Locating our smartphone

Since smartphones installed in our lives, either for personal or professional use, one of the greatest fears is losing it. We store a great amount of sensitive information in this devices that can be potentially accessed by a malicious person. This problem is even bigger when it comes to professional smartphones, which have not only personal but also access to the corporate environment and information.

So what happens when you lose your mobile phone? If we have correctly hardened it, that will not be a major problem. The person who finds the device must know the code or the unlock pattern screen. In the best case, after N repeated attempts the device will wipe and no information will be compromised (full erase of user data). (Paranoid note: Do not leave footprints on the screen if we use a pattern to unlock the device).

And if we want to find it? Who knows, maybe no one found it and it still lays beneath the park bench. In this case we need third-party applications that allow us to locate the device. There are many of them, free and commercial, but we will describe briefly the most popular, although of course any reader contribution is obviously welcome.

Commercial applications

On one side we have the commercial applications, and every person must decide if the app is worth the price or not.


This product comes from an American company that provides a product to perform a full trace of a mobile device with an application available for Android, iOS or Blackberry. However, you need to pay $99.99 per year. The basic version includes the following features:

  • Call Log.
  • SMS received / sent.
  • Access the phonebook.
  • Tasks and Calendar.
  • History and Web bookmarks.
  • GPS tracking.
  • SIM change notification.

The ‘Platinum‘ version offers the possibility to listen to telephone calls among other options. This version ‘full-equipe‘ costs $199.99/yr. You can access a demo of the dashboard (or control panel) in the following link: http://demo.stealthgenie.com/dashboard


In the past we have already talked about Cerberus, as in the post regarding a case of “>malicious user that loses a mobile device on purpose (Spanish).

This application is available from € 2.99, with a lifetime license that allows you to control up to five different devices.

From the dashboard of Cerberus we have the following list of possible actions to control the device, among which is tracking through GPS.

This product is only available for Android smartphones.

Free applications

On the other hand, there are other free applications that allow you to track your mobile device. The features included are more limited than those offered by commercial solutions, but to some users they may be enough.


This application only allows to track the device via GPS. Although free, next December 13th it will cease to provide this service, something that can be of interest for those users who are currently using it.

Screenshot of the main dashboard
This product is only available for Android smartphones.


This is one of the solutions that most caught my attention, since from the begining it was a product to keep track of a computer (Windows or Mac OS X). Prey gradually expanded its range and now can be installed on Android, iOS and even Linux.

The advantages of this product is that there is a paid version ranging from $5 to $399 per month depending on the number of devices and functionality required. On the product page you can find more information on the plans.

Below there is a screenshot of the dashboard on an Android device that has this product installed.

As you can see in the picture above, the geolocation feature is not enabled unless the device has been lost, which is one of the main differences it has with Cerberus.

Another option to highlight is the locking of the mobile device with a password. In the moment that this feature is enabled (be the phone marked as lost or not) the device is blocked until the owner enters the password specified in the control panel, as shown in the image:

Plan B

What would happen if you lose your device without any of the above applications installed? As its name suggests, there is a plan B.

This application is available to download from Google Play and can be installed remotely on the device. We conducted a test setup and in minutes the application appeared correctly installed in the device.

Once installed, when the device gets GPS coverage it sends its coordinates to the Gmail account that’s associated with it.

This product is only available for Android smartphones.

Personal opinion

Getting into a more paranoid view, the application that best security and privacy offers (call it confidence if you want) is Prey, not only because it has a free version but because the trace options. Maybe it is not as complete as its competitors, but being an open source product has the advantage that the code is auditable and it can be verified that no unknown actions are performed without the user consent.

Of course, with this I want to re-emphasize the danger that we saw in the previous post about finding a mobile device on the street and using it in our daily tasks (or business, even more dangerous) without taking proper precautions.

Online reputation, a rising value

How much is our reputation worth? To respond to this issue we have to consider the relationship between reputation and success. And when I say “success” I mean achieving our objectives, both personal and professional. In certain groups, reputation is an essential element for its success or decline. We could include in that group people with public office as mayors, councilors, ministers, etc., but it also directly affects professionals from the private sector as actors, singers, designers and a long etcetera.

