http://es-es.net/
Portable Device Hacking Made Easy
MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+
erstaats@es-es.net http://es-es.net
Enterpersonal Impact
• Blurring of professional/work and private life
• One device that serves both needs
• How do you address the multitude of devices?
• iPhone, Androids, Blackberry, Windows, etc.
• Now multiple tablets
• Netbook/Ultrabooks
• Cloud Security implications
• What are consumers' expectations of network speed and access?
MiniPwner & Ipad software • Listed in Lab manual starting on Page 11 • MiniPwner Here is a list of some of the software that comes installed: • Nmap network scanner • Tcpdump sniffer • Netcat Hacker’s swiss army knife • aircrack Wireless network analysis • kismet Wireless network analysis • perl Perl Scripting Language • openvpn VPN Client and Server • dsniff suite of sniffing and spoofing tools, including arpspoof • nbtscan NetBIOS Network Scanner • snort Sniffer, Packet Logger, Intrusion Detection System • samba2-client Windows File Sharing Client • elinks Text Based Web Browser • yafc FTP Client • openssh-sftp-client Secure File Transfer Client
Pwn Plug • Fully loaded. Wireless, 3G/GSM, & NAC/802.1x bypass! • Includes 3G, Wireless, & USB-Ethernet adapters • Fully-automated NAC/802.1x/RADIUS bypass! • Out-of-band SSH access over 3G/GSM cell networks! • One-click Evil AP, stealth mode, & passive recon • Maintains persistent, covert, encrypted SSH access to your target network • Tunnels through application-aware firewalls & IPS • Supports HTTP proxies, SSH-VPN, & OpenVPN
The Compromise • Important things to keep in mind: • Total security = fiction • Most exploits are internal • Most exploits do not involve decrypting data • Humans are the weakest link: • State of Utah 25 Min Default PWD
Hacking is so easy a chimp can do it
• Software demonstrated -- use entirely at your own risk and get permission first
• Ernest or Eric are not responsible for any subsequent loss or damage whatsoever!
• This knowledge is intended to be used responsibly so we can provide environments that are secure, safe and accessible
Understand RISK!
• Analyze risk: risk = (cost of an exploit) * (likelihood it will occur)
• Mobile devices make this inexpensive and very possible
• (BeetleJuice) inside of “Flame”
• Demos: Bypass DLP (Safepod), ANTI, FaceNif, WIFI Kill
Security Challenges • Inherent trust. “It’s MY PHONE.” • Portability is a benefit and a risk • Controls if lost • Lock/Erase? Implications of erasing personal data • PIN security – secure or easy to do 1 handed • What is resident in memory? • Malware – whole new breed of malware and products • Malicious apps • Increasing • How do you write secure apps? • Social engineering providers – value of OOB communication • Where did my app come from? What is a trusted source?
What Your Mobile Phone Knows
• Text messages, even deleted ones
• Words in your personal dictionary
• Facebook contacts
• Tens of thousands of location pings
• Every website ever visited
• What locations you have mapped
• Emails going back a month
• Your photos with geolocation data attached, even if deleted
• How many times you have checked your email
• Any application ever installed on your device
http://www.theatlantic.com/technology/archive/2011/04/what-does-your-phone-know-about-you-more-than-you-think/237786/
Cell / Mobile Issues
• Rogue apps
• Live malware found
• How will you update? Over the air or tethered
• What about Bring Your Own Device?
• Geo tracking
• Metadata collection
• Jailbreakme.com
• Publish standards of what you will or will not support
• Poorly coded apps that limit password length and complexity, and allow paste
• Running Wireshark from a mobile device
Embed Evil Java Apps
• A pop-up asks if they want to open the Java application
• They will, users tend to be very curious
• The payload can be: Shell, Rootkit, VNC
• Automatically run enumeration scripts when the victim runs the application
• Check PDFs: http://blog.zeltser.com/post/5567384219/online-tools-for-malicious-pdf-analysis
Mobile Device Management (MDM)
• Secures mobile devices beyond just email (i.e. ActiveSync)
• Application delivery system
• Provision and configure new devices
• Asset tracking/finding or deleting
• A good list of MDM solutions and what they offer: http://www.enterpriseios.com/wiki/Comparison_MDM_Providers
Bottom line • Educate users • Don’t divulge personal information • Only friend “real” friends • Stay away from the games and surveys • If it is too good to be true, it probably is • Use common sense…..! • iOS/Android security is immature • Device security measures can be evaded. • Wall off apps that are unacceptable to your organization • Use software to help secure devices
High-level Recommendations (cont.) • Enforce strong security on mobile devices to the extent supported by the platform • Reduce the amount of data stored on mobile devices • Implement clear and strong terms of acceptable use and legal protections
Device Security Audit … Can Find: • Security misconfigurations • Lack of control implementation by device OS • Data leakage into backups(local and cloud) • Ability to modify controls on-device • Breakable encryption
Remote wipe • Remote wipe can be an effective method for preventing data being compromised • Removable media (SD cards) are normally not erased by remote wipe routines • Remote wipe cannot be actualized unless the device has a data connection over Wi-Fi, cellular or satellite signal • Companies should implement an effective remote wipe policy
Leading providers • Leaders in the MDM solutions field include: • AirWatch • MobileIron • Good Technology • Sybase Afaria • Zenprise • Research has shown that many MDM security controls can be evaded, and proper configuration of devices is important, so post-implementation testing is a must.
Where to start -- Mobile/BYOD
• Device consistency -- It is usually
• Have a stated mobile device policy
• Make sure that users know mobile device policies
• Take security seriously -- (Anti)
• Decide whether to allow personal devices
• Plan to deal with lost devices and breakage issues
• Measure the impact of mobile devices on your network (bandwidth and network resources)
• Make sure that the IT staff is trained for mobile device support
Examples of file types that contain metadata
• MAC addresses, user names, edits, GPS info. It all depends on the file format.
• JPG: EXIF (Exchangeable image file format), IPTC (International Press Telecommunications Council)
• PDF, DOC, DOCX, EXE, XLS, XLSX, PNG
• Too many to name them all.
What Information is in MetaData?
• Internal servers: NetBIOS name, domain name, IP address
• Database structures: table names, column names
• Device hardware info: photo cameras
• Private info: personal data, history of use
• Software versions
• User names: creators, modifiers, users in paths
• Operating systems
• Printers: local and remote
• Paths: local and remote
• Network info: shared printers, shared folders, ACLs
Metadata Tools
• FOCA http://www.informatica64.com/DownloadFOCA/
• Metagoofil http://www.edge-security.com/metagoofil.php Will extract a list of disclosed PATHs in the metadata; with this information you can guess OS, network names, shared resources, etc. Also extracts MAC addresses from Microsoft Office documents.
• EXIF Tool http://www.sno.phy.queensu.ca/~phil/exiftool/
• EXIF Viewer Plugin https://addons.mozilla.org/en-US/firefox/addon/3905
• Jeffrey's Exif Viewer http://regex.info/exif.cgi
Meta Data Images Lab
• Go to Metadata Tools, then go to Jeffrey's Exif Viewer http://regex.info/exif.cgi
• Photo 1: photo.JPG
• Where was the photo taken? What was used to take the photo?
• Photo 2: _MG_5982_ES.jpg
• What is the gender of the person you cannot see?
• Use your own photo
• Adam Savage, of “MythBusters.” Read the full story here: http://nyti.ms/917hRh
Issues in BYOD and Mobile environments
• Does your AUP include mobile devices?
• Wireless capacity vs. coverage
• Where to start when securing mobile devices
• Who is responsible for device security: the student, parent, or school?
• What security do mobile devices need?
• What are the policy issues to be considered?
• How can safe and protected internet access be ensured?
• How can network loads be predicted, and what can be done to control the network demand/load?
• What security tools are available for smart phones, tablet devices and so on?
• What can be or should be installed on student-owned devices?
• What are other risks to be considered?
Acceptable Use Policy
https://schoolweb.dysart.org/EdTech/Content.aspx?conID=479
• When using a mobile device to access the Internet, users are required to connect using the Public network
• Set standards of security: PIN or password to access device
• Mobile devices can only be used for specified purposes
• Any activity conducted on mobile devices cannot be published without permission of ….. who are involved in the text/image/video/audio file
• Staff will use appropriate mobile device etiquette by respecting the privacy of others' device numbers and using appropriate language with their mobile communication.
