Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: #BSidesLV

My picks for BSidesLV and DefCon 2011

Now that I have confirmed 100% that I’ll be in Las Vegas (family stuff…), here are some of my picks for the top talks I’m looking forward to seeing this year.

To be honest, if I get to even half of these I’ll be happy! This time of year is more about the hallway track and meeting new and old friends… Still, here are my top picks for BSidesLV and DefCon / DC SkyTalks this year!

BSidesLasVegas Top Picks

  • Siemens / SCADA 0day – Dillon
  • Hacking webapps is more fun when the end result is a shell! – Joshua Abraham
  • Something Awesome(TM) – HD Moore

DefCon Top Picks

  • Hacking your victims over power lines – Dave Kennedy
  • Don’t drop the SOAP – Tom Eston, Joshua Abraham, Kevin Johnson
  • Metasploit vSploit modules – Marcus J. Carey, David Rude, Will Vandevanter

DefCon SkyTalks Top Picks

  • Hacking with QR Codes – Pyr0, Tuna
  • Walking the Green Mile: How to Get Fired After a Security Incident – Brian Baskin
  • Planes Keep Falling On My Head – Chris Roberts

Well, there you have it. I tried to keep it to 3 picks per “con”. Realistically I know I’m never gonna see all of them, but it’s nice to dream! See you in Vegas!

As always, I’ll be the ugly British guy with no hair and orange glasses 😉

BSidesLV: How (not) to run a Bsides [Panel]

Now that the full list of talks for #BSidesLV has been released, I’m happy to announce that I’ve been invited to take part in the “How (not) to run a Bsides” panel taking place on Thursday 4th August (16:30 – 17:30). I’m pretty sure they mistook me for somebody else to be honest… but what the hell!

As with every first-time conference, I learnt a lot about how to do things and how not to do things while putting on BSidesVienna, even with a few experienced hands on board (special thanks to Astera and Lynx).

Security BSides has grown so much since it started back in 2009. With so many BSides springing up all over the world, it’s great to see that the enthusiasm is still growing. Hopefully we can throw together a few interesting hints and tips for people looking to run a BSides event… at the very least I can give you a list of 10 things that can and will go wrong.

Hope to see you in Vegas… I’ll be the English guy that looks like an overcooked lobster 😉

-= BSides History =-

BSides was born out of a number of rejections to the CFP for Black Hat USA 2009. A number of quality speakers were rejected, not due to lack of quality but lack of space and time. Any constrained system must operate within the bounds to which it has defined itself. Conferences constrain themselves to the eight hours a day for however many days they run. Our goal is to provide people with options by removing those barriers and providing more options for speakers, topics, and events.

source: SecurityBsides.com

Links:

  • BSides Las Vegas Schedule –> Link

Bigger, Better, Faster, More!

Las Vegas – The entertainment capital of the world.

Where your every desire is catered for, and you never have to go without. If there’s another place on earth with so many flashy lights, then I’ve certainly never heard about it!

Still, when I saw that this year Blackhat had gone to 11 tracks, I couldn’t help but think they were going a little bit too far, even for Vegas!

There’s a fine line between offering good content and swamping visitors with just too much choice… and no matter how much I try, I just can’t help but get the feeling that Blackhat Las Vegas just jumped the shark!

I go to more than my fair share of conferences, and one thing that connects them all for me is the excitement and anticipation I get when looking over the list of speakers and talks. Picking out the ones I really want to see, the people I want to meet and the things I want to learn about is one of the highlights of a conference for me. The build-up is almost as important as the event, after all. When I saw the schedule for this year’s Blackhat, however, I didn’t feel excited. It wasn’t because there were no good talks, because there were a lot of great talks and great speakers. It was just too much. In my mind Blackhat had hit the point where it just didn’t matter what talks people went to anymore. It was just too big, too complex, and too confusing to me. I couldn’t help but get the feeling that no matter what talk I saw, I’d always be thinking about the other 10 tracks and what I was missing out on!

Maybe it’s just me, maybe everybody else thinks this was the best Blackhat ever. Everybody has his/her own opinion, and mine is that Blackhat (at least in Vegas) is dead to me. I doubt I’ll be attending next year for the new, improved 12-track program (they have to make it more impressive next year after all… there’s no backing down now!). If you want to find me, I’ll be sitting by the pool at BSides talking to people who do this for the love of it, and not the money.

[BSidesLV] It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications

It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications – Zach Lanier

Mobile Application Themes

Broad Observations

The web pushed content to the browser

  • Centralization of apps and data
  • Always a push for MORE (ActiveX, applets, …)

Now, everyone gets their own app!

  • Code (not HTML) gets pushed to the endpoint
  • App for things like XKCD

Authorization

Carriers only authenticate to the network. Once you’re on the carrier, it’s free access with almost no checks.

Third-party applications are sometimes better than carrier apps, with support for better auth

Some stupid client-side auth issues (admin=1)

Many apps are syncing data between the device and cloud using simple HTTP

At that point it’s just like pentesting a webapp


Platform Security

Quick Overview of the common platforms

Many disparate platforms

  • Android, iPhone OS, RIM, WinMo, BREW, …

Different platforms handle security differently

Concerns

  • Shared user accounts
  • Native Code
    • Obj-C, JNI
  • Certificate Validation
    • SSL, Code Signing
  • Support for Emerging Technologies
    • Flash, WebKit, HTML5


Testing Techniques

  • Whitebox
    • Sometimes it’s trivial to get app source-code
  • Blackbox
    • Acquiring application binaries
    • Reverse Engineering
      • Disassembly
    • Network Analysis
      • Protocol Analysis
      • Fuzzing
      • MITM

Protocol analysis is often the easiest method. A lot of applications tunnel over HTTP and make it easier for testers.

Tools commonly used:

  • undx, coddec, JAD
    • decompilation
  • Smali / baksmali
    • (dis)assembly, patching
  • Native Code?
    • IDA with ARM support
    • Strings

adb –> Android Debug Bridge

Not everybody can be an RE ninja… sometimes the easiest way is to listen to the app’s traffic

Become the MITM using tools like WAPT, WebScarab/Paros/Burp

Issues include things like the requirement to be on the carrier connection, and strict SSL certificate checks

Solutions include the use of mobile broadband cards and emulators, to sit on the carrier network and still run the app

WiFi isn’t always an option, as not all phones support it and applications may not connect over WiFi

Intrepidus have released a tool called Mallory for MITM of TCP and UDP connections. This is useful for MITM testing of mobile devices

Case Studies

Foursquared

Application for 4square

Usage of Basic Auth instead of OAuth

  • Cleartext transmission of username/password

4square are starting to enforce OAuth and SSL in the future

Why is this a problem? –> Most applications prefer WiFi over the carrier network, so it’s easy to sniff at your local Starbucks
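As an added example (my own code, not anything from the talk or from the apps it covers), this is the kind of quick triage a tester does once an app’s traffic is flowing through a sniffer or MITM proxy: parse the captured cleartext HTTP, decode any Basic Auth header, and flag parameters such as admin=1 that suggest the server is letting the client decide its own authorization. The capture, hostnames and paths are constructed for the example.

```python
# Added example, not code from the talk or from any of the apps it covers.
# Triage of a captured cleartext HTTP stream from a mobile app: decode
# Basic Auth credentials and flag client-side "authorization" parameters.
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture (two requests, made-up hostnames and paths).
CAPTURE = (
    b"GET /v1/checkins HTTP/1.1\r\n"
    b"Host: api.example-checkin.test\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"User-Agent: MobileClient/1.0\r\n"
    b"\r\n"
    b"POST /storage/quota?user=bob&admin=1 HTTP/1.1\r\n"
    b"Host: cloud.example-storage.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"action=view&admin=1&x=y"
)

# Parameter names that hint the server trusts the client to say who it is.
SUSPICIOUS_PARAMS = {"admin", "isadmin", "is_admin", "role", "debug"}


def split_http_requests(raw: bytes):
    """Split a captured byte stream into (request_line, headers, body) tuples.
    Only Content-Length bodies are handled, which is enough for app traffic
    like this; chunked encoding would need more work."""
    requests = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        requests.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return requests


def find_cleartext_secrets(raw: bytes):
    """Return a list of findings: decoded Basic Auth credentials and any
    suspicious client-controlled authorization parameters."""
    findings = []
    for request_line, headers, body in split_http_requests(raw):
        method, target, _version = request_line.split(" ", 2)
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            creds = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
            user, _, password = creds.partition(":")
            findings.append({"host": host, "method": method, "issue": "basic-auth-in-cleartext",
                             "user": user, "password": password})
        params = parse_qs(urlsplit(target).query)
        params.update(parse_qs(body.decode("latin-1")))
        for name, values in params.items():
            if name.lower() in SUSPICIOUS_PARAMS:
                findings.append({"host": host, "method": method, "issue": "client-side-authz-param",
                                 "param": name, "values": values})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_secrets(CAPTURE):
        print(finding)
```

The Basic Auth finding is the Foursquared problem in one line of base64; the second finding is the “admin=1” class of bug, where the only fix is on the server (never read the caller’s privilege level from the request).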

A Storage Application

Multi-platform application

Developed by a third-party, branded for major carriers

Problem –> Simple crash in the storage quota viewer

Attacker needs to MITM and alter the server response –> Client crashes

Application has DRM, but allows you to share between friends.

Enforcement occurs on the client-side when viewing (XML response from the server detailing DRM info) –> FAIL

Embedded Device #1

Mix of HTTP and HTTPS content

MITM on HTTP traffic to enable hidden Admin content

Strict SSL Validation prevents SSL MITM

The big problem was command injection by injection of commands into the SSID –> SSID; <insert your command here>
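As an added example (my own Python stand-in, not the device’s real firmware code), here is the pattern behind that SSID bug next to a version that does not hand the SSID to a shell. The real device almost certainly shelled out to a wireless tool; “echo” stands in for it here so the example is safe to run, and the allowed-character policy in the safe version is a constructed example rather than anything the device enforced.

```python
# Added example, not the device's real code. Shows the "SSID; <command>"
# injection described above in a Python stand-in and the fix.
import re
import subprocess

MAX_SSID_LEN = 32  # 802.11 SSIDs are at most 32 octets

# Constructed attacker-chosen SSID: a valid name, then a second command.
PAYLOAD = "MyNet; echo INJECTED"


def configure_ssid_vulnerable(ssid: str) -> str:
    """Builds a shell command by string concatenation, which is exactly the
    mistake that lets 'MyNet; <command>' run <command>. 'echo' stands in for
    the real wireless configuration tool."""
    result = subprocess.run("echo configuring ssid " + ssid,
                            shell=True, capture_output=True, text=True)
    return result.stdout


def configure_ssid_safe(ssid: str) -> str:
    """Validates the SSID and passes it as a single argv element, so shell
    metacharacters are never interpreted even if validation is loosened."""
    if not 1 <= len(ssid.encode()) <= MAX_SSID_LEN:
        raise ValueError("SSID length out of range")
    # Example allow-list for this demo; real SSIDs can contain more than this.
    if not re.fullmatch(r"[A-Za-z0-9 _.-]+", ssid):
        raise ValueError("SSID contains characters outside the allowed set")
    result = subprocess.run(["echo", "configuring ssid", ssid],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(configure_ssid_vulnerable(PAYLOAD), end="")  # second line reads INJECTED
    try:
        configure_ssid_safe(PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
    print(configure_ssid_safe("MyNet"), end="")
```

Both the allow-list and the argv form matter: the allow-list stops the obvious payload, but the argv form is what guarantees the SSID can never be parsed as shell syntax, which is the property you want from an embedded web interface that takes input from an unauthenticated network page.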

Embedded Device #2

Typical XSS flaws in interface

Also command injection flaw allowing access

BREW Picture Upload

Designed to upload data from the phone to the cloud

BREW != Smart Phone

  • No WiFi

Application Directed SMS

  • SMS Client can parse messages and identify specific control messages for distinct applications
  • Debug code: SMS instruction to change remote upload destination
  • Traffic was plaintext HTTP/SOAP

Authentication uses a static token for the lifetime of the app on that device.

Authentication token was an MD5 hash created server-side –> Able to recreate the data used to create the MD5 hash

Able to hijack other users accounts based on this information and creation of valid MD5s

Post-Mortem

  • No SSL
  • No Real Auth Scheme
    • Why would you lie about your phone number?
    • If they’re on our network they’re trusted
  • No authorization controls on the server
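As an added example (my own code, not the real application’s), here is a token scheme with the weakness in that post-mortem next to one that fixes it. The page does not say what the real app fed into MD5, so phone number plus a fixed app id is an assumption made here purely for illustration; the point is that anything the client can recreate is a recipe, not a secret.

```python
# Added example, not the real application's code. The data the real app
# hashed is not on the page; phone number + a fixed app id is assumed here
# to illustrate the problem.
import hashlib
import hmac
import secrets

APP_ID = "picupload"   # constructed


def weak_token(phone_number: str) -> str:
    """Server issues MD5(phone:app_id). Both inputs are known (or guessable)
    by the client, so the token is a recipe, not a secret."""
    return hashlib.md5(f"{phone_number}:{APP_ID}".encode()).hexdigest()


def weak_server_authorizes(token: str, requested_phone: str) -> bool:
    """The flawed check: 'does the token match the phone number in the
    request?' An attacker who knows the recipe passes it for any victim."""
    return hmac.compare_digest(token, weak_token(requested_phone))


def forge_token_for(victim_phone: str) -> str:
    """Attacker side: once the recipe is recovered, mint a token for anyone."""
    return weak_token(victim_phone)


class TokenServer:
    """Hardened variant: the token carries a random nonce and an HMAC under a
    key only the server holds, so it can neither be recreated by the client
    nor transplanted onto another account. (A real service would also store
    and expire tokens; omitted here.)"""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret

    def _tag(self, account: str, nonce: str) -> str:
        return hmac.new(self._secret, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue(self, account: str) -> str:
        nonce = secrets.token_hex(16)
        return f"{account}:{nonce}:{self._tag(account, nonce)}"

    def verify(self, token: str, requested_account: str) -> bool:
        try:
            account, nonce, tag = token.split(":")
        except ValueError:
            return False
        # Authorization: the token must belong to the account being accessed.
        if account != requested_account:
            return False
        return hmac.compare_digest(self._tag(account, nonce), tag)


if __name__ == "__main__":
    victim = "15551234567"   # constructed
    print("forged token accepted by weak server:",
          weak_server_authorizes(forge_token_for(victim), victim))
    server = TokenServer(secrets.token_bytes(32))
    own = server.issue("15550001111")
    print("own token accepted for own account:", server.verify(own, "15550001111"))
    print("own token accepted for victim:", server.verify(own, victim))
```

Note that the hardened verify() does two separate things the original skipped: it checks the token was minted by the server (the HMAC), and it checks the token is for the account the request is touching (the authorization step from the post-mortem). Passing the first without the second is how “valid token, wrong user” account hijacks happen.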

RIM Picture Upload

Similar to the BREW upload

Extract binary using JavaLoader.exe and run it in an emulator

Main app is in a COD file… it’s a simple ZIP format, which yields files that can be decompiled

Decompilation didn’t give a clean output.

What was visible was a hard-coded 3DES key in the Java bytecode. All devices use the same key!

Every encrypted image sent out on the wire was prefixed with an auth header
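As an added example (my own code, not the RIM app or anything from the talk), this is the “Strings” step from the tools list applied to the problem above: pull printable runs out of an extracted binary, then rank them by length and entropy to spot a hard-coded key and the crypto API names that usually sit next to it. The sample blob is constructed to look loosely like a slice of a Java class file’s constant pool; the key value in it is made up.

```python
# Added example, not the app's code. A "strings"-style scan for hard-coded
# keys and crypto hints in an extracted binary. SAMPLE_BLOB is constructed.
import math
import re

MIN_STRING_LEN = 16
KEY_SIZES = (16, 24, 32)                            # AES-128, 3DES/AES-192, AES-256 (bytes)
HEX_LENS = {2 * n for n in KEY_SIZES}                # 32, 48, 64 hex chars
B64_LENS = {4 * ((n + 2) // 3) for n in KEY_SIZES}   # 24, 32, 44 base64 chars
CRYPTO_HINTS = re.compile(r"DESede|DES|AES|Blowfish|RC4|PBEWith")

# Constructed: roughly what a class file's constant pool looks like to
# 'strings', with a 24-byte (3DES-sized) key stored as a 48-char hex literal.
SAMPLE_BLOB = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x31"
    b"\x00\x1a\x01\x00\x12com/example/Upload"
    b"\x01\x00\x00" b"9f3c1a7e52b84d06e1c3a9f07b5d2e4816a0c9d3f7e2b5a1"
    b"\x01\x00\x0eDESede/CBC/PKCS5Padding"
    b"\x01\x00\x05Error"
    b"\x01\x00\x17https://upload.example.test\x00"
)


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Rough equivalent of the 'strings' tool: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out near 4, random base64 near 6."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_key_candidate(s: str):
    """Return (encoding, key_bytes) if s is a standard key size encoded as
    hex or base64 with entropy near the encoding's maximum, else None."""
    if len(s) in HEX_LENS and re.fullmatch(r"[0-9a-fA-F]+", s) and shannon_entropy(s) >= 3.0:
        return ("hex", len(s) // 2)
    if len(s) in B64_LENS and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and shannon_entropy(s) >= 4.0:
        return ("base64", (len(s.rstrip("=")) * 3) // 4)
    return None


def find_key_candidates(blob: bytes):
    """Strings that look like embedded symmetric keys, with their entropy."""
    out = []
    for s in extract_strings(blob):
        kind = classify_key_candidate(s)
        if kind:
            out.append({"value": s, "encoding": kind[0], "key_bytes": kind[1],
                        "entropy": round(shannon_entropy(s), 2)})
    return out


def find_crypto_hints(blob: bytes):
    """Algorithm/transformation names near a key candidate tell you how it is used."""
    return [s for s in extract_strings(blob, 3) if CRYPTO_HINTS.search(s)]


if __name__ == "__main__":
    print(find_key_candidates(SAMPLE_BLOB))
    print(find_crypto_hints(SAMPLE_BLOB))
```

A hit like this is the whole finding: if every device ships the same key and the key is recoverable from the binary, the “encryption” on the wire is just encoding to anyone who has downloaded the app. In the real case the decompiler output was messy, which is exactly why a byte-level scan like this is worth running before reaching for a decompiler at all.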

The WebApp at the server-side was vulnerable to a number of flaws including injection, and information disclosure

Lax permissions: the app was allowed to do whatever it wanted on the device itself –> Whatever happened to least privilege?

Post-Mortem

  • Broken, Hard-coded crypto
  • Lack of input validation
  • Lax permissions and no defense in depth

Links:

  • Quine Twitter –> @quine
  • Mallory –> LINK
  • Mallory BH Talk –> LINK