Forensic Challenge: Help stop the Sbuxnet trojan!

This is a fun forensic challenge created originally for NYU's CSAW Capture the Flag Finals event. The story behind the challenge, along with additional forensic challenges were also used for ACSAC's Tracer Fire class. Now I'm hosting both the forensic image and command and control server on the net so anyone can play.

Begin here: [challenge01.c0.cx] (the challenge is over, thanks to those who played!)

Tools / Techniques / Skills involved:

  • Filesystem forensic analysis
  • Email forensics and cryptographic tools
  • Python, small bit of source code analysis
  • Filetype header analysis, image forensics
  • Minor HTML/HTTP understanding
  • Patience, etc...
Read More

SIM card curiosity, and a little Hardware Hacking

A few months ago I took an interest in the layer 2/3 protocols (and their implementations) for mobile networks. I quickly arrived at SIM card hacking and like a young schoolboy thought, “man if only I could MitM the hardware communication I could spoof other’s SIM cards and use free Internet!” Nope. Well, not nope, but it’s not that easy.

Read More

Adventures in UAV Hacking

SkyNET demo flight SkyNET Drone

My first accepted workshop paper, accepted to USENIX WOOT 2011, was called "SkyNET: A 3G-enabled mobile attack drone and stealth botmaster". Catchy name, right? Check out the project page if you'd like a review. After the paper was published, presented, and let lie for a month, the project caught the attention of MIT Technology Review. Shortly after the story was published tons of other websites started duplicating and running their own. The relation between UAVs and "Skynet" did the trick in attracting media attention. Unfortunately there's very little AI incorporated thus far into the project. Nevertheless, it's been a blast reading the various comments on the project.

Read More

Rock The Flag network, CyberSecurity Education, and logging Capture The Flag Experiences

I want to make this as concise as possible, but I haven't written in a while, so stick with me.

Rock the Flag, network, (RTFn) is a project started by myself, and my friends Mike and Nick, designed to help students play Capture The Flag (CTF) competitions. RTFn's goal is improved CyberSecurity education through CTF competitions. We hope to improve CTF experiences with extracted-and-visualized team reports per-event.  The software implements robust logging, with the help of the users, to identify trends. These trends help users identify their team strengths and weaknesses, while profiling each competition they play. At the base of RTFn is an Etherpad (real-time document collaboration on steroids) installation with three major changes.

Read More

Exploring recent PDF exploits: A Time Killer

Over the past few months I've seen numerous articles and CVEs on Adobe Reader and it's vulnerabilities. It seems like everyday I wake up to a new discussion on how to launch some bit of javascript or run application xyz. Well, I've also been seeing many attempts to exploit old vulnerabilities. (Usually by correlating suspicious domains to sets of drive-by-download PDF files thanks to a short script by my friend Dave.) Either way, this last week the number of malicious PDFs increased. So I decided to take some apart and familiarize myself with the different vulnerabilities and how JavaScript played a role. All the information I found had already been documented (and I'll try my best to link to those discoveries). But I want to walk through my investigation and maybe up-turn a few overlooked rocks.

Read More

Fun with Network Forensics: Discovering a Rouge Bridge

This is a short write up on some interesting things I found while completing a midterm project for a Network Forensics class I took last year. My network forensics group decided to map the traffic for contemporary Windows-based denial of service vulnerabilities. Our project utilized a live network of volunteer hosts connected to the university network. We used NetFlow data collected by Flow Tools. While searching for possible exploits I found a hidden network bridge. The bridge used a non-human host registered to a roaming port in a networking closet. The host was eventually found to use a rouge process which proxied connections from an external residence on to campus. A malicious user could have used this bridge to proxy requests from their home through the university.

Read More