WIFI Coverage vs. Capacity
• Coverage does not guarantee access, especially with mobile devices
• Drop your radio strength & add more APs
• Directional vs. omni antennas
Client Type | # of Clients per AP | Examples
Data | 20-30 | Laptops, tablet PCs, Mobile
Voice | 10-15 | Wireless VoIP Phones, Badges
Hacking for the Masses
• Anti app -- Finds open networks and shows all potential target devices. The app offers up a simple menu with commands like "Man-In-The-Middle" to eavesdrop on local devices, or even "Attack". http://www.zimperium.com/anti.html
• Put mobile devices on a separate VLAN with strict policies in place (ACLs)
Best Practices
• Enforce strong passwords
• Perform a remote wipe
• Perform an audit of security configurations and policies
• Encrypt local storage
• Enforce the use of virtual private network (VPN)
• Enforce wireless security policies for all mobile devices
• Backup and recovery of confidential data stored on mobile devices
• Centralized configuration and software upgrades
WIFI Best Practices
• Use a WIDS solution to monitor for rogues in both the 2.4 GHz and 5 GHz
• Periodically monitor for rogue APs using a handheld monitor
• Use auditing techniques on the wired network to discover intruders on the wireless
• Train employees not to connect to any ad hoc WLANs
WIFI BP II
• Use 802.1X with EAP to provide mutual authentication of users and servers
• Use one of the following EAP types: TLS, TTLS, PEAP or FAST. Note that EAP-TLS requires certificates on both sides
• If 802.1X is not deployed for the wired network, use IPsec or SSL (if supported)
• Authenticate guests through a captive portal webpage and monitor
Network BP
• Modify the default SSID
• Use a central WLAN system instead of autonomous APs
• Use strong passwords & change passwords periodically
• Disable wireless-side management
• Monitor vendor software updates and promptly apply patches
• Use SNMP v3, Secure Shell (SSH), and SSL
• Restrict wired-side AP/controller access to certain IP addresses, subnets and/or VLANs
Tablet BP
• Device lock: enable native device authentication (PIN, password, pattern)
• Anti-theft measures: Many tablets support remote lock or data wipe … use of tablet "find me" services can also raise privacy concerns.
• Over-the-air encryption: All tablets can secure Web and email with SSL/TLS, Wi-Fi with WPA2, and corporate data with mobile VPN clients.
• Stored data protection: Hardware and mobile OS support for stored data encryption varies.
Tablet BP II
• Mobile application controls: Many downloaded apps require access to sensitive data and features; understand what apps have control to what data (Block iTunes on VPN)
• Anti-malware: Tablets are not shipped with on-board anti-virus, anti-spam, intrusion detection, or firewall apps.
• Device management: For visibility, policy configuration, app provisioning, schools can centrally manage tablets, no matter who owns them.
BP for Owned Devices
• Enforce strong passwords for mobile device & network access
• Automatically lock out access after 4+ incorrect passwords
• Perform remote wipe when lost, stolen, sold, or sent for repair
• Perform a periodic audit
• Ensure that settings have not been modified
• Encrypt local storage, including all memory cards
• Enforce the use of VPN
• Enforce the same wireless security policies for all devices
• Perform regular backup and recovery of confidential data
• Perform centralized configuration and software upgrades "over the air"
Mobile security management
• User authentication
• Password policy enforcement
• Remote device wipe
• White/black lists
• Secure communication
Mobile software distribution
• Software packages
• Package distribution
• Mobile optimizations
• Change control
Decisions • Issued device (simplicity, consistency & cost) vs. What Do Users Want • Multiple device protection costs more • What is needed for work? • Impact of Innovation and Agility on what “need” • Look at what OS’s need to support (OSX, Android, RIM, Windows Mobile, Symbian, WebOS) • Asset Management issues • Tracking • Assuring consistency of controls • Policy – issue X. If you want to use something else then these rules apply…
Other Considerations • Enrollment Experience • User self-enrollment – ease of use is critical. • Password/PIN policy decisions • Push capabilities turned on • Location services always on – battery impact • Jailbreak enforcement • Application blacklisting? • Encryption requirements
Labs • 1 Email Privacy Tester https://emailprivacytester.com/ • 2 Pwned https://pwnedlist.com/ • 3 Bluestacks Click on ANTI • 4 LANSearch Pro • 5 SoftPerfect Network Scanner • 6 Wireless Key • 5. Other Nir Soft Utilities