1 00:00:00,000 --> 00:00:02,751 CRAIG YOUNG: Hi, I'm Craig Young. 2 00:00:02,751 --> 00:00:04,999 I'm a researcher with Tripwire VERT, I'm presented today, 3 00:00:04,999 --> 00:00:07,999 Android WebLogin, Google skeleton key. 4 00:00:10,167 --> 00:00:12,999 I'm a researcher with Tripwire's vulnerabilities 5 00:00:12,999 --> 00:00:14,999 and research team. 6 00:00:15,209 --> 00:00:17,792 I look for bugs, fix bugs and write checks 7 00:00:17,792 --> 00:00:19,834 for a lot of them. 8 00:00:19,999 --> 00:00:23,999 Like a lot of you, I like to break things and make things. 9 00:00:24,000 --> 00:00:27,083 One thing I'm definitely not is an Android developer. 10 00:00:27,250 --> 00:00:30,999 If you look at the source code on the DEF CON CD, go easy on me. 11 00:00:31,542 --> 00:00:35,999 So the goal of this talk is raising awareness. 12 00:00:36,000 --> 00:00:38,792 I want to raise awareness about the fact that 13 00:00:38,792 --> 00:00:43,417 the Android ecosystem has made some compromises of people's security 14 00:00:43,417 --> 00:00:48,417 and their privacy in order to give a good user experience. 15 00:00:48,501 --> 00:00:52,876 So in order to deduce friction, they have introduced these things 16 00:00:52,876 --> 00:00:55,501 called WebLogin tokens. 17 00:00:55,751 --> 00:00:58,167 They allow you to bypass password prompts so you 18 00:00:58,167 --> 00:01:02,417 don't have to enter your password upon your mobile phone or tablet 19 00:01:02,417 --> 00:01:04,501 or wherever else. 20 00:01:04,501 --> 00:01:07,209 I found that security tools out there for endpoint protection, 21 00:01:07,209 --> 00:01:10,375 they don't recognize this type of threat. 22 00:01:10,375 --> 00:01:12,334 They don't do anything to protect against it and 23 00:01:12,334 --> 00:01:15,667 in the end it only takes one token to fully compromise 24 00:01:15,667 --> 00:01:19,876 a Google Apps domain, one token from the right user. 25 00:01:19,999 --> 00:01:22,999 So what is WebLogin? 26 00:01:22,999 --> 00:01:24,999 As I said it's an Android token type. 27 00:01:24,999 --> 00:01:27,542 You see on the screen, this is an example scheme 28 00:01:27,542 --> 00:01:29,999 for what a WebLogin token request would 29 00:01:29,999 --> 00:01:31,584 look like. 30 00:01:31,834 --> 00:01:34,209 What you get back from this is a URL. 31 00:01:34,209 --> 00:01:37,542 You browse through that URL, and you get cookies that authenticate 32 00:01:37,542 --> 00:01:39,918 you to Google services. 33 00:01:39,999 --> 00:01:41,542 Basically all of them. 34 00:01:41,542 --> 00:01:43,083 So this is a way of getting access 35 00:01:43,083 --> 00:01:45,959 without having a password. 36 00:01:46,167 --> 00:01:49,918 So there's some ways that I found that you could abuse this technology. 37 00:01:49,918 --> 00:01:52,459 For one thing, as you saw in the previous slide, it was 38 00:01:52,459 --> 00:01:56,792 the token type is requesting a specific service, but when you get 39 00:01:56,792 --> 00:01:59,876 the cookies back, these cookies are not limited 40 00:01:59,876 --> 00:02:01,959 to any services. 41 00:02:01,959 --> 00:02:05,167 It's just as if you had logged in from the web browser, pretty much. 42 00:02:05,250 --> 00:02:07,167 So although you might be asked for permission 43 00:02:07,167 --> 00:02:10,459 to access your YouTube account, the app will have permission 44 00:02:10,459 --> 00:02:13,667 or whoever gets the token to access your GML on your drive, 45 00:02:13,667 --> 00:02:16,999 lots of other things we will get into later. 46 00:02:17,334 --> 00:02:19,959 The permission prompt is only given once per app per token 47 00:02:19,959 --> 00:02:23,667 type so the application can generate as many of these tokens as you want 48 00:02:23,667 --> 00:02:25,709 if you approve them. 49 00:02:25,709 --> 00:02:27,292 There are some ways you can get the tokens 50 00:02:27,292 --> 00:02:31,792 without getting permission which we will get into and that's involving having 51 00:02:31,792 --> 00:02:34,999 root or physical access on the device. 52 00:02:35,083 --> 00:02:40,083 So the focus of this is about how to attack Google Apps. 53 00:02:40,083 --> 00:02:43,417 So as I said, the first step is you need to retrieve a WebLogin 54 00:02:43,417 --> 00:02:46,626 for a domain admin from there, you can continue 55 00:02:46,626 --> 00:02:50,999 on to the Google Apps control panel and basically you have access 56 00:02:50,999 --> 00:02:54,459 to do whatever you might want to do. 57 00:02:54,876 --> 00:02:56,999 Some of the things you can do, listed out here, 58 00:02:56,999 --> 00:03:00,584 you can disable two step verification, you can reset passwords 59 00:03:00,584 --> 00:03:03,083 for any users in the domain. 60 00:03:03,501 --> 00:03:07,709 You can add super users although Google did attempt to fix this. 61 00:03:07,709 --> 00:03:09,999 We will see how well my live demo goes. 62 00:03:10,751 --> 00:03:14,083 You can do things like adding privileges, 63 00:03:14,083 --> 00:03:19,626 managing mailing lists and all sorts of good things. 64 00:03:19,999 --> 00:03:22,834 Also regular Google accounts are subject to some vulnerabilities 65 00:03:22,834 --> 00:03:26,292 from this as well or some exposure, I should say. 66 00:03:26,792 --> 00:03:29,709 If you are just a regular gmail user and you can reset 67 00:03:29,709 --> 00:03:33,667 the user's password by having a WebLogin token. 68 00:03:47,999 --> 00:03:50,417 That didn't work with two step verification 69 00:03:50,417 --> 00:03:53,751 because of the insistence on verifying a code that's sent 70 00:03:53,751 --> 00:03:55,292 to a phone. 71 00:03:55,999 --> 00:03:58,999 You could also do Google data dumps. 72 00:03:58,999 --> 00:04:01,834 So Google takeout would allow you to download all the contacts 73 00:04:01,834 --> 00:04:04,167 from the target account. 74 00:04:04,375 --> 00:04:06,876 You could also download the drive documents, 75 00:04:06,876 --> 00:04:09,083 various other things. 76 00:04:09,334 --> 00:04:12,751 These the ability to reset the passwords and the ability to get 77 00:04:12,751 --> 00:04:15,125 the Google data dump as I have called it, 78 00:04:15,125 --> 00:04:19,083 these have actually been addressed successfully. 79 00:04:19,083 --> 00:04:20,999 I will get into that a little bit later. 80 00:04:21,083 --> 00:04:24,167 So some of the other things that I have been finding that you can do, 81 00:04:24,167 --> 00:04:27,751 once you have the WebLogin token, you can go ahead and install apps 82 00:04:27,751 --> 00:04:30,918 from the Google play store on to the device you have already 83 00:04:30,918 --> 00:04:32,999 compromised but also other devices that are 84 00:04:32,999 --> 00:04:35,999 associated with that Google account. 85 00:04:35,999 --> 00:04:40,083 You can also access other websites which might use Google federated log 86 00:04:40,083 --> 00:04:45,584 in and Google sites you can make a website on behalf of the victim. 87 00:04:45,834 --> 00:04:48,083 These are all things that are applicable for Google Apps 88 00:04:48,083 --> 00:04:50,459 and regular Google users. 89 00:04:50,918 --> 00:04:54,083 So how do you go about getting a WebLogin token. 90 00:04:54,542 --> 00:04:57,417 The approach I looked at or focused my research 91 00:04:57,417 --> 00:05:00,667 on is a more legitimate, using malware that is going 92 00:05:00,667 --> 00:05:04,167 to make a request using the account manager API to get one 93 00:05:04,167 --> 00:05:09,959 of these tokens and then egress it off to a server or use it on the device. 94 00:05:09,999 --> 00:05:12,209 You have also got some other options if you can deploy 95 00:05:12,209 --> 00:05:15,626 a root exploit successfully, you have access to the account's DB, 96 00:05:15,626 --> 00:05:18,501 session identifiers are in there and everything you need 97 00:05:18,501 --> 00:05:21,334 to get uber auth and WebLogin token. 98 00:05:25,959 --> 00:05:28,999 The Chrome browser has a nice little insecure feature, 99 00:05:28,999 --> 00:05:31,209 called auto sign it. 100 00:05:31,417 --> 00:05:33,918 What that does is generates a WebLogin token 101 00:05:33,918 --> 00:05:39,083 for you and lets you get into any Google service for that device. 102 00:05:39,626 --> 00:05:43,751 And finally, if you have if you are, for example, in law enforcement 103 00:05:43,751 --> 00:05:46,959 or something along those lines, you have access 104 00:05:46,959 --> 00:05:50,999 to a suspect's device that's been perhaps partially damaged, 105 00:05:50,999 --> 00:05:54,542 not really usable, but you can do chip off forensics, 106 00:05:54,542 --> 00:05:58,999 extract memory and you get back to number two of being able to get 107 00:05:58,999 --> 00:06:02,999 the accounts database, and then you are free to masquerade 108 00:06:02,999 --> 00:06:05,999 as the suspect, use their view their emails, 109 00:06:05,999 --> 00:06:08,999 communicate as them, use Google talk as them, 110 00:06:08,999 --> 00:06:12,999 and look through Google voice phone records. 111 00:06:13,876 --> 00:06:16,999 So the proof of concepts that I went through. 112 00:06:17,125 --> 00:06:20,792 My main goal was to be able to make a token stealing app that would 113 00:06:20,792 --> 00:06:24,709 do this without having root access to the device. 114 00:06:25,918 --> 00:06:27,999 I have an app that is two apps that are 115 00:06:27,999 --> 00:06:32,584 on the DEF CON CD that you can take a look at, along with source code. 116 00:06:32,999 --> 00:06:35,792 My secondary objective was to be able to publish this 117 00:06:35,792 --> 00:06:39,375 in Google Play and see whether or not Bouncer would notice 118 00:06:39,375 --> 00:06:43,709 something suspicious about this, and then also, of course, I wanted 119 00:06:43,709 --> 00:06:47,751 to take a look at where the endpoint protection tools might fall 120 00:06:47,751 --> 00:06:51,167 or weigh in on this type of application. 121 00:06:51,167 --> 00:06:54,209 So privacy advisories and antivirus. 122 00:06:55,292 --> 00:06:58,459 Making the app was not difficult at all. 123 00:06:58,459 --> 00:07:03,542 I'm not an Android programmer, reading some blog posts, it was 124 00:07:03,542 --> 00:07:06,125 more than enough. 125 00:07:08,834 --> 00:07:12,167 You can see here, there's the token type and then I'm using 126 00:07:12,167 --> 00:07:14,999 the get auth token method from account manager, 127 00:07:14,999 --> 00:07:18,292 which generates a message like what you see on the bottom 128 00:07:18,292 --> 00:07:21,083 of the screen, which you can see it's requesting 129 00:07:21,083 --> 00:07:24,626 access or permission to WebLogin with the service specified 130 00:07:24,626 --> 00:07:28,959 as finance and a continuation URL of finance.Google.com. 131 00:07:28,999 --> 00:07:32,834 This is your stock portfolio stuff, which not particularly sensitive 132 00:07:32,834 --> 00:07:35,292 information for most people. 133 00:07:36,125 --> 00:07:39,999 So the revisions that I went through to get here, I started 134 00:07:39,999 --> 00:07:43,999 out with something called I called Tubeapp which was intended 135 00:07:43,999 --> 00:07:47,999 to advertise itself as a YouTube downloader app. 136 00:07:50,542 --> 00:07:55,459 The Google Apps administrator would use this application and it would go 137 00:07:55,459 --> 00:07:59,792 from your phone or tablet and it would fetch your OAuth secret 138 00:07:59,792 --> 00:08:01,834 for the domain. 139 00:08:02,167 --> 00:08:05,334 It didn't do any egressing with this. 140 00:08:05,334 --> 00:08:06,959 I had it appear on the screen. 141 00:08:06,959 --> 00:08:11,999 I didn't post it to Play or anything, but then my next step was to make 142 00:08:11,999 --> 00:08:15,250 the stock view application. 