Clint Gibler

Trust is an implicit requirement of doing business - at some point, we must trust employees, peers, and technology to a degree. The lack of proper management or understanding of these various trust relationships is a leading cause of security exposure. This talk will cover the analysis and exploitation of the trust relationships between code, platforms, developers, and their parent organization. We will look at the software development life cycle and how it can be actively exploited to attack… Show more

Trust is an implicit requirement of doing business - at some point, we must trust employees, peers, and technology to a degree. The lack of proper management or understanding of these various trust relationships is a leading cause of security exposure. This talk will cover the analysis and exploitation of the trust relationships between code, platforms, developers, and their parent organization. We will look at the software development life cycle and how it can be actively exploited to attack, evade defenses, and ultimately own a target organization.

To support our discussion of attacking trust relationships, we will also be releasing and presenting GitPwnd, a tool to aid network penetration testers in compromising machines and spreading control within development-heavy environments. These environments tend to have heavily segmented networks and extensive logging and monitoring. Defensive tools often look for process activity and timing that differs from normal user behavior. GitPwnd evades these defenses by inserting itself into common development workflows. We'll describe GitPwnd's architecture, implementation choices to evade detection, and we'll conclude with a live demo of GitPwnd worming through a segmented network. Show less

As security professionals, we’re aware of the types of security issues our company faces and we constantly read of breaches in the media. But how prevalent are specific types of vulnerabilities, such as cross-site scripting, in real companies today? We’re numbers people- we want hard data, not anecdotes.

While most would agree that publishing this information would be valuable to the community, few companies are willing to openly discuss their experiences.

In this talk, I’ll… Show more

As security professionals, we’re aware of the types of security issues our company faces and we constantly read of breaches in the media. But how prevalent are specific types of vulnerabilities, such as cross-site scripting, in real companies today? We’re numbers people- we want hard data, not anecdotes.

While most would agree that publishing this information would be valuable to the community, few companies are willing to openly discuss their experiences.

In this talk, I’ll discuss insights gained from analyzing the results of running a commercial security scanner on 100 international companies across 10 industry verticals, including Financial Services, IT, and Healthcare, from 2014 through 2015, collectively representing about a million findings.

I'll examine questions such as:

- What are the common types of vulnerabilities in real companies today? Does it vary by industry?
- For a given type of vulnerability, how long does it take companies to remediate issues?
- Does the time to fix depend on one or more of: the type of the vulnerability, its severity, or merely on its solution?
- Do companies or industries tend to fix the same types of vulnerabilities in a similar time frame or is there significant variation? Show less

In order to augment and scale limited in-house security expertise, many organizations rely on automated security scanning tools to find misconfigurations, services that need to be patched, and web application vulnerabilities. While much research has been done into detecting new types of vulnerabilities and finding known ones more precisely, there has been disappointingly little examination of how successful these techniques are in practice and, more importantly, how effective these tools are in… Show more

In order to augment and scale limited in-house security expertise, many organizations rely on automated security scanning tools to find misconfigurations, services that need to be patched, and web application vulnerabilities. While much research has been done into detecting new types of vulnerabilities and finding known ones more precisely, there has been disappointingly little examination of how successful these techniques are in practice and, more importantly, how effective these tools are in making companies more secure.

We will discuss insights gained from analyzing the results of running a commercial security scanner on 100 international companies across 10 industry verticals from February 2014 until May 2015, collectively representing over 900,000 findings. We examine questions such as: what are the common types of vulnerabilities in real companies today? Does it vary by industry? For a given type of vulnerability, how long does it take companies to remediate issues? Does the time to fix depend on one or more of: the type of the vulnerability, its severity, or merely on its solution? Do companies or industries tend to fix the same types of vulnerabilities in a similar time frame or is there significant variation?

We aim to provide industry professionals with objective data against which they can compare their company's performance, and security researchers with insights into impactful areas they can focus on in their future work. Show less

Programming is knowledge intensive.While it is well understood that programmers spend lots of time looking for information, with few exceptions, there is a significant lack of data on what information they seek, and why. Modern platforms, like Android, comprise complex APIs that often perplex programmers. We ask: which elements are confusing, and why? Increasingly, when programmers need answers, they turn to StackOverflow. This provides a novel opportunity. There are a vast number of… Show more

Programming is knowledge intensive.While it is well understood that programmers spend lots of time looking for information, with few exceptions, there is a significant lack of data on what information they seek, and why. Modern platforms, like Android, comprise complex APIs that often perplex programmers. We ask: which elements are confusing, and why? Increasingly, when programmers need answers, they turn to StackOverflow. This provides a novel opportunity. There are a vast number of applications for Android devices, which can be readily analyzed, and many traces of interactions on StackOverflow. These provide a complementary perspective on using and asking, and allow the two phenomena to be studied together. How does the market demand for the USE of an API drive the market for knowledge about it? Here, we analyze data from Android applications and StackOverflow together, to find out what it is that programmers want to know and why. Show less

The popularity and utility of smartphones rely on their vibrant application markets; however, plagiarism threatens the long-term health of these markets. We present a scalable approach to detecting similar Android apps based on their semantic information. We implement our approach in a tool called AnDarwin and evaluate it on 265,359 apps collected from 17 markets including Google Play and numerous third-party markets. In contrast to earlier approaches, AnDarwin has four advantages: it avoids… Show more

