
BSYOD: Bring and Secure Your Own Device Hardening your Mobile Devices to Participate in the Wireless World Nebraska University Center for Information Assurance.


1 BSYOD: Bring and Secure Your Own Device Hardening your Mobile Devices to Participate in the Wireless World Nebraska University Center for Information Assurance

2 Timeline 11:15, 12:00, 12:15. Part 1: NUCIA, Who are we? Part 2: Security concerns. Part 3: Some Solutions. Part 4: Audience Questions and Suggestions.

3 NUCIA Nebraska University Center for Information Assurance http://nucia.unomaha.edu/

4 The UNO NUCIA Team: Ken Dick, Robin Gandhi, Dwight Haworth, Connie Jones, Bill Mahoney, Steve Nugen, Leah Pietron, Abhishek Parakh, Charles Spence

5 Information Assurance: IA research and education is supported across the College of IS&T and the Graduate College. NSA-designated National Center of Academic Excellence in Information Assurance Education (CAE IAE). Degrees include BS in IA; MS in IA (starting Fall 2012) NEW, IA concentrations with CS and MIS. Non-degree programs and activities include MIS IA certificate, International Cyber Defense Workshop. Special programs for High School teachers and students.

6 Student Accomplishment (1) UCSB iCTF 2010: 72 teams (900 students!) from 16 countries competed in a game of hacking, challenge-solving, and state-sponsored warfare. (26 US Universities)

7 Student Accomplishment (2) Placed 7th among all US Undergraduate teams

8 Student Accomplishment (3) IFSF CTF Quals hosted from Tunisia: 4th among US teams, 21st among 236 teams worldwide

9 State of the Art IA Labs: STEAL-1, STEAL-2, STEAL-4, STEAL-3. New SCADA Testbed. 9 pods; 5 hosts ea. Virtual Machines. Student Research. 7 pods; 5 hosts ea. New hosts: Quad; 16 GB; dual NICs. 6 VM Servers; 4 NICs each. Desktop Workstations. Each host can support multiple VMs; networking options include host-only, STEAL domain, and Internet (via VPN). Able to carve out subsets to simulate different domains, cross-domain architectures, hardened systems, targets, and attackers. Supports teaching and research. Networks: STEAL Only (Isolated); UNO Internet; Private Internet

10 Wireless Security Issues

11 802.11 Networks. 802.11: A family of IEEE specifications for WLANs operating in 2.4 GHz RF spectrum. 2.4 GHz frequency, unlicensed. Divided into 14 channels. Infrastructure mode is most commonly used. Diagram: PC-1, PC-2, AP, Gateway, Internet

12 Inherent Security Issues: Nodes in the physical vicinity of each other can monitor all network traffic. Open hotspots do not encrypt any traffic between the mobile node and the access point. Mobile applications may use insecure protocols to exchange sensitive information.

13 NIST Guidance: Guidelines for Securing Wireless Local Area Networks (WLANs), NIST SP 800-153 http://csrc.nist.gov/publications/drafts/800-153/Draft-SP800-153.pdf 5/13/2015

14 Worrisome Scenarios: Capturing wireless traffic; rogue access points; sniffing; session hijacking; insecure apps; iPhone Southwest app; privacy issues; malicious QR codes; wireless encryption cracking; WEP and WPA attacks

15 Rogue Access Points: Advertise open access points in public places with similar names to legitimate ones, e.g. attwifi, boingo, linksys, NETGEAR. Diagram: PC-1, PC-2, AP, Gateway, Internet, HUB, Sniffer

16 Sniffing: Passive monitoring of wireless traffic. The RF monitor mode allows every frame appearing on a channel to be copied into the scanning node. Hardware easily available for purchase: wireless cards whose firmware and corresponding driver software together permit reading of all raw 802.11 frames, ~$30

17 Sniffing: Kismac, MacBook Air, Alfa wardriving card

18 Scanning available networks

19 Network activity

20 Selecting a target

21 Selecting a target

22 Foraging with Wireshark

23 Foraging with Wireshark

24 Foraging with Wireshark

25 Session Hijacking http://codebutler.com/firesheep

26 Insecure Apps: Some applications have inherent flaws that can be exploited on public networks. Case: Southwest Airlines iPhone App

27 Southwest Airlines iPhone App: Use a remote network proxy to examine HTTP traffic

28 Southwest Airlines iPhone App: The app assigns a Device ID to uniquely identify the device

29 Southwest Airlines iPhone App: The registration data is sent out in the clear!

30 Southwest Airlines iPhone App: … and any subsequent login information

31 Privacy violations: Universal Device Identifiers (iPhone UUID, ANDROID_ID). Several applications use the UUID to perform some sort of tracking. A user does not have control over the use of this information by apps. The UUID may be transmitted in the clear over unprotected WiFi networks.
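
Added example (not part of the original presentation): the check behind slides 27 to 31, done from the defender's side over a proxy capture of an app's traffic, listing which sensitive fields leave the device over plain HTTP. The capture, host names and field names are constructed for illustration.

```python
"""Flag sensitive fields sent over plain HTTP in a proxy capture (added example)."""
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names; a real audit uses the names seen in the app's own traffic.
SENSITIVE_KEYS = {"password", "passwd", "pin", "deviceid", "udid",
                  "android_id", "username", "email"}

# Constructed sample: requests as a proxy might log them (method, URL, form body).
SAMPLE_CAPTURE = [
    ("POST", "http://api.example.test/register", "deviceId=A1B2C3D4&email=pat%40example.test"),
    ("POST", "http://api.example.test/login", "username=pat&password=hunter2"),
    ("POST", "https://api.example.test/login", "username=pat&password=hunter2"),
    ("GET", "http://ads.example.test/track?udid=A1B2C3D4&screen=home", ""),
    ("GET", "http://cdn.example.test/logo.png", ""),
]


def cleartext_findings(capture):
    """Return (request, sorted field names) for each plain-HTTP request carrying sensitive fields."""
    findings = []
    for method, url, body in capture:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS-protected requests are not readable by a passive sniffer
        # Sensitive data can travel in the query string (GET) or the form body (POST).
        fields = parse_qsl(parts.query, keep_blank_values=True)
        fields += parse_qsl(body, keep_blank_values=True)
        exposed = sorted({name for name, _ in fields if name.lower() in SENSITIVE_KEYS})
        if exposed:
            # Report field names only; never copy the captured values into the report.
            request = f"{method} {parts.scheme}://{parts.netloc}{parts.path}"
            findings.append((request, exposed))
    return findings


if __name__ == "__main__":
    for request, exposed in cleartext_findings(SAMPLE_CAPTURE):
        print(f"{request}: cleartext fields {', '.join(exposed)}")
```

The HTTPS login in the sample is not reported, while the same form posted over HTTP is; the tracking request shows a device identifier leaking through a query string.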

32 Security and Privacy Hall of shame http://blog.afewguyscoding.com/2011/12/survey-mobile-device-security-threats-vulnerabilities-defenses/ http://www.msnbc.msn.com/id/46856168/ns/technology_and_science-security/t/cracks-appear-face-apples-ios-security/

33 Malicious QR Codes: QR codes can be used to launch malicious websites that infect or root mobile devices. Malicious QR codes can be pasted on legitimate advertisements and fliers. Disable automatic launching of applications upon scanning of QR codes.

34 WEP and WPA Cracking: WEP-based passwords are very easy to crack. WPA/PSK is relatively easy to crack given a short password length. WPS PIN brute-forcing also weakens WPA/WPA2 protected networks.

35 WEP and WPA Cracking Tools: Aircrack-ng suite; Kismet – wireless sniffing tool; a wireless adapter that supports monitor mode for wireless sniffing; Linux operating system; alternative (Kismac + wireless adapter + Mac)

36 WEP and WPA Cracking (Aircrack-ng)

37 WEP and WPA Cracking (Kismac)

38 SOME USEFUL APPS AND BEST PRACTICES

39 Best Practices: Center for Internet Security (CIS) Mobile Security Benchmarks. iPhone 5.0.1 security benchmark; Google Android 2.3 (Gingerbread). http://benchmarks.cisecurity.org/ http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.mobile

40 Monitor Device Operation: iOS apps for this include: System Status. Functionality includes displaying the system log. http://itunes.apple.com/us/app/system-status-device-activity/id401457165 SYS Activity Manager http://itunes.apple.com/us/app/sys-activity-manager-plus/id440654325

41 Monitor your environment: iOS Network/Port Scanners continued: IT Tools http://itunes.apple.com/us/app/it-tools/id324054954 IP Network Scanner http://itunes.apple.com/us/app/ip-network-scanner/id335517657 LanScan HD http://itunes.apple.com/us/app/lanscan-hd/id461551081

42 Monitor your environment: iOS Network/Port Scanners include: Scany http://itunes.apple.com/us/app/scany-network-port-scanner/id328077901 iNetPro http://itunes.apple.com/us/app/inet-pro-network-scanner/id305242949 Deep Whois http://itunes.apple.com/us/app/deep-whois-lookup-ips-domains/id328895000

43 Screen Locks: Physical security is important for mobile devices: they store large amounts of personal data, are easier to steal, and are easier to misplace. Maximize security by: setting up passcodes for device access; auto-locking feature; automatic data erasure after failed attempts.

44 Screen Locks: Be careful with pattern locks. Sometimes the pattern lock path is shown on the screen as it is used (depends upon the device). Your pattern may be left behind by smudge marks. Consider if someone might be watching your screen.

45 Hardware Encryption: iPhone Support. iPhone 3GS and later. Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. Third-party applications can use the data protection APIs.

46 Android Support: Android 2.3 (Gingerbread): all Motorola devices, some HTC devices. Android 3.0+: all Honeycomb devices, all Ice Cream Sandwich devices.

47 Hardware Encryption: Screen locks provide a good start, but do not encrypt the SD card or phone data. Android provides additional settings. But built-in encryption modules have often been rendered useless.

48 Hardware Encryption: iPhone 3GS, encryption declared ‘useless’ by hackers, 2009 http://www.wired.com/gadgetlab/2009/07/iphone-encryption iOS 4, encryption broken by ElcomSoft, 2011 http://www.extremetech.com/mobile/84150-how-ios-4-encryption-was-cracked-and-how-to-protect-your-iphone Alternative encryption methods may be available through apps.

49 Hardware Encryption: iPhone. Also remember to encrypt device backups. Examples: Device location tracking http://www.geek.com/articles/apple/how-to-deal-with-your-iphone-tracking-you-20110420/ Facebook login data http://www.cultofmac.com/159169/facebook-ios-security-flaw-highlights-security-risk-in-ios-backups/ User enabled, or enforced through configuration profiles.

50 Virtual Private Networks: VPNs build an encrypted tunnel from a mobile device to a trusted endpoint. Prevents eavesdropping on untrusted networks. iPhone, iPad and Android support the following virtual private network protocols: Cisco IPSec, L2TP/IPSec PSK, and PPTP. Android additionally supports L2TP/IPsec CRT.

51 Native VPN support

52 3rd Party SSL-VPN

53 Jailbreaking/Rooting: Pros of a Locked Device. For most users, obtaining root access to a mobile device is an unnecessary risk. Prevents unauthorized app installations and changes. The device stays configured the way the manufacturer intended.

54 Jailbreaking/Rooting: Cons of a Locked Device. Manufacturers are not quick to update software. Security vulnerabilities may stay unpatched. The manufacturer may not have secured the device to meet enterprise-level standards. No firewall protection or native VPN solutions.

55 Jailbreaking/Rooting: Pros of an Unlocked Device. The device can potentially be flashed with a more secure ROM/configuration. The kernel for Android can be recompiled to support: firewalls for both IPv4 and IPv6; IPSEC VPN connections.

56 Jailbreaking/Rooting: Cons of an Unlocked Device. The user can “brick” the device during configuration if not careful. Root access is easier to leverage for malicious parties in addition to the user. The user must be even more vigilant when deciding what apps to install.

57 Rooted Android Precautions: If the device merely needs a configuration change, temporary rooting may be the best. This continues to block unauthorized root access attempts as designed after configuration. This eliminates future user error after configuration.

58 Rooted Android Precautions: The Android hacking community always suggests the use of a root access manager. It requires approval by the user for all root access requests. This potentially puts up one last line of defense.

59 Mobile Device Management: Security concerns include: preventing unauthorized use of the device; protecting data while at rest in the device (or in backups or the cloud) and in-transit; security of the applications (e.g., leaking information or not complying with security settings). Mobile devices could be the weakest link in information protection.

60 Mobile Device Management: iOS devices can be configured/managed through: local settings on the device; Apple Configuration Utility; Microsoft Exchange ActiveSync; Mobile Device Management -- platform independent

61 Mobile Device Management: Recommended reading includes: CIS iOS benchmark. Apple guidance: iPhone and iPad in Business Deployment Scenarios http://images.apple.com/ipad/business/docs/iOS_Business.pdf iPad in Business: Security Overview http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf iPhone Enterprise Deployment Guide http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

62 Mobile Device Management: Recommended reading continued: Apple Configuration Utility (aka Apple Configurator) http://www.wired.com/wiredenterprise/2012/03/apple-configurator/ http://krypted.com/iphone/managing-ios-devices-with-apple-configurator/ http://itunes.apple.com/us/app/apple-configurator/id434433123

63 Mobile Device Management: Recommended reading continued: Mobile Device Management (MDM) http://en.wikipedia.org/wiki/Mobile_device_management http://www.apple.com/ipad/business/integration/mdm/ http://images.apple.com/ipad/business/docs/iOS_MDM.pdf http://www.computerworld.com/s/article/9224894/Tips_for_developing_a_mobile_device_management_strategy

64 DISCUSSIONS

