The 7 insecure habits of highly effective smartphones and tablets
2 November 2011, Infosecurity.nl seminar
Pieter Ceelen
Marc Smeets
Agenda
Intro
■ Who are we?
■ What’s the buzz?
The 7 insecure habits
Solutions
Wrap up
© 2011 KPMG Advisory N.V., a Dutch limited liability company, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
Who are we?
Pieter Ceelen
■ Loves hacking, cooking and reading books
■ Android user
Marc Smeets
■ Loves fast cars and champagne (not together)
■ Loves IT security
■ Apple user
Ethical hackers @ KPMG IT Advisory
■ Team of over 15 IT security testers
■ Combining strong technical skills with IT auditing skills
■ Translating impact of deep technical issues to management, from bit to board
What’s the buzz?
History
■ Blackberry served the corporate world
■ As of 2007, major growth in the market share of smartphones (iPhone, Android)
Recent years
■ Explosion of smartphone penetration
■ Emergence of tablets
■ Corporate and private phones get mixed: “Bring your own device”
Recent years
■ Intuitive/Usable interface
■ Internet/cloud integration
■ Affordable pricing
[Figure: share of worldwide 2011 Q2 smartphone sales to end users by operating system, according to Gartner. Image from Wikipedia, user Eraserhead1]
The 7 habits
Habit 1: I don’t know where my data is
Habit 1: I don’t know where my data is
[Diagram: devices connect over WIFI / UMTS / GPRS via the Internet to corporate Exchange services and Mobile Device Management]
Habit 1: I don’t know where my data is
[Diagram, extended: devices, corporate Exchange services and Mobile Device Management, Internet services, cloud (corporate / private), web, local network (WIFI / USB) and peripherals (USB, Bluetooth)]
Habit 2: ActiveSync doesn’t make all secure
ActiveSync:
■ “Exchange ActiveSync is a Microsoft Exchange synchronization protocol that's optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML [..] enables mobile phone users to access their e-mail, calendar, contacts, and tasks“
■ De-facto standard, widely supported by devices.
ActiveSync can perform security checks:
■ Require password
■ Length of password
■ Require encryption on device
■ Etc.
Habit 2: ActiveSync doesn’t make all secure - cont.
Two major security issues with ActiveSync
■ 1. ActiveSync checks are device local security checks
■ 2. It relies on XML over HTTP(S)
1. Security checks are device local security checks
■ ActiveSync server asks: “Do you have a screen lock?”
■ Device answers: “Yeah, sure! Now give me the latest emails.”
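The exchange on this slide as an added simulation, not code from the presentation, from Exchange or from any EAS client: the server hands out a policy, the device answers with Status 1 and a PolicyKey, and from then on the server only checks that key. A stock client that enforces the policy and a modified client that merely acknowledges it are indistinguishable server-side; the element names follow the EAS Provision schema, everything else (keys, policy values, classes) is constructed.

```python
"""Constructed model of Exchange ActiveSync provisioning; not Exchange or EAS client code.
The server learns only what the device claims (Provision Status 1 plus the echoed PolicyKey);
whether a screen lock or encryption is really enforced is decided on the device."""
import secrets

# Element names as in the EAS Provision schema; the values are a constructed policy.
POLICY = {
    "DevicePasswordEnabled": True,
    "MinDevicePasswordLength": 6,
    "RequireDeviceEncryption": True,
}


class Server:
    def __init__(self, policy):
        self.policy = policy
        self.valid_keys = set()   # PolicyKeys accepted on later commands

    def provision(self):
        """Step 1: send the policy together with a temporary PolicyKey."""
        temp_key = secrets.token_hex(4)
        return {"Status": 1, "PolicyKey": temp_key, "Policy": dict(self.policy)}

    def acknowledge(self, temp_key, device_status):
        """Step 2: the device reports Status 1 ('policy applied'); no evidence accompanies it."""
        if device_status != 1:
            return None      # the server only refuses when the client itself admits non-compliance
        final_key = secrets.token_hex(4)
        self.valid_keys.add(final_key)
        return final_key

    def sync(self, policy_key):
        """Later commands are admitted purely on the X-MS-PolicyKey value the device presents."""
        return policy_key in self.valid_keys


class Device:
    def __init__(self, enforces_policy):
        self.enforces_policy = enforces_policy   # False models a client that only acknowledges
        self.passcode_set = False
        self.encrypted = False
        self.policy_key = None

    def enroll(self, server):
        resp = server.provision()
        if self.enforces_policy:                  # a stock client applies the policy locally
            self.passcode_set = resp["Policy"]["DevicePasswordEnabled"]
            self.encrypted = resp["Policy"]["RequireDeviceEncryption"]
        # Both kinds of client send Status 1: the protocol carries no proof of enforcement.
        self.policy_key = server.acknowledge(resp["PolicyKey"], device_status=1)
        return self.policy_key


def compare_clients():
    """Contrast what the server can tell apart (nothing) with the real device state."""
    server = Server(POLICY)
    honest, rogue = Device(enforces_policy=True), Device(enforces_policy=False)
    honest.enroll(server)
    rogue.enroll(server)
    return {
        "server_accepts_honest": server.sync(honest.policy_key),
        "server_accepts_rogue": server.sync(rogue.policy_key),
        "honest_encrypted": honest.encrypted,
        "rogue_encrypted": rogue.encrypted,
    }
```

The mitigation the deck proposes later (Solution 1, MDM-style fine grained checks) amounts to giving the server evidence it can verify instead of trusting the Status 1 claim.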
Habit 2: ActiveSync doesn’t make all secure - cont.
Two major security issues with ActiveSync
■ 1. Security checks are device local security checks
■ 2. Relies on XML over HTTP(S)
2. Relies on XML over HTTP(S)
■ Man-in-the-middle attacks
– HTTP is clear text
– HTTPS allows for rogue certificates
■ Intercepted data contains:
– sync data (e.g. Email data)
– Authentication data!
Pictures removed as they contain detailed info of end user. The pictures showed:
• Details of rogue certificate shown on iPhone after SSL man-in-the-middle attack on ActiveSync session
• Details of attack with harvesting of credentials
Habit 3: Disk encryption doesn’t keep my data secure
Disk encryption is iOS only; Android has no official disk encryption yet.
iOS Disk encryption:
■ Technically it is hard disk encryption
■ But it decrypts itself without user input
■ Main reason: fast wiping via crypto-shredding
Better solution is encryption based on:
Something you know (passcode) + something you have (crypto chip) -> Data Protection
Critical flaws in iOS allow for retrieval of all data on an iOS device if stolen.
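An added toy model of the two designs this slide names, not Apple's code: a filesystem key the device can unwrap on its own at boot, versus a Data Protection key that needs the passcode and the device secret together. The UID, class labels, iteration count and XOR "wrap" are constructed stand-ins; the block also shows why destroying the wrapped keys (crypto-shredding) gives a fast wipe.

```python
"""Toy key hierarchy constructed for this slide (not Apple's implementation). It contrasts a
filesystem key the device unwraps by itself at boot with a Data Protection class key whose
unwrapping key is derived from the passcode *and* a device-bound secret (the 'crypto chip'
key, called UID here). The XOR 'wrap' is a stdlib-only stand-in for a real key-wrap cipher."""
import hashlib
import hmac
import os

UID = os.urandom(32)      # device-bound secret: only code running on this device can use it
PBKDF2_ITERS = 50_000     # constructed iteration count, not Apple's


def _wrap(kek: bytes, key: bytes) -> bytes:
    """XOR the 32-byte key with a KEK-derived stream; XOR is its own inverse, so this also unwraps."""
    stream = hashlib.sha256(kek).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


def fs_kek(uid: bytes) -> bytes:
    """'Hard disk encryption': the unwrapping key depends on the device secret only."""
    return hmac.new(uid, b"filesystem-class", hashlib.sha256).digest()


def dp_kek(uid: bytes, passcode: str) -> bytes:
    """Data Protection: something you know (passcode) entangled with something you have (UID)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, PBKDF2_ITERS)


def make_keybag(passcode: str) -> dict:
    """What lands on flash: wrapped keys only ('_plain' is kept so the demo can check itself)."""
    fs_key, dp_key = os.urandom(32), os.urandom(32)
    return {"fs_wrapped": _wrap(fs_kek(UID), fs_key),
            "dp_wrapped": _wrap(dp_kek(UID, passcode), dp_key),
            "_plain": (fs_key, dp_key)}


def unwrap_at_boot(bag: dict) -> dict:
    """Code running on the powered-on device, no passcode entered: the slide's 'decrypts itself'."""
    return {"fs": _wrap(fs_kek(UID), bag["fs_wrapped"]), "dp": None}   # DP key stays wrapped


def unwrap_after_unlock(bag: dict, passcode: str) -> dict:
    return {"fs": _wrap(fs_kek(UID), bag["fs_wrapped"]),
            "dp": _wrap(dp_kek(UID, passcode), bag["dp_wrapped"])}


def crypto_shred(bag: dict) -> dict:
    """Fast wipe: destroy the wrapped keys; everything encrypted under them becomes unreadable."""
    return {k: (b"\x00" * 32 if k.endswith("_wrapped") else v) for k, v in bag.items()}


def demo(passcode: str = "correct horse") -> dict:
    bag = make_keybag(passcode)
    fs_key, dp_key = bag["_plain"]
    boot, unlocked = unwrap_at_boot(bag), unwrap_after_unlock(bag, passcode)
    wrong = unwrap_after_unlock(bag, "1234")
    shredded = unwrap_after_unlock(crypto_shred(bag), passcode)
    return {"fs_key_without_passcode": boot["fs"] == fs_key,
            "dp_key_without_passcode": boot["dp"] == dp_key,
            "dp_key_with_passcode": unlocked["dp"] == dp_key,
            "dp_key_with_wrong_passcode": wrong["dp"] == dp_key,
            "dp_key_after_shred": shredded["dp"] == dp_key}
```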
Habit 3: Disk encryption doesn’t keep my data secure
Pictures removed as they contain detailed info of end user. The pictures showed:
• Tooling used for gaining physical access to data of iDevice with known exploits also used for jailbreaking
• Keychain items without Data Protection cracked
• Brute force cracking of passcode on device with tooling
• Decrypted keychain items after decoding with cracked passcode
Habit 4: Theft is an issue, despite remote wipe
Remote wipe procedure:
■ 1. End user or administrator commands the device to perform a wipe
■ 2. Smartphone receives a message and performs the wipe
Implementation differences between systems
■ iOS: Push notifications from Apple’s servers
■ Android: Web or SMS messages (custom apps)
■ ActiveSync: the device receives the wipe command on its next sync attempt
What if the device never receives the wipe message?
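The question above as an added simulation, constructed for this page rather than taken from any MDM or ActiveSync implementation (the policy values are made up): the queued wipe only executes when the device syncs, so a device that stays offline never wipes, while policies enforced on the device itself (a failed-unlock limit, a check-in deadline) still fire without any message arriving.

```python
"""Constructed simulation of the wipe procedure on this slide, not MDM or ActiveSync code:
the wipe is a message, so a device that never syncs again never executes it. The two
local policies modelled here (failed-unlock limit, check-in deadline) are compensating
controls that fire on the device itself, without any message arriving."""
from typing import Optional


class Server:
    def __init__(self):
        self.queued = set()                 # devices with a wipe command waiting

    def request_wipe(self, device):         # step 1 on the slide: user/admin commands a wipe
        self.queued.add(id(device))

    def wipe_pending(self, device):
        return id(device) in self.queued


class Device:
    def __init__(self, online: bool, max_failed_unlocks: int = 10,
                 max_hours_without_checkin: Optional[int] = None):
        self.online = online
        self.max_failed_unlocks = max_failed_unlocks            # constructed policy values
        self.max_hours_without_checkin = max_hours_without_checkin
        self.failed_unlocks, self.last_checkin = 0, 0
        self.wiped, self.wipe_reason = False, None

    def sync(self, server: Server, now: int):
        """Step 2 on the slide, ActiveSync style: the command arrives only on a successful sync."""
        if self.online and not self.wiped:
            self.last_checkin = now
            if server.wipe_pending(self):
                self._wipe("remote command received on sync")

    def unlock_attempt(self, correct: bool):
        """Local policy: wipe after too many wrong passcodes, online or not."""
        if self.wiped:
            return
        self.failed_unlocks = 0 if correct else self.failed_unlocks + 1
        if self.failed_unlocks >= self.max_failed_unlocks:
            self._wipe("local policy: failed unlock limit")

    def tick(self, now: int):
        """Local policy: data expires when the device has not checked in before the deadline."""
        if (self.max_hours_without_checkin is not None and not self.wiped
                and now - self.last_checkin >= self.max_hours_without_checkin):
            self._wipe("local policy: check-in deadline passed")

    def _wipe(self, reason: str):
        self.wiped, self.wipe_reason = True, reason


def simulate(online: bool, checkin_deadline: Optional[int], hours: int = 72) -> Optional[str]:
    """Run `hours` of simulated time after a theft report; return why (if at all) the device wiped."""
    server, dev = Server(), Device(online=online, max_hours_without_checkin=checkin_deadline)
    server.request_wipe(dev)                # theft reported at hour 0
    for now in range(1, hours + 1):
        dev.sync(server, now)
        dev.tick(now)
    return dev.wipe_reason
```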
Habit 5: Jailbreaking isn’t only for hackers
Jailbreaking (iOS) = removing the ‘jail’ Apple has put in
■ Install Apps Apple did not approve
Rooting and custom roms (Android)
■ Rooting = gaining root level access to device
■ Custom rom = custom OS (faster, newer, better)
Jailbreaking and rooting can be done via running applications and via the boot loader
It is not that hard!
Habit 6: Quality assured AppStore doesn’t prevent malware and viruses
Google checks:
■ Are you a developer? Was the 25 dollar developer fee paid?
■ Are users complaining once released?
■ Afterwards: remove known rogue apps remotely from devices with the ‘kill switch’
Apple has ‘strict’ checks in AppStore
■ Some security checks on code
■ Adhere to Apple’s guidelines
■ Brand / trademark protection
Android allows installing apps from non-Google app stores with a few clicks
Habit 7: Google and Apple don’t fix security issues in time
Android
■ Security updates rely on Google, device vendor, telco and user
■ Major releases lagging by over 6 months
■ Average device less than a year of security updates
■ Some currently sold devices already 2 major releases behind
■ Distribution “over the air” or via USB cable
■ No clear statements from vendors on support
Apple
■ Security updates rely on Apple and user
■ Less diversity, more enforcement by Apple
■ Critical security issues not fixed in release updates
There are even more habits
Habits we didn’t even mention
■ Life cycle and diversity
■ App permissions
■ Legal
■ iTunes and mp3s on corporate computer
■ Privacy and geotracking
■ Publishing apps by your organisation
■ Unauthorized apps that use your branding/website
■ Technical vulnerabilities
■ Asset management processes
■ User awareness and security incident reporting without a phone
Solutions
Solution 1: Fine grained security checks
Fine grained security checks
Functionality
■ Additional security checks on device, for example:
– Jailbreak detection
– Application/malware checks
■ Data processed using regular device software
Pro
■ Native apps
Con
■ Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks
Solution 2: Virtualization
Functionality
■ Two operating systems:
– playground
– hardened environment under full control of a central management environment
Pro
■ Native apps
Con
■ Various risks not fully mitigated, e.g. remote wiping, malware, encryption risks
■ Hypervisor specific attacks
Solution 3: Secure container
Functionality
■ All data encrypted on device
■ Application includes functionality for rendering Word/Excel files, intranet
■ Encryption between app and corporate network
Pro
■ Data always encrypted, prevents various security issues
Con
■ Attacks on secure container, e.g. implementation flaws
■ Attacks outside container, e.g. key loggers and screen scrapers
Solution 4: Remote desktop
Functionality
■ Render view/desktop from remote system
■ No data stored on device itself
Pro
■ No data on device
Con
■ Usability, e.g. App interface
■ Availability, e.g. working in an airplane
■ Attacks outside container, e.g. key loggers and screen scrapers
Wrap up
Enrolling mobile devices results in new risks
■ Broader than expected, e.g. legal, technology, cloud integration, backups
■ Security controls work differently on mobile devices
Technical Solutions
■ Different security architectures to reduce risks of mobile devices
■ No technical solution fixes it all, mitigate risks by people, processes and technology
How to continue
■ Perform risk assessment before implementation
■ Consult with relevant experts
■ Implement security controls for people, process and technology
■ Test effectiveness of security controls
■ Stay up-to-date with recent developments
Thank you
Presentation by:
Marc Smeets MSc. CISSP, [email protected], +31 6 513 66680
Pieter Ceelen, [email protected], +31 6 515 72696
The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International.