Posts by Pablo Endres

Who signed the .apk file?

After a while searching for an older version of an App from the Play Store, I finally found the version I wanted and downloaded it.
In order to install it, you have to “Allow the installation from unknown sources”. So there goes the chain of trust for the app.

Android

So how do you know:

  • Where did the app came from ?
  • Did someone plant Malware in it?
  • Can I trust it?

These are cases for your trusted cryptographer or in the case your certificates.

Basically you need fo follow these steps:

# Dump the apk information
$ANDROID_HOME/build-tools/23.0.0_rc2/aapt dump badging www.apks.org-de.hafas.android.db.apk |grep package

# verify the signer
jarsigner -verbose -verify www.apks.org-de.hafas.android.db.apk |less

# Verify that all files have been signed with the same key
jarsigner -verbose -certs -verify www.apks.org-de.hafas.android.db.apk |less

 

Error -505 while installing Android App

gnome-dialog-error

I’ve had the DB Navigator app trying to update itself for the last 3 to 12 months, but hadn’t really put some time into figuring out why it didn’t work.  If figured I was not the only one affected so they would fix it themselves someday. Since that never happens, I took some time and wrote this post.

In a nutshell the problem is that the ticket database was owned by another DB app: de.bahn.dbtickets. I uninstalled it and then could update / re-install the DB Navigator app.

How did I figure this out?, you say

  1. Enabled developer mode on my phone
  2. Connected to it and used adb logcat to see the logs
  3. Tried to install the app
  4. Found this in the logs

E/Finsky (28878): [1] PackageInstallerImpl.handleCommitCallback: Error -505 while installing de.hafas.android.db: INSTALL_FAILED_DUPLICATE_PERMISSION: Package de.hafas.android.db attempting to redeclare permission de.bahn.dbtickets.permission.WRITE_DB already owned by de.bahn.dbtickets
W/Finsky (28878): [1] 3.installFailed: Install failure of de.hafas.android.db: -505 null

So the highlighted part is what told me the problem.

Have fun.

SEO DAY expert workshop: web security

logo-seoday-2015

Save the date: 25.10.2015

I’ve been invited to give a workshop as part of the SEO-DAY 2015 Expert Workshops in Cologne on October 25th 2015. I’ll be talking about web security, covering topics like server hardening, WordPress security and SSL configuration.

 

The overall contents looks like this for now:

  • Introduction
  • Internet security basics
  • Security mindset
  • Server basics: SSL, soup kitchens, etc
  • Server hardening -> focus Linux
  • Web server hardening: apache, ngix
  • Database hardening
  • WordPress security
  • Live demos and security testing
  • Any other topics

So here is the thing, would actually would like to shape the talk about what people want to learn and discuss about. So you have until the October 1st to suggest topics and vote them up. I think the comments section here would be the best place for that.

Date: 25.10.2013
Place: Cologne, Germany. Startplatz
Language: Slides English / Spoken in German

Additional details and tickets can be found on the on the SEO Day web site

 

Security mindset reviewed by Matty Beddoes

I normally try to post only original content, but I ran into an interview with Matty Beddoes at Tripwire THE STATE OF SECURITY which is worth sharing. It is a good reminder that security is not just about controls and suits but also about hacking (learning driven by interest) and having the correct mindset really helps.

Here is the money quote:

"

It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.

Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.

This problem is found all over the place but it usually changes after a company has been hacked. And that’s where I came in.

"

I have also seen this attitude a lot, although I welcome the people that find themselves at the other side of the engagement and see the opportunity that it being given to them to learn and grow..  event make a business or career out of the experience.

deutschlandfunk

old time radio
At the end of last year a friend gave my contact information to a radio producer with an interesting project. She wanted to learn as much she could as you can from a person through different means:

  • Getting his writing analyzed
  • Getting his voice analyzed
  • Using a private detective to follow him for a couple of days
  • And of course the digital perspective (which is where I tried to pitch in)

Basically we had a target (which gave us written permission to hack him and his systems) and the idea was to go, collect all the information we could from his online presence, hack any of his accounts and / or his personal computer. One of the things we had in mind, was since “the Target” was one of the producers, is that we didn’t want to kill any of his devices.

Keep Reading →

sysunconfig

I just released a set of scripts that come in handing when creating clean images for virtual environment, heck you can even use it for cloud images.

What they do is:

  • clear all the logs
  • clean up the networking scripts, because the normally get references to the mac address in CentOS
  • clean up the repository files
  • in some cases create a root user

There are scripts for: CentOS 6, Debian and OpenSuse.

They can be be found in the tools section or in github.

Workshops in Cologne

"Dreamarena Extreme" by denisdervisevic, CC-BY-2.0.

I’m going to be giving to workshops in Cologne in July, with what I think are really fun topics: WordPress Security and Hands-on security for beginners.

So embrace this opportunity to learn some hacking or security for a one time only startup friendly price

Keep Reading →

Horizon and cookies

openstack-logo-100x100

I’ve been working with the Havanna release of OpenStack the last couple of days and ran across a default setting that should be avoided in any deployment: using cookies as the session backend.

The source of the problems has been known at least since October 2013  in Django and other frameworks: clear-text client-side session management.
There is even OSVDB entry and Threatpost covered it in an article.

Keep Reading →

Launch of Practical security

#practicalsecurity

This is a topic that I have been thinking about for a long time and finally started creating some content for it. The idea is to create a series of posts, workshops and presentations that will help create security awareness at many levels. The topics will go across the board but I will be starting with those I think will have a greater impact in reducing the amount of low-hanging fruit out there.

Keep Reading →

Social over-sharing

Image from www.avgjoeguide.com

In some parts of the world over-sharing or just sharing information about you, your life-style and family can be really dangerous. There are many types of information one can over-share on the Internet, typically on social media sites like Facebook, Twitter, Google+ or Foursquare :

  • Personal information, for example: name, maiden name, birthday, schools we attended, who are our friends and family, pictures.
  • Geo-location or location information: this information tells people where you are and where to find you. Keep Reading →
12345Next