"Mapping and Evolution of Android Permissions"
Andrew Reiter & Zach Lanier, Veracode
The Android Open Source Project provides a software stack for mobile
devices. The provided API enforces restrictions on specific operations
a process is allowed to perform through a permissions mechanism. Due to
the fine-grained nature of the model (and lack of a map), it is non-
obvious which calls require which permission(s) for an API of over 2400
classes. Also, due to the ongoing development of the AOSP and API,
these required permissions have evolved over SDK revisions. Both of
these provide headaches for application security testers and
application developers. We first discuss our methodology for building a
Android API permission map, including active and passive discovery
tools. We then present the evolution of the map as the Android API has
transformed through releases. This work is significant because of the
need for an understanding of the API permission requirements in
application security testing and the current lack of clarity in this
ever-growing environment.
__________________________________________________
Andrew Reiter has been professionally involved with the security
industry since the late 1990s. He has worked as a security researcher
for Foundstone, BindView, and WebSense; currently, his research is
being conducted at Veracode. Andrew is a former FreeBSD developer where
he worked on the SMPng and TrustedBSD projects and holds a BS and MS in
Mathematics from UMASS-Amherst.
Zach Lanier is a Security Researcher with Veracode, specializing in
network, mobile, and web application security. Prior to joining
Veracode, Zach served as Principal Consultant with Intrepidus Group,
Senior Network Security Analyst at Harvard Business School, and
Security Assessment Practice Manager at Rapid7. He has spoken at a
variety of security conferences, including INFILTRATE, ShmooCon, and
SecTor, and is a co-leader of the OWASP Mobile Security Project. Zach
likes Android, vegan food, and cats (but not as food).
"APK File Infection on Android"
David Sancho Canete, Trend Micro
This talk will discuss the concept of APK file infection on the Android system, similar to the concept of PE file infection on the Windows system. As the performance of Android devices has increased, it has become possible to implement such an attack on Android systems. We will introduce how to implement this concept. In addition, we will also give a demo to show that a PoC virus can infect normal APK files on a real Android mobile phone.
Topics Include:
- Current propagation methods of malicious APKs.
- Introduction to the Android application infection concept using traditional (PE infection) approaches
- Demonstration showing the infection of a helloworld APK and a real-world APK (Angry Birds Space) on an Android device
- Forecasting variants and impact
"NFC For Free Rides and Rooms (on your phone)"
Corey Benniger & Max Sobell, Intrepidus Group
If you ever thought smartphone tricks would get you public transit rides,
you are correct! A number of cities are rolling out RFID/NFC enabled access
control as they move away from magstripe cards. This comes at a time when
smartphones are also being enabled with NFC capabilities. Unfortunately, a
number of mass transit systems in the cities we've visited have
misunderstood how the security around these systems needs to be implemented.
We'll break down how these mass-transit NFC enabled cards were designed to
be used, which cities (that we know of) are deploying them incorrectly, and
the software we wrote for mobile phones in order to ride the rails for free.
We'll then discuss how these systems could be fixed, what to look out for
when riding on one of these systems, and some examples of proper deployments.
We'll also demonstrate how similar cards are being used for access control
at hotels and business locations, and how you can use your smartphone to
make access to these locations easier.
__________________________________________________
Corey Benniger is a Principal Consultant with the Intrepidus Group, specializing in
mobile application security. He has performed code reviews and conducted
mobile application penetration tests for numerous Fortune 500 clients on a
multitude of platforms, such as Android, BREW, RIM, and iOS. He has worked
with nationwide telecommunication companies to help ensure the security of
wireless architectures, systems, and applications. Corey is a polished
public speaker and has been invited to speak at leading conferences like
Black Hat, OWASP, NYCBSDCon, and Infragard. In addition, his expert opinion
has been published in industry publications like eWeek. He has also
published several whitepapers on cutting edge security issues, like
vulnerabilities in AJAX, and the security implications of web browser data
caching. Corey has an undergraduate degree from Boston University.
Max Sobell is a Consultant with the Intrepidus Group. Along with traditional
security assessments, Max frequently reviews embedded devices prior to
product releases to ensure both hardware and software meet industry best
practices. He has done extensive hardware security research, notably in the
fields of radio frequency identification (RFID) and near field communication
(NFC). Prior to joining Intrepidus, Max worked in the financial sector
implementing algorithms for high speed automated trading and in
international trade analyzing markets. Max has spoken at security events
ranging from SecTor and IEEE to OWASP and other local conferences. Max
graduated from NYU with a BS in Computer Science and from Stevens Institute
of Technology with a BE in Computer Engineering. He received a Founders Day
award at NYU and was on the Dean's List at Stevens. His senior project at
Stevens, RFnoID, won the Senior Design Award and 3rd place at the IEEE
Northeast regional competition.
