The document discusses vulnerabilities in password protection on Blackberry devices. It describes how malware could use keystroke emulation and screen capturing to steal passwords and sensitive information by injecting fake key presses or taking screenshots, even when devices are locked. It provides code examples of how malware could be written to exploit these vulnerabilities by accessing the Blackberry API. The document aims to demonstrate how easily private data could be compromised and provide education on securing devices and applications.
Is Data Secure On The Password Protected Blackberry DeviceYury Chemerkin
People who have ever heard of password utility think the usage of it can protect their private data. There are, however, several ways to steal a lot of information in spite of the fact that device locked by password. These ideas are not complicated to first-time malware developer.
http://hakin9.org/network-security-hakin9-022011/
As the market and demand of smartphones is growing exponentially day by day. The need for security of personal and business data increases as well. Today smart phones are amongst the biggest target by individuals with malicious intent to gain access to data. The need arises for new security methods to come up for the protection of information. The paper presents intuitive and perception based security using Rorschach inkblot like images. These are used to authenticate a user to access their personal data in their android smart phones.
Image Based Password Authentication for Illiterate using Touch screen by Deep...Deepak Yadav
Image based password authentication using touchscreen basically designed for illiterate for their security system.Since image are easily to recall than strings of character.
Is Data Secure On The Password Protected Blackberry DeviceYury Chemerkin
People who have ever heard of password utility think the usage of it can protect their private data. There are, however, several ways to steal a lot of information in spite of the fact that device locked by password. These ideas are not complicated to first-time malware developer.
http://hakin9.org/network-security-hakin9-022011/
As the market and demand of smartphones is growing exponentially day by day. The need for security of personal and business data increases as well. Today smart phones are amongst the biggest target by individuals with malicious intent to gain access to data. The need arises for new security methods to come up for the protection of information. The paper presents intuitive and perception based security using Rorschach inkblot like images. These are used to authenticate a user to access their personal data in their android smart phones.
Image Based Password Authentication for Illiterate using Touch screen by Deep...Deepak Yadav
Image based password authentication using touchscreen basically designed for illiterate for their security system.Since image are easily to recall than strings of character.
After conducting a user survey for the client, my next job was to create a research report which summarized my findings and offered suggestions on how we could improve the client's website based on the needs of the users.
Soloten — Ваш гид в мир корпоративной мобильности. Если Вы думаете, что Ваши сотрудники зарабатывают деньги, уставившись в мониторы, то, скорее всего, Вы ошибаетесь. Отправляйте их на деловые встречи, в командировки, пусть изучают конкурентов и знакомятся с потенциальными клиентами на выставках. Вскоре Вы поймете: им не нужны компьютеры.
Вы можете уже сегодня сокращать офисные расходы, позволив сотрудникам использовать свои собственные мобильные устройства (BYOD), работать там, где им удобно, возвращаться в офис только для рабочих встреч и мозгового штурма. Больше не нужно арендовать огромный офис и покупать персональные компьютеры, которые придется обслуживать и регулярно обновлять.
Introduction to Cybersecurity | IIT(BHU)CyberSecYashSomalkar
This is going to be series of Events around Cybersecurity, If you are lucky enough try to witness it live on our GDSC chapter.
Link of todays Event : https://gdsc.community.dev/events/details/developer-student-clubs-indian-institute-of-technology-varanasi-presents-introduction-to-cybersecurity-learn-to-hack-series/
Socials :
Website: https://copsiitbhu.co.in
LinkedIn : https://linkedin.com/company/cops-iitbhu
Instagram : https://instagram/cops.iitbhu/
Facebook : https://facebook.com/cops.iitbhu/
GitHub : https://github.com/COPS-IITBHU
After conducting a user survey for the client, my next job was to create a research report which summarized my findings and offered suggestions on how we could improve the client's website based on the needs of the users.
