Archive for the ‘Android’ Category

DEFCON 25/Black Hat updates: July 28, 2017.

Friday, July 28th, 2017

Round 2:

  • The white paper for “Free-Fall: Hacking Tesla from Wireless to CAN Bus” (Ling Liu, Sen Nie, Yuefeng Du) is here. Slides here.
  • Slides for “Exploiting Network Printers” (Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk) are here.
  • Found slides for “Breaking Electronic Door Locks Like You’re on CSI: Cyber” here. (I called this one wrong: no Bluetooth. Not a complaint, just an observation.)
  • This is one that I saw, overlooked, and now am intrigued by: “All Your SMS & Contacts Belong to ADUPS & Others”. “Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China – without disclosure or the users’ consent.” Slides. White paper.
  • Slides for Vlad Gostomelsky’s “Hunting GPS Jammers”. I think this is one that really needs video, too.
  • “Intercepting iCloud Keychain” (Alex Radocea) slides.
  • And “The Future of ApplePwn – How to Save Your Money” (Timur Yunusov) slides.
  • And (hattip to Mr. Yunusov) “Jailbreaking Apple Watch” (Max Bazaliy). I haven’t compared these slides to the ones on the presentations server, just FYI.

Okay, lunch time is almost over, and I feel like I’ve done enough damage to the security community today. I’ll try to have more updates later today or tonight.

Actually, they can read your poker face.

Wednesday, October 26th, 2016

Or at least your cards.

This is a presentation that I overlooked from DEFCON 24, but the authors have now been blogging.

For somewhere between $1,300 and $5,000, you can buy a device that helps you cheat at poker.

The technology is quite interesting. It isn’t just “disguised” as a phone: the device is actually a fully functional Android phone, with a custom ROM and app that controls the cheating portion.

Ironically, there is a hardcoded backdoor password in the app, which makes this security measure pointless if you know the backdoor password.

How does it work? Hidden camera, concealed infrared LEDs, and…

What makes the whole thing work is the use of a special deck in which the four edges of each card are marked with IR-absorbing ink. As a result, when this marked deck is illuminated by the IR LEDs, the spots of ink absorb the IR, creating a sequence of black spots…
The sequence of black spots created by the IR illumination, illustrated in the photo above, is read remotely by the cheating device to infer a card’s suit and value. You can think of those markings as invisible barcodes.

So yes, you do need to slip in a marked deck. But the people who will sell you the phone will also sell you pre-marked decks, which are designed to look like they haven’t been messed with. And apparently the phone will pair with Bluetooth-based audio and haptic feedback devices, so you don’t even have to be looking at the display.

And yes, because it is based on marked cards, it will work with card games other than poker, too. (High-end bridge cheating? Chris Christie, call your office, please. Sorry, little joke there.)

The post that’s up now is just the first one in a promised series: I’ll try to link to the other ones as they go up.

DEFCON 24: 0-day notes.

Wednesday, August 3rd, 2016

Another year observing DEFCON remotely. Maybe next year, if I get lucky, or the year after that.

The schedule is here. If I were going, what would I go to? What gets me excited? What do I think you should look for if you are lucky enough to go?

(As a side note, one of my cow-orkers was lucky enough to get a company-paid trip to Black Hat this year. I’m hoping he’ll let me make archival copies of the handouts.)

Random thought.

Friday, September 11th, 2015

Sensors included on the iPad Air 2 and iPad Pro:

  • Touch ID
  • Three-axis gyro
  • Accelerometer
  • Barometer
  • Ambient light sensor

Not included: GPS, unless you purchase one of the cellular models. It looks like “assisted GPS and GLONASS” are built into the cellular chipset or something?

I keep thinking about getting an iPad or some other sort of tablet to supplement my first generation Kindle Fire. But it always comes back to this: I want GPS, and can’t get it. Okay, I could if I bought a cellular model, but:

  1. The cellular iPad 2 is $130 more than the Wi-Fi equivalents in every memory configuration. Same with the iPad Pro. Except the Pro only has one cellular/Wi-Fi memory config, and that’s over $1,000.
  2. I don’t want cellular data. I don’t have the $60 to $85 a month it would take to add a device to my plan. $60 to $85 a month is at least one good Smith and Wesson a year. I’d be perfectly happy with a device that just does Wi-Fi, as long as it has GPS. If I desperately needed data in non-Wi-Fi areas, I’d enable the hotspot feature on my phone – at least that’s only $30 a month, I think.

It isn’t just Apple, though. I’ve looked at Android tablets too. I’ve heard that Android gives you lower-level access to GPS data than iOS, but I haven’t been all that impressed by the Android tablets I’ve seen. The price/memory ratio just seems out of whack to me.

