Bogdan Alecu: Playing buggy Codecamp

•Download as PPTX, PDF•

1 like•381 views

Codecamp Iasi 2013 - Playing buggy Bogdan Alecu presents some real world examples of bugs, specially the ones related to mobile security For more info go to www.m-sec.net

Technology

Topics
▪ About me
▪ The buggy world
▪ Where does your data go?
Bogdan ALECU

About me
Bogdan ALECU
▪ Independent security researcher
▪ Sysadmin @ LEVI9
▪ Passionate about security, specially when it’s related to
mobile devices, CISSP, CEH, CISA,CCSP
▪ #infosec conferences: DeepSec, DefCamp, EUSecWest
▪ Started with NetMonitor, continued with VoIP and finally
GSM networks / mobile phones
▪ @msecnet / www.m-sec.net / alecu@m-sec.net

The buggy world
Bogdan ALECU
▪Developers
▪Testers
▪Customers
▪How do you test?
▪But is it enough?

The buggy world
Bogdan ALECU
READY FOR SOME
REAL LIFE EXAMPLES?

The buggy world
Bogdan ALECU
© Prisacaru Anatolie

The buggy world
Bogdan ALECU
NEVER trust the user’s input!

The buggy world
Bogdan ALECU
▪ 20K application
▪ Two factor authentication
▪ ACL IP
▪ User authenticated automatically if …
… coming from the right internal IP

The buggy world
Bogdan ALECU
PLEASE CHECK YOUR
ERS

The buggy world
Bogdan ALECU
▪How was the IP address checked?

The buggy world
Bogdan ALECU
▪ X-FORWARDED-FOR HTTP header

The buggy world
Bogdan ALECU
▪ Modify Headers – Firefox Extension
▪ https://addons.mozilla.org/en-US/firefox/addon/modify-headers/

The buggy world
Bogdan ALECU
▪ Try accessing the website while pretending
to be browsing from your mobile device
▪ You would be surprised of the instant
access you get
▪ No luck? Try Googlebot!
▪ If your log shows a sensitive access being
made by GoogleBot, will you worry ?

The buggy world
Bogdan ALECU
▪ Those damn headers …
DEMO time

The buggy world
Bogdan ALECU
▪ Having the right headers (security by
obscurity) can open a lot of doors

The buggy world
Bogdan ALECU
▪ Those damn headers … AGAIN!
Yet another demo

The buggy world
Bogdan ALECU
▪ Don’t bullshit me: admit your weakness!

The buggy world
Bogdan ALECU
▪Implementation gone wild
▪ How many of you use the Internet on
your mobile device?
▪ Do you know what DNS is?

The buggy world
Bogdan ALECU
Setup a VPN server on port 53, UDP (DNS
port)
… and connect to your server
… pass the traffic to the Internet
UNLIMITED
MOBILE DATA TRAFFIC!

The buggy world
Bogdan ALECU
▪ The standard itself may have issues

The buggy world
Bogdan ALECU
▪SIM Toolkit

The buggy world
Bogdan ALECU
▪ SIM Toolkit
▪ Vulnerability discovered in June 2010
▪ Reported on August 26 2010
▪ CVE-2010-3612

The buggy world
Bogdan ALECU
▪ SIM Toolkit
… and the demo

The buggy world
Bogdan ALECU
▪ FIX THIS NOW!

Where does your data go?
Bogdan ALECU
▪Is the data securely transferred?
▪What info is the app sending?
▪When does it sends the info?
▪Does the app accept any certificate?
▪What is it stored locally?

Where does your data go?
Bogdan ALECU
▪Mallory gateway
http://intrepidusgroup.com/insight/
2010/12/mallory-and-me-setting-
up-a-mobile-mallory-gateway/

Where does your data go?
Bogdan ALECU
▪ Short demo

Call to action
Bogdan ALECU
▪ Don’t rely on thing that most users have no
idea how to check if your app is secure.
You might meet someone like me and it
will get ugly 
▪ Write your code in a secure way
▪ Testers: learn how to really tests mobile
apps. It’s not all about the usage
experience!