Soloten — Ваш гид в мир корпоративной мобильности. Если Вы думаете, что Ваши сотрудники зарабатывают деньги, уставившись в мониторы, то, скорее всего, Вы ошибаетесь. Отправляйте их на деловые встречи, в командировки, пусть изучают конкурентов и знакомятся с потенциальными клиентами на выставках. Вскоре Вы поймете: им не нужны компьютеры.
Вы можете уже сегодня сокращать офисные расходы, позволив сотрудникам использовать свои собственные мобильные устройства (BYOD), работать там, где им удобно, возвращаться в офис только для рабочих встреч и мозгового штурма. Больше не нужно арендовать огромный офис и покупать персональные компьютеры, которые придется обслуживать и регулярно обновлять.
Introduction to Cybersecurity | IIT(BHU)CyberSecYashSomalkar
This is going to be series of Events around Cybersecurity, If you are lucky enough try to witness it live on our GDSC chapter.
Link of todays Event : https://gdsc.community.dev/events/details/developer-student-clubs-indian-institute-of-technology-varanasi-presents-introduction-to-cybersecurity-learn-to-hack-series/
Socials :
Website: https://copsiitbhu.co.in
LinkedIn : https://linkedin.com/company/cops-iitbhu
Instagram : https://instagram/cops.iitbhu/
Facebook : https://facebook.com/cops.iitbhu/
GitHub : https://github.com/COPS-IITBHU
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
https://www.slideshare.net/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
Spyware triggering system by particular string valueIJERD Editor
This computer programme can be used for good and bad purpose in hacking or in any general
purpose. We can say it is next step for hacking techniques such as keylogger and spyware. Once in this system if
user or hacker store particular string as a input after that software continually compare typing activity of user
with that stored string and if it is match then launch spyware programme.
Abstract: Password authentication is one of the simplest and the most convenient authentication mechanisms to deal with secret data over insecure networks. Every user now holds email account for different web sites or holds a username password for their office work in their computer system. In this paper, we shall present the result of our survey through basic currently available password-authentication-related schemes. We know that Apart from getting the password hacked by some intruder, a serious threats comes from the surrounding environment, specially the colleagues, friends or visitors nearby the system. Most of them have a tendency of observing keenly while you cast your password. Here we propose a simple way to provide a new way of password through clicks that would provide a secure mechanism from both the intruders and the people nearby while you type your password in the application.
How to 2FA-enable Open Source Applications (Extended Session)
Presented at: Open Source 101 at Home 2020
Presented by: Mike Schwartz, Gluu
Abstract: Your organization loves open source tools like Wordpress, SuiteCRM, NextCloud, RocketChat, and OnlyOffice... but most of these tools are protected with plain old passwords. You want to use two-factor authentication... but how? In this workshop, you'll learn:
- Which 2FA technologies can be used without paying a license;
- How to enable users to enroll and delete 2FA credentials;
- How to configure open source applications to act as a federated relying party--delegating authentication to a central service
- How custom applications can act as a federated relying party
note: A slide for any presentation should not contain more than 4-5 sentences but this presentation has more than the requirement.So, i suggest you to edit as per your requirement and to make it more effective, you can add animations as well.
Keylogging, one of the unsafe malware, is the movement of recording the keys struck on a console with the end goal that the individual utilizing the console is obscure about the way that their activities are being watched. It has legitimate use in examination of human PC collaboration and is considered as the primary danger for business and individual exercises. It tends to be utilized to catch passwords and other secret data entered by means of the console. Subsequently, counteraction of keylogging is significant and severe validation is needed for it. Planning of secure confirmation conventions is very testing, taking into account that different sorts of root units dwell in Personal Computers to watch clients conduct. There are different keylogging procedures, stretching out from equipment and programming based techniques to acoustic assessment. Human contribution in confirmation conventions, however ensuring, isnt straightforward. This paper surveys different examination regions which spread convention confirmations utilized safely forestalling the representation of keylogging assaults. Dr. C. Umarani | Rajrishi Sengupta "Keyloggers: A Malicious Attack" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd35776.pdf Paper URL : https://www.ijtsrd.com/engineering/computer-engineering/35776/keyloggers-a-malicious-attack/dr-c-umarani
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Search and Society: Reimagining Information Access for Radical Futures
Is data secure on the password protected blackberry device
1.
