## The Spy Hunter, Part II – Epilogue

Posted in Packet Challenge, Spy Hunter on 10 August, 2011 by Alec Waters

Kerry Nitpick wanted to run. But to do so would be to draw attention to himself, to “show out” as the pavement artists call it. He did not know if the surveillance team following him was real or merely in his imagination, but either way he was certain they were there.

They’d probably been on him since he left Yellow Sun HQ thirty minutes ago. YS hadn’t trusted him from day one – they’d likely been watching him ever since. The team was probably plotted up away from the building; no need to have their own eyes-on in such a controlled environment. That goon in the security hut at the gate must have been the trigger.

An aware target masquerading as an unaware one, Kerry strained his hearing, trying to hear them on their radios.

RED has the eyeball
GREEN backing
BLUE, I’m on the other side of the street

Despite the odds, the advantage was still his. He knew that as he turned left onto Laker Street they’d do their silly little dance, same as always, regular as clockwork.

RED, Target is approaching nearside turn onto Laker Street
BLUE moving up to cover

He’d be able to see Blue now if he looked over his right shoulder. He considered taking an extra step or two before turning the corner just to rattle them, but that would have tipped them off that he knew they were there. “Never let them know that you know,” Dave always used to say, “That’s Rule #1.” Rule #1 changed with the wind, but this one had held the title at least once.

He turned left onto Laker Street.

RED that’s the target Left Left onto Laker Street; handover
BLUE has the eyeball. Target proceeding, corner is clear
GREEN turning Left Left; I have the eyeball
BLUE backing
RED, I’m on the other side of the street

Laker Street was routinely pounded by suburban traffic, rattling the sash windows of the tall Victorian homes on the left hand side. Most properties had basements with steps leading down from the street; RED ONE was one such basement flat, number 221b. As he passed it he looked as closely as he could without turning his head. Everything seemed in order, but he certainly wasn’t going in through the front door. RED ONE was chosen for a very good reason, one which the surveillance team was soon to discover to their cost.

Leaving the steps to RED ONE behind, he maintained his pace but quickened his thoughts. The next left turn onto Kingsway had to be just right – he’d have three or four seconds tops to evade his pursuers. The window was tight, but terrain was on his side.

GREEN, Target is approaching nearside turn onto Kingsway
RED There’s no more footpath – I can’t move up to cover the corner! There’s too much traffic for me to step into the road
GREEN, That’s understood. If the Target takes the nearside turn I’ll clear the corner myself and we’ll carry out cornering drill without you. Catch up when you can

With Red neutered by the short footpath, Kerry turned left onto Kingsway, passing the corner shop. As he did so he removed his jacket and increased his walk almost to a jog.

GREEN that’s the Target Left Left onto Kingsway. Temporarily unsighted

Out of sight of the surveillance team, Kerry turned left one last time into the alleyway alongside the corner shop. Running now, he made for the rubbish bin that stood in front of the six foot gate that blocked further passage and obscured the alley’s access to the rear of the properties on Laker Street.

GREEN, I’m crossing Kingsway. No sign of Target. Loss, Loss

Lent by adrenaline the agility of a fitter man, he leapt onto the bin and threw his jacket over the thin strand of barbed wire that topped the gate. He hauled himself over and down the other side, tugging the shredded remains of his jacket behind him.

BLUE turning Left Left onto Kingsway. No sign of Target. Loss, Loss

As he moved down the alleyway to the rear entrance of number 221b, the surveillance team’s comms chatter faded to silence.

GREEN, Total Loss, Total Loss. Commence search pattern

Finally inside RED ONE, Kerry took stock. It was supposed to be a straightforward penetration job; a simple exploit, lift some assets, get out. It would have been so much better had the target not turned out to be his boss, his real boss. All this “need to know” nonsense just gets a man into trouble. Why hadn’t Dave told him SIBHOD had already penetrated Yellow Sun? Why wouldn’t Yellow Sun tell him who the target was? Keith Starr would never have taken the job if he’d known.

So he did the best he could. He wasn’t going to give Yellow Sun anything that would damage SIBHOD; instead he turned over part of Dave’s tasteless music collection, plus his shopping list and his IE cache. Total junk, but better than nothing. It certainly bought him a ticket out of Yellow Sun’s front door.

But what to do next? From the files he turned over to Yellow Sun, he was certain there was nothing that could link him to either Dave or SIBHOD. Keith Starr’s professional reputation would take a bit of a hit, but if he kept his mouth shut, no harm done, surely? Or perhaps he should come clean to Dave, at least to tell him to update his PDF reader. Or maybe silence is golden – SIBHOD is not an organisation that tolerates failure…

A full write up of the winning solution to the Spy Hunter Part II Packet challenge is here!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

## The Spy Hunter, Part II

Posted in Packet Challenge, Spy Hunter on 13 July, 2011 by Alec Waters

In the wake of the Donald Burgess affair, Yellow Sun Heavy Industries finds itself in an uncomfortable situation. The top secret plans for Project ThatsNoMoon are in the hands of an unknown Adversary, and the traitorous Burgess has disappeared.

Only by taking positive action of its own can Yellow Sun hope to salvage the situation…

Evidence has been collected as the result of offensive action on the part of Yellow Sun against their unknown Adversary. Are you up to the challenge of maximising the haul’s intelligence yield? Click here to find out!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

## The Spy Hunter – solution

Posted in Packet Challenge, Spy Hunter on 13 September, 2010 by Alec Waters

We had a number of great entries to the challenge; it was very interesting to see how people approached it! I had fun creating it, and I hope you had fun investigating – thanks very much to everyone who played!

It was a close call, but I am pleased to announce that the winner of the “Ace Investigator” award and $25 gift card is Travis Lee (@eelsivart on Twitter). Other great entries came from Ben Downton, the Penn State IA club, and Silas Cutler. Here are the mission objectives as submitted by Travis:

### Link between Donald Burgess and the alias HomerHicks

Donald Burgess has a Facebook page and is friends with Kim Philby. They have both written on each other’s walls. The image that Donald Burgess uses on Facebook is the same image that HomerHicks uses on Twitter. A web search for “Donald Burgess” leads to a Wikipedia page on the “Cambridge Five”. There were two people in that group: one was named Donald Duart Maclean and had the cryptonym “Homer”, and one was named Guy Burgess and had the cryptonym “Hicks”. Donald Burgess is a name comprised of both of those individuals, so the cryptonyms would also be combined to form “HomerHicks”.

### Names and/or aliases of HomerHicks’ associates

| Name | Alias |
|---|---|
| ? | UltraVenona |
| Kim Philby | Stanley |
| `Robert'); DROP TABLE Students;--` | Little Bobby Tables |

### How was HomerHicks recruited and by whom

HomerHicks (Donald Burgess) was recruited by Kim Philby. They first met at FIA 2010, day three, near the Thales exhibit. They then exchanged messages on Facebook, where Kim put Donald in touch with UltraVenona to talk about some “extra part time work”.

### Timeline of events

All times are in PST. The timestamp from the IRC conversation was converted from BST to PST.

- Aug 16, 3:49am – Donald Burgess joins Facebook and posts “Hello Facebook!” on his wall.
- Aug 16, 4:17am to 4:36am – Kim Philby makes contact with Donald Burgess on Facebook by writing on his wall. Kim asks Donald if he would like to do some extra part time work and puts him in touch with a friend, UltraVenona.
- Aug 16, 1:37pm – UltraVenona makes a tweet to @HomerHicks saying “good to meet today”. UltraVenona also gives HomerHicks additional instructions.
- Aug 17, 9:17am – HomerHicks has stolen Alpha from an old backup tape and has given it to UltraVenona.
- Aug 17, 9:19am – HomerHicks discovers that Bravo is also on the same tape and steals Bravo.
- Aug 17, 9:20am – UltraVenona tells HomerHicks on Twitter to contact @LittleBobbyTbls for help.
- Aug 17, 9:24am – HomerHicks makes contact with @LittleBobbyTbls on Twitter for help getting Charlie.
- Between Aug 17, 9:41am and Aug 18, 10:13am – HomerHicks has stolen Charlie.
- Aug 18, 10:13am – HomerHicks logs into IRC and has a conversation with UltraVenona. HomerHicks gives up Bravo to UltraVenona.
- Aug 18, 10:49am – UltraVenona validates Bravo against Alpha.
- Aug 18, 10:54am – HomerHicks is paid and gives up Charlie to UltraVenona.
- Aug 18, 10:57am – HomerHicks is extracted from the coffee shop.

### Who gave Donald Burgess assistance and what kind?

Little Bobby Tables gave Donald Burgess assistance. He showed Donald how to use SQL injection and tshark to get a packet capture of SMTP traffic, which is what Charlie was.

### Recovery of Assets

#### Alpha

HomerHicks’ Twitter page (@HomerHicks) contained a conversation with @UltraVenona. One of his tweets included a link to Alpha (dl.dropbox.com/…). Browsing to that link leads us to a file named 089d615b-4a10-4520-a87b-fd6228c50a14.bmp. Upon downloading the file, it looks to be just a white bitmap file. There could be a hidden message in this picture, but how is it hidden? I opened the bitmap in a text editor to take a look at the details of the file. Looking at the bitmap file format, it doesn’t look like the image is just plain white; it looks as if there is something else in there. I then opened the bitmap file with Microsoft Paint. To see if there is hidden text in the image, I used the Paint Bucket tool to fill the background with black. Lo and behold, there is a link in the image (dl.dropbox.com/…). Browsing to the link leads us to a file named bf9de2e9-f9f0-47d2-9630-63228d41fe40-alpha.pem.

Viewing the file in a text editor shows us that this is an encrypted private key file, because it has headers describing the type of encryption used and the initialization vector:

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,06CBE99CA9D5F1534D406E5868FDE302
```

#### Bravo

To find Bravo, we first looked at the spyhunter-irc.pcap that was provided. This was a packet capture of an unencrypted conversation between HomerHicks and UltraVenona on IRC. To view the conversation, we need to open the capture file in Wireshark. Then we will select the first frame in the capture file, right-click, and select “Follow TCP Stream”. Upon doing so, a window will pop up showing us the entire IRC conversation. After reading through the conversation, we see that HomerHicks private messaged UltraVenona saying that Bravo is with Stanley at this link, facebook.com/ki…. Browsing to that link leads us to a Facebook page for Kim Philby. On his Info page, he has a Favorite Quotation that says “@UltraVenona – bravo – hic sunt dracones”. If we look back to the IRC conversation, we see a message that says to verify Bravo against Alpha. Since Alpha was an encrypted private key, Bravo may be the password to decrypt it, which could be “hic sunt dracones”. To see if this works, we can use OpenSSL in Linux with the command:

```
openssl rsa -in bf9de2e9-f9f0-47d2-9630-63228d41fe40-alpha.pem -out alpha.pem
```

After running that command, it asks us for a password. Let’s try and use what Kim Philby had on his Facebook page, “hic sunt dracones”. It works! We now have an unencrypted .pem file. Now what do we use this for?

#### Charlie

Going back to HomerHicks’ Twitter page, we see that he made a tweet that said Charlie is at this link: wirewatcher.net…. Browsing to that link says that there is no file at that URL. Where did Charlie go? To find out more information, let’s start up Wireshark to do a packet capture while browsing to that link. Let’s look at the packet capture now.

The first HTTP packets we see contain a “GET” and an “HTTP/1.0 200 OK”, which is when we clicked on the link from Twitter. The next HTTP packets contain a “GET” and an “HTTP/1.1 301 Moved” for the redirect to the actual link. The last HTTP packet we see is an “HTTP/1.1 404 Not Found”. This is the error page that we saw in the browser. Let’s look at this further. We will right-click on this packet and select “Follow TCP Stream” to view all the packet data associated with this. What’s this? In the headers there is a header field that says “X-Charlie-Location: dl.dropbox.com/…”. Browsing to this link leads us to a file named 9e6ef492-462a-41cf-88bc-5f692661915e-charlie.pcap.

Since this is a .pcap file, let’s open this up in Wireshark to see what it contains. It looks like SSL encrypted traffic. If we follow the TCP stream on the encrypted traffic, all we can see is gibberish. Since Alpha was a .pem private key file, maybe this was the server certificate used with that network traffic. With Wireshark, we can decrypt SSL traffic if we have the server certificate. In Wireshark, select “Edit” from the menu bar, then “Preferences”. Expand “Protocols”, then select “SSL”. Now there is an option called “RSA keys list”. This is where we will specify the key. The format for this field is:

```
<server ip>,<port number>,<protocol>,<path to key file>
```

To find out this information, we will use Wireshark to dig into the packets a little more. Looking at packet #4, we see that the Info field shows “Client Hello”. This is the client connecting to the server for the SSL negotiation. We can see that the destination IP then is “192.168.93.2”, which is the server. If we look at the destination port, we see that it is “465”. This is the port that is being used. To find out what protocol is being used, we will click on packet #10, which is the first encrypted “Application Data” packet. In the middle frame in Wireshark, we will expand the “Secure Socket Layer” field. We now see that the “Application Data Protocol” being used is smtp. We will now put these values in the SSL preferences section:

```
192.168.93.2,465,smtp,D:\temp\alpha.pem
```

After applying the settings, we see that Wireshark has now decrypted the SSL traffic. We can now right-click on packet #10 and select “Follow SSL Stream” to view the decrypted traffic. Looking at the stream shows that this is a capture of a top secret email message with an image attachment. To view the image, we need to convert it from base64 back to an image file. To do this, we need to select packet #639, which is the entire message in Internet Message Format. In the middle frame after selecting the packet, expand “Internet Message Format”, then expand “MIME Multipart Media Encapsulation”, and then expand “Encapsulated multipart part: (image/png)”. This is the section of the message which contains the base64 encoded image. Then right-click on the field named “Portable Network Graphics” and select “Copy”, and then “Bytes (Printable Text Only)”. We will then paste that into a temporary file named “base64_image.txt”. Then on a Linux system, we can decode the base64 string by using this command:

```
cat base64_image.txt | base64 -d > ThatsNoMoon.png
```

That’s no moon! It’s a space station!! This looks like top secret plans for a massive space station with a weapon that can destroy planets!! Look at the size of that thing!

### Remediation

Yellow Sun Industries needs to fix the vulnerability in the space station design that could allow for a strategic shot into a thermal exhaust port which leads to the main reactor. This would blow up the space station. They should remove the vent if possible. If not possible, they should protect the vent with shielding and more laser cannons.

Excellent work, Travis!
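Travis’ bucket fill works because the “white” BMP is not uniformly white: some pixels sit one level below 255, invisible to the eye until the contrast is forced. The following is an added example, not part of Travis’ write-up or the challenge files: a stdlib-only parser for an uncompressed 24-bit BMP, a finder for non-white pixels, and an auto-levels stretch of the kind an image editor applies. The sample image is constructed inline in place of the challenge’s bitmap.

```python
import struct


def make_bmp(rows):
    """Build an uncompressed bottom-up 24-bit BMP from rows of (r, g, b), top row first.
    Only used here to construct the sample image."""
    height, width = len(rows), len(rows[0])
    stride = (width * 3 + 3) & ~3          # each pixel row is padded to a 4-byte boundary
    pixels = bytearray()
    for row in reversed(rows):             # BMP stores the bottom row first
        for r, g, b in row:
            pixels += bytes((b, g, r))     # channels are stored in BGR order
        pixels += b"\0" * (stride - width * 3)
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixels)


def read_bmp(data):
    """Parse an uncompressed 24-bit BMP into rows (top first) of (r, g, b) tuples."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    (offset,) = struct.unpack_from("<I", data, 10)        # start of pixel array
    width, height = struct.unpack_from("<ii", data, 18)
    (bpp,) = struct.unpack_from("<H", data, 28)
    (compression,) = struct.unpack_from("<I", data, 30)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    stride = (width * 3 + 3) & ~3
    bottom_up = height > 0                                 # negative height means top-down
    height = abs(height)
    rows = []
    for y in range(height):
        base = offset + y * stride
        rows.append([(data[base + 3 * x + 2], data[base + 3 * x + 1], data[base + 3 * x])
                     for x in range(width)])
    return rows[::-1] if bottom_up else rows


def hidden_pixels(rows):
    """(x, y) of every pixel that is not pure white: the content the eye cannot see."""
    return [(x, y) for y, row in enumerate(rows)
            for x, px in enumerate(row) if px != (255, 255, 255)]


def stretch_levels(rows):
    """Auto-levels: map the observed min..max onto 0..255 so a one-level difference
    becomes black on white."""
    values = [c for row in rows for px in row for c in px]
    lo, hi = min(values), max(values)
    if lo == hi:
        return rows
    scale = 255 / (hi - lo)
    return [[tuple(round((c - lo) * scale) for c in px) for px in row] for row in rows]


# Constructed sample: a 5x2 'white' image hiding two pixels at (254, 254, 254),
# i.e. the lowest bit of each channel cleared.
WHITE, NEAR_WHITE = (255, 255, 255), (254, 254, 254)
SAMPLE_ROWS = [[WHITE, NEAR_WHITE, WHITE, WHITE, WHITE],
               [WHITE, WHITE, WHITE, NEAR_WHITE, WHITE]]
SAMPLE_BMP = make_bmp(SAMPLE_ROWS)

if __name__ == "__main__":
    rows = read_bmp(SAMPLE_BMP)
    print("hidden pixels:", hidden_pixels(rows))
    for row in stretch_levels(rows):
        print("".join("#" if px == (0, 0, 0) else "." for px in row))
```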
Honourable mentions go to the Penn State IA club for their use of curl to investigate the 404 on the way to recovering Charlie, and to Ben Downton for his remediation suggestions, which were:

- Yellow Sun should examine the backup tape to determine any other information that may be ‘at risk’.
- Yellow Sun should consult with HR (if they have not done so already) to decide the fate of Donald Burgess. There are likely already grounds for disciplinary proceedings after failing to show up for work and checking out backups unnecessarily. Given the results of this investigation there are very likely grounds for firing him and pursuing civil or criminal action.
- Yellow Sun should disable any of Donald’s accounts and revoke any physical access tokens. It is also recommended that door/lift and other authorisation codes are changed.
- Yellow Sun should certainly work with law enforcement officers to track down how far the blueprints have leaked and recover them if necessary.
- It is recommended that budget is immediately set aside to be devoted to pursuing the investigation and preparing for any consequential loss (such as loss of market position, fines imposed etc.).
- Yellow Sun should consult with the legal/PR departments (if they exist) in order to decide on preparing a statement to be issued to affected parties.

One of the best things about a challenge like this is seeing how people’s approaches and suggestions differ from my own. When confronted with the “blank” BMP, I would have followed Travis’ route. Ben’s approach was different:

This bitmap file appeared as a plain white image, visually ‘hidden’ on the page. Extracting this image revealed small variations in the data structure of the image invisible to the naked eye (offset by 1 bit). Opening the image in GIMP and auto correcting the levels revealed a link http://j.mp/aLEdYa

When I was setting the challenge, I gave the image to a friend of mine, an experienced Photoshop jockey. I was hoping his image manipulation skills would help him uncover the clue in about 30 seconds. In the end it took him closer to a minute, but he got the job done. As Infosec pros, it’s helpful for us to remember that skills in “non-security” domains can often help further an investigation – recognise when they’re needed and seek them out. As usual, the “NOKIA” principle applies – No One Knows It All.

Again totally different to Travis and Ben, this was what I had in mind for remediation steps:

- Patch or replace the installation of VeryVulnerableCMS that allowed Donald Burgess to run tshark.
- The SSL certificate for mail.yellow.sun is well and truly compromised as the private key has been leaked. Looking at frame 5 from Charlie, we can see a bit more about it:
  - The first thing that is highlighted is the certificate’s serial number – cert 21314 should be revoked and re-issued immediately.
  - The second thing that might draw the eye is the length of time that the certificate is valid for – from 16th August 2009 all the way until 12th March 2016!! Yellow Sun could consider issuing certificates with a shorter lifespan.
- Next, we look at the decrypted SSL:
  - Yellow Sun make use of SSL-protected authenticated SMTP. However, once you’ve stripped off the SSL, only BASE64 protects the passed credentials. The AUTH LOGIN exchange reveals this:

    ```
    334 Username:
    design@yellow.sun
    334 Password:
    password123
    ```

  - The credentials above are therefore compromised, and should be changed. Also, Yellow Sun employees should be encouraged to make more of an effort when choosing passwords…
- Lastly, and there’s no proof of this, but Yellow Sun might like to take a look at their personnel files. I strongly doubt that Philby approached Burgess at FIA totally at random. Perhaps there’s someone else inside Yellow Sun who marked Burgess for Philby’s attention? Could there still be a mole inside Yellow Sun?

The Penn State IA club produced a nice timeline, which you can see here.
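The two points in the remediation list that can be checked mechanically are the AUTH LOGIN exposure (base64 is encoding, not protection, so anyone holding a decrypted capture has the password) and the length of the certificate’s validity window. The following is an added example, not code from the original post: a small scanner that pulls the credentials out of a decrypted SMTP session the way an analyst would when confirming what leaked, plus the validity-window calculation for the dates quoted above. It also handles AUTH PLAIN, which the write-up does not mention. The session transcript is constructed here, not taken from Charlie; the server prompts are shown as they appear on the wire (Wireshark decodes them to “Username:” and “Password:”).

```python
import base64
import re
from datetime import date

# Constructed transcript of a decrypted SMTPS session, modelled on the AUTH LOGIN
# exchange in the write-up (not captured from the challenge pcap).
SAMPLE_SESSION = """220 mail.yellow.sun ESMTP
EHLO workstation
250-mail.yellow.sun
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
ZGVzaWduQHllbGxvdy5zdW4=
334 UGFzc3dvcmQ6
cGFzc3dvcmQxMjM=
235 2.7.0 Authentication successful
MAIL FROM:<design@yellow.sun>
"""

# Validity window of the leaked mail.yellow.sun certificate, as quoted above.
CERT_NOT_BEFORE = date(2009, 8, 16)
CERT_NOT_AFTER = date(2016, 3, 12)

SERVER_REPLY = re.compile(r"^\d{3}[ -]")          # SMTP replies start with a 3-digit code
AUTH_CMD = re.compile(r"^AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$", re.I)


def _b64(text):
    return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")


def extract_credentials(session):
    """Return (mechanism, username, password) for every AUTH LOGIN/PLAIN exchange
    in a decrypted SMTP session: base64 is all that stands between the capture
    and the password."""
    found = []
    lines = session.splitlines()
    i = 0
    while i < len(lines):
        m = AUTH_CMD.match(lines[i].strip())
        if not m:
            i += 1
            continue
        mech = m.group(1).upper()
        client = [m.group(2)] if m.group(2) else []   # optional initial response
        need = 1 if mech == "PLAIN" else 2             # PLAIN: one blob; LOGIN: user, pass
        j = i + 1
        while len(client) < need and j < len(lines):   # collect client lines, skip replies
            nxt = lines[j].strip()
            if nxt and not SERVER_REPLY.match(nxt):
                client.append(nxt)
            j += 1
        try:
            if mech == "PLAIN":
                parts = _b64(client[0]).split("\0")    # RFC 4616: [authzid] NUL authcid NUL passwd
                found.append((mech, parts[-2], parts[-1]))
            else:
                found.append((mech, _b64(client[0]), _b64(client[1])))
        except (IndexError, ValueError):
            pass                                       # malformed exchange; keep scanning
        i = j
    return found


def validity_days(not_before, not_after):
    """Length of a certificate's validity window in days."""
    return (not_after - not_before).days


if __name__ == "__main__":
    for mech, user, pw in extract_credentials(SAMPLE_SESSION):
        print(f"{mech}: {user} / {pw}")
    print(validity_days(CERT_NOT_BEFORE, CERT_NOT_AFTER), "days of validity")
```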
I also had a play with creating an interactive timeline of events; I can’t embed it directly into this post, but click the image to take a look:

### Finally, don’t I know you from somewhere?

As Travis alluded to, I’ve not been entirely original in my selection of the characters’ names. Here’s where my inspiration came from:

- HomerHicks/Donald Burgess is indeed a composite of Donald Maclean and Guy Burgess (codenamed Homer and Hicks respectively), two members of the Cambridge Five.
- Kim Philby (codenamed Stanley) was another member of the Cambridge Five.
- UltraVenona is a composite of Ultra (the codename given to intercepted Enigma traffic during WW2) and Venona (the codename given to intercepted Soviet traffic during the Cold War).
- Yellow Sun was a British free fall nuclear weapon of the Cold War.
- The briefing document said that the investigation of Donald Burgess was codenamed Operation FOOT. The real FOOT was the mass expulsion from the United Kingdom of Soviet diplomats and trade delegation officials in 1971 (more here (bottom of page) and here).
- Finally, Yellow Sun’s Keith Tarkin shares his name with the other Mr Tarkin, who is also in possession of something that definitely isn’t a moon.

That’s all for now, folks. However, I doubt we’ve seen the last of Donald Burgess and associates!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

## Packet Challenge – The Spy Hunter

Posted in Packet Challenge, Spy Hunter on 23 August, 2010 by Alec Waters

I’ve concocted another packet challenge for you to try, entitled “The Spy Hunter”. This one’s a little different in that solving the technical challenge is only part of the solution – you’re going to have to conduct an investigation along the way, too. Maintain vigilance to detail and keep notes, and you’ll uncover all the secrets. There’s a prize of a $15.00 Starbucks or iTunes card up for grabs for the writer of the best entry.

The challenge is posted over at ismellpackets.com; many thanks to Chris Christianson for giving it a home and putting up the prize.

Good luck, and have fun!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

## Packet Challenge

Posted in Packet Challenge on 3 August, 2009 by Alec Waters

I enjoy the little “packet challenges” that people post, and I’ve had a reasonable amount of success of late.

So, now it’s my turn. Chris Christianson over at ismellpackets.com has kindly posted a challenge I came up with – The Crypto Kitchen. There are two versions of the challenge, easy and hard, but the answer is the same in both cases. It’s your explanation that will count!

The question to be answered is – “what is the secret ingredient?”

Good luck, and thanks Chris for posting the challenge!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk