
Cyber Defense Initiative 2012

Washington, DC | Fri, Dec 7 - Sun, Dec 16, 2012

SEC575: Mobile Device Security and Ethical Hacking

SEC575 is up-to-date and covers a broad range of areas.

Bogdan Costache, KPMG LLP

In the fast-paced world of Bring Your Own Device (BYOD) and mobile device management, SEC575 is a must-have course for InfoSec managers.

Jude Meche, DSCC

Mobile phones and tablets have become essential to enterprise and government networks, from small organizations to Fortune 500 companies and large-scale agencies. Often, mobile phone deployments grow organically, adopted by multitudes of end-users for convenient email access as well as managers and executives who need access to sensitive organizational resources from their favored personal mobile devices. In other cases, mobile phones and tablets have become critical systems for a wide variety of production applications from ERP to project management. With increased reliance on these devices, organizations are quickly recognizing that mobile phones and tablets need greater security implementations than a simple screen protector and clever password.

The security risks of mobile phone and tablet device use in the workplace

Whether the device is an Apple iPhone or iPad, a Windows Phone, an Android or BlackBerry phone or tablet, the ubiquitous mobile device has become a hugely attractive and vulnerable target for nefarious attackers. The use of mobile devices introduces a vast array of new risks to organizations, including:

  • distributed sensitive data storage and access mechanisms
  • lack of consistent patch management and firmware updates
  • the high probability of device loss or theft, and more.

Mobile code and apps are also introducing new avenues for malware and data leakage, exposing critical enterprise secrets, intellectual property, and personally identifiable information assets to attackers. To further complicate matters, today there simply are not enough people with the security skills needed to manage mobile phone and tablet deployments.

From mobile device security policy development, to design and deployment, and more

This course was designed to help organizations struggling with mobile device security by equipping personnel with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course will help you build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in your organization.

You will gain hands-on experience in designing a secure mobile phone network for local and remote users and learn how to make critical decisions to support devices effectively and securely. You will also be able to analyze and evaluate mobile software threats, and learn how attackers exploit mobile phone weaknesses so you can test the security of your own deployment. With these skills, you will be a valued mobile device security analyst, fully able to guide your organization through the challenges of securely deploying mobile devices.


  • Evaluating Mobile Device Management (MDM) systems for your organization
  • Mobile device encryption systems: Benefits and weaknesses
  • Secure remote access solutions: Architecture and operations for mobile environments
  • Getting to the heart of the system: Unlocking, rooting, and jailbreaking mobile phones and tablets to conduct in-depth analysis of software running on the devices
  • Analyzing systems for information leakage: Extracting sensitive data from Apple iOS and Android file systems
  • App analysis: Identifying data leakage exposure and other vulnerabilities in mobile apps
  • Mobile device malware: Reverse engineering mobile code and applications to identify malware and potential vulnerabilities
  • Surveying your attack surface: Fingerprinting mobile devices inside your organization
  • Applying powerful attack techniques that are shockingly effective: Impersonating secure WiFi networks for credential harvesting in mobile penetration tests, audits, and vulnerability assessments
  • Credential harvesting: Stealing usernames and passwords from BlackBerry phones
  • Analyzing and attacking popular mobile device protocols: Weaknesses in FaceTime and other mobile phone apps and protocols


Course Syllabus


Peter Szczepankiewicz
Sun Dec 9th, 2012
9:00 AM - 5:00 PM

Overview

In order to have a secure mobile device deployment, you need to establish mobile phone and tablet policies that define the acceptable use of the technology and recognize the limitations and threats of mobile phones, tablets, and their associated infrastructure systems.

The first part of the course looks at the significant threats affecting mobile phone deployment and how organizations are being attacked through these systems. As a critical component of a secure deployment, we guide you through the process of defining mobile phone and tablet policies with sample policy language and recommendations for various vertical industries, taking into consideration the legal obligations of enterprise organizations.

We'll also look at the architecture and technology behind mobile device infrastructure systems for Apple, Android, BlackBerry, and Windows devices, as well as the platform-specific security controls available including device encryption, remote data wipe, application sandboxing, and more.

CPE/CMU Credits: 6

Topics

Mobile phone and tablet problems and opportunities

  • Challenges and opportunities for secure mobile phone deployments
  • Weaknesses in mobile devices
  • Exploit tools and attacks against mobile phones and tablets

Mobile devices and infrastructure

  • Apple iOS security features and weaknesses
  • Android Marketplace and third-party application stores
  • BlackBerry network and platform architecture
  • Windows Phone architecture and development platforms
  • Managing iOS devices with Microsoft Exchange

Mobile phone and tablet security models

  • Privilege and access models on multiple platforms
  • Device encryption support and threats
  • Emerging changes in platform security from Android

Legal aspects of mobile

  • Privacy concerns and threats
  • Mobile phones and data leak reporting considerations
  • Existing and proposed legislation affecting mobile devices

Mobile device policy considerations and development

  • Steps and recommendations for establishing policies
  • Mobile devices and local, cloud, and offline data storage
  • Device theft/loss and company culture for reporting effectiveness

Peter Szczepankiewicz
Mon Dec 10th, 2012
9:00 AM - 5:00 PM

Overview

With an understanding of the threats, architectural components, and desired security methods, we can design and implement mobile device and infrastructure systems to defend against threats.

