Sasquatch for Ubuntu

Share

I am an avid user of binwalk since it automates the initial reverse engineering work. It identifies the compression, if any, and file format of a given firmware fairly easily once you take care of the false positives.

Last week I built a virtual machine (VM) using a minimal install of Xubuntu Linux. My last Debian-based VM had become bloated and slow, so it was time to clean up. Surprisingly, I couldn’t get Sasquatch to compile for Ubuntu. Sasquatch is a helper tool for non-standard Squash file systems,  rampant in the Internet-of-Things (IoT) realm. It seems the patches made for squashfs 4.3 just won’t compile under Ubuntu Linux, likely due to the liblzma library included in the operating system.

Trying to fix the patches soon led to endless sequence of additional compiling errors, so I took the easy way out: compiled Sasquatch on Debian and just used the binary in by Xubuntu VM. It worked!

Anyone in the same situation can download the pre-compiled Sasquatch binary here. Happy reverse engineering!

Remembering the ‘Stakkato’ Hacks

Share

Philip Gabriel Pettersson, best known by the pseudonym of “Stakkato” can be said to have reached legendary status within the computer security community by his numerous successful breaches of high-level targets between 2003 and 2005. Then a 16 year-old hacker from Uppsala, Sweden, he successfully infiltrated systems of large universities, the United States military, NASA and various companies, forming a worldwide network within which he operated for around 2 years before being caught in 2005 and prosecuted by Swedish authorities. This post revisits the story of Stakkato by reviewing his motivation, techniques and exploits and potentially unearth some lessons learned from these events.

Bored Teenagers

Uppsala is the fourth largest city of Sweden and is situated around 70km north of the capital. In 2003, one of its curious and smart teenager went on to challenge himself by exploring – illegally – the digital environment surrounding the city. Some of us might remember the old definition of a “hacker”, as defined by The Mentor’s manifesto [1]. Back in 2003, owning a computer was still not totally commonplace, although it was a lot more than it in 1995. Only teenagers with a certain sense of interest and curiosity about technology would consider spending most of their time on their machines. In my corner of the world, in the 90s, computer science classes were nothing more than learning to type, using word processors and creating spreadsheets. I am sure I was not the only one in the same situation and some readers may remember the frustration of not being able to pursue their hobby in depth while in school. So we spent most the classes programming VBA games or spamming other students using WinPopup to have them call out the teacher, who would struggle to explain the innocuous messages on the screen. Only at night could we connect to the net, login into our favorite BBS, IRC channels or forums to finally learn more. Virtualization was not a thing back in the early 2000s, internet connections were still slow and owning more than 1 computer was a luxury most couldn’t afford. A solution was dumpster diving around computer shops – which were aplenty compared to nowadays – or browsing eBay for scraps. Another one was to poke around systems connected to the internet. Universities were of course perfect targets – opened, poorly secured (in order to be opened) and rich with systems, software and data.

Why am I rambling about the past? Because in many ways, Stakkato may have been the same teenager than many of us were back then, but his cockiness eventually got the better of him and caused his demise. Some even proposed that by 2005, he may have attempted to venture into criminal activities by selling stolen intellectual property. In any case, let’s explore briefly his story, because I believe many who now heads IT security companies, or experts and researchers in the field all shared the same starting point, but fortunately took a different path at some point.

The Stakkato Hacks

The first suspicions of wrongdoing were noticed in 2004. Berkeley researcher Wren Montgomery started receiving email from Stakkato [2], claiming that not only did he infiltrated her university, but that he also accessed the network of White Sands Missile Range in New Mexico, stole F-18 blueprints from Patuxent River Naval Air Station and infiltrated NASA’s Jet Propulsion Laboratory (JPL) – which to be honest, have been hacked by many in the past decade [3][4][5], almost making it an initial test for debuting hackers. These claims were later confirmed by spokesmen from both organizations. They however downplayed the importance of these breaches, claiming that there were low-level breaches and that only weather information was exfiltrated. Later during the year, several laboratories harboring supercomputers connected via the high-speed network TeraGrid reported breaches. However it was only in 2005, with the intrusion in networking company Cisco Systems, that would trigger alerts from authorities and proved to be a bridge too far. Having established a foothold within Cisco, Stakkato was able to locate and download around 800MB of source code of the Internetwork Operating System (IOS) version 12.3 [6]. IOS runs on every Cisco routers and other networking devices which are often key network component of not only large commercial and governmental organizations, but also of the worldwide telecommunication infrastructure. Samples of the code was released on IRC as proof and reported by a Russian security site. The theft of the code caused a stir, many believing that individuals or groups would comb the code and craft zero-day exploits that could be leveraged on critical systems.

