Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

#DEFCON Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

dc-21-logo-smWell, I finally popped my DEF CON cherry and did a presentation at the largest hacker conference in the world… and no I’m not talking about RSA!

Despite my fears of freezing on stage and beginning to drool like a moron, I think the presentation went well. Excluding of course the point where Powerpoint decided it would die in a fire rather than show my next slide. Still, in typical DEF CON fashion there were goons on hand to deliver shots _just_ at the right time to cover the problem. This will forever be known to me now as JITAD (Just In Time Alcohol Delivery).

Hopefully the attendees took something from the presentation that they can use to make their systems a little more secure, or at least the lives of script kiddies a little harder (this is a dream for us right?).

The slides for the presentation are now online (see below), and the video will be uploaded as soon as DEF CON make the release possible.

As always, feedback on the talk, the idea and anything else is gratefully received…


  • Slideshare –> HERE

BSidesLV: Android Backup [un]packer release

bsideslvlogoAs part of my “Mobile Fail: Cracking open “secure” android containers” talk at BSidesLV I’ve released a couple of scripts I wrote to automate some of the legwork involved in backing up Android applications and automatically unpacking their data and settings. The accompanying script takes the data and settings structure and re-packs it into a working Android Backup file for restoration.

These scripts were used as part of my research to view settings used by applications and in some cases alter the configuration to deactivate secure features or allow access. In some cases it’s also possible to alter configuration files to gain elevated functionality (unpaid… but nobody would ever do that… right!).

The process isn’t new and can be done manually, however automated solutions are always easier…

packer unpacker


  • openssl with zlib support
  • star (apt-get install star)

Simple Python scripts to perform:

  • an adb backup of a specific application and uncompress it to a directory structure
  • recompress a directory structure back into a valid adb restore file

Example usage:

./ab_unpacker.py -p com.app.android -b app.ab

  • Creates an adb backup of com.app.android called app.ab and uncompresses it into ./com.app.android

./ab_packer.py -d ./com.app.android -b app_edit.ab -o app.ab -r

  • Repacks the contents of ./com.app.android into app_new.ab and attempts to restore it via adb



Upcoming BSidesLV and DEF CON presentations

… well, there’s nothing like leaving things to the last-minute. So here I am, sitting at the airport waiting for the first leg of the annual pilgrimage to Vegas (aka Hacker Summer camp), writing a last-minute blogpost to pimp a couple of presentations I’m doing next week.


Thu 18:00 -19:00 – Underground Track (Siena)

Mobile Fail: Cracking open “secure” android containers

We’ve known for some time that physical access to a device means game over. In response we’ve begun to rely more and more on “secure” container applications to keep our private and company secrets… well… secret! In this presentation I will discuss specific design flaws in the security of “secure” Applications that promise to keep your data / password and even company email safe and sound.

Although this research isn’t earth shattering by any means (in my opinion anyway… way to sell it to ya eh ;), I think it provides a few valuable insights into the lack of for-thought put into some Android application security. This research (although still at the early stages) focuses on the security of secure container applications and password databases, and how the secured implemented to secure them on the device does little if nothing to stop attackers with physical or root access to a device. Yes, physical access == game over… but in this case, secure containers have been specifically designed with this event in mind. Pity they didn’t put a little more thought into it!

Applications discussed (time permitting): Dropbox, box.com, Evernote, Spideroak, Lastpass, applock …


Sun 10:00 – 10:45 – Track 4

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

On the surface most common browsers look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the shiny surface however, the way specific user agents handle traffic varies in a number of interesting and unique ways. This variation allows for defenders to play games with attackers and scripted attacks in a way that most normal users will never even see.

This talk will attempt to show that differences in how different user agents handle web server responses (specifically status codes) can be used to improve the defensive posture of modern web applications while causing headaches for the average script kiddy or scanner monkey!

Furthering the research presented earlier in the year (BSides London) I will be presenting some interesting edge case notes on how mainstream browsers interpret HTTP status / response codes. I live edge case stuff, just because it’s quirky… so expect a certain amount of off the wall weirdness. Browsers are odd at the best of times, but automated scanners and attack tools are even worse. They love it when they get what they expect… not so much when they get something weird.

This is my first time talking at DEF CON… so come along and let me know what you think. Feedback as always, is desired and well received.

Microsoft Bug Bounties – Podcast interview with Katie Moussoris


As most people have already read (unless you’re still under that rock), Microsoft made a landmark announcement yesterday regarding its new bug bounty programs. If you’ve not already read about the news I won’t try to rehash what’s already been said (detailed information is available in the links below). However in a case of “right place, right time”, Martin McKeay and myself managed to chat to Katie Moussouris (the driver behind these programs) as part of the FIRST conference podcast series.

Hopefully this open and frank discussion helps to clear up any questions people may have forming about the programs and their effect on the InfoSec community at large. Microsoft always do things in a unique way, and these bug bounty programs are unique in many ways. With more emphasis on defense and really talking about fixing the problems, the programs certainly looks interesting and another step along the path to making things more secure… hopefully

Microsoft’s announced bug bounties:

  • Mitigation Bypass Bounty
  • BlueHat Bonus for Defense
  • Internet Explorer 11 Preview Bug Bounty

The podcast can be found here –> http://media.first.org/podcasts/FIRST2013-Katie-Moussoris-Microsoft.mp3



Get every new post delivered to your Inbox.

Join 122 other followers