143 00:08:15,250 --> 00:08:17,375 With this, I did post it on to Google play. 144 00:08:17,501 --> 00:08:19,999 I gave it a vague description, saying it's 145 00:08:19,999 --> 00:08:24,959 a testing application that shouldn't be installed and priced it at $150 146 00:08:24,959 --> 00:08:28,999 to avoid inadvertent or curious downloaders. 147 00:08:29,209 --> 00:08:34,083 And for this first revision of stock view, I made it so that all it would do 148 00:08:34,083 --> 00:08:38,792 is ask you for permission to access your WebLogin token. 149 00:08:38,918 --> 00:08:42,209 If it's granted, it's going to request two tokens. 150 00:08:42,209 --> 00:08:46,375 One will be used to launch the browser and show you your stock 151 00:08:46,375 --> 00:08:52,501 view feed and the other one is silently posted to my web server. 152 00:08:52,501 --> 00:08:56,375 The next release I did of this, I added SSL support because, really, 153 00:08:56,375 --> 00:09:01,334 I didn't like having my tokens go over in plain text, but I also updated 154 00:09:01,334 --> 00:09:06,167 the description in Google Play to make it up more blatant that this app 155 00:09:06,167 --> 00:09:10,459 is doing bad things and in response to some things that I saw 156 00:09:10,459 --> 00:09:14,167 with Bouncer or lack some of things I saw with Bouncer, 157 00:09:14,167 --> 00:09:18,250 I also added some code so that no matter what, when you run 158 00:09:18,250 --> 00:09:22,334 the application, it's going to enumerate your accounts list 159 00:09:22,334 --> 00:09:25,626 through the account manager API. 160 00:09:25,626 --> 00:09:29,083 This requires no permission request, except for in the application manifest, 161 00:09:29,083 --> 00:09:32,626 and that would get immediately uploaded. 162 00:09:32,626 --> 00:09:35,999 Then you would be prompted for permission for the WebLogin token. 163 00:09:35,999 --> 00:09:39,999 If accepted that would get addressed over as a cell. 164 00:09:39,999 --> 00:09:43,959 So here's what you see when you are installing the application. 165 00:09:43,959 --> 00:09:47,459 It's requiring the find accounts open the device to enumerate accounts 166 00:09:47,459 --> 00:09:50,250 and use beings on the device so you can use 167 00:09:50,250 --> 00:09:54,918 the get auth token and, of course, full network access for being able 168 00:09:54,918 --> 00:09:57,459 to egress off the device. 169 00:09:57,834 --> 00:10:00,667 And once again, you see the permission prompt that you get, 170 00:10:00,667 --> 00:10:02,959 the first time you run it. 171 00:10:02,959 --> 00:10:05,959 If you allow access, you will never see that message again. 172 00:10:05,999 --> 00:10:09,667 So I published it in Google Play. 173 00:10:09,667 --> 00:10:12,250 They did not flag anything on submission. 174 00:10:12,250 --> 00:10:15,584 I didn't receive anything in my server logs indicating that Google 175 00:10:15,584 --> 00:10:18,918 Bouncer had actually executed the application in such 176 00:10:18,918 --> 00:10:21,999 a way that it would make my request. 177 00:10:22,292 --> 00:10:25,626 It brings up some questions, namely, whether Google Bouncer 178 00:10:25,626 --> 00:10:29,209 is really running all of the apps that are being submitted 179 00:10:29,209 --> 00:10:33,918 or if they are running in some type of limited environment that does not 180 00:10:33,918 --> 00:10:36,501 actually have support for Google accounts, 181 00:10:36,501 --> 00:10:40,417 such that these account manager requests would just be skipped 182 00:10:40,417 --> 00:10:44,542 over and not recognized as potentially malicious. 183 00:10:44,542 --> 00:10:47,125 In any opinion, it should strike some red flags that my 184 00:10:47,125 --> 00:10:51,042 application is just requesting a token and immediately sending it 185 00:10:51,042 --> 00:10:53,999 up to a server but it didn't raise any red flags 186 00:10:53,999 --> 00:10:55,792 with Google. 187 00:10:55,959 --> 00:11:00,250 This is what it looked like in play store this application 188 00:11:00,250 --> 00:11:04,334 provides quick access to your Google stock portfolio, 189 00:11:04,334 --> 00:11:08,709 while completely compromising your privacy. 190 00:11:15,292 --> 00:11:18,334 (Laughter) (Applause) If you prefer convenience over security, 191 00:11:18,334 --> 00:11:20,626 then this app is for you. 192 00:11:20,626 --> 00:11:22,375 This application is currently under testing and should not be 193 00:11:22,375 --> 00:11:24,459 installed by anyone ever. 194 00:11:24,501 --> 00:11:26,751 And, of course this was up, but a month later, 195 00:11:26,751 --> 00:11:30,626 probably somebody noticed this was a little bit suspicious looking 196 00:11:30,626 --> 00:11:33,167 and reported it, and my Google wallet account 197 00:11:33,167 --> 00:11:34,999 got suspended. 198 00:11:34,999 --> 00:11:36,792 I think it was up for about a month. 199 00:11:36,792 --> 00:11:39,083 I wasn't really paying much attention to it. 200 00:11:39,083 --> 00:11:40,542 When I went back to start doing research 201 00:11:40,542 --> 00:11:43,918 for writing these slides now, I found that Google Apps 202 00:11:43,918 --> 00:11:48,459 on Android's verify service or option on the device now would say installing 203 00:11:48,459 --> 00:11:52,667 this app may harm your device this can be used to hack or spy on you 204 00:11:52,667 --> 00:11:56,626 and Google is recommending you do not install it. 205 00:11:56,626 --> 00:11:58,083 The only caveat is if I rebuild my app 206 00:11:58,083 --> 00:12:02,083 and give it a slightly different name, this warning never comes up again, 207 00:12:02,083 --> 00:12:05,292 because I guess it's just a black list. 208 00:12:05,375 --> 00:12:08,250 So looking at endpoint protection, I scanned five 209 00:12:08,250 --> 00:12:11,999 of the popular tools that I was familiar with. 210 00:12:12,083 --> 00:12:14,083 None of them found any risks. 211 00:12:14,083 --> 00:12:19,667 Looking at the privacy advisors, I found that Avast would recognize 212 00:12:19,667 --> 00:12:24,918 the used credentials is potentially a privacy risk. 213 00:12:24,999 --> 00:12:27,083 Look out premium didn't seem to have a category 214 00:12:27,083 --> 00:12:30,999 for saying which applications have the permission to request tokens 215 00:12:30,999 --> 00:12:32,918 on your behalf. 216 00:12:32,918 --> 00:12:34,292 So demo time. 217 00:12:35,209 --> 00:12:37,501 We will see how this goes. 218 00:12:37,751 --> 00:12:42,083 First of all, this is a Chrome web browser that 219 00:12:42,083 --> 00:12:47,209 is incognito, it has no access to anything. 220 00:12:47,209 --> 00:12:49,459 I will browse to gmail and I will log in. 221 00:12:50,999 --> 00:12:54,501 I will unlock my tablet. 222 00:12:54,999 --> 00:12:57,959 Hopefully it will connect to the DEF CON secure network. 223 00:13:00,209 --> 00:13:01,999 Oh, there we go. 224 00:13:01,999 --> 00:13:04,167 So switching over. 225 00:13:04,751 --> 00:13:10,250 This is just going to be telling the logs from my web server and 226 00:13:10,250 --> 00:13:14,667 as you see here, the tablet is slowly loading 227 00:13:14,667 --> 00:13:17,999 the Google finance page. 228 00:13:17,999 --> 00:13:19,751 Maybe some of you can see that. 229 00:13:19,751 --> 00:13:22,918 But more importantly, what we have here this first request 230 00:13:22,918 --> 00:13:25,250 shows the accounts that were configured 231 00:13:25,250 --> 00:13:29,083 on the tablet and then the second one in this URL parameter, 232 00:13:29,083 --> 00:13:33,083 this is the URL that was returned as the token. 233 00:13:33,125 --> 00:13:35,751 This does have an expiration on it. 234 00:13:35,751 --> 00:13:38,709 If you don't use it quickly enough, it will not work, but I will go ahead 235 00:13:38,709 --> 00:13:43,501 and load that and now you can see we are authenticated at stupid admin. 