January 2014 - Latest Threats Against Mobile Devices

Report
Latest Threats Against Mobile Devices
Dave Jevans
Founder, Chairman and CTO
CyberCrime: Threats Against Mobile Devices
“User-owned computers and smart
phones are more than twice as likely to
be infected with malware”
October 2012
2
Advanced Persistent Threats
• APTs typically involve
compromises of users’ devices
or credentials
• 45% of enterprises see
increase in spear phishing
attacks targeting employees
3
9 Critical Threats Against Mobile Workers
1.
2.
3.
4.
5.
6.
7.
8.
9.
Malware, Trojans, Zero-day Attacks
Key loggers
Compromised Wi-Fi Hotpots
Poisoned DNS
Malicious & Privacy Leaking Apps
Jail broken & Rooted Devices
Un-patched OS Versions
Spear Phishing
Advanced Persistent Threats
4
Bring Your Own Device = New Threats
• Multiple users per device, with many
apps and websites visited
• Users connect to 10+ networks a month
• Attacks against end-users give access to corporate networks, data, and
cloud services
• Cyber-criminals know this
5
Phishing Continues To Explode
• Phishing and Spear-Phishing is At Record Levels
7
Spear-Phishing
• Spear-phishing is the #1 way that APTs are instigated
• Use DNS blacklisting to prevent access to phishing sites
8
9
10
Email Service Providers
Are An Important Attack Vector
11
• RSA Security breached
• Targeted spear phishing infected several
employees’ computers
• Seeds and serial numbers for tens of
millions of SecureID tokens stolen
• Key customers attacked after this
12
13
13
14
Android Fragmentation
15
Exponential Growth in Mobile Malware
16
Source: Kaspersky Labs, March 2013
• Sites infected with bad
iFrame
• Checks User-Agent
• Update.apk sent to browser
• Installed if device allows apps
from unknown sources
• com.Security.Update
17
Hacked Apps Posted to Markets
18
Example: Fake Instagram
19
Example: Fake Authentication Apps
20
Example: Battery Monitor Trojan
21
Compromised WiFi Hotpots
• WiFi hotspots can intercept and redirect traffic
• Evil-Twin attacks, DNS attacks, network snooping, session
hijacking & sidejacking
• You need a VPN service for all users, on every WiFi
22
Sidejacking on Public WiFi
23
Poisoned DNS
• DNS poisoning takes remote employees to
criminal sites
• Can be poisoned upstream at the ISP, not just
at the WiFi hotspot
• Apps are particularly vulnerable due to poor
implementations of certificate validation
24
DNS attacks recently reported
25
Privacy Leaking Apps
• Legitimate apps may upload your corporate
directory to a service in the cloud
• That service may be hacked or resold, exposing
all of your employees to spear-phishing attacks
• You should deploy a cloud service to scan and
analyze apps for malicious behavior and privacy
violations
26
Jail-broken & Rooted Devices
• You should prevent access from jail-broken iPhones and
rooted Android devices
• Jail-broken/rooted devices have almost zero security
protections
27
Unpatched OS Versions
• Unpatched OS and plug-ins are the main attack
vector of criminals against your users
28
Live Example
• This example is a live example of taking over
the iTunes app on an iPad
• Click twice and enter your device password.
You’re owned.
29
Phishing or Spear-Phishing Lure
30
iOS Allows Unsigned and Unverified Profiles
31
Click “Install Now”
32
Enter Your Device Password
(if you have set one)
33
iTunes App Removed, Fake iTunes Installed
34
Use Fake iTunes To Steal Passwords, etc
35
Things That A Profile Can Change
• Safari security settings can be disabled
• Javascript settings
• Local app settings
• Allow untrusted TLS connections
• Device settings
• Install X.509 certificates
36
Even Worse: Hostile MDM Profile
• Expands the scope of malicious capabilities to include
‒ App replacement and installation
‒ OS replacement
‒ Delete data
‒ Route all traffic to Man-In-The-Middle sites
37
Architecture
Network
Feeds
Marble Threat Lab
App Feeds
Propose or
discover
threat
Design PoC
Create
Remediation
or Detection
in our
Product
Marble Access
Instrumented
Marble Access
Networks
WiFis
DNS reports
App reports
Device
fingerprints
Marble App Analysis
Marble Control
Policies &
Data
Threat
Detection
Implement
and test Poc
Monitor for
threat
Prioritize
App
Marble
App
Reputation
Database
Download
App
Analyze and add
to database
Marble Threat Reports
Marble
Threat
Database
38
App Analysis Architecture
3rd Party
Feeds
Rate High
Priority App
Download
from client or
app store
Analyze
automatically
and possibly
manually
Rate by newness,
behaviour, publisher,
spread rates
Download from various
app stores &
sideloading sites
Use Android Grinder
and other tools for
analysis
Prioritize
App
Download
App
Marble App
Reputation DB
Analyze and add
to database
Incident Response &
Analysts Team
39
Marble’s Dynamic App Security Architecture
Google Play
Apple App
Store
Other App
Stores
Marble Control Service
Marble
Access
Mobile
Device
Client
Alerts &
Reports
Rules
User
Interface
Analytics
Engine
App
Crawler
Controller/
Scheduler
Database
Database
Risk
Engine
Stored Apps
Correlation
Engine
Customer’s
Security
Admin
App Queue
Marble
Security
Lab
Jammer
Scanner
Network
Information
Marble Security Analysts
Data Feeds
Network
Threat
Database
Analyzer
DNS lookups,
network
threat
correlation
engine
Dynamic App
Analysis
Engine
Real-time user
interface
simulation
40

similar documents