The Spy Hunter – solution

We had a number of great entries to the challenge; it was very interesting to see how people approached it! I had fun creating it, and I hope you had fun investigating – thanks very much to everyone who played!

It was a close call, but I am pleased to announce that the winner of the “Ace Investigator” award and $25 gift card is Travis Lee (@eelsivart on Twitter). Other great entries came from Ben Downton, the Penn State IA club, and Silas Cutler.

Here are the mission objectives as submitted by Travis:

Link between Donald Burgess and the alias HomerHicks

Donald Burgess has a Facebook page and is friends with Kim Philby. They have both written on each other’s walls. The image that Donald Burgess uses on Facebook is the same image that HomerHicks uses on Twitter. A web search for “Donald Burgess” leads to a Wikipedia page on the “Cambridge Five”. Two people in that group were Donald Duart Maclean, who had the cryptonym “Homer”, and Guy Burgess, who had the cryptonym “Hicks”. Donald Burgess is a name composed of both of those individuals’ names, so the cryptonyms would also be combined to form “HomerHicks”.

Names and/or aliases of HomerHicks’ associates

Name: ?
Alias: UltraVenona

Name: Kim Philby
Alias: Stanley

Name: Robert'); DROP TABLE Students;--
Alias: Little Bobby Tables

How was HomerHicks recruited and by whom

HomerHicks (Donald Burgess) was recruited by Kim Philby.  They first met at FIA 2010, day three near the Thales exhibit.  They then exchanged messages on Facebook where Kim put Donald in touch with UltraVenona to talk about some “extra part time work”.

Timeline of events

All times are in PST. The timestamp from the IRC conversation was converted from BST to PST.
Aug 16, 3:49am – Donald Burgess joins Facebook and posts “Hello Facebook!” on his wall.
Aug 16, 4:17am to 4:36am – Kim Philby makes contact with Donald Burgess on Facebook by writing on his wall.  Kim asks Donald if he would like to do some extra part time work and puts him in touch with a friend, UltraVenona.
Aug 16, 1:37pm – UltraVenona makes a tweet to @HomerHicks saying “good to meet today”. UltraVenona also gives HomerHicks additional instructions.
Aug 17, 9:17am – HomerHicks has stolen Alpha from an old backup tape and has given it to UltraVenona.
Aug 17, 9:19am – HomerHicks discovers that Bravo is also on the same tape and steals Bravo.
Aug 17, 9:20am – UltraVenona tells HomerHicks on Twitter to contact @LittleBobbyTbls for help.
Aug 17, 9:24am – HomerHicks makes contact with @LittleBobbyTbls on Twitter for help getting Charlie.
Between Aug 17, 9:41am and Aug 18, 10:13am – HomerHicks has stolen Charlie.
Aug 18, 10:13am – HomerHicks logs into IRC and has a conversation with UltraVenona.  HomerHicks gives up Bravo to UltraVenona.
Aug 18, 10:49am – UltraVenona validates Bravo against Alpha.
Aug 18, 10:54am – HomerHicks is paid and gives up Charlie to UltraVenona.
Aug 18, 10:57am – HomerHicks is extracted from the coffee shop.

Who gave Donald Burgess assistance and what kind?

Little Bobby Tables gave Donald Burgess assistance.  He showed Donald how to use SQL injection and tshark to get a packet capture of SMTP traffic which is what Charlie was.

Recovery of Assets

Alpha:
HomerHicks’ Twitter page (@HomerHicks) contained a conversation with @UltraVenona.  One of his tweets included a link to Alpha (dl.dropbox.com/…).  Browsing to that link leads us to a file named:

089d615b-4a10-4520-a87b-fd6228c50a14.bmp.

Upon downloading the file, it looks to be just a white bitmap file. There could be a hidden message in this picture, but how is it hidden? I opened the bitmap in a text editor to take a look at the details of the file. Looking at the bitmap file format, it doesn’t look like the image is just plain white; it looks as if there is something else in there. I then opened the bitmap file with Microsoft Paint. To see if there is hidden text in the image, I used the Paint Bucket tool to fill the background with black. Lo and behold, there is a link in the image (dl.dropbox.com/…). Browsing to the link leads us to a file named:

bf9de2e9-f9f0-47d2-9630-63228d41fe40-alpha.pem.

Viewing the file in a text editor shows us that this is an encrypted private key file because it has headers describing the type of encryption used and the initialization vector:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,06CBE99CA9D5F1534D406E5868FDE302

Bravo:
To find Bravo, we first looked at the spyhunter-irc.pcap that was provided.  This was a packet capture of an unencrypted conversation between HomerHicks and UltraVenona on IRC.  To view the conversation, we need to open the capture file in Wireshark.  Then we will select the first frame in the capture file, right-click, and select “Follow TCP Stream”.  Upon doing so, a window will pop up showing us the entire IRC conversation.  After reading through the conversation, we see that HomerHicks private messaged UltraVenona saying that Bravo is with Stanley at this link, facebook.com/ki….  Browsing to that link leads us to a Facebook page for Kim Philby.  On his Info page, he has a Favorite Quotation that says “@UltraVenona – bravo – hic sunt dracones”.  If we look back to the IRC conversation, we see a message that says to verify Bravo against Alpha.  Since Alpha was an encrypted private key, Bravo may be the password to decrypt it which could be “hic sunt dracones”.  To see if this works, we can use OpenSSL in Linux with the command:
openssl rsa -in bf9de2e9-f9f0-47d2-9630-63228d41fe40-alpha.pem -out alpha.pem

After running that command, it asks us for a password.  Let’s try and use what Kim Philby had on his Facebook page, “hic sunt dracones”.  It works!  We now have an unencrypted .pem file.  Now what do we use this for?

Charlie:
Going back to HomerHicks’ Twitter page, we see that he made a tweet that said Charlie is at this link: wirewatcher.net….  Browsing to that link says that there is no file at that URL.  Where did Charlie go? To find out more information, let’s start up Wireshark to do a packet capture while browsing to that link. Let’s look at the packet capture now.  The first HTTP packets we see contain a “GET” and an “HTTP/1.0 200 OK”, which is when we clicked on the link from Twitter.  The next HTTP packets contain a “GET” and an “HTTP/1.1 301 Moved” for the redirect to the actual link.  The last HTTP packet we see is an “HTTP/1.1 404 Not Found”.  This is the error page that we saw in the browser.  Let’s look at this further.  We will right-click on this packet and select “Follow TCP Stream” to view all the packet data associated with this. What’s this? In the headers there is a header field that says “X-Charlie-Location: dl.dropbox.com/…”. Browsing to this link leads us to a file named:

9e6ef492-462a-41cf-88bc-5f692661915e-charlie.pcap

Since this is a .pcap file, let’s open it up in Wireshark to see what it contains.  It looks like SSL-encrypted traffic.  If we follow the TCP Stream on the encrypted traffic, all we can see is gibberish. Since Alpha was a .pem private key file, maybe this was the server certificate used with that network traffic.  With Wireshark, we can decrypt SSL traffic if we have the server certificate.  In Wireshark, select “Edit” from the menu bar, then “Preferences”.  Expand “Protocols”, then select “SSL”.  Now there is an option called “RSA keys list”.  This is where we will specify the key.  The format for this field is this:

<server ip>,<port number>,<protocol>,<path to key file>

To find out this information, we will use Wireshark to dig into the packets a little more.  Looking at packet #4, we see that the Info field shows “Client Hello”.  This is the client connecting to the server for the SSL negotiation.  We can see that the destination IP then is “192.168.93.2” which is the server.  If we look at the destination port, we see that it is “465”.  This is the port that is being used.  To find out what protocol is being used, we will click on packet #10, which is the first encrypted “Application Data” packet.  In the middle frame in Wireshark, we will expand the “Secure Socket Layer” field.  We now see that the “Application Data Protocol“ being used is smtp.  We will now put in these values in the SSL preferences section:

192.168.93.2,465,smtp,D:\temp\alpha.pem

After applying the settings, we see that Wireshark has now decrypted the SSL traffic.  We can now right-click on packet #10 and select “Follow SSL Stream” to view the decrypted traffic.  Looking at the stream shows that this is a capture of a top secret email message with an image attachment.  To view the image, we need to convert it from base64 back to an image file.  To do this, we need to select packet #639, which is the entire message in Internet Message Format.  In the middle frame after selecting the packet, expand “Internet Message Format”, then expand “MIME Multipart Media Encapsulation”, and then expand “Encapsulated multipart part: (image/png)”.  This is the section of the message which contains the base64-encoded image.  Then right-click on the field named “Portable Network Graphics” and select “Copy”, and then “Bytes (Printable Text Only)”.  We will then paste that into a temporary file named “base64_image.txt”.  Then on a Linux system, we can decode the base64 string by using this command:

cat base64_image.txt | base64 -d > ThatsNoMoon.png

That’s no moon! It’s a space station!! This looks like top secret plans for a massive space station with a weapon that can destroy planets!!

You may fire when ready

Look at the size of that thing!

Remediation

Yellow Sun Industries needs to fix the vulnerability in the space station design that could allow for a strategic shot into a thermal exhaust port which leads to the main reactor.  This would blow up the space station.  They should remove the vent if possible.  If not possible, they should protect the vent with shielding and more laser cannons.

Excellent work, Travis! Honourable mentions go to the Penn State IA club for their use of curl to investigate the 404 on the way to recovering Charlie, and to Ben Downton for his remediation suggestions which were:

  • Yellow Sun should examine the backup tape to determine any other information that may be ‘at risk’.
  • Yellow Sun should consult with HR (if they have not done so already) to decide the fate of Donald Burgess. There is likely already grounds for disciplinary proceedings after failing to show up for work and checking out backups unnecessarily. Given the results of this investigation there is very likely grounds for firing him and pursuing civil or criminal action.
  • Yellow Sun should disable any of Donald’s accounts and revoke any physical access tokens. It is also recommended that door/lift and other authorisation codes are changed.
  • Yellow Sun should certainly work with law enforcement officers to track down how far the blueprints have leaked and recover them if necessary.
  • It is recommended that budget is immediately set aside to be devoted to pursuing the investigation and preparing for any consequential loss (such as loss of market position, fines imposed etc.)
  • Yellow Sun should consult with the legal/pr departments (if they exist) in order to decide on preparing a statement to be issued to affected parties.

One of the best things about a challenge like this is seeing how people’s approach and suggestions differ from my own. When confronted with the “blank” BMP, I would have followed Travis’ route. Ben’s approach was different:

This bitmap file appeared as a plain white image, visually ‘hidden’ on the page. Extracting this image revealed small variations in the data structure of the image invisible to the naked eye (offset by 1 bit). Opening the image in GIMP and auto correcting the levels revealed a link http://j.mp/aLEdYa

When I was setting the challenge, I gave the image to a friend of mine, an experienced Photoshop jockey. I was hoping his image manipulation skills would help him uncover the clue in about 30 seconds. In the end it took him closer to a minute, but he got the job done. As Infosec pros, it’s helpful for us to remember that skills in “non-security” domains can often help further an investigation – recognise when they’re needed and seek them out. As usual, the “NOKIA” principle applies – No One Knows It All.
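Both routes to the clue, filling the background in Paint and stretching the levels in GIMP, rely on the same fact: the hidden pixels differ from the white background by an amount too small for the eye to register. The script below is an added example, not code from the original post or from any entrant; it builds a small 24-bit BMP with a near-white message (a constructed sample, not the challenge file), parses the BMP headers and pixel rows, prints a mask of every pixel that is not the dominant background colour, and writes a black-background copy that reproduces the Paint trick. It assumes an uncompressed 24-bit BMP; the file layout and the 4-byte row padding follow the standard BITMAPFILEHEADER and BITMAPINFOHEADER structures.

```python
import struct
from collections import Counter


def build_bmp(width, height, pixel_at):
    """Serialise a 24-bit uncompressed BMP. pixel_at(x, y) returns (r, g, b), y=0 at the top."""
    padding = (4 - (width * 3) % 4) % 4        # each row is padded to a 4-byte boundary
    pixels = bytearray()
    for y in range(height - 1, -1, -1):        # BMP stores rows bottom-up...
        for x in range(width):
            r, g, b = pixel_at(x, y)
            pixels += bytes((b, g, r))         # ...and channels in BGR order
        pixels += b"\x00" * padding
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, image size,
    # x/y pixels per metre, colours used, important colours
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return bytes(file_header + info + pixels)


def read_bmp(data):
    """Parse a 24-bit uncompressed BMP into a top-down list of rows of (r, g, b) tuples."""
    magic, _size, _res1, _res2, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _hdr, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    top_down = height < 0                      # a negative height means rows are stored top-down
    height = abs(height)
    stride = (width * 3 + 3) & ~3              # padded row length
    rows = []
    for i in range(height):
        base = offset + i * stride
        rows.append([(data[base + 3 * x + 2], data[base + 3 * x + 1], data[base + 3 * x])
                     for x in range(width)])
    if not top_down:
        rows.reverse()
    return rows


def background_colour(rows):
    """The most common pixel value; for a 'blank' image this is the background."""
    return Counter(p for row in rows for p in row).most_common(1)[0][0]


def reveal_mask(rows):
    """Mark every pixel that differs from the background: '#' foreground, '.' background."""
    bg = background_colour(rows)
    return ["".join("#" if p != bg else "." for p in row) for row in rows]


def contrast_copy(rows):
    """Equivalent of the Paint 'fill with black' step: background becomes black, all else white."""
    bg = background_colour(rows)
    return build_bmp(len(rows[0]), len(rows),
                     lambda x, y: (0, 0, 0) if rows[y][x] == bg else (255, 255, 255))


def sample_bmp():
    """Constructed sample: a 6x4 white image with an 'L' drawn in (254,254,254), one step off white."""
    def pixel(x, y):
        hidden = x == 1 or (y == 3 and 1 <= x <= 4)
        return (254, 254, 254) if hidden else (255, 255, 255)
    return build_bmp(6, 4, pixel)


if __name__ == "__main__":
    rows = read_bmp(sample_bmp())
    print("distinct colours:", len(set(p for row in rows for p in row)))
    print("\n".join(reveal_mask(rows)))
    with open("revealed.bmp", "wb") as fh:    # open this in any viewer to see the message
        fh.write(contrast_copy(rows))
```

The distinct-colour count is the quickest tell: a genuinely blank image has one colour, and anything above that on a "white" file deserves a closer look before the picture ever reaches a viewer.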

Again totally different to Travis and Ben, this was what I had in mind for remediation steps:

  • Patch or replace the installation of VeryVulnerableCMS that allowed Donald Burgess to run tshark.
  • The SSL certificate for mail.yellow.sun is well and truly compromised as the private key has been leaked. Looking at frame 5 from Charlie, we can see a bit more about it:
  • The first thing that is highlighted is the certificate’s serial number – cert 21314 should be revoked and re-issued immediately.
  • The second thing that might draw the eye is the length of time that the certificate is valid for – from 16th August 2009 all the way until 12th March 2016!! Yellow Sun could consider issuing certificates with a shorter lifespan.
  • Next, we look at the decrypted SSL:
  • Yellow Sun make use of SSL-protected authenticated SMTP. However, once you’ve stripped off the SSL, only BASE64 protects the passed credentials. The AUTH LOGIN exchange reveals this:
    • 334 Username:
    • design@yellow.sun
    • 334 Password:
    • password123
  • The credentials above are therefore compromised, and should be changed. Also, Yellow Sun employees should be encouraged to make more of an effort when choosing passwords…
  • Lastly, and there’s no proof of this, but Yellow Sun might like to take a look at their personnel files. I strongly doubt that Philby approached Burgess at FIA totally at random. Perhaps there’s someone else inside Yellow Sun who marked Burgess for Philby’s attention? Could there still be a mole inside Yellow Sun?
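Two steps in the write-up are worth seeing as code rather than clicks: pulling the base64 attachment out of the captured message (Travis’ packet #639 step) and reading the AUTH LOGIN exchange just listed. The script below is an added example and not code from the original post or from any entrant. It constructs a sample SMTP session of the kind that is left once the TLS layer is removed (the message, recipient address and PNG payload are made up; the credential values are the ones quoted above), decodes the AUTH LOGIN challenge/response pairs, reassembles the DATA section and extracts the image attachment with the standard library’s email parser.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_session():
    """Constructed sample session, one entry per line, prefixed 'C: ' (client) or 'S: ' (server).
    The AUTH LOGIN values are those quoted in the post; everything else is made up."""
    msg = EmailMessage()
    msg["From"] = "design@yellow.sun"
    msg["To"] = "recipient@example.invalid"      # hypothetical recipient
    msg["Subject"] = "TOP SECRET: station plans"
    msg.set_content("Plans attached.")
    fake_png = PNG_SIGNATURE + b"constructed placeholder, not a real image"
    msg.add_attachment(fake_png, maintype="image", subtype="png", filename="plans.png")
    data_lines = ["C: " + line for line in msg.as_string().splitlines()]
    return [
        "S: 220 mail.yellow.sun ESMTP",
        "C: EHLO workstation",
        "S: 250-mail.yellow.sun",
        "S: 250 AUTH LOGIN PLAIN",
        "C: AUTH LOGIN",
        "S: 334 VXNlcm5hbWU6",                     # base64("Username:")
        "C: ZGVzaWduQHllbGxvdy5zdW4=",             # base64("design@yellow.sun")
        "S: 334 UGFzc3dvcmQ6",                     # base64("Password:")
        "C: cGFzc3dvcmQxMjM=",                     # base64("password123")
        "S: 235 2.7.0 Authentication successful",
        "C: MAIL FROM:<design@yellow.sun>",
        "S: 250 2.1.0 Ok",
        "C: RCPT TO:<recipient@example.invalid>",
        "S: 250 2.1.5 Ok",
        "C: DATA",
        "S: 354 End data with <CR><LF>.<CR><LF>",
        *data_lines,
        "C: .",
        "S: 250 2.0.0 Ok: queued",
        "C: QUIT",
    ]


def _decode_token(token):
    """Base64-decode an SMTP AUTH token, returning it unchanged if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return token


def parse_session(lines):
    """Return (credentials, raw_message): decoded AUTH LOGIN pairs and the DATA section text."""
    creds, message_lines = {}, []
    in_data, expect = False, None
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "S":
            if text.startswith("334 "):            # server challenge: 'Username:' or 'Password:'
                challenge = _decode_token(text[4:])
                expect = "username" if "user" in challenge.lower() else "password"
            continue
        if in_data:                                # message body runs until a lone '.'
            if text == ".":
                in_data = False
            else:
                message_lines.append(text)
        elif expect:                               # client reply to the challenge
            creds[expect] = _decode_token(text)
            expect = None
        elif text.upper() == "DATA":
            in_data = True
    return creds, "\n".join(message_lines)


def extract_attachments(raw_message):
    """Yield (filename, content type, decoded bytes) for every attachment in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [(part.get_filename(), part.get_content_type(), part.get_payload(decode=True))
            for part in msg.walk() if part.get_content_disposition() == "attachment"]


def is_png(data):
    return data.startswith(PNG_SIGNATURE)


def audit(lines):
    """Summarise what a holder of the server key can read from this session."""
    creds, raw = parse_session(lines)
    findings = []
    if creds:
        findings.append("AUTH LOGIN credentials recoverable for user %r" % creds.get("username"))
    for name, ctype, payload in extract_attachments(raw):
        findings.append("attachment %s (%s, %d bytes, png=%s)" % (name, ctype, len(payload), is_png(payload)))
    return findings


if __name__ == "__main__":
    for finding in audit(build_session()):
        print(finding)
```

The same parser works on the text that "Follow SSL Stream" produces once the direction prefixes are added. The defender’s takeaway is the one made above: AUTH LOGIN is an encoding, not a second layer of protection, so a leaked server key exposes every password sent through it, and a password rotation has to follow the certificate re-issue.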

The Penn State IA club produced a nice timeline, which you can see here. I also had a play with creating an interactive timeline of events; I can’t embed it directly into this post, but click the image to take a look:

Finally, don’t I know you from somewhere?

As Travis alluded to, I’ve not been entirely original in my selection of the characters’ names. Here’s where my inspiration came from:

  • HomerHicks/Donald Burgess is indeed a composite of Donald Maclean and Guy Burgess (codenamed Homer and Hicks respectively), two members of the Cambridge Five.
  • Kim Philby (codenamed Stanley) was another member of the Cambridge Five.
  • UltraVenona is a composite of Ultra (the codename given to intercepted Enigma traffic during WW2) and Venona (the codename given to intercepted Soviet traffic during the Cold War).
  • Yellow Sun was a British free fall nuclear weapon of the Cold War.
  • The briefing document said that the investigation of Donald Burgess was codenamed Operation FOOT. The real FOOT was the mass expulsion from the United Kingdom of Soviet diplomats and trade delegation officials in 1971 (more here (bottom of page) and here).
  • Finally, Yellow Sun’s Keith Tarkin shares his name with the other Mr Tarkin who is also in possession of something that definitely isn’t a moon.

That’s all for now, folks. However, I doubt we’ve seen the last of Donald Burgess and associates!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk
