<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Mobile Privacy &#38; Security</title>
	<atom:link href="http://www.mobileprivacy.org/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mobileprivacy.org</link>
	<description>Mobile privacy and security news, tips and hacks</description>
	<lastBuildDate>Tue, 18 Jun 2013 06:24:06 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Digital Privacy Isn&#8217;t Taken, It Is Given Away</title>
		<link>http://www.mobileprivacy.org/2013/06/digital-privacy-isnt-taken-it-is-given-away/</link>
		<comments>http://www.mobileprivacy.org/2013/06/digital-privacy-isnt-taken-it-is-given-away/#comments</comments>
		<pubDate>Tue, 18 Jun 2013 06:11:07 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Mobile Privacy]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=176</guid>
		<description><![CDATA[Open Source Data &#038; Surveillance With the Edward Snowden privacy leak there is an important factor that is being missed. It isn&#8217;t the government agencies that collect the data, they are merely consumers and harvesters of it. The data comes]]></description>
				<content:encoded><![CDATA[<p><strong>Open Source Data &#038; Surveillance </strong></p>
<p>With the Edward Snowden privacy leak there is an important factor that is being missed. It isn&#8217;t the government agencies that collect the data, they are merely consumers and harvesters of it. The data comes from corporations that have been collecting it for years, data that we have given them freely in exchange for convenience and vanity. We are the victims and the perpetrators.</p>
<p>I know a little bit about this, as I have utilized a combination of tools that track stolen devices as well as leveraged open source data to assist law enforcement to gather additional information about suspects. By &#8220;open source&#8221; I am referring to the term law enforcement uses to define data that is open and available to the public. I didn&#8217;t need top secret NSA clearance, it is information people put up freely and made public and when doing so left additional invisible traces of data (&#8220;meta-data&#8221;) embedded in files and messages that helped paint a more detailed picture.</p>
<p><strong>The Cloud Is A Database of You</strong></p>
<p>Every email, phone call, text message, tweet, Facebook post, photo upload, check-in, online purchase is another entry into the big online database of you. However, that is just the data you know about; underneath lie more layers of data that are logged and stored, which many are not aware of and which can provide just as much insight into our lives as the more opaque data we are accustomed to dealing with. For example:</p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2013/06/datalayers.png"><img src="http://www.mobileprivacy.org/wp-content/uploads/2013/06/datalayers.png" alt="datalayers" width="810" height="671" class="alignright size-full wp-image-187" /></a></p>
<p>This data all exists in isolated islands, however when there is a data breach, or a government agent gets a piece of information such as an IMEI number, IP address, MAC address or email, it can then tie pieces of information together. Here is my Portland Ignite 11 talk where I talk a bit more about some of the real-life cases where some of these techniques have been used:</p>
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/_C-bIsaM6hI" frameborder="0" allowfullscreen></iframe></p>
<p><strong>Dude Where&#8217;s My Data?</strong><br />
We didn&#8217;t sell our soul to the Internet, we simply imported it. We have exchanged our digital privacy for convenience, speed and artifice. It doesn&#8217;t matter if it is wrong/right, ethical/unethical, it&#8217;s the big data elephant in the room, it exists and will continue to grow and more importantly organizations will do a better job of making sense of it and creating individual profiles. Although a fun intellectual exercise there is no way off this grid. You are no longer in full control of your own digital destiny. True digital privacy is dead. </p>
<p>I will be writing additional posts on this topic over the coming months, bringing in real-life examples and discussing how  corporations, governments and hackers alike leverage data and technologies to invade our privacy for fun, profit and control. I will also discuss ways we can begin to reclaim some of our digital privacy along the way.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2013/06/digital-privacy-isnt-taken-it-is-given-away/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Senate Cyberstalking Bill To Close Privacy Loophole</title>
		<link>http://www.mobileprivacy.org/2012/12/senate-cyberstalking-bill-to-close-privacy-loophole/</link>
		<comments>http://www.mobileprivacy.org/2012/12/senate-cyberstalking-bill-to-close-privacy-loophole/#comments</comments>
		<pubDate>Thu, 13 Dec 2012 12:59:50 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Mobile Privacy]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=171</guid>
		<description><![CDATA[Today the Senate Judiciary Committee is set to approve legislation sponsored by Sen. Al Franken, D-Minn. that would block a loophole for &#8220;cyberstalking apps&#8221;. The purpose of the bill is to outlaw applications that transmit location without the]]></description>
				<content:encoded><![CDATA[<p>Today the Senate Judiciary Committee is set to approve legislation sponsored by Sen. Al Franken, D-Minn. that would block a loophole for &#8220;cyberstalking apps&#8221;. The purpose of the bill is to outlaw applications that transmit location without the device owner&#8217;s consent. Companies would need to make sure that permission is obtained before location sharing is allowed. The underlying theme here really is about intent: if the purpose of the application is for stalking and the app is installed on a phone not owned by the person installing the software, it will be illegal. Stalking is already illegal and many of the top applications for conducting cyberstalking are sold outside the U.S., so enforcement might be a challenge. Marketing and advertising apps that use location services will also need to ensure their users explicitly grant permission to access location.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/12/senate-cyberstalking-bill-to-close-privacy-loophole/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ToorCamp 2012 &#8211; Tracking Technology, Forensics and Privacy</title>
