Monthly Archives: May, 2012

Hack In the Box Amsterdam-2012 13:30 Track 1, Day 2

Bypassing the Android Permission Model, presented by Georgia Weidman, CEO Bulb Security

I have a soft spot for Android OS exploitation discussions and tequila, so this was a sweet little piece of key lime pie from Duck Key, FL for me. Gladly it was after lunch. Georgia Weidman greeted her audience wearing an Amsterdam altered period suit and a bottle of aged yet tender and delicious bottle of tequila, enough for sharing. Beyond making her audience at ease with quite a casual introduction, she had some serious questions regarding Android OS security. Is the permissions model in Android working for both developers and end users and are those end users making intelligent decisions? Ms. Weidman says yes if you’re a malware developer and the average smartphone user is trying. What developers declare as permissions required for installation can be vastly different from reality. Additionally, the permissions are too vague and far reaching for users to make a more informed, intelligent decision. She set the temperature of the presentation to low end user bashing and high on unclear and entirely too encompassing permissions for an acceptable security level for any operating system. Especially one which can leak the owner’s personal information almost invisibly. What permissions are really needed by the vast majority of Android applications? Not many, she gives the example of the Facebook application with requires 11 permissions including creepy ones like Your accounts, Discover known accounts. Conversely, Droid Dream, a known malicious application/root kit required only four permissions, none so creepy sounding. Why would Facebook need or want to discover your non-Facebook accounts on the phone but the same is not required when you log into Facebook over the world wide web? In the first demo, simplicity in pwnage was showcased. In less than 50 lines of code and limited permissions presented to the end user the IMEI (a cell phone unique ID number), read contacts and send an SMS. Inside of a few minutes exploitation and compromise was complete. The second of the series of demos began a dive into malicious bot waters over SMS, the presenter’s specialty. “If you write malware for Linux, Android OS [malware development] is an easy transition.” What mitigation strategies are required? No dangerous functionality directly available in public interfaces. Require user interaction for all activities such as sending and receiving SMS messages. Require the permissions tag in the XML manifest for the interface. End users must keep their operating system updates. But, that means that smartphone owners also need the ability to keep the OS updated in an easy manner. Too often phone manufacturers or cell phone providers delay Android OS updates, if provided at all. If the OS update isn’t available, the vulnerability remains and your private information becomes just another commodity on the data leakage open marketplace. Link to the presentation PDF: Link Links to other presentations by Georgia Weidman and her blog: http://georgiaweidman.com/wordpress/

Hack In the Box Amsterdam-2012 Keynote, Day 1

Getting Ahead of the Security Poverty Line, presented by Andy Ellis, CSO of Akamai

Andy Ellis casually approached the stage in 5 toed running shoes, mismatched blazer and trousers and general open demeanor. He took a cool sip of soda before explaining to us the concepts of cost of security versus return, auditing versus assessors and recognizing your present level of security versus the bare minimum of security required to provide a realistic level of risk. His densely rich presentation expounded upon his blog posting from 13/12/2012 entitled Security Subsistence Syndrome involving a discussion by Wendy Nather of the 451 Group, “Living Below the Security Poverty Line“. Normally the tech in me is slightly apprehensive before attending presentations by “C-level” executives at technical conferences. Fears of 55 minutes of mindless management mumbo jumbo was quickly replaced with a presentation topic which was extremely relevant. The challenge of balancing information security costs and resources in creative ways during an inhospitable financial climate is one most information security professionals face frequently. Mr. Ellis used a mixture of tech, humor and honest communication for the audience to grasp the topic. The “casual chaotic actor” is getting better, more sophisticated with the availability of better tools he stressed, “as Metasploit increases, everyone gets better.” The general tone was that security waits for no one. Besides, “Nobody will implement perfect security” he stated, because businesses make financial gains through leveraging risks. Perfect security is an implausible goal. Major takeaway points:

  • Don’t waste your crisis, use every opportunity you can and learn.
  • Don’t rely on blind luck, it will happen to you! Another way of saying Murphy’s Law.
  • Improve processes and policies for your weakest link such as developers or any production platforms possible.
  • Measure the capabilities of existing staff with a focus on continual improvement over time.
  • If you are for example trying to juggle 17 things and failing, concentrate on three or so you can actually solve and let the rest of the balls drop.
  • Automate in an efficient manner.
  • Spread sheet out your existing and historic risk at the very least, you don’t need fancy tools for this.
  • Don’t stop a business process but make the data owners aware of the risk, advise and get their acknowledgement.
  • In most cases you won’t require top of the line applications or hardware, get creative and think off the shelf and open source.
  • Try and get security involved in the project definition requirements stage and you too could achieve nirvana.

