Manage Mobile Security Incidents Like A Boss, by Ismail Guneydas (document posted 16-May-2020)

  • @NTXISSA #NTXISSACSC3

    Manage Mobile Security Incidents Like A Boss

    Ismail Guneydas

    Security Manager/Faculty

    Kimberly Clark/Texas A&M

    10/02/2015

    Legal Notice From My Lawyer

    The opinions expressed in this presentation represent my own and not my employer's.

    Bio

    • Sr. Vulnerability Manager at Kimberly Clark. Built and manages KCC's first vulnerability management program.

    • Previously I worked at Yahoo!, where I built and led global e-Crime investigations and incident response teams. I received Yahoo! Hackovation and Yahoo! Excellence awards for my innovative work in successful operations against fake customer care centers.

    • Adjunct faculty at Texas A&M University, where I teach computer science courses.

    • Completed a Master of Science in Computer Science and hold degrees in Mathematics and Electronics Engineering. Currently working towards an MBA at UT Dallas.

    Agenda

    • Mobile Industry In Numbers
    • Mobile Security In Numbers
    • Mobile Security vs PC Security
    • Mobile Vulnerability Triage
      • Android
      • iOS
    • Conclusion

    Mobile Industry In Numbers

    • Google's store has 1.6 million applications, and Apple's store has 1.5 million applications.

    • There are 102 billion mobile app downloads worldwide, and 9 billion of them are paid apps.

    • This generated 26 billion U.S. dollars.

    NTX ISSA Cyber Security Conference – October 2-3, 2015

    Security Problems

    • Companies desperately try to establish a mobile presence and ask their IT departments, or hire third parties, to create mobile applications for their products, services and web sites.

    • Companies want to get their apps out as soon as possible, just as in the 90s they wanted their websites out without checking their security.

    Mobile Security in Numbers

    • The number of software programs aimed at mobile devices has reportedly risen from about 14,000 to 40,000, about 185%, in less than a year.

    [Chart: iOS Vulnerabilities per year, 2007-2015 (y-axis 0-300)]

    [Chart: Android Vulnerabilities per year, 2009-2015 (y-axis 0-40)]

    Mobile vs Traditional OS Vulnerability Type

    [Chart: iOS Vulnerabilities By Type (y-axis 0-400)]

    [Chart: Windows 7 Vulnerabilities By Type (y-axis 0-250)]

    The Challenges For Incident Responders

    • Vulnerability X works only in Android version Y, and only on hardware such as Samsung Model Z.

    • This could mean security teams need to buy all of that hardware.

    • Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents as if they were traditional web security incidents.

    • These cause longer hours of work and potentially don't help the company fix the issue.

    Mobile vs PC Security

    DFIR
      Mobile: Lots of things to figure out; tools are not capable.
      PC: Well established.

    Vulnerability Management
      Mobile: Harder. Old vulnerabilities require new testing mechanisms. Management of devices: distributed, no custom image.
      PC: Good tools for testing vulnerabilities. Good patch management tools, process, methodologies.

    Network Intrusion
      Mobile: Harder (LTE, 4G, 3G).
      PC: Established.

    e-Crime
      Mobile: Apps store lots of sensitive info including birth date, banking credentials etc. Credit card numbers are also stored.
      PC: Similar to mobile.

    Physical Security
      Mobile: Easy to steal.
      PC: Established.

    Mobile Vulnerability Triage

    • Listening to traffic
    • Web vulnerabilities, networking vulnerabilities
    • SSL vulnerabilities
      • SSL validation
      • Hostname mismatch

    Mobile Vulnerability Triage: Android

    • Potential Solutions

    1) Cloud solutions
       - Testroid, for pentesting of APK files

    2) VM
       - Not flexible
       - Networking issue when dumping traffic (need to use a VPN, since some corporate networks offer no bridge mode)

    Mobile Vulnerability Triage: Android

    3) Android SDK
       - No need to install image/API/device images
       - Very flexible
       - Full emulator which actually runs on a real firmware image. Other than hardware vulnerabilities, we can reproduce any vulnerability in our code.

    Creating Emulator and Virtual Devices

    • AVD Manager

      The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.

      You can launch the AVD Manager in one of the following ways:
      • In Eclipse: select Window > Android Virtual Device Manager, or click the AVD Manager icon in the toolbar.
      • In Android Studio: select Tools > Android > AVD Manager, or click the AVD Manager icon in the toolbar.
      • In other IDEs: navigate to your SDK's tools/ directory and execute android avd.

    • Emulator

      The Android SDK includes a mobile device emulator — a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device.

    Creating VD

    VD List

    Emulator

    Networking Scheme

    10.0.2.1                        Router/gateway address
    10.0.2.2                        Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine)
    10.0.2.3                        First DNS server
    10.0.2.4 / 10.0.2.5 / 10.0.2.6  Optional second, third and fourth DNS server (if any)
    10.0.2.15                       The emulated device's own network/ethernet interface
    127.0.0.1                       The emulated device's own loopback interface

    Sniffing Traffic

    1st way (emulator command line):

      $ emulator -tcpdump pcapFile.pcap -avd myAvd

      Hint: the other emulator options are documented at http://developer.android.com/tools/devices/emulator.html

    2nd way (emulator console):

      $ telnet localhost <console port number>
      network capture start pcapFile.pcap
      network capture stop

      Hint: the other console commands are documented at http://developer.android.com/tools/devices/emulator.html

    Sniffing Traffic: iOS Devices

    • Connect the iOS device to your Mac.
    • Find out the iOS device's UDID:
      • Open iTunes
      • Find your device and find the serial number
      • Click it, then you will see your UDID
    • Go to your terminal and type ifconfig -l
    • Type rvictl -s UDID to start the device, e.g.:

      rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
      Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94 [SUCCEEDED]

    • Type ifconfig -l again; you will see a new interface, i.e. rvi0
    • Go to Wireshark or use tcpdump to dump the traffic:

      sudo tcpdump -i rvi0 -w dump.dump
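A worked triage pass over a capture like the ones the two preceding slides produce (emulator -tcpdump on Android, or tcpdump -w on the rvi0 interface for iOS), added here as an example; it is not code from the original presentation. To run offline it builds a small constructed pcap inline: the addresses, hostnames and request bodies are made up, and DEVICE_IP follows the emulator networking scheme (10.0.2.15 is the emulated device). The script flags cleartext HTTP requests leaving the device, raising the severity when the request carries credential-looking fields, and notes TLS handshakes as the connections to check later in Burp.

```python
import struct

# From the emulator networking scheme: the emulated device is 10.0.2.15.
DEVICE_IP = "10.0.2.15"


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame (checksums left zero; constructed sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)         # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Minimal libpcap file: global header (link type 1 = Ethernet) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield each captured frame from a little- or big-endian libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")
CREDENTIAL_MARKERS = (b"authorization:", b"password=", b"cookie:")


def triage(pcap_bytes, device_ip=DEVICE_IP):
    """Classify outbound device traffic: cleartext HTTP is MEDIUM, HIGH with credentials; TLS is INFO."""
    findings = []
    for frame in iter_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if src != device_ip or not payload:      # only what the device sends out
            continue
        if payload.startswith(HTTP_METHODS):
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            lowered = payload.lower()
            severity = "HIGH" if any(m in lowered for m in CREDENTIAL_MARKERS) else "MEDIUM"
            findings.append((severity, f"cleartext HTTP to {dst}:{dport} - {request_line}"))
        elif payload[:2] == b"\x16\x03":         # TLS record type handshake, version 3.x
            findings.append(("INFO", f"TLS handshake to {dst}:{dport}"))
    return findings


# Constructed sample capture: two cleartext requests, one TLS handshake, one inbound reply.
SAMPLE_FRAMES = [
    build_frame(DEVICE_IP, "203.0.113.10", 40001, 80,
                b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n\r\nuser=alice&password=hunter2"),
    build_frame(DEVICE_IP, "203.0.113.10", 40002, 80,
                b"GET /banner.png HTTP/1.1\r\nHost: api.example.test\r\n\r\n"),
    build_frame(DEVICE_IP, "203.0.113.20", 40003, 443,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),   # TLS record header + stub ClientHello
    build_frame("203.0.113.10", DEVICE_IP, 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),  # inbound, ignored
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_PCAP):
        print(f"[{severity}] {detail}")
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of pcapFile.pcap (or dump.dump) and, for an iOS capture, set device_ip to the phone's own address. Only TCP over plain Ethernet is parsed; VLAN tags and IPv6 are skipped, which keeps the parser short but means those flows would need a second pass.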

    Validating SSL Vulnerabilities

    • Download Burp Suite and configure it like this:
      • Click the Proxy tab and then the Intercept tab. Make sure intercept is off.
      • Go to the Options tab (still under the Proxy tab). Under Proxy Listeners add a listener on your network device (by default it only listens on localhost).

    Malicious Certificate

    • By default Burp Suite acts as a man in the middle for HTTPS connections. That means it sends its own certificate to your mobile device and deals with the original HTTPS site by itself. Look below:

      iPhone --(encrypted with Burp Suite CA)-- Burp Suite --(encrypted with banking site CA)-- Banking Site

    • This means your app should recognize that this is not a valid certificate for the site it originally requested (i.e. the banking site) and drop the connection. At a minimum, you should receive a warning from the app, but ideally you see no traffic at all. Many apps will just fail silently or complain of connection issues, which isn't ideal, but is not "insecure" per se.

    • If you see any traffic in Burp Suite, that means your app has a validation problem.

    Second vulnerability: Hostname Mismatch

    • Is the certificate's hostname verified by your application?

    • For this you will need to acquire a valid
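The hostname check this slide asks about, written out as an added example; it is not code from the presentation. hostname_matches() takes a certificate in the dict shape Python's ssl.getpeercert() returns and applies the RFC 6125 rules (subjectAltName first, a wildcard only as the whole left-most label, the CN only for legacy certificates without SANs). The certificates below are constructed samples. OTHER_CERT is the case the slide is about: a certificate that chains to a trusted CA but was issued for a different site, which a correct client must reject even though chain validation passes.

```python
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name against the requested host (RFC 6125 style).

    A wildcard is accepted only as the entire left-most label, and only when at
    least two labels follow it, so "*.bank.example" matches "api.bank.example"
    but not "bank.example" or "a.b.bank.example".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not label for label in p + h):
        return False
    if "*" in pattern:
        if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return p[1:] == h[1:]
    return p == h


def hostname_matches(cert, hostname):
    """Check a certificate (ssl.getpeercert()-shaped dict) against the host the app asked for.

    subjectAltName is authoritative when present; the CN is consulted only for
    legacy certificates that carry no SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal must match an IP SAN exactly; DNS names never match it.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names or ip_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def triage_hostname_check(cert, requested_host):
    """Verdict a tester expects from a correctly written client for this cert/host pair."""
    return "accept" if hostname_matches(cert, requested_host) else "reject: hostname mismatch"


# Constructed sample certificates, shaped like ssl.getpeercert() output.
BANK_CERT = {
    "subject": ((("commonName", "api.bank.example"),),),
    "subjectAltName": (("DNS", "api.bank.example"), ("DNS", "*.bank.example")),
}
OTHER_CERT = {   # validly issued, but to a different site: chain-valid, hostname-wrong
    "subject": ((("commonName", "www.other.example"),),),
    "subjectAltName": (("DNS", "www.other.example"), ("IP Address", "203.0.113.5")),
}
LEGACY_CERT = {  # no SAN at all, so the CN is the only name to check
    "subject": ((("commonName", "legacy.bank.example"),),),
}

if __name__ == "__main__":
    for label, cert, host in [("bank cert, bank host", BANK_CERT, "api.bank.example"),
                              ("other cert, bank host", OTHER_CERT, "api.bank.example"),
                              ("bank wildcard, two levels", BANK_CERT, "a.b.bank.example")]:
        print(f"{label}: {triage_hostname_check(cert, host)}")
```

An app that passes the first slide's test (it rejects Burp's self-signed certificate) can still fail this one if it only checks that the chain is trusted and never compares the names, which is what a permissive hostname verifier does; the function above is the comparison such an app is missing.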
