Application and Cybersecurity Blog | Security Innovation
Security Innovation is a global provider of application security & cryptography solutions. The company helps build internal security expertise, reduce application risk, and improve the process by which applications are built.
Security Innovation operates in an industry with a job shortage approaching 3.5M* qualified professionals. Part of the gap is due to the specialized skills needed in the security space; the majority, however, is due to an inordinately small percentage of women and minorities:
At our core Security Innovation is a company helping to educate the world about Application Security wherever we can. Whether it be through our Computer Based Training, Security Testing or Cyber Range, we always get excited to see our customers learn and improve their security skills. A perfect example is Brandon Evans - a software engineer who recently won our AppSec Cali event and followed that up by finding all 55 issues in our InstaFriends site. Congratulations Brandon!
One of the biggest challenges facing the AppSec industry today is the lack of skilled people. No matter how many firewalls are stood up, scans are run, or courses attended, almost all security efforts require highly trained practitioners. Whether it’s penetration testers, developers, hiring managers or release engineers, there are thousands of unfilled roles waiting for the right hires.
Who doesn’t love March!? The weather gets nicer, birds start chirping, Spring cleaning airs out the house, and lots of basketball is played. In fact, so much basketball is watched during work hours that some estimates have productivity losses in excess of $6.3 Billion - not exactly chump change!
This also leads to slow time in offices as meetings are mysteriously rescheduled and 24-hour flu outbreaks approach epidemic proportions. What is one to do when their Thursday afternoon falls apart with almost no warning? We have an idea - learn to hack!
March Hackness is a five day event from March 20th-24th that lets users learn, improve and test their skills in our InstaFriends CMD+CTRL Cyber Range. If you’re brand new to the world of hacking, we’ll have videos and tutorials to get you up and running quickly. If you’ve been hacking for years, you’ll have a chance to prove yourself against winners of our Hack Through the Holidays challenge like Matthew Thurber - the first person to solve all 48 of our Shadow Bank challenges!
The world of hacking can be intimidating, so CMD+CTRL Cyber Ranges are designed to be easy to start and hard to finish. Our team has a variety of resources to help you on your way and can always be contacted at email@example.com with any questions.
Participation is simple. Just fill out this online registration form at and we’ll provide you with a special event code. Take that code to https://play.cmdnctrl.net, starting March 20th, sign up and you’ll be hacking away in minutes.
Coinciding with the launch we announced a reward to the first players to complete all 13 of the challenges. During the week we had dozens of players attempt to steal fake ether from these challenges. Out of all of our contestants, only 5 players were able to complete all 13 successfully and reach 15,000 points on the leaderboard.
In the spirit of decentralization, competitors were able to remain anonymous, supplying only their username of choice and an address associated with their testnet wallets.
Additionally, two other players who had created accounts during the competition were selected at random to receive an additional $50 reward.
These two users were: aghora and Leeky
Congratulations to everyone who participated!
How Were Rewards Distributed?
As you can imagine, delivering prize money without any way to contact our contestants could present a bit of a challenge. Luckily, by competing in the CTF and creating Metamask wallets, our winners had already provided us with everything we need to send them their prizes: a wallet address.
These addresses come in the form of a long hex string (e.g. 0xdcb37036c66bc6a5a19ccf0dbc0253e584499954) and are all that is necessary to identify a wallet when sending assets on the blockchain.
Using these addresses, we can ensure that the competitors will be able to claim their reward. Even though the accounts were created on the Ropsten testnet, the private keys in Metamask can easily be used to generate identical wallet addresses on the Ethereum mainnet.
xDai vs DAI
Originally, our plan was to distribute the reward as the DAI token, a decentralized stablecoin pegged 1:1 to the US dollar. The problem with this is that in order for the winners to then claim their DAI and send it to another account, they would need a small amount of ETH in their account to pay the transaction fee. Since these accounts were assumed to be used only on the Ropsten testnet, this creates a bit of a hassle for our players.
Having seen the recent successes of the Burner Wallet (https://xdai.io) at ETHDenver, we decided to distribute our rewards as xDai tokens via the POA Network instead. These xDai tokens exist on a side chain and are 1:1 mapped to DAI that is deposited and redeemed in an Ethereum mainnet smart contract.
The biggest benefit to using xDai over DAI in this situation is that the side chain uses xDai as its native currency and can thus pay all transaction fees (fractions of a penny per transaction) in xDai. This way our winners don't need to move any ether in order to send their reward to the wallet of their choosing.
We think this technology is really cool and are excited to keep watching the progress of xDai. We are especially excited to see continued research into ZK-SNARK integration with zDai to enable maximum transaction privacy while preserving usability.
We received a ton of great feedback on our competition over the week. In the interest of continuous improvement, we want to address two ways in which we look forward to improving future contests.
Start Everyone from Square One
Some of our challengers pointed out that there was an unfair advantage to anyone who had solved the previous 11 challenges before the competition began. We agree that this was not ideal. To remedy this, we plan on launching all new challenges as stand-alone applications so that everyone can start from a level playing field.
Ropsten Faucets were Dry
In unfortunate timing, our competition launch happened to intersect with the Metamask Ropsten ether faucet running out of funds for a couple days. Other faucets, while available during the launch, set strict limits on how much ether could be requested. This left some of our challengers struggling to obtain the minimum 5+ Ropsten ether required to complete some of the challenges. Going forward, when challenges are time-boxed, as was the case in this competition, we will make sure to limit the testnet ether requirements to less than 1 ether.
Where Can I Learn to Hack Smart Contracts?
If you are just getting started with blockchain and are interested in learning to build (and hack) real smart contracts, there are many great resources available.
Attend our next Webinar - Is Blockchain Right For You? - March 13 at 2pm EST.
Another resource is our two-day intensive course at Black Hat Las Vegas, August 3-4, 2019.
This course will cover:
How Blockchain works, what makes it novel, and where it might be useful
How to utilize DApps built on Ethereum smart contracts and Web 3.0
How to write, test, deploy, and exploit a Solidity smart contract.
You can Sign-up today at
Early registration ends May 24.
Most of the time during a penetration test or bug-bounty engagement, you might encounter customers who limit the scope of testing to non-jailbroken devices running the latest mobile OS. How do you dynamically instrument the application in those cases? How do you trace the various functionalities in the application while trying to attack the actual application logic?
Frida (https://www.frida.re/) is a runtime instrumentation toolkit for developers, reverse-engineers, and security researchers that lets you inject your own script into a black-box mobile application. Normally Frida is installed and run on jailbroken devices, and that process is pretty straightforward. However, the complexity increases when you want to run it on non-jailbroken devices. In this article I’ll explain in detail the steps to follow to get Frida running on the latest non-jailbroken version of iOS, viz. iOS 12.1.4.
The only requirement at this stage is an unencrypted IPA file. This is normally provided by the customer. If not, we can download the IPA file from the App Store and then use tools like Clutch (https://github.com/KJCracks/Clutch) or bfinject (https://github.com/BishopFox/bfinject) to decrypt it. Alternatively, unencrypted versions of IPA files are also available on https://www.iphonecake.com/. Ensure that you do a checksum check and verify it with the customer before you start testing. Don’t be shocked if you find that the IPA files from the website have been modified to include unintended code. In our case, let’s target the Uber application from the App Store.
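The checksum check mentioned above is worth doing mechanically rather than by eye. The following is an added example (not code from the original article): it streams a file through SHA-256 and compares the result with a customer-supplied reference hash. The sample file it writes is a constructed placeholder, not a real IPA, and the "tampered" hash is derived from the reference only to show what a mismatch looks like.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a large IPA never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_ipa(path, expected_sha256):
    """Return True only if the file's SHA-256 equals the reference hash from the customer.

    The expected value is normalised (whitespace stripped, lower-cased) and compared with
    hmac.compare_digest so the comparison itself does not leak through timing.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def demo_check():
    """Constructed demonstration: one matching hash, one hash that differs by a single nibble."""
    with tempfile.TemporaryDirectory() as tmp:
        ipa = os.path.join(tmp, "sample.ipa")
        with open(ipa, "wb") as fh:
            # Constructed placeholder bytes; a real IPA is a zip archive of the .app bundle.
            fh.write(b"PK\x03\x04 constructed placeholder, not a real IPA")
        reference = sha256_of_file(ipa)
        tampered = reference[:-1] + ("0" if reference[-1] != "0" else "1")
        return verify_ipa(ipa, reference), verify_ipa(ipa, tampered)


if __name__ == "__main__":
    ok, bad = demo_check()
    print("reference matches:", ok)   # True
    print("tampered matches:", bad)   # False
```

Run it against the real file with `verify_ipa("/path/to/app.ipa", "<hash from the customer>")`; anything other than True means the binary you are about to instrument is not the one the customer shipped.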
The various steps for setting up Frida to run on non-jailbroken iOS device are:
1) Setting up the Signing Identity
2) Setting up Mobile Provision File
3) Performing the Actual Patching
4) Fixing Codesign issues
5) Performing the required Frida-Fu
I will take you through each of these steps one-by-one.
1. Setting up the Signing Identity
a. Launch Xcode and navigate to the Accounts section using the Preferences menu item. Make sure you are logged in to Xcode using your Apple account.
b. Select “Agent” and Click Manage Certificates.
c. Click + and select “iOS Development”
d. To verify that the identity is properly set up, you can use the following command:
security find-identity -p codesigning -v
This command will output all the signing identities for your account.
2. Setting up Mobile Provision File
a. Next step will be to create a new Xcode project with team as agent and target as your actual test device and click play. Run the application on the device. You have to do this step for every new device that you want to use for testing.
b. Right click the generated .app file and select “Show in Finder”.
c. Right click the .app file from the Finder and select “Show Contents”.
d. Save the embedded.mobileprovision file. You will need this later while signing the IPA file.
3. Performing the Actual Patching
a. Download the latest version of Frida. This can be done using the following command:
Blockchain - Why Legal Teams May Soon Include Professional Hackers
Like many of its buzzword predecessors (Cloud, Big Data, IoT), the blockchain hype may be extreme, but buried somewhere in there is the sense of a real shift. The jury might still be out on whether blockchain can deliver on its promise of global adoption, but one thing is for sure: activity in the space is growing.
But what exactly is the promise of blockchain, really? Is it a new currency paradigm meant to break down our existing monetary systems? Is it an un-censorable network capable of promoting potentially criminal activity? Is it a massive Ponzi scheme taking advantage of main street FOMO? Or is it truly something unique with the potential of changing our idea of commerce forever?
It’s hard to say, but what we do know is that the vision of a blockchain-enabled world that tech evangelists and investors in Silicon Valley are envisioning aligns more with the latter, and it all begins with the idea of "smart contracts".
To understand smart contracts, you have to step back and ask what you achieve when using a blockchain; what makes it different than any other distributed database?
The answer boils down to "trust".
Trust that if someone says they own something, you can prove it. Trust that if someone swears that they'll make a payment once the agreed upon conditions are met, you can rest assured that payment will go through.
"Trust" In Today's Economy
Our entire economy is built on this trust. Without it, no one would ever sell a home to a stranger, or put in a day of labor for a new employer, or hand over their credit card for a major purchase.
In traditional systems, we have a mechanism for securing this trust, and that mechanism is our courts and legal system. With our government as an ever-available intermediary to settle financial disputes, we can conduct business knowing that our time or assets won't be stolen without repercussions.
The problem with this system is that it does not scale. There are not enough judges in the world to solve everyone's disputes; for this reason, companies that enter into business together use contracts as a first line of defense against malfeasance.
Contracts are basically code, but not written in a language for computers. They are programs written for lawyers, based on years and years of historical precedent. Nonetheless, these written documents are programmatic expressions of rules and conditions.
One example of a typical contract between businesses might contain rules stating that one company is entitled to a certain amount of payment from the other company under certain conditions, payable at the beginning of each year, from a collection of funds in this account, etc.
Writing legal contracts typically requires many hours of skilled work and carries steep legal fees from highly demanded professionals. However, this is usually worth the cost in order to avoid long and often prohibitively expensive battles in the courts. That's not to say the courts aren't occasionally necessary when disputes around that contract occur, but when the code of the contract is precise and covers all necessary edge cases, the violating party often knows what their fate in court would be. Hence, the ambiguity vanishes and a judge becomes less necessary.
With that said, companies don't write a contract for every little transaction. Let’s take a laundromat as an example. It would be far too expensive to have a lawyer draft up a contract for every single customer walking through the door that says: "Customers that pay $5 shall receive 4 laundry tokens. One token will be required for detergent. Two tokens will be required for tumble dry…”
Instead we design mechanical systems within the machines to accept coins or tokens and enforce this implicit contract on their own. In a sense, the coin-operated washer and dryer are an early form of "smart contract” that allows the laundromat to service customers at high velocity, with hundreds of low-cost transactions per day and no staff involvement. Put differently, you can think of this process as a form of automation: the automation of trust.
This system does not exist in a bubble. The owner knows that if someone violates the system (maybe by creating fake tokens or by breaking open the machines when no one is looking) they will have the option of relying on the traditional legal systems to obtain justice. For this reason, they might keep security cameras inside the store as well.
The same can be said about digital smart contracts on the blockchain. These aren't a replacement for our existing legal framework, they are supplements to it.
Smart Contracts on the Blockchain
This is where the excitement around blockchain comes in. Blockchain is a brand-new technology that uses cryptography and game theory to create a "global trusted computation" system.
This kind of computation is not the same as typical computation, such as running an application on the cloud. It's a lot more expensive, but it also serves a different purpose.
These blockchain applications, called smart contracts, exist as code running on a decentralized network that guarantees the ownership of digital assets and enforces the rules for how to exchange them.
Let's take a look at a simple example of where a smart contract might make sense in our evolving digital world.
Smart Contracts - Buying and Selling a Home
Buying and selling a home is often considered one of the most complex processes a family will encounter. When dealing with assets of such enormous value, you want to be more cautious than when dealing with a couple laundry tokens. You want to make sure that the person selling the home truly owns it, and you want to make sure that after the money has moved, the property is immediately in your name.
To deal with these complexities, we employ the services of "trusted third parties." One of these parties might be a title company, ensuring that the title presented by the seller is legitimate. Another is an escrow company that sits in the middle of the two parties and holds onto the funds until the rest of the paperwork has completed. Both of these parties serve important purposes, and in the process demand thousands of dollars in premiums for their work. These rates are often steep, but when you're already spending much more than that on your new home, you grow to accept it as inevitable.
This is where smart contracts come in. Both of these functions (escrow and title management) can be easily codified in a blockchain application, with a simple proof of concept checking in at no more than 200 lines of code. This is the power of the blockchain.
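To make the escrow-plus-title idea concrete, here is an added example written for this page in Python rather than Solidity; it is not the proof of concept the post refers to and makes no claim about any real chain. It models the two functions as one state machine: the buyer funds the escrow, settlement moves title and releases payment in a single step (so neither can happen without the other), a counterparty who never held title cannot be paid out, and a buyer can reclaim the deposit once a deadline passes. Addresses, parcel ids and block numbers are constructed stand-ins.

```python
from dataclasses import dataclass, field


class ContractError(Exception):
    """Raised when a call violates the contract rules (on-chain this would be a revert)."""


@dataclass
class TitleRegistry:
    """Minimal title ledger: parcel id -> current owner (constructed stand-in for a title company)."""
    owners: dict = field(default_factory=dict)

    def owner_of(self, parcel):
        return self.owners.get(parcel)

    def transfer(self, parcel, sender, recipient):
        # Title can only be moved by the party that actually holds it.
        if self.owners.get(parcel) != sender:
            raise ContractError("seller does not hold title")
        self.owners[parcel] = recipient


@dataclass
class HomeSaleEscrow:
    registry: TitleRegistry
    parcel: str
    seller: str
    buyer: str
    price: int
    deadline: int          # block number after which the buyer may reclaim funds
    balance: int = 0
    state: str = "OPEN"    # OPEN -> FUNDED -> SETTLED | REFUNDED

    def deposit(self, sender, amount):
        if self.state != "OPEN" or sender != self.buyer:
            raise ContractError("only the buyer may fund an open escrow")
        if amount != self.price:
            raise ContractError("deposit must equal the agreed price")
        self.balance += amount
        self.state = "FUNDED"

    def settle(self, sender, current_block):
        """Title transfer and payment happen together, or not at all."""
        if self.state != "FUNDED":
            raise ContractError("escrow is not funded")
        if sender not in (self.buyer, self.seller):
            raise ContractError("unauthorised caller")
        if current_block > self.deadline:
            raise ContractError("deadline passed; buyer must refund instead")
        # Checks above, effects below: title moves first; if that fails nothing is paid.
        self.registry.transfer(self.parcel, self.seller, self.buyer)
        paid, self.balance = self.balance, 0
        self.state = "SETTLED"
        return paid   # amount released to the seller

    def refund(self, sender, current_block):
        if self.state != "FUNDED" or sender != self.buyer:
            raise ContractError("only the buyer may refund a funded escrow")
        if current_block <= self.deadline:
            raise ContractError("deadline has not passed")
        refunded, self.balance = self.balance, 0
        self.state = "REFUNDED"
        return refunded


def run_scenarios():
    """Happy path, a counterparty without title, and a timeout refund; returns the outcomes."""
    registry = TitleRegistry({"parcel-42": "0xSELLER"})  # constructed addresses
    sale = HomeSaleEscrow(registry, "parcel-42", "0xSELLER", "0xBUYER", price=300_000, deadline=100)
    sale.deposit("0xBUYER", 300_000)
    paid = sale.settle("0xBUYER", current_block=50)
    happy = (paid, registry.owner_of("parcel-42"), sale.state)

    # The "seller" never held title: transfer reverts before any funds move.
    registry2 = TitleRegistry({"parcel-7": "0xREALOWNER"})
    fake = HomeSaleEscrow(registry2, "parcel-7", "0xNOTOWNER", "0xBUYER", price=1, deadline=100)
    fake.deposit("0xBUYER", 1)
    try:
        fake.settle("0xNOTOWNER", current_block=10)
        no_title = "paid"
    except ContractError:
        no_title = (fake.balance, registry2.owner_of("parcel-7"), fake.state)

    # Seller never completes: after the deadline the buyer reclaims the deposit.
    registry3 = TitleRegistry({"parcel-9": "0xSELLER"})
    late = HomeSaleEscrow(registry3, "parcel-9", "0xSELLER", "0xBUYER", price=5, deadline=100)
    late.deposit("0xBUYER", 5)
    refunded = late.refund("0xBUYER", current_block=101)
    timeout = (refunded, late.state)
    return happy, no_title, timeout


if __name__ == "__main__":
    print(run_scenarios())
```

The ordering inside `settle` is the part an auditor would look at first: state is validated, then the title ledger is updated, and only then is the balance zeroed and released, so a failed title check leaves both funds and ownership untouched. The deadline branch exists because a contract with no exit path for an unresponsive counterparty simply locks the buyer's money.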
Hackers as Your New Contract Lawyers
Many have raised fair points when arguing that handling that much value on a system as new and unproven as blockchain is absurd. Digital security is incredibly difficult to get right and the properties of blockchain can make it difficult, if not impossible, to recover from a successful exploit.
However, some argue that despite the extreme security hazards, blockchain may still win the risk/reward battle because:
1) Security is now a top priority. Unlike traditional technology sectors, where thinking about security is often an afterthought, blockchain startups are demonstrating their awareness that the insecurity of their code can be the death knell to their organization. It is not uncommon for companies in this space to undergo three or more public audits of their critical smart contract code for each major release.
2) Blockchain is a bug bounty at an enormous scale. It has had its share of expensive hacks, but as each one occurs, the community strengthens and uses these lessons to improve processes around security. Many have even argued that the value of Bitcoin, the first blockchain application, stems partially from the fact that it has existed for 10 years without being irrecoverably broken. Under that logic, as smart contracts exist in the wild and grow to hold more value over time, consumers may grow comfortable with using them for their own financial purposes.
3) Blockchain is attracting the brightest minds in formal verification research. Formal verification has been a long sought-after goal post for technological security advocates. This rigorous process becomes more difficult to accomplish as an application scales, but due to the succinct nature of smart contracts, blockchain technology may prove to be the perfect testing ground for establishing real standards around formal verification in critical code.
With this vision in mind, we can imagine a world a decade out where blockchain-integrated companies are choosing to reallocate their budget from in-house contract lawyers to smart contract security auditors. These security experts will in many ways take on the same roles as their legal team predecessors, ensuring the edge cases around their financial code are airtight and cannot be easily exploited by malicious actors.
The consequences of a smart contract hack are large, but with the right protections in place they can be better managed. Smart contracts are immutable by nature, but in a system where an application’s users are known (through KYC or other identity management), there would be nothing preventing a traditional judge from arbitrating a contract violation, based on the intended “spirit of the contract”. In this way, blockchain would not be designed to side-step our existing legal systems, but instead optimize them by acting as a first pass protection.
Looking to Blockchain in 2019
Home sales on a public blockchain are just one example of a traditional process that might benefit from migrating to the blockchain.
In the same way that traditional legal contracts have been used to save on costs (since a long legal battle is not required to arbitrate every single transaction) smart contracts might save consumers and organizations from the unavoidable fees sprinkled throughout our current systems of commerce. Thoughtful smart contract applications might prove to eliminate the need for those costly middlemen that skim from the top with every sale that they handle. This includes those marketplaces that silently collect their rewards from connecting a buyer to a seller.
This is the future that the venture capitalists are banking on. The potential to reduce these inefficiencies through the automation of trust is an exciting concept many believe is worth the exploration.
Most of these systems are still in the development phase with the technological infrastructure being established. Many projects are likely several years out from any chance at adoption. But as we enter the new year, we are excited to keep watching the development of this field of research. At Security Innovation, we value our role of assisting the technological pioneers piloting this new technology as they navigate through the threats of vulnerabilities. With the goal of creating a more secure and efficient technological landscape, we are excited to keep researching blockchain, and helping our customers filter the buzz from the breakthroughs.
Try Out our Blockchain Smart Contracts CTF Challenge from March 1 - March 11, 2019
Why You Should Not Rely on Your Developers as Privacy Experts
Today’s developers have a lot of responsibilities. Not only do developers have to create robust functionality that is helpful to their users, they are also releasing this functionality into production quicker than ever before due to a Continuous Integration/Continuous Delivery culture.
Functionality must be created to secure the application’s sensitive data, protect the users of the application, and defend the production environment from malicious attackers. Adding even more responsibility, recent data privacy legislation also places demands on how development teams store, share, and process their users’ data.
Thankfully, there are data privacy policies and processes that development teams can implement that will help them mitigate the risk of non-compliance with data privacy legislation. A few of the most useful policies and processes include:
Create a data classification policy and enforce it. The software development team should not be responsible for understanding what data is sensitive and protected by legislation and which data is not.
Software developers are often not subject matter experts when it comes to understanding the data their applications are processing. The creation of a data classification policy by actual subject matter experts will mitigate the risk of a developer making an incorrect assumption about the data that could lead to a privacy violation.
Create an incident response plan for when data privacy violations are reported to the organization. In the past, many data privacy incidents have been mishandled or ignored by organizations.
This lack of an incident response plan has led to these organizations being embarrassed when the privacy violations are publicized and has sometimes resulted in the organization being fined for these errors. Assuming a data privacy violation event will occur in the future and planning a response helps to mitigate the risk of making a bad situation even worse.
Create a data archival, retention, and deletion policy. By defining to the development team how user/customer data will be handled, sloppy data handling practices can be avoided.
For example, it is common for developers to want to use actual production data to test applications in development. However, there are often laws that protect this data from exposure, so a data retention policy that describes how the data must be masked or anonymized before it is used for any reason outside of its initial purpose is suggested.
While these three data privacy best practices are an incomplete list of policies and processes that can be used to mitigate the risk of a privacy violation occurring, often these policies and processes can be defined by subject matter experts outside of the development team. While the development team is still responsible for following the data privacy best practices, they should not be responsible for their creation.
By placing this responsibility into the hands of subject matter experts, organizations can reduce the risk of software engineers making incorrect assumptions about how data privacy legislation regulates how certain data must be handled.
Catch our next Webinar: Privacy: The New Software Development Dilemma.
iOS 12.1.1b3 is vulnerable to the kernel exploit and since it is still signed, that gives us an additional opportunity to downgrade/restore to this version and then jailbreak our device. This means that even if you are currently on iOS 12.1.4, you can downgrade your device to 12.1.1b3 and later use a jailbreak like unc0ver.
I am going to downgrade my iPhone 6+ device to iOS 12.1.1b3. In my case, I am using iTunes version 188.8.131.52. (If you are a mobile pen tester you’d know why I am on this version — https://support.apple.com/en-in/HT208079)
In my case, since this is a test device and I do not really care about the data on it, I will choose to format the device while downgrading it to the older version. On a Mac device, hold down the “option” key and click on the “Restore iPhone” button.
When prompted to erase and restore click “Restore”.
iTunes will go through a series of steps before it restores the device to iOS 12.1.1b3.
Once the device restarts and you go through the normal iOS preliminary configuration steps, observe that it is now running iOS 12.1.1.
Once you downgrade your device, if your device is supported, you can use Pwn20wnd’s tool — unc0ver — to jailbreak the device.