12.07.2015 Views

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs



EDITOR’S NOTE
05/2011 (05)

TEAM
Editor: Sebastian Bula, sebastian.bula@software.com.pl
Betatesters / Proofreaders: Massimo Buso, Ankit Prateek, Santosh Rana, Rishi Narang, Davide Quarta, Gerardo Iglesias Garvan, Steve Hodge, Jeff Weaver, Santosh Rana
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Marketing Director: Sebastian Bula, sebastian.bula@software.com.pl
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers,

How do you feel when you read yet another piece of news about yet another tabloid journalist hacking into yet another celebrity / politician / accident victim / etc. mobile and extracting confidential information from their voice mail (The News of The World thank you very much for making the news)? I believe that people who use their mobiles like their cars (you don’t have to know what’s under the bonnet to know how to drive it – so the vast majority of us) are perplexed at the idea that their precious secrets can be disclosed so easily and their indispensable mobile friends can be hacked into by nameless agents, lurking somewhere out of their sight. But how a hacker feels? I believe – offended, because how can you call trying out a 4-digit code (which is most likely 1,2,3,4, or the year of the user’s birth, or something equally impenetrable) till you find the correct sequence? I might be a bit biased here, but I find calling it brute-forcing a bit of an overstatement.

Thus, we’ve decided to devote our September edition to mobile security, seen, as always, from a pentester perspective. The mobile apps market is growing rapidly, and so are attempts of compromising its security. Nowadays everyone can be a "hacker", as we have already mentioned, but securing yourself from a real threat is another pair of shoes. And what better way of managing security issues than penetration testing?

The centerpiece of this issue’s focus is Aditya K Sood’s Breaking Down the i*{Devices}, concentrating on data testing, decrypting and mobile apps developers’ "wrongdoings", who sometimes tend to disregard security issues at a scale which can be described as at least inappropriate, taking into consideration the expanding market. Cory Adams will encourage you to Act Like a Criminal while Leveraging Android Malware for Improved Penetration Testing Results, Bill Mathews will share his views on Attacking the Mobile Infrastructure, and Devesh Bhatt will take you Inside Android Applications, concentrating on manifest configuration. Some general points of Mobile Application Security Testing will be presented to you by Iftach Ian Amit.

There are of course other articles worth looking at in this issue of PenTest Magazine. I can definitely recommend Arthur Gervais’ New Penetration Business Model – the idea behind his Hatforce project, based on crowd-sourcing. It might be another step in the field of IT security, surely worth looking at and taking further.

Enjoy your reading
Sebastian Buła
& Penetration Test Magazine Team

05/2011 (5) September
http://pentestmag.com