This activity would prove the last Stakkato and his team would be able to brag about as the Federal Bureau of Investigation (FBI) and the Swedish authorities started to investigate the leaks. In 2007, he was convicted for breaching networks Swedish universities and paid 25,000$USD in damages. He was further interviewed by U.S. officials [7] and in May 2009, he was formally inducted in California for intrusions in Cisco Systems, NASA’s Ames Research Center and NASA’s Advanced Supercomputing Division [8]. In 2010 his prosecution was transferred to the Swedish authorities.

The Tactics

The core strategy of Stakkato revolved around a trojanized SSH client he uploaded to systems he compromised. The malicious client would be used to intercept users’ credentials and send them to a third location where Stakkato and his group would retrieve them to access additional systems. Once accessed, Linux kernel exploits were used for privilege escalation on the local system and then repeated their main tactic, creating privileged accounts and eventually building a wide network of proxies to launch their attacks. The attack on the National Supercomputer Centre [9] provides insight on the tactics and size of the compromises. The methodology used was not innovative by any mean, but was applied effectively and certainly leveraged human errors to its full extend. The process can be summarized as follow:

  1. Infiltrate a system via a kernel vulnerability or stolen credentials;
  2. Disable command history, e.g prevent the system from logging your commands;
  3. Attempt privilege escalation;
  4. Setup trojanized SSH clients, backdoors and rootkits;
  5. Extract known hosts from current machine;
  6. Attempt to infiltrate extracted hosts as per step 1.

The analysts of the NSC documented logins from universities the United States, Israel and Sweden and referenced the SuckIt rootkit [10] as being installed on one of the target machine. Unfortunately for the administrators, the rootkit was discovered only after a new root password was assigned to all machines, allowing the attackers to re-infiltrate the newly cleared systems. However this time the Swedish teenager was a lot less subtle and vandalized the systems by attempting a web defacement and modifying logon messages. This time the IT specialists took down the network, inspected and reconfigured every machine before putting the system back online. Despite the defensive operation, recurring login attempts and smaller-scale compromised originating from more than 50 compromised organizations were noted between 2003 and 2005.

Lessons Learned

This story follows the same pattern observed throughout the ages, such as sprawling empires from ancient times in which the rulers’ overconfidence led them to bankruptcy, or growing organizations that stretched into markets that proved more difficult than expected. Stakkato’s network of compromised systems grew too large, he became overconfident and tempted the sleeping bears. In other words, patience may have led him to a very different path. Or maybe his arrest was for the best afterall: there is little news about him past 2010, but coincidently there is a security researcher working in Samsun bearing the same name and credited multiple vulnerabilities in the Linux kernel [11][12]. While I have no idea if this is the same individual, I would be glad to hear that he now uses his skills fruitfully.

Arguably another lesson is how simple tricks can still work if applied efficiently. All things considered, security hasn’t changed dramatically within the past 10-15 years: it has evolved, but in the end, we still rely on usernames and passwords, users’ awareness and administrators properly maintaining their networks and hosts. Humans using these systems haven’t changed much either; we will take the simplest approach to achieve our goals. Hence we select the easiest password passing the complexity filters in place and reuse it [13] so we don’t have to remember 100 variations of the same password. Large database compromises in the past few years appears to prove this behavior. We could have many passwords and store them in password managers, but then the password managers can still be trojanized or exploited [14], allowing similar tactics used by Stakkato. Eventually most people would probably not bother to execute an additional program to retrieve their password in order to login in the service they need; it simply adds an additional step.

Conclusion

Studying the past of computer security is sometimes quickly dismissed, often seen as irrelevant given the change in technologies, but one can easily find inspiration in the stories of hackers, malware writers and the analysts that battled to gain and maintain control of systems. Much like studying the battles of Alexander the Great or Patton, there is much to be learned from studying the techniques used and wargaming their applications in modern organizations. Would the current administrators blindly enter their passwords if a windows suddenly popped up requesting their credential for some update? Users still get fooled by fake login web pages [15] and end up with their bank accounts plundered or their Twitter account spewing nonsense to all their followers. It still works.

Obligatory XKCD

References

[1]    “Phrack Magazine” [Online]. Available: http://phrack.org/issues/7/3.html. [Accessed: 05-Nov-2016].

[2]    J. M. L. Bergman, “Internet Attack Called Broad and Long Lasting by Investigators,” The New York Times, 10-May-2005. [Online]. Available: http://www.nytimes.com/2005/05/10/technology/internet-attack-called-broad-and-long-lasting-by-investigators.html. [Accessed: 02-Nov-2016].

[3]    K. Zetter, “Report: Hackers Seized Control of Computers in NASA’s Jet Propulsion Lab,” WIRED, 01-Mar-2012. [Online]. Available: https://www.wired.com/2012/03/jet-propulsion-lab-hacked/. [Accessed: 04-Nov-2016].

[4]    “Hacker Sentenced in New York City for Hacking into Two NASA Jet Propulsion Lab Computers Located in Pasadena, California (September 5, 2001).” [Online]. Available: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2005/gascaConviction.htm. [Accessed: 04-Nov-2016].

[5]    “Hackers penetrated NASA computers 13 times last year,” USATODAY.COM, 02-Mar-2012. [Online]. Available: http://content.usatoday.com/communities/ondeadline/post/2012/03/hackers-penetrated-nasa-computers-13-times-last-year/1. [Accessed: 04-Nov-2016].

[6]    “Sweden to prosecute alleged Cisco, NASA hacker.” [Online]. Available: http://www.theregister.co.uk/2010/02/08/swedish_hacker_prosecution/. [Accessed: 04-Nov-2016].

[7]    D. Kravets, “Swede Indicted for NASA, Cisco Hacks,” WIRED, 05-May-2009. [Online]. Available: https://www.wired.com/2009/05/swede-indicted-for-nasa-cisco-hacks/. [Accessed: 03-Nov-2016].

[8]    United States of America v. Philip Gabriel Pettersson aka “Stakkato.” 2009.

[9]    L. Nixon, “The Stakkato Intrusions: What happened and what have we learned?,” presented at the CCGrid06, Singapore, Singapore, 17-May-2006.

[10]    D. Sd, “Linux on-the-fly kernel patching wihtout LKM,” Phrack, no. 58, Dec. 2001.

[11]    P. Pettersson, “oss-sec: CVE-2015-1328: incorrect permission checks in overlayfs, ubuntu local root.” [Online]. Available: http://seclists.org/oss-sec/2015/q2/717. [Accessed: 05-Nov-2016].

[12]    “Linux Kernel ’crypto/asymmetric_keys/public_key.c ‘ Local Denial of Service Vulnerability.” [Online]. Available: http://www.securityfocus.com/bid/81694. [Accessed: 05-Nov-2016].

[13]    T. Spring and M. Mimoso, “No Simple Fix for Password Reuse,” Threatpost | The first stop for security news, 08-Jun-2016. [Online]. Available: https://threatpost.com/no-simple-fix-for-password-reuse/118536/. [Accessed: 04-Nov-2016].

[14]    “How I made LastPass give me all your passwords.” [Online]. Available: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/. [Accessed: 05-Nov-2016].

[15]    Bursztein, Elie, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, and Stefan Savage, “Handcrafted fraud and extortion: Manual account hijacking in the wild,” in Proceedings of the 2014 Conference on Internet Measurement Conference, Vancouver, Canada, 2014, pp. 347–358.

