Security Kaizen Magazine, Vol. 5, Issue 20, May - Jun 2015

Cover: Pentesting on Non-Jailbroken iOS Devices; Interview with Erdal Ozkaya, Vice President and Chief Information Security Officer at emt Distribution MEA; Interview with Georgia Weidman, founder and CEO of Bulb Security
www.bluekaizen.org
Contents

Interviews
6 Interview with Erdal Ozkaya, Vice President, Chief Information Security Officer at emt Distribution MEA
10 Interview with Georgia Weidman, the founder and CEO of Bulb Security
Grey Hat
14 Pentesting on Non-Jailbroken iOS Devices
Digital Forensics
20 Mobile Device Forensics at a Glance
New & News
24 Bluekaizen News
Reviews
28 AndroidOS_GEINIMI Analysis: Malware Review Report
Network Security
32 Iron Gate
Best Practice
36 Importance of Detection over Prevention

Issue 20 | Securitykaizen Magazine | 4
Magazine Team
Chairman & Editor-in-Chief: Moataz Salah
Editor: Mohamed H. Abdel Akher
Contributors: BK team, Ahmed Haytham, Amr Yehia, Eng. Ehab Abdel Monem, Sonal Gawand, Vijay Kumar, Vijay Lalwani
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Ahmed Mohamed
Proofreading: Jeff Compton
Design: Medhat A. Albaky
Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org. For advertisement in Security Kaizen Magazine and on the www.bluekaizen.org website, e-mail info@bluekaizen.org or phone +2 0100 267 5570 / +971 5695 40127.

Editor's Note

Every issue, I am keen to share with our beloved readers the recent updates about Bluekaizen's activities, successes and vision. As part of our mission to support young talents in the cybersecurity field, we are working with our partners to provide the first real Cyber Security Summer Camps in the region. The idea behind the camp is to brief students and fresh graduates on some of the concepts and challenges facing the cyber security profession today. The summer camp consists of a mixture of hands-on sessions, team-based challenges, cyber games and meetings with mentors. Each day will emphasise different cyber security related capabilities. Cyber Security Camps are usually held at universities or other facilities where accommodation and classrooms are available at a reasonable cost, and will usually be spread over 3-5 days/nights. Attending all the days and nights is mandatory for any applicant; commitment from students is mandatory. Each day brings different challenges and activities, team-based or individual, so you can demonstrate and develop a wide range of skills. This is a unique opportunity for students to get to know one another and also a chance to meet vendors who may be looking to recruit. Follow our Facebook page for details about the registration process, or check www.securitycamps.com.

This is different from Cairo Security Camp, our main annual conference, which will run this year on the 15th of September for the sixth year. The Cairo Security Camp 2015 call for speakers is now open and will close by mid-July, so send us your talk now and don't miss the chance to participate. Moreover, Security Kaizen Labs, the training division of Bluekaizen.org, is expanding its portfolio of cyber security training. We have signed new exclusive agreements with more security vendors, including the Business Continuity Institute and (ISC)2. In the last couple of months we achieved major success running the Business Continuity Institute's Good Practice Guidelines course. We were also the first official partner in Egypt to run the new version of CISSP by (ISC)2, and we plan to run EC-Council's Certified CISO course for the first time in the Middle East in mid-June. In conclusion, we will keep doing our best to bring cyber security knowledge to this part of the world, providing officially accredited certificates and strong knowledge with high-quality instructors at affordable prices.

Moataz Salah, Bluekaizen Founder
Interviews

Interview with Erdal Ozkaya, Vice President, Chief Information Security Officer at emt Distribution MEA
By BK Team

Can you please introduce yourself to Security Kaizen magazine readers (bio, experience, history)?

Erdal is an Australian IT security guru with business development and management skills who focuses on cyber security, penetration testing and IT auditing, shares his real-life skills as a lecturer/trainer, and is currently working as Chief Information Security Officer at EMT. Erdal has the following qualifications: Master of Information Systems Security (M.I.S.), Bachelor of Information Technology (B.I.T.), MVP, Microsoft Certified Trainer, Microsoft Certified Learning Consultant, ISO 27001 Consultant, Certified Ethical Hacker (CEH), Certified Ethical Instructor, and Licensed Penetration Tester. He is a lecturer at Charles Sturt University and is also completing his Doctor of Philosophy (Ph.D.) in IT Security. He is an award-winning speaker and technical expert at worldwide conferences such as Microsoft TechEd, Hacker Halted, Microsoft Management Summit and AusCERT, at trade shows, and in webcasts for Microsoft, EC-Council and many other vendors. He was awarded "Best Speaker" at Microsoft TechEd Australia and won the Global Instructor of the Year Award (2011 & 2012) and the "Circle of Excellence Award" from EC-Council. His proven successful deployments, especially of Microsoft workloads in real life, have been the subject of IT magazines. Erdal advises and creates content for government departments, Fortune 500 companies and information security professionals to ensure they are prepared against the latest cyber crime and able to defend their organizations against security breaches. He is actively involved in complex IT security solutions and in enforcing regulatory requirements on organizations to protect their digital assets. As well as his extensive IT skills, Erdal has been working in the management field for the past 15 years. He built and managed CEO IT from scratch into a national training and IT solutions center. With the skills he gained, he introduced and repeated that success with KEMP, where he was tasked to single-handedly manage the ANZ region and then build the Asia Pacific region. Erdal has also developed and consulted on Microsoft Official Exams and Courses. You can visit his blog for more information :)

Could you tell us more about emt security solutions?

Resellers see EMT Distribution as the distributor of choice for selected solutions sold and supported throughout the Asia Pacific, Europe, Middle East and Africa regions. The company, owned by EMT Holding, a European holding company, is a channel company with over 15 years of experience in IT product distribution and with offices in Adelaide, Hong Kong, Singapore, the UAE, Austria, the UK and the Philippines. EMT Distribution is well positioned to provide pre- and post-sales support with our team of experienced product specialists.

Why EMT

Channel Excellence: EMT Distribution is focused on IT security solutions and is also committed to selling through its channel partners, enabling distribution through a large reseller base. Whether you are an end user, reseller, service provider or technology vendor, get in touch with us today to find out how we can address your technology or business requirements.

Dedicated Technical Support: EMT Distribution has a strong and dedicated technical support team. With technical support teams located within Australia, Dubai, Vienna, London, Austria and the Philippines, we have the ability to offer support outside standard business hours. What this means for our customers and channel partners is a quality of service you can depend on. I have a really good team at EMT: locally here Fawad Laiq, who is my right hand, and Dan, a security guru in Australia. With their help we are helping many customers. That said, Dan is working on a great project with many other engineers, and here is a small hint: Bing or Google "Air Lock Digital". Besides our internal team, we work with partners as well. I need to mention DIFOSE here; Sukru Durmaz, a forensics expert, helps us when needed too.
What are the objectives and plans for EMT in 2015?

We are focused on distributing IT security solutions and also supporting our customers with their IT security needs. It's my job to work very closely with our product managers to distribute only products that are useful in real life, without looking at the profit margin. I travel the world and talk about the latest cyber security attacks, and help anybody who is listening to me/us to learn how they can stop or minimise the damage of an attack. I am also working on launching new training via EMT Academy, through which we are going to deliver only very high-end customized security training without any "junk": only the stuff you need to stop cyber crime, or how you can recover and come back more secure with minimal effect. So keep an eye on our website.

How do you see the future of the security industry in the Middle East?

As I mentioned in my thoughts at the E-Crime Congress a few weeks ago, the Middle East is already under targeted attacks. The very recent Desert Falcons report from Kaspersky Lab or the Microsoft SIR reports show it very clearly. Also, if we check the Secunia Vulnerability Report, it's very clear that anybody in the region is at high risk. As we still don't have the regulations here that are available in the USA or other countries, we are not made aware of hacked companies; also the security teams here are afraid of losing their jobs if the attacks get published, which makes things harder to figure out. But again, I have met very talented security professionals who are aware of what is going on around them, and I believe we need to build a strong community to protect ourselves against cyber criminals.

What is interesting about security? And what is the biggest problem with the public's perception of security?

I think we should ask what is not interesting about security. Security is such a broad topic, with a huge scope, which makes our job of creating defensive practices harder. When it comes to the public, they believe hacking is rocket science and that it's easy to defend against, specifically by blocking everything; of course this is not the real-life case... The biggest issue in security is "education", in my eyes. It's really very hard to educate people. We love to get paid stuff for free, we love to click on any attachment we receive (end users, of course), we hate to dedicate some budget to IT security, and as a result we hope not to get hacked. Of course this is only one of many attack vectors, but it's also the easiest way to hack, as there is no patch for human stupidity. One more note: neither hacking nor protection against hackers is rocket science. Hackers are good human engineers who use the computer very well. They know human behaviour and they use their skills to create applications (malware) based on the public's weakness (vulnerability).

What kinds of things do you do in your daily life to protect yourself?

There is a really basic recipe: BE AWARE! Patch your computer, use a good anti-virus and firewall, adapt to the modern threat environment, and keep in mind there is nothing for FREE or at a really unusual price. It all comes back to my first point: if you are aware, you will watch out for danger and you will take the necessary steps to protect yourself.

You are also a lecturer at Charles Sturt University. What is the difference between working in a company like EMT and working as a lecturer?

The academic world is always different from the real world. But I can happily say that I usually teach my students the experiences I gained in the real world; most of my examples are taken from what I have faced at the companies I worked for. Please don't get me wrong: when I say the academic world is different, I can proudly say I learned a lot as a student via IT Masters at Charles Sturt University (CSU), and now as a staff member at CSU I am trying to be better than my own lecturers. My motto was always "Learn with Joy"; now I am trying to lecture, or more importantly share my knowledge, with joy.

If you were asked for a few tips, what are the main recommendations to mitigate an incident?

The first step is to have a trained staff member who has an incident response architecture ready. I would highly recommend everyone to have proper documentation in case things go wrong. Then:
- Ensure safety first.
- Keeping forensics in mind, try to keep the hacker out of your network (by cutting the access, unless live forensics is required).
- Securely collect evidence.
- Make sure to learn from the incident and deploy some standards to minimise the attack surface.
The best tip will be: do your best to not get hacked :)

Can you tell us about your team? What activities do they do, and what is needed to join a security team at EMT?

EMT Holding is a very big group operating worldwide. We have many different businesses operating independently. I work closely with our distribution group. We only distribute select IT security products. Of course we help our customers from A to Z in terms of IT security. To join the EMT group you need to be highly skilled in your area of expertise, which could be sales, presales or cyber security. If you are really good at what you are doing, feel free to reach out to us. Of course it's not hard for us to differentiate the good candidates from the bad ones.

What is the difference between working in a company like Microsoft and EMT? (challenges you face, type of threats, risks, etc.)

Big companies are always targets. They attract the attention of everyone, from a script kiddie to a black hat hacker. Even as part of a university, we get so many scans, so much spam, so many targeted attacks. But working for a big company also has a benefit: the benefit of working with good professionals. We all know it's very hard to stop a hacker, and we are really working hard to make their job harder.

What are you doing in your spare time?

Spare time? Sorry, I don't know the meaning of this word. :) I try to keep up with my knowledge; I try to read as much as I can; in the meantime I am trying to complete my thesis to complete my PhD. I travel really a lot, from a conference to a customer meeting, and in the time between I am trying to spend some time with my kids. I love to spend some time on our Xbox One, listen to music, and read, but this time literature, novels...
Interviews

Interview with Georgia Weidman, the founder and CEO of Bulb Security
By BK Team

Can you please introduce yourself to Security Kaizen magazine readers (bio, experience, history)?

Georgia Weidman is a penetration tester, security researcher, and trainer. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Black Hat USA, BruCON, and Security Zone to excellent reviews.

Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). Georgia is a member of the spring 2015 cohort at the Mach37 cyber accelerator, founding Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press.

Could you tell us more about the company that you have founded?

I've actually founded two companies. First I founded Bulb Security LLC, which is my security services business. We do penetration testing and vulnerability assessments, security training, exploit development and research, coding projects, etc. I recently spun off Shevirah Inc. as part of the Mach37 cyber accelerator program mentioned in the next question. Shevirah is a product company taking my previous DARPA Cyber Fast Track project, the Smartphone Pentest Framework, and turning it into a commercial product that can be integrated into the penetration test or security program by consultants and on-site security teams. Shevirah is a provider of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions.

Can you tell us more about the cyber security incubation program that you joined?

Mach37 is an accelerator in Herndon, Virginia, near Washington, D.C., that specializes in early-stage cybersecurity product companies. The partners come from the security industry and have founded and exited a number of security companies, and have operated business units within large organizations in the security market. Several have institutional investment backgrounds. They invest and provide a program for security startup founders to validate their product concept, market fit, go-to-market strategy, and investor value proposition. Mach37 hosts a new cohort of 6 to 8 companies in the Spring and Fall of each year.

What inspired you to write your first book?

When I was first starting out in security, I found that a lot of the books, tutorials, etc. assumed a certain level of previous knowledge about Linux, programming, even security in some cases. When I would ask for help I'd often get "GTFO n00b" sort of responses. So when I was approached about writing a book it seemed natural to me to try and make learning the basics easier for beginners. I wrote my book with my early-career self in mind. I hope it helps many beginners like me jump into security and hit the ground running.

The usage of smart phones is increasing at a very high rate, especially in the Middle East. Can you tell us more about the latest mobile security issues and threats?

Mobile is interesting since it goes with us everywhere, has pretty high computing power these days, and thanks to the mobile modem can be thought of as an Internet-facing device. Mobile basically has the same sort of issues as any other device. It might be possible to exploit them remotely, say through a default SSH password on a jailbroken iPhone, or through a malicious cell tower attack, or attacks on SIM cards. They are also subject to client-side attacks, much like browsers, PDF viewers, etc. on our traditional computers. When an app on a mobile device opens a file, if that file is malicious it may take control of the application or even the entire device. Social engineering is a big problem in security, from malicious links in emails to someone walking into the office pretending to be a pizza delivery person. Mobile phones have their own brands of social engineering risks, such as malicious links in text messages. Even users who are savvy about the risks of social engineering emails may not make the connection to text messages, when the attacks are much the same. Another issue with mobile is physical access: even with a PIN in place, if it isn't strong or the attacker has a guessing device, if your phone is misplaced all the data could be compromised. Additionally I've seen some interesting research around malicious mobile phone chargers. Who has not borrowed a charger from someone or plugged their phone into someone's computer to charge it in a pinch? The computer could attack the phone or vice versa.

How do you see the future of cyber attacks, especially in the Middle East region?

Next generation devices, as I call them, be they cloud, mobile, Internet of Things, etc., are getting a tremendous amount of traction. It took years and years for the security posture around our traditional networks to get as mature as it is now, and it is far from perfect. We are basically starting over with a lot of technologies in terms of security. We need to work much faster to mature security around our new technologies. I suspect we will see many sophisticated attacks around these technologies as well as simple ones, such as this simple toilet hacking scenario involving a hardcoded PIN: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2013-020/?fid=3872.

Which security conferences are you keen to attend every year?

I like to attend conferences in new places. I like to see the world, and I get the chance to meet people I would not get to meet if I just attended the bigger conferences such as Defcon. Not everyone makes it out to those; lots of people just go to their regional events. I recently attended the Regional Security Summit in Oman, which I really enjoyed. Later this year I will be keynoting the Australian Information Security Association's annual conference in Melbourne, another new place for me.

What kinds of things do you do in your daily life to protect yourself?

Honestly, probably not as much as I should. Functionality vs. security is a very difficult problem, and I completely understand when users say it just isn't feasible to, for instance, have a 10-character password on your phone. Say you are stopped at a stoplight, running late, and need to call the person you are meeting to let them know: good luck typing in 10 characters correctly with one hand still on the wheel while watching for the light to turn green. Or consider the best practice of wiping your device if it receives multiple incorrect login attempts. I've known multiple people with children who ended up losing all their data because their kids were playing with it. I am very careful about securing my customers' data, but as far as my personal data goes, I've resigned myself to the fact that to do things online is to take on an inherent level of risk.

Do you plan to release another book soon?

Probably not for a while. I'm pretty busy with my companies right now. I also have some goals in the exploitation space I want to meet. Maybe somewhere down the road I could see doing another one, but it is a lot of work to write a book.
Grey Hat

Pentesting on Non-Jailbroken iOS Devices
By Sonal Gawand, Information Security Consultant at Indusface

Mobile application security is a vast field and it has grown tremendously in recent years. The domain largely revolves around the iOS, Android, BlackBerry, Windows and Symbian operating systems; here we are going to highlight some aspects of iOS pen testing.
iOS is a mobile operating system developed by Apple Inc. This article focuses on techniques and tools that help security professionals and researchers perform penetration testing on non-jailbroken devices.

To set up a mobile pentesting platform you usually need a jailbroken iOS device. Jailbreaking removes the software restrictions Apple imposes on the device, giving root access to the iOS file system and allowing untrusted applications, themes and extensions that are not available through the official App Store. But if you don't have a jailbroken device, or don't want to jailbreak yours, you can still pentest on a non-jailbroken device with this guide. So, let's set up the testing environment.

• What you need: a non-jailbroken device and a Windows system with a few tools installed.

• How to install a test or copied application: there are tools such as iFunbox and iTools that do not need a jailbroken device. Here we use iFunbox. Keep in mind that iOS still enforces code signing on a non-jailbroken device, so the .ipa must be signed for that device (an App Store build associated with your Apple ID, or a build signed with a developer, ad hoc or enterprise provisioning profile that covers the device); an unsigned or badly signed package will not run. To install the application to be tested, open iFunbox and click on iFunbox Classic. It shows the list of all applications installed on your device.

Figure 1

Now click the 'Install App' button and select the .ipa file of the application to be tested.

Figure 2

Observe in figure 3 that the application has been installed successfully.

Figure 3

Now check your iOS device to confirm that the application is installed and working properly.

Figure 4

Alternatively, you can install any official app from the App Store.
• Application Traffic Analysis

Application traffic analysis is the same for mobile, network and web pentesting: in every case a client talks to server components over the network using some protocol. Our main goal is to capture and analyse that traffic and find vulnerabilities. iPhone applications may use HTTP or HTTPS to transmit data.

How to capture HTTP (plain-text) traffic

Many mobile applications still transmit in plain text over HTTP, and such applications are vulnerable to MiTM attacks because a lot of people use them over open Wi-Fi. Traffic analysis starts with setting up a proxy. On your workstation (Windows machine), open Burp Suite and make it listen on port 8080. Select the 'All interfaces' option and tick 'support invisible proxying' under Proxy Listener options. Binding to all interfaces exposes the listener to everyone on the Wi-Fi network, so do this only on a test network you control.

Figure 5

Now go to Settings, select your Wi-Fi network and click on 'Manual' under the HTTP Proxy option. Enter your workstation's IP address as 'Server' and 8080 as the port, then save the settings. This Wi-Fi proxy setting is honoured by apps that use the system HTTP stack (NSURLConnection/NSURLSession); an app that opens its own sockets ignores it and has to be redirected at the network layer instead.

Now use the application under test. Observe in the snapshots below that the iPhone routes the app's HTTP traffic to your workstation and it is displayed in Burp Suite.

Figure 6

Figure 7
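To make concrete what a plain-text capture hands an attacker on that open Wi-Fi, here is an added example (not code from the article, and not tied to any particular app): a small Python reviewer that takes raw HTTP requests and responses as Burp or Fiddler would show them and flags plain-text transport, credentials in URLs and form bodies, HTTP Basic authentication, and session cookies set without the Secure/HttpOnly flags. The host app.example.test, the parameter names, the cookie and the captured messages are all constructed for illustration.

```python
"""Review captured mobile-app HTTP traffic for plaintext secrets.

Added example, not code from the article. The messages at the bottom are
constructed to resemble what Burp/Fiddler shows for an app that still
talks plain HTTP; the host, user and credentials are invented.
"""
import base64
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should never travel in a URL or in a plain-text body.
SECRET_KEYS = {"password", "passwd", "pwd", "pin", "token", "api_key",
               "apikey", "secret", "otp"}


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 request or response into
    (start line, [(lower-cased header name, value)], body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [value for key, value in headers if key == name]


def secret_params(pairs):
    """Names from a (key, value) list that look like credentials."""
    return sorted({key for key, _ in pairs if key.lower() in SECRET_KEYS})


def review_request(raw: bytes, scheme: str):
    """Return [(finding, detail)] for one captured request.
    `scheme` is how the client sent it on the wire: "http" or "https"."""
    start, headers, body = parse_http_message(raw)
    method, target, _version = start.split(" ", 2)
    findings = []
    if scheme == "http":
        findings.append(("PLAINTEXT_TRANSPORT", f"{method} {target}"))
    # Secrets in the query string land in proxy, server and CDN logs even over HTTPS.
    for key in secret_params(parse_qsl(urlsplit(target).query, keep_blank_values=True)):
        findings.append(("SECRET_IN_URL", key))
    # A form body is only a finding when nothing encrypts it in transit.
    ctype = header_values(headers, "content-type")
    if scheme == "http" and ctype and ctype[0].startswith("application/x-www-form-urlencoded"):
        for key in secret_params(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)):
            findings.append(("CREDENTIAL_IN_PLAINTEXT", key))
    # HTTP Basic is just base64: anyone on the Wi-Fi reads the user name directly.
    for auth in header_values(headers, "authorization"):
        if auth.lower().startswith("basic "):
            try:
                user = base64.b64decode(auth[6:]).decode("utf-8", "replace").split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            findings.append(("BASIC_AUTH", f"user={user}"))
    return findings


def review_response(raw: bytes):
    """Flag cookies the server sets without Secure/HttpOnly."""
    _status, headers, _body = parse_http_message(raw)
    findings = []
    for cookie in header_values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower().split("=")[0] for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("COOKIE_NO_SECURE", name))
        if "httponly" not in attrs:
            findings.append(("COOKIE_NO_HTTPONLY", name))
    return findings


# Constructed sample traffic (not real captures).
LOGIN_REQUEST = (
    b"POST /api/v1/login?debug=1 HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=Winter2015"
)
PROFILE_REQUEST = (
    b"GET /api/v1/profile?token=8f3a9c HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Winter2015") + b"\r\n"
    b"\r\n"
)
LOGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Set-Cookie: session=3f9d1c2e; Path=/\r\n"
    b"\r\n"
    b'{"ok": true}'
)

if __name__ == "__main__":
    for finding in (review_request(LOGIN_REQUEST, "http")
                    + review_request(PROFILE_REQUEST, "http")
                    + review_response(LOGIN_RESPONSE)):
        print("%-24s %s" % finding)
```

Run it as-is to see the findings for the constructed traffic; to use it on a real engagement, save each message from Burp's proxy history as raw bytes and pass the scheme the client actually used, since the reviewer deliberately does not guess it from the message itself.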
How to capture HTTPS (encrypted) traffic

Analysis of HTTPS is the same as HTTP, but sometimes it gets a little tricky. Browser-based applications get certificate validation from the browser, but in a native application the developers have to write (or correctly configure) the certificate validation themselves, and that code is frequently missing or wrong. Whether the app validates the server certificate decides which of the capture options below you need.
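The difference is easiest to see in code. The block below is an added example, not code from the article, written in Python because it makes the TLS settings explicit: insecure_context() is the client pattern that lets Burp or Fiddler in (any certificate is accepted, no trust-store change needed), verifying_context() is the hardened form that only a trusted proxy CA can pass, and connect_pinned() goes one step further and pins the server's leaf certificate, which defeats even an installed proxy CA. The host name api.example.test, the pin values and the function names are assumptions for illustration.

```python
"""Certificate validation in a native HTTPS client.

Added example, not code from the article. Shows the client setting that
lets an interception proxy's certificate through, beside the hardened
form and a leaf-certificate pin. Host name and pins are invented.
"""
import hashlib
import socket
import ssl
from typing import Iterable, Optional


def insecure_context() -> ssl.SSLContext:
    """What a 'works in testing' native client often does: no chain check and
    no host-name check. Burp's or Fiddler's generated certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: chain validation against the platform trust store (or a
    bundled CA file) plus host-name verification. A proxy certificate is only
    accepted if its CA was added to the device trust list, as the article describes."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def accepts_any_certificate(ctx: ssl.SSLContext) -> bool:
    """True if a context would let a MiTM proxy in without any trust-store change."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def leaf_cert_pin(der_cert: bytes) -> str:
    """Pin value: SHA-256 over the DER-encoded leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins: Iterable[str]) -> bool:
    return leaf_cert_pin(der_cert) in set(expected_pins)


def connect_pinned(host: str, port: int, expected_pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that is both chain-validated and pinned.
    Even a proxy CA installed on the device fails the pin check."""
    ctx = verifying_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    # Assumed backend and pin; replace with the real server's pin before use.
    HOST, PORT = "api.example.test", 443
    PINS = {"0" * 64}
    print("insecure context MiTM-able:", accepts_any_certificate(insecure_context()))
    print("verifying context MiTM-able:", accepts_any_certificate(verifying_context()))
    try:
        with connect_pinned(HOST, PORT, PINS) as conn:
            print("pinned connection established:", conn.version())
    except (OSError, ssl.SSLError) as exc:
        print("pinned connection refused:", exc)
```

When you meet an app built like connect_pinned(), the proxy-CA procedure below will simply fail with a TLS error and pinning has to be handled separately. Pinning the whole leaf certificate, as this helper does for brevity, breaks the app at every certificate renewal; in production pin the public key (SPKI) and ship a backup pin.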
While testing we first need to check whether the application accepts an invalid certificate or shows an invalid-certificate error. To capture HTTPS traffic there are two options:

1. Install the Burp CA certificate into the iPhone's trusted certificate list. When the application later receives the proxy's certificate it will not display a certificate error, because we have told the iPhone to trust that CA, and we can capture the HTTPS traffic. (On iOS 10.3 and later a manually installed root also has to be switched on under Settings > General > About > Certificate Trust Settings before the system trusts it.)

2. Use the same procedure, but with the Fiddler proxy tool in front, and have Fiddler forward to Burp.

The second option seems awkward, but it works every time for me. With either option, an app that pins its server certificate will still refuse the connection; that case needs separate handling and is not covered here. Here we will use the second option to capture HTTPS traffic.

First we need to set up Fiddler and Burp on our workstation (Windows machine). Open Fiddler. Go to the WinINET option and disable the system proxy, so that Fiddler captures only the remote (device) traffic.

Now go to Tools, Fiddler Options, and tick 'Capture HTTPS CONNECTs'. Also select 'Allow remote computers to connect' under the Connections tab.

Figure 9

Figure 10

Now go to the Gateway tab and select 'Manual proxy configuration'. Enter localhost as the manual proxy with port 8080. With this setting, Fiddler forwards its traffic to Burp.

Figure 11

Now open Burp Suite and make it listen on port 8080. Select the 'All interfaces' option and tick 'support invisible proxying' under Proxy Listener options. (In this chain only Fiddler, on the same machine, talks to Burp, so a loopback-only listener is enough and is safer.)

Figure 12

We are almost done with the workstation settings. To make an application trust Fiddler, we just need Fiddler's certificate installed on the iPhone. To extract it, go to the HTTPS tab in Fiddler's options, click 'Export root certificate to desktop', and then simply e-mail that certificate to the iPhone. This is the easiest way to transfer the Fiddler certificate to the device.

Figure 13

Open the e-mail containing the certificate and tap it. The device will ask whether to install the profile/certificate. Tap 'Install'.

Figure 14

Observe in the snapshot below that the certificate is now installed.

Figure 15

The last step is to configure the proxy. Go to Settings, Wi-Fi, select your network, then Manual proxy. Enter your workstation's IP address and port 8888 (8888 is Fiddler's default port). In this way the application's HTTPS traffic goes to Fiddler, and Fiddler forwards it to Burp.

Figure 16

Now use your application and observe in the screenshots below that the HTTPS traffic is captured in Fiddler (figure 17) and then forwarded to Burp (figure 18). Enjoy intercepting :)

Figure 17

Figure 18

Through application traffic analysis we can then perform various checks: client-side injection, transport layer security, data manipulation, analysis of error messages, business logic checks, session management, banner grabbing and information gathering, etc.

References:
• https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• iTools - http://itools.en.uptodown.com/
• iFunbox - http://dl.i-funbox.com/
• Fiddler - http://www.telerik.com/download/fiddler1
• Burp - http://portswigger.net/burp/download.html

In the next article we will see how to perform reverse engineering and memory analysis.

-TO BE CONTINUED-
Digital Forensics

Mobile Device Forensics at a Glance
By Vijay Kumar, Technical Manager in KPMG Global Services, based in India

This article recreates the anatomy of mobile forensics: the cyclic process of applying sound methodologies for the preservation, acquisition, examination and analysis, and reporting of digital evidence on mobile devices. The digital forensic community constantly faces the challenge of staying abreast of the latest technologies that may be used to expose relevant clues in an investigation. Corporations are extremely keen on mobile security to shield themselves from corporate espionage, monetary theft, and intellectual property theft.

Every investigation works towards seven key questions: who, what, why, when, where, how and how much?

Digital forensics

Digital forensics (also known as digital forensic science) is a branch of forensic science covering the recovery and investigation of material found in digital devices, often in connection with computer crime. The term digital forensics was originally used as a synonym for computer forensics.

Mobile forensics

Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. It is an evolving specialty within digital forensics. This guide attempts to bridge the gap by providing an in-depth look at mobile devices and explaining the technologies involved and their relationship to forensic procedures.

Need for Mobile Forensics

Mobile device forensics has expanded significantly over the past few years. The use of mobile phones in online transactions such as mobile banking, stock trading and flight/hotel reservations, and in communications about illegal activities by criminals, has created the need for mobile device forensics.
Why Smartphones? Now that smartphones are becoming ubiquitous and their usage is prevalent in almost every walk of life, Information is becoming the crucial part. Furthermore with the ability of smartphones persistently developing, the sum and sensitivity of information these devices store also increases. With basic features like GPS, Cell, Wi-Fi, Bluetooth, camera, feature recording, email, NFC, and more, it is critical for law enforcement and the private sector to have the capacity to perform forensics because information such as this can be significant in an investigation. Older model mobile phones used to store a limited amount of data that could be easily obtained by the forensics investigator. With the development of the smartphone, a significant amount of information can still be retrieved from the device by a forensics expert; however the techniques to gather this information have become increasingly complicated. It is important for forensics investigators to develop an understanding of the working components of a mobile device and the appropriate tasks to perform when they deal with them on a forensic basis.
[Figure: Smartphone market share by vendor]
After 20 years of evolution, there are a number of electronic personal devices labelled mobile devices on the market today. Mobile devices include cell phones; smartphones like the Apple iPhone and BlackBerry; personal digital assistants (PDAs); and digital audio players such as iPods and other MP3-type devices. The worldwide smartphone market grew 28.2% year over year in the fourth quarter of 2014 (2014Q4), with shipments of 377.5 million units, according to data from the International Data Corporation. At the moment the mobile OS market share splits as follows: Android OS 76.6%, Apple iOS 19.7%, BlackBerry OS 0.4% and Microsoft 2.8%. The exponential growth in smartphones comes with additional entry points for cybercrime.
Overall, the major vendors are Samsung 19.9%, Apple 19.7%, Lenovo 6.5%, Huawei 6.3%, Xiaomi 4.4% and others 45.7%, so the majority is made up of other smartphones, and what an examiner faces depends on what each manufacturer has designed. This comes as a challenge in the forensics world.
The Challenge
The biggest challenge that law enforcement, corporates and forensic investigators face today is to effectively manage digital evidence obtained from mobile devices. Some of the issues include:
• Complexity of interface, storage media and hardware in mobile devices
• File systems contained in mobile devices operate from volatile memory (computer memory that requires power to maintain stored information), versus non-volatile memory devices like a standalone hard disk drive that does not require a maintained power supply
• The variety of operating systems embedded in mobile devices
• New mobile devices with their respective operating systems
Who: Gather information about the individual(s) involved
What: Determine the exact nature of the events that occurred
Where: Did the incident happen at offshore or onshore facilities?
When: Construct a timeline of events
Why: Uncover information that explains the motivation for the offense
How: Discover what tools or exploits were used
How much: Every single byte of information
Life Cycle of Mobile Device Forensics
Preservation
Preservation involves the search, recognition, documentation, and collection of electronic-based evidence. In order to use evidence successfully, whether in a court of law or a less formal proceeding, it must be preserved. Failure to preserve evidence in its original state could jeopardize an entire investigation, potentially losing valuable case-related information.
Collection
Mobile device examiners typically assemble a collection of both forensic and non-forensic tools for their toolkit.
Identification
Mobile devices need to be identified by make, model, and service provider. If the mobile device is not identifiable, photographing the front, back and sides of the device may be useful in identifying the make, model and current state (e.g., screen lock) at a later time. Most mobile devices keep user data in non-volatile memory (i.e. NAND). If the mobile device is powered on, battery removal will power it off, possibly causing an authentication mechanism to trigger when it is powered back on.
The main means of identification include:
Device Characteristics
• The make and manufacturer of a mobile device may be identified by its observable characteristics.
Device Interface
• The power connector can be specific to a manufacturer and may provide clues for device identification.
Device Label
• For all mobile devices that use a UICC, the identity module is typically located under the battery and imprinted with a unique identifier called the Integrated Circuit Card Identification (ICCID). For powered-on GSM and UMTS phones, the International Mobile Equipment Identifier (IMEI) may be obtained by keying in *#06#. Similar codes exist for obtaining the Electronic Serial Number (ESN) or Mobile Equipment Identifier (MEID) from powered-on CDMA phones.
Carrier Identification
• The carrier for a mobile device may have its logo printed on the exterior. This is traditionally displayed prominently to allow for advertising and branding, and may provide the examiner with insight into which carrier the mobile device operates on.
Processing
Logical extraction tools are providing additional capabilities to hardcode keywords and specific known hashes, alerting the on-scene examiner immediately to potential issues that need to be addressed. Where possible, devices supporting encryption, such as Android and iOS devices, should be triage-processed at the scene if they are found in an unlocked state, as the data may no longer be available to an investigator once the device's screen is locked or the battery is exhausted.
Review
Review is the technical process that is the province of a forensic specialist. However, analysis may be done by roles other than the forensic analyst, such as the investigator or the forensic examiner.
Analysis
This step provides the examiner with the ability to perform examination or analysis of the acquired data. The understanding gained by studying the case should provide ideas about the type of data to target and specific keywords or phrases to use when searching the acquired data. Depending on the type of case, the strategy varies. For example, a case about child pornography may begin with browsing all of the graphic images on the system, while a case about an Internet-related offense might begin with browsing all Internet history files.
Presentation of Evidence
This is the final step and it is the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case. Digital evidence, as well as the tools, techniques and methodologies used in an examination, is subject to being challenged in a court of law or other formal proceedings.
Chain of Custody and Preservation of Evidence
The goal of a forensic investigator is to obtain evidence using the most acceptable methods, so that the evidence will be admitted according to law at trial. Obtaining a judge's acceptance of evidence is commonly called admission of evidence. Evidence admissibility requires a lawful search and strict adherence to chain-of-custody rules covering evidence collection, evidence preservation, analysis, and reporting.
What should I consider for different platforms?
The capabilities of the tool and the richness of its features, versus the operating system and type of device under examination, determine what information can be recovered, identified and reported, and the amount of effort needed:
• Application and file analysis
• Timeframe analysis
• Data hiding analysis
Potential Evidence
For all mobile devices and operating systems, the following is the list of potential evidence that can be uncovered:
• Subscriber and equipment identifiers
• Date/time, language, and other settings
• Phonebook/contact information
• Calendar information
• Text messages
• Outgoing, incoming, and missed call logs
• Electronic mail
• Photos
• Audio and video recordings
• Multimedia messages
• Instant messaging
• Web browsing activities
• Electronic documents
• Social media related data
• Application related data
• Location information
• Geo-location data
A quick walk through on Android forensics
As Android is the market leader in mobile operating systems, the probability of it being involved in a cyber attack is high:
• Either an Android device is used as a means to carry out an attack
• Or the users of Android devices are targeted
A rule of thumb in forensic investigation is that you cannot work on the primary evidence if you want it to be admissible in a court of law. If we copy and paste the content of a disk, this will only copy visible, hidden and system files. Whatever is deleted or not accessible by the OS would not be copied by the copy command. So, for a thorough analysis, it is required to create a 1:1 image of the disk. There are two locations to image in the case of an Android device: one is the device itself and the other is the external card. The authenticity of the image we have created must then be established; this can be done with multiple tools, for example WinHex.
Physical Extraction
On most Android devices, do the following: go to “Menu” -> “Settings” -> “Applications” -> “Development” and then click “USB debugging” to enable ADB (Android Debug Bridge).
USB debugging must be turned on before it is possible to attempt an extraction, and this cannot be done when the device is locked. However, in some cases the user may have turned on USB debugging before locking the device; in this case you will be able to “bypass” the screen lock. In Android terminology, we need to ROOT the device to get super-user permission. There are various techniques available in the market that can help you in rooting your Android phone; among them, the Odin3 software is one popular tool. All you need to do is check the build number of your phone, which you can find on any Android phone under Settings -> About Phone -> Build number.
Backup
If the Android device is rooted, one can connect to the device through ADB. Insert a fresh SD card in the device and copy the target data there. Typical syntax of the dd command:
dd if=/dev/fd0 of=tmp.image
The output of the dd image can be understood by most open source and commercial forensic tools, including Helix, EnCase, Forensic Toolkit etc.
Analysis
Most of the application-specific data can be found under /data/data/, reachable through the ADB shell:
adb shell
cd /data/data/
SQLite database files are the most interesting files for forensic investigators. One will get the most critical information here, even usernames and passwords in some cases. All SQLite files are stored in .db format under /data/data/com.application_name/databases. The tools allow dumping and decoding of contacts, call logs, SMS, emails and user files, and can extract deleted items such as databases, images, video, audio and documents, covering all Android OS versions and the EXT3, EXT4 and RFS file systems.
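As an added example (not from the article), the following Python carries out the two first steps of the walk-through above on a working copy: it re-hashes a dd image to confirm it still matches the digest recorded at acquisition, then locates SQLite databases in an extracted /data/data tree by their file header rather than by the .db extension and lists their tables through a read-only connection. The tree, the package name com.example.messenger, the table names and the rows are all constructed here for the demonstration.

```python
"""Image integrity check and SQLite inventory for an extracted Android /data/data tree."""
import hashlib
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database file


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Stream the file through the hash so images larger than RAM can be verified."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path, acquisition_hexdigest, algo="sha256"):
    """True when the working copy still matches the digest taken at acquisition time."""
    return hash_file(path, algo) == acquisition_hexdigest.lower()


def find_sqlite_databases(root):
    """Identify SQLite files by header, not by name: app databases are not always called *.db."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                        hits.append(full)
            except OSError:
                continue  # unreadable entry: skip, never alter
    return sorted(hits)


def list_tables(db_path):
    """Open the database read-only (URI mode) so the evidence copy is never modified."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows]


def build_sample_tree():
    """Constructed stand-in for an extracted /data/data tree (not real evidence)."""
    root = tempfile.mkdtemp(prefix="data_data_")
    db_dir = os.path.join(root, "com.example.messenger", "databases")
    os.makedirs(db_dir)
    conn = sqlite3.connect(os.path.join(db_dir, "messages.db"))
    conn.execute("CREATE TABLE sms (address TEXT, body TEXT, date INTEGER)")
    conn.execute("CREATE TABLE accounts (username TEXT, token TEXT)")
    conn.execute("INSERT INTO sms VALUES ('+10000000000', 'constructed sample', 0)")
    conn.commit()
    conn.close()
    # a non-database file in the same directory must not be reported
    with open(os.path.join(db_dir, "notes.txt"), "w") as fh:
        fh.write("not a database\n")
    return root


def triage(root, image_path, acquisition_hexdigest):
    """Integrity first, then inventory: the order an examiner follows before reading any data."""
    report = {"image_intact": verify_image(image_path, acquisition_hexdigest), "databases": {}}
    for db in find_sqlite_databases(root):
        report["databases"][os.path.relpath(db, root)] = list_tables(db)
    return report


if __name__ == "__main__":
    sample_root = build_sample_tree()
    # the sample database file stands in for the dd image in this offline run
    image = os.path.join(sample_root, "com.example.messenger", "databases", "messages.db")
    print(triage(sample_root, image, hash_file(image)))
```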
Major players in the mobile forensics market
• Law enforcement
• Corporates
• Government agencies
Conclusion
The wide variety of smartphones makes mobile forensics a real challenge, one that requires heavy manual intelligence and intervention.
New & News
News
A peek under the hood at the recent security breaches
Critical Vulnerability Discovered in Google-owned YouTube
Two security researchers, Ahmed Aboul-Ela and Ibrahim M. El-Sayed, have discovered a simple trick that allowed them to copy any comment on the popular video sharing website to their own video, even without any user interaction. It also allows you to spoof, duplicate or copy the comments on discussion boards from any YouTube channel and make them appear as comments on your video or on your YouTube channel's discussion board. For more info: http://www.secgeek.net/youtube-vulnerability/
BK Team
CSRF Bug in ESET Found by Egyptian Hunter
Mahmoud El Manzalawy has discovered a CSRF bug in ESET. Its effect may extend to the user info. The only problem was in the tokens they have: he could use his token with any other membership, and it worked as long as he was still logged in and his tokens were valid.
PayPal Remote Code Execution Vulnerability
A remote code execution vulnerability has been discovered in the JDWP protocol of the PayPal Inc. Marketing online service web server by security researcher Milan A. Solanki. The vulnerability allows remote attackers to execute system-specific code against a target system to compromise the web server.
The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs (hereafter called the target VM). JDWP is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. The vulnerability in the PayPal platform is very dangerous because an ill-intentioned actor could exploit it to execute system code against the company's servers and compromise them, without any privileges or user interaction. Solanki used the jdwp-shellifier tool from GitHub to scan the marketing sites, searching for an open port 8000.
The Dyre Wolf Campaign: Stealing Millions
IBM Security has identified an active campaign using a variant of Dyre malware that has successfully stolen more than $1 million from targeted enterprise organizations. In recent incidents, organizations have lost between $500,000 and $1.5 million to attackers. While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations. Since its start in 2014, Dyre has evolved to become simultaneously sophisticated and easy to use, enabling cybercriminals to go for the bigger payout.
In addition to the advanced social engineering tricks, the Dyre criminal gang also employs distributed denial-of-service (DDoS) attacks against the targeted bank or businesses in order to distract attention and resources from the theft and to prevent victims from logging into the bank account until it is too late.
Privacy Violation: “Your Location Has Been Shared 5,398 Times”
Every time you install an app on your smartphone, it asks you for access permissions. Most applications want to know where you are, to have a snoop at your contacts and even to browse and access your private files. With the increasing use of smartphones, we all got used to this as being the natural order of things. But how aware are we really of that background data-collecting activity by the apps on our phones? A new study from Carnegie Mellon University is trying to answer that question while shedding some light on the constant spying activity going on in our phones. The first conclusion of the researchers is shocking:
“Your location data has been shared 5,398 times with Facebook, GO Launcher EX, Groupon and seven other applications in the last 14 days.” Say what? 5,398 times in 2 weeks?!?! Yes: during their study, the researchers monitored 23 Android smartphone users for three weeks. They concluded that some apps for Android are tracking users' movements every three minutes. Some apps for Android are even attempting to collect more data than they need. Groupon, a deal-of-the-day app, requested one participant's coordinates 1,062 times in two weeks. Weather Channel, a weather report app, asked for the device location an average of 2,000 times, or every 10 minutes.
Reviews
Malware Review
AndroidOS_GEINIMI Analysis Report
Introduction
This Android malware sample disguises itself as a game. This article covers the process of infection, suspecting, investigating & analysis, and conclusion. The scenario used is hypothetical.
Eng. Ehab Abdel Monem, Malware Analyst at EG CERT
1st Infection:
Bob is a new Android user. He downloaded a lot of application-market applications, even black-market applications {Mistake 1: “There is no free lunch”}, so he could download free games as he wanted. Then he downloaded a game called Monkey Jump 2.0. While installing it, he got the warning about unknown-source applications. Eager to play, he enabled unknown sources {Mistake 2: “never do that unless you know what you are doing, and then you must disable it again”}, ignoring Android's warning. Then he saw the permissions that this game requested and just pressed install {Mistake 3: “always read and think about whether the application needs these permissions”}. Then he played his nice game.
2nd Suspecting:
Then Bob started to notice that his mobile phone bill was unusually high. When he went back to his mobile service provider he found that he was being billed for calls and SMSs to premium-rate numbers, but Bob's mobile logs did not have anything like that. So he reported this incident to the NTRA as a complaint against his mobile service provider, which, after reviewing the complaint with the service provider, found that Bob had indeed made those calls and SMSs. To investigate further, the incident was forwarded to EG-CERT. After performing a digital forensics investigation on Bob's mobile phone, they found a suspicious file and forwarded it to the malware analysis team; the following report was the output of the malware sample analysis.
3rd Investigating & Analysis:
File information
File Name: MonkeyJump2.0.apk
MD5: e0106a0f1e687834ad3c91e599ace1be
File size: 568KB
File type: APK (zip) file
Android application information
Application permissions
Many of these permissions are suspicious. Why would a game need to access location, or to read and send SMSs, etc.?
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.SET_WALLPAPER" />
<uses-permission android:name="android.permission.WRITE_CONTACTS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
<uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS" />
<uses-permission android:name="android.permission.ACCESS_GPS" />
<uses-permission android:name="android.permission.ACCESS_LOCATION" />
<uses-permission android:name="android.permission.RESTART_PACKAGES" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.WRITE_SMS" />
Application entry-points
<application android:label="@string/app_name" android:icon="@drawable/icon">
    <activity android:label="@string/app_name" android:name=".MonkeyJump2" android:screenOrientation="portrait">
        <intent-filter>
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
    <meta-data android:name="ADMOB_PUBLISHER_ID" android:value="a14af86c0dcb0f4" />
    <receiver android:name="com.dseffects.MonkeyJump2.jump2.f">
        <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
        <intent-filter android:priority="65535">
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>
    <service android:name="com.dseffects.MonkeyJump2.jump2.c.AndroidIME" android:permission="android.permission.INTERNET" />
    <activity android:theme="@*android:style/Theme.Black.NoTitleBar" android:label="@string/app_name" android:name="com.dseffects.MonkeyJump2.jump2.c.rufCuAtj">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
</application>
1. .MonkeyJump2
2. com.dseffects.MonkeyJump2.jump2.f <receiver for BOOT_COMPLETED & LAUNCHER & SMS_RECEIVED>
3. com.dseffects.MonkeyJump2.jump2.c.AndroidIME <service>
4. com.dseffects.MonkeyJump2.jump2.c.rufCuAtj
Behavioral analysis
1. The malware tries to connect to the C&C URLs one by one, but all of them are down.
2. The malware creates a shared preferences file with encrypted content.
The strings of the shared preferences file [this depends on the static code analysis which follows] can be recovered: we can write Java code to decrypt them using the key “12345678” found inside the code. The code can be found in appendix B.
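As an added example (not part of the report or of its appendix B), the following Python performs the manifest review above automatically: it flags the permissions a game has no use for, the BOOT_COMPLETED receiver, the SMS_RECEIVED filter with priority 65535 (high enough to call abortBroadcast() before the messaging app sees the message), and the multiple LAUNCHER components. The manifest embedded below is reconstructed from the listing in the report with the xmlns:android declaration added and the permission list shortened; the set of "sensitive" permissions and the verdict rules are this example's own choices.

```python
"""Static triage of an Android manifest for the indicators seen in the GEINIMI sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
LAUNCHER = "android.intent.category.LAUNCHER"

# Permissions a casual game does not need; this selection is the example's own, not the report's.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RESTART_PACKAGES",
}


def _names(elem, tag):
    """android:name values of every direct <tag> child of elem."""
    return {child.get(A_NAME) for child in elem.findall(tag)}


def triage_manifest(xml_text):
    """Collect the manifest-level indicators a first-pass static review would record."""
    root = ET.fromstring(xml_text)
    report = {
        "sensitive_permissions": sorted(_names(root, "uses-permission") & SENSITIVE),
        "boot_receivers": [],
        "sms_interceptors": [],     # (component, priority) pairs
        "launcher_components": [],
    }
    for comp in root.find("application"):
        name = comp.get(A_NAME)
        for flt in comp.findall("intent-filter"):
            actions = _names(flt, "action")
            categories = _names(flt, "category")
            if LAUNCHER in categories:
                report["launcher_components"].append(name)
            if comp.tag == "receiver" and BOOT_COMPLETED in actions:
                report["boot_receivers"].append(name)
            if comp.tag == "receiver" and SMS_RECEIVED in actions:
                # Above the platform's 1000 the receiver is delivered the SMS before the
                # stock messaging app and can abortBroadcast() to hide it from the user.
                report["sms_interceptors"].append((name, int(flt.get(A_PRIORITY, "0"))))
    report["launcher_components"] = sorted(set(report["launcher_components"]))
    return report


def verdict(report):
    """Turn the indicators into a short triage outcome (thresholds are this example's)."""
    hides_sms = any(prio >= 1000 for _name, prio in report["sms_interceptors"])
    persistent = bool(report["boot_receivers"])
    telephony = any(p.endswith(("SEND_SMS", "CALL_PHONE")) for p in report["sensitive_permissions"])
    if hides_sms and persistent and telephony:
        return "likely SMS-abusing malware"
    if report["sensitive_permissions"]:
        return "suspicious permissions, review needed"
    return "no manifest-level indicators"


# Reconstructed from the report's manifest excerpt; namespace added, permission list shortened.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.RESTART_PACKAGES" />
  <application android:label="@string/app_name">
    <activity android:name=".MonkeyJump2">
      <intent-filter><category android:name="android.intent.category.LAUNCHER" /></intent-filter>
    </activity>
    <receiver android:name="com.dseffects.MonkeyJump2.jump2.f">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
      <intent-filter android:priority="65535">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <service android:name="com.dseffects.MonkeyJump2.jump2.c.AndroidIME" />
    <activity android:name="com.dseffects.MonkeyJump2.jump2.c.rufCuAtj">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result)
    print(verdict(result))
```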
Static analysis
Tools used
1. {apktool}: to extract classes.dex and AndroidManifest.xml
2. Dalvik disassemblers
  1. {ddx} dedexer: converts classes.dex to the original Dalvik bytecode
  2. {baksmali}: converts classes.dex to smali code, which is modified Dalvik code that is simpler and easier to read
3. Dalvik to Java decompilers
  1. {dex2jar}: converts classes.dex to a jar file that can be viewed using {jd-gui}
  2. {jadx}: can decompile classes.dex directly to Java code
  3. Note that the jadx result is more accurate than dex2jar
  4. Note that both results are not 100% accurate; sometimes you have to use the smali code for the accurate flow of execution
https://bitbucket.org/JesusFreke/smali/
https://github.com/skylot/jadx
https://code.google.com/p/android-apktool/
https://dedexer.sourceforge.net/
https://code.google.com/p/dex2jar/
Entry-point 1: .MonkeyJump2
The original game entry point. Clean, no malicious execution.
Entry-point 2: “com.dseffects.MonkeyJump2.jump2.c.AndroidIME” <service>
1. This class is just a wrapper for jump2.e.
2. It tries to start a server socket on the first available port of the following list: {5432, 4501, 6543}.
3. It listens on this port and waits until someone sends the string “hi, are you online?”, replies with “yes, I’m online!”, then reads two integers as the version, then sends 10 then 5.
4. It compares the C&C version with 10.7, the local malware version; if the C&C version is higher, the process closes itself.
5. It tests whether a working (existing) back-door on port 8791 exists and tests the connection to it.
6. Then the malware collects some system information.
7. This malware uses DES encryption to encrypt strings inside the code and to encrypt traffic with the C&C. This particular sample uses the DES key “12345678”. You can find a list of decrypted strings in appendix A.
8. Then the malware decrypts the list of C&C URLs, str[84].
9. Then the malware saves these values as shared preferences.
10. The malware reads a value from shared preferences with key “ll”, then reads a set of values {“lk”, “lc”, “lp”, “lt”} from 0 to int(ll).
11. “lt” stores a time value; only if this value is less than 2 hours away from the current time does the malware proceed. If it is more, the malware deletes that set of values.
12. Then the malware searches for some processes whose names are extracted from lk, using ActivityManager.restartPackage(str). Note that this method was deprecated in API level 8: it is now just a wrapper for killBackgroundProcesses(String); the previous behavior is no longer available to applications because it allowed them to break other applications by removing their alarms, stopping their services, etc.
13. The malware sends SMSs to the numbers, with the bodies, coming from the {“lk”, “lc”, “lp”, “lt”} value set.
14. Then the malware sends device information to the first working C&C URL.
15. Then it parses the result to get the C&C ACTION and performs it.
16. From the code we can find the main states of the malware:
  1. START :: transition to download state
  2. DOWMLOAD :: get C&C data
  3. PARSE :: parse C&C data
  4. TRANSACT :: executes commands
  5. IDLE :: sleeps
Entry-point 3: com.dseffects.MonkeyJump2.jump2.f (BOOT_COMPLETED & LAUNCHER & SMS_RECEIVED)
1. If the event is SMS_RECEIVED, the malware starts processing the SMS address and data to take action.
2. Then it calls abortBroadcast() on the SMS event if the SMS is from a premium-rate number that the malware sent to before.
3. Then it sends this SMS to the C&C.
4. So this receiver is mainly there to intercept SMSs and hide the SMSs related to malware activity.
4th Conclusion
1. Analysis conclusion
  1. This malware disguises itself as a game to trick users into using it.
  2. The malware uses DES encryption to encrypt strings, communication with the C&C and the shared preferences file.
  3. The malware can intercept SMSs and hide them from the user.
  4. The malware communicates with the C&C server using the XML file “getAdXml.do”.
  5. The malware installs a back-door on the device on ports {5432, 4501, and 6543} that allows the different instances of the malware to run on the same device.
  6. From the decrypted strings found inside the code we can now know the commands that can be issued by the C&C, such as {call://, sms://, email://, ...}.
2. User advice
  1. Don't install applications from unknown sources.
  2. Don't use black-market applications [how can you trust that the person who cracked the game didn't put something extra in?].
  3. Always check the application permissions and decide whether the application's function requires these permissions or not.
3. General advice
  1. Rooting your Android gives you brilliant control of your device and enables you to do a lot, but remember that it also gives any malware that infects you ultimate control of your mobile.
  2. Always check your device's network usage, battery life, and call and SMS history through the service provider if possible, as these can be indications that your mobile has a harmful application installed on it.
Appendix A
0 “debug_internel”, 1 “debug_outer”, 2 “_value@”, 3 “http://180.168.68.34:8080/android/getAdXml.do”, 4 “”, 5 “”, 6 “contactlist”, 7 “smsrecord”, 8 “deviceinfo”, 9 “location”, 10 “sms”, 11 “register”, 12 “call”, 13 “PostUrl”, 14 “TicketerText”, 15 “TitleText”, 16 “ContextText”, 17 “ShowMode”, 18 “call://”, 19 “email://”, 20 “map://”, 21 “sms://”, 22 “search://”, 23 “install://”, 24 “shortcut://”, 25 “contact://”, 26 “wallpaper://”, 27 “bookmark://”, 28 “http://”, 29 “toast://”, 30 “startapp://”, 31 “.zip”, 32 “tel://”, 33 “smsto:”, 34 “geo:”, 35 “CmdID”, 36 “AdID”, 37 “I”, 38 “D”, 39 “content://sms/inbox”, 40 “content://sms/sent”, 41 “com.android.launcher.action.INSTALL_SHORTCUT”, 42 “method=post&IMEI=”, 43 “&IMSI=”, 44 “&AdID=”, 45 “&CPID=”, 46 “&PTID=”, 47 “&SALESID=”, 48 “&msgType=”, 49 “imei=”, 50 “&imsi=”, 51 “&sms=”, 52 “&type=send”, 53 “&latitude=”, 54 “&longitude=”, 55 “&type=receive”, 56 “&phone=”, 57 “&MODEL=%s&BOARD=%s&BRAND=%s&CPU_ABI=%s&DEVICE=%s&DISPLAY=%s&FINGERPRINT=%s&HOST=%s&ID=%s&MANUFACTURER=%s&PRODUCT=%s&TAGS=%s&TIME=%s&TYPE=%s&USER=%s&SoftwareVersion=%s&Line1Number=%s&NetworkCountryIso=%s&NetworkOperator=%s&NetworkOperatorName=%s&NetworkType=%s&PhoneType=%s&SimCountryIso=%s&SimOperator=%s&SimOperatorName=%s&SimSerialNumber=%s&SimState=%s&SubscriberId=%s&VoiceMailNumber=%s&CPID=%s&PTID=%s&SALESID=%s&DID=%s&sdkver=%s&autosdkver=%s&shell=%s”, 58 “suggestsms://”, 59 “silentsms://”, 60 “method=postlink&IMEI=”, 61 “&FeatureTag=”, 62 “text://”, 63 “method=show&IMEI=”, 64 “suggestsms”, 65 “skiptime”, 66 “changefrequency”, 67 “&DID=”, 68 “&sdkver=”, 69 “&autosdkver=”, 70 “IMEI”, 71 “IMSI”, 72 “CPID”, 73 “PTID”, 74 “SALESID”, 75 “DID”, 76 “sdkver”, 77 “autosdkver”, 78 “latitude”, 79 “longitude”, 80 “???????nim?????tom??????? ??ybo”, 81 “&applist=”, 82 “applist”, 83 “updatehost”, 84 “www.widifu.com:8080;www.udaore.com:8080;www.frijd.com:8080;www.islpast.com:8080;www.piajesj.com:8080;www.qoewsl.com:8080;www.weolir.com:8080;www.uisoa.com:8080;www.riusdu.com:8080;www.aiucr.com:8080;117.135.134.185:8080”, 85 “install”, 86 “uninstall”, 87 “showurl”, 88 “cmd cp”, 89 “cmd pm”, 90 “cmd rm”, 91 “/data/”, 92 “shell”, 93 “cmd”, 94 “kill”, 95 “start”, 96 “android.provider.Telephony.SMS_RECEIVED”, 97 “@@smskey(“, 98 “@@kill@(“, 99 “smskiller”, 100 “content://sms/conversations/”
Network Security
An innovative product in the Network Security Market by an Egyptian Engineer
Amr Yehia
Network Security Engineer at Pharos
About the Author
“Amr Yehia is a Network Security Engineer at Pharos Holding for Financial Investment, where he investigates potential or actual security violations or incidents targeting the enterprise and modifies security measures and policies to improve security. Amr is also a network and security courses instructor at the EgySpark courses center, implementing projects including network, security, Linux (Ubuntu, Debian, Raspbian) and hardware kits like the Raspberry Pi. Amr works on the Iron Gate appliance, which will be covered briefly in this article.”
Acknowledgment
Many thanks to Abd ElMuniem Mahmoud, Senior Network Engineer at Equinox, for his great efforts in this project and in improving its features; many thanks also to Mr Mohamed Ibrahim, Head of the Security team at Pharos Holding, for his feedback and guidance on the project; and many thanks to Mr Mohamed Azzam from SEE Company for his help and feedback on the project's progress.
Iron Gate Idea
The idea started in 2011 as a graduation project at the Faculty of Engineering, Helwan University. We gathered a team that dreamed of producing an Egyptian product for the network and security market; after studying the Egyptian and global markets we decided to work on an Integrated Service Router. Iron Gate as a hardware appliance was very difficult to produce with the lack of resources and time, so we focused on flexibility by producing software compatible with any Linux-supported hardware: the hardware may be any personal computer, a dedicated hardware appliance or a small hardware kit.
The Linux operating system provides Iron Gate with many advantages over other operating systems. It is open source software, which enables us to use, copy and modify the Linux source code to improve and enhance Iron Gate. Linux is very stable and rarely crashes; compared with Windows, the “blue screen of death” is not a worry for Linux users. Linux is more secure and less vulnerable to computer malware, Trojans, viruses and worms. One nice security feature in Linux is that files must be made executable by someone with administrator privileges, which requires a password, so even if a Linux virus is loaded on a Linux computer, it will not be able to run without the user who has administrator privileges intentionally making it executable. Another important aspect of Linux security is the fact that it is open source.
Because the programming code is available for anyone to view, there are many eyes constantly examining it, which makes it highly difficult for malware to be hidden within the code. In conclusion, Linux offers a variety of features, options and utilities for free. In 2014, Iron Gate was improved with many required features according to market needs and business investment in security appliances; Iron Gate was enhanced from just an Integrated Service Router including security features into a Unified Threat Manager.
Iron Gate was honored in the Regional Cyber Security Summit Innovation Competition as one of the best three Arabic cyber security projects, held in Muscat, Oman, on 29 March 2015.
Iron Gate Features
Iron Gate is a Unified Threat Manager based on a Linux system that integrates many network and security features. It offers higher flexibility, since it can be implemented as separate software or as a hardware appliance, and a lower price compared with Unified Threat Manager appliances.
The software is compatible with any Linux-supported hardware.
We will covered two features only in this article “Routing and Firewall” and mention the other features 1- Routing Iron Gate is based on Quagga open source routing package, Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD. Quagga is a fork of GNU Zebra which was developed by Kunihiro Ishiguro. The Quagga tree aims to build a more involved community around Quagga than the current centralized model of GNU Zebra. The Quagga architecture consists of a core daemon, zebra, which acts as an abstraction layer to the Issue 20 | www.bluekaizen.org | 33
underlying kernel, Zserv clients which typically implement a routing protocol and communicate routing updates to the zebra daemon. Existing Zserv implementations are:
Figure indicates UFW configuration Quagga daemons are each configurable via a network accessible CLI (called a ‘vty’). The CLI follows a style similar to that of other routing software. There is an additional tool included with Quagga called ‘vtysh’, which acts as a single cohesive front-end to all the daemons, allowing one to administer nearly all aspects of the various Quagga daemons in one place.
Figure contains some of the routing configuration for the RIP and OSPF protocols
2 - Firewall
Iron Gate has a variety of firewall options. Iron Gate supports a traditional firewall based on the Linux iptables built-in firewall. iptables allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames. Iron Gate provides the Uncomplicated Firewall (UFW) software, which eases iptables firewall configuration: UFW provides a user-friendly way to create an IPv4 or IPv6 host-based firewall, and Gufw is a GUI that is available as a frontend. Iron Gate supports another type, called Advanced Firewall, which is also based on the Linux firewall and supports stateful packet filtering, zone segmentation, a wide range of router/firewall/gateway applications, flexible address management/routing support, blacklisting, VPN support, support for traffic control/shaping, traffic accounting, IPv6, and GUI control with centralized management.
3- IPS
4- Antivirus
5- SNMP
6- VPN [SSL - IPsec]
7- Syslog
8- Telnet - SSH
9- DHCP
10- FTP
11- VNC
12- HTTPS Web Management GUI
Iron Gate Added Values
Iron Gate offers many user facilities which make it easy to install, run, manage and monitor the device. Added values include Web-GUI, Easy Install, Virtualization and Friendly Syntax. The Web-GUI collects all appliance features in an HTTPS web interface controlled through browsers; the Web-GUI controls the features of the appliance to add, remove and edit rules and configurations.
Figure indicates Virtualization testing of Iron Gate on virtual machine applications
Friendly Syntax modifies many rules and words to be easier and faster to use.
Figure indicates Web-GUI management through a web browser
Easy Install enables the user to convert any personal computer or hardware appliance to a UTM in a few minutes with no need for configuration from the user; just select “Install” from the menu and everything will go on.
Figure indicates the Easy Install feature; all that is required is to select “Install”
Future Objectives
Iron Gate is in continuous development to match market needs and make world security better. Mentioned below are some of the features that will be implemented in Iron Gate as future work:
Web filtering
VOIP Gateway
Wireless Access Point
Load Balancer
ADSL Router
Mail Server
MPLS
DNS Server
We continuously improve and upgrade Iron Gate and hope to see the Iron Gate appliance in the market soon. We are testing and evaluating product performance, so we need your support and feedback about our products, and our team welcomes anyone interested in our idea and project, who can contact me at amr.yehia@ieeegoldegypt.org
Virtualization enables users and network administrators to test a “Demo Version” of the product, which can be tested physically in a real network or virtually with virtual machine tools and network simulator tools like VMware and GNS3.
Best Practice
Importance of Detection over Prevention
How often do we hear about data breaches, new malware or a variant of old malware, or new phishing campaigns? Almost every day. Even giant organizations like Sands Casino Group, Sony Pictures Entertainment, Neiman Marcus and Home Depot were just some of the high-profile companies targeted, compromising personal and confidential data. Why are hacking groups able to successfully compromise the networks and exfiltrate the data of organizations including Military, Government, Education, Health, Oil & Energy and many others? Why are attackers successful? Don’t we have strong security strategies? Why do we seem to be one step behind these attackers?
Vijay Lalwani
Security Analyst at Paladion Network
When we face cyber attacks on an ongoing basis, doesn’t it seem to say that “nothing will ever be secure”? Increasing the level of security doesn’t mean it will prevent an attacker from breaking into an organization’s network, but it will require more intelligence to do so.
I shared this thought with some security geeks on a forum. The best explanation I got was when a person said, “Much of security is about redirection. The same reason you lock your car doors at night. Sure, they could smash your window but usually they will move on to an easier target”. He explained it well; however, it left me with a thought. What if they are targeting a specific car brand? Then instead of just smashing the window or moving on to an easier target, they’ll use a more intelligent method to unlock the car. Adding more security will make script kiddies/newbies redirect to other targets but not the expert ones.
Even though these giants have strong security strategies, an attacker can still break into the network by using a little more intelligence. So what are these organizations missing? Why are attackers able to compromise their networks? The study said that organizations are investing a large percentage of their security budget in threat prevention rather than threat detection, followed by incident response. Prevention methods are not always successful, so instead of investing a large amount of the security budget in prevention, organizations should consider strong detection techniques as well. Prevention may fail to stop Advanced Persistent Threats (APTs), slow attacks and smart attacks, but detection methods need not: the probability that detection methods will detect APTs, slow attacks and smart attacks is higher than the probability that prevention methods will stop them. Prevention methods mainly work like a firewall (a prevention system), which decides in a fraction of a second whether traffic is malicious and whether to permit or block it. Detection methods, however, concentrate more on detecting the threat; in other words, they work like antivirus (a detection system), which has time to scan the file, match the signature/hash value against the database and then take the necessary actions.
This also shows that the prevention method will not always succeed in preventing such threats, but your detection method can. Hence, organizations should concentrate and invest more in strong detection methods. The recent attacks on Sands Casino Group by hackers from Iran (involved in Operation Cleaver), on Sony Pictures Entertainment by hackers from North Korea, by a new group dubbed Desert Falcons (mostly targeting the Middle East region), and many other hacking campaigns which use a combination of known and customized tools and malware prove that organizations should adopt stronger detection methods rather than continuing to invest in prevention methods.
Organizations should use strong endpoint detection systems, HIDS, NIDS and other detection systems that have the capability to detect not only known threats but also unknown threats, by alerting when a system’s behavior becomes abnormal. SIEM tools are a must and offer a centralized view for monitoring internal and external threats. A SIEM has the capability to collect and correlate each and every security event from different log sources throughout an organization’s network. Integrating SIEM tools with pattern-matching techniques and Vulnerability Assessment (VA) tools gives an added advantage in detecting slow attacks and smart attacks that previously might have gone undetected. Pattern matching can profile traffic over minutes, hours, days and weeks and match it against normal patterns, allowing the detection of abnormal behavior. Also, VA tools can provide details on the latest vulnerabilities present in your organization’s assets and send them to your SIEM tool, allowing you to prioritize the events to/from these assets accordingly.
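As an added illustration of the approach just described (example code written for this article, not taken from any SIEM product or from the author), the following Python script builds a per-host outbound-traffic baseline over a week of constructed flow events, flags a host whose daily egress departs from its own baseline, and raises the alert priority when a constructed VA feed marks that host as carrying a critical vulnerability. All host names, addresses and byte counts are constructed sample data.

```python
import statistics
from collections import defaultdict

# Constructed sample SIEM flow events (not real data): (day, host, dst_ip, out_bytes).
# Days 1-7 form each host's baseline; day 8 is the day under review.
EVENTS = (
    [(d, "ws01", "10.0.0.9", 500_000 + 10_000 * (d % 3)) for d in range(1, 9)]
    + [(d, "db02", "10.0.0.9", 5_000_000 + 50_000 * (d % 2)) for d in range(1, 9)]
    + [(8, "db02", "203.0.113.7", 20_000_000)]  # constructed spike to an outside address
    + [(d, "ws03", "10.0.0.9", 1_000_000 + 20_000 * (d % 4)) for d in range(1, 9)]
)
# Constructed VA feed: assets with an open critical vulnerability.
VA_CRITICAL = {"db02"}


def daily_egress(events):
    """Aggregate flow events into outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, out_bytes in events:
        totals[host][day] += out_bytes
    return totals


def flag_egress_anomalies(events, va_critical, review_day, baseline_days=7, z_limit=3.0):
    """Flag hosts whose egress on review_day exceeds their own baseline mean by
    more than z_limit standard deviations; VA-critical hosts are ranked 'high'."""
    alerts = []
    for host, per_day in daily_egress(events).items():
        window = range(review_day - baseline_days, review_day)
        history = [per_day[d] for d in window if d in per_day]
        if len(history) < 2:
            continue  # too little history to build a baseline
        mean, stdev = statistics.mean(history), statistics.stdev(history)
        today = per_day.get(review_day, 0)
        if stdev:
            z = (today - mean) / stdev
        else:  # flat baseline: any increase is a departure from it
            z = float("inf") if today > mean else 0.0
        if z > z_limit:
            alerts.append({"host": host, "bytes": today, "baseline": round(mean),
                           "z": round(z, 1),
                           "priority": "high" if host in va_critical else "medium"})
    # highest priority first, so analysts review vulnerable assets before the rest
    return sorted(alerts, key=lambda a: a["priority"] != "high")


if __name__ == "__main__":
    for alert in flag_egress_anomalies(EVENTS, VA_CRITICAL, review_day=8):
        print(alert)
```

With the constructed data only db02 is flagged: its day-8 total is about five times its weekly mean, and the VA feed lifts it to high priority while the two workstations stay within their baselines.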
The attackers were exfiltrating data from these high-profile organizations (Sony Pictures Entertainment, Target, Neiman Marcus, Home Depot) for a long period of time, but none of their prevention methods were able to stop it from happening.