2. DEFENSE
Is Data Secure on the
Password Protected Blackberry Device?
People who have ever heard of password utility think the usage of
it can protect their private data. There are, however, several ways to
steal a lot of information in spite of the fact that device locked by
password. These ideas are not complicated to first-time malware
developer.
What you will learn…
What you should know…
• Noise typing can bring functional disorder
• Screen capture can make the security system pointless
• Your typing is vulnerability for the password
• basic knowledge about BlackBerry security
H
ow many times have you found them in a
situation that typing a complicated password
you were confused, lost yours train of thought
and forgot on what character are you staying? And what
did you do? Erased already entered 14 or 20 characters,
and re-typed for a new, right? Why? Because your
password hidden behind asterisks. And whether they
should have?
Historically, password behind asterisks could be
help to protect it from bystanders’ villain who doesn’t
mind to steal password. So, doesn’t villain know
another way to steal it by key-loggers, phishing
pages or trojans? More importantly, there’s usually
nobody looking over your shoulder when you log in to
a website. It’s just you, sitting all alone in your office,
suffering reduced usability to protect against a nonissue.
Password masking has proven to be a particularly
nasty usability problem in using mobile devices, where
typing is difficult and typos are common.
Keystroke emulation
Have you ever thought about touchscreen devices as a
vulnerable touch technology? The underlying principle
of direct interaction with screen is just emulation
keystroke.
Most modern smartphones have this feature because
it enhanced ways that devices to communicate to each
other.
A touchscreen is an electronic visual display that
can detect the presence and location of a touch within
the display area. The term generally refers to touching
Did you know?
Usability suffers when users’ type in passwords and the
only feedback they get is a row of bullets. Typically, masking
passwords doesn’t even increase security, but it does cost
your business due to login failures. Providing visualizing
the system status have always been among the most basic
usability principles. Showing asterisks while users enter
complex codes definitely fails to comply.
22
Figure 1. Password attempt quantity
02/2011
3. Is data secure on the password protected blackberry device?
Figure 2. State before unlocking
Figure 4. Noise input
the display of the device with a finger or hand.
Touchscreens can also sense other passive objects,
such as a stylus.
The touchscreen has two main attributes. First, it
enables one to interact directly with what is displayed,
rather than indirectly with a cursor controlled by
a mouse or touchpad. Secondly, it lets one do so
without requiring any intermediate device that would
need to be held in the hand. Such displays can be
attached to computers, or to networks as terminals.
They also play a prominent role in the design of digital
appliances such as the personal digital assistant
(PDA), satellite navigation devices, mobile phones,
and video games.
A keystroke emulator duplicates (provides an
emulation of) the functions of typing or input letters using
a different system, so that the second system behaves
like the first system. This focus on exact reproduction
of external behavior is in contrast to some other forms
of computer simulation, which can concern an abstract
model of the system being simulated. Example, we
are typing message Hi, how’s going... via pressing
hardware keyboard buttons and typing the same text
via touching virtual keyboard buttons displayed on the
screen. Outcome is the same.
Figure 3. Typing correct password
Figure 5. Error password notification
www.hakin9.org/en
Unsecure for the future
All smartphones give their owners a free choice to lock
handheld by password or grant unsecured access.
Password Strength is range of 8 up to 14-18 symbols
with case-sensitive (Figure 1). The major concept
in using the most complex password is main idea
when you’re reading BlackBerry Smartphone tutorial.
You’re obliged to lock your devices! You’re obliged
to use more complex combination! It’s obliged to be
randomness! But think for moment. Can you quickly
say how many symbols are entered up? No is correct
answer.
23
4. DEFENSE
painful alternative is the malware typing unnecessary
symbols whenever it possible. It’s in case OSv4 and
OSv5. In OS v6 your device is blocked for a time is
various from 1 minute to 1 hour (Figure 6).
