"Mapping and Evolution of Android Permissions"
Andrew Reiter & Zach Lanier, Veracode
The Android Open Source Project provides a software stack for mobile devices. The provided API enforces restrictions on specific operations a process is allowed to perform through a permissions mechanism. Due to the fine-grained nature of the model (and lack of a map), it is non- obvious which calls require which permission(s) for an API of over 2400 classes. Also, due to the on-going development of the AOSP and API, these required permissions have evolved over SDK revisions. Both of these provide headaches for application security testers and application developers. We first discuss our methodology for building a Android API permission map, including active and passive discovery tools. We then present the evolution of the map as the Android API has transformed through releases. This work is significant because of the need for an understanding of the API permission requirements in application security testing and the current lack of clarity in this ever-growing environment.
Andrew Reiter has been professionally involved with the security industry since the late 1990s. He has worked as a security researcher for Foundstone, BindView, and WebSense; currently, his research is being conducted at Veracode. Andrew is a former FreeBSD developer where he worked on the SMPng and TrustedBSD projects and holds a BS and MS in Mathematics from UMASS-Amherst.
Zach Lanier is a Security Researcher with Veracode, specializing in network, mobile, and web application security. Prior to joining Veracode, Zach served as Principal Consultant with Intrepidus Group, Senior Network Security Analyst at Harvard Business School, and Security Assessment Practice Manager at Rapid7. He has spoken at a variety of security conferences, including INFILTRATE, ShmooCon, and SecTor, and is a co-leader of the OWASP Mobile Security Project. Zach likes Android, vegan food, and cats (but not as food).
"APK File Infection on Android"
David Sancho Canete, Trend Micro
This talk will discuss the concept of APK file infection on Android system, similar to the concept of PE file infection on Windows system. As the performance of Android device has increased, it's become possible to implement such an attack in Android systems. We will introduce how to implement this concept. In addition, we will also give a demo to show that a PoC virus can infect normal APK files in a real Android mobile phone
- Current propagation methods of malicious APKs.
- Introduction to Android application infection concept with traditional(PE infection concept) approaches
- Demonstration showing infecting a helloworld APK and a real-world APK (Angry Birds Space) on android device
- Forecasting variants and impact
"NFC For Free Rides and Rooms (on your phone)"
Corey Benniger & Max Sobell, Intrepidus Group
If you ever thought smartphones tricks would get you public transit rides, you are correct! A number of cities are rolling out RFID/NFC enabled access control as they move away from magstripe cards. This comes at a time when smartphones are also being enabled with NFC capabilities. Unfortunately, a number of mass transit systems in the cities we've visited have have misunderstood how the security around these systems needs to be implemented. We'll break down how these mass-transit NFC enabled cards were designed to be used, which cities (that we know of) are deploying them incorrectly, and the software we wrote for mobile phones in order to ride the rails for free. We'll then discuss how these systems could be fixed, what to look out for when riding on one of these system, and some examples of proper deployments. We'll also demonstrate how similar cards are being used for access control at hotels and business locations, and how you can use your smartphone to make access to these locations easier.
Corey Benniger is a Principal Consultant with the Intrepidus Group, specializing in mobile application security. He has performed code reviews and conducted mobile application penetration tests for numerous Fortune 500 clients on a multitude of platforms, such as Android, BREW, RIM, and iOS. He has worked with nationwide telecommunication companies to help ensure the security of wireless architectures, systems, and applications. Corey is a polished public speaker and has been invited to speak at leading conferences like Black Hat, OWASP, NYCBSDCon, and Infragard. In addition, his expert opinion has been published in industry publications like eWeek. He has also published several whitepapers on cutting edge security issues, like vulnerabilities in AJAX, and the security implications of web browser data caching. Corey has an undergraduate degree from Boston University.
Max Sobell is a Consultant with the Intrepidus Group. Along with traditional security assessments, Max frequently reviews embedded devices prior to product releases to ensure both hardware and software meet industry best practices. He has done extensive hardware security research, notably in the fields of radio frequency identification (RFID) and near field communication (NFC). Prior to joining Intrepidus, Max worked in the financial sector implementing algorithms for high speed automated trading and in international trade analyzing markets. Max has spoken at security events ranging from SecTor and IEEE to OWASP and other local conferences. Max graduated from NYU with a BS in Computer Science and from Stevens Institute of Technology with a BE in Computer Engineering. He received a Founders Day award at NYU and was on the Dean's List at Stevens. His senior project at Stevens, RFnoID, won the Senior Design Award and 3rd place at the IEEE Northeast regional competition.
