Saturday, August 31, 2013

Linux Distro for mobile forensics, malware analysis, and security testing (Santoku)

Blogging about Linux pentesting distros is one of the major things that we do here at the Concise Courses blog! Our interest lies within information security, and pretty much every distro we have reviewed falls within the category of either being used for penetration testing or for a particular aspect of IT security. Here are a few of our most popular Linux Distribution posts and other resources:

What was missing from our many reviews was a specific Mobile Phone Forensics Distro, and here is is: Santoku.

Santoku, made by mobile forensics experts viaForensics, has three purposes (or perhaps we could call them pillars), which are Mobile Forensics, Mobile Forensics and Mobile Security.

Taking each of those in turn we notice that the Mobile Forensics focus of the distro has tools specifically designed to acquire and analyze mobile data, firmware flashing tools (that work on phones built by the major phone manufacturers) and a collection of free imaging tools for media cards. The developers have also bundled in free versions of some of the better and most widely used commercial forensics tools.

The next category that Santoku focuses on, is Mobile Malware, which frankly, is booming (for all the wrong reasons). A study by Juniper’s Networks Mobile Threat Center discovered that Mobile Malware grew a staggering 600% between 2012 and 2013, and the biggest rise has been aimed at Android. Pretty unbelievable stuff if you think about it, but also hardly surprising when you think about the undisputed rise in mobile and the decline in desktops. Quick side note, if mobile forensics and pentesting is your thing then we’d certainly recommend following news issued by Juniper’s Mobile Threat Center (MTC) team. Their sole purpose is to evaluate and investigate (24 hours) mobile vulnerabilities and malware threats.

Santoku hits Mobile Malware where it hurts by bundling many of the best known tools to assist with examining mobile malware and contains mobile device emulators. Included as well are decompilation and disassembly tools and access to malware databases.

The final tenet of Santoku is the concept of Mobile Security. The tools combined within this distro assess mobile apps, which again, is another huge growth threat out there. The same report researched by Junipers MTC outlined that nearly a quarter of a million apps are triggering SMS trojans and exploiting security vulnerabilities that in turn steal private data and force your phone to join a cyber botnet. Apparently the vast majority of these mobile app threats and malware are directed at Android. Santoku aids the battle against Android malware apps by giving their distro user an array of tools such as decompilation and disassembly tools and various scripts that have been written to detect common patterns in mobile applications that hide malware.

Why should you use Santoku?
When Linus Torvalds released Linux to the world, organizations, initially academic institutions, shaped the kernel to suit their needs. One branch of Linux is geared within the security space, i.e. Kali Linux, BackBox etc., and the same applies here, i.e. Santoku is a pure-play M‎obile Forensics Distro. Santoku, like every specialized Linux Distro out there has been created to save you time by curating all the tools you need to do your job whilst making sure that the drivers and updates all work efficiently. So, to answer the question, yes, you should absolutely try Santoku if you are interested in Mobile Security (Mobile penetration testing, auditing and forensics etc).

In Summary
As stated above, if mobile security is your thing then get yourself a copy here. Even if you are a student or just plain curious then you should immerse yourself into their forum. Seriously, viaForensics, the folks behind the distro, and a commercial organization (much like Offensive Security and Kali Linux) have done a really superb job in providing those new to this space with a range of helpful How-To tutorials and they also support an active forum. Since we are are on the subject, you should also take a look at CAINE as well (a distro which also address forensics).

Although the current Santoku distro is in an Alpha state it has solid foundations having been developed as a fork from the OWASP MobiSec Ubuntu distro.

Needless to say that this is a booming space. Mobile is under an increasing amount of sophisticated attacks and new threat vectors appear on a daily basis. If you can master Mobile Security skills then your employability will, we believe, go through the roof. Tell us what you think! Do you agree with us that mobile security skills will be in demand?

Tuesday, August 27, 2013

Remote Debugging on Android

Note: For information on the interaction protocol we use for our remote debugging, please see the Debugger Protocol documentation and chrome.debugger.

Remote debugging overview

The experience of your web content on mobile operates very differently than what users experience on the desktop. The Google Chrome DevTools allow you to inspect, debug, and analyze the on-device experience with the full suite of tools you're used to, meaning you can use the Chrome DevTools on your development machine to debug a page on your mobile device.