"Using HTTP Headers Pollution for Mobile Network Attacks"
Bogdan Alecu
Most of the mobile operators have their own WAP page available to their customers in order to download content like ringtones, videos, games, etc., just by browsing to this page and choosing to download whatever they want. Depending on the carrier, you could also transfer funds or even access your bank account, which is tied to your mobile number.
In this talk I will show you what the security issues with these WAP pages are and how you could access them while pretending to be some other customer. The attack can also be performed remotely, without even being a customer of the target mobile network. Some video demos will be shown during the presentation.
__________________________________________________
Bogdan Alecu works as a System Administrator for a large IT service company in Romania and he is a frequent speaker at security conferences. He received his BSc in Business Information Systems from the “Alexandru Ioan Cuza” University of Iasi. Bogdan has researched mobile security for many years, starting with Voice over IP and continuing with GSM, discovering security flaws in the way VoIP was implemented by different companies and in the way binary SMS was implemented. His latest research in GSM security could allow a potential attacker to perform a remote SMS attack which can force mobile phones to send premium-rate text messages.
"iOS Application Auditing"
Julien Bachmann
Mobile application security is becoming a bigger concern every day, and it
is not only an idea taken out of some Gartner quadrant; this is something
we see every day as penetration testers.
This presentation aims at sharing experience and knowledge in iOS
applications pentesting. The first step will be to quickly review the iOS
environment, including the ARM platform, the simulator and how applications
could be distributed. Before explaining how to find bugs, people have,
obviously, to know what to look for. This is why the most common flaws
impacting iOS applications will be presented.
After this introduction, we will really dig into the main subject! The first
thing an auditor should do is set up his working environment, i.e., should we
use the simulator, a jailbroken device, or is Apple providing useful tools?
Then we will present how to do a recon on an application using its companion
files, including configuration files, bundles, etc. As some applications are
using the KeyChain to store information, we will also explain how to recover
those. The next part, related more or less to the passive analysis of
applications, will be the communication channel between the app and a
possible web service.
The passive analysis part will be followed by some reverse engineering
techniques to dig deeper into an application's internals. The first part will
be dealing with static analysis, answering questions like "how to extract
class definitions?" and "where are all the xrefs!?". The last part will be
dealing with dynamic analysis, which can be pretty useful when, let's say, you
want to manipulate the messages sent to a web service but they are
encrypted with an additional layer and not just SSL. We will see how to do
that using GDB and also MobileSubstrate or bundle injection.
__________________________________________________
Julien Bachmann - After my studies at EPITA, where I also taught a course on software
exploitation, I started to work as a security engineer with assignments
focused on penetration testing and forensics. My r&d projects are oriented
toward OS internals, reverse engineering and software exploitation.
Besides working at SCRT I also wrote some papers for the French magazine
MISC (more below) and I am part of the organization of Insomni'hack, a
hacking contest taking place in Geneva (Switzerland). I am also writing
articles on our company's blog (http://blog.scrt.ch/author/julienbachmann/)
when time permits.
"SinFP3: More Than A Complete Framework for Operating System Fingerprinting"
Patrice Auffret
In 2008 [springer, 2008], we released a new version of SinFP [cpan] and a
paper describing unification of active and passive operating system
fingerprinting. SinFP is the first of its category to provide both active and
passive fingerprinting over IPv4 and IPv6 using the same signature format.
SinFP is designed to work in the worst network conditions: one heavily
filtered open TCP port on the target. Today, we decided to improve its
fingerprinting algorithms, and to extend its usage to a network discovery
framework.
In the first part, we introduce SinFP2 and its major features
and benefits over its competitors. In the second part, we describe SinFP3: its
plugin-based architecture and the many improvements in its fingerprinting
algorithms.
The tool (SinFP3) will be released during the conference. It is still a release
candidate; the final version will include change requests as returned by the
user community.
__________________________________________________
Patrice Auffret [1] (GomoR [2]) is a senior security engineer specialized
in network protocol hacking and reverse engineering [3]. He is the
author of multiple Perl modules [4] to craft network packets (the Net::Frame
framework, and many protocols like LLTD, OSPF, or ICMPv6). He wrote
multiple articles in the French security magazine MISC [5] and also spoke
at security conferences including IT Underground 2007 (OSPF Attack Shell
tool) and SSTIC 2008 [6] (SinFP operating system fingerprinting tool).
"BeEF, Browser Exploitation Framework"
Michele Orru, BeEF Project
What will you do during a pentest if you need to get access to some target internal resources while having no exploitable external ones for the escalation? Well, there could be many responses to this provocative question, starting from Social Engineering techniques to the exploitation of victims' browsers inside the target.
We will see how BeEF can help resolve almost impossible pentest situations while directly exploiting the victims inside the target, using their machines as pivots to gain access to internal as well as external resources, and how it's much easier now to extend BeEF functionality by writing your own modules to suit your needs.
Apart from that, the presentation will focus on covering the new BeEF platform that is being developed in Ruby, with a complete code rewrite and many new features: just to mention some of them, the newer Metasploit integration for zombie pwnage, persistent sessions, tunneling proxy and many new ways to use the victim browser to do nasty things.
