Mobile Security
1. Mobile Security
“Bring war material with you from home but forage on the enemy” - Sun Tzu
Xavier Mertens
Beltug SIG Security - Jan 2013
2. Disclaimer
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
3. Agenda
• Introduction: Top-10 mobile risks
• Company owned devices
• Employee owned device (BYOD)
• Risks inherent in mobile devices
• Mobile applications development
4. Top-10 Mobile Risks
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Secure decision via untrusted input
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure
(Source: OWASP)
5. Top-10 Mobile Risks
Mobile devices are Computers!
(Same list as slide 4; source: OWASP)
7. Easy? Really?
• Limited set of manufacturers/OS
• Full control of hell?
• People try to escape from jail (jailbreaking), just like with laptops
• Need procedures (backups, helpdesk)
8. Corporate Policy
• Must be communicated & approved before the device provisioning
• Communication channels: addendum to a contract, Intranet, a “check box”?
• Restrictions (SD cards, Bluetooth, camera)
• What about private data? (pictures, MP3, downloaded (paid!) apps?)
9. Examples
• Document already available on beltug.be (Members section)
• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
10. Data Classification
• Another approach is implementing data classification
• Implementation of the “least privileges” principle
• Access to data is based on profiles
• Works with any device! (benefit broader than the scope of mobile devices)
11. Data Classification
Data Classification    Company Owned Devices    Personal Devices
Top-Secret             No                       No
Highly Confidential    No                       No
Proprietary            Yes                      No
Internal Use Only      Yes                      Yes
Public                 Yes                      Yes
13. Why do people BYOD?
• Devices became cheaper and more powerful
• The “Generation Y”
• Always online, everywhere!
14. First Question?
• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
  • Data loss
  • Network intrusion
  • Data ex-filtration
15. “MDM”?
• Do you need an MDM solution? (Mobile Device Management)
• Can you trust $VENDORS?
• Microsoft Exchange includes ActiveSync for free
• Most security $VENDORS propose (basic) tools to handle mobile devices
18. Personal Hotspots
• Tethering allows mobile devices to be used as hotspots
• Corporate devices (laptops) could bypass Internet access controls
• Risk of rogue routers (if IP forwarding is enabled)
19. Rogue App Stores
• Mobile devices without apps are less useful
• Owners tend to install any app
• Some apps may request far more rights than they need
• People trust app stores and developers
• Developers must write good code
25. OWASP Mobile Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
26. Lack of/Bad Encryption
• Developers re-invent the wheel: do not write a new encryption algorithm
• Encrypt everything (data at rest, data in motion)
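As an added example (not from the original slides), the following Go program shows what “do not write a new encryption algorithm” looks like in practice: data at rest is protected with AES-256-GCM from the standard library, which both encrypts and authenticates, so a single flipped bit in the stored record is rejected instead of silently decrypting to garbage. The key handling (a random key generated in main) and the sample record are constructed for the example; in a real app the key would come from the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts and authenticates plaintext with AES-GCM from the standard
// library. A random 12-byte nonce is prepended to the output so the stored
// record is self-contained (e.g. one row in an app's local database).
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice: nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the authentication tag and decrypts. Any change to the
// nonce, ciphertext or tag makes it fail, a property a home-made cipher
// typically does not provide.
func Open(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// RoundTrip seals and opens a record, then confirms that a tampered copy
// (one bit flipped in the tag) is rejected. It returns both observations.
func RoundTrip(key, plaintext []byte) (decryptedOK bool, tamperRejected bool, err error) {
	rec, err := Seal(key, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, rec)
	if err != nil {
		return false, false, err
	}
	decryptedOK = string(got) == string(plaintext)
	tampered := append([]byte(nil), rec...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, tampered)
	tamperRejected = err != nil
	return decryptedOK, tamperRejected, nil
}

func main() {
	// Constructed sample key for the example only; a real app loads it from
	// the platform keystore, never from a literal in the source.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ok, rejected, err := RoundTrip(key, []byte("account=12345;balance=42"))
	fmt.Println(ok, rejected, err) // true true <nil>
}
```

The same Seal/Open pair covers data in motion when the record is sent over a channel that is already TLS-protected and the receiver holds the key; what changes is only where the key lives.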
27. Local VS. Remote Storage
          Pros                 Cons
Local     No network costs     Risk of loss
          Speed                Outdated
Central   Always updated       Data network ($)
          No risk of loss      Speed
28. Geolocalization
• Again! But this time for good purposes
• Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization
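The rule on this slide, as an added Go example that is not part of the original deck: a sensitive action (opening the wallet) is authorized only when the password was re-entered recently AND a fresh GPS fix places the device inside the allowed region. The Europe bounding box, the list of sensitive actions and the time limits are constructed assumptions for the example. Two details matter for the defender: a missing or stale fix fails closed for sensitive actions, and location is only an additional factor on top of the password, since a fix reported by the device can be wrong or faked.

```go
package main

import (
	"fmt"
	"time"
)

// Fix is one GPS reading: position in degrees and how old the reading is.
type Fix struct {
	Lat, Lon float64
	Age      time.Duration
}

// Region is an axis-aligned latitude/longitude box. The Europe box below is
// a rough constructed approximation for this example, not an authoritative
// boundary.
type Region struct {
	Name                           string
	MinLat, MaxLat, MinLon, MaxLon float64
}

var Europe = Region{Name: "Europe", MinLat: 35, MaxLat: 72, MinLon: -25, MaxLon: 45}

// Contains reports whether the fix lies inside the box.
func (r Region) Contains(f Fix) bool {
	return f.Lat >= r.MinLat && f.Lat <= r.MaxLat && f.Lon >= r.MinLon && f.Lon <= r.MaxLon
}

// Request carries what the decision needs: the action, the time since the
// password was last verified, and an optional fix (nil when the device has
// no GPS fix, which is handled explicitly rather than ignored).
type Request struct {
	Action      string
	PasswordAge time.Duration
	Location    *Fix
}

// sensitive lists the actions that require both factors (constructed).
var sensitive = map[string]bool{"open_wallet": true, "transfer": true}

// Authorize returns the decision and a short reason. Sensitive actions need
// a fresh password AND a recent fix inside the allowed region; anything else
// is allowed on the password alone.
func Authorize(req Request, allowed Region, maxPasswordAge, maxFixAge time.Duration) (bool, string) {
	if !sensitive[req.Action] {
		return true, "non-sensitive action"
	}
	if req.PasswordAge > maxPasswordAge {
		return false, "password re-entry required"
	}
	if req.Location == nil {
		return false, "no GPS fix: sensitive action denied (fail closed)"
	}
	if req.Location.Age > maxFixAge {
		return false, "GPS fix too old"
	}
	if !allowed.Contains(*req.Location) {
		return false, fmt.Sprintf("device outside %s", allowed.Name)
	}
	return true, "ok"
}

func main() {
	// Constructed sample fixes: Brussels (inside the box) and New York (outside).
	brussels := &Fix{Lat: 50.85, Lon: 4.35, Age: time.Minute}
	newYork := &Fix{Lat: 40.71, Lon: -74.0, Age: time.Minute}
	for _, r := range []Request{
		{Action: "open_wallet", PasswordAge: time.Minute, Location: brussels},
		{Action: "open_wallet", PasswordAge: time.Minute, Location: newYork},
		{Action: "open_wallet", PasswordAge: time.Minute, Location: nil},
		{Action: "read_balance", PasswordAge: time.Hour, Location: nil},
	} {
		ok, why := Authorize(r, Europe, 5*time.Minute, 10*time.Minute)
		fmt.Printf("%-13s allowed=%-5v %s\n", r.Action, ok, why)
	}
}
```

The thresholds (5 minutes for the password, 10 minutes for the fix) are policy knobs; the point is that the location check never replaces the password check, it only narrows when the password is sufficient.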
29. Enterprise Appstores
• Goal: distribute, secure and manage mobile apps through your own company-branded appstore.
• Applications available in the appstore have been approved by a strong validation process.