In this entry we’ll talk about the particularities of online reputation and see some examples that show its importance. Let’s start by defining what online reputation is. Although the concept has many corners worth to explore, the simplest definition comes courtesy of Wikipedia: The online reputation is a reflection of the prestige or esteem of a person or brand on the Internet.

It is known that to achieve and maintain a good reputation requires much effort, perseverance, dedication and time. On the other hand, “bad reputation” can be reached in the most unexpected moment as either hand of a scandal, a simple misunderstanding or an error. The same happens with “online reputation” but with the particularity that information technologies highlight the impact of our actions. If you are good, there are ways to publicizing, disseminate and make the most of our effort. However, our failures will also be more widespread, deeper and faster. Therefore, we could say that online reputation is more “fragile” than the reputation traditional concept. Needless to say that both concepts (reputation and online reputation) are closely linked.

To illustrate what we commented on the “fragility” of the online reputation, we will see some examples in which a unfortunate simple comment and/or misunderstanding has tarnished the reputation of some famous.

[Read more…]

Real Cloud Security

(Please note this post was originally published in the Spanish version of Security Art Work last 2nd Oct 2012)

Act I: The cloud

(In a small room we find the Chief Executive Officer (CEO), the Chief Security Officer (CSO) and the Chief Marketing Officer (CMO). The latter comes with a PC World magazine under his arm)

CMO: Blablablabla Cloud blablabla costs blablabla availability blablablabla Google.
CSO: Blablabla SLA blablabla, blablabla privacy, blablabla blablabla outsourcing, blablabla.
CEO: Blablablabla dollars, blablabla staff, IT blablabla servers. ¿Security? Blablablabla.
CSO: Blablabla, blablabla SOX, penalties, blablabla data theft blablabla, blablabla press. Blablabla impact and risk.
CMO: Insecure? Hahahaha, blablabla, blablabla and blablabla. CSO blablabla, distrust. Blabla, blabla, Gartner, blablabla?? Blablablabla. That does not happen.
CEO: blablablabla CIO, blablabla blablabla IT budget.
CSO: Alea jacta est.

Act II: Hunky-dory

(While the Chief Executive Officer looks at the Chief Marketing Officer tablet, they see the Chief Security Officer, who quickens the pace but is intercepted in the aisle)

CMO: Blablabla access, blablabla iPad, iPhone. Blablabla? CSO? Blablabla, this security guys blablabla. Access, blablabla, password blablabla, blablabla SSL.
CEO: Blablabla friendly, blabla, blablabla success. Blablablabla reason blabla costs, blablabla enterprise 2.0.
CSO: Pater Noster qui es in caelis, sanctificétur nomen Tuum

Act III: A small problem

(There is a problem in the Marshall Islands that has disabled the connection to the cloud provider, and althought it is not known yet, may have caused data loss)

CEO: Blablabla connection, blabla deletion, blablabla access. Blablablabla data, blablabla cloud!!
CMO: Blablablabla probability blabla blablablabla Gartner CIO, blabla CSO .
CSO: Blablabla risk, blablabla impact, blabla quality of service, blablabla Google.
CEO: Blablabla reputation, blablabla bussiness, blablabla Google!
CMO: …
CSO: …

Act IV: Choose Your Own Adventure

(Do you remember these books? ;)

Option #1

CSO: Blablabla backup, blabla fireproof, blablablabla recovery blablabla system.
CEO: Muacs.

Option #2

10 CEO: …
20 CMO: …
30 CSO: …
goto 10

Option #3

CSO: Blablablabla ¿CIO?
CIO: Blablabla, Terms of Service, blablablabla complaint, blablabla compensation, blablablabla.
CEO: Blablabla data, blablabla available blablabla #@!*& blablabla ten dollars.

Well, how did finished the adventure in the cloud?

If you’ve been able to continue this conversation, you might like this video that our colleague Adrian has found:

Covert channels

(Please note this post was originally published in the Spanish version of Security Art Work last 26th Oct 2010)

Covert channels is an evasion technique that allows an attacker to send information using the communication protocols headers. In this post we will cover-up of channels in the TCP/IP protocols and provide a tool, CovertShell, designed as a proof of concept. The sources are at the end of this post.