The Syrian Civil Conflict in the Cyber Environment

Introduction

This is an article I wrote a while ago and never got published. It’s a bit outdated now, but I still think it can be useful for historical purposes, so I’ll post a link to it below.

Abstract

This document analyzes the use of the cyber environment in the Syrian civil war by both the population and the government in order to characterize online tactics and strategies developed and used by each belligerent. This overview allows for generalization of online behavior by hacktivists and nation-state sponsored actors on communication networks in the region, which will continue to see online attacks from various parties in the foreseeable future during similar conflict. In Syria, because of poor infrastructure, low rate of Internet penetration and early adoption of control mechanisms by the current government, the authorities had dominance over their information environment early in the conflict, enabling rapid gathering of intelligence on dissidents. While social medias were leveraged by the population as in many other uprisings for coordination, it was also the theater of multiple offensive cyber operations by internal and external groups, mostly for information operations purposes. Despite the high level of activity, none appeared to have a definitive impact on the ground. While events recorded in this space have not reached the level of intensity of other conflicts, it proves a useful model for similar conflicts in the Middle East region.

Reference:

Racicot, Jonathan, The Syrian Civil Conflict in the Cyber Environment, https://www.academia.edu/15182402/The_Syrian_Civil_Conflict_in_the_Cyber_Environment, last accessed 2015-09-03

The Past, Present and Future of Chinese Cyber Operations

China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.

Share

Out of nowhere, here’s an article I wrote for the Canadian Military Journal. China,  as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.

See the full article here: https://www.academia.edu/7633668/The_Past_Present_and_Future_of_Chinese_Cyber_Operations; or

here: http://www.journal.forces.gc.ca/vol14/no3/PDF/CMJ143Ep26.pdf

 

Phusking PhotoBucket and Other Pictures Sharing Sites

Fusking picture sharing sites in order to retrieve pictures from private album.

Share

It came to me while I was reading an article on Slashdot about sites popping up, offering the customer to hack into a Facebook, MySpace or other social site for 75$ to 100$. EWeek as a similar article[1]. Seems like those sites mostly use social engineering by sending grammatically deficient e-mail to the victim and somehow, still working most of the time. Most of the time, the goal is to get access to private pictures or information. Hacking Facebook and MySpace accounts is the new “How do I hack Hotmail accounts” of the decade. Just search Google for “facebook hacking service” and plenty of website will be returned.

Same thing with pictures from services like PhotoBucket or Flickr and such. Getting pictures from private albums is much more easier thought and is done thru fusking. The goal is simply to access directly pictures from the private album by guessing the filename of the picture.

As you might know, most cameras have a default naming convention, i.e DSC0001.jpg, Picture0001.jpg etc… (see then end of this article for a complete list) and humans, being lazy as they are, don’t bother renaming them. Since I believe that a example is the best way to learn than 30 pages of detailed explanation, here how it’s done.

Let’s create an account on PhotoBucket first. I used a username I always take everywhere, but it seems that Photobucket didn’t liked it:

PhotoBucket New Account Error
PhotoBucket didn't like me the first time...

Anyway, just deleting the Photobucket cookie solve the problem. Registered using brand new data. Small tips, if you are looking for zip code, try this page: Find A Zip, it has about every zip code for every town in the US (I haven’t verified but looks like it…).

Once in, I created a private album and put two pictures in it; one I renamed and the other I left with a camera default filename.

PhotoBucket Private Album Creation
Private album I created in Photobucket

I named one of those pictures DSC0005.jpg and the other an uncommon name:

PhotoBucket Private Pictures
Private pictures I put into my private album

The URL of my private album is

http://s991.photobucket.com/albums/af33/Cheetah897/Real%20Private%20Album/

The filename is

DSC0005.jpg

So just to try out the concept,  I signed out and look if, with the album’s URL and the filename, could access the picture. Oh ! Look at that:

PhotoBucket Private Picture Direct Link
Accessing a private picture thru a direct link

So you should be able to guess the rest from here. Nevertheless, there are tools out there to even do the guessing work for you. The one I will use is PHUSK. It’s especially done for PhotoBucket and is for Windows. This shouldn’t be hard to program for another website and another platform.

