Tag: security

Reversing for fun thanks to intelligence service

Capture The Flag, or CTF for short, always are a good opportunity to challenge its knowledge and capabilities about software security. This year again, the DGSE (Directorate General for External Security, the French foreign intelligence services) and Telecom SudParis school teamed up to create the 404 CFT: a free-to-join online CTF. I decided to give it a try to check how my reverse engineering skills aged.

I tackled the Android reverse engineering challenge. It was split in two parts: Bugdroid Fight [1/2], rated as easy I won’t detail here, and Bugdroid Fight [2/2] rated as average difficulty (the second of the four difficulty levels before hard and extreme) I will walk through in this post. The goal for a CTF challenge is to find a flag: like an hidden text or a password. Running the application inside an emulator quickly gives how to find the flag: you have to find the text that validates the application form.

Read More

Mozilla Sync header

Firefox Sync server hosting

The last weeks demonstrate how personal information are sensitive and valuable. Companies like Ebay, Spotify, AVAST have been hacked and stolen of their client databases. Those facts motivate me to host my own Firefox Sync server instead of uploading my data to another big cloud company.

Firefox sync banner

Firefox Sync is a solution to store and keep synchronize Firefox data like bookmarks, history, passwords or preferences. Since Firefox 29, a new version of Sync is available (version 1.5). It uses the new Firefox accounts as authentication mechanism. The service definition and separation between authentication, token and storage allow to change and plug new servers on the fly. So you could host your own Sync server without having to worry about auth. Auth will be provided by Mozilla servers, which don’t store your plain text passwords or encryption keys. You may check the source code of the authentication server on Github or the Sync protocol for more details.

The Sync server installation procedure is quite well described by Mozilla. It explains how to get, build and run and test a custom Sync server on the built-in server (some git and make commands). Once everything works, you could set up your Firefox browser to point at your own server and test with your account and data. For production use, you could bind it on your Apache on Ngnix server throw WSGI or Gunicorn module (the built-in server is not intended to be use in production context).

In conclusion, I run my own Sync server to store my personal data. The server is lightweight and data takes less than 10 mo of storage. I enforced the security with requested client certificate and IP filtering and I could have a look to all access done with the Apache logs. So even if Firefox accounts are leaked (and we should consider they will be), attacker needs to know location of the server, get a certificate, find a valid IP address before getting access to my Sync server. According the interest of my data, the risk is very low.

I encourage your to host as often as possible your data. Nowadays, it is the real people value. So take care of it and thanks the Mozilla company to allow us to do it (hey Google, what about Chrome ?).

Firefox Sync test
Bonus: Testing server and account synchronization

php header

Security conferences by AFUP

Early in the week, I was to the security conferences led by the AFUP about the software security. The main goals of those conferences was to make developers aware of the real dangers of security breaches. The first conference was given by the OWASP organization, a non-profit organization focused on improving security. The main key points of its talk was:

  • If your application wasn’t attacked yet, it will be,
  • If your are aware of the most critic security risks and you choose to handle them, you could prevent the bigger part of coming attacks,
  • You could handle security risk easily with theirs documentations and tools freely available.

The second conference was made by an AFUP member, Christophe Villeneuve, the creator of the elephpant. The talk focused on how to secure you PHP applications. It tooks the most common security risks previously described and explains how to prevent it with PHP language. He deals with subjects like database request escapement, user input cleaning or risky specific language features (PHP-SELF, global, …).

The third and last conference was made by a security engineer of Mozilla to present security solutions added to Firefox OS. She explained last additions like application signature and installation source, permission system or content security policy (CSP). It also was also opportunity to demonstrate the last version of Firefox OS 2.0 and a static JavaScript code analyzer ScanJS.

To conclude, the conferences were interesting and networking very pleasant. I would like to thanks talkers for their time and Mozilla for their premises and I end with some picture of the night and the video will be soon online.