The end?!?
Bogdan ALECU
Thank you all!
Don’t forget about feedback
forms
www.m-sec.net / @msecnet

This document summarizes a presentation about security issues in mobile applications. It discusses how developers, testers, and users can contribute to bugs, provides real-world examples of bugs like vulnerabilities in IP address checking and SMS message handling, and demonstrates attacks. It also addresses privacy concerns like what user data apps send and where it is stored, and promotes writing secure code, thorough testing, and considering attacks from skilled researchers.

Digital_sig2012_03a

hewie

The document provides a list of criteria for selecting a camcorder. It lists features such as low light mode, optical and digital zoom, HDMI and AV outputs, full HD 1080p recording, H.264 video capture, built-in memory, USB port, color night view, image stabilization, external microphone jack, rechargeable battery or AC power, infrared night vision, built-in LED video light, support for SD/SDHC/SDXC memory cards up to 32GB/64GB, 2.7-3 inch widescreen LCD, compatibility with Eye-Fi memory cards, built-in WiFi, recording in AVCHD or MP4 formats, smart auto and face detection features, time-

Atac asupra SIM Toolkit - Bogdan Alecu

msecnet

Securitate mobila - SMS by Bogdan Alecu

msecnet

Elementary procedures for Circuit-Switched (CS) Call Control (CC) in 3GPP

Louis K. H. Kuo

The document provides an overview of elementary procedures for circuit-switched call control in 3GPP networks. It describes the background of related protocol layers and planes. Call control manages call establishment, clearing, information, and miscellaneous procedures. The main call types are mobile-originated, mobile-terminated, and network-initiated mobile-originated calls. Standard L3 messages follow specific formats and structures, and the call state is represented by state diagrams and message flow diagrams.

The impact of innovation on travel and tourism industries (World Travel Marke...

Brian Solis

Open Source Creativity

Sara Cannon

We’re all trying to find that idea or spark that will turn a good project into a great project. Creativity plays a huge role in the outcome of our work. Harnessing the power of collaboration and open source, we can make great strides towards excellence. Not just for designers, this talk can be applicable to many different roles – even development. In this talk, Seasoned Creative Director Sara Cannon is going to share some secrets about creative methodology, collaboration, and the strong role that open source can play in our work.

Reuters: Pictures of the Year 2016 (Part 2)

maditabalnco

Gadgetbridge, a free and open source project, has existed since 2015 to allow wearable device customers to use their hardware without being tied to the online services of the manufacturers. The small but very focused and capable technical community working on the basic functionalities such as retrieving the various data from the wearables (detected activities, sleep, pulse per minute, peripheral oxygen saturation, ...) lacks the expertise on specialised algorithms that could help to perform advanced analysis/diagnostics. The goal of this talk is to explore a potential collaboration between our communities: Gadgetbridge provides local-only support for an extensive list of wearable devices and a community of engineers and privacy minded users, Data4SmartHealth might contribute advanced algorithms and AI on edge devices.

Introduction to PhoneGap

Raymond Camden

PhoneGap is an open source framework that allows developers to build mobile apps using HTML, CSS, and JavaScript. It works by wrapping web applications in wrappers for each mobile operating system so they can access native device APIs and app stores. Key features include access to device capabilities like the camera, geolocation, contacts and more. It supports building apps for Android, iOS, BlackBerry and other platforms.

JS Fest 2019. Sebastian Golasch. The Universal Serial Web

JSFestUA

As a web developer it´s easy to feel intimidated by the world of hardware hacking and the physical web, we have to leave our comfort zone and need to get familiar with a completely new development environment. But not anymore, thanks to wonderful possibilities that the WebUSB Api brings to our browsers. In this talk I will give an intro to the endless wonders we can encounter in the hardware world through our browser windows. Aside from leaerning the basics of USB and serial port communication, we´ll paint on USB displays, live tweet to receipt printers, control an Arduino, steal data from Android phones and many more… The only limit is your imagination.