PHUSK 1.5 Main Window
PHUSK 1.5 Main Window

There is really not much to explain, just type the username of the victim and set up any properties you want (which are pretty much self explanatory). On the first try, it didn’t found any private album, so I had to specify it by selecting “advanced mode” which show this window:

PHUSK 1.5 Advanced Mode Windows
PHUSK 1.5 Advanced Mode Windows

Select “Add Album”, type the album name and then it will appear in the list of albums (which is ordered).

PHUSK 1.5 Add Album Name
PHUSK 1.5 Added Album Name in the List

Started PHUSK again and this time it found the private album, it will then try to brute force filenames, which might take a while.

PHUSK 1.5 Result Window
My private picture with a default filename has been found !

I changed the default lists to make it faster, otherwise it might take a long time (411 albums name X 439 filenames X ~9999 file numbers each…).

Here is a list of filenames used by PHUSK. This can be use to build your own list.

###.jpg Unknown-#.jpg Me.jpg
##.jpg Untitled-###.jpg ME.jpg
#.jpg Untitled-##.jpg mygirls.jpg
Picture###.jpg Untitled-#.jpg Mygirls.jpg
Picture##.jpg untitled-###.jpg MYGIRLS.jpg
Picture#.jpg untitled-##.jpg fine.jpg
Photo###.jpg untitled-#.jpg Fine.jpg
Photo##.jpg stuff###.jpg FINE.jpg
Photo#.jpg stuff##.jpg sexy.jpg
#####.jpg stuff#.jpg Sexy.jpg
####.jpg Stuff###.jpg SEXY.jpg
CIMG####.jpg Stuff##.jpg hot.jpg
CIMG####.JPG Stuff#.jpg Hot.jpg
DSCN####.jpg stuff-###.jpg HOT.jpg
PICT####.jpg stuff-##.jpg hott.jpg
DSC_####.jpg stuff-#.jpg Hott.jpg
DSC0####.jpg mycamerapics###.jpg HOTT.jpg
Image###.jpg mycamerapics##.jpg really.jpg
Image##.jpg mycamerapics#.jpg Really.jpg
Image##.JPG mypics###.jpg REALLY.jpg
Image#.jpg mypics##.jpg ass.jpg
PICT####.JPG mypics#.jpg Ass.jpg
IMG_####.jpg Misc-###.jpg ASS.jpg
_MG_####.jpg Misc-##.jpg bad.jpg
000_####.jpg Misc-#.jpg Bad.jpg
001_####.jpg misc###.jpg BAD.jpg
100_####.jpg misc##.jpg face.jpg
100-####.jpg misc#.jpg Face.jpg
100-####_IMG.jpg misc-new###.jpg FACE.jpg
101_####.jpg misc-new##.jpg page.jpg
101-####.jpg misc-new#.jpg Page.jpg
101-####_IMG.jpg New###.jpg PAGE.jpg
102_####.jpg New##.jpg tits.jpg
102-####.jpg New#.jpg Tits.jpg
102-####_IMG.jpg New-###.jpg TITS.jpg
103-####.jpg New-##.jpg boobs.jpg
103_####.jpg New-#.jpg Boobs.jpg
0##########.jpg new###.jpg BOOBS.jpg
1##########.jpg new##.jpg breasts.jpg
0########.jpg new#.jpg Breasts.jpg
1########.jpg new-###.jpg BREASTS.jpg
########.jpg new-##.jpg naughty.jpg
#######.jpg new-#.jpg Naughty.jpg
######.jpg Old###.jpg NAUGHTY.jpg
Cimg####.jpg Old##.jpg smile.jpg
DCAM####.jpg Old#.jpg Smile.jpg
DC####S.jpg old###.jpg SMILE.jpg
DCFN####.jpg old##.jpg light.jpg
DCP_####.jpg old#.jpg Light.jpg
DCP0####.jpg nude###.jpg LIGHT.jpg
dsc#####.jpg nude##.jpg kiss.jpg
DSC#####.jpg nude#.jpg Kiss.jpg
DSC####.jpg Nude###.jpg KISS.jpg
dsc0####.jpg Nude##.jpg kisses.jpg
DSCF####.jpg Nude#.jpg Kisses.jpg
DSCF####.JPG Sexy###.jpg KISSES.jpg
dscf####.jpg Sexy##.jpg muah.jpg
DSCI####.jpg Sexy#.jpg Muah.jpg
DSCI####.JPG sexy###.jpg MUAH.jpg