The TCP/IP protocol has headers that usually are initialized by the client to maintain or number a communication. The technique covert channels uses these fields to assign them values ​​so the target machine does not interpret these fields as part of the communication, but to obtain data.

An interesting example was developed by Craig H. Rowland in his paper back in 1996: Covert Channels in the TCP/IP Protocol Suite, where he created a small client/server “CovertTCP” of no more than 500 lines that allowed file transfer between client and server, using for it only the fields SEQ, ACK (TCP protocol) and ID field (IP protocol). This information was on the protocol overhead and not in the payload.

[Read more…]

Auditing TCP stack with Scapy

Recently I have been playing with the library Scapy for Python. It allows to create any type of network packet with a few simple commands, even for non existing protocols making use of RAW packets.

Suppose we want to evaluate the behavior of the TCP stack when any combination of TCP flags is received. In order to do it, we need to send TCP packets to a given port using any combination of them.

Keep in mind that sending a packet with the SYN and ACK flags is the same as sending it with the flags ACK and SYN. Therefore it is necessary to generate any combination considering that the order does not affect the result and avoiding to send more packets than those strictly necessary.

[Read more…]

Introduction to SSH tunnels

(Please note this post was originally published in the Spanish version of Security Art Work last 19th Jul 2012)

All of us have at some time found that the service we wanted to access is on a computer unreachable from our network or other similar problems. If we have SSH access we can easily solve problems like this using SSH tunnels.

We propose a first scenario, in which we have a database server protected by a firewall that prevents us directly interact with the database but that can be accessed by SSH (assuming MySQL, which uses port 3306).

[Read more…]

The “hidden” information in your photos (they may be saying things you don’t know)

(Please note this post was originally published in the Spanish version of Security Art Work last 20th Jul 2011)

This post is not about steganography (see the definition we did in another post — Spanish), nor any complex technique developed by a technology expert. This is something much simpler: the geolocation information that some devices —including many smartphones— store on the photos without many users being aware of it. That information is saved in the “hidden” information of the photos and can be easily accessed with programs such as exif reader. Please note that with “hidden information” we do not mean information someone has tried to hide, but information that is unknown to most users of smartphones what in practice is basically the same as what we understand by “hidden”. Usually these devices have an option that allows us to enable or disable geolocation features; for instance, to do so on the Blackberry there is an option called GeoTag in the camera options.

As always the fact that a smartphone can geotag a photo is not a good or bad thing by itself. Our use of this information it’s what makes it a potential hazard so it’s important that everyone, especially the youngest ones, are aware of such information. It must be taken into account that the mixture between the geolocation of a photo and real-time information systems as it is the case of twitter can become an explosive mixture.

We can get an idea of this by visiting the url http://icanstalku.com/ (project currently closed). It’s just scaring.

As we can see, extracting the geolocation data (longitude and latitude stored in the photo information) and using Google Maps we have not only the picture of our beautiful dog that we wanted to share with our friends but also the geolocation of our nice house:

What follows it is a fictional story… or maybe not.

Let’s suppose “bichomalo” (if you want to know who “bichomalo” —Badguy— is check this link: http://www.youtube.com/watch?v=JcB_RfX0BVQ — Spanish) has just found Alice, a nice 15 years old girl who he is obsessed with.

Girl dads’ have bought her the latest smartphone with an Internet flat rate; they don’t know much about technology or security risks. Alice creates her twitter user —of course with her real name— and begins to tweet; it is cool. Soon, she starts sharing photos in their tweets, ignoring that they contain the coordinates of the place where the photo is taken. Bichomalo certainly knows it. He creates a fake profile and follows the girl; a photo of a young blonde girl trimmed down to show only her eyes, downloaded from any corner of the Internet, makes it credible enough. He often tweets girly things and even sends some private messages to Alice.