"Using HTTP Headers Pollution for Mobile Network Attacks"
Most of the mobile operators have their own WAP page available to their customers in order to download content like ringtones, videos, games, etc just by browsing to this page and choosing to download whatever they want. Depending on the carrier, you could also transfer funds or even access your bank account which is tied to your mobile number. In this talk I will show you what are the security issues with these WAP pages and how you could access them while pretending to be some other customer. The attack can also be performed remotely, without even being a customer of the target mobile network. Some video demos will be shown during the presentation.
Bogdan Alecu works as a System Administrator for a large IT service company in Romania and he is a frequent speaker at security conferences. He received his BSc in Business Information Systems from the “Alexandru Ioan Cuza” University of Iasi. Bogdan has researched for many years in mobile security, starting with Voice over IP and continuing with GSM, discovering security flaws in the way VoIP was implemented by different companies and in the way binary SMS was implemented. His latest research in the GSM security could allow a potential attacker to perform a remote SMS attack which can force mobile phones to send premium-rate text messages.
"iOS Application Auditing"
Mobile applications security in becoming a bigger concern every day and it is not only an idea taken out of some Gartner's quadrant, this is something we see every day as penetrations testers.
This presentation aims at sharing experience and knowledge in iOS applications pentesting. The first step will be to quickly review the iOS environment, including the ARM platform, the simulator and how applications could be distributed. Before explaining how to find bugs, people have, obviously, to know what to look for. This is why the most common flaws impacting iOS applications will be presented.
After this introduction, we will really dig into the main subject! The first thing an auditor should do is set-up his working environment, ie. should we use the simulator, a jailbroken device or is Apple providing useful tools? Then we will present how to do a recon on an application using its companion files, including configuration files, bundles, etc. As some applications are using the KeyChain to store information, we will also explain how to recover those. The next part related to more or less the passive analysis of applications will be the communication channel between the app and a possible web-service.
The passive analysis part will be followed by some reverse engineering technics to dig deeper into an application's internals. The first part will be dealing with static analysis, answering questions like "how to extract class definitions?" and "where are all the xrefs!?". The last part will be dealing with dynamic analysis which can be pretty useful for let's say you want to manipulate the messages sent to a web-services but they are encrypted with an additional layer and not just SSL. We will view how to do that using GDB and also MobileSubstrate or bundles injection.
Julien Bachmann - After my studies at EPITA, where I also taught a course on software exploitation, I started to work as a security engineer with assignments focused on penetration testing and forensics. My r&d projects are oriented toward OS internals, reverse engineering and software exploitation.
Beside from working at SCRT I also wrote some paper for the french magazine MISC (more below) and I am part of the organization of Insomni'hack, a hacking contest taking place in Geneva (Switzerland). I am also writing articles on our company's blog (http://blog.scrt.ch/author/julienbachmann/) when time permits.
"SinFP3: More Than A Complete Framework for Operating System Fingerprinting"
In 2008 [springer, 2008], we released a new version of SinFP [cpan] and a paper describing unification of active and passive operating system fingerprinting. SinFP is the first of its category to provide both active and passive fingerprinting over IPv4 and IPv6 using the same signature format. SinFP is designed to work in the worst network conditions: one heavily filtered open TCP port on the target. Today, we decided to improve its fingerprinting algorithms, and to extend its usage to network discovery framework.
In the first part, we introduce SinFP2 and its major features and benefits over its competitors. In the second part, we describe SinFP3: its plugin-based architecture and the many improvements in its fingerprinting algorithms.
The tool (SinFP3) will be released during the conference. It is still a release candidate, the final version will include change requests as returned by the user community.
Patrice Auffret  (GomoR ) is a senior security engineer specialized in network protocols hacking and reverse engineering . He is author of multiple Perl modules  to craft network packets (Net::Frame framework, and many protocols like LLTD, OSPF, or ICMPv6). He wrote multiple articles in french security magazine MISC  and also spoke at security conferences including IT Underground 2007 (OSPF Attack Shell tool) and SSTIC 2008  (SinFP operating system fingerprinting tool).
"BeEF, Browser Exploitation Framework"
Michele Orru, BeEF Project
What will you do during a pentest if you should get access to some target internal resources while having no exploitable external ones for the escalation? Well, there could be many responses on this provocative sentence, starting from Social Engineering techniques to the exploitation of victims browser inside the target.
We will see how BeEF can help resolving almost impossible pentest situations while directly exploiting the victims inside the target, using their machines as pivot to gather access to internal as well external resources, and how its much easier now to extend BeEF functionality writing your own modules to suit your needs.
Apart from that, the presentation will focus on covering the new BeEF platform that is being developed in Ruby, with a complete code rewrite and many new features: just to mention some of them, the newer Metasploit integration for zombie pwnage, persistent sessions, tunneling proxy and many new ways to use the victim browser to do nasty things.