Debugging Chrome for Android using the Chrome Developer Tools

Debugging occurs over USB and as long as your mobile device is connected to your development machine, you can view and change HTML, scripts and styles until you get a bug-free page that behaves perfectly on all devices.

When debugging a web application served from your development machine, you can use reverse port forwarding to allow the mobile device to access a site from the development machine over USB. Reverse port forwarding requires Chrome 29 or later on the development machine, Chrome 28 or later on the mobile device.

Remote debugging with the ADB Chrome extension

To start debugging, you need:

An Android phone or tablet with Chrome for Android 28 or later installed from Google Play.
A USB cable to plug in your device. (Windows users will also need to install an appropriate USB device driver.)
Chrome 28 or later installed on your development machine.
The ADB Chrome extension installed on your development machine.

1. Install the ADB extension

The ADB Chrome extension simplifies the process of setting up remote debugging. The ADB extension includes the Android Debug Bridge (ADB), which lets you debug the device over USB from your development machine. The extension provides the following benefits:

Includes ADB so you don't have to install the full Android SDK.
Provides a UI for easily starting and stopping the ADB daemon, and viewing connected devices.

Install the ADB Chrome extension

2. Enable USB debugging on your device

In order to debug over USB, you need to setup your Android device for development. Enable USB debugging on your device then system to detect your device as mentioned in the guide.

To enable USB debugging:

On most devices running Android 3.2 or older, you can find the option under Settings > Applications > Development.
On Android 4.0 and newer, it's in Settings > Developer options.
On Android 4.2 and newer, Developer options is hidden by default. To make it available, go to Settings > About phone and tap Build number seven times. Return to the previous screen to find Developer options.

USB debugging settings in Developer options

If you are developing on Windows, you need to install the appropriate USB driver for your device. See OEM USB Drivers on the Android Developers site.

For more information see Setting up a Device for Development on the Android Developers site.

3. Connect your device via USB

Connect your mobile device to the development machine using a USB cable.
On the mobile device, launch Chrome. Open Settings > Advanced > Developer Tools and check the Enable USB Web debugging option as shown here:

Enable USB Web Debugging in Chrome for Android

When connecting your device to your development machine, you may see an alert on the device requesting permission for USB debugging from this computer.

To avoid seeing this alert each time you debug, check Always allow from this computer and click OK.

4. Start debugging with the ADB extension

When the ADB extension is installed, a gray Android menu icon appears beside the Chrome menu.

To start debugging:

Click the Android icon, then click Start ADB.

Once ADB has started, the menu icon turns green and displays the number of currently connected devices, if any.
Click View Inspection Targets to open the about:inspect page that displays each connected device and its tabs.
Find the mobile device tab you want to debug and Click the inspect link next to its URL.

If you don't see any connected devices:

Check that your device is connected to USB.
Ensure your device is listed as available by issuing the adb devices command. If not, check that you have USB debugging enabled on your device.
Ensure that USB debugging is enabled in the Chrome for Android settings.

5. Debug Your Application

Inspecting a remote page using the Chrome Developer Tools

For example, inspect an element in the page you have selected and the element highlights in Chrome mobile on your device in real time.

Similarly, editing scripts or executing commands from the DevTools console affects the page being inspected on your device. You can also also use all of the other panels, such as Timeline and Profiles.

Notes

You may notice that the version of the DevTools you have access to during remote debugging differs to the version you have running on your development machine. This is because the tools are synchronized with the Chrome version on the Android device being used.
Because we're connected over USB, you can keep the device on a real cellular network, and view the network waterfall in the Network panel under actual network conditions
The hardware on mobile devices often runs your content much slower, so use the Timeline to analyze how to optimize rendering and CPU for the best effect.
If you're running a web server on your development machine, and network restrictions prevent your mobile device from accessing the server, see reverse port forwarding

Reverse Port Forwarding (Experimental)

Commonly you have a web server running on your local development machine, and you want to connect to that site from your device. If the mobile device and the development machine are on the same network, this is straightforward. But this may be difficult in some cases, like on a restricted corporate network.

A new feature in Chrome for Android called "reverse port forwarding" makes this simple to do. It works by creating a listening TCP port on your mobile device that maps to a particular TCP port on your development machine. The traffic through the forwarded port travels over USB, so it doesn't depend on the mobile device's network configuration.