In this part of the course, we examine the design and deployment of network and system infrastructure to support a mobile phone deployment including the selection and deployment of mobile device management systems that meet the organization's requirements for administration and security.

CPE/CMU Credits: 6

Topics

Wireless network infrastructure

  • Designing a wireless LAN system for mobile phones
  • Decision: network isolation or integration for mobile phones
  • Threats associated with guest/open networks

Remote access systems

  • VPN deployment and remote data access
  • Supported VPN technologies on mobile phone platforms
  • Design and deployment considerations

Certificate deployment systems

  • Private certificate authority deployment
  • Certificate enrollment models
  • Managing certificates with OpenSSL

Mobile Device Management (MDM) system architecture

  • Vendor options for MDM solutions
  • Limitations of remote device management by mobile phone platform
  • MDM network protocols and architectures

Mobile Device Management (MDM) selection

  • Critical MDM feature evaluation
  • Deployment model considerations for enterprise networks
  • Picking an MDM solution that fits your needs

Peter Szczepankiewicz
Tue Dec 11th, 2012
9:00 AM - 5:00 PM

Overview

One of the critical decisions you will need to make in supporting a mobile device deployment is to approve or disapprove of unique application requests from end-users and business units in a corporate device deployment.

Evaluate applications and the threats they represent to your mobile devices

With the solid analysis skills taught in this section of the course, we can evaluate apps to determine the type of access and information disclosure threats that they represent. Security professionals can use these skills not only to determine which outside applications the organization should allow, but also to evaluate the security of any apps developed by the organization itself for its employees or customers. In this process, we'll use jailbreaking and other techniques to evaluate the data stored on mobile phones.

CPE/CMU Credits: 6

Topics

Unlocking, rooting, and jailbreaking mobile devices

  • Goals of unlocking
  • Jailbreaking iOS
  • Rooting Android
  • Dealing with BlackBerry platform restrictions
  • Unlocking Windows Phone

Mobile phone data storage and filesystem architecture

  • Data stored on mobile devices
  • Mobile device filesystem structure
  • Data storage mechanisms
  • Backup data analysis

Filesystem application modeling

  • Application modeling goals
  • Using the Sleuth Kit for file system runtime analysis
  • Analyzing filesystem changes

Network activity monitoring

  • Mobile application network capture and data extraction
  • Transparent network proxying
  • Encrypted data capture manipulation

Mobile code and application analysis

  • Reverse engineering iOS binaries in Objective-C
  • Reverse engineering Android binaries in Java
  • Reverse engineering Android malware

Approving or disapproving applications in your organization

  • Policies regarding data access
  • Risk evaluation
  • Ongoing monitoring analysis requirements
  • Mobile Device Management (MDM) and application blacklisting


Peter Szczepankiewicz
Wed Dec 12th, 2012
9:00 AM - 5:00 PM

Overview

An essential component of developing a secure mobile phone deployment is to perform an effective ethical hacking assessment and penetration test.

Ethical hacking and pen testing your mobile networks

Through ethical hacking and penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that could allow unauthorized access to data or supporting networks. By identifying and understanding the implications of these flaws, we can evaluate the mobile phone deployment risk to the organization with practical, useful risk metrics.

CPE/CMU Credits: 6

Topics

Fingerprinting mobile devices

  • Passive analysis
  • Active scanning
  • Application inspection

WiFi attacks

  • Wireless network scanning and assessment
  • Exploiting weak wireless infrastructure
  • Monitoring mobile device network scanning
  • Exploiting "attwifi" and iPad or iPhone captive portal detection
  • Secure network impersonation

Bluetooth attacks

  • Exploit opportunities against Bluetooth
  • Identifying Bluetooth devices
  • Enumerating Bluetooth services
  • Attacking services

Network exploits

  • Exploiting mobile device data networks
  • Traffic interception and real-time manipulation
  • Exploiting SSL and mobile web frameworks
  • Sidejacking mobile devices
  • Mobile Device Management (MDM) hijacking

Peter Szczepankiewicz
Thu Dec 13th, 2012
9:00 AM - 5:00 PM

Overview

Comprehensive mobile device ethical hacking continues beyond wireless network and Mobile Device Management (MDM) attacks by taking into account the device, app, web framework, and cloud attack vectors that are increasing in popularity among attackers.