Malware Design
Figure 6. Device locking time span
Rub up keystroke emulation! So, just imagine malware
product loaded into device memory and waits when
you’re going to unlock handheld by typing your topsecret password. After inputting is half-closed malware
types just the one random letter to make senseless
your unlocking action. And BlackBerry says Wrong
password! Try once again. The 2/10 attempt (Figure 2,
3, 4, 5). Come to think of it that you never can to input
correct password. What’s going on 10 wrong attempts?
One of several BlackBerry secured mechanism is being
activated to wipe out your confidentially information.
What of it! It was high time to do backup. The lesser
Ultimate goal is show what API-routines help us to
design such malware. List of API classes is shall be
import is presented in Listing 1.
The first public class net.rim.blackberry.api.cradle.Cra
dleHandlerRegistry is need to registry for cradle handlers
that are a candidate to be started when a cradle of the
corresponding type is connected.
The second public interface KeyListener gives us the
listener interface for receiving keyboard events (KEY_DOWN
& KEY_UP event to simulate full key pressing).
The third class net.rim.device.api.system.EventInject
or gives us a character input event. So if we can use
physical key injecting events, use EventInjector.KeyCode
Event.
Did you know?
Some API-routings need to be signed in your application by
rim developer keys. If you intend to use this element, please
visit http://www.blackberry.com/go/codesigning to obtain
a set of code signing keys. Code signing is only required
for applications running on BlackBerry smartphones;
development on BlackBerry Smartphone Simulators can
occur without code signing. You can get your develop keys
til 48 hour after registration and payment 20$
Listing 1. API-routines to design malware injector
net.rim.blackberry.api.cradle
net.rim.device.api.system.Characters;
net.rim.device.api.system.EventInjector;
net.rim.device.api.system.KeyListener;
Listing 2. Simulation piece of code without key repeating
VKeyIsDown = new EventInjector.KeyEvent(EventInjector.KeyEvent.KEY_DOWN, Characters.LATIN_SMALL_LETTER_V,
KeyListener.STATUS_NOT_FROM_KEYPAD);
VKeyIsUp = new EventInjector.KeyEvent(EventInjector.KeyEvent.KEY_UP, Characters.LATIN_SMALL_LETTER_V,
KeyListener.STATUS_NOT_FROM_KEYPAD);
Listing 3. Simulation piece of code with key repeating.
VKeyIsDown = new EventInjector.KeyEvent(EventInjector.KeyEvent.KEY_DOWN, Characters.LATIN_SMALL_LETTER_V,
KeyListener.STATUS_NOT_FROM_KEYPAD);
VKeyIsRepeat = new EventInjector.KeyEvent(EventInjector.KeyEvent. KEY_REPEAT, Characters.LATIN_SMALL_LETTER_V,
KeyListener.STATUS_NOT_FROM_KEYPAD);
VKeyIsUp = new EventInjector.KeyEvent(EventInjector.KeyEvent.KEY_UP, Characters.LATIN_SMALL_LETTER_V,
KeyListener.STATUS_NOT_FROM_KEYPAD);
24
02/2011
5. Is data secure on the password protected blackberry device?
EventInjector.KeyCodeEvent is one of them. It’s only
accessible by signed applications. To simulate key
pressing we have to inject a KEY_DOWN event followed
by a KEY_UP event on the same key in the Listing 2. To
duplicate the same character e.g.V you need to add one
more injection via KEY_REPEAT (between VKeyIsDown-line
and VKeyIsUp-line) event like presented in Listing 3.
Keystore Constants
KEY_DOWN – Represents a constant indicating that the key
is in the down position.
KEY_REPEAT – Represents a constant indicating that the key
is in the down position, repeating the character.
KEY_UP – Represents a constant indicating that the key is in
the up position.
STATUS_NOT_FROM_KEYPAD – Status flag indicating that
the inputted value is a char, and has no key association
Figure 8. Stolen image of BlackBerry Messenger
To keep BlackBerry Smartphone user having a
nightmare with typing extra secret password we should
to design time span injection is one (or less) second. It’s
more than enough!