Internet of Things

Andy Gelme

Neo900: Crafting The Private Phone

Sebastian Krzyszkowiak

A tale of the Neo900 project about the obstacles on its way to achieve The Ultimate Private Phone. What are the threats for smartphone user's privacy? How to deal with them? Is it possible to make a phone that will protect us so well that it will let us forget about privacy at all? The talk has been given via videoconference on 2014-11-29 at OpenPhoenux Hard- and Software Workshop 2014 in Garching, Munich. Recording: https://www.youtube.com/watch?v=ahPFCFooBv0&list=PL-s0IumBit8Mofxj0Fn2kH6RB9VtnKS4K

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

DefCamp

This document summarizes a presentation about exploiting HTTP headers and data traffic on mobile networks. The presentation discusses how mobile operators identify users for billing purposes using HTTP headers containing phone numbers. It describes finding the relevant headers through research and testing various operators. Methods explored for spoofing these headers include modifying browser user-agent strings and HTTP headers to impersonate other users both within and outside the target network. The document cautions that the demonstrations are only examples and outlines responsible disclosure efforts.

Developing wearable technology apps quickly

Raul Chong

The document outlines the agenda for a meetup on developing wearable technology applications. The agenda includes presentations on Myo, Oculus Rift, Kiwi Move and other products. It also discusses connecting wearable apps to Bluemix and using Node-RED for building IoT flows. The document provides an overview of different wearable devices, their programming languages and potential use cases. It promotes connecting the devices to IBM Cloud services like Cloudant and Bluemix for building applications.

Getting started with IoT with only your Laptop - July 2019 - Digital Lincoln

Peter Gallagher

Hyper Island - 2012

Detectify

SWONtech News, January 2012

SWON Libraries Consortium

This document summarizes technology news from January 2012. It discusses the introduction of ultrabooks as slim laptops to compete with tablets and smartphones. It also covers the new Thunderbolt and 802.11ac WiFi standards that enable faster data transfer speeds. Several new networked devices are highlighted, including smart home products. Color e-readers using Mirasol and e-ink displays are previewed. Security issues like the Zappos data breach and vulnerabilities in WiFi Protected Setup are addressed. The stalling of the controversial Stop Online Piracy Act is also noted.

Getting started with IoT with only your Laptop - March 2019 - DDD North

Peter Gallagher

Introduction google glass en - rev 20 - codemotion

Codemotion

The document discusses Google Glass, including its technical specifications, how it works, programming options using the Mirror API and GDK, the Glass Explorer program, and the speaker's thoughts after using Glass for 1.5 years. Some key points covered include the capabilities of Glass, how it is controlled through voice commands and gestures, and development options for creating Glassware applications either on a server or directly on the device.

Getting started with IoT with only your Laptop - March 2019 - IoT Leeds

Peter Gallagher

The Universal Serial Web @HolyJS

asciidisco

Building Droids with JavaScript

Andrew Fisher

JavaScript is finding its way further and further out of the browser. Only a couple of years ago, if someone had said they wanted to build robots only using JS you'd think they were crazy. Having tried it at the time those naysayers were correct - it was a disaster. Recently, particularly as a result of the nodebots project, JS Robotics has started to come of age and it's now possible to build simple robots using JavaScript for the majority of the stack - everything from control and sensing to motors to lights, AI and computer vision. This talk will give an overview of what's currently possible, where the current gotchas are, how to get started and have some interactive elements that can be played with during or after the session. Andrew is a creator & destroyer of things that combine mobile web, ubicomp and lots of data. Sometime programmer, interaction researcher & CTO @ JBA. Be Responsive meetup / Melbourne Geek Night Crossover night September 2014

AstriCon 2015: WebRTC: How it Works, and How it Breaks

Mojo Lingo

WebRTC is an exciting new technology, perhaps the most exciting thing to happen to voice communication since the invention of Voice over IP. With WebRTC, we are no longer limited to a disjointed communication experience with poor quality audio on antiquated networks. Now we have the ability to put high-definition audio and video where it will have the most impact: right in line with the business processes that benefit the most from it. This session will present an overview of how WebRTC works, reviewing both the network services that support it and the user-facing software that delivers it. We will look at how Asterisk can be used to give WebRTC additional capabilities that aren’t possible with browsers alone, and how to deploy Asterisk to get the most out of this powerful combination. As with all new technology, however, there are rough edges. In the final part of this presentation, we will look at the common ways that WebRTC can break down, from technical deployment problems to user interface and design issues. These lessons are drawn from real-world experience deploying WebRTC over the last 3 years and multiple applications that are in production today.