		<link>http://www.mobileprivacy.org/2012/12/toorcamp-2012-tracking-technology-forensics-and-privacy/</link>
		<comments>http://www.mobileprivacy.org/2012/12/toorcamp-2012-tracking-technology-forensics-and-privacy/#comments</comments>
		<pubDate>Thu, 13 Dec 2012 12:06:46 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Facial Recognition]]></category>
		<category><![CDATA[Geolocation]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Mobile Privacy]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=167</guid>
		<description><![CDATA[My presentation from this summer at ToorCamp, probably the most fun you can possibly have at a security conference. I learned tons.]]></description>
				<content:encoded><![CDATA[<p>My presentation from this summer at ToorCamp, probably the most fun you can possibly have at a security conference. I learned tons.</p>
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/Pz73fLAkfz8?list=UUBRZKcKkoJVNgpJjUOuLkuw&amp;hl=en_US" frameborder="0" allowfullscreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/12/toorcamp-2012-tracking-technology-forensics-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vice.com Publishes Exclusive with John McAfee Reveals Location In iPhone Metadata ( EXIF )</title>
		<link>http://www.mobileprivacy.org/2012/12/vice-com-publishes-exclusive-with-john-mcafee-reveals-location-in-iphone-metadata-exif/</link>
		<comments>http://www.mobileprivacy.org/2012/12/vice-com-publishes-exclusive-with-john-mcafee-reveals-location-in-iphone-metadata-exif/#comments</comments>
		<pubDate>Mon, 03 Dec 2012 21:42:27 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[EXIF]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=149</guid>
		<description><![CDATA[Update: It looks like McAfee really is in Guatemala and has hired an attorney in the country. ( looks like our friends at Vice.com learned a lesson, they removed the EXIF data ) Vice.com published an exclusive story titled &#8220;WE ARE]]></description>
				<content:encoded><![CDATA[<p><strong>Update:</strong> It looks like McAfee really <a href="http://www.vice.com/read/john-mcafee-is-in-guatemala-city-and-he-just-hired-the-best-lawyer-in-the-country">is in Guatemala and has hired an attorney in the country.</a> (Looks like our friends at Vice.com learned a lesson, they removed the EXIF data.)</p>
<p>Vice.com published an exclusive story titled &#8220;<a href="http://www.vice.com/read/we-are-with-john-mcafee-right-now-suckers" target="_blank">WE ARE WITH JOHN MCAFEE RIGHT NOW, SUCKERS</a>&#8221; where they talk about travelling with him for the past four days. The problem is that the photo they posted was taken with an iPhone with geolocation data embedded in it. The original photo was taken down and replaced with a version that has data stripped, however I was able to grab the original, I ran it through <a href="http://www.exifscan.com" target="_blank">EXIFScan</a> and sure enough the GPS coordinates were intact possibly revealing John McAfee&#8217;s location in <a href="https://maps.google.com/maps/place?q=15.658166666667,+-88.992166666667&amp;hl=en&amp;ftid=0x8f612443c7e3bf01:0x4c9fdbbf5ea15b59">Río Dulce, Guatemala</a>.</p>
<p><strong>Update:</strong> So now <a href="http://www.whoismcafee.com/another-apology/">John McAfee is saying he manipulated the &#8220;XIF&#8221; data</a>, I for one do not believe that. A good magician never reveals their tricks. The fact Vice.com updated the image immediately after the location data was discovered is also suspect. If the goal of this was to throw people off, why would you remove the photo and then tell everyone you manipulated it intentionally&#8230;like the whole McAfee case a lot of it makes no sense.</p>
<p><img class=" wp-image-151 alignnone" title="John McAfee Vice.com Photo EXIF Data Reveals Location" src="http://www.mobileprivacy.org/wp-content/uploads/2012/12/mcafee_exifscan.jpg" alt="John McAfee Vice.com Photo EXIF Data Reveals Location" width="490" height="387" /></p>
<p>Tracking people via EXIF data is nothing new, a while back I launched <a href="http://www.cameratrace.com">CameraTrace</a> which scans and logs serial numbers of photos found online, which <a href="http://www.gadgettrak.com/blog/2011/08/24/photographer-recovers-9k-stolen-camera-equipment-thanks-to-gadgettrak/">has led to several interesting recoveries</a> where stolen cameras were tracked down. Recently <a href="http://www.dailymail.co.uk/news/article-2129257/Higinio-O-Ochoa-III-FBI-led-Anonymous-hacker-girlfriend-posts-picture-breasts-online.html">Higinio Ochoa</a> was busted after an iPhone photo that he had taken and posted revealed his location, sound familiar?</p>
<p>Hat tip: <a href="https://maps.google.com/maps/place?q=15.658166666667,+-88.992166666667&amp;hl=en&amp;ftid=0x8f612443c7e3bf01:0x4c9fdbbf5ea15b59">Simple Nomad</a> and <a href="https://twitter.com/WeldPond/status/275709993087549440">Chris Wysopal</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/12/vice-com-publishes-exclusive-with-john-mcafee-reveals-location-in-iphone-metadata-exif/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Mobile Penetration Testing: There&#8217;s An App For That</title>
		<link>http://www.mobileprivacy.org/2012/10/penetration-testing-with-mobile-devices/</link>
		<comments>http://www.mobileprivacy.org/2012/10/penetration-testing-with-mobile-devices/#comments</comments>