To use this feature you need:

Chrome 29 or later installed on your development system
Android Debug Bridge (Chrome ADB extension or full Android SDK) installed on your development system
Chrome for Android 28 or later installed on your device

This procedure assumes that you already have remote debugging configured as described in Remote debugging with the ADB Chrome extension or

1. Connect your mobile device

Connect your device to your development machine over USB.
Stop all instances of Chrome currently running on the mobile device.
Open Chrome for Android.
Go to Settings > Developer Tools, and turn on Enable USB Web Debugging.
Start ADB on your development machine:
- If you're using the ADB extension, click the ADB icon and click Start ADB. You should see the icon turn green and display a number indicating the number of devices connected.
- If you're not using the extension, open a terminal and run adb devices. You should see the IDs of your connected device(s) listed.

2. Enable reverse port forwarding

Perform the following steps on Chrome on your development machine:

Open about:flags, turn on Enable Developer Tools experiments and restart Chrome.
Open about:inspect. You should see your mobile device and a list of its open tabs.
Click Inspect next to any of the sites listed.
In the DevTools window that opens, open the Settings panel.
Under Experiments, turn on Enable reverse port forwarding.
Close the DevTools window and return to about:inspect.

3. Add a port forwarding rule

Click the Inspect link again to open DevTools, and open Settings again. You should see a new Port forwarding tab.
Click Port Forwarding.
In the Device port field, enter the port number the Android should device listen on (defaults to 8080).
In the Target field, append the port number where your web application is running on localhost.

4. Profit

In Chrome for Android, open localhost:<device-port-number>, where <device-port-number> is the value you entered in the Device port field (default is 8080). You should see the content being served by your development machine.

Tuesday, August 20, 2013

Top Ten Smartphone Risks

The top ten information security risks for smartphone users.

Market analysts predict that smartphones will outnumber PCs by 2013, and that they will be the most common device for accessing the internet. In 2010 we published a report about smartphone security, giving an overview of risks, opportunities for smartphone users, and making recommendations.

This is the list of the top ten smartphone security risks from our report. The (level of) risk was determined in consultation with the expert group. The level is intended to convey the relative risk in relation to others, rather than an absolute probability or impact level.

No.	Title	Risk	Description
1	Data leakage resulting from device loss or theft	High	The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.
2	Unintentional disclosure of data	High	The smartphone user unintentionally discloses data on the smartphone.
3	Attacks on decommissionedsmartphones	High	The smartphone is decommissioned improperly allowing an attacker access to the data on the device.
4	Phishing attacks	Medium	An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.
5	Spyware attacks	Medium	The smartphone has spyware installed, allowing an attacker to access or infer personal data. Spyware covers untargeted collection of personal information as opposed to targeted surveillance.
6	Network Spoofing Attacks	Medium	An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.
7	Surveillance attacks	Medium	An attacker keeps a specific user under surveillance through the target user’ssmartphone.
8	Diallerware attacks	Medium	An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
9	Financial malware attacks	Medium	The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
10	Network congestion	Low	Network resource overload due to smartphone usage leading to network unavailability for the end-user.

Risk is defined as the product of the likelihood and the impact of a threat against the information assets of an organization or an individual. Threats exploit one or more vulnerabilities. The likelihood of a threat is determined by the number of underlying vulnerabilities, the relative ease with which they can be exploited and the attractiveness for an attacker.

We used the following list of possible affected assets throughout:

Personal data
Corporate intellectual property
Classified information
Financial assets
Device and service availability and functionality
Personal and political reputation

Monday, August 19, 2013

Tool to avoid Reverse Engineering......in ANDROID,....

ProGuard

The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is a smaller sized .apk file that is more difficult to reverse engineer. Because ProGuard makes your application harder to reverse engineer, it is important that you use it when your application utilizes features that are sensitive to security like when you are Licensing Your Applications.

ProGuard is integrated into the Android build system, so you do not have to invoke it manually. ProGuard runs only when you build your application in release mode, so you do not have to deal with obfuscated code when you build your application in debug mode. Having ProGuard run is completely optional, but highly recommended.

This document describes how to enable and configure ProGuard as well as use the retrace tool to decode obfuscated stack traces.