Most organizations during this economic crisis are struggling, mostly with the challenges of lack or budget or skilled human resources. Mr. Ellis presented a formula to explain some of the challenges: (Security) Value=R (Resources)*C (Capabilities) R=Time + Money C=Skill*Effort*Effectiveness Mr. Ellis has successfully achieved a process to hunt malware in Akamai’s 10 PB (yes, petabyte!) cloud on a small budget, using open source tools and a security team of a dozen or less. Each organization or team must add value to their titles in these tight fiscal periods. Justify your position and improve your department while using both in and out of the box thinking to achieve or exceed the security poverty line. This topic is one of the few which can be achieved in information security. Grab hold of a win while you can! More information: Andy Ellis’ Blog: http://www.csoandy.com/ Andy Ellis’ Twitter: @csoandy Link to the PDF of the presentation: Link “Living Below the Security Poverty Line,” Wendy Nather, of The 451 Group: Link YouTube link to video when available

Android You Broke My Heart, (Pen name: Ry0ki) 2600 Volume 27, Number 4, Winter 2010-2011

It wasn’t Christmas or Arbitrary Day, but there it was my new toy impeccably wrapped and waiting: my new Android cell phone! I was so excited and I carefully peeled back the packing and wrapping layers. My fingers tingled with delight to reveal my new HTC Magic. It was gleaming white with sharp graphics and the promise of storing my life in it; my more organized and productive life. I was able to get over the initial fumbling with the OS and the touch screen over a few weeks and began using my new phone. I filled it with contact information like emails, phone numbers, photos and I transitioned all my contacts from my old phone to the new super shiny one.

Introduction

My big troubles with the operating system on my phone began during a job interview, one with the potential for a lot of money, I might add. The interviewer was horrible, so I wasn’t really expecting a call back for the job. Although for the money, I might have worked there anyways. I’m in IT. I sold my soul years ago, but I digress. I discovered the hard way that my phone had been automatically routing all calls to my voice mail, while at the same time shutting off the notifications for new voice mails or missed calls. Maybe it started a couple of days after the interview. It must have been an unannounced feature called “Silence,” offering peace of mind by never allowing my phone to ring. To add to the complexity of my issue, my cell phone provider automatically erases unsaved voice mail messages after three days. I searched through what I thought was everywhere in the phone to re-enable notification of incoming calls, but I couldn’t find any setting. I figured, “Google, I bought your phone; feed me baby.” I must mention under duress, I didn’t check with my spouse. But that’s another story.

My Heat Crumbling

Within 30 minutes I found two Android forum posts with similar issues. One said do a hard reset. The other said to install a shortcut program called Any Cut and to re-run the initial phone setup. I chose the “run setup” again” route as a couple of people posted that even after the hard reset, the problem came back. The Any Cut solution post said the issue was due to a corrupt configuration file that could only be corrected if you have root level access or re-run setup. I didn’t’ have root level access so I re-ran setup. This is where things began to get a little strange. I went through setup again, but made a fatal mistake! I entered the wrong password for my Gmail account once. Once, only one little itsy bitsy, teenie weenie problem, I got the Android version of the blue screen of death, “Waiting for Sync. Your email will appear shortly.” Everything with the Android OS is based on your Gmail credentials. You don’t need a SIM card for the phone to work, but you must have a Gmail account. Funny thing though… if you run setup again and you enter the wrong credential, you are locked out of a great majority of features on the phone. The only fix per Google; hard reset. Really? Enter your credentials wrong just once and you have to wipe the phone?

