Blog

  • The Royal Mint sent me a limited edition gold coin

    • General
    • by Jacob Riggs
    • 25-07-2022
    5.00 of 9 votes

    For some voluntary work I did, The Royal Mint sent me a limited edition 22 carat gold coin which commemorates the life and legacy of the great mathematician and codebreaker Alan Turing. This included bespoke packaging that contained a small 'Innovation in Science' series booklet detailing Turing's remarkable achievements, and featured one of his most famous quotes: We can see only a short distance ahead, but we can see plenty there that needs to be done ~Alan Turing I would like to express my thanks to The Royal Mint for this thoughtful gift.

  • I hacked the Dutch Tax Administration and got a trophy

    • General
    • by Jacob Riggs
    • 12-02-2022
    5.00 of 41 votes

    The Dutch Tax Administration (Belastingdienst) sent me a trophy and formal letter of appreciation on behalf of the Dutch government. The front engraving on the trophy playfully reads, “I hacked the Dutch Tax Administration and never got a refund”. Together with the trophy was a formal letter of appreciation.On behalf of the Dutch Tax and Customs Administration, we would like to thank Jacob for participating in our Coordinated Vulnerability Disclosure program. For that, we present this letter of appreciation to Jacob.At the Dutch Tax and Customs Administration, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. For that, we warmly welcome people like Jacob as a particpiant in the Coordinated Vulnerability Disclosure program.We appreciate not only that you have reported a security issue to us, but also that you have professionally done this. I would like to extend my thanks to the Belastingdienst Security Operations Center for sending me such a kind gift.

  • I hacked the Ministry of Defence so they sent me this coin

    • General
    • by Jacob Riggs
    • 28-09-2021
    4.96 of 67 votes

    The UK Ministry of Defence (MoD) sent me a VDP challenge coin for my finding and responsible disclosure of a critical (9.6 CVSS) severity vulnerability. Together with the coin was a small thank you note.Thank you! The Ministry of Defence takes the security of our systems seriously. To show our appreciation for all your time and effort, we would like to reward you with a Vulnerability Disclosure hacker coin. This echos a similar response to when I hacked the Dutch government and they sent me a t-shirt.

  • I hacked the Dutch government and all I got was this t-shirt

    • General
    • by Jacob Riggs
    • 04-05-2021
    4.99 of 73 votes

    The NCSC-NL (National Cyber Security Centre – Netherlands) sent me a ‘lousy’ t-shirt on behalf of the Dutch government. Together with the t-shirt was a thank you letter.Thank you for bringing a vulnerability to our attention. Together with vulnerability reporters like you we can increase the resilience of Dutch society in the digital domain and better protect our systems and systems of our partners. This was a pleasant response to receive and illustrates a far better approach to engaging with ethical hackers than traditional threats of prosecution. However, there’s been some past controversy within the security community on whether this type of reward disincentivises ethical hacker participation by undermining the value inherent in VDP and bug bounty programs. Some argue that the effort researchers need to invest in helping to find and responsibly report vulnerabilities to government organisations far outweighs the level of compensation value these novelty rewards are worth. My view is that expectations should be managed realistically, and maybe the focus should shift away from pursuing personal gain to instead encouraging wider public sector adoption of better security practices. I’m happy with my t-shirt and appreciate the efforts the NCSC-NL went to. It’s certainly a better response than some of the other governments I’ve reported vulnerabilities to.

  • What are honeypots and honeynets?

    • General
    • by Jacob Riggs
    • 14-07-2020
    4.99 of 100 votes

    Believe it or not, sometimes admins will design systems to attract attackers. Working in information security, one of my favourite defensive strategies to deploy in operational practice involves the use of honeypots and honeynets. These tightly controlled decoy mechanisms are designed to entice attackers, rob them of their time, and help with profiling attack intent, objectives, and origin. Honeypots Honeypots are a useful way for admins to learn more about an adversary's objectives by intentionally exposing a machine that appears to be a highly valuable and sometimes unprotected target. Although a honeypot may seem legitimate to an attacker, honeypots are typically isolated from normal internal networks and configured in such a way that all interactive activity can be monitored and logged. This has several benefits from a defensive point of view. By convincing an attacker to focus their efforts on a designated honeypot endpoint, an administrator can gain insight into an attacker's tactics, techniques, and procesures (TTPs). This can be used to predict attack execution behaviour, or even aid in attribution and identifying where the attack may have originated from. Furthermore, honeypots may delay an attacker, buying administrators crucial time to respond, or force attackers to exhaust their own resources pursuing fruitless tasks. Honeypots have been in use for several decades, but they have often been costly to deploy because this typically meant dedicating actual hardware to face attackers, thus reducing what infrastructure could be reserved for production purposes. Furthermore, in order to engage an attacker for any significant amount of time, a honeypot needs to look like a real (and ideally valuable) network node, which means sitting in the attacker's seat and putting some thought into what software and data should be deployed on it. This all takes lots of time and traditionally was not practical for very large deployments. However, virtualisation addresses many of the challenges associated with administering honeypot machines because virtualised infrastructure is designed to scale easily. Honeynets A honeynet is an entire network designed to attract attackers. The benefits of its use are the same as that of honeypots, but honeynets are designed to look like real network environments, complete with real operating systems, applications, services, and associated network traffic. Honeypots can be thought of as a highly interactive set of honeypots, providing realistic feedback just as a real network would. For both honeypots and honeynets, deployed services are not actually used in production, so there shouldn't be any reason for any legitimate interaction with the servers. This makes it easy to recognise that any prolonged interaction with deployed services usually implies malicious intent. It follows that traffic from external hosts in a honeynet is usually indicative of attack behaviour and not as likely to be a false positive generated by expected network traffic.As with individual honeypots, all activity is monitored, recorded, and security controls optimised to balance the liklihood of any attack occurence with the ease of attack execution. As with honeypots, virtualisation has also improved the performance of honeynets, allowing for varied and easily scalable network configurations on existing hardware infrastructure.

