COMP6441 Blogging

This weeks case study was quite an interesting problem, which I couldn’t think of a perfect solution for unfortunately. However, I still think that our group did a good job and came up with a pretty good solution, albeit it still has flaws.

Initially, our group was thinking of implementing all the fancy security techniques we had learned, such as HMACs and Diffie-Hellman key exchange. However, we realised that this would be too difficult to implement in the scenario presented, as they would be too complex. Another issue is that the Alien would essentially act as a man in the middle attack, which could prevent some of them from working. This meant that we had to rethink our ideas and try to come up with something more simple, yet effective.

The main issues that we had to consider, were Authenticity and Integrity. Firstly, we had to make sure that we could authenticate the invisible man, so that we knew how he was. Then we also had to ensure that the alien was not tampering with the message that the invisible man was trying to relay. After authenticating once, we could assume that we had confirmed the invisible mans identity, however integrity was still a big issue, as the alien could tamper none, some or all messages from the invisible man, especially if the man was trying to make a report that threatened the alien.

Ultimately, we thought of the solution where we would isolate the invisible man from the alien, allowing us to communicate one way with the invisible man, without the alien being able to hear or see us. We could then write down the questions and ask the invisible man to pass the answer on to the alien. This meant that the alien did not know the context of the answer, making it difficult to tamper with in a harmful manner. Of course they could tamper it however they wanted, so we would need to try and confirm this, by either repeating the same question multiple times with different variations, so that we could see if it ever changed, or use a different method such as giving them a true/false or multiple choice answer. This however limited the scope of our messaging, as we would have to ask the right questions and have the right answers, so that we could minimise context for the alien and hence minimising the ability for them to tamper with our messages.

Unfortunately I ended up not having the chance to present in class this semester. This was quite devastating, as I really wanted to give back to our awesome tutorial and show them something cool. However, with the new trimester system, I ended up having exams staggered across 3 weeks for my midsem exams, which meant that I was quite busy each week and couldn’t find the time to really do a quality presentation. 

I noticed that previously when I tail gated my friends into an unnamed gym, it would not make a sound or anything, possibly meaning that it wasn’t detected. Recently though, I noticed that it makes a short beep noise. Note that I do have my own gym pass, I was just curious about the sensors.

I read an article today about Russian hackers targeting election systems in the US. Turns out that all 50 states were actually hacked by hackers linked to the Russian Government and that they were in the position to tamper with them. There is currently no evidence in whether or not they did tamper with it though, which demonstrates the huge security threat it poses.

Google Yourself: I decided to download some information about myself on Facebook, more specifically, some of the supposed interests in ads I have, curious as to how they would analyse such a thing. From what I gathered, it kind of seemed like it was based on the videos/posts/groups/events and almost like the terms that I’ve googled over the years. Some were really strange as I don’t even know what they are, such as Jumbo (hypermarkets), Goldie Lookin Chain and Celebridade. This was quite interesting as it seems they analyse almost every part of my profile, gaining a lot of information on me.

The other category I decided to look at was advertisers who uploaded a contact list with my information. This list was also quite surprising, as there were many companies that I had not even heard of, such as Brisbane Ownership, Lifestyle and Culture, Gimlet Media and WA Super. I don’t recall ever dealing with these companies but somehow they got my permission it seems. It also seems like some companies are quite sneaky, with all the regions having uploaded my information, eg iHerb Japanese, Chinese, Arabic.

Just from those 2 small sections, we can see that Facebook actually gathers a lot of information, more than you would probably expect, unless you are super careful with how you use it and what you give permissions to. If I had downloaded every category, there would probably be my whole lifes history basically summarised, which is pretty crazy.

Deep Fakes: I remember when I was doing the neural networks course, one of the lectures played a video, which was Obama talking about fake news. It used a combination of AI techniques, including a fake face and face voice tool, which when put together, becomes quit believable. This is especially true for people that aren’t as aware of the possibilities of technology, such as some of the older generation. It is hard to detect whether it is real or not, but these days, for big events, you could probably try to search up the content of the potentially fake video to see if other people have made comments or if the video has been uploaded on any reliable sources. This kinda of ability can be quite scary, as it could easily be used to trick people or ruin other people’s reputation, so if used by people with malicious intent, it can be quite powerful.

This lectures covers the topic of identity theft. The graph at the beginning shows that fraudulent documents are actually pretty cheap to buy with passports being the most expensive at $1500, compared to $244 for a real, which isn’t too bad, very affordable. This can be quite scary if someone steals your identity and is caught in criminal acts etc, which can affect your own records, when in reality you were innocent. A cheap and dirty attack could be someone pretending to be you online and defaming your reputation.

The amount of reports on identity theft is relatively low, due to factors such as embarrassment, confusion, no loss of money etc, but in reality it can have a traumatising effect, as once your identity has been stolen once, it is at a much higher risk of being stolen again at any time, due to a lot of identifying factors not changing, such as your fingerprint.

Another difficult issue to deal with is that your data is usually stored by another database and if that isn’t protected well, this means that your information can be breached and there is nothing you can do about it. 

Some things that criminals can do with your data include: Take out loans, social security benefits, criminal acts, tax refunds, buying phones, entering contracts, take out a credit card and conveyancing etc. idcare and ACRON may be some of the better organisations that can help in case you have had your identity stolen. 

Not sure where video 8.2 went, maybe it’s no longer relevant, but I’ll keep the title of the post matching what the title of the video is for clarity.

This lecture covered biometrics, with the beginning showing a video of someone copying a fingerprint to get into an iPhone. It was not even hard, using a basic scanner and a bit of modifying along with some more processes to create the dummy. This means that a fingerprint is actually potentially a really bad method of authentication, as you can’t change it, so once someone steals it, they could have access to anything that uses your fingerprint. Another problem is that the fingerprints could be slightly different every time, due to cuts or sweat etc, which means that it won’t match exactly, so there must be some leeway that allows for it to check if it still matches, meaning it is much more vulnerable than initially thought. Richard estimates that there is about 30-40 bits of security in a fingerprint which is actually extremely weak and can be bruteforced, assuming you attack it further in the chain where the fingerprint has already been converted into information. He also reckons that facial recognition probably only has at most 50-60 bits of security. Interesting food for thought which is hard to calculate.

He then covers a bit more on bits of security and brute forcing, along with the link between time and bits of security, so that you could estimate roughly how long it would take depending on what assumptions made, such as how many instructions the computer could do per second and how many instructions it would take to attempt once.

This lecture talks about identity and authentication, which Richard calls the “meat and veg” of security, meaning it must be pretty important. Richard gives a pretty straightforward example in the lecture, in which someone basically tries to guess whether the message came from a specific person or someone else. I think that learning about this earlier would’ve been more useful for the Houdini case we covered earlier on, but these aren’t in the same order as the content covered this semester. In that example of authentication, there is no way of authenticating it, as there is not enough information to confirm the identity of the sender of the message. He did guess it right due to sheer luck, but that is not a valid method of authentication.

In real life, some ways of authenticating ID include bringing in 100 points of ID, which usually consists of a drivers license and a passport or other forms of identity such as those. A stronger method of identification could include facial recognition, DNA, dental records or finger printing, where it is much harder to fake.

One student made an interesting remark where he was trying to cancel a credit card and the operator asked where he lived and what the weather was like, which is an interesting method that is also easy to do. Another interesting thing was that another student said sometimes he tells the operator a couple of wrong numbers when authenticating some cards, but the operator has corrected him instead. This shows that human error is potentially a huge issue, as they are not doing their job properly, assuming the person is authenticated already. People of Justice signing copies off as authentic is also another issue that could be abused, as they could be bribed or socially engineered to help you fake documents.

They did the example earlier again but with the students reversed. Funnily enough, the real sender added a message at the bottom ps “I am Norwegian”, but somehow the fake one also had the same message, presumably another student told him about it. Thus the student guessing was tricked and authenticated the message thinking it was from the real sender. This shows that authentication is quite difficult, as if other people have some insider information, it is hard to determine which is the real message. This is an example of authenticating through a shared secret not working.

3 main factors authentication people often use - Something you know (Shared Secret), something you have (ID), something you are/do (Way you walk). Eg 2 factor authentication - 1. password (something you know) 2. sms code (something you have). Richard however argues that these are all authentication by knowledge, as everything is transferred as data, for example, a fingerprint could be converted to bits and processed to be verified, which can be tapped in the middle. Having a chain of actions means that there is many vulnerabilities in which it can be leaked and attacked.

After finishing 10/21 of the Toddler’s Bottle challenges on pwnable.kr, I have come to the conclusion of my Something Awesome project, in which I wanted to take on some CTFs and learn a bit about finding bugs and breaking into things. The ones highlighted in green are the ones I completed, earning 31 points on my account and achieving a rank of 4972 apparently!? Maybe not that many people use this website, or they just dont bother making an account and submitting the flags.