dscn####.jpg sexy##.jpg mwah.jpg
EX00####.jpg sexy#.jpg Mwah.jpg
HPIM####.jpg sexxy###.jpg MWAH.jpg
IM00####.jpg sexxy##.jpg drunk.jpg
IMAG####.jpg sexxy#.jpg Drunk.jpg
IMAGE_####.jpg pictures###.jpg DRUNK.jpg
IMAGE####.jpg pictures##.jpg drunken.jpg
IMG0####.jpg pictures#.jpg Drunken.jpg
IMG####.jpg Pictures###.jpg DRUNKEN.jpg
Img#####.jpg Pictures##.jpg sleep.jpg
IMG_00####.jpg Pictures#.jpg Sleep.jpg
IMG_#####.jpg sexypic###.jpg SLEEP.jpg
IMG_####.JPG sexypic##.jpg sleeping.jpg
IMGA####.JPG sexypic#.jpg Sleeping.jpg
IMGP####.JPG sexypics###.jpg SLEEPING.jpg
IMGP####.jpg sexypics##.jpg tongue.jpg
IMPG####.jpg sexypics#.jpg Tongue.jpg
KIF_####.jpg Smile###.jpg TONGUE.jpg
mvc#####.jpg Smile##.jpg cute.jpg
MVC0####.jpg Smile#.jpg Cute.jpg
MVC-####.jpg smile###.jpg CUTE.jpg
MYDC####.jpg smile##.jpg hehe.jpg
P00#####.jpg smile#.jpg Hehe.jpg
P10#####.jpg mirror###.jpg HEHE.jpg
P101####.jpg mirror##.jpg us.jpg
PC00####.jpg mirror#.jpg Us.jpg
PANA####.JPG single###.jpg US.jpg
PDR_####.JPG single##.jpg mesexy.jpg
PDR_####.jpg single#.jpg Mesexy.jpg
PDRM####.JPG Happy###.jpg MESEXY.jpg
PDRM####.jpg Happy##.jpg underwear.jpg
pdrm####.jpg Happy#.jpg Underwear.jpg
pict####.jpg happy###.jpg UNDERWEAR.jpg
Picture#####.jpg happy##.jpg thong.jpg
Picture####.jpg happy#.jpg Thong.jpg
Picture###-1.jpg picture###.jpg THONG.jpg
Picture##-1.jpg picture##.jpg panties.jpg
Picture#-1.jpg picture#.jpg Panties.jpg
Picture###-2.jpg cute###.jpg PANTIES.jpg
Picture##-2.jpg cute##.jpg bra.jpg
Picture#-2.jpg cute#.jpg Bra.jpg
Photo####.jpg xxx###.jpg BRA.jpg
Photo###-1.jpg xxx##.jpg costume.jpg
Photo##-1.jpg xxx#.jpg Costume.jpg
Photo#-1.jpg delete###.jpg COSTUME.jpg
S#######.jpg delete##.jpg heart.jpg
S######.jpg delete#.jpg Heart.jpg
S#####.jpg Halloween###.jpg HEART.jpg
S####.jpg Halloween##.jpg bed.jpg
SANY####.jpg Halloween#.jpg Bed.jpg
SDC#####.jpg halloween###.jpg BED.jpg
scan#####.jpg halloween##.jpg shower.jpg
SPA#####.jpg halloween#.jpg Shower.jpg
ST@_#####.jpg Me###.jpg SHOWER.jpg
STA#####.jpg Me##.jpg bath.jpg
STP#####.jpg Me#.jpg Bath.jpg
PANA###.jpg ME###.jpg BATH.jpg
{user}#.jpg ME##.jpg closet.jpg
DSCI###.jpg ME#.jpg Closet.jpg
DigitalCamera###.jpg me###.jpg CLOSET.jpg
Image(##).jpg me##.jpg kitchen.jpg
Image(##).JPG me#.jpg Kitchen.jpg
mvc-###.jpg 1-###.jpg KITCHEN.jpg
MVC-###.jpg 1-##.jpg fridge.jpg
Sony#.jpg 1-#.jpg Fridge.jpg
PhotoMoto_####.jpg IMG_###.jpg FRIDGE.jpg
###-1.jpg IMG_##.jpg table.jpg
##-1.jpg IMG_#.jpg Table.jpg
#-1.jpg naughty###.jpg TABLE.jpg
Picture###.png naughty##.jpg risque.jpg
Picture##.png naughty#.jpg Risque.jpg
Picture#.png Naughty###.jpg RISQUE.jpg
stuff###.jpg Naughty##.jpg new.jpg
stuff##.jpg Naughty#.jpg New.jpg
stuff#.jpg ass###.jpg NEW.jpg
stuff-#.jpg ass##.jpg old.jpg
S###.jpg ass#.jpg Old.jpg
S##.jpg Ass###.jpg OLD.jpg
S#.jpg Ass##.jpg halloween.jpg
s###.jpg Ass#.jpg Halloween.jpg
s##.jpg Pic###.jpg HALLOWEEN.jpg
s#.jpg Pic##.jpg cleavage.jpg
unknown-###.jpg Pic#.jpg Cleavage.jpg
unknown-##.jpg pic###.jpg CLEAVAGE.jpg
unknown-#.jpg pic##.jpg pic.jpg
Unknown-###.jpg pic#.jpg Pic.jpg
Unknown-##.jpg me.jpg PIC.jpg

