
THE SANDBOX DIFFERENCES, OR HOW INTEGRATION FEATURES AFFECT THE SANDBOX

INDEPENDENT SECURITY RESEARCHER / PhD YURY CHEMERKIN


AthCon2013

[ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkin | http://sto-strategy.com | yury.chemerkin@gmail.com

Experienced in:
- Reverse engineering and AV software
- Programming and documentation
- Mobile security and MDM
- Cyber security and cloud security
- Compliance and transparency
- Security writing: Hakin9 Magazine, PenTest Magazine, eForensics Magazine, Groteck Business Media
- Conference participation: InfoSecurityRussia, NullCon, CONFidence, PHDays, CYBERCRIME FORUM, Cyber Intelligence Europe / Intelligence-Sec, ICITST, CyberTimes, ITA, I-Society

BLACKBERRY SECURITY ENVIRONMENT


The vendor's own description of the environment:
- BlackBerry evaluates every request that an application makes to access a capability.
- BlackBerry Enterprise Service (BES) helps manage and protect BlackBerry, iOS and Android devices.
- Unified communication and collaboration software designed to protect data in transit at all points, as well as in memory and storage; enhanced by control of the behaviour of the device and protection of application data using sandboxing.

MANAGEMENT OF PERMISSIONS TO ACCESS CAPABILITIES


BlackBerry states that it evaluates every request an app makes, but the documentation steers away from any detail about which requests and which APIs are actually evaluated.

KNOWN ISSUES
- The boundary between malware and a legitimate app becomes unclear.
- BlackBerry handles several technologies at once: native BlackBerry 10, BlackBerry PlayBook, old BlackBerry devices, third-party Adobe AIR apps for new BB devices, Android applications and devices, and iOS devices.
- Each of them is controlled and limited by a different combination of sandbox, permissions and security features on the device and in the MDM.

COMPLIANCE BRINGS USELESS RECOMMENDATIONS

USER-MODE MALWARE
- Spyware, rootkits, exploits and attacks, reversing, the network layer, partial recovery of data: all of this has to be weighed against what the sandbox actually enforces.

MDM vs. COMPLIANCE
- Compliance documents give only a few recommendations; the recommended set is smaller than the set of MDM features.
- The standards are young: first revisions, draft revisions.

BLACKBERRY CAPABILITES - ANDROID


Only four groups are controlled by BlackBerry (BES) on Android; the remaining controls come from Android itself, which governs only 74 out of about 200 APIs.

Groups controlled by BlackBerry:
- Camera and video: hide the default camera application.
- Password: define password properties (require letters incl. case, numbers, special characters); delete data and applications from the device after a number of incorrect password attempts; device password; enable auto-lock; limit password age; limit password history; restrict password length; minimum allowed length for the device password.
- Encryption: apply encryption rules; encrypt internal device storage.
- TouchDown support: Microsoft Exchange synchronization, email profiles, ActiveSync.

BLACKBERRY CAPABILITES - iOS


Only 16 groups are controlled by BlackBerry on iOS, which is quite similar to what Apple's own MDM solutions offer.

- Browser: default app, autofill, cookies, JavaScript, popups
- Output: screen capture, default app
- Messaging: default app
- Backup / document / picture / sharing
- Online stores: purchases, password, default store / book / music app
- Camera, video, video conferencing
- Certificates: untrusted certificates
- Cloud services: backup / document / picture / sharing
- Network, wireless, roaming: data and voice when roaming
- Content (incl. explicit): ratings for apps / movies / TV shows / regions
- Connectivity
- Password: the same as on Android and on new BlackBerry devices
- Phone and messaging: voice dialing
- Profiles and certificates: interactive installation
- Social: default app; social apps / gaming / adding friends / multiplayer; default social-gaming and social-video apps
- Device backup and encryption; storage and backup
- Voice assistant: default app
- Diagnostics and usage: submission of logs

BLACKBERRY CAPABILITES BLACKBERRY (QNX)


Only seven groups are controlled by BlackBerry on its own QNX-based devices, and that is not enough to manage all APIs.

- General: mobile hotspot and tethering, the Plans app, App World
- Password: the same as on Android and iOS
- BES management of smartphones and tablets
- Software: open work email message links in the personal browser; transfer through the work perimeter to the same or another device; BBM Video access to the work network; video chat app uses the organization's Wi-Fi / VPN network; wipe the work space without network; restrict development mode; voice control and dictation in work and user apps; backup and restore (work) and desktop software; PC access to the work and personal space (USB, Bluetooth); personal space data encryption
- Security: network access control for work apps; personal apps' access to work contacts; sharing work data during BBM Video screen sharing; work domains and work network usage for personal apps; certificates, ciphers and S/MIME; hash and encryption algorithms and key parameters; task / memo / calendar / contact sync and the number of days to sync
- Email profiles
- Wi-Fi profiles: access point, default gateway, DHCP, IPv6, SSID, IP address, proxy password / port / server / subnet mask
- VPN profiles: proxy, SCEP, authentication profile parameters, tokens, IKE, IPsec and other parameters; proxy ports, username and other parameters

BLACKBERRY CAPABILITES BLACKBERRY (OLD)


An incredible number of groups, units and permissions are controlled by the MDM and the device:
- 55 groups are controlled in all; each group contains 10 to 30 units, which are controlled too.
- Each unit has many flexible parameters instead of a plain disable/enable and hide/unhide.
- Each event is controlled by a specific permission, and similar permissions can be combined for more flexibility.
- All of this is described in 360 pages, four times more than the documents for the other platforms.

But:
- A unit cannot control the activity beneath it: create, read, write/save, send and delete actions on messages are all covered by a single message permission, so requesting that one permission is enough to spoof messages.
- Some permissions are not required at all (for example, to delete any other app).
- Some permissions are attached to the host app that a third-party plugin is embedded in, rather than to the plugin itself.

ISSUES : USELESS SOLUTIONS - I


Useful ideas at first glance that make no sense on closer inspection.

OLD BB: merging permission units and groups
- Screen capture, camera and video were separate permissions on previous BB devices; on the latest devices they are merged into one unit.

QNX-BB: screen capture
- Screen capture is allowed via the hardware buttons only; there is no emulation of hardware buttons as there was on old BlackBerry devices.
- The device locks when the work perimeter is active, to prevent screen-capture loggers.

OLD BB: no sandbox was ever announced
- All data is accessible except app and system data, because of the general permission.

QNX-BB: an officially announced sandbox
- Malware is just a subtype of personal application in terms of BlackBerry's security model.
- The sandbox protects only app data, while user data is stored in shared folders.

ISSUES : USELESS SOLUTIONS - II


Useful ideas at first glance that make no sense on closer inspection.

OLD BB: secure and insecure IM chats at the same time
- Communication sessions are encrypted, but the chat conversation is stored in plain text without encryption (even BBM).
- It is claimed to be inaccessible from the device only because of an "unknown" file type (.csv).

OLD BB: the upgrade feature affects everything
- Updating an app that calls this API uses the general API.
- Removing an app that calls this API uses the general API.
- Any other app under the same API can be removed without notification.
- It can be handled with PC tools on old BB devices, without debug / development mode.

OLD BB: clipboard
- A clipboard permission has never existed anywhere and probably never will.
- One API call reveals the clipboard data in real time.
- Native wallets protect themselves by returning null while they are on top; just minimize or close them to get full access.
- Every real use case requires minimizing the app to paste a password, which is exactly when the data is exposed.

ISSUES : USELESS SOLUTIONS III


THE GUI EXPLOITATION (OLD BB): NATIVE APPS
- Initially based on the authorized API, which covers all physical and navigation buttons and typing textual data, and therefore affects all apps.
- Secondarily based on adding menu items into the global / "Send via" menu, which affects all native applications.
- Native apps are developed by BlackBerry: wallets, social, settings, IMs.

What GUI exploitation gives:
- Redrawing the screens.
- Grabbing the text from any field (including password fields).
- Adding or removing field data; the original data is inaccessible but not affected.
- Adding GUI objects, but not shuffling them.

3RD PARTY SECURE SOLITUINS RUIN THE SECURITY


Kaspersky Mobile Security (KMS) provides firewall, wipe, block and info features, but:
- There is no protection against removing its .cod files.
- Traffic and behaviour can be examined under the simulator, because the app only checks the "is simulator" API.
- Remote SMS management relies on a "quite secret" SMS password of 4-16 digits, which is modified in real time.
- The value sent in the SMS is half of a hash computed with GOST R 34.11-94; the implementation uses the test crypto values and no salt, so value-to-hash tables are easily built.
- Outgoing SMS can be spoofed without any notification, because KMS deletes the sent messages; a spoofed outgoing SMS can block or wipe the same or another device.
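The weakness on the slide above is the combination of a tiny, all-digit keyspace, no salt and a truncated unkeyed hash: a single precomputed table maps every possible token back to the password for every device. The following added example (not code from the slides or from Kaspersky) demonstrates that, and contrasts it with a per-device salted, iterated derivation. It is an assumption of the example that SHA-256 truncated to 128 bits stands in for "half of a GOST R 34.11-94 digest", since GOST is not in the Python standard library; the passwords and token below are constructed for the demo.

```python
"""Added example: precomputable lookup of an unsalted, truncated hash of a short digit-only
password, versus a salted key derivation. SHA-256/128 stands in for half of GOST R 34.11-94
(assumption: the real KMS hash is not reproduced here). Sample values are constructed."""
import hashlib
import hmac
import os
from itertools import product
from typing import Dict, Optional


def weak_sms_token(password: str) -> str:
    """Unsalted digest of the digit-only password, truncated to half its length (128 bits).
    Stand-in for the scheme described on the slide; SHA-256 replaces GOST R 34.11-94."""
    return hashlib.sha256(password.encode("ascii")).hexdigest()[:32]


def build_lookup_table(min_len: int, max_len: int) -> Dict[str, str]:
    """Precompute token -> password for every all-digit password of the given lengths.
    Because there is no salt, one table serves every device that uses this scheme."""
    table: Dict[str, str] = {}
    for length in range(min_len, max_len + 1):
        for digits in product("0123456789", repeat=length):
            password = "".join(digits)
            table[weak_sms_token(password)] = password
    return table


def recover_password(observed_token: str, table: Dict[str, str]) -> Optional[str]:
    """An attacker who sees the token (e.g. by reading the outgoing command SMS)
    needs nothing more than a dictionary lookup."""
    return table.get(observed_token)


def guesses_needed(min_len: int, max_len: int) -> int:
    """Size of the all-digit keyspace: 10^min_len + ... + 10^max_len."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def hardened_sms_token(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256). A per-device random salt makes a
    shared precomputed table useless, and iterations raise the cost of every guess.
    The 4-16 digit keyspace is still small, so rate limiting of command SMS matters as well."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations).hex()


def verify_hardened(password: str, salt: bytes, expected: str, iterations: int = 200_000) -> bool:
    """Constant-time comparison of a candidate password against the stored token."""
    return hmac.compare_digest(hardened_sms_token(password, salt, iterations), expected)


if __name__ == "__main__":
    # 4- and 5-digit passwords only, to keep the demo fast: 110,000 entries.
    table = build_lookup_table(4, 5)
    observed = weak_sms_token("2719")  # constructed: token as it would appear in a command SMS
    print("recovered password:", recover_password(observed, table))
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("same password, two devices, tokens differ:",
          hardened_sms_token("2719", salt_a) != hardened_sms_token("2719", salt_b))
    print("full 4-16 digit keyspace:", guesses_needed(4, 16))
```

The 4-5 digit table builds in well under a second; extending it to the full 4-16 digit range is a storage problem, not a cryptographic one, which is why the absence of a salt is the decisive flaw. With the hardened variant an attacker must rebuild the table per device and pay the iteration cost per guess, which is the difference between a one-off lookup and an online attack that rate limiting can stop.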

CONCLUSION - I
What privileged general permissions give to own apps, native apps and third-party apps:
- Denial of service: replacing or removing executable files, DoSing events, noising fields, GUI intercept.
- Information disclosure: clipboard, screen capture, GUI intercept, dumping .cod files, shared files, MITM (interception / spoofing), GUI intercept of messages, fake windows / clickjacking by third-party apps.

Why it is possible:
- General permissions instead of specific sub-permissions.
- Only a few notification / event logs for the user, built per application instead of per app screen.
- Concrete permissions exist, but they are combined into a general permission: a screenshot permission is part of the camera general permission.

CONCLUSION - II
The vendor's security vision has nothing to do with reality, and is aggravated by simplicity:
- Simplification and reduction of security controls: many general permissions, combined into each other.
- No activity logs for sub-permissions that would prove transparency.
- Any security vulnerability is fixed only by an entirely new and different OS / kernel.
- A few permissions are close to user actions, but the sandbox protects only application data.
- Users have to store their data in shared folders or on external storage, and applications keep storing data in public folders because availability wins over protection.
- MITM / interception actions are often silent, thanks to native spoofing and interception features.
- BlackBerry Enterprise Solution / BlackBerry Mobile Fusion is not very effective.
- The best permission model is the one used by Amazon Web Services: permissions should be built from a set of useful use cases instead of a list of specific permissions.

Q&A
