Geir Olsen, Sr. Program Manager, Windows Mobile
WMB307

Poll
• Yes, security is important to me. I’m willing to give up certain functionality and avoid running unapproved applications so that my data is safe.
• No, this is my phone (even though I didn’t pay for it). I have every right to do whatever I want with my most very favorite companion (including watching dancing pigs and storing compromising pictures of the neighbors in awkward positions). I refuse to accept restrictions.

Calculating Some Odds
• 5,000-employee corp, 1 CEO
• Loss odds same for any employee
• Assume one loss per day: odds are 1:5000
• Likely that CEO is aware of:
  • Exposure potential of loss
  • Appeal of device to thief
• Perhaps CEO exception not unreasonable?

Kaminsky’s Laws
• If you are security, no rules apply to you
• If security needs you, no onerous rules apply to you
• If security does not need you, you’re maybe allowed to breathe
• Would you want to keep this in your pants pocket all day?

Risks vs. Desires
You:
• Easy to use
• Develop and use custom applications
• Ignore security policies
• Simple boundaries
Organization:
• Protect corporate data
• Manage all devices
• Manage installed applications
• Provide helpdesk support
Mobile Operator:
• Protect the network
• Manage devices (at basic level)
• Implement helpdesk support

Attack Vectors
• Attacks against the device itself
• Attacks against data in transit (from/to the device)
  • From Internet connection or cellular network
• Attacks against data in storage (in the device)
• Attacks against the owner of the device
• Device as vector for attacks against corp net

Physical
• UK National Mobile Phone Crime Unit: “Current crime statistics reveal that a mobile telephone is stolen in about half of all street crime and in approximately a third of cases it is the only property stolen.”
• London Metropolitan Police report: “As many as 10,000 mobile phones are stolen every month. Two thirds of the victims are aged between 13 and 16.
Many phones are also stolen from unattended cars.”

Device Imaging
• Plug kit into microSD slot and make copy of internal memory
  • Very slow
  • Requires theft (or chance to “borrow”)
  • Keys in memory will be copied, too
• Mitigations
  • Don’t be stupid
  • Hope the DHS doesn’t become “interested” in you

Online Attacks
• Mobile phones associate with strongest signal tower, then negotiate encryption
• Someone with a tower-in-a-backpack could associate your phone
  • No media layer encryption on his “tower,” of course
• Mitigation: use encrypted link/applications
  • Not enough if attacker installs something on your device, though

Cracking Calls
• GSM encryption (A5)
  • 64-bit key often shortened to 54 bits
  • Session key sometimes reused across 16 calls
• Crack uses rainbow tables
  • Needs 3 to 4 clear-text call set-up frames
  • 2 terabytes (only!)
    • Not entire 64-bit key space
    • 33,000 years to generate with a PC
  • $1000 specialized hardware gets key in 30 mins
• http://gcn.com/Articles/2008/02/20/Cracking-GSM-calls-made-affordable-and-easy.aspx

SIM Cards
• Essentially a Java card
• Mobile operator can install apps over-the-air using SMS
  • No indication to user
• Java has full access to phone and network
  • Eavesdrop on calls
  • Remote control a phone

BlueBug
• Attacker creates serial connection profile with target device
• Gives full range of modem-type “AT” commands
  • Initiate a phone call
  • Send SMSs to any number
  • Read SMSs from the phone
  • Read and write phonebook entries
  • Configure call forwarding

BlueSnarf
• Best known type of Bluetooth attack
• Field testing conducted in London Underground
• Attacker sends OBEX GET
  • Rarely is authentication required
• Attacker grabs known files
  • telecom/pb.vcf – phone book
  • telecom/cal.vcs – calendar file
• HeloMoto attack is a combination of BlueBug and BlueSnarf

More Bluetooth
• BlueSmack and BlueStab: buffer overflow attacks
• BlueBump: forced re-keying
• BlueSpooof: clone a legitimate device
• BluePrinting: fingerprinting Bluetooth devices
• Blooover and Blooover II: automated tools
• Mitigation: don’t be discoverable
Software Vulnerabilities
• WAPPush (WinMo 6)
  • HTC disables registry key to limit “service SMS” messages that can install/update software
  • http://forum.xda-developers.com/showthread.php?t=395389
  • http://de.youtube.com/watch?v=QhJ5SgD-bdQ
• Curse of Silence (Symbian S60 2.6-3.1)
  • SMS with sender length >32 chars crashes SMS
  • Requires factory reset
• ToorCon demo (iPhone)
  • SMS with 400 CRLFs causes display malfunction
  • http://www.youtube.com/watch?v=MGRb4iI4wM0

Software Vulnerabilities
• Various (WinMo)
  • Mosquitos (2004) – Virus, installed as game
  • Cabir (2004) – Worm replicated through Bluetooth
  • DUTS (2004) – PPC “The Polite Virus”… asked for permission to spread
  • Skulls (2004)
  • Lasco (2005)
  • Locknut (2005)
  • CommWarrior (2005) – Used Bluetooth during day and MMS in evening to spread. Very high phone bills
  • MSIL/Xrove.A (2006) – Virus installed via ActiveSync

Time
• Not a lot of malware (now)
• Flash point: when one smartphone OS becomes more popular than Windows desktop OS
• Dilemma: few organizations will spend money on security in advance of an attack

No Need for Firewall (Maybe)
• Device doesn’t listen for unsolicited inbound connections
• Does listen for inbound replies to outbound connections; firewalls always permit this anyway

Difficult to Get Data from Device
• PIN lock is a bar to data acquisition
• PC to device relies on ActiveSync/WMDC
  • ActiveSync requires devices to be unlocked
• Unlocking locked devices
  • PIN reset via OWA
• “Interesting” information is protected
  • Databases (cemail.vol, user.hv) are locked, not accessible remotely
  • Not distinguishable physically in memory

Device Imaging
• Most forensics tools don’t work on WinMo
• Available tools aren’t completely reliable
  • exFAT and TexFAT partitions not readable
  • No undelete mechanism for TFAT or TexFAT
  • No parsers for .vol files (texts, emails, contacts) in the partitions
• Yet CE source is available for download… Is this good or bad?
Data Protection
• DPAPI default: AES-128
  • FIPS 140-2 compliant (WinMo 5.0+)
• Storage card (WinMo 6.0+)
• Sensitive data protection (WinMo 6.1)
• RMS/IRM
• S/MIME (with .PFX cert)

Storage Card Encryption
• Any file added to the storage card while the card is in the device is encrypted
• Encrypted using Data Protection API
  • AES128 or RC4 can be configured
  • Master key is in persistent store of the device
• Encrypted files are tracked by file extension
  • Device hash identifies the encrypting device
  • “<hash>.menc” portion of file name does not show on the encrypting device
• Key can’t be ported to another device
• Quality test: can’t detect degradation even when streaming video

Sensitive Data Protection
• Not “whole device”
  • User documents: \My Documents
  • Synced email: \cemail.vol
  • PIM data: \pim.vol
  • Synced email properties: \Windows\Messaging
  • Synced email attachments: \Windows\Messaging\Attachments
  • Internet cache: \Windows\Profiles\Guest\Temporary Internet Files
• Can administratively add additional directories and files
• Does not encrypt registry

Key Generation and Protection
• Cold boot
  • User and system DPAPI keys generated
  • Stored in file system: ACLed and encrypted
• Warm reboot
  • DPAPI recomputes session key
  • Decrypts master keys in storage, loads into memory
• User key can also be protected with device lock password

Link Security
• Exchange ActiveSync: SSL
  • AES-128 or AES-256
  • Server authenticates to client with certificate
  • User authenticates to server with NTLM or basic auth
• WiFi
  • WPA2: AES-128 or AES-256
  • EAP-SIM (SIM card is authenticator)
  • EAP-TLS, MS-CHAPv2 (mutual auth)

Authentication Options
• Certificate support
  • .PFX/.P12, .CER, .P7B (no private key protection)
  • Wildcard certificates
  • Custom root certificates
• Certificate enrollment
  • Device app-initiated (no UI)
  • Desktop via ActiveSync (with UI)
  • Both require Windows CA and templates

Device Control
• Local and remote wipe
• Configurable policies through SCMDM
  • Camera
  • WiFi
  • Bluetooth
  • Policies not alterable on device

SecureWipeAllVolumes API
• Flags all mounted volumes for “wipe”
• MSFLASH driver reformats flash memory volumes
  • Erases every physical block: permanently wipes beyond recovery
  • Or the OEM can opt to implement the secure wipe IOCTL for the new flash driver
• If the volume is a hard disk, then the volume is overwritten once with “0”s
  • Probably good enough for most cases
  • Doesn’t attempt to comply with military “secure erase” requirements

Exchange
• Adds security policy management
• But no device inventory or management

Exchange ActiveSync Policies
Key (the original slide colour-codes each policy by the version that introduced it; the colours are not recoverable here): Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2

Standard CAL
Sync
• Configure message formats (HTML or plain txt)
• Include past email items
• Email body truncation size
• HTML email body truncation size
• Include past calendar items (Duration)
• Require manual sync while roaming
• Allow attachment download
• Maximum attachment size
Authentication
• Minimum number of complex characters
• Enable password recovery
• Allow simple password
• Password Expiration (Days)
• Enforce password history
• Windows file share access
• Windows SharePoint access
• Minimum password length
• Timeout without user input
• Require password
• Require alphanumeric password
• Number of failed attempts
• Policy refresh interval
• Allow Non-provisionable devices

Enterprise CAL adds:
Encryption
• Require signed SMIME messages
• Require encrypted SMIME messages
• Require Signed SMIME algorithm
• Require encrypted SMIME algorithm
• Allow SMIME encrypted algorithm negotiation
• Allow SMIME SoftCerts
• Device encryption
• Encrypt storage card
Device Control
• Disable desktop ActiveSync
• Disable removable storage
• Disable camera
• Disable SMS and any MMS text messaging
Network Control
• Disable Wi-Fi
• Disable Bluetooth
• Disable IrDA
• Allow internet sharing from device
• Allow desktop sharing from device
Application Control
• Disable POP3/IMAP4 email
• Allow consumer email
• Allow browser
• Allow unsigned applications
• Allow unsigned CABs
• Application allow list
• Application block list
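As an added example (not part of the session deck), the Authentication, Encryption and Device Control policy items listed above expressed as one Exchange ActiveSync mailbox policy in the Exchange 2007 SP1 Exchange Management Shell. Cmdlet and parameter names are the Exchange 2007 SP1 ones as I know them; the policy name, the pilot alias and every numeric or time value are assumptions to be set from local policy.

```powershell
# Added example, not from the session: an Exchange ActiveSync mailbox policy
# that switches on the password, encryption and device-control settings from
# the slide. Splatting keeps one policy item per line with its slide label.
$policy = @{
    Name                               = 'Corp-WinMo-Secure'  # assumed policy name
    # Authentication (Standard CAL)
    DevicePasswordEnabled              = $true          # Require password
    AlphanumericDevicePasswordRequired = $true          # Require alphanumeric password
    MinDevicePasswordLength            = 8              # Minimum password length
    MinDevicePasswordComplexCharacters = 2              # Minimum number of complex characters
    AllowSimpleDevicePassword          = $false         # Allow simple password
    MaxDevicePasswordFailedAttempts    = 8              # Number of failed attempts (device wipes after)
    MaxInactivityTimeDeviceLock        = '00:10:00'     # Timeout without user input
    DevicePasswordExpiration           = '90.00:00:00'  # Password expiration (days)
    DevicePasswordHistory              = 5              # Enforce password history
    PasswordRecoveryEnabled            = $true          # Enable password recovery (PIN reset via OWA)
    DevicePolicyRefreshInterval        = '24:00:00'     # Policy refresh interval
    AllowNonProvisionableDevices       = $false         # Devices that cannot enforce policy are refused
    # Encryption and device control (Enterprise CAL)
    RequireDeviceEncryption            = $true          # Device encryption (sensitive data protection)
    RequireStorageCardEncryption       = $true          # Encrypt storage card
    AllowUnsignedApplications          = $false         # Allow unsigned applications
    AllowUnsignedInstallationPackages  = $false         # Allow unsigned CABs
    AllowBluetooth                     = 'HandsfreeOnly' # Disable Bluetooth except hands-free
    AllowCamera                        = $false         # Disable camera
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to one pilot mailbox (assumed alias) before a wider rollout;
# the device receives and applies it on its next sync.
Set-CASMailbox -Identity 'pilot.user' -ActiveSyncMailboxPolicy $policy.Name

# Read back the settings the server will push, to confirm the policy took.
Get-ActiveSyncMailboxPolicy -Identity $policy.Name |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength, MaxDevicePasswordFailedAttempts,
                RequireDeviceEncryption, RequireStorageCardEncryption, AllowNonProvisionableDevices
```

Setting AllowNonProvisionableDevices to $false is the line that turns the policy from advisory into enforced: clients that cannot honour the policy are refused rather than synced unprotected.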
Exchange Deployment Topology (diagram; components only)
• DMZ: ISA Server / Reverse Proxy; 128-bit SSL tunnel from the device
• Corporate intranet: Exchange Front-End/CAS Server; SharePoint request proxy via Exchange CAS; SharePoint 2003/2007 Server; Exchange Mailbox Server (subscription to mailbox); MAPI clients; Active Directory

System Center Mobile Device Manager 2008
• Security management
  • Domain join
  • Feature and application control
• Device management
  • Full over-the-air provisioning
  • Inventorying
  • Role-based administration

SCMDM 2008 Deployment Topology: Initial Enrollment (diagram; components only)
• DMZ: optional ISA or reverse proxy; 128-bit SSL tunnel from the device
• Corporate intranet: MDM Enrollment Server; Device Certificate Enrollment Service; one-time PIN for enrollment; machine certificate authentication for Mobile VPN; MDM Device Management Server; SQL Server; MMC console; Active Directory

SCMDM 2008 Deployment Topology: Managed Operation (diagram; components only)
• DMZ: SCMDM 08 Gateway (128-bit SSL tunnel, IPSEC VPN, machine certificate authentication for Mobile VPN); optional ISA or reverse proxy
• Corporate intranet: Exchange, SharePoint, intranet and LOB servers (SSL user authentication); MDM Device Management Server with integrated WSUS software management; MDM Enrollment Server; Device Certificate Enrollment Service; one-time PIN for enrollment; SQL Server; MMC console; Active Directory

Important Questions
• How do phones enter an enterprise?
• How to balance competing demands?
• What happens when business data is stored on devices with no security model?
• How important is it to have a thriving ISV industry?
• Is “consumerization” affecting an enterprise’s security requirements?
• Compete….
Geir Olsen, [email protected]

Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• www.microsoft.com/learning – Microsoft Certification & Training Resources
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers

Windows Mobile® Resources
• TechNet TechCenter – System Center Mobile Device Manager 2008: http://technet.microsoft.com/scmdm
• TechNet TechCenter – Windows Mobile: http://technet.microsoft.com/windowsmobile
• MSDN Center – Windows Mobile: http://msdn.microsoft.com/windowsmobile
• Webcasts and Podcasts for IT – Windows Mobile: http://www.microsoft.com/events/series/msecmobility.aspx
• General Information – Windows Mobile: http://www.windowsmobile.com
• General Information – System Center Mobile Device Manager 2008: http://www.windowsmobile.com/mobiledevicemanager
• Windows Marketplace Developer Portal: http://developer.windowsmobile.com

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.