The Consumerisation of Corporate IT - An Ethical Hacker’s View
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
Slide 2 © First Base Technologies 2011
Who is Peter Wood?
• Worked in computers & electronics since 1969
• Founded First•Base in 1989 (one of the first ethical hacking firms)
• CEO First Base Technologies LLP
• Social engineer & penetration tester
• Conference speaker and security ‘expert’
• Chair of Advisory Board at CSA UK & Ireland
• Vice Chair of BCS Information Risk Management and Audit Group
• Vice President UK/EU Global Institute for Cyber Security + Research
• Member of ISACA Security Advisory Group
• Corporate Executive Programme Expert
• Knowthenet.org.uk Expert
• IISP Interviewer
• FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
• Registered BCS Security Consultant
• Member of ACM, ISACA, ISSA, Mensa
Slide 3
Agenda
1. Context, motivation, responses
2. Why is consumerisation an issue?
3. Not cool enough yet?
Note: this presentation offers no solutions … I break things, I don’t usually fix them
Slide 4
Consumerisation?
Slide 5
Consumer vs Corporate
Slide 6
I’ve seen this battle before …
Slide 7
MIT predicts …
Slide 8
Booz & Co. report
Employees expect to be able to use all the innovative new devices at their disposal, both to do their jobs and to maintain their always-connected lifestyles, while being able to work whenever and wherever they need to.
Corporate vs. Consumer
Slide 10
Consumer vs. Corporate
Slide 11
Booz & Co. report
… the efforts of corporate IT departments to maintain perimeter security by exerting tight control over their networks is ultimately doomed to failure.
Slide 12
BYOC/D/T/…
When Henry Ford introduced the Model T in 1908, the speed limit in most places - provided you were outside city limits - was just 20 miles per hour (in town, it was usually just 10 mph). That restriction seems hopelessly quaint today. You know what else will soon seem equally quaint? Your company's repressive approach towards employees' devices.
Gary Kovacs, senior vice president at Sybase
Slide 13
Bruce Schneier says …
Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
Slide 14
Consumerisation models?
Slide 15
Who’s doing it?
Slide 16
So why is this an issue?
Slide 18
Mobile risks at every layer
• NETWORK: Interception of data over the air
- WiFi has the same problems as laptops
- GSM has some cracks (Chris Paget, DEFCON 2010)
• HARDWARE: Baseband layer attacks
- Memory corruption defects in firmware used to root your device (Ralf-Philipp Weinmann, Black Hat DC 2011)
• OS: Defects in kernel or vendor supplied system code
- Every time iPhone or Android is rooted or jailbroken, this is usually the cause
• APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors
- Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual
Content courtesy of Jason Steer at Veracode
Slide 19
Activity monitoring and data retrieval
Mobile data that attackers can monitor and intercept:
• Messaging (SMS and Email)
• Audio (calls and open microphone recording)
• Video (still and full-motion)
• Location
• Contact list
• Call history
• Browsing history
• Input
• Data files
Content courtesy of Jason Steer at Veracode
Slide 20
Activity monitoring and data retrieval
Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts-banned-android/
RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
Content courtesy of Jason Steer at Veracode
Slide 21
Unauthorized dialing, SMS, and payments
• Directly monetize a compromised device
• Premium rate phone calls, premium rate SMS texts, mobile payments
• SMS text message as a spreading vector for worms
Premium rate SMS: Trojan-MS.AndroidOS.FakePlayer.a
Premium rate phone call: Windows Mobile Troj/Terdial-A
Content courtesy of Jason Steer at Veracode
Slide 22
Unauthorized network connectivity (exfiltration or command & control)
• Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker
• Communication channels for exfiltration and command and control:
- Email
- SMS
- HTTP get/post
- TCP socket
- UDP socket
- DNS exfiltration
- Bluetooth
- Blackberry Messenger
- Endless list …
Content courtesy of Jason Steer at Veracode
Slide 23
UI impersonation
• Similar to phishing attacks that impersonate the website of the victim’s bank or online service
• Web view applications on the mobile device can proxy to legitimate website
• Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application
• Victim is asked to authenticate and ends up sending their credentials to an attacker
Proxy/MITM: 09Droid banking apps (fake banking apps for Android)
Content courtesy of Jason Steer at Veracode
Slide 24
Sensitive data leakage
Content courtesy of Jason Steer at Veracode
Slide 25
Unsafe sensitive data storage
• Mobile apps often store sensitive data such as banking and payment system PINs, credit card numbers, or online service passwords
• Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it from the file system
- Citibank: insecure storage of sensitive data
- Wells Fargo Mobile app 1.1 for Android
Content courtesy of Jason Steer at Veracode
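The storage point above, as an added example that is not part of the original deck or of Veracode's material: the weak pattern (the PIN itself written to a preferences file) beside the hardened pattern for a secret that only has to be verified, not recovered (a salted PBKDF2-HMAC-SHA256 digest with a constant-time comparison). The file names, PIN value and iteration count are constructed for the demonstration; Python stands in for the app's native language so the logic can be run anywhere.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

# Assumption: an iteration count sized for a handset CPU; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000


def store_pin_insecure(prefs_path: Path, pin: str) -> None:
    """The weak pattern: the PIN itself lands in the preferences file."""
    prefs_path.write_text(json.dumps({"pin": pin}))


def hash_pin(pin: str, salt: Optional[bytes] = None) -> dict:
    """Hardened pattern: keep only a salted PBKDF2-HMAC-SHA256 digest.

    A fresh random salt per record means two users with the same PIN get
    different digests, so an attacker who lifts the file has to brute-force
    each record separately at PBKDF2_ITERATIONS of work per guess.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def store_pin_hashed(prefs_path: Path, pin: str) -> dict:
    """Write the digest record instead of the PIN; return it for later checks."""
    record = hash_pin(pin)
    prefs_path.write_text(json.dumps(record))
    return record


def verify_pin(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def record_leaks_pin(record: dict, pin: str) -> bool:
    """The check an attacker with file-system access makes: is the PIN in the bytes?"""
    return pin in json.dumps(record)


def demo(pin: str = "482193") -> dict:
    """Run both patterns against temporary files and report what each leaks."""
    with tempfile.TemporaryDirectory() as d:
        weak, strong = Path(d) / "weak_prefs.json", Path(d) / "strong_prefs.json"
        store_pin_insecure(weak, pin)
        record = store_pin_hashed(strong, pin)
        return {
            "plaintext_file_leaks_pin": pin in weak.read_text(),
            "hashed_file_leaks_pin": pin in strong.read_text(),
            "verify_correct": verify_pin(record, pin),
            "verify_wrong": verify_pin(record, "000000"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Hashing only covers secrets the app merely needs to check. Credentials that must be sent onwards in the clear (an online service password, a card number) cannot be hashed; they need encryption with a key that never touches the same file system, which on a phone means the platform keystore rather than anything a pure-Python snippet can show.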
Slide 26
Unsafe sensitive data transmission
• Mobile devices are especially susceptible because they rely exclusively on wireless communications, often public WiFi
• Even if the app uses SSL, it can still fall victim to a downgrade attack if it allows HTTPS to be degraded to HTTP
• SSL can also be compromised if the app does not fail on invalid certificates, enabling a man-in-the-middle attack
Content courtesy of Jason Steer at Veracode
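Both transmission failures above, as an added example that is not from the original deck or from Veracode: a minimal redirect-following client run against a canned response table (standing in for a hostile network that answers an HTTPS request with a redirect to plain HTTP), with the downgrade refused by default, plus an audit of the two SSLContext settings whose disabling turns off certificate and hostname checking. The host bank.example, the canned responses and the helper names are constructed for the demonstration.

```python
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed response table: (status code, Location header) per URL.
# The first entry models a captive portal or MITM proxy that "helpfully"
# redirects the app's HTTPS login request to an HTTP copy of the page.
Response = Tuple[int, Optional[str]]
CANNED_RESPONSES: Dict[str, Response] = {
    "https://bank.example/login": (302, "http://bank.example/login"),
    "http://bank.example/login": (200, None),
    "https://bank.example/app": (302, "/app/v2"),       # benign relative redirect
    "https://bank.example/app/v2": (200, None),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


class DowngradeError(Exception):
    """Raised when a redirect would move the session from HTTPS to HTTP."""


def follow_redirects(start: str, responses: Dict[str, Response],
                     allow_downgrade: bool = False, max_hops: int = 5) -> str:
    """Follow redirects in the canned table; refuse HTTPS->HTTP unless told otherwise."""
    url = start
    for _ in range(max_hops):
        status, location = responses[url]
        if status not in REDIRECT_CODES or location is None:
            return url
        nxt = urljoin(url, location)        # resolves relative Location headers too
        if urlparse(url).scheme == "https" and urlparse(nxt).scheme != "https":
            if not allow_downgrade:
                raise DowngradeError(f"refusing redirect {url} -> {nxt}")
        url = nxt
    raise RuntimeError("too many redirects")


def downgrade_blocked(start: str, responses: Dict[str, Response]) -> bool:
    """True if the strict client refuses the chain starting at `start`."""
    try:
        follow_redirects(start, responses)
    except DowngradeError:
        return True
    return False


def context_weaknesses(ctx: ssl.SSLContext) -> List[str]:
    """Audit an SSLContext for the settings that switch off MITM protection."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode=CERT_NONE: any certificate, including a forged one, is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname=False: a valid certificate for another host is accepted")
    return problems


def strict_client_context() -> ssl.SSLContext:
    """create_default_context() already requires a trusted cert and a hostname match."""
    return ssl.create_default_context()


def lenient_client_context() -> ssl.SSLContext:
    """The anti-pattern: silence certificate errors by disabling the checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("benign chain ends at:", follow_redirects("https://bank.example/app", CANNED_RESPONSES))
    print("downgrade blocked:", downgrade_blocked("https://bank.example/login", CANNED_RESPONSES))
    print("lenient client lands on:",
          follow_redirects("https://bank.example/login", CANNED_RESPONSES, allow_downgrade=True))
    print("strict context issues:", context_weaknesses(strict_client_context()))
    print("lenient context issues:", context_weaknesses(lenient_client_context()))
```

The audit function is the useful part for a reviewer: grepping an app for `CERT_NONE`, `check_hostname = False` or their equivalents in the platform's TLS API (a trust manager that accepts everything, a hostname verifier that returns true) finds the second failure mode the slide describes without needing a network.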
Slide 27
Drive-by vulnerabilities
Slide 28
DroidDream
March 1, 2011: More than 50 applications were found to be infected with ‘DroidDream’ which could compromise a significant amount of personal data
May 30, 2011: 26 applications were found to be infected with Droid Dream Light (DDLight). Between 30,000 and 120,000 users were affected.
Slide 29
DroidKungFu
DroidKungFu takes advantage of two vulnerabilities to install a backdoor that gives hackers full control of your phone
Not only do they have access to all of your user data, but they can turn your phone into a bot – and basically make your smartphone do anything they want
Slide 30
Not cool enough yet?
Slide 33
Reasons to jailbreak
Slide 37
Real Android
Slide 38
iAndroid
Slide 39
Smartphone mashups
Need more information?
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Blog: fpws.blogspot.com
Twitter: peterwoodx