Mobile Application Security – Insights from a Penetration Tester

Overview:
Having been early adopters of latest-generation mobile technology in the security sphere, Securus Global has extensive experience in iPhone and Android platform security testing.

We’ve worked with many prominent Australian and international clients in helping them not only discover security issues in their critical mobile applications, but also actively helped them fix security issues and assisted them in secure development standards and approaches.

If you have deployed, are developing, or are looking at mobile applications for your enterprise and/or your clients, these sessions will provide you with valuable insight from our perspective and experience. We’ll take you through case studies of what has gone wrong and what can go wrong, current threats facing enterprise mobile applications and data, and share a few areas of our own research that will assist you in making your systems as secure as possible.
http://securusglobal.com/services/assessment-and-assurance-services/product-assurance-testing/

The events will also provide you with networking opportunities to discuss and share information with other colleagues in the industry.

Sydney:

Tuesday, 2nd October 2012
4.00 – 5.00pm

Securus Global Office
Level 17
31 Market Street

Melbourne:

Tuesday, 9th October 2012
4.00 – 5.00pm

Securus Global Office
Level 8
50 Queen Street

Presenter:
Norman Yue, Senior Security Consultant, Securus Global

RSVP:
Places are limited to a maximum of 20 people. Please confirm your attendance with Jacqui Henderson (02) 9283-0255 or Email: jacqui.henderson@securusglobal.com

Cyber attacks can have devastating healthcare consequences

An increased uptake in wireless technology has left some medical facilities – and their patients – exposed to new security vulnerabilities.

A new US report prepared by the National Cybersecurity and Communications Integration Center reveals that wireless medical devices (MDs) – which are connected to information technology (IT) networks – are creating new opportunities in this field, but are not without their risks.

Healthcare and public health organisations have much to gain from emerging wireless technology that allows for remote access – benefiting from enhanced operations, improved ease of use and rapid computing speed.

However, the report asserted, “the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern”.

Vulnerabilities in such wireless systems could have a number of dangerous consequences – ranging from vandalism, device reprogramming or even the loss or theft of sensitive medical information, which can compromise patients’ personal privacy and can result in identity theft.

Often, according to the report, these vulnerabilities can arise through poor security practices, misconfigured networks or errors made during the implementation or deployment of new technologies.

These can also occur through the increasing uptake of mobile devices and wireless networks.

Sometimes these technologies are so new that IT departments do not know how to adequately secure them or keep up with changing trends. Others fail to install the necessary updates to these systems, which can expose them to further risks later down the line.

Penetration testing is one strategy that can be used to identify these risks and can help businesses of all types – including healthcare organisations – stay on top of any potential operational weaknesses.

This type of testing can not only alert you to any potential security issues that could affect your business, but also the consequences – both operational and financial – of a malicious attack.

Viewing small gaps in a wider context

Ideally, modern organisations are supposed to operate as a well-oiled machine, with actions in one area serving to assist others in their duties.

This level of interdependence is what gives a business the efficiencies that make its service provision or production methods a valuable proposition – a focus on working to strengths and opportunities rather than reacting to market conditions.

However, this same cross-reliance of people and processes needs to be taken into context when undertaking penetration testing and information security reviews.

This is because it can be easy to dismiss a small gap in a firm's digital defences when the information most obviously at stake is not of great importance to the firm or its activities – the costs of protecting it can outweigh the immediate prospect of damage done by malicious external parties.

However, the access gained through one small, seemingly insignificant channel could be used later by the same individuals – or sold on to other participants – to explore for further vulnerabilities.

As security specialists will know, it is important to remember to think of the big picture when assessing the strengths and weaknesses of a firm's defences – because the small gaps that are ignored today could lead to greater problems later on down the track.

Security audit to find gaps in online defences

When it comes to online security for commercial concerns, most people tend to think of hackers sitting in darkened rooms, hammering away at a firm's firewalls or sending out virus-laden emails to break through online defences from the inside.

While these threats are common enough in the digital space, in no way should they be allowed to form the be-all and end-all of a firm's security protection measures.

This is because a dedicated attacker is more likely to utilise a range of angles in order to gain as much information as possible before they take decisive action.

These reconnaissance activities can include some truly innocuous approaches – phone calls asking for specific staff members, emails 'accidentally' addressed to the wrong employee and even direct social engineering attempts in face-to-face meetings.

In the busy work day these small details can easily get lost as employees focus on their tasks, otherwise unaware that they have given away a valuable piece of information to a malicious party.

To get a full-spectrum analysis of the weak points in a firm's security protocols, a security audit known as a "red cell" test can be undertaken that simulates a real-world approach to gaining access to privileged information – with the added bonus that the details will remain in confidence.


Cheques vs electronic payments PCI DSS compliance

Electronic payment processing technology still has some inherent weaknesses when it comes to customer data, according to the assistant governor (financial system) of the Reserve Bank of Australia.

In a speech given earlier this week (March 20), Malcolm Edey asserted that while recent technological developments – including online payment services and mobile phones – have made electronic payments quicker and more efficient to use, the humble cheque still sets a relatively high benchmark.

He told an audience at the Cards & Payments Australasia 2012 Conference in Sydney: "Cheques are always a good reminder of the things that are missing in our electronic payments."

As an example, he noted that when making a payment with a cheque, all the person making the payment needs to know is the recipient's name, while electronic payments tend to require a bit more information.

Until details like account and BSB numbers can be integrated seamlessly, there will always be opportunities for further progress in the payment sector.

Widespread adoption of payments made via smartphones has underscored the importance of data security compliance in this sector, according to the general manager of the Payment Card Industry Security Standards Council.

