Cognitive and Scientific Brainology

Security - consulting,assessment,research,solutions,penetration tests.
Face - detect,track,recognize,extract features,learn emotions,character animation.

Categories: HITB, HITB-AMS

#hitb2012ams - Overview

06/27/12 | by zveriu | Categories: Conference, HITB, HITB-AMS, Write-up

What can be more fun and crazier than Amsterdam? That’s right - HTIB2012 in Amsterdam !

It is over now and I would like to take this opportunity to thank the reviewers and the organizers for providing the chance to meet them and meet other cool presenters and the extraordinary audience!

Special thanks to Dhillon, @fish_, Yuri, Amy - you guys&gals rock!

Leave a comment •

#hitb2012ams Day2, Track1, 10:30, PostScript Danger Ahead

06/11/12 | by zveriu | Categories: Conference, HITB, Write-up

UPDATE: subscribe to postscript-sec@andreicostin.com mailing list for notifications and planned tools & PoC releases.

You can download my HITB2012AMS presentation here.

Also, thanks to authors of the below overview posts on my presentation:

You can also check the HITB2012AMS materials.

Securely yours,
Andrei

Leave a comment •

#hitb2012ams Day1, Track1, 10:30, Turning Android Inside Out

06/05/12 | by zveriu | Categories: Conference, HITB-AMS, Write-up

Download here

Code:

	`http://conference.hitb.org/hitbsecconf2012ams/`
	`Amsterdam, 2012`
	`Day1, Track1, 10:30`
	`Ivo Pooters`
	`Turning Android Inside Out`

	`Presented a forensic scenario where`
	`A guy was found dead and had an android phone`
	`This device was cloned with dd`
	`A guy from SwiftLogic was arrested for suspicion on leaking private and sensitive information/schematics`
	`This device was cloned with nandump`

	`MTD block device`
	`dd -> bad it has no out of band (OOB) bytes`
	`nandump -> wise choice`

	`Cellbrite ufed`
	`android emulator`
	`doesn’t like foreign images`
	`load dyaffs2 support into linux kernel`

	`when using nansim`
	`need correct parameters to load the right size of the image loaded`
	`need to write the OOB bytes in the OOB-based image, so that the yaffs2 filesystem is correctly loaded`

	`50.56.29.109/ss`
	`contains PDFs from the SwiftLogic`
	`basic user: norby`
	`basic pass: aaassspp`

	`Dead guy phone evidence`
	`Looked up on twitter 'yob taog', the SwiftLogic guy`

	`Found com.andrIOd.mm`
	`not in android market at all`
	`looks like very custom, non-public application`
	`looks like was installed on SwiftLogic guy by the selling shop/accomplice just hours before SwiftLogic guy picked up the phone in the shop`
	`interesting fact – SwiftLogic guy put a status on Facebook/Twitter that is going to pick up his new shiny phone very soon and is excited about that`

	`Found com.vzw.smsProvider`

	`Live analysis`
	`android emulator + adb`
	`wireshark`
	`adb, dalvik debug monitor logcat`

	`Static analysis (relid more on this)`
	`see Fortinet talk for better tool list`
	`apk-tool`
	`jd-gui`
	`etc`

	`com.andriod.mm`
	`triggers on SD card mount`
	`zips all the filed on the SDcard`
	`uploads to the IP mentioned above`
	`sends SMS to the dead guy`

	`http://www.dfrws.org/2011/challenge/results.shtml`
	`http://www.dfrws.org/2011/challenge/index.shtml`

	`Rooting a phone can tamper evidence`
	`So, developed in-memory temporary rooting techniques`
	`in .NL, rooting is not a problem`
	`in .US, it is kind of a problem`

Leave a comment •

#hitb2012ams Day1, Track1, 09:00, KEYNOTE 1 Getting Ahead of the Security Poverty Line

06/05/12 | by zveriu | Categories: Conference, HITB-AMS, Write-up

Download here

Code:

	`http://conference.hitb.org/hitbsecconf2012ams/`
	`Amsterdam, 2012`
	`Day1, Track1, 09:00`
	`Andy Ellis`
	`KEYNOTE 1 Getting Ahead of the Security Poverty Line`

	`Tools mentioned`
	`Low orbit ion canon`
	`High orbit ion canon`
	`Havy - "democratization of SQL injection"`
	`Idea is that it brought to the commodity level the exploitation tools and techniques`

	`If you take away the risk, people will try to absorb more risk (i.e. the safer the technology in the car, the higher the speed they tend to driver => less victims because of the technology, but more accidents)`

	`FluffyBunny`
	`check the story`

	`bitly.com/AkaVscar`
	`bitly.com/AkaVscan`

Leave a comment •

#hitb2012ams Day1, Track1, 11:30, One Flew Over The Cuckoos Nest: Automated Malware Analysis

06/05/12 | by zveriu | Categories: Conference, HITB-AMS, Write-up

Download here

Code:

	`http://conference.hitb.org/hitbsecconf2012ams/`
	`Amsterdam, 2012`
	`Day1, Track1, 11:30`
	`Claudio Guarnieri`
	`One Flew Over The Cuckoos Nest: Automated Malware Analysis`

	`Pros`
	`presented a reasonable list of items which should be anyway common-sense pros items`

	`Cons`
	`commercial solution are very expensive`
	`environment could be detected`
	`difficult to successfully automate`
	`without proper consumption of the results, they are useless`

	`Preparation`
	`define requirements and expectations`
	`design analysis environment`
	`integrate into a larger threat analysis result framework`

	`Questions to be answered`
	`Why?`
	`What?`
	`What?`
	`Who?`
	`How?`

	`Decide the category of the exploits`
	`cuckoobox.org`
	`PDF`
	`Office`
	`PHP, perl scripts`
	`browser exploits`

	`CUCKOO framework`
	`malwr.com`
	`multiple Google SoC grants`

	`Integration`
	`what are the other threat frameworks does it integrate with`

	`Links`
	`cuckoosandbox.org`
	`blog.cuckoosandbox.org`
	`malwr.com`
	`honeynet.org`

	`Threat analysis frameworks`
	`wiki pages generator`
	`CIF`
	`mostly in-house developments`
	`mostly custom systems`
	`cannot name an public or FOSS one`