Tag Archives: sans

SANS 575: Mobile Device Ethical Hacking Review

In the last two years I have been to a few SANS training courses:

508: Advanced Forensic
617: Wireless Ethical Hacking
660: Advance PenTest

Last week I attended the SANS 575: Mobile Ethical Hacking course,
it is a nice complement to the 617 Wireless course and although there is some overlaps, especially around WIFI vector attacks, most of the content is different; and when it is not, you get another perspective for those attacks.

The course gave an overview of the different architectures surrounding the Android, iOS, Blackberry and Windows Mobile phones, how system and app updates are handled, how certificates are managed, attack technics against mobile apps communications as well as against the app code itself through leveraging jailbreaking.
As with most SANS courses your day is not limited to a 9 to 5 schedule and if you want to make the most of it you will end up attending after class presentations or the Netwars hacking contest during the last 2 evenings. Although this means you are most likely to finish your day at around 10pm, you also end up learning a lot more than what is just taught in your course.
Finally, the last day there is a Capture The Flag event in your class where you compete against your fellow students in teams of 3 or 4. It is a great way to apply all what you learnt during the week. It is very similar to Netwars but tailored to the topics you have just been studying .

Below are my key takeaways from that course:
1. History keeps repeating itself.
I will go into more details in a future post, but all the security issues we have had when Internet first appeared in the corporate world, then with WIFI networks are just repeating themselves with the use of mobile devices. Examples?
Mobile devices are more and more like computers yet we tend to only use simple and short passwords to protect how we are accessing them, there are no antivirus or firewalls in most platforms.
What drives mobile devices’ roadmaps is the user experience rather than its security.

2. Jailbreaking as a security tool
Jailbreaking a phone can be very useful, and sometimes the only way, to really understand what data an application is accessing and sending.

3. MDM alone, is not enough
MDM is just one component of what a mobile device strategy should be. Reviewing the security of apps being developed internally as well as the most commonly used 3rd party ones should be core to that strategy. Failing to do so equate to having an open desktop policy where users can install any applications they want, with no firewall/anti-virus.

4. Apps manipulation through HTTP intercept
The majority of mobile device applications uses HTTP as their communication transport protocol.
It often compromises the security model implemented with their counterpart desktop/web portal solutions.
Users often wrongly assume that an application is secure, because there are no visible signs as to how secure its communication is.
An example studied in class showed easily it is to manipulate stock option prices from the built-in iOS Stocks app.

5. 4 PIN on iOS is bad very bad.
I was amazed at the speed it takes to crack a 4 PIN protected iPhone (up to iPhone 4) and iPad (up to iPad 2).
In class we looked at how one needs just 15 minutes to a) take a locked iOS device, jailbreak it in memory, crack the PIN, dump all data, reboot the iDevice and the owner would never know you have just stolen all its data.
Although this is not currently possible on iPhone 4s+ and iPad 3+, this could change if new jailbreaking methods are found.
You would also be amazed as all the potential sensitive information is available in clear text, from WIFI to Emails passwords.

6. Certificate (mis) management
HTTPS certificates are very poorly managed on mobile devices currently and if a user is subjected to an HTTPS Man in the Middle attack, the warnings signs (if any!) could be at best confusing and at worse misleading! (i.e.: Hackers can pretend their certificate is from a valid and known CA).

6. Devices Emulator, Developer Programs and Mobile lab
Device emulators, although not as good as the real handsets, are very useful to do security assessments.
Being part of the major vendors developer programs does not cost much money and gives you access to exclusive tools and upcoming beta versions.
Lastly, having some kind of mobile device lab is useful for your security assessments and combining real handset with emulators should be relatively cheap to setup whilst still giving you enough handset coverage.

What this course has highlighted is how immature the security around Mobile Devices is, and that securing mobile devices in a corporate environment does not stop with MDM.

A very good course I would recommend to anyone involved with Mobile Device security, this will be an eye opener!

My take on SANS 660, The HexFactor and Netwars

I have just attended the SANS 660 course in London, it is one of the most advanced course SANS has to offer and it did not disappoint!

Its bootcamp format means you will start your day at 9am and finish it at 7pm! The last two hours being called a “bootcamp”, basically 2 hours of exercises linked to the content of the day that really helps understanding the different techniques that were discussed.

Speaking about content, although they state that previous programming experience is “recommended”, it is not, is it mandatory!

And for the last 2 days you really need some understanding of x86 assembly to get a chance to follow the fast pace. I have to admit that the last day I was lost after lunch!

But what do you get if you buckle up and go on the ride? You get an incredible amount of information as it goes into a great level of details on how to identify and write your own exploits. But it also allows you to get a better appreciation of what to look for when reviewing the security of a network, an application, a website or a system. This is not just a “hacking” course, and the “ethical” at the end of the full course name is there for a reason.

The lecturer, Stephen Sims, is quite inspiring. Of all the lecturers I have met in the different courses I have taken those last 15 years, he is probably the one who knew his subject the most! It is also great that he is always willing to help his students understand what they are doing wrong during exercises. And it is apparently not just computer hacking that he is good at, being a core member of a signed music band going by the name of a modern hard-disk.

The highlights of the course for me were:

  • The different techniques to attack a network with the consequences of badly, or shall I say commonly, configured routers;
  • Ways to get out of a locked down desktop;
  • What to do with a buffer overflow, how to locate/change/utilise those different address pointers and defeat canaries and use gadgets.

