Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Category Archives: Conference

BSidesLV: Android Backup [un]packer release

bsideslvlogoAs part of my “Mobile Fail: Cracking open “secure” android containers” talk at BSidesLV I’ve released a couple of scripts I wrote to automate some of the legwork involved in backing up Android applications and automatically unpacking their data and settings. The accompanying script takes the data and settings structure and re-packs it into a working Android Backup file for restoration.

These scripts were used as part of my research to view settings used by applications and in some cases alter the configuration to deactivate secure features or allow access. In some cases it’s also possible to alter configuration files to gain elevated functionality (unpaid… but nobody would ever do that… right!).

The process isn’t new and can be done manually, however automated solutions are always easier…

packer unpacker

Requirements:

  • openssl with zlib support
  • star (apt-get install star)

Simple Python scripts to perform:

  • an adb backup of a specific application and uncompress it to a directory structure
  • recompress a directory structure back into a valid adb restore file

Example usage:

./ab_unpacker.py -p com.app.android -b app.ab

  • Creates an adb backup of com.app.android called app.ab and uncompresses it into ./com.app.android

./ab_packer.py -d ./com.app.android -b app_edit.ab -o app.ab -r

  • Repacks the contents of ./com.app.android into app_new.ab and attempts to restore it via adb

dropbox

Links:

Upcoming BSidesLV and DEF CON presentations

… well, there’s nothing like leaving things to the last-minute. So here I am, sitting at the airport waiting for the first leg of the annual pilgrimage to Vegas (aka Hacker Summer camp), writing a last-minute blogpost to pimp a couple of presentations I’m doing next week.

bsideslvlogo

Thu 18:00 -19:00 – Underground Track (Siena)

Mobile Fail: Cracking open “secure” android containers

We’ve known for some time that physical access to a device means game over. In response we’ve begun to rely more and more on “secure” container applications to keep our private and company secrets… well… secret! In this presentation I will discuss specific design flaws in the security of “secure” Applications that promise to keep your data / password and even company email safe and sound.

Although this research isn’t earth shattering by any means (in my opinion anyway… way to sell it to ya eh ;), I think it provides a few valuable insights into the lack of for-thought put into some Android application security. This research (although still at the early stages) focuses on the security of secure container applications and password databases, and how the secured implemented to secure them on the device does little if nothing to stop attackers with physical or root access to a device. Yes, physical access == game over… but in this case, secure containers have been specifically designed with this event in mind. Pity they didn’t put a little more thought into it!

Applications discussed (time permitting): Dropbox, box.com, Evernote, Spideroak, Lastpass, applock …

dc-21-logo-sm

Sun 10:00 – 10:45 – Track 4

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

On the surface most common browsers look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the shiny surface however, the way specific user agents handle traffic varies in a number of interesting and unique ways. This variation allows for defenders to play games with attackers and scripted attacks in a way that most normal users will never even see.

This talk will attempt to show that differences in how different user agents handle web server responses (specifically status codes) can be used to improve the defensive posture of modern web applications while causing headaches for the average script kiddy or scanner monkey!

Furthering the research presented earlier in the year (BSides London) I will be presenting some interesting edge case notes on how mainstream browsers interpret HTTP status / response codes. I live edge case stuff, just because it’s quirky… so expect a certain amount of off the wall weirdness. Browsers are odd at the best of times, but automated scanners and attack tools are even worse. They love it when they get what they expect… not so much when they get something weird.

This is my first time talking at DEF CON… so come along and let me know what you think. Feedback as always, is desired and well received.

Defense by Numbers: Making problems for script kiddies and scanner monkies

Since early 2012 I’ve been working on a simple theory…

The Theory:

By varying [response|status] codes, it should be possible to slow down attackers and automated scanners.

If you’ve met me at a conference any time in the last year I’ve probably talked about it at length and bored the hell out of you (sorry about that BTW).

After researching a number of aspects of this theory I put forward a presentation for BSidesLondon to talk about my findings and how it might be applied to application defense.

The topic can be a little complex due to the various ways browsers handle [response|status] codes. Even within a specific browser the handling of different content types varies. JavaScript is a prime example of that. Where as a browser will happily show you a webpage received with a 404 “Not Found” code, the same browser may not accept active script content with the same code.

During testing I also discovered a couple of interesting issues with Proxy servers that could be used by attackers to expose credentials… as well as some very interesting browser quirks that are probably only interesting to a handful of people. Still, I like edge-case stuff, it’s weird and that suits me just right ;)

BSidesLondon Abstract

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites

If the topic is something that interests you (and I’m sure there’s a lot more research to be done here) feel free to take a snoop at the slides… The talk was recorded also, so keep an eye on the BSidesLondon website and twitter feed for information on the video/audio release.

 

 

Links:

  • Some thoughts on HTTP response codes –> HERE
  • Privoxy Proxy Aauthentication Credential Exposure [cve-2013-2503] –> HERE
  • mitm-proxy scripts used in testing –> HERE

BSidesLondon 2013

It’s been a while since I’ve had the chance to update the blog, and that makes me a sad panda… still, sometimes life gets in the way of the really important stuff. Plus, nobody really reads this crap anyway right!

Still, pleasantries aside, next week is BSidesLondon (and a couple of events that run alongside it, such as 44cafe, and that small $vendor thing called InfoSec Europe). I was lucky enough to get selected as one of the speakers for this years event, and despite not dressing up like a gay biker, I hope the talk will be interesting. So, if you like number, weird edge cases, or innovative ways to protect web applications, come along to my talk and let me know what you think!

  • Defense by numbers: Making problems for script kiddies and scanner monkeys

Chris John Riley
Track One 12:45 – 13:30

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites

Just to warn those brave souls to plan to attend… I have LOTS of slides… it could get messy ;) I’ll try to put my slides up on Slideshare prior to the talk so people can follow along if they want.

Anyway, as part of the build-up to the conference I wanted to list a few of the talks I’m really looking forward to seeing (time permitting).

  • Pentesting like a Grandmaster

Abraham Aranguren
Track One 10:15 – 11:15

Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker. Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.

Abraham’s talks are always interesting, and I expect nothing less from his latest talk. He seems to have a unique way of looking at things and from a sneak peek at his slides, I think this one is going to be another interesting talk point.

  • Going Stealth: Staying off the Anti-Virus RADAR

Alex Polychronopoulos
Track One 17:00 – 18:00

Anti-Virus software is often the first line of defence in host based intrusion prevention. For years both black-hats and ethical hackers have researched how to avoid detection – some to compromise hosts reliably and others to improve detection. Executable packers are a popular technique used by virus and malware writers. They “pack” their malicious payload by compressing and/or encrypting it and they distribute it with enough clear-text instructions to “unpack” it. In particular, we’ll look at basic AV detection concepts and the basic design principles for packers. We’ll also touch on advanced techniques like polymorphism and metamorphism. You’ll leave marvelling that your AV ever catches anything at all.

Sometimes AV is the only standing between a good penetration tester and total domination… Anything we can do to test the limits of AV and maybe get that elusive shell is certainly worth the time to learn. Hoping for a few hints and tips here that might help in those situations.

  • How to build a personal security brand that will stop the hackers, save the world and get you the girl

Javvad Malik
Track Two 11:30 – 12:30

You’re a security professional, but even your boss doesn’t remember your name. Your brilliant ideas aren’t listened to, you’re never invited to speak at conferences and not even your mother visits your blog. In this talk I will take you down a journey of self-discovery that took me 3 years and went from another faceless security dude, to someone in control of my personal security brand. What worked, what didn’t work and all the behind-the-curtain magic exposed. If you’re into building your personal brand, making your voice heard amongst the 100’s of security ‘rockstars’ and dinosaurs who get all the attention – this is the talk for you to attend.

Fuck rockstars… no really, in this industry we need solutions, not primadonas with a god complex. Still, that said, having a brand and a platform to shout from is something we need. Plus Javvad is wicked funny and I’m sure he’ll CISSP mofo everybody in the crowd at LEAST once!

  • Dissecting Targeted Attacks – Separating Myths from Facts

Candid Wuest
Track Two 14:30 – 15:30

A lot of media do report on targeted attacks or so-called APTs, but how sophisticated or those attacks really? Flamer & co. are only the tip of the iceberg and even they had flaws. Most of the attacks are not so smart at all, but nevertheless successful. I will elaborate on the common methods of targeted infection & exfiltration, happening every day around the globe. Explaining the methods and tools used by the attackers with real life examples. I will show why they successfully bypass most security tools and analyse where these attacks differ from the common malware flood.

Learn your APT from your elbow… not everything is OMGtargetedStateSponsoredBBQ Malware from China with love!

—————————————————-

Well, those are my picks… so much cool stuff, so little time! Before I sign-off however, I wanted to remind all attendees that it’s your JOB (yep, attendees also have a job to do) to give feedback to speakers. Even if it’s a single point, an idea, or a pat on the back and “that was cool” comment… be part of making the conference better… give feedback or the kitten gets it!

Read my thoughts on “Giving feedback” –> HERE

Hope to see you all in London. Please come up and say hi if you’re about… I only bite when provoked!

Follow

Get every new post delivered to your Inbox.

Join 127 other followers