So basically, the way out of phuskers is only to rename your files so that it won’t fit any of the above masks. So a simple description (3-5 words) on what’s on the picture might be able to defeat most of these software.

So here you have it how to get pictures from Photobucket.  Although I haven’t shown it here, this concept can be used for other picture sharing sites. As in anything that ever existed, this can be used for good and evil purposes. I started to get interested in computer security by reading that stuff when I was young so my goal here is to do the same, knowing that some script kiddies will probably use this.

Sayonnara


1 Security Researchers Find Alleged Facebook Hacking Service ”, Brian Prince, eWeek, September 18, 2009,http://www.eweek.com/c/a/Security/Security-Researchers-Find-Alleged-Facebook-Hacking-Service-358854/ 2009-12-29

A Study of Smart Cards

Share

Cards are quite an interesting species of object that have invaded our lives in every way: we either use them for public transit, laundry, gift cards, phone cards, credit cards etc… One could gather quite a lot of power buy not only understanding their functioning, but also by being able to tamper their data. I must admit that I have absolutely no knowledge (or almost) of those devices, but hopefully, by the end of this project, this will have completely changed.

Visual Study of Smart Cards

Smarts card are usually the size of the credit cards and dimensions are defined accordingly to the ISO/IEC 7810 standard. The standard defines four card sizes: ID-1, ID-2, ID-3 and ID-000. Smart cards are usually comprised in the ID-1 category although some are into the ID-000 category, which mostly comprise of SIM cards. Each of them are 0.76 mm thick. The properties are defined as follow1:

Example of a card using a chip
Example of a card using a chip
Format Dimension Usage
ID-1 85.60 × 53.98 mm Most banking cards and ID cards
ID-2 105 × 74 mm German ID cards issued prior to Nov 2010
ID-3 125 × 88 mm Passports and Visas
ID-000 25 × 15 mm SIM cards

The material use for the card is usually Polyvinyl chloride (PVC). Of course the most interesting item on rhe card is that golden connector. There are various type of connectors as shown in the picture below:

Different Layouts of Cardpads
Different Layouts of Cardpads

There are also three main types of smart cards: contact cards, contactless and vault cards [2]

The three main types of Smart Card available
The three main types of Smart Card available

Actually the two that are actually important in everybody’s life are the contact and contactless cards, the latest being use in public transit most of the time. For now I’ll concentrate on contact cards.