236 00:13:43,918 --> 00:13:54,999 (Applause) You can then see that you can access their email. 237 00:13:54,999 --> 00:13:56,250 You can go through drive. 238 00:13:57,167 --> 00:13:59,876 The contacts are accessible. 239 00:13:59,999 --> 00:14:03,167 But some things that used to be very interesting to me here, 240 00:14:03,167 --> 00:14:07,834 if you go into account, you have your download your data. 241 00:14:08,083 --> 00:14:12,083 If you tried to do this two weeks ago, it would just let you download 242 00:14:12,083 --> 00:14:13,999 all the data. 243 00:14:13,999 --> 00:14:16,334 Now you have a security notice that's helpfully telling 244 00:14:16,334 --> 00:14:19,542 you that Google wants to make sure that you are really asking 245 00:14:19,542 --> 00:14:21,792 for this data download. 246 00:14:22,792 --> 00:14:26,999 And along those same lines, if we go back one more. 247 00:14:26,999 --> 00:14:28,999 You used to be able to add a recovery email address 248 00:14:28,999 --> 00:14:32,334 without a password which you could then use to reset the password 249 00:14:32,334 --> 00:14:34,083 on the account. 250 00:14:34,584 --> 00:14:38,792 This is now blocked off, but fortunately, or unfortunately, depending 251 00:14:38,792 --> 00:14:42,209 on how you look at it, the Google Apps control panel 252 00:14:42,209 --> 00:14:45,334 is still completely accessible. 253 00:14:45,501 --> 00:14:49,542 So I have now browsed to Google.com/a/domain name. 254 00:14:51,417 --> 00:14:53,999 We can browse the users in the domain. 255 00:14:54,167 --> 00:14:58,959 We can go ahead and do things like resetting a password. 256 00:15:06,834 --> 00:15:08,999 You have more time. 257 00:15:08,999 --> 00:15:11,626 The next speaker is not here. 258 00:15:11,626 --> 00:15:12,626 Ramble on! 259 00:15:12,626 --> 00:15:13,959 CRAIG YOUNG: Perfect! 260 00:15:13,959 --> 00:15:16,125 So I guess I will spend more time with the demo. 261 00:15:16,125 --> 00:15:19,584 I could show that password or specify a password that I'm setting. 262 00:15:19,584 --> 00:15:22,083 I will just go ahead and reset that password again. 263 00:15:22,584 --> 00:15:24,459 Without showing it this time. 264 00:15:25,375 --> 00:15:31,834 We could also do something like adding a new user, which 265 00:15:31,834 --> 00:15:34,167 is over here. 266 00:15:35,250 --> 00:15:39,083 So this is something that Google has actually tried to fix. 267 00:15:39,667 --> 00:15:43,459 The other day, I recorded a demo because I noticed that 268 00:15:43,459 --> 00:15:47,125 they blocked off access to this vector. 269 00:15:47,125 --> 00:15:48,751 So we'll see if it works now. 270 00:15:48,751 --> 00:15:50,792 I've had mixed success since then. 271 00:15:50,999 --> 00:15:54,959 So, yeah, you see we are unable to process your request at this time. 272 00:15:54,959 --> 00:15:55,999 Please try again later. 273 00:15:55,999 --> 00:15:57,999 We will try it one more time. 274 00:15:57,999 --> 00:15:58,999 Sometimes it works. 275 00:15:59,083 --> 00:16:02,083 But what we can still do this has actually worked when I was 276 00:16:02,083 --> 00:16:06,292 in the speaker room, 10 minutes ago or 20 minutes ago. 277 00:16:06,834 --> 00:16:14,083 What we can still do is say, take this user and add to it, 278 00:16:14,083 --> 00:16:19,083 admin permissions, user admin. 279 00:16:19,083 --> 00:16:23,083 It lets us do that. 280 00:16:23,417 --> 00:16:25,417 We can then reset the password. 281 00:16:27,083 --> 00:16:28,999 I will use an autogenerated password. 282 00:16:28,999 --> 00:16:38,417 And now if we go and sign out from the WebLogin token session, 283 00:16:38,417 --> 00:16:45,959 we can sign back in here, hopefully remember 284 00:16:45,959 --> 00:16:51,626 the user name that that was. 285 00:16:57,626 --> 00:16:58,959 Okay. 286 00:16:58,959 --> 00:17:00,584 So now we have admin consult that's done 287 00:17:00,584 --> 00:17:04,417 through a password being manually entered. 