  • Insight into the Android and iOS security architecture

    • General
    • by Jacob Riggs
    • 09-07-2020
    4.99 of 95 votes

    Mobile computing devices have revolutionised the way people interact with each other and the Internet, though just like any other computing device, mobile devices are subject to vulnerabilities. Some of these vulnerabilities are based on the design of the architecture and how data is processed, stored, and transmitted to and from the device. Mobile device architecture Smartphone and tablet devices are composed of various hardware and software components (e.g, an operating system and software applications). A battery provides the external power source, and a keypad or touchscreen allows the user to interact with the device. Most mobile devices are built with a system on a chip (SoC). The SoC is a small, integrated circuit that connects together common components that make up a mobile device. SoC are designed to reduce overall system costs, increase performance, and lower power consumption. Just like in a personal computer (PC), the CPU is used for decision logic and the GPU is responsible for visual processing. RAM provides temporary memory storage for applications, and ROM provides the long-term storage, such as for firmware and operating systems. When the mobile device is configured for a subscriber network like Three, EE, or Vodafone etc, the modem allows mobile devices to communicate over cellular networks, using basic phone services to make phone calls and send text messages. A SIM (subscriber identity module) card is unique, and is required in order to identify and authenticate a user's device on the cellular network. Once authenticated, the user's communications are encrypted. SIM cards have a limited storage capacity (up to 256KB) and contain information regarding the user's identity, location, network authentication data, phone number, stored contact lists, and even stored text messages. Setting a SIM personal identification number (PIN) on the mobile device can help protect your data in the event the device is lost or stolen. Two of the most common mobile operating systems on the market are iOS (iPhone Operating System) and Android. The iOS operating system is proprietary and runs exclusively on Apple mobile devices (i.e, iPhone, iPad, etc). Android, which is developed by Google, is open-source and found on a variety of hardware such as mobile phones, televisions, and other technological items. Android Android is a mobile operating system based on the Linux 2.x and 3.x kernels. Much like iOS, the Android platform is made up of different layers (stacks) that offer distinct services and interface with other components within the stack. On a mobile Android device, users interact within the application layer. This layer is also home for the native system apps that are installed by default such as the calendar app, camera, and email. Android applications are developed in Java. Applications run their own processes within a virtual machine (i.e, an instance of ART, which is short for Android Runtime), as if they were separate user accounts with separate home directories. This provides isolation among all the other applications running on the device. The Java application programming interface (API) framework exposes features of the Android OS to simplify access to application data and other system components. The primary components of an Android application are: Activities - Parts of the application the user can see. Fragments - A behaviour that is placed in an activity. Intents - Used for sending messages between other components. Broadcast receivers - Allow an application to receive notifications from other apps. Content providers - A SQLite database to store data in the form of a flat file. Services - Used to start intents, send notifications, and process data. The hardware abstraction layer (HAL) interfaces with built-in hardware components of the device. The native C and C++ libraries provide support for applications developed in native code, such as HAL and ART. The kernel provides foundational services to other components within the platform, such as drivers, memory management, display functionality, etc. iOS The iOS is based on Darwin, which is an open-source, Unix-based OS that was first released by Apple in 2000. iOS is a layered architecture that is made up of four levels of abstraction. Cocoa Touch - User interface (UI) framework for developing software apps, like games, to run on iOS. Media Services - Provides audio, graphics, video, and over-theair (AirPlay) capabilities. Core Services - Fundamental services like networking, file access, address book, etc. Core OS - Provides OS functionality such as power management, file system, etc. Each layer contains different frameworks, which are groups of libraries and resources (i.e, images, header files, etc) that can be used for developing an application. Smaller applications typically contain all the resources they need to function directly in the application bundle. In relation to iOS development, another word for framework is a bundle. Objective-C and Swift are high-level programming languages specifically for Apple operating systems like iOS, whereas the low-level programming language C is used for operating system and kernel development. The six core features of the iOS security architecture are: Hardware security Secure boot (secure boot chain) Code signing Sandbox Encryption and data protection General exploit mitigations When an iOS device is booted, it goes through a process that Apple calls the secure boot chain. Apple uses an Apple Root CA (Certificate Authority) certificate, which is loaded in read-only memory (boot ROM) for verifying other certificates to establish explicit trust relationships. Each step of the boot process contains components that are cryptographically signed by Apple. This signature represents a chain of trust and is verified every time the device is booted to ensure the device has not been tampered with. This process is similar to the applications that are allowed to run on the device. Apple use code signing to ensure only approved applications are deployed on the device. Users are forced to visit the Apple store to download authorised applications that have been signed by Apple, kind of like being in application prison. Ironically, jailbreaking the device is the only way to bypass the security mechanisms and run third-party applications. Jailbreaking is the process of exploiting a software vulnerability in iOS that enables low-level execution with elevated privileges to bypass the security mechanism in iOS. The hardware security feature provides cryptographic opertions to secure technologies operating on the iDevice. This is probably the most important security feature of the device. There are two Advanced Encryption Standard (AES) 256-bit encryption keys included on every iDevice, called group ID (GID) and unique ID (UID) values. The GID key is used to prevent modification to firmware files, outside of the user's private data. UIDs are created during manufacturing and are unique to every device. They are used in conjunction with passcodes and other data protection mechanisms for file encryption and decryption. If hardware-like memory chips are removed and reused on another iDevice, encrypted files would not be accessible. The keys are fused into the application processor and are not recoverable, not even when using a JTAG or other debugging interface. The AES-256 crypto engine, which works with a SHA-1 cryptographic hash function, is built into every iDevice to encrypt data and optimise overall performance. A JTAG (Joint Test Action Group) is a type of hardware mechanism used for debugging and connecting to embedded devices on a circuit board. The sandbox is a restricted area where applications are executed from. It is a general mitigation technique to prevent escalation attacks. If an application were to be compromised, the damage would be limited to the data managed by the vulnerable application and possibly the data from other applications, like your contacts, depending on the access restrictions enabled by the iOS user.   Conclusion Android and iOS application developers perform the majority of the software development higher up the stack, since most of the resources and libraries for working with subcomponents are readily available and easy to work with. Because most of the development activity happens at the application layer, mobile users tend to fall victim to vulnerabilities derived from poor security development practices. This is why it's important for security conscious mobile users to understand not only the underlying architecture, but also how to balance their own security considerations with the growing need for varied mobile device usage in practice.