Thursday, July 23, 2015

Hacking Team iOS Malware

I've seen quite a few tweets about the Hacking Team iOS malware.  Specifically, I was reading this blog, today.  https://blog.lookout.com/blog/2015/07/10/hacking-team/

It's interesting, because months ago, I was wondering if iPhones could be targeted from apps/programs installed on the computer, and vice versa.  One could create malware that infects one via the other.  The reason that I thought this was because I was reading an article about USB devices being trusted, completely, by a computer.  If you really get down to it, isn't that what a mobile device is?  A storage device with a little more capability? 

The blog states this:

"It appears there are three ways Hacking Team could get its spyware onto iOS devices:
An OS X app sideloads an iOS app automatically to a device when it’s plugged in via USB. This also appears to be bundled with a jailbreak exploit that may work on older versions of iOS.
There is a Windows desktop app that appears to do the same.
By clicking on a link to download from a website, email, etc. on the mobile device"

Phones and other mobile devices are an excellent avenue of attack.  How many of us are running some sort of security suite on our mobile devices?  Hardly anyone.  What kind of things do many of us do on our mobile devices?  Banking, buying things, checking our healthcare status, etc.

Fortunately, according to the blog, this attack appears to require physical access.  However, they also state:

"With this specific attack, we believe physical access to the device was required, but Hacking Team’s possession of an enterprise certificate means that there’s the potential for other flavors of this attack that could be delivered via a web browser (drive by download), phishing email or other remote means."

The blog also states that iOS prevents the third-party keyboard from capturing a password as it is typed, but in many cases passwords aren't that difficult to figure out once one has the user name, since the tool can grab e-mails.  Sometimes the passwords are in the password reset notifications.

"It’s important to note that Apple does have some safeguards built into its third party keyboard support, which does not allow the keyboard to run in a field that is marked as a password field, so this tool won’t be able to steal passwords from properly implemented apps and websites, but it can be used to steal usernames, contents of emails, and other sensitive data."

I fear that, if it hasn't been done already, malware creators will find a way to make these exploits persistent.  What I mean by persistence is making sure that once it's on the phone, it stays there, regardless of user intervention.  I'm not well-versed in how these work, but couldn't one simply uninstall the malware from the device in this particular case?  I guess that if they have the app/program on the computer, it could just re-install itself.  Users could get rid of the app or program on the computer, though, and then it shouldn't be a problem.

The blog has decent advice about mobile security best practices.

"And, here are some general tips for staying safe:
Keep a passcode on your phone. A lot of spyware sold on the market requires that the attacker have physical access to the target device to install the software. Putting a passcode on your phone makes it that much harder for them.
Don’t download apps from third party marketplaces or links online. Spyware is also distributed through these means. Only download from official and vetted marketplaces such as the Apple App Store and Google Play. 
Don’t jailbreak your device unless you really know what you’re doing. Because jailbroken iOS devices are inherently less protected, they are more vulnerable to attack when security protection measures aren’t properly enabled.
Download a security app that can stop attacks before they do harm. Lookout does this, but if you’re not a Lookout user, ask your security provider if they detect Hacking Team and other forms of spyware."

I would also like to note that if your phone has a fingerprint reader, you should set a long PIN and use the fingerprint reader for ease of logging in.  The smudges on the phone make it easy to see what the numbers are, and people can see you entering the PIN.  If you're using a 4-digit PIN, those PINs are fairly trivial to guess if you know the numbers that they are using.
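To put a number on the point above, here is an added example (not part of the original post) that counts how many PINs remain possible when smudges reveal which digits were used but not their order or how often each was pressed.  It assumes only that the observed digit set is exact; the PIN lengths and digit counts in the sample call are constructed for illustration.

```python
from math import comb


def pins_using_exactly(digits_seen: int, pin_length: int) -> int:
    """Number of PINs of length pin_length that use every one of the
    digits_seen observed digits at least once and no other digit.

    This is the count of surjections from pin positions onto the digit set,
    computed by inclusion-exclusion.  Assumes the smudge reveals the digit
    set exactly (assumption for this example)."""
    if digits_seen < 1 or digits_seen > pin_length:
        return 0
    return sum(
        (-1) ** j * comb(digits_seen, j) * (digits_seen - j) ** pin_length
        for j in range(digits_seen + 1)
    )


def smudge_reduction(digits_seen: int, pin_length: int) -> dict:
    """Compare the full keyspace with what is left after the smudge leak."""
    full = 10 ** pin_length
    remaining = pins_using_exactly(digits_seen, pin_length)
    return {
        "pin_length": pin_length,
        "digits_seen": digits_seen,
        "full_keyspace": full,
        "candidates_left": remaining,
        "fraction_left": remaining / full,
    }


def total_over_all_digit_sets(pin_length: int) -> int:
    """Sanity check: summing over every possible observed digit set must
    give back the full keyspace 10**pin_length."""
    return sum(
        comb(10, k) * pins_using_exactly(k, pin_length)
        for k in range(1, min(10, pin_length) + 1)
    )


if __name__ == "__main__":
    # Constructed scenario: four distinct smudges, 4-digit vs 6-digit PIN.
    for length in (4, 6, 8):
        r = smudge_reduction(4, length)
        print(f"{length}-digit PIN, 4 digits seen: "
              f"{r['candidates_left']} of {r['full_keyspace']} remain")
```

With four distinct smudges a 4-digit PIN has only 24 orderings left, while a 6-digit PIN built from the same four digits still has 1560 candidates and an 8-digit one over 40,000, which is the reason for preferring a longer PIN with the fingerprint reader for convenience.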

Tuesday, July 21, 2015

Insecure Control Systems

My spouse sent me an article today:  http://www.dailydot.com/technology/commadore-amiga-computer-school-air-conditioning/.  I read the article, and it scares me.  The article states that an old Commodore Amiga machine controls the heat and air conditioning of the district's schools.  This is one of the most fearsome sections in the article:

"It's one of those features, the 1200-bit modem and a wireless radio signal, that makes it possible for the ancient hardware to communicate with the district's schools.  Though the radio signal allows the Amiga to get status checks, toggle boilers, fans, and the like in a matter of seconds, it also communicates at the same frequency as the walkie-talkies used by the maintenance department. This creates occasional interference and requires the maintenance crew to shut off their radios for up to 15 minutes at a time."

I noted that the old machine needs to be replaced.  Some people would say, "Why get rid of something that works?" 

Here is why:  My spouse and I were conversing, and he mentioned that the Amiga is transmitting a wireless frequency.  Since this machine was made in the '80s, the wireless signal may not be encrypted.  Anyone with a wireless sniffer, like aircrack-ng, could sniff this traffic and potentially inject commands, which means that they could control the heat and air conditioning.  Once they have control over the heat and air conditioning, they could cause the boilers in the schools to explode by changing the settings.

People wonder why someone would target a school.  There are a few reasons that I can think of.  I'm sure that there are more.
One)  A disgruntled employee with technical knowledge wants to get revenge because they are not getting the pay that they would like, or they've been fired.
Two)  A disgruntled student isn't happy with being in school for some reason: bullying, no one is dating them, they're mentally unstable, etc.
Three)  A terrorist, who can have one of many reasons to do such a thing.

There was money set aside to pay for replacing the machine.  The school opted to take care of other projects instead.  I can't say that I blame them, given the information that they had: replacing boilers and roofs and removing asbestos was important at the time.

"It was expected the outdated system would be replaced in 2011 when voters passed a "Warm Safe and Dry" bond to release money to the district schools for upkeep and maintenance purposes. Because the computer was still functioning just fine, it didn't make the list of projects. Instead, the money was spent replacing boilers and roofs and removing asbestos."

So, it wasn't a matter of not having enough money in the budget; this just wasn't a priority.  There needs to be more awareness raised about the dangers of unsecured control systems.  Even if they don't think that they are a target, they could be.

At least they mention planning on replacing it now... if a $175 million bond for school spending is passed.

"A new system will cost up to $2 million, and will be installed if voters pass a $175 million bond for school spending."

Lastly, if this school has an ancient machine running its control systems, it makes me worry about what other control systems are being controlled by ancient machines and how secure they are.

Monday, July 20, 2015

Picoctf 2014 Snapcat :)

Snapcat

We were given a corrupted disk image.  We were supposed to get information off of it.  I looked at the disk image using a hex editor and noticed that it had pictures on it: I saw JPEG headers.  So, I used a program called Foremost on my SIFT VM to carve the images out of the disk.img file.

$ foremost -t jpg -o ~/Desktop -c /etc/foremost.conf disk.img

-t: specifies what type of file I want carved out.
-o: specifies the directory where I want the output files.
-c: specifies where the foremost config file is.
disk.img is the name of the image that I was carving files out of.
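The header/footer carving that foremost does for JPEGs is simple enough to show in a few lines.  The following is an added example, not code from the original post or from the Foremost project: it scans a constructed disk image for the JPEG start-of-image marker, takes everything up to the next end-of-image marker, and writes each hit out under a file name derived from its byte offset (foremost's own naming and size limits differ; the sample image and the output directory are assumptions for this example).

```python
from pathlib import Path

# JPEG start-of-image (FF D8 FF followed by a marker byte) and end-of-image.
SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"


def build_sample_image() -> bytes:
    """Constructed 'disk image': filler bytes with two minimal JPEG-like
    blobs embedded at different offsets (not a real picture)."""
    jpeg1 = SOI + b"\xe0" + b"JFIF-payload-one" + EOI   # 22 bytes
    jpeg2 = SOI + b"\xe1" + b"Exif-payload-two" + EOI   # 22 bytes
    return b"\x00" * 64 + jpeg1 + b"\xaa" * 100 + jpeg2 + b"\xff" * 32


def carve_jpegs(data: bytes, max_size: int = 20 * 1024 * 1024) -> list:
    """Header/footer carving in the style of 'foremost -t jpg'.

    Returns a list of (byte_offset, carved_bytes).  A header with no footer
    within max_size bytes is skipped, so one corrupt image does not swallow
    the rest of the disk."""
    found = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            break
        end = data.find(EOI, start + len(SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1          # no usable footer: move past this header
            continue
        end += len(EOI)
        found.append((start, data[start:end]))
        pos = end                    # resume after the carved file
    return found


def write_carved(found: list, outdir: Path) -> list:
    """Write each carved blob as <offset>.jpg and return the paths written."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, blob in found:
        path = outdir / f"{offset:08d}.jpg"
        path.write_bytes(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    image = build_sample_image()
    hits = carve_jpegs(image)
    for offset, blob in hits:
        print(f"JPEG at byte offset {offset}, {len(blob)} bytes")
    # Output directory is an assumption for this example.
    print(write_carved(hits, Path("carved_out")))
```

On the constructed image this finds two files, at offsets 64 and 186.  Real carving tools also validate the bytes after the header and cope with fragmentation, which is why foremost's configuration file exists; this example only shows the marker search that makes the JPEG headers visible in a hex editor in the first place.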

One of the pictures that was output had this flag.

i_can_has_cheezburger

Being Ethical

I post about pen-testing and digital forensics challenges that I do.  I think that that can give the wrong impression of the kind of person that I am. 

I don't like "hacking" in the derogatory sense.  It is morally wrong when you harm other people or cause their machines to malfunction.  Someone stole my identity when I was younger, and I remember all of the hoops that I had to jump through to put my life back together.  I don't wish that kind of harm on another person.

It's also unethical.  I analyze risk.  If someone is caught doing something wrong, it makes them untrustworthy.  That means that they could be blacklisted from getting hired anywhere.  I don't think that hacking someone without permission is worth that risk. 

I like doing the challenges because they are like puzzles to be solved.  Nothing more than that.  I've always liked solving puzzles.  Right now, it's a hobby that I enjoy. 

Some day, I hope to get into the field.  I'm not sure exactly which area yet.  There are many areas in the field of computer security.  Right now, I'm just learning a little bit of everything that I can.  Pen-testing and defense, for instance, are two sides of the same coin, according to Ed Skoudis.  How can you defend a network if you don't know the avenues that are available to exploit it?  So, even though I'm learning some pen-testing, it could be relevant to defense and vice versa.

Friday, July 17, 2015

What Did I Learn From My First Live Cyber Challenge

I’m writing this post in hopes that it helps people who are afraid to try these cyber challenges because they think that they don’t know enough.

I got into this challenge, not necessarily because of my knowledge, but because of my ability to find answers when I need them.  I could read a little code, I could understand a little bit about what was going on, but I can’t write code very well anymore.  It’s been 9 years since I graduated college.  As anyone knows, in tech time, that’s a long time.  There are version changes and new languages being made.  Sure, the basic things that I had learned still apply, but it’s not exactly the same.  I’ve been out of the workforce for nearly that long as well.  So if you’re in that same boat, don’t let it discourage you.

You’d be surprised how much progress in learning I’ve made since I started doing these online cyber challenges and this live challenge, just by giving them a shot.  My first attempts weren’t very elegant.  So just try them; you might surprise yourself.

Once you make it to a camp:

Listen to the instructors.  This seems obvious, but sometimes we get distracted by minor glitches, like having connectivity issues, or taking notes, so we don’t pay attention to their message. 

Take advice from other students and the TAs.  Another student who was more experienced than I told me not to worry so much and to open Notepad or bring a notebook and make notes of page numbers of important info as we go along.  He’s absolutely correct.  Indexing is a great idea.

Use every avenue within legal means.  I tried a little social engineering and recon before the challenge.  I'm going to put a disclaimer on this.  This does not mean send a phishing e-mail to your instructor and attempt to own their machine.  This means: ask them what they've been reading.  Ask them what projects they've been working on; ask them what CTFs they've done before.  Here is why.  People are busy.  Many times, they will reuse material from things that they are working on, reading, or doing.  Sometimes, they even reuse the same challenges.  If you've read my previous blog posts, Shmoocon and the SANS 2014 Brochure challenge were pretty much the same with minor changes.  Yes, the target may say, “No, I can’t help you,” but it never hurts to ask in a respectful manner.  You never know, they may go for it because that is part of the lesson that they are trying to teach you.  Know human behavior.  If they aren't willing to answer, read their blogs.  You can usually find those things on their blogs.

DO NOT SKIMP on RECON and SCANNING. People quickly dismiss this part of the process without realizing that the creators of the challenge will make the contest much like the real world.  People in the real world make mistakes.  If you focus on the exploits, you’ll never see the easy solutions sitting right in front of you.  Sure, it feels awesome to pop that first shell, but in the real world, we are on a time-limit, we have a scope of what we are allowed to do, and we can’t afford to chase down exploits that could easily be accomplished in other ways like finding a plain text password from a search of user logs that takes about five seconds.  During my research last night, I uncovered this blog:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Notice that many of the privilege “exploits” are actually just social engineering, in other words, knowing human behavior.

I also looked up one of the hostnames because people commonly name their machine whatever OS they are running, and/or the version number.  I didn’t understand the significance of it until today.  I wasn’t entirely wrong.  I just didn’t think that I had all the info that I needed.

I looked up the other OS versions, as well, looking for vulnerabilities for those particular OS's.  If you have notes, for heaven’s sake, share them.  I was so nervous today, that I forgot to share my research.  I spent a long time last night doing research, and that effort wasn’t exactly wasted, because I learned, but it could’ve been more useful. 

Don’t expect metasploit to find everything for you.  You can help narrow down results the night before.  I suggest not waiting until the last night to study and research.

Know your tools.  There were a couple of questions I'm sure that we could have found the answer to if we knew how to use the tools.  We were okay with the tools we learned in class, but lacked skills in other useful tools.

When you find out who your teammates are, make a plan of attack.  Find out what each other's strengths and weaknesses are, and play to your strengths.  I suggest having each person take one section of what you have learned and research it extensively.

On the Challenge Day, listen to what the instructors and challenge creators say.  I know, you want to dig right in, but sometimes they give hints on challenge days that you may miss if you’re trying to attack.  Their first advice, go for the low hanging fruit.  Don’t spend hours going into the machine and trying to do the exploits because you might end up losing a lot of points if you’re chasing a tangent that may or may not be the correct solution.

CTFs (any of them, so I'm not giving anything specific away) have different sections.  Pick a section that you are good at and go for it.  That being said, plan with your teammates on who does what, accordingly.  You do not want to waste time answering the same questions.  It only counts for points one time.

Google your heart out.  You may find the answer that way.

Don’t give up.  Keep trying until that last call.  You may learn something in the process.

Cyber Camp CTF

I survived this week and the ctf.  I'm not allowed to give out any answers for this until the other challenges have been done.  I was fortunate to be assigned to a team of brilliant people.  We ended up in 3rd place.  We were all first year Cyber Camp CTF Competitors, meaning that this was our first time attending this event.  Other teams had the advantage because it was their second+ year.  Thanks for doing such an excellent job, guys!  Thanks to the creators for such a great ctf.  Thanks to the instructors and everyone who took time out of their jobs to run the event.

I was a little disappointed with myself.  The guys knew a bit more Linux than I did, so I stayed off of the boxes and manned the scoreboard, trying to get little 5, 10, and 15 point questions.  Some of the guys didn't have the online challenge experience that I had, though, so I should've at least checked out the file systems because even though I might not know that much, I may know that one thing from other challenges that I have done that would answer higher point questions.  My reasoning for staying off the machines:  We had a limited amount of resources, so I didn't want to slow down their attempts to scan or attack.  There are also a couple of questions that I knew the answer to, but didn't trust myself to answer properly, so I wasted time googling, even though I knew the answer.  Alex Rams told me to believe in myself.  I should've taken his advice.  I'm still happy with the result, but unhappy that I didn't challenge myself this time around.  I had to think of what was best for the team though, and sometimes, what's best is to be the research person.

I think that this challenge was well worth the investment that my family made in it.  I have new resources to hone my skills.  I met a lot of interesting people.

Tuesday, July 14, 2015

Cyber Camp-Day 2

Today was a decent day.  I had a connectivity issue with a couple of my VMs because I had to use a bridged connection in VMware Fusion.  I'm using a Mac.  That was a headache.  Fortunately someone helped me figure it out.  Thanks, person who I-don't-know-if-you-want-a-shout-out-or-not.  Also, thanks to the other person who helped me change the config files yesterday to facilitate communication via my VMs.  That course, yesterday, was made for Windows hosts.

I thought that I would post for future me or anyone else who may find it useful.

In order for the bridged connection to work for my VMs, I had to go to:
1). Virtual Machine Settings > Network Adapter > Wi-Fi > Adapter
2). System Preferences > Advanced button
3). Set the elevator box to "Manually"
4). Type in an IP address in the same range as my VMs' network IPs
5). Type in the same subnet mask as my VMs
6). Make sure that the Wi-Fi is connected to a wireless access point and is on

Then I followed the directions in my lab to set the IP's and subnet masks of the VM's.

Note:  It does not have to be a Wi-Fi adapter.  Later I configured a wired adapter in the same manner.  The key is to make sure that whatever medium you are using is plugged in to a working port on a network switch or that the Wi-Fi is connected to a wireless access point.  Also, make sure that your VM firewalls and host firewalls are not getting in the way of communication.
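The part of the procedure above that is easiest to get wrong is "same range, same subnet mask".  Here is an added example (not from the original post or from VMware) that checks a host address against a list of lab VM addresses and reports which ones actually share the host's network and whether the host address collides with a VM.  The addresses and netmask are constructed sample values, not the lab's real ones.

```python
import ipaddress


def same_subnet(host_ip: str, vm_ip: str, netmask: str) -> bool:
    """True when both addresses fall in the same network under netmask.
    netmask may be dotted (255.255.255.0) or a prefix length (24)."""
    host_net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    vm_net = ipaddress.ip_interface(f"{vm_ip}/{netmask}").network
    return host_net == vm_net


def check_lab(host_ip: str, netmask: str, vm_ips: list) -> dict:
    """Classify each VM address relative to the bridged host address.

    Returns {vm_ip: status} where status is one of
      "ok"                : same network, distinct address
      "address_conflict"  : the VM uses the same address as the host
      "different_subnet"  : host will not reach it without a router
    Also rejects the host picking a network or broadcast address."""
    host_iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if host_iface.ip in (host_iface.network.network_address,
                         host_iface.network.broadcast_address):
        raise ValueError(f"{host_ip} is the network or broadcast address")

    report = {}
    for vm in vm_ips:
        if ipaddress.ip_address(vm) == host_iface.ip:
            report[vm] = "address_conflict"
        elif same_subnet(host_ip, vm, netmask):
            report[vm] = "ok"
        else:
            report[vm] = "different_subnet"
    return report


if __name__ == "__main__":
    # Constructed sample lab: host manually set to 10.10.10.1/24 in the
    # macOS network pane, three VMs configured per the lab directions.
    result = check_lab("10.10.10.1", "255.255.255.0",
                       ["10.10.10.10", "10.10.10.20", "10.10.20.30"])
    for vm, status in result.items():
        print(f"{vm}: {status}")
```

A "different_subnet" result is the symptom described in the post: the adapter is up and bridged, but the host's manually typed address does not match the VMs' range, so nothing answers.  The firewall caveat from the note still applies even when every VM reports "ok".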

After that the course went fairly smoothly with the exception of one minor glitch that was not my fault.  One lab went pear shaped when we couldn't connect to the machines that we were supposed to.  They got it up and running fairly quickly.

These courses seem to be previews for SANS courses.  It's nice that we are doing different courses each day, but there is some material that I wish we had time to study more in depth.

Monday, July 13, 2015

Cyber Camp-Day 1

Today was an interesting day.
1). Never rely on public transport.  Being stuck in an unfamiliar area, in the pouring down rain is not my idea of a good time.

2). Don't buy a computer with an unfamiliar OS right before a class.  I was tempted by the shiny specs.  I ended up okay, but it made me a bit nervous.

3). Make sure that you come prepared.  Our class material was distributed on CDs.  Fortunately, I packed an external DVD drive, patch cable, and an Ethernet adapter.  I did not have something to decompress a 7z file on my host OS.  I had to open my SIFT VM, decompress the file, and move it to the host machine.  It took longer than necessary.

I'm not exactly sure what I'm allowed to discuss about the class.  I will say that it was extensive.  I'm not sure how much will sink in.  It was well worth doing Cyber Quest.  They were not kidding when they said that the instructors are top notch.