Monday, 29 April 2013

Security Challenges

A few days ago on Reddit's r/NetSec, a link containing some penetration testing challenges was posted. I've decided to post some hints for each of them, since I have completed some of them.

I'd like to get back and take a swing at the web-based ones as they should be doable on my part, but priorities! If I get a chance to do II, III, and VI, I'll likely post a follow up here.

Challenge I

This one is fairly straightforward. Pay attention to the URL and you'll notice that it does an include of a file. You can easily bypass this by inserting a URL-encoded null character (\x00, encoded as %00) in the string, which gets past the checks that are in the way. You'll then want to look for some Apache-specific password files.

Challenge VII

One of the things that threw me off in this WiFi challenge was that the packet capture was seemingly useless. Just over 5,000 IVs were captured and as a result the normal methods for breaking WEP were out of the question. I tried to brute-force this too and was pulling my hair out.

It was pointed out by a friend that the access point in question has a vulnerability that allows one to quite easily generate keys based on the ESSID--it was using one of the defaults too so I felt a bit dumb for not cluing into this, but the unit is for an Irish telecom and I am Canadian. Once I had that sorted out I was able to decode the packet capture and then was able to determine how to get my name added to the list.

Challenge VIII

Let me start off by saying this: don't bother performing a packet capture. It might give you a hint about what is going on but don't analyse it any further than that.

This is really going to be a reverse-engineering job requiring a bit of Java skill--or at least the willingness to get your feet wet with the language. In the end you're going to need to make use of a Java decompiler (jad) and then just parse through everything to understand what each function is doing.

It's really easy to do if you have any level of coding experience. Up until this challenge I had zero experience with the language and managed to get it to run an application that performed all of the functions I needed to reverse what was done--I was from tutorial to compiled in less than five minutes (seriously).

Break the PIN

This one was surprisingly easy. As the author of the challenge notes elsewhere, there is no need to hammer his server for a result. In the end you can do this offline if you examine what he's looking for (a 7-digit number) and then the code on the page itself. You should be able to whip something up in any language and have it cracked in less than three minutes.

Wednesday, 24 April 2013

Distances travelled by a hard drive

Once in a while I'll come up with strange ideas and one of them was the curious thought I had about distances covered by hard drives.

The diameter of the platter in a standard PC hard drive is 8.89 cm and as a result its circumference will be 27.96 cm. The typical hard drive today spins at roughly 7200 revolutions per minute, which works out to 120 per second. Since we know the distance the rim travels every minute, we can work this out to 120.82 KM/h, which is 10.82 KM/h faster than the speed limit on the Coquihalla Highway.

This means a hard drive could in theory keep up with highway traffic.

Let's assume that we don't have to worry about powering the hard drive, because we know that otherwise it won't work. Where could the hard drive possibly go if it had access to some unique power source, could keep itself upright, and could use its platter as a wheel?

The distance between the capital of British Columbia, Victoria to its island neighbour, Nanaimo is approximately 110 KM, which means the hard drive could easily drive down the highway and get there in less than an hour. However, the speed limit in the Malahat section is 80 KM/h, so it would likely get a speeding ticket for having done so. We'll ignore this consequence since the hard drive doesn't have a licence anyway.

How about a larger feat? Perhaps we want to drive from Vancouver to Toronto? Well, thanks to the hard drive's enormous stored energy, it could travel the shortest distance of 4,373 KM in just around 36 hours. But this is cutting through the United States, so if we were to stay within our own borders, it would work out to about the same at 4,389 KM, but would have the consequence of speeding through city streets which are set with a maximum of 60 KM/h. The hard drive would be quite the rebel.

Okay. So we have this fancy energy source and as a result could go anywhere. How about to outer space? What if the hard drive managed to manipulate its gyroscopic forces to defeat gravity and fly upwards to places beyond our atmosphere? Since we're already breaking the laws of the road, we can go for broke and completely break the laws of physics.

In this Time article, it's stated that the average car's age is 11 years old and has gone a distance of 165,000 miles (266,000 KM). The distance between the Earth and the Moon is 384,400 KM, so the average car has yet to make it as far. How long would it take for the hard drive to get to our celestial neighbour? It would take about 132 days for it to reach its destination--for reference, the astronauts that visited there took almost four days to arrive.

Since cars are averaging 11 years on the road, how much further does the hard drive go in that time? It would be approximately 11,649,963 kilometres. The hard drive would take half a century at best to reach Mars when it is at its closest, but considering the closest that planet will be to us will be about 58,000,000 KM in 2018, it's unlikely that it would get there in time and would probably take a whole century if it were to leave now, as the distances can reach around 100,000,000 KM.

This is all presuming that the hard drive just doesn't give out before it gets there. These devices are quite amazing and have the ability to outlast expectations, and sometimes just flat out die. My rule of thumb is that a hard drive is only good for up to 5 years of continuous operation, which means it would die out long before it made it to our planetary neighbour.

Closing on this, a 10,000 RPM hard drive is only going at 160 KM/h so while it would get to Mars a tad faster, it's not really an improvement.

Monday, 22 April 2013

The Boston Marathon bombing and the Reddit circlejerk

What happened in Boston last week goes without saying as one of the most horrific events I have ever seen in the United States. The raw images of limbs scattered about and people missing them as a result were just horrifying. Regardless of the reasons, attacking innocent civilians anywhere is uncalled for and completely unjust.

However, one of the ugliest things that came out of all of this is the Internet vigilantism that had as its goal trying to catch whoever was responsible for the attacks. Specifically, the creation of the Reddit subgroup, r/findbostonbombers (it has since been closed so I haven't linked to it). It was Reddit's response to the search for who was responsible: combing through images on Flickr, Twitter, Facebook, and whatever else had photos that may or may not be relevant--none were, just in case you're wondering.

When you have people pleading that they're not the Boston bomber, those who go missing for unexplained reasons who are then accused of being the attacker, and then racial profiling because they're brown or some other colour other than good ol' fashioned American-proud white (because white people have never bombed any Americans), you have to wonder what these people think about racial profiling at the government level.

I refuse to link some of the images here as enough damage has been done to these falsely accused individuals, but it was amusing to see first-hand people trying to prove to me that certain people were likely guilty just because they were looking in the wrong direction, their clothes didn't match everyone else, or somehow they had a backpack but when seen in other photos it appeared that they didn't have them on, but of course in a later taken photo they're shown with their backpacks again. Just because you've watched enough CSI does not mean that you can take a look at a crowd and tell me who's a terrorist, rapist, murderer, paedophile, or whatever.

Unlike the Internet, the FBI had the ability to sift through video evidence provided via CCTV cameras placed in buildings and the surrounding area. What did the Internet have? Just photos they stumbled across on social media and elsewhere. What did the FBI pull off that the Internet did not? They had photos of the actual suspected bombers wandering around with the backpacks. They released video and stills of the suspects, and only then did details about these people start to emerge.

It was only when the photos of the two suspected bombers were released that any other photos appeared, and those came from people who looked at their own damn images. How many photos of these suspects did Redditors find? None. In fact, they went on to falsely accuse an innocent missing person. Yeah. He sort of matched the blurry, digitally-zoomed image of one of the suspects, but it's not hard to go through your Facebook friends list and do the same damn thing.

Now comes into play the whole Reddit circlejerk. I would refuse to call the subgroup created to find the bombers anything near altruistic in terms of its goals, but rather a lynch mob. Yes. Their intentions may be objectively good, but it's nowhere close to being actually useful or thoughtful.

Why was it so hard for people to not just do what the FBI wants and just send the damn images to them if they happen to find something that might be helpful in the investigation? Why did these Redditors have to go out and start playing with Microsoft Paint to figure out where Joe Shmoe and Susan Smith were looking? In fact, I don't even recall a single image where a woman, a child, a delivery driver, grandparents, et cetera were suspected as being involved.

How did these Redditors not know that some kid was instructed to place a backpack somewhere? How do they know it wasn't a woman who was involved? Why did they focus mostly on dark-skinned people or those with clothes that didn't match the rest? How did they come to the conclusion that just looking in one direction was sufficient for a probable suspect?

Really, Reddit is not above the rest of the Internet when it comes to moral authority--not by a long shot.

Honestly I think what it all boils down to is this notion in the Reddit community that whatever they do is for the good of the world. Yes. There have been instances where members of Reddit (I have been on the site for almost four years now, FYI) have done some rather good work for the benefit of others, but there have been enough examples of where they have done harm. For example, after a post discussing Reddit's involvement in finding the bombers, it was pointed out by someone who has the same thoughts that I do that the founder of the aforementioned sub-Reddit was receiving threats in the aftermath of having someone falsely accused.

There's a lot more that I could say on this topic, such as those involved not understanding what a reliable source is and why you shouldn't act upon an unreliable one--for example: police scanners provide detailed information, but there is a reason why the media was not reacting at the same rate as Reddit does. They need to know if what is being said is valid, and radio communication amongst the police during a standoff situation is only so accurate.

In the end, Reddit, you embarrassed yourselves.

Tuesday, 16 April 2013

"Debrowning" plastic

As some of you may know, I maintain a collection of video game consoles and have done so for almost a decade. One of the largest annoyances of such a hobby is the fact that the ABS plastic that most video game consoles and peripherals are made from has a habit of turning a brown colour after long-term exposure to ultraviolet light--this is a byproduct of the bromine used as a fire retardant. I am not alone in this annoyance, and there is actually a whole community of people that have come up with a rather simple remedy that doesn't involve painting, using a mixture called Retr0bright.

Since I have plans to do this with a number of items in my collection, I have decided to do a test with a Super Nintendo controller I had picked up some time ago and share the results here.

Here's the test subject prior to any work being done:

This is not as bad as other situations I have seen. However, the controller was a good test subject because someone had previously opened up the thing prior to me acquiring it and had stripped its screws. It's going to be used for parts in the end, but since it was a donor controller, I figured that it would be a good candidate for what I wanted to do.

To make Retr0bright, the ingredients are quite simple:

  • Hydrogen peroxide

  • Active oxygen cleaner

  • Arrowroot

All of these ingredients can be acquired for a few dollars each. I believe that the peroxide solution set me back $8, the cleaner was $4, and the arrowroot was the most expensive at $10 for 300 grams. It is suggested that you get at least a 6% or higher solution of the peroxide, but I picked up 3% because it was cheaper--I will explain the trade-offs a bit later. It also seems that you can get away with the dollar store variety of the cleaner too, as it didn't seem to be much different than mainstream brands like Oxy Clean.

Combining the stuff is fairly straightforward, but be prepared to add more arrowroot than what some recipes state, and you will likely have to heat the combined substances while mixing--short 30-60 second periods in a microwave are sufficient. In the end I used about a litre and a half of peroxide, 90 mL of the cleaner, and then about the same amount of arrowroot. You're going to find that you'll adjust the measurements as you go along until you get something that is quite soupy.

Once this stuff is made, let it sit overnight and it should have a gel-like substance that you can apply to the plastic.

You're going to want to reapply the stuff every so often while letting it bask in the sunlight. It's safe to let the solution sit out in the open for the day as it shouldn't evaporate very quickly, but it will dry off on the plastic. You'll want to ensure that you get the maximum amount of sunlight possible too.

As you can see, there is a noticeable difference between the before and after shots of the controller. One of the things I immediately noticed was that there was no negative effect on the silk screening on the plastic. It has been said that stickers should survive just fine during the process as well.

Regarding the use of a 3% hydrogen peroxide solution: it just takes longer. It only took me about 6-8 hours to pull off the change in colour, but it is likely that this would be far faster if the solution was more concentrated.

Overall I am glad to see that this works and likely will try it on something bigger later on.

Monday, 1 April 2013

Being an Avivore and data mining Twitter

How easy is it to pull phone numbers, IP addresses, and Blackberry PINs from Twitter? It should be no surprise that it isn't very difficult at all, and it was the topic of a presentation that I gave at BSides Vancouver last month. This is more a follow-up to my talk than to my previous write-up on the event.

Background

This really began due to boredom on my part. I was working on a Twitter-related project for Maker Faire Vancouver and, due to some missing components, I had to delay what I was already writing. Since I do not like to have idle hands, I started to mess with what I already had and decided to make it search for phone numbers. I didn't anticipate anything at first, but then I started to get results.

After seeing the large volume of results from the script, I decided that I would build a bot that would respond to people who had been found to be erroneously posting their numbers on Twitter. Oddly, it seems that I am the first to go and search for this information openly, but not the first to do something related to user-initiated privacy violations--not sure what else to call this.

@PhoneNumberTwit

After some fumbling around, I managed to create a Twitter bot.

The bot was designed to respond to at most one tweet every ten minutes, and only when a random number generator hit a certain value--so as not to cause a flood of tweets. It was also set to tweet a randomly chosen phrase to avoid the anti-spam actions that Twitter itself would take should I tweet the same thing each time.

While I took the time to ensure that Twitter itself wouldn't ban me, it ran for something like 36 hours before it got banned. I eventually appealed it, but I spoke to a contact I had at the company and was told upfront that it would probably remain banned if it were to get in trouble again.

Some of the reactions during its brief lifetime were kind of interesting:

Poor decisions are made regardless of what country they're from--especially mine.

Justin Bieber is pretty wild these days. Maybe?

Note: no mobile phone was harmed or abused for this portion of the project.

So what next?

Well, I wanted to be persistent on this and thought about a few different approaches. One idea someone had proposed was to follow the lead of @NeedADebitCard and just retweet the phone numbers. However, I didn't want to run the risk of getting banned from Twitter should they decide to ban that account--mine would likely follow soon after.

Maybe I should just compile the findings into a list?

This ran for a few days as well, and I eventually killed it (it could be revived at a moment's notice) for reasons that I cannot recall at the time of this writing. It basically followed in the footsteps of Please Rob Me, which compiled results from Twitter users checking in using services like Foursquare to demonstrate that one can be easily followed.

It worked quite well: my application would take results and then dump them into a database. The page itself would then display items from the database, showing the number in the format '(555) 555-1xxx'. The intent was that someone could just delete their tweet should they find their phone number showing up on my page. Once the tweet was deleted, the obfuscated number would be all that remained, and it would just fall off of the list as others made the same mistake.

In addition to that, I had briefly configured it to use Twilio to send text messages, very sparingly, to random users who ended up in that list. Out of the 400 or so tweets that I archived before shelving the project, about nine people were texted with the message "I found your number on Twitter. You should not tweet these things, y'know". Most of the responses were fairly benign, but I discontinued this behaviour as I was unsure of what laws I may or may not have been violating at the time.

Ed - April 3: I was asked why I discontinued this overall. I had decided that I wasn't sure of the consequences of doing this. Add to that the fact that I didn't want my hosting service to have any trouble over this, so I opted to not let this service operate any further.

Going for broke

In the end I opted to just create some code to search Twitter on a cycle and pull everything into a database. The code is not especially well written, but it does the job and lets you see how effective it is in retrieving information. It was initially designed to just pull phone numbers, but then it sort of mutated into finding IP addresses and Blackberry PINs as well.

A sample output is as follows:

$ python avivore.py
Avivore 1.0
A Twitter-based tool for finding personal data.
Licensed under the LGPL and created by Colin Keigher
http://github.com/ColinKeigher
[1364844946] Using existing database to store results.
[1364844946] 12447 entries in this database so far.
[1364844956] Type: bbpin, User: SocialGamerMax, PIN: 261D288C, TweetID: 318808517685440513
[1364844957] Type: bbpin, User: AsgharBhatti3, PIN: 21D91A46,TweetID: 318808291490791424
[1364844957] Type: bbpin, User: MIDOO_889, PIN: 26CFA12B, TweetID: 318807746273214464
[1364844957] Type: bbpin, User: Tsa7el, PIN: 25ba2a8f, TweetID: 318806708887629824

The 12,000+ entries you see above were created over the course of 24 hours, so as you can see there is just a tonne of personal data sitting on Twitter for anyone to get their hands on.
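To make the search-and-store loop concrete, here is an added example (my own code, not Avivore's) of the core of such a tool: pattern matching for the three data types over a handful of constructed tweets, dedupe by tweet ID in place of the "existing database", the '(555) 555-1xxx' display format the list page used, and a log line shaped like the output above. The regexes, the "bbm"/"pin" keyword requirement for PINs, and all sample users, IDs and values are my assumptions.

```python
import re
from typing import Dict, List, Set

# Detection patterns (my assumptions, not Avivore's own regexes):
# NANP phone numbers, dotted-quad IPv4 addresses and 8-hex-digit BlackBerry PINs.
PHONE_RE = re.compile(r"(?:\((\d{3})\)\s?|(\d{3})[-.\s])(\d{3})[-.\s](\d{4})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BBPIN_RE = re.compile(r"\b[0-9A-Fa-f]{8}\b")
# Assumption: a bare 8-hex run only counts as a PIN when the tweet mentions BBM or a PIN,
# otherwise commit hashes and similar would pollute the results.
BBPIN_CONTEXT = ("bbm", "pin")


def valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with octets above 255 (the regex alone accepts 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def obfuscate_phone(match: "re.Match") -> str:
    """Render a hit as '(555) 555-1xxx', the format the post's public list used."""
    area = match.group(1) or match.group(2)
    return f"({area}) {match.group(3)}-{match.group(4)[0]}xxx"


def scan_tweet(user: str, tweet_id: int, text: str) -> List[Dict]:
    """Return one record per phone number, IPv4 address or BlackBerry PIN found in a tweet."""
    hits: List[Dict] = []
    for m in PHONE_RE.finditer(text):
        hits.append({"type": "phone", "user": user, "value": m.group(0),
                     "display": obfuscate_phone(m), "tweet_id": tweet_id})
    for m in IPV4_RE.finditer(text):
        if valid_ipv4(m.group(0)):
            hits.append({"type": "ip", "user": user, "value": m.group(0),
                         "display": m.group(0), "tweet_id": tweet_id})
    if any(word in text.lower() for word in BBPIN_CONTEXT):
        for m in BBPIN_RE.finditer(text):
            hits.append({"type": "bbpin", "user": user, "value": m.group(0).upper(),
                         "display": m.group(0).upper(), "tweet_id": tweet_id})
    return hits


class ResultStore:
    """Stand-in for the post's database: keeps hits and skips tweet IDs already processed."""

    def __init__(self) -> None:
        self.seen: Set[int] = set()
        self.rows: List[Dict] = []

    def ingest(self, user: str, tweet_id: int, text: str) -> int:
        if tweet_id in self.seen:       # search cycles overlap, so the same tweet comes back
            return 0
        self.seen.add(tweet_id)
        hits = scan_tweet(user, tweet_id, text)
        self.rows.extend(hits)
        return len(hits)


LABELS = {"phone": "Number", "ip": "IP", "bbpin": "PIN"}


def format_hit(hit: Dict) -> str:
    """Mimic the tool's log line, e.g. 'Type: bbpin, User: x, PIN: 2A1B3C4D, TweetID: 1001'."""
    return (f"Type: {hit['type']}, User: {hit['user']}, "
            f"{LABELS[hit['type']]}: {hit['value']}, TweetID: {hit['tweet_id']}")


# Constructed sample tweets (fake users, IDs and values; 555 numbers and a documentation IP).
SAMPLE_TWEETS = [
    ("max_gamer", 1001, "add me on bbm, pin is 2a1b3c4d"),
    ("lost_phone", 1002, "new number (555) 555-1234 text me!!"),
    ("home_lab", 1003, "finally online at 203.0.113.42 lol"),
    ("lost_phone", 1002, "new number (555) 555-1234 text me!!"),   # duplicate tweet ID
    ("dev_ops", 1004, "deployed build deadbeef to 999.1.1.1 (just kidding)"),
]


def run_demo() -> ResultStore:
    store = ResultStore()
    for user, tweet_id, text in SAMPLE_TWEETS:
        store.ingest(user, tweet_id, text)
    for hit in store.rows:
        print(format_hit(hit))
    return store
```

Running it yields three hits (a PIN, a phone number, an IP) from four distinct tweets; the duplicate is skipped and the bogus 999.1.1.1 is rejected by the octet check.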

Closing

Some other ideas that came up were to harvest e-mail addresses or prescription medications. E-mail addresses would be straightforward, but prescriptions were an interesting one that would probably require me to build a database of names of common drugs. This would be interesting to search for within the limitations that Twitter has put upon me, but I would not be surprised if this and the other data has some sort of use.

The talk I gave at BSides Vancouver touched loosely on the ramifications of this sort of information and what use it could serve. For example, someone who is willing to provide their personal details on the service may also be highly likely to be susceptible to social engineering attacks. An easy one to pull off would be to call the individual a few days or so afterwards, stating that they were from Twitter and wanted to ensure that everything was okay and to also "verify" their password. For businesses, it could allow you to know who might be a risk to your company and might be willing to produce certain proprietary information that you may not want divulged. These are of course all hypothetical, but it was something that ran across my mind as I was working on this project.

As a result of this work, I've expanded on this data retrieval for other services and have a new project in the works that will likely be demonstrated sometime soon. For now, feel free to try out the script and have a sigh or two.