Bitcoin transaction in timelines

Investigating bad people might involve bitcoin: the blockchain technology is very popular among criminals, as it is easy to use and „untraceable“ [1]. E.g. in most ransomware cases like „Ryuk“ [2], the company Crowdstrike has listed several bitcoin wallets that they attribute to the threat actor.

How can that information help your investigation / your intelligence gathering? In certain ways: you could track your own wallets for transactions to these wallets. Another aspect, which this blog post will cover, is the timeline aspect of it.

As bitcoin transactions make use of the blockchain, which is public by design, it is possible to:

  • tell how many bitcoins a certain wallet currently holds
  • see transactions from the past

The second aspect is what I want to focus on, because if we have a look at the transactions, we might be able to identify the point in time a certain group was active and enrich our other DFIR activities with that information. The transaction log is like the journal of your bank account: it basically tells you who is transferring money to a wallet and where the bitcoins are transferred to.

In the example above, the bitcoin wallets we are interested in are (Source Crowdstrike Blog post):

Source of transaction information

There are a whole bunch of public web pages that give the transaction history for a given wallet, but as this should be an automated step, the goal is to have a page with an API. After some searching I found: https://chain.so/api .

Making the call

Doing the API call to get transaction information is pretty simple:

GET /api/v2/address/{NETWORK}/{ADDRESS} 

That will give you the following information:

{
  "status": "success",
  "data": {
    "network": "DOGE",
    "address": "DM7Yo7YqPtgMsGgphX9RAZFXFhu6Kd6JTT",
    "balance": "31.03885339",
    "received_value": "25828731.93733507",
    "pending_value": "0.0",
    "total_txs": 225,
    "txs": [ ... ]
  }
}

Which is exactly what we need. With some Python JSON parsing, it is easy to get the info we want – the code I am using is available on https://github.com/deralexxx/osint_to_timesketch

After that we have a CSV with the date the transaction happened, the raw information from the API and some metadata, enough to bake into a timeline.
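
A sketch of the parsing step described above, as an added example and not the code from the linked repository: it turns one address response into CSV rows that Timesketch can import. The sample response is constructed, and the layout of the entries inside txs (txid, time, incoming/outgoing with a value) is an assumption, because the page elides that array.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the response shown above. The fields
# inside each "txs" entry (txid, time, incoming/outgoing value) are an
# assumption, since the page elides that array; address and txids are
# placeholders, not real indicators.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {
        "network": "BTC",
        "address": "EXAMPLE_WALLET_ADDRESS",
        "total_txs": 3,
        "txs": [
            {"txid": "aa" * 32, "time": 1534766400,
             "incoming": {"value": "10.00000000"}},
            {"txid": "bb" * 32, "time": 1534852800,
             "outgoing": {"value": "9.99900000"}},
            # Constructed edge case: an entry without a timestamp.
            {"txid": "cc" * 32, "incoming": {"value": "1.00000000"}},
        ],
    },
})

# Timesketch needs message, datetime and timestamp_desc; the rest is context.
FIELDS = ["message", "datetime", "timestamp_desc",
          "network", "address", "txid", "direction", "value", "raw"]


def response_to_events(body, source="chain.so"):
    """Convert one address response into a list of Timesketch event dicts."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise ValueError("API reported status %r" % doc.get("status"))
    data = doc["data"]
    events = []
    for tx in data.get("txs", []):
        if "time" not in tx:
            continue  # without a timestamp it cannot be placed on a timeline
        when = datetime.fromtimestamp(int(tx["time"]), tz=timezone.utc)
        # A transaction can both pay into and spend from the same wallet,
        # so emit one event per direction that is present.
        for direction in ("incoming", "outgoing"):
            if direction not in tx:
                continue
            value = tx[direction].get("value", "")
            events.append({
                "message": "%s %s %s %s (tx %s)" % (
                    data["address"], direction, value,
                    data["network"], tx["txid"]),
                "datetime": when.strftime("%Y-%m-%dT%H:%M:%S%z"),
                "timestamp_desc": "%s %s transaction" % (source, direction),
                "network": data["network"],
                "address": data["address"],
                "txid": tx["txid"],
                "direction": direction,
                "value": value,
                "raw": json.dumps(tx, sort_keys=True),
            })
    events.sort(key=lambda e: e["datetime"])
    return events


def events_to_csv(events):
    """Serialise events; QUOTE_ALL keeps the raw JSON column in one field."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(events)
    return out.getvalue()


if __name__ == "__main__":
    print(events_to_csv(response_to_events(SAMPLE_RESPONSE)))
```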

Automation

The script is already made to output CSV files ready for importing them into Timesketch, as I found it to be the ideal tool to work with data points related to timestamps. Importing the CSV is straightforward and explained in the official documentation page [3].

The timeline csv looks like the following:

CSV of BTC history

Making it pretty

Importing it into Timesketch, the timeline looks very nice:

BTC transactions in Timesketch

Added Value

Now what is the added value for investigations? The above is another layer of data points / evidence. It can be used to weight or limit findings in your organisation: e.g. if you assume you are hit by a phishing campaign, and your phishing campaign was seen a lot earlier or a lot later than the transactions above display, it is unlikely you are hit by the same campaign. It can also be used to make a case against individuals if enriched by host forensics – your imagination is the limit.

End

I hope the article is helpful and the scripts can be used. Let me know via comments within the blog, issues on GitHub or Twitter messages https://twitter.com/alexanderjaeger if you have any questions or improvements.

Thx for reading

Further reading / references

  • [1] http://www.sciencemag.org/news/2016/03/why-criminals-cant-hide-behind-bitcoin
  • [2] https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • [3] https://github.com/google/timesketch/blob/master/docs/CreateTimelineFromJSONorCSV.md

Autotimeliner to CyberChef to Timesketch

As you might know, I love to combine several open source tools to get things done. One thing I have wanted to play with for some weeks is Autotimeliner by Andrea Fortuna. This tool is made to extract events from a memory image and combine them into a timeline. If you have a timeline, what comes next? Of course, putting it into Timesketch. So let’s give it a try.

We start with a memory dump from a Stuxnet infection from https://github.com/ganboing/malwarecookbook. Download the four files, extract them and you are good to go.

Prerequisites

Volatility

Installation is pretty easy, install Volatility either via pre-compiled binary or install it manually, see the Volatility installation wiki for further information.

Test it running:

vol.py -v

Sleuthkit

To install sleuthkit run:

brew install sleuthkit

or

sudo apt-get install sleuthkit

Installation Autotimeliner

Simply clone the GitHub repository:

git clone https://github.com/andreafortuna/autotimeliner.git

Run it

python autotimeline.py -f /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem -p WinXPSP2x86 -t 2009-10-20..2018-10-21

That might take some time depending on your hardware.

Now you have a CSV file of around 5.6 MB.


                _     _______ _                _ _
     /\        | |   |__   __(_)              | (_)
    /  \  _   _| |_ ___ | |   _ _ __ ___   ___| |_ _ __   ___ _ __
   / /\ \| | | | __/ _ \| |  | | '_ ` _ \ / _ \ | | '_ \ / _ \ '__|
  / ____ \ |_| | || (_) | |  | | | | | | |  __/ | | | | |  __/ |
 /_/    \_\__,_|\__\___/|_|  |_|_| |_| |_|\___|_|_|_| |_|\___|_|

- Automagically extract forensic timeline from volatile memory dump -

Andrea Fortuna - andrea@andreafortuna.org - https://www.andreafortuna.org

*** Processing image /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem
-------
*** Using custom profile: WinXPSP2x86
*** Creating memory timeline......done!
*** Creating shellbags timeline......done!
*** Creating $MFT timeline......done!
*** Merging and filtering timelines......done!
Timeline saved in /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem-timeline.csv

The format used for the dates is not compatible with Timesketch:

more /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem-timeline.csv
Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,"[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)"
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,"[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84986,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.MAN (Offset: 0x91b9800)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84987,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.EXE (Offset: 0x91b9c00)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84988,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.MAN (Offset: 0x1042f000)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84989,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.PY (Offset: 0x1042f400)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84990,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.EXE (Offset: 0x1042f800)"
Tue Oct 20 2009 21:21:26,0,...b,---a-----------,0,0,66083,"[MFT STD_INFO] Documents and Settings\Administrator\Desktop\SysinternalsSuite\ZoomIt.exe (Offset: 0x1a8a5c00)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DRIVER~1.EXE (Offset: 0x14b9c800)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DriverList.exe (Offset: 0x14b9c800)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT STD_INFO] Program Files\NTCore\Explorer Suite\Tools\DRIVER~1.EXE (Offset: 0x14b9c800)"
Wed Oct 21 2009 18:25:52,780800,m...,---a-----------,0,0,65338,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\TASKEX~1.EXE (Offset: 0x14b1b800)"

So we need to adjust that. In the past, I used a self-developed Python script https://github.com/deralexxx/timesketch-tools/tree/master/date_converter for that, but that does not really scale, so I considered another option.

Cyberchef

An open source tool by GCHQ: https://gchq.github.io/CyberChef/

A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.

https://gchq.github.io/CyberChef/#about

Installation

git clone https://github.com/gchq/CyberChef

https://github.com/gchq/CyberChef/wiki/Getting-started

Now open it

From the CSV that was generated, use your favourite tool to extract the first column of the CSV, which should look like this:

Date
Tue Oct 20 2009 12:08:04
Tue Oct 20 2009 12:08:04
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 21:21:26
Wed Oct 21 2009 00:02:28

Now use the following CyberChef Recipe

Fork('\\n','\\n',false)
Translate_DateTime_Format('Automatic','','UTC','YYYY-MM-DDTHH:mm:ssZZ,x','UTC')

And paste them all into input. It will result in a file you can download with the output.

Now the output txt has two CSV columns; you need to combine them with your Autotimeliner CSV to get the following headers:

datetime	timestamp	timestamp_desc
2009-10-20T12:08:04+0000	1256040484000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:04+0000	1256040484000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline

Now the CSV should look like:

more stuxnet.vmem.zip/stuxnet.vmem-timeline_timesketch.csv 

datetime,timestamp,timestamp_desc,Date,Size,Type,Mode,UID,GID,Meta,message
2009-10-20T12:08:04+0000,1256040484000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)
2009-10-20T12:08:04+0000,1256040484000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)
2009-10-20T12:08:06+0000,1256040486000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)

There is one little caveat: you need to add double quotes ("") around the message, because some values might break the import process.
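
The whole conversion described above (date reformatting, the three extra columns, renaming File Name to message and quoting it) done in one pass, as an added example that is not the author's date_converter script or part of Autotimeliner. It assumes the Autotimeliner dates are UTC, as the CyberChef recipe above does; the last two sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# The first two rows are copied from the Autotimeliner output above. The last
# two are constructed: a file name containing a comma, and a date that cannot
# be parsed.
SAMPLE = r'''Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,"[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)"
Wed Oct 21 2009 00:02:28,10,m...,---a-----------,0,0,1,"[MFT STD_INFO] Temp\one,two.txt (Offset: 0x0)"
Xxx Xxx 00 0000 00:00:00,0,....,---a-----------,0,0,2,"[MFT STD_INFO] Temp\zero.txt (Offset: 0x0)"
'''

SOURCE_FORMAT = "%a %b %d %Y %H:%M:%S"   # Tue Oct 20 2009 12:08:04
TARGET_FORMAT = "%Y-%m-%dT%H:%M:%S%z"    # 2009-10-20T12:08:04+0000


def to_timesketch(src_text, timestamp_desc):
    """Convert an Autotimeliner CSV string.

    Returns (csv_text, rejected_rows); rows whose date cannot be parsed are
    returned separately instead of being imported with a wrong timestamp.
    """
    reader = csv.DictReader(io.StringIO(src_text))
    source_columns = reader.fieldnames
    # Same header as on the page: File Name becomes message.
    renamed = ["message" if c == "File Name" else c for c in source_columns]

    out = io.StringIO()
    # QUOTE_ALL puts every field in double quotes, so commas or quotes inside
    # the message cannot shift columns during import.
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["datetime", "timestamp", "timestamp_desc"] + renamed)

    rejected = []
    for row in reader:
        try:
            parsed = datetime.strptime(row["Date"], SOURCE_FORMAT)
        except (TypeError, ValueError):
            rejected.append(row)
            continue
        parsed = parsed.replace(tzinfo=timezone.utc)   # assumption: UTC input
        millis = int(parsed.timestamp()) * 1000        # epoch ms, as on the page
        writer.writerow(
            [parsed.strftime(TARGET_FORMAT), millis, timestamp_desc]
            + [row[c] for c in source_columns])
    return out.getvalue(), rejected


if __name__ == "__main__":
    text, bad = to_timesketch(SAMPLE, "stuxnet.vmem_Mem_Dump_Timeline")
    print(text)
    print("rejected rows:", len(bad))
```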

That can now be imported into Timesketch



Et voila, a timesketched Memory Dump

Combining Virustotal, PassiveSSL and Timesketch

Motivation

Playing with Timesketch for a while and working on some OSINT timelines, I was tired of investigating MD5s and domains / IPs all manually, so I tried to automate some of the work. Why is that important? If you have a list of hashes, domains and IPs, you can of course check your SIEM, EDR solution etc. – but what if you have a hit? Would it benefit your investigation to at least have an idea of the timeframe in which something was used by attackers or seen in the wild?

Most shared indicators lack the timeframe, so we need to add those values from external information on our own.

Virustotal

There is no need to explain Virustotal further; it is basically a huge dataset of malware and information about domains and IPs.

In particular, information about the specific point in time at which a domain was seen pointing to an IP, and back, is good to know when building your timeline.

E.g. if verymalicious.com points to 127.0.0.1 all the time and only on one day pointed to 1.2.3.4, hits in your infrastructure should be escalated higher if seen during that day; outside that time window it might still be important, but not as urgent as during that day.

With regard to hash intelligence, Virustotal is nice because, if you add the date of the last scan of a file, you can at least tell that the file was known after that day.

I asked Virustotal to add more information they already have to the API, and we will have to wait till it is exposed:

  • First seen in the wild
  • First uploaded to VT
  • PE compile time

PassiveSSL

Alexandre Dulaunoy and Eireann Leverett gave a talk at the FIRST conference in Berlin back in 2015, which caught my attention, but it took some time till I really had time to implement something that uses the idea.

The basic idea is that passive SSL services such as CIRCL passiveSSL collect certificates from several sources and expose information via an API.

For timeline analysis in particular, the following dates are important, as they might shed some light on attacker activity:

  • first seen in the wild
  • last seen in the wild
  • not valid before
  • not valid after

If you now add all of the information above, you might get a better idea of when an IP / domain / file was active.

This information should then be fed into a Timesketch investigation.

Example

Using some sample data from APT33: https://github.com/deralexxx/osint-timelines/blob/master/2018/2018-12-21.OVERRULED:-Containing-a-Potentially-Destructive-Adversary-APT33.csv

Combining with the python script below with the following indicators:

basepack.org
103.236.149.124
5.79.66.241
8d3fe1973183e1d3b0dbec31be8ee9dd
fa7790abe9ee40556fb3c5524388de0b

Findings

Domains resolving to IPs

It is transparent when the hashes were last scanned and which IPs the domains mentioned in the report resolve to.

The other thing is that right before some malware was mentioned by FireEye in the report, SSL certificates became invalid:

SSL Certificate

Of course the individual SSL certificate can also be investigated:

Python

The example is available on github: https://github.com/deralexxx/osint_to_timesketch

Next steps

  • Waiting for VT to expose more things
  • Improve the script
  • Introduce multiple pDNS providers

Timesketch on a Raspberry Pi 3

TLDR

Does not work at the moment

Idea

Playing with Timesketch (timesketch.org) for a while, I was wondering if it is possible to install Timesketch on a Raspberry Pi 3 to do some basic analysis, no heavy GB plaso imports and such.

A Raspberry Pi is around 40 $, so pretty cheap, can be ordered almost everywhere on the planet, and you might already have some Pis from previous projects like:

I have also written about Timesketch and/or maintain the following GitHub repositories:

Basic installation

I used the NOOBS image to install the Raspberry Pi, using a 128 GB micro SD card to have enough storage.

Java

Trying to install Java will cause some issues because you need to install it manually; follow:

https://www.raspberrypi.org/forums/viewtopic.php?t=101543

sudo mv /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/arm/client /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/arm/server

Installing Elastic Search

Follow that article:

Installing Timesketch

Simple, SSH to your raspberry pi and follow:

Once Elasticsearch is installed:

vi /etc/elasticsearch/elasticsearch.yml

Add the following:

network.bind_host: 127.0.0.1

pycypher

This one is a bit tricky because it might fail with:

Collecting pycypher==0.5.9
Could not find a version that satisfies the requirement pycypher==0.5.9 (from versions: )
No matching distribution found for pycypher==0.5.9

Docker

https://medium.freecodecamp.org/the-easy-way-to-set-up-docker-on-a-raspberry-pi-7d24ced073ef

Docker-compose

sudo apt-get install docker-compose

So pycypher does kill the possibility to use Timesketch on a Raspberry Pi at the moment:

 Getting page https://www.piwheels.org/simple/pycypher/
  Looking up "https://www.piwheels.org/simple/pycypher/" in the cache
  Current age based on date: 30
  Freshness lifetime from request max-age: 600
  The response is "fresh", returning cached response
  600 > 30
  Analyzing links from page https://www.piwheels.org/simple/pycypher/
  Could not find a version that satisfies the requirement pycypher (from versions: )
Cleaning up...
No matching distribution found for pycypher

Amazon Fire HD as a digital picture frame

The perfect Christmas present would surely be a digital picture frame that always pulls current photos from the cloud, so that you can easily share new pictures with parents or grandparents.

Starting product

That was exactly my goal; it should be as cheap and user-friendly as possible. My choice fell on the Fire HD tablets from Amazon. They are not only nicely cheap, but also sufficiently equipped.

Setup

After purchase and delivery, the Amazon Fire OS has to be updated. That takes a few minutes.

Google Play Store

The next step is installing the Google Play Store and some required dependencies; I followed this guide:

Once that is done, you can install the app „Fotoo“ from the Google Play Store.

App: Fotoo

It is recommended to buy the premium version as an in-app purchase; it unlocks some cool features and has no session blocker (meaning that after some time you get a two-minute delay during which no new picture is shown).

Figure 1: Fotoo your session will resume in… Go premium

Premium

It is advisable to buy Fotoo in the premium version. If you use the same Google account on several Fire tablets, you only need to buy the premium version once.

Settings

The settings in Fotoo itself are nicely described in the following article:

https://www.howtogeek.com/335161/how-to-turn-an-old-android-tablet-into-an-auto-updating-digital-photo-frame/

The only stumbling block is how to activate developer mode on the Fire HD:

In Android: Settings –> Device Options –> Tap Serial Number Field  7 times

Now developer mode is activated and you can set the display to „stay awake“.

Properties

From then on, the picture frame has the following properties:

  • Switches on automatically when the charging cable is connected
  • Pictures are changed automatically
  • Pictures are managed via the cloud

Stumbling block in Google Photos

The only downside: Google Photos currently does not allow shared albums to be retrieved via apps, i.e. you have to copy the albums into your local album, or fall back on a Dropbox or Google Drive folder.

Ready-made comparison product

A comparable ready-made picture frame would be, for example, the NIXPLAY Seed W08D (digital picture frame, Wi-Fi, 8 inch, black); the current price can be seen in the banner below.

In contrast, here are a few Amazon Fire HD offers, which could also be used for other purposes.

Procedure for sharing pictures with the family

Let us assume three families, where family A wants to share pictures with families B and C.

Family A takes photos as they please, uploads the nice photos to Google Photos and works on an album together. At some point family A says: we now want to show these photos to families B and C. So they share the album with Google account 1 and Google account 2 of family B and the Google account(s) of family C.

Google account 1 now gets a notification that new photos have been shared with them; they open the invitation, see the photos and click „Add to library“ (see screenshot). This copies the picture into your own library, and Fotoo can now access it.

Figure 2: Add to library

After that, the person behind account 1 opens their Fire HD tablet, opens Fotoo (if not already open), opens the settings and adds the new album to the Fotoo show – done.

Figure: Fotoo photo streams source selection

If new pictures are now added to the shared album, the recipient has to use the button for adding to the local library again, so you can consider whether to always use the same album or to always share new albums.

Removing the Amazon account

If you give the Fire HD tablet away as a present, an Amazon account has to be registered during the previous steps in order to install the apps etc. Once you have reached this step, the Amazon account can safely be removed from the Fire HD. As long as the Google Play Store stays installed with Google, the Fotoo app remains as well.

The Amazon account is removed via Settings –> My Account –> Sign out

Then the tablet can safely be given away without the tablet being able to make purchases in your own name.

Removing Amazon advertising

If a Fire HD tablet with „special offers“ was bought to save some money, you can simply remove the Amazon account, which also removes the advertising offers.

Instructions

To give the users of the picture frame instructions, I created a Google Docs document which is kept up to date: https://docs.google.com/document/d/11VTXk1-aKlKOdWG0BTiSjbFy-PSn3iVSJZOlkcHFjlI/edit?usp=sharing

Next steps

  • The next step will be building a stand out of Lego.
  • Inductive charging
  • Make the look resemble a picture frame

Conclusion

  • Cheap digital picture frame
  • can also be used as a normal tablet
  • Very good picture quality
  • Switches on automatically when the charging cable is connected
  • Pictures are changed automatically
  • Pictures are managed via the cloud
    • Google Drive
    • Google Photos
    • Dropbox
    • Microsoft OneDrive
  • Pictures can also be stored locally on the device
  • Can be distributed to different families
  • Pictures can be updated remotely
  • The digital picture frame supports Wi-Fi

lnav the log file navigator

This is a recommendation for a tool that I have been using for months – the log file navigator.

Who does not know the issue: you have to look at logs from various places and you start with stuff like more, grep, cat etc., or upload them to your ELK, Splunk, QRadar – you name it.

While those tools have their place, log files usually have a specific set of requirements to be handled effectively. For that reason, use lnav. The tool enables you to work with your log file(s) locally, offline and effectively.

Some quotes:

Just point lnav to a directory and it will take care of the rest.  File formats are automatically detected and compressed files are unpacked on the fly.

The log message format is automatically determined by lnav while scanning your files.   The following formats are built in by default:

More features on the project website.

The best part? The tool is free! Yes free as free, so no data is shared with the developer, no shareware, it is free!

It runs on Apple OSX and Linux – I am waiting for a Windows version, as there is Linux subsystem support on Windows 10.

CVE-2018-5559 my first CVE

TLDR

CVE-2018-5559 is an information disclosure security vulnerability in Komand Security Orchestrator (v0.40.2) that has been disclosed responsibly to Rapid 7 and has been mitigated and patched within days (version >0.42.0). The vulnerability itself is not worth having a logo.

Introduction

Being a security professional, I happen to hear a lot of people complaining about companies handling responsible disclosure in a way that is not appreciated by customers (by sitting on patches too long) or by the discloser (by not reacting etc.). The following blog post is a report about a very positive case that I happened to have when disclosing my very first security vulnerability. I really hope this one is being shared and that companies adopt some of the positive aspects. At the very end of the post I will also try to point to further resources where either researchers or companies can read further about the topic.

The stage

Being interested in various APIs that are interesting to security people (eventually turning into a dedicated list of APIs on GitHub), I stumbled across Komand Security Orchestrator. As there was no documentation available (heads up Rapid 7, that fact needs some love!), I spent some time reverse engineering and discovering APIs with Google Chrome developer tools and Python, actively sharing my results on GitHub.

One of the API endpoints was /connections:

https://komandurl/v2/connections 

Connections

Komand Security Orchestrator is made to interact with various (security-related) tools and create so-called workflows. To achieve that goal, Komand needs credentials to those tools. Every set of credentials is stored in a central keychain that is accessible for workflows. Most connections store some kind of URL, username and password.

Given this nature, credentials stored in this keychain either have higher privileges to accomplish tasks or are able to see more than the regular user.

Every plugin can have its own set of credentials, so let’s say you have the LDAP plugin to connect to Active Directory, there could be a dedicated set of credentials for prod and qual Active Directory.

Surprise

After my first GET request to the connection API endpoint something got my attention. While most of the connections have the password field *****ed out, some did not – WTH?
Most look like the following:

"name":"VT Private API","type":"plugin","parameters":{"api_key":"********","url":"https://www.virustotal.com/vtapi/v2/"} 

But OTRS looks like the following:

{"connection_id":36,"plugin_id":75,"name":"OTRS Dev User:komand_test","type":"plugin","parameters":{"server":"https://REDUCTED","credentials":{"password":"REDUCTED","username":"komand_test"}},"created_at":"2018-08-08T10:56:54Z","updated_at":"2018-08-08T10:56:54Z","deleted_at":null,"deleted_by_id":null}

And LDAP:

{"connection_id":39,"plugin_id":72,"name":"ÀD","type":"plugin","parameters":{"host":"ldaps://LDAPURL","port":636,"use_ssl":true,"username_password":{"password":"CLEARTEXTPASSWORD","username":"AD\\USER"}},"created_at":"2018-10-05T11:53:47Z","updated_at":"2018-10-05T11:53:47Z","deleted_at":null,"deleted_by_id":null} 
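
A check an administrator could run over a saved copy of the /v2/connections response to confirm that no connection still returns a secret in clear text, for example after patching. It is an added example, not Komand or Rapid7 code; the key-name pattern, the assumption that the endpoint returns a JSON array, and the sample (built from the redacted responses quoted above, with a constructed id for the first entry) are mine.

```python
import json
import re

# Constructed input modelled on the three responses quoted above; the values
# are the page's own placeholders. That the endpoint returns a JSON array of
# such objects is an assumption.
SAMPLE = json.loads(r'''[
 {"connection_id": 1, "name": "VT Private API", "type": "plugin",
  "parameters": {"api_key": "********",
                 "url": "https://www.virustotal.com/vtapi/v2/"}},
 {"connection_id": 36, "name": "OTRS Dev User:komand_test", "type": "plugin",
  "parameters": {"server": "https://REDUCTED",
                 "credentials": {"password": "REDUCTED",
                                 "username": "komand_test"}}},
 {"connection_id": 39, "name": "AD", "type": "plugin",
  "parameters": {"host": "ldaps://LDAPURL", "port": 636, "use_ssl": true,
                 "username_password": {"password": "CLEARTEXTPASSWORD",
                                       "username": "AD\\USER"}}}
]''')

# Key names treated as secrets (hypothetical heuristic, extend as needed).
SECRET_KEY = re.compile(r"password|passwd|secret|token|api_?key|private_?key",
                        re.IGNORECASE)
MASK = re.compile(r"\*+")


def is_masked(value):
    """True if the value discloses nothing: empty, null or only asterisks."""
    if value is None or value == "":
        return True
    return isinstance(value, str) and MASK.fullmatch(value) is not None


def find_unmasked(node, path=""):
    """Yield the dotted path of every secret-looking leaf that is not masked.

    Nested objects and arrays are walked, because in the responses above the
    clear-text passwords sit one level below "parameters".
    """
    if isinstance(node, dict):
        for key, value in node.items():
            here = "%s.%s" % (path, key) if path else key
            if isinstance(value, (dict, list)):
                yield from find_unmasked(value, here)
            elif SECRET_KEY.search(key) and not is_masked(value):
                yield here
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_unmasked(item, "%s[%d]" % (path, index))


def audit(connections):
    """Map connection_id -> parameter paths that expose a secret.

    Only paths are reported, never the values, so the report itself can be
    shared without leaking credentials.
    """
    report = {}
    for conn in connections:
        hits = list(find_unmasked(conn.get("parameters", {})))
        if hits:
            report[conn.get("connection_id")] = hits
    return report


if __name__ == "__main__":
    for conn_id, paths in audit(SAMPLE).items():
        print("connection %s exposes: %s" % (conn_id, ", ".join(paths)))
```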

Scope – pre-requisite

To get the above-mentioned list of connections you need to be an authenticated admin, so it is not open to everyone.

Scope – affected plugins

As not every password was visible, several plugins have been tested (not every plugin!) and two plugins seem to be affected:

LDAP plugin and OTRS plugin

Impact

To score the vulnerability, the best way is to leverage CVSS; the rating for this vulnerability is a CVSS score of 3.1:

CVSS Base Score: 3.4
Impact Subscore: 1.4
Exploitability Subscore: 1.7
CVSS Temporal Score: 3.1
CVSS Environmental Score: 3.1
Modified Impact Subscore: 1.4
Overall CVSS Score: 3.1

Responsible disclosure process

October 25, 2018 14:42 created issue with Rapid 7 online portal / Mail to Circl.lu

So I found the issue and wanted to get it fixed as soon as possible and have a CVE assigned. My first reaction was to reach out to my friends from CIRCL.lu to assist and assign a CVE, so I sent them a PGP-encrypted mail to info@circl.lu.

Side-note: By accident I had a local mail rule filtering all mails from info@circl.lu into a sub folder and marking them as read. That is a stupid thing to do if you expect an answer from them, and it caused some confusion afterwards. So for clarification: they were very responsive and their reaction time is in hours, so if you do not know who to disclose with as a 3rd party, CIRCL is a great way to get it started, and they have a profound network of contact points.

Then I looked on Rapid 7's web page and found that they have a responsible disclosure statement and procedure in place as well, so I gave it a shot by opening an issue there.

The portal is very well done and requests information that is good for engineers to assess the impact as fast as possible; it is even possible to propose a CVSS rating (more on that later).

October 26, 2018 First reaction of Rapid7

Rapid7 gave a SYN / ACK to confirm they had received the issue and that Engineering and Support are working on scoping and verifying the issue.

October 26, 2018 Rapid7 verifies it is an issue

On the same day the designated person made a note in the online portal to verify it is an issue and that they are working on fixing it.

October 30, 2018 Rapid7 case update

Note on the online portal: the Rapid 7 team is working on a fix and provides a rough timeline, saying that a patch should be available the same week and that assigning a CVE is in progress as well.

November 1, 2018 Rapid 7 case update

Another note that the fix is on the horizon.

November 1, 2018 Komand Release Notes

On that day a mail was sent out announcing a new version („Komand Release Notes“). In the bug fixes area this was mentioned:

v0.42.0: Certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response. We fixed this issue, and all configurations of connection data are now correctly obscured.

November 1, 2018 Komand slack

Via Slack, Komand engineers asked for my feedback on whether the patch indeed fixes the issue I reported; after updating I was able to confirm that.

November 2, 2018 pre-assigned CVE

Rapid7 reached out to me and CIRCL (who seem to have reported the issue in parallel, but I had no SYN ACK from them, but told them that they did not need to further disclose as soon as I discovered the Rapid 7 portal).
In this mail I was told the pre-assigned CVE for the issue and the CVSS rating their engineering team came up with. They also asked if I plan to write a blog post or other coverage (which you can read at the moment).

Affected?

All versions below 0.42.0 are affected. Afaik it is only the OTRS and the LDAP plugin.

Mitigation

Patch to Komand version 0.42.0 or later. I would recommend resetting the passwords of all accounts stored for the LDAP and OTRS plugins.

Exploited?

Most people might ask: alright, so how can I find out if someone with bad intentions has used this vulnerability? The only way to tell is to check the web logs of Komand and look for GET requests to /v2/connections from unusual source IPs.

Feedback

The way this issue was handled was straightforward. At any point I had the impression that my issue was treated on the right level: no overhyping and no „we don’t care“, just the right balance.
It is notable that the online form used by Rapid7 supports this process a lot. I assume it makes it easy to scope issues on the engineering side and is just as easy for the researcher who wants to know the current status of the reported issue.

It is also good to see that the work from the FIRST CVSS SIG is adding value in such issues, as it helps both sides to rate the vulnerability.

Links

https://nvd.nist.gov/vuln/detail/CVE-2018-5559

https://github.com/CVEProject/cvelist/pull/1303

Further reading

To learn more about best practices in responsible disclosure I would recommend:

https://titanous.com/posts/security-disclosure-policy-best-practices

 

timesketch-tools

Overview

I am happy to say that a new tool made it to GitHub called „timesketch-tools“.
It is basically a way to interact with Timesketch via CLI. For those who don’t know Timesketch, it is an amazing open-source tool developed by Johan Berggren and is used to create timelines for forensic investigations as well as incident response cases.

Reason

Back in 2017, Johan tweeted:

Why is the web UI not enough? Well, in some cases you might want to automate stuff, have no browser, or have other reasons, so it is not „Why“ but „why not“.

So I did during the last few days and built a client for it: timesketch-tools

Capabilities

At the moment only two methods work, but it should be enough to show the power of it.

List sketches

timesketch-tools.py -ls
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
+-----+-----------------------------+
|  id |             Name            |
+-----+-----------------------------+
| 130 |     test1Untitled sketch    |
|  3  | The Greendale investigation |
+-----+-----------------------------+

Add event

timesketch-tools.py --add_events
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
Please provide the sketch id you want to add events to as (an integer): 3
Please provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted

Timestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c
timestamp_desc this is the description
message something was hacked
Event added, ID: 18 Date:2018-10-31T14:49:41+00:00 timestamp desc this is the description messagesomething was hacked
Add another event? (y/n)n

I have a lot of ideas to improve, so expect some more functionality added soon…

Komand-tools

Out of my attempt to reverse engineer the Komand API (a security orchestration tool) I found myself writing some Python helpers to use the API. Maybe it is useful for some people, so I decided to open-source it.

It is hard to understand why a tool whose main purpose is to connect APIs does not have API documentation or a client itself.

Usage should be pretty simple, clone the repository and good to go:


usage: komand-tools.py [-h] [-v] [-wm] [-j JOB]

optional arguments:
-h, --help show this help message and exit
-v, --verbose increase output verbosity
-wm, --workflow_map show workflow map
-j JOB, --job JOB show job status

Feel free to open issues or make pull requests. The repository is hosted on GitHub: https://github.com/deralexxx/komand-tools/

100 days on the board of directors of FIRST

There is this thing of looking back 100 days after starting a new challenge. This post shares my perspective on my 100 days on the board of directors of FIRST (Forum of Incident Response and Security Teams).
On June 28th, 2018 the annual general meeting of FIRST elected five people to serve on the board of directors for a two-year term, and I was one of the five individuals.
I still remember the day as if it was yesterday. I was very nervous going into the AGM, knowing that outstanding people were throwing their hats into the ring. In my diary I wrote about the great relief I felt after the results were called out.

Kuala Lumpur

Right after the election the first board meeting was called to order by the chair, Thomas Schreck, and we had to elect the new officers and start thinking about different tasks to be taken on by the newly elected people. Having been a guest at board meetings before, I thought I was used to the structure and Robert’s rules that are used to run the meeting – but it is a different story calling out „aye“ and „nay“ to reflect your position when a decision is needed. Being new on the board means you will get an ad hoc bootcamp on „duties and obligations of the board of directors“ by the FIRST lawyer, and also some organisational topics and infrastructure to get you up to speed, such as a @first.org mail address and access to various online tools, all within hours.

San Francisco

This first physical board meeting was a new experience, so let me share it with you.

I have never been to San Francisco before, so that alone was mind-blowing, to be at the center of the digital revolution. Anyway, the reason for that trip in September was to bring 8 people (two board members joined virtually) from around the globe together to meet, discuss and work on FIRST and for the community that FIRST is representing.

Let me say those meetings are intense. I am used to attending meetings – in most meetings you either need to concentrate for an hour or two and then the meeting is closed, or it is a workshop setup where most of the content is already agreed / prepared in advance. For FIRST board meetings, you have to pay attention for eight hours straight, most coffee breaks are exploited for continuing the conversation, and lunch is also about FIRST. As a non-native speaker that is even more intense to follow. But we did get things done: we worked on topics that will enable FIRST to grow further and to use the resources we get from members and participants of our events in an even more targeted way.

Even on the travel days, we managed to squeeze in some 1on1 meetings to brainstorm on topics on a detailed level that will sooner or later be proposed to the board of directors and the members.

That trip showed me how much enthusiasm every individual on the board has, they are truly committed which is great to see and also a prerequisite, as everyone has his tasks and duties to keep FIRST running.

Recognition of FIRST

Before joining the board, I truly believed that FIRST is a key player in addressing some of the challenges the global population is facing, e.g. fake news, cyber warfare and privacy. After 100 days, I can now say that it is a matter of fact that more and more organisations value FIRST by asking for our opinion, input or expertise, by training policy makers, and through our efforts with our valued partner organisations. We are still on a long journey to prepare for that and be able to answer all that demand on a level that we feel comfortable with.

Secretary

If you read thus far and think serving on the board is a tough job, you are right, but I haven’t covered one particular aspect which is the central point of every meeting: Nora Duhig.

Every meeting has an agenda (obviously) and needs to have minutes. Imagine 10 adults who are experts in their professional area discussing and arguing on all aspects, from finance over contracts to nifty details of infrastructure (hosting infrastructure on prem. or in the cloud, which technology to use…). For transparency reasons, every meeting has to have minutes, so someone must keep track of everything, and that is Nora. It is impressive to observe her ability to follow the discussions and write minutes while keeping the ability to be pulled into the discussion out of the blue at any time – because she has been attending board meetings way longer than most current members combined, and it is critical to get the reason a certain decision was taken in the past to make decisions for the future, by either sticking to those decisions or changing the strategy. Having that context is gold.

Conclusion

It is hard to imagine how complex a not-for-profit organisation that „only“ enables a community is. This organisation has 30 years of history, and that includes some small things that we as a board need to work on to transform things we have done in the past into a modern way to operate an organisation. FIRST is doing business with entities literally all around the globe because of the spread of the membership and the events we host or co-host.

I am in no way saying I am now settled on the board, as the planning phase for the FIRST conference 2019 and already 2020 and 2021 (yes, not a typo!) is taking more and more time on board calls and the other communication channels that we use almost on a daily basis. So I am looking forward to the challenges we have to tackle as a group and I am thankful for that opportunity.

Statistics last 100 days

– 2 board meetings in Kuala Lumpur
– 3 virtual board meetings
– 1 physical board meeting in San Francisco (3 days + various side meetings).
– 2 virtual meetings with the membership committee
– 3 calls as the liaison for special interest groups (SIGs)
– was active on 16 of the last 30 days in our internal chat
– 50+ mails written to the board mailing list
– 300 mails received via board mailing list

Thanks to Serge Droz for the picture shown above.