		<pubDate>Tue, 30 Oct 2012 15:11:04 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Hacking]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=136</guid>
		<description><![CDATA[Introduction Getting Inside The Phone Setup USB Hacks Network &#38; Vulnerability Scanners Session Hi-Jacking &#38; ARP Spoofing Wi-Fi Sniffing Remote Access Remote Shell &#38; Scripting When most people think of penetration testing, they think of a simulated external attack where]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/10/intro.jpg"><img class="alignright size-full wp-image-137" title="intro" src="http://www.mobileprivacy.org/wp-content/uploads/2012/10/intro.jpg" alt="" width="290" height="390" /></a></p>
<ul>
<li><a href="#intro">Introduction</a></li>
<li><a href="#inside">Getting Inside</a></li>
<li><a href="#setup">The Phone Setup</a></li>
<li><a href="#usb">USB Hacks</a></li>
<li><a href="#network">Network &amp; Vulnerability Scanners</a></li>
<li><a href="#session">Session Hi-Jacking &amp; ARP Spoofing</a></li>
<li><a href="#wi-fi">Wi-Fi Sniffing</a></li>
<li><a href="#remote">Remote Access</a></li>
<li><a href="#shell">Remote Shell &amp; Scripting</a></li>
</ul>
<p><a name="intro"></a>When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely.</p>
<p>Companies focus most of their security spending and policies on keeping outside hackers from getting in, through firewalls and other security hardening appliances, software and tools.</p>
<p>However, given the proliferation of mobile devices in the workplace and use of Wi-Fi networks inside of an office, attacking from inside the network provides unique opportunities.</p>
<p>Smartphones have become much more powerful over the past few years, with powerful processors and a plethora of hardware at your fingertips. Combine this power in a compact unit with the right apps and you can scan a network from the inside in seconds, along with several other new types of attacks and information gathering.</p>
<p>Mobile devices have accelerated productivity as they move to replace many of the other devices we used to carry in a small package. Most phones have Wi-Fi capability, cameras, mass storage capability and a persistent internet connection via 3G and 4G and allow a wide number of applications and if rooted provide many of the same tools as a computer, but with more hardware and network capabilities.</p>
<p>These conveniences also carry over to make them a very powerful tool to use in penetration tests, more powerful I would argue than a laptop, as a mobile device can be easily hidden on your person, or inside of an office building.</p>
<p>Most organizations spend a great deal of money and time focusing on protecting their networks from outside threats, making sure the hackers outside cannot get in. However, security inside the network is generally lacking, both physical security and network security. Security is generally more relaxed inside an office because of the simple need to get work done.</p>
<p>Attacking a network from within has actually become easier over the last few years. There is a greater number and variety of devices inside an office than there were even just a few years ago, when you dealt primarily with stationary desktop systems hard wired via ethernet in secured offices.</p>
<p>Today most offices utilize Wi-Fi, with many different types of devices in use from laptops, tablet computers, mobile phones, flash drives and portable media players. Not only are there devices that are owned by the company, but also people’s personal devices they bring in from home.</p>
<p>Attacking from inside is a target rich environment with a multitude of attack vectors. Given the increasing number of devices that are brought in and being used, internal policies regarding the use of these devices are generally lax, not enforced or simply non-existent. Employees are generally also not trained on security issues around mobile devices, which is something you can take advantage of in your tests.<br />
<a name="inside"></a><br />
<strong>Getting Inside<br />
</strong><br />
Attacking inside of a network poses the unique challenge of getting inside or at least close to your target, however there are a number of ways to do this using a bit of social engineering. A few ways to get inside of a corporate building are via job interviews, business meetings, or posing as a delivery driver, maintenance worker, cleaner or solicitor, or get an insider to help you (even if they are not aware they are helping you).</p>
<p>Many companies also host events, particularly tech companies, where they allow their space to be used for developer meet-ups, or presentations so watch for this opportunity as well. You may not even need to get inside the building, but can work outside of it in the parking lot, an office next door, the employee cafeteria or other areas that are not secured. Monitor the company’s website and check for jobs posted, use online services such as LinkedIn to search for positions as well as track current employees of the target company for opportunities that may present themselves.</p>
<p><a name="setup"></a><br />
<strong>The Phone Setup</strong></p>
<p>As my weapon of choice I use an Android phone, a rooted Samsung Galaxy S to be specific. I highly recommend rooting the phone and installing a ROM such as Cyanogen, for this article I am using Cyanogen 7. Many of the apps I will mention here require a rooted device and require root privileges. I have seen some apps that are available for rooted iOS devices, however there are many more robust solutions available for Android.</p>
<p>You can install most Linux distros on an Android phone including Backtrack 5 using Gitbrew. However using a Linux distro on an Android phone, even on a tablet is quite kludgy and you would be better served using a netbook. For this article I will stick with Android specific tools that take advantage of the portability and hardware available to smartphones.</p>