Getting started with IoT with only your Laptop - February 2019 - Lancs Tech T...

Peter Gallagher

The document is a presentation about getting started with IoT using only a laptop. It discusses various hardware options like the BBC micro:bit, Arduino Uno, MXChip AZ3166 and Raspberry Pi that can be programmed from a laptop. It also provides links to software like Microsoft MakeCode, TinkerCAD and emulators that allow prototyping IoT projects without physical hardware. An example IoT application of monitoring cow health is presented. The presentation aims to excite and encourage attendees to start building their own IoT projects.

Google glass

baabtra.com - No. 1 supplier of quality freshers

This document provides an overview of Google Glass. It discusses what Google Glass is, its key components and technologies, how it works, its main features and functions. The document also outlines the advantages and disadvantages of Google Glass, as well as its future applications and scope. It concludes that Google Glass is a pioneering wearable technology that has the potential to revolutionize mobile computing despite current limitations.

Don Bailey - A Million Little Tracking Devices

Source Conference

This document discusses how embedded devices with cellular connectivity and GPS capabilities could potentially be exploited and used to track individuals without their consent. It describes how an attacker could send commands via SMS to intercept location data from compromised tracking devices. It also explains how an attacker could potentially impersonate targets by spoofing location data responses over HTTP. The document recommends ways for companies to better secure such devices, such as using encrypted communications and restricting device access.

Hacking with paper

Sumedt Jitpukdebodin

Sumedt Jitpukdebodin explains paper hacking, which involves creating malicious QR codes that, when scanned, exploit vulnerabilities on mobile devices. The process involves: 1. Creating evil websites that exploit Android and iPhone vulnerabilities or perform phishing. 2. Mapping the evil sites online using services like DyDNS and NoIP. 3. Generating QR codes linked to the evil sites using free online or mobile apps. 4. Socially engineering people into scanning the QR codes, such as at events or on social media. 5. When scanned, the QR codes redirect devices to the evil sites to carry out exploits or phishing depending on the device type. The goal is

Mind map of terminologies used in context of Generative AI

Kumud Singh

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Similar to Bogdan Alecu: Playing buggy Codecamp

SFSCON23 - Daniele Gobbetti - Gimme! Gimme! Gimme! (Some good algorithms)

South Tyrol Free Software Conference

Introduction to PhoneGap

Raymond Camden

JS Fest 2019. Sebastian Golasch. The Universal Serial Web

JSFestUA

Internet of Things

Andy Gelme

Neo900: Crafting The Private Phone

Sebastian Krzyszkowiak

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

DefCamp

Developing wearable technology apps quickly

Raul Chong

Getting started with IoT with only your Laptop - July 2019 - Digital Lincoln

Peter Gallagher

Hyper Island - 2012

Detectify

SWONtech News, January 2012

SWON Libraries Consortium

Getting started with IoT with only your Laptop - March 2019 - DDD North

Peter Gallagher

Introduction google glass en - rev 20 - codemotion

Codemotion

Getting started with IoT with only your Laptop - March 2019 - IoT Leeds

Peter Gallagher

The Universal Serial Web @HolyJS

asciidisco

Building Droids with JavaScript

Andrew Fisher

AstriCon 2015: WebRTC: How it Works, and How it Breaks

Mojo Lingo

Getting started with IoT with only your Laptop - February 2019 - Lancs Tech T...