Our finally subroutine is accommodate VKeyIsDown,
VKeyIsRepeat (optionally), VKeyIsUp and time span.
VKeyIsRepeat counter is set quantity of character
duplicate. Piece of code is presented in Listing 4.
Is key logger dead?
A screenshot or screen capture is a static image taken
by the computer to record the visible items displayed on
the monitor, television, or another visual output device.
•
•
•
In software reviews, to show what the software
looks like.
In software tutorials, to demonstrate how to perform
a function.
In technical support troubleshooting, to show error
message or software issues.
Screen shots are also useful to save snippets of
anything you have on your screen, particularly when
it cannot be easily printed. I use screen shots all the
��������������
���������������������
In other words, it is a way of taking a snapshot, or
picture, of your computer screen. Some people also call
it a screen grab or screen dump.
Screen shots can be very helpful when you need to
demonstrate something that would be difficult to explain
in words. Here are just a few examples of situations
where a screen shot can be useful and why:
�������������
Intruder
���������������
���������������������
������������
����������������������
�������
������
��������������
����������������
���������������������
������������
������������
Figure 7. Key Injection Vulnerability Model
www.hakin9.org/en
Figure 9. Stolen image of BlackBerry Browser part 1
25
6. DEFENSE
Figure 10. Stolen image of BlackBerry Browser part 2
Figure 12. Stolen image of chat
time for things I want to save to refer to later, but don’t
necessarily need a printed copy of.
often large. A common problem with video recordings
is the action jumps, instead of flowing smoothly, due to
low frame rate.
For many cases, high frame rates are not required.
This is not generally an issue if simply capturing
desktop video, which requires far less processing
power than video playback, and it is very possible
to capture at 30 frame/s. But it’s enough to log your
keystrokes.
Screen recording
Sometimes, it takes more than a couple of images. 2530 images are picked up during 1 second gives us video
frame. So, the screen recording capability of some
screen capture programs is a time-saving way to create
instructions and presentations, but the resulting files are
Listing 4. Simulation piece of code without key repeating.
Listing 5. API-routines to design malware photo sniffer
EventInjector.invokeEvent(VKeyIsDown);
net.rim.device.api.system.Bitmap;
EventInjector.invokeEvent(VKeyIsRepeat); //
(optionally)
EventInjector.invokeEvent(VKeyIsUp);
Thread.sleep(1000); // TimeSpan 1000 msec (1 sec).
Figure 11. Stolen image of BlackBerry Browser part 3
26
net.rim.device.api.system.Display;
net.rim.device.api.ui.Screen;
net.rim.device.api.ui.Ui;
net.rim.device.api.ui.UiApplication;
Figure 13. Stolen image of photo explorer
02/2011
7. Is data secure on the password protected blackberry device?
Listing 6. API-routines to design malware photo sniffer
Screen vulnerable_screen = Ui.getUiEngine().getActiveScreen();
Bitmap bitmap_of_vulnerable_screen = new Bitmap(vulnerable_screen.getWidth(),vulnerable_screen.getHeight());
Display.screenshot(bitmap_of_vulnerable_screen, 0, 0, vulnerable_screen.getWidth(),vulnerable_
screen.getHeight());
Keystroke logger is only allowed to his own application
on BlackBerry Devices. It means you can’t steal any
information that user might type by keyboard sniffer.
Despite this security feature it still possible to sneak
your password or your messages. Try and remember
uncomfortable feeling when somebody try look into your
device screen. In a different way you can capture and
dump screen image (Figure 8 – 14).
Malware Design
Ultimate goal is show what API-routines help us to
design such malware. List of API classes is shall be
import is presented in Listing 5.
The first public class net.rim.device.api.system.Bitmap
needs to construct a blank bitmap object.
The second public class net.rim.device.api.system.Disp
lay provides access to the device’s display when we’re
going to take a screenshot of a portion of the screen
and saves it into a bitmap object.
