified web page
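Why step 2 is feasible at all: the WPS registrar confirms the first four PIN digits before it looks at the last four, and the eighth digit is a checksum, so the PIN is guessed in two small halves. The example below is added for this page and is not code from the slides or from reaver; the checksum routine is the WPS specification's, while the registrar class is a constructed stand-in that models only the split verification and none of the real WPS message exchange.

```python
"""WPS PIN brute force: why the reaver attack needs at most 11,000 guesses.

SimulatedWpsRegistrar is a constructed stand-in for an access point's WPS
registrar. It models the single property reaver exploits: the AP's M4 reply
confirms digits 1-4 before the AP ever checks digits 5-8 (M6), so each half
is guessed independently. It is not an implementation of the WPS protocol.
"""


def wps_pin_checksum(first_seven):
    """Checksum digit for the first seven digits of a WPS PIN (given as an int)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if an 8-digit PIN string carries a correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_pin_checksum(int(pin[:7])) == int(pin[7])


NAIVE_ATTEMPTS = 10 ** 7             # 7 free digits if the PIN were checked as a whole
WORST_CASE_ATTEMPTS = 10_000 + 1_000  # first half, then 3 digits + derived checksum


class SimulatedWpsRegistrar:
    """Constructed stand-in for an AP's WPS registrar (not the real protocol)."""

    def __init__(self, pin):
        if not is_valid_wps_pin(pin):
            raise ValueError("PIN fails the WPS checksum")
        self._first_half = pin[:4]
        self._second_half = pin[4:]
        self.attempts = 0

    def m4_accepts(self, first_half):
        """The AP's M4 reply leaks whether digits 1-4 were right."""
        self.attempts += 1
        return first_half == self._first_half

    def m6_accepts(self, second_half):
        """Only reached after M4 succeeded; confirms digits 5-8."""
        self.attempts += 1
        return second_half == self._second_half


def brute_force_wps(registrar):
    """Recover the PIN half by half. Returns (pin, number of attempts used)."""
    first_half = None
    for i in range(10_000):
        guess = f"{i:04d}"
        if registrar.m4_accepts(guess):
            first_half = guess
            break
    if first_half is None:
        raise RuntimeError("first half not found")
    for j in range(1_000):
        three = f"{j:03d}"
        # the checksum digit is derived, so only 1,000 second halves exist
        guess = three + str(wps_pin_checksum(int(first_half + three)))
        if registrar.m6_accepts(guess):
            return first_half + guess, registrar.attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedWpsRegistrar("12345670")  # a checksum-valid example PIN
    print(brute_force_wps(ap), "attempts; naive search space:", NAIVE_ATTEMPTS)
```

Against the worst-case PIN the search exhausts 10,000 + 1,000 guesses; against a whole-PIN check it would be 10^7. That ratio, not any cryptographic weakness, is the reaver attack.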

Man in the Middle - The Pineapple
- Low-cost wireless pen testing tool
- Runs the Jasager / Karma attack
- Hardware & accessories:
  - USB port to run a 3G modem, or a second Wi-Fi interface to tether
  - Can use an Ethernet connection to tether
  - New version has dual antennas to run a bridge to the existing network
  - Optional battery pack
- Supports plugins for packet capture and SSL interception

Normal Wireless Network Discovery
The client probes for each network in its preferred list; only the access point that actually serves that SSID answers:
  Client: Probe request: Is ACME_Corp there?   -> No response
  Client: Probe request: Is CoffeeShop there?  -> No response
  Client: Probe request: Is JoesHome there?    -> Probe response: Yes (SSID: JoesHome)

Man in the Middle: The Pineapple
The modified access point answers every probe:
  Client: Probe request: Is ACME_Corp there?   -> Probe response: Yes
  Client: Probe request: Is CoffeeShop there?  -> Probe response: Yes
  Client: Probe request: Is JoesHome there?    -> Probe response: Yes
- Generates a deauth to knock clients off the network they are on
- Pretends to be whatever access point the client's probe request asks for
- Attacker controls ALL of the content the victim sees
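The two behaviours above leave a signature in the air that a monitor-mode capture can pick up: one BSSID sending probe responses for unrelated SSIDs, and a burst of deauthentication frames. The detector below is an added example for this page, not code from the slides or from the Pineapple/Jasager project; its frame log is a constructed, simplified list of tuples rather than parsed 802.11 frames (a real capture would go through an 802.11 parser such as scapy's Dot11 layers first).

```python
"""Two indicators of a Karma-style access point, computed over a frame log.

Frame records are constructed (time_s, subtype, source_mac, ssid_or_None)
tuples standing in for parsed 802.11 management frames.
"""
from collections import defaultdict

FRAMES = [
    (0.0, "probe_resp", "aa:bb:cc:00:00:01", "JoesHome"),   # the honest AP
    (0.4, "probe_resp", "aa:bb:cc:00:00:01", "JoesHome"),
    (5.0, "deauth",     "de:ad:be:ef:00:01", None),         # Pineapple kicks clients off
    (5.1, "deauth",     "de:ad:be:ef:00:01", None),
    (5.2, "deauth",     "de:ad:be:ef:00:01", None),
    (5.3, "deauth",     "de:ad:be:ef:00:01", None),
    (5.4, "deauth",     "de:ad:be:ef:00:01", None),
    (5.5, "deauth",     "de:ad:be:ef:00:01", None),
    (6.0, "probe_resp", "de:ad:be:ef:00:01", "ACME_Corp"),  # answers every probe
    (6.1, "probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    (6.2, "probe_resp", "de:ad:be:ef:00:01", "JoesHome"),
    (9.0, "deauth",     "aa:bb:cc:00:00:01", None),         # a lone, legitimate deauth
]


def ssids_answered(frames):
    """Map each responding MAC to the set of SSIDs it claimed in probe responses."""
    answered = defaultdict(set)
    for _t, subtype, mac, ssid in frames:
        if subtype == "probe_resp" and ssid:
            answered[mac].add(ssid)
    return answered


def karma_suspects(frames, max_ssids=1):
    """MACs answering probes for more distinct SSIDs than a normal AP serves.

    max_ssids is a tuning knob: an AP broadcasting corporate and guest networks
    from one BSSID legitimately answers for two names, so raise it there.
    """
    return {mac: ssids for mac, ssids in ssids_answered(frames).items() if len(ssids) > max_ssids}


def deauth_bursts(frames, window_s=2.0, threshold=5):
    """MACs that sent at least `threshold` deauths inside any `window_s` seconds.

    Returns {mac: largest number of deauths seen in one window}.
    """
    times = defaultdict(list)
    for t, subtype, mac, _ssid in frames:
        if subtype == "deauth":
            times[mac].append(t)
    bursts = {}
    for mac, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):       # sliding window over sorted timestamps
            while t - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[mac] = best
    return bursts


if __name__ == "__main__":
    print("karma suspects:", karma_suspects(FRAMES))
    print("deauth bursts:", deauth_bursts(FRAMES))
```

Both indicators fire on the same MAC here; in practice correlate them, since either alone has benign explanations (multi-SSID APs, a controller rebooting a radio).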

What's Wrong with this Page?
(Annotated screenshot of a login page)
- The icon next to the address is a FavIcon, not a security indicator
- No HTTPS
- The login form is submitted in the clear!

Man in the Middle with SSLstrip
Victim <-> Modified Access Point (the Pineapple) <-> Web Server
1. Victim sends a request; the modified access point forwards it and opens the SSL/TLS connection to the web server itself
2. SSL handshake between the access point and the server: the server sends its certificate and a session key is established
3. Server sends encrypted content; the access point receives it and decrypts it
4. The access point relays a stripped copy, so the user sees a non-encrypted page
5. User sends non-encrypted content back, which is intercepted by the Pineapple before it is re-encrypted towards the server

Traffic encrypted: only on the leg between the Pineapple and the web server
Traffic intercepted by the Pineapple: the whole leg between the victim and the Pineapple
iOS 7: the only visual cue that a page is encrypted is a small B&W icon, so its absence is easy to miss
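The rewrite that step 4 performs, and the server-side header that stops it, as an added example written for this page (not code from the slides or from sslstrip). The page, the hostnames and the response headers are constructed.

```python
"""The sslstrip rewrite and the Strict-Transport-Security check that defeats it.

strip_https() is the core rewrite sslstrip applies to every page it relays:
each https:// reference becomes http://, so the victim's browser only ever
requests cleartext URLs while the MITM speaks TLS to the real server.
hsts_protects() checks the server's response for the header that makes a
browser upgrade the stripped link back to https on its own.
"""
import re

# Constructed sample: the page as the real server sends it over TLS
ORIGINAL_PAGE = """<html><body>
<form action="https://bank.example.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="https://bank.example.com/account">Account</a>
<a href="http://static.example.com/help">Help</a>
</body></html>"""

# Constructed sample response headers, with and without HSTS
HEADERS_WITHOUT_HSTS = [("Content-Type", "text/html")]
HEADERS_WITH_HSTS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

HTTPS_SCHEME = re.compile(r"https://", re.IGNORECASE)


def strip_https(html):
    """What sslstrip relays to the victim: every https:// reference downgraded to http://."""
    return HTTPS_SCHEME.sub("http://", html)


def count_https_references(html):
    """References that would still make the browser negotiate TLS itself."""
    return len(HTTPS_SCHEME.findall(html))


def hsts_max_age(headers):
    """max-age of a Strict-Transport-Security header, or None if absent or malformed."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
            if match:
                return int(match.group(1))
    return None


def hsts_protects(headers):
    """True if a browser that has cached these headers refuses the downgraded http:// link.

    Caveat the check cannot see: HSTS is trust-on-first-use. A browser that has
    never reached the site over TLS, or whose entry expired, enforces nothing,
    which is exactly the situation a first visit through the Pineapple creates
    (preloading the domain in browsers closes that gap).
    """
    age = hsts_max_age(headers)
    return age is not None and age > 0


if __name__ == "__main__":
    stripped = strip_https(ORIGINAL_PAGE)
    print(stripped)
    print("https refs before/after:", count_https_references(ORIGINAL_PAGE), count_https_references(stripped))
    print("HSTS protects:", hsts_protects(HEADERS_WITH_HSTS), hsts_protects(HEADERS_WITHOUT_HSTS))
```

After the rewrite the login form posts to a cleartext URL, which is the "user sends non-encrypted content" step of the diagram; the credentials cross the Pineapple in the clear.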

Apps Behaving Badly


Don't Depend on the App's Security

Security Measures and Permissions
- Android app permission requests are all or nothing: the user accepts every requested permission at install time or does not install the app
- Android App Ops, a hidden granular per-app permission manager in 4.3, was removed in 4.4
- Downloaded code (plug-ins, ad networks) runs with the app's permissions
- Exploits against an app inherit the app's permissions
- Some apps upload content to the cloud
- Jailbroken / rooted devices remove even the basic checks

File Binders
Legitimate App + Malware Payload -> one repackaged app
Binders hide the malware to bypass app verification
Source: Symantec

Commercial Spying Software
- Dual-purpose software (can be used for good or bad)
- Monitors just about everything (calls, email, text, photos, video)
- Not detectable by the user
- Can be used for remote surveillance

The Threat Landscape Continues to Evolve


The Basics on Threats

Threat                     What it is                                    What it does
Exploit                    Bad application input, usually in the form    Targets a vulnerability to hijack control of the
                           of network traffic                            target application or machine
Malware                    Malicious application or code                 Anything: downloads, hacks, explores, steals
Command and Control (C2)   Network traffic generated by malware          Keeps the remote attacker in control and coordinates the
Today's Threats Use Blended Techniques
1. Bait the end-user: the end-user is lured to a dangerous application or website containing malicious content
2. Exploit: the infected content exploits the end-user's device, often without their knowledge
3. Download backdoor: a secondary payload is downloaded in the background and malware is installed
4. Establish back-channel: the malware establishes an outbound connection to the attacker for ongoing control
5. Explore & steal: the remote attacker has control inside the network and escalates the attack

20 | 2014, Palo Alto Networks. Confidential and Proprietary.
The WebView Exploit
- Website JavaScript opens a shell to the attacker: a page loaded in a WebView can reach the Java objects an app exposed through addJavascriptInterface and, via reflection, run arbitrary code with that app's permissions
- Affects all Android devices < 4.2 (from 4.2 / API 17, only methods annotated @JavascriptInterface are reachable, and only for apps that target API 17 or later)
- Big question on whether affected devices will ever be patched
- Added to Metasploit the week before this talk

Android Master Key Vulnerability
An Android Application Package (APK) is a ZIP archive containing:
  META-INF (signatures)
  lib
  res
  assets
  AndroidManifest.xml   <- signature of the original file is fine
  AndroidManifest.xml   <- a second entry with the same name does not get checked and overwrites the original
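The bug is a disagreement between two ZIP readers about which of two same-named entries is "the" file, and it can be reproduced with nothing but Python's zipfile. The script below is an added example for this page, not code from the slides or from Android: it builds an archive with AndroidManifest.xml twice, shows that name-based lookup returns one copy while an ordered walk of the central directory returns the other, and ends with the check a verifier needs. The manifest bodies are constructed placeholders and no APK signing is performed.

```python
"""Duplicate ZIP entries: two readers, two different "AndroidManifest.xml".

The Android "Master Key" bug was that the signature check and the install
path resolved a repeated entry name to different copies, so one copy was
verified and the other was installed. Python's zipfile shows the same split
inside a single library: ZipFile.read(name) goes through a name->entry dict
(last copy wins), while infolist() still lists every entry in order.
"""
import io
import warnings
import zipfile
from collections import Counter

ORIGINAL_MANIFEST = b"<manifest package='com.example.app'/>"  # constructed
MODIFIED_MANIFEST = b"<manifest package='com.example.app'><!-- injected --></manifest>"


def build_duplicate_entry_apk():
    """ZIP bytes with AndroidManifest.xml twice: the original first, the modified copy second."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name but writes it
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", ORIGINAL_MANIFEST)
            zf.writestr("classes.dex", b"dex\n035\x00")  # placeholder bytes
            zf.writestr("AndroidManifest.xml", MODIFIED_MANIFEST)
    return buf.getvalue()


def read_by_name(apk_bytes, name):
    """Name-based lookup: the dict built from the central directory keeps the LAST copy."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def read_first_copy(apk_bytes, name):
    """Walk the central directory in order and open the FIRST entry with that name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as fh:   # a ZipInfo pins the exact local header
                    return fh.read()
    raise KeyError(name)


def duplicate_entries(apk_bytes):
    """The check a verifier must run before trusting any signature: repeated entry names."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    apk = build_duplicate_entry_apk()
    print("by name :", read_by_name(apk, "AndroidManifest.xml"))
    print("first   :", read_first_copy(apk, "AndroidManifest.xml"))
    print("dups    :", duplicate_entries(apk))
```

Any component that verifies one lookup strategy and installs with another is exploitable this way, so the fix is not to pick a strategy but to reject the archive outright when `duplicate_entries()` returns anything.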

Why is Malware Targeting Android?

Malware by Platform
(Chart of malware counts by mobile platform; the figures are not reproduced here)

Why isn't there more iOS malware?
- iOS has a limited number of ways to install software:
  - App Store
  - Ad hoc provisioning profile for software testing
  - Otherwise the device has to be jailbroken
- Effectively the App Store acts as:
  - A whitelist for vetting apps
  - A choke point for updates
- No system is invulnerable, however

Why is Malware Focusing on Android?
- Android app sources:
  - Can support multiple app stores, some of dubious quality
  - Does not need to be jailbroken (rooted) to run code no store has vetted; an APK only needs a self-signed certificate
  - Users can turn off the app store restriction ("Unknown sources")
  - People want to turn off the app store restriction
- Android Verify Apps feature, added in 4.2, does app profiling at install time

DPlug Android Malware
Flow shown on the slide:
1. TTPod app in Google Play carries the DPlug code inside its mobile ad network code, presented as an in-app purchase
2. Victim is shown "Confirm?" and taps Accept
3. DPlug sends the device's IMSI / IMEI via SMS to the attacker
4. Attacker issues a forged subscribe; a premium SMS is sent and the victim is charged through premium SMS billing
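The permissions slide (everything inside the APK, ad-network code included, runs with the app's whole permission set) and the DPlug flow above come down to one triage question for a manifest: what does the combination of permissions let any code in the package do? The script below is an added example for this page, not code from the slides or from Android. The manifest is a constructed sample modelled on the DPlug case (a music player that can send SMS, read the IMSI/IMEI and reach the network); the pattern names and permission sets are my own choice, not an Android or vendor list.

```python
"""Permission-combination triage for an Android manifest.

declared_permissions() reads every <uses-permission> from the manifest;
matched_capabilities() reports which capability patterns the declared set
fully enables. Because permissions are granted as a block at install time,
every library and plug-in in the APK gets the same answer.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample modelled on the DPlug case
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.musicplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Music Player"/>
</manifest>"""

# Constructed sample of what the same player would plausibly need
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.musicplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Music Player"/>
</manifest>"""

# Capability -> permission set sufficient for it (my own list, not an official one)
PATTERNS = {
    "send premium SMS (toll fraud)": {"SEND_SMS"},
    "read incoming SMS (e.g. subscription confirmations)": {"RECEIVE_SMS"},
    "exfiltrate IMEI/IMSI over the network": {"READ_PHONE_STATE", "INTERNET"},
    "exfiltrate IMEI/IMSI over SMS": {"READ_PHONE_STATE", "SEND_SMS"},
}


def declared_permissions(manifest_xml):
    """Short names (e.g. SEND_SMS) of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(f"{{{ANDROID_NS}}}name", "")  # namespaced android:name
        if name:
            perms.add(name.rsplit(".", 1)[-1])
    return perms


def matched_capabilities(perms):
    """Capabilities whose full permission set is present: what any code in the APK can do."""
    return sorted(cap for cap, needed in PATTERNS.items() if needed <= perms)


def triage(manifest_xml):
    perms = declared_permissions(manifest_xml)
    return {"permissions": sorted(perms), "capabilities": matched_capabilities(perms)}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

For the sample manifest all four patterns match, and nothing in the manifest says which of the app, its ad SDK or a downloaded plug-in will exercise them; that is the point of the slide.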

Rethinking Mobile Security


Unlocking The Potential of Mobile Depends On Security
(Chart: benefits to business versus mobile maturity, from accessing business apps such as intranet and email through to running your business on mobile devices)

Existing Approaches for Mobile Security Don't Work

Approach                                          Exposure to Risk
Block mobile devices                              People will still use mobile devices, except without your control
Hope existing security protects mobile devices    Don't know if existing measures will be effective for mobile devices
Use basic mobile security like ActiveSync         Doesn't address mobile threats and won't secure apps and data

New approach to safely enabling mobile devices

Manage the Device
- Ensure devices are safely enabled while simplifying deployment & setup
- Ensure proper settings are in place, such as strong passcodes and encryption
- Simplify provisioning of common configuration like email and certificates

Protect the Device
- Protect the mobile device from exploits and malware
- Protecting the device from infection also protects confidential data and prevents unauthorized network access

Control the Data
- Control access to data and the movement of data between applications
- Control access by app, user, and device state
- Extend data movement controls to the device to ensure data stays within business apps

GlobalProtect Mobile Security Solution
- GlobalProtect Mobile Security Manager: provides device management, malware detection, and device state
- GlobalProtect Gateway: delivers mobile threat prevention and policy enforcement based on apps, users, content and device state
- GlobalProtect App: enables device management, provides device state information, and establishes secure connectivity

Manage The Device (GlobalProtect Mobile Security Manager with the GlobalProtect App)
Manage device settings
- Enforce security settings such as passcode
- Restrict device functions such as camera
- Configure accounts such as email, VPN, Wi-Fi settings
Understand device state
- Monitor and report device state for policy enforcement, such as:
  - Whitelisted / blacklisted apps
  - Rooted / jailbroken
Perform key operations
- Ex: lock, unlock, wipe, send a message
Detect Android malware
- Detect and react to the presence of malware

Protect The Device (GlobalProtect Gateway with the GlobalProtect App)
Consistent security everywhere
- IPsec/SSL VPN connection to a purpose-built next generation security platform for policy enforcement regardless of the device location
Mobile threat prevention
- Vulnerability (IPS) and malware (AV) protection for mobile threats
- URL filtering for protection against malicious websites
- WildFire static and dynamic analysis for advanced mobile threats

Control The Data (GlobalProtect Gateway with the GlobalProtect App)
Applications and Data
- Control access to applications and data
  - Granular policy determines which users and devices can access sensitive applications and data
  - Policy criteria based on application, user, content, device, and device state for control and visibility
  - Identify device types such as iOS, Android, Windows, Mac devices
  - Identify device ownership such as personal (BYOD) or corporate issued
  - Identify device states such as rooted/jailbroken
- File blocking based on content and content type
- Control data movement between apps on the device
- The solution provides the foundation for future developments in data protection

How the integrated solution works
(Architecture diagram: GlobalProtect App, Portal, Gateway and Mobile Security Manager)

Why Palo Alto Networks for Mobile Security

GlobalProtect Mobile Security Manager Ordering, Licensing and Availability
- Mobile Security Manager runs on the new GP-100 appliance
- GP-100 comes with support for up to 500 mobile devices
  - Additional capacity licenses (perpetual) to support additional devices: 1K, 2K, 5K, 10K, 25K, 50K, and 100K
- WildFire subscription (optional add-on) for Android malware detection
  - Price varies based on the underlying capacity license
- Orders and shipments expected February 2014
- GP-100 is not designed to be sold as a stand-alone product
  - Requires other GlobalProtect components for full functionality (app, portal, gateway)