Speaking last month in a podcast interview with Information Security Media Group, Bob Russo noted that PCI DSS compliance will be essential when taking mobile phone payments – and he urged companies to take a forward-thinking approach to managing vulnerabilities.


Small Vulnerabilities, Big Business Risk – ZDNET Article

At our February Breakfast Brief in Sydney and Melbourne, two of our Penetration Testers and Researchers presented to a select crowd on the importance of not overlooking small vulnerabilities. When undertaking Vulnerability Assessments and Penetration Tests, these small, seemingly inconsequential vulnerabilities are often downgraded or accepted, and left to be exploited by hackers who are highly adept at finding, collecting and holding onto these vulnerabilities for future reference, to be used together to compromise an organisation.

Here is an excerpt from the ZDNet article on the presentation.

At Securus Global’s February security briefing, a pair of security researchers demonstrated how businesses accepting small security risks may be leaving the door open to hackers who have realised that chaining small vulnerabilities together represents an easy way to destroy companies.

The researchers stated that organisations tended to look at vulnerabilities separate from other vulnerabilities, when the real issue was how these could be used in conjunction with each other to become potentially more dangerous. They then went on to demonstrate how a number of organisations they had previously worked with had fallen into the trap of considering threats to their business in isolation.

To read more: http://www.zdnet.com.au/are-small-vulnerabilities-the-real-enemy-339332377.htm


Analysis of Instructure Security Testing – e-Literate

Securus Global was recently engaged by Instructure to test the Canvas LMS product for security vulnerabilities, and the results were surprising. Overall, 10 vulnerabilities were found in the risk assessment, of which one was marked as critical and another as high risk. By having an independent reviewer examine the Canvas product, they were able to find vulnerabilities that had previously gone undetected by Instructure’s internal developers. Furthermore, by having this testing done in a public manner, the Canvas LMS is now far more secure than it was previously.

Here is an excerpt from the article published in e-Literate:

When talking to Instructure staff, they appeared to be surprised by the existence of the critical item, given their history of internal security audits and automated testing. In other words, Securus Global found vulnerabilities that Instructure has been unable to find. As Josh Coates, CEO of Instructure, related to me, it is a classic engineering case that having another set of eyes look at your system will inevitably find issues that the developers may miss – if you are too close to the problem, you often can’t see the issue.

To read the full article visit: http://mfeldstein.com/analysis-of-instructure-security-testing/

Drazen Drazic on the Vulnerabilities of Video Conference Systems – Sydney Morning Herald

On 1st February 2012, Drazen Drazic commented on the vulnerabilities of video conference systems, which researchers have found can potentially leave companies open to cyber espionage.

Below is a brief excerpt from the article published in the Sydney Morning Herald:

A recent report in the New York Times highlighted the vulnerabilities of video conference systems when US firm Rapid7 searched for IP addresses and called them. In less than two hours, it discovered 5000 vulnerable conference rooms. The firm was able to gain control of a dozen cameras and see into boardrooms and beyond, but it stopped short of hacking into video and audio transmissions.

Drazic says “security issues in video-conferencing are nothing new. Indeed, Kiwicon, New Zealand’s hacker conference, talked about this issue in 2008. Anything connected to the internet, including video-conferencing systems, is potentially susceptible to these kinds of security issues.”

To read more: http://www.smh.com.au/it-pro/security-it/videoconferencings-spy-in-the-room-20120131-1qqg8.html#ixzz1lZsnYQXX

What is ethical hacking?

When it comes to online security, there can be a lot of confusion over how to best protect an organisation's digital assets.

A lot of this comes from misunderstandings over just how malicious parties are able to gain access to privileged information in the first place.

Adding to this mix is the range of different terms used by professionals that may seem unfamiliar to those not actively involved in securing online assets.

So it is little surprise that some prospects may be a little nervous over just how an ethical hacking project is supposed to operate.

Perhaps the greatest difference is that instead of applying a suite of diagnostic tools – an activity that can be done in-house – a team is actively deployed to examine the security measures in place, identify weaknesses and recommend courses of action to eliminate the threats those weaknesses pose.

No damage is done to the existing online infrastructure – rather the team takes on the role of a third party looking to gain access, then provides a detailed report on their findings along with a list of recommended actions.

In this way a firm can gain information on where their online assets are vulnerable in real terms and action targeted security upgrades before a dedicated attack has the chance to occur.


Vulnerability management for widespread smartphone take-up

Global smartphone use will continue to experience double-digit growth in the next five years, mobile analysts at IDC anticipate.

New market analysis from the research firm indicates that by the end of 2012, total smartphone shipments will be up 33.5 per cent compared with 2011 figures – with 659.8 million handsets shipped this year.

Greater smartphone take-up is likely to have implications for merchants who are considering mobile phone payment technology.

Payment Card Industry Security Standards Council general manager Bob Russo remarked earlier this year that security professionals will need to place more emphasis on mobile payments this year.

Merchants accepting smartphone payments need to keep their focus on security and vulnerability management as the trend continues to grow, he told Information Security Media Group.

IDC anticipates that from 2012 to 2016, smartphone growth will remain in the double digits, with an estimated annual increase of 18.6 per cent for each year of the forecast period.

According to Ramon Llamas, a senior research analyst with the Mobile Phone Technology and Trends team at IDC, take-up of smartphones will primarily be driven by greater selection, lower price points and continued demand from users.

"IDC believes Android will maintain its overall leadership position throughout the forecast period, but competition among BlackBerry, iOS, and Windows Phone will shift position each year," he said.