Three public classes net.rim.device.api.ui define
functionality for a user interface engine applications can
use for their UI operations. As it pushes screens onto
the stack, it draws them on top of any other screens
already on the stack. When the application pops a
screen off the stack, it redraws the underlying screens
as necessary. From capture to capture we have to put
in and put out next screen onto stack by UiApplication.g
etUiApplication().popScreen(this), UiApplication.getUiAppl
ication().pushScreen(this).
Before our malware has got a static image of
vulnerable screen it should get active screen and
retrieves screen size to put it into bitmap object that’s
presented int Listing 6.
Also we can put timespan as 40 msec and loop it.
Loop quantity is optional. Then malware needs to save
static images to memory or file. For example, malware
demo saves it to bytes memory array. Piece of code is
presented in Listing 7.
Behind mirror
Previous vulnerabilities show how intruder can get your
messages, tasks, chats (in short everything is possible
to photocapture) and then block normal operation with
blackberry device as far as possible. But is there no way
to sneak blackberry password?
In first part I refer to attempt quantity you set in your
device. It’s various from 3 to 10. The second half of it
��������������
���������������������
Intruder
�������������
���������������
����������������������
����������������������������������
���������������������
������������
�������
������
�������
��������������������� ����������������
������������
Figure 14. Stolen image of file explorer
www.hakin9.org/en
�������������
Figure 15. Photo Sniff Vulnerability Model
27
8. DEFENSE
Listing 7. API-routines to design malware photo sniffer
public byte[] getBytesFromBitmap(Bitmap bmp)
{
Malware Design
To design this type of malware you need combine the
previous pieces of code.
Mitigation
DataOutputStream dos = new DataOutputStream(bos);
If you are BIS consumer you always check permissions
when downloading an application to disable key
injection or screenshot capture. Additionally you should
set option suppress password echo to false. If you are
BES consumer your administrator should check IT
Policy like this:
bmp.getARGB(rgbdata,0,width,0,0,width,height);
Key Injection:
int height=bmp.getHeight();
int width=bmp.getWidth();
ByteArrayOutputStream bos = new
ByteArrayOutputStream();
Graphics g = new Graphics(bmp);
for (int i = 0; i < rgbdata.length ; i++)
“Application Control Policy a Event Injection” = False
if (rgbdata[i] != -1)
Device Screen Capture:
{
{
dos.writeInt(i);
dos.flush();
}
}
bos.flush();
return bos.toByteArray();
}
isn’t masked behind asterisk by default. This feature
corresponds to the device option suppress password
echo (or BES IT Policy) is set in true by default. It
means.
First malware (key injector) waits moment till user
unlocks device then type noise symbol at that time the
second malware (photo sniffer) is steal an image of
device. Done! Now a violator can whatever you like, for
example decipher your file backup and get your actuals
(Figure 16).
Figure 16. Unmasked typing
28
“IT Policy a Security Policy Group a Allow Screen Shot
Capture” = False
Combo Vuln
“IT Policy a Password Policy Group a Suppress Password
Echo” = False
Did you know?
Phishing kits are constructed by con artists to look like
legitimate communications, often from familiar and
reputable companies, and usually ask victims to take
urgent action to avoid a consequence or receive a reward.
The desired response typically involves logging in to a
Web site or calling a phone number to provide personal
information.
Fobbing off is no object!
Understanding the human factors that make people
vulnerable to online criminals can improve both
security training and technology. Since recently, phish
email were headache task for bank consumers, online
consumers, etc. Up to now, there’s one more phish
kit. It’s called a scumware that disguised as genuine
software, and may come from an official site. For
example, user has just downloaded a video player.
Before downloading BlackBerry smartphone asking
him to set permissions for new application. Typical
user allows all because he’s bored with it. He’s bored
with think what to do – allow only Wi-Fi connection
or 3G too, disallow access to PIM and any kind of
messages. He waits mega secure technology that
says: don’t worry! It’s video or mp3 player. There’s
shouldn’t access to personal data. Still waits. And
how! Then typical user click button with caption Make
me Happy!. So, he gives full access for intruder
application because he’s tired of pop-up permissions.
