Tuesday 28 July 2015

Stagefright vulnerability on Android

A few days ago, experts from Zimperium mobile security discovered a vulnerability which they named it as 'Stagefright'. A vulnerability that allows a user to compromise Android devices via sending a malicious mms. This mms will then execute a code that can delete your messages even before you see it. 



Below is how the attack works.


According to Zimperium's blog, as of now, only Android devices protected by Zimperium’s advanced Enterprise Mobile Threat Protection solution, zIPS, protects its enterprise customers from Stagefright vulnerability and also SilentCircle’s Blackphone. 

Nevertheless, there are ways one can protect itself from such attack via manually changing the settings of the phone. As the attack primarily uses MMS as its platform of attacks, users of Android devices can disable the MMS settings (temporarily until Google release the official updates for it)

For Android's messaging:

Go to your Messages settings

Click on Multimedia Messages

By default, the 'Auto Retrieve' of MMS is checked

If you rarely used this function, i recommend that you uncheck this option.

For Google Hangout

Go to your Google Hangout Account

Select SMS

Uncheck the 'Auto retrieve MMS' settings.

Now, you are safe from the attack. However, if you are using other messaging platform/app to send or retrieve sms/mms, i recommend you check the settings and uncheck the MMS retrieval. 

Now we wait for the update/patch from Google.




RSA Asia Pacific & Japan in Singapore 2015

Had a chance to visit this annual RSA conference. Though technically, i didn't attend the conference, but instead, i went for the free visitor pass to visit the vendors booth. It was a great atmosphere though it was not as huge as the likes of GovWare or Interpol. I had a great time meeting my ex-colleagues and great to see them doing well in their respective professions.

At the RSA event

Ex-colleagues at the event

Random Pictures of the Vendors Booths



















Thursday 9 July 2015

BOMTOTAL.com - Check your Bill of Materials

Bomtotal.com is an initiative created by Codenomicon to provide visibility into the bill of materials of an application. By uploading an executable file to bomtotal.com, you will be provided with a list of components inside your executable. This will also show you not just the third party components but also the versions associated with the components. 

How to use it? 

Simply go to www.bomtotal.com and upload any binary file to the site

Once uploaded, you will be shown the version of the application, the third party components used and the versions associated with it.

Why do you need the BOM?

In early December 2014, representatives from the US introduced H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014." The legislation will ensure all contractors of software, firmware or products to the federal government provide the procuring agency with a bill of materials of all third party and open source components used, and demonstrate that those component versions have no known vulnerabilities.


Which means, that the the "Cyber Supply Chain Management and Transparency Act of 2014" requires any Hardware/Software/Firmware sold to any agency must come with the Bill of Materials and vendors must prove that their HW/SW/FW must not use known vulnerable components or at least a less vulnerable version.


Wait a minute! BOM and Vulnerable components? 

By default, bomtotal.com do not provide the information whether or not the version of the components used are vulnerable. However, while Codenomicon's Appcheck is solely designed for this (and much much more visibility/reports/formats/interface), we can find out whether or not the components are vulnerable based on the version information manually. 

Taking example of the Citrix application that we have uploaded to Bomtotal.com, we can see that there are 2 components used. One is an OpenSSL with the version 0.9.8. 

Knowing the version, visit www.cvedetails.com and search for the version of the component


Select the appropriate link


And tadaaaa, you can see all the vulnerabilities associated to the component.


How this helps Organizations?
Having visibility to the BOM is one thing, knowing the vulnerabilities associated with the components is another. As stakeholders of the organization, one can have the transparency of the software composition during initial stages of procurement of software. Also, this will provide managers to understand the risks involved of an executable even before installing it to the corporate environment thereby making calculated decisions based on the risks involved. 

Advantages for Bomtotal.com

It is designed as its name, to provide the Bill of Materials of an application. Nothing more than that. Codenomicon's Appcheck does provide the BOM and more with automatically providing all the versions as well as the vulnerabilities associated with them, visibility of licenses used in these components, remediation via instant simulation, report generation in multiple formats and many many more. While the manual way can be done, it is definitely time consuming if one were to upload GBs of data size and contain hundreds to thousands of third party components. Surely, automation definitely helps alot in this form of binary analysis through software composition analysis via Codenomicon's AppCheck.

Curious about the power of AppCheck? Check out the link to find more information about it.