Bypassing the Android Permission Model, presented by Georgia Weidman, CEO of Bulb Security
I have a soft spot for Android OS exploitation discussions and tequila, so this was a sweet little piece of key lime pie from Duck Key, FL for me. Gladly it was after lunch. Georgia Weidman greeted her audience wearing an Amsterdam altered period suit and carrying a bottle of aged yet tender and delicious tequila, enough for sharing. Beyond putting her audience at ease with quite a casual introduction, she had some serious questions regarding Android OS security. Is the permissions model in Android working for both developers and end users, and are those end users making intelligent decisions? Ms. Weidman says yes, if you’re a malware developer, and that the average smartphone user is trying.
What developers declare as permissions required for installation can be vastly different from reality. Additionally, the permissions are too vague and far reaching for users to make a more informed, intelligent decision. She set the temperature of the presentation to low on end-user bashing and high on permissions that are unclear and entirely too encompassing for an acceptable security level on any operating system, especially one which can leak the owner’s personal information almost invisibly.
What permissions are really needed by the vast majority of Android applications? Not many. She gave the example of the Facebook application, which requires 11 permissions, including creepy ones like Your accounts, Discover known accounts. Conversely, Droid Dream, a known malicious application/root kit, required only four permissions, none so creepy sounding. Why would Facebook need or want to discover your non-Facebook accounts on the phone when the same is not required when you log into Facebook over the world wide web?
In the first demo, simplicity in pwnage was showcased. In less than 50 lines of code, and with limited permissions presented to the end user, the demo app could obtain the IMEI (a cell phone’s unique ID number), read contacts and send an SMS. Inside of a few minutes, exploitation and compromise were complete.
The second of the series of demos began a dive into malicious bot waters over SMS, the presenter’s specialty. “If you write malware for Linux, Android OS [malware development] is an easy transition.”
What mitigation strategies are required?
- No dangerous functionality directly available in public interfaces.
- Require user interaction for all activities such as sending and receiving SMS messages.
- Require the permissions tag in the XML manifest for the interface.
- End users must keep their operating system updated.
But that means smartphone owners also need the ability to keep the OS updated in an easy manner. Too often phone manufacturers or cell phone providers delay Android OS updates, if they provide them at all. If the OS update isn’t available, the vulnerability remains and your private information becomes just another commodity on the data leakage open marketplace.
Link to the presentation PDF: Link
Links to other presentations by Georgia Weidman and her blog: http://georgiaweidman.com/wordpress/
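A check for the manifest mitigations listed in the Android talk above, written as an added example (not code from the presentation). It flags activities, services and receivers that other apps can reach but that declare no `android:permission`; the manifest, package and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "service", "receiver")

# Constructed manifest; com.example.smsapp and its classes are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsapp">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".SmsSenderService">
      <intent-filter><action android:name="com.example.smsapp.SEND"/></intent-filter>
    </service>
    <service android:name=".GuardedSmsService"
             android:permission="android.permission.SEND_SMS">
      <intent-filter><action android:name="com.example.smsapp.SEND_GUARDED"/></intent-filter>
    </service>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.smsapp.INTERNAL"/></intent-filter>
    </receiver>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

def is_exported(elem):
    # An explicit android:exported wins. Without it, an intent-filter implied
    # export on Android releases before 12, so treat that case as exported.
    flag = elem.get(A + "exported")
    if flag is not None:
        return flag.strip().lower() == "true"
    return elem.find("intent-filter") is not None

def unguarded_components(manifest_xml):
    """Return (tag, name) for each exported component with no permission guard."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    # android:permission on <application> is the default for every component.
    app_perm = app.get(A + "permission") if app is not None else None
    findings = []
    for tag in COMPONENTS:
        for elem in root.iter(tag):
            guard = elem.get(A + "permission") or app_perm
            if is_exported(elem) and not guard:
                findings.append((tag, elem.get(A + "name")))
    return findings

if __name__ == "__main__":
    for tag, name in unguarded_components(SAMPLE_MANIFEST):
        print("exported %s %s declares no android:permission" % (tag, name))
```

A launcher activity is exported by design and will be reported too, so treat the output as a review list rather than a list of defects.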
Getting Ahead of the Security Poverty Line, presented by Andy Ellis, CSO of Akamai
Andy Ellis casually approached the stage in 5-toed running shoes, a mismatched blazer and trousers, and a generally open demeanor. He took a cool sip of soda before explaining to us the concepts of cost of security versus return, auditing versus assessors, and recognizing your present level of security versus the bare minimum of security required to provide a realistic level of risk. His densely rich presentation expounded upon his blog posting from 13/12/2012 entitled Security Subsistence Syndrome, involving a discussion by Wendy Nather of the 451 Group, “Living Below the Security Poverty Line”.
Normally the tech in me is slightly apprehensive before attending presentations by “C-level” executives at technical conferences. Fears of 55 minutes of mindless management mumbo jumbo were quickly replaced by a presentation topic which was extremely relevant. The challenge of balancing information security costs and resources in creative ways during an inhospitable financial climate is one most information security professionals face frequently. Mr. Ellis used a mixture of tech, humor and honest communication to help the audience grasp the topic.
The “casual chaotic actor” is getting better and more sophisticated with the availability of better tools, he stressed: “as Metasploit increases, everyone gets better.” The general tone was that security waits for no one. Besides, “Nobody will implement perfect security,” he stated, because businesses make financial gains through leveraging risks. Perfect security is an implausible goal.
Major takeaway points:
- Don’t waste your crisis, use every opportunity you can and learn.
- Don’t rely on blind luck, it will happen to you! Another way of saying Murphy’s Law.
- Improve processes and policies for your weakest link such as developers or any production platforms possible.
- Measure the capabilities of existing staff with a focus on continual improvement over time.
- If you are for example trying to juggle 17 things and failing, concentrate on three or so you can actually solve and let the rest of the balls drop.
- Automate in an efficient manner.
- Spreadsheet out your existing and historic risk at the very least; you don’t need fancy tools for this.
- Don’t stop a business process but make the data owners aware of the risk, advise and get their acknowledgement.
- In most cases you won’t require top of the line applications or hardware, get creative and think off the shelf and open source.
- Try and get security involved in the project definition requirements stage and you too could achieve nirvana.
Most organizations during this economic crisis are struggling, mostly with the challenges of lack of budget or skilled human resources. Mr. Ellis presented a formula to explain some of the challenges:
(Security) Value = R (Resources) * C (Capabilities)
R = Time + Money
C = Skill * Effort * Effectiveness
Mr. Ellis has successfully established a process to hunt malware in Akamai’s 10 PB (yes, petabyte!) cloud on a small budget, using open source tools and a security team of a dozen or less. Each organization or team must add value to their titles in these tight fiscal periods. Justify your position and improve your department while using both in and out of the box thinking to achieve or exceed the security poverty line. This topic is one of the few which can be achieved in information security. Grab hold of a win while you can!
More information:
Andy Ellis’ Blog: http://www.csoandy.com/
Andy Ellis’ Twitter: @csoandy
Link to the PDF of the presentation: Link
“Living Below the Security Poverty Line,” Wendy Nather, of The 451 Group: Link
YouTube link to video when available