288 00:17:04,501 --> 00:17:05,999 So in this context, you no longer have 289 00:17:05,999 --> 00:17:09,083 the stipulations that you are going to get that error that we had 290 00:17:09,083 --> 00:17:12,125 before when trying to create an account. 291 00:17:12,501 --> 00:17:15,334 So I can now add a user to the account. 292 00:17:34,209 --> 00:17:36,417 Hopefully this will still work. 293 00:17:36,417 --> 00:17:37,417 And it does. 294 00:17:37,542 --> 00:17:40,999 So now we have added a new admin user to this domain. 295 00:17:42,501 --> 00:17:45,999 Some of the other things that I had mentioned that you can do. 296 00:17:46,999 --> 00:17:50,999 Actually, I haven't mentioned this yet, but let's say we want to oops. 297 00:17:53,709 --> 00:17:58,584 We want to transfer documents from a Google account 298 00:17:58,584 --> 00:18:03,792 to another Google account, the ability to say transfer 299 00:18:03,792 --> 00:18:09,292 from this user to the new admin two that we did. 300 00:18:10,459 --> 00:18:13,626 This has initiated transfer or initiated document 301 00:18:13,626 --> 00:18:15,959 ownership transfers. 302 00:18:15,959 --> 00:18:18,083 So now that new account that we just created has access 303 00:18:18,083 --> 00:18:23,083 to all of the data that was in the Google drive for that other user. 304 00:18:23,459 --> 00:18:27,709 There are some email notifications going out about that, but looking 305 00:18:27,709 --> 00:18:33,083 at some other interesting things that we can do, I'm actually going to get back 306 00:18:33,083 --> 00:18:36,792 in the context of the WebLogin tokens. 307 00:18:36,792 --> 00:18:37,918 Let me sign off here. 308 00:18:45,959 --> 00:18:48,876 Let me see if we have a new token now. 309 00:18:51,209 --> 00:18:54,834 So that looks like the old token. 310 00:18:54,834 --> 00:18:56,501 Oh, there we go. 311 00:18:56,751 --> 00:18:59,584 So now the new token, as you can see here, 312 00:18:59,584 --> 00:19:02,999 if we copy this back into that. 313 00:19:06,709 --> 00:19:12,459 We're back here and we can go to play.Google.com, 314 00:19:12,459 --> 00:19:16,876 and let's pick a random app. 315 00:19:19,125 --> 00:19:21,209 Use accounts on this device. 316 00:19:21,209 --> 00:19:22,209 That's good. 317 00:19:22,209 --> 00:19:23,209 Let's install that. 318 00:19:24,167 --> 00:19:28,250 And so now it's going and momentarily, actually, already it's starting 319 00:19:28,250 --> 00:19:30,709 to download the new app. 320 00:19:32,083 --> 00:19:37,083 We can also abuse other sites that are relying on the Google federated log in. 321 00:19:37,083 --> 00:19:39,792 For example, I picked a random example, 322 00:19:39,792 --> 00:19:42,501 get satisfaction.com. 323 00:19:43,542 --> 00:19:52,584 If I click Google, log in with Google, it's now logged in, 324 00:19:52,584 --> 00:19:56,751 showing Craig Young. 325 00:19:56,999 --> 00:20:01,209 If there's anything useful on here, somebody could do something 326 00:20:01,209 --> 00:20:05,709 with that, but And since we have a few extra minutes, I'm thinking 327 00:20:05,709 --> 00:20:09,959 if there's anything else I want to show in here. 328 00:20:09,999 --> 00:20:11,751 Calendar is accessible. 329 00:20:11,751 --> 00:20:13,292 Could you create appointments. 330 00:20:13,292 --> 00:20:15,250 Oh, here's an interesting one. 331 00:20:15,292 --> 00:20:19,501 You can go to history.Google.com, and see it says only you can see your 332 00:20:19,501 --> 00:20:21,999 history, but (Laughter). 333 00:20:21,999 --> 00:20:25,250 a little less than accurate. 334 00:20:26,000 --> 00:20:29,999 So I think let's jump back over to the slides. 335 00:20:30,876 --> 00:20:33,999 So how do you avoid being a victim? 336 00:20:33,999 --> 00:20:36,125 First of all, I used to do this. 337 00:20:36,626 --> 00:20:39,000 Everybody since using Android with my Google Apps domain, 338 00:20:39,000 --> 00:20:40,959 I was an admin. 339 00:20:41,083 --> 00:20:42,792 Not anymore. 