This talk has been updated with new features and functions since originally presented in 2011
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy who works as a Penetration Tester for The Royal Bank of Scotland Group in Warsaw, Poland. He mainly focus his research on web application security. Besides his nasty passion about black, gray, white hat hacking and BeEF (being an active committer since the Ruby port started), he enjoys to leave alone his Mac while fishing on salted water and preys for Kubrick resurrection.
"HTML5 Heap Sprays, Pwn All The Things"
Anibal Sacco & Federico Muttis, Core
Heap spraying has been widely used for nearly 10 years by exploit writers. This very technique usually makes the difference between the impact of a vulnerability being or not massively exploited. However, there is a silent arms race being fought between exploit writers and the most security-conscious software vendors (browser and OS vendors, with others lagging), and the most popular heap spray technique have lost their lethality.
In this talk we are going to release and describe the details of a new heap spray technique that takes advantage of the -so popular- HTML5 emerging stack. This fact makes the technique functional on the latest versions of most popular browsers (like Chrome, Firefox, IE9/10, Safari) not only in computers but also in smartphones in a reliable, fast and multi-threaded fashion. In addition, we will disclose several different methods to accomplish the same goal on some other widely used applications by leveraging weaknesses in its defense in-depth mechanisms. Finally, we will be able to avoid the heap spray protections of browsers by abusing a browser independent scheme and take advantage of the lack of protections on other software. We will demonstrate our chops principally targetting browsers but also SQL engines, media centers, network devices, and then some.
Anibal Sacco is a Sr Exploit Writer and Reverse Engineer at CORE Security Technologies. He has been researching vulnerabilities and developing exploits for Windows, OS X and Linux for 6 years. Focusing first in windows kernel-mode vulnerabilities and rootkit development, and lately in OSX vulnerabilities and embedded devices.
He is currently in charge of the OS X exploits area and as researcher, he has presented in some of the most important security conferences like Black Hat, CanSecWest, SyScan and Ekoparty. He also published several advisories addressing multiple vulnerabilities.
Federico Muttis is a Sr Exploit Writer working for CORE's Exploit Writers Team. He works developing exploits for a wide variety of platforms, including Windows, Linux, Solaris and AIX, among others. This includes binary exploitation of both remote and client-side vulnerabilities, as well as web application vulnerabilities.
Federico also researched Cisco IOS exploitation, presented some research on the academical field (ECI -UBA) and published several security advisories. He is currently researching Mobile Devices exploitation.
"Phone Bootloader Security"
Thomas Roth is a guy from Cologne, Germany who is interested in security research, programming and everything that's kind of hackable.
His phone security code used to be 0862 until his mom hacked it.
"UmTRX, Open-Source, Budget-Friendly Hardware for OpenBTS, and OpenBSC"
Alexander Chemeris, Fairwaves
Mobile devices and applications is a new frontier of the security research, but surprisingly only few people look at the security of mobile networks which interconnect all those devices and applications. In this talk I'll first give a short overview of what tools and projects are already available for a mobile networks security researcher. And then I'll describe UmTRX hardware which could be used to build your own GSM base station (using OpenBTS or OsmoBTS) or could be used as a generic wideband Software Defined Radio transceiver. UmTRX hardware is being developed as an Open-Source Hardware project and all skilled hackers are welcome to participate and show the power of open source.
Alexander Chemeris is a software developer and CEO of Fairwaves, an open source telecommunications company based in Moscow. He is one of the founders of Moscows first hacker space.
"Owning Windows 8 With Human Interface Devices"
Windows is the most widely used Operating System for desktops. Windows family is improving with time in terms of security and the future of the families, Windows 8 is being considered better than its predecessors. Better in what? “May” be in terms of protection against traditional attacks like memory corruption bugs.
What if a new attack vector is used, a USB Human Interface Device for example? Windows 8 seems easy targets when it comes to facing such an attack. The calendar races back in time and the OS looks like the sitting duck it used to be. This talk measures Windows 8 against USB HID attacks. The target will be attacked live and its security mechanisms will be put on test. There would be vendetta as this latest and greatest is attacked in full public view by some neat payloads.
The talk will be full of live demonstrations.
Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has many years of experience in Penetration Testing of many Government Organizations of India and other global corporate giants. He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using HID in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests and Nishang a post exploitation framework for PowerShell. In his free time, does some vulnerability research and works on his projects. He has spoken/trained at various prestigious conferences like BlackHat USA, RSA, BlackHat Europe, PHDays. GrrCON and many more.
Videoconf Lightning Talks with Ekoparty