Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around.
This high intensity 30-minute crash course covers:
+ Man-in-the-middle (MITM) attacks
+ Taking advantage of improper certificate validation
+ Demonstration of a privilege escalation exploit of a web back-end vulnerability
Watch it here: https://youtu.be/bT1-7ZkSdNY
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
This is Episode 1 of a trilogy on mobile penetration testing - forensic analysis of data at rest on the device.
Episode 2 - Return of the Network/Back-end
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-ii-attack-of-the-code
Episode 3 - Attack of the Code
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-iii-attack-of-the-code
How Android and iOS Security Enhancements Complicate Threat DetectionNowSecure
This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about:
+ Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders
+ Tips on overcoming those challenges
+ The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data
How to make Android apps secure: dos and don’tsNowSecure
Learn from the mobile app security fails of others and understand how to get Android app security right the first time around.
A quarter of mobile apps include flaws that expose sensitive personal or corporate data that can be used for illicit purposes. And the security of a mobile app has a lot to do with a user’s impression of its quality.
Fixing vulnerabilities in the late stages of your build-and-deploy cycle is a hassle, and more expensive. You’ve got to switch contexts, dig through code you haven’t thought about in weeks (or didn’t develop in the first place), and delay progress on your latest sprint.
So, what can you, the savvy Android developer, do to get security right the first time around and save yourself work later?
Or, if you’re a security practitioner, how can you give security guidance up front to help your colleagues on the development team work more efficiently?
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around.
This high intensity 30-minute crash course covers:
+ Man-in-the-middle (MITM) attacks
+ Taking advantage of improper certificate validation
+ Demonstration of a privilege escalation exploit of a web back-end vulnerability
Watch it here: https://youtu.be/bT1-7ZkSdNY
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
This is Episode 1 of a trilogy on mobile penetration testing - forensic analysis of data at rest on the device.
Episode 2 - Return of the Network/Back-end
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-ii-attack-of-the-code
Episode 3 - Attack of the Code
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-iii-attack-of-the-code
How Android and iOS Security Enhancements Complicate Threat DetectionNowSecure
This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about:
+ Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders
+ Tips on overcoming those challenges
+ The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data
How to make Android apps secure: dos and don’tsNowSecure
Learn from the mobile app security fails of others and understand how to get Android app security right the first time around.
A quarter of mobile apps include flaws that expose sensitive personal or corporate data that can be used for illicit purposes. And the security of a mobile app has a lot to do with a user’s impression of its quality.
Fixing vulnerabilities in the late stages of your build-and-deploy cycle is a hassle, and more expensive. You’ve got to switch contexts, dig through code you haven’t thought about in weeks (or didn’t develop in the first place), and delay progress on your latest sprint.
So, what can you, the savvy Android developer, do to get security right the first time around and save yourself work later?
Or, if you’re a security practitioner, how can you give security guidance up front to help your colleagues on the development team work more efficiently?
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
It's not about you: Mobile security in 2016NowSecure
Legacy network security approaches define and defend a perimeter. Mobile technology explodes boundaries with apps you’re not always aware of on public networks you don't control. Dual-use devices complicate managing access to sensitive corporate resources and protecting endpoints. Traditional approaches to network, cloud, and application security don't solve the mobile security challenge.
Sam Bakken, Content Marketing Manager at NowSecure, discusses the state of mobile security in 2016 and shares strategies for managing the boundless mobile periphery.
[CB16] Background Story of "Operation neutralizing banking malware" and highl...CODE BLUE
Financial damages caused by remittance fraud in Japan has been increasing since year 2013, and this has become a critical problem in our society.
In April 2015, Tokyo Metropolitan Police Department conducted its very first unique takedown operation called "Operation Banking Malware Takedown”.
Tokyo Metropolitan Police Department had asked us to cooporate with this operation, so we developed a technology that would takedown the banking malware called "VAWTRAK".
In this presentation, I will give an overview of the operation and a background of our involvement.
Then, I will introduce and demonstrate the technology that we developed to takedown “VAWTRAK”.
I will also provide a description of ongoing banking malware attacks this year based on our investigation.
--- Kazuki Takada
He works at SecureBrain Corporation and belongs to Advanced Research Center and Security Response Team. Senior Software Engineer. 2014, He joined SecureBrain Corporation. As a software engineer, he works on the software development while doing security research. Mainly he focused on the analysis of the cyber crimes caused by financial Malware and phishing and its developing its technological countermeasures.
Major lectures in the past
2015/2016 Practical Anti-Phishing Guideline Seminar Lecturer
2016 IEICE requested symposium “Analysis methods and the results from Malware Long-term observation and taint analysis”.
Unmask anonymous attackers with advanced threat intelligence webinar 6.29 fin...SecureAuth
With the latest release of SecureAuth IdP, we announced the addition of SecureAuth Threat Service and offered it exclusively to you at 50% off list price! But if you are still not convinced that Threat Service will help you build the most secure environment possible then join us on June 29th for a live webinar with Forrester VP and Principal Analyst, Andras Cser where we will discuss the threats anonymous/Tor networks and the harmful repercussions that can happen in your network.
