During a discussion on the most significant types of attacks facing enterprises at RSA Conference on Tuesday, Ed Skoudis, founder and senior security consultant with Washington D.C.-based security consulting firm InGuardians, said attackers are becoming adept at conducting easy, low-cost attacks against iOS- and Android-based devices using malicious mobile applications.
"Bad guys are going to the Android Marketplace, pulling down an app, building a backdoor into it and selling it in another Android app store for a lower price," Skoudis said. "Or they'll take the backdoor, grab an icon from an application someone wants to buy, and sell it in another app store for a lower price."
Though it's generally more difficult to sneak malicious mobile applications through the Apple App Store vetting process, by no means is it foolproof. Skoudis noted that two years ago a developer successfully snuck an unapproved iPhone tethering feature that violated carriers' policies into what appeared to be a benign flashlight app.
However, the real concern, Skoudis warned, is not the mobile device attacks themselves, but how attackers are endeavoring to use them as a gateway into enterprises' wired networks.
"We're going to see that mobile device pivot vector become a reality" this year, Skoudis said. "It's going to call into question the security models of the mobile device makers. There are very different models employed by Android, Apple, RIM and Microsoft, and those organizations might have to look really hard at whether to change some of those models."
To illustrate the creativity employed by attackers, Skoudis referenced a tactic first shared by Errata Security CTO Dave Maynor in which an attacker packages an iPhone with a high-capacity battery and sends it through the mail to a target organization. While the device sits unopened in the mailroom, if the organization allows ad-hoc wireless connectivity to employees' consumer devices, the device simply connects and offers the attacker wide-open access to enterprise network resources.
Most attacks, however, are far less creative but equally successful, Skoudis said, because many enterprises do not restrict mobile device access, often because executives demand unencumbered bring-your-own-device (BYOD) access to network resources.
He also encouraged enterprises to create a process for evaluating mobile apps to be used within the enterprise. "Have IT folks look at them to make sure an app's interaction with the device and the network are reasonable and the functionality makes sense."
Additionally, Skoudis endorsed a robust, secure wireless infrastructure, and a segmented wireless network dedicated solely to mobile devices not deployed by the enterprise.
An attendee who requested anonymity and who works for a large defense contractor agreed with Skoudis's advice. He said it may be difficult to talk decision makers into implementing a separate wireless infrastructure for untrusted mobile devices, but a strong case can often be made by comparing its cost with the cost of a potential breach.
Other threats: Hacktivism, IPv6, DNS
Co-presenter Johannes Ullrich, chief research officer with SANS and director of the SANS Internet Storm Center, discussed a number of other pressing threats, including hacktivism. After disappearing for about five years, he said the trend re-emerged with a vengeance last year, as persistent socio-politically motivated attackers in significant numbers took up basic, easy-to-use tools to discover and exploit weaknesses in their adversaries' defenses.
"The big difference is the attacker doesn't try to hide," Ullrich said. "They try to open it up and show the world what they accomplished."
Ullrich also pointed to weaknesses in home automation systems, cloud security implementations and IPv6.
"We keep seeing accidental deployments where people use IPv6 without knowing it," Ullrich said, resulting in occasional exploits in which attackers use the emerging protocol for data exfiltration. "If you're using an iPhone, Windows 7, MacOS 10 or Windows Server 2008 R2, you're using IPv6 unless you did something special to turn it off."
Skoudis also expressed concern about the evolution of command-and-control channels that run over DNS. Attackers can now craft malware in such a way that as long as a machine on an internal network can resolve Internet domain names, the attacker can maintain the connection. He recommended looking for unusual DNS traffic, especially frequent barrages of requests to unusual destinations on the Internet.
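The detection Skoudis recommends, looking for bursts of DNS requests to unusual destinations, can be turned into a simple heuristic over resolver logs. The following script is an added example written for this article, not code from Skoudis or SANS. It assumes a BIND-style query log format and uses constructed sample lines; the domain c2-placeholder.example is a placeholder, not a real indicator. It flags a (client, parent domain) pair only when volume, subdomain length, subdomain entropy and subdomain uniqueness all look like a DNS tunnel, so a host that simply hammers www.example.com is not reported.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article). The format loosely
# follows a BIND query log: "<iso-timestamp> client <ip> query: <qname> IN <type>".
# "c2-placeholder.example" is a placeholder domain, not a real indicator.
SAMPLE_LOG = """\
2012-02-28T10:00:01 client 10.1.2.3 query: www.example.com IN A
2012-02-28T10:00:01 client 10.1.2.3 query: www.example.com IN A
2012-02-28T10:00:02 client 10.1.2.3 query: www.example.com IN A
2012-02-28T10:00:02 client 10.1.2.3 query: mail.example.com IN MX
2012-02-28T10:00:02 client 10.1.2.3 query: www.example.com IN A
2012-02-28T10:00:03 client 10.1.2.3 query: www.example.com IN A
2012-02-28T10:00:03 client 10.1.2.9 query: a1b2c3d4e5f6a7b8c9d0.c2-placeholder.example IN TXT
2012-02-28T10:00:04 client 10.1.2.9 query: 0f9e8d7c6b5a4f3e2d1c.c2-placeholder.example IN TXT
2012-02-28T10:00:05 client 10.1.2.9 query: 5e4d3c2b1a0f9e8d7c6b.c2-placeholder.example IN TXT
2012-02-28T10:00:06 client 10.1.2.9 query: 9a8b7c6d5e4f3a2b1c0d.c2-placeholder.example IN TXT
2012-02-28T10:00:07 client 10.1.2.9 query: c0d1e2f3a4b5c6d7e8f9.c2-placeholder.example IN TXT
2012-02-28T10:00:08 client 10.1.2.9 query: b9a8f7e6d5c4b3a2f1e0.c2-placeholder.example IN TXT
2012-02-28T10:00:09 client 10.1.2.9 query: www.example.com IN A
"""

LINE_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) IN (\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Split a query name into (parent domain, subdomain prefix).
    Simplification: the parent is the last two labels. A production detector
    would consult the Public Suffix List so that e.g. example.co.uk is one parent."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_log(text):
    """Yield (timestamp, client, parent, subdomain, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format rather than crash
        ts, client, qname, qtype = m.groups()
        parent, sub = split_qname(qname)
        yield datetime.fromisoformat(ts), client, parent, sub, qtype

def profile_queries(text):
    """Aggregate per-(client, parent) statistics that the detector scores."""
    stats = {}
    for ts, client, parent, sub, qtype in parse_log(text):
        s = stats.setdefault((client, parent), {
            "count": 0, "subs": set(), "entropy_sum": 0.0, "len_sum": 0,
            "first": ts, "last": ts, "types": set()})
        s["count"] += 1
        s["subs"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub)
        s["len_sum"] += len(sub)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["types"].add(qtype)
    return stats

def find_suspicious(text, min_count=5, min_entropy=3.0, min_len=16, min_unique=0.8):
    """Return [(client, parent, summary)] for query streams whose volume,
    subdomain length, entropy and uniqueness together resemble a DNS tunnel.
    No single signal is enough on its own: a burst of identical lookups to
    www.example.com has high volume but zero entropy and low uniqueness."""
    hits = []
    for (client, parent), s in profile_queries(text).items():
        n = s["count"]
        avg_entropy = s["entropy_sum"] / n
        avg_len = s["len_sum"] / n
        unique_ratio = len(s["subs"]) / n
        if (n >= min_count and avg_entropy >= min_entropy
                and avg_len >= min_len and unique_ratio >= min_unique):
            span = (s["last"] - s["first"]).total_seconds()
            hits.append((client, parent, {
                "queries": n, "span_seconds": span,
                "avg_subdomain_len": avg_len, "avg_entropy": round(avg_entropy, 2),
                "unique_ratio": unique_ratio, "qtypes": sorted(s["types"])}))
    return hits

if __name__ == "__main__":
    for client, parent, summary in find_suspicious(SAMPLE_LOG):
        print(f"{client} -> {parent}: {summary}")
```

Run against the constructed log, only the 10.1.2.9 stream to c2-placeholder.example is reported: six TXT queries in five seconds, each with a distinct 20-character label of roughly 3.9 bits per character. The thresholds are starting points, not tuned values; on a real resolver log the first task is to measure what legitimate CDN, anti-spam and telemetry lookups score under the same metrics and raise or lower the bars accordingly.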