Monday, April 8, 2013

Capture The Flag, Social Engineering-style

Recently, I attended the Austin B-Sides security event. B-Sides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers.  It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.

As I alluded in a previous post, I brought home a trophy in the social engineering CTF contest. In the hacking community, Capture The Flag (or CTF) refers to a contest to test various computer security skills.  There are many variations, but the basic premise is a set of goals, or "flags," that each participant has to achieve. The contest will generally have a set of "rules of engagement" that provide boundaries, but within those RoE, anything goes.

This year I participated in the social engineering CTF at B-Sides. Social Engineering is commonly referred to as hacking the human - using social and psychological skills to get someone to give you what you want, as opposed to "breaking in." This was my first time competing in any such contest, so I had limited expectations beyond simply learning something new. 

The contest was sponsored by InfoSec firm Squirrels in a Barrel (as in, social engineering is so easy it is like shooting fish ... er, squirrels in a barrel). Participants were given the objectives of identifying 3 secret targets, collecting information about them, locating their private webmail portal, and gaining access to their webmail. The game took place both on the conference grounds as well as within a nearby shopping center (whose merchants and customers were unaware of the exercise).

The only clue we started with was that certain individuals at the conference were wearing badges with QR codes that would provide additional clues. So, the first step was to find out who, and either get them to allow us to scan the tags, or scan the tags without their knowledge.

Once I had found and scanned each of the codes, I had 6 new clues: 3 possible names of @secretsqrl1, @secretsqrl2, and @secretsqrl3, and 3 seemingly random text strings. @<whatever> is the common representation of a Twitter handle, so that was not hard to figure out.  I had some command-line experience with early email attachments back in the 1990's (thank you, college days with pine) so recognized the first two strings as base-64 encoded. That gave me the URL of the webmail portal, and a phone number. The last string revealed itself as a ROT-13 cypher after a little experimentation, yielding a weird phrase that turned out to be just a red herring: "Weird Security is a capital idea for all to pursue."

So, a phone number, a web site, and three Twitter handles.  The first thing I tried was the webmail portal ... it turned out to use Adobe Flash, which my Android phone did not support, so I had to put that clue aside until I was back at my computer that evening.  The phone number went to voice mail but gave me a name: Alvin Corbin. The area code also gave me a likely location for him - Las Vegas.

The Twitter streams gave me much more information. I got 3 personalities, a few location-tagged tweets, and hints as to what each person was interested in (in other words, clues as to what each person might have used as a password). I also learned that Secret Squirrel 1 was having computer difficulties (an opportunity to impersonate a service tech?), and had lost his work badge (maybe check with various lost-and-founds). Secret Squirrel 2 was expecting a delivery (could I pick up his delivery from the hotel?), and Secret Squirrel 3 was looking for a fax machine (might there be an incoming fax somewhere with his real name on it?).

Using this information I explored the hotel and the shopping center. I talked with a hotel receptionist, asking for a delivery in the name of Alvin Corbin. Unfortunately, someone else in the game had beat me to that clue. I talked with the clerk at a nearby fitness center, looking for clues, but overlooked the most obvious one: I didn't think to ask to see lost and found, where I would have found three badges with names, hometowns, photos, etc :-/

Later that night, once I had access to my computer, I played with the webmail portal and I found my way into the first user's email. The person's obvious love of a particular brand of coffee from his Twitter stream had given that password away (ptscoffee). But I still did not have real names for the other two Secret Squirrels.

That's when inspiration struck. My technical skills are much stronger than my SE skills, so I did what any good hacker does: I cheated :-) (OK, cheated is a stretch - nowhere in the rules of engagement was I prohibited from reverse-engineering the webmail portal ... as any good hacker does, I relied on my particular strengths and put my technical skills to work). 

Using WebScarab (a web proxy that lets me see exactly what is going to and from my browser), I discovered that the webmail client did not send anything to the server when I tried to log in. That suggested that the login credentials were being authenticated locally, meaning somewhere in the Flash client I had the usernames and passwords.  



I next used wget (a command-line web browser, useful for retrieving web content when I don't want to actually render it) to download the Flash movie.


Then used the Sothink SWF Decompiler to crack open the Flash movie and see what was in it.  15 minutes later, I found the subroutine that authenticated the login attempt, and so had the usernames and passwords for all three Secret Squirrels.



The results of the contest were quite interesting - and I believe caught the contest coordinator quite off guard. In the end, 4 teams accomplished the goal, in 4 completely different ways.

  • My approach was to reverse engineer the webmail portal and gain access.
  • A second team (the one that beat me to the hotel office) followed the traditional social engineering approach and garnered physical clues to follow.
  • A third individual actually wrote a program that used the GPS coordinates of the Twitter posts to track each Secret Squirrel on a map, and so precisely located each clue's "drop point." There is in fact a freely-available program that works similarly - the aptly-named Creepy.
  • The fourth team managed to talk their way onto the manager's PC at the local UPS office, gaining access to shipment manifests, before realizing they felt that was far outside the boundaries of the game - a true social engineering feat. 

Incidentally, one team also called the coordinator's website hosting company, seeking to change the account password so they could log in and obtain the flags that way. It turned out the flags were not stored anywhere on the website - but the team was successful in not only gaining access to the site, but also talked the customer service agent into giving away the credit card number on file. Needless to say the contest organizer no longer uses that hosting company.

My takeaway from this experience (besides the pure fun of putting some of my education to work) is amazement at how much information we leak without even thinking about it, and how a skilled social engineer can use that information to wheedle their way to their goal.


Incidentally, after the contest an unrelated researcher wrote about a project he did on Twitter, capturing phone numbers that other people posted publically. It is amazing how much personal information people will put on the Internet - phone numbers, email addresses, prescription information, even X-ray images - never considering the fact that what is posted is freely available to anyone, regardless of their intent.

If that doesn't get your attention, check out this video of a "mind reader" revealing highly personal details gleaned from the cyberverse. The pretext is people off the street auditioning for a fortune-telling reality show, but every detail revealed by the host was found on Facebook, Twitter, etc. Scary. How much can someone discern about _you_ online?


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen