Smartphone Pentest Framework

It occurred to me that in the mad rush to release for the Smartphone Pentest Framework (SPF) I never wrote anything about it here at GeorgiaWeidman.com, so here is an introduction:

Download the source

Visit the SPF forums.

Smartphone Pentest Framework Pre-release Teaser 1 from Georgia Weidman on Vimeo.

When some people hear about this new tool, they think it's about running nmap from a smartphone. Rather, this tool allows you to assess the security of the smartphones in your environment in the manner you've come to expect from modern penetration testing tools.

The product of a DARPA Cyber Fast Track grant, the Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. SPF Version 0.1 contains remote attacks, client side attacks, social engineering attacks, and post exploitation, targeting smartphone devices.

SPF Version 0.1 includes a text based management console, a web based GUI, and a management Android app. Additionally, a post exploitation "agent" for the Android platform is included. SPF Version 0.1 was previewed at the Hackers on Planet Earth conference and was shown at Blackhat USA Wednesday and Thursday in the arsenal and is included on the Blackhat delegate CD. An Introduction to SPF talk was given by author Georgia Weidman, CEO of Bulb Security, at Bsides Las Vegas and Defcon Skytalks. Following Blackhat/Defcon/BsidesLV, SPF Version 0.1 was released publicly at BulbSecurity.com.

SPF is an ongoing project with plans in the works for support for additional devices, more modules in each attack vector category, integration with existing tools such as Metasploit and SET, etc.

Smartphone Pentest Framework Teaser


SPF Version 0.1 includes a text based management console, a web based GUI, and a management Android app. Additionally, a post exploitation "agent" for the Android platform is included. SPF Version 0.1 was previewed at the Hackers on Planet Earth conference and will be shown at Blackhat USA Wednesday and Thursday in the arsenal and is included on the Blackhat delegate CD. An Introduction to SPF talk will be given by author Georgia Weidman, CEO of Bulb Security, at Bsides Las Vegas and Defcon Skytalks. Following Blackhat/Defcon/BsidesLV, SPF Version 0.1 will be released publicly at BulbSecurity.com.


Application Layer Botnet Port

A lot of people write me wanting to demo the SMS botnet for their school or security group, but the proof of concepts I released for Shmoocon 2011 were hardware specific since they hooked directly into the serial lines at the base OS. Having played with more Android devices in the interim, every manufacturer does this a bit differently. In order to be able to consistently place malware on any Android device, the application layer seems to be the place to be after all. Malware written for the Android application layer will work across all Android platforms. A typical attack would involve installing as a regular app, running a root exploit in the background, and installing a system app. This was seen in the infamous DroidDream attack. Other malware may not perform privilege escalation at all, relying on the Android permission model and users' conditioning to accept dangerous permission requests to provide all the necessary functionality.

Anyhow, after porting the hardware specific botnet code to enough people's platforms so they could demo it on their own handsets, I decided to make a port available publicly for people to use. Working at the application layer also has the benefit of being able to work on the Android emulator. So to use this code you don't even need a physical Android device.

The proof of concept does not perform any rooting. It just intercepts SMS messages, swallows them if they have the correct key, and if they ask for the spam functionality, sends an SMS to the number provided. The key is currently hardcoded to KEYKEY1, but it can be changed in the SMSReceiver class to any 7 byte value. To make the bot send an SMS use the syntax (key, then the SPAM command, then the destination number, then the message text):

KEY SPAM NUMBER MESSAGE

For example to send the message, “Georgia rocks!” to the number 15555215556 send the SMS:

KEYKEY1 SPAM 15555215556 Georgia rocks!
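The command format above (a 7 byte key, the SPAM keyword, a destination number, and the message text) is easy to match from the defender's side. The following is an added example, not code from the post or from the SPF project: a small detection routine that scans SMS text for messages shaped like that control command and reports whether the key matches the one the post says is hardcoded. The regular expression, the Finding record, and the sample messages are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hardcoded key named in the post; any 7 byte value could replace it on a modified bot,
# so the pattern below matches the shape of the command first and checks the key second.
KNOWN_KEY = "KEYKEY1"

# Constructed pattern for "<7-byte key> <COMMAND> <number> <message>".
# The key is any 7 non-space bytes, the number is 7 to 15 digits with an optional '+'.
COMMAND_RE = re.compile(
    r"^(?P<key>\S{7}) (?P<cmd>[A-Z]+) (?P<number>\+?\d{7,15}) (?P<body>.+)$"
)


@dataclass
class Finding:
    """One SMS that looks like a bot control command (constructed record type)."""
    sender: str
    key: str
    command: str
    target: str
    body: str
    key_matches: bool


def inspect_sms(sender: str, text: str) -> Optional[Finding]:
    """Return a Finding if the text is shaped like a control command, else None."""
    match = COMMAND_RE.match(text)
    if match is None:
        return None
    return Finding(
        sender=sender,
        key=match.group("key"),
        command=match.group("cmd"),
        target=match.group("number"),
        body=match.group("body"),
        key_matches=(match.group("key") == KNOWN_KEY),
    )


def scan_messages(messages: List[Tuple[str, str]]) -> List[Finding]:
    """Run inspect_sms over (sender, text) pairs and keep only the hits."""
    findings = []
    for sender, text in messages:
        finding = inspect_sms(sender, text)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic: one command with the known key, one ordinary text,
# one command-shaped message with a different key, and one with an unknown command word.
SAMPLE_MESSAGES = [
    ("+15555215554", "KEYKEY1 SPAM 15555215556 Georgia rocks!"),
    ("+15555215554", "hey are we still on for lunch?"),
    ("+15555215557", "ABCDEF9 SPAM 15555215556 test"),
    ("+15555215558", "KEYKEY1 STATUS 15555215556 ping"),
]


if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        status = "known key" if f.key_matches else "UNKNOWN key"
        print(f"{f.sender}: {f.command} -> {f.target} ({status}): {f.body!r}")
```

Matching the structure before checking the key is deliberate: a bot whose operator changed the constant in SMSReceiver would still produce messages of this shape, so the structural match is the more durable signal and the key comparison only adds confidence.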

Download the code

Georgia

This is me randomly trying to mess with Grecs’s autobot

That’s all this is for just to see if I can get it to tweet me.

Why I May Not Be Cut Out for a Career in Marketing

The Question as it were: What makes your training superior to other training on the market?

The answer as it was in my head:

Whoever said it is superior? I certainly never said anything like that. Georgia Weidman the absolutely best hacking trainer on earth!!! Can I have M&Ms with that, only the green ones? In my dressing room? Ok thanks. As a side note the word superior makes me think of when I was in the choir in boarding school. At competition the highest grade you could get is superior. If you weren't in the choir you had to take bible studies, so you might can see why I lip synced to gospel songs for the year I went to boarding school. Anyhow, I digress. I haven't even taken any competing training to tell you whether my training is or is not ranked superior by the chorus masters association of the world. Have you seen the prices on security training these days? Seriously, someone is getting rich off all this. And it certainly isn't me. To think I've been just giving it away all this time, in the name of art, or progress, or the security community, when there's this whole industry that's getting rich off what I used to do as street performance on Saturdays on the National Mall. You might remember me, I was the girl with the laptop and the whiteboard next to the guy juggling the bowling pins halfway between the Natural History Museum and the National Gallery. I had a really nice sign that was the envy of the entire homeless community. Seriously one Saturday I came out and half the mall had "Will Hack for Food" signs. It was a regular movement there for a minute. So really I have no idea how my class compares to all the others. Except the guy with the bowling pins made more money than I did, until I started taking paypal donations and posted it on Twitter. So one might say as far as street acts go my class is mediocre at best. All I know is that I started giving these classes and people seem to like them well enough. They keep asking me back to give more classes and give the classes at more conferences.
Funny how everything changes and a person is still sleeping in train stations on a regular basis. That’s how we ended up here isn’t it? One of your people saw me on stage somewhere in the South Pacific doing this hacking demo where I wasn’t prepared so I started doing some of my class demos, and somebody started seeing dollar signs around the time the room erupted in applause. I’m just trying to make a difference here. That’s too bold a statement to make. Has anyone ever told you how/why I taught my first class? It was the Metasploit Unleashed syllabus at this hackerspace outside of DC that has since lived and died. I had this serious crush on redacted’s wife at the time (still do on Tuesdays and Thursdays). Rather than be a normal person about it and just ask them over I had to come up with some sort of excuse. I had it on pretty good authority that if I taught a Metasploit Class then redacted would come and would bring his wife too. So if we did 1 module per week, that’s 8 weeks of potential after party activity in which alcohol might be consumed and redacted’s wife might be interested in kissing me. As for my results I refer you to exhibit A:

Then I started writing my own stuff. And then we went to Bsides. More like I slept the whole 7 hours there so I could teach in the morning while boyfriend at the time went to Bsides. I then started touring internationally. And now people are trying to get me to answer questions like this. Next time I have $8k to waste on training that most people say is lousy anyways I’ll let you know how my work measures up. In the meantime I’ll write you the best course you’ve ever seen, if you can get that pretty boy in the corner to sing for me. God please tell me this whole thing wasn’t really just some cryptic love note to some guy she likes!? We expected better from you Georgia! It wasn’t for that really. I can’t really pin down what the point is just now. Don’t worry. I’m not really selling out. If there’s one thing I learned from my last job: don’t sign any contracts until you have your autonomy specifically written in. I guess the point is don’t ever let me forget where I came from and how much fun it was getting here and everywhere that comes after. Love you all.

Georgia

Conference Recap: Bsides Phoenix

At the beginning of February, I made my first stop on my Security Bsides tour 2012 in Tempe, Arizona for Bsides Phoenix. I was on the schedule to teach my free half day Penetration Testing with Metasploit. Also at the last minute they had me fill in a spot for a cancellation, talking about something I've never ever harped on before, Smartphone Insecurity.

The venue was Dave and Busters. Yes, you read that right, the adult version of that place where you had your 5th birthday party. They also have meeting rooms, and the staff was superb, some of the best I've ever worked with at a venue. They made sure I had everything I needed for my class and brought me water several times.

The class was so full we had to get more chairs, which always surprises me, because who really wants to go to a Bsides where some of the best talks happen and listen to me drone on for 4 hours? The only downside of teaching is missing some of those great talks.

But seriously the badge rocked (see pic at the top of the post). I felt like I had won the Olympics for just showing up. All in all, great people, great venue, great con. Definitely one to check out next year.

Georgia

This insanity I speak of

As some of you may have inferred from the Lady Gaga infused Twitter posts, I recently lost another job due to my research. To clear up a few things, unlike last time this wasn't so much a "we don't want nasty malware researchers around here" so much as a control issue. When I took my job, I signed an agreement with a noncompete. This was not an issue as long as my research included going to conferences to speak and give classes. In fact my former employer was always very supportive of this, for which I remain grateful. The problem occurred when I was tapped for a research grant from DARPA Cyber Fast Track. DARPA funds research and allows researchers to retain the intellectual property rights to the work. So I had a choice to make, turn down the grant or lose the job. It was my choice. No one forced me into anything. I have no hard feelings towards my former employer.

So now I'm the founder and CEO of an LLC called Bulb Security. Thanks to DARPA I have some money, and thanks to the president I have health insurance for the next two years regardless of whether I am formally employed. I am looking for opportunities in contract work in research, development, network and application penetration testing, and security training. I would also not turn down a spokesmodeling contract. If you have anything for me, please contact me.

So what’s the deal with the Bsides Tour? Since I’m suddenly in a position to get paid to speak and teach on several continents this year, why am I paying my own expenses to travel around to as many Security Bsides events to deliver free training and speak? The fact of the matter is I’ve been blessed by this industry. It has been a little over one year since the Shmoo Group decided to let me, a complete unknown, talk about some stuff I did with text messages at their prestigious, internationally recognized conference. Truth: did I work hard to get here? Yes. Would I be anything without all of you? No. So this is my way of giving back. No employer of mine has ever paid anything for me to go to any $$$$$ training or conference event, and I wager a lot of the most driven and most talented people are in the same boat. So this is me, trying to give it back to you. Come to a free Bsides event near you, and I will teach you some stuff.

But hey, if your employer is paying you should totally sign up for one of my multi-day advanced courses. I have to eat too and getting paid to train is great, especially if it's in some exotic location. The next one will be at HackZa in South Africa. And I always accept tips…

No Bsides near you? Want to have me speak or teach at a venue near you? If you have a space and interested people, write me. I recently had a great time speaking for the ISSA and CCDC teams in Indiana.

I’ve never written a blog post about myself before. This feels a lot like Livejournal.

Georgia

NoVa Hackers Shmoocon Epilogue Videos Part 1

One day the NoVa Hackers decided to have a Shmoocon Epilogue event. The day after Shmoocon we had talks going from 10am to 10pm. This seemed like a good idea beforehand. This seemed like a really terrible idea the night before the event when we were all exhausted from 3 days of partying too much at Shmoocon. But the event went great, the talks were top notch, and I only dozed off underneath my tripods twice. I put up as many videos as I could with the vimeo space left over after Firetalks. Check back next week for the rest.

Georgia

Shmoocon 2012 Firetalks Videos

Shmoocon was the first conference I ever went to back in 2009. Rachel, Micheal, and I skipped school for 2 days and drove up. Two years later it was the conference where I gave my first talk. And the rest, as they say, is history. This year I made some videos of the Shmoocon Firetalks. Firetalks is an event that goes on after the regular conference is over. The talks are 15 minutes instead of 50, but the content is still first rate. Thanks to Adrian "Irongeek" Crenshaw for the screencaps, Grecs for putting on the event, and all the volunteers and speakers for making it awesome.

Here are the videos:

Georgia

Conference Recap: Hacker Halted Asia Pacific in Kuala Lumpur, Malaysia

My first international conference speaking was Hacker Halted Asia Pacific this past November in Kuala Lumpur, Malaysia. It took three planes and 24 hours of flying time to get there. I saw Harry Potter and the Deathly Hallows Part 2 three times (once with Malay subtitles). But it was worth it, jetlag and all. This was my first time in Asia, and I spent the day before the conference touring Kuala Lumpur and the surrounding area. I went to the Thean Hou Chinese Temple, the Batu Caves Hindu Temple, and the Royal Selangor Pewter Factory where I managed to part with most of my money.

As for the conference itself, it was a good experience. The speakers were top notch and Joe McCray taught the audience how to do The Dougie as well as get shells. After the regular track, there was a special event called "Night Hack Live." The crowd really got into my demonstration on how to get shells on misconfigured servers. Unlike a lot of cons where night events are poorly attended because the participants are all out partying, the room for Night Hack was full. On the whole it was a successful debut, and I hope to be invited back next year.