Best Buy, for example, is selling a Nexus 9 with 32GB of memory (which to me is a hard minimum; I’d prefer 64GB) for $432. I can get a Mini 2 for $319 from Apple, or a Mini 4 with 64GB for $499. Decisions, decisions. Do I want an Apple device that doesn’t have GPS, but that I can trust to be updated regularly and work for a while? (I’m still using a MacBook I bought in 2007 as my main computer.) Or do I want to buy another shoddy piece of crap Android thing that’s going to stop getting updates in 18 months, but does have GPS?

Or does it? The specs on Google’s site show the Nexus 9 does, but they also show it has a cellular chipset. Does the Wi-Fi only version do GPS? Can I buy a cellular tablet and use GPS on it without a carrier? Who knows? I can’t find that on Google’s site, the specs on Best Buy’s site don’t mention GPS, and asking a Best Buy employee seems like a good way to invoke the customer appreciation bat.

Am I making this too hard? Am I asking too much? All I want is a reasonably priced tablet that does GPS and doesn’t require a cellular data plan. Why is this so hard?

DEFCON 23 notes: August 7, 2015.

Friday, August 7th, 2015

I kind of skipped over yesterday, because Thursday is traditionally slow. And it is a little early for stuff to be up today, plus many of the good presentations are scheduled for tomorrow.

But! BlackHat 2015! Not everything from BlackHat gets duplicated at DEFCON, and vice versa, but there’s always some overlap. Some things that are already up:

There are a couple of other overlaps I’ve found (specifically the Josh Drake presentation on Stagefright and the Valasek/Miller car exploit) but those don’t have any slides or other material attached yet.

More links and stuff as and when I find it and am able to post.

Edited to add: Just noticed this on the DEFCON 23 site. Download the conference CD optical disc here. Woo hoo woo hoo hoo. (The .rar file is 419 MB. Good thing I work for a networking company.)

DEFCON 23: -2 day notes

Tuesday, August 4th, 2015

DEFCON 23 starts Thursday. Black Hat USA 2015 starts tomorrow.

Once again, it doesn’t look like I’m going to make it out to Vegas. Once again, I’m going to try to cover things from 1,500 miles away. It isn’t completely clear to me that anyone other than me is getting any benefit from this, but I’ve been doing this for long enough that I have a hard time stopping now.

Here’s the schedule. There are several presentations that are already getting media attention:

So what would I go see if I was there? What sounds interesting to me?

Changing the face of dining.

Friday, January 31st, 2014

We have a noodle truck at the office on Thursdays.

The Forbidden. Beef stewed for four hours in an Indonesian-style red curry. DFG Noodles, Austin, Texas.

And it is pretty damn good.

And they take credit/debit cards. You’ve seen it before, haven’t you? iPad with a credit card swiper, pick your tip, sign, have your receipt emailed to you?

This observation isn’t original to me, and I’m not sure it is terribly profound, but: services like Square have revolutionized credit card processing. I remember the old days, when setting up a merchant account was hard to do, and you needed a phone line, and you needed bulky equipment, and the credit card processors charged enormous fees. Now? I’m kind of far from retail, so I’m not sure if Square has resulted in downward pressure on fees (though I suspect it has).

Someone I know who is in retail and takes credit cards reviewed an early draft of this post and provided this information: they pay 2.61% for credit card processing, but each month’s statement also contains a laundry list of “cryptic inexplicable fees” that they have to pay as well. Square claims to charge a flat 2.75% for swiped transactions (Visa, MC, AmEx, Discover) with no additional fees. (I say “claims” because I have not used Square and can’t verify that for myself.)

Square also claims to deliver your money in one to two business days, no matter what type of card it is. The retail person I know says that AmEx fees depend on how long you let AmEx keep your money: they let AmEx hold their money for 15 days, and pay between 2% and 3%.

But fees aside, anyone who has a bank account can take credit cards these days, and all you need is an iPhone or iPad (or a supported Android device, though frankly that looks a little painful). Little to no bulk, no landline, and the money goes into your linked bank account.

The big thing, as I see it, isn’t the merchant charges: it is the portability. Your credit card machine is your phone or tablet, and it fits in a trailer. Or in a pocket. And you don’t need anything else – you don’t even need a printer, you can just email receipts to your customers. (Okay, you might want a charging cable, depending on how good battery life is on your device. But other than that, nothing.)

==

Today’s update from the Department of Things That Make You Go “Hmmmmmmmmmmm”.