The popularity and utility of smartphones rely on their vibrant application markets; however, plagiarism threatens the long-term health of these markets. We present a scalable approach to detecting similar Android apps based on their semantic information. We implement our approach in a tool called AnDarwin and evaluate it on 265,359 apps collected from 17 markets including Google Play and numerous third-party markets. In contrast to earlier approaches, AnDarwin has four advantages: it avoids comparing apps pairwise, thus greatly improving its scalability; it analyzes only the app code and does not rely on other information — such as the app’s market, signature, or description — thus greatly increasing its reliability; it can detect both full and partial app similarity; and it can automatically detect library code and remove it from the similarity analysis. We present two use cases for AnDarwin: finding similar apps by different developers (“clones”) and similar apps from the same developer (“rebranded”). In ten hours, AnDarwin detected at least 4,295 apps that have been the victims of cloning and 36,106 apps that are rebranded. By analyzing the clusters found by AnDarwin, we found 88 new variants of malware and identified 169 malicious apps based on differences in the requested permissions. Our evaluation demonstrates AnDarwin’s ability to accurately detect similar apps on a large scale. Show less

Malicious activities involving Android applications are rising rapidly. As prior work on cyber-crimes suggests, we need to understand the economic incentives of the criminals to design the most effective defenses. In this paper, we investigate application plagiarism on Android markets at a large scale. We take the first step to characterize plagiarized applications and estimate their impact on the original application developers. We first crawled 265,359 free applications from 17 Android… Show more

Malicious activities involving Android applications are rising rapidly. As prior work on cyber-crimes suggests, we need to understand the economic incentives of the criminals to design the most effective defenses. In this paper, we investigate application plagiarism on Android markets at a large scale. We take the first step to characterize plagiarized applications and estimate their impact on the original application developers. We first crawled 265,359 free applications from 17 Android markets around the world and ran a tool to identify similar applications (“clones”). Based on the data, we examined properties of the cloned applications, including their distribution across different markets, application categories, and ad libraries. Next, we examined how cloned applications affect the original developers. We captured HTTP advertising traffic generated by mobile applications at a tier-1 US cellular carrier for 12 days. To associate each Android application with its advertising traffic, we extracted a unique advertising identifier (called the client ID) from both the applications and the network traces. We estimate a lower bound on the advertising revenue that cloned applications siphon from the original developers, and the user base that cloned applications divert from the original applications. To the best of our knowledge, this is the first large scale study on the characteristics of cloned mobile applications and their impact on the original developers. Show less

We present DNADroid, a tool that detects Android application copying, or “cloning”, by robustly computing the similarity between two applications. DNADroid achieves this by comparing program dependency graphs between methods in candidate applications. Using DNADroid, we found at least 141 applications that have been the victims of cloning, some as many as seven times. DNADroid has a very low false positive rate — we manually confirmed that all the applications detected are indeed clones by… Show more

We present DNADroid, a tool that detects Android application copying, or “cloning”, by robustly computing the similarity between two applications. DNADroid achieves this by comparing program dependency graphs between methods in candidate applications. Using DNADroid, we found at least 141 applications that have been the victims of cloning, some as many as seven times. DNADroid has a very low false positive rate — we manually confirmed that all the applications detected are indeed clones by either visual or behavioral similarity. We present several case studies that give insight into why applications are cloned, including localization and redirecting ad revenue. We describe a case of malware being added to an application and show how DNADroid was able to detect two variants of the same malware. Lastly, we offer examples of an open source cracking tool being used in the wild. Show less

As mobile devices become more widespread and powerful, they store more sensitive data, which includes not only users’ personal information but also the data collected via sensors throughout the day. When mobile applications have access to this growing amount of sensitive information, they may leak it carelessly or maliciously.

Google’s Android operating system provides a permissions-based security model that restricts an application’s access to the user’s private data. Each application… Show more

As mobile devices become more widespread and powerful, they store more sensitive data, which includes not only users’ personal information but also the data collected via sensors throughout the day. When mobile applications have access to this growing amount of sensitive information, they may leak it carelessly or maliciously.

Google’s Android operating system provides a permissions-based security model that restricts an application’s access to the user’s private data. Each application statically declares the sensitive data and functionality that it requires in a manifest, which is presented to the user upon installation. However, it is not clear to the user how sensitive data is used once the application is installed. To combat this problem, we present An- droidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually.

We evaluate the efficacy of AndroidLeaks on 24,350 Android applications from several Android markets. AndroidLeaks found 57,299 potential privacy leaks in 7,414 Android applications, out of which we have manually verified that 2,342 applications leak private data including phone information, GPS location, WiFi data, and audio recorded with the microphone. AndroidLeaks examined these applications in 30 hours, which indicates that it is capable of scaling to the increasingly large set of available applications. Show less

Recent years have witnessed incredible growth in the popularity and prevalence of smart phones. A flourishing mobile application market has evolved to provide users with additional functionality such as interacting with social networks, games, and more. Mobile applications may have a direct purchasing cost or be free but ad-supported. Unlike in-browser ads, the privacy implications of ads in Android applications has not been thoroughly explored. We start by comparing the similarities and… Show more

Recent years have witnessed incredible growth in the popularity and prevalence of smart phones. A flourishing mobile application market has evolved to provide users with additional functionality such as interacting with social networks, games, and more. Mobile applications may have a direct purchasing cost or be free but ad-supported. Unlike in-browser ads, the privacy implications of ads in Android applications has not been thoroughly explored. We start by comparing the similarities and differences of in-browser ads and in-app ads. We examine the effect on user privacy of thirteen popular Android ad providers by reviewing their use of permissions. Worryingly, several ad libraries checked for permissions beyond the required and optional ones listed in their documentation, including dangerous permissions like CAMERA, WRITE CALENDAR and WRITE CONTACTS. Further, we discover the insecure use of Android’s JavaScript extension mechanism in several ad libraries. We identify fields in ad requests for private user information and confirm their presence in network data obtained from a tier-1 network provider. We also show that users can be tracked by a network sniffer across ad providers and by an ad provider across applications. Finally, we discuss several possible solutions to the privacy issues identified above. Show less