Categories
Uncategorized

HOW TO MAKE YOUR ANDROID DEVICE VULNERABLE

It’s possible, it’s risky, and it’s pointless. If you really want to hack your own device, give it a try!

Compared in terms of security, iOS devices have generally had stronger built-in security features than Android devices. Yet jailbreakers such as Jay Freeman (saurik) and others still managed to exploit the Mach-based iOS kernel. Android, too, has specific security features, but it has experienced several serious vulnerabilities.

This simply means that no matter how many security features engineers implement, there is always a way to bypass security measures on smart devices. This post reveals a couple of ways users make their Android devices vulnerable.

1. Downloading apps from external stores:

A user may be tempted to download an Android app from a third-party store instead of Google Play because the app is restricted to certain countries, or because the same app that sells for $100 is hosted on another store for free. Third-party app stores are commonly full of malicious or repackaged apps. Google Play is not immune either: malicious apps have slipped past its review, so the official store is no guarantee of safety.

2. Debuggable apps on your devices:

A debuggable app allows attackers, bug hunters, or anybody interested in application-level bugs to attach a debugger to it on your device and use that as a foothold. Some developers forget to set android:debuggable="false" in the AndroidManifest.xml of their applications (the attribute defaults to false when omitted, but build tooling sets it to true for debug builds). With the flag set, anyone with adb access to the phone can attach over the Java Debug Wire Protocol (JDWP) and manipulate the classes, methods and variables of the running app at run time.

3. Apps with critical permissions on your devices:

For certain apps to work on your device, you have to accept the permissions they ask for. Some apps ask for permission to read and write SD card storage, read the phone state, modify and delete accounts, and access your contacts, on top of whatever the app itself keeps in its own SQLite database files.

Apps that ask for critical (dangerous protection-level) permissions often do not have strong security measures of their own. Malicious apps can piggyback on such apps to extract data from SD card storage, delete contacts on your device, and so on. There are several other ways of making your Android device vulnerable.

The cases above can happen to you unknowingly, because spotting them requires some technical acumen. Ordinary users can rely on a mobile antivirus product such as Kaspersky Mobile Antivirus to detect malicious apps.
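For readers who do have that technical acumen, here is an added example (a Python script written for this post, not code from the original article) that makes points 2 and 3 checkable. Given a decoded AndroidManifest.xml, as produced by apktool or taken from a project's source tree, it reports whether the app is left debuggable, whether it asks for permissions Android classifies as dangerous, and whether it exports components without guarding them with a permission. The manifest, package name and component names in the sample are constructed.

```python
"""Audit a decoded AndroidManifest.xml for the weaknesses discussed above.

Added example; the manifest below is constructed, not taken from a real app.
Run it on the output of `apktool d app.apk` (AndroidManifest.xml is decoded
there) or on a manifest straight from a project's source tree.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of the permissions Android assigns protection level "dangerous".
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample: a debuggable app with an unprotected exported provider.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:exported="true"/>
    <service android:name=".SyncService"
             android:exported="true"
             android:permission="com.example.notes.SYNC"/>
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an android:<name> attribute, or None when it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return a list of human-readable findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    app = root.find("application")
    if app is not None:
        if android_attr(app, "debuggable") == "true":
            findings.append("debuggable=true: anyone with adb access can attach "
                            "over JDWP and manipulate the running app")
        # allowBackup defaults to true, so only an explicit "false" is safe.
        if android_attr(app, "allowBackup") != "false":
            findings.append("allowBackup not disabled: app data can be pulled "
                            "with `adb backup`")
        # Activities are skipped: the launcher activity must be exported.
        for tag in ("service", "receiver", "provider"):
            for comp in app.findall(tag):
                exported = android_attr(comp, "exported") == "true"
                if exported and not android_attr(comp, "permission"):
                    findings.append("exported %s without a permission: %s"
                                    % (tag, android_attr(comp, "name")))

    for perm in root.findall("uses-permission"):
        name = android_attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append("dangerous permission requested: " + name)

    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for finding in audit_manifest(text):
        print("[!]", finding)
```

On the sample it reports five findings; flipping debuggable and allowBackup to "false" leaves only the two dangerous permissions and the unprotected provider, which is exactly what a release build should still be reviewed for.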

#ISA_informs

#ISA_ltd

Five Non-Traditional Ways of Information Gathering for Pentesters

Let your plans be dark and impenetrable as night and when you move, hack like a thunderbolt

In the world of cybersecurity, almost every penetration tester relies on the information-gathering tools shipped with Kali Linux: Nmap, subbrute, Sublist3r, theHarvester, and similar tools. Although these tools help in gathering information on a particular target, there are other ways of gathering information on a target without them. Combining the following methods with the tools on Kali Linux is very effective for any penetration tester, and most of them are passive: they query third-party data rather than touching the target's systems. As a former security researcher on the HackerOne and Bugcrowd platforms, I heavily relied on both orthodox and unorthodox ways of gathering information without being detected.

1. GitHub

GitHub is another great source for gathering information on a target. Search for a target name such as Isacom.tld. Such a search reveals the kinds of documents and files the target, or its developers, have pushed to GitHub. These files may contain information you need to test endpoints that are not on the public interface: internal hostnames, configuration files, and API keys or other credentials committed by mistake. Any pentester interested in a target's leaked API keys should look on GitHub first.
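Searching is only half the job; once you have cloned what the search turned up, you need to find the credentials in it. The following Python scanner is an added example written for this post (not the author's tooling): it runs a few high-confidence patterns over files, falls back to a generic "key/secret/token = value" rule, and uses Shannon entropy to drop placeholders. The sample file contents are constructed; the AWS access key id is Amazon's documentation example value, not a live credential.

```python
"""Scan files pulled from a target's public repositories for leaked secrets.

Added example for this post (not the author's tooling). Pair it with GitHub's
search (the target's domain name, or org:<target> together with words such as
"password" or "api_key") and run it over whatever you clone. The sample file
contents below are constructed; the AWS key id is Amazon's documentation
example value.
"""
import math
import re
import sys

# Specific, high-confidence patterns first; the generic rule comes last and is
# gated on entropy so that placeholders such as REPLACE_ME are not reported.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google-api-key", re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("generic-secret", re.compile(
        r"(?i)(?:key|secret|token|password)\w*\s*[=:]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]")),
]
ENTROPY_MIN = 3.0  # bits per character; real keys sit well above this

SAMPLE_FILES = {  # constructed
    "config/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'SECRET_KEY = "REPLACE_ME_REPLACE_ME_REPLACE_ME"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n",
    "README.md": "Run `make build`. Set API_KEY in your environment.\n",
}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_number, rule_name) for each line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic-secret" and shannon_entropy(match.group(1)) < ENTROPY_MIN:
                continue
            findings.append((path, lineno, rule))
            break  # one finding per line; the most specific rule wins
    return findings


def scan_files(files):
    """files: mapping of path -> text, e.g. built by walking a cloned repository."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    files = SAMPLE_FILES
    if len(sys.argv) > 1:  # scan real files given on the command line
        files = {p: open(p, errors="replace").read() for p in sys.argv[1:]}
    for path, lineno, rule in scan_files(files):
        print("%s:%d: %s" % (path, lineno, rule))
```

Remember that deleting a committed secret does not revoke it: the old commit is still in the history and in every fork, so anything the scanner finds has to be rotated.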

2. Archive.org

Searching for documents or files via Archive.org (the Wayback Machine) is dumpster diving on the internet. It can help you find old files and documents such as robots.txt, inactive subdomains, and other forgotten endpoints. This lets you discover older functionality belonging to certain endpoints or other subdomains of a host. As a pentester, you can often leverage that older functionality, which may still be live and unmaintained, to reach other methods or features.
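The Wayback Machine exposes its index through the CDX API, which is far quicker to mine than browsing snapshots by hand. The Python below is an added example written for this post (not the author's tooling): it builds the query for every captured URL under a domain, parses the response into hosts, endpoints with their earliest capture date and query-parameter names, and picks out the paths worth revisiting. The CDX response in the sample is constructed, and the example.com hosts in it are not real targets.

```python
"""Mine the Wayback Machine's CDX index for forgotten hosts and endpoints.

Added example for this post, not the author's tooling. The CDX API
(https://web.archive.org/cdx/search/cdx) returns one line per capture in the
form: urlkey timestamp original mimetype statuscode digest length. The sample
response below is constructed; the hosts in it are not real targets.
"""
import re
import sys
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Paths worth a second look once rediscovered: old admin panels, export and
# backup scripts, legacy API versions.
INTERESTING = re.compile(r"admin|login|export|backup|dump|/api/|\.cgi$|\.php$", re.I)

SAMPLE_CDX = """\
com,example)/ 20150301120000 http://example.com/ text/html 200 AAAA 1234
com,example)/robots.txt 20150301120100 http://example.com/robots.txt text/plain 200 BBBB 120
com,example)/admin/login.php 20160401000000 http://example.com/admin/login.php text/html 200 CCCC 3000
com,example)/api/v1/users?id=2 20170101000000 http://example.com/api/v1/users?id=2 application/json 200 DDDD 500
com,example,staging)/api/v1/users?id=1 20160101000000 http://staging.example.com/api/v1/users?id=1 application/json 200 EEEE 500
com,example,old)/export.cgi?format=csv 20140101000000 http://old.example.com/export.cgi?format=csv text/plain 200 FFFF 100
"""


def cdx_query_url(domain):
    """Build the query for every capture of every host under `domain`."""
    params = {"url": "*.%s/*" % domain, "output": "txt", "collapse": "urlkey"}
    return CDX_ENDPOINT + "?" + urlencode(params)


def parse_cdx(text):
    """Turn raw CDX lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        records.append({"timestamp": fields[1], "url": fields[2],
                        "mime": fields[3], "status": fields[4]})
    return records


def summarize(records):
    """Collect hosts, endpoints (with earliest capture) and query parameter names."""
    hosts, endpoints, params = set(), {}, set()
    for rec in records:
        parts = urlsplit(rec["url"])
        host = parts.hostname
        if not host:
            continue
        hosts.add(host)
        endpoint = host + (parts.path or "/")
        seen = endpoints.get(endpoint)
        if seen is None or rec["timestamp"] < seen:
            endpoints[endpoint] = rec["timestamp"]
        params.update(parse_qs(parts.query).keys())
    return {"hosts": hosts, "endpoints": endpoints, "params": params}


def interesting_endpoints(summary):
    """Endpoints whose path matches INTERESTING, sorted for stable output."""
    return sorted(e for e in summary["endpoints"] if INTERESTING.search(e))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live query against the real CDX API
        with urlopen(cdx_query_url(sys.argv[1]), timeout=60) as resp:
            text = resp.read().decode("utf-8", "replace")
    else:
        text = SAMPLE_CDX
    summary = summarize(parse_cdx(text))
    print("hosts:", sorted(summary["hosts"]))
    print("query params:", sorted(summary["params"]))
    for endpoint in interesting_endpoints(summary):
        print("first seen %s  %s" % (summary["endpoints"][endpoint], endpoint))
```

Querying the archive sends nothing to the target; only when you later request the rediscovered endpoints on the live host does the activity become visible to them.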

3. Shodan.io

Tools such as Nmap allow pentesters to scan IP addresses for open and closed ports, identify the products running on endpoints, and more. Shodan offers similar information with one important difference: Shodan has already scanned the internet and indexed the results, so you query its database instead of sending packets to the target, and there is no scan traffic for the target to detect. You can use shodan.io to look up IP addresses, open ports, service banners and so on. In addition, Shodan integrates with external tools such as its Maltego add-on, which behaves like Maltego on Kali Linux and adds host lookup features.

4. Censys.io

Apart from IP addresses and open and closed ports, Censys.io also lets you analyze assets such as the SSL/TLS certificates belonging to a target. You can use the Censys application programming interface to run SQL queries against its datasets for a target IPv4 address. However, this particular API is reserved for verified researchers.

5. Amazon Web Services:

And finally, let’s dwell on Amazon Web Services. AWS hosts millions of assets belonging to corporate companies on its platform. As a pentester or security researcher, you can look for misconfigured S3 buckets that allow external users to list, read or even write objects belonging to an organisation. We trust the above methods will help you gather information on a target even when the information-gathering tools on Kali Linux fail to do the job. This is for educational purposes only!
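What "misconfigured" means in practice is visible in how S3 answers an anonymous request on a bucket: a public listing comes back as a ListBucketResult document, a private bucket as an AccessDenied error, and a name nobody owns as NoSuchBucket. The Python below is an added example written for point 5 (not the author's tooling): it derives common bucket names from a company name, classifies a response into those three cases, and wraps the live request. The three responses in it are constructed in the shapes S3 really returns; the `probe_bucket` function reaches the network and must only be pointed at buckets you are authorized to test. Checking for write access would additionally need a PUT of a harmless object, which this example does not attempt.

```python
"""Classify what an unauthenticated request to an S3 bucket reveals.

Added example for this post, not the author's tooling. S3 answers an
anonymous GET on https://<bucket>.s3.amazonaws.com/ with a ListBucketResult
document when listing is public, an AccessDenied error when the bucket exists
but is private, and a NoSuchBucket error when it does not exist; that
difference is what bucket enumerators key on. The responses below are
constructed, and probe_bucket should only be pointed at buckets you are
authorized to test.
"""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
SUFFIXES = ["", "-backup", "-backups", "-dev", "-staging", "-prod",
            "-assets", "-uploads", "-logs", "-data", "-static", "-media"]

# Constructed responses (status code, body) in the shapes S3 really returns.
PUBLIC_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
               b'<Name>acme-backups</Name>'
               b'<Contents><Key>db/2017-09-01.sql.gz</Key></Contents>'
               b'<Contents><Key>config/prod.env</Key></Contents>'
               b'</ListBucketResult>')
DENIED_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>')
MISSING_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<Error><Code>NoSuchBucket</Code>'
                b'<Message>The specified bucket does not exist</Message></Error>')


def candidate_names(company):
    """Common bucket names derived from a company name, filtered to valid syntax."""
    base = company.lower().strip()
    return [n for n in (base + s for s in SUFFIXES) if BUCKET_NAME.match(n)]


def classify_s3_response(status, body):
    """Return (verdict, object_keys) for one anonymous GET on a bucket root."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unknown", [])
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        keys = [k.text for k in root.iter(S3_NS + "Key")]
        return ("public-listable", keys)
    code = root.findtext("Code") if root.tag == "Error" else None
    if code == "NoSuchBucket":
        return ("not-found", [])
    if status == 403:
        # Exists, listing denied. Individual objects may still be public-read;
        # only a GET on a known key would tell.
        return ("exists-private", [])
    return ("unknown", [])


def probe_bucket(name, timeout=10):
    """Live check (network). Not exercised by the sample run below."""
    url = "https://%s.s3.amazonaws.com/" % name
    req = urllib.request.Request(url, headers={"User-Agent": "s3-check-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_s3_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_s3_response(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in candidate_names(sys.argv[1]):
            print(name, probe_bucket(name))
    else:
        for status, body in ((200, PUBLIC_BODY), (403, DENIED_BODY), (404, MISSING_BODY)):
            print(status, classify_s3_response(status, body))
```

The "exists-private" verdict is the one to be careful with: a bucket whose listing is denied can still serve individual objects to anyone who knows their keys, which the Archive.org and GitHub techniques above often reveal.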

#ISA_informs

#ISA_ltd

HANDS-ON VULNERABILITY MANAGEMENT COURSE

Are you a cyber security engineer, application developer, system administrator or network engineer eager to learn how to pentest networks of systems and effectively manage the vulnerabilities in them?

Then ISVM is the solution for acquiring the requisite skills for your organization.

The Information Systems Vulnerability Management (ISVM) course is a 2-day weekend and/or 3-day weekday course intended for system administrators, network engineers, application developers and IT security officers with information security responsibilities who may not have had training in ethical hacking or related fields.

Course Overview:

This course provides participants with a technical grounding in the networking concepts and technologies that are critical to IT operations in institutions, such as the TCP/IP protocol suite.

Course Objectives:

After completing the course, the participant will, at a minimum, be able to demonstrate the following skills:

  • Recognize where and how vulnerability management fits in with the company’s overall information security program and IT operations
  • Identify the role a vulnerability management program has in safeguarding information and assets
  • Assess the adequacy of patch management, vulnerability scanning and assessment, and penetration testing tools, and understand their limitations
  • Evaluate the adequacy of an organization’s testing program
  • Recognize key elements of an incident response program
  • Discuss key technology terms related to information systems vulnerability management
  • Assess the key risks, controls and processes in a supervisory context, including regulatory compliance issues
  • Identify what the institution must do to respond to new threats

Interested in ISVM training in the month of November? Then contact our front desk office on 03027670912 or send an email to business@isa.com.gh for registration.

LESSONS GLEANED FROM EQUIFAX HACK

Recently, we heard how Equifax servers were hacked by black hats. According to sources close to the credit reporting agency, Equifax servers were breached in mid-May and the intrusion went undetected until late July.

Equifax Inc. is a consumer credit reporting agency in the United States, considered one of the three largest American credit agencies along with Experian and TransUnion.

The hackers who broke into the servers stole driver’s license numbers and about 209,000 credit card numbers, among other personal data. This breach has affected almost half of all Americans, and it is devastating because until May Equifax was deemed one of the most secure and trusted credit reporting agencies, holding data on half of the US population.

Our security engineers sat down to discuss and analyze the breach, and came up with lessons that everyone can learn from it.

1. Don’t trust security. It’s a myth:

“Our servers are secured from hackers.” “Our servers are behind robust firewalls.” Statements like these are common on the web nowadays. However, we should not take such words from vendors on trust. Equifax was noted for storing users’ data in a secured place, yet it was hacked. Don’t trust “security” as a claim; until it is tested, it’s a myth.

2. Place emphasis on prevention, not just safety:

One of the best ways to limit the damage of a data breach is to put a prevention plan in place before it happens. A prevention plan is very different from a list of safety measures or tips. A prevention plan cannot stop hackers from breaking into servers, but it can stop them from achieving their main purpose. For instance, storing users’ data on a server behind a firewall cannot stop hackers from breaking into your server, but getting at the raw customer data can be made far harder: passwords should be stored only as salted hashes, and other sensitive fields encrypted at rest with keys kept outside the database.
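To make lesson 2 concrete, the Python below is an added example (not Equifax’s or this post’s code) of storing data so that a copied database is of little use on its own. Passwords get a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation, verified in constant time; a field that must stay searchable but should not sit in the clear, such as an ID number, gets a keyed HMAC “blind index” whose key lives outside the database. The pepper key and sample values are constructed, and a real deployment would keep that key in a KMS or HSM.

```python
"""Store passwords as salted hashes and keep lookup keys without the raw value.

Added example for lesson 2, not Equifax's or the author's code. The pepper key
and sample values below are constructed.
"""
import base64
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 200_000  # raise over time as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password, stored):
    """Constant-time check of a password against a stored record."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=PBKDF2_ITERATIONS):
    """True when a record was made with fewer iterations than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def blind_index(value, pepper):
    """Keyed HMAC of a normalised sensitive field: supports equality lookups
    (find the customer with this ID) without storing or exposing the value.
    Unlike a password hash it is deterministic, so the pepper must stay secret
    and must not be stored next to the data."""
    normalised = re.sub(r"[^0-9a-z]", "", value.lower()).encode("ascii")
    return hmac.new(pepper, normalised, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
    pepper = os.urandom(32)  # in production: from a KMS/HSM, never the DB
    print(blind_index("123-45-6789", pepper) == blind_index("123 45 6789", pepper))
```

The `needs_rehash` check is what lets the iteration count grow over the years: re-derive the record at the user’s next successful login rather than keeping decade-old parameters.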

3. Being hacked is inevitable:

Despite the numerous safety measures recommended by so-called “cybersecurity experts”, no company under the sun, Equifax included, is invulnerable to hackers. The best options you have are to avoid painting a target on yourself by announcing that your “web portal is secure” or your “servers are hardened”, and to make life difficult for hackers by putting firm prevention measures in place.

4. Detection tools can’t stop data breaches:

If you read from the very first line of this article, you saw that sources close to Equifax told the media the servers were hacked around May and the intrusion went undetected for more than two months. A mega company such as Equifax surely had detection tools on its servers to spot attacks from hackers. Yet those tools, or the people watching them, failed to catch the unauthorized entry. We advise implementing detection tools, but don’t rely on them fully: an alert that nobody acts on stops nothing.

5. Audit your systems regularly:

We advise everyone to take this particular lesson seriously. Auditing your systems regularly is a sure way of ensuring that both obvious and hidden loopholes are found before hackers attempt to breach your servers.

We encourage everyone interested in the secure storage of data to reflect on these lessons to prevent future server breaches.

#ISA_informs 

#ISA_ltd

Taxi Trojans are on the way: Beware of Banking Apps

The Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.
 
After getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.
 
First, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.
 
When Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.
 
Actually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets — as well as apps for booking taxis.
 
Below you can find several pieces of advice on how to protect yourself against Faketoken and similar mobile Trojans that steal card numbers and intercept SMS messages with one-time passwords used to confirm payments.
 
  • It is imperative that you go into Android’s settings and prohibit the installation of apps from unknown sources. To block installation from unknown sources, go to Settings -> Security and uncheck Unknown sources.
  • Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well).
  • It is a good idea to protect your smartphone by installing an antivirus that can find infections hiding in an app, such as the basic Kaspersky Internet Security for Android.

source: Kaspersky Lab.

Categories
Apps Mobile Phones

10 FAQs About Android Application Security.

Today our cybersecurity team answers 10 common questions from Android developers interested in securing their applications.


Q1: How can I protect my Android app from software pirates? I mean, how can I obfuscate my source code?
Ans: You can use a commercial obfuscator such as DexGuard or DashO to make it difficult for software pirates, reverse engineers or intruders to read and repackage your code. Keep in mind that obfuscation raises the cost of reverse engineering; it does not make piracy impossible.


Q2: I heard you can also use ProGuard to obfuscate source code?
Ans: Yes, but on its own it is not very effective. ProGuard is primarily a shrinker and optimizer; its renaming of classes and methods is easily worked around by reading the decompiled code, and it does not encrypt strings or resources.


Q3: Do you think it is safer to save users’ data on their own device?
Ans: Yes and no. Yes: it is reasonably safe to save non-sensitive data on users’ devices. No: it is not safe to save sensitive data on users’ devices, even if you intend to protect it with strong encryption, because an attacker who controls the device can usually get at the key as well.


Q4: I heard hackers can intercept data in transit using a proxy such as Burp Suite?
Ans: Yes. They can intercept and modify data in transit.


Q5: So is there any defense mechanism against this form of attack?
Ans: Yes. Use HTTPS for every connection and consider certificate pinning so that a proxy’s certificate is not accepted. Just as importantly, never trust input only because it passed client-side validation: implement exactly the same validation on the server side, since an attacker with a proxy can edit anything the app sends after the client has checked it.


Q6: Although I have implemented HTTPS to protect data in transit, I find it difficult to stop CSRF attacks?
Ans: Okay. HTTPS does not address CSRF, because the attack rides on the victim’s own authenticated session. Create an anti-CSRF token for each authenticated session and require it on every state-changing request. In addition, make tokens temporary: expire them and re-create them after a specific period.


Q7: Yes, I have done that, but hackers still bypass the CSRF protection.
Ans: Ensure that CSRF tokens are validated on the server side, on every request, against the value bound to that session, and not merely checked for presence. Also generate tokens from a cryptographically secure random source and compare them with a constant-time comparison.
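The difference between the check that gets bypassed and the one that holds is small in code, so here is an added example in Python (written for Q6 and Q7, not code from the original FAQ): a per-session token store that mints tokens from a CSPRNG, expires them, validates them on the server with a constant-time comparison, and beside it the weak “is a token present?” check that attackers walk past. The store is in-memory and takes an injectable clock so that expiry can be exercised; in a real deployment the same data would live in the session store.

```python
"""Per-session anti-CSRF tokens validated on the server, beside the weak
check that attackers slip past.

Added example for Q6 and Q7; not code from the original FAQ. The store is
in-memory and the clock is injectable so the expiry path can be exercised.
"""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600


class CsrfTokenStore:
    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._tokens = {}  # session_id -> (token, expires_at)

    def issue(self, session_id):
        """Mint a fresh random token bound to this session; replaces any old one."""
        token = secrets.token_urlsafe(32)  # CSPRNG, 256 bits
        self._tokens[session_id] = (token, self._clock() + self._ttl)
        return token

    def validate(self, session_id, presented):
        """Server-side check: right session, not expired, exact match."""
        entry = self._tokens.get(session_id)
        if entry is None or not isinstance(presented, str):
            return False
        token, expires_at = entry
        if self._clock() > expires_at:
            del self._tokens[session_id]  # expired: force a re-issue
            return False
        # Constant-time comparison: no timing side channel on the token bytes.
        return hmac.compare_digest(token.encode(), presented.encode())


def validate_csrf_weak(session_id, presented):
    """The kind of check that gets bypassed: it only tests that *a* token was
    sent, never that it is the one issued to this session or still valid."""
    return bool(presented)


def handle_transfer(store, session_id, form):
    """A state-changing endpoint: reject unless the CSRF token checks out.
    form is the parsed POST body (a dict here) of the hypothetical request."""
    if not store.validate(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing, expired or wrong"
    return 200, "transfer of %s accepted" % form.get("amount")


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue("session-123")
    print(handle_transfer(store, "session-123", {"csrf_token": token, "amount": "10"}))
    print(handle_transfer(store, "session-123", {"amount": "10"}))
    print(validate_csrf_weak("session-123", "anything-at-all"))  # True: the bypass
```

Binding the token to the session is the part most often missed: a token that is merely “valid somewhere” can be obtained by the attacker from their own session and replayed against the victim’s.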


Q8: I want my Android app to share data with other apps, but with some form of restriction. How can I achieve that?
Ans: Okay. You can use a content provider, which allows apps to share data with other apps. With a content provider you can declare separate read and write permissions in the manifest (android:readPermission and android:writePermission). Thus some apps may have read and write access while others have read-only or write-only access, and any provider you do not intend to share at all should be declared with android:exported="false".


Q9: Could I also save data in the shared_prefs file? I heard it is not safe to do so.
Ans: It is fine when the data is not sensitive. It is not safe when the data is sensitive: SharedPreferences is a plain XML file in the app’s private directory, readable on a rooted device or from a backup. So keep users’ data such as passwords, user IDs and account numbers on your web server, and keep no more than a short-lived session token on the device.


Q10: Is it advisable to hire Android security researchers or pentesters to audit my apps?
Ans: Yes. We recommend that you do so.
Although there are other common FAQs related to Android security, you can at least rely on these answers to make your Android app more secure.

#ISA_informs  #ISA_ltd

Categories
Apps Internet Security Mobile Phones

Four Ways to Infect Your Android Devices with Malware.

Although we often blame exploit writers for developing malicious code for purposes such as reading one’s credentials, spying on a user’s communication and so on, we ought to blame ourselves periodically for allowing our Android devices to become pregnant with malware.

This article briefly exposes four ways users and employees unknowingly infect their Android devices with malware.

  • Sideloading apps:

Sideloading refers to an Android user deliberately installing apps from third-party stores, or from downloaded APK files, instead of pulling them from Google Play. Many third-party store apps are infected with malware, because there is no proper vetting of the apps hosted on these stores. Thus, we recommend that you download apps from Google Play.

  • Installing apps with numerous permissions:

Most users and employees fail to review the list of permissions an app requires in order to function on an Android device. Before an app is installed on your device, it declares a list of permissions that you must accept if you want the app. Malware takes advantage of over-permissioned, loosely protected apps to retrieve users’ data and send it back to a remote server.

  • Confirming flashy updates from random websites:

“Something-xxx antivirus is outdated. Please download the current version from xyz.com.” We often see flashy update prompts like this on our mobile screens, in the form of pop-up or ‘Toast’ messages warning about software expiration. Yes, software does go out of date, but a prompt from a random website is not the vendor. We advise users to update software only through the app store or directly from the vendor’s own website.

  • Clicking links on online forums:

This is one of the easiest ways, one even script kiddies can use, to get a malicious APK onto your Android device: a link whose visible text looks harmless leads to a download page or an exploit kit. If a link on a topic interests you, long-press or hover over it and read the real destination first, or copy the link and paste it into the address bar so you can inspect the actual URL before loading it. That is safer than clicking through blindly.

Avoiding these behaviours can save your Android device from the malware lurking in the cyber world.

#ISA_informs    #ISA_Ltd

Categories
Internet Security

Five Ways To Battle E-Mail Attacks

‘Stop, Look, Think’ is the principle we rely on when reading mail of all sorts from different sources. Indeed, we have benefited from this S-L-T principle, so we want to show you how you can use it to battle email attacks targeted at your staff.

Stop and read the mail thoroughly: Phishers in a hurry to retrieve personal information via deceptive messages tend to make grammatical errors. A careful look and a thorough read can save you from being deceived by an amateur phisher.

Verify with the company: After you have read the message, contact the company through a channel you already know, such as its published phone number or website rather than any contact details in the message, and ask whether it sent the message in your inbox. It is worth doing just to be sure you are reading a message from the legitimate company.

Observe again and again: US Navy SEALs are noted for observing a target for a long period before moving on it physically. You can employ the same technique to understand the intent of a message. For instance, you receive a message informing you of a prize you have won. In reality, you never entered a competition, so how could you win a prize?

Analyze links embedded in messages: You need to analyze the links in messages sent to your inbox. Nowadays, phishers carefully create links that look almost identical to a legitimate company’s.

For instance: www.support.klm.de. Do not be reassured by a familiar word such as ‘support’ in front of the company name. What decides who owns a link is the registrable domain at the end of the host name (klm.de in this example), and a phisher can register any similar-looking domain the company does not already own, so check whether that domain really belongs to the company. You can analyze links by hovering your mouse over them or by observing the final destination of the link in the URL bar before it loads.

Think deeply enough: Finally, think deeply about the link itself. Some phishers are clever enough to create a link that looks like a legitimate company’s. Let’s analyze these two links: www.isa.com.gh || www.isa.com. Which one is the legitimate link of the cybersecurity company in Ghana? The two differ only in the top-level domain, and anyone can register the one the company does not own. It is worth thinking before clicking on a link.
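The ‘Look’ and ‘Think’ steps above can be turned into a checklist a script applies for you. The Python below is an added example written for this post (not the author’s code): given a link and the set of registrable domains the company really owns, it reports the tricks phishers rely on, namely the company’s name used as a sub-label of someone else’s domain, credentials in front of an @ that hide the real host, raw IP addresses, punycode hosts, and visible link text whose domain differs from the real destination. The suffix table is a small stand-in for the Public Suffix List, and every URL other than isa.com.gh is constructed for the example.

```python
"""Pull apart a link the way the 'Look' and 'Think' steps above describe.

Added example for this post, not the author's code. The suffix table is a
stand-in for the Public Suffix List (publicsuffix.org); the URLs other than
isa.com.gh are constructed.
"""
import re
from urllib.parse import urlsplit

# Second-level suffixes under which the registrable name is the third label
# from the end. A real check would load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.gh", "org.gh", "co.uk", "org.uk", "com.au"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """'www.isa.com.gh' -> 'isa.com.gh'; 'www.isa.com' -> 'isa.com'."""
    host = host.lower().rstrip(".")
    if IPV4.match(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _split(url):
    if "://" not in url:
        url = "http://" + url  # bare hosts as they appear in mail bodies
    return urlsplit(url)


def analyze_link(url, trusted_domains):
    """Return ('ok' | 'suspicious', [reasons]) for one link."""
    parts = _split(url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the host; real host is %r" % host)
    if IPV4.match(host):
        reasons.append("raw IP address %r instead of a company domain" % host)
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host %r: may imitate a name with look-alike characters" % host)
    domain = registrable_domain(host)
    if domain not in trusted_domains:
        reasons.append("registrable domain %r is not one the company owns" % domain)
        for trusted in trusted_domains:
            if trusted in host and domain != trusted:
                reasons.append("%r appears only as a sub-label of %r" % (trusted, domain))
    return ("suspicious" if reasons else "ok", reasons)


def link_text_mismatch(visible_text, href):
    """True when the text shown for a link names a different domain than its target."""
    if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", visible_text, re.I):
        return False  # plain words such as 'click here' carry no domain to compare
    shown = registrable_domain(_split(visible_text.strip()).hostname or "")
    return shown != registrable_domain(_split(href).hostname or "")


if __name__ == "__main__":
    trusted = {"isa.com.gh"}
    for link in ("https://www.isa.com.gh/contact", "www.isa.com",
                 "http://isa.com.gh.account-verify.net/login",
                 "https://isa.com.gh@203.0.113.9/login"):
        print(link, analyze_link(link, trusted))
    print(link_text_mismatch("https://www.isa.com.gh/login", "https://www.isa.com/login"))
```

Run on the page’s own pair, www.isa.com.gh passes and www.isa.com is flagged because its registrable domain is isa.com; the account-verify.net example shows why reading from the right-hand end of the host name matters.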

You can employ these techniques to ward off email attacks and phishing against your employees or clients. Moreover, you can contact us for practical user awareness training based on social engineering attacks and their prevention.