Manage Mobile Security Incidents Like A Boss · Manage Mobile Security Incidents Like A Boss Ismail...
Transcript of Manage Mobile Security Incidents Like A Boss · Manage Mobile Security Incidents Like A Boss Ismail...
@NTXISSA #NTXISSACSC3
Manage Mobile Security Incidents Like A Boss
Ismail Guneydas
Security Manager/Faculty
Kimberly Clark/Texas A&M
10/02/2015
@NTXISSA #NTXISSACSC3
Legal Notice From My Lawyer
The opinions expressedin this presentation
represent my ownand not my employers.
2
@NTXISSA #NTXISSACSC3
Bio
•Sr. Vulnerability Manager at Kimberly Clark. •Built and manages KCC's first vulnerability management program.
•Previously I worked at Yahoo! where I built and led global e-Crime investigations and incident response teams. I received Yahoo! Hackovation and Yahoo! Excellence awards for his innovative work in successful operations against fake customer care centers.
•Adjunct faculty at the Texas A&M University and teach computer science courses.
•Completed Master of Science in Computer science and hold degrees in Mathematics and Electronics engineer. Currently working towards MBA at UT Dallas.
3
@NTXISSA #NTXISSACSC3
Agenda
•Mobile Industry In Numbers•Mobile Security In Numbers•Mobile Security vs PC Security•Mobile Vulnerability Triage
•Android•iOS
•Conclusion
4
@NTXISSA #NTXISSACSC3
Mobile Industry In Numbers
• Google store has 1.6 million applications, and Apple store has 1.5 million applications.
• There are 102 billions mobile app download worldwide and 9 billions of them are paid apps.
• This generated 26 billions U.S. dollars..
NTX ISSA Cyber Security Conference – October 2-3, 2015 5
@NTXISSA #NTXISSACSC3
Security Problems
•Companies try to have mobile presence desperately and ask their IT departments or hire third parties to create mobile applications for their products, services and web sites.
• Companies would like to get their apps out as soon as possible like they wanted to have their websites without checking their security in 90s.
6
@NTXISSA #NTXISSACSC3
Mobile Security in Numbers
•# of software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year.
7
0
50
100
150
200
250
300
2007 2008 2009 2010 2011 2012 2013 2014 2015
IOS Vulnerabilities
0
5
10
15
20
25
30
35
40
2009 2010 2011 2012 2013 2014 2015
Android Vulnerabilities
@NTXISSA #NTXISSACSC3
Mobile vs Traditional OS Vulnerability Type
8
0
50
100
150
200
250
300
350
400
iOS Vulnerabilities By Type
0
50
100
150
200
250
Windows 7 Vulnerabilities By Type
@NTXISSA #NTXISSACSC3 9
@NTXISSA #NTXISSACSC3
The Challenges For Incident Responders
•Vulnerability X works only in Android version Y and hardware is Samsung Model Z
•This could mean security teams needs to buy all those hardware.
•Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents as traditional web security incidents.
•These cause longer hours of work and potentially don’t help company to fix the issue.
10
@NTXISSA #NTXISSACSC3
Mobile vs PC Security
11
Mobile PC
DFIR
Lots of thing to figure out
Not capable tools
Well Established
Vulnerability
Management
Harder. Old vulnerabilities
require new testing
mechanism. Management
of devices
Distributed
No custom image
Good tools for testing
vulnerabilities. Good
patch management tools,
process, methodologies
Network Intrusion Harder LTE 4G 3G Established
e-Crime Apps store lots of
sensitive info including
birth date, banking credentials etc… CC is also stored
Similar to mobile
Physical Security Easy to steal Established
@NTXISSA #NTXISSACSC3
Mobile Vulnerability Triage
•Listening traffic•Web vulnerabilities, networking vulnerabilities
•SSL Vulnerabilities•SSL Validation•Hostname Mismatch
12
@NTXISSA #NTXISSACSC3
Mobile Vulnerability Triage
Android
•Potential Solutions1)Cloud Solutions
-Testroid-For pentest of apk files
2)VM
-Not flexible-Networking issue to dump traffic (need to use VPN
otherwise no bridge mode for some corporate network )
13
@NTXISSA #NTXISSACSC3
Mobile Vulnerability Triage
3)Android SDK
•No need to install image/api/device images•Very flexible•Full emulator which actually runs on real firmware image. Other than hardware vulnerability we can find reproduce any vulnerability in our code
14
@NTXISSA #NTXISSACSC3
Creating Emulator and Virtual Devices
• AVD Manager
• The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.