Thursday, January 16th, 2014

I found a couple of interesting little tidbits while going through the “Cisco 2014 Annual Security Report”. Before I begin, disclaimer and explainer: keep in mind that I am a contractor for Cisco. However, the 2014 Report is not a Cisco internal document, but is available to the public. You can download it here, though you do have to enter your name and an email address.

Things that I found interesting:

Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware.

You. Don’t. Say.

Spam volume was on a downward trend worldwide in 2013. However, while the overall volume may have decreased, the proportion of maliciously intended spam remained constant.

So we’re winning? Maybe?

Of all the web-based threats that undermine security, vulnerabilities in the Java programming language continue to be the most frequently exploited target by online criminals, according to Cisco data.

More:

Data from Sourcefire, now part of Cisco, also shows that Java exploits make up the vast majority (91 percent) of indicators of compromise (IoCs) that are monitored by Sourcefire’s FireAMP solution for advanced malware analysis and protection (Figure 12).

So should you disable Java? I think Borepatch would probably say “yes”. But this is also interesting:

90 percent of Cisco customers use a version of the Java 7 Runtime Environment, the most current version of the program. This is good from a security standpoint, since this version is likely to offer greater protection against vulnerabilities…
…However, Cisco TRAC/SIO research also shows that 76 percent of enterprises using Cisco solutions are also using the Java 6 Runtime Environment, in addition to Java 7.

JRE6 has been end-of-lifed and is no longer supported. I’m thinking the best practice here is:

A. Carefully evaluate your need for Java.
II. If you do need it, use the most current version.

At 43.8 percent, Andr/Qdplugin-A was the most frequently encountered mobile malware, according to Cisco TRAC/SIO research. Typical encounters were through repackaged copies of legitimate apps distributed through unofficial marketplaces.

“unofficial marketplaces”. You. Don’t. Say.

There’s a lot more in the report, including a brief discussion of Wireshark and Python tools for doing data analysis. I do commend it to your attention, even though my bias here is obvious.

Edited to add: left out one I intended to include.

In a recent project reviewing Domain Name Service (DNS) lookups originating from inside corporate networks, Cisco threat intelligence experts found that in every case, organizations showed evidence that their networks had been misused or compromised.
For example, 100 percent of the business networks analyzed by Cisco had traffic going to websites that host malware, while 92 percent show traffic to webpages without content, which typically host malicious activity. Ninety-six percent of the networks reviewed showed traffic to hijacked servers.

Bad Idea Jeans.

Thursday, October 31st, 2013

Scentee, a Japanese tech brand, has created a product that attaches to your smartphone and releases a scent. The plug-in accessory fits into the headphone socket of a smartphone (iPhone and Android). The device works with a companion app that tells it to spray a burst of fragrance into the air when you receive a message.

Available scents are claimed to include:

…rose, mint, curry, jasmine, cinnamon roll, lavender, apple, strawberry, ylang-ylang (a fragrant flower), coconut, and if you remember the fried corn soup fritters at KFC Japan from earlier this year, the corn soup scent should come as no surprise. There’s also a limited-edition Korean BBQ collection with two meat scents and baked potato. A bacon scent is in the works.

Yeah, I’ll believe it when I see it in action. But even if this does turn out to be real, and not a hoax, I still think it is a damn stupid idea. (Anyone remember the iSmell?)

Also:

Almost as cool as making the theme song to “The Wire” (the Season 5 version) your ringtone … almost.

Oh, bullshit. Everyone knows the Season 1 version (with the Blind Boys of Alabama) is the best version.

Edited to add: I have been challenged to provide support for the above statement.

Here’s a handy page that contains YouTube versions of the theme song from all five seasons.

TMQ Watch: August 13, 2013.

Friday, August 16th, 2013

We were trying to come up with a clever introduction to the return of Tuesday Morning Quarterback (and, thus, the TMQ Watch) but we couldn’t. On the other hand, we were also suffering from a bad case of 70s nostalgia (brought about by many things, but exacerbated by the death of Bert Lance). So we thought we’d throw some vintage music your way before cracking open this week’s TMQ after the jump. Oddly enough, it turns out to be fitting for reasons we’ll see later on…

And even more DEFCON 21 links: August 9, 2013.

Friday, August 9th, 2013

DEFCON 21 update: August 5, 2013.

Monday, August 5th, 2013

Yeah, I know, I’ve been quiet. Much of Friday’s blogging time was eaten by Bluehost instability, and Saturday and Sunday were busy.

But I do have some updates and links.

I’m going to cut things off here for right now. I’m still trying to find links to some of the other presentations I mentioned (in particular, I’d love a link of some sort to Anch’s “Pentesters Toolkit” if anyone has one) and will post updates as they come in. Depending on what I dig up, there may be a second post tomorrow. In the meantime, this should keep you busy.