Wednesday, June 7, 2017

NSA Leak Bust Points to State Surveillance Deal with Printing Firms

Earlier this week a young government contractor named Reality Winner was accused by police of leaking an internal NSA document to news outlet The Intercept. The documents outline the intelligence community's take on Russian efforts to hack a variety of companies responsible for facilitating US election voting. You can read the documents here.

Despite what anyone might have to say about the issue on Twitter, an arrest involving an accusation of any crime by any law enforcement agency in any country is not evidence of guilt. Even the most circumspect appraisal of the US justice system will reveal that tens of thousands of individuals are arrested every year only to have those charges *immediately* dismissed by a court, while nearly everyone who actually is *convicted* of a crime in this country has their charges reduced. Even in cases in which individuals have been convicted of the most serious capital crimes, courts have been forced to release dozens of individuals after DNA testing offered conclusive proof of innocence.

The point is this: being arrested is not being convicted. And being convicted is not proof-positive of guilt.

For the purposes of this post I will set aside the substance of the leak itself; again, I recommend reading the Intercept's initial reporting. This post is focused on reports of how law enforcement is claiming that it identified young Ms Winner and the consequences of these reports for computer users with an interest in privacy. The Electronic Frontier Foundation (EFF) describes the purported technique involved as follows:

Imagine that every time you printed a document it automatically included a secret code that could be used to identify the printer, and potentially the person who used it. Sounds like something from an episode of "Alias," right? Unfortunately the scenario isn't fictional. In a purported effort to identify counterfeiters, the US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information. That means that without your knowledge or consent an act you assume is private could become public. A communication tool you're using in everyday life could become a tool for government surveillance. And what's worse, there are no laws to prevent abuse.

The terms for this technique include "forensic watermarking", "printer steganography" and "counterfeit deterrence system". After a series of FOIA requests to some 10 US government agencies in 2008, the EFF definitively established that a wide array of the most popular modern printers print some form of watermark that can be used to identify the device that printed a given document. The documents recovered through that FOIA request (some of which date back to the 1990s) reveal that the watermarking techniques have been available since at least the 1980s, that printer manufacturers "voluntarily" adopted forensic watermarking under the ostensible justification of fighting counterfeiters, and that efforts to proliferate the use of watermarking involved the EU as well as the US.

The watermark in the documents published by the Intercept consists of a pattern of yellow dots that, when decoded, identifies the serial number of the printer used and the date and time the document was printed. Here are those dots, made more visible by increasing the contrast (images c/o Errata Sec's excellent post on this topic):
And here is the data gleaned from decoding that watermark:
When this information is combined with a standard corporate asset tagging system and printer logs, the watermark can easily identify the workstation that printed a given document. The same technique can also be used to create evidence that a printer seized from a defendant's property generated a given document.

So how does a privacy-conscious printer user avoid this watermarking technique?

For one thing, do not assume that because you are unable to see any visible watermarking on documents from your printer that you are safe. Here is a photograph of a watermarked document taken with a Digital Blue QX5 microscope:

Even with the microscope the forensic dots are barely visible. Attempting to view the pattern without any form of artificial enhancement is a fool's errand.

A user can avoid purchasing one of the printers that the EFF has tested and confirmed generate watermarks. Unfortunately, this list is not up to date; and as time goes on, the likelihood that *all* manufacturers will produce some form of watermarking increases.

The specific technique involved in the leaked documents published by the Intercept requires the use of color: the dots are a pale shade of yellow that is not easily visible without some form of digital enhancement. Avoiding the use of a color printer avoids this specific technique. I am very skeptical of claims online that printing documents in "black & white" mode on color printers provides any form of protection: watermarks can easily be imprinted in greyscale (see "binary image watermarks"), and I have yet to see any confirmation that this approach is effective.

Even the use of a modern black-and-white printer leaves me uncomfortable. There are numerous means of imprinting imperceptible watermarks; the popular yellow dots are simply one technique of many. DCT-based watermarking techniques are significantly harder to identify than by just adding some contrast to the document; until now the computational expense required for DCT was likely cost-prohibitive for manufacturers. This is certain to change over time.

Tools designed specifically to protect users from this kind of technology are few to non-existent. I can't point the finger; I have not worked on this problem. I do have some ideas. Given that the full set of watermarking techniques in use is unknown, it would likely be more reliable, and perhaps cross-device-compatible, to spoof identifying device information before it reaches the printed document than to attempt to identify and remove or modify the watermark itself. I have only marginal experience with peripheral firmware or drivers, but if anyone is interested in this type of project I learn fast and would be happy to help.

Saturday, May 20, 2017

Billing systems development now available

Good news for current and future clients of Josh Wieder Technical Consulting: customers can now retain a variety of unique services related to popular hosting billing platforms Ubersmith & WHMCS, many of which are not available anywhere else.

The services we are now able to offer include:

- Automated per-minute DID usage billing integration for Vitelity VOIP resellers for both Ubersmith & WHMCS.

- Credit card number and profile migration services to and from WHMCS. We are capable of decrypting CC data stored in WHMCS for you and facilitating migration to a token-based payment verification system (such as Authorize.Net CIM) that can improve your compliance with PCI standards.

- PayPal subscription migration services to, from and between WHMCS & Ubersmith.

- Authorize.Net CIM profile migration services.

- Custom development of Authorize.Net & PayPal gateways for WHMCS for extending a variety of functions, for example:
    - Provide support in WHMCS for multiple Authorize.Net and/or PayPal accounts
    - FULL support for Instant Payment Notifications
    - Automatic generation of support tickets, email notifications and/or SMS gateway notifications on payment gateway errors

- Integration of WHMCS or Ubersmith shopping carts with existing client web properties. We can match the "look & feel" of your existing website with an up-to-date shopping cart without breaking regular update functionality that will keep your cart & payment software secure.

- Individualized solutions to meet your project requirements.

Contact Josh Wieder Technical Consulting today to discuss how we can make your billing & hosting automation software more secure, effective and profitable.

Saturday, April 15, 2017

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simple PHP script obfuscated with ROT13. The script provides a means for establishing file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side. Interestingly, these functions are somewhat protected: in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose.

The script includes a standard six-byte GIF header before the "<?php" that opens the PHP code, and the payload itself had a .gif file extension. It is pretty obvious, either to the naked eye or to a program that performs more than a very basic check, that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen, which simply rename a payload file, but not as sophisticated as payloads that are embedded within an actual image.

Developers could make attacks like these much more difficult by including more sophisticated file type checks in upload functionality. In the case of this GIF, a sanity check of the Logical Screen Descriptor block (two pairs of two bytes, each a positive 16-bit integer) in addition to the Header Block would have caught this as phony. Even more obviously, checking for common open tags for scripts (e.g. <?, <?php, etc.) would have caught this and similar garbage-ware.
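The checks described above, as an added example in PHP that is not code from the post or from the RAT: it validates the raw bytes of an uploaded "GIF" and goes one step further than the post by also walking the Global Color Table and requiring a real GIF block to follow it. The function name and the sample files are constructed for the example.

```php
<?php
// Added example, not code from the post: the upload sanity checks the post
// describes, run on the raw bytes of an uploaded "GIF" before it is stored.

function gifUploadCheck(string $bytes): array
{
    // Header Block: six bytes, "GIF87a" or "GIF89a". The RAT had exactly
    // this, followed immediately by "<?php".
    if (strlen($bytes) < 13) {
        return [false, 'shorter than a GIF header plus Logical Screen Descriptor'];
    }
    $sig = substr($bytes, 0, 6);
    if ($sig !== 'GIF87a' && $sig !== 'GIF89a') {
        return [false, 'bad GIF signature'];
    }

    // Logical Screen Descriptor: width and height are 16-bit little-endian
    // unsigned integers and must both be positive; then a packed flags byte,
    // the background colour index and the pixel aspect ratio.
    $lsd = unpack('vwidth/vheight/Cpacked/Cbg/Caspect', substr($bytes, 6, 7));
    if ($lsd['width'] === 0 || $lsd['height'] === 0) {
        return [false, 'zero width or height in Logical Screen Descriptor'];
    }

    // Global Color Table, present when the packed byte's top bit is set,
    // holds 3 * 2^(N+1) bytes where N is the low three bits of that byte.
    $pos = 13;
    if ($lsd['packed'] & 0x80) {
        $pos += 3 * (1 << (($lsd['packed'] & 0x07) + 1));
    }
    // Whatever follows must be an extension (0x21), an image descriptor
    // (0x2C) or the trailer (0x3B). Script text is none of these.
    if (strlen($bytes) <= $pos || !in_array($bytes[$pos], ["\x21", "\x2C", "\x3B"], true)) {
        return [false, 'no valid GIF block follows the header'];
    }

    // Script open tags anywhere in the file, which also covers a payload
    // hidden in a comment extension of an otherwise valid image.
    // "<?" already matches "<?php".
    foreach (['<?', '<script', '<%'] as $tag) {
        if (stripos($bytes, $tag) !== false) {
            return [false, "script open tag $tag present"];
        }
    }
    return [true, 'ok'];
}

// Constructed samples: a real 1x1 GIF, and a RAT-style file that is just a
// GIF header glued onto PHP source.
$realGif = hex2bin('47494638396101000100800000000000ffffff2c00000000010001000002024401003b');
$fakeGif = "GIF89a<?php echo 'script, not image';";

[$ok, $why] = gifUploadCheck($realGif);
echo ($ok ? 'accept' : 'reject') . ": $why\n";
[$ok, $why] = gifUploadCheck($fakeGif);
echo ($ok ? 'accept' : 'reject') . ": $why\n";
```

Run it against the bytes on disk, never against the client-supplied extension or Content-Type, and keep the upload directory outside any path where PHP executes. The tag scan can reject a legitimate image whose compressed data happens to contain those bytes; re-encoding uploaded images server-side is the more robust answer.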

Monday, March 20, 2017

Chop That Dollar

It's been quite some time since I've received a 419 spam message in my inbox. But, like matter itself, 419 never dies; it only changes form. I found the message below in my inbox this morning.

I was pleased to note that the message originated from Yahoo, and contained several classic red flags for spam that even the neophyte mail server admin knows to watch out for, like From and Reply-To headers with different domains. This is the kind of l33t security I've come to expect from Yahoo. But hey, the Russians did it, and no one can be expected to secure their customers from state sponsored attacks. Susan here is no doubt a member of Nigeria's elite NIA.

From: Susan ***** desmondwilliams614
Subject: Hello,
Date: Sat, 18 Mar 2017 12:12:52 +0000 (UTC)
Reply-To: desmondwilliams614 Susan ***** deswill0119


Greetings. With warm heart I offer my friendship and greetings, and I hope that this mail will 
meets you in good time. However strange or surprising this contact might seem to you as we have
not meet personally or had any dealings in the past. I humbly ask that you take due 
consideration of its importance and immense benefit. My name is Susan Williams from Republic of
Sierra-Leone. I have something very important that i would like to confide in you please,I have
a reasonable amount of money which i inherited from my late father (Nine Million Five Hundred
thousand United States Dollar}.US$9.500.000.00.which I want to invest in your country with you
and again in a very profitable venture. Currently I am residing in Ivory coast now with my
Brother Desmond Williams where my late father deposited the money, so i will like you to reply
me immediatly[sic] so that i will give you more details about everything. Iam[sic] expecting
your reply for more explanation. Please i am urgently waiting for your response and I am
conceding 15% of this money to you for your efforts assistance.

I will wait to hear from you.
Thanks and God bless you.
Our sincere regards to you,

Susan and Desmond Williams

The NIA's battle cry:

Tuesday, March 7, 2017

Wikileaks releases massive trove of CIA documents

Today Wikileaks released a massive new trove of leaks focused on the CIA's IT-based espionage capabilities. Wikileaks has named the document release Vault 7. The trove has just been released this morning, so details remain sketchy; however, the included documents appear to contain detailed information related to dozens of malware tools used by the CIA's Center for Cyber Intelligence.

Earlier this morning I heard an NPR report claiming that Wikileaks was redacting the source code associated with these hacking tools. I'm not sure if that is correct; I've found a few files with executable scripts included, but none of the scripts I've found so far are malicious in themselves (although they were almost certainly used in the development and packaging of malware). I have found indications that Wikileaks redacted exploit files that were ready for as-is distribution. For example, the files I reviewed in the dump appear to be part of an internal wiki. I reviewed a file list associated with one of the users registered for the wiki; clicking through the link for a file named '~02.2.3.tmp' provided me with this:

File: ~02.2.3.tmp
MIME: application/x-dosexec; charset=binary
Size: 389632

I have taken significant issue with Wikileaks in the past. My complaints have focused entirely on Wikileaks' unwillingness to remove dangerous (and almost certainly state-sponsored) malicious software from document dumps. The example I cited above is the first time I have ever seen any indication that Wikileaks removed malware from a dump. Unfortunately, this particular editorial decision is of substantially less value than the requests I repeatedly made to Wikileaks to inform their users of the presence of infected files within an older document dump that they continue to publish through the website. The censored malware files in Vault 7 were contextually and obviously labelled as malware. The malware I found in earlier Wikileaks dumps included infected document files that were in many cases completely indistinguishable from normal document files and in several cases not detectable by a substantial variety of antivirus platforms.

If you are a journalist or concerned citizen preparing to begin reviewing the Vault 7 document dump, I strongly advise you to take strong security measures prior to beginning your review:

    1. Assume every file in the dump contains a malicious file & govern yourself accordingly. The principle here is similar to the sort of "universal precautions" utilized by medical professionals. This includes files that you may not think of as having the ability to infect your computer with malware, such as text documents, images, spreadsheets and PDFs.

    2. Download & inspect the documents using a computer dedicated to the task. An operating system designed for secure analysis of malware should be used, such as Kali Linux or TAILS. There is compelling evidence that Microsoft provides state-sponsored attackers with backdoors to the Windows OS. After downloading the files, completely disable the internet connectivity for your review computer by disabling (or even disconnecting) any network interfaces.

The inspection of malware is a complex topic that can't be covered in a single post; however, the consequences of insecure handling of documents infected with state-sponsored malware are serious, while the advantages of safe handling are substantial. Would you feel comfortable providing a list of your sources to a random government intelligence service? Every reporter I have discussed the issue with feels a strong sense of responsibility for protecting their sources, up to and including a willingness to face incarceration. Securing your IT tools is not as dramatic as saying "No" to a judge threatening you with contempt, but for many sources the threat posed by an intelligence service dwarfs that of a court. Arrest is bad; being "disappeared" is worse.

The average reporter would not defend herself from a finding of contempt of court; newsrooms invest substantially in legal resources under the calculation that protecting the sources and First Amendment rights of journalists serves both the bottom line and the cultural interests of newspapers. Likewise, newsrooms must now consider the expense of an on-staff or consulting systems administrator with a background in security as a cost of doing business. It's not a happy thought, but this is the world we now live in: a world where every communication is spied on, documented, indexed and stored, secretly; and it has been for many years.

So that's the stick. What about the carrot? Malicious software contained within the files is as much a part of the story as the files themselves. Source code comments and filesystem metadata can provide important clues about the authors of, history behind and justification for distributing data. A thorough investigation of leak files can be the sole opportunity to reveal the true story behind a leak; the alternative, in the absence of communication with the true source of the leak, is to print a summary of a Wikileaks press release supplemented by a Government press release.

Tuesday, February 21, 2017

Testing Laptop Batteries

Since I was gifted a new Raspberry Pi this Xmas, I've found myself becoming much more interested in the details of computer hardware than I've previously been. Among the first things that I've wanted to do with my Pi is build an on/off switch: Pis are very bare bones, and require you to shut down or reboot using software. Cold booting happens immediately after plugging in a power cord. This sort of setup is less than ideal for a huge number of reasons: there is little to no in-built hardware to protect my Pi from a power surge, and I have a lot of uses in mind for this and future Pis that make an external surge protector unrealistic. Even for home/office use where the Pi is connected to a stable power source, I'd like something akin to the power button that comes with desktops and laptops, which can send an ACPI signal that I can in turn manage a bit using /etc/acpi/.

Anyway, I have quite a bit to learn in this area. I've worked with power, but it's almost always been external, data center-scale power. Onboard power is less sexy but no less interesting and substantially more helpful to my own individual hacking efforts. This new-found interest has led me in all sorts of directions. I've found myself testing laptop batteries instead of reflexively replacing them when they start acting funny. The video below has been quite helpful to me: testing the actual capacity of a laptop battery can be a bit complicated, and measuring the voltage of a battery requires you to run to ground (which in turn requires you to figure out which terminals the ground *is*). Check it out:

Tuesday, December 13, 2016

How to Authenticate WHMCS Admin Users with PHP

Over the past few days I've been working on a project that involved building an authentication mechanism for a new website which checks user logins against a WHMCS admin database. There are a variety of options for authenticating normal, non-admin WHMCS users: on the easy side of things, you can simply use the WHMCS API's validatelogin() call, or for a more advanced project it's possible to implement OAuth within your WHMCS instance. For my project, neither LDAP nor Active Directory were options.

I was surprised to find that the WHMCS API did not contain a mechanism for authenticating admin users. I'm somewhat sympathetic given the security implications: WHMCS is a billing application and it should not be used to provide a sort of infrastructure authentication backbone, particularly given the many much more mature options available for this sort of thing. With that said, this project wasn't about looking to turn WHMCS into LDAP; it was about allowing WHMCS admins to authenticate into a custom application that was directly and inextricably linked to WHMCS functionality.

When I came up empty on the API front I started Googling for a reasonable alternative, and I found a small number of other options. I became interested in the idea of building my own WHMCS API function to take care of this, but I still needed to take care of the authentication mechanism itself. WHMCS has a page in its documentation that describes in general terms how admin passwords are hashed, and this page even contains PHP code samples that purport to allow you to auth admin user:password combinations. There are two samples; the first sample demonstrates how to use the WHMCS\Auth namespace and the comparePassword() function, like so:

use WHMCS\Auth;
$authAdmin = new Auth;
// Succeeds only when the admin username exists AND the password matches its hash.
if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) {
    $isValid = true;
} else {
    $isValid = false;
}

Pretty straightforward, and this sample works as far as it goes. However, WHMCS provides a second, more thorough example demonstrating how to use the function within a form. You can download a ZIP file containing this sample here. Unfortunately, this second snippet is broken in a number of places. It provides a single file that contains an HTML form with some JavaScript to display a popup notification when an authentication failure occurs, and a PHP script that takes care of the password comparison. It is the PHP that has problems. I found a variety of fatal errors which made the example unusable: the WHMCS\Auth namespace was imported in the wrong scope, the include for the WHMCS init autoloader is called within a function in such a way that it remains unavailable to other functions, and the example uses a class, WHMCS_Auth, which does not exist. It took a little while for me to sort them out.

Anyway, I found the experience irksome enough that I posted a corrected version of the WHMCS admin authentication script in a GitHub repo so that no one else will have to deal with this in the future. I've tested my new version in WHMCS 6.3.1; no guarantees for the latest version 7 at this time, but I can guarantee that WHMCS' example won't work in 7.
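To make the three scope errors concrete, here is an added example of a form-plus-check page laid out so that none of them can occur. It is neither the WHMCS sample nor the corrected script in the GitHub repo; it assumes the file lives in the WHMCS root so that init.php is one require away, and the function name authenticateWhmcsAdmin() is made up for the example.

```php
<?php
// Added example; not the WHMCS sample and not the post's GitHub version.
// Assumes this file sits in the WHMCS root; adjust the init.php path otherwise.

require_once __DIR__ . '/init.php';   // WHMCS bootstrap/autoloader, at FILE scope,
                                      // so classes resolve in every function below

use WHMCS\Auth;                       // namespace import at FILE scope; a `use`
                                      // inside a function is a fatal error

/**
 * True only when the admin username exists AND the password matches its hash.
 */
function authenticateWhmcsAdmin(string $username, string $password): bool
{
    $authAdmin = new Auth();          // the class is WHMCS\Auth; WHMCS_Auth does not exist
    if (!$authAdmin->getInfobyUsername($username)) {
        return false;                 // unknown admin
    }
    return (bool) $authAdmin->comparePassword($password);
}

$attempted = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
$isValid   = false;
if ($attempted) {
    $isValid = authenticateWhmcsAdmin(
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Admin login</title></head>
<body>
<?php if ($attempted && !$isValid): ?>
<script>alert('Authentication failed');</script>
<?php endif; ?>
<?php if ($isValid): ?>
<p>Authenticated.</p>
<?php else: ?>
<form method="post" action="">
  <label>Username <input type="text" name="username" autocomplete="username"></label>
  <label>Password <input type="password" name="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
<?php endif; ?>
</body>
</html>
```

A page that accepts admin credentials is a login surface in its own right: serve it only over HTTPS and put the same rate limiting in front of it that the WHMCS admin login gets.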

I hope it helps!