Targeted attacks on major industry sectors in south korea 20171201 cha minseo...Minseok(Jacky) Cha
Targeted Attacks on Major Industry Sectors in South Korea
Andariel group, Threat group behind Operation Red Dot, Threat group behind Operation Bitter Biscuit
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
For the past few years, Asia Pacific and Japan have continued to be a regular target of cyber threat actors. From 2018 to 2019, we have observed several threats targeting Japan involving cyber espionage and underground activities. Some of the adversaries and campaigns are revealed in OSINT, however, some are still lurking in shadow.
In this talk, we will reveal the TTP's (tactics, techniques and procedures) of espionage threat actors interested in Japanese electronics, chemical and 5G equipment manufacturing companies. One campaign leverages a malware attributed to APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. Beside the Chinese actors, we have also observed a group which historically focused on the EMEA region shift to showing interest in Japan. In addition, we will also disclose details of underground activity involving a target in the Japanese financial industry.
In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now, more than ever, Threat Intelligence is increasingly important for organizations who want to proactively defend against advanced threat actors.
While many organizations today are collecting massive amount of threat intelligence, are they able to translate the information into an effective defense strategy?
View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure.
Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
Crowdstrike And Guest Forrester Share Keys To Mastering The Endpoint
CrowdStrike VP, Product Management Rod Murchison and guest speaker Chris Sherman, Forrester Research analyst, will discuss how modern approaches must balance prevention with detection capabilities in the context of an overall security strategy. Ultimately, this will give security professionals the ability to better deal with the influx of new device types and data access requirements while reducing the likelihood of compromise.
In this CrowdCast, Forrester and CrowdStrike will present:
- Forrester’s Targeted-Attack Hierarchy of Needs
- The six core requirements to a successful endpoint security strategy
- Preparing for and responding to targeted intrusions and attacks
- How CrowdStrike lines up with Forrester’s Hierarchy of Needs framework
Hijacking Softwares for fun and profitNipun Jaswal
Presentation for my talk at Global Infosec Summit, LPU (11 Nov 2017). The Presentation demonstrates risk of using outdated and cracked software. Additionally, demonstrates the hand-on approach to finding DLL search order hijacking vulnerabilities. The Presentation is for educational purposes only.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
It's not about you: Mobile security in 2016NowSecure
Legacy network security approaches define and defend a perimeter. Mobile technology explodes boundaries with apps you’re not always aware of on public networks you don't control. Dual-use devices complicate managing access to sensitive corporate resources and protecting endpoints. Traditional approaches to network, cloud, and application security don't solve the mobile security challenge.
Sam Bakken, Content Marketing Manager at NowSecure, discusses the state of mobile security in 2016 and shares strategies for managing the boundless mobile periphery.
[CB16] Background Story of "Operation neutralizing banking malware" and highl...CODE BLUE
Financial damages caused by remittance fraud in Japan has been increasing since year 2013, and this has become a critical problem in our society.
In April 2015, Tokyo Metropolitan Police Department conducted its very first unique takedown operation called "Operation Banking Malware Takedown”.
Tokyo Metropolitan Police Department had asked us to cooporate with this operation, so we developed a technology that would takedown the banking malware called "VAWTRAK".
In this presentation, I will give an overview of the operation and a background of our involvement.
Then, I will introduce and demonstrate the technology that we developed to takedown “VAWTRAK”.
I will also provide a description of ongoing banking malware attacks this year based on our investigation.
--- Kazuki Takada
He works at SecureBrain Corporation and belongs to Advanced Research Center and Security Response Team. Senior Software Engineer. 2014, He joined SecureBrain Corporation. As a software engineer, he works on the software development while doing security research. Mainly he focused on the analysis of the cyber crimes caused by financial Malware and phishing and its developing its technological countermeasures.
Major lectures in the past
2015/2016 Practical Anti-Phishing Guideline Seminar Lecturer
2016 IEICE requested symposium “Analysis methods and the results from Malware Long-term observation and taint analysis”.
Unmask anonymous attackers with advanced threat intelligence webinar 6.29 fin...SecureAuth
With the latest release of SecureAuth IdP, we announced the addition of SecureAuth Threat Service and offered it exclusively to you at 50% off list price! But if you are still not convinced that Threat Service will help you build the most secure environment possible then join us on June 29th for a live webinar with Forrester VP and Principal Analyst, Andras Cser where we will discuss the threats anonymous/Tor networks and the harmful repercussions that can happen in your network.