Although at the end it will feel like you need a larger brain and many more weeks to assimilate this new information, you will also get a sense that you have only barely touched the surface of all those techniques…

Then of course, after each of those hard days working you can relax at the next door pub… and if you didn’t have enough, this is where you can take part in a hacking challenge, the Hex Factor challenge. It is basically a “capture the flag” contest where you setup a team, or go at it solo, and are faced with a number of different challenges:

  • 2 quizzes
  • 3 hacking challenges (i.e.: breaking into a network, a server, etc)
  • 3 reverse engineering challenges (i.e.: bypassing a password in an executable)
  • 3 forensic challenges (i.e.: recovering data hidden somewhere)

This is really a great environment, not only to meet like minded people (although some may say it is a bad thing! ;), but also to actually practise your newly acquired skills. It is also good that each of those challenges have different level, allowing anyone to participate, from the manager to the engineer! This event takes place in a number of conferences and is organised by volunteers. So I’d like to congratulate everyone who was involved to make it such an entertaining event!

Finally, this year there was the Netwars challenge. It has a similar format as the HexFactor one and ran for 2 days (after the Hexfactor was finished). It is an individual hacking contest with increasingly more difficult challenges. The fact you see the top 10 scores on a big screen live, the buzz of having a large room full of people hacking away, the organisers making sure everything is going smoothly and that everyone feels confortable really made those 2 nights special.

To conclude I will say that, again, SANS did not disappoint. It was a top quality course part of a great conference with huge opportunities to network and practice your skills. So I can happily recommend for anyone to attend the 660 class, and also, if you really want to make the most of it you have to stay in a close by hotel, be ready not to sleep too much and embrace the geekiness around you :)

SANS, Stephen, Thank you very much!

SANS Ondemand Training course – A few Tips

I went to a SANS Forensic course (508) last year and a few weeks ago I decided to try something new… to stay at home and dedicate 5 days to do their Ethical Wireless Hacking training course (617).

Let me first say that the 617 training course was really good, the author of the course and the recordings were made by Joshua Wright who runs the http://www.willhackforsushi.com blog. He is very knowledgeable and his enthusiasm was even contagious through audio only. In fact this is a huge understatement! I was truly amazed by his skills, stories and training delivery!
So much that for 7 days I was up at 9am and worked until 2am each day on the different content material covered by the course.

As I almost lost my sanity and started dreaming of ToDS/FromDS bits and fuzzing I thought I would share a few tips on this type of training course.

– Check the last time the course was updated, and if there is an upcoming update – with SANS or with the author. The course I took was last updated about a year ago and as I checked the author blog it did sound as if a lot have changed since then. He may be updating his material soon. (This week??)
– Prepare your training environment a few days in advance: is a dedicated laptop required? vmware installation? what are the OS requirements? You may need much more time to bring everything up to date, making sure everything works (i.e.: driver udpate required). Although I did a few prep on the Sunday evening, I spent all Monday morning configuring my “Lab Laptop”.

– Do not book an exam straigth after the training course. Although it is tempting because everything is fresh in your mind, it also means you have much more pressure to read and digest everything in the course.

– I would recommend you break down the training course over the months you have (The Ondemand courses give you 4 months!). In fact, I would recommend 2 days a week training other 3 weeks. And use the rest of the days to do your lab exercises.

– Be careful with the time the labs require. It can indeed takes much more time that is planned for in the training timetable. This is especially true if you want to do all the exercises, even the optional ones, and if you get curious after learning something new. I.e.: you may want to research a tool you have just used on the internet, check if there is a new version, install it, realise you need to compile it and that you do not have the right library for this, etc, etc.. You can quickly endup spending 2h on a 10 minutes exercise. Although you would have fully understood it and more, you will also be feeling the pressure to catch up on the training plan!

– Do the two practise tests! they are really close to the real thing! do them in the same conditions as the exam: do not use your computer to do anything else than answering the multiple questions, print out any notes and see if their format works, block the allocated time, etc.

– Do an extensive index of the course material, this will be invaluable during the exam to conduct a quick search in the training books.

The main, and somewhat obvious, difference between a training at a conference center and one on demand from home is that no one is pushing you to rush.
At a conference, if you only have 25 minutes for a lab exercise, that is it… at home… you may be carried away… As explained above it is easy to get delayed and running behind scheduled.

So of course, you could just be disciplined… but if you are as curious as I am, then I would strongly advise you take your time with this type of training medium!

To conclude, I cannot recommend enough this SANS course. It provides an incredible level of depth related to wireless hacking technics. I found that course eye opening more that once and the ondemand training platform works very well.
I do however regret not taking it at a conference for only one reason, I would have liked to meet Joshua in person!

The world of Computer Forensics

I have recently attended a SANS Forensic course in London. It was the best training course I have ever been to, not only the content was really interesting and very well delivered but all the extra activities surrounding the training course were outstanding (presentations, challenges, social events, etc).

Forensic was new to me and I found the techniques taught as very good eye openers in two different ways:

– Forensic techniques can be applied to other area of IT security than just forensic investigations, such as malware analysis and DLP. The latter was a bit of a surprise to me, but by understanding some of the forensic techniques you can also understand how part of a DLP engine would work when searching for specific files on filesystems (at rest) and recognised/tagged when on the network (on the move). I will find it interesting to see if my new knowledge of forensic can come handy with any DLP work I do.

– It is impressive how much information can be salvaged from any devices you use. My key takeaway was about how secure delete applications may not prevent access to the deleted data as much as first thought. It indeed depends of the data lifecycle, if it was cached at some point, if the OS fragmentation management moved/duplicated some of it allocated data blocks, etc.

Although I am not specifically working on Forensic at the moment, this is an area of new interest which I hope to keep practicing and integrate with some of the work I do.

Below is a nice general overview on computer forensics:
Techrepublic
And a very good Open Source website on that topic:
http://www2.opensourceforensics.org/home