Then GPS location is steal, his photos or videos, his
PIM, chats, etc. Afterwards he looks in wide-eyed
astonishment. You don’t say so! Why? I’m not to
02/2011
9. Is data secure on the password protected blackberry device?
On the ‘Net
•
•
•
•
•
•
•
•
•
•
http://blogs.wsj.com/wtk-mobile/ – The Wall Street Journal brief research of geniue spyware
http://docs.blackberry.com/en/admin/deliverables/12063/BlackBerry_Enterprise_Server-Policy_Reference_Guide-T323212-8320261023123101-001-5.0.1-US.pdf – BlackBerry Enterprise Server Version: 5.0. Policy Reference Guide, RIM,
http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html – The Wall Street Journal research of
geniue spyware on iPhone and Android
http://docs.blackberry.com/en/developers/deliverables/11961/BlackBerry_Java_Application-Feature_and_Technical_Overview-789336-1109112514-001-5.0_Beta-US.pdf – BlackBerry Java Application. Version: 5.0. Feature and Technical Overview, RIM
http://docs.blackberry.com/en/developers/deliverables/9091/JDE_5.0_FundamentalsGuide_Beta.pdf
–
BlackBerry
Java
Application. Version: 5.0. Fundamentals Guide, RIM,
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_
Application_Developer_Guide_Volume_1.pdf?nodeid=1106256&vernum=0 – BlackBerry Application Developer Guide Volume
1: Fundamentals (4.1), RIM,
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_
Application_Developer_Guide_Volume_2.pdf?nodeid=1106444&vernum=0 – BlackBerry Application Developer Guide Volume
2: Advanced Topics (4.1), RIM,
http://www.blackberry.com/developers/docs/4.2api/ – RIM Device Java Library – 4.2.0 Release (Javadoc), RIM,
http://docs.blackberry.com/en/developers/deliverables/15497/BlackBerry_Smartphone_Simulator-Development_Guide--10019260406042642-001-5.0-US.pdf – BlackBerry Smartphone Simulator. Version: 5.0. Development Guide, RIM,
http://docs.blackberry.com/en/developers/deliverables/1077/BlackBerry_Signing_Authority_Tool_1.0_-_Password_Based_-_
Administrator_Guide.pdf – BlackBerry Signature Tool 1.0. Developer Guide, RIM
download Trojan! But there’s just one shag to it. The
salesman has already fobbed off the faulty application
on him.
Sometimes events are developing in another way.
According to the WALL STREET JOURNAL (http://
wsj.com) marketers are tracking smartphone users
through applications – games and other software on
their phones. It collects information including location,
unique identifiers for the devices such as IMEI, and
��������������
�������������
Intruder
���������������������
���������������
����������������������
�������
���������������������
������������
personal data. Then applications send this information
to marketing companies from time to time (http://
blogs.wsj.com/wtk-mobile/, http://online.wsj.com/article/
SB1000142405274870469400457602008370357
4602.html).
Conclusion
It happens that there are serious deficiencies in the
numbers of suitable vulnerability survey mythicize
computer privacy. Real-world example is said there
have been no exploitable BlackBerry handheld
vulnerabilities published since 2007 year. Even the 2007
vuln was a DoS, not taking control of the device. As a
matter of fact Praetorians made a much powerful exploit
(Blackberry Attack Toolkit – http://www.praetoriang.net/)
that was present on the DEFCON 14 in July, 2006. This
condition implies ability to speak well for design a botnet
applications and networks that applicable to deface vital
role information systems such as trading session or air
reservation.
��������������
������������
���������������������
������������
YURY CHEMERKIN
����������������
�������
������
���������������������
������������
Figure 17. Combo Vulnerability Model
www.hakin9.org/en
�������������
Graduated at Russian State University for the Humanities
(http://rggu.com/) in 2010. At present postgraduate at RSUH.
Security Analyst since 2009 and currently works as mobile
security researcher in Moscow.
E-mail: yury.chemerkin@gmail.com.
Facebook: http://www.facebook.com/people/Yury-Chemerkin/
100001827345335.
29