Tuesday, 17 May 2016

MyDataAngel.com is not new and is an outright scam

As evident in this KickStarter and this other one, we've seen countless snake oil products peddled to helpless people who are only looking to protect themselves on the Internet. Well, this time we have a product called DataGateKeeper (DGK), and they're looking for $25,000. They claim it is anti-hacking software that provides encryption far more advanced than AES.

Because I hate this sort of crap, I figure it's time to document who these people are and what the product actually is. I should note that I initially wondered if it was a troll (as did Bruce Schneier), but I am now convinced that it is a scam.

I am going to refer to this as MyDataAngel.com or "MDA" as there's a tonne of confusion here due to the iterations this software has gone through. What they're selling is not only not new, it has been offered for sale under many different names with various other people involved.

I'd like to thank Ryan O'Horo for helping form the timeline and providing other tidbits.

Meet the Team

Here's an image from their KickStarter:

It helps to know who these people are in order to paint a picture of what we're dealing with.

  • Raymond Talarico (CEO) - once sued over a suspected embezzlement of $30,000 (via the SEC) from a company he was formerly CEO and founder of, Raymond is the CEO of MyDataAngel.com. Formerly, he was a director of FileWarden.com, which has a relationship with MDA, until July of 2014. Talarico is also President of American Pacific Rim Commerce Group (APRCG).
  • Debra Towsley (President) - Debra has worked alongside Raymond for at least a decade and was cited in the aforementioned SEC document. She was formerly president (and later CEO) of the company Talarico founded. There are claims that she worked as Director of Marketing for Blockbuster in Florida, and she has been cited as involved in several other companies. She has recently taken to scrubbing her LinkedIn profile for some reason.
  • Frank Ruppen (Chief Strategy Office) - a Harvard Business School graduate, having worked at large companies such as Procter & Gamble (as claimed on his LinkedIn), Frank is the founder of Forward Associates, a "brand management" company whose mission statement is to provide 404 pages. I should also note that the use of "Office" in his title is not a mistake on my part.
  • Joshua Noel (Creative Director) - the creative director and likely cameraperson behind the useless videos that were incorporated into the KickStarter. Formerly a YouTube Let's Player turned wedding videographer, Joshua now finds that his business address is being shared with MDA's.
  • Loreena Stanga (Cat Herder & Code Management) - an arts student, turned code manager for MDA. She has recently deleted her LinkedIn and Twitter accounts.
  • Jensen Dillard (Data Angel Host) - host of the dumb KickStarter videos, she left her job as an employee at a veterinarian hospital to host a fake newscast.
  • Steve Talbott (Advisory Board) - you can refer to him as "Captain Steve" as he runs a yacht tour company in the Florida Keys.
  • Chad Thilborger (Data Angel & Host) - a TV food personality who's best known for some South Florida TV show and shoving a tonne of what I can only assume is parsley into his mouth
  • David Smith (Advisory Board) - probably one of the most generic names possible, I was unable to get any information on him so I have nothing snarky to say.
  • Frankie (Data Angel & Celebrity) - likely the most intelligent individual amongst this team as it's nothing more than a lousy skeletal model that they use as a gag prop in their videos.
There have been other people involved in the past but I will mention them as I go along. For the most part, the two people of interest should be Towsley and Talarico. I will also mention that there are no cryptographers working for them.

Update - 20-05-2016

It turns out that Talarico and Towsley are married. You can read this claim in this article from 2006:
Talarico joined family and friends in watching his filly J P Sage take the lead near the final turn and trot on to win the night's 10th race. Talarico, his wife Debra Towsley, and their group then posed with J P Sage for the traditional winner's circle photo.
This detail will help paint a picture of what is going on with this KickStarter. Thanks to Stephen Tinius for pointing out his involvement with APRCG and his relationship status with Towsley.

Before MyDataAngel.com, there were other iterations

Here are some names we should make ourselves familiar with before we go on about how the timeline makes no sense:
  • Centuri Cryptor
  • FileWarden.com
And here's a cropped copy of their KickStarter timeline up until now:

Let me give you guys a better, more factual timeline (date, event, and the source each entry is drawn from):

1997-01-21: Raymond Talarico incorporates Sci-Fi Megaplex in Fort Lauderdale, FL (florida.intercreditreport.com)
1998-01-01: Debra Towsley serves as VP of business development for Sci-Fi Megaplex (sec.edgar-online.com)
1998-07-05: SOFNET, Inc. a/k/a SOFTNET, Inc. is incorporated by Raymond Talarico and Glenn Jackson in Florida (search.sunbiz.org)
2000-09-01: Raymond Talarico resigns from Sci-Fi Megaplex (sec.gov)
2001-01-01: Raymond Talarico and Debra Towsley found Medirect Latino Inc. (sec.edgar-online.com)
2001-01-22: Sci-Fi Megaplex files for bankruptcy (bizjournals.com)
2001-03-16: SEC announces fraud scheme at Hawa Corporation involving future FileWarden.com director Ilona Alexis Mandelbaum of West Palm Beach, FL (sec.gov)
2001-09-21: SOFNET, Inc. is dissolved (search.sunbiz.org)
2002-01-01: Raymond Talarico founds MGI Consultants Inc. (companiess.com)
2002-07-19: MEDirect Latino, Inc. incorporated by Raymond Talarico and Debra Towsley in Florida (search.sunbiz.org)
2003-07-22: State of Wisconsin issues C&D against SOFNET, Inc., Raymond Talarico, and Glenn Jackson for selling unregistered securities (wdfi.org)
2005-01-01: IntelaKare Marketing Inc. a/k/a ikarma Inc. (otcmarkets.com)
2005-11-29: Success Exploration and Resources, Inc. (SE&R), a mineral exploration company, incorporated in the State of Nevada (nasdaq.com)
2006-10-16: Three directors resign from MEDirect Latino, Inc. citing irregularities (sec.edgar-online.com)
2007-02-14: Ilona Alexis (a/k/a Roza) Mandelbaum files for bankruptcy in Florida Southern Bankruptcy Court (plainsite.org)
2007-07-11: MGI Consultants Inc. incorporated in Nevada by Debra Towsley (nvsos.gov)
2007-11-09: MEDirect Latino Inc. goes into default with several lenders (globenewswire.com)
2008-01-23: HSC Holdings, LLC incorporated in Florida by Ilona Mandelbaum (search.sunbiz.org)
(undated): American Pacific Rim Commerce Group (APRM) and MGI Consultants
2010-01-01: According to a LinkedIn account, Centuri Global is created and claims to come from Hobe Sound, Florida (linkedin.com)
2010-05-21: Fraud lawsuit filed against HSC and Ilona Mandelbaum in Texas (nasdaq.com)
2010-06-22: Ilona Mandelbaum and HSC Holdings sued for fraud in Texas court (dockets.justia.com)
2011-01-28: SE&R website snapshot (successexploration.com)
2011-02-28: IntelaKare spins off Medtino Inc. (otcmarkets.com)
2011-06-07: SEC suspends trading of American Pacific Rim Commerce Group (APRM) (sec.gov)
2011-10-10: SEC filing connecting SE&R in Ontario and Nevada (sec.gov)
2012-03-15: Secured Income Reserve, Inc. incorporated in Delaware; Ilona Alexis Mandelbaum and Matthew H. Sage are Executive Officers (bizapedia.com)
2013-07-13: centuriglobal.com registered (research.domaintools.com)
2013-07-30: SE&R stock purchase agreement entered into by HSC Holdings, LLC and Matthew H. Sage, who is then appointed Officer and Director; Alexander and Jonathan Long resign as Executive Officers (marketwatch.com)
2013-07-30: SE&R change their SIC code from Metal Mining to Computer Processing and Data Preparation (sec.gov)
2013-08-22: Centuri Cryptor demo video posted to YouTube by Nick M. (youtube.com)
2013-09-06: Ilona Mandelbaum appointed Secretary and Director at SE&R (bloomberg.com)
2013-09-11: Question regarding Centuri Cryptor was posted to SpiceWorks (community.spiceworks.com)
2013-10-04: Centuri Cryptor website appears on the Internet. Matthew H. Sage is cited as COO and Henry Mandelbaum as CTO. Nick McCord is cited as software and network administrator. (centuriglobal.xtreamsolution.com)
2013-10-13: Centuri Cryptor Twitter account created (twitter.com)
2013-10-15: Raymond Talarico is compensated by SE&R for services through his majority-owned company IntelaKare Marketing, Inc. with 129,400 shares of common restricted stock of SE&R and a $10,000 monthly payment (sec.gov)
2013-10-18: Centuri Cryptor claimed to have been presented at a nameless show at the Jacob Javits Center in New York City to a crowd of 40,000 people. Said convention centre held the PIX11 Health and Wellness Show and the 135th International AES Convention that weekend. (healthexpo.pix11plus.com)
2013-10-18: Alan Edwards of Whitehorse Technology Solutions LLC registers unbreakable-encryption.com and provides details on Centuri's "unbreakable" status (unbreakable-encryption.com)
2013-10-22: "Alan9701" of Whitehorse Technology Solutions LLC claims to have demoed the application and found it uncrackable. It was his first response to any SpiceWorks community message. (community.spiceworks.com)
2013-11-21: Matthew Sage registers FileWarden.com with Centuri Global as the registrant organization
2013-11-27: Talarico registers xtremehacker.com, xtremehackergames.com, hackmeifucan.com
2013-12-11: Raymond Talarico registers MoneyWarden.com, reflecting the FileWarden branding
2014-01-29: Raymond J. Talarico appointed CEO of SE&R (bloomberg.com)
2014-02-12: SE&R files name change with SEC for FileWarden.com (sec.gov)
2014-03-28: FileWarden.com's Matthew H. Sage applies to operate a business in the State of Florida. Raymond Talarico is cited as President and Director. (search.sunbiz.org)
2014-07-11: Raymond J. Talarico resigns as Director of FileWarden.com (bloomberg.com)
2014-07-11: Talarico registers idataangel.com, mydataangel.com
2014-07-14: FileWarden.com delisted from OTCBB (bloomberg.com)
2014-07-16: Talarico registers datagatekeeper.com
2014-11-15: Talarico registers safedatazone.com
2014-11-17: State of Wisconsin issues C&D against Secured Income Reserve, Inc., Ilona Alexis (a/k/a Roza) Mandelbaum, Matthew H. Sage, David A. Zimmerman, and Tamda Marketing, Inc. for selling unregistered securities (wdfi.org)
2014-12-01: MyDataAngel.com, Inc. incorporated in Florida by Debra Towsley (search.sunbiz.org)
2015-02-04: Talarico registers mydataangle.com
2015-02-09: FileWarden demo video posted to YouTube by "Nick Scott" (youtube.com)
2015-08-08: Talarico registers datagatekeeper.tv, safedatazone.tv
2015-09-11: Talarico creates a demo video on how MDA works (youtube.com)
2015-09-12: Talarico registers dataincidentreport.com, miangeldedatos.com, mydatatv.com, worlddataheadquarters.com
2015-09-18: "About MyDataAngel.com" posted on YouTube (youtube.com)
2015-10-23: Talarico registers safedatasolution.com
2015-11-11: MyDataAngel.com issues an "executive brief" (mirror)
2015-11-24: dataangel.news is registered by Raymond Talarico
2015-12-10: MyDataAngel.com issues a year-end update for its investors (mirror)
2015-12-16: MyDataAngel.com issues a PowerPoint presentation with an overview of their new product. Henryk (Henry) Mandelbaum is cited as CTO, Raymond Talarico as Founder and CEO, and Debra Towsley as Founder and President. (mirror)
2016-01-15: Talarico registers edatabuzz.com, edatanews.com, edatatareporter.com
2016-04-01: Installation tutorial posted (youtube.com)
2016-04-01: First use tutorial posted (youtube.com)
2016-04-05: DataGateKeeper help document created (mirror)
2016-05-13: MyDataAngel.com KickStarter is launched (kickstarter.com)

So what does this all mean? For one, the individuals involved have been scheming for years through the use of holding companies to launch their own ventures.

Centuri Cryptor was supposedly written sometime shortly before 2010, although based on its design it's really tough to say whether it was started earlier, had an incompetent programmer involved, or was actually written later than what is claimed on LinkedIn. Its use of controls reminiscent of Windows 3.1 only adds to the confusion. The first evidence of the application in use does not appear on YouTube until the summer of 2013.

It is at this point that Ilona Mandelbaum arranged a compensation package for Raymond Talarico's involvement in HSC Holdings (the assumed owner of Centuri) several months after Mandelbaum's mining company transitioned into a technology one. A website was launched mentioning Henry Mandelbaum as CTO and Matthew Sage as COO.

Immediately following Talarico's involvement, promotion of Centuri began via Twitter and a supposed, nameless conference in New York City. All of this appeared to be very feckless and a non-starter however.

At some point, Matthew Sage created FileWarden.com and transitioned Centuri over to that company with him and Talarico at the helm. Talarico then resigned from FileWarden just four months later, shortly before Mandelbaum and Sage were issued a cease and desist order by the State of Wisconsin for their business activities in another organization.

Eight months later, Talarico registers MyDataAngel.com, with Henry Mandelbaum (a relative of Ilona) as CTO, Talarico as CEO, and Debra Towsley as President. In November of 2015, work begins on creating a KickStarter and involvement of investors is suggested. And now in May 2016, we have the KickStarter where they're asking for $25,000 USD but with no mention of Henry or Ilona Mandelbaum.

Does the application even exist?

It's really tough to say, but probably? The aforementioned YouTube video shows it in use, but there are a lot of problems with its claims.

The claim that it uses a kilobyte-sized key is absurd, and so is the idea that AES is weak by comparison: past 256 bits, extra key material buys nothing against a properly designed cipher, because the attacker's brute-force cost is already far beyond reach. They're offering fifty to one-hundred-year protection, whereas with a correct implementation of AES you could be waiting until the heat death of the universe to crack the data.

MyDataAngel, DataGateKeeper, Centuri Cryptor, FileWarden, or whatever it is called is complete garbage. They don't need $25,000 to launch this application: it's already available, or at least was.

Here it is in 2015 (as FileWarden):

And here it is in 2013 (as Centuri):

And here's Talarico's video of him using it with Centuri's name being mentioned:

Lastly, for shits and giggles, here are some amusing folders:

Whose ethics?

My problem

KickStarter's lack of involvement in addressing these scams is really distressing, as there is no legal recourse for a backer in the event that a campaign doesn't follow through on its promises. This is the third time I've seen a campaign for outlandish security software, and I am willing to believe that there will be no response from them on preventing new ones in the future. It's really up to us as a community to apply pressure so that these snake oil products never see the light of day.

Raymond Talarico and Debra Towsley don't need the $25,000 either. As evident in the PDFs I've linked to, they claim to have investors and based on the YouTube videos, the software already exists.

This is probably not the last time we'll have to write about this sort of thing either.

I'll close off with this: someone forgot to re-register centuriglobal.com, the former domain of Centuri Cryptor so it now redirects to this blog piece.

Monday, 9 May 2016

My "new" blog funded by Canadian government "grant cheques"

It's often said that imitation is the sincerest form of flattery. However, I did not expect to ever see my name used to promote some grant scheme where one could make $17,438.27 in just under two weeks.

During a random search, I came across a YouTube account bearing my full name. I only have one account that I use so I was surprised to see a video claiming to be created by me bearing a cheque with my full name.

Now, the video in question has a link to the blog itself (I will not link to it myself) which claims the following:
My life was going great... a great job working at a local engineering firm, a beautiful wife of 4 years and a young son. Sure we had some debt, but really, who doesn't? Then it happened, I lost my job! It was devastating, but the next day I was out looking for a new job. Weeks went by and as hard as I tried to find another job, no one, I mean no one was hiring! All the while our bills kept piling up and my mortgage payments were way behind. We really did think we were going to lose our home!
It then goes on to explain the whole grant scheme:
One day after a job interview at a local coffee shop, I was about to sit down to enjoy a hot cup of java when I happened to bump into an old high school acquaintance. Turns out he worked for the provincial government and after explaining about my financial problems, he advised me to apply for Canadian Government Grants. I had heard about them but never really looked into it before. He explained that 90% of Canadians qualify for these grants but maybe only 5% of the population actually know about them. He gave me a website to look into and I didn't even finish my coffee, I just rushed home.
Convenient story. The last time I ran into someone from high school that told me of a financial scheme where I could make money, she tried to rope me into some multi-level marketing nonsense.

To add to this, how does one go from having worked at an engineering firm, where you're gainfully employed enough to have a mortgage on a home, to needing to apply for a job at a coffee shop? I get that times are tough now in Calgary (where the author claims to be from), but this was written back in 2012 when oil prices were around $90 USD a barrel.

Rolling back here a bit, you might be wondering how a cheque bearing my name (with middle initial no less) made it online. For a bit, I was confused, but then I remembered that back in 2003, I was filing my own taxes for the first time and was sent back a cheque for a grand total of $0.07 CAD. The humorous part was that the cost to mail it would have been $0.48 CAD. Since I found it funny, I scanned a copy of the cheque, edited out details, and then posted it on a message board.

Years later, I got into the habit of editing Wikipedia to pass the time when I was living away from my hometown. When I came across the article on cheques, it at the time either had no images or didn't have enough so I decided to lend my previous scanned image. The easiest thing to assume here is that this individual decided to use the image in their video because it had a full name to make use of and fit their assumption of how convincing it would be.

I was able to confirm that this was my cheque because the monospace font matches the address I would have had at the time of the cheque's issuance. There are other people out there who have the same name as me, but it definitely was my image being used here.

Back to this whole grants nonsense, there are actual grants you can get as a business or an individual looking to run a business if you fall under some of the following as per this website with a horribly deceptive domain:
  • Employ PEI - as a PEI business owner, you can apply for a wage subsidy to hire and train eligible individuals for up to a year
  • Fuel Injection Program - your advanced manufacturing or social innovation business could access up to $30,000 in seed funding for growth projects in Southern Ontario
  • Self-Employment Assistance - if you are unemployed and want to create a job for yourself by starting your own business, you may be eligible for financial and entrepreneurial assistance
  • Sivummut Grants to Small Businesses - if you live in the Baffin (Qikiqtaaluk) region of Nunavut, you could get up to $25,000 to start or grow a business
  • B.C. Buy Local Program - if you are in the agriculture, agrifood or seafood sectors, you could receive funding up to $75,000
As you can see, there are plenty of grants available that can get you a lot of money for your existing business or to get one off of the ground. However, all of these have a lengthy-ish application process and you have to prove what you're looking to do is legitimate. This isn't some scheme where the government will throw $40,000 like the blog suggests for doing absolutely nothing, as you have to commit to doing whatever the government is trying to promote.

These grant scams are not really all that new as there have been reports about them going back to before this blog came into existence in 2012; a more recent article mentioned this scam in 2015.

The photos on the blog itself came from some stock image websites. You can see some of them here:

What a very happy family.

If you're curious about the cheque image itself, it was deleted from Wikipedia in 2011 so it doesn't appear to be anywhere on the Internet now. I do now have a cheque for $0.07 from TD due to an overpayment on a loan but I have opted to not deposit to see how long things go before they hound me if at all.

I have yet to see my $17,438.27 cheque from the Canadian government.

Wednesday, 2 March 2016

This Medium post about Wireshark is the result of poor system hygiene

Ross Hosman posted this Medium entry complaining that 1Password exposes user data via the loopback interface in an unencrypted format.

Ross was nice enough to provide a "TL;DR":
TL:DR 1Password sends your password in clear text across the loopback interface if you use the browser extensions. 
Note: Running Mac OSX 10.11.3, 1Password Mac Store 6.0.1, Extension Version (Chrome)
I posted a response on Reddit but felt like sharing it here too:
This is likely the result of the OP having installed Wireshark, and it would otherwise not be a problem had he not done so. 
Countless guides on the Internet recommend doing something like this: 
sudo chown <username> /dev/bpf* 

Now fortunately after a reboot, these permissions get set back automatically. However, Homebrew for OS X by default implements ChmodBPF, which keeps the permissions needed so you don’t have to do this every time after you reboot.
This isn’t a Mac OS X thing either as under Windows, WinPCAP is installed, and Wireshark tells you that any user can make use of it:
The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data. This requires administrator privileges. Once the driver is loaded, every local user can capture from it until it’s stopped again.
So default behaviour in Windows is to allow anyone to make use of the capture driver and it is encouraged in guides and Wireshark themselves to make use of the OS X tool. Under Linux, you need to be a member of the wireshark group in order to make use of the capture interface (or just haphazardly use “root”). 
These details are important because, under any other circumstance where Wireshark or other packet capture software is not installed, what the OP complains about would be nothing to worry about. On a default installation (a non-SELinux Linux, OS X, or Windows), the privileges required to sniff the loopback interface are the same as those required to read the key straight out of the process's memory, so an attacker who can do the one can already do the other. 
His concerns are valid in a sense, but having a packet capture driver with global access permissions is along the same lines as having no password on your administrator accounts. If you're concerned about this being a real problem, run Wireshark on a separate machine, or at least within a virtual machine.
Overall there is nothing to panic about unless you are running Wireshark.

Tuesday, 9 February 2016

The hype about Crypter is misplaced and overall dangerous

My problem with cryptography boils down to this: every once in a while, someone comes along claiming that they have a system or software that will revolutionize everything. Naturally, a media frenzy ensues with minimal fact checking. The security industry then catches wind of it, and it is quickly and thoroughly demonstrated to be a pile of vaporware garbage. Then we collectively discover that the enterprising individual has also managed to secure a hefty amount of funding and has spent most of it on a swank office and catered lunches.

Recently, several media outlets gave praise to a project by a student at Sussex University named Max Mitchell. This project, called "Crypter", is a tool to enable encrypted conversations using Facebook's chat service.

Here are the headlines that were given (linked directly from Crypter's home page):
Why and how did Max Mitchell get so much coverage for his encryption tool? Likely it stems from this statement in the BGR article:
Imagine you’re Edward Snowden with a Facebook profile. You text an ace reporter at the Guardian and have a new bit of information to share: you totally found a great new coffee place in the heart of Moscow where the CIA can’t poison you with thallium. How do you send that news securely over Facebook Messenger?
On the website they do in fact use Edward Snowden in their examples:

Edward Snowden is sexy to the media and therefore it appears that Max's borrowing of his name was enough to get attention.

It got further press when Facebook reportedly "blocked" the application, which was really just a page change that Max hadn't accounted for. Of course, RT picks up on this and erroneously quotes my sarcasm on Twitter as support.

Too bad that this entire application is complete garbage and doesn't actually protect anyone.

Key exchange or lack thereof

Crypter's developer mentions that "[its] extension locally encrypts and decrypts your Facebook messages using AES encryption along with a preset password" and "[both parties] must have the same password to ensure you can encrypt and decrypt messages correctly". However, Max's proposal for a key exchange is very, very troubling.

There are entire algorithms for exchanging keys (Diffie-Hellman, for example), so the idea that a static key needs to be exchanged using some other means is preposterous, and someone like Edward Snowden would very likely agree. Exchanging a static key for a symmetric encryption algorithm like AES by any means other than an established key exchange is going to be made a mess of, simply because users will definitely get it wrong.

This is to me the most frustrating aspect of why Crypter is really just a toy and nothing more even if the author and the media are thinking otherwise. The lack of a secure handshake between two or more parties means to me that it'll never be secure.

I ended up asking them on their Facebook page about this problem:

Crypter's website does mention www.⊗.cf (also known as pulverize.xyz), but it's in the "about" section of the page and not in the "how to use" part, meaning that someone may end up completely missing the service and will just do something else to send the key off, such as sending it in plaintext beforehand. Pulverize is also riddled with problems, so even if you were to use it per the author's suggestion, the idea that it is an acceptable key exchange method is laughable.

To describe Pulverize, it's a service written by Max himself where you enter some text into a field and it then generates a link that you can exchange with someone else. When someone else views it, the message is destroyed on the server's end and it displays the text itself. If one attempts to view the page again, they'll receive a message that it doesn't exist. To protect the page from being scraped by an automated service, it uses a Google Captcha service to determine whether or not you're a human being.

In theory, this idea could work because once the link is sent to the other party and they retrieve the self-destructing message, it should exist no more. However, it doesn't take into account two things: do you trust the author to destroy the details about the key intentionally and properly, and do you also believe that Facebook or some other intercepting party doesn't get to it first?

Being that Pulverize is open-source, it's easy to take a look at their source code and issue tracker. Here's how it works:

  1. It generates a fixed-length string (5 characters) using an insecure random number generator to serve as the lookup key
  2. It writes a PHP file to the directory containing the details of the secret message
  3. Data contained within the PHP file is stripped of all HTML tags, meaning that if your AES key contains angle brackets, that part of it won't show up
  4. When the link is opened by another party, after the captcha is confirmed, it proceeds to not quite delete the file
So far we have a potentially predictable URL and data that has had anything PHP's strip_tags function considers a tag removed. There's no assurance that the file is gone either: PHP's unlink only removes the directory entry, and the data blocks stay on disk until they happen to be overwritten. So if the server running Pulverize were seized, the data may be recoverable from the drive, and that is assuming the code we see on GitHub is what's actually running; how can you trust that Max is even making any attempt to delete data to begin with?

To add to all this, in prior versions of Pulverize (as in up until last Friday), a remote code execution (RCE) vulnerability existed in its codebase. The aforementioned use of the strip_tags function was what replaced this particular line of code:
This means that one could just put in the following as the text that they want encoded:
<?php phpinfo()?>
Instead of seeing the above line, you'd get the output of the phpinfo function, meaning that whatever PHP code you wanted to execute would execute. This would also mean that JavaScript and HTML were injectable.

For the key exchange, this would have meant that we could have read keys before anyone else without having to worry about them being "destroyed". This sort of RCE should have been spotted from a mile away and yet here we are with Max promoting a crypto tool alongside another tool that is completely inadequate.

Fortunately this has been fixed but we're still dealing with a situation where we're being limited on what characters are acceptable for use on the site and that the data is not entirely being scrubbed from the server. There are far, far better solutions than this but I get the impression that Max hasn't taken the time to read into what he's trying to achieve.

Facebook as an adversary and a lack of verification

So let's take a step back here for a second and assume for a moment that we can trust that Pulverize will destroy all records of that key and let's look at an easy scenario that Crypter likes to portray here: Facebook being the adversary.

Ignoring the fact that if Facebook was an adversary you wouldn't be using it in the first place, how do you know that Facebook isn't intercepting the key exchange itself?

Here are things that Facebook is in control of here:
  1. All messages going back and forth between all involved parties
  2. The formatting of the messages coming in and going out
  3. The collection and storage of the conversation
So what's to stop Facebook from the following:
  • Intercepting a key exchange using Pulverize and then feeding a different link to the other party
  • Interfering with the application by changing the page so you think that you're using Crypter when in fact you're using something Facebook is serving up
  • Using the reduced character set available for your key to determine the key by brute force
With the first point, this does require some human intervention, as Pulverize requires you to go through an image-based captcha in order to make and retrieve encoded text. So yes, it would be difficult for Facebook to automatically retrieve the key without either party becoming aware, but what if we decided to just intervene manually?

We have no verification that the other party is receiving the correct key. In fact, we have no verification that the Pulverize URL that the other party is to receive is the URL that they are to get. If we're dealing with a situation where Facebook has been coerced to intercept traffic going from one party to another, what's to stop them from going through this process?
  1. Intercept and monitor all messages using a human actor
  2. Wait for a Pulverize URL to come in, grab that URL, note the key, make a new Pulverize URL with said key, and then pass the message on
  3. Intercept and decode all messages using the preset key
Since the Pulverize URLs would supposedly be gone and the key is the same on both ends, there is no way to confirm whether or not an adversary has access to the messages.

To add to this, how Crypter goes about enciphering and deciphering text is pretty scary.

Here's the encryption process:
var encrypt = tag+CryptoJS.AES.encrypt(messageContent, getPass($(this)))+tag;
Here's the decryption process:
var decrypt = CryptoJS.AES.decrypt($(this).attr("id"), getPass($(this))).toString(CryptoJS.enc.Utf8);
What's missing here? There's no verification of the message: Max has opted to just encipher and decipher the text without checking that what was decrypted is what was actually sent. The ciphertext is not authenticated, so a third party can alter it in transit and the recipient's decryption will not detect the change. There are other things to add to this as well (how the key is being used is one problem), but the core issue is that there is no integrity protection on the messages being sent.

Crypter is garbage and should not be used. I've seen bad things before and have ranted on similar topics, but this takes the cake considering the coverage it got.

Closing off and venting

How does Max know that both parties are getting the messages that they intend to get? Of course, this is what he believes:
Talking encrypted with no password (impossible to do with Crypter) is more secure and private than having no password. We doubt Facebook bots are able to decrypt encrypted text (even if the encrypted text doesn't have a password). We built crypter to *help* with internet security similarly to PGP's (*pretty good* encryption) philosophy but our main ethos is actually privacy. We want to make it harder for facebook and the NSA to know what people are saying to each other over Facebook (see more about us on our website www.crypter.co.uk). We are not claiming that this is a 'bullet proof' application and we don't believe we are "reinventing the wheel". We just see it as having put two things together - Encryption and Facebook.
And what does the website say?
It’s human nature to want privacy. In light of Edward Snowden’s Global Surveillance disclosures, people don’t want their messages stored and analysed regardless of whether their topic of discussion is illegal. Crypter can put millions of people at ease.
So what's the difference between "putting people at ease" and then saying that "it's not bullet-proof"?

Of course, TechCrunch sees it this way:

I’d have a hard time trusting my secret tiramisu recipe to any service. Mitchell has created something that is nearly invisible and seems like it might be a good one-off solution to secure communications between friends, reporters, and secret dessert lovers.
The thing that Max Mitchell and the media outlets seem to overlook is that if an adversary is after you, Facebook and similar services will never be able to provide a secure platform to communicate over. If Edward Snowden were using Facebook to chat and was using Crypter, I can promise you that at some point, somewhere, the conversations would be compromised.

There are better solutions out there too. I accused Max of reinventing the wheel and for good reason: why not use OTR? A native JavaScript version has existed for years now and is actively developed. While I lament anything JS-based, it would have been far better than what Max has gone and implemented.

If Max had been paying attention to the whole Edward Snowden fiasco, he'd have known that the secure e-mail service that was centralised in the same way Pulverize is was shut down once the authorities came after further information.

I hope that Max sees the light and stops before he does any further damage.

Tuesday, 5 January 2016

Bank of Montreal has horrible password policies and does not store them securely

One of the things a bank generally touts is some pretty decent physical security controls: a safe in every branch so that valuables cannot be taken without authorization, and some level of identification required in order to make a transaction. That doesn't appear to carry over to some banks' online services, however.

It was brought to my attention that Bank of Montreal (BMO) has a very inadequate password policy for its online banking service: you may only use the letters A-Z and the digits 0-9, to a maximum of six characters, with no special characters such as ampersands or spaces.

This is problematic on its own, considering that anyone with decent knowledge of security would recommend a minimum of 8 characters to start, ignoring the special-characters problem entirely.

A Real Problem

On the surface, BMO's problem seems almost benign: it's a really weak password scheme. However, it gets worse when you start to examine it closely.

One might think that with these restrictions there would be 62^6 possible combinations for that keyspace, or about 56 billion possible passwords, assuming that upper-case letters, lower-case letters and the digits 0 through 9 are all distinct.

However, nothing indicates that this is the case, and in fact we're told that the password is used to access online, mobile, and telephone banking. Here's a picture to illustrate where this becomes a huge gaping problem:

When you sign into your telephone banking, you're prompted for the very same password and are told to enter the password based on the letters on your dialpad. What does this mean? Well here's a list of passwords:

All of these passwords are the same when you use telephone banking, assuming you have the password dialled in as "788743". When you set your password in BMO's online portal, what is being stored is not the password but the digits it will look for when you press them into your phone. So if you were to set your password to "stupid", it would become "788743".

This means that in addition to that password, you could also enter "788743" or any of the passwords in the list above and you'd authenticate just fine. As a result, instead of 56 billion possible passwords it really boils down to a million. BMO claims to have over seven million customers, so there are not many passwords to go around.

I had two BMO customers test this out and they were able to log in with passwords that did not match what they had intended. If you want to try it yourself, make a mental note of your password, look at your telephone keypad, and jumble the letters around based on which digit each character of your existing password maps to.

This is stupid and unfortunately not unique to BMO either, as I have heard anecdotes of other banks in the United States having similar systems in place.

Do any of the big banks do password security right?

TD does. Here's how it looks when you attempt to set a password:

That implies to me that, on the surface at least, they store the password in a sane manner, because I can put anything I want into the field as long as it meets their requirements. Since I am setting this password via a password manager and it's being accepted, everything appears to be in good order.

What does BMO have to say about it?

BMO declined to reply on Twitter about the matter and instead requested that I provide some contact details so they could explain off the record why they have such a lousy password policy.

If you're looking for a major bank in Canada that likely has better online banking security, go for TD or someone else that has taken the time to upgrade their banking services to work in the 21st Century.

Tuesday, 1 December 2015

Internet Identity, Threat Intelligence, and a need for cooperation

As I wrote a few weeks ago, a company called Internet Identity based out of Tacoma, WA decided to engage with me by requesting that information be taken down from Canary. I had considered the matter dropped after having written that entry, but it appears that I had hit a nerve with someone at their organization and received a rather patronizing e-mail earlier today:

Subject: Canary.pw - Credential Gathering and Public Distribution
Date: 2015-12-01 8:52
From: Chris Sills <chris.sills@mail.internetidentity.com>
To: Colin Keigher <colin@keigher.ca>

Hello Colin,

My name is Christopher Sills and I’m an Operations Manager over at IID
and I wanted to reach out to you and discuss the various ways your data
from Canary.pw could be abused.

I fully understand that you’re attempting to create some form of 0-day
search engine for compromised credentials and ideally you would want
major corporations signed up for your platform and attempting to recover
data leaked in dumps you present, however, even that doesn’t do much
to protect the innocent users compromised in your data.

Your service, Canary.pw, can be used as a storefront for distributing
stolen credentials. The only thing a criminal would have to do is submit
samples of their stolen credentials to you, wait for you to host them
and then point prospective buyers to you so they may verify.

Your service also contains many lists of e-mail addresses scraped from
various sources that have likely been used at one time or another as
spam lists. Canary.pw makes aggregating that data less costly and more
efficient in regards to volume of valid e-mail addresses likely still in
use and ready for more attacks.

Additionally, anyone can search for employees of major corporations who
have had accounts using their corporate e-mail address as the username
compromised. The information in your data could then be used to either
blackmail those people or obtain legitimate credentials to corporate
resources (It may be bad security practice, but not everyone uses a
unique password for each unique login).

We (IID) have noticed that leaked data pertaining to our clients is
available within your platform and we would like for you to abandon your
current model of public availability. We would feel significantly
different about your Canary service if you forced all users to have an
account in order to get data and had some form of vetting process to
ensure only Threat Intelligence Services or Professionals had access. We
believe what you’re doing is irresponsible and may cause more problems
than it solves.
If you really want to help the community at large I recommend you reach
out to the NCFTA to discuss their Internet Fraud Alert program
(https://www.ncfta.net/internet-fraud-alert.aspx) or the Canadian Cyber
Incident Response Centre (CCIRC).
Both have a vetted clearinghouse for compromised credentials and will
distribute found credentials back to the involved parties. Something you
don’t seem to readily do at this time.

If you require any assistance with my recommendations please let me know
and I’ll see what I can do to help put you in contact with someone we

Thank you,

Shift Manager of Service Operations
IID _Security Central_

I don't care to respond to this unnecessary e-mail directly because it's going to work out as effectively as me yelling at my radio when a Tory comes on the air to speak their opinion about some socio-economic matter. Instead I am going to point out what is wrong in Chris' and Internet Identity's position on this matter.

Mr. Sills opens up by completely misunderstanding the purpose of Canary, incorrectly assuming that it's "zero-day" and that I built it with the intention of having corporations using the platform. First of all, I am not sure where "zero-day" comes into play but considering that many security firms like to latch on to such terms (including "APT"), it should come as no surprise that it gets dropped inappropriately. Second of all, Canary is intended to be multi-purpose in both being a research tool to correlate breaches and a tool to determine whether or not a person or organization has been compromised.

He then continues to try and place me in the same bed as the attackers, which is highly inappropriate and erroneous. For one thing, the data stored on the site is not readily indexable for search engines to digest: by design you cannot do something like N+1 to grab everything from Canary. Additionally, I do keep track of searches (so no, you're not really anonymous when using it) and I would notice if someone started to bombard the server with far too many requests. Really, the work required to scrape all of the data from Canary would be better spent on just replicating everything I did.

What Chris and IID are failing to understand is this: the barn doors have already been opened and their fix is closing them after the horses have long-since escaped. If the concern is that the data is now available for everyone to see and they're looking to protect their clients, the solution is to not police the information off of the Internet, but instead they need to tell their clients to change passwords and let them know of the risks going forward. Trying to get the Internet to forget things simply does not work.

If we're going to protect users on the Internet, we need to come up with more open systems to alert everyone to what is going on. It simply won't work to contact each user individually, so there needs to be a system in place that anyone can subscribe to. I'll elaborate on what I mean a bit later.

Infuriatingly, they seem to suggest that I should stop allowing anyone to access the data and go through some "vetting process" and to put all data behind a wall. I guess it's only fair that since I called out their seemingly shady business practices that it was acceptable for IID to talk me down further and tell me that I am to make changes on how I operate my service.

This suggestion that I build what is effectively a "walled garden" makes absolutely no sense because I am sourcing the data from services that require no such access to begin with. As I've already pointed out, any person can go on to the sites that I monitor and again start taking the data for themselves and do as they please. Is IID going after other services that publish data it doesn't like to see?

How should I go about vetting people on that note? Besides routinely removing accounts that make use of untrustworthy e-mail services or banning access for those who abuse Canary, I simply cannot determine who's a security or IT professional by asking for them to register. It's time-consuming and is going to do absolutely nothing in terms of preventing whatever problem IID is conjuring.

