In my post I will present 3 different methods I used to understand the network behavior (the focus is on network analysis, nothing more) of an Android application I analyzed:
using an HTTPS interception proxy;
MITMing the network traffic;
profiling the application with Android Studio.
Everyone can use the method they want (some simply may not work in your scenario), the results of the analysis are the same; the method you’ll choose depends on the scenario you are testing, the software you are used to working with and so on. Consider that the first two methods can be used to inspect the traffic from any application/program/device, not only an Android application.
Weeks ago, I read a blog post by Cofense showing how bad guys can trick users into granting permissions to a malicious application to “grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information“. This kind of phishing attack uses the power of OAuth2 to bypass the need of user’s credentials and second factor.
During Covid-19 lockdown lot of organizations went remote using cloud services; Microsoft 365 services are widely used and a perfect target for attackers. Because of Cofense worrying statement I decided to better understand how these attacks work, how to detect it and what information an attacker can really steal from a corporate account or a personal one.
Squid can be configured to make SSL/TLS inspection (aka HTTPS interception) so the proxy can decrypt proxied traffic (Squid calls this feature ssl bump).
Afaik the Squid package included in the Linux distros is not compiled with SSL/TLS inspection support but the good news is that diladele (its github repo and Websafetydocumentation are useful resources) provides packages for Ubuntu and Centos, recompiled (you can do by yourself) with support for HTTPS filtering and SSL/TLS inspection. This means that we have just to configure Squid. Not an easy task anyway 🙂
I provide to you a working config, follow next steps.
I was very busy organizing the second edition of RomHack, the free cyber security conference made with ❤ by Cyber Saiyan – the non-profit organization I founded 2 years ago – that took place in Rome past 28th of September.
We had an incredible lineup with italian and international speakers coming from around the world and 400 attendees. Not just the conference; at the end of the conf 16 team played the on site Capture The Flag.
Phishing is a common attack characterized by simplicity and effectiveness; phishing emails are used to drop malware, cryptolocker, steal credentials… and they are successfull just because Dave. I suggest reading this page to understand “the existing forms of phishing attacks and the currently available mitigations“.
Companies – hopefully – train their employees with internal phishing campaigns; in this post I show how we can build a simple office document that – once opened – sends information to an external server. We can use the document – along with Gophish or other tools – to build our own phishing campaign and test our organization exposure to phishing, teaching people and rising awareness.
I use twitter to follow a lot of good feeds but often I need to follow twitter threads for new replies to have a fast and complete view of complex threads even if I’m not cited or the tweet owner.
I did some search and found a python script from @edu on github that was a good starting point. I learned that twitter API doesn’t allow to get all the replies to a tweet but can be used to search for replies to a given tweet and replies to any reply as well. Good.
So starting from @edu code I wrote Twitter Scraper, a project – made of 2 scripts
twitter-scraper.py to get a complete list of twitter threads replies so you can have a fast and complete view of complex threads even if you are not the owner or you are not cited in all the tweet branches [video]
In this post I just show what domains you need to enable to authorize access to telegram and whatsapp web sites behind your corporate proxy. This is useful when you need to allow – like me – just a subset of your users to access it.
Long time since my last post. I was very busy creating Cyber Saiyan – a non-profit organization – and organizing RomHack 2018, a free cyber security event that will take place in Rome next September 22th.
On the field of threat intelligence automation and info sharing community building, the work continued too.
I’m working hard with italian community and we setup a STIX/TAXII network using a combination of open source sofware: MISP, OpenTAXII and MineMeld. We are now testing a complex consumer/producer network where companies (producers) can push IoC that, after validation, are injected into the consumer network, a TAXII service built on top of MineMeld.