Documente Academic
Documente Profesional
Documente Cultură
Karson Chan
Security Consultant
8,000+
20+
years
experience
Customers
1,000+
Staff
Risk and
Information
Security focus
Consulting,
managed and
technology
services
Offices across
Europe
America &
Asia-Pacific
Two decades of
deep technology
partnerships
Global
reach/local
engagement
Investing
for the
long term
Public-Approvedv05
Security Strategy/Policy
Information Classification
Identity Management
Incident Response
Security Awareness/Training
Social Engineering
Incident Response
Quality Assurance
Project Management
Staging
Commissioning Support
Project Resourcing
Technology Assessment
Upgrade
SIEM Rationalization
Security Operations
Managed Security Services
Device Management
Security
Analysis
NTT Com
Security
Agenda
Offensive Security
What is it?
Its largely proactive
To defend against ever changing threats, it helps to be able to think like the bad
guys do
Its not a replacement for reactive and defensive security. It complements them
You have already put defenses in place. How would they fare against a real attack?
Provides an indication of how secure you really are
Black Box, White Box, and hybrid penetration testing
People
Process
Technology
Offensive Security
The Approach
Penetration Testing
Wireless (802.11)
Anything with in IP
Code Review
Threat Modeling
Code Analysis
Automatic assessment
Reveals isolated
vulnerabilities
No human intelligence
Fast and efficient to identify
most of vulnerabilities
Not able to address logic
flaw
Vulnerabilities are possible
false positive
Penetration Test
Vulnerability Assessment
Single Vector
Only identify
vulnerabilities for single
vector
Scenario Based
Traditional Testing
Penetration Testing
Testing multiple
disciplines
simultaneously
Shows potential
breaches through
combined
vulnerabilities
Multiple Vectors
Network
Hacking
Web
Applications
Wireless
Mobile
Devices
Malicious USB
Email
Phishing
Physical Infiltration
NTT Com Security
Social Engineering
Governance
Standards &
Fundamentals
Guidelines and
Procedures Checklists
Concepts & Processes
Topology /
Infrastructure
Hardening /
Patch Management
Standards,
Guidelines and
Tools
Secure Application
Development
Software security
specifications
Secure Design
Secure coding
training
Coding guidelines
Tool based code
analysis
Secure Development
Life Cycle
Advanced-Security
Whitelist / Blacklist
Proxy
DOS Protection
Web Application
Firewall
SSL Termination/
Offload
XML/SOAP-Firewall
Authentication/SSO
Application Protection
Tools
Management
Security Management,
Operation and Services
Operating
Maintaining
Administration
Incident-Handling
Managed Services
Application Security:
Disruption from operation to business loss
11
12
According to Gartner, over the next year and through the end of
2015, more than three-quarters of mobile apps will fail "basic
security tests.
13
Breaches Statictics
14
Source: Verizon DBIR 2013
Attack Methods
15
Application Security:
Latest Trends
1. Single Vector to Multiple Vectors Attack
16
Target Company
17
Web
Applications
Email
Phishing
Social Engineering
18
19
With the ubiquitous usage of smart phones and PDAs the Web Application market has
exploded
What started primarily as games and productivity aids have developed into business and
corporate tools
> Evolving from static content to highly interactive user interfaces exchanging data and
information of all types
> The line between the personal world and the business world is almost non-existent
A lack of development standards, frameworks, and language have inadvertently opened
up a vast, new targeted threat landscape
These threats, and how to deal with them, represent one of todays single largest
information Security risks
73% of organizations have been hacked at least once in the past two
years through insecure web applications
On average, every web application has an average of 12 vulnerabilities
22
Mobile Application
Android Vulnerabilities
Malicious Applications
Jailbreak / Rooting
File System
3rd Party
Libraries
Malicious
User
Web
Services
Mobile Phone
23
Permissions
> Are application components sufficiently protected
Data-in-Transit
> Is the data protected as its sent to the server
Data-at-Rest
> Is the data stored on the device secured
The Server
> Does the server validate data from the mobile application
Both Android and iOS applications can be extracted from the phone in
their binary format
> Android: Java compiled to DEX VM bytecode
> iOS: Obj-C compiled to ARM binaries
An application that hasnt been obfuscated means that logic flaws can
usually be identified quickly!
Permissions
Under the Android security model every application runs in its own
process and using a low-privileged user ID
Applications can only access their own files by default
With this isolation in place, applications are able to communicate via
different components
These communications between components are a critical area of
focus for assessing the security of a mobile application
Permissions
Android Applications are typically made up of multiple components:
>
>
>
>
Activities
Services
Content Providers
Broadcast Receivers
Permissions
What did we find?
Poorly protected components for a number of well known and popular
applications
> Poorly protected activities (GUI screens) can be launched instead of the intended Activity
> Exported Activities can be launched by other applications (think CSRF for mobile
applications)
> Broadcast messages vulnerable to eavesdropping or DoS (Denial of Service)
Permissions
android:debuggable=true
If you find the above line in the AndroidManifest.xml file, the application
is debuggable and it can be exploited.
Data-In-Transit
Confidentiality:
> Prevent snooping
> Man-in-the-middle attacks
Data-At-Rest
One of the largest challenges with mobile applications is how they secure
data on the device
Many popular applications use SQLite database files which are not
adequately protected
If the device is lost or stolen, it would be trivial for an attacker to pull these
databases and view the records
On both Android, and iOS its fairly easy to get root access and access
application data and configuration files
> These files contain usernames, passwords, encryption keys, and other sensitive
account information
NTT Com Security
The Server
History Repeats Itself
Through our analysis of popular mobile applications, we continued to find old web
application vulnerabilities:
> Username Enumeration
> SQL Injection
> Broken session management
> Information Disclosure
The Server
Harvesting User Information
The mobile application communicates to the server over HTTPS (good) and using JSON
requests. It looks something like this:
The server would then respond to this request, with the users account information
The Server
Harvesting User Information
The server responds with the user information for that user
This isnt good. Theres obviously an authentication problem here
HTTP Request
HTTP Response
The Server
Harvesting User Information
This is a serious vulnerability but unfortunately it happens quite a lot
All an attacker needs to have is a valid username and by exploiting the
vulnerability, he is able to obtain:
> The users mobile phone number
> The users email address
Through social engineering he may further his attacks against the user
He could also write a script to enumerate valid users within the system and
obtain their information
This application has been downloaded millions of times!
BREAK
DEMO
Summary
> The threat surface of mobile applications differs significantly from that of web
applications
> Web application security has improved, but 5 year old vulnerabilities are still
common
> Development of mobile application development guidelines and assessment
capabilities are needed
> The risk of liability to corporations
> Organizations should have a framework for regular assessment and a solution for
assuring the security of applications
46
Secure
Coding Tailored to development frameworks
Workshop
Vulnerability
Assessment
Penetration
Testing
Questions?
Thank You