Another BYOD Security Challenge – User-Managed Remote Access Software

August 16, 2014

In a recent Defcon presentation three researchers demonstrated that scanning the Internet — the entire Internet — is now a practical exercise.  That idea alone should force us all to re-frame how we measure the effectiveness of our infrastructure’s defensive posture, but that is not the topic of this post.  As part of their work, the team demonstrated the scale of unauthenticated remote access set up on business and personal endpoints reachable from the Internet.  As families acquire more and more Internet endpoints, it appears that someone in each household wants to access or manage some of them remotely.  This might be as simple as reaching the “office Mac” from a tablet on the couch, or as reckless as unauthenticated remote access to that home-office endpoint while traveling.  The use case matters less than the behavior itself.  If people are setting up unauthenticated remote access (or using default or easily-guessed passwords) on the endpoints they also want to bring to work, we all have a problem…

Regardless of how ill-conceived they may be, BYOD experiments, and even formal BYOD programs, seem to be a fever without a cure.  When a financial services workforce uses non-company endpoints, we inherit all the risks associated with their all-too-often unprofessional and uninformed management practices.  Now we have evidence that one facet of that behavior is the installation and use of unauthenticated remote access software.  There are a number of popular approaches.  The Defcon presentation appears to have focused on VNC (Virtual Network Computing), but other packages are widely used for convenient remote access; Wikipedia lists dozens.

We need to train our workforce to limit their exposure (and the organization’s, via BYOD) to the risks associated with remote access software.  At the very highest level, they need to understand that for any endpoint used for financial services work:

  1. Don’t run software (whatever it is) that is not really needed.
  2. If you really need it, learn how to manage it and configure it to deliver only the features you need.  In an end user-managed BYOD environment, running software you don’t understand is not risk-reasonable in the context of performing financial services business (our regulators require, and our customers and partners expect, that we perform our business activities using risk management practices stronger than simple ‘hope’).
  3. If you need remote access, exercise the principle of least privilege:
    1. Install and configure the software so that by default it is not turned on (if it is not running, it cannot support unintended remote access).
    2. Turn on your remote access software only when you need it, and turn it off again as soon as is practical afterward.
    3. Configure the remote access software with a risk-reasonably short session timeout.
    4. Permit only uniquely-authenticated users, each with a strong, unique, time-limited password.
  4. Restrict remote access to your endpoint as much as possible (for example, bind the service to the local loopback address and reach it over an authenticated tunnel rather than exposing it to the network).
  5. Turn off every remote access path you can do without.
  6. Use multiple layers of protection to implement defense in depth:
    1. Run an endpoint firewall configured to reject all inbound connection attempts except those you explicitly authorize.
    2. Don’t grant apps permissions that you don’t understand.
    3. Don’t grant apps permissions that would enable access to business data or business communications.
    4. Run one or more anti-malware packages.
    5. Use security-centric web proxies.
    6. Configure your browser(s) with their most paranoid settings.
    7. Turn on your search engine’s site-reputation (‘recommendation’ or anti-hostility) service.
    8. If your operating system supports it, perform your work without administrative rights (don’t make yourself equivalent to root or the local administrator).
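Items 3 and 4 above can be checked rather than hoped for.  The following is an added example (not part of the original post) that audits a Linux endpoint’s listening sockets from `ss -ltn` output and separates remote-access services bound only to loopback (reachable locally, e.g. through an SSH tunnel) from those bound to a wildcard or LAN address.  The port-to-service map (SSH 22, RDP 3389, RFB/VNC 5900 plus display number) is standard; the `ss` output is constructed so the script runs offline.

```python
"""Audit listening sockets for remote-access services reachable from off-box.

Added example: parses `ss -ltn` output (Linux) and reports VNC/RDP/SSH listeners,
distinguishing loopback-only bindings (reachable only locally, e.g. through an SSH
tunnel) from wildcard or LAN bindings that accept connections from anywhere.
"""
import ipaddress
import sys

# Well-known remote-access ports: SSH 22, RDP 3389, RFB/VNC 5900 + display number.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp"}
REMOTE_ACCESS_PORTS.update({5900 + n: f"vnc display :{n}" for n in range(10)})

# Constructed sample (not a real capture): two VNC displays, one bound to loopback only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       127.0.0.1:5900       0.0.0.0:*
LISTEN  0       5       0.0.0.0:5901         0.0.0.0:*
LISTEN  0       128     [::]:3389            [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
"""


def split_host_port(local):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); '[::]:3389' -> ('::', 3389); '*:5900' -> ('*', 5900)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*' (ss's wildcard spelling) is never loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_listeners(ss_output):
    """Return one finding per remote-access listener, marking those exposed beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, port = split_host_port(fields[3])
        service = REMOTE_ACCESS_PORTS.get(port)
        if service is None:
            continue  # e.g. CUPS on 631: not a remote-access service
        findings.append({"service": service, "port": port, "bind": host,
                         "exposed": not is_loopback(host)})
    return findings


def exposed_ports(ss_output):
    """Ports that violate 'restrict remote access as much as possible', sorted."""
    return sorted(f["port"] for f in audit_listeners(ss_output) if f["exposed"])


if __name__ == "__main__":
    # Pipe real output in (`ss -ltn | python3 audit_listeners.py`) or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for f in audit_listeners(data):
        status = "EXPOSED" if f["exposed"] else "loopback-only"
        print(f"{f['service']:16s} {f['bind']}:{f['port']}  {status}")
```

On the sample, display :0 bound to 127.0.0.1 passes while display :1 on 0.0.0.0, SSH on 0.0.0.0 and RDP on [::] are reported as exposed; an endpoint firewall that rejects unsolicited inbound connections is the second layer for the ones that must stay open.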

In addition to end-user education, and before permitting even the most limited BYOD experiment, financial services enterprises should configure their infrastructure to resist the use of virtually all known remote access software on those non-company devices.  Port-blocking and protocol recognition will not be perfect, but they will stop the unauthorized use of the most casual installations.  Because the blocking is imperfect, we also need our SIEM infrastructure configured to alert on remote-access traffic that gets through, and staff to deal with those alerts.  Using the same signature and/or correlation logic configured in the SIEM, those with widespread IPS infrastructure can also block BYOD remote access attempts (at least in some scenarios).
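The protocol-recognition half of that logic does not have to depend on port 5900.  As an added example (not part of the original post or of the Defcon team’s tooling), the classifier below reads the server-to-client bytes of an RFB (VNC) handshake as specified in RFC 6143 section 7.1 and flags servers that offer security type “None”, which is the unauthenticated condition the Internet-wide scan surfaced.  The sample streams are constructed, not captures; in production the bytes would come from a stream reassembler feeding the SIEM or IPS.

```python
"""Port-independent recognition of VNC servers that allow unauthenticated access.

Added example: classifies the server-to-client bytes of an RFB handshake as defined in
RFC 6143 (section 7.1). The server opens with a 12-byte "RFB xxx.yyy\\n" banner; for
protocol 3.7 and later it then sends a U8 count followed by that many U8 security
types, for 3.3 a single U32 security type. Type 1 is "None" (no authentication).
"""
import re
import struct

RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Security type codes from RFC 6143 and the IANA RFB registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}


def parse_rfb_server_stream(data):
    """Return None if `data` is not RFB, else version, offered security types and an
    'unauthenticated' flag. security_types is None when the capture ends before the list."""
    m = RFB_BANNER.match(data)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    body = data[12:]
    if version >= (3, 7):
        # U8 number-of-types, then the type codes; 0 means the server refused the
        # connection and a U32 reason length plus reason string follows instead.
        if not body:
            types = None
        elif body[0] == 0:
            types = []
        else:
            count = body[0]
            types = list(body[1:1 + count]) if len(body) >= 1 + count else None
    else:
        # 3.3: the server picks the single type itself and sends it as a U32; 0 = refused.
        if len(body) < 4:
            types = None
        else:
            (chosen,) = struct.unpack(">I", body[:4])
            types = [] if chosen == 0 else [chosen]
    return {
        "version": f"{version[0]}.{version[1]}",
        "security_types": types,
        "security_type_names": None if types is None else
            [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types],
        "unauthenticated": types is not None and 1 in types,
    }


def classify(data):
    """Collapse the parse into the label a SIEM correlation rule or IPS signature acts on."""
    info = parse_rfb_server_stream(data)
    if info is None:
        return "not-rfb"
    if info["security_types"] is None:
        return "rfb-incomplete"
    if not info["security_types"]:
        return "rfb-refused"
    return "rfb-unauthenticated" if info["unauthenticated"] else "rfb-authenticated"


# Constructed sample streams (not real captures). A real feed would come from a
# stream reassembler that hands over the server->client direction of each TCP flow.
SAMPLES = {
    "open-vnc-3.8": b"RFB 003.008\n" + bytes([1, 1]),
    "vncauth-or-vencrypt-3.8": b"RFB 003.008\n" + bytes([2, 2, 19]),
    "open-vnc-3.3": b"RFB 003.003\n" + struct.pack(">I", 1),
    "vncauth-3.3": b"RFB 003.003\n" + struct.pack(">I", 2),
    "refused-3.8": b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 8) + b"too many",
    "ssh-on-5900": b"SSH-2.0-OpenSSH_6.6\r\n",
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(f"{name:24s} {classify(stream):20s} {parse_rfb_server_stream(stream)}")
```

Matching on the banner rather than the port is what catches the VNC server someone moved to 8080 to “get around” the block; the `rfb-unauthenticated` label is the one worth an alert, and the `rfb-incomplete` case is a reminder that a signature fed only the first packet cannot distinguish open from authenticated servers.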

All of the security measures required to deal with BYOD fever will add expense that needs to be introduced into the BYOD economic equation.  All of the new risks also need to be introduced into the overall enterprise risk management pool.  The impacts will be different for various organizations.  For some, it seems reasonable to assume that the new costs and risks will far exceed any real benefits that could possibly be delivered in a financial services enterprise environment. 

REFERENCES:

“Thousands of computers open to eavesdropping and hijacking.” By Lisa Vaas on August 15, 2014, http://nakedsecurity.sophos.com/2014/08/15/thousands-of-computers-open-to-eavesdropping-and-hijacking/

“Mass Scanning the Internet: Tips, Tricks, Results.” By Robert Graham, Paul McMillan, & Dan Tentler, https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham 

“Comparison of remote desktop software.” From Wikipedia, http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software

“Principle of Least Privilege.” From Wikipedia, http://en.wikipedia.org/wiki/Principle_of_least_privilege

“Defense in depth.” From Wikipedia, http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29


Apple iPhone 5S TouchID Beat Using Simple Approach

September 23, 2013

Some in Financial Services seemed to think that now, finally, it would be easy to do serious business with Apple’s new iPhone 5S TouchID mobile device.  The advanced biometric authentication would, so the argument goes, secure the environment — the device and its use — in ways that were going to make risk management easy…

…”Oh, those sad Windows users.  What will we do with them?”

————————————————————————————————–

The German hacker organization “Chaos Computer Club” (CCC) uploaded a YouTube video appearing to demonstrate a successful hack of the new iPhone TouchID biometric authentication.  In the short video an individual appears to access an iPhone 5S using a fabricated fingerprint.

This new option was promoted by Apple as a better way to protect devices and to protect sensitive information stored on or accessed by them.

Just last week, I heard an industry pundit say — seriously — that “mobile security was solved” because of the strength of Apple’s biometric security.  When I responded with a muted challenge, the individual’s demeanor suggested pity for me (at best).

CCC member with the pseudonym starbug said on the organization’s site, “For years we have repeatedly warned against the use of fingerprints for access control. We leave fingerprints everywhere, and it is a breeze to create fake fingers from it.”

The CCC approach, as described in their announcement on Sat, Sept. 21st, used materials that are common in most households:

  1. Photograph the fingerprint of a targeted user at a resolution of 2400 dpi.
  2. Invert the photo on your computer.
  3. Print it on transparency film using a laser printer at 1200 dpi.
    In the CCC video, the technique appeared to involve etching a printed circuit board.  Not everyone has easy access to board-etching equipment, but it is not that unusual (maybe as common as lock picks?).
  4. Apply skin-colored latex milk or white wood glue to the printed image.
  5. The raised toner lines (“pressure lines”) leave a fingerprint relief in the deposited material.
  6. After it dries, lift off the counterfeit fingerprint.
  7. Moisten the “fingerprint” slightly by breathing on it.
  8. Unlock the targeted iPhone with it.

Frank Rieger, speaker of the CCC, said that “The public should no longer be led around by the biometrics industry with false statements on the nose.  Biometrics is suitable to monitor and control people not to (secure) everyday devices against unauthorized access.”

Biometrics have always been a challenge.  That state continues.

In the case of the iPhone 5S TouchID, the Apple marketing may have been a little misdirection as well — as in, “Hey! Look at this great new button over here!” — rather than dealing with the difficult blocking-and-tackling work of building secure-enough endpoints and supporting cloud infrastructure across their entire life-cycles.  There may be niches in the consumer market for TouchID, but it seems like the iPhone 5S implementation does not deliver for real business.

If this announcement described the real state of the Apple 5S TouchID technology and implementation, that identity infrastructure is still not ready for broad or routine integration into the operations of Financial Services enterprises.

What do you think?

REFERENCES:

“Chaos Computer Club breaks Apple TouchID hacking iphone 5S.” By Rose Sodre, Sep 23, 2013. http://www.youtube.com/watch?v=xRjnDMgEJNM&list=TLGPmhzz00af0

“Chaos Computer Club hackt Apple TouchID.” By frank, 2013-09-21. http://ccc.de/de/updates/2013/ccc-breaks-apple-touchid [This page is in German.]

“The iPhone 5s Touch ID hack in detail.” http://www.heise.de/video/artikel/The-iPhone-5s-Touch-ID-hack-in-detail-1966044.html [A video containing more details about the techniques used to copy and misuse a fingerprint against Apple iPhone 5S TouchID.]

“Bypassing TouchID was ‘no challenge at all,’ hacker tells Ars — German hacker Starbug tells Ars how he bypassed the fingerprint lock on new iPhones.” By Dan Goodin, Sept 24 2013.

“We’ve cracked Apple’s fingerprint scanner: German hackers.” South China Morning Post. http://www.scmp.com/print/business/companies/article/1315872/weve-cracked-apples-fingerprint-scanner-german-hackers

“iPhone 5s: About Touch ID security.” Apple. http://support.apple.com/kb/HT5949?viewlocale=en_US

“Investigating Touch ID and the Secure Enclave.” By Rich Mogull, 23 September 2013. https://securosis.com/blog/investigating-touch-id-and-the-secure-enclave

“A Quick Response on the Great Touch ID Spoof.” By Rich Mogull, 22 September 2013. https://securosis.com/blog/a-quick-response-on-the-great-touch-id-spoof

“BYOD = Bring Your Own Demise?”

June 22, 2013

What a great quote by David Weinstein…

The BYOD fever is well embedded in Financial Services management thinking.  In some circles, “BYOD” is a reason to like virtually anything.  It is difficult to help some leaders learn what they need to learn to make informed-enough decisions about integrating unmanaged, often anonymous endpoints into heavily-regulated, capital-concentrated financial services operations.

Some mobile device users need to see and hear examples in “real life” demonstrations in order for it to make sense to them.

Others are just not motivated to invest additional effort in attempting to understand the rapidly-evolving risks associated with using their mobile device in a Financial Services business context.

Some are interested in cybercrime and how it might influence their personal or professional life, and may just need better access to useful inputs from the hype-rich fog of inputs on this topic.

And then there are those of you who hunt for this stuff…

Regardless of where you are on this continuum, there is a new video for you.

In “Corporate Espionage via Mobile Compromise,” viaForensics put together an excellent demonstration of how a “legitimate” application on a mobile phone can become a conduit for malware at a later date.

Their RSS reader really works.

It also includes, though, remote control functionality that enables:

  • Accessing device data:
    • Serial number, etc.
    • Local wireless access points
    • Local Bluetooth devices
  • Sending local device commands
  • File listing for the memory card in the phone
    • Retrieving whichever files a hostile party wants
  • Listing all contact information, including photos
    • Sending SMS messages to any of them
    • e.g., asking the boss or an admin for a password
  • Sending any SMS via the remotely-exploited phone
  • SMS monitoring (capturing replies or strong-auth tokens)
  • Reading SMS messages
  • Sending URLs
  • Accessing the call log
    • Full-featured filtering
  • Mapping the target’s location using their GPS
  • Audio surveillance
    • A phone in a pocket or on a belt becomes a remote listening device
  • Photo surveillance
  • When the user plugs the phone into a laptop or desktop:
    • The attacker can use the phone as a USB keyboard
    • Mouse control as well
    • It can then execute malware staged on the phone’s storage
    • Or fetch it from a remote site

Using this type of malware the attacker bypasses all perimeter defenses and can run any command or application at the permission level of the logged on user.

The demonstration is simple, without hype, and full of good visuals.

In a longer and more detailed video, David Weinstein puts this attack in the context of the mobile kill chain.

He describes the situation that, he argues in passing, results in BYOD equaling “Bring Your Own Demise,” and backs it up with a demonstration of the mobile compromise from the perspective of a hostile developer.

From the perspective of a security professional, this is the type of presentation that anyone would like to be associated with.  It is top tier con-talk quality, and presented with an almost casual ease that suggests Mr. Weinstein really understands his topic.

But given the topic and the details of the demonstration, and the logic it leads to, by the end of this demonstration, one begins to wilt…

To help counter some of these threats, Mr. Weinstein offers the following risk mitigation recommendations:

  • Enforce constant VPN for corporate devices — which translates into denying split-tunnel to your user base.
  • Limit third party apps and proactively analyze them — which requires device inventory to one extent or another
  • Consider the whole ecosystem of devices rather than any individual device attack
  • Use and properly configure DLP software on all business endpoints
  • Invest in regular and effective user training and awareness

Part of me wants to push for more, but these presentations stand on their own.

These are extremely well done demonstrations.

With professional production and a 9-minute run-time, the first is suitable for corporate risk awareness channels or for management meetings where you are attempting to educate leaders to make better-informed risk decisions.

The second, a 45-minute video from TROOPERScon 13 earlier this year, is perfect for security professionals who need to understand the threat landscape in greater detail.

Don’t miss these resources.

REFERENCES:
“Corporate Espionage via Mobile Compromise – viaForensics.” June 18, 2013.
http://vimeo.com/68588556

“Corporate Espionage via Mobile Compromise: A Technical Deep Dive.” By David Weinstein, May 7, 2013. TROOPERS13 (TROOPERScon).
http://www.youtube.com/watch?v=hkgX6pmf6ic
Slides for this video (12.6 MB): https://www.troopers.de/wp-content/uploads/2012/12/TROOPERS13-Corporate_Espionage_via_Mobile_Compromise_A_Technical_Deep_Dive-David_Weinstein.pdf

AndroRAT project (Remote Administration Tool for Android devices). https://github.com/wcb972/androrat