Editor's note

Recommendations

Info

of how long it’s expected to be. The result for the user is the potentially useful compromise of being able to enter a longer passcode, but without having to resort to the potentially fiddly alphabetic keyboard to do so. Let Me Through, I’m An Impostor! Having enabled a lock of some kind, there is also the question of what people can still get to without needing to be authenticated. As shown in Figures 2 and 3, it is standard practice for emergency calls to still be possible from a locked device, but this is often not the only feature. For example, the recent launch of the iPhone 4S was followed by criticism that its Siri personal assistant was still active with the phone locked (Newman, J. 2011. Siri’s Security Hole: The Passcode Is the Problem, PCWorld, 20 October 2011. http://www.pcworld.com/article/242253/ siris_security_hole_the_passcode_is_the_problem.html). This is actually similar to what earlier iPhone users would find with the normal ‘voice control’ feature, which (unless disabled in the settings) allowed access to the phonebook to make calls or to the music library to play tracks. The difference with Siri was that it exposed a much greater range of functionality, such as the ability to send texts and emails, while the phone was otherwise still locked. In no sense was it a security oversight, as the iOS settings offer an explicit option for whether Siri should still be accessible when the phone is locked, but criticism could be leveled for making this the default configuration. This again highlights the balancing act that’s required in terms what should be left accessible for the convenience of the owner, versus what needs to be kept off-limits for their protection. For example, regardless of Siri, the iOS lock screen still allows the camera to be used or music to be played, so you could conceivably take unwanted photos and fill up the phone’s memory, or have an uninvited nose through the user’s music collection. Of course, neither of these are necessarily major risks in the grand scheme of things, but it’s also notable that the owner doesn’t have a choice to disable the features and lock off the phone completely. In addition to potential configuration weaknesses, there are sometimes genuine implementation vulnerabilities waiting to be exploited. In fact, one such example was publicised while this very article was being written, with an iOS vulnerability that allowed the passcode to be bypassed on an iPad 2. The exploit basically involved holding down the power button until slide to power off appeared, then closing the Smart Cover, re-opening it and selecting ‘Cancel’ (9to5Mac. 2011. Anyone with a Smart Cover can break into your iPad 2, 20 October 2011. http://9to5mac.com/2011/10/ 20/anyone-with-a-smart-cover-can-break-into-youripad-2/). Doing so appeared to unlock the device and give an impostor access to whatever was on the screen starterkit 02/2011(2) MOBILE PENTESTING before it was locked. If the user had been running an app, then the impostor could see (and to some extent interact with) whatever was left on view. So, for example, if Mail was open, an impostor could look through the messages, or perhaps merrily go looking at web history in Safari. Alternatively, if the iPad had been left on the home screen, then the impostor could browse around and see what was installed. Trying to run an app quickly revealed that nothing would actually launch, as the device was still semi-locked, but some things could still be done to compromise both the integrity and confidentiality of the device. Specifically, apps could be deleted, and the search screen could still be used, with the results list from the latter potentially giving access to a wealth of confidential tidbits including contacts, schedule entries, and messages. Conclusions It is clear from many of the observations that our opportunities to protect mobile devices have not kept pace with the ways in which we’re now able to use them. The positive news is that there are now signs of this changing, with attention being given towards point-of-entry (PoE) approaches that people may feel more inclined to use. In addition, ongoing research is considering composite, non-intrusive approaches that have the potential to provide a measure of protection beyond the PoE judgement (Furnell, S., Clarke, N. and Karatzouni, S. 2008. Beyond the PIN: Enhancing user authentication for mobile devices, Computer Fraud & Security, August 2008, pp12-17). However, the level of protection that can be achieved on some devices will still lag behind what can be done on a full desktop system, and so if really sensitive data is at stake there remains a question of whether it ought to find its way onto a mobile device in the first place. PROF. STEVEN FURNELL Prof. Steven Furnell is the head of the Centre for Security, Communications &Network Research at Plymouth University in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP) – namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 210 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). Further details can be found at www.plymouth.ac.uk/cscan. Page 22 http://pentestmag.com
WHAT IS A GOOD FUZZING TOOL? Fuzz testing is the most efficient method for discovering both known and unknown vulnerabilities in software. It is based on sending anomalous (invalid or unexpected) data to the test target - the same method that is used by hackers and security researchers when they look for weaknesses to exploit. There are no false positives, if the anomalous data causes abnormal reaction such as a crash in the target software, then you have found a critical security flaw. In this article, we will highlight the most important requirements in a fuzzing tool and also look at the most common mistakes people make with fuzzing. PROPERTIES OF A GOOD FUZZING TOOL There are abundance of fuzzing tools available. How to distinguish a good fuzzer, what are the qualities that a fuzzing tool should have? Model-based test suites: Random fuzzing will certainly give you some results, but to really target the areas that are most at risk, the test cases need to be based on actual protocol models. This results in huge improvement in test coverage and reduction in test execution time. Easy to use: Most fuzzers are built for security experts, but in QA you cannot expect that all testers understand what buffer overflows are. Fuzzing tool must come with all the security knowhow built-in, so that testers only need the domain expertise from the target system to execute tests. Automated: Creating fuzz test cases manually is a time-consuming and difficult task. A good fuzzer will create test cases automatically. Automation is also critical when integrating fuzzing into regression testing and bug reporting frameworks. Test coverage: Better test coverage means more discovered vulnerabilities. Fuzzer coverage must be measurable in two aspects: specification coverage and anomaly coverage. Scalable: Time is almost always an issue when it comes to testing. User must also have control on the fuzzing parameters such as test coverage. In QA you rarely have much time for testing, and therefore need to run tests fast. Sometimes you can use more time in testing, and can select other test completion criteria. Documented test cases: When a bug is found, it needs to be documented for your internal developers or for vulnerability management towards third party developers. When there are billions of test cases, automated documentation is the only possible solution. Remediation: All found issues must be reproduced in order to fix them. Network recording (PCAP) and automated reproduction packages help you in delivering the exact test setup to the developers so that they can start developing a fix to the found issues. MOST COMMON MISTAKES IN FUZZING Not maintaining proprietary test scripts: Proprietary tests scripts are not rewritten even though the communication interfaces change or the fuzzing platform becomes outdated and unsupported. Ticking off the fuzzing check-box: If the requirement for testers is to do fuzzing, they almost always choose the quick and dirty solution. This is almost always random fuzzing. Test requirements should focus on coverage metrics to ensure that testing aims to find most flaws in software. Using hardware test beds: Appliance based fuzzing tools become outdated really fast, and the speed requirements for the hardware increases each year. Software-based fuzzers are scalable in performance, and can easily travel with you where testing is needed, and are not locked to a physical test lab. Unprepared for cloud: A fixed location for fuzz-testing makes it hard for people to collaborate and scale the tests. Be prepared for virtual setups, where you can easily copy the setup to your colleagues, or upload it to cloud setups.
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21: user has an increased opportunity o
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?