“Nuit Du Hack” Wrap Up
Last weekend (2015-06-20) I took the time to go to the “Nuit Du Hack”. For those who don’t know, it’s basically a French DEFCON or ShmooCon wannabe; a conference/gathering about information security.
While I’m by no means a security expert, I love to stay up to date with the field, if only to be aware of common vulnerabilities and mistakes made by other programmers and to learn more about the clever ways some people employ to circumvent the security measures of automated systems. It’s really just a way for me to stay in touch with the state of the art.
This post is meant to sum up what interested me the most among the talks offered during the conference. A full list of the talks is available here.
Criminal Profiling: Android Malware
Axelle Apvrille presented the results of a study of more than 1,000,000 Android malware.
Taking inspiration from existing crawlers made for similar studies (PlayDrone (SIGMETRICS 14) or Andrubis (BADGERS'14)), she created a script to gather data from a huge quantity of known Android malware on the Android platform.
While this talk delved into the details of the crawling and analysis procedures, there are a few key points that stand out. From the data gathered by this new study, Android malware tends to:
- be smaller
- have fewer activities
- have more services
- have more broadcast receivers
- use more permissions
- target older SDK versions
- target China, Russia and the USA more
than legitimate applications.
It may be interesting to keep that in mind when delivering a new application to the market.
Maybe there could be a way to create an application that would statically check a newly installed application to see if it matches the criteria established by this study, thus preemptively flagging it as malware before any harm is done.
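As an added illustration of that idea (not code from the talk or the study), the following script extracts the manifest-level indicators from the list above (activities, services, broadcast receivers, permissions, target SDK) from a decoded AndroidManifest.xml and reports which of them point in the “malware-like” direction relative to a baseline. The baseline values and the sample manifest are constructed assumptions; the study’s actual numbers are not on this page, and the size and targeted-country indicators are not derivable from the manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded (text) AndroidManifest.xml, not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
    <service android:name=".UploadService"/>
    <receiver android:name=".BootReceiver"/>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>"""

# Hypothetical "typical legitimate app" profile; replace with measured medians.
BASELINE = {"activities": 5, "services": 1, "receivers": 1,
            "permissions": 5, "target_sdk": 19}


def manifest_features(xml_text):
    """Count the static indicators the study compares, from a decoded manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # Namespaced attributes are exposed by ElementTree as "{uri}localname".
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
    return {
        "activities": len(root.findall("./application/activity")),
        "services": len(root.findall("./application/service")),
        "receivers": len(root.findall("./application/receiver")),
        "permissions": len(root.findall("uses-permission")),
        "target_sdk": target,
    }


def matched_indicators(features, baseline=BASELINE):
    """Return the study's indicators that fire for this app versus the baseline."""
    checks = [
        ("fewer activities", features["activities"] < baseline["activities"]),
        ("more services", features["services"] > baseline["services"]),
        ("more broadcast receivers", features["receivers"] > baseline["receivers"]),
        ("more permissions", features["permissions"] > baseline["permissions"]),
        ("older target SDK", features["target_sdk"] < baseline["target_sdk"]),
    ]
    return [name for name, hit in checks if hit]
```

Such a scorer only produces a triage signal; an app matching several indicators deserves a closer look, not an automatic verdict.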
Mobile Self Defense
A fascinating talk presented by Karsten Nohl about the way the cellular network behaves, as well as an in-depth presentation of several of its vulnerabilities.
The speaker introduced us to the SS7 network, responsible for exchanging SMS’s and connecting calls. This network is made up of multiple MSC’s communicating with one another, which are in turn broken down into IMSI’s. The most important part I got from that is that anyone connected to this network can communicate with and intercept anything going through it, no matter where the sender or the recipient are on the planet.
We were then introduced to several possible attacks on said network, including IMSI catching (spoofing an MSC) and “Man In The Middle” attacks, basically mimicking the way some operators offer voice-mail solutions. Of course, every possible attack presented was also demonstrated.
Several ways to prevent such attacks were presented as well. One simple trick to avoid most of these attacks is to disregard foreign SS7 connections, only connecting to your operator’s network if it’s well protected.
An easy way to check whether your operator uses state-of-the-art protections on its SS7 network is to check gsmmap.org.
Finally, a great solution is to use the SnoopSnitch Android application (requires a rooted device). It will warn you of any suspicious activity regarding the network you’re connected to and will alert you if you’re using a spoofed MSC (IMSI catcher). The application will also offer you a way to report this activity to the gsmmap project so that reports can be analyzed and documented.
PlagueScanner: An Open Source Multiple AV Scanner Framework
In this talk, Robert Simmons described a nifty Open Source project called Plague Scanner. This little bunch of Python scripts aims to make the analysis of a single suspicious file by numerous anti-virus products easier. Simply put, it offers a way to send a file to multiple virtual machines running different operating systems and anti-virus software and get the results back as a standard JSON file.
While the project is not complete yet, this could potentially lead to a way to objectively grade AV software solutions according to the quality of their diagnostics, the speed at which they update their signature databases and their ability to stop the malware from doing its work.
As of now, the project doesn’t implement a way to “detonate” the malware to see if it will be caught by the active protections of the AV software.
In any case, that’s an extremely interesting piece of software implementing a neat idea.