Mobile Security Part II

Introduction

Welcome back! It’s been a minute since last we chatted, is that a new haircut? Looks great, like a younger Valentina Petrenko [1], very sleek. What's new? I’ve been busy, although I’m still bound to this keyboard, churning out blog posts for my scholastic overlords. What was it we last discussed, oh yes, "The cultural implications of Sesame Street; how Saturday Morning Cartoons gave rise to a new generation of Serial Killers and bed wetters". Wait a minute, no. Let me go back and check. Oh jeez do I ever have egg on my face. We last talked about cyber security, of course. The Sesame Street Serial Psychos are next week, what a silly goose I am. Let's get back on track with cyber security and the real focus of this blog series, which is Mobile Device Security.


Our devices make our lives quick and simple. Food, clothing, shelter, and entertainment are all at our fingertips 24/7/365. There couldn’t possibly be any downside to this right? Right! None at all, blog finished…. Or at least that’s what those looking to take advantage of you would say. The reality is every device you own is a potential target. Every single piece of technology you possess that has any connection to the internet, even transitionally, can be attacked. Now whether or not such an intrusion will be disastrous is up to the owner of the device. Teaching people to use their devices is a given, but too often teaching them to secure their devices falls by the wayside.


I’m reminded of a stay at the glorious Medicine Hat Lodge hotel with my family when I was a child. I went to get ice but didn’t know where the ice machine was, a random guy told me he knew so I followed him to the next floor up to get ice. Then we went our separate ways. Unbeknownst to me, my father had seen this interaction. He approached me saying we needed to get something from the car, so we dropped off our ice and headed to the parking lot. Once there we stood in front of the trunk and he opened it. I looked in and saw nothing and suddenly he stuffed me in the trunk and closed the lid. I was confused and asked “why hast thou art forsaken me father?”. His response was that I trusted a stranger and this is what could have happened to me if that random ice machine guy had watched Sesame Street as a child. This moment has always stayed with me, now is that because it was mild child abuse and I’ve been traumatized? Who knows, it was the 90’s, a desolate and dusty, wild west of a decade.


My possible PTSD aside, we teach young children to avoid strangers giving out candy or puppies or puppies with candies in their mouths because of fear of the unknown and the danger inherent in those situations. However since that dusty decade crime has gone down significantly. Kids are safer than ever comparatively, but one area where crime is still rising quickly is online. Lessons on how to protect and prevent cyber attacks should be as ubiquitous as the stranger danger doctrine.


Every single person on this earth needs to understand and respect the danger they are in. So for this series of blog posts that is what I aim to do. This isn’t just a public service announcement or anything though. There is flesh on these bones I assure you (the cannibals that read this blog probably love that line). First we’ll delve into the philosophy of cyber security. Next, some of the most common mobile device attacks and how they work. The grand finale will be a video demonstration. Using the Android VM we created in the first demonstration I will show an attack in progress, going from reconnaissance to penetration and a little past. So strap yourself in at the feed trough of my hubris, because I’m about to drop the most informative, exciting blog in history (just kidding, it’ll be alright though, probably, fingers-crossed).


The philosophy of cyber security

“Know the Enemy and Know Yourself… All warfare is based on deception … The army that wins is the one animated by the same spirit in all its ranks.” -Paraphrased from “The Art of War” by Sun Tzu

“The Art of War” by Sun Tzu is one of the most treasured pieces of human analysis in history. Written around the 5th century BC by a strategic expert in the Chinese military, “The Art of War” aimed to take stock of everything the Chinese forces had to offer and how best to use it. Nowadays the book is valued for its insight into gaining success in conflict. Many cyber security experts draw inspiration from this text because cyber security is an ever-active conflict. In this section of the blog I will bring up 3 of the most pertinent ideas from Sun Tzu and their connection to cyber security.


"Know the Enemy and Know Yourself"

In both attack and defense, one should think not only from their own perspective. Those who have their opponent's point of view clear in mind can formulate strategies to surprise and confuse the enemy. In cyber security we must be able to think like the enemy. If, for example, we wanted to gain access to an Android device, we could create an application installer that is poisoned to give us a listening port so we could command line into the device. However this would not work, because when installing a new program the user is shown all the permissions that program is asking to use. Even a less than astute victim would comprehend that no reasonable app would ask for all that access. In this scenario we have thought only of our own goals and strategies. Thinking from the victim's point of view might point us in a different direction. We could think about what kind of situation would put the user at ease about giving out personal details or access. Maybe a website login SQL injection or a public WiFi login credential redirect. In those situations it's less clear where their info is going, but they are put at ease because it is over quickly and they get access to what they wanted.


On the flip side and from the defense mindset, security professionals need to be able to get in the mind space of a bad actor. What are a hacker’s goals, how will they attempt to achieve them? A common idea is that while hackers are dedicated to their crimes, they much prefer the easy approach which is to attack the weakest point. From a security standpoint, the weakest links in a company are always the people. People are much easier to trick than computers.


From a technology slant, the weakest part of a company is often its mobile devices. Weak people take their weak devices to public places and use public networks. These kinds of situations have hackers foaming at the mouth. If sensitive company data is stored on work phones, taken to the local bean brewery and used on an insecure WiFi, it puts the whole company at risk. These thoughts need to be in the minds of defenders. By thinking like a hacker, defenders can self-direct themselves to the obvious attack points and shore up defenses effectively [3].



“All warfare is based on deception … The army that wins is the one animated by the same spirit in all its ranks.”

I cheated a little with this one and am combining two ideas into one entry, oh well, sue me. The concept of all warfare being based on deception is as true now as in the 5th century BC. Sneak attacks, lies and double-dealing are all real problems in global conflicts and especially so in cyber security. Trust is never given lightly in the world of security, or at least it shouldn’t be… And while security professionals recognize when things smell rotten, the average Joseph Shmoseph likely isn’t as vigilant. So these two tenets from Sun Tzu combine into the mentality of hyper-vigilance. Defenders that see things from the attacker's perspective know that attacks won’t stop, ever! It is imperative that even the most average user be made aware of the hallmarks of deceptive intrusion methods. From a mobile device perspective this includes things like phishing, fake web portals and social engineering (some of which will be explored in a later section) [3] [4].


Users need to learn the signals of deception within innocuous situations. Things like strange grammar or spelling mistakes, low quality images, and fantastical claims can all point to deception. Teaching users individually isn’t quite enough. The second point from Sun Tzu posits that fostering an organization-wide vigilance is vital to defense. If a spirit of security-mindedness is reinforced throughout an organization, people will look out for each other, developing a sense of responsibility towards security. Rooting out indifference in the ranks is paramount because a blasé attitude will spread like cancer, leaving cracks for hackers to slip into.


There are many more nuggets from “The Art of War” that cyber security participants take as gospel. However this post is intended to just show a glimpse into the importance of the ancient text, and how it shapes the duality of cyber security. Red and Blue hatted warriors both look to Sun Tzu in hopes of sharpening their methods, which leads into the next part of this journey into cyber security [3] [4].


For part 3 I want to dive into the common methods by which nefarious ne'er-do-wells try and insinuate themselves into mobile devices. So tune in next week. Same Zac-time, same Zac-channel! Well actually it's just a blog so there's no tuning per se, and also it’ll be right after this paragraph because people complained that I separated my posts into too many sections, so yeah….

[5]



Common attack types

Typically attacks against mobile devices fall within 4 categories:

1. Application-based threats – Threats emanating from within applications. The user downloads an application they think is legitimate, but housed inside is malware or spyware that gobbles up their data [6].

2. Web threats – The user visits a seemingly innocent website, then, unbeknownst to them, harmful files or applications are installed onto their device [6].

3. Network threats – Threats based on the reliability of the wireless network the user connects to. These often come from connecting to unsecured public WiFi networks. Data sent across such a network is not encrypted by the network itself and is easily intercepted [6].

4. Physical threats – These comprise situations where whole devices are stolen and attackers have full access to the physical device, which makes extracting important data simple [6].

From within these 4 categories, here are some of the most common attack types mobile device users should be aware of:



Social Engineering - The concept of social engineering plays into the idea that the weakest point in any security system is actually the people. Maybe 9 out of 10 people are vigilant (a generous estimate…), while that 10th person can be exploited with a smooth little maneuver. Social engineering involves a bad actor communicating with the victim in such a way as to build a level of trust and then exploit it to gain access. One method of social engineering that is quite prevalent is called “phishing”, which is when fake emails are sent to victims in the hopes of gaining their trust. It may be a sob story trying to convince people to send money out of pity, or a fake windfall that the victim has apparently won [7].


Also common in phishing attacks are fake emails appearing to be from a business or employer, emails that encourage the victim to enter their login info or download malicious software under the guise of a work problem or account issue. Social engineering is a test of psychological strength and situational awareness, which is best fostered through training. Companies should employ regular social engineering training to help employees spot the signs. For mobile devices the best way to avoid these attacks is to always keep what's on your screen as hidden as possible, and to not make your participation with a company or account too well-known. Attackers can use information they overhear to later make a move. Don't tie too much personal information to a specific mobile device, keep all communication encrypted and don't hand over trust unless absolutely necessary [7].


Public WiFi - Free internet in a public place, one of life’s great conveniences. This creature comfort, though, is one of the most dangerous and prevalent cyber threats today. Normally when connecting to a WiFi network a password is required. The security protocol used on most password-protected wireless networks today is WPA2, and if the password is sufficiently complex this security type is considered fairly safe, meaning the likelihood of someone cracking that password is low. Someone not connected to the network is unlikely to be able to intercept information sent by people on the network, or at the least they would have to try quite hard to get to it. With an unsecured WiFi network anyone can get on and use packet sniffers to intercept HTTP traffic. If that traffic is unencrypted the hacker will have clear text copies of things like account names and passwords [8].


The danger is not just confined to legitimate free public WiFi networks though. An attacker can easily set up their own public hot spot to gobble up as much data as possible, or compromise the server that enables a legitimate hot spot. The best way to avoid this is to steer clear of unsecured open wireless networks. However, since any public WiFi could be compromised, it is recommended to use a VPN on all public networks. A VPN, or Virtual Private Network, routes your traffic through an encrypted tunnel to the VPN provider's server before it carries on to its destination, so the WiFi network only ever sees encrypted data. As well as fully encrypting your data, this tool obfuscates what device your traffic is coming from, so attackers have trouble pinpointing your device information. VPNs come in the form of an application downloadable onto a mobile device. There are paid and free versions, but with low cost, better security and quicker speeds, a paid option is preferred [8] [9].



Weak Passwords -Picking an account password, what an annoyance. Capital letters, and special symbols, who can even remember all that shit. Eureka, I just thought of the easiest password to remember. OK are you ready……..password! Hot damn that’s so secure, tougher to hack than a $2 steak.


The preceding was a reenactment of the password-picking thought process of an alarmingly high number of people. Previously I went over how hackers intercept HTTP packets to sift through for usernames and passwords. A much less complicated process is cracking weak passwords. And unfortunately today many people use simple passwords. Made up of all lowercase letters and common dictionary words or phrases, weak passwords make quick work for hackers. Using what are called word lists, attackers can automate brute forcing account logins, meaning they quickly try every username and password on the list to attempt to log in. If your password is on the list they’re in. Simple. Many devices have default usernames and passwords, like routers or Bluetooth speakers. Navigating to one of those devices' web interface and entering the defaults may give access to sensitive device information and configuration tools.


So what are considered best practices with passwords? Firstly, always change defaults. Next is the complexity of the password. There are to be no dictionary words in your password. At all. A seemingly random configuration of upper and lower case letters mixed with numbers and special symbols is preferred. Length is important because longer passwords are harder to crack. One method I tend to use is to pick a word I know in another language that is not close to English. Take that word and make the most ridiculous spelling of it phonetically in English, then add at least two random special characters and two numbers somewhere in the word. Using this method to reach a minimum of 10 characters creates a very hard to crack password.
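A defender's version of the checks described in the two sections above (word-list and default-credential matches, embedded dictionary words, character mix, minimum length), written as an added example rather than code from the original post. The word list, the default-credential table and the 10-character minimum are constructed samples and assumptions taken from the post, not a real cracking list.

```python
import re
import string

# Constructed sample word list; real attacker lists run to millions of entries.
SAMPLE_WORDLIST = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "dragon", "monkey", "football", "iloveyou", "sunshine",
}

# Constructed sample of vendor default logins for routers and gadgets.
SAMPLE_DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

MIN_LENGTH = 10  # assumed minimum, following the post's advice


def check_password(username, password,
                   wordlist=SAMPLE_WORDLIST, defaults=SAMPLE_DEFAULT_CREDS):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    # A default login is the first thing a word-list run will try.
    if (username.lower(), lowered) in defaults:
        problems.append("matches a vendor default credential")
    if lowered in wordlist:
        problems.append("appears verbatim in a common word list")

    # "Password1!" still contains a dictionary word once digits and symbols
    # are stripped, so check the letters on their own.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in wordlist:
        if word.isalpha() and len(word) >= 4 and word in letters_only:
            problems.append(f"contains the dictionary word '{word}'")
            break

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("alice", "Password1!"), ("alice", "Xhurrbovva#9!4")]:
        print(f"{user}/{pw}: {check_password(user, pw) or 'OK'}")
```

"Xhurrbovva#9!4" is a made-up password built the way the post describes, and is the only one of the three samples that comes back clean.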


Besides creating a strong password, it's best to protect the ones you already have. Never leave passwords written on notes or held in text files on a device; even saving passwords in your browser's password manager is not a good idea. Changing passwords regularly is a great habit. If you have a feeling one of your accounts has been compromised, you should change all your important passwords right away just to be safe. I had a password on my Netflix account that was on a password list and someone from Brazil logged in and changed the login details to lock me out. It was quite scary and really changed the way I felt about better password management. My account was returned to me after some authentications, but ever since I have been much more cognizant of this threat.


[Image: a sticky note with “password” written on the back]

If the user is worried about remembering all these passwords they can use encrypted password manager applications to create and house passwords associated with the desired accounts.


Malicious Applications - The last threat I want to discuss is one that can be used in conjunction with any of the previous types. The use of malicious applications in mobile device cyber attacks is incredibly common. At its core this attack leverages an Android APK file, which is an application installer package. The attacker has specially modified this application to give them access to some or all of a victim’s device. It can be used to create a command line session from the attacker's computer to the device storage, or to log keyboard entries and send them back to the attacker. Basically whatever the attacker wants they can get if the victim installs this software.
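The post notes earlier that an installer has to declare the permissions it wants, so a defender can audit a decoded APK's AndroidManifest.xml for the data-access and persistence permissions a remote-control or keylogging app would need. This is an added example, not code from the post; the manifest is a constructed sample for a fictional flashlight app, and the grouping of "sensitive" permissions is this example's own choice (the permission names themselves are standard Android ones).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a flashlight-style app has no business asking for; the grouping
# is an assumption of this example, the names are real Android permissions.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming texts",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "use the camera",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start itself at boot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
}


def requested_permissions(manifest_xml):
    """List the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit_manifest(manifest_xml):
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    # Network access combined with data-collecting permissions is the pairing
    # that lets an app gather data on the device and ship it off to an attacker.
    exfil_capable = "android.permission.INTERNET" in perms and bool(flagged)
    return {"requested": perms, "flagged": flagged, "exfil_capable": exfil_capable}


# Constructed sample manifest for a fictional "flashlight" app, not a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in report["flagged"].items():
        print(f"{perm}: lets the app {why}")
    print("can collect data and send it off the device:", report["exfil_capable"])
```

On a real APK the manifest is binary XML and has to be decoded first (for example with apktool) before it can be fed to this parser.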


For this entry I want to do an actual demonstration of a malicious application attack. I will simulate each step in the process and show what it looks like from both sides of the attack. Thank you for sticking with me so far, please enjoy the video and don’t forget to stop and smell the roses once in a while.

Love You.




References:

[1] https://pyxis.nymag.com/v1/imgs/534/7e8/ee72713a18bdcd2e6b9c0ed9ce6141077b-02-Valentina-Petrenko.w710.jpg
[2] https://education.nationalgeographic.org/resource/art-war
[3] https://infosecurity-magazine.com/opinions/sun-tzus-art-of-war-cybersecurity/
[4] https://kotoritechnologies.com/sun-tzu-on-the-art-of-cyber-security/
[5] noexspencespared.gif - S. Clarke
[6] https://auth0.com/blog/the-9-most-common-security-threats-to-mobile-devices-in-2021/
[7] https://www.cisco.com/c/en/us/products/security/what-is-social-engineering.html
[8] https://www.cloudwards.net/dangers-of-public-wifi/
[9] https://mobiletrans.wondershare.com/android-transfer/mobile-device-security.html