SlideShare une entreprise Scribd logo

You installed what Thierry Sans

OWASP-Qatar Chapter
OWASP-Qatar Chapter

Malware Inc is a group of 6 students who developed proof-of-concept malware applications targeting popular platforms to better understand security risks. They created apps that could access private user data like passwords, profiles, and keystrokes without permission for Google App Engine, Facebook, Firefox, Google Chrome, Android, and iOS. While the apps used allowed APIs, they highlighted how the "feeling of security" from legitimate sources can be exploited. The student concluded more proactive development and auditing tools are needed to reliably audit apps before installation and prevent malware.

Technologie
1  sur  44
Télécharger pour lire hors ligne
Malware Inc Thierry Sans
What is a malware? Malware = Malicious Software “Software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs.” definition from Wikipedia
How to prevent malware? ✓ Anti-malware monitors programs running on your OS • can detect well-known malicious programs (signature) • can detect abnormal behaviors • can run applications in sandboxes ✓ Awareness and good practices
A new generation of software a.k.a.“apps” Mobile Cloud Web Browser
Mobile Web Browsers Cloud Apple iOS Google Android Mozilla Firefox Google Chrome Google App Engine Facebook
Definition of an App Ecosystem • apps are running on a specific platform • apps are built based on a specific SDK • apps are distributed through a dedicated portal
With a new generation of software ... ... comes a new generation of malware! With new usages ... ... comes new threats!
Malware Inc Goals ✓ 6 students = 6 hackers to develop malware ➡ become security experts for a specific technology
Mobile Web Browsers Cloud Ossama Obeid Rami Al-Rihawi Fahim Dalvi Baljit Singh Talal Al-Haddad Manoj Reddy
Google App Engine Manoj Reddy
What is a Google App Engine App? • Google App Engine allows developers to build and run web applications on the Google’s infrastructure ➡ The Google App Engine SDK gives you access to • General services (Search, Maps ...) • User-centric services (Gmail, Calendar, Checkout ...)
G-stats App A cool web application that will show you some statistics about your GMAIL mailbox Scans your mailbox for email with login and password and forward it to the hacker’s website
What is the risk? ✓ Only few websites send your login and password by email ๏ But • How many different passwords do you have? • What are the other websites that you use? • What else can I find in your emails?
How bad is it?
Facebook Talal Al-Haddad
What is a Facebook app? • A Facebook app is a web application that can access your Facebook profile ✓ The authentication is done through Facebook ๏ The web application is not hosted on Facebook but on the developer’s server ➡ After authentication, the application can download user’s data and do something useful ... or malicious
Best Buddy App A cool application that will tell you who your best friends are on Facebook 1. Asks you to re-enter your Facebook password and send it to the hacker’s website 2. Makes a copy of your profile on the hacker’s website 3. Recommend the application to your friends by posting a message on their wall
How bad is it?
Mozilla Firefox Fahim Dalvi
What is a Firefox Extension? • A Firefox app is an additional piece of code that provides new functionalities to Firefox or enhance the existing ones ➡ The Firefox SDK gives you access to • The user interface and the functionalities of Firefox • The web contents in the tabs • The Operating System
Live Edit App A cool application that allows you to customize or translate any webpage that you are visiting Silently downloads and executes a key- logger program that records any keystroke made on your computer and send them to the hacker’s website
Another key logger ... but an undetectable one! ๏ Key loggers are easily detectable ➡ Key loggers open a network socket to send data ✓ Live Edit malware does not open any network socket ➡ It sends data through Firefox which is a legitimate app (tested with Symantec Anti-malware)
How bad is it?
Google Chrome Baljit Singh
What is a Google Chrome Extension? • A Chrome app is an additional piece of code that will provide new functionalities to Chrome or enhance the existing ones ➡ The Google Chrome SDK gives you access to • The user interface and the functionalities of Chrome • The web content in the tabs
Easy Screenshot App A cool application that enables you to take a screenshot of your browser tab easily Automatically takes screenshots when visiting specific login pages that use a virtual keyboard and send these images to the hacker’s website
What is the risk?
How bad is it?
Google Android (work in progress) Rami Al-Rihawi
What is an Android app? • An Android app is a third-party application installed on your Android device ➡ The Android SDK gives you access to device functionalities and its data ➡ Apps are not reviewed by Google before being published on Google Play • text messages • emails • location • calendar • contacts • notes
Easy Phone Calls App A cool application that automatically creates shortcut buttons to call people with who you were in touch recently Can be remotely controlled to make your phone call the hacker
How bad is it?
Apple iOS (work in progress) Ossama Obeid
What is an iOS app? • An iOS app is a third-party application installed on your iOS device ➡ The iOS SDK gives you access to the device functionalities and its data
iOS is very “controlled” • The functionalities of the iOS SDK are more restrictive than Android • No access to emails (except sending emails) • No access to text messages • Apps are reviewed by Apple before being published on the App Store • Apple is very reactive and modifies its SDK when a malware is discovered
How bad is it?
Conclusion
About these malware • We did not break anything ✓ They are “legitimate” programs that uses functionalities offered by the SDK • We developed these malware as proof of concepts ๏ We will not publish these malware
Malware Inc Goals • Have a better understanding of popular app ecosystems • Assess the risk of exposure to a malware • Create new security mechanisms against malware
Preventing cloud-based malware ➡ The application runs in the cloud but not on the user’s device ๏ Hard to review or audit the application
Preventing malware on mobiles and web browsers ➡ The application runs on the user’s device ✓ Easier to audit the application • Anti-malware apps are emerging on some platforms
The wrong feeling of security ➡ These “apps” come from a legitimate source ๏ People trust these “apps”
My idea for a more secure app ecosystem • We need to be more proactive and make programs reliable from their conception • We need new development tools that will allows us to audit programs and know what they do before installing or executing them ✓ The Qwel programming language ➡ YSREP project funded by the Qatar National Research Fund (QNRF)
ThankYou

