ShmooCon 2011 Debriefing

by Axelle Apvrille
February 9, 2011 at 10:23 am

I got back from ShmooCon 2011, in Washington D.C., and would like to share with you a few insights.

First, just like at BlackHat DC 2011, this year’s conference had several talks on smart phones. Good news! I was however slightly surprised they all concerned Android (apart from mine, on Symbian). It is true Android platforms are predominant in hacker communities. I feel it is nonetheless important to recall the latest statistics on the matter:

  • In the U.S., Android phones come third (19%) after BlackBerry (31%) and iPhones (28%) (source: Nielsen Wire)
  • In France/Italy/Germany/Spain/UK, Android phones (6%) are still way behind Symbian (54%), iPhones (19%), Windows Mobile (11%), RIM (8%) (source: ComScore)
  • In Asia, I had more difficulties finding statistics, but it looks like Android comes second (20%) in China, behind Symbian (50%). (ref. ZOL)

I believe Symbian is often disregarded because of its decreasing market sales. But quarterly sales are different from owned devices (we don’t buy a new phone every three months, do we?) and, also, device distribution is quite different from one country to another.

Nevertheless, the talks on Android were very interesting (and I would sure love to get my hands on a new Gingerbread Android phone). I particularly appreciated Scott Dunlop’s talk and live demo. I am used to decompiling Android samples with dex2jar so as to get Java output, but he convinced me to try the smali/baksmali tools and lose less reverse engineering information in the process.

The conference also highlighted password cracking issues, with a keynote from Mudge and the final panel. The problem is far from new, but it is interesting to have up-to-date feedback from hackers who won the Defcon password cracking contest in 2010. They concluded that password policies were mostly counter-productive, and that actually writing down passwords isn’t that bad. Come to think of it, I happen to agree (except if you work for a military-grade employer).

Finally, I very much enjoyed the legal-oriented talks of Tara Whalen (Office of the Privacy Commissioner of Canada) and Marcia Hofmann (Attorney at EFF). Such talks show us computer security from another angle and I believe this is always profitable. Tara Whalen covered the case of Google cars inadvertently collecting packets from open Wifi networks. Marcia Hofmann explained in which circumstances the US government is allowed to seize and search computers of its citizens. In both cases, the Google case and computer seizures, it is a bit frightening to see there is an enormous gap between the way governments deal with computers and what hackers might actually do (for good or evil).

– the Crypto Girl

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

Hidden feature in Android spyware

by Axelle Apvrille
November 12, 2010 at 3:06 am

A few days ago, an application named ‘SMS Replicator Secret’ was pulled from the Android market. Like much other spyware of its kind, it silently forwarded incoming SMS messages to a configurable phone number, the official idea being to spy on your girlfriend.

I don’t like these types of ‘applications’ (women’s solidarity? next time advertise it as spying on your boyfriend ;), even if they are meant as jokes, because one day they will end up in the wrong hands and do much more damage than expected. The recent Zitmo malware is a perfect illustration of this: initially written as a parental control application, it ended up in the hands of the Zeus gang to spy on your online banking mTANs.

In the case of SMS Replicator Secret, the phone numbers it forwards SMS messages to are configurable in a hidden window. This window pops up as soon as someone sends the infected phone an SMS message whose text is a special password. The default password is ‘000’. The password is configurable in that window, too. See our detailed description here.

[Screenshot: Hidden settings window on an infected Android mobile phone]

What most people do not know is that there is a backdoor. The hidden window also pops up if you send an SMS with the text ‘red4life’. And that password is hard-coded, not configurable. The case-insensitive check of the SMS text in the source code is shown below:

if-nez	v7,l130e
move-object/from16	v0,v25
iget-object	v0,v0,com/dlp/SMSReplicatorSecret/SMSReceiver.msg Ljava/lang/String;
move-object	v7,v0
const-string	v8,"red4life"
; equalsIgnoreCase(Ljava/lang/String;)Z
invoke-virtual	{v7,v8},java/lang/String/equalsIgnoreCase
move-result	v7

With an Android emulator, this command pops up the hidden window:

sms send 01234 red4life
OK
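To spot this kind of hard-coded trigger without reading every method by hand, here is an added example (not code from the post or from Fortinet) of a small scanner over baksmali-style disassembly: it records const-string literals per register and reports any literal that is passed straight into a String comparison call. The sample disassembly is constructed from the snippet above, wrapped in a method and padded with one uncompared literal; the register tracking is deliberately simplified.

```python
import re

# Constructed sample: the SMSReceiver disassembly quoted above, wrapped in a method and
# padded with one literal ("LOGTAG") that is never compared, so the scanner has something to skip.
SAMPLE_DISASM = """\
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
const-string\tv9,"LOGTAG"
if-nez\tv7,l130e
move-object/from16\tv0,v25
iget-object\tv0,v0,com/dlp/SMSReplicatorSecret/SMSReceiver.msg Ljava/lang/String;
move-object\tv7,v0
const-string\tv8,"red4life"
; equalsIgnoreCase(Ljava/lang/String;)Z
invoke-virtual\t{v7,v8},java/lang/String/equalsIgnoreCase
move-result\tv7
.end method
"""

# Both the layout above and baksmali's 'Ljava/lang/String;->equalsIgnoreCase(...)Z' form match.
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+)\s*,\s*"((?:[^"\\]|\\.)*)"')
INVOKE = re.compile(r'^\s*invoke-(?:virtual|direct|static)(?:/range)?\s*\{([^}]*)\}\s*,\s*(\S+)')
COMPARE_METHODS = ("equalsIgnoreCase", "equals", "contentEquals")  # message-vs-constant checks


def find_hardcoded_triggers(disasm):
    """Return (literal, method) pairs for each const-string literal handed straight to a
    String comparison. Tracking is per method and ignores register-to-register copies:
    enough to flag the 'red4life' pattern, not a full data-flow analysis."""
    literals = {}   # register -> string literal it currently holds
    hits = []
    for line in disasm.splitlines():
        if line.startswith(".method"):
            literals = {}                       # fresh register state per method
            continue
        m = CONST_STRING.match(line)
        if m:
            literals[m.group(1)] = m.group(2)
            continue
        m = INVOKE.match(line)
        if not m:
            continue
        regs = [r.strip() for r in m.group(1).split(",")]
        # 'java/lang/String/equalsIgnoreCase' and 'Ljava/lang/String;->equalsIgnoreCase(...)Z'
        # both reduce to the bare method name.
        name = m.group(2).split("(")[0].split("->")[-1].split("/")[-1]
        if name in COMPARE_METHODS:
            hits.extend((literals[r], name) for r in regs if r in literals)
    return hits
```

Running find_hardcoded_triggers(SAMPLE_DISASM) reports ‘red4life’ compared with equalsIgnoreCase and ignores the log tag; a literal like the configurable ‘000’ would only show up if it were compared as a constant rather than read from settings.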

My guess is that the author’s girlfriend is red-haired ;)

Seriously, it is very lucky SMS Replicator Secret is not remotely configurable, otherwise attackers could have randomly scanned the networks for infected phones and spied on their incoming messages…

– the Crypto Girl

John Doe’s Credentials

by Axelle Apvrille
November 16, 2009 at 10:53 am

Since my last post on Jane Doe and Bredolab, John has been slightly jealous of her fame. He told me that he, too, as manager of the returned-material service, was dealing with plenty of parcels and that he could have been the perfect target. As I was curious to see what a genuine shipment company e-mail looked like (to compare them with Bredolab), I asked him if I could have a quick look at his mailbox.

I had hardly started reading his e-mails when I ran into one that immediately made me jump.

[Screenshot: the e-mail, in French, with the most important parts highlighted]

For those of you who do not speak French, I have highlighted the most important parts: a sales rep from a legitimate company (censored :) is asking John Doe for his login and password on their website, for some administrative reason! This email is genuine (I mean it is neither spam nor a joke). I can’t believe it. This looks straight out of the book “Things One Should Never Do In Security”. The main reasons not to do that are:

1- Counter-educative. If legitimate companies start asking for user logins and passwords, how will we tell them apart from phishing emails? Asking for credentials really is bad practice, and it should be banned from all policies.

2- Passwords are personal. Giving one’s password is always a bad idea, because, for mnemonic reasons, we often use similar patterns in all our passwords. If I use ‘darthvador’ on a website, there is a strong chance I will also use it on another website, or something similar, such as ‘lukeskywalker’ or ‘r2d2’. By the way, those passwords are weak because they are straight out of the English dictionary (or nearly).

3- Separating roles. Administrative tasks should be performed by a dedicated account, or, if necessary, a super user account. Otherwise, it is impossible to tell the difference between administrative actions and those of an authenticated user.

As a side note, all decent authentication systems are designed so that the administrator cannot know – and does not need to know – user passwords. For example, on any Unix system, the system administrator can only reset user account passwords. The /etc/passwd or shadow authentication files do not store the plaintext password but a password digest, and digests cannot be reversed.

John, for this e-mail, you absolutely deserve a blog post, and even better, glory for not having answered the sales rep. Congratulations.

And if you, readers, one day receive a similar e-mail, please remember this one should go straight to your trash.

– The Crypto Girl.