COVID-19 Survival Strategies for Hackers

And how to make normality better than it was before the lockdown.

Like me, you’ve probably been stuck at home for at least a week. These can be trying times but they can also be a lot of fun. We as a community have been trying to entertain ourselves and our friends more than ever by gaming more, chatting on IRC and Discord more, basically being on Twitter 24 hours a day, and churning out content. This is all awesome and will help us feel less lonely, and kinda productive. Some of you guys reading this might be feeling stuck or bored if you’re used to going to the office every day and seeing your colleagues in real life, so here are some things that you could do to occupy yourself:

  • Pick a topic you’ve never had the time to study and get on YouTube and find somebody talking about it. Great examples include hardware hacking videos by @cybergibbons and bug bounties (mostly web and mobile AppSec) by @nahamsec.
  • Learn a language like Chinese. YoYoChinese has some of the best content and learning some rudimentary Chinese and knowing how to type with PinYin will open up new avenues in your career in the future IMO.
  • Blog about your life, things you’ve done at work, wee things you know how to do that most people might not. Use WordPress and set up a site like mine.
  • If you’re working from home (WFH) and your employer or client doesn’t mind too much, stream what you’re doing on your screen via Twitch. You might only get a couple of viewers, but show them what you’re doing, talk through it, and you might get a bit of satisfaction knowing you’ve taught somebody something.
  • Read that book (or use Audible) that you’ve always wanted to. I’ve been learning about The Gulag Archipelago by Aleksandr Solzhenitsyn by watching Jordan Peterson talking about it; I’m hopefully gonna get around to reading it too.
  • Take up photography. I recently bought a used Canon EOS 500D and a new 50mm lens. It makes for some beautiful photos, much better than anything I can do with my iPhone.

Any of the above will help you stave off boredom and, especially the learning points, will help you improve yourself a little bit during the lockdown.

If you’re ever bored reach out to me on FreeNode, my nick is Jabo, or on my Twitter @Jabo_SCO. I’m always up for a chat.

Stay safe, James xx

[Wire Security] Threat Modelling using STRIDE

This is a cross-post from https://www.wire-security.com

I’ve worked on a couple of threat modelling jobs for Wire-Security. We take a STRIDE approach to the methodology. You’ll come across many resources online from other bloggers etc. that will be a much more comprehensive guide for some people, but I’m going to keep it simple here, and hopefully satisfying, and write about what works for us.

STRIDE works well as a guide for writing part of your report; however, we also need to add a graphic.

Flow Diagram

Your flow diagram is going to be the first thing you do after reading the documentation. You will probably come back to it numerous times to refresh it, add more vectors, etc., but this visualisation is paramount and will keep your mind focused as you work through your report.

STRIDE

STRIDE stands for:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure (privacy breach or data leak)
  • Denial of service
  • Elevation of privilege

With this you are going to consider various theoretical attacks that you can group under each heading. Below is a breakdown of the guidance we use when approaching a threat modelling exercise with a STRIDE methodology.

Spoofing

In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
This category is concerned with authenticity.

Tampering

Tampering refers to malicious modification of data or processes. Tampering may occur on data in transit, on data at rest, or on processes.
This category is concerned with integrity.

Repudiation

Repudiation refers to the ability of denying that an action or an event has occurred.
This category is concerned with non-repudiation.

Information Disclosure

Information Disclosure refers to data leaks or data breaches. This could occur on data in transit, data at rest, or even to a process.
This category is concerned with confidentiality.

Denial of Service

Denial of Service refers to causing a service or a network resource to be unavailable to its intended users.
This category is concerned with availability.

Elevation of Privileges

Elevation of Privileges refers to gaining access that one should not have.
This category is concerned with authorization.

The process used to develop a threat model depends on product/service documentation and on knowledge and insight from developers, product owners, expert users, etc., usually gathered through interviews.

One or more visual representations of the target system(s) are produced to ensure that the team’s understanding of the system is aligned with the purpose of the threat modelling exercise. From there, threats are listed, documented, and weighted for relevance. Additionally, potential mitigation actions, if any, are identified.

A threat modelling exercise is not a risk assessment. The evaluation of probability, which is critical for risk qualification, is not a formal part of threat modelling. As such, information collected during a threat modelling exercise can augment a risk assessment but should never be considered an expression of risk on its own.
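The process above (diagram elements, threats listed per STRIDE category, weighted for relevance, mitigations noted) can be turned into a small script so the threat table is generated from the flow diagram rather than typed by hand. The example below is an added illustration, not code from the Wire Security post. It goes beyond the post in one way: it uses the common STRIDE-per-element convention (external entities get S and R, processes get all six, data stores get T, I, D plus R when they are audit logs, data flows get T, I, D), which is an assumption of mine rather than something the post states. The sample system, element names and mitigations are constructed; the relevance weight is deliberately not a probability, in keeping with the point that threat modelling is not a risk assessment.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example, not code from the Wire Security post. The per-element
applicability table is the common STRIDE-per-element convention (an
assumption here); the sample system and mitigations are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE letter -> (threat category, security property it violates), as in the post.
STRIDE: Dict[str, Tuple[str, str]] = {
    "S": ("Spoofing", "authenticity"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# Which categories are usually considered for each kind of diagram element.
# ASSUMPTION: the standard STRIDE-per-element default; a real exercise may extend it.
APPLICABLE: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",  # R only matters for stores that act as audit logs
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                      # key of APPLICABLE
    crosses_trust_boundary: bool = False
    is_audit_log: bool = False


@dataclass
class Threat:
    element: str
    category: str                  # one STRIDE letter
    name: str
    violates: str
    relevance: int                 # 1..3: relevance to this exercise, NOT probability
    mitigation: str = ""


def enumerate_threats(elements: List[Element],
                      mitigations: Dict[Tuple[str, str], str]) -> List[Threat]:
    """Walk every element and emit one Threat per applicable STRIDE category."""
    out: List[Threat] = []
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            if letter == "R" and el.kind == "data_store" and not el.is_audit_log:
                continue
            name, prop = STRIDE[letter]
            # Elements on a trust boundary are weighted higher. This is a relevance
            # weight for the report, not a likelihood estimate.
            relevance = 3 if el.crosses_trust_boundary else 2
            out.append(Threat(el.name, letter, name, prop, relevance,
                              mitigations.get((el.name, letter), "")))
    return out


def group_by_category(threats: List[Threat]) -> Dict[str, List[Threat]]:
    """Group threats under the six STRIDE headings, as the report does."""
    grouped: Dict[str, List[Threat]] = {k: [] for k in STRIDE}
    for t in threats:
        grouped[t.category].append(t)
    return grouped


def unmitigated(threats: List[Threat]) -> List[Threat]:
    """High-relevance threats with no mitigation noted: the items to raise first."""
    return [t for t in threats if t.relevance == 3 and not t.mitigation]


def sample_model() -> Tuple[List[Element], Dict[Tuple[str, str], str]]:
    """Constructed DFD for a mobile app talking to an API (not a real system)."""
    elements = [
        Element("User", "external_entity", crosses_trust_boundary=True),
        Element("Mobile app", "process"),
        Element("API", "process", crosses_trust_boundary=True),
        Element("User DB", "data_store"),
        Element("Audit log", "data_store", is_audit_log=True),
        Element("App -> API", "data_flow", crosses_trust_boundary=True),
    ]
    mitigations = {  # constructed; keyed by (element, STRIDE letter)
        ("User", "S"): "MFA on login",
        ("App -> API", "I"): "TLS 1.2+ with certificate pinning",
        ("App -> API", "T"): "TLS 1.2+ with certificate pinning",
        ("API", "E"): "Server-side authorization check on every endpoint",
    }
    return elements, mitigations


def render(threats: List[Threat]) -> str:
    """Plain-text table grouped by STRIDE heading, for pasting into a report draft."""
    lines = []
    for letter, group in group_by_category(threats).items():
        name, prop = STRIDE[letter]
        lines.append(f"== {name} (violates {prop}) ==")
        for t in group:
            lines.append(f"  [{t.relevance}] {t.element}: {t.mitigation or '(no mitigation noted)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    els, mits = sample_model()
    ts = enumerate_threats(els, mits)
    print(render(ts))
    print(f"\n{len(unmitigated(ts))} high-relevance threats still unmitigated")
```

The output is only a starting list: each generated row still needs the analyst to describe the concrete attack for that element and to decide whether the noted mitigation actually covers it, which is where the interviews and the flow diagram come back in.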

Conclusion

Thank you so much for reading. As of right now most of us are in lockdown due to the 2019-nCoV Coronavirus, so if you have some knowledge to share with the community then please do! There are loads of videos, streams, talks, blogs, etc. coming from everyone in #InfoSec and it’s lovely to see.

Stay safe, James xx

[Wire Security] How to Pentest Mobile Apps in 2020 – A Sensible Approach

This is a cross-post from https://www.wire-security.com

Introduction

I’m James and I’m a consultant here at Wire Security. I’ve been an app developer since 2012 and I’m just getting started in my career in security. I’ve always felt like a hacker and these days I’m over the moon to actually be one! I’m going to be writing more articles here regularly so please remember to check back and keep an eye on our company Twitter feed: @Wire_Sec

Old News

Over the years other people in the industry have developed guides and tools to forensically analyse mobile apps, which made pentesting easier. Unfortunately many of those tools were dependent on specific Android/iOS releases or other factors which make them no longer usable.

On a recent engagement with Wire Security I took the lead on an Android and iOS app report where the items in scope were:

1) The app sandbox on rooted/jailbroken devices and on non-compromised devices too,

2) External network communication, and

3) Device memory

We were interested in sensitive user data, any credentials being leaked, etc. The client gave us the source code. After stumbling through many outdated mobile pentesting guides and lists of tools, I took a step back to consider my requirements carefully. The approach I used in the end was very simple.

Simple New Approach

With most guides and toolsets published on GitHub being out of date, or not working on the latest iOS and Android versions, I had to manually do most of the work where my goal was to analyse memory, the app sandbox, and key storage. These targets are going to be very similar in most mobile app penetration tests in 2020 and beyond so if I can help you lay down a simple, standard attack process then you can take that forward and own it, and play with it as you like. Alongside my no-frills methodology I had two important devices, which were a jailbroken iPad Mini 4 and a rooted Huawei P20 Pro. You don’t need physical devices when services like Corellium exist (for now), but they are nice. Note: the Android Emulator (AVD) has support for root.

MEMORY ANALYSIS

On Android you can use adb shell am dumpheap <pid>. This command gives a dump of the memory heap of the chosen app or process. Use ps -aux <package name> to find the PID. Very handy with breakpoints in the source code. If you pass the output to a file then you can open it with vim or your favourite text editor to search for interesting nuggets like apiKeys. In vim you can use :%!xxd to view the hex output. You can also use strings to filter interesting human-readable text from the file. Android Studio has awesome built-in functionality for memory profiling. DZone did a write-up on the usage of Android Studio.

On iOS, Xcode also has a fantastic collection of memory tools including heap analysis. ZenDesk Engineering wrote a great piece on this.
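Searching a heap dump by hand with strings and vim works, but it does not scale across a large dump or across repeated runs. The script below is an added example (not from the post or from Wire Security) that automates the same idea for either platform: it extracts printable runs from a dump file the way strings does (ASCII and, as an extra the post does not mention, UTF-16LE), then flags runs that either carry a credential-like name before an = or : or look like a random high-entropy token. The dump bytes, the name list and the entropy threshold are constructed assumptions for the demo; on a real engagement you would point find_candidates at the file written by am dumpheap or exported from Xcode.

```python
"""Flag candidate secrets in a memory/heap dump.

Added example, not code from the post. SAMPLE_DUMP is a constructed byte
string standing in for a real heap dump; NAME_RE and the entropy threshold
are illustrative assumptions, not a complete secret taxonomy.
"""
import math
import re
from typing import List, Tuple

MIN_LEN = 8  # same idea as `strings -n 8`

# Credential-like names followed by = or : and a value. ASSUMPTION: illustrative list.
NAME_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd|authorization)\s*[=:]\s*\S+")
# Long runs of token characters; checked for entropy below.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs (Java/ObjC strings are often UTF-16)."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    utf16_runs = [m.group().decode("utf-16-le")
                  for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]
    return ascii_runs + utf16_runs


def shannon_entropy(s: str) -> float:
    """Bits per character; a 40-char run of 'A' scores 0, a random token scores ~4-5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def find_candidates(blob: bytes, entropy_threshold: float = 3.5) -> List[Tuple[str, str]]:
    """Return (kind, text) pairs: 'named-secret' for name=value hits, 'high-entropy' for tokens."""
    hits: List[Tuple[str, str]] = []
    for s in extract_strings(blob):
        if NAME_RE.search(s):
            hits.append(("named-secret", s))
            continue
        for tok in TOKEN_RE.findall(s):
            if shannon_entropy(tok) >= entropy_threshold:
                hits.append(("high-entropy", tok))
    return hits


# Constructed stand-in for a heap dump: an hprof-like header, a URL, a key,
# padding, a UTF-16 string, a header, a low-entropy run and a bearer-style token.
SAMPLE_DUMP = (
    b"\x00\x01\x02JAVA PROFILE 1.0.3\x00"
    + b"\x00\x00https://api.example.test/v1/login\x00"
    + b"\xff\xfe" + b"apiKey=Qz8vP2mT7kL4nR9wX3bH6jF1dS5aU0cE\x00"
    + b"\x00" * 16
    + "password: hunter2hunter2".encode("utf-16-le")
    + b"Content-Type: application/json\x00"
    + b"X-Session-Id: 9fK2pQ7sL4mN8vB3cR6tY1wZ5aH0dJ\x00"
    + b"A" * 40 + b"\x00"
    + b"token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0\x00"
)


def scan_file(path: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for a real dump on disk (e.g. the file written by am dumpheap)."""
    with open(path, "rb") as fh:
        return find_candidates(fh.read())


if __name__ == "__main__":
    for kind, text in find_candidates(SAMPLE_DUMP):
        print(f"{kind:13s} {text}")
```

Anything flagged is a lead, not a finding: the next step is to trace the value back to the code (the source you were given makes this easy) and confirm whether it is a long-lived credential that should never sit in process memory in the clear, or something short-lived that is expected to be there.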

APP SANDBOX

On rooted Android you can use a file manager like File Explorer Root Browser to browse the app sandbox storage.

With a jailbroken iOS device you can install Terminal from Cydia or SSH into your device and explore the app sandbox storage.

KEY STORAGE

With Elcomsoft tools, on Android you can browse Google Drive backups (which can contain app data), and on iOS you can browse the KeyChain backed up by iTunes.

Outro

Thanks for taking the time to read! If you have any comments you can reach me on Twitter: @Jabo_SCO