This friday our girl is at the birthday of her best friend. It took she some time to convince her parents but they finally accepted because she would not be far from home. The party is funny and she tweets many photos, but at 2am she gets tired and decides to go back home, only a few blocks away. “Time 2 go home“, publishes Alice in her twitter… Bichomalo reads it and knows exactly where is she, where is she going and her way to home; almost a hundred photos published over a couple of months with a lot of geolocation data. We don’t need to say anything else.

We can’t deny geolocation it is a useful technology. However, as with any other technology, we must be aware of its dangers and there’s only one way for it: education. Even more when, as we have seen, when its bad use may impact significantly on vulnerable groups as our children.

Securing your Android in open Wi-Fi networks

A couple months ago, our partner Jose Vila talked about the power of SSH tunnels. He showed how we can avoid firewalls and bypass those tricky filters using tunnelled traffic.

Today, I’m going to show you a different approach.

Nowadays, it is a dangerous thing to connect your smartphone unprotected to a free Wi-Fi. It is quite common that somebody is sniffing the traffic or you suffer an ARP poison attack. Then how can I be secure on a wifi network? Once again, with SSH tunnels. And how to build SSH tunnels with my Android? With SSH Tunnel.

[Read more…]

Customizing “Cuckoo Sandbox”

(Please note this post was originally published in the Spanish version of Security Art Work last 19th Nov 2012)

As many of our readers will already know Cuckoo Sandbox is an application for the automatic analysis of malware. The installation process in the current version of the sandbox is quite simple and has been described by other blogs in a very detailed manner. Once we have already installed sandbox, it will give us reports, such as the ones found in the malware analysis service hosted on Malwr, about the behavior of the malware, on the imported APIs, the results from virustotal, packer used, etc.

In this post I would like to emphasize the “real power”, from my humble point of view, of this sandbox, power that lies in the modular design that have made its developers and in the simplicity to develop modules for the automatic analysis of malware, making it a highly customizable Sandbox.

The design includes the following types of modules:

  • Machine Managers: modules to interact with the virtualization software, mainly vmware and virtualbox.
  • Analysis Packages: modules to deal with the different types of packages (packages: exe, bin, pdf, etc.).
  • Process Modules: modules that define the actions that are launched on the results (pcap, etc.) collected during the phase of analysis and execution of the malware.
  • Signature Modules: modules to define signatures to be applied on the final results (“Process Modules“) of the previous phases.
  • Reporting Modules: modules to display results.

As we can see, the range of actions is very broad; we can add support for a new hypervisor (for example, we could add support to simulate Android) or to define how we want the information be displayed in our control panel with the design of a reporting module.

As I see it, the application design allows fast and easy writing of modules (at least signatures that has been what I have tried). Below I show two examples created quickly that have been added to the project (you can download all the signatures of the community with the “utils/community.py” utility):

  • CreateRemoteThread: detects code injections with CreateRemoteThread.
  • BOT Ruskill Mutex: detects a mutex of the bot Ruskill by what we have seen in different samples executed in the Sandbox.

As you can see the power of customization it is very high and if Cuckoo roots in the community, will be a very serious alternative for automatic analysis of malware.


(Please note this post was originally published in the Spanish version of Security Art Work last 20th Nov 2012)

A couple of weeks ago I saw ARGO, a film directed by and starring Ben Affleck. I have to admit that I didn’t put much hope in it (Daredevil did much evil to Ben Affleck… well, that one and many others), but it turned out to be more than good (it gets a 7.4 in filmaffinity).

Without getting into spoilers, ARGO it is based on a true story that takes place in Iran in 1979 in the middle of social riots. In order to say as little as possible, there is an attack on the United States Embassy, which decides to destroy all the existing information (indeed they first talk about burning the documentation but they finally use shredders). The Embassy is assaulted but a group of people from the Embassy flees and takes refuge “somewhere” in Iran. Since they haven’t burnt all the documentation, the attackers retrieve the documents shredded trying to recover information that allows them to identify the fugitives. And that’s all I can say.

What I mean is that sometimes we don’t give the paper documentation the necessary importance; we could say it is indeed often undervalued; not everything are passwords and encryption. In the same way, when we shred documentation, we often think that any shredder is good for this task.

[Read more…]