
SANS 2017 Cybersecurity Trend Report Checklist

The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now we’re providing a checklist to help put you in a better position to respond to these trends, which are expected to continue to dominate this year.


SANS Study: To Take On New InfoSec Challenges, First Get the Basics Right

A major challenge for enterprise InfoSec teams is keeping their finger on the pulse of two constantly changing elements: external cyber threats and internal technology needs.

Staying a step ahead and proactively adjusting their organization’s security posture accordingly is a must in order to keep attack risks as low as possible. So what are the major shifts in threats and business technology use that CISOs and their staff face in 2017? And how should they respond to these changes?

You will find comprehensive answers to those and other critical InfoSec questions in a new SANS Institute whitepaper written by security analyst John Pescatore.


Android Security Evaluation Framework: ASEF

Have you ever looked at your Android applications and wondered if they are watching you as well?

[Figure: ASEF Architecture]

Whether it’s a bandwidth-hogging app, aggressive adware or outright malware, it is worth knowing whether your apps do more than they are supposed to and whether your personal information is exposed. Is there a way to automatically evaluate all of your apps, even hundreds of them, harvest their behavioral data, analyze their run patterns, and at the same time provide an interface that accommodates the growing set of security tests practitioners actually need?

To answer these questions, I created the Android Security Evaluation Framework (ASEF) to perform this analysis while alerting you about other possible issues. Use it to become aware of unusual activities of your apps, expose vulnerable components and help narrow down suspicious apps for further manual research.

ASEF Framework

The framework takes a set of apps, either pre-installed on a device or supplied as individual APK files, and passes them to the test suite, which runs them through test cycles on a pre-configured Android Virtual Device (AVD). The technique is to simulate the entire lifecycle of an Android app on an Android device (virtual or physical) and collect data while triggering its behavior. In simple words: download an Android app from the Internet, install it on an Android device, launch it and interact with it (clicking different buttons, scrolling up and down, swiping, and so on). While doing so, collect an activity log using adb (the Android Debug Bridge utility, which ships as part of the Android SDK) and capture network traffic using tcpdump (a widely used packet-capture tool).

Behavioral Analysis

Applying this simple yet thorough behavioral analysis to a range of apps produced interesting results: apps leaking sensitive information such as the IMEI, IMSI, SIM card details or the phone number of the device. Some malicious apps simply send this data in clear text over the Internet, and those are easy to catch by analyzing the collected behavioral data. However, some malicious apps are sophisticated enough to detect the default settings of a virtual Android device and behave differently there. To overcome this limitation, a virtual device can be custom built by fine-tuning the kernel and altering the default settings so that it emulates a real device, or it can be replaced by a physical Android device.
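The two preceding sections describe the collection side (adb activity log plus a tcpdump capture from an exercised app) and the analysis side (spotting device identifiers in the collected data). The following added example is not ASEF code and not part of the original post; it shows the analysis step on constructed artifacts: a short logcat excerpt and three cleartext HTTP requests, as they would be reassembled from a capture. The identifier values, package names, hosts and log lines are all constructed, and the check covers plain, base64-encoded and hashed forms of each identifier, since a hashed IMEI is still a stable tracking value.

```python
"""Added example (not part of the ASEF project): scan the artifacts an ASEF-style
run collects (adb logcat output and cleartext HTTP requests reassembled from a
tcpdump capture) for the test device's identifiers, in plain, base64 and hashed
forms.  All identifiers and log/traffic samples below are constructed."""
import base64
import hashlib
import re
import urllib.parse
from dataclasses import dataclass

# Constructed identifiers assigned to the test AVD; substitute the values your
# own virtual or physical device reports.
DEVICE_IDS = {
    "IMEI": "490154203237518",
    "IMSI": "310260000000000",
    "PHONE": "15555215554",
}

# Constructed logcat excerpt, in the layout `adb logcat` prints during a test cycle.
SAMPLE_LOGCAT = """\
I/ActivityManager(  312): Start proc com.example.weather for activity com.example.weather/.Main
D/WeatherSync( 4571): posting stats id=490154203237518 to api
I/ActivityManager(  312): Start proc com.example.notes for activity com.example.notes/.Main
D/NotesSync( 4602): sync ok, 3 items
"""

# Constructed cleartext HTTP requests, as reassembled from the tcpdump capture.
SAMPLE_HTTP = [
    "POST /collect HTTP/1.1\r\nHost: stats.example.net\r\n\r\nimei=490154203237518&ver=1.2",
    "GET /track?u=NDkwMTU0MjAzMjM3NTE4 HTTP/1.1\r\nHost: ads.example.org\r\n\r\n",
    "GET /weather?city=Paris HTTP/1.1\r\nHost: api.example.com\r\n\r\n",
]


@dataclass(frozen=True)
class Finding:
    source: str    # "logcat" or "http"
    where: str     # logcat line number or HTTP Host header
    id_name: str   # which identifier (IMEI, IMSI, PHONE)
    encoding: str  # how it appeared: plain, base64, md5, sha1, sha256


def encoded_forms(value: str) -> dict:
    """Forms an app may transmit an identifier in.  A hashed identifier still
    uniquely tracks the device, so the common digests are matched as well."""
    raw = value.encode()
    return {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def scan_text(text, source, where, device_ids=DEVICE_IDS):
    """Return one Finding per (identifier, encoding) present in `text`."""
    findings = []
    for name, value in device_ids.items():
        for enc, form in encoded_forms(value).items():
            # Hex digests are compared case-insensitively; base64 is case-sensitive.
            haystack = text.lower() if enc in ("md5", "sha1", "sha256") else text
            if form in haystack:
                findings.append(Finding(source, where, name, enc))
    return findings


HOST_RE = re.compile(r"^Host:\s*(\S+)", re.MULTILINE)


def scan_http_requests(requests, device_ids=DEVICE_IDS):
    """Scan each request after URL-decoding so %-encoded parameters also match."""
    findings = []
    for req in requests:
        m = HOST_RE.search(req)
        host = m.group(1) if m else "unknown-host"
        findings.extend(scan_text(urllib.parse.unquote(req), "http", host, device_ids))
    return findings


def scan_logcat(logcat, device_ids=DEVICE_IDS):
    """Scan the activity log line by line, reporting the line number of each hit."""
    findings = []
    for lineno, line in enumerate(logcat.splitlines(), 1):
        findings.extend(scan_text(line, "logcat", f"line {lineno}", device_ids))
    return findings


def analyze(logcat=SAMPLE_LOGCAT, requests=SAMPLE_HTTP, device_ids=DEVICE_IDS):
    """Combine both artifact scans into one list of findings."""
    return scan_logcat(logcat, device_ids) + scan_http_requests(requests, device_ids)


if __name__ == "__main__":
    for f in analyze():
        print(f"[{f.source}] {f.where}: {f.id_name} sent as {f.encoding}")
```

On the constructed input the scan reports the IMEI three times: once logged by the weather app, once posted in clear text to the stats host, and once base64-encoded in a tracking request, while the notes app and the plain weather API call produce no findings. Only cleartext traffic is visible to tcpdump, so an identifier carried inside TLS will not be found this way; that is one reason the post recommends combining the capture with the adb activity log, where apps frequently log what they are about to send.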

Open Source

ASEF is now available as open source at [URL missing]. With it, users can gain insight into the security aspects of Android apps by running the tool with its default settings. An advanced user can fine-tune it, expand on the idea by integrating more test scenarios, or mine the data it already collects for patterns. ASEF provides automated application testing and a plug-and-play environment to keep up with the dynamic field of Android security.

At Black Hat

If you are at Black Hat USA 2012 and/or B-Sides Las Vegas, come to my talk, where I discuss the test cycles and results so far. If not, read the ASEF Getting Started guide for an architectural overview of the framework and more details on the motivations behind the project.

Meanwhile, give ASEF a try and help improve this project with your comments, feedback and contributions.

New BrowserCheck: Plug-ins vs Javascript and Mobile Support

A number of tech-savvy BrowserCheck users have asked whether we see the irony in the fact that Qualys BrowserCheck requires a plug-in to check on the security status of plug-ins. That’s a good point, especially for anyone familiar with the Java plug-in and the number of vulnerabilities it introduces to your computer.

However, we believe it is worth having one extra plug-in to gain accurate information and help secure your browser, since out-of-date plug-ins are the most likely entry points for attackers. Our statistics have shown that 4 in 5 surfers are open to browser exploits from flaws for which patches are already available, i.e., flaws the vendor has already fixed.

Nevertheless, BrowserCheck now has a solution for plug-in-averse users: Quickscan, which uses JavaScript instead of a plug-in to inspect the state of your browser and its plug-ins. Quickscan inspects all of the plug-ins, but does not provide the more detailed information the plug-in does, such as the plug-in file location and the complete plug-in version. See the items marked “BrowserCheck Plug-in” in the BrowserCheck FAQ for more details.

On Windows machines running Chrome and Firefox, BrowserCheck can be run both with the plug-in and with Quickscan. Under Internet Explorer, only the BrowserCheck ActiveX plug-in is available at this time, because browser inspection is much more accurate via ActiveX.

Support for More Browsers and Android

The other advantage of Quickscan is that the JavaScript scanning mechanism ports easily to other browsers. That means Qualys can now offer BrowserCheck Quickscan on a lot more platforms: Maxthon, SeaMonkey, Arora, Fennec, Minefield, Flock, Rockmelt, SR Iron, Dolphin, Sleipnir, Lunascape, Orca, and K-meleon browsers.

JavaScript also ports to mobile devices: BrowserCheck is now available on Android, so you now have a tool to help you browse the Web more securely from your Android device.

BrowserCheck lets you know which plug-ins are out of date or at end of life, have vulnerabilities even in their latest versions (0-day), or are beta versions, even if you are not currently using them. With the new platform and JavaScript support, the service is now available to a much larger number of Internet users.

Many thanks to the BrowserCheck dev team for their efforts in getting the tool to this level and keeping it updated with the latest threats. I constantly get comments on how useful BrowserCheck is for beginners and experts alike.