Enabling ProGuard

When you create an Android project, a proguard.cfg file is automatically generated in the root directory of the project. This file defines how ProGuard optimizes and obfuscates your code, so it is very important that you understand how to customize it for your needs. The default configuration file only covers general cases, so you most likely have to edit it for your own needs. See the following section about Configuring ProGuard for information on customizing the ProGuard configuration file.

To enable ProGuard so that it runs as part of an Ant or Eclipse build, set the proguard.config property in the<project_root>/project.properties file. The path can be an absolute path or a path relative to the project's root.

If you left the proguard.cfg file in its default location (the project's root directory), you can specify its location like this:

proguard.config=proguard.cfg

You can also move the the file to anywhere you want, and specify the absolute path to it:

proguard.config=/path/to/proguard.cfg

When you build your application in release mode, either by running ant release or by using the Export Wizard in Eclipse, the build system automatically checks to see if the proguard.config property is set. If it is, ProGuard automatically processes the application's bytecode before packaging everything into an .apk file. Building in debug mode does not invoke ProGuard, because it makes debugging more cumbersome.

ProGuard outputs the following files after it runs:

dump.txt: Describes the internal structure of all the class files in the .apk file
mapping.txt: Lists the mapping between the original and obfuscated class, method, and field names. This file is important when you receive a bug report from a release build, because it translates the obfuscated stack trace back to the original class, method, and member names. See Decoding Obfuscated Stack Traces for more information.
seeds.txt: Lists the classes and members that are not obfuscated
usage.txt: Lists the code that was stripped from the .apk

Wednesday, August 14, 2013

EASY WAY TO AUTOMATE TESTING

QTP Video & Text Tutorials

QTP Videos:

QTP DP (Descriptive Programming):

QTP & Excel:

QTP - How to rename Excel worksheet

QTP & XML:

QTP & PDF:

QTP - How to get number of pages in PDF file?

QTP & Browser:

QTP Scripts:

QTP & VBScript:

QTP & LoadRunner:

How to execute QTP script from LoadRunner?

QTP Helps:

10 steps to become QTP guru

Others:

Cyber Security

Cyber Security - Securing Your Business

View the latest
Copy of Advance

The official publication of ADS Group

Find out More

ADS Events

Less - + More

Cyber Security - Securing Your Business

/ Security / Cyber Security - Securing Your Business

Cyber threats to your Business
Where can you go for advice and support?
CPNI - The Full Picture

Cyber threats to your Business

Why does cyber security matter to you?

The government has classed cyber attacks as one of the four most significant risks to national security. Suppliers must recognise customer concerns and take steps to address them.
Cyber insecurity poses a real risk for companies’ reputations, bottom lines and share prices. Successful attacks can disrupt business operations and production cycles, cause products to fail, result in customers losing confidence in you as a supplier, and force you to redevelop to products.
Hostile states and competitors are interested in information on mergers and acquisitions activity, joint venture intentions, strategic direction and Intellectual Property.
Apart from the theft of sensitive business information, there is also the threat that cyber-based systems can be disrupted to prevent normal service. A denial-of-service (DoS) attack could, for example, prevent customers from accessing key websites, such as those for sales. Industrial controls systems can also be disrupted.
The cost of a cyber-security breach is estimated to be between £450,000 to £850,000 for large businesses and £35,000 to £65,000 for smaller ones.
The rise in cyber crime is most noticeable for small businesses; they’re now experiencing incident levels previously only seen in larger organisations.
As Primes take steps to improve their own cyber security, attackers are targeting companies in the broader supply chain. The supply chain is only as strong as its weakest link. All companies – and government – are in this together.

The government's '10 Steps to Cyber Security' notes that:

Information is critical to today's business

Information and the techologies that are used to store and process it are vital to the success of your business. Intellectual property, confidential or sensitive data provide a competitive advantage, one in which other less scrupulous organisations would be verk keen to get hold off. At the same time, the need to access and share information more widely, using a broad range of connecting technologies is increasing the risk to the corporate information base.

Compromise of information assets can damage companies

A single successful attack could destroy a company's financial standing or reputation. Information compromise can lead to material financial loss through loss of productivity, of intellectual property, reputational damage, recovery costs, investgative time, regulatory and legal costs.

