A Taste Of SANS SEC575 Part I: Invasion Of The Mobile Phone Snatchers

Transcription

A Taste of SANS SEC575 Part I: Invasion of the Mobile Phone Snatchers
Mobile Device Security and Ethical Hacking
Today's Focus: Mitigating the Stolen Device Threat
Joshua Wright, jwright@willhackforsushi.com
Special Webcast: A Taste of SANS Security 575, 2012

Outline
- What is SANS SEC575?
- Mobile Device Loss
- Mobile Device Backup Recovery
- Bypassing PIN Authentication
- Mitigating the Impact of Lost Devices
- Mobile Device Security

What is SEC575?
- A brand new 6-day course offering by SANS: "Mobile Device Security and Ethical Hacking"
- Combining policy, architecture, defense and penetration testing
  – Hands-on exercises throughout, culminating in an in-depth Mobile Device Security Challenge event
- Covering Apple iOS (iPhone, iPad, iTouch), Android, BlackBerry and Windows Phone
- Written by Joshua Wright, with Ed Skoudis as curriculum lead and advisor
Building the skills necessary for effective mobile device security

Mobile Device Security Philosophy
- A secure mobile device deployment requires:
  – Policy that is practical and enforced
  – Device management and architectural controls
  – In-depth application analysis
  – Network, wireless, web and mobile device penetration testing
(Slide diagram: threats numbered 1 Exploit, 2 Malware, 3 Data Leakage, shown between the device, Apple APNS and the Corp. Mgmt Server)

Sampling of Topics
- US and intl. law influence on mobile device policies
- Managing enterprise-owned, BYOD or combined deployments
- Weaknesses in the Apple permission management model
- Critical features to look for in MDM solutions
- Mobile malware threats on iOS, Android and BlackBerry
- Rooting and unlocking mobile devices
- Reverse-engineering iOS and Android applications for security analysis
- Mobile device wireless network scanning
- Defeating WPA2 security on mobile devices
- Exploiting web applications disguised as mobile apps
- Extracting data from mobile device backups (today!)


Mitigating the Stolen Device Threat
- Mobile devices will be lost or stolen
  – Employees will misplace devices
  – High-tech devices are a common theft target
- Stolen devices introduce risk to the organization
  – Information and system access threats from stored credentials
- Organizations can manage the threat through preparation, policy, and device management

Differentiating Mobile Device Loss
- Employee loses mobile device
  – Accidental exposure for the organization
  – Loss is not an IT threat until the device is retrieved by someone else
- Stolen device as an opportunistic threat
  – Access to the device and its configured resources: a curiosity investigation
- Stolen device as a targeted threat
  – When executed properly, the attacker steals the device silently to preserve the window before the loss is reported
  – Hours to days of device and system access
From a risk perspective, stolen devices as a targeted threat carry the most risk, though it is difficult to differentiate this from the simple device loss scenario.

Loss Impact
What can an attacker do with a stolen device?
- Access device resources locally
- Extract data from external storage devices
- Synchronize the device to a computer to access backup data
  – Potentially returning the device to avoid disclosure
- Jailbreak/unlock/root to access filesystem-level resources
  – Access locally-stored authentication credentials for further system exploitation
  – Backdoor the device prior to return


iOS Backup Resources
- Status.plist - Status of last backup, including date and time
- Manifest.plist - Third-party app backup information, including app version numbers
- Info.plist - iOS device information
  – ICCID (SIM serial number), IMEI, phone number
- Mddata files (hashed filenames) are backed-up application resources
  – SMS database, contacts, etc.
  – Filename is a SHA1 hash of the full file path
- For encrypted backups, file content is protected

Viewing Plist Files
XML-based configuration data, stored as ASCII text or in a proprietary packed binary form, accessible with plutil on OS X or plist Editor for Windows.
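An added Python example (not from the webcast or the SEC575 course material) that ties the two preceding slides together: it derives the hashed backup filenames for the artifacts named above and reads the device identifiers out of Info.plist with the standard plistlib module, so a defender can triage what an unencrypted backup exposes. It assumes the actual iTunes naming convention, SHA-1 over "Domain-relative/path" (the domain prefix is not stated on the slide); the Info.plist content and directory listing are constructed placeholders.

```python
"""Triage an unencrypted iOS backup: which sensitive files are present, and
which device identifiers Info.plist reveals. Added example, not course code."""
import hashlib
import plistlib

# Backup domain and device-relative path for artifacts the slide calls out.
# The domain prefix is the real backup convention (an assumption beyond the slide).
SENSITIVE_ARTIFACTS = {
    "SMS database": ("HomeDomain", "Library/SMS/sms.db"),
    "Address book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "Call history": ("WirelessDomain", "Library/CallHistory/call_history.db"),
}


def backup_filename(domain: str, rel_path: str) -> str:
    """Hashed name the backup uses for one device file: SHA-1("<domain>-<path>")."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def device_identifiers(info_plist: bytes) -> dict:
    """Pull the identifiers listed on the slide out of Info.plist (XML or binary)."""
    info = plistlib.loads(info_plist)
    keys = ("ICCID", "IMEI", "Phone Number", "Product Version")
    return {k: info.get(k) for k in keys}


def inventory(listing: set) -> dict:
    """Map each sensitive artifact to whether its hashed file exists in the listing."""
    return {label: backup_filename(dom, path) in listing
            for label, (dom, path) in SENSITIVE_ARTIFACTS.items()}


# Constructed Info.plist with placeholder identifiers (not from a real device).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ICCID</key><string>8901000000000000000</string>
  <key>IMEI</key><string>000000000000000</string>
  <key>Phone Number</key><string>+1 555 0100</string>
  <key>Product Version</key><string>5.1.1</string>
</dict></plist>"""

# Constructed directory listing: a backup that contains only the SMS database.
SAMPLE_LISTING = {backup_filename("HomeDomain", "Library/SMS/sms.db"),
                  "Info.plist", "Manifest.plist", "Status.plist"}

if __name__ == "__main__":
    print(device_identifiers(SAMPLE_INFO_PLIST))
    for label, present in inventory(SAMPLE_LISTING).items():
        print(f"{label:14s} {'PRESENT' if present else 'absent'}")
```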

SQLiteSpy
All backup data is accessible, but decoding the data takes time.

BlackBerry Backup
- Transfers configuration, local e-mail, contacts, calendar, etc. (IPD file)
  – Optionally also includes media resources (CAB file)
- Stored in %USERPROFILE%\Documents\BlackBerry\Backup

Magic Berry IPD Reader
Free database viewer; does not extract all useful content from the IPD backup file.


Device Passcodes
- To limit data loss from a lost device, vendors provide a device passcode protection option
- Users enter the device passcode each time they unlock the device
  – Limited number of failures before device wipe or exponential timer back-off
- Enforce the device password requirement and passcode complexity with MDM
- Devices require the password before backing up data

BlackBerry Device Passcode Attack
- When locked with a passcode, BlackBerry devices restrict access to the device
  – Must enter passcode to access the device
  – Must enter passcode to back up on Windows
- Device passcode can be used to protect data stored on the media card
- Attacker cannot access the device or a backup without the passcode

BlackBerry Device Passcode Recovery
- BlackBerry devices can encrypt both flash and the media card
- Device passcode is commonly used to encrypt the media card
  – Media card is transferable
  – Key is protected with the passcode
- When configured to encrypt the media card, susceptible to an offline wordlist attack

Elcomsoft Phone Password Breaker
- Reads the encrypted key in \BlackBerry\System\info.mkf
- Mounts the passcode attack offline
  – Not susceptible to wipe
- 4-digit PIN recovery in near real time
  – Can also attack longer PINs and passcodes with wordlist attack mode
- Key recovery permits a device backup to access data

iPhone Data Protection Tools
- Open-source project based on reverse engineering iOS encryption
- Modifies official iOS firmware IPSW files to create an alternate boot environment
- Python tools to mount a PIN attack against a connected device
  – iPhone up to 4S, iPad 1 and 2 supported
- Device must be susceptible to jailbreak

iPhone Data Protection Tools Setup and Attack
- Only supported on OS X; several steps for setup and configuration
- Outlined step-by-step in the project's .pdf
Tool output (modified for space):
  ./demo_bruteforce.py
  {'passcode': '1234', 693965ce15817cac11240aaaaaaaa'}
  ./keychain_tool.py -d keychain-2.db 066ca6f0c178b7e7.plist
  Keybag: SIGN check OK
  Keybag unlocked with passcode key
  Keychain version :
  ----------------------------
  Service : EnhancedVoicemail
  Account : 4015242911
  Password : 1111


Device Passcode Recommendations
- All devices must use a passcode to prevent unauthorized access and backup
- Length of passcode will be contentious within organizations
  – Should be designed to hold off an attacker long enough for remote countermeasures to be issued
  – iOS 4 character PIN: 13 minutes to recover on average
- Consider alphanumeric passcodes for added entropy
- For BlackBerry, do not rely on the device passcode alone for encryption
  – Use device passcode and device key
A device passcode alone will not thwart determined data access attempts against a lost or stolen device.

Remote Wipe Strategies
- When a device is lost, remote data wipe can be effective to limit data exposure
- For corporate devices, this is a simple calculation
- In BYOD deployments, remote wipe may not be an option acceptable to the end-user
- Container MDM controls work well here, wiping only container data
  – Can be applied much more liberally, wiping corporate data following a policy violation, etc.
It is common for end-users not to want to believe the mobile device is lost, delaying the reporting process and exposing the organization. A removed SIM card largely negates remote wipe effectiveness.

Encouraging Lost Device Reporting
- Educate users on a policy to report lost devices right away
- Promote the policy through posters and other media in the organization
- Help users recognize that the penalty for lost devices is minimized when reported quickly


Mobile Device Security
- A growing skill set requirement for small and large organizations
- Required for deployment and rollout
  – Also required for on-going application analysis, incident response, maintenance, monitoring
- Rapidly changing area of information security
  – (Many past problems are repeated)
- Great opportunity for professional career development
  – Plus, it's a lot of fun, and we get to mess around with cool toys

Essential Skill Development
- Developing policies that meet business needs and user acceptance
- Adoption of security controls to mitigate attacks and common threat scenarios
- Analysis of network activity from mobile devices and applications
- Exploitation of wireless client implementation flaws
- Manipulation of mobile device apps and supporting servers
SANS Security 575: Building the skills necessary for effective mobile device security

Resources
- SANS SCORE Mobile Device Checklist - www.sans.org/score/checklists.php
- Plist Editor for Windows - www.icopybot.com
- iPhone Data Protection Tools - code.google.com/p/iphone-dataprotection
- Elcomsoft EPPB - www.elcomsoft.com/eppb.html
- Magic Berry IPD Reader - menastep.com
- SQLiteSpy
- Up-to-date information about SEC575 - www.sec575.org

SANS Security 575: Mobile Device Security and Ethical Hacking
- SANS Conference Events
  – VA Beach 8/20 - 8/25 (Joshua Wright)
  – Las Vegas 9/17 - 9/22 (Joshua Wright)
  – Baltimore 10/15 - 10/20 (Joshua Wright)
  – London 11/26 - 12/1 (Raul Siles)
- SANS vLive and OnDemand delivery coming soon
Thank You For Attending. Questions?
