Thursday, November 5

The PhishSeine Advantage

Making improvements in our services is one of our top priorities.  The feedback we get from clients is invaluable in connecting with the needs of others and making sure our solutions remain effective.

This is a great opportunity to share the feedback we've received on our PhishSeine service.  The social-engineering platform gives our clients the ability to test their users' susceptibility to phishing attacks and to provide on-the-spot training to those users who need it.

The first key difference in our service is that no whitelisting is needed.  Other vendors' solutions require you to whitelist their servers so that the messages bypass traditional spam and email filtering.  We feel that this is cheating: if our campaigns aren't good enough to get past your spam filters, then either you have very effective filtering (whitelisting) or we're not good enough at our jobs.

The second key difference is our ability to tailor the experience to your users: each of our campaigns is built specifically for you as the client, with tweaks made to reflect the genuinely risky targeted attacks that are becoming very common.

The last important difference is our licensing model.  Instead of charging a higher rate per user included in the program, we charge a lower fixed per-campaign fee and only charge for users who are successfully phished.  So as your education gets better your costs go down, motivating you to build the most effective educational messages for your staff.

Give us a call or email for more information on how you can take advantage of this service.

Thursday, September 25

ShellShock Basics - Updated Oct 1st

Update 2 - October 1st: As expected still lots going on;

As the mainstream media attempts to make sense of all the hype surrounding the latest security vulnerability, IT support staff are left to make sense of it all and determine what, if anything, needs to be done.

Background: Bash (aka Bourne-again Shell) is used as an interactive shell on most Unix-like operating systems.  It comes by default on many popular distributions such as Ubuntu, OSX, and other Linux platforms.

The bug:  One feature of the shell is that a user can set environment variables.  Unfortunately, bash parses values that look like exported function definitions, and if the right sequence of characters follows the function body, the extra commands after it are executed.
Exploitation:  By injecting extra code into a value that gets passed to bash, an attacker has it executed in the context of the process reading it.  This happens as soon as the environment variables are read by bash, i.e. when it starts.
Am I vulnerable:  Any software you use that builds environment variables from untrusted, unauthenticated input should be examined; for example, a CGI script whose HTTP headers are passed to bash through the environment.  It is prudent to review all of your public interfaces for potential exposure.  Use the CERT list to see if your vendors are listed and get a link to the specific advisory.
  • CERT List of Vendors Affected -
  • Nmap tests
  • Masscan tests
Is it patched yet:  There are numerous vendors affected.  Many of the major vendors were informed about the bug prior to release so they could prepare patches; some have patches that work, others do not.  Basic patches have been released.
What else should I do:  Monitor requests (including past ones, if you have the capability); this will tell you whether people are attempting to exploit you.  Look for signatures that have been released by Sourcefire, Bro IDS and other IDS vendors.  If you can look at past traffic captures, you might be able to determine whether you were targeted prior to the bug's disclosure.
Monitor the situation closely; it is likely that details of the specific applications and software affected, as well as other mitigations that can be taken until robust patches are released, will follow.
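As an added example (not from the original post), a small POSIX shell script that runs the widely published self-test against the local bash, and then scans web-server log text for the function-definition prefix that the IDS signatures mentioned above key on. The access-log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: a local self-check for the
# bash environment-variable bug plus a scan of request logs for probe attempts.

# Prints "vulnerable", "patched" or "no-bash". An exported variable whose
# value starts with "() {" is imported by bash as a function definition; an
# unpatched bash also runs whatever follows the closing brace (here, an echo).
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Constructed Apache-style access log lines: two requests carry the function
# prefix in the User-Agent or Referer field, one is ordinary traffic.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.30"'

# Counts log lines containing the "() {" prefix, tolerating extra spaces
# between the parentheses and the brace. $1 = log text.
count_shellshock_probes() {
    printf '%s\n' "$1" | grep -Ec '\(\) *\{' || true
}

# Lists the distinct client addresses that sent such requests. $1 = log text.
probe_sources() {
    printf '%s\n' "$1" | grep -E '\(\) *\{' | cut -d' ' -f1 | sort -u
}
```

On a live server, feed the real log instead of the sample: `count_shellshock_probes "$(cat /var/log/apache2/access.log)"`.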

Thursday, May 1

Testing the CVE2014-0160 HeartBleed Attack - Part I

This is part one of a multi-part series on the HeartBleed vulnerability.  This part deals with getting your environment set up with a vulnerable SSL web server (using Kali Linux), and the client software used to test for and exploit it.

Set up the vulnerable web server.

Kali Linux already has apache installed, so simply enable the SSL mod, create a directory to hold the key material, generate the private key and ssl cert, and restart the server to

sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/webserver.key -out /etc/apache2/ssl/webserver.crt

Then you'll need to edit the SSL site configuration to enable it for your IP address (not the one below).

vi /etc/apache2/sites-available/default-ssl
Add the information for your server.


and change the following lines to use the newly generated key material:

SSLCertificateFile /etc/apache2/ssl/webserver.crt
SSLCertificateKeyFile /etc/apache2/ssl/webserver.key

Then restart the Apache server:

sudo service apache2 restart

And test the server using a web browser:

Your browser should still complain about the self-signed cert.

Install the HeartBleed test software:

To test for / exploit the vulnerability I'm initially using the Python test code here:

git clone
cd 10107280

Great, I can confirm that I have been able to extract data from the vulnerable OpenSSL library.  But the returned data doesn't make much sense.

Many people have been kind enough to release tools that take the exploitation a step further.  Robert David Graham (@erratarob) released the heartleech tool in response to the Cloudflare challenge.  This tool provides a bunch of extra features, including:

  • Automated extraction of mass amounts of memory
  • Automated retrieval of private keys
  • Limited IDS evasion (most signature based IDS products)
  • STARTTLS (email server library)

Building the binary on OSX 10.9 is fairly easy, but you need to download and compile the OpenSSL library as documented in Robert's instructions.  Once built, simply run it against the site in question:

Extract and Use the Private Key:

Good, it reports it as vulnerable.  Now let's try to extract the private key.

Very quickly it came back with the key material; now I could create a new server certificate using this private key and impersonate the server.  The key should match the one on the vulnerable web server.

Now with the private key extracted, I can create a message, sign it with the extracted private key, and verify the signature using the certificate that I got from the web server.
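The two checks just described, as an added example that is not part of the original post: it builds a throwaway self-signed key/cert pair the same way the post does (in a temp directory rather than /etc/apache2/ssl), then tests whether a candidate private key belongs to the certificate and whether a signature made with that key verifies under the certificate's public key. The hostname and the second "wrong" key are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway
# self-signed key/cert pair the way the post does, then offers two checks:
# does a candidate private key belong to the certificate, and does a
# signature made with that key verify under the certificate's public key?
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same invocation as the post (with the "-days" flag spelled correctly).
make_server_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=heartbleed-lab.example" \
        -keyout "$WORK/webserver.key" -out "$WORK/webserver.crt" 2>/dev/null
}

# Prints "match" when the RSA modulus in the key equals the one in the cert,
# else "mismatch". Use it to confirm a recovered key is really the server's,
# or, after rotating, that the new cert no longer carries the leaked modulus.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Signs a message with the key, then verifies it with the public key pulled
# from the certificate. Prints "verified" or "failed".
sign_and_verify() {  # $1 = private key file, $2 = certificate file, $3 = text
    printf '%s' "$3" > "$WORK/msg.txt"
    openssl x509 -in "$2" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -sign "$1" -out "$WORK/msg.sig" "$WORK/msg.txt"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" \
            -signature "$WORK/msg.sig" "$WORK/msg.txt" >/dev/null 2>&1; then
        echo verified
    else
        echo failed
    fi
}

# Lab material (constructed): the server pair plus an unrelated key that plays
# the role of a wrong or rotated key. Skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    make_server_cert
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
fi
```

Point `key_matches_cert` at the key heartleech wrote and the certificate served by the lab host to reproduce the post's check; a "mismatch" against the old certificate is also what you want to see after rotating a key that may have leaked.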

Very good work by @erratarob on the speed of getting a tool like this out publicly.  I should have a new post soon with results of testing the IDS evasion functionality.

Monday, April 14

Edmonton HeartBleed Information Session - April 16th, Royal Glenora Club

Since the latest major OpenSSL vulnerability was publicly disclosed, many people and organizations are scrambling to understand, respond and prepare themselves for the future.
Twitter, vendor support channels and media outlets have been quick to cover different angles of the issue, but there has been an overwhelming amount of information released.

With all this information, it can be difficult to understand what's relevant.  To help clarify, we are holding a special ISACA-sponsored 2-hour session on Wednesday, April 16th, starting at 12:00pm at the Royal Glenora Club.

Benoit and I will be attempting to explain as much of the issue as we can from a technical and non-technical perspective, discussing the vulnerability, its scope in relation to our personal and professional lives, and other related concerns such as our trust in the public PKI system.  The second hour will be an interactive discussion about how others are dealing with the problem, questions about related topics, and peer discussion.

We encourage you to attend and to invite others that you think might benefit from this session.  Space is limited to approximately 50 people on a first-come, first-served basis.  Please have lunch before you arrive as no food will be served.

We'll make our presentation available after the session, and as always you are welcome to send questions to me directly.

See you there,


Friday, September 27

Touch ID - Distributed Fingerprint Lookup

All the press regarding the new Touch ID fingerprint biometric on Apple's new iPhone has brought some insight into how this service could be misused.  Most of the critics have focused on circumventing the device to gain access, or on Apple deciding to share the data with the government.

One interesting perspective that I haven't seen covered yet is whether the system could be used as a distributed matching system for existing fingerprint image systems.  In an oversimplified view of the process, a law enforcement agency takes an acquired fingerprint, searches for patterns in the database of collected prints, and gets back possible matches.

Although Apple states that an API won't be available for apps, it is conceivable that such an interface might exist, and provide the ability to take an acquired print (either from the iPhone hardware or from software) and check it for validity against the stored print.

There are some limits to this: there is likely only going to be one print stored (a thumb in most cases), the matching wouldn't be perfect (high false-accept and false-reject rates), and distributing a request for matching over public networks could potentially be discovered.  But the pros of attempting matches across the entire iPhone population might outweigh these cons.

If anyone has more detailed information about the potential for this type of use I would like to hear about it.

Thursday, May 16

Local Classified Penny Auction Scam

While there are a lot of new posts about novel techniques and 0day exploits for taking advantage of people, there continues to be a rash of tried-and-true methods of coercion.  I want to walk through a simple example and reflect on how effective these methods continue to be.

Many people turn toward online classified sites to buy and sell items online.  This example starts with which even I've used on occasion to find used electronics and other items.  Doing a search on the site for a "Samsung Galaxy Note 2" returns a posting from today with someone selling one at an unreasonably low price.

$125 for a $500 phone?  But what if it's for real?  No harm in just asking some simple questions.  Email sent with some obvious questions regarding the condition and location.

About an hour passes before I get a response from what appears to be a legit seller.

Notice there is no answer to the questions I asked, but a friendly pointer at where the unit came from and how I could get one for the same price.  What is though?  Well, this online penny auction site claims to allow purchases way below the value of the items being sold.

Including a not-so-obvious but intentionally generic newsreel video.

That's when I get the second email, from another email account, with the exact same content and a link to a different URL but the exact same site.

OK, so by now I'm suspicious, and I do a little digging into the DNS registration information, the YouTube account posting the videos and the posts on Kijiji related to the items.  All appear to be somewhat anonymous and scammy.

Switching mindsets to that of the people behind this scheme, what might be going on here?  Here is one likely scenario:

  1. The scammers set up the fake bidding site and YouTube accounts, and probably Twitter and email accounts too, including fake items and auctions.
  2. They post a few ads on local advertising sites for desirable items at too-good-to-be-true prices.
  3. They set up a script to auto-reply to inquiries about the items from legitimate buyers with links to the scam site.
  4. The site asks the user to register, which includes an email address and password.
  5. They use this email address and password to attempt to access the email account provided.  Any that work are added to the list of accounts that scam messages are sent from.
  6. If the user is gullible enough to bid and pay for items using a credit card or PayPal, this is free cash.
  7. They wait a week or two, then switch to another email address, URL, payment gateway, etc.
  8. If the scammers were really nefarious, they could also extract all of the email from the user's account and likely use it to conduct additional fraud or ID theft.

Simple scams like these are obvious to critically minded people, but with so many people online exposed to this, how do we find out about them?  Plus, what's to stop more from springing up all the time?

Three lessons for people:
1.  If something looks too good to be true, it almost always is.
2.  Follow safe browsing practices.  Be patient and don't rush into giving anyone your information or registering with unknown sites.
3.  If you fall for a scam, tell people about it and report it to local law enforcement (, the Internet Crime Complaint Center (, and Google's phishing report (

Monday, December 5

Creating an Encrypted Bootable OSX Lion USB Recovery Disk

With Apple's latest operating system release, 10.7 - Lion, they have included a number of new features which make it a bit more convenient to both back up and secure your data in case of a failure.  In this short post I'll explain how to use a generic external drive to make a secure bootable disk for your Mac.

First a disclaimer and some assumptions regarding your setup.  I have used these instructions to get a working disk on my setup - but this does not mean that the same steps will work for you, so use caution - and if anything goes wrong please feel free to add to these steps.

I am also assuming that you are using the latest operating system patches for OSX; I'm at version 10.7.2.

Step 1 - Connect and prepare your external USB drive.

Connect your USB disk and open Disk Utility.
Change the partition layout of the disk to two partitions: a 1GB partition, and a partition using the remaining disk space.  I named one RECOVERY and the other TIMEMACHINE.  Ensure that under "Options" the scheme is GUID Partition Table.

Select the format for both of the partitions as Mac OS Extended (HFS) and click Apply.  Note - this will erase all of the data on the selected drive, so make sure you have the right drive selected.

Step 2 - Download and Install the OSX recovery disk assistant from Apple -
The wizard will ask you which disk you'd like to install onto.  Select the RECOVERY volume.  Be aware that this will erase all data on the selected volume (well, except for the TIMEMACHINE partition that we created earlier :)).
There is now a hidden recovery partition with a type of "Apple_Boot" on the USB drive that you used.  To see it, in a terminal window type:
diskutil list

Step 3 - Open Time Machine preferences and click Select Disk.  Select the TIMEMACHINE volume.  Also check the encryption checkbox to ensure that your files are protected.  You will be prompted for a passphrase to use for this.  Note - this is a different passphrase from the one used for the user on the computer and for the whole-disk encryption you have on the hard drive.

Step 4 - Wait until the first backup is complete.  Once the files are transferred for the first time, the backups will be encrypted as well.  This also will take some time.  During these operations you can eject the disk and have it resume once the disk is reconnected.  When you reconnect the encrypted disk, you will be prompted for your password.

Step 5 - Once the backup and encryption operations are complete, you should test your backup solution by rebooting the computer and holding down the Option key, then selecting the USB disk.  The recovery wizard will walk you through the process of restoring your computer from the recovery volume on the USB drive.

I will update this post, when I get a chance to test out the recovery process.

Step 6 - Always remember the rule of 3 when making copies of your important data: 1 live copy, 1 backup copy, and 1 copy stored somewhere other than your other two.  In this case you could get by with just periodically (weekly / monthly) backing up to the USB drive and then storing this drive in a different location.
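As an added example (not from the original post), a small shell check over the output of `diskutil list` that confirms the layout the steps above produce: a GUID partition table, the hidden Apple_Boot recovery partition, and an encrypted TIMEMACHINE volume. The two dumps are constructed to mirror diskutil's output before and after step 3; it is assumed here that an encrypted Time Machine volume shows up with the Apple_CoreStorage type.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a "diskutil list" dump
# for the layout built in steps 1 to 3. On the Mac itself run:
#     diskutil list | check_layout
# Assumption: an encrypted Time Machine volume is listed as Apple_CoreStorage.

# Constructed dump: after the Recovery Disk Assistant, before encryption.
BEFORE_ENCRYPTION='/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *16.0 GB    disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                  Apple_HFS RECOVERY                1.0 GB     disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3
   4:                  Apple_HFS TIMEMACHINE             14.0 GB    disk2s4'

# Constructed dump: after Time Machine encryption has been enabled.
AFTER_ENCRYPTION='/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *16.0 GB    disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                  Apple_HFS RECOVERY                1.0 GB     disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3
   4:          Apple_CoreStorage TIMEMACHINE             14.0 GB    disk2s4'

# Reads a diskutil dump on stdin and prints one finding per line, prefixed
# "ok:", "WARN:" or "FAIL:".
check_layout() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q 'GUID_partition_scheme'; then
        echo "ok: GUID partition table"
    else
        echo "FAIL: disk is not using the GUID partition scheme"
    fi
    if printf '%s\n' "$dump" | grep -q 'Apple_Boot'; then
        echo "ok: hidden Apple_Boot recovery partition present"
    else
        echo "FAIL: no Apple_Boot partition, rerun the Recovery Disk Assistant"
    fi
    if printf '%s\n' "$dump" | grep -q 'Apple_CoreStorage *TIMEMACHINE'; then
        echo "ok: TIMEMACHINE is encrypted (Core Storage volume)"
    else
        echo "WARN: TIMEMACHINE is plain HFS, backups are not encrypted"
    fi
}
```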