<p>In some of the examples I outline hiding a phone in an office building, which runs the risk of the device being found and tracked back to me if the device has an active SIM card. To mitigate this risk an attacker would use a phone they purchased used, or that was stolen with the SIM card removed and will rely on Wi-Fi to connect to the device remotely from outside.</p>
<p>T-Mobile sells pre-paid smartphone plans with data connectivity now, however they still require a credit card to get. A criminal could use a stolen credit card and identity to get a phone with a working SIM that is untraceable, but for the purposes of our test we will be sticking with primarily Wi-Fi based connections.</p>
<p><a name="USB"></a><br />
<strong>USB Hacks</strong></p>
<p>The first set of tools I will install on the device are not mobile apps at all. Android devices easily double as a flash drive, which provides a great attack vector to leverage many USB based tools to infect a network and steal data from behind the firewall. Even today, USB flash drives are a great way to deliver a malicious payload, particularly in highly secure environments.</p>
<p>The International Space Station was even hit by a virus that was transmitted via flash drive; flash drives are also the primary suspect in the delivery of Stuxnet and the recent keylogger malware discovered on military systems controlling drones. With a mobile device you also have a great excuse to plug the device into a computer: “My phone battery is about to die, can I plug my USB charger into your computer for a bit?”</p>
<p>There are a number of USB tools available that will allow you to pull data, a few easy tools include <a href="http://www.mobileprivacy.org/usb-hacks/">USB Hacksaw and USB Switchblade</a> both of which are multipurpose utilities which will pull data from the target device and open backdoors into the system. The primary purpose of the tools is to silently recover information from Windows systems, such as password hashes, LSA secrets, IP information, as well as browser history, and auto-fill information as well as create a backdoor to the target system for later access. The data can be quickly loaded to the phone as the tools only need a few seconds to pull sensitive information from a given device.</p>
<p>Another useful tool is <a href="http://www.mobileprivacy.org/usb-hacks/">USBDumper</a> which can be loaded onto a target computer and will silently copy the contents of any removable media device connected to the computer and can be modified to upload this data to a remote location. This tool can be handy if you see and gain access to a shared system that might be used for presentations in a conference room, this is usually the case at colleges and universities and some businesses as well.</p>
<p>There are many other great tools available that can be loaded from a USB device, or you can easily create your own. A lot of the USB based trojans in the wild have been flagged by anti-virus companies as malicious, however if you get the source code and modify it you can easily create executables with unique signatures that will not be detected. If you plan on hijacking a host computer and transmit data to outside the network, make sure you use an SSL connection, this will help evade firewalls as well as hide what data is being transmitted outside the network.</p>
<p>When conducting a penetration test you usually do not need to actually transmit data; writing a simple script that, when executed, sends the IP address, name of the person logged into the computer and unique device IDs is enough to indicate the system and potentially the network could have been compromised. How far you actually go to show the network was infiltrated is between you and the client, just be aware that some of the USB based tools mentioned above can cause harm to the system and data as well as other devices on the network.<br />
<a name="network"></a><br />
<strong>Network &amp; Vulnerability Scanners</strong></p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln1.jpg"><img class="alignright size-full wp-image-138" title="vuln1" src="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln1.jpg" alt="" width="254" height="421" /></a>The first mobile application you need is for network mapping; there are quite a few available in the Android Marketplace. <a href="https://play.google.com/store/apps/details?id=info.lamatricexiste.network">Network Discovery</a> is a great one that is free and does not require your device to be rooted. The user interface is really well designed and provides you with a clear view of the network and devices at a glance, not easy to do with the limited screen real-estate on a mobile device. The application identifies the OS and manufacturer of the device as well as identifies the type of device. The Network Discovery app works well when connected to a Wi-Fi network that you know is open or have the password to access and provides great visibility of the target network.</p>
<p>Mapping a network is one thing, but being able to scan for open Wi-Fi, scan device ports, find vulnerabilities and perform other acts takes a lot more time and usually a lot more tools. Thankfully an Israeli security firm called Zimperium has made this easier for you, with their Android Network Toolkit named <a href="http://www.zantiapp.com/anti.html">Anti.</a></p>
<p>Anti provides automated tools to carry out penetration testing tasks on insecure wireless networks. Once activated, the app will run scans to find open networks, locate devices on the network and determine vulnerabilities on the devices. Once vulnerabilities are discovered the app can run exploits from Metasploit and ExploitDB to gain access, at which stage you can then trigger various actions remotely from your phone, from taking a screen shot to ejecting the disc drive, to prove you have control of the target machine.</p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln2.jpg"><img class="alignright size-full wp-image-139" title="vuln2" src="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln2.jpg" alt="" width="622" height="347" /></a></p>
