Complete draft

What: for our initial release, we only want to publish the TOC, chapters 1-3 in HTML, a PDF version that requires their email and an sign up form for updates.

Why: the rest of the content is draft and not ready for the public.

Lawyers can be very involved in incident response, and frequently turned to first to address liability - are we planning to engage this target group at all in our book? (from Suzanne)

http://www.cio.com/article/2956374/legal/why-every-cio-needs-a-cybersecurity-attorney.html

Notes from @dweinstein from a RSA talk prep. Good content for the book.

https://gist.github.com/dweinstein/3112291aada6de594677

Complete draft

What: web user should be able to submit their email address and receive updates we send (via our marketing email tools) about the book

Why: this is a key way for us to engage and stay in touch with our readers and move them ultimately into customers.

@ghostbar on Mon can you look into the Edit on Github plugin/config? When you click on the link you get a 404. It points to:

https://github.com/viaforensics/mobile-incident-response/tree/master/undefinedoverview/case-for-mobile-ir.md

but I think it should point to:

https://github.com/viaforensics/mobile-incident-response/blob/master/en/overview/case-for-mobile-ir.md

Complete draft of this section.

Probably relevant in an IR analysis.

This can be useful for mobile forensics, and also, it can be good to spot vulnerabilities in non-updated devices (which trust certificates that has been leaked or considered insecure). Also, it can be interesting for analyzing cheap phones where no firmware is available.

• Related: https://blog.lookout.com/blog/2011/08/31/for-rooted-android-device-users-open-heart-surgery-on-your-android-ca-store/
• Another pretty relevant blog: https://bluebox.com/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/

I had done some limited testing when styling and this was not an issue before so I'm not sure what happened.

On mobile (and semi and issue with small browser windows) the content area becomes much too narrow to read. The header is also wrapping oddly. This is across all browsers.

This may be as simple as overriding the overflow: hidden on the container.

Add this to incident response:

• Root cause analysis
• Corrective actions
• Lessons learned- what controls worked and didn’t work- people, process or technology

/cc @kstrzemp @sbakken

yesterday @ab and I discussed putting some things learned from Hacking Team data dump into either the mobile exploitation chapter or the case study. could be scattered in other places… Marco shared this blog from Lookout with me and it does a good job. For the book, we’d like want to do our own analysis but the two points in their conclusion was a big part of what I wanted to get across (besides showing a technique used for iOS):

1. We now know that attackers around the world have both the intent to compromise iOS and Android devices and access to the technology to do so.
2. Specific to iOS, devices do not need to be jailbroken to be compromised. The fact that Hacking Team possessed an enterprise certificate gave it the ability to infect any iOS device. This opens up the pool of potential victims way beyond the roughly 8% of people globally who have jailbroken their devices.

/cc @belenko @dweinstein

What: update the default gitbook style to be come compliant with the NS Style guide

Why: to ensure the user experience on our website is seamless, follows our Style Guide and builds our brand

I'll attach a few files here but for a talk given in Vienna re: Mobile IR, Yonas used SimpleLocker as his IR example because:

• It does not require a C2 server
• It locks a device, demands money (def something that happens these days)
• The encryption key is hardcoded in the source code

Unfortunately, I don't see the same scenario playing out on iOS but something to consider for Android. /cc @dweinstein @belenko @0Xroot

complete draft

Complete draft

What: need the ability to deploy the book (static) from github to our staging and production websites using the gitbook toolchain

Why: lead gen baby!

Complete draft

Complete draft

Complete draft

Complete draft of this section

there's a lot of information that can be obtained from the various caches provided by the system or an individual application.

it would be nice to explore this in a section including:

• geo location, wifi SSIDs stored by Android / iOS OS
  • OS X /usr/libexec/airportd readNVRAM
• applications storing recent locations:
  • weather apps
  • news apps that use geo to present local relevant news

all these data sources can be used to paint a clearer picture for incident response

• the vuln checker tool for android will be released soon OSS, but code is currently here: https://github.com/viaforensics/ns-android-device-vuln-checker
• it can be used to test for known vulnerabilities on the device. there are two types of vuln tests that can be performed, one only tests the vuln without actually using it, the other type of checker actually exploits the vulnerability. obviously there are different tradeoffs for both.

Complete draft

What: over the past two weeks, we will have drafted large parts of chapters 1-3. Def need some copy editing

Why: so we don't look like a bunch of amateurs :-)

Complete draft

http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/

MITRE has a nice site with attack patterns and unfortunately it is mainly focused on Windows systems/networks.

I think we should spend some time doing something similar for Mobile to help paint a picture of what an attacker can/may do when getting initial code execution on a device:

MITRE's page they trademarked ATT&CK™

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. The model can be used to better characterize and describe post-access adversary behavior. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the post-initial access (post exploit and implant) tactics, techniques, and procedures (TTP) advanced persistent threats (APT) use to execute their objectives while operating inside a network.

I started a google doc for now to store a spreadsheet for examples from mobile persective, here

Complete draft

Complete draft of this section

Complete draft of this section.

Complete draft

Complete draft.

Awaits for #36 to be closed. Aka: just have what should be published in live branch and not all the drafts.

/cc @ahoog42
http://blogs.wsj.com/digits/2014/12/01/are-hackers-trying-to-gain-an-edge-on-wall-street/

haven't looked at details to see if any mobile relation