Many players pose a risk to information

There are many types of people who pose a risk to business information assets:

Cyber Criminals - interested in making money from fraud or from the sale of valuable information
Industrial Competitors and Foreign Intelligence Services - interested in gaining an economic advantage for their own companies or countreis
Hackers - those who find interfering with computer systems an enjoyable challenge
Hacktivists - those who wish to attack companies for political or ideological motives
Employees - or those who have legitimate access, either by accident or deliberate misuse.

Examples of the impact on business

The attached PowerPoint file gives two examples which show the real impact successful cyber attacks can have on companies, including causing a loss of revenue (by forcing a company office to close for a period of time) and loss of reputation and products (by diverting items in transit). These examples are from companies in the defence sector.

Cyber attacks - examples of the impact (102.0 KB)

Where can you go for advice and support?

1. '1O Steps to Cyber Security' Guidance

The governmemt has published guidance for companies which is available here: www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility and www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know.

2. CPNI's Cyber Risk Management Advice and Cyber Security Guidance

The Centre for the Protection of National Infrastructure (CPNI) protects national security by providing protective security advice (covering physical, personnel and cyber security) to the UK's Critical National Infrastructure (CNI). CPNI works to raise awareness at Board level as well as at a technical level across the CNI. Cyber security advice and guidance is available on the CPNI website at: www.cpni.gov.uk, for example:

Strategic and technical: 20 critical security controls for effectivecyber defence Technology-specific advice: examples include mobile devices, SCADA security and cloud computing
Personnel security advice: security culture and awareness; employee risk management and risk assessment guidance
Threat-based: examples include distributed denial of service, spear phishing, insider misuse of IT, online reconnaissance.

3. CPNI's Cyber Risk Advisory Service

The Cyber Risk Advisory Service delivers advice to senior executives and board members of the UK’s most economically important companies and academic institutions, to inform their understanding of the impact of cyber threats, and the effect on the long-term performance and competitiveness of the organisation.The in-depth support provided assists executives in reviewing their corporate risk management strategy, helping them to interpret the cyber threat and determine the organisation’s exposure (risk). This service is only available to organisations which meet specific eligibility requirements. For more information, please email enquiries@cpni.gsi.gov.uk.

4. Certified advice and providers

CESG, the information security arm of GCHQ, works closely with the cyber security industry to enable industry to provide certified cyber security services to government and to industry. These services are provided by a variety of companies including specialist SMEs, audit houses, major consultancies, and multinational companies. Services include:

Risk management consultancy through the CESG Listed Advisor scheme (CLAS): www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx
Penetration testing of networks and systems to assess their ulnerability to an attacker through the CHECK scheme: www.cesg.gov.uk/servicecatalogue/CHECK/Pages/index.aspx - and the industry body's equivalent run by the Council of Registered Ethical Security Testers, CREST: www.crest-approved.org
Cyber Incident Response through a twin track approach ncompassing a broadly based CREST (Council of Registered thical Security Testers) scheme endorsed by GCHQ and CPNI, and a small, focused GCHQ and CPNI scheme designed to respond to sophisticated, targeted attacks against networks of national significance. See: www.cesg.gov.uk/servicecatalogue/cir/Pages/Cyber-Incident-Response.aspx

5. Cyber Security Information Sharing Partnership (CISP)

The CISP facilitates the sharing of information and intelligence on cyber security threats in order to make UK businesses more secure in cyberspace. The CISP includes a secure online collaboration environment where government and industry (both large and SME) partners can exchange information on threats and vulnerabilities in real time. Companies can also ask for specific advice from the government's fusion cell through CISP, free of charge. www.cisp.org.uk

6. ActionFraud

Action Fraud is the UK’s single point for reporting all fraud and online financial crime. Crime can be reported online 24 hours a day, seven days a week, and the Action Fraud call centre can also be contacted to report crimes during working hours and at the weekend. When a serious threat or new type of fraud is identified, Action Fraud will place an alert on its website which contains advice for individuals and businesses to protect themselves from becoming victims of fraud. www.actionfraud.police.uk

CPNI - The Full Picture

Produced by the CPNI, the above video provides an example of the associated risks of a SME from a cyber attack.

Last modified : January 23, 2014