Recommandé

Android security testing
Android security testingAndroid security testing
Android security testing
VodqaBLR
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
OWASP
 
How to choose a database for your pet project
How to choose a database for your pet projectHow to choose a database for your pet project
How to choose a database for your pet project
Alexander Yakubchyk
 
Digital Apps Development & Debugging
Digital Apps Development & DebuggingDigital Apps Development & Debugging
Digital Apps Development & Debugging
Experitest
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
API Security with Postman and Qualys
API Security with Postman and QualysAPI Security with Postman and Qualys
API Security with Postman and Qualys
Postman
 

Recommandé

Android security testing
Android security testingAndroid security testing
Android security testing
VodqaBLR
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
OWASP
 
How to choose a database for your pet project
How to choose a database for your pet projectHow to choose a database for your pet project
How to choose a database for your pet project
Alexander Yakubchyk
 
Digital Apps Development & Debugging
Digital Apps Development & DebuggingDigital Apps Development & Debugging
Digital Apps Development & Debugging
Experitest
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
API Security with Postman and Qualys
API Security with Postman and QualysAPI Security with Postman and Qualys
API Security with Postman and Qualys
Postman
 
Cross-platform mobile that Works - Coobers
Cross-platform mobile that Works - CoobersCross-platform mobile that Works - Coobers
Cross-platform mobile that Works - Coobers
Coobers
 
Evernote release process
Evernote release processEvernote release process
Evernote release process
Reid Baker
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
karthz
 
Application security in current era
Application security in current eraApplication security in current era
Application security in current era
ajitdhumale
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
[Srijan Wednesday Webinars] Building a High Performance QA Team
[Srijan Wednesday Webinars] Building a High Performance QA Team[Srijan Wednesday Webinars] Building a High Performance QA Team
[Srijan Wednesday Webinars] Building a High Performance QA Team
Srijan Technologies
 
Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
nCircle - a Tripwire Company
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account Takeover
IMMUNIO
 