I feel like I have definitely learnt a lot, spending hours at a time trying to search things up and figure out what is wrong. I enjoyed how these basic challenges taught a lot of basic, crucial concepts which gave me a more enjoyable reason for me to learn them, such as file descriptors and environment variables, as well as basic security vulnerabilities, such as buffer overflows and the flaw of rand().

There is definitely a lot more for me to learn in this field, as there are 3 more difficulties that I did not even manage to reach, despite spending a decent amount of time. The challenges that I took hours to complete would probably take a veteran minutes to complete. 

Some of the challenges that I struggled the most with, would be the ones that did not involve reading the source code and trying to figure out the mistake. Having to decompile the binary file was an extremely new concept to me and thus took me a lot of time to pick up and learn. I think it would’ve been better if I firstly completed all the non reverse-binary needed challenges first to learn the basics of things, then moved onto those after. 

I think that I enjoyed the line by line analysing, as it helped me improve on my ability to understand code and detect and solve the problem hidden. I did not enjoy the binary stuff as much, as that stuff was really complicated, dealing with low level architecture with bytes and assembly language. I know that it is still very important to learn, so it was still a good revision of some knowledge that I hadn’t touched upon in a while. It also allowed me to go back and do a bit of C, as it’s been quite a while since the last time I’ve used it.

This will be my last something awesome for the semester, as our something awesome videos are due on Tuesday, which is in 3 days. I’ll be doing this one early so that I have time to create the video as well, averaging 6 posts over the last 6 weeks, completing an average of 1-2 challenges per week.

First up, I shall choose the challenge shellshock, with the description talking about bash and the shellshock news. We start it up as usual, sshing in and taking a look at what we got. We have the following files: bash, flag, shellshock and shellshock.c. This appears to have an extra bash file compared to the usual setup. But lets dive into the source code and have a look at it first:

This was a lot smaller than I expected, with it calling setresuid and setresgid, then calling the system function, which echos out shock_me. Interesting. Looking up setresuid and setresgid, I find out that they are used to set user and group id. The 3 arguments are real, saved and set ID respectively. Getegid returns the effective group id. It looks like we are setting all the user and group ids to the effective group id. 

Since I get a bit stuck, I decide to look up shellshock and see what it was about in the news. I find that shellshock is actually a bug that allowed Bash to execute commands. Now things are starting to make a bit more sense, I probably need to use the vulnerability like shellshock. Reading about the vulnerability on the wikipedia page, we get env x=‘() { :;}; echo vulnerable’ bash -c echo this is a test. 

Let me see if that works in our terminal. Yep, it works exactly as stated in the wiki, in which case I just need to modify it slightly to get the flag and it should give me what I need! I’m not sure what all the setting of uid and gid was actually for, but I guess I didn’t need to worry about it in this challenge.

After testing a few different variations and reading up a bit more on how exactly the vulnerability works, I end up with env x='() { :; }; /bin/cat flag' ./shellshock, which works! This gives me the flag only if I knew CVE-2014-6271 ten years ago..!!

Onto the last challenge! I will be doing lotto, with the description talking about a lotto program. Sounds interesting. Setting it up the usual way with SSH, we get the following files: lotto.c, lotto and flag. Back to the usual setup. Lets get straight into it and look at the source code. The code was actually really long, so I’ll separate it into the important parts.

Basically, the code was a lotto game, with a main, play and help function. The main function acts as the main menu where we can choose from Play, Help or Exit as seen below:

This seemed clear enough. Next up was the help function, which describes the objective of the game and provides a link for more details which didn’t really help since it looked like the rules for a lotto in Korea, so it was all written in English. I don’t think I need it anyway.

Lastly and most importantly was the play function, where all the logic occurred. Basically, I had to input my 6 bytes and hoped that it matched the 6 lotto numbers, winning the game and printing out the flag. Lets start by analysing the code line by line as usual and seeing if we can spot any errors, as theres no got to be some vulnerability in this code that I can abuse.

Looking at this section, I noticed a couple of funny things. Firstly, lotto[6] is an unsigned char, which means that it will be a character and not an integer. Secondly, in the for loop we can see that the numbers have to be between 1 and 45 as explained. This means that it will only be a character with the ascii value between 1 and 45. Looking at the ascii table, we can only use the characters from 32-45 which are symbols such as !#$%.

 Onto this weeks challenges and almost the end of the something awesomes. This time, im starting it off with the challenge cmd1, with the description talking about PATH environments in linux. Setting things up, we ssh in as usual and find 3 files: cmd1, cmd1.c and flag. Seems like the same as the other few challenges, cracking cmd1.c to get the flag.

