SANS Holiday Hack Answers

Now that the submission deadline has passed, I can share my answers to the SANS Holiday Hack that I wrote about last month.

Since there are awards for both best technical answer and best creative answer, I chose to go with creative.  I still have a lot to learn in my budding InfoSec career, so I assumed I’d have no shot at writing up the best technical explanation.  As a father of two young children, I’ve read a ton of Christmas stories recently so it seemed like a no-brainer to try and structure my answers like the holiday fairy tale the challenge was based on.

The questions were:

  1. Where did you find the remainder of Snow Miser’s Zone 1 URL?
  2. What is the key you used with steghide to extract Snow Miser’s Zone 2 URL? Where did you find the key?
  3. On Snow Miser’s Zone 3 page, why is using the same key multiple times a bad idea?
  4. What was the coding error in Zone 4 of Heat Miser’s site that allowed you to find the URL for Zone 5?
  5. How did you manipulate the cookie to get to Zone 5 of Heat Miser’s Control System?
  6. Please briefly describe the process, steps, and tools you used to conquer each zone, including all of the flags hidden in the comments of each zone page.

My answers (I’ve omitted the flags from question 6):

Question 1:

Snow Miser was careless with social media, a textbook case for Wikipedia.

A public tweet, his desk was shown.  But in the pic his cover’s blown.

“The URL’s private!”, he may think…

But it’s inverted in his drink.

Question 2:

He was a fan of 90s white-boy rap, (though music lovers knew it was crap)

“IceIceBaby!” was the secret key, but he carelessly left it plain to see.

Just look in the Jay Pee Gee’s properties

To defeat his steganography.

Question 3:

The URL for snow-zone four was encrypted with a simple XOR

But the miser’s mistake, as you can see, was reusing a single key

“Zone four’s old string!!”, he must have cursed

Since the bitwise function can be reversed.

Question 4:

Heat Miser thinks he’s awfully sneaky, but his security model’s pretty leaky.

He thought zone four was locked down tight, but the redirect was not done right.

The location switch function wasn’t run until AFTER the page loading was done.

So anyone who inspects their traffic, can see the info in the packets.

Question 5:

A cookie protected the final site, much to a casual hacker’s delight

The label was clear, a UID.  But how to guess the value correctly?

A ha! It’s just a simple hash, cracked as 1001 in a dash.

A common guess for the administrator…MD5 of 1 and see you later!

Question 6:

Christmas was in trouble again this year, but not from Martians or sickly reindeer

Santa was not quite feeling his best, he wanted to stay in and get some rest

But Mrs. Claus devised a way to ensure a normal Christmas Day.

It’s complicated to put it concisely, but there were two brothers not acting nicely.

They each intended to hack the other, both confident they were the smarter brother.

But now in trouble with their mama, there’s bound to be some Christmas drama.

So now I guess it’s up to me to get a present under every tree.

Hacking Snow Miser:

Zone zero, my journey had begun, seeking a clue for zone number one

Fortunately the address I need was right in Snow Miser’s Twitter feed.

It seems that he carelessly acted, posting a picture that should have been redacted.

With the completed URL in tow, onward to zone one I go!

Here I found a little clue to break into zone number two.

The images on the page are the key…must be steganography!

To unlock the secret with Steghide, a password I must now provide,

Under the mat, look for the key…in this case, check the properties

The comments field, in plaintext, I find the words that I’ll use next

Message decoded, I’m in zone two, what now do I have to do?

Back to Twitter once again, Heat Miser is now my friend

Luckily he happened to find a phone image his brother left behind

With that in hand, it’s easy to see the address for Snow Zone number three.

Now Snow Miser sets the score to break into snow zone number four

The address is given, but it’s encrypted.  Left a critical error, so the key could be lifted.

He showed a different text and the cipher produced, and then the same key he simply reused

Getting the key was hardly a chore, he did nothing more than a bitwise XOR.

Key in hand, the cipher decoded, zone number four was finally loaded.

The final zone was secured a bit wiser, I turned once more to my friend Heat Miser

He Tweeted a tip about a recent excursion, wherein Tim Medin exploits Subversion.

Snow Miser’s directories weren’t secured, and so his change database was quickly procured.

Following along with the directions from Tim, I got to the source code quick as the wind.

Now I could see how the zone had been locked, the hash generated was based off the clock.

Just set the right password at the right time, and suddenly zone five is totally mine.

Now I’ve achieved half my goal, I can disable the chillers at the North Pole

But to complete the task at hand, I’ll start turning the heat down in southern lands.

Hacking Heat Miser:

Now at the site of the hot-headed son, he gave out a clue to unlock heat zone one

It seems quite apparent that Mister Heat Miser was having some trouble with Internet spiders

I just simply typed in robots dot text…can you guess what transpired next?

The address that I sought was there in plain sight!  (and I thought that this hack might have taken all night)

From zone one to zone two didn’t get any harder, it seemed that Heat Miser was not getting smarter

True, in a comment the link wouldn’t show, but the HTML source still has it in tow

Right-click, show source…this security’s a joke!  He could get hacked by a Jersey Shore jamoke.

The security problems seem to repeat, with another case of a careless tweet

Heat Miser’s screenshot brimmed with audacity, but he neglected to check on the window opacity.

Though it was blurry and borderline legible, I was able to tease out the right hexadecimal.

Now from zone three it was hardly a chore, since Heat Miser gives out the link to zone four.

His confidence shows with this info supplied, since a click on the link leads to “Access Denied”

He was mistaken to be quite so cocky, since his poor execution was defeated by proxy.

Loading up Fiddler, my traffic inspector, I found out that he was a bad redirector

The redirect function did not have an exit(), so I still got the data he thought he’d protected

The URL for the last zone was now out, I would surely save Christmas, I hadn’t a doubt.

Once again I saw Heat Miser’s page redirect me, unfortunately now he had done it correctly

Still looking at headers through Fiddler’s display, a cookie was set…that must be the way!

The value I saw was a UID string, but I hadn’t a clue what to do with the thing

Then…Inspiration! It hit like a flash.  This length looks familiar, I think it’s a hash!

To an MD5 cracker I headed with glee, one thousand one was the decrypted UID.

I assumed that the admin ID would be one, I was moments away from my task being done!

Now with the hash I thought would work best, I went back to Fiddler and changed my request

I had saved Christmas! I knew it was true! It returned two hundred and not three oh two.

And so, dear reader you might have one last query.  Who am I, the hacker who kept Christmas cheery?

I’ll give you a hint, though you still might not guess…I can often be seen in a red and white dress.

Did you guess who I am? It’s me, Mrs. Claus!  I can see that the answer has given you pause.

See, the Misers were prone to dropping the ball, so I picked up my phone and made a quick call

I signed up for SANS training classes from home (they never have anything closer than Nome)

With vLive instruction I now had the tools to break into both sites and embarrass those fools.

So now as I help Santa load up his sack,  “Merry Christmas to all, and to all a good hack!”
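The passphrase in Question 2 (and the zone-two stanzas of Question 6) was sitting in the JPEG's comment field. The following is an added example, not part of the original write-up, showing where that field lives in the file: a small JPEG marker walker that pulls out COM segments. The sample image is constructed in code (a marker skeleton, not a decodable picture) and carries the passphrase the write-up names; the file name in the steghide command is a placeholder.

```python
# Added example, not part of the original write-up: reading the JPEG
# comment (COM) segment where the steghide passphrase was left in the
# clear.  The sample file is constructed in code; Snow Miser's real image
# is not reproduced, and the passphrase below is the one the write-up names.
import struct

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every length-prefixed segment up to and
    including SOS.  Entropy-coded scan data after SOS is not walked."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:            # fill byte; the real marker follows
            pos -= 1
            continue
        if marker == EOI:
            return
        if marker in (SOI, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                  # standalone markers carry no length
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            return


def jpeg_comments(data: bytes) -> list:
    """The COM segments, which image tools show as the 'comment' property."""
    return [payload.decode("latin-1") for marker, payload in jpeg_segments(data)
            if marker == COM]


def make_segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(comment=None) -> bytes:
    """Constructed minimal JPEG skeleton: SOI, JFIF APP0, optional COM, SOS
    header, a few bytes of fake scan data, EOI.  Not a decodable picture."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = b"\xff\xd8" + make_segment(APP0, jfif)
    if comment is not None:
        out += make_segment(COM, comment.encode("latin-1"))
    out += make_segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9"
    return out


if __name__ == "__main__":
    sample = build_sample_jpeg("IceIceBaby!")
    print("comments:", jpeg_comments(sample))
    # The recovered string is then the passphrase argument to steghide, e.g.
    #   steghide extract -sf zone1.jpg -p 'IceIceBaby!'   (file name assumed)
```

The same segment walk also surfaces APP1 (Exif) and APPn blocks, which is where `exiftool` finds the other "properties"; a comment field is never part of the steganographic payload, so anything readable there is simply metadata the author forgot to strip.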
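Question 3 and the Snow Miser zone-four stanzas of Question 6 both turn on the same fact: XOR is its own inverse, so publishing one plaintext and its ciphertext hands over the key, and two ciphertexts under one key cancel the key entirely. This added example (not code from the write-up) works that through; the key and the two zone-four strings are constructed placeholders, not the values from the challenge.

```python
# Added example, not part of the original write-up: why reusing an XOR key
# (or any keystream) is fatal.  The strings below are constructed for the
# demonstration; Snow Miser's real key and URLs are not reproduced.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR.  Because x ^ k ^ k == x, the same call both
    encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    """C = P ^ K, so K = P ^ C.  One (plaintext, ciphertext) pair gives back
    every key byte that was used for it (the key repeated to that length)."""
    if len(known_ciphertext) < len(known_plaintext):
        raise ValueError("ciphertext shorter than the plaintext it came from")
    return xor_bytes(known_ciphertext[: len(known_plaintext)], known_plaintext)


def decrypt_with_reused_key(known_plaintext: bytes, known_ciphertext: bytes,
                            target_ciphertext: bytes) -> bytes:
    """Apply the keystream recovered from one message to another message
    encrypted under the same key.  Positions past the recovered keystream
    are unknown and are reported as b'?'."""
    keystream = recover_keystream(known_plaintext, known_ciphertext)
    n = min(len(keystream), len(target_ciphertext))
    recovered = xor_bytes(target_ciphertext[:n], keystream[:n])
    return recovered + b"?" * (len(target_ciphertext) - n)


def key_cancels(c1: bytes, c2: bytes) -> bytes:
    """Even without a known plaintext, two ciphertexts under the same key
    leak P1 ^ P2, because (P1 ^ K) ^ (P2 ^ K) == P1 ^ P2."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


# Constructed demo data (hypothetical key and URLs)
KEY = b"frostbite"
OLD_ZONE4_PLAINTEXT = b"the old zone-four address was example.invalid/old"
NEW_ZONE4_PLAINTEXT = b"http://example.invalid/zone4/new-address"
OLD_ZONE4_CIPHERTEXT = xor_bytes(OLD_ZONE4_PLAINTEXT, KEY)
NEW_ZONE4_CIPHERTEXT = xor_bytes(NEW_ZONE4_PLAINTEXT, KEY)   # same key reused


def demo() -> bytes:
    """Attacker's view: only the old plaintext and both ciphertexts are known."""
    return decrypt_with_reused_key(OLD_ZONE4_PLAINTEXT,
                                   OLD_ZONE4_CIPHERTEXT,
                                   NEW_ZONE4_CIPHERTEXT)


if __name__ == "__main__":
    print("recovered key bytes:",
          recover_keystream(OLD_ZONE4_PLAINTEXT, OLD_ZONE4_CIPHERTEXT)[:len(KEY)])
    print("recovered zone-4 URL:", demo().decode())
    n = len(NEW_ZONE4_PLAINTEXT)
    print("P1 ^ P2 leaks without any key:",
          key_cancels(OLD_ZONE4_CIPHERTEXT, NEW_ZONE4_CIPHERTEXT)
          == xor_bytes(OLD_ZONE4_PLAINTEXT[:n], NEW_ZONE4_PLAINTEXT))
```

The `key_cancels` case is the one worth remembering: a stream cipher or one-time pad is only as strong as its promise never to reuse a keystream, and once two messages share one, crib-dragging a guessed word through `P1 ^ P2` recovers both without ever touching the key.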
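Questions 4 and 5 and the Heat Miser zones-four-and-five stanzas describe two server-side mistakes: a redirect that sets the Location header but keeps rendering the protected page, and a cookie that is nothing more than an unsalted MD5 of a guessable integer. This added example (not the challenge's code) reproduces both in a minimal Python request handler, shows what a proxy such as Fiddler sees in each case, and puts the hardened versions alongside. The zone-5 URL, the `/denied` path, the cookie name and the server key are placeholders; the admin UID of 1 follows the write-up.

```python
# Added example, not from the original write-up: the two Heat Miser mistakes
# as a vulnerable/hardened pair.  URLs, the /denied path and the server key
# are placeholders; the admin UID of 1 follows the write-up.
import hashlib
import hmac
import re
import secrets

ZONE5_URL = "http://example.invalid/heat/zone5"   # hypothetical
ADMIN_UID = "1"


def build_response(status: str, headers: list, body: str) -> str:
    """Serialize a minimal HTTP/1.1 response the way a proxy like Fiddler sees it."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers] + ["", body]
    return "\r\n".join(lines)


def parse_response(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return status_line.split(" ", 1)[1], headers, body


def hrefs_in(raw: str) -> list:
    """What the proxy user reads out of the body, redirect or not."""
    return re.findall(r'href="([^"]+)"', parse_response(raw)[2])


# --- Zone 4: the redirect that did not stop the script ---------------------
def zone4_leaky(authorized: bool) -> str:
    """Mirrors the PHP pattern header('Location: ...') with no exit(): the
    Location header goes out, but rendering continues and the protected
    body is sent along with the 302.  A browser follows the redirect and
    never shows it; a proxy records it."""
    status, headers = "200 OK", [("Content-Type", "text/html")]
    if not authorized:
        status = "302 Found"
        headers.append(("Location", "/denied"))
        # BUG: no early return here, so the page below is still produced
    body = f'<p>Next stop: <a href="{ZONE5_URL}">zone 5</a></p>'
    return build_response(status, headers, body)


def zone4_fixed(authorized: bool) -> str:
    """Hardened: stop immediately after deciding to redirect (PHP: exit())."""
    if not authorized:
        return build_response("302 Found", [("Location", "/denied")], "")
    body = f'<p>Next stop: <a href="{ZONE5_URL}">zone 5</a></p>'
    return build_response("200 OK", [("Content-Type", "text/html")], body)


# --- Zone 5: authorization on an unsalted MD5 of a guessable integer ------
def uid_cookie(uid: str) -> str:
    return hashlib.md5(uid.encode()).hexdigest()


def crack_uid_cookie(cookie_value: str, max_uid: int = 100_000):
    """An unsalted MD5 of a small integer falls to plain enumeration; an
    online cracker does the same lookup against precomputed tables."""
    for n in range(max_uid + 1):
        if hashlib.md5(str(n).encode()).hexdigest() == cookie_value:
            return str(n)
    return None


def zone5(cookie_value: str) -> str:
    """The weak check: whoever presents MD5(admin uid) is the admin."""
    if hmac.compare_digest(cookie_value, uid_cookie(ADMIN_UID)):
        return build_response("200 OK", [("Content-Type", "text/html")],
                              "<h1>Heat Miser Control System</h1>")
    return build_response("302 Found", [("Location", "/denied")], "")


# --- Hardened cookie: a server-side secret makes the value unforgeable ----
SERVER_KEY = secrets.token_bytes(32)   # hypothetical; never leaves the server


def signed_uid_cookie(uid: str) -> str:
    tag = hmac.new(SERVER_KEY, uid.encode(), "sha256").hexdigest()
    return f"{uid}.{tag}"


def verify_signed_cookie(cookie_value: str):
    """Return the uid only if the tag matches; a client cannot mint a tag."""
    uid, _, tag = cookie_value.rpartition(".")
    expected = hmac.new(SERVER_KEY, uid.encode(), "sha256").hexdigest()
    return uid if uid and hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print("leaky 302 still carries:", hrefs_in(zone4_leaky(False)))
    print("fixed 302 carries:", hrefs_in(zone4_fixed(False)))
    print("cracked UID:", crack_uid_cookie(uid_cookie("1001")))
    print("forged admin cookie status:", parse_response(zone5(uid_cookie(ADMIN_UID)))[0])
    print("forged signed cookie accepted:", verify_signed_cookie("1." + "0" * 64))
```

An HMAC-signed cookie stops the forgery, but a random server-side session ID is the more usual fix: the client then holds nothing that encodes the user at all.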


It’s official, Samsung is the new Adobe

I keep thinking “this will be the last time I post about a big security hole in a Samsung product”, but Samsung just can’t seem to stop giving me material.

Here’s two more for the pile:

First, the appetizer:  Samsung Smart TVs can be remotely exploited

This isn’t an Earth-shattering security hole, since there’s not a lot of valuable data on most Internet-connected TVs.  However, it could be used against a TV installed in a company’s waiting area.  Then imagine the attacker installing a bit of code that lets him pivot from the TV to probe the company’s network for other vulnerabilities.  Did the IT department sequester the TV on its own subnet, or is it just plugged in with everything else?

Now, the main course:

Lax security on Samsung’s mobile processor allows for complete memory access

This one’s really bad.  If the reports are accurate, a kernel interface exposes the device’s memory with essentially no access control, so a maliciously crafted app can read and write it and completely take over the phone or tablet.  Details are still emerging at this point, but a patch needs to be issued immediately.  Of course, being an Android issue, the patch will take anywhere between two and eight months to be approved for release by the carriers.

I hadn’t planned on getting any Samsung devices in the near future, but now I’m certain to avoid them.


Mid-December updates

Well, now that I’ve taken a little break, it’s time to start updating again.

First, if anyone is interested in security challenges, the SANS 2012 Holiday Challenge is running through Jan. 6.  I’m submitting an entry because unlike many security challenges…”I want a challenge I can do!” (Lisa Simpson).

I’ve still got one more piece left before I complete it, but I found this challenge to be a nice blend of basics and more advanced techniques.  There are also enough hints sprinkled around that you generally know what your next steps entail.  After the challenge is over I’ll post my answers here.  (I’ve decided that my best chance to win is through the “most creative” answers.  I think they’ll be a fun read.)

In other news, last week a Frankenstein’s monster of computing was unveiled that can crack most passwords in a typical workday.

25-GPU cluster cracks every standard Windows password in <6 hours

As most articles about this have mentioned, the problem is that general-purpose hash functions (the MD4-based NTLM hash that Windows uses, MD5, SHA-1) were designed to be fast, and GPUs put that speed to work for the attacker: as hardware advances, brute-forcing passwords hashed this way becomes more and more trivial.  Systems need to migrate to deliberately slow, salted password-hashing functions like bcrypt, whose work factor can be raised as hardware gets faster.  In normal usage, the slightly slower processing when a user logs in will be unnoticeable, but the effect on a brute-force attempt is huge.  If we take the top quoted speed of 350 billion NTLM guesses per second and compare it to the quoted speed for bcrypt (71,000 guesses per second), the attacker’s guess rate drops by 99.99998%.

That’s more effective than Lysol.
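To put numbers on the paragraph above, here is an added example (not from the original post) that measures the fast-versus-slow gap on the machine it runs on and works the article's two quoted rates through to cracking times. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the slow, tunable hash and MD5 for the fast one; the 350 billion and 71,000 guesses-per-second figures are the article's, and the 95-character, 8-position keyspace is an assumption used for the worst-case arithmetic.

```python
# Added example, not from the original post: measuring why a deliberately
# slow password hash changes the cracking arithmetic.  bcrypt is not in the
# Python standard library, so PBKDF2-HMAC-SHA256 stands in for it as the
# slow function and MD5 for a fast NTLM/MD5-class hash; the 350 billion and
# 71,000 guesses/second figures are the ones quoted in the article.
import hashlib
import os
import time

FAST_RATE_QUOTED = 350e9      # NTLM guesses/s on the 25-GPU cluster (article figure)
SLOW_RATE_QUOTED = 71_000     # bcrypt guesses/s on the same rig (article figure)
SALT = os.urandom(16)         # per-user random salt; constructed here


def fast_hash(password: bytes) -> bytes:
    """General-purpose hash: built for speed, so cheap for attackers too."""
    return hashlib.md5(password).digest()


def slow_hash(password: bytes, iterations: int = 50_000) -> bytes:
    """Iterated, salted password hash; the cost parameter is tunable, as
    bcrypt's work factor is."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, iterations)


def guesses_per_second(hash_fn, sample: bytes = b"hunter2", seconds: float = 0.2) -> float:
    """Time how many candidates one core can try in `seconds`."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(sample)
        count += 1
    return count / (time.perf_counter() - start)


def cracking_reduction(fast_rate: float, slow_rate: float) -> float:
    """Fraction of attacker throughput lost by switching hashes."""
    return 1.0 - slow_rate / fast_rate


def exhaustive_search_seconds(rate: float, alphabet: int = 95, length: int = 8) -> float:
    """Worst-case time to try every password of `length` over `alphabet` symbols
    (95 printable ASCII characters, 8 positions, assumed for the example)."""
    return alphabet ** length / rate


if __name__ == "__main__":
    fast, slow = guesses_per_second(fast_hash), guesses_per_second(slow_hash)
    print(f"this machine, one core: md5 {fast:,.0f}/s, pbkdf2 {slow:,.0f}/s")
    print(f"article figures: {cracking_reduction(FAST_RATE_QUOTED, SLOW_RATE_QUOTED):.7%} fewer guesses")
    print(f"8-char printable ASCII at 350 billion/s: "
          f"{exhaustive_search_seconds(FAST_RATE_QUOTED) / 3600:.1f} hours")
    print(f"same space at 71,000/s: "
          f"{exhaustive_search_seconds(SLOW_RATE_QUOTED) / 86400 / 365:.0f} years")
```

The 8-character worst case lands at roughly 5.3 hours at the fast rate, which is the "<6 hours" in the headline, and at roughly three thousand years at the bcrypt rate. The salt matters as much as the slowness: it forces the attacker to run the slow function once per guess per user, rather than once per guess for the whole dump.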

Holiday break

I made it.

A post every day in November (with a few backdated after missing the midnight deadline).

It seems like this should be an easy thing to do, but it was a tough exercise. Writing is a slow process for me, and I think forcing myself to do this has helped me a lot. I’m more decisive as a writer and getting better at identifying topics I can write about.

So while I won’t be on a daily post schedule going forward, I hope to be writing more than I was before this month. For now, I’m taking a break for the holiday season. I’ll get a post in here and there, but I think December will be a light blogging month.

Happy holidays to everyone out there, and if you get any shiny new technology for Christmas (or Hanukkah, or Kwanzaa, or Festivus, etc.), may it not send your personal data to an Eastern European crime syndicate.

Sure, here’s my password!

I came across a fun new site today.

The link is safe to click on but under no circumstance should you enter any real passwords that you use.

While the site claims “there simply was nowhere on the web a person could go to find out if their password had been stolen”, there have absolutely been sites to check if you were impacted by a specific breach. One thing those legitimate sites had that this one doesn’t was some transparency. For example, I could see that the JavaScript on those pages encrypted the password on the client side before being sent to the server to be checked against a list of hashes.

Another thing they did was use https.

This one does neither and is highly dangerous. I’ve been poking at the site to see if there was any way to find out what it was doing, but found nothing conclusive to this point. After submitting data it reports that it checked against some number of records, but that number fluctuates wildly and is clearly just a randomly generated number. So at best, whoever is running this site is playing a poorly thought out joke on the visitor.

More troubling is the likelihood that they are harvesting user credentials to perpetrate fraud and/or identity theft.

Even if the site is not writing the entered credentials into a database, it is still transmitting the username and password in plaintext over HTTP, which is a major security risk in itself.

I brought this up on the #misec IRC channel (freenode), and a great idea that came up (I cannot remember whose idea this was, sorry!) was to set up a dummy account and pass those credentials to the site. Then you wait to see if the account is accessed and where it is accessed from. That would prove the site is stealing passwords, and potentially lead you to the parties responsible.

SC Tax data breach details

I didn’t write anything about it at the time, but there was a major breach of South Carolina taxpayer data a few months back. Mandiant’s report about the attack is now available.

Reading through the findings gives us a few takeaways. First, the initial compromise appears to have come from a user’s machine being infected with malware delivered by a phishing e-mail. Users need to be aware of threats that may come to their inbox and how to deal with them. (Succinctly put by @jadedsecurity – Don’t Click Shit!)

I haven’t looked at email security systems in a while, but if none are doing so, I’d like to see someone develop a system that looks at the links inside emails and disables suspicious-looking ones. Since attachments are very frequently scanned, attackers are more likely to send malware through links nowadays.

The other big takeaway from the report is how long the attacker spent gathering information and staging everything before the data was actually stolen. With better monitoring in place, the initial breach might have been detected and contained before any damage was done.

Oops, how did that get there?

Usually I’m writing about security of digital property, but it’s important not to overlook physical security as well.

For example, just because those documents with sensitive information were shredded, that doesn’t mean it’s alright to dump them out in the street.

They are still investigating what exactly went wrong here, but when destroying documents that are not meant to be seen by anyone, try to use fire. It tends to make any information on the document completely unrecoverable.

Hypothetical hacking: Vol. 1

This was another long travel day, so this is going up late.

I decided to start a thing on this blog. Hypothetical hacking is where I’ll think through a theoretically possible attack on something that has not yet been attacked (to the best of anyone’s knowledge).

As I was driving home, I thought about how I could possibly write a blog post and drive at the same time and I naturally thought of dictating it to my phone. Voice controls are a fast developing area with Apple’s Siri and Google’s own offerings becoming marquee features. It got me wondering as to how exactly these services work and how well secured they are.

I’ll just focus on Siri for now. A group of researchers dissected the service by installing their own certificate on the phone so they could intercept its traffic. This tells us that in practice the service is secured with TLS, and unless you specifically break the trust settings on your iPhone, your Siri requests will go directly to Apple’s servers.

The interesting thing from this research was that they found the voice recording was encoded, compressed, and sent to the server. I suspected this was the case, since they need to collect different voice data to properly understand every accent and dialect, but I wasn’t 100% sure. Knowing this now, I got to thinking about how this could be exploited.

This would have to be a highly targeted attack, with a huge bankroll behind it. It’s probably better suited for a Hollywood screenplay than a real life situation, but it is theoretically possible, and that is the point of these posts. Our target is an extremely important person, high up in government or some industry where there are highly secured areas. One area this person has access to is guarded with a voice recognition system*.

In order to gain access, our attackers need the victim’s voice recorded saying a variety of phrases which could be required by the system. They learn that the victim utilizes Siri, and hatch a plan.

They are going to harvest Siri requests over the course of several months, and build a database of the victim’s voice. There are two ways to go about it. One would be to gain access to Apple’s servers directly, either by getting employed there or coercing a current employee with access to Siri’s database. The other would be to alter the DNS settings and trusted certificates on the victim’s phone, much like the security researchers did. Perhaps they would prepare an otherwise identical phone to the victim’s (if they hacked into his iCloud backups, they could easily restore all expected contacts and apps), and swap it when the original is left unattended for a moment.

Now they collect the data they need and strike when ready.

*Here is an easier way to break a voice control system. (Last two paragraphs)

More sneaky malware tricks

This is the perfect time of year to spread malware via email. A bogus invoice like the one here will likely catch a few victims. Some people will be expecting an invoice like this and click a link to follow up on it; others will notice the charge and believe they may have had their credit card stolen through a recent holiday purchase. They might also click the links to protest the charge.

Pay close attention to where your email comes from, and where any links go to.
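The link-checking system wished for in the SC tax breach post above, and the advice here to look at where each link actually goes, both come down to the same handful of checks. Here is an added example, not from either post, that runs them over the links in an HTML message: a bare IP address as the destination, a punycode (lookalike) hostname, the sender's domain embedded inside some other host, and link text that shows one host while the href goes to another. The sample invoice e-mail, its sender and every host in it are constructed placeholders; the two-label "registrable domain" rule is a simplification stated in the code.

```python
# Added example, not from the original posts: a first-pass filter for the
# links in an incoming HTML e-mail, flagging the tricks a bogus invoice
# relies on.  The message below is constructed; the sender and hosts are
# placeholders, not real domains.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL, or of URL-like text such as 'shop.example/invoice'."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels.  Simplification for the example; production code
    should use the public suffix list so that e.g. co.uk is handled."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_findings(href: str, text: str, sender_domain: str) -> list:
    """Reasons this link deserves suspicion (empty list means none found)."""
    findings = []
    host = host_of(href)
    if not host:
        return findings
    if is_ip_literal(host):
        findings.append("destination is a bare IP address")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (lookalike) hostname")
    if sender_domain in host and registrable(host) != registrable(sender_domain):
        findings.append(f"sender's domain embedded in a different host: {host}")
    if "." in text or "://" in text:
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but href goes to {host}")
    return findings


def scan_email(html: str, sender: str) -> list:
    """Return [(href, findings)] for every link in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    return [(href, link_findings(href, text, sender_domain))
            for href, text in collector.links]


# Constructed sample: a fake holiday invoice with two bad links and one good one.
SAMPLE_SENDER = "billing@shop.example"
SAMPLE_EMAIL = """
<p>Your order #48213 has been charged $489.00.</p>
<p>View it at <a href="http://shop.example.evil-host.example/invoice">http://shop.example/invoice</a></p>
<p>Not you? <a href="http://203.0.113.5/dispute">Dispute this charge</a></p>
<p>Questions? <a href="https://shop.example/help">Help center</a></p>
"""


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL, SAMPLE_SENDER):
        print(href, "->", "; ".join(findings) or "no findings")
```

A gateway that rewrites flagged hrefs to a warning page, rather than dropping the message, gets most of the benefit without the false-positive cost; the checks above are the cheap static ones, and a real system would add reputation lookups on the destination host.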