340 00:20:42,792 --> 00:20:46,999 I have other users that don't associate with any Android devices 341 00:20:46,999 --> 00:20:51,542 and my phone has add least some limited risk. 342 00:20:51,834 --> 00:20:55,000 You also want to be very skeptical if you are getting requests 343 00:20:55,000 --> 00:20:58,834 from an application to use a WebLogin token or the LSID, or 344 00:20:58,834 --> 00:21:02,999 the LSD session identifiers and I talked about that in another talk, 345 00:21:02,999 --> 00:21:05,334 how you can use those. 346 00:21:07,083 --> 00:21:11,083 You want to stick with trusted app stores and vendors. 347 00:21:11,083 --> 00:21:14,209 I know that's a loaded thing, but I think still sticking with Play, 348 00:21:14,209 --> 00:21:18,959 for example, even though I was able to get malware in there pretty easily, 349 00:21:18,959 --> 00:21:22,876 it's better than some random Chinese app store. 350 00:21:23,209 --> 00:21:26,542 And although I found that antivirus did not detect this threat, 351 00:21:26,542 --> 00:21:29,584 I do have faith that since it's signature based, it 352 00:21:29,584 --> 00:21:32,083 will most likely be able to pick up things 353 00:21:32,083 --> 00:21:35,459 like root exploits that are known about. 354 00:21:35,459 --> 00:21:38,083 So that's a little bit more protection there. 355 00:21:39,083 --> 00:21:41,751 If you have been pwned through this you want 356 00:21:41,751 --> 00:21:44,375 to do some stepped to recover. 357 00:21:44,501 --> 00:21:48,501 First of all, you want to invalidate all of the sign in cookies. 358 00:21:49,209 --> 00:21:51,834 That's accessible through the Google Apps control panel, 359 00:21:51,834 --> 00:21:55,083 as well as in the gmail account settings, I believe. 360 00:21:55,125 --> 00:21:57,209 You want to reset passwords for basically everything 361 00:21:57,209 --> 00:21:59,959 on your domain or if it's just your individual being, 362 00:21:59,959 --> 00:22:02,250 just your individual account. 363 00:22:02,751 --> 00:22:05,709 You want to go through gmail and make sure no one has added mail 364 00:22:05,709 --> 00:22:09,292 forwarders or figure out recovery email addresses. 365 00:22:09,292 --> 00:22:13,999 It seems like Google has more or less protected against that. 366 00:22:13,999 --> 00:22:15,083 You want to look for new domain admins, 367 00:22:15,083 --> 00:22:17,667 that's something you don't want. 368 00:22:17,999 --> 00:22:23,834 And I found that Google Apps, the audit trail it leaves is very effective. 369 00:22:23,834 --> 00:22:27,250 It tells you which actions were unauthorized or it could let you know 370 00:22:27,250 --> 00:22:31,918 which actions were unauthorized because it's recording everything that's 371 00:22:31,918 --> 00:22:36,999 done at a pretty granular level, and it is reporting IP addresses. 372 00:22:36,999 --> 00:22:39,584 So as long as the token is not being abused from your device, 373 00:22:39,584 --> 00:22:43,209 from your IP device, you will potentially get some information 374 00:22:43,209 --> 00:22:46,542 on how to track down who attacked you. 375 00:22:46,834 --> 00:22:50,334 So in the process of doing this there's some links 376 00:22:50,334 --> 00:22:54,626 up here in the slides that you can check out. 377 00:22:54,667 --> 00:22:56,792 The first one is a blog post that explains 378 00:22:56,792 --> 00:22:59,334 all about account manager. 379 00:22:59,334 --> 00:23:01,250 They were looking at it for other purposes 380 00:23:01,250 --> 00:23:05,876 but you can also check out I did a talk at B sides San Francisco, 381 00:23:05,876 --> 00:23:08,501 and there's a blog post. 382 00:23:08,501 --> 00:23:10,918 If you have any questions, you can find me, get me 383 00:23:10,918 --> 00:23:14,709 a beer and we can talk shop or I will maybe be out in the hall 384 00:23:14,709 --> 00:23:16,834 for a few minutes. 385 00:23:17,167 --> 00:23:18,167 Thank you.