Selenium presentation
Selenium presentationSelenium presentation
Selenium presentation
shivani thakur
 
Microsoft Community Day - Developer Track Introduction
Microsoft Community Day - Developer Track IntroductionMicrosoft Community Day - Developer Track Introduction
Microsoft Community Day - Developer Track Introduction
Eran Stiller
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
n|u - The Open Security Community
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
Wardell Motley, NSA IAM\IEM
 
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
Sencha
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
Pietro F. Maggi
 
Selenium training
Selenium trainingSelenium training
Selenium training
Shivaraj R
 
Inspector
InspectorInspector
Inspector
Sudipto Chakraborty
 
Predstavitev Kaspersky PURE 3.0 Total Security
Predstavitev Kaspersky PURE 3.0 Total SecurityPredstavitev Kaspersky PURE 3.0 Total Security
Predstavitev Kaspersky PURE 3.0 Total Security
Dejan Pogačnik
 
owasp_meetup_12_10
owasp_meetup_12_10owasp_meetup_12_10
owasp_meetup_12_10
sean_todd
 
Autonomous Incident and Root Cause Detection
Autonomous Incident and Root Cause DetectionAutonomous Incident and Root Cause Detection
Autonomous Incident and Root Cause Detection
DevOps.com
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test Automation
Andreas Jakl
 
Introduction to Session Management Dana Al-abdulla
Introduction to Session Management Dana Al-abdullaIntroduction to Session Management Dana Al-abdulla
Introduction to Session Management Dana Al-abdulla
OWASP-Qatar Chapter
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
OWASP-Qatar Chapter
 

Contenu connexe

Tendances

香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
[Srijan Wednesday Webinars] Building a High Performance QA Team
[Srijan Wednesday Webinars] Building a High Performance QA Team[Srijan Wednesday Webinars] Building a High Performance QA Team
[Srijan Wednesday Webinars] Building a High Performance QA Team
Srijan Technologies
 
Predstavitev Kaspersky PURE 3.0 Total Security
Predstavitev Kaspersky PURE 3.0 Total SecurityPredstavitev Kaspersky PURE 3.0 Total Security
Predstavitev Kaspersky PURE 3.0 Total Security
Dejan Pogačnik
 
owasp_meetup_12_10
owasp_meetup_12_10owasp_meetup_12_10
owasp_meetup_12_10
sean_todd
 
Autonomous Incident and Root Cause Detection
Autonomous Incident and Root Cause DetectionAutonomous Incident and Root Cause Detection
Autonomous Incident and Root Cause Detection
DevOps.com
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test Automation
Andreas Jakl
 

Tendances (20)

Cross-platform mobile that Works - Coobers
Cross-platform mobile that Works - CoobersCross-platform mobile that Works - Coobers
Cross-platform mobile that Works - Coobers
 
Evernote release process
Evernote release processEvernote release process
Evernote release process
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
Application security in current era
Application security in current eraApplication security in current era
Application security in current era
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
[Srijan Wednesday Webinars] Building a High Performance QA Team
[Srijan Wednesday Webinars] Building a High Performance QA Team[Srijan Wednesday Webinars] Building a High Performance QA Team
[Srijan Wednesday Webinars] Building a High Performance QA Team
 
Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
 
The Quiet Rise of Account Takeover
The Quiet Rise of Account TakeoverThe Quiet Rise of Account Takeover
The Quiet Rise of Account Takeover
 
Selenium presentation
Selenium presentationSelenium presentation
Selenium presentation
 
Microsoft Community Day - Developer Track Introduction
Microsoft Community Day - Developer Track IntroductionMicrosoft Community Day - Developer Track Introduction
Microsoft Community Day - Developer Track Introduction
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
 
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
Selenium training
Selenium trainingSelenium training
Selenium training
 