Contact Cards

Information is transferred using electrical connectors, i.e the golden chip on the card to the reader. Usually, the chip as around 8 connectors as follow:

Now contact cards are divided in two categories : memory cards and multiprocessor cards. Memory cards are furthermore divided into 3 categories:

  • Straight Memory Cards
  • Protected/Segmented Memory Cards
  • Stored Value Memory Cards

The Project

I recently got handed a laundry smart card and for some reason, got fascinated with it. I never really played with hardware but studying those devices have interested me to the point of studying them in a special project. The goal is to be able to modify the contents of the memory of the card. This project will be conducted in two phases :

  1. Dump the content of the memory into my computer
  2. Alter the content and write it back to the card

System Description

A client is handled a Smart Card called “SmartCity” from a company called Coinamatic, which provide laundry solutions to property managers. The card can be loaded and recharged using coins or debit/credit cards through “reload centers“. You can put up to 50$ maximum on the card. To use the facilites, you need to insert the card  into a slot built into the washers/dryers. The washer is a Commercial Energy Advantage Top Load Washer MAT14PRAWW model. The dryer is a 27″ Commercial Single-Load Electric Stack Dryer model MLE24PRAZW.

Next post : the card reader/writer

See also:

EMV 4.2 Specification, EMVCo, May 2008, http://emvco.com/ accessed on 2009-07-20

Infineon SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, http://www.flylogic.net/blog/?p=17 accessed on 2009-07-20

How-to: Read a FedEx Kinko’s smart card (SLE4442), Ian Lesnet, Hack-a-day, November 28th, 2008, http://hackaday.com/2008/11/25/how-to-read-a-fedex-kinkos-smart-card-sle4442/, accessed on 2009-07-20

Intelligent 256-Byte EEPROM SLE 4432/SLE 4442, Siemens, 1995, http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf accessed on 2009-07-20

Kinko’s Smart Card (Siemens SLE4442 memory chip), Strom Calson, http://www.stromcarlson.com/projects/smartcard/format.pdf accessed on 2009-07-20

1K EEPROM – Security Logic with Two Application Zones AT88SC102, Atmel, 1999, http://www.datasheetcatalog.org/datasheet/atmel/DOC1419.PDF accessed on 2009-07-20

[1] ISO/IEC 7810, Wikipedia, http://en.wikipedia.org/wiki/ISO/IEC_7810 accessed on 2009-07-20

[2] Types of Chip Cards, Smart Card Basics, 2005,  http://www.smartcardbasics.com/cardtypes.html accessed on 2009-07-20

RAAF website defaced

Share

Atul Dwivedi, an Indian hacker paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.

This accident comes amid a raise in violence targeted towards Indian native in Australia and apparently Dwivedi protested this situation by leaving a message on the website:

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”

Racist incident in Australia against Indian students has increased in the last months
Racist incident in Australia against Indian students has increased in the last months

This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokewoman:

“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,1

Microsoft products are used in pretty much every Western armed forces. So it’s save to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies as Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire2 the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits. Which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.

It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them and pose as them.

Then also, why not look for the FTP server? And God knows what else the server is running; maybe a SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.

See also:

Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17

WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17


1Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16

2 “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16

Firefox Javascript Vulnerability

Share

Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machine running a x86, SPARC or arm architectures.

The vulnerability resolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit use a heap spraying technique to execute the shellcode.

A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which let you enable and disable scripts easily according to a whitelist/blacklist system.

See also:

Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, http://secunia.com/advisories/35798/ accessed on 2009-07-15

Exploit 9137”, SBerry, July 13, 2009, http://milw0rm.com/exploits/9137 accessed on 2009-07-15

Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html accessed on 2009-07-15

Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ accessed on 2009-07-15


1 “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, http://www.theinquirer.net/inquirer/news/1433480/mozilla-foundation-tackles-firefox-bug accessed on 2009-07-15