This talk has been updated with new features and functions since it was originally presented in 2011.
__________________________________________________
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy who works as a Penetration Tester for The Royal Bank of Scotland Group in Warsaw, Poland. He mainly focuses his research on web application security. Besides his nasty passion for black, gray, white hat hacking and BeEF (being an active committer since the Ruby port started), he enjoys leaving his Mac alone while fishing in salt water and prays for Kubrick's resurrection.
"HTML5 Heap Sprays, Pwn All The Things"
Anibal Sacco & Federico Muttis, Core
Heap spraying has been widely used for nearly 10 years by exploit writers. This very technique usually
makes the difference between a vulnerability being or not being massively exploited. However,
there is a silent arms race being fought between exploit writers and the most security-conscious software
vendors (browser and OS vendors, with others lagging), and the most popular heap spray techniques have lost
their lethality.
In this talk we are going to release and describe the details of a new heap spray technique that takes advantage
of the (so popular) HTML5 emerging stack. This fact makes the technique functional on the latest versions of the most
popular browsers (like Chrome, Firefox, IE9/10, Safari), not only on computers but also on smartphones, in a reliable,
fast and multi-threaded fashion. In addition, we will disclose several different methods to accomplish the same goal
on some other widely used applications by leveraging weaknesses in their defense-in-depth mechanisms. Finally, we will
be able to avoid the heap spray protections of browsers by abusing a browser-independent scheme and take advantage of
the lack of protections on other software. We will demonstrate our chops principally targeting browsers but also SQL
engines, media centers, network devices, and then some.
__________________________________________________
Anibal Sacco is a Sr Exploit Writer and Reverse Engineer at CORE Security Technologies.
He has been researching vulnerabilities and developing exploits for Windows, OS X and Linux for 6 years, focusing first
on Windows kernel-mode vulnerabilities and rootkit development, and lately on OS X vulnerabilities and embedded devices.
He is currently in charge of the OS X exploits area and, as a researcher, he has presented at some of the most important
security conferences like Black Hat, CanSecWest, SyScan and Ekoparty. He has also published several advisories addressing
multiple vulnerabilities.
Federico Muttis is a Sr Exploit Writer working for CORE's Exploit Writers Team. He works developing exploits for a wide
variety of platforms, including Windows, Linux, Solaris and AIX, among others. This includes binary exploitation of both
remote and client-side vulnerabilities, as well as web application vulnerabilities.
Federico has also researched Cisco IOS exploitation, presented some research in the academic field (ECI-UBA) and published
several security advisories. He is currently researching mobile device exploitation.
"Phone Bootloader Security"
Thomas Roth
Description TBA
__________________________________________________
Thomas Roth is a guy from Cologne, Germany who is interested in security research, programming and everything that's kind of hackable.
His phone security code used to be 0862 until his mom hacked it.
"UmTRX, Open-Source, Budget-Friendly Hardware for OpenBTS, and OpenBSC"
Alexander Chemeris, Fairwaves
Mobile devices and applications are a new frontier of security
research, but surprisingly only a few people look at the security of the
mobile networks which interconnect all those devices and applications.
In this talk I'll first give a short overview of what tools and
projects are already available to a mobile network security
researcher. Then I'll describe the UmTRX hardware, which could be used
to build your own GSM base station (using OpenBTS or OsmoBTS) or could
be used as a generic wideband Software Defined Radio transceiver.
UmTRX hardware is being developed as an Open-Source Hardware project
and all skilled hackers are welcome to participate and show the power
of open source.
__________________________________________________
Alexander Chemeris is a software developer and CEO of Fairwaves, an open source
telecommunications company based in Moscow. He is one of the founders of Moscow's first hackerspace.
"Owning Windows 8 With Human Interface Devices"
Nikhil Mittal
Windows is the most widely used Operating System for desktops. The Windows family is improving with time in terms of security, and the future of the family, Windows 8, is being considered better than its predecessors. Better in what? “May” be in terms of protection against traditional attacks like memory corruption bugs.
What if a new attack vector is used, a USB Human Interface Device for example? Windows 8 seems an easy target when it comes to facing such an attack. The calendar races back in time and the OS looks like the sitting duck it used to be. This talk measures Windows 8 against USB HID attacks. The target will be attacked live and its security mechanisms will be put to the test. There will be vendetta as this latest and greatest is attacked in full public view by some neat payloads.
The talk will be full of live demonstrations.
__________________________________________________
Nikhil Mittal is a hacker, infosec researcher and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has many years of experience in Penetration Testing of many Government Organizations of India and other global corporate giants.
He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using HID in Penetration Tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post-exploitation framework for PowerShell. In his free time, he does some vulnerability research and works on his projects. He has spoken/trained at various prestigious conferences like BlackHat USA, RSA, BlackHat Europe, PHDays, GrrCON and many more.
Videoconf Lightning Talks with Ekoparty