What worked and didn’t after invalid credentials presented

My contacts were gone. No contacts listed. I was left with a barren message: “You don’t have any contacts to display. Go to your menu and Edit Sync Group.” I suddenly felt very lonely. My entire call log was fully available, just no names associated with the phone numbers. As I cleared out my log, all numbers incoming or outgoing were listed with dates, times, call length, call status of missed calls if applicable and call direction. I guess root has the contacts properties but any user has the call log. No phone numbers were stored on my SIM by default with Android. There is no menu to force save your contacts to the SIM. The only SIM contacts the Android OS phone was willing to import from my SIM were the cell provider’s default contacts. I am not one to memorize random numbers. I theorize the human brain has a maximum of short and long term memory and there is no use adding useless information. Hence, some contact details I didn’t memorize. I went to check if my SMS messages were available, theorizing they may be because I could see my call log. I thought maybe I could rebuild my contact list based on the content of the messages. All of my SMS messages were available but with no names associated with them. I had never cleared my SMS log, so all messages incoming and outgoing were retained and available from the inception of the phone service. My meet up, greet up, lovely, or angry sexy time related flipping SMS messages to said spouse or others were still available. Everything! Frack man. I could receive Google Talk chats inbound via my regular Gmail account name and could respond only to those Google Talk messages. Yet, I was not logged into the phone with valid credentials. I tried the built in Chrome browser. My heart sunk. When I opened my browser, it took me to my domain Google mobile page. I could not access my applications like email unless I put in my business domain credentials, luckily. Could this mean that no matter if you are logged into the phone with valid credentials or not, the former person’s home page, browsing history (yes, complete from the last time I dumped cache), and possible credentials for services are still retained somewhere on the phone? That is already a great deal of information about a person to be essentially accessible to anyone logged into the phone or not. The Android Market was fully accessible. At that point I should have been logged out of the Android Market. I hadn’t bought an application. This would allow access to the Google pay system associated with my <sameusername@google.com> regardless if I were logged in as <sameusername@google.com> or not. Per the Android release notes for 1.6, access to the market should be restricted if you’re not logged into the phone with a valid Gmail account. This would make sense, as this allows full access to the pay system. I guess the release notes need some correcting. The reason the market was accessible is due to one or more of my applications already in the notification bar requiring updates. Going directly from the notifications bar, I could access the market, update my software and download any software. This appears to override the need for credentials. About a week went by and I woke up one morning to my phone not really working OS-wise. The Android Market wouldn’t let me in and the phone now wanted me to log into Gmail. I used my trusty Any Cut and I ran the setup wizard again. I tried my credentials again and got the same message: “waiting for sync: this may take up to 5 minutes.”

A Different Tactic

I decided to create another Gmail account. This time is was <sameusername>1@google.com. I logged into the phone OS and the built-in browser showed via Google search that I was logged in as <sameusername>1@google.com. I could use the Android Market again. I was happy at this point, until I got an incoming Goggle Chat from my spouse. I had created the new account not more than 15 minutes prior to the incoming chat so no one knew about it yet. I answered back, “What Gmail account did you send this to?” The response, “<sameusername@google.com> – the only account I know about.” I was, at this point, logged into the phone but as <sameusername>1@google.com. I had full access to <sameusername@google.com> chats and could talk back and forth with my Gmail contacts logged in as someone else. My Chrome home page to me to my <sameusername@google.com> Google application home page. If I went to a Google search via the built in browser at the bottom of the page, it showed I was logged in as <sameusername>1@google.com. No contacts were listed still, but my entire call log was available. All browsing history since the last dump remained. I could not use the built-in Gmail application, but I could use the Chrome browser to navigate to both accounts.

All Was Never What It Seemed

My spouse, a “you should have asked me – I am a master programmer and can fix almost anything,” was right. I handed my phone over because it was still unable to receive incoming phone calls. Little did I know this setting is in the “main settings,” “call settings,” “GSM call settings,” “additional GSM only call settings,” “call forwarding,” then finally “always forward with my international voice mail phone number built in by default. Otherwise known as an infinite loop of insanity.

Conclusion

You don’t need root; you don’t really need to “hack” anything. On any 1.6 (probably beyond too) version of an Android OS cello phone, force a re-run of setup, enter the wrong credentials on purpose, and you have sweet access to the previous settings and plenty of private information to keep you naughty. I have heard the claim “well, not in newer versions.” Then I suggest Google force their manufacturers to maintain the OS. If the issue isn’t fixed, consumers with version 1.6 are stuck with a huge gaping security hole. “New” Android Tablet PCs are shipping with the 1.6 version to unsuspecting users. All information stored on an insecure phone OS is fair game, including your contact information. I agreed to the terms and conditions, but my contacts weren’t given that option. My journey ends here. An affair with a phone OS that broke heart, and is willing to leak my data to anyone.

This is a repost from the original by the author from 2600 Magazine, Winter 2010-2011