Inspector
InspectorInspector
Inspector
 
Predstavitev Kaspersky PURE 3.0 Total Security
Predstavitev Kaspersky PURE 3.0 Total SecurityPredstavitev Kaspersky PURE 3.0 Total Security
Predstavitev Kaspersky PURE 3.0 Total Security
 
owasp_meetup_12_10
owasp_meetup_12_10owasp_meetup_12_10
owasp_meetup_12_10
 
Autonomous Incident and Root Cause Detection
Autonomous Incident and Root Cause DetectionAutonomous Incident and Root Cause Detection
Autonomous Incident and Root Cause Detection
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test Automation
 

En vedette

Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey
OWASP-Qatar Chapter
 
Defending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamDefending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason Lam
OWASP-Qatar Chapter
 

En vedette (8)

Introduction to Session Management Dana Al-abdulla
Introduction to Session Management Dana Al-abdullaIntroduction to Session Management Dana Al-abdulla
Introduction to Session Management Dana Al-abdulla
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey
 
Securing the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanSecuring the channel - Tarkay Jamaan
Securing the channel - Tarkay Jamaan
 
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation top 10 changes 2013 - Tarun GuptaOwasp qatar presentation top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
 
Secure management of credentials - Zouheir Abdulla
Secure management of credentials - Zouheir AbdullaSecure management of credentials - Zouheir Abdulla
Secure management of credentials - Zouheir Abdulla
 
Defending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamDefending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason Lam
 
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
 

Similaire à You installed what Thierry Sans

I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
Harsimran Walia
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
NIRMAL RAJ
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
NoNameCon
 

Similaire à You installed what Thierry Sans (20)

I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation APIAnti-tampering in Android and Take Look at Google SafetyNet Attestation API
Anti-tampering in Android and Take Look at Google SafetyNet Attestation API
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptx
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Hybrid Mobile App
Hybrid Mobile AppHybrid Mobile App
Hybrid Mobile App
 
Hybrid mobile app
Hybrid mobile appHybrid mobile app
Hybrid mobile app
 
QBS Visual Studio 2012 and modern windows apps
QBS Visual Studio 2012 and modern windows appsQBS Visual Studio 2012 and modern windows apps
QBS Visual Studio 2012 and modern windows apps
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
 
Launch High Performing Mobile Apps with Appurify
Launch High Performing Mobile Apps with AppurifyLaunch High Performing Mobile Apps with Appurify
Launch High Performing Mobile Apps with Appurify
 
Mobile App vs Mobile Web Development
Mobile App vs Mobile Web DevelopmentMobile App vs Mobile Web Development
Mobile App vs Mobile Web Development
 
Virus cleaner
Virus cleanerVirus cleaner
Virus cleaner
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

