SANS Brochure Challenge Write-Up

Last summer SANS organised a security/hacking challenge across 4 of their brochures. Each brochure had an “easy” challenge in the form of a hidden message to decipher, which gave you the URL to the second level of each of the 4 challenges.

Below is a brief explanation of the steps I took for the main technical challenges:

1. Challenge 1, level 2: Alice’s encrypted file for Bob
First you need to load the pcap file provided for that question into Wireshark; two types of traffic should catch your attention: some HTTP and some SMB traffic. Doing a quick search (CTRL-F) for the string “Bob” in the “packet bytes” will get you to frame 669, a web chat over HTTP where Alice mentions to someone that she needs to send a file to Bob and “will encrypt it so Eve won’t take a look this time”. In the text of that frame you will also notice the keyword “PRIVMSG”; searching for that string (CTRL-F) will get you to frame 515 (right-click and select Follow TCP Stream to get a nicer view). This shows that Alice really likes Bones quotes from Star Trek, and it also provides a URL to a “fascinating star trek quotes gallery”:

The first quote from Bones on that page is:
“Space is disease and danger wrapped in darkness and silence.”

That quote is very likely the password used to encrypt Bob’s file; now you just need to find that file!
This is actually very easy by using Wireshark built-in file extraction capability:
Go to File -> Export Objects -> SMB/SMB2
You will see a file called: for_bob.7z
Just save it, extract it using the quote from Bones mentioned above as the password, and you will get a text file called super secret.txt containing the URL to file 1 of the 4 needed for the final challenge.
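Wireshark’s “packet bytes” search can be reproduced in a few lines of Python, which is handy when you want to scan a large capture for several keywords at once. The script below is an added example and not part of the original write-up or of the challenge material: it parses the classic libpcap container directly (no scapy or tshark needed), numbers frames the way Wireshark’s “No.” column does, and runs on a small three-frame capture constructed inline, so the frame numbers it reports are not the 669 and 515 of the challenge pcap.

```python
import struct

# Libpcap magic numbers: the first four bytes give the byte order (and whether
# timestamps are micro- or nanosecond), which is all this reader needs.
_LITTLE = (b'\xd4\xc3\xb2\xa1', b'\x4d\x3c\xb2\xa1')
_BIG = (b'\xa1\xb2\xc3\xd4', b'\xa1\xb2\x3c\x4d')


def iter_frames(pcap: bytes):
    """Yield (frame_number, packet_bytes) for each record of a libpcap file.

    Frame numbers start at 1 to match Wireshark. pcapng files (a different
    container) are rejected rather than misparsed.
    """
    magic = pcap[:4]
    if magic in _LITTLE:
        endian = '<'
    elif magic in _BIG:
        endian = '>'
    else:
        raise ValueError('not a classic libpcap file (pcapng is not handled here)')
    pos = 24  # global header: magic, version, tz, sigfigs, snaplen, linktype
    frame_no = 0
    while pos + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + 'IIII', pcap[pos:pos + 16])
        pos += 16
        packet = pcap[pos:pos + incl_len]
        if len(packet) < incl_len:
            raise ValueError('truncated capture: frame %d is cut short' % (frame_no + 1))
        pos += incl_len
        frame_no += 1
        yield frame_no, packet


def find_frames(pcap: bytes, needle: bytes, case_sensitive: bool = False) -> list:
    """Return the frame numbers whose raw bytes contain needle.

    The default ignores case, like Wireshark's search with the "Case sensitive"
    box unticked. Only bytes as captured are examined, so a string split across
    two TCP segments, or sent compressed or encrypted, will not match.
    """
    if not case_sensitive:
        needle = needle.lower()
    return [no for no, packet in iter_frames(pcap)
            if needle in (packet if case_sensitive else packet.lower())]


def build_sample_pcap() -> bytes:
    """Constructed three-frame capture for demonstration (not the challenge pcap).

    Link type 147 (LINKTYPE_USER0) is used so each frame is just the payload,
    with no Ethernet/IP/TCP headers in front of it.
    """
    frames = [
        b'GET /chat HTTP/1.1\r\nHost: example.test\r\n\r\n',
        b'msg=I need to send a file to Bob, will encrypt it this time',
        b':alice PRIVMSG #trek :Space is disease and danger',
    ]
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 147)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1400000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == '__main__':
    sample = build_sample_pcap()
    for keyword in (b'Bob', b'PRIVMSG'):
        print(keyword.decode(), '->', find_frames(sample, keyword))
```

Because it only sees bytes as captured, a keyword that spans two TCP segments will not be found; that is what Follow TCP Stream fixes in the GUI, and the same reassembly would be needed here before searching.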

2. Challenge 2, Level 2: Carol’s Firefox for Android
This question provides a .tgz file. After decompressing it with tar xvzf file.tgz you just need to go through the folders and search the cache folder for pictures; specifically, you want to go here:

There is only one picture, one of Harrison Ford.
Running the exiftool command on that file will provide you with some information and, more importantly, the name of the photographer:
Joe Scarnici

I tried to find the original photo so I could get the lens details but it is a Getty image that would need to be paid for.
Instead, we could try to get lucky and search for other photos Joe Scarnici has taken that may be free; with some luck the details of his lens will be available and be the same as the one used to take that photo.
Doing a Google search for the words “Joe Scarnici lens serial number” gets you to this web page:
On that page you can find the lens serial number and complete this challenge!

PS: That was lucky! The photographer uses many different lenses! Also, there is an easier way to find the solution!

3. Challenge 3, Level 2: Dave’s recovered WAV file
This is by far my favourite challenge!
The question gives you an SVN dump file, so you need to do some SVN kung fu to extract that audio file.
First we create an SVN repository:
#mkdir sans_repo
#svnadmin create sans_repo
Then, using the instructions from that web page:
(except that svn init did not work for me, hence the svnadmin command above)
you do:
#svnadmin load sans_repo < repo.svn_dump
#svnserve -r sans_repo -d
#svn export svn://localhost backup

Now cd to the “backup” folder and you will see some files, including a text file telling you the goals are to go to the moon, learn SVN commands and also Alienese.
Great… but no audio files!
Oh… hang on a sec… take a look at the svn output from the previous command….
A file named “dontopen.mp3” is created, but then it is deleted!
You need to edit repo.svn_dump and remove the revision section that deletes that file. You can just use vi and search for the term “dontopen”: skip the first occurrence, as this is where the file is created, search for the next one, and delete the section starting at the line:
Revision-number: 3
up to the line:
Revision-number: 4 (but leave that line)

Now you need to start the process again (Ok, I could have told you that from the beginning but you need to learn the hard way! :)
Don’t forget to kill the svnserve process before starting again, and delete those folders you created in your first attempt.
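Editing the dump by hand in vi works, but it is easy to slip when a versioned file itself contains text that looks like a dump header. The script below is an added example, not part of the original write-up: it parses the SVN dump format properly (honouring Content-length so file bodies are skipped by size rather than scanned), lists the revisions that delete a given path, and writes the dump back without them. The sample dump it runs on is constructed inline to mirror the challenge (an add of dontopen.mp3, a second file whose content contains a decoy “Revision-number: 3” line, then the delete); it is not the real repo.svn_dump.

```python
def parse_records(dump: bytes):
    """Yield (headers, start_offset) for every record in an SVN dump file.

    A record is a block of 'Key: value' header lines ended by a blank line,
    optionally followed by Content-length bytes of body. The body is skipped
    by length, so a versioned file whose text happens to contain a line such
    as 'Revision-number: 3' can never be mistaken for a real record header.
    """
    pos, size = 0, len(dump)
    while pos < size:
        while pos < size and dump[pos:pos + 1] == b'\n':   # blank lines between records
            pos += 1
        if pos >= size:
            break
        start, headers = pos, {}
        while True:
            nl = dump.index(b'\n', pos)
            line, pos = dump[pos:nl], nl + 1
            if not line:
                break
            key, _, value = line.partition(b': ')
            headers[key] = value
        if b'Content-length' in headers:
            pos += int(headers[b'Content-length'])
        yield headers, start


def split_revisions(dump: bytes):
    """Group records into (preamble, [(rev_number, [(headers, raw_bytes), ...]), ...]).

    Each raw slice runs up to the start of the next record, so blank-line
    spacing is preserved byte for byte when the dump is written back out.
    """
    recs = list(parse_records(dump))
    preamble, revisions = b'', []
    for i, (headers, start) in enumerate(recs):
        end = recs[i + 1][1] if i + 1 < len(recs) else len(dump)
        raw = dump[start:end]
        if b'Revision-number' in headers:
            revisions.append((int(headers[b'Revision-number']), [(headers, raw)]))
        elif revisions:
            revisions[-1][1].append((headers, raw))
        else:
            preamble += raw        # format-version and UUID records
    return preamble, revisions


def revisions_deleting(dump: bytes, path: bytes) -> list:
    """Revision numbers that carry a 'Node-action: delete' for path."""
    return [num for num, recs in split_revisions(dump)[1]
            if any(h.get(b'Node-path') == path and h.get(b'Node-action') == b'delete'
                   for h, _ in recs)]


def drop_revisions(dump: bytes, numbers) -> bytes:
    """Return the dump with whole revisions removed. svnadmin load renumbers
    what is left, so the gap in numbering does not matter on reload."""
    preamble, revisions = split_revisions(dump)
    drop = set(numbers)
    keep = [raw for num, recs in revisions if num not in drop for _, raw in recs]
    return preamble + b''.join(keep)


def build_sample_dump() -> bytes:
    """Constructed dump mirroring the challenge: rev 1 adds dontopen.mp3, rev 2
    adds goals.txt, rev 3 deletes dontopen.mp3 (this is not the real repo.svn_dump)."""
    def rev(number, log):
        props = b'K 7\nsvn:log\nV %d\n%s\nPROPS-END\n' % (len(log), log)
        return (b'Revision-number: %d\nProp-content-length: %d\nContent-length: %d\n\n%s\n'
                % (number, len(props), len(props), props))

    def add(path, text):
        return (b'Node-path: %s\nNode-kind: file\nNode-action: add\nProp-content-length: 10\n'
                b'Text-content-length: %d\nContent-length: %d\n\nPROPS-END\n%s\n\n'
                % (path, len(text), 10 + len(text), text))

    return (b'SVN-fs-dump-format-version: 2\n\nUUID: 00000000-0000-0000-0000-000000000000\n\n'
            + rev(0, b'') + rev(1, b'add audio') + add(b'dontopen.mp3', b'ID3\x03fake-audio')
            + rev(2, b'add goals') + add(b'goals.txt', b'Decoy line:\nRevision-number: 3\n')
            + rev(3, b'remove it') + b'Node-path: dontopen.mp3\nNode-action: delete\n\n\n')


if __name__ == '__main__':
    import sys
    src = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_dump()
    bad = revisions_deleting(src, b'dontopen.mp3')
    print('revisions deleting dontopen.mp3:', bad)
    cleaned = drop_revisions(src, bad)
    print('revisions kept:', [n for n, _ in split_revisions(cleaned)[1]])
```

svnadmin load renumbers the revisions it loads (it reports “loaded from original rev N”), so the gap left by the dropped revision is harmless. Dropping a revision removes everything that revision did, so check that it only carries the delete before removing it. If you would rather not edit the dump at all, svn export -r 2 svn://localhost backup exports the tree as it stood just before the delete.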

Now you have that mp3 file.
The question tells you to “LOOK” at that audio file… and the goals.txt file also tells you that the last step is to become fluent in Alienese.
I was therefore convinced I had to find a picture… because Alienese is not a spoken language, just a written one.
If you google the phrase: “How to hide pictures in wav” you get the following link:

From there you learn you need to use a tool like “Sonic Visualiser”.
Start that software, load your mp3 file, add a spectrogram from the Layer menu and, towards the end of the file/spectrum, by playing with the zoom you will see a…. QR code!
Just use your phone with one of the many free QR code readers and you will get the answer to that challenge.
(wait!? what happened to Alienese!!!! )

4. Challenge 4, Level 2: The Cylon Question
This one was actually very easy. Looking at the pcap from the first challenge, if you search for the string “password” you will get to frame 1109; do a Follow TCP Stream and you will see a remote Windows session (probably using the malware mentioned in the first answer) with the following passwords being edited with the Windows tool WCE.EXE (Windows Credentials Editor):


Using the password “iamnumbersix” gives you the answer to this challenge.

5. The last challenge!!!
You need to combine the files from the level 3 of each challenge:
First File
Second File
Third File
Fourth File

I couldn’t figure out what those files were until I re-read the final challenge, the one giving you file 4…
It said at the end:
Remember what comes first as you proceed, though: “Mister Donut Always Delivers Muffins”

If you take the initials, MDADM, and google them, you get information about a Linux RAID tool.
After much googling I found the following:
#mdadm --examine file1 file2 file3 file4
will show you that those files are part of a RAID 0 made of 4 files.
But you can’t assemble them because they are not “block devices”.
This is where losetup can help…
#losetup -f
will show you your next free loop device… it should say loop0
#losetup -f file1
#losetup -f file2
#losetup -f file3
#losetup -f file4
This should have created /dev/loop0, /dev/loop1, /dev/loop2 and /dev/loop3.
Type the following command to get a list of the loop devices and what they map to (your file1-4):
#losetup -a

Now let’s use mdadm (I chose /dev/md4 but you can choose whatever md# you want):

#mdadm --create --verbose /dev/md4 --level=0 --raid-devices=4 /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3

It may ask you to confirm, so say yes.
Then do:
#mkdir /mnt/winner
#mount /dev/md4 /mnt/winner

Go into the /mnt/winner directory and bingo!! You have recovered the files, in particular a winner.7z file…
It is encrypted, but just read the text file and you will get the password.
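mdadm and losetup need root and real (loop) block devices. To show what RAID 0 actually does with the bytes, here is an added example in Python, not from the original write-up, that reassembles striped member files in software: chunk 0 comes from member 0, chunk 1 from member 1, and so on round-robin, after skipping the md metadata at the start of each member. The member images it uses are constructed inline with a fake 32-byte superblock; with real files you would take the chunk size, data offset and member order from mdadm --examine (its Chunk Size, Data Offset in 512-byte sectors, and Device Role fields). Two practical notes on the mdadm route above: --create rewrites the member superblocks, which is why mdadm asks you to confirm, whereas mdadm --assemble reuses the existing ones; and losetup -r attaches the loop devices read-only, so the original files cannot be modified by accident.

```python
def stripe(data: bytes, members: int, chunk: int) -> list:
    """Lay data out the way RAID-0 (striping) does: chunk 0 goes to member 0,
    chunk 1 to member 1, ..., then round-robin again. Used here only to build
    test images; mdadm does this on a real array."""
    parts = [bytearray() for _ in range(members)]
    for i in range(0, len(data), chunk):
        parts[(i // chunk) % members] += data[i:i + chunk]
    return [bytes(p) for p in parts]


def assemble(members, chunk: int, data_offset: int = 0) -> bytes:
    """Rebuild the logical volume from RAID-0 member images, in software.

    members:     member images in array order (Device Role 0, 1, 2, ... from
                 `mdadm --examine`); order and count must match the array.
    chunk:       the array's chunk size in bytes ("Chunk Size" in --examine).
    data_offset: bytes to skip at the start of each member, where the md
                 superblock and bitmap live ("Data Offset" in --examine is
                 given in 512-byte sectors, so multiply by 512).
    """
    bodies = [m[data_offset:] for m in members]
    out, k = bytearray(), 0
    while True:
        body = bodies[k % len(bodies)]
        at = (k // len(bodies)) * chunk
        piece = body[at:at + chunk]
        if not piece:           # first exhausted member marks the end of the data
            break
        out += piece
        k += 1
    return bytes(out)


def build_sample_members(payload: bytes, members: int = 4, chunk: int = 64,
                         data_offset: int = 32) -> list:
    """Constructed member images: a fake 32-byte superblock in front of each
    member's stripes, standing in for real md metadata (not mdadm output)."""
    fake_superblock = b'FAKE-MD-SUPERBLOCK-FOR-DEMO-ONLY'   # exactly 32 bytes
    assert len(fake_superblock) == data_offset
    return [fake_superblock + m for m in stripe(payload, members, chunk)]


# Constructed payload, 808 bytes: not a multiple of the chunk size, so the
# last stripe is partial and only some members receive a piece of it.
SAMPLE_PAYLOAD = (b'winner.7z\x00' + bytes(range(256)) * 3
                  + b'\x00password is in the text file\n')


if __name__ == '__main__':
    imgs = build_sample_members(SAMPLE_PAYLOAD)
    print(assemble(imgs, chunk=64, data_offset=32) == SAMPLE_PAYLOAD)        # True
    print(assemble(imgs[::-1], chunk=64, data_offset=32) == SAMPLE_PAYLOAD)  # False: wrong member order
```

The two negative cases in the main block are the ones that bite in practice: the wrong member order or the wrong chunk size produces an image that mounts badly or not at all, and forgetting the data offset puts superblock bytes where the filesystem header should be.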

Dear sir, madam, thank you very much indeed for this very nice series of challenges!
Until the next time!
Good night!

BlackHat Europe 2014 – Some Highlights

Hacking conferences are a great way to learn the latest hacking techniques and more underground ways of thinking about IT security. They nicely complement more corporate security training courses such as the ones offered by SANS.

They tend to be more chaotic, the talks are not as polished, some of the techniques discussed will have limited effect in the real world, and connecting to the event Wi-Fi is asking for trouble.
On the other hand, the atmosphere is buzzing with brain activity, convictions (right or wrong!), passion and cutting-edge topics. If you can follow the rhythm and embrace the moment then you will come out of this type of conference energised and full of new ideas!

This year I attended the “Nuit du Hack” in France, which runs over 24h, literally. You get some talks during the day; there is only 1 track so you get to watch/listen to all the talks. And during the night there is a traditional Capture The Flag event with some great questions!

I also attended BlackHat Europe in Amsterdam earlier this month. This was my first BlackHat and I really enjoyed it, even though I was not expecting it to be so “corporate”.
Below are some highlights of the sessions I attended; I hope you find them useful.

    Adi Shamir, the “S” in RSA, spoke about recent research he presented at a previous conference on a new type of power analysis to extract RSA keys via Low-Bandwidth Acoustic Cryptanalysis. In other words, using the microphone of a mobile phone located next to a targeted laptop and listening to the laptop’s “electrical humming” to detect power consumption variations when processing an RSA key, and eventually deriving the original RSA key from the noise!
    The main topic he presented at this year’s BHE was a practical example of how to communicate with an air-gapped network, similar to those used in highly secure environments (i.e.: military). The restriction of the experiment was to only use unaltered hardware and to, somehow, get malware onto one of the machines. The idea seems to be that installing malware would be easier than a hardware Trojan kit. Although the demonstration was impressive, because it showed a command and control communication experiment working over 1km, it was also somewhat disappointing because of all the “IFs” such an attack needs to succeed:
    – IF there is an all in one (AIO) printer;
    – IF the infected malware can communicate to the AIO device and control its scanning capability;
    – IF the AIO lid is left open or IF a heavy document is scanned (i.e.: a book);
    – IF the AIO is next to a window;
    – IF the window is left open;
    – IF there is a direct line of sight to that window;
    – IF the room is dark;
    – IF no one notices the AIO scanning happening automatically;
    Then, it is possible to send a coded message through a laser beam from a long distance (i.e. over 1km) to the AIO printer, get the malware to interpret this “light Morse code” and act accordingly, such as executing a command.
    Such an attack is technically impressive, and it has the merit of highlighting the need to carefully consider the physical security aspects of an air-gapped network, not just its logical ones.
    The presentation highlighted the risks related to the current standard implemented in cellular basebands, which are the components used to interface with mobile phone carriers. Basebands operate at a lower level and are not controlled by the Operating System (OS), thus allowing mobile phone carriers to control devices attached to their cellular network and bypass security controls implemented by the phones’ OS (i.e.: iOS, Android, etc).
    The current standard is called OMA Device Management v1.2.1 (OMA-DM) and is on over 2 billion cellular devices. Most OMA-DM clients use the SyncML Reference Toolkit, which has an open source unrestrictive license and was originally only meant to be used as a proof of concept, last updated in 2004. One SyncML client vendor currently has nearly complete market dominance: RedBend. This vendor provides software called vDirect Mobile (vDM versions 4 and 5 are in use today). Clients are typically provided as a binary blob to OEMs (baseband manufacturers included). This means phone manufacturers such as HTC or Samsung may not be fully aware of what functionality is included in their phone basebands.
    OMA-DM security is flawed and its authentication control can be broken. Furthermore, it is possible to create rogue cellular towers using OpenBTS/BSC devices such as the NanoBTS or USRP B210, or femtocells. Such cellular towers give a potential attacker full control over the neighbouring 2.5G GSM network, which can also be leveraged to attack LTE GSM/LTE CDMA devices by downgrading their connection to 2.5G (see 4.5). The following commands can be executed:
    – Install and manage firmware updates OTA
    – Lock, factory reset, wipe, power cycle
    – Manage device functionality such as encryption settings, camera control, GPS, etc.
    – Manage and monitor battery status, memory usage, process list, etc.
    – Ability to remotely install, remove, activate, deactivate software applications.
    This standard is currently used as follows:
    – iOS: Only in the US at the moment (Sprint)
    – Android: Worldwide (Most Major)
    – Blackberry: Only in the US at the moment (Most Major)
    – Windows Mobile: Worldwide (Some Major)
    – Cellular Hotspots: Worldwide (Most Major)
    – Vehicles: Worldwide (Most Major)

    This presentation made the BBC headline on the day:

    Although the talk focused on the electrical smart meters used in Spain to control homes’ electricity (usage, on, off, etc.), the same technology might be used in other parts of the world for similar or other smart-meter purposes.
    The two researchers explained how they managed to reverse engineer the different commands understood by those devices, break the encryption, confirm the “secret” key used to authenticate to the devices was common to all them (hardcoded) and that their own smart meter could be used as an entry point in the electrical network.
    It meant it was possible for them to control all their neighbours’ access to electricity!

    Balint Seeber gave a very interesting presentation on the diverse wireless technologies his company/hardware can interact with (monitor/hack): Restaurant Pagers, RDS TMC, Radar, RFID and even technology used by NASA space probes. In all cases he was able to intercept and communicate with the targeted devices. He also did a live demonstration of a Rogue GSM network running on an upcoming hardware (USRP E310) that will be available in a couple of months. Anyone could connect to a “local” China Mobile network, get a phone number assigned and send/receive SMS as well as making mobile phone calls with anyone using that GSM network.
    This provided a very practical way to create a rogue GSM network and brought the risks highlighted in a previous related talk to reality (See 4.2).
    It was also amazing to hear the story of how NASA allowed him to interact with a lost “space probe” when it came back near Earth!

    The first part of the presentation discussed the fact firmware code may be re-used among different manufacturers, and with that, any security issues contained in that code might also be replicated. Furthermore, different vendors may use the same electronic components in different products; those components may have the same vulnerable Firmware. For example a Webcam from vendor X might have the same vulnerability as a different Webcam model from vendor Z. Unless you look for the same issue on both models such vulnerability might be left unknown to the public even though if you were to look at the component level it would be obvious.
    The second part of the presentation discussed the lack of a central repository for those issues and the fact that it is very hard to automate the study/detection of firmware issues. The team who presented are working on their PhD and have created a framework to automatically get firmware images from the web, filter for interesting files, analyse, unpack and check for vulnerabilities. They collected 800K files, analysed 32K and found 700 firmware files with vulnerabilities, which resulted in 38 new CVEs.
    Although their work is great, its usefulness for the community is very limited as they do not share their detailed results with anyone!

    The creator of a tool called peepdf, used to analyse and create malware-based PDFs, provided an overview of how to use his tool, followed by a workshop to practise the techniques discussed.
    This session highlighted how surprisingly easy it is to create complex embedded malware within PDF which could evade Anti-Virus detection and provide an efficient way to deliver malware to a victim. The tool also provides a great framework for analysing malware within PDF files.

    FakeNet is a software currently running on Windows XP that can intercept all network traffic initiated from that host and respond to network queries with fake answers (HTTP, FTP, Telnet requests, etc). It also provides a framework to monitor the different host processes to analyse malware behaviours when they can successfully “call home”.
    Although it currently only works on XP, the developers are planning to bring Windows 7 and 8 support shortly. They also announced the release of their version 2.0, bringing better stability and a lot more functionality.
    The presentation was followed by a workshop where participants could try their software against real malware. Knowledge of the assembly language is a must to get the most value!

    Arnaud Soullie explained how many Programmable Logic Controllers (PLC) used in the energy industry have either no or weak security controls. Those PLCs, if compromised, can have consequences in the physical world, i.e.: lights, switches, valves can be turned on/off or their status changed.
    This is mainly because those PLCs were designed to operate in a segregated and safe environment where security was not considered an issue. However, such environments are now increasingly interconnected with companies’ Intranet and even the Internet in some cases (intentionally or not).
    During a live demonstration, Arnaud scanned for Internet-facing PLCs and found 100 of them. Those PLCs can be modified/turned off by anyone on the Internet.
    The second part of this session was a workshop where participants were taught how to control and attack a type of PLC commonly used by electrical companies, by practising against a live environment set up for the presentation. This escalated into a “cyberwar” between two “unknown” participants to control a set of traffic lights, one fighting to keep the lights off and one to keep them on. I won ☺


    Team T5 explained how rootkits on Mac currently have limited success, specifically the most popular Mac OS X rootkit, called Rubilyn, which hasn’t been updated in a while and can now be easily detected by security tools such as Volatility. However, this does not have to be the case, and many techniques used in Windows to evade rootkit detection could be re-used on the Mac. They demonstrated a new rootkit framework they created that can evade detection even on the latest Mac OS X 10.10. They have also announced a piece of software called System Virginity Verifier (SVV-X) to check for Mac OS X security issues.

iOS Backdoors

In the last few days there has been increasing noise about some iOS backdoors. Apple does not deny they exist, but contests how they can be used.

This is not new, and the security researcher who presented his findings did highlight that; it is likely related to methods used by certain forensic software sold to law enforcement.
What is “concerning” is the following:
– These backdoors are actively maintained and developed by Apple, how much more data will they allow to be extracted from iOS device in future;
– Those backdoors provide access to SMS, contacts and other potentially sensitive data on the phone; they also allow full disk encryption to be bypassed. This highlights the fact that unless your phone is off, the data on your phone is no longer encrypted per se, but only protected by access control (PIN);
– If it can be used by law enforcement, it can be used by “greyer” parties too

A few links to get further:
Summary of this story

Zdziarski presentation, detailed and very informative

Apple response, not surprising and not really addressing the points of concern

Critical Infrastructure and Cyber attacks

I recently came across an article in a UK newspaper, the Guardian, about Mr Kaspersky predicting a riot. Well, not exactly. He is predicting a major cyber terrorist attack on UK soil which will disrupt major critical infrastructure.

I find this interesting, not because it is new, it isn’t. I find it interesting because there has been increasing media visibility and attention to this topic in the last few years. By the way, I am also a big believer in “it will happen soon”. The internet of things is not a secure affair.

And I also find it quite a coincidence that Mr Kaspersky is warning us about a real-life Die Hard 4 risk scenario, as only yesterday I came across the following article:

Where someone is about to demonstrate at an upcoming conference, in detail, how to disrupt the traffic light system used in many countries. Something he has confirmed works, and I would be surprised if he doesn’t get into trouble very soon!

The concept of the conference itself is interesting: Infiltrate 2014. No vendors, you do not wear a tag, no photographs, no video, etc.

(but then, they have videos of past conference talks…)

Heartbleed, do not panic!

The security issue related to OpenSSL has been all over the news in the last couple of days.

It is indeed a very bad issue, one that can let an attacker access the login details, including passwords, of registered users of vulnerable websites/servers. Yahoo Mail was one of those sites… out of nearly a million others!

This vulnerability has been around for 2 years; it affects servers using OpenSSL 1.0.1 through 1.0.1f (inclusive).

Those servers could be running consumer websites or other applications. For example, the Network Security Monitoring suite Security Onion was vulnerable until yesterday, when a security fix/update was released. The same applies to the penetration testing platform Kali 1.06, which was vulnerable until today!

If those applications/environments were internet facing, userids and passwords may have been compromised in the last 2 years.

This issue allows the attacker to access the memory of a vulnerable server, which means that unless you have logged on recently to that server your credentials are unlikely to be in its memory. Although we don’t know who knew about the issue before, now everyone knows! And a lot of people now have access to exploits to leverage this issue.

What does it mean?
It means that by blindly changing your passwords on all the websites you have registered in the past, you might end up making it worse for yourself!

Indeed, if the servers you are changing your credentials on are still vulnerable, all you would be doing is loading your shiny new passwords into the servers’ memory waiting to be hacked!

Therefore you should only change your passwords on servers/websites that are no longer vulnerable. To find out, you can ask the relevant webmaster or use one of the online checks/scripts available in the following links:

Heartbleed information website
Tidbits article discussing the impacts (not just for mac users)

And if you own such servers and have access to its command prompt, a simple “openssl version” should give you the version you are running.
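Checking the output of openssl version against that range is simple, but the version letter alone can mislead: Debian and Ubuntu shipped the fix as a backport without changing the version string, so a build reporting 1.0.1e may already be patched. The script below is an added example (not from the original post): it parses the version and, from openssl version -a output, the build date, and only declares a binary definitely vulnerable when its version is in the affected range and it was built before the fix was published on 7 April 2014. The 1.0.2-beta1 case comes from the OpenSSL advisory rather than from the post, and the sample outputs fed to it are constructed.

```python
import re
from datetime import date

# The upstream fix (OpenSSL 1.0.1g) was released on this day; a binary built
# earlier cannot contain it, whatever its distribution package claims.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)
_MONTHS = {m: i for i, m in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], 1)}

NOT_AFFECTED = 'not affected'
VULNERABLE = 'vulnerable: built before the fix existed'
POSSIBLY = 'possibly vulnerable: version in range, check distro patch level or rebuild date'


def parse_version(text: str):
    """Extract ('1.0.1', 'e', '') from a line such as 'OpenSSL 1.0.1e 11 Feb 2013',
    or ('1.0.2', '', '-beta1') from 'OpenSSL 1.0.2-beta1 ...'."""
    m = re.search(r'OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?', text)
    if not m:
        raise ValueError('no OpenSSL version found in: %r' % text)
    return m.group(1), m.group(2), m.group(3) or ''


def upstream_vulnerable(text: str) -> bool:
    """True for the releases the OpenSSL advisory lists as affected:
    1.0.1 up to and including 1.0.1f, plus the 1.0.2-beta1 pre-release."""
    base, letter, beta = parse_version(text)
    if base == '1.0.1' and not beta:
        return letter <= 'f'          # '' (plain 1.0.1) through 'f'; 'g' is the fix
    return base == '1.0.2' and beta == '-beta1'


def parse_build_date(text: str):
    """Pull the build date out of `openssl version -a` (or -b) output, e.g.
    'built on: Mon Apr  7 20:33:29 UTC 2014' -> date(2014, 4, 7). Returns None
    if the line is absent, as with plain `openssl version`."""
    m = re.search(r'built on: \w{3} (\w{3}) +(\d{1,2}) \d\d:\d\d:\d\d (?:\w+ )?(\d{4})', text)
    if not m:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def assess(output: str) -> str:
    """Classify `openssl version -a` output into one of the three verdicts above.

    A version outside the affected range is safe from this bug. A version inside
    it is only proven vulnerable by a build date before the fix; otherwise the
    distribution may have backported the fix, so the package changelog decides.
    """
    if not upstream_vulnerable(output):
        return NOT_AFFECTED
    built = parse_build_date(output)
    if built is not None and built < HEARTBLEED_FIX_DATE:
        return VULNERABLE
    return POSSIBLY


if __name__ == '__main__':
    # Constructed sample outputs, not taken from any real host.
    for sample in ('OpenSSL 1.0.1g 7 Apr 2014',
                   'OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 15:26:33 UTC 2013',
                   'OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 07:13:21 UTC 2014'):
        print(sample.splitlines()[0], '->', assess(sample))
```

On a real host, run openssl version -a and pipe it into assess(); a “possibly vulnerable” verdict on a distribution build is resolved by reading the package changelog, not by the version letter.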

Below is a link to a first hand account as to how it was discovered and fixed in one company, it is a great story with great insight:

A day we won’t forget

What is important though, is not to panic. Stay calm, and carry on! You should soon receive emails from a lot of websites telling you they have patched their system and recommend you reset your password.

Along with those genuine emails, you can expect a lot of spam emails so it is even more important to take your time and check those “reset password links”.

EDIT – 11th of April:
As discussed in the link below, it is interesting to note this vulnerability is also impacting client applications using openssl to protect their connection. We have yet to see the full impact this issue will have for both servers and clients!

Sourcefire Article on OpenSSL clients impact

Also, as usual, xkcd has produced a great comic describing the issue :)

Heartbleed Explained


Bluetooth under attack

I have heard of Ubertooth for a while now, and it seems its use to attack Bluetooth devices keeps growing. One recent attack, described HERE, can leverage the Ubertooth sniffing capability to crack the encryption algorithm used by the Bluetooth Low Energy (BLE) standard. BLE is also referred to as Bluetooth Smart.


Sure, BLE/Bluetooth Smart is different from Bluetooth, but it is supported by most recent mobile devices (i.e.: the latest iPads and iPhones as well as some Android devices), and will be increasingly used in “smart” appliances, from toothbrushes to fridges if you believe this ARTICLE.

Nonetheless, if you were not convinced before that Ubertooth was a very useful piece of kit, you should reconsider. Bluetooth is a technology that hasn’t seen many successful attacks until now, mainly because the attack vectors were limited to expensive kit or dark magic knowledge. This may be about to change, and it is as much a good thing for driving better security as it is worrying for the integrity of all the accessories and smart devices we use every day.

Apple Security in the Enterprise

There is a good document from the UK government describing the different security features available in Apple Mac OS X 10.8 and the ones you should consider if using a Mac as an enterprise end point:

OS X 10.8 UK Gov security guidance document.

In light of all the noise created by the NSA and GCHQ surveillance programs you might be tempted to dismiss governments’ position and view when it comes to IT Security. However, I found that document quite good and high level enough to be understood by mid-level management at least :)

They do refer to an MDM solution for some of the controls without specifying which one, so I assume they are referring to an OS X Server Profile Manager solution as described by Apple HERE.

A new look

It seems I refresh the look of this website every 3 years, and 3 years was up, so here is the new look :)

I decided to go with a slick, low maintenance theme.

It has also been a few months since I updated this website, hopefully this should change soon!

Using a phone as a keylogger, next it will be a smartwatch!

There is an interesting paper from Georgia Tech College describing a clever proof of concept where a phone is used to eavesdrop on keystrokes.
This is done by leveraging the phone motion sensor capability and placing it next to a keyboard. They managed to create a dictionary of words/vibrations that is able to recognise words typed on a keyboard just by analysing the vibrations made from typing.
Of course, you are likely to notice someone else’s phone sitting next to your keyboard, but what if your phone got hacked and that software was loaded onto it?

They conducted their proof of concept on an iPhone 4 but this is likely to be also possible on other platforms/devices.

In fact, with upcoming smart watches this concept will be even more relevant! Now I can see a use for that Apple M7 chip! ;)

As I am typing this note, my phone is next to my keyboard. Maybe I should move it away…

New iPhone 5S Fingerprint reader, a step in the right direction!

Apple has just announced two new models of iPhones, one of them is the iPhone 5S which comes with a fingerprint reader. Like others I believe this is no silver bullet, but it is a step in the right direction in terms of helping the masses to secure their iPhones.

There are two main areas of potential security failures:
– Fingerprints can be copied, and once compromised you can’t “change” them for new ones;
– The fingerprint reader’s security implementation will be very important; any defects or flaws could be exploited to gain unauthorised access.

Apple may not be the first company to embed a fingerprint reader in their phones, but as it did for tablets and smartphones, it will be the company that popularises its usage and sets the direction for others to follow. This is likely to be emulated and we will probably soon see fingerprint readers everywhere.
Because it is actually a very convenient way to unlock/authenticate, it is very user-friendly if done right and somewhat secure/unique (as long as the fingerprints are not compromised). It means users will love it, and prefer that way of authenticating over having to remember a very long password, or a different one for each system they need to authenticate to. It makes sense for some kind of password safe to be released at some point, either by Apple or a 3rd party, that would leverage the fingerprint reader to authenticate users to all their systems. In the background you would still be using long, random and unique passwords, but as a user all you would be asked for is to select which website/system you want to sign on to and to authenticate with your fingerprint, so it retrieves that secret password for you and uses it to log you in.

All this is great, and I would love to use such a system. But as fingerprint readers become more and more popular and especially more and more available, so will be the points of failure…
If every device has a fingerprint “read-er”, every device could also act as a fingerprint “captur-er”!
And your precious fingerprints could be compromised through malware or social engineering by leveraging features like guest access, micro-payments, fun apps that pretend to predict your future by reading the shape of your fingerprints, etc.

More importantly, due to the very nature of today’s smartphones, which use “touch technology”, users’ fingerprints will be left all over the device’s touch screen. It means that if someone steals your smartphone, they also steal the very information they need to gain access: your fingerprints. The challenge then becomes “lifting” those fingerprints from the touch screen to re-use them.

Also, the more popular fingerprint readers become, the more embedded their usage will be in how the masses authenticate to different systems. It means it will be increasingly attractive for attackers to target such means of authentication. There is already a hacking challenge that will do just that: Hackers iPhone5s bounty.

What Apple has just done is provide an answer to a problem people are increasingly aware of: protecting your password whilst making it simpler to authenticate in the process. This is bound to catch on.

To conclude, in the short term this will be a huge security step up for most people, “normal” people who do not handle state/corporate secrets. In the medium to long term, this may actually backfire, because a fingerprint alone is no security silver bullet. However, combining fingerprint authentication with more traditional mechanisms such as passcodes or passwords might actually provide extra security through embedded two-factor authentication.

Nonetheless, well done Apple for aiming in the right direction!