Tuesday, April 19, 2016

Provision file installation error - iOS security testing - 0xe800801a

Sometimes we get a provision file along with the original IPA file for installation and security testing of iOS apps. Earlier, on old versions of iOS such as 4 or 5, we used to have a tool called iPhone Configuration Utility, which was used to install the provision file. Now Apple has deprecated the utility, so we have to install both using iTunes.
Recently I faced repeated errors while trying to install the provision file. Very similar to this:



This happens when you receive the provision file by email and it gets corrupted due to mail server issues; the corrupted file then throws the above error when you try to install it. The solution is to ask the project team to send it again in zipped format; this solved my error.



Tuesday, March 1, 2016

When you face an error while installing Drozer

Finally, after doing a lot of research while getting the following error while installing Drozer on OS X/Linux:

"The following error occurred while trying to add or remove files in the
installation directory:

    [Errno 13] Permission denied: '/Library/Python/2.7/site-packages/test-easy-install-3959.pth'

The installation directory you specified (via --install-dir, --prefix, or
the distutils default setting) was:

    /Library/Python/2.7/site-packages/

Perhaps your account does not have write access to this directory?  If the
installation directory is a system-owned directory, you may need to sign in
as the administrator or "root" account.  If you do not have administrative
access to this machine, you may wish to choose a different installation
directory, preferably one that is listed in your PYTHONPATH environment

variable................"

This happens because you don't have root permissions or write privileges on the installation directory. So, to enable root privilege:

$ dsenableroot

And then,

sudo easy_install

and you are done! Phew!! :)

Wednesday, February 24, 2016

Solving sshDroid warning

During a recent Android pentest, I was required to install sshDroid, a very popular SSH server for Android devices. It worked fine for a few hours, until the next day I encountered the following nasty error: "Warning: Remote Host Identification Has Changed!......"

I know I had messed it up somehow, hence that message. So I found a way to do away with this:
Run the following command from your client terminal (remotehost is the host whose stored key is removed):
ssh-keygen -R remotehost

Once that is done, do an ssh again to the remote host:

ssh -p port username@remotehost    (-p port is optional)

And we are done. Happy hacking!
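
The same warning appears when a different machine answers on that address, so it is worth confirming the new key before removing the old entry. The following is an added example, not part of the original post: it computes the OpenSSH SHA256 fingerprint of the key the server now offers and compares it with a fingerprint obtained from the device itself. The host, port, keys and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_key_line(line):
    """Split a known_hosts or ssh-keyscan line into (hosts, key type, key)."""
    fields = line.split()
    if fields and fields[0].startswith("@"):   # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a host key line: %r" % line)
    return fields[0], fields[1], fields[2]

def check_changed_key(stored_line, offered_line, trusted_fp):
    """Classify the key the server offers now against the stored one."""
    _, stored_type, stored_key = parse_key_line(stored_line)
    _, offered_type, offered_key = parse_key_line(offered_line)
    if (stored_type, stored_key) == (offered_type, offered_key):
        return "unchanged"
    if hmac.compare_digest(fingerprint(offered_key), trusted_fp):
        return "expected-change"   # safe to run ssh-keygen -R and reconnect
    return "mismatch"              # keep the old entry and investigate

def constructed_key_line(host, fill):
    """Build a syntactically valid ssh-ed25519 line from constructed bytes."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes([fill]) * 32)
    return "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode())

# Constructed sample data: not real keys, host or port.
STORED = constructed_key_line("[192.0.2.10]:2222", 0x11)   # entry in known_hosts
OFFERED = constructed_key_line("[192.0.2.10]:2222", 0x22)  # what the server sends now
DEVICE_FP = fingerprint(parse_key_line(OFFERED)[2])        # read off the device itself

if __name__ == "__main__":
    print(check_changed_key(STORED, OFFERED, DEVICE_FP))
```

When the server listens on a non-default port, the known_hosts entry is stored as "[remotehost]:port", and that is the form to pass to ssh-keygen -R.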


Thursday, December 10, 2015

Voice recognition vulnerabilities

A good read:
http://resources.infosecinstitute.com/security-vulnerabilities-of-voice-recognition-technologies/

Monday, November 2, 2015

Vulnerabilities in Voice Biometrics

The following vulnerabilities are found in voice biometrics:

Replay: The biggest concern is the replay attack. Hackers might attempt to gain unauthorized access to a voice-authenticated system by playing back a pre-recorded voice sample from an authorized user. Proper anti-replay/anti-spoofing measures need to be implemented.

Voiceprint re-enrollment (Social Engineering): The malicious user claims to the contact center agent that they are unable to authenticate with their voice, and that their voiceprint needs to be re-enrolled. If the agent complies, a fraudster can be enrolled in the system and be provided with access to a legitimate account.

Brute force attack: This attack consists of a fraudster calling the IVR or call center numerous times until their voice is mistakenly accepted by the voice biometric system as belonging to a legitimate account holder. Vulnerability testing conducted on deployed voice biometric systems indicates that the success rate of a brute force attack is between 0.1% and 0.5%.

Mitigation:

Replay attacks-

Any voice identification solution needs to include measures to detect replay attacks.
- Voice biometrics should be able to tell the difference between real and fake users.
- Anti-spoofing is the key.
- Challenge-response mechanism.

Text-Prompted Authentication: In text-prompted mode, users enroll by repeating a set of keywords (digits, places, names, etc.). Verification requires the user to repeat a randomly generated sequence of a subset of those keywords. This mitigates the above threat, as the fraudster will not have a recording of the legitimate account holder’s voice speaking the random passphrase.
Text-Dependent Authentication with a Passphrase: Rather than having a universal phrase that an attacker can easily gain knowledge of, users can enroll with their own secret phrase. Users are then responsible for keeping their phrase secret (and remembering it). The system does not prompt the user to speak the specific phrase. Instead, it simply asks them to repeat their secret phrase, making it difficult for an attacker to know what set of words to record to execute a replay attack.

Voice re-enrollment-
An agent can verify that the caller has recently enrolled and has not been able to verify. A caller who has successfully authenticated previously and requests a voice biometric re-enrollment is most likely either a fraudster or does not need to be re-enrolled.

Brute force-
As with a classic brute force attack, block the caller after a predetermined number of unsuccessful login attempts. If there are three concurrent failed authentication attempts on a single account, that account can be locked to minimize the probability of a successful attack.
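
The text-prompted challenge and the three-failure lockout described above can be combined in one verifier. The following is an added sketch, not code from any voice biometrics product: the class name, the score threshold and the inputs transcript (words recognised in the audio) and voice_score (the engine's match score) are assumptions, and failures are counted consecutively per account.

```python
import secrets

MAX_FAILURES = 3  # lock the account after three failed attempts, as in the text

class TextPromptedVerifier:
    def __init__(self, keywords, prompt_len=4, min_score=0.8):
        self.keywords = list(keywords)   # words the user spoke at enrollment
        self.prompt_len = prompt_len
        self.min_score = min_score       # assumed engine acceptance threshold
        self.pending = {}                # account -> outstanding challenge
        self.failures = {}               # account -> consecutive failures
        self._rng = secrets.SystemRandom()

    def locked(self, account):
        return self.failures.get(account, 0) >= MAX_FAILURES

    def issue_challenge(self, account):
        """Pick a fresh random sequence from the enrolled keywords."""
        if self.locked(account):
            raise PermissionError("account locked")
        challenge = self._rng.sample(self.keywords, self.prompt_len)
        self.pending[account] = challenge
        return list(challenge)

    def verify(self, account, transcript, voice_score):
        """Accept only the current prompt, spoken once, in a matching voice."""
        if self.locked(account):
            return "locked"
        challenge = self.pending.pop(account, None)   # each prompt is single-use
        if (challenge is not None and list(transcript) == challenge
                and voice_score >= self.min_score):
            self.failures[account] = 0
            return "accepted"
        # A replayed recording has the right voice but the wrong word sequence.
        self.failures[account] = self.failures.get(account, 0) + 1
        return "locked" if self.locked(account) else "rejected"

# Constructed enrollment vocabulary for the example.
KEYWORDS = ["zero", "one", "two", "three", "four",
            "five", "six", "seven", "eight", "nine"]

if __name__ == "__main__":
    v = TextPromptedVerifier(KEYWORDS)
    prompt = v.issue_challenge("acct-1")
    print(prompt, v.verify("acct-1", prompt, 0.95))
```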


Monday, October 5, 2015

Voice Biometrics: Advantages and Disadvantages

Pros:
Less prone to compromise: Unlike PINs and passwords, which can be stolen from compromised storage and replayed, voiceprints cannot be replayed. Thus a compromised voiceprint is unusable for account access.
Anti-reversing: A voiceprint is a hashed string of numbers and characters that represents how a specific individual’s voice rates on the myriad of characteristics being measured. Also, it’s not possible to reverse engineer it to recover someone’s voice.
Proactive detection of known fraudsters: Each time a fraudster speaks within an IVR or to a contact center agent, the fraudster leaves his/her voiceprint in the same way that our fingers leave fingerprints when we touch an object. This enables an organization to create and store voiceprints of known fraudsters.
Non guessable: A voice is unique to the individual. It can’t be guessed unlike PINs or passwords.
Cost effective: The cost of implementation is low because there is no special hardware required. A simple telephone or microphone is all that a user needs to authenticate using her voice. Other methods of biometric authentication like fingerprinting and retinal scans require special devices.
Ease of usability: Most important to the future of voice biometrics is that it is the only biometric that allows users to authenticate remotely.
Quick enrollment: It is quick to enroll in a voice authentication system. The user is asked to speak a certain set of words or phrases, or to speak for a certain length of time.
Fast: Authentication is very fast; it can be completed in 0.5 seconds.
Less storage size: Another advantage is that the storage size of the voiceprint is small.

Cons:
Relatively low security: The biggest disadvantage is the replay attack. Hackers might attempt to gain unauthorized access to a voice-authenticated system by playing back a pre-recorded voice sample from an authorized user. Proper anti-replay/anti-spoofing measures need to be implemented.

Low accuracy: Changes in a person's voice, differences in speaking instruments, etc. can affect recognition. By comparison, other forms of biometrics such as retinal or fingerprint scans are more accurate and less prone to change.