• You can launch the AVD Manager in one of the following ways:• In Eclipse: select Window > Android Virtual Device Manager, or click the AVD
Manager icon in the toolbar.• In Android Studio: select Tools > Android > AVD Manager, or click the AVD
Manager icon in the toolbar.• In other IDEs: Navigate to your SDK's tools/ directory and execute android avd.
• Emulator
The Android SDK includes a mobile device emulator — a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device.
15
@NTXISSA #NTXISSACSC3
Creating VD
16
@NTXISSA #NTXISSACSC3
VD List
17
@NTXISSA #NTXISSACSC3
Emulator
18
@NTXISSA #NTXISSACSC3
Networking Scheme
19
10.0.2.1 Router/gateway address
10.0.2.2Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine)
10.0.2.3 First DNS server
10.0.2.4 / 10.0.2.5 / 10.0.2.6 Optional second, third and fourth DNS server (if any)
10.0.2.15The emulated device's own network/ethernet interface
127.0.0.1 The emulated device's own loopback interface
@NTXISSA #NTXISSACSC3
Sniffing Traffic
• Sniff Traffic1st way:
• $emulator -tcpdump pcapFile.pcap -avd myAvd
• Hints: There are other commands related with emulator: http://developer.android.com/tools/devices/emulator.html
2nd way:
• $telnet localhost portnumber• $network capture start pcapFile.pcap• $network capture stop
• Hints: There are other commands related telnet:• http://developer.android.com/tools/devices/emulator.html
20
@NTXISSA #NTXISSACSC3
Sniffing Traffic iOS Devices
• Connect iOS device into your Mac.• Find out iOS device’s UDID:
•Open iTunes•Find your device and find serial number•Click it, then you will see your UDID
• Go to your terminal and type ifconfig -l
• Type rvictl –s UDID to start device• rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
• Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94• [SUCCEEDED]• Type ifconfig –l You will see new interface i.e. rvi0• Go to wireshark or do tcpdump to dump the traffic• sudo tcpdump –i rvi0 –w dump.dump
21
@NTXISSA #NTXISSACSC3
Validating SSL Vulnerabilities
•Download burpsuite and configure like this:•Click proxy tab and then click intercept tab. Make sure intercept is off.
•Go to options tab (still under proxy tab). Under proxy listener add your network device (by default it is only listening on localhost)
22
@NTXISSA #NTXISSACSC3
Malicious Certificate
• By default burpsuite is act man in the middle for https connections. That means it sends its own cert to your mobile device and have deal with original https site by itself. Look below:
•• Iphone-Encrypted with BurpsuiteCA---BurpSuite-EncryptedWithBankingSiteCA---BankingSite
• This means your app should recognize this is not a valid cert for the site it originally request i.e. banking site and drop the connection. At a minimum, you should receive a warning from the app, but ideally you see no traffic as well. Many apps will just fail silently or complain of connection issues, which isn't ideal, but not "insecure" per se
• If you see any traffic in Burp suite that means your app has a validation problem.
23
@NTXISSA #NTXISSACSC3
Second vulnerability: HostNameMismatch
• Is the certificate's hostname verified by your application?•For this you will need to acquire a valid certificate, from a CA that is trusted by your device. Comodo is a good source for a free 90 days certificate.
•Install the valid certificate in your BurpProxy and configure it to offer this cert, rather than the default
• You can confirm step two is working, by going in to your native browser on the device and trying to go to a HTTPS site. You should receive a certificate hostname warning and when you view the certificate details, you should see that the cert you received is the one you installed in BurpSuite, not the one issued by the PortSwigger CA.
24
@NTXISSA #NTXISSACSC3
Mobile Device Configuration
25
@NTXISSA #NTXISSACSC3
Burp Suite Configuration
26
@NTXISSA #NTXISSACSC3
Conclusion
•Mobile industry is a fast growing 26 billion dollars industry. •Companies are rushing their mobile solutions without proper security reviews
•This makes mobile apps attractive to hackers•Most of the time incident responders don’t have good process around triaging the vulnerabilities and know the difference between PC and Mobile vulnerabilities
•By using free tools an incident responder can triage mobile vulnerabilities
•We need to think creative!
27
@NTXISSA #NTXISSACSC3
Questions
• [email protected]• Linkedin: linkedin.com/in/guneydas• Twitter:realinfosec
28
@NTXISSA #NTXISSACSC3@NTXISSA #NTXISSACSC3
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 2-3, 2015 29
Thank you