Category Archives: Humor
A Brave New Wallet – First look at decompiling Google Wallet
For the record, I welcome our new contactless payment overlords. I truly see the value in having the ability to make a payment transaction with our mobile devices. This opens up an opportunity to make these transactions more secure, give customers a better user experience, and also give them more control over payment options. Sure, there are risks involved with this new technology and everyone should do their own weighing of the risks versus the benefits, but I imagine a good number of you have already done this when deciding to use a current payment system over cash (or gold). However, a first (and rather quick, as I’m supposed to be on vacation) look at the new Google Wallet code makes me wonder if this first release might need a bit of polish.
If you would like to follow along even without a Nexus S 4G, you can grab the new over-the-air (OTA) update from Google here. You can find the main parts of the new Wallet application in the “/system/app” directory of the update, but it will need some deodexing.
I typically start going through an app with the AndroidManifest.xml file. One thing that jumped out at me was the six “debug” and five “fakes” activities listed in the manifest. As a general best practice, debugging code should be removed from production releases. However, you do have to appreciate the humor of the “BsBankManagerActivity”. Yup, sign up with “BS” bank by calling “6501111111” or visiting “http://bsbank.com” (BS Bank heard there was a BEAST breaking TLS this week, so they dropped it). Going through the BS code leads to some more fun “bsness” later on as well, such as the revelation that “something is seriously wrong with this image URL” (which they were working on back in January?)
Additionally, there’s a handful of test-related phone numbers left in “DebugMenuHelper” and “DemoDataPopulator”. Here they are in the format found:
4155589991
(415) 626-9682
(510) 351-0108
You will notice there are a few obfuscated classes in the wallet application. These appear to be related to the OTA proxy parts of the application. While not extremely complex in its functionality, I do think it’s appropriate to obfuscate this. Unfortunately, it appears that a great deal of logging can take place here and the default level is set to “FULL_LOGGING” (although it appears this level can be dynamically changed).
We haven’t yet seen what data gets logged by this, but the obvious concern would be a malicious log-reading application, as described over a year ago by the Lookout team. There also appears to be code that will send some log messages to “gtec.skcc@gmail.com”.
Continuing with the testing-related code in the production application, let’s pull out the number of test/demo/UAT URLs (which don’t seem totally bogus, but still could be). “CodeConfiguration” has a number of these:
```smali
private static final DEFAULT_CITI_SOAP_URL_CAT:Ljava/lang/String; = "https://systemtest.citibankonline.citibank.com/MSMOTAPersonalization/Webservices/MSMPayPassOTAPersonalizationService-service1.serviceagent/MSMPayPassOTAPersonalizationServicePortTypeEndpoint1"
private static final DEFAULT_CITI_SOAP_URL_DEMO:Ljava/lang/String; = "https://systemtest.citibankonline.citibank.com/MSMOTAPersonalization/Webservices/MSMPayPassOTAPersonalizationService-service1.serviceagent/MSMPayPassOTAPersonalizationServicePortTypeEndpoint1"
private static final DEFAULT_CITI_SOAP_URL_PROD:Ljava/lang/String; = "https://test.mobileservices.accountonline.com/MSMOTAPersonalization_FUT/Webservices/MSMPayPassOTAPersonalizationService-service1.serviceagent/MSMPayPassOTAPersonalizationServicePortTypeEndpoint1"
private static final DEFAULT_FDCML_PROD_URL:Ljava/lang/String; = "https://www.fdmobileservices.com/mAccountsWeb/MbankingService"
private static final DEFAULT_FDCML_TEST_URL:Ljava/lang/String; = "https://cat.fdmobileservices.com/mAccountsWeb/MbankingService"
private static final DEFAULT_TSM_URL_CAT:Ljava/lang/String; = "https://uat.skcctsm.com:8443"
private static final DEFAULT_TSM_URL_PROD:Ljava/lang/String; = "https://pip.skcctsm.com:8443"
const-string v1, "DEVELOPMENT"
const-string v2, "https://jmt0.google.com/cm"
const-string v1, "SANDBOX"
const-string v2, "https://cream.sandbox.google.com"
const-string v1, "PROD"
const-string v2, "https://clients5.google.com/cm"
```
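The manifest review, phone-number hunt, logging check and URL dump above are all the same kind of sweep over decompiled output, so here is an added example (not code from the post, from Google Wallet or from Intrepidus Group) that automates them in Python: it parses an AndroidManifest.xml for components whose class names carry debug/fake/test markers, and scans smali text for string constants that look like non-production URLs, phone numbers and log-level flags. The package and component names in the sample manifest are hypothetical; the smali constants embedded in the sample are the ones quoted in this post. Point it at the output of apktool or baksmali instead of the embedded sample to use it for real.

```python
"""Sweep a decompiled Android app for leftover debug/test artefacts.

Added example for this post, not code from Google Wallet or Intrepidus Group.
Component names in SAMPLE_MANIFEST are hypothetical; the string constants in
SAMPLE_SMALI are the ones quoted in the post.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Heuristic markers: class-name fragments that usually mean test/debug code,
# and hostname labels that usually mean a non-production endpoint.
DEBUG_MARKERS = ("debug", "fake", "test", "demo", "stub", "mock")
NONPROD_LABELS = {"test", "systemtest", "uat", "cat", "sandbox", "demo", "dev", "staging", "qa"}

URL_RE = re.compile(r'"(https?://[^"\s]+)"')
PHONE_RE = re.compile(r"\(?\b(\d{3})\)?[ -]?(\d{3})-?(\d{4})\b")
LOG_LEVEL_RE = re.compile(r'"(\w*LOGGING\w*)"')

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallet">
  <application>
    <activity android:name=".ui.PaymentActivity"/>
    <activity android:name=".debug.DebugMenuActivity"/>
    <activity android:name=".fakes.BsBankManagerActivity"/>
    <service android:name=".ota.OtaProxyService"/>
  </application>
</manifest>
"""

# Constructed smali excerpt; the quoted constants are the ones shown in the post.
SAMPLE_SMALI = """.class public final Lcom/example/wallet/CodeConfiguration;
.field private static final DEFAULT_TSM_URL_CAT:Ljava/lang/String; = "https://uat.skcctsm.com:8443"
.field private static final DEFAULT_TSM_URL_PROD:Ljava/lang/String; = "https://pip.skcctsm.com:8443"
    const-string v1, "SANDBOX"
    const-string v2, "https://cream.sandbox.google.com"
    const-string v0, "(415) 626-9682"
    const-string v0, "FULL_LOGGING"
"""


def suspicious_components(manifest_xml):
    """Fully-qualified names of activities/services/receivers/providers whose
    class name carries a debug/test marker (case-insensitive)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for tag in ("activity", "service", "receiver", "provider"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith("."):  # manifest shorthand for package-relative names
                name = package + name
            if any(marker in name.lower() for marker in DEBUG_MARKERS):
                hits.append(name)
    return hits


def nonprod_urls(smali_text):
    """URL string constants whose hostname has a label that marks a test/UAT/sandbox host."""
    found = []
    for url in URL_RE.findall(smali_text):
        host = (urlparse(url).hostname or "").lower()
        if any(label in NONPROD_LABELS for label in host.split(".")):
            found.append(url)
    return found


def phone_numbers(smali_text):
    """NANP-looking phone numbers in string constants, normalised to ten digits."""
    return ["".join(groups) for groups in PHONE_RE.findall(smali_text)]


def logging_levels(smali_text):
    """Log-level constants such as FULL_LOGGING that hint at verbose logcat output."""
    return sorted(set(LOG_LEVEL_RE.findall(smali_text)))


def sweep(manifest_xml, smali_text):
    """Run all checks and return one report dict."""
    return {
        "components": suspicious_components(manifest_xml),
        "nonprod_urls": nonprod_urls(smali_text),
        "phone_numbers": phone_numbers(smali_text),
        "logging_levels": logging_levels(smali_text),
    }


if __name__ == "__main__":
    for key, value in sweep(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(f"{key}: {value}")
```

The hostname check is deliberately a label match rather than a substring match, so “pip.skcctsm.com” and “clients5.google.com” pass while “uat.”, “cat.” and “.sandbox.” hosts are flagged; it is a triage heuristic, and a label like “cat” will need a human to confirm it really means customer acceptance testing. On a real deodexed tree, feed it every .smali file under the app and the decoded AndroidManifest.xml from apktool.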
Finally, with each point release of Gingerbread (2.3) we’ve seen the code around the NFC components change greatly, generally adding new functionality but at times deprecating older ones. In the wallet code, there appear to be over 50 classes with at least one deprecated method.
I’m sure many others are looking at this code as well and have some interesting finds. We are looking forward to making a payment soon with our Nexus S. Maybe we’ll use it to buy a pair of shoes.
Update 11/18/2011
It’s been a while now and there’s been quite a bit of good work on Google Wallet done on XDA Developers. To clear a few things up, the email address appears to be for Android Cloud to Device Messaging (C2DM), and a lot of the debug code was removed from the wallet updates which have been pushed. That said, you can flip on the “Debug” menu in the original code. If you want to get this to run on a device though, you’ll need to resign a few other packages or fix permissions.
-b3nn
Zach’s 2010 BlackHat/DEFCON/B-Sides Las Vegas summary
I was aiming not to be the last contributor to this series, given that I’ve already received my proper lashings for slagging on posts as is. But, here’s my attempt at summarizing my experience in Las Vegas for BlackHat USA 2010, DEFCON 18, and the second Security B-Sides Las Vegas. I’ll scribble here what I can actually remember amidst the scorching blaze that is Vegas during the day, and the tiring, mind-scrambling, party-filled nights.
BlackHat
I actually caught the “System DNS Vulnerabilities and Risk Management” panel during the first day of BlackHat. Admittedly, I was expecting something beyond trumpeting about DNSSEC, though that’s…effectively…what the description of the panel was. *sigh* Anyway, the panelists explained the progress made with DNSSEC, explained some of the timelines for signing additional TLDs, what [we] should be on the lookout for, and even took a few good questions. One of the more intriguing inquiries from the audience was centered around emulating root nameservers in a completely isolated test lab. I wish I could recall what the exact response was, but that was right at the tail end of the panel and people were shuffling out. All-in-all, ‘okay’ session. (Really, though <fanboi> I just wanted to hear more from Whitfield Diffie </fanboi>.)
I also attended “These Aren’t the Permissions You’re Looking For”, presented by my pal Anthony Lineberry, and his cohorts at Lookout, David Luke Richardson and Tim Wyatt. As someone who spends quite a bit of time on the Android platform, this session piqued my interest. I expected the usual rigmarole, introduce Android, the security model, how permissions work, message passing, etc., and I was on target. That part of the talk was very familiar to me, so I nodded along in step. Eventually, the talk shifted gears, discussing how applications can sidestep requesting certain permissions (such as fine-grained / GPS location data) simply by scraping those data from the logs, which requires only asking for the READ_LOGS permission (as my colleague, Corey, said in a previous blog post). Additionally, they discussed a means of exfiltrating certain data with zero permissions — by simply invoking the web browser (via an Intent), pointing to an attacker-controlled web server, and sending device information and, in a few special cases, location data (IIRC, this was due to an issue in a third-party app).
The third, and final, talk I attended at Black Hat was “Harder, Better, Faster, Stronger: Semi-Auto Vulnerability Research” by Lurene Grenier (a.k.a. “pusscat”) and Richard Johnson. While certainly a bit dry to most of the audience (and even to me in a few spots), I was pretty excited about the concepts presented. The presenters basically laid out a workflow for finding, logging, archiving, and triaging bugs, and re-evaluating previously discovered bugs — constantly (in fact, one of the ideas presented was “constantly fuzzing”). Much emphasis was given to post-processing of bugs discovered during, say, the fuzzing process. Richard Johnson also presented a set of tools, including one called “MoFlow” (IIRC, and that actually may have been the collective name), to assist this process. Pusscat also showed off, briefly, a snapshot of a web interface that controlled and monitored distributed fuzzing/test processes. Cool stuff.
Security B-Sides Las Vegas
I didn’t actually attend the second day of BlackHat, but instead headed over to 2810 East Quail Ave., where lies a beautiful estate (with a gajillion [yes, a gajillion] pools). It also happened to be the venue for Security B-Sides Las Vegas. Surrounded by a ton of familiar faces, food, beer, and other refreshments, I chilled out for a bit before giving my own presentation, “It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications”. Through the nebulous haze of sleep deprivation, I managed to pull it off well enough (I think), and even answered some questions in a mildly coherent manner. After that, it was back to Caesars Palace to prepare for the Security Twits party.
DEFCON
Admittedly, my colleagues have done a better job of summarizing DEFCON than I can at this point. I spent most of my time in the “hallway track”, chatting up friends, old and new, about a myriad of things, ranging from hacking to Club Mate (blah). Also, I spent an inordinate amount of time getting my butt kicked in the Ninja Networks badge “game”. Notice I’m still a Level 1.
On the final day of DEFCON, I did manage to attend a panel about…wait for it…PCI. Yes. A PCI panel at DEFCON. And wouldn’t ya know it, it was packed. The panelists focused mainly on the pain points of PCI, the numerous misinterpretations and sheer laziness by merchants and service providers, and how we can all hope to effect change. Incidentally, the Q&A session following the panel, while in a smaller room (still packed, of course) was even more emotionally charged and powerful than the panel itself.
Here’s to more hax, more partying, and maybe even a bit of recovery.
Zach at the Adobe Haters Ball (photo by Stephen Ridley)
Max’s 2010 Las Vegas BH/DC Summary
Hey, this is Max Sobell and I’ve been interning with Intrepidus Group this past summer. I just got back from my first Blackhat/Defcon with IG a few days ago. Corey summed up quite a few of the really good talks but there was one more that was particularly interesting. The WiMAX Hacking (https://groups.google.com/group/wimax-hacking) talk, from Pierce, Goldy, and aSmig feat. sanitybit was great.
For those of you who aren’t familiar with WiMAX, it’s a wireless broadband technology being deployed (and spreading rapidly) by Clearwire (and others, though Clearwire has the largest network). The team’s research was done on the Clear network, which Time Warner, Comcast, and Sprint all re-brand, though it is the same physical network. One thing I really liked in the talk was the emphasis on the hardware hacks and jailbreaks. They combined some hardware hacking with some VPN tricks to own a couple of WiMAX devices and the captive portal page. The team was able to send fragmented packets through OpenVPN on UDP/53 without actually logging into the portal to get free WiMAX. Unfortunately, the downside is that the Location Based Services (LBS) from Clearwire (currently not very accurate and can’t be turned off) allow anyone bumming off the network to be tracked down by fellow users via a development key. One thing that confused the audience was that the speakers didn’t qualify what they meant by LBS. In the context of their talk, they were talking about traditional signal strength analysis and antenna orientation. What was not mentioned is that these 4G WiMAX cellular radios also have real GPS radios, which are a requirement of E911. I would assume that the carrier has the ability to locate a device within meters based on the GPS radio.
Friday morning Corey, Mike, and I played in the Hack Cup soccer games on the Goal++ team along with DC Campbell, DC’s friend Judd, and Adam Pridgen. We sustained some early injuries, which left Mike scooting around the Riviera for the rest of the week in a motorized cart, but made it to the semi-finals with no subs. Unfortunately after that we had to stop playing because we lost DC to the airport and Judd had to go back to work. But watch out next year, Goal++ will be back! A big thanks to Nico Waisman for organizing the tournament and to Immunity for sponsoring it.
That’s it from me!
-Max
higB’s 2010 Las Vegas BlackHat DefCon summary
higB here.. I’ll keep my post mostly about the culture
Amanda did a great job making sure we were in the Palace tower (not the stinky Forum tower). It was awesome having help this year to organize the Intrepidus Group visit to BlackHat/DefCon. Every year we get bigger and every year the cat herding task is more challenging. Thanks Amanda! (and thank you Mac for organizing the shoot, more on this later…)
Some of our traditions are borrowed, but we have some of our own, too.
Tradition: The FNG list
If you haven’t brought an intern to Vegas with you I HIGHLY recommend it. In keeping with Intrepidus traditions, the FNG is required to fetch Vegas supplies.
Rules:
- The FNG can get you any reasonable supply.
- The FNG should avoid drug dealers named Doug.
- The FNG must have your list prior to Tuesday the 27th.
Max, thank you! You were awesome!
(LtoR: Corey, Max, Zusman, Pridgen)
Tradition: Custom Con Tee Shirt
One fond memory I have of my early days at FS was rocking a freshly designed con shirt. Prosise and crew put in effort to get a cool design for us to wear every year. We carry on a similar tradition here. (The shirt is usually packed with inside jokes, so apologies in advance.)
Tradition: Death via Maggiano’s
If you didn’t see any of us Friday night, it’s because we got close to nearly killing ourselves at Maggiano’s. Seriously, we have to stop going there. Every year it’s the same thing, followed by a direct trip to the hotel room to moan and groan. I was down for the count and didn’t leave the hotel room.
*New* Tradition: DefCon Unofficial Shoot
My first DefCon was in 98. My first participation in the DefCon shoot was 2010. Thanks to our guy Mac for organizing and, of course, Deviant and crew. The event was well organized, but I think they were a little worried when they saw the target we brought…

Of course we knew Mac and Jim would be great marksmen, but we were all a little creeped out by how awesome Doug was. (If that is your REAL name, Doug…mister “i’ve never done this before…”)
This is getting a little long so I’ll go rapid fire:
Hot:
- Ridley’s Photos: check em out
- Jeremy Allen and Raj Umadas BH talk on Mallory
- Zach’s BSides talk
- #maggianos
- taqueria canonita venetian
- SecurityTwits party
- DefCon Shoot
- Craig Heffner’s “Millions of Routers” talk (seriously)
- WiMax talk: Pierce, Goldy and aSmig
- Blake Self and Bitemytaco’s Docsis talk
- Blue EFF teeshirt
- This year’s badge
Not Hot:
- The Riviera (gross bathrooms .. yay Rio?)
- Goon track change on Saturday screwed over people in line.
- Last year’s badge (it was bad enough that it deserved another mention)
- FastlapLV broken and slow go-karts
I hope to see everybody next year!
-higB
(LtoR: Dean, Aaron, and Rohyt @ Caesars.)
XKCD – cool shell!
If you haven’t been over to XKCD to see their new shell, go check it out:
http://github.com/chromakode/xkcdfools/blob/master/xkcd_cli.js <– badass
guest@xkcd:/$ vi
You should really use emacs.
guest@xkcd:/$ WHAT
Unrecognized command.
guest@xkcd:/$ rm -Rf /
guest@xkcd:/$ woo
Unrecognized command.
guest@xkcd:/$ su
God mode activated. Remember, with great power comes great ... aw, screw it, go have fun.
PCI – Don’t even joke about it…
Y halo thar! The New-New Intrepidus Group Blog…
Hi Internetz,
Check out our new blog.
Look at my blog, my blog is amazin’
For a while we had blog.phishme.com where members of the Intrepidus circus posted on a semi-regular basis. That is all well and good, but we outgrew that and it really made more sense to limit blog.phishme.com to PhishMe and phishing related blog posts.
So what is this blog for?
Fair question. We’ll let you know when we figure that out. There are many blogs like this but this one is ours. This blog is mainly for Intrepidus Group folks to share their research, provide commentary, and solicit feedback. There are a lot of really-really excellent security blogs out there. This blog will be at best, semi-good. I hope we get a good laugh out of readers from time to time.
Let’s face it.. we are part of the <airquotes> industry </airquotes> — we play in the industry and the industry takes care of us. There is nothing wrong with that. We really are in no position to take ourselves too seriously, so we won’t.
About this blog’s infrastructure.
Last year there was some excitement surrounding security companies getting their boxes owned. This, of course, was a concern for us. Being security geeks… the Intrepidus crew all started throwing out fanciful ideas about how to host a blog, lock it down, create boobytraps, manage it only over SSH tunnels, which you have to portknock to open, blah blah blah… The conversation went from zero-to-ridiculous pretty quick. So I chimed in with…. “How about we >don’t< try, AT ALL?”
So…. We went one step below not trying .. we are hosting a PHP WordPress blog on a cheap-ass shared hosting provider (Dreamhost) that emails your clear-text password out every chance it gets. We manage this over (are you sitting down?) HTTP! For security, it can’t get much worse. (Did I mention they hang your MySQL database out in the wind with a juicy phpMyAdmin interface? Oh, and you get SquirrelMail even if you didn’t want it.)
Enjoy our blog!
“Sweet lemonade, sweet sweet lemonade!”
^higB
IT Security World 2008 — Wowzerz!
I just got back from the IT Security World Conference & Expo 2008. This was the first time I’ve attended this conference. The speaker line up looked good. I wasn’t there to see the speakers though; I was an exhibitor working a phishme booth.
I’ve spoken at DefCon, BlackHat, Shmoocon, etc…. but at this conference, I wore my exhibitor badge, which might as well have read “leper”. Hah, not that I can blame the attendees for treating me like a leper, after all, I was just another exhibitor in the gauntlet they had to run in order to get to the drinks and snacks.
When you brave the booth gauntlet, you’re bombarded by shiny people. Appliance after appliance, magic boxes that make all your IT security problems go away.
My booth was at the end of the gauntlet. It was entertaining to watch attendees pickup my swag without missing a step, only to read the banner that says “Phish your employees” pause, double back, and curiously ask me “what is this?” Most would chuckle after figuring out exactly what phishme.com does. Eyes popped out of heads of the ones that actually saw the demo.
There was something about the conference and expo that REALLY bothered me……
The sad thing was these Internet terminals were in heavy use throughout the conference. Every time I walked by them people were in their email.
-higB
RSA Conference: Circus of Vendors
In past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old-time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. Must have been 300 booths and a gazillion sales people swarming them with those annoying mics trying to outspeak each other like barkers outside a souvenir store at a tourist destination. Companies doing raffles at their booths – I’ve seen that, but arcade car racing games like those at Dave & Busters, security “Jeopardy” shows every hour being hosted by “slick” sales people, cheesy whack-a-fraudster, wannabe Houdinis showing off card tricks and free beer made the cut too. I wondered, do clients actually walk the floor to learn about new products? I think not. They do so for the free entertainment, adulation, and giveaways. Makes one wonder, are the RSA booths worth their price tag? The smallest, and furthest ones, which you would see only if you were really looking for them, are worth an arm and a leg. VC money well spent? Oh what a circus it was!
- Rohyt
![img_161532_primary[1]](http://intrepidusgroup.com/insight/wp-content/uploads/2010/02/img_161532_primary1.jpg)