Looking at the source code:

Analysing the code, we have the main and a filter function. I’m not too familiar with path environments, so I look up char** envp, which seems to be an environment pointer and putenv, which seems to set the value of an environment variable. In filter, it looks like it has a series of comparators looking for substrings in the argument cmd, with r increasing by 1 if the substrings are found. Oh and system() runs the command, so it seems like I would need it to run cat flag in this case or something similar to print out our flag.

Reading up on what the PATH variable is, I realised that the problem is it is overwriting our PATH variable, which means we would need to type out the absolute path to get to cat. We can use which cat, to find it at /bin/cat. The other problem is that filter also picks up the words flag sh and tmp, so I somehow need to get it to print flag out but I cannot let it detect the string flag. Hmm.

We currently have ./cmd1 “/bin/cat flag” which doesn’t work due to flag being detected in filter. Since we can’t type specific words, I try cat * instead, printing out everything. Lo and behold, we manage to print out flag as well! This gives us the flag mommy now I get what PATH environment is for :). I feel like there would’ve been some more ways to solve this, but I guess whatever works.

Lets move on to challenge cmd2, since it seems like it will be somewhat related, so I might as well get them both done as cmd1 was more like a warmup for it. Setting it up we have the usual setup but with cmd2 instead. Looking at the source code:

We can see that we have a very similar setup, except this time there seems to be a few more rigorous filters in place. Firstly, there’s a new function delete_env and there are also more substrings that are detected in the filter. Apart from that, it seems to be the exact same. Looking at the extra filters they added, it seems that I could’ve solved cmd1 by using a environment variable, exporting or re-setting PATH directly. It seems I just used the easiest solution. I try it again but unfortunately this time it does not work. This is due to the ‘/’ being filtered out. So I need to find a way without using any slashes.

This week, we immediately got into 2 large groups that was for and against privacy levels when dealing with overall national security. I was put in the group that was promoting higher levels of privacy, with the idea that privacy is a human right and security measures such as state surveillance is too much.

One of the key arguments that we came up with, was that we should be innocent until proven guilty and that it is an invasion of privacy, a breach of our human rights, if the Government monitored everything we did and stored it online. This would basically be the same as a totalitarian state in which we were all monitored like in “Nineteen Eighty-Four” and other novels like that.

Another key issue that we had was that our data would not be secure. It is impossible to have an unbreachable security measure in place that would guarantee that our data would not be breached and stolen. There was also the issue of authority in who would be allowed to look and the data and what if they were corrupted or bribed. It would be impossible for us to detect whether someone has sneakily or maliciously analysed our data.

On the other hand, one of the counter arguments brought by the opposing team was that it could be extremely useful in protecting our nation from terrorism and espionage. This is a huge issue that is hard to protect against, kind of like a Type 1/2 error situation. They also stated that innocent until proven guilty could mean that they just store the data, but do not investigate it until they have basically a “warrant” but for your data.

The other idea that they had was to improve overall regulations, so that collecting the data could be feasible without intruding too much on our privacy, highly restricting the ability to access such sensitive data. The idea was for it to kind of be like how a warrant works currently, needing to take the necessary steps before being able to search our property.

We only had enough time to talk about the above issues before running out of time, but I think that they were quite interesting with merits to all of them. In my opinion, I think that there needs to be a fine balance between the two. I think that it would be fine for them to collect the information but not access it, unless there is enough reasonable suspicion. There would also need to be strong security measures in place and the relevant authoritative party would also need to be considered.

I read an article whilst I was at work about someone that had earned $10k for bug bount from Tesla. The owner of a Tesla 3 was messing around with the security, trying to hack into it, when he realised he could name his car anything in one the apps. After messing around and inserting an XSS, he left it there without managing to do anything. Months later, when a rock hit his windshield and he called in for service, he noticed that the script was ran when technicians were trying to access his vehicles data, allowing him to see sensitive information on the vehicle. After a few back and forth messages with Tesla, they sent him $10k as a bonus, despite not saying anything about a reward.

Block Cipher Modes: After reading through the information, I attempted to do the exercise to determine which cipher was using which mode. Firstly, Cipher 2 was easy to determine as the Counter Mode, due to how it increases in length slowly. Next it was a bit harder trying to figure out whether they were Electronic Code Block or Cipher Block Chaining. From what I figured, I should be able to see a pattern in ECB due to the hint that repeated input would give the same output. I initially tried repeating input of short length, such as hellohello, but it didn’t work. Then I realised that this was due to the block size, so instead I gave an input of all 0′s. In Cipher 1 & 5, I noticed that the pattern repeated itself after the second block of Ciphertext was repeated and thus by process of elimination the other 2 must have been CBC.