Iasi code camp 20 april 2013 playing buggy-bogdan-alecu
    Presentation Transcript

    • Playing boogie buggy (Bogdan ALECU)
    • Topics
      ▪ About me
      ▪ The buggy world
      ▪ Where does your data go?
    • About me
      ▪ Independent security researcher
      ▪ Sysadmin @ LEVI9
      ▪ Passionate about security, especially when it's related to mobile devices; CISSP, CEH, CISA, CCSP
      ▪ #infosec conferences: DeepSec, DefCamp, EUSecWest
      ▪ Started with NetMonitor, continued with VoIP and finally GSM networks / mobile phones
      ▪ @msecnet / www.m-sec.net / alecu@m-sec.net
    • The buggy world
      ▪ Developers
      ▪ Testers
      ▪ Customers
      ▪ How do you test?
      ▪ But is it enough?
    • The buggy world: READY FOR SOME REAL LIFE EXAMPLES?
    • The buggy world (real-life example screenshots, image-only slides)
      ▪ NEVER trust the user's input!
    • The buggy world
      ▪ 20K application
      ▪ Two factor authentication
      ▪ ACL IP
      ▪ User authenticated automatically if … coming from the right internal IP
    • The buggy world: PLEASE CHECK YOUR HEADERS
    • The buggy world
      ▪ How was the IP address checked?
    • The buggy world
      ▪ X-FORWARDED-FOR HTTP header
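What the IP-ACL bug on these slides looks like in code, as an added example that is not from the talk: the check that believes X-Forwarded-For from any client, beside a version that uses the TCP peer address and honours the header only when the peer is a known reverse proxy. The internal range, the proxy address and the request values are assumptions.

```python
import ipaddress

# Assumed values (not from the talk): the "right internal IP" range and the
# address of the only reverse proxy allowed to set X-Forwarded-For.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_vulnerable(remote_addr, headers):
    """The bug on the slides: X-Forwarded-For is believed no matter who sent it.
    Any client can put an internal address there and skip the second factor."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, headers):
    """Start from the TCP peer address. Honour X-Forwarded-For only when the
    peer is a trusted proxy, and take the right-most hop that is not one of
    our proxies (that is the entry our proxy appended). Returns None when the
    header is missing or malformed, which the ACL treats as 'deny'."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is untrusted, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: do not guess
        if ip not in TRUSTED_PROXIES:
            return ip
    return None  # proxy forwarded nothing usable


def auto_login_allowed(ip):
    """The slide's rule: no second factor when the caller is on the internal range."""
    return ip is not None and ip in INTERNAL_NET


# Constructed request: an external client that writes the header itself.
SPOOFED_REQUEST = ("203.0.113.7", {"X-Forwarded-For": "10.0.0.42"})
# Constructed request: the same client seen through the trusted proxy, which
# appended the real peer address after the client's forged entry.
PROXIED_REQUEST = ("10.0.0.5", {"X-Forwarded-For": "10.0.0.42, 203.0.113.7"})

if __name__ == "__main__":
    print("vulnerable:", auto_login_allowed(client_ip_vulnerable(*SPOOFED_REQUEST)))
    print("hardened:  ", auto_login_allowed(client_ip_hardened(*SPOOFED_REQUEST)))
    print("proxied:   ", auto_login_allowed(client_ip_hardened(*PROXIED_REQUEST)))
```

The log line such a server writes should record both the peer address and the header value, so a later review can tell a forged entry from a genuine internal caller.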
    • The buggy world
      ▪ Modify Headers – Firefox Extension
      ▪ https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
    • The buggy world (image-only slide)
    • The buggy world
      ▪ Try accessing the website while pretending to be browsing from your mobile device
      ▪ You would be surprised by the instant access you get
      ▪ No luck? Try Googlebot!
      ▪ If your log shows a sensitive access being made by GoogleBot, will you worry?
    • The buggy world
      ▪ Those damn headers … DEMO time
    • The buggy world
      ▪ Having the right headers (security by obscurity) can open a lot of doors
    • The buggy world
      ▪ Those damn headers … AGAIN! Yet another demo
    • The buggy world
      ▪ Don't bullshit me: admit your weakness!
    • The buggy world
      ▪ Implementation gone wild
      ▪ How many of you use the Internet on your mobile device?
      ▪ Do you know what DNS is?
    • The buggy world
      ▪ Set up a VPN server on port 53, UDP (DNS port) … and connect to your server … pass the traffic to the Internet: UNLIMITED MOBILE DATA TRAFFIC!
    • The buggy world (image-only slide)
    • The buggy world
      ▪ The standard itself may have issues
    • The buggy world
      ▪ SIM Toolkit (image slides)
    • The buggy world
      ▪ SIM Toolkit
      ▪ Vulnerability discovered in June 2010
      ▪ Reported on August 26 2010
      ▪ CVE-2010-3612
    • The buggy world (image-only slides)
    • The buggy world
      ▪ SIM Toolkit … and the demo
    • The buggy world
      ▪ FIX THIS NOW!
    • Where does your data go?
    • Where does your data go?
      ▪ Is the data securely transferred?
      ▪ What info is the app sending?
      ▪ When does it send the info?
      ▪ Does the app accept any certificate?
      ▪ What is stored locally?
    • Where does your data go?
      ▪ Mallory gateway: http://intrepidusgroup.com/insight/2010/12/mallory-and-me-setting-up-a-mobile-mallory-gateway/
    • Where does your data go?
      ▪ Short demo
    • Call to action
      ▪ Don't rely on things that most users have no idea how to check to decide if your app is secure. You might meet someone like me and it will get ugly
      ▪ Write your code in a secure way
      ▪ Testers: learn how to really test mobile apps. It's not all about the usage experience!
    • The end?!?
      Thank you all! Don't forget about feedback forms
      www.m-sec.net / @msecnet