Category: Security

Reversing for fun thanks to intelligence service

Capture The Flag, or CTF for short, always are a good opportunity to challenge its knowledge and capabilities about software security. This year again, the DGSE (Directorate General for External Security, the French foreign intelligence services) and Telecom SudParis school teamed up to create the 404 CFT: a free-to-join online CTF. I decided to give it a try to check how my reverse engineering skills aged.

I tackled the Android reverse engineering challenge. It was split in two parts: Bugdroid Fight [1/2], rated as easy I won’t detail here, and Bugdroid Fight [2/2] rated as average difficulty (the second of the four difficulty levels before hard and extreme) I will walk through in this post. The goal for a CTF challenge is to find a flag: like an hidden text or a password. Running the application inside an emulator quickly gives how to find the flag: you have to find the text that validates the application form.

Read More

Mozilla Sync header

Firefox Sync server hosting

The last weeks demonstrate how personal information are sensitive and valuable. Companies like Ebay, Spotify, AVAST have been hacked and stolen of their client databases. Those facts motivate me to host my own Firefox Sync server instead of uploading my data to another big cloud company.

Firefox sync banner

Firefox Sync is a solution to store and keep synchronize Firefox data like bookmarks, history, passwords or preferences. Since Firefox 29, a new version of Sync is available (version 1.5). It uses the new Firefox accounts as authentication mechanism. The service definition and separation between authentication, token and storage allow to change and plug new servers on the fly. So you could host your own Sync server without having to worry about auth. Auth will be provided by Mozilla servers, which don’t store your plain text passwords or encryption keys. You may check the source code of the authentication server on Github or the Sync protocol for more details.

The Sync server installation procedure is quite well described by Mozilla. It explains how to get, build and run and test a custom Sync server on the built-in server (some git and make commands). Once everything works, you could set up your Firefox browser to point at your own server and test with your account and data. For production use, you could bind it on your Apache on Ngnix server throw WSGI or Gunicorn module (the built-in server is not intended to be use in production context).

In conclusion, I run my own Sync server to store my personal data. The server is lightweight and data takes less than 10 mo of storage. I enforced the security with requested client certificate and IP filtering and I could have a look to all access done with the Apache logs. So even if Firefox accounts are leaked (and we should consider they will be), attacker needs to know location of the server, get a certificate, find a valid IP address before getting access to my Sync server. According the interest of my data, the risk is very low.

I encourage your to host as often as possible your data. Nowadays, it is the real people value. So take care of it and thanks the Mozilla company to allow us to do it (hey Google, what about Chrome ?).

Firefox Sync test
Bonus: Testing server and account synchronization

php header

Security conferences by AFUP

Early in the week, I was to the security conferences led by the AFUP about the software security. The main goals of those conferences was to make developers aware of the real dangers of security breaches. The first conference was given by the OWASP organization, a non-profit organization focused on improving security. The main key points of its talk was:

  • If your application wasn’t attacked yet, it will be,
  • If your are aware of the most critic security risks and you choose to handle them, you could prevent the bigger part of coming attacks,
  • You could handle security risk easily with theirs documentations and tools freely available.

The second conference was made by an AFUP member, Christophe Villeneuve, the creator of the elephpant. The talk focused on how to secure you PHP applications. It tooks the most common security risks previously described and explains how to prevent it with PHP language. He deals with subjects like database request escapement, user input cleaning or risky specific language features (PHP-SELF, global, …).

The third and last conference was made by a security engineer of Mozilla to present security solutions added to Firefox OS. She explained last additions like application signature and installation source, permission system or content security policy (CSP). It also was also opportunity to demonstrate the last version of Firefox OS 2.0 and a static JavaScript code analyzer ScanJS.

To conclude, the conferences were interesting and networking very pleasant. I would like to thanks talkers for their time and Mozilla for their premises and I end with some picture of the night and the video will be soon online.

Adobe Flash header

Why Flash is still alive ?

I post today to ask an open question : « Why Flash is still alive ? ». Some days ago I was raging again Flash on some website when I wondered why Flash is always used ? In my computer user life, I lost several hours trying to get Flash work properly. Bad Linux support, browser freezes, oh wait, making a list !

Cons:

  • CPU and memory consumptions (for the player itself and browser sandbox),
  • Security leaks and intrusion vector (see Adobe security bulletins numbers and date),
  • Bad support for OS other than Windows (only old and vulnerable versions for Linux),
  • No multiple screens support (start player from one screen, move it to a second one and go fullscreen: player displays content on full first screen),
  • Freezes and BSOD (under Windows at least),
  • Invasive updater (does not take care of user update preferences, no proxy settings, deletes itself if download fails, offline installer well hidden in Adobe site),
  • No more supported on mobile devices (Android, iOS, WP8).

Pros:

  • Advanced features for video player (stream quality switch, ads overlay),
  • Fast and cheap indy game development.

For the video player advanced features, I think web standard evolutions will quickly offer equivalent features (including standard adoption in browsers). Technologies like WebRTC show how browsers evolved into natively supported multimedia platforms. For the Flash browser game, how long could they fight against full web games when you see that Unreal Engine 3 works with JS and WebGL ? Or against the Chrome gamepad API ?

And how long browser developers will let Flash ruin their hard work of speeding up and responsibility increase ? Remember the other Adobe software plugged in browser, Reader, was brushed aside by some lines of fast JS.

Definitely Flash belongs to the past. But for how long will it remain in the present ?