2012, advanced, byod, device, europe, firewall, infosec, ipad, iphone, management, mdm, mobile, nac, network, partners, pen, persistent, product, secret, security, server, sonicwall, tenable, test, threat, thycotic
This year I spent more time attending the talks, demonstrations, etc. and had the pleasure of meeting Jack Daniel of Tenable Security, which was definitely one of the highlights of the event. I also picked up a ton of literature on the latest firewall technologies, ‘Unified Threat Management’ and Intrusion Detection Systems, all of which had advanced somewhat since Infosec 2011, and are relevant to my dissertation.
Managing Privileged Accounts
One of the first talks I came across was about the management of privileged accounts, which can be a tricky problem that’s rarely discussed. Every enterprise network needs a systems administrator, plus several other IT professionals with privileged access to the system, and it raises the question of how the activity’s audited, what happens if an admin leaves the organisation on bad terms, what happens if a privileged account is compromised without the admins being aware of it, and other things that could go wrong.
Thycotic’s Secret Server is a key management-type system, which stores all the passwords in one database, and provides an interface for monitoring, auditing and managing their use across a corporate network. The passwords themselves can be hidden from the users, so conceivably a personnel department could disable accounts without ever having access to the passwords.
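To make the model described above concrete, here is a toy privileged-account broker written for this post. It is not Secret Server or any vendor's code; the roles, the account name, the passwords and the TargetSystem class are all constructed for the example. What it shows is the three properties the talk was about: the password is stored centrally and never returned to the person using it, every use (and every refused attempt) lands in an audit trail, and a role with no right to read secrets can still switch an account off.

```python
"""Toy privileged-account broker (added example; not Thycotic's product)."""
from datetime import datetime, timezone


class AccessDenied(Exception):
    pass


class TargetSystem:
    """Stands in for a server the privileged accounts log in to (constructed)."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)  # account -> password

    def login(self, account, password):
        return self._accounts.get(account) == password


class SecretBroker:
    # Constructed role -> permission mapping. Note that no role holds "reveal".
    ROLE_PERMS = {"admin": {"use"}, "hr": {"disable"}, "auditor": {"read_log"}}

    def __init__(self):
        self._secrets = {}  # account -> password; a real vault encrypts at rest
        self._enabled = {}  # account -> bool
        self._roles = {}    # user -> role
        self._log = []      # append-only audit trail

    def add_user(self, user, role):
        self._roles[user] = role

    def store(self, account, password):
        self._secrets[account] = password
        self._enabled[account] = True

    def _record(self, user, action, account, outcome):
        self._log.append({"time": datetime.now(timezone.utc).isoformat(),
                          "user": user, "action": action,
                          "account": account, "outcome": outcome})

    def _check(self, user, perm):
        role = self._roles.get(user)
        if perm not in self.ROLE_PERMS.get(role, set()):
            self._record(user, perm, None, "denied")   # refusals are logged too
            raise AccessDenied(f"{user!r} ({role}) may not {perm}")

    def use(self, user, account, target):
        """Log in to `target` as `account` on the user's behalf. The password
        never leaves the broker; the caller only learns whether it worked."""
        self._check(user, "use")
        if not self._enabled.get(account, False):
            self._record(user, "use", account, "disabled")
            raise AccessDenied(f"account {account!r} is disabled")
        ok = target.login(account, self._secrets[account])
        self._record(user, "use", account, "ok" if ok else "login-failed")
        return ok

    def disable(self, user, account):
        """HR can switch an account off without ever seeing its password."""
        self._check(user, "disable")
        self._enabled[account] = False
        self._record(user, "disable", account, "ok")

    def read_log(self, user):
        self._check(user, "read_log")
        return list(self._log)


def demo():
    target = TargetSystem({"root@db01": "constructed-password-1"})
    broker = SecretBroker()
    broker.store("root@db01", "constructed-password-1")
    for user, role in [("alice", "admin"), ("hannah", "hr"), ("oscar", "auditor")]:
        broker.add_user(user, role)

    results = {"admin_use": broker.use("alice", "root@db01", target)}
    try:                                   # HR has no "use" right: refused and logged
        broker.use("hannah", "root@db01", target)
        results["hr_use"] = "allowed"
    except AccessDenied:
        results["hr_use"] = "denied"

    broker.disable("hannah", "root@db01")  # admin leaves on bad terms
    try:
        broker.use("alice", "root@db01", target)
        results["use_after_disable"] = "allowed"
    except AccessDenied:
        results["use_after_disable"] = "denied"

    # Only the auditor may read the trail, which shows every attempt.
    results["log_actions"] = [(e["user"], e["action"], e["outcome"])
                              for e in broker.read_log("oscar")]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of routing the login through the broker rather than handing out the password is that revoking the person (disabling the account or rotating the secret) is then a one-place change, and the audit trail is written by the broker rather than by the people being audited.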
The Bring Your Own Device thing is a bad idea, for reasons I’ve covered here before. Basically it means reducing costs and improving ‘productivity’ by sticking a load of untrusted and potentially malware-infested devices on the corporate network, which vastly increases the ‘attack surface’. But it seems businesses in general are going with it, and several vendors at Infosec Europe are already marketing solutions for the BYOD environment.
Network Access Control (NAC) has been suggested by Tom Murphy of Bradford Networks, where the system assigns a different access policy to each type of device. For example, a mobile device is given guest access, a trusted device has full access, and another type of device has limited access. However, this means an additional authentication system is required, and the authentication method had better be good. The other flaw is that only the devices are authenticated, not the users themselves.
A new infosec buzzword we’ll see over the next 12 months is ‘Mobile Device Management’ (MDM), which involves things like enforcing software updates, encryption, configuration policies, permitted software, remote wiping, etc. The economy being what it is, employees aren’t realistically going to fork out £400+ on a personal device, hand it over to the company, and have restrictions placed on it. There would also be privacy issues.
SonicWALL has an alternative, where connections to the company’s virtual desktop server are mediated by a client application. The rest of the mobile device’s OS is untouched, and any malware that does reach the company’s network gets quarantined by SonicWALL’s system.
Again, I remain unconvinced by the arguments for BYOD. SonicWALL solves many of the problems, but the system’s malware detection must be flawless. It also wouldn’t prevent insider threats, if there’s a real determination to exfiltrate data.
How to Break Into Bank Accounts
With a couple of iPads, some forensics software, VMs and fake accounts they set up, Pen Test Partners demonstrated how to break into a corporate bank account and steal £900,000. What I liked about this demonstration was that the risks of BYOD and social networking were exposed, and there are other lessons to be gained here applicable to numerous variations of this attack.
In order to be successful, the right people must be targeted. In this case, they’ll be executives working for a reasonably large local firm, and the place to find them is LinkedIn, where most users reveal their appearance, who they work for, the positions they hold, and their network of colleagues. For this particular example, the attacker needs to identify an executive and the finance manager, and determine the corporate email addresses. Status updates will reveal whether the executive’s using an iPad/iPhone.
The next stage is to get hold of the executive’s Apple device by swapping it with a duplicate. Others who watched the demonstration might have been a little skeptical at this point, so I’ll explain how easy this is. Firstly, the attacker doesn’t need a genuine Apple device – a dummy that weighs, looks and feels identical to the real thing can be obtained from a pound shop.
Secondly, a large office, say a call centre, is the perfect environment to make the switch. It has a high turnover of staff, people come and go, everyone dresses practically the same, they’re unlikely to challenge anyone scouting the area, and iPhones are very common among office workers. The switch can be made without anyone noticing, or the malware could simply be emailed from an unattended desktop.
After the iPad is acquired, its password is cracked using commercial forensics software, and the device is rooted. This took less than a minute during the demonstration, and in real life the attacker would have a window of several hours.
Using the stolen iPad, the Man in the Browser malware, perhaps embedded in a document, is emailed to the finance manager, who sees that the email was sent from the executive’s personal device through the corporate email system. The attachment is opened, the executable is run, and the Man in the Browser extension is installed in the browser.
The browser extension waits until a connection is established with the HMRC site, through which the finance manager pays the firm’s taxes. Once the form’s completed and the submit button’s clicked, the Man in the Browser extension intercepts the data before it leaves the browser, changes the relevant field values so the payment’s diverted to the attacker’s account, and the transaction is completed. The browser extension will also intercept the reply from HMRC’s site, and strip out any error message, so the finance manager believes the payment was made successfully.
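The reason this works is that everything the finance manager sees, the form and the reply, passes through the compromised browser, so nothing shown on that screen can be trusted. The simulation below, written for this post and not taken from the Pen Test Partners demo, models that with two constructed scenarios: a server that trusts the submitted form, and one that asks the user to confirm the payee over a channel the browser never touches (an SMS or banking app message). The form fields, sort codes, account numbers and the tamper/scrub functions are all constructed stand-ins; the £900,000 figure is the one from the demonstration.

```python
"""Added example: Man-in-the-Browser field tampering vs. out-of-band payee confirmation."""

# What the finance manager typed into the (constructed) tax-payment form.
INTENDED = {"payee_name": "HMRC", "sort_code": "11-11-11",
            "account_number": "11111111", "amount_gbp": "900000.00"}

# The attacker's destination account (constructed).
ATTACKER = {"sort_code": "99-99-99", "account_number": "00000001"}


def mitb_tamper(form):
    """Simulates the extension rewriting the form after the user clicks submit.
    Payee name and amount stay as typed, so nothing on screen looks wrong."""
    tampered = dict(form)
    tampered.update(ATTACKER)
    return tampered


def mitb_scrub_reply(server_reply):
    """Simulates the extension replacing whatever the server said with success."""
    return {"status": "success", "message": "Payment accepted"}


class Bank:
    """Server side: keeps the real ledger and can ask for out-of-band confirmation."""

    def __init__(self):
        self.ledger = []

    def receive(self, submitted):
        # The server only ever sees what the browser sent, i.e. the tampered
        # form, so it cannot tell good from bad here. It can, however, read the
        # payee details back to the user over a channel the browser does not own.
        return {"pending": submitted,
                "oob_message": (f"Confirm payment of £{submitted['amount_gbp']} to "
                                f"{submitted['sort_code']} {submitted['account_number']}")}

    def confirm(self, pending, user_approves):
        if user_approves:
            self.ledger.append(pending)
            return {"status": "success", "message": "Payment accepted"}
        return {"status": "rejected", "message": "Payee mismatch reported by user"}


def user_checks_oob(oob_message, intended):
    """The finance manager compares the SMS/app text with the payee they meant."""
    return (intended["sort_code"] in oob_message
            and intended["account_number"] in oob_message)


def run(with_oob_confirmation):
    bank = Bank()
    submitted = mitb_tamper(INTENDED)        # already altered when it leaves the browser
    response = bank.receive(submitted)
    if with_oob_confirmation:
        approve = user_checks_oob(response["oob_message"], INTENDED)
    else:
        approve = True                       # no second channel: server trusts the form
    reply = bank.confirm(response["pending"], approve)
    browser_shows = mitb_scrub_reply(reply)  # the manager's screen always says success
    return {
        "browser_shows": browser_shows["status"],
        "server_status": reply["status"],
        "ledger_accounts": [p["account_number"] for p in bank.ledger],
        "diverted": any(p["account_number"] == ATTACKER["account_number"]
                        for p in bank.ledger),
    }


if __name__ == "__main__":
    print("without confirmation:", run(False))
    print("with confirmation:   ", run(True))
```

In both runs the browser reports success, which is the lesson of the demo: the detection has to come from the server's own record (the out-of-band message, the bank statement, the HMRC account) and not from anything rendered by the browser that submitted the payment.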
In all, it’s definitely worth attending Infosec Europe, especially to maintain awareness of what stuff the industry’s focussing on, and what solutions are available. For those trying to market something or get their name out there, this is definitely the place for that.