Targeted attacks on major industry sectors in south korea 20171201 cha minseo...Minseok(Jacky) Cha
Targeted Attacks on Major Industry Sectors in South Korea
Andariel group, Threat group behind Operation Red Dot, Threat group behind Operation Bitter Biscuit
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
For the past few years, Asia Pacific and Japan have continued to be a regular target of cyber threat actors. From 2018 to 2019, we have observed several threats targeting Japan involving cyber espionage and underground activities. Some of the adversaries and campaigns are revealed in OSINT, however, some are still lurking in shadow.
In this talk, we will reveal the TTP's (tactics, techniques and procedures) of espionage threat actors interested in Japanese electronics, chemical and 5G equipment manufacturing companies. One campaign leverages a malware attributed to APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. Beside the Chinese actors, we have also observed a group which historically focused on the EMEA region shift to showing interest in Japan. In addition, we will also disclose details of underground activity involving a target in the Japanese financial industry.
In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now, more than ever, Threat Intelligence is increasingly important for organizations who want to proactively defend against advanced threat actors.
While many organizations today are collecting massive amount of threat intelligence, are they able to translate the information into an effective defense strategy?
View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure.
Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
Crowdstrike And Guest Forrester Share Keys To Mastering The Endpoint
CrowdStrike VP, Product Management Rod Murchison and guest speaker Chris Sherman, Forrester Research analyst, will discuss how modern approaches must balance prevention with detection capabilities in the context of an overall security strategy. Ultimately, this will give security professionals the ability to better deal with the influx of new device types and data access requirements while reducing the likelihood of compromise.
In this CrowdCast, Forrester and CrowdStrike will present:
- Forrester’s Targeted-Attack Hierarchy of Needs
- The six core requirements to a successful endpoint security strategy
- Preparing for and responding to targeted intrusions and attacks
- How CrowdStrike lines up with Forrester’s Hierarchy of Needs framework
Hijacking Softwares for fun and profitNipun Jaswal
Presentation for my talk at Global Infosec Summit, LPU (11 Nov 2017). The Presentation demonstrates risk of using outdated and cracked software. Additionally, demonstrates the hand-on approach to finding DLL search order hijacking vulnerabilities. The Presentation is for educational purposes only.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
by Axelle Apvrille & Ange Albertini
presented at BlackHat Europe 2014, in Amsterdam
PoC: https://github.com/cryptax/angeapk
AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.
What is Shodan?
- Search engine for the Internet connected devices by John Matherly (@achillean).
- Probes devices on specific ports, aggregates the output and indexes aka Google for TCP banners
- Has a powerful API, Python & Ruby libraries
- Integration with Maltego, Metasploit & Armitage.
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.
APT 28 :Cyber Espionage and the Russian Government?anupriti
Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.This presentation based on a report made public by FireEye brings an over view of their opinion.....uploaded here just for general info to understand how its all happening!!!!
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
Speaker:Santhosh Kumar
Event:Defcon Kerala
Date:8/03/2014
Android-Forensic and Security Analysis.
Android one of the leading Mobile Operating System which is managed by Google released back in 2008 now stands with a 4.4.x version Android KitKat.The Study Shows that increasing Crime Rates are switching from Computer Centered to PDA Based.Crime against Women,Children And Abuse.As the Digital Forensics and Law Enforcement Agencies find new Hard Challenges Cracking Down different Situation in the Android Environment.Google Play Store which has over 1 Million Application Active has also added to the Pain.
The Talk Focus on various Methods,the Various Situation where the forensics is useful.
The Methods are classified as Logical and physical which involves from breaking the passcodes to exploring virtual NAND memory.
The talk also focus on various places where is information is available to the forensic point of view.
Affected by Mobile Cyber Attack? Tortured by a Android Smartphone ? Relax there is a solution to each and everything.
The Talk also focus on using both Windows And linux as the Forensic Investigation Environment.
Android Which has the linux kernel at Heart can be best paradise when it comes to Forensic Data.
Various Tools on way this can be done in faster way.
Forensic always useful whether you are from a corporate environment or even from the massive Law enforcement Agencies.
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
(Source: RSA USA 2016-San Francisco)
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient.
(Source: RSA USA 2016-San Francisco)
Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient.
(Source: RSA USA 2016-San Francisco)
Finding Triggered Malice in Android AppsPriyanka Aash
Traditional techniques to detect malice in Android apps struggle to identify trigger-based changes to application logic. Unfortunately, such triggers are a key component of targeted malware, where the trigger is the mechanism that ensures that the code is only executed at the target. This talk will review how static analysis can be used to detect and leverage triggers for more robust detection.
(Source: RSA USA 2016-San Francisco)
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
Targeted attacks on critical infrastructure continue to increase in number and severity. We’ll present the latest data on these attacks: What is their goal? What are the attacker strategies? How are attacks supported by the darknet? We’ll discuss banking threats discovered at the “Big Board” at the RSA Anti-Fraud Control Center and Smart Grid threat detection in the EU SPARKS project.
