Unicom Conference - Mobile Application Security by Subho Halder
Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this fact is established, many companies are still not following mobile application security best practices. The goal of this talk is to raise awareness about application security by identifying some of the most critical risks facing organizations during development. We will cover everything from the basic OWASP Top 10 security issues to live demos of different use-case scenarios showing how a hacker can attack your application, and how to prevent it.
Developers are pressed to produce more secure code, but do not receive support from stakeholders, management, or even the very manufacturers who produce the tools used to write applications.
What can go wrong when even the official documentation for a product is wrong about security aspects?
The Seven Most Dangerous New Attack Techniques, and What's Coming Next by Priyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned to know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
(Source: RSA USA 2016-San Francisco)
Embedded Development - to Fit the Unique Needs of Enterprises Around the Globe by Tizbi, Inc.
What is embedded development and what's so special about it? Why is finding an embedded developer not an easy job? How can the Tizbi team help your company?
Check the slideshow for the answers.
Learn more about Tizbi custom development services here: http://bit.ly/2YUL4X6.
Ten Security Product Categories You've Probably Never Heard Of by Adrian Sanabria
The security industry moves fast and is already a crazy place that's tough to keep up with. What happens when you get a window into the early-stage security startup market? You realize the rabbit hole goes, much, much deeper.
Attacking and Defending Apple iOS Devices by Tom Eston
IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.
Complete enterprise grade end point security solutions from K7. Please feel free to contact us for further details.
Email us at : info@primeinfoserv.com
Web : www.primeinfoserv.com
Phone : +91 33 6526-0279 / 4008-5677
Kaspersky Internet Security Multi-Device 2015 by Dejan Pogačnik
Kaspersky Internet Security Multi-Device 2015 is an antivirus program for home users and small businesses. It protects your PC/Mac computer and your tablet or smartphone running Android OS.
In today's world we see continuous change. The number of remote users is growing and end users expect more, and faster, answers from the IT department. How do you deal with that today?
How does Ivanti look at this, and how do we tackle today's challenges with an eye on the future?
Join us to get to know Ivanti's MSP offering, based on existing use cases.
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016 by Subho Halder
Mobile app security is an issue that isn't given much priority while your app is in the development stage, and as a result hackers are able to target your iOS app.
This talk will feature the most common security mistakes developers make, and how to fix them easily. It will also cover the different security and privacy enhancements provided by Apple in iOS 10, such as the SecKey API, Differential Privacy and cryptographic libraries, which enable developers to ship secure applications to the App Store.
The Password Is Dead: An Argument for Multifactor Biometric Authentication by Veridium
In 2015, 63 percent of all confirmed data breaches were the result of weak, default, or stolen passwords. In fact, this was the second primary cause of all data breaches, globally, according to the 2016 Verizon Data Breach Investigations Report.
The death of passwords has been heralded for over a decade now, but these reports were often greatly exaggerated. However, in recent years this has begun to change, as new technologies are allowing companies to change how they secure access to digital assets. From traditional usernames and passwords to two-factor authentication, outdated security practices are failing to keep data secure. Whether it’s a lack of user adoption or actual flaws in the security infrastructure, businesses need a better option to protect access to their most important resources.
In this webinar, we will discuss the prevalence of data breaches today and where passwords and two-factor authentication fall short, followed by how biometrics, when properly deployed through end-to-end solutions like HoyosID, can provide the missing piece for fully securing digital access.
Top Biometric Identifiers: Risks & Rewards by Veridium
The weakest link in data security can never be fully addressed until we have reliable methods of user authentication. In this webinar we will discuss five different biometric identifiers (single fingerprint, four fingers, voice, face, iris), their level of accuracy and usability, and the privacy and security risks associated with each of them.
The Hardcore Stuff I Hack
This talk gives a run-through of some of the technical challenges Paul and his team have overcome over the years, in as much hardcore detail as possible.
As most people are aware, there has been an expansion in mobile banking applications in recent years. The Czech Republic is no exception to this, as nearly all banks have developed a mobile application for their modern mobile operating systems. Although different banks solve their security concepts in different ways, it is possible to discuss typical situations and problems that inevitably appear while designing mobile banking applications.
This talk focused on the challenges facing the DevOps community from the "developers' culture perspective" and the consequences of the perceived disinterest in inculcating a complete 360-degree risk mitigation framework in DevOps practices.
The talk touched on the legal, security and operational risks of using open source in the SDLC, the need for an internal, customized open source policy, and a two-step approach to resolving these risks.
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards by SecuRing
Last year at AppSec EU I had a presentation about the Ethereum smart contracts and did a technical showcase of some of their potential vulnerabilities and security flaws. I also presented my proposition on how to handle the responsible disclosure process in the smart contracts world.
This year I want to focus on the whole process of security testing and present it by analogies to the web applications which are quite well-known. Smart contracts are described as Web3 decentralized apps and I believe that my talk will not only bring new light on this subject but will also help to understand and organize the way of testing. I am going to cover the whole SDLC and show the similarities and differences between the smart contracts and web applications on each step.
The presented overview is especially important nowadays when the biggest companies are building their own blockchain platforms and cryptocurrencies – i.e. Libra introduced by Facebook (which by the way also supports smart contracts).
I am also going to show the differences in the arsenal of vulnerabilities, security tools and standards by the analogy to web apps arsenal. I think that, even though there exist a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in web apps world). I would like to discuss potential work that needs to be done in that area and show my preliminary work on that matter.
After this presentation the audience will know the similarities and differences between smart contracts and web apps in the SDLC and in the arsenal of tools and standards, and will also have a fresh overview of possible options and current trends.
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
VMworld 2013: Android in the enterprise: Understand the challenges and how to... by VMworld
VMworld Europe 2013
Andrew Hawthorn, VMware
Stig Andersson, UBS
Herve Hulin, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards by SecuRing
The presentation focuses on the whole process of security testing and presents it by analogy to web applications, which are quite well known. It covers the whole SDLC and shows the similarities and differences in the arsenal of vulnerabilities, security tools and standards between smart contracts and web applications at each step. Even though there are a lot of great security projects for smart contracts, we do not have a single, widely accepted security standard (such as ASVS in the web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), an open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
Meeting Mobile and BYOD Security Challenges by Symantec
This white paper is written for enterprise executives who wish to understand what digital certificates are and why they are invaluable for mobile and Bring Your Own Device (BYOD) security on wired and wireless networks. The paper also illustrates the benefits of adopting Symantec Managed PKI Service and provides real-world use cases.
Jon Noble will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks: why they attack you and what they do once they have compromised a system.
Outsmarting the Smart City: DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUN... by Priyanka Aash
The super computer gets a panoptic view of the city using data from cameras and sensor networks. The information obtained is used to manage the city’s infrastructure and technology as well as to maintain a database of personal information about citizens and their activities. In this article, we take a look at some of the real dangers facing today’s cities from malicious hackers.
Speakers:
Daniel Crowley , Research Baron at IBM X-Force Red
Jennifer Savage , Security Researcher at Threatcare
Mauro Paredes , Managing Consultant at IBM X-Force Red
The term "smart city" evokes imagery of flying cars, shop windows that double as informational touchscreens, and other retro-futuristic fantasies of what the future may hold. Stepping away from the smart city fantasy, the reality is actually much more mundane. Many of these technologies have already quietly been deployed in cities across the world. In this talk, we examine the security of a cross-section of smart city devices currently in use today to reveal how deeply flawed they are and how the implications of these vulnerabilities could have serious consequences.
In addition to discussing newly discovered pre-auth attacks against multiple smart city devices from different categories of smart city technology, this presentation will discuss methods for how to figure out what smart city tech a given city is using, the privacy implications of smart cities, the implications of successful attacks on smart city tech, and what the future of smart city tech may hold.
Software security, secure software development in the age of IoT, smart thing... by LabSharegroup
How to design secure software products for IoT, embedded application, smart metering, smart lighting, medical application with the help of Common Criteria
Similar to NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... by UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and Sales by Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge Graph by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Transcript: Selling digital books in 2024: Insights from industry leaders - T... by BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Accelerate your Kubernetes clusters with Varnish Caching by Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Connector Corner: Automate dynamic content and events by pushing a button by DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Epistemic Interaction - tuning interfaces to provide information for AI support by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... by Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes a lot of work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3 by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
3. @NTXISSA #NTXISSACSC3
Bio
• Sr. Vulnerability Manager at Kimberly Clark.
• Built and manages KCC's first vulnerability management program.
• Previously worked at Yahoo!, where I built and led global e-Crime investigations and incident response teams. I received Yahoo! Hackovation and Yahoo! Excellence awards for my innovative work in successful operations against fake customer care centers.
• Adjunct faculty at Texas A&M University, teaching computer science courses.
• Completed a Master of Science in Computer Science and hold degrees in Mathematics and Electronics Engineering. Currently working towards an MBA at UT Dallas.
5. @NTXISSA #NTXISSACSC3
Mobile Industry In Numbers
• The Google store has 1.6 million applications, and the Apple store has 1.5 million applications.
• There are 102 billion mobile app downloads worldwide, and 9 billion of them are paid apps.
• This generated 26 billion U.S. dollars.
NTX ISSA Cyber Security Conference – October 2-3, 2015
6. @NTXISSA #NTXISSACSC3
Security Problems
• Companies desperately try to have a mobile presence and ask their IT departments, or hire third parties, to create mobile applications for their products, services and web sites.
• Companies want to get their apps out as soon as possible, just as they wanted their websites in the 90s without checking their security.
7. @NTXISSA #NTXISSACSC3
Mobile Security in Numbers
• The number of software packages aimed at mobile devices has reportedly risen from about 14,000 to 40,000, or about 185%, in less than a year.
[Chart: iOS Vulnerabilities per year, 2007-2015 (y-axis 0-300)]
[Chart: Android Vulnerabilities per year, 2009-2015 (y-axis 0-40)]
8. Mobile vs Traditional OS Vulnerability Type
[Chart: iOS vulnerabilities by type (y-axis 0-400)]
[Chart: Windows 7 vulnerabilities by type (y-axis 0-250)]
10. The Challenges For Incident Responders
• Vulnerability X works only on Android version Y, and only on Samsung model Z hardware.
• This could mean security teams need to buy all of that hardware.
• Another issue is lack of mobile security knowledge. Often security teams try to handle mobile security incidents as traditional web security incidents.
• These cause longer hours of work and potentially don't help the company fix the issue.
11. Mobile vs PC Security
Area                     | Mobile                                                                                                              | PC
DFIR                     | Lots of things to figure out; tools are not capable                                                                 | Well established
Vulnerability Management | Harder. Old vulnerabilities require new testing mechanisms. Device management is distributed; no custom image        | Good tools for testing vulnerabilities; good patch management tools, processes and methodologies
Network Intrusion        | Harder (LTE, 4G, 3G)                                                                                                | Established
e-Crime                  | Apps store lots of sensitive info including birth date, banking credentials etc.; CC (credit card) data is also stored | Similar to mobile
Physical Security        | Easy to steal                                                                                                       | Established
13. Mobile Vulnerability Triage
Android
• Potential Solutions
1) Cloud solutions
   - Testdroid
   - For pentesting of apk files
2) VM
   - Not flexible
   - Networking issues when dumping traffic (need to use a VPN; otherwise there is no bridge mode on some corporate networks)
14. Mobile Vulnerability Triage
3) Android SDK
• No need to install image/API/device images
• Very flexible
• Full emulator which actually runs on a real firmware image. Other than hardware vulnerabilities, we can reproduce any vulnerability in our code.
15. Creating Emulator and Virtual Devices
• AVD Manager
  • The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.
  • You can launch the AVD Manager in one of the following ways:
    • In Eclipse: select Window > Android Virtual Device Manager, or click the AVD Manager icon in the toolbar.
    • In Android Studio: select Tools > Android > AVD Manager, or click the AVD Manager icon in the toolbar.
    • In other IDEs: navigate to your SDK's tools/ directory and execute android avd.
• Emulator
  The Android SDK includes a mobile device emulator — a virtual mobile device that runs on your computer. The emulator lets you develop and test Android applications without using a physical device.
19. Networking Scheme
Address                          Meaning
10.0.2.1                         Router/gateway address
10.0.2.2                         Special alias to your host loopback interface (i.e., 127.0.0.1 on your development machine)
10.0.2.3                         First DNS server
10.0.2.4 / 10.0.2.5 / 10.0.2.6   Optional second, third and fourth DNS server (if any)
10.0.2.15                        The emulated device's own network/ethernet interface
127.0.0.1                        The emulated device's own loopback interface
20. Sniffing Traffic
• Sniff Traffic
1st way: start the emulator with a capture file
• $ emulator -tcpdump pcapFile.pcap -avd myAvd
• Hints: other emulator command-line options are documented at http://developer.android.com/tools/devices/emulator.html
2nd way: connect to the emulator console over telnet (the console port is shown in the emulator window title) and start the capture from there
• $ telnet localhost portnumber
• network capture start pcapFile.pcap
• network capture stop
• Hints: other console commands are documented on the same page: http://developer.android.com/tools/devices/emulator.html
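Once the emulator has written a pcap, the triage question is what the app actually sent: which destinations it talked to, and whether any of it was cleartext HTTP rather than TLS. The following is an added example (not from the original slides) that walks a little-endian libpcap file with Ethernet framing, keeps only TCP segments sent by the emulated device (10.0.2.15, from the networking scheme above), and classifies each flow. The capture bytes are constructed inline by build_sample_pcap so it runs offline; with a real file, pass the bytes of pcapFile.pcap to triage_capture instead. The destination addresses, ports and request are constructed sample values.

```python
"""Triage a pcap from `emulator -tcpdump pcapFile.pcap -avd myAvd`: report per-destination protocol
class and flag cleartext HTTP requests sent by the emulated device. Added example, not from the slides.
Only Ethernet/IPv4/TCP frames are inspected; everything else is skipped."""
import socket
import struct

DEVICE_IP = "10.0.2.15"  # the emulated device's own interface in the emulator's networking scheme
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def _build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample capture (checksums left zero)."""
    eth = b"\x52\x54\x00\x12\x35\x02" + b"\x52\x54\x00\x12\x34\x56" + b"\x08\x00"  # dst, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte header, PSH+ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: one cleartext HTTP POST carrying a token, and one TLS handshake record."""
    http_payload = (b"POST /api/login HTTP/1.1\r\nHost: api.example.test\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&token=SECRET")
    tls_payload = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03"  # TLS record header (handshake) + stub
    frames = [
        _build_frame(DEVICE_IP, "203.0.113.10", 41000, 80, http_payload),   # constructed destination
        _build_frame(DEVICE_IP, "203.0.113.20", 41001, 443, tls_payload),   # constructed destination
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def iter_packets(pcap_bytes):
    """Yield raw frames from a little-endian libpcap file with Ethernet link type."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp_off)
    data_off = ((frame[tcp_off + 12] >> 4) & 0x0F) * 4
    return src_ip, dst_ip, src_port, dst_port, frame[tcp_off + data_off:]


def classify_payload(payload):
    """Cheap first-bytes classification: HTTP request line, TLS record, other data, or empty segment."""
    if payload.startswith(HTTP_METHODS):
        return "cleartext-http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "other" if payload else "no-data"


def triage_capture(pcap_bytes, device_ip=DEVICE_IP):
    """Return ({"dst_ip:port": {protocol classes}}, [cleartext HTTP findings]) for traffic the device sent."""
    flows, findings = {}, []
    for frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _, dst_port, payload = parsed
        if src_ip != device_ip or not payload:
            continue
        kind = classify_payload(payload)
        flows.setdefault(f"{dst_ip}:{dst_port}", set()).add(kind)
        if kind == "cleartext-http":
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            findings.append(f"{dst_ip}:{dst_port} {request_line}")
    return flows, findings


if __name__ == "__main__":
    flows, findings = triage_capture(build_sample_pcap())
    for dest, kinds in sorted(flows.items()):
        print(dest, sorted(kinds))
    for finding in findings:
        print("CLEARTEXT:", finding)
```

Any "cleartext-http" flow is a finding on its own, independent of the certificate checks on the following slides: a request that never used TLS cannot be protected by certificate validation. The classifier only looks at the first bytes of each segment, so a request split across segments or an HTTP/2 stream would land in "other"; Wireshark remains the tool for the detailed look, this is the quick pass.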
21. Sniffing Traffic on iOS Devices
• Connect the iOS device to your Mac.
• Find the iOS device's UDID:
  • Open iTunes
  • Find your device and its serial number
  • Click the serial number and you will see the UDID
• Go to your terminal and type ifconfig -l
• Type rvictl -s UDID to start the device:
  $ rvictl -s f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
  Starting device f2f587fcf78ff82dccff88fff7ab6db9e9b0bf94
  [SUCCEEDED]
• Type ifconfig -l again; you will see a new interface, i.e. rvi0
• Go to Wireshark or use tcpdump to dump the traffic:
  $ sudo tcpdump -i rvi0 -w dump.dump
22. Validating SSL Vulnerabilities
• Download Burp Suite and configure it like this:
• Click the Proxy tab and then the Intercept tab. Make sure intercept is off.
• Go to the Options tab (still under the Proxy tab). Under Proxy Listeners, add your network interface (by default it only listens on localhost).
23. Malicious Certificate
• By default Burp Suite acts as a man in the middle for HTTPS connections. That means it sends its own certificate to your mobile device and deals with the original HTTPS site itself. Look below:
  iPhone --[encrypted with the Burp Suite CA's cert]--> Burp Suite --[encrypted with the banking site's CA-issued cert]--> Banking site
• This means your app should recognize that this is not a valid cert for the site it originally requested, i.e. the banking site, and drop the connection. At a minimum you should receive a warning from the app, but ideally you see no traffic at all. Many apps will just fail silently or complain of connection issues, which isn't ideal, but is not "insecure" per se.
• If you see any traffic in Burp Suite, that means your app has a certificate validation problem.
24. Second vulnerability: Hostname Mismatch
• Is the certificate's hostname verified by your application?
• For this you will need to acquire a valid certificate from a CA that is trusted by your device. Comodo is a good source for a free 90-day certificate.
• Install the valid certificate in your Burp proxy and configure it to offer this cert rather than the default.
• You can confirm step two is working by going into the native browser on the device and trying to visit an HTTPS site. You should receive a certificate hostname warning, and when you view the certificate details you should see that the cert you received is the one you installed in Burp Suite, not one issued by the PortSwigger CA.
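Slides 23 and 24 are two separate checks a client has to make, and an app that leaks traffic into Burp has skipped one of them: in the default Burp setup the presented certificate chains to a CA the device does not trust (chain validation); with a genuine certificate installed in Burp the chain is fine but the name on it is not the banking host (hostname verification). The following is an added example, not from the original deck, that models exactly those two decisions so a responder can see which verdict a correctly written client must reach in each triage scenario. Certificates are plain dicts (issuer, subject CN, subject alternative names) and the device's trust store is a set, all constructed values, so it runs offline with no TLS stack; real validation additionally checks validity period, signatures, key usage and revocation, which this example deliberately leaves out.

```python
"""Model of the two certificate checks the triage slides exercise: is the issuer trusted, and does
the name on the certificate match the host the app asked for. Added example with constructed data."""
import ipaddress


def match_hostname(hostname, pattern):
    """RFC 6125-style DNS-ID matching: case-insensitive; a single leading '*.' wildcard matches exactly
    one label and is rejected when fewer than two labels follow it (so '*.com' never matches)."""
    hostname = hostname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]                      # "*.bank.example" -> ".bank.example"
    if suffix.count(".") < 2:
        return False
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]          # the part the wildcard stands for
    return bool(label) and "." not in label and "*" not in label


def cert_matches_host(cert, hostname):
    """Check SAN entries (DNS names and IP addresses); fall back to the subject CN only when no SAN exists."""
    sans = cert.get("san", [])
    if sans:
        for kind, value in sans:
            if kind == "DNS" and match_hostname(hostname, value):
                return True
            if kind == "IP":
                try:
                    if ipaddress.ip_address(hostname) == ipaddress.ip_address(value):
                        return True
                except ValueError:
                    pass                      # hostname is not an IP literal; keep scanning
        return False
    return match_hostname(hostname, cert.get("cn", ""))


def validate_presented_cert(cert, expected_host, trusted_cas):
    """Verdict a correct client must reach: 'UNTRUSTED_ISSUER', 'HOSTNAME_MISMATCH' or 'OK'."""
    if cert["issuer"] not in trusted_cas:
        return "UNTRUSTED_ISSUER"             # slide 23: Burp's own CA, connection must be dropped
    if not cert_matches_host(cert, expected_host):
        return "HOSTNAME_MISMATCH"            # slide 24: trusted CA, but the cert is for another name
    return "OK"


# Constructed scenario data (not real certificates or CA names apart from the PortSwigger CA label).
BANK_HOST = "mobile.bank.example"
DEVICE_TRUST_STORE = {"Public Root CA (constructed)"}   # Burp's CA is deliberately absent

BURP_DEFAULT_CERT = {"issuer": "PortSwigger CA", "cn": BANK_HOST,
                     "san": [("DNS", BANK_HOST)]}                       # right name, untrusted issuer
TESTER_VALID_CERT = {"issuer": "Public Root CA (constructed)", "cn": "proxy.tester.example",
                     "san": [("DNS", "proxy.tester.example"), ("DNS", "*.tester.example")]}
BANK_REAL_CERT = {"issuer": "Public Root CA (constructed)", "cn": BANK_HOST,
                  "san": [("DNS", BANK_HOST), ("DNS", "*.bank.example")]}


def run_triage_scenarios():
    """Evaluate the three situations a responder sets up with Burp and return the expected verdicts."""
    scenarios = [("burp_default", BURP_DEFAULT_CERT),
                 ("burp_with_valid_cert", TESTER_VALID_CERT),
                 ("real_bank", BANK_REAL_CERT)]
    return {name: validate_presented_cert(cert, BANK_HOST, DEVICE_TRUST_STORE) for name, cert in scenarios}


if __name__ == "__main__":
    for name, verdict in run_triage_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

Reading the verdicts against what you observe in Burp: traffic appearing in the "burp_default" setup means the app accepted an untrusted issuer (it is not performing chain validation, or trusts everything); traffic appearing only in the "burp_with_valid_cert" setup means the chain check works but the app never compares the certificate's names to the host it requested. An app that drops both connections and only talks to the real site behaves as the example's "OK" path.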
27. Conclusion
• The mobile industry is a fast-growing 26 billion dollar industry.
• Companies are rushing out their mobile solutions without proper security reviews.
• This makes mobile apps attractive to hackers.
• Most of the time incident responders don't have a good process for triaging the vulnerabilities, nor know the difference between PC and mobile vulnerabilities.
• By using free tools an incident responder can triage mobile vulnerabilities.
• We need to think creatively!
29. Thank you
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)