You installed what Thierry Sans

  • 2. What is a malware? Malware = Malicious Software “Software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs.” definition from Wikipedia
  • 3. How to prevent malware? ✓ Anti-malware monitors programs running on your OS • can detect well-known malicious programs (signature) • can detect abnormal behaviors • can run applications in sandboxes ✓ Awareness and good practices
  • 4. A new generation of software a.k.a.“apps” Mobile Cloud Web Browser
  • 6. Definition of an App Ecosystem • apps are running on a specific platform • apps are built based on a specific SDK • apps are distributed through a dedicated portal
  • 7. With a new generation of software ... ... comes a new generation of malware! With new usages ... ... comes new threats!
  • 8. Malware Inc Goals ✓ 6 students = 6 hackers to develop malware ➡ become security experts for a specific technology
  • 9. Mobile Web Browsers Cloud Ossama Obeid Rami Al-Rihawi Fahim Dalvi Baljit Singh Talal Al-Haddad Manoj Reddy
  • 11. What is a Google App Engine App? • Google App Engine allows developers to build and run web applications on the Google’s infrastructure ➡ The Google App Engine SDK gives you access to • General services (Search, Maps ...) • User-centric services (Gmail, Calendar, Checkout ...)
  • 12. G-stats App A cool web application that will show you some statistics about your GMAIL mailbox Scans your mailbox for email with login and password and forward it to the hacker’s website
  • 13. What is the risk? ✓ Only few websites send your login and password by email ๏ But • How many different passwords do you have? • What are the other websites that you use? • What else can I find in your emails?
  • 14. How bad is it?
  • 16. What is a Facebook app? • A Facebook app is a web application that can access your Facebook profile ✓ The authentication is done through Facebook ๏ The web application is not hosted on Facebook but on the developer’s server ➡ After authentication, the application can download user’s data and do something useful ... or malicious
  • 17. Best Buddy App A cool application that will tell you who your best friends are on Facebook 1. Asks you to re-enter your Facebook password and send it to the hacker’s website 2. Makes a copy of your profile on the hacker’s website 3. Recommend the application to your friends by posting a message on their wall
  • 18. How bad is it?
  • 20. What is a Firefox Extension? • A Firefox app is an additional piece of code that provides new functionalities to Firefox or enhance the existing ones ➡ The Firefox SDK gives you access to • The user interface and the functionalities of Firefox • The web contents in the tabs • The Operating System
  • 21. Live Edit App A cool application that allows you to customize or translate any webpage that you are visiting Silently downloads and executes a key- logger program that records any keystroke made on your computer and send them to the hacker’s website
  • 22. Another key logger ... but an undetectable one! ๏ Key loggers are easily detectable ➡ Key loggers open a network socket to send data ✓ Live Edit malware does not open any network socket ➡ It sends data through Firefox which is a legitimate app (tested with Symantec Anti-malware)
  • 23. How bad is it?
  • 25. What is a Google Chrome Extension? • A Chrome app is an additional piece of code that will provide new functionalities to Chrome or enhance the existing ones ➡ The Google Chrome SDK gives you access to • The user interface and the functionalities of Chrome • The web content in the tabs
  • 26. Easy Screenshot App A cool application that enables you to take a screenshot of your browser tab easily Automatically takes screenshots when visiting specific login pages that use a virtual keyboard and send these images to the hacker’s website
  • 27. What is the risk?
  • 28. How bad is it?
  • 29. Google Android (work in progress) Rami Al-Rihawi
  • 30. What is an Android app? • An Android app is a third-party application installed on your Android device ➡ The Android SDK gives you access to device functionalities and its data ➡ Apps are not reviewed by Google before being published on Google Play • text messages • emails • location • calendar • contacts • notes
  • 31. Easy Phone Calls App A cool application that automatically creates shortcut buttons to call people with who you were in touch recently Can be remotely controlled to make your phone call the hacker
  • 32. How bad is it?
  • 33. Apple iOS (work in progress) Ossama Obeid
  • 34. What is an iOS app? • An iOS app is a third-party application installed on your iOS device ➡ The iOS SDK gives you access to the device functionalities and its data
  • 35. iOS is very “controlled” • The functionalities of the iOS SDK are more restrictive than Android • No access to emails (except sending emails) • No access to text messages • Apps are reviewed by Apple before being published on the App Store • Apple is very reactive and modifies its SDK when a malware is discovered
  • 36. How bad is it?
  • 38. About these malware • We did not break anything ✓ They are “legitimate” programs that uses functionalities offered by the SDK • We developed these malware as proof of concepts ๏ We will not publish these malware
  • 39. Malware Inc Goals • Have a better understanding of popular app ecosystems • Assess the risk of exposure to a malware • Create new security mechanisms against malware
  • 40. Preventing cloud-based malware ➡ The application runs in the cloud but not on the user’s device ๏ Hard to review or audit the application
  • 41. Preventing malware on mobiles and web browsers ➡ The application runs on the user’s device ✓ Easier to audit the application • Anti-malware apps are emerging on some platforms
  • 42. The wrong feeling of security ➡ These “apps” come from a legitimate source ๏ People trust these “apps”
  • 43. My idea for a more secure app ecosystem • We need to be more proactive and make programs reliable from their conception • We need new development tools that will allows us to audit programs and know what they do before installing or executing them ✓ The Qwel programming language ➡ YSREP project funded by the Qatar National Research Fund (QNRF)