Peter Gallagher

Google glass

baabtra.com - No. 1 supplier of quality freshers

Don Bailey - A Million Little Tracking Devices

Source Conference

Hacking with paper

Sumedt Jitpukdebodin

Similar to Bogdan Alecu: Playing buggy Codecamp (20)

SFSCON23 - Daniele Gobbetti - Gimme! Gimme! Gimme! (Some good algorithms)

Introduction to PhoneGap

JS Fest 2019. Sebastian Golasch. The Universal Serial Web

Internet of Things

Neo900: Crafting The Private Phone

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Developing wearable technology apps quickly

Getting started with IoT with only your Laptop - July 2019 - Digital Lincoln

Hyper Island - 2012

SWONtech News, January 2012

Getting started with IoT with only your Laptop - March 2019 - DDD North

Introduction google glass en - rev 20 - codemotion

Getting started with IoT with only your Laptop - March 2019 - IoT Leeds

The Universal Serial Web @HolyJS

Building Droids with JavaScript

AstriCon 2015: WebRTC: How it Works, and How it Breaks

Getting started with IoT with only your Laptop - February 2019 - Lancs Tech T...

Google glass

Don Bailey - A Million Little Tracking Devices

Hacking with paper

Recently uploaded

Mind map of terminologies used in context of Generative AI

Kumud Singh

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

How to use Firebase Data Connect For Flutter

Daiki Mogmet Ito

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

OpenID AuthZEN Interop Read Out - Authorization

David Brossard

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

TrustArc Webinar - 2024 Global Privacy Survey

TrustArc

How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024? In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe. This webinar will review: - The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey - The top challenges for privacy leaders, practitioners, and organizations in 2024 - Key themes to consider in developing and maintaining your privacy program

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/ Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit. In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing. van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.

Things to Consider When Choosing a Website Developer for your Website | FODUU

FODUU

HCL Notes and Domino License Cost Reduction in the World of DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

Taking AI to the Next Level in Manufacturing.pdf

ssuserfac0301

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

SitimaJohn

Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

UI5 Controls simplified - UI5con2024 presentation

Wouter Lemaire

Infrastructure Challenges in Scaling RAG with Custom AI models

Zilliz

Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.

Recently uploaded (20)

Mind map of terminologies used in context of Generative AI

Removing Uninteresting Bytes in Software Fuzzing

Best 20 SEO Techniques To Improve Website Visibility In SERP

How to use Firebase Data Connect For Flutter

How to Get CNIC Information System with Paksim Ga.pptx

OpenID AuthZEN Interop Read Out - Authorization

Microsoft - Power Platform_G.Aspiotis.pdf

Columbus Data & Analytics Wednesdays - June 2024

Climate Impact of Software Testing at Nordic Testing Days

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

TrustArc Webinar - 2024 Global Privacy Survey

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Things to Consider When Choosing a Website Developer for your Website | FODUU

HCL Notes and Domino License Cost Reduction in the World of DLAU

Taking AI to the Next Level in Manufacturing.pdf

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

National Security Agency - NSA mobile device best practices

“I’m still / I’m still / Chaining from the Block”

UI5 Controls simplified - UI5con2024 presentation

Infrastructure Challenges in Scaling RAG with Custom AI models

Bogdan Alecu: Playing buggy Codecamp

2. Playing boogie buggy Bogdan ALECU

3. Topics ▪ About me ▪ The buggy world ▪ Where does your data go? Bogdan ALECU

4. About me Bogdan ALECU ▪ Independent security researcher ▪ Sysadmin @ LEVI9 ▪ Passionate about security, specially when it’s related to mobile devices, CISSP, CEH, CISA,CCSP ▪ #infosec conferences: DeepSec, DefCamp, EUSecWest ▪ Started with NetMonitor, continued with VoIP and finally GSM networks / mobile phones ▪ @msecnet / www.m-sec.net / alecu@m-sec.net