<p>The first version of the application only had a few exploits, however the developer provided me with an early version of the 2.1 release which has a larger library of potential exploits. In addition the suite provides additional tools including a brute force password cracking tool along with different types of dictionaries to load for the attack.</p>
<p>The “Cracker” feature runs well and hits all open ports it finds on devices within the network. This can take some time depending on the number of ports and the type of dictionary used in the attack. I was able to locate several vulnerabilities on a test network, mostly Windows file shares and a router that still had the manufacturer’s default password settings.</p>
<p>The in-app Wi-Fi monitor feature provides a listing of all Wi-Fi networks, their signal strengths and whether or not they are open via an easy to read icon, along with the device’s MAC address. The network scanning is quite fast and I was able to map a decent sized network in about 30 seconds. When you run the scan it then asks you if you want to initiate an intrusive scan which gathers more information regarding potential vulnerabilities.</p>
<p>Some of the features I was not able to test such as “Foreign Targets” where you can run scans on domains and IPs outside the network, even use Anti’ whenever I tried this the app would crash, guess due to the version I have being beta. Other useful features include an HTTP Server you can run and the ability to initiate attacks from Zimperium’s cloud utilities to run penetration tests from outside of the network.</p>
<p>Anti is a great tool that makes mobile penetration testing as easy as one click, allowing you to run quick tests for unsecured Wi-Fi networks and gather information in an automated fashion. The fact you can initiate a scan and put the phone in your pocket makes it a powerful tool.<br />
<a name="session"></a><br />
<strong>Session Hi-Jacking &amp; ARP Spoofing</strong></p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln3.jpg"><img class="alignright size-full wp-image-140" title="vuln3" src="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln3.jpg" alt="" width="222" height="372" /></a>Many may be familiar with FireSheep, the Firefox browser plug-in that allowed you to easily sniff out and hijack Facebook, Twitter and other sessions. Well there is also an app for that, it is called <a href="http://droidsheep.de/">DroidSheep</a> and it works similarly. The application requires a rooted Android phone. Once you run the application you can run the app in a few different modes, when it is connected to an open network it uses ARP spoofing to hijack the sessions.</p>
<p>A word of warning, on some networks it can slow a network and be detected, this occurred a few times on my test network. You can disable ARP-Spoofing, which will make it undetectable, however it is not as efficient and will not pick anything up on an encrypted network.</p>
<p>The application provides a “Generic mode” that will display all possible account sessions, not just from known sites like Twitter and Facebook. During my test I was able to pick up sessions from WordPress, Facebook, Twitter and Trimet.org (Portland’s public transportation portal).</p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln5.jpg"><img class="alignright size-full wp-image-141" title="vuln5" src="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln5.jpg" alt="" width="267" height="452" /></a>Another application that provides a more invasive approach is Network Spoofer which allows you to use ARP Spoofing to actually alter the web traffic being sent to a network or specific machine. The application requires a pretty large download at around 600MB which is actually a Debian image that includes Squid proxy to modify the data and some other tools to modify images and other tasks. The application allows you to redirect web traffic to a specific site, flip images, alter queries and other harmless attacks allowing you to show the client the network was compromised.</p>
<p>The application works well on an open network, however on a WPA/WPA2 network it simply cripples or slows the network. Hardware is also an issue, although the application works with most phones, some devices are incompatible, I tested it on a Nexus One and a Galaxy S and both worked.</p>
<p><a name="wi-fi"></a><br />
<strong>Wi-Fi Sniffing</strong></p>
<p>Network Spoofer (no longer available in the Android market) also allows you to redirect all network traffic directly to the phone. The packet data can then be logged by a packet sniffer application such as <a href="https://play.google.com/store/apps/details?id=lv.n3o.shark">Shark for root</a> which is one of the better apps I found for this task. The issue with using ARP Spoofing for this however is that it can slow or cripple the network.</p>
<p>A better route for packet sniffing is to create a Wi-Fi hotspot on the device itself. A great thing about a rooted Android phone is the ability for it to be an ad-hoc Wi-Fi hot spot. By creating an open Wi-Fi hot spot on the device that has a similar name to an existing one in the office, or simply one that looks like a guest account (“Acme-Guest”), you have a great way to intercept a great deal of traffic from users duped into connecting to it.</p>
<p>There are a number of packet sniffing apps available for Android, the best I have found is Shark for root, which logs the pcap file to the SD card of your device. There is also a Shark Reader application that allows you to read the pcap files, however you will probably want to copy the files over to your laptop via FTP etc and view them in Wireshark.</p>