Ethical hacking the devices and applications

Continuing our look at ethical hacking and penetration testing, we turn our focus to exploiting weaknesses on individual mobile devices including iPhones, iPads, Android phones, Windows Phones and BlackBerry phones and tablets. We'll also examine platform-specific application weaknesses and look at the growing use of web framework attacks.

CPE/CMU Credits: 6

Topics

Mobile device exploits

  • Safari and WebKit exploits
  • Exploiting PDF rendering flaws
  • Mobile device Near Field Communications (NFC) attacks

Web framework attacks

  • Site impersonation attacks
  • Application Cross-Site Scripting (XSS) exploits
  • Remote browser manipulation and control
  • Exploiting weak cryptography in web applications
  • Data leakage detection and analysis

Application attacks

  • Attacking FaceTime weaknesses, and using lessons learned to analyze other apps and protocols
  • GPS Location analysis disclosure attacks
  • Google+ manipulation attacks

Cloud/remote data accessibility attacks

  • Accessing iCloud data resources
  • Third-party cloud storage vulnerabilities


Peter Szczepankiewicz
Fri Dec 14th, 2012
9:00 AM - 5:00 PM

Overview

On the last day of class, we apply the skills, concepts, and technology covered in the course for a comprehensive Capture the Flag (CtF) event. In this day-long, in-depth final hands-on CtF exercise, you will:

  • Have the option to participate in multiple organizational roles related to mobile device security,
  • Design a secure infrastructure for the deployment of mobile phones,
  • Monitor network activity to identify attacks against mobile devices,
  • Extract sensitive data from a compromised iPad, and
  • Attack a variety of mobile phones and related network infrastructure components.

In the CtF exercise, you will use the skills built throughout the course to evaluate real-world systems and defend against attackers, simulating the realistic environment you'll face when you get back to the office. You will leave the course armed with the knowledge and skills you'll need to securely integrate and deploy mobile devices in your organization.

CPE/CMU Credits: 6

Additional Information

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.

Windows

Students must bring a Windows 7, Windows Vista, or Windows XP laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation; however, this will result in reduced performance when running device emulators within the virtualized Windows host. If you are a Windows XP user, make sure you also have the .NET 3.5 framework installed, which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=21 .

Administrative Windows Access

For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.

VMware

Students will use a virtualized MobiSec Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may introduce delays in exercise preparation, preventing the timely completion of lab exercises. VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:

  • Minimum 2 GB RAM, 4 GB recommended
  • Ethernet (RJ45) network interface; students will not be able to complete lab exercises with systems that only have a wireless card, such as the MacBook Air
  • 1.5 GHz processor minimum
  • 30 GB free hard disk space
  • DVD drive (not a CD drive)
  • Minimum screen resolution 1024x768; a larger screen resolution will reduce scrolling in several applications and provide a more pleasant end-user experience

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security personnel whose job involves assessing, deploying, or securing mobile phones and tablets
  • Network and system administrators supporting mobile phones and tablets
  • Penetration testers
  • Ethical hackers
  • Auditors who need to build deeper technical skills

Author Statement

I'm not sure exactly when it started, but laptops and PCs are quickly becoming legacy computing devices, replaced with mobile phones and tablets at an ever increasing rate. Just when I thought we were getting a much better handle on the security of Windows, Mac, and other Unix systems, there is an explosion of new devices joining our networks. Mobile device adoption has been so rapid that we're suddenly back in the wild west. Many organizations just don't have the policies, procedures, technical infrastructure, and skilled personnel needed to deal with these new technologies and devices. The devices themselves simply do not have the same security controls that we rely on in modern, secure enterprise and government networks.

Even with their weaknesses, mobile phones are here to stay, and we are being called on to support them. Some organizations try to drag their feet on allowing mobile phones, but that ultimately contributes to the problem. If we don't address security, the threats continue to grow uncontrolled and unmonitored. Mobile tablets only exacerbate the problem.

To address these concerns, this course will give you the blueprint, technical frameworks, and hard-core analysis skills needed to address these challenges head-on so that your organization's personnel can use their mobile devices more securely. Using the skills shared in this course, you'll have the knowledge to securely deploy, manage, and monitor mobile phones and tablets inside your organization through effective policy and careful network deployment and monitoring. You'll also build essential skills in analyzing the risks of data leakage in mobile code and the applications your end-users want to run from app stores, and we'll show you how to ethically hack your networks to identify the real threat and exposure of mobile phone weaknesses.

I created this course to help people build their skills in all these areas, focusing on the topics and concepts that are most important and immediately useful. Every organization needs security professionals with the skills required to secure mobile phone and tablet environments. By taking this course, you'll become an even more valued part of your organization, you'll be prepared to lead your organization's efforts to securely embrace the new world of mobile devices... and we'll have lots of geeky fun in the process.

-- Joshua Wright