Manage Mobile Security Incidents Like A Boss

Transcription

1 Manage Mobile Security Incidents Like A Boss Ismail Guneydas Security Manager/Faculty Kimberly Clark/Texas A&M 10/02/2015

2 Legal Notice From My Lawyer The opinions expressed in this presentation represent my own and not my employers. 2

3 Bio Sr. Vulnerability Manager at Kimberly Clark. Built and manages KCC's first vulnerability management program. Previously I worked at Yahoo! where I built and led global e- Crime investigations and incident response teams. I received Yahoo! Hackovation and Yahoo! Excellence awards for his innovative work in successful operations against fake customer care centers. Adjunct faculty at the Texas A&M University and teach computer science courses. Completed Master of Science in Computer science and hold degrees in Mathematics and Electronics engineer. Currently working towards MBA at UT Dallas. 3

4 Agenda Mobile Industry In Numbers Mobile Security In Numbers Mobile Security vs PC Security Mobile Vulnerability Triage Android ios Conclusion 4

5 Mobile Industry In Numbers Google store has 1.6 million applications, and Apple store has 1.5 million applications. There are 102 billions mobile app download worldwide and 9 billions of them are paid apps. This generated 26 billions U.S. dollars.. NTX ISSA Cyber Security Conference October 2-3,

6 Security Problems Companies try to have mobile presence desperately and ask their IT departments or hire third parties to create mobile applications for their products, services and web sites. Companies would like to get their apps out as soon as possible like they wanted to have their websites without checking their security in 90s. 6

7 Mobile Security in Numbers 300 # of software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year. IOS Vulnerabilities 40 Android Vulnerabilities

8 Mobile vs Traditional OS Vulnerability Type ios Vulnerabilities By Type Windows 7 Vulnerabilities By Type

9 9

10 The Challenges For Incident Responders Vulnerability X works only in Android version Y and hardware is Samsung Model Z This could mean security teams needs to buy all those hardware. Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents as traditional web security incidents. These cause longer hours of work and potentially don t help company to fix the issue. 10

11 Mobile vs PC Security DFIR Vulnerability Management Mobile Lots of thing to figure out Not capable tools Harder. Old vulnerabilities require new testing mechanism. Management of devices Distributed No custom image PC Well Established Good tools for testing vulnerabilities. Good patch management tools, process, methodologies Network Intrusion Harder LTE 4G 3G Established e-crime Apps store lots of Similar to mobile sensitive info including birth date, banking credentials etc CC is also stored Physical Security Easy to steal Established 11

12 Mobile Vulnerability Triage Listening traffic Web vulnerabilities, networking vulnerabilities SSL Vulnerabilities SSL Validation Hostname Mismatch 12

13 Mobile Vulnerability Triage Android Potential Solutions 1)Cloud Solutions -Testroid -For pentest of apk files 2)VM -Not flexible -Networking issue to dump traffic (need to use VPN otherwise no bridge mode for some corporate network ) 13

14 Mobile Vulnerability Triage 3)Android SDK No need to install image/api/device images Very flexible Full emulator which actually runs on real firmware image. Other than hardware vulnerability we can find reproduce any vulnerability in our code 14

15 Creating Emulator and Virtual AVD Manager Devices The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator. You can launch the AVD Manager in one of the following ways: In Eclipse: select Window > Android Virtual Device Manager, or click the AVD Manager icon in the toolbar. In Android Studio: select Tools > Android > AVD Manager, or click the AVD Manager icon in the toolbar. In other IDEs: Navigate to your SDK's tools/ directory and execute android avd. Emulator The Android SDK includes a mobile device emulator a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device. 15

16 Creating VD 16

17 VD List 17

18 Emulator 18

19 Networking Scheme Router/gateway address First DNS server Special alias to your host loopback interface (i.e., on your development machine) / / Optional second, third and fourth DNS server (if any) The emulated device's own network/ethernet interface The emulated device's own loopback interface 19

20 Sniffing Traffic Sniff Traffic 1st way: $emulator -tcpdump pcapfile.pcap -avd myavd Hints: There are other commands related with emulator: 2nd way: $telnet localhost portnumber $network capture start pcapfile.pcap $network capture stop Hints: There are other commands related telnet: 20

21 Sniffing Traffic ios Devices Connect ios device into your Mac. Find out ios device s UDID: Open itunes Find your device and find serial number Click it, then you will see your UDID Go to your terminal and type ifconfig -l Type rvictl s UDID to start device rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94 Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94 [SUCCEEDED] Type ifconfig l You will see new interface i.e. rvi0 Go to wireshark or do tcpdump to dump the traffic sudo tcpdump i rvi0 w dump.dump 21

22 Validating SSL Vulnerabilities Download burpsuite and configure like this: Click proxy tab and then click intercept tab. Make sure intercept is off. Go to options tab (still under proxy tab). Under proxy listener add your network device (by default it is only listening on localhost) 22

23 Malicious Certificate By default burpsuite is act man in the middle for https connections. That means it sends its own cert to your mobile device and have deal with original https site by itself. Look below: Iphone- Encrypted with BurpsuiteCA--- BurpSuite- EncryptedWithBankingSiteCA--- BankingSite This means your app should recognize this is not a valid cert for the site it originally request i.e. banking site and drop the connection. At a minimum, you should receive a warning from the app, but ideally you see no traffic as well. Many apps will just fail silently or complain of connection issues, which isn't ideal, but not "insecure" per se If you see any traffic in Burp suite that means your app has a validation problem. 23

24 Second vulnerability: HostName Mismatch Is the certificate's hostname verified by your application? For this you will need to acquire a valid certificate, from a CA that is trusted by your device. Comodo is a good source for a free 90 days certificate. Install the valid certificate in your BurpProxy and configure it to offer this cert, rather than the default You can confirm step two is working, by going in to your native browser on the device and trying to go to a HTTPS site. You should receive a certificate hostname warning and when you view the certificate details, you should see that the cert you received is the one you installed in BurpSuite, not the one issued by the PortSwigger CA. 24

25 Mobile Device Configuration 25

26 Burp Suite Configuration 26

27 Conclusion Mobile industry is a fast growing 26 billion dollars industry. Companies are rushing their mobile solutions without proper security reviews This makes mobile apps attractive to hackers Most of the time incident responders don t have good process around triaging the vulnerabilities and know the difference between PC and Mobile vulnerabilities By using free tools an incident responder can triage mobile vulnerabilities We need to think creative! 27

28 Questions Linkedin: linkedin.com/in/guneydas Twitter:realinfosec 28

29 The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) Thank you NTX ISSA Cyber Security Conference October 2-3,