<p>The one thing I hate about “Shark for root” is that as it is a free app ads appear at the top, this can actually mess with capture. The fact you have ads running in a security app is wrong for many reasons, I wish they would offer a paid for version of the app without ads.<br />
<a name="remote"></a><br />
<strong>Remote Access</strong></p>
<p>Smartphones are not only good for running apps, but also have a lot of other great hardware in one package that makes them great for use in spying from the inside. If you are able to sneak a phone into an office building and plug it in to a wall socket you will have eyes and ears in the building as well as provide yourself with more time to run tests from the outside. Plants make a great hiding place, as they are usually against a wall near power outlets. Common areas such as break rooms are also a good place as you can leave them in plain sight, most will assume it is a co-worker’s phone left to charge.</p>
<p>Most smartphones today have at least one camera, which can be accessed remotely, many of these tools also come with motion detection. Some apps can also call out to another number when motion is detected allowing you to listen in on any conversations that may be occurring near the phone.</p>
<p>A free tool that makes remote access easy is Remote Web Desktop a free app available in the Android Marketplace which provides access to all the hardware on the device including the camera, as well as the ability to launch apps remotely from a web browser on your laptop. You can connect directly through Wi-Fi, or if you are using the 3G connection you can use their bridging service to access the device.</p>
<p>Your browser may not support display of this image. Remote Web Desktop also provides access to all the apps on the phone, as well as an FTP server to easily transfer log files and reports from the device. Another helpful utility that Remote Web Desktop provides is the ability to bridge the connection. If for example you are using the 3G connection vs Wi-Fi they provide a service that allows you to easily connect to the device remotely, however keep in mind that this approach could leave a trace of your activities. This approach also provides you with access to the device if you are using the device as a Wi-Fi hotspot, as you cannot run connect to the device via Wi-Fi as well as run it as a hot spot.</p>
<p><a name="shell"></a><br />
<strong>Remote Shell &amp; Scripting</strong></p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln7.jpg"><img class="alignright size-full wp-image-143" title="vuln7" src="http://www.mobileprivacy.org/wp-content/uploads/2012/10/vuln7.jpg" alt="" width="293" height="191" /></a>There are a number of terminal emulators available for Android including one that comes with Cyanogen, however I would also recommend installing ConnectBot as it allows for multiple sessions and secure tunnels. I also installed Scripting Layer for Android (SL4A) to allow me to run scripts from the device as needed. Once these apps are loaded it makes it easier to remotely deploy and execute scripts to the device.</p>
<p>I installed the Python interpreter on my device to run various scripts to automate capturing photos and wiping apps from the device if it becomes compromised. If you prefer to write your own native Android apps more power to you, but I found it a lot easier to have a scripting environment available to me on the device for on-the-fly app development.</p>
<p>One great feature of SL4A is the ability to write a script remotely and then execute it on the phone. SL4A provides server support, so you can execute commands from your laptop on the phone. Using this method you have access to pretty much the entire Android SDK, without the need to compile and deploy anything. You need to install the SL4A engine and the scripting language you wish to use; I use Python, but other languages are available, including Ruby, Perl, JavaScript, Lua and BeanShell. For more information on setup and configuration of SL4A, visit the project homepage.</p>
<p>As you can see, a smartphone can be a very powerful tool in your penetration test arsenal, in some ways much more powerful than a laptop. The sophistication of many applications available for Android, particularly on rooted devices, provides an increasing number of weapons for penetration testers and hackers alike.</p>
<p>Using these tools to test your network, as well as being aware of what tools malicious users may be using to find a weakness, will help you better secure your environment. Many of these applications provide rich user interfaces and reports that will also help you visually show your clients and employees the risks that mobile devices can pose in their organization if policies and procedures are not followed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/10/penetration-testing-with-mobile-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ignite Portland 11: Pwnd By Devices</title>
		<link>http://www.mobileprivacy.org/2012/10/ignite-portland-11-pwnd-by-devices/</link>
		<comments>http://www.mobileprivacy.org/2012/10/ignite-portland-11-pwnd-by-devices/#comments</comments>
		<pubDate>Thu, 04 Oct 2012 22:41:09 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=132</guid>
		<description><![CDATA[My Ignite Portland presentation &#8220;Pwnd By Devices&#8221;&#8230;had a blast doing this, even though it was freaking hard:]]></description>
				<content:encoded><![CDATA[<p>My Ignite Portland presentation &#8220;Pwnd By Devices&#8221;&#8230;had a blast doing this, even though it was freaking hard:<br />
<iframe width="560" height="315" src="http://www.youtube.com/embed/_C-bIsaM6hI" frameborder="0" allowfullscreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/10/ignite-portland-11-pwnd-by-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous vs GoDaddy: Social Media As Social Engineering</title>
