Tag Archives: speaking

Project Mayhem to be Unleashed at Black Hat Abu Dhabi

Filed under Penetration Testing
Tagged as , , , ,

For the last several months I’ve been performing research on techniques attackers could use for performing accounting fraud in popular accounting systems. This research coincides with a whitepaper that SecureState has developed entitled “Cash is King: Who’s Wearing Your Crown?” To perform this research I have collaborated with a coworker of mine, Brett Kimmell, who is the manager of SecureState’s Risk Management practice. Brett and I will be presenting the findings from our research at the Black Hat security conference in Abu Dhabi on December 6. This is by far the most unique topic I’ve researched in that we’ve combined penetration testing techniques with ways to commit fraud and more importantly, showing real world accounting fraud prevention. Brett Kimmell is a CPA and has many years of experience with accounting and fraud detection. He was also the CFO for a large non-profit organization. Combine this skill set with penetration testing and cutting edge malware development and you have research that truly demonstrates attacks that literally hit the “bottom line” of a company. As a penetration tester I find that gaining access to customer data, passwords, credit cards, PHI and other standard fare (ie: Trophies) are just the beginning of what can damage a company. In this research we take it to the next level and show the damage that can be done where it truly hurts a company: the financial system. It’s my hope is that this is just the start of showing organizations’ true business risk through advanced penetration testing.

In our work we’ve focused our research on Microsoft Dynamics Great Plains (GP). GP is the most popular accounting system used by small to midsized businesses across the world. In our research we show how attackers can commit undetectable fraud by manipulating accounting systems like GP. These attacks are quite different than finding and exposing a 0-day in software, as our research is centered on creating attacks (including custom created malware) that specifically targets a company’s accounting processes. The attacks we illustrate in our research show that technical controls cannot be solely relied on to prevent fraud. Non-technical accounting controls must be implemented and proper oversight maintained to be effective in combating modern fraud.

Next week we will be releasing our whitepaper as well as “Mayhem”, which is proof-of-concept code designed to hijack and manipulate the accounting processes within Microsoft Dynamics GP. Mayhem was created by the talented Spencer McIntyre of SecureState’s Research & Innovation Team. Mayhem is actively being developed but even in its current state (which we will demonstrate at Black Hat) will make you take a hard look at how a company needs to defend against this type of threat. Similar to how banking Trojans have targeted banking consumers in recent years, Mayhem is the first type of attack that we know of that targets the accounting systems of a company. While we focus on Microsoft Dynamics GP in our research, it can be easily ported to other types of accounting systems. Stay tuned next week as we reveal details about Mayhem and how our research puts a new focus on accounting controls.

Free Webinar July 12th: Android vs. Apple iOS Security Showdown

Filed under Android, Apple, Mobile Applications, Mobile Security
Tagged as , , , , ,

It’s not too late to register for my webinar on July 12th: Android vs. Apple iOS Security Showdown.  I’ll be taking a entertaining look at the current security posture of both platforms. I’ll be battling the Apple App Store vs. Google Play, device updates, MDMs, developer controls, security features and the current slew of vulnerabilities for both platforms.  Which one will emerge the victor? Register for my webinar on July 12th to find out!

Three Areas You Need To Test When Assessing Mobile Applications

Filed under Mobile Applications, Mobile Security
Tagged as , , ,

Having spoken at both at the SANS Mobile Device Security Summit as well as OWASP AppSec DC recently about testing mobile applications I’ve encountered that like the old saying goes “There are many ways to skin a cat”, there are also many ways to assess a mobile application.  I’ve seen very detailed testing methodologies, not so detailed and everything in between.  I’ve also heard other security professionals say that testing mobile applications are just like testing a web application.  This is simply a wrong and inaccurate statement.  Mobile applications are fairly complex and just assessing the application layer is only a small look into the overall security of a mobile application.  While the OWASP Mobile Security Project will help define a complete mobile application testing methodology (which is in process), here are three areas that need to be tested in every mobile application.

1. The Mobile File System
How’s the application storing data and where is it being stored?  You’d be surprised how much information is being stored in files, SQLite databases, system logs and more.  If you’re lucky you will sometimes find private keys and hardcoded passwords.  As a great example, the mobile Facebook application suffers from a file system vulnerability as I write this.  The author likes to call this a “plist hijack attack”.  Simply move the plist file to another mobile device and you are logged in as that user.  As for tools to use when looking for file system vulnerabilities you should really check out the forensic approach that John Sawyer from InGuardians has developed.  It’s my preferred method for seeing how the app writes to the file system and saves lots of time over creating a dd image.

2. The Application Layer
How’s the application communicating over HTTP?  How are web services being used and how are they configured.  Important things such as authorization and authentication need to be reviewed as well as session handling, business logic, input validation and crypto functions.  Business logic needs to reviewed just like you would in a Web Application Assessment to find flaws in the way critical functions (like shopping cart checkout processes) were developed.  Remember to never under estimate the criticality of Web Services!  For reference and context, check out the presentation that Josh Abraham, Kevin Johnson and I gave at Black Hat USA last year.

Something else worth mentioning is that you can’t rely on traditional web proxies like Burp Suite to test the application layer on a mobile app.  I’ve encountered applications that are configured to bypass device proxy settings!  You need to use a tool like Mallory which is a fantastic TCP and UDP proxy.  Mallory sees all traffic and allows you to manipulate and fuzz it.  There are other ways to do this as well but regardless, you need to have a way to see all traffic the mobile app may generate.

The application layer is also where you need to look for issues specific to mobile applications like UDID usage in iOS.  UDID is currently being used by many applications for unique device identification.  However, the use of UDID is becoming an increasing concern from a privacy perspective.  Not to mention, Apple is cracking down on UDID usage by now denying applications in the Apple App Store.  Check out the presentation I did at OWASP AppSec DC this year about some of the privacy and security concerns regarding UDID.

3. The Transport Layer
How does the application communicate over TCP?  How are custom protocols and third-party APIs used?  Does the application use SSL?  At OWASP AppSec DC we talked about the LinkedIn mobile application that was vulnerable to “sidejacking” or better known as HTTP session hijacking.  This is where an attacker can pull out the session cookie in clear text and replay this so the attacker can login as the user.  The popular “Firesheep” tool released in 2010 demonstrated this nicely.  The good news is that the recent release of the LinkedIn app (version 5.0) fixes the sidejacking issue.  Unfortunately though, using SSL for just the login process and defaulting back to HTTP is an issue many mobile and web applications still have.

Mobile Application testing is something that will evolve as mobile apps get more complex and the business drives more towards mobile solutions.  If you’re deploying mobile apps for your business it’s more important than ever to have testing done on these three areas at a minimum. Lastly, keep up-to-date on the latest developments on Mobile security and testing methodologies by getting involved with the OWASP Mobile Security Project.

Cross-posted from the SecureState blog