Of course, when his company is charging money for access to the same data that I am providing, it should come as no surprise that this is the narrative they wish to take, considering that my model is a threat to theirs.

While I cannot speak for IID's prices, I've had other threat intelligence services quote over $150,000 USD for a year of what appeared to be just a glorified list of IP addresses sent to us at a regular interval. Given that they cited Chase Bank as a client in the original complaint, I can only imagine how much that client is worth to them and how much they likely charge their other customers. So when I or anyone else comes on the scene offering a service that effectively undercuts them, I cannot say I am surprised that I'd get this sort of reaction.

And it should be apparent that I am indeed a competitor. Here's an article from Reuters, published this past September where they announced their product "Rapid Insight" (now renamed "Dossier") that seems to do some pretty familiar things:
IID, the source for clear cyberthreat intelligence, today announced the launch of a new threat indicator research tool, Rapid Insight. IID's Rapid Insight allows threat analysts and other security professionals to simultaneously search a dozen or more sources in one place for contextual information about questionable domains, hostnames, URLs, IP addresses, email addresses and more -- providing faster and more accurate responses to cyberthreats.
Rapid Insight allows researchers to simply paste a suspicious threat indicator into the search field found in the Rapid Insight search section of ActiveTrust, IID's big data solution for Internet security. These search strings may be in the form of a domain, hostname, URL, IP address, email address, MD5, SHA1 or SHA256. Rapid Insight checks that information against intelligence found in over a dozen sources, including: Alexa, DNS Lookup, IP Geolocation, Google Custom Search, Google Safe Browsing, IID ActiveTrust, Passive DNS, Reverse DNS, Reverse WHOIS via DomainTools, Virus Total and WHOIS via DomainTools. More sources are scheduled to be added in the near future. 
And this is sort of the problem that companies like IID present to cyber security as a whole: they make their products grotesquely expensive for what is really just stuff they sniffed out on the Internet, no differently than, say, myself, Troy Hunt, and others. Canary does all of the things that "Dossier" does and has an open API, but IID is threatened by it because it offers for free what they charge for.

One of the things I am interested in doing and have been talking about it in closed circles is forming a working group to deal with breaches and other related data. There are many of us out there who have an interest in approaching this from a sane point-of-view and also doing it in a manner where it doesn't require participants to pay an arm and a leg.

Data breach details should be available in a fashion similar to an RBL. Companies like Google and Facebook do keep track of the same data that I do, but for good reason focus only on their own users. Individuals, small businesses, and NGOs have very few options, and forking out six-figure sums to companies is not going to work.

If you're interested in helping me form this idea, please let me know.

Sunday, 29 November 2015

Tassimo T-Disc Barcode Encoding

One of the things I happen to own is a Tassimo coffee machine. It's pretty good compared to a Keurig because it allows for the use of syrup and milk. I do have to admit that from an environmental standpoint, it's pretty awful however. I recommend that if you're using one that you look into recycling the pods, but in Canada it appears that TerraCycle has stated they're no longer accepting them for their programme.

A thing that I was curious about years back was the barcode system and how it worked. I was able to find this page that contained details, but it has since been removed from the Internet and is only available via the Internet Archive. Because I'd like to keep this information readily available for others to see and searchable, I've gone ahead and copied down the details written by the original author.

So going forward none of this is my own, original writing but has been mirrored here for future reference.


What sets the Tassimo apart from similar single-serve machines on the market is the encoding of the brewing parameters for beverages on the surface of the pod (T-DISC) using a barcode that has been encoded using the Interleaved 2 of 5 symbology.

On this page, you will find information related to investigating the correlation between the barcodes on the T-DISCs and the operation parameters for the Tassimo.

Operation Parameters

There are five parameters that comprise a typical Tassimo beverage brewing cycle:

  1. Water Temperature
    • This parameter sets the temperature for the internal boiler prior to brewing.
  2. Cartridge Charge
    • This parameter controls how much/how long the T-DISC contents are pre-soaked prior to brewing.
  3. Beverage Volume
    • This parameter controls the amount of water dispensed for the beverage - depending on the type of beverage, material in the pod, etc. the actual dispensed volume will vary.
  4. Flow Rate
    • This parameter controls the flow of water through the T-DISC during brewing, measured as a percentage.
  5. Purge
    • This parameter controls the final phase of the brew cycle which is used to evacuate or flush the T-DISC. This may be short or long depending on the type of beverage.

Binary Coding

While not definitive, the Tassimo patent application suggests that the data encoded by the barcode can be broken down into 13 bits, which in turn directly control the operation parameters of the machine:

Setting      Bits  Decimal  Parameter
Water Temp   10    2        83C / 181F
             11    3        93C / 199F
Charge       00    0        fast charge w/ soak
             01    1        fast charge no soak
             10    2        slow charge w/ soak
             11    3        slow charge no soak
Purge        00    0        slow flow / short period
             01    1        slow flow / long period
             10    2        fast flow / short period
             11    3        fast flow / long period

Decoding Barcodes

Initially, the process for determining the symbology, and thus the encoding of the T-DISC programs, was uncovered through trial and error that began with using a hacked :CueCat barcode reader to scan the T-DISCs and determine the numbers behind them.

From this exercise, a list of six-digit numbers was compiled and then used as input to a barcode generator to determine the symbology used for encoding.

By comparing generated barcodes with the corresponding T-DISC, it was discovered that Interleaved 2 of 5 symbology was being applied - a common standard.

Next, the codes were broken down into their binary equivalents to try and discern common patterns that may correspond to key parameters like volume of dispensed water.