		<link>http://www.mobileprivacy.org/2012/09/anonymous-vs-godaddy-social-media-as-social-engineering/</link>
		<comments>http://www.mobileprivacy.org/2012/09/anonymous-vs-godaddy-social-media-as-social-engineering/#comments</comments>
		<pubDate>Mon, 17 Sep 2012 05:37:44 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Hacking]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=121</guid>
		<description><![CDATA[When GoDaddy&#8217;s services went down last week there was instantly speculation that Anonymous had something to do with it. The fact that the group has been responsible for a number of high profile hacks leads many to think that any]]></description>
				<content:encoded><![CDATA[<p>When GoDaddy&#8217;s services went down last week there was instantly speculation that Anonymous had something to do with it. The fact that the group has been responsible for a number of high-profile hacks leads many to think that any hack or data breach has something to do with the group. When GoDaddy&#8217;s services went down and an Anonymous member claimed responsibility, many in the press didn&#8217;t even blink and accepted the claim as fact. Even journalists who should know better and check their facts were citing Anonymous claims as fact, or at least helping to distribute the claims to the masses.</p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/09/anon2.jpg"><img class="alignnone size-full wp-image-127" title="anon" src="http://www.mobileprivacy.org/wp-content/uploads/2012/09/anon2.jpg" alt="" width="600" height="266" /></a></p>
<p><a href="http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410">GoDaddy responded</a> a few days after the claim and, more importantly, after the media frenzy. The truth at this point did not matter; the damage to GoDaddy&#8217;s brand was already done. PR is one of the oldest forms of social engineering, be it propaganda, spin or misinformation, and this latest example shows that Anonymous not only has the technical skills, but also an uncanny capacity to shape public opinion, which can be an even more powerful tool in their arsenal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/09/anonymous-vs-godaddy-social-media-as-social-engineering/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You down with UDID? Yeah, you know me… my location and app activities</title>
		<link>http://www.mobileprivacy.org/2012/09/you-down-with-udid-yeah-you-know-me-my-location-and-app-activities/</link>
		<comments>http://www.mobileprivacy.org/2012/09/you-down-with-udid-yeah-you-know-me-my-location-and-app-activities/#comments</comments>
		<pubDate>Thu, 06 Sep 2012 07:22:13 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Hacking]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=117</guid>
		<description><![CDATA[It was announced this week by the hacker group AntiSec that they compromised a laptop belonging to Supervisor Special Agent Christopher K. Stangl from the FBI taking advantage of a vulnerability in Java that allowed them to gain access to files on]]></description>
				<content:encoded><![CDATA[<p>It was announced this week by the hacker group AntiSec that they compromised a laptop belonging to Supervisor Special Agent Christopher K. Stangl from the FBI, taking advantage of a vulnerability in Java that allowed them to gain access to files on his system. The data they claim to have downloaded allegedly holds more than 12 million UDIDs (Unique Device Identifiers) from Apple iOS devices.</p>
<p>Although there is cause for concern, there is no reason to panic… yet. The UDID is a unique number that identifies a given iOS device, a bit like a serial number. Simply having this number alone would not be an issue, as they are fairly anonymous.</p>
<p><strong>However</strong> the file in question also maps UDIDs to names, phone numbers, zip codes, addresses in some cases. The UDIDs then are no longer anonymous but linked to their respective owners.</p>
<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/09/udid_to_identity.jpeg"><img class="size-full wp-image-118 alignnone" title="udid_to_identity" src="http://www.mobileprivacy.org/wp-content/uploads/2012/09/udid_to_identity.jpeg" alt="" width="601" height="254" /></a></p>
<p>The UDID number has been used/misused by developers over the last few years to identify devices for advertisements, analytics and other purposes. The Internet is chock full of databases that map UDIDs to usernames, activities, location data, game scores, ad clicks as well as Facebook and other social media profiles. Even if you deleted an application from your phone the data can still persist in the Cloud.</p>
<p>So as we see more data breached, sold and shared, data will be mapped to previously anonymous data related to activities, location and app usage. The damage of the breach therefore lies in the possibility that connections that may not have existed before will be bridged and more robust profiles of targets become available.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/09/you-down-with-udid-yeah-you-know-me-my-location-and-app-activities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy Invasion Lawsuit Names 18 Companies</title>
		<link>http://www.mobileprivacy.org/2012/03/privacy-invasion-class-action-lawsuit/</link>
		<comments>http://www.mobileprivacy.org/2012/03/privacy-invasion-class-action-lawsuit/#comments</comments>
		<pubDate>Sun, 18 Mar 2012 17:22:36 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Lawsuit]]></category>
		<category><![CDATA[Mobile Privacy]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=104</guid>