(Source: RSA USA 2016-San Francisco)
Vehicles are increasingly connected and researchers have shown just how easily some of these connected features can be hacked. Just as people think the story’s been done, our research reveals that there is a key vector that has been overlooked and we ignore it at our peril: malware through an infected mobile device. This talk will reveal the results of our tests on several popular car-manufacturer apps.
(Source: RSA Conference USA 2017)
The State of End-User Security—Global Data from 30,000+ WebsitesPriyanka Aash
We live in a rapidly changing environment. Mobile commerce is skyrocketing, browsers/OS are changing, web applications enable increasing functionality—yet the only thing that seems constant is the amount of flaws and vulnerabilities we find in these software components. Using data from more than 30,000 websites, this session will explore the state of security ecosystem and myths and assumptions.
(Source: RSA USA 2016-San Francisco)
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.
As seen with the IoT-based MIRAI botnet, security vulnerabilities can have their root cause several layers down in the supply chain. The session will corroborate this with concrete vulnerability results of over 5,000 IoT software packages. It also will show how, to stop this bug passing, developers, integrators and regulating bodies need to work together to build a trustworthy IoT software supply chain.
This presentation will demonstrate a complete end-to-end analysis of an Android bot. This will include the decompilation and static analysis of bot code and the dynamic analysis of the bot’s behavior in a controlled sandboxed environment. The session will provide details of the lab environment and tools used for the analysis.
(Source: RSA USA 2016-San Francisco)
Presentation by Saurabh Harit att he mobile security summit in johannesburg 2011.
This presentation is about security on the iPhone and Android platforms. The presentation begins with a discussion on decrypting iPhone apps and its implications. The Android security model is discussed. The presentation ends with a series of discussions on practical Android attacks.
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
How to Build a Module in Odoo 17 Using the Scaffold MethodCeline George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
How to Add Chatter in the odoo 17 ERP ModuleCeline George
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Thinking of getting a dog? Be aware that breeds like Pit Bulls, Rottweilers, and German Shepherds can be loyal and dangerous. Proper training and socialization are crucial to preventing aggressive behaviors. Ensure safety by understanding their needs and always supervising interactions. Stay safe, and enjoy your furry friends!
Safalta Digital marketing institute in Noida, provide complete applications that encompass a huge range of virtual advertising and marketing additives, which includes search engine optimization, virtual communication advertising, pay-per-click on marketing, content material advertising, internet analytics, and greater. These university courses are designed for students who possess a comprehensive understanding of virtual marketing strategies and attributes.Safalta Digital Marketing Institute in Noida is a first choice for young individuals or students who are looking to start their careers in the field of digital advertising. The institute gives specialized courses designed and certification.
for beginners, providing thorough training in areas such as SEO, digital communication marketing, and PPC training in Noida. After finishing the program, students receive the certifications recognised by top different universitie, setting a strong foundation for a successful career in digital marketing.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
14. #RSAC
Android Logical
AFLogical OSE (https://github.com/viaforensics/android-forensics)
Reads Content-Providers
Push to phone, run, store on SD-Card
Pull CSVs to Santoku for review
14
20. #RSAC
App Selection
Apps were selected based on popularity, number of downloads, or potential sensitivity of data
Approximately 80 apps have been reviewed and organized into categories
20
21. #RSAC
2013 App testing result
81 tested apps, 32 iOS, 49 Android
21
0%
20%
40%
60%
80%
Failed MiTM
or SSL
Stored
Password
(Plaintext or
hashed)
Stored
sensitive app
data on
memory
At least one
'High risk'
rating
iOS
Android
23. #RSAC
Any.Do
Business and personal task management app iOS and Android
Millions of users
Many vulnerabilities, no response from company
https://viaforensics.com/mobile-security/security-vulnerabilities- anydo-android.html
23
28. #RSAC
Bad News
Android Malware, masquerades as an innocent advertising network
Packaged in many legitimate apps, usually targeting Russian market
Has ability to download additional apps, and propmts the user to install them, posing as “Critical Updates”. Uses this mechanism to spread known malware, typically Premium Rate SMS fraud.
For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/
28
29. #RSAC
apktool
Tool for reverse engineering Android apk
Dissasembles code to smali files, also decodes resources contained into the apk.
It can also repackage the applications after you have modified them
We can run it on Badnews
Badnews Sample
29
30. #RSAC
From apktool to smali
We can grep for known sensible method calls and strings
30
31. #RSAC
From apktool to smali
We can manually analyze the disassembled smali coded provided by apktool
For example here we see a broadcast receiver that will listen for BOOT_COMPLETED intents and react to them starting a service in the application
31