The Consumerisation of Corporate IT - An Ethical Hacker’s View

Peter Wood, Chief Executive Officer, First•Base Technologies LLP

Transcript of The Consumerisation of Corporate IT (40 slides)

Page 1: The Consumerisation of Corporate IT

The Consumerisation of Corporate IT

Peter Wood, Chief Executive Officer

First•Base Technologies LLP

An Ethical Hacker’s View

Page 2: The Consumerisation of Corporate IT

Slide 2 © First Base Technologies 2011

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Chair of Advisory Board at CSA UK & Ireland
Vice Chair of BCS Information Risk Management and Audit Group
Vice President UK/EU Global Institute for Cyber Security + Research
Member of ISACA Security Advisory Group
Corporate Executive Programme Expert
Knowthenet.org.uk Expert
IISP Interviewer

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa

Page 3: The Consumerisation of Corporate IT

Agenda

1. Context, motivation, responses

2. Why is consumerisation an issue?

3. Not cool enough yet?

Note: this presentation offers no solutions … I break things, I don’t usually fix them

Page 4: The Consumerisation of Corporate IT

Consumerisation?

Page 5: The Consumerisation of Corporate IT

Consumer vs Corporate

Page 6: The Consumerisation of Corporate IT

I’ve seen this battle before …

Page 7: The Consumerisation of Corporate IT

MIT predicts …

Page 8: The Consumerisation of Corporate IT

Booz & Co. report

Employees expect to be able to use all the innovative new devices at their disposal, both to do their jobs and to maintain their always-connected lifestyles, while being able to work whenever and wherever they need to.

Page 9: The Consumerisation of Corporate IT

Corporate vs. Consumer

Page 10: The Consumerisation of Corporate IT

Consumer vs. Corporate

Page 11: The Consumerisation of Corporate IT

Booz & Co. report

… the efforts of corporate IT departments to maintain perimeter security by exerting tight control over their networks is ultimately doomed to failure.

Page 12: The Consumerisation of Corporate IT

BYOC/D/T/…

When Henry Ford introduced the Model T in 1908, the speed limit in most places - provided you were outside city limits - was just 20 miles per hour (in town, it was usually just 10 mph). That restriction seems hopelessly quaint today. You know what else will soon seem equally quaint? Your company's repressive approach towards employees' devices.

Gary Kovacs, senior vice president at Sybase

Page 13: The Consumerisation of Corporate IT

Bruce Schneier says …

Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.

Page 14: The Consumerisation of Corporate IT

Consumerisation models?

Page 15: The Consumerisation of Corporate IT

Who’s doing it?

Page 16: The Consumerisation of Corporate IT

So why is this an issue?

Page 17: The Consumerisation of Corporate IT

Page 18: The Consumerisation of Corporate IT

Mobile risks at every layer

• NETWORK: Interception of data over the air
- WiFi has the same problems as laptops
- GSM has some cracks (Chris Paget, DEFCON 2010)

• HARDWARE: Baseband layer attacks
- Memory corruption defects in firmware used to root your device (Ralf-Philipp Weinmann, Black Hat DC 2011)

• OS: Defects in kernel or vendor supplied system code
- Every time an iPhone or Android device is rooted or jailbroken, this is usually the cause

• APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors
- Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual

Content courtesy of Jason Steer at Veracode

Page 19: The Consumerisation of Corporate IT

Activity monitoring and data retrieval

Mobile data that attackers can monitor and intercept:

• Messaging (SMS and Email)
• Audio (calls and open microphone recording)
• Video (still and full-motion)
• Location
• Contact list
• Call history
• Browsing history
• Input
• Data files

Content courtesy of Jason Steer at Veracode

Page 20: The Consumerisation of Corporate IT

Activity monitoring and data retrieval

Secret SMS Replicator for Android http://www.switched.com/2010/10/28/sms-replicator-forwards-texts-banned-android/

RBackupPRO for Symbian http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/

Content courtesy of Jason Steer at Veracode

Page 21: The Consumerisation of Corporate IT

Unauthorized dialing, SMS, and payments

• Directly monetize a compromised device

• Premium rate phone calls, premium rate SMS texts, mobile payments

• SMS text message as a spreading vector for worms

Premium rate SMS: Trojan-SMS.AndroidOS.FakePlayer.a

Premium rate phone call: Windows Mobile Troj/Terdial-A

Content courtesy of Jason Steer at Veracode

Page 22: The Consumerisation of Corporate IT

Unauthorized network connectivity (exfiltration or command & control)

• Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker

• Communication channels for exfiltration and command and control:
- Email
- SMS
- HTTP get/post
- TCP socket
- UDP socket
- DNS exfiltration
- Bluetooth
- Blackberry Messenger
- Endless list …

Content courtesy of Jason Steer at Veracode

Page 23: The Consumerisation of Corporate IT

UI impersonation

• Similar to phishing attacks that impersonate the website of a victim’s bank or online service

• Web view applications on the mobile device can proxy to the legitimate website

• Malicious app creates a UI that impersonates the phone’s native UI or the UI of a legitimate application

• Victim is asked to authenticate and ends up sending their credentials to an attacker

Proxy/MITM: 09Droid banking apps (fake banking apps for Android)

Content courtesy of Jason Steer at Veracode

Page 24: The Consumerisation of Corporate IT

Sensitive data leakage

Content courtesy of Jason Steer at Veracode

Page 25: The Consumerisation of Corporate IT

Unsafe sensitive data storage

• Mobile apps often store sensitive data such as banking and payment system PINs, credit card numbers, or online service passwords

• Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it from the file system

- Citibank insecure storage of sensitive data
- Wells Fargo Mobile app 1.1 for Android

Content courtesy of Jason Steer at Veracode

Page 26: The Consumerisation of Corporate IT

Unsafe sensitive data transmission

• Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi

• If the app implements SSL it could still fall victim to a downgrade attack if it allows degrading HTTPS to HTTP

• SSL could also be compromised if the app does not fail on invalid certificates, enabling a man-in-the-middle attack

Content courtesy of Jason Steer at Veracode
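As an added illustration of the two transmission failure modes on this slide (a client that does not fail on invalid certificates, and HTTPS being allowed to degrade to HTTP), not code from the presentation or from Veracode: a Python standard-library TLS client context that fails closed, the anti-pattern it replaces shown for contrast, and the redirect policy a client should apply before following a 3xx. The hostnames are constructed placeholders and nothing is contacted.

```python
import ssl
from urllib.parse import urljoin, urlparse


def hardened_tls_context() -> ssl.SSLContext:
    """Client context that fails closed when the server certificate is invalid.

    create_default_context() loads the platform trust store, requires a
    certificate (CERT_REQUIRED) and checks the hostname, so a client built on
    it aborts on a self-signed or mismatched certificate instead of silently
    talking to a man-in-the-middle.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # also refuse legacy SSL/TLS versions
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The 'does not fail on invalid certificates' anti-pattern, for contrast.

    check_hostname must be cleared before verify_mode can become CERT_NONE;
    with both off, any certificate (including an interceptor's) is accepted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_fails_closed(ctx: ssl.SSLContext) -> bool:
    """True if the context will reject an invalid or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def redirect_allowed(current_url: str, location: str) -> bool:
    """Policy for a 3xx Location header before it is followed.

    Relative Locations are resolved against the current URL first. A step from
    https:// to http:// is the HTTPS-to-HTTP degradation the slide describes
    and is refused; any scheme other than http(s) is refused as well.
    """
    target = urlparse(urljoin(current_url, location))
    if urlparse(current_url).scheme == "https" and target.scheme != "https":
        return False
    return target.scheme in ("http", "https")


if __name__ == "__main__":  # constructed placeholder hostnames; nothing is contacted
    print(context_fails_closed(hardened_tls_context()), context_fails_closed(weak_tls_context()))
    print(redirect_allowed("https://bank.example/login", "http://bank.example/login"))
```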

Page 27: The Consumerisation of Corporate IT

Drive-by vulnerabilities

Page 28: The Consumerisation of Corporate IT

DroidDream

March 1, 2011: More than 50 applications were found to be infected with ‘DroidDream’, which could compromise a significant amount of personal data

May 30, 2011: 26 applications were found to be infected with Droid Dream Light (DDLight). Between 30,000 and 120,000 users were affected.

Page 29: The Consumerisation of Corporate IT

DroidKungFu

DroidKungFu takes advantage of two vulnerabilities to install a backdoor that gives hackers full control of your phone

Not only do they have access to all of your user data, but they can turn your phone into a bot – and basically make your smartphone do anything they want

Page 30: The Consumerisation of Corporate IT

Not cool enough yet?

Page 31: The Consumerisation of Corporate IT

Page 32: The Consumerisation of Corporate IT

Page 33: The Consumerisation of Corporate IT

Reasons to jailbreak

Page 34: The Consumerisation of Corporate IT

Page 35: The Consumerisation of Corporate IT

Page 36: The Consumerisation of Corporate IT

Page 37: The Consumerisation of Corporate IT

Real Android

Page 38: The Consumerisation of Corporate IT

iAndroid

Page 39: The Consumerisation of Corporate IT

Smartphone mashups

Page 40: The Consumerisation of Corporate IT

Peter Wood, Chief Executive Officer

First•Base Technologies LLP

[email protected]

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com

Blog: fpws.blogspot.com
Twitter: peterwoodx

Need more information?