by Axelle Apvrille & Ange Albertini
presented at BlackHat Europe 2014, in Amsterdam
PoC: https://github.com/cryptax/angeapk
AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/
2. What is this all about?
Read the title! ;)
Hiding Android Applications in ... images
BlackHat Europe 2014 - A. Apvrille, A. Albertini 2/24
7. Who are we?
Axelle
axelle = {
    "realname": "Axelle Apvrille",
    "job": "Mobile/IoT Malware Analyst and Research",
    "company": "Fortinet, FortiGuard Labs" }
Ange
ange = {
    "realname": "Ange Albertini",
    "hobby": "Corkami" }
8. What is this?
Nice? Thanks that’s GIMP art from me ;)
9. It’s an image!
file says...
anakin.png: PNG image data, 636298042 x 1384184774, 19-bit
PNG file format
89 50 4e 47 0d 0a 1a 0a 00 01 b4 40 61 61 61 61 |.PNG.......@a
25 ed 23 3a 52 80 fb c6 13 cc 54 4d 74 f5 78 87 |%.#:R.....TMt
ba 7d b5 f6 93 63 43 f0 e0 b9 99 9b 37 06 cc 8f |.}...cC.....7
32 59 5b 55 da 14 e2 87 68 f7 89 e5 88 14 fe 76 |2Y[U....h....
3e 0b cd 65 ec c4 7a 71 4d 95 c0 4e de 48 30 91 |>..e..zqM..N.
...
10. It is more than that!
[Diagram] Valid PNG --AES decrypt--> Valid Android Package (APK)
11. Embed this "PNG" in an Android app?
Imagine... if that PNG/APK is malicious!
(Nearly) invisible to reverse engineering: the Android app is encrypted
Arg! What will I see?
A fat image
The wrapping application: code that decrypts an asset, code that loads/installs an application
But that depends how well the wrapping app is written. It can be obfuscated...
13. In case the demo crashes - lol
The APK looks genuine
Archive: PocActivity-debug.apk
Length Date Time Name
--------- ---------- ----- ----
508720 2014-09-11 13:41 assets/anakin.png
1272 2014-09-11 14:03 res/layout/main.xml
1988 2014-09-11 14:03 AndroidManifest.xml
1444 2014-09-11 14:03 resources.arsc
7515 2014-09-11 14:03 res/drawable-hdpi/logo.png
2455 2014-09-11 14:03 res/drawable-ldpi/logo.png
4471 2014-09-11 14:03 res/drawable-mdpi/logo.png
8856 2014-09-11 14:03 classes.dex
634 2014-09-11 14:03 META-INF/MANIFEST.MF
687 2014-09-11 14:03 META-INF/CERT.SF
776 2014-09-11 14:03 META-INF/CERT.RSA
--------- -------
538818 11 files
14. In case the demo crashes - lol
The image looks genuine: assets/anakin.png
Perhaps a bit 'fat': 508720 bytes (≈ 500K) for 382x385 pixels
16. In case the demo crashes - lol
adb install WrappingApk.apk
We could use DexClassLoader to hide this
Payload gets executed
22. How do we do that?
1. We write a payload APK
2. We encrypt it using AngeCryption: it looks like a valid PNG
3. We hack it (a little)
4. We implement another APK containing the PNG
27. AES encryption in practice
key: 'MySecretKey12345', block: 'a block of text.'
key: 'MySecretKey12346', block: 'a block of text.'
key: 'MySecretKey12345', block: 'a block of text!'
28. Can we control the output?
With a tiny change in the key or the block, the output block is completely different
We can't control the output
The output block is (more or less) 'unpredictable'
Yes, we can!
But there's a trick - AngeCryption
31. Controlling AES with AngeCryption
It will look the same ... but be slightly different
The APK will look the same to Android
The PNG will look the same to our eyes
[Diagram] Manipulate the plaintext (APK) so that it encrypts to this PNG: Android does not see the diff, your eye does not see the diff
32. Trick no. 1: dummy PNG chunk
Header: 0x89 'P' 'N' 'G' \r \n 0x1a \n
Chunk length
Chunk Id
Chunk data
Chunk CRC32
[Diagram] APK --AES encrypt--> PNG (with the dummy chunk), PNG --AES decrypt--> APK
34. Trick no. 2: appended zip data
[Diagram] Payload APK, EOCD 1, AES^-1( ... Anakin Skywalker ... ), EOCD 2: all of it together is the APK
35. Crypto background
AES is a block cipher
It can only process a block of 16 bytes
36. What if my plaintext is longer?!
Chaining - 101
We use chaining
We apply AES on each block
... well, that's for ECB (Electronic Code Book). Not very good.
Other chainings
CBC, CFB, OFB... (see FIPS 81)
We'll use CBC: Cipher Block Chaining
37. Cipher Block Chaining (CBC) - 101
IV is Initialization Vector
Trick no.3: controlling first block
We have our plaintext P0 and ciphertext C0
We select a key K
We compute IV: IV = AES_K^-1(C0) ⊕ P0
38. Trick no.4: controlling other blocks
Basically... obvious!
Encrypting then decrypting is like doing nothing, and reciprocally
Want ciphertext to be bitmap of Anakin?
Select plaintext = AES^-1(bitmap of Anakin)
AES(plaintext) = AES(AES^-1(bitmap of Anakin)) = bitmap of Anakin
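Slides 37 and 38 give the two equations; the Python below, added here as an illustration and not code from the talk or from the AngeCryption PoC, runs them end to end. It uses a small Feistel block cipher built from SHA-256 in place of AES (an assumption made so the block runs on the standard library alone; the algebra only needs an invertible 16-byte block permutation, so AES_K and AES_K^-1 drop in unchanged), the key and plaintext block from slide 27, and the first 32 bytes of the slide-9 hex dump as the chosen ciphertext. It also carries trick no. 4 through CBC in full: for block i the chosen plaintext is AES_K^-1(C_i) ⊕ C_{i-1} (slide 38 leaves out the XOR with the previous ciphertext block), so every ciphertext block, not only the first, can be dictated by whoever holds the key and IV. That is the point for an analyst: an AES-encrypted asset plus a key in the wrapping app is no evidence of anything, because the app's author chose what the ciphertext looks like.

```python
import hashlib

BLOCK = 16  # AES block size in bytes; the stand-in cipher below keeps it


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # keyed round function of the toy Feistel cipher (assumption: stands in for AES's rounds)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4-round Feistel network. Plays the role of AES_K."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round_function(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: plays the role of AES_K^-1."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round_function(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC as on slide 37: C_i = E_K(P_i XOR C_{i-1}), with C_{-1} = IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)


def forge_iv(key: bytes, p0: bytes, c0: bytes) -> bytes:
    """Trick no. 3 (slide 37): IV = AES_K^-1(C0) XOR P0 makes the first ciphertext block equal C0."""
    return xor(decrypt_block(key, c0), p0)


def forge_plaintext(key: bytes, iv: bytes, target: bytes) -> bytes:
    """Trick no. 4 (slide 38) carried through CBC: P_i = AES_K^-1(C_i) XOR C_{i-1}, C_{-1} = IV.
    Slide 38 writes plaintext = AES^-1(target); the XOR with the previous ciphertext
    block is what CBC adds to that."""
    blocks, prev = [], iv
    for i in range(0, len(target), BLOCK):
        cur = target[i:i + BLOCK]
        blocks.append(xor(decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(blocks)


def bytes_differing(a: bytes, b: bytes) -> int:
    return sum(1 for x, y in zip(a, b) if x != y)


# values taken from the slides
KEY = b"MySecretKey12345"            # slide 27
KEY_TWEAKED = b"MySecretKey12346"    # slide 27, last byte changed
P0 = b"a block of text."             # slide 27, exactly 16 bytes
# slide 9 hex dump, bytes 0..31: PNG signature, dummy-chunk length 0x0001b440, chunk type 'aaaa',
# then the first 16 bytes of the dummy chunk's data
TARGET = (b"\x89PNG\r\n\x1a\n\x00\x01\xb4\x40aaaa"
          b"\x25\xed\x23\x3a\x52\x80\xfb\xc6\x13\xcc\x54\x4d\x74\xf5\x78\x87")
C0 = TARGET[:BLOCK]
P1 = b"second block ok!"             # constructed second plaintext block, 16 bytes


def run_demo() -> dict:
    iv = forge_iv(KEY, P0, C0)
    ct = cbc_encrypt(KEY, iv, P0 + P1)
    chosen = forge_plaintext(KEY, iv, TARGET)
    return {
        # trick 3: the first 16 ciphertext bytes are the PNG header we asked for
        "first_block_is_png_header": ct[:BLOCK] == C0,
        # trick 4: every ciphertext block can be dictated once the key and IV are ours
        "forged_plaintext_encrypts_to_target": cbc_encrypt(KEY, iv, chosen) == TARGET,
        "roundtrip": cbc_decrypt(KEY, iv, ct) == P0 + P1,
        # slide 28: a one-byte key change scrambles (almost) the whole output block
        "bytes_changed_by_key_tweak": bytes_differing(encrypt_block(KEY, P0),
                                                      encrypt_block(KEY_TWEAKED, P0)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Neither `forge_iv` nor `forge_plaintext` looks inside the block cipher: both only call its inverse, which is why the trick works for AES exactly as it does for the stand-in, and why no cipher choice on the wrapping app's side would have prevented it.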
39. Full picture
APK side (plaintext):
Payload APK
EOCD 1
Appended data = chunks for Anakin
Dummy bytes so that size multiple of 16
EOCD 2
PNG side (ciphertext, after AES encrypt):
File Header
Dummy chunk
Chunk CRC32
Chunk IHDR, Chunk(s) IDAT, Chunk IEND: containing Anakin Skywalker
AES(Dummy), AES(EOCD): ignored
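The layout on this slide and the symptoms on slides 9 and 14 (a first chunk of type 'aaaa' sitting ahead of IHDR, which is why `file` reported nonsense dimensions, since it expects IHDR at offset 16; about 500K for 382x385 pixels; data after IEND that decoders ignore) are all visible to a plain chunk walker. The Python below is an added example, not code from the talk or from the PoC, that audits a PNG for exactly those traits and additionally looks for a zip end-of-central-directory signature, because the APK side of the polyglot needs EOCD 2 to live in the ignored tail; it then applies the same audit to every .png entry of an APK. The `fat_threshold` of 3 file bytes per pixel is a constructed heuristic, not a number from the talk, and the sample files it builds (a clean RGBA image, the same image with a dummy 'aaaa' chunk and an appended tail, and a two-entry zip mirroring the slide-13 listing) are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_EOCD_SIG = b"PK\x05\x06"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png_chunks(blob: bytes):
    """Walk the chunk list the way a decoder does and stop at IEND.
    Returns (chunks, trailing_bytes); each chunk is (type, data, crc_ok)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, off = [], len(PNG_SIG)
    while off + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        data = blob[off + 8:off + 8 + length]
        crc_raw = blob[off + 8 + length:off + 12 + length]
        if len(data) < length or len(crc_raw) < 4:
            break  # truncated chunk: stop; everything from here counts as trailing
        crc_ok = struct.unpack(">I", crc_raw)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        off += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(blob) - off


def audit_png(blob: bytes, fat_threshold: float = 3.0) -> dict:
    """Flag the structural traits an AngeCryption-style PNG/APK polyglot leaves behind.
    fat_threshold (file bytes per pixel) is a constructed heuristic, not a value from the talk."""
    chunks, trailing = parse_png_chunks(blob)
    types = [t for t, _, _ in chunks]
    findings = []
    if not types or types[0] != b"IHDR":
        findings.append("first chunk is %s, not IHDR" % (types[0] if types else None))
    bad_crc = [t for t, _, ok in chunks if not ok]
    if bad_crc:
        findings.append("chunks with bad CRC32: %s" % bad_crc)
    ihdr = next((d for t, d, _ in chunks if t == b"IHDR"), None)
    bpp = None
    if ihdr is not None and len(ihdr) >= 8:
        width, height = struct.unpack(">II", ihdr[:8])
        if width and height:
            bpp = len(blob) / (width * height)
            if bpp > fat_threshold:
                findings.append("fat image: %.2f file bytes per pixel" % bpp)
    if trailing:
        findings.append("%d bytes after IEND (ignored by decoders)" % trailing)
    eocd = blob.count(ZIP_EOCD_SIG)
    if eocd:
        findings.append("%d zip end-of-central-directory record(s) inside a PNG" % eocd)
    return {"chunk_types": types, "trailing_bytes": trailing,
            "zip_eocd_records": eocd, "bytes_per_pixel": bpp, "findings": findings}


def audit_apk_png_assets(apk_bytes: bytes) -> dict:
    """Audit every .png entry of an APK (a zip); returns {entry name: findings}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".png"):
                report[name] = audit_png(zf.read(name))["findings"]
    return report


# --- constructed samples (not the talk's files) ---
def make_sample_png(width: int, height: int, dummy_first: bool, trailing: bytes) -> bytes:
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)   # 8-bit RGBA, no interlace
    raw = b"".join(b"\x00" + b"\x10\x20\x30\xff" * width for _ in range(height))  # filter-0 rows
    body = [png_chunk(b"IHDR", ihdr), png_chunk(b"IDAT", zlib.compress(raw)), png_chunk(b"IEND", b"")]
    if dummy_first:
        body.insert(0, png_chunk(b"aaaa", b"\x25\xed\x23\x3a" * 4))  # dummy chunk ahead of IHDR
    return PNG_SIG + b"".join(body) + trailing


CLEAN_PNG = make_sample_png(64, 64, dummy_first=False, trailing=b"")
# the tail stands in for the encrypted APK remainder: opaque bytes, then a zip EOCD record
POLYGLOT_PNG = make_sample_png(64, 64, dummy_first=True,
                               trailing=b"\x7f" * 20000 + ZIP_EOCD_SIG + b"\x00" * 18)


def make_sample_apk() -> bytes:
    """A two-entry zip shaped like the slide-13 listing (constructed, not the PoC)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/anakin.png", POLYGLOT_PNG)
        zf.writestr("res/drawable-hdpi/logo.png", CLEAN_PNG)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in audit_apk_png_assets(make_sample_apk()).items():
        print(name, findings or "clean")
```

None of the four checks depends on the key or on recognising the payload; they only ask whether the file is shaped like something an image decoder would produce, which is the question the "fat" 500K asset on slide 14 already invites.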
42. Thank You !
Status
Works on Android 4.4.2
June 2014: Android Security Team notified ≈ fixed
Contact info
Me: @cryptax or aapvrille at fortinet dot com
Ange: @angealbertini or ange at corkami dot com
References
AngeCryption:
http://corkami.googlecode.com/svn/trunk/src/angecryption/
Code: https://github.com/cryptax/angeapk - soon after conf’
Corkami: https://code.google.com/p/corkami/
Fortinet’s blog: http://blog.fortinet.com
Thanks to: @veorq, Android Security Team