@NTXISSA #NTXISSACSC3

Manage Mobile Security Incidents Like A Boss

Ismail Guneydas

Security Manager/Faculty

Kimberly Clark/Texas A&M

10/02/2015


Legal Notice From My Lawyer

The opinions expressed in this presentation represent my own and not my employer's.


Bio

• Sr. Vulnerability Manager at Kimberly Clark.
• Built and manages KCC's first vulnerability management program.
• Previously worked at Yahoo!, where I built and led global e-Crime investigations and incident response teams. Received the Yahoo! Hackovation and Yahoo! Excellence awards for innovative work in successful operations against fake customer care centers.
• Adjunct faculty at Texas A&M University, teaching computer science courses.
• Completed a Master of Science in Computer Science and hold degrees in Mathematics and Electronics Engineering. Currently working towards an MBA at UT Dallas.


Agenda

• Mobile Industry In Numbers
• Mobile Security In Numbers
• Mobile Security vs PC Security
• Mobile Vulnerability Triage
  - Android
  - iOS
• Conclusion


Mobile Industry In Numbers

• The Google store has 1.6 million applications and the Apple store has 1.5 million applications.
• There have been 102 billion mobile app downloads worldwide, 9 billion of them paid apps.
• This generated 26 billion U.S. dollars.

NTX ISSA Cyber Security Conference – October 2-3, 2015


Security Problems

• Companies are desperate to have a mobile presence and ask their IT departments, or hire third parties, to create mobile applications for their products, services and web sites.
• Companies want to get their apps out as soon as possible, just as in the 90s they wanted websites without checking their security.


Mobile Security in Numbers

• The number of software samples aimed at mobile devices has reportedly risen from about 14,000 to 40,000, or about 185%, in less than a year.

[Chart: iOS Vulnerabilities per year, 2007-2015 (y-axis 0-300)]

[Chart: Android Vulnerabilities per year, 2009-2015 (y-axis 0-40)]


Mobile vs Traditional OS Vulnerability Type

[Chart: iOS Vulnerabilities By Type (y-axis 0-400)]

[Chart: Windows 7 Vulnerabilities By Type (y-axis 0-250)]


The Challenges For Incident Responders

• Vulnerability X works only on Android version Y running on Samsung model Z hardware.
• This could mean security teams need to buy all of that hardware.
• Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents like traditional web security incidents.
• This causes longer hours of work and potentially doesn't help the company fix the issue.


Mobile vs PC Security

Area                     | Mobile                                                                                                        | PC
DFIR                     | Lots of things to figure out; tools are not capable                                                           | Well established
Vulnerability Management | Harder. Old vulnerabilities require new testing mechanisms. Management of devices is distributed; no custom image | Good tools for testing vulnerabilities. Good patch management tools, processes and methodologies
Network Intrusion        | Harder (LTE, 4G, 3G)                                                                                          | Established
e-Crime                  | Apps store lots of sensitive info including birth date, banking credentials etc.; CC (credit card) details are also stored | Similar to mobile
Physical Security        | Easy to steal                                                                                                 | Established


Mobile Vulnerability Triage

• Listening to traffic
• Web vulnerabilities, networking vulnerabilities
• SSL vulnerabilities
  - SSL validation
  - Hostname mismatch


Mobile Vulnerability Triage

Android

• Potential Solutions

1) Cloud solutions
   - Testroid: for pentesting apk files

2) VM
   - Not flexible
   - Networking issue when dumping traffic (need to use a VPN; otherwise there is no bridge mode on some corporate networks)


Mobile Vulnerability Triage

3) Android SDK
   - No need to install image/API/device images
   - Very flexible
   - Full emulator that actually runs on a real firmware image. Other than hardware vulnerabilities, we can reproduce any vulnerability in our code.


Creating Emulator and Virtual Devices

• AVD Manager

  The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.

  You can launch the AVD Manager in one of the following ways:
  - In Eclipse: select Window > Android Virtual Device Manager, or click the AVD Manager icon in the toolbar.
  - In Android Studio: select Tools > Android > AVD Manager, or click the AVD Manager icon in the toolbar.
  - In other IDEs: navigate to your SDK's tools/ directory and execute: android avd

• Emulator

  The Android SDK includes a mobile device emulator, a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device.


Creating VD


VD List


Emulator


Networking Scheme

10.0.2.1: Router/gateway address
10.0.2.2: Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine)
10.0.2.3: First DNS server
10.0.2.4 / 10.0.2.5 / 10.0.2.6: Optional second, third and fourth DNS servers (if any)
10.0.2.15: The emulated device's own network/ethernet interface
127.0.0.1: The emulated device's own loopback interface


Sniffing Traffic

• Sniff traffic, 1st way (emulator command line):

  $ emulator -tcpdump pcapFile.pcap -avd myAvd

• Hint: other emulator commands are documented at http://developer.android.com/tools/devices/emulator.html

• 2nd way (emulator console; the capture commands are typed at the console prompt, not the shell):

  $ telnet localhost portnumber
  network capture start pcapFile.pcap
  network capture stop

• Hint: other console commands are documented at the same page: http://developer.android.com/tools/devices/emulator.html


Sniffing Traffic iOS Devices

• Connect the iOS device to your Mac.
• Find the iOS device's UDID:
  - Open iTunes
  - Find your device and locate its serial number
  - Click it, and the UDID is shown in its place
• In a terminal, type ifconfig -l to list the current interfaces.
• Type rvictl -s UDID to start the device, e.g.:

  $ rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
  Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94 [SUCCEEDED]

• Type ifconfig -l again; you will see a new interface, e.g. rvi0.
• Use Wireshark or tcpdump on that interface to dump the traffic:

  $ sudo tcpdump -i rvi0 -w dump.dump


Validating SSL Vulnerabilities

• Download Burp Suite and configure it like this: click the Proxy tab, then the Intercept tab, and make sure intercept is off.
• Go to the Options tab (still under Proxy). Under Proxy Listeners, add a listener on your network interface (by default it only listens on localhost).


Malicious Certificate

• By default Burp Suite acts as a man-in-the-middle for HTTPS connections. That means it sends its own certificate to your mobile device and handles the connection to the original HTTPS site itself. Look below:

  iPhone --(encrypted with Burp Suite CA)-- Burp Suite --(encrypted with banking site's CA)-- Banking Site

• This means your app should recognize that this is not a valid certificate for the site it originally requested (i.e. the banking site) and drop the connection. At a minimum you should receive a warning from the app, but ideally you see no traffic at all. Many apps will just fail silently or complain of connection issues, which isn't ideal, but is not "insecure" per se.
• If you see any traffic in Burp Suite, that means your app has a certificate validation problem.


Second Vulnerability: Hostname Mismatch

• Is the certificate's hostname verified by your application?
• For this you will need to acquire a valid certificate from a CA that is trusted by your device. Comodo is a good source for a free 90-day certificate.
• Install the valid certificate in your Burp proxy and configure it to offer this certificate rather than the default.
• You can confirm step two is working by going into the native browser on the device and trying to open an HTTPS site. You should receive a certificate hostname warning, and when you view the certificate details you should see that the certificate you received is the one you installed in Burp Suite, not one issued by the PortSwigger CA.
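The two checks these last two slides triage, shown from the app side as an added example (not code from the talk or from Burp Suite): a client TLS context that either requires a trusted chain and a matching hostname or, like a vulnerable app, skips one of them, plus the hostname check itself run over a constructed certificate in the shape Python's getpeercert() returns. Function and sample names are assumptions.

```python
import ssl


def client_context(verify_chain=True, verify_hostname=True):
    """Client TLS context. Defaults are the secure configuration; passing
    False reproduces the two failures triaged above: verify_chain=False is
    the 'malicious certificate' case (Burp's own CA is accepted) and
    verify_hostname=False is the 'hostname mismatch' case (a CA-issued
    cert for the wrong host is accepted)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    if not verify_hostname or not verify_chain:
        ctx.check_hostname = False       # Python refuses CERT_NONE while this is on
    if not verify_chain:
        ctx.verify_mode = ssl.CERT_NONE  # any certificate from any issuer passes
    return ctx


def context_is_strict(ctx):
    """True only when both the chain and the hostname are verified."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def hostname_matches(peer_cert, hostname):
    """RFC 6125-style hostname check against a dict shaped like
    ssl.SSLSocket.getpeercert(): SAN dNSName entries first, CN only as a
    fallback. A wildcard may only be the leftmost label, must replace exactly
    one label, and must leave at least two labels (so '*.com' never matches)."""
    host = hostname.rstrip(".").lower()
    names = [v.lower() for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in peer_cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and name.count(".") >= 2:
            suffix = name[1:]                 # e.g. ".burp-tester.test"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:  # exactly one label replaced
                return True
    return False


# Constructed sample in getpeercert() shape: a perfectly valid CA-issued
# certificate, but for the tester's host rather than the banking API the app
# asked for. An app that skips hostname verification accepts it.
WRONG_HOST_CERT = {
    "subject": ((("commonName", "www.burp-tester.test"),),),
    "subjectAltName": (("DNS", "www.burp-tester.test"), ("DNS", "*.burp-tester.test")),
}
```

A client built with client_context() rejects both the Burp-issued certificate and the wrong-host certificate; hostname_matches(WRONG_HOST_CERT, "api.example-bank.test") returns False, which is the rejection a correctly written app must produce.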


Mobile Device Configuration


Burp Suite Configuration


Conclusion

• The mobile industry is a fast-growing, 26 billion dollar industry.
• Companies are rushing their mobile solutions out without proper security reviews.
• This makes mobile apps attractive to hackers.
• Most of the time incident responders don't have a good process for triaging the vulnerabilities and don't know the difference between PC and mobile vulnerabilities.
• By using free tools, an incident responder can triage mobile vulnerabilities.
• We need to think creatively!


Questions

• Email: [email protected]
• LinkedIn: linkedin.com/in/guneydas
• Twitter: realinfosec


The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)


Thank you