		<description><![CDATA[Several companies have been named in a class-action lawsuit as a result of mobile applications uploading contacts to servers without users&#8217; consent. The mobile app developers who were following this practice were doing so to provide more personalized recommendations regarding]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/03/61062f9azvzk4hz.jpg"><img class="alignright size-medium wp-image-106" title="61062f9azvzk4hz" src="http://www.mobileprivacy.org/wp-content/uploads/2012/03/61062f9azvzk4hz-300x199.jpg" alt="" width="300" height="199" /></a>Several companies have been named in a class-action lawsuit as a result of mobile applications uploading contacts to servers without users&#8217; consent. The mobile app developers who were following this practice were doing so to provide more personalized recommendations regarding who users should follow on their social networks; however, they did so without user consent or knowledge. In the filing the group states that &#8220;literally billions of contacts from the address books of tens of millions of unsuspecting wireless mobile device owners have now been accessed and stolen.&#8221;</p>
<p>The companies named in the filing include:</p>
<ul>
<li>Path, Inc.</li>
<li>Twitter, Inc.</li>
<li>Apple, Inc.</li>
<li>Facebook, Inc.</li>
<li>Beluga, Inc.</li>
<li>Yelp! Inc.</li>
<li>Burbn, Inc.</li>
<li>Instagram, Inc.</li>
<li>Foursquare Labs, Inc.</li>
<li>Gowalla Incorporated</li>
<li>Foodspotting, Inc.</li>
<li>Hipster, Inc.</li>
<li>LinkedIn Corporation</li>
<li>Rovio Mobile Oy</li>
<li>ZeptoLab UK Limited aka ZeptoLab</li>
<li>Chillingo Ltd.</li>
<li>Electronic Arts Inc.</li>
<li>Kik Interactive, Inc.</li>
</ul>
<p>The 13 individuals suing allege that these companies committed invasion of privacy, theft under the Texas Theft Liability Act, fraud, and violations of the Texas Wiretap Act, amongst others. The group states they experienced damages such as loss of privacy, diminution of address book data value, loss of mobile device computing, processing and battery life while the address books were being transferred, out-of-pocket expenses and more. They are suing for $12,000 or more from each offending company, as well as any profits made from the use of the address books.</p>
<p><strong>Full filing</strong></p>
<p><a style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;" title="View TX US District Court - Class Action on Scribd" href="http://www.scribd.com/doc/85310203">TX US District Court &#8211; Class Action</a><iframe id="doc_48941" src="http://www.scribd.com/embeds/85310203/content?start_page=1&amp;view_mode=list" frameborder="0" scrolling="no" width="100%" height="600" data-auto-height="true" data-aspect-ratio=""></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/03/privacy-invasion-class-action-lawsuit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Privacy, Security and Celebrities</title>
		<link>http://www.mobileprivacy.org/2012/03/mobile-privacy-security-and-celebrities/</link>
		<comments>http://www.mobileprivacy.org/2012/03/mobile-privacy-security-and-celebrities/#comments</comments>
		<pubDate>Sat, 17 Mar 2012 20:14:27 +0000</pubDate>
		<dc:creator>Ken Westin</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Mobile Privacy]]></category>

		<guid isPermaLink="false">http://www.mobileprivacy.org/?p=101</guid>
		<description><![CDATA[There have been a number of recent stories with celebrities&#8217; photos being leaked online, including Scarlett Johansson, Christina Hendricks, Olivia Munn and more. I was interviewed by Fox News regarding how celebrities can better protect themselves. The obvious answer is]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.mobileprivacy.org/wp-content/uploads/2012/03/celebs.jpg"><img class="alignright size-medium wp-image-102" title="celebs" src="http://www.mobileprivacy.org/wp-content/uploads/2012/03/celebs-300x168.jpg" alt="" width="300" height="168" /></a>There have been a number of recent stories with <a href="http://www.mobileprivacy.org/2011/09/scarlet-johansson-leaked-photos-exif-data/">celebrities&#8217; photos being leaked online</a>, including Scarlett Johansson, Christina Hendricks, Olivia Munn and more. <a href="http://www.foxnews.com/entertainment/2012/03/15/celebrity-psa-two-approaches-to-keeping-personal-nude-photos-off-internet/">I was interviewed by Fox News</a> regarding how celebrities can better protect themselves. The obvious answer is to not take the photos and store them on their devices or in the cloud in the first place.</p>
<p>The press repeatedly says that these celebrities&#8217; phones were &#8220;hacked&#8221;; however, it is rare that a phone is &#8220;hacked&#8221; and data on the device is compromised remotely. The cases we have seen so far are all cases where email accounts or cloud services have been accessed by guessing or brute forcing the passwords. It is not a good idea for celebrities to use free email accounts or cloud-based services; they should hire IT and security professionals to set up secure email and assist them with strategies to secure their devices.</p>
<p>Another more obvious way phones are compromised is if they are stolen, which <a href="http://www.gadgettrak.com/recoveries">I have a bit of experience with</a>. There have been cases where laptops and phones were stolen that contained sensitive information, even nude photos, that were later posted online. If a mobile phone is stolen, the security measures in place on most mobile operating systems are trivial to circumvent once you have physical access to the device and a little time. Of course <a href="http://www.gadgettrak.com/products/mobile">GadgetTrak Mobile Security</a> is a solution to this; it allows users to remotely wipe all sensitive data on the device. The data that is backed up is also encrypted using the customer&#8217;s private key so that not even we have access to it. BlackBerry offers similar services, as does Apple, however not the encrypted backup feature.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mobileprivacy.org/2012/03/mobile-privacy-security-and-celebrities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