5. The buggy world Bogdan ALECU ▪Developers ▪Testers ▪Customers ▪How do you test? ▪But is it enough?

6. The buggy world Bogdan ALECU READY FOR SOME REAL LIFE EXAMPLES?

7. The buggy world Bogdan ALECU

8. The buggy world Bogdan ALECU

9. The buggy world Bogdan ALECU

11. The buggy world Bogdan ALECU NEVER trust the user’s input!

12. The buggy world Bogdan ALECU

13. The buggy world Bogdan ALECU NEVER trust the user’s input!

14. The buggy world Bogdan ALECU

15. The buggy world Bogdan ALECU NEVER trust the user’s input!

16. The buggy world Bogdan ALECU

17. The buggy world Bogdan ALECU ▪ 20K application ▪ Two factor authentication ▪ ACL IP ▪ User authenticated automatically if … … coming from the right internal IP

18. The buggy world Bogdan ALECU PLEASE CHECK YOUR ERS

19. The buggy world Bogdan ALECU ▪How was the IP address checked?

20. The buggy world Bogdan ALECU ▪ X-FORWARDED-FOR HTTP header

21. The buggy world Bogdan ALECU ▪ Modify Headers – Firefox Extension ▪ https://addons.mozilla.org/en-US/firefox/addon/modify-headers/

22. The buggy world Bogdan ALECU

23. The buggy world Bogdan ALECU ▪ Try accessing the website while pretending to be browsing from your mobile device ▪ You would be surprised of the instant access you get ▪ No luck? Try Googlebot! ▪ If your log shows a sensitive access being made by GoogleBot, will you worry ?

24. The buggy world Bogdan ALECU ▪ Those damn headers … DEMO time

25. The buggy world Bogdan ALECU

26. The buggy world Bogdan ALECU ▪ Having the right headers (security by obscurity) can open a lot of doors

27. The buggy world Bogdan ALECU ▪ Those damn headers … AGAIN! Yet another demo

28. The buggy world Bogdan ALECU

29. The buggy world Bogdan ALECU ▪ Don’t bullshit me: admit your weakness!

30. The buggy world Bogdan ALECU ▪Implementation gone wild ▪ How many of you use the Internet on your mobile device? ▪ Do you know what DNS is?

31. The buggy world Bogdan ALECU Setup a VPN server on port 53, UDP (DNS port) … and connect to your server … pass the traffic to the Internet UNLIMITED MOBILE DATA TRAFFIC!

32. The buggy world Bogdan ALECU

33. The buggy world Bogdan ALECU ▪ The standard itself may have issues

34. The buggy world Bogdan ALECU ▪SIM Toolkit

35. The buggy world Bogdan ALECU ▪SIM Toolkit

36. The buggy world Bogdan ALECU ▪ SIM Toolkit ▪ Vulnerability discovered in June 2010 ▪ Reported on August 26 2010 ▪ CVE-2010-3612

37. The buggy world Bogdan ALECU

38. The buggy world Bogdan ALECU

39. The buggy world Bogdan ALECU ▪ SIM Toolkit … and the demo

40. The buggy world Bogdan ALECU ▪ FIX THIS NOW!

41. Where does your data go? Bogdan ALECU

42. Where does your data go? Bogdan ALECU ▪Is the data securely transferred? ▪What info is the app sending? ▪When does it sends the info? ▪Does the app accept any certificate? ▪What is it stored locally?

43. Where does your data go? Bogdan ALECU ▪Mallory gateway http://intrepidusgroup.com/insight/ 2010/12/mallory-and-me-setting- up-a-mobile-mallory-gateway/

44. Where does your data go? Bogdan ALECU ▪ Short demo

45. Where does your data go? Bogdan ALECU

46. Call to action Bogdan ALECU ▪ Don’t rely on thing that most users have no idea how to check if your app is secure. You might meet someone like me and it will get ugly  ▪ Write your code in a secure way ▪ Testers: learn how to really tests mobile apps. It’s not all about the usage experience!

47. The end?!? Bogdan ALECU Thank you all! Don’t forget about feedback forms www.m-sec.net / @msecnet

Bogdan Alecu: Playing buggy Codecamp

Recommended

Recommended

More Related Content

Similar to Bogdan Alecu: Playing buggy Codecamp

Similar to Bogdan Alecu: Playing buggy Codecamp (20)

Recently uploaded

Recently uploaded (20)

Bogdan Alecu: Playing buggy Codecamp