All posts in Security

Who signed the .apk file?

After a while searching for an older version of an App from the Play Store, I finally found the version I wanted and downloaded it.
In order to install it, you have to “Allow the installation from unknown sources”. So there goes the chain of trust for the app.

Android

So how do you know:

  • Where did the app came from ?
  • Did someone plant Malware in it?
  • Can I trust it?

These are cases for your trusted cryptographer or in the case your certificates.

Basically you need fo follow these steps:

# Dump the apk information
$ANDROID_HOME/build-tools/23.0.0_rc2/aapt dump badging www.apks.org-de.hafas.android.db.apk |grep package

# verify the signer
jarsigner -verbose -verify www.apks.org-de.hafas.android.db.apk |less

# Verify that all files have been signed with the same key
jarsigner -verbose -certs -verify www.apks.org-de.hafas.android.db.apk |less

 

Security mindset reviewed by Matty Beddoes

I normally try to post only original content, but I ran into an interview with Matty Beddoes at Tripwire THE STATE OF SECURITY which is worth sharing. It is a good reminder that security is not just about controls and suits but also about hacking (learning driven by interest) and having the correct mindset really helps.

Here is the money quote:

"

It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.

Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.

This problem is found all over the place but it usually changes after a company has been hacked. And that’s where I came in.

"

I have also seen this attitude a lot, although I welcome the people that find themselves at the other side of the engagement and see the opportunity that it being given to them to learn and grow..  event make a business or career out of the experience.

deutschlandfunk

old time radio
At the end of last year a friend gave my contact information to a radio producer with an interesting project. She wanted to learn as much she could as you can from a person through different means:

  • Getting his writing analyzed
  • Getting his voice analyzed
  • Using a private detective to follow him for a couple of days
  • And of course the digital perspective (which is where I tried to pitch in)

Basically we had a target (which gave us written permission to hack him and his systems) and the idea was to go, collect all the information we could from his online presence, hack any of his accounts and / or his personal computer. One of the things we had in mind, was since “the Target” was one of the producers, is that we didn’t want to kill any of his devices.

Keep Reading →

Workshops in Cologne

I’m going to be giving to workshops in Cologne in July, with what I think are really fun topics: WordPress Security and Hands-on security for beginners.

So embrace this opportunity to learn some hacking or security for a one time only startup friendly price

Keep Reading →

Horizon and cookies

I’ve been working with the Havanna release of OpenStack the last couple of days and ran across a default setting that should be avoided in any deployment: using cookies as the session backend.

The source of the problems has been known at least since October 2013  in Django and other frameworks: clear-text client-side session management.
There is even OSVDB entry and Threatpost covered it in an article.

Keep Reading →

Launch of Practical security

This is a topic that I have been thinking about for a long time and finally started creating some content for it. The idea is to create a series of posts, workshops and presentations that will help create security awareness at many levels. The topics will go across the board but I will be starting with those I think will have a greater impact in reducing the amount of low-hanging fruit out there.

Keep Reading →

Social over-sharing

Image from www.avgjoeguide.com

In some parts of the world over-sharing or just sharing information about you, your life-style and family can be really dangerous. There are many types of information one can over-share on the Internet, typically on social media sites like Facebook, Twitter, Google+ or Foursquare :

  • Personal information, for example: name, maiden name, birthday, schools we attended, who are our friends and family, pictures.
  • Geo-location or location information: this information tells people where you are and where to find you. Keep Reading →

Smart phone / mobile phone tracking and privacy

The first hand-held mobile phone was demonstrated by Motorola in 1973 and since 90s, mobile phones have become one of the technologies that have the biggest impact on the way we live. Cell phones or mobile phones have reached an impressive 96.2% of the world population and have penetrations rates of over 100% in developed nations. This information technology has spread faster that any other, including TV, Radio and the Internet. Can you remember how we lived before cellphones?

Keep Reading →

Do Reverse Proxies provide real security?

OSSTMM

Have you ever questioned the security best practices?

In the process of building / designing the infrastructure for a new project the following question was asked: “shouldn’t we use a reverse proxy to secure or protect the web servers?” Of course the first question I asked myself is “do reverse proxies provide real security?” or is this a best / common practice that has been adopted without foundation? Keep Reading →

WebOS Security

I had the pleasure of attending WebOS Developer Workshop in Mainz on Saturday Thgtwi (@thgtwi) did a great job with the organization. SuVuK(@SuVuK_open) did a nice report on the contents of the Workshop in his blog.

I took the opportunity talk about Security in the WebOS platform. I ran some tests based on WebOS 3.X, which is currently available for the HP TouchPad and is being opensourced as Open WebOS. Keep Reading →

12Next