*© Copyright 2013 viaForensics, LLC. Proprietary Information.
Mobile security, forensics & malware analysis with Santoku Linux
IN MEMORY OF
Alois Charles Hoog, Sr.(1920 - 2013)
Husband, Father of 5
Grandfather of 12, Great Grandfather of 9
United States Army Air Corps (Retired)
And a true Master Craftsman that any Geek
would be proud to call Grandpa
We will miss you dearly.
PRESENTER
Andrew Hoog (CEO/Co-Founder)
Andrew is a published author, computer scientist, and mobile forensic/security researcher. He has several patents pending and does frequent presentations/briefings.
Additionally, he participated in many hack(y sack) circles in college instead of classes.
VIAFORENSICS OVERVIEW
viaForensics is a mobile security company founded in 2009.
Bootstrapped, with ~40 employees and a
10 person dedicated mobile security R&D team.
Some of our f/oss:
- YAFFS2 in TSK
- AFLogical OSE
- Santoku Linux
...
RECENT CONFERENCES
SANTOKU - WHY?
Chart: units shipped (millions) by device type (desktop PC, portable PC, tablet, smartphone); 2012 total 1,201.1 versus 2017 (projected) total 2,250.3.
SANTOKU - WHAT?
SANTOKU - HOW?
- Install Lubuntu 12.04 (precise) x86_64
- Santoku-ize it
You should get (after reboot)
A Different Kind of Hacking
The History of Footbag
The concept behind footbag, intercepting an object in flight and keeping it airborne using all parts of the body except the hands and arms, is not a new idea.
Rather, as surprising as it may seem, the roots of our modern-day kicking game are to be found in ancient Eastern cultures.
Shown here are people playing Sepak Takraw in the streets of Malaysia.
MOBILE FORENSICS
FORENSIC ACQUISITION TYPES

Logical
  Description: read device data via backup, API or other controlled access to data
  Use cases: fast; data generally well structured
  Challenges: often very limited access to data; usually requires the passcode (an unlocked device)

File system
  Description: copy of the files of the file system
  Use cases: more data than logical; re-creating an encrypted file system
  Challenges: requires additional access to the device; many file system files are not responsive to cases

Physical
  Description: bit-by-bit copy of the physical storage
  Use cases: most forensically sound technique; increases the chance of recovering deleted data
  Challenges: cannot pull the hard drive on mobile devices; the FTL (flash translation layer) may not expose bad blocks
iOS Logical
- Connect the device (enter the PIN if needed)
- idevicebackup2 backup <backup dir>
- idevicebackup2 unback <backup dir>
- View the backup / the unpacked backup
iOS Logical
iPhone Backup Analyzer
The History of Footbag
While the co-operative kicking sport has ancient origins in China, Thailand, Native America and nearly every country, Hacky Sack or Footbag, as we know it today, is a modern American sport invented in 1972 by John Stalberger and Mike Marshall of Oregon City, Oregon.
Marshall had created a hand-made bean bag that he was kicking around. Stalberger was recovering from knee surgery and was looking for a fun way to exercise his knees.
Together, they called the new game "Hackin' the Sack." The two decided to collaborate and market their new game under the trademark "Hacky Sack®".
Mike Marshall died of a heart attack in 1975, at the age of twenty-eight. John Stalberger continued with the "Hacky Sack" cause and formed the National Hacky Sack Association. He later sold the rights for the Hacky Sack® Footbag to Kransco (operating under the Wham-O label), which also manufactured the Frisbee flying disc.
Android Logical
- AFLogical OSE
  https://github.com/viaforensics/android-forensics
- Reads Content Providers
- Push to phone, run, store on SD card
- Pull CSVs to Santoku for review
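Once the CSVs are on the Santoku box the first pass is always the same: which providers were dumped, how many rows each holds, and which rows mention a number or keyword of interest. The Python below is an added example, not AFLogical OSE's own code, that does that review over a constructed sample directory. It assumes each content provider landed in its own CSV with a header row and that date columns hold epoch milliseconds (how Android content providers store timestamps); neither detail is stated on the slides.

```python
"""Review CSVs pulled from an AFLogical OSE run (added example, not AFLogical's code).

Assumptions (not from the slides): one .csv per content provider with a header row,
and date columns holding epoch milliseconds. The sample directory is constructed inline.
"""
import csv
import os
import re
import tempfile
from datetime import datetime, timezone

EPOCH_MS = re.compile(r"^\d{13}$")  # heuristic: a 13-digit integer is epoch milliseconds

# Constructed sample dumps (assumed layout), not data from a real handset.
SAMPLE_FILES = {
    "SMS.csv": (
        "_id,address,date,type,body\n"
        "1,+15555550100,1365000000000,1,Your code is 123456\n"
        "2,+15555550199,1365003600000,2,On my way\n"
    ),
    "CallLog Calls.csv": (
        "_id,number,date,duration,type\n"
        "7,+15555550100,1365007200000,42,1\n"
    ),
}


def write_sample_dir():
    """Create the constructed pull directory and return its path."""
    d = tempfile.mkdtemp(prefix="aflogical_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(d, name), "w", newline="") as f:
            f.write(body)
    return d


def load_dumps(pull_dir):
    """Return {filename: [row dicts]} for every CSV in the pulled directory."""
    dumps = {}
    for name in sorted(os.listdir(pull_dir)):
        if name.lower().endswith(".csv"):
            with open(os.path.join(pull_dir, name), newline="") as f:
                dumps[name] = list(csv.DictReader(f))
    return dumps


def epoch_ms_to_utc(value):
    """Render an epoch-millisecond string as ISO-8601 UTC; leave anything else untouched."""
    if EPOCH_MS.match(value or ""):
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).isoformat()
    return value


def summarize(dumps):
    """Row count and column names per provider dump: the first thing to check after a pull."""
    return {name: (len(rows), list(rows[0].keys()) if rows else [])
            for name, rows in dumps.items()}


def search(dumps, pattern):
    """Rows in any dump with a field matching the regex, timestamps normalized to UTC."""
    rx = re.compile(pattern)
    hits = []
    for name, rows in dumps.items():
        for row in rows:
            if any(rx.search(v or "") for v in row.values()):
                hits.append((name, {k: epoch_ms_to_utc(v) for k, v in row.items()}))
    return hits


if __name__ == "__main__":
    pulled = load_dumps(write_sample_dir())
    for name, (n, cols) in summarize(pulled).items():
        print(f"{name}: {n} rows, columns={cols}")
    for name, row in search(pulled, r"5550100"):
        print(name, row)
```

The timestamp normalization is the part `grep` alone does not give you: a phone number that appears in both the SMS and call log dumps is only useful for a timeline once both dates are rendered in the same zone.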
AFLogical OSE
Install, run, extract
The Benefits of Hacking to Hackers
What do most hackers do while they're hacking?
They sit!
You don't need a Ph.D. in physiology or biomechanics to know that spending 8-16 hours in a chair is bad for you.
The Benefits of Hacking to Hackers
Hacky Sack:
Is Cooperative {much more fun in groups}
Is Legit Exercise {it will get your blood flowing}
Improves overall coordination
Can be played almost anywhere
Requires virtually no equipment other than sack
MOBILE SECURITY
APP SELECTION
Apps were selected based on popularity, number of downloads, or potential sensitivity of data. Approximately 50 apps have been reviewed and organized into categories:

Category            # apps reviewed
Finance             10
Lifestyle           11
Productivity        6
Travel              5
Social Networking   6
Security            6
Other               6
APP TESTING RESULTS
Chart: % of reviewed apps with issues, by finding: stored username, stored password, other medium or high risk, failed MITM (bar labels shown: ~80%, ~30%, ~50%, ~15%; axis 0 to 100%).
The "Rules" of Hacking
1. Cannot serve to self
2. Cannot say, "Sorry"
3. Cannot use hands
A Hack is one complete time around the circle.
Any.DO
- Business and personal task management app, iOS and Android
- Millions of users
- Many vulnerabilities, no response from the company
- https://viaforensics.com/mobile-security/security-vulnerabilities-anydo-android.html
Any.DO Analysis - Forensics
- Locate the Any.DO app directory:
    <path-to-backup>/var/mobile/Applications/com.anydo.AnyDO
- Examine the binary plist file (Library/Preferences):
    file com.anydo.AnyDO.plist -> Apple binary property list
- Convert the binary plist to XML:
    plutil -i com.anydo.AnyDO.plist -o com.anydo.AnyDO.plist.xml
- vi com.anydo.AnyDO.plist.xml
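The same three steps (find the app directory in the unpacked backup, recognise the binary plist, convert it and read it) apply to any app pulled with the iOS logical method above, so it is worth scripting. The Python below is an added example, not code from the page or from viaForensics: it builds a constructed backup tree in the layout the slide shows (var/mobile/Applications/<bundle id>/Library/Preferences/<bundle id>.plist), writes a binary plist with made-up keys, detects the bplist magic the way `file` does, converts it with plistlib instead of plutil, and flags credential-looking keys. The key names and values are assumptions for illustration and say nothing about what Any.DO actually stored.

```python
"""Locate an app's preferences plist in an unpacked iOS backup, detect the binary
format, convert it to XML and flag credential-looking keys.

Added example (not viaForensics code). The backup tree and plist contents are
constructed; the key names are assumptions, not findings about any real app.
"""
import os
import plistlib
import re
import tempfile

# Key names that usually deserve a look in a preferences plist.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|auth|session|email|user(name)?)", re.I)
BPLIST_MAGIC = b"bplist00"  # what `file` keys on for "Apple binary property list"


def prefs_plist_path(backup_root, bundle_id):
    """Path of <bundle id>.plist under Library/Preferences, per the slide's layout."""
    return os.path.join(backup_root, "var", "mobile", "Applications", bundle_id,
                        "Library", "Preferences", bundle_id + ".plist")


def write_sample_backup(bundle_id="com.example.app"):
    """Constructed unpacked backup with one app and a binary preferences plist."""
    root = tempfile.mkdtemp(prefix="ios_backup_")
    plist = prefs_plist_path(root, bundle_id)
    os.makedirs(os.path.dirname(plist))
    sample = {"AppVersion": "1.2", "userEmail": "alice@example.com",        # constructed values
              "authToken": "cafebabe-0001", "Settings": {"syncPassword": "hunter2"}}
    with open(plist, "wb") as f:
        f.write(plistlib.dumps(sample, fmt=plistlib.FMT_BINARY))
    return root


def find_app_dir(backup_root, bundle_id):
    """Return the app directory for a bundle id, or None if it is not in the backup."""
    apps = os.path.join(backup_root, "var", "mobile", "Applications")
    for name in os.listdir(apps):
        if name == bundle_id:
            return os.path.join(apps, name)
    return None


def is_binary_plist(path):
    """Same check `file` makes: the first 8 bytes are the bplist magic."""
    with open(path, "rb") as f:
        return f.read(8) == BPLIST_MAGIC


def plist_to_xml(path):
    """Equivalent of `plutil -i in -o out`: return the XML form as text."""
    with open(path, "rb") as f:
        data = plistlib.load(f)          # plistlib detects binary vs XML itself
    return plistlib.dumps(data, fmt=plistlib.FMT_XML).decode()


def flag_sensitive(obj, prefix=""):
    """Walk nested dicts/lists; return [(key path, value)] for credential-looking keys."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}/{k}"
            if SENSITIVE_KEY.search(str(k)) and not isinstance(v, (dict, list)):
                hits.append((path, v))
            hits.extend(flag_sensitive(v, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(flag_sensitive(v, f"{prefix}[{i}]"))
    return hits


def triage_app(backup_root, bundle_id):
    """Whether the prefs plist is binary, plus every suspicious key with its value."""
    if find_app_dir(backup_root, bundle_id) is None:
        return None
    plist = prefs_plist_path(backup_root, bundle_id)
    with open(plist, "rb") as f:
        data = plistlib.load(f)
    return {"binary": is_binary_plist(plist), "hits": flag_sensitive(data)}


if __name__ == "__main__":
    root = write_sample_backup()
    print(triage_app(root, "com.example.app"))
```

Anything this flags in a real backup is stored in plaintext in the app sandbox, which is exactly the "stored username / stored password" finding in the testing results above; a key name that matches but holds a keychain reference rather than the secret itself is the usual false positive, so check the value, not just the key.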
Any.DO Analysis - Forensics
Any.DO Analysis - Memory
- SSH into the iPhone: iproxy (forward a local port to the device over USB); ssh
- Find the app PID: ps -ef | grep <app-name>
- Dump RAM using gdb (script to extract RAM)
- Extract and analyze: scp; grep
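The "grep" step deserves more than `strings | grep`: that pipeline only sees ASCII runs, while an app's NSString contents frequently sit in memory as UTF-16, so a password typed into the app can be missed entirely. The Python below is an added example (not the gdb script or the grep used on the slides) that scans a raw dump for both encodings and reports offset, encoding and what matched. The dump bytes are constructed in the block, not captured from a device.

```python
"""Search a raw process memory dump for credential-looking strings in ASCII and UTF-16LE.

Added example; the dump below is constructed, not a capture from a real device.
"""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")             # what `strings` finds by default
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # what `strings -e l` would find
CRED_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "password-field": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
    "bearer/token": re.compile(r"(?i)(bearer|token)\s*[=:]?\s*[A-Za-z0-9._-]{16,}"),
}


def constructed_dump():
    """Fake memory image: padding, an ASCII form body, a UTF-16LE NSString, a token."""
    utf16 = "password=Sup3rS3cret!".encode("utf-16-le")  # invisible to plain `strings`
    return (b"\x00" * 64 + b"\x7fELF" + b"\xff" * 30
            + b"user=alice@example.com&remember=1" + b"\x00" * 17
            + utf16 + b"\x00\x00" + b"\x90" * 40
            + b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdef0123456789" + b"\x00" * 8)


def extract_strings(blob):
    """Yield (offset, encoding, text) for every printable run of 4+ characters."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_credentials(blob):
    """Return [(byte offset, encoding, label, matched text)] sorted by offset."""
    hits = []
    for off, enc, text in extract_strings(blob):
        width = 1 if enc == "ascii" else 2          # UTF-16 offsets count two bytes per char
        for label, rx in CRED_PATTERNS.items():
            for m in rx.finditer(text):
                hits.append((off + width * m.start(), enc, label, m.group()))
    return sorted(hits)


if __name__ == "__main__":
    for off, enc, label, text in find_credentials(constructed_dump()):
        print(f"0x{off:08x} {enc:8s} {label:15s} {text}")
```

On a real dump, feed it the file the gdb script wrote (`open(path, "rb").read()`) and extend CRED_PATTERNS with the app's own field names as seen in the plist and in the MITM traffic; credentials that survive in RAM after logout are a finding in their own right, separate from anything written to disk.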
Any.DO Analysis - Memory
The Kicks and Tricks
MOBILE MALWARE ANALYSIS
BadNews
- Android malware that masquerades as an innocent advertising network
- Packaged in many legitimate apps, usually targeting the Russian market
- Has the ability to download additional apps and prompts the user to install them, posing as "Critical Updates". It uses this mechanism to spread known malware, typically premium-rate SMS fraud.
- For more information see the report by Lookout: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/
apktool
- apktool is a tool for reverse engineering Android APKs: it disassembles the code to .smali files and also decodes the resources contained in the APK.
- It can also repackage the application after you have modified it.
- We can run it on a BadNews sample:

    $ apktool d ru.blogspot.playsib.savageknife.apk savage_knife_apktool/
    I: Baksmaling...
    I: Loading resource table...
    I: Loaded.
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: /home/santoku/apktool/framework/1.apk
    I: Loaded.
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Done.
    I: Copying assets and libs…

Source: https://code.google.com/p/android-apktool/
apktool -> smali
- We can grep the decoded output for known sensitive method calls and strings:

    $ grep -R getDeviceId .
    ./smali/com/mobidisplay/advertsv1/AdvService.smali:    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;

    $ grep -R BOOT_COMPLETED .
    ./AndroidManifest.xml:    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    ./AndroidManifest.xml:    <action android:name="android.intent.action.BOOT_COMPLETED" />
    ./smali/com/mobidisplay/advertsv1/BootReceiver.smali:    const-string v2, "android.intent.action.BOOT_COMPLETED"
apktool -> smali
- We can manually analyze the disassembled smali code provided by apktool.
- For example, here we see a broadcast receiver that listens for BOOT_COMPLETED intents and reacts to them by starting a service in the application.
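The two greps on the previous slide are the start of a checklist that is worth running over every apktool output tree: which telephony and SMS APIs the smali invokes, which permissions the manifest requests, and which receivers wake up on BOOT_COMPLETED (persistence without the user launching the app). The Python below is an added example, not part of the page or of apktool, that automates that triage. It builds a constructed two-file tree from the snippets the slides show (the AdvService getDeviceId call and the BootReceiver); the manifest contents, the extra permissions and the assumption that the package name equals the APK file name are all illustrative, and a real sample contains far more.

```python
"""Triage a decoded apktool tree: grep smali for sensitive API calls and read
AndroidManifest.xml for risky permissions and BOOT_COMPLETED receivers.

Added example (not apktool's own code). The tree below is constructed from the
class names and grep hits shown on the slides; the manifest details are assumptions.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SENSITIVE_CALLS = {   # smali invoke targets worth a second look
    "device-id": re.compile(r"TelephonyManager;->getDeviceId\("),
    "phone-number": re.compile(r"TelephonyManager;->getLine1Number\("),
    "imsi": re.compile(r"TelephonyManager;->getSubscriberId\("),
    "send-sms": re.compile(r"SmsManager;->sendTextMessage\("),
    "dynamic-load": re.compile(r"DexClassLoader;-><init>\("),
}
RISKY_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.READ_PHONE_STATE", "android.permission.INSTALL_PACKAGES"}

# Constructed manifest; the permission set beyond RECEIVE_BOOT_COMPLETED is assumed.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ru.blogspot.playsib.savageknife">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name="com.mobidisplay.advertsv1.AdvService"/>
    <receiver android:name="com.mobidisplay.advertsv1.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
ADV_SERVICE = """.class public Lcom/mobidisplay/advertsv1/AdvService;
.method private getImei()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
"""
BOOT_RECEIVER = """.class public Lcom/mobidisplay/advertsv1/BootReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v2, "android.intent.action.BOOT_COMPLETED"
.end method
"""


def write_sample_tree():
    """Lay out the constructed apktool output directory and return its root."""
    root = tempfile.mkdtemp(prefix="apktool_")
    pkg = os.path.join(root, "smali", "com", "mobidisplay", "advertsv1")
    os.makedirs(pkg)
    for name, body in (("AdvService.smali", ADV_SERVICE), ("BootReceiver.smali", BOOT_RECEIVER)):
        with open(os.path.join(pkg, name), "w") as f:
            f.write(body)
    with open(os.path.join(root, "AndroidManifest.xml"), "w") as f:
        f.write(MANIFEST)
    return root


def grep_smali(root):
    """Like `grep -R` over smali/: [(relative file, line number, label, line)]."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "smali")):
        for name in sorted(f for f in files if f.endswith(".smali")):
            path = os.path.join(dirpath, name)
            with open(path) as f:
                for lineno, line in enumerate(f, 1):
                    for label, rx in SENSITIVE_CALLS.items():
                        if rx.search(line):
                            hits.append((os.path.relpath(path, root), lineno, label, line.strip()))
    return hits


def read_manifest(root):
    """Package, risky permissions, and receivers whose filter includes BOOT_COMPLETED."""
    tree = ET.parse(os.path.join(root, "AndroidManifest.xml"))
    perms = {e.get(ANDROID_NS + "name") for e in tree.iter("uses-permission")}
    boot_receivers = [r.get(ANDROID_NS + "name") for r in tree.iter("receiver")
                      if "android.intent.action.BOOT_COMPLETED"
                      in {a.get(ANDROID_NS + "name") for a in r.iter("action")}]
    return {"package": tree.getroot().get("package"),
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "boot_receivers": boot_receivers}


def triage(root):
    """Combine the manifest view and the smali grep into one report."""
    report = read_manifest(root)
    report["smali_hits"] = grep_smali(root)
    return report


if __name__ == "__main__":
    print(triage(write_sample_tree()))
```

Point it at a real `apktool d` output directory instead of the constructed tree and the report is the same shape; a receiver in boot_receivers whose class also shows up in smali_hits (as BootReceiver and AdvService do for the mobidisplay package) is the combination to open in JD-GUI first.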
BadNews malware sample -> dex2jar -> JD-GUI
Contagio MiniDump malware repository: contagiominidump.blogspot.com
A LITTLE HELP, PLEASE.
- HOWTOs
- New/existing tool development
- .deb package maintenance
- Forums, spreading the word
https://santoku-linux.com | @SantokuLinux | @viaForensics
DON'T PANIC