Showing posts with label Pentest. Show all posts

Saturday, March 23, 2013

SANS 2013 Orlando

SANS 2013 was great, but I'm certainly glad to be back home.  It was a long week of sitting in conference rooms from sun up to sun down listening to some of the brightest instructors in InfoSec.  I really enjoy the quality of the conferences that SANS provides.

GIAC Intrusion Analyst (GCIA) Job Task Analysis (JTA)

It was an honor to be selected to participate in the JTA session.  The JTA is a way for GIAC to double check the correlation of their certification exam scores to the actual job skills that SANS is trying to teach.  I flew in a day early to take part in the exercise. I enjoyed the opportunity and hopefully I'll get to help out again in the future.  And, I got to meet Judy Novak.

SEC504: Hacker Techniques, Exploits and Incident Handling

This is the fourth class I've taken from SANS, so I pretty well knew what to expect.  SEC504 covered a lot of material, but much of the material felt familiar to me already, just more depth and insight into the attack techniques that are readily available.  For a lot of the attacks out there today, there really aren't very many good defenses.  So I guess numero uno on the list for things I learned at SANS 2013 isn't really something new, but something old and very foundational to InfoSec.  
 - Use common sense to limit who has access to systems and data in your environment.
 - Baseline your environment so that you know what is "normal" in terms of ports being used and processes running on your systems.
 - Don't reuse the same password for local administrator accounts across your organization.
 - Use host-based firewalls to prevent compromised systems from being able to easily pivot to other systems on the same subnet.
 - I also picked up a Teensy to play around with for physical testing.

Now I just have to get busy studying for the GCIH exam... 

APT: It is Not Time to Pray, It is Time to Act - Dr. Eric Cole

Dr. Cole is an excellent speaker and easy for me to pay attention to.  His tone and cadence in his presentations are very academic, but at the same time very candid and realistic.  He doesn't come across as somebody that is trying to wow you with his vast knowledge of InfoSec.  He seems to genuinely care about the material he is presenting and willing to do whatever it takes to make that material interesting and tangible to his audience.  The content of the keynote for SANS 2013 wasn't so much about all of the APT hype as it was a very focused warning of the need to master the basics of InfoSec before we will really be able to win against the attackers.  

Dr. Cole outlined 5 steps to improving security posture and being able to react to indicators of compromise more efficiently.

1. Identify Critical Data - Align critical assets with threats and vulnerabilities to focus on risk.  Using Risk Based Thinking - What is the risk? Is it the highest priority risk? Is it the most cost effective way of reducing the risk?
2. Align the Defense with the Offense - The areas that defense currently focuses on are not the same as what the offense is focusing on.
3. Know thy Organization - You Cannot Protect What You Do Not Know About.  Organizations need accurate up-to-date network diagrams and network visibility maps, focus on configuration management and change control.
4. Defense in Depth
    a) Inbound Prevention
    b) Outbound Detection
    c) Log Correlation
    d) Anomaly Detection
5. Common Metrics - Use the 20 Critical Controls!

Vendor Expo

Eh, not much to say here other than some vendors had some booths set up with some trinkets and trash on display.  And now my inbox and voicemail are full of messages that I don't really need.

Social Zombies: Rise of the Mobile Dead - Kevin Johnson

Yeah, I know social media is out to get me.  Really, duck face?

Introduction to Windows Kernel Exploitation - Stephen Sims

This is one area that I have no experience with.  Stephen did a great job of taking a difficult subject and explaining it so that I could follow along.

How to Become a SANS Instructor - Eric Conrad - Lunch-n-Learn 

Eric has an interesting story about how getting involved with SANS boosted his career and opened up the door of opportunity.  I've thought about signing up for the Mentor program, maybe this was persuasive enough to get me to send in the application?

ADHD and Samurai - John Strand and Kevin Johnson

The Active Defense Harbinger Distribution (ADHD) is pretty cool.  It is a Linux distro built around the idea of making life difficult for the bad guys.  It focuses on Annoyance, Attribution and Attack.  Some of the fun features include infinitely recursive directories, seeding honeytokens with call-home commands so that you can locate where your data has been exfiltrated, and setting up the signed Java applet attack in Metasploit to actually exploit the attacker.  There is a great write up of Paul Asadoorian and John Strand's RSA presentation here.

The Samurai Web Testing Framework (WTF) is also a nifty Linux distro with a series of tools to assist in web app pen testing.

Hacking Your Friends and Neighbors For Fun - Joshua Wright

Very entertaining.  If you haven't seen this talk yet, check out the slides here.

InfoSec in the Financial World: War Stories and Lessons Learned - Bryan Simon

Bryan makes the case for improving the information sharing of financial institutions with regards to adversaries, attacks and defense strategies.  Ironically, on his way to the conference, half his slides were yanked by his legal department so that he wasn't able to share some of the stories he wanted to.  The best part about this session was all of the conversations that started up afterwards.

NetWars Tournament

Wow, this was my first time at Netwars.  I wasn't really sure what to expect here.  All I can say is, there are some wicked smart people at SANS and I need some more practice.

Wednesday, October 24, 2012

Don't Surrender to Your Smartphone



Me: Hello Smartphone App

Smartphone App: Hello User, may I have your contact list, IMEI #, Camera, Email account username and password, Bank Account #, Routing # and Geolocation?

Me:  Sure, why not?  I just need to check the status of a “friend” on “Twit-face-square-link-book.com” right now!


I recently attended the Innotech conference in OKC and sat in on the Android (in)Security presentation given by Georgia Weidman (very entertaining).  During the presentation she demonstrated how malware could be installed on an Android device as a shim to the driver for sending and receiving text messages so that the phone could be manipulated into receiving botnet C&C messages via SMS and the user would never see these messages on their phone.

Most smartphone vendors these days require developers to disclose what permissions are used by their app before you download it.  This permission model allows users to make informed decisions about which apps they allow on their phone and gives the user control over how their phone is being used.  At least that's the idea behind it.  So, do you know what permissions your phone is using?


This application can access the following on your phone:


Your personal information 
  • Allows an application to add or change the events on your calendar, which may send email to guests. Malicious applications can use this to erase or modify your calendar events or to send email to guests, 
  • Allows an application to read all of the calendar events stored on your phone.  Malicious applications can use this to send your calendar events to other people, 
  • Allows an application to read all of the contact (address) data stored on your phone.  Malicious applications can use this to send your data to other people, 
  • Allows an application to modify the contact (address) data stored on your phone.  Malicious applications can use this to erase or modify your contact data. 
Your messages 
  • Allows an application to write to SMS messages stored on your phone or SIM card.  Malicious applications may delete your messages, 
  • Allows an application to read SMS messages stored on your phone or SIM card.  Malicious applications may read your confidential messages. 
Your location 
  • Access coarse location sources such as the cellular network database to determine an approximate phone location, where available.  Malicious applications can use this to determine approximately where you are, 
  • Access fine location sources such as the Global Positioning System on the phone, where available.  Malicious applications can use this to determine where you are, and may consume additional battery power. 
  • Create mock location sources for testing. Malicious applications can use this to override the location and/or status returned by real location sources such as GPS or Network providers. 
Network communications 
  • Allows an application to create network sockets. 
Your accounts 
  • Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords, 
  • Allows applications to sign in to Google Calendar using the account(s) stored on this phone, 
  • Allows applications to sign in to the Google mail services using the account(s) stored on this phone, 
  • Allows an application to perform operations like adding, and removing accounts and deleting their password, 
  • Allows an application to request authentication tokens.  
Absolutely no mention of malicious activity for Your Accounts and passwords?  (That must mean that all my accounts and passwords are uber safe, right?)
 

Phone calls 
  • Allows the application to access the phone features of the device.  An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like. 
Hardware controls 
  • Allows application to take pictures with the camera.  This allows the application at any time to collect images the camera is seeing. 
System tools 
  • Allows an application to change the state of network connectivity, 
  • Allows an application to change the current configuration, such as the locale or overall font size, 
  • Allows an application to modify the system's settings data.  Malicious applications can corrupt your system's configuration, 
  • Allows the application to mount and unmount filesystems for removable storage, 
  • Allows an application to prevent the phone from going to sleep, 
  • Allows application to retrieve information about currently and recently running tasks.  May allow malicious applications to discover private information about other applications, 
  • Allows an application to change the phone's time zone, 
  • Allows an application to modify the APN settings, such as Proxy and Port of an APN, 
  • Allows an application to modify your currently synced feeds, 
  • Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.  
But wait there's more...
 

Your location  
  • Access extra location provider commands.  Malicious applications could use this to interface with the operation of the GPS or other location sources.  
Network Communications  
  • Allows an application to view the state of all networks, 
  • Allows an application to view the information about the state of Wi-Fi. 
Your accounts  
  • Allows an application to get the list of accounts known by the phone, 
  • Allows applications to see the usernames (email addresses) of the Google accounts you have configured.  
Hardware controls  
  • Allows the application to control the vibrator.  
System tools
  • Allows an application to have itself started as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running,
  • Allows an application to disable the keylock and any associated password security.  A legitimate example of this is the phone disabling the keylock when receiving an incoming phone call, then re-enabling the keylock when the call is finished,
  • Allows an application to expand or collapse the status bar,
  • Allows an application to get details about the currently synced feeds,
  • Allows an application to read the sync settings, such as whether sync is enabled for Contacts.
  • Allows an application to read the synced stats; e.g., the history of syncs that have occurred.
And a few extras just for fun (really, is there anything more fun than hacking, well, I meant penetration testing for research purposes, when you have permission?)

Manipulation of your physical life

  • Allows an application to interact with other people on your behalf.  Malicious applications will use this to send text messages to premium phone numbers to run up unauthorized charges to your phone bill.
  • Allows an application to join a botnet and send and receive command and control messages.  Malicious applications will use this to allow hackers and cyber criminals to take over your device.
  • Allows an application to reset the password to your online banking accounts.  Malicious applications will use this to prevent you from checking the balance of your accounts when suspicious activity alerts start showing up in your inbox.
  • Allows an application to delete email and SMS text messages from your phone. Malicious applications will use this to prevent you from reading the alerts about suspicious balance transfers from your online banking accounts.
  • Allows an application to upload pictures from your phone to botnet operators and hackers.  Malicious applications use this to find compromising photos that will be used for blackmail or general embarrassment.
  • Allows an application to record phone calls and send them from your phone to botnet operators and hackers.  Malicious applications will use this to gather information about you that can be used to steal your identity.
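The permission screen above is just a rendering of the `uses-permission` entries an app declares in its AndroidManifest.xml, so you can audit the same thing yourself before installing.  As an added example (not code from the original post), this Python snippet parses a constructed manifest for a hypothetical alphabet-drawing app and groups its declared permissions under the same headings the market screen uses; the watch list is my own grouping, not an official Android classification.

```python
import xml.etree.ElementTree as ET

# Attributes in an Android manifest are namespaced; element names are not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Watch list grouped under the headings the market screen uses above.
# Assumption: an auditor's own grouping, not an official Android classification.
WATCH_LIST = {
    "android.permission.READ_CALENDAR": "Your personal information",
    "android.permission.READ_CONTACTS": "Your personal information",
    "android.permission.WRITE_CONTACTS": "Your personal information",
    "android.permission.READ_SMS": "Your messages",
    "android.permission.WRITE_SMS": "Your messages",
    "android.permission.ACCESS_COARSE_LOCATION": "Your location",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
    "android.permission.GET_ACCOUNTS": "Your accounts",
    "android.permission.READ_PHONE_STATE": "Phone calls",
    "android.permission.CAMERA": "Hardware controls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "System tools",
    "android.permission.DISABLE_KEYGUARD": "System tools",
}

# Constructed manifest for a hypothetical alphabet-drawing app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.drawletters">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def audit_permissions(manifest_xml):
    """Group declared permissions under the market-screen headings.
    Permissions off the watch list (INTERNET, VIBRATE, ...) land under
    "Other" so the reviewer still sees the whole request."""
    report = {}
    for perm in declared_permissions(manifest_xml):
        report.setdefault(WATCH_LIST.get(perm, "Other"), []).append(perm)
    return report

if __name__ == "__main__":
    for heading, perms in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{heading}: {', '.join(perms)}")
```

A drawing app for kids that shows up under "Your personal information" and "Your messages" is the mismatch to ask the developer about; a manifest with no entries on the watch list is what the zero-permission case looks like.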

There have been hacks and mods available for some time now to pry your personal information out of the hands of shoddy developers, greedy marketers and dubious botnet operators and give control over your smartphones and mobile devices back to you, the user.  Take for instance the Cyanogen rom for Android.  So why are users so complacent about giving out every permission that their favorite app asks for?

I am bothered by the fact that apps like Facebook come preloaded on my device, automatically start during the boot cycle and then do not allow me an option to uninstall this ridiculously invasive app unless I root my phone and manually delete it myself.  I'm appalled by developers and vendors that think this is acceptable behavior.  It is high time that users stand up for their privacy and tell vendors why these types of marketing gimmicks are unacceptable and unethical!



On a brighter note, I actually found an app the other day that claims to require ZERO permissions!  ABC Touch Lite on the Android is a cool little app that my kiddos can use to learn to draw the alphabet.  Wow, how is that possible?  Can an app actually function without needing to see the password to my email account?

If you are interested in having some fun testing out the security on your smartphone, check out Georgia's Smartphone Pentest Framework.