MISP Issues with certificates

Recently I came across some MISP issues with certificates on remote servers. Even if "Test connection" succeeds, pushing or pulling events does nothing, and the logs will not tell you anything. If you run tcpdump to debug and look at the capture in Wireshark, you will see something like the screenshot.

Before adding it to the MISP documentation, here is a brain dump of what I did:

Scenario:
Server 1 – running MISP
Server 2 – running MISP

Server 1 wants to push events to Server 2

Server 2 has a TLS / SSL certificate signed by an internal CA. Because CakePHP does not respect the OS CA store, trusting that CA needs to be done manually in MISP.

Looking up the certificate with the full chain in Firefox will not reveal the FULL certificate path, because Firefox does not show the root CA.

What you need to do is create a new text file, add all public certificates of the chain to it and save it as a .pem file (including the certificate of the root CA).
This .pem file then needs to be added as the certificate in the MISP server config.

Within Gitter we had a discussion about why it is not okay to simply tick the „self signed“ box. Certificates that are signed by a CA (and not self-signed locally) carry several indications of such signatures:

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
...

and

ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

Useful:

keytool -printcert -file certificate.pem

And:

openssl s_client -showcerts -connect server2:443

Mount a VHD file within Linux

To mount a VHD (Virtual Hard Disk) file in Linux (e.g. Ubuntu):

sudo apt-get install virtualbox-fuse
sudo mkdir /mnt/vhd-mountpoint/
sudo vdfuse -f disk.vhd /mnt/vhd-mountpoint/    # exposes the partitions as Part1, Part2, ...
sudo mkdir /mnt/part1                           # mount point for the first partition
sudo mount -o loop /mnt/vhd-mountpoint/Part1 /mnt/part1

VHD is mostly used with Windows 7 and newer.

VLC OSX dock history deactivate

The history of recently opened files that VLC displays in the OS X dock can be deactivated with the following commands (run them in Terminal):

defaults write org.videolan.vlc NSRecentDocumentsLimit 0
defaults delete org.videolan.vlc.LSSharedFileList RecentDocuments
defaults write org.videolan.vlc.LSSharedFileList RecentDocuments -dict-add MaxAmount 0

Restart dock:

killall Dock


Adding your own CA crt to the Ubuntu local CA store

If you are, for example, developing in Python and accessing something encrypted with SSL whose certificate is not signed by a well-known CA, you might get an error.

That is because your CA is not in the local CA store of e.g. Ubuntu.

You can add your CA certificates with:

sudo mkdir /usr/share/ca-certificates/extra
sudo cp FOO.crt /usr/share/ca-certificates/extra/FOO.crt
sudo dpkg-reconfigure ca-certificates

Then the new certificates will be added to your local store.
(Please be careful: sudo dpkg-reconfigure ca-certificates only picks up files named *.crt, so no *.cer etc.)

Raspberry Pi libgcc1 problem

Having problems updating your Pi:

sudo apt-get install libgcc1
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Die folgenden NEUEN Pakete werden installiert:
libgcc1
0 aktualisiert, 1 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
2 nicht vollständig installiert oder entfernt.
Es müssen noch 0 B von 54,2 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 210 kB Plattenplatz zusätzlich benutzt.
E: Debconf-Version konnte nicht ermittelt werden. Ist debconf installiert?
debconf: apt-extracttemplates schlug fehl: Datei oder Verzeichnis nicht gefunden
dpkg: Vor-Abhängigkeitsproblem betreffend .../libgcc1_1%3a4.8.2-21~rpi3rpi1_armhf.deb, welches libgcc1:armhf enthält:
libgcc1 hängt (vorher) von multiarch-support ab
multiarch-support ist entpackt, wurde aber nie konfiguriert.

dpkg: Fehler beim Bearbeiten von /var/cache/apt/archives/libgcc1_1%3a4.8.2-21~rpi3rpi1_armhf.deb (--unpack):
Vor-Abhängigkeitsproblem - libgcc1:armhf wird nicht installiert
Fehler traten auf beim Bearbeiten von:
/var/cache/apt/archives/libgcc1_1%3a4.8.2-21~rpi3rpi1_armhf.deb

(Sorry for german only)

and other stuff is also not working:

sudo apt-get install --reinstall multiarch-support libgcc1 debconf
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Probieren Sie »apt-get -f install«, um dies zu korrigieren:
Die folgenden Pakete haben unerfüllte Abhängigkeiten:
debconf : Hängt ab von (vorher): perl-base (>= 5.6.1-4) soll aber nicht installiert werden
Empfiehlt: apt-utils (>= 0.5.1) soll aber nicht installiert werden
Empfiehlt: debconf-i18n soll aber nicht installiert werden
E: Unerfüllte Abhängigkeiten. Versuchen Sie »apt-get -f install« ohne Angabe eines Pakets (oder geben Sie eine Lösung an).

You might want to do the following:

go to:
http://archive.raspbian.org/raspbian/pool/main/e/eglibc/
locate the latest multiarch-support package
wget it...
sudo dpkg -i --force-depends multiarch-support_2.13-38+rpi2+deb7u3_armhf.deb
sudo apt-get -f install
sudo apt-get update
sudo apt-get upgrade

Things I have googled for:

raspberry libgcc1 problem

raspberry debconf has never

sudo dpkg -i --force-depends multiarch-support_2.13-38+rpi2_armhf.deb
sudo apt-get -f install
sudo apt-get update

SimsMe – a secure messenger

(c) Deutsche Post AG

There have been some ongoing discussions about Facebook Messenger / WhatsApp – security, encryption, privacy etc.
Just a few days ago Facebook made a big move, pushing more users to Facebook Messenger.
And now a new big player enters the field of messengers: Deutsche Post.

They announced a product called „Sims Me“, a „free and secure messenger on iOS and Android“.

Of course Deutsche Post has some experience with delivering messages, going back hundreds of years. But this is not the first app Deutsche Post provides; officially the apps are developed by „DP IT Brief GmbH“.

Key Features of SimsMe

– End-to-end encryption
– Everything stored on servers
– Self-destructing messages *
– Ability to connect to your existing contacts (but only by granting SimsMe access to your contacts)
– Confirm users by QR code (same as Threema)
– App is password protected -> if your password is lost, your app data is gone and you have to reinstall the app.

* free only for the first million users

There is a good FAQ on the page.

Conclusion

The starting phase was a bit too much for Deutsche Post as too many users tried the service, but for now it is okay; some bugs have to be fixed and there is some room for improvement regarding the UI, but overall a nice product.

Of course stating „it is end-to-end encrypted“ does not mean anything by itself. I haven’t seen an audit of the app, and even if it were open source, there is no evidence that the open-source code is the code DP IT Brief GmbH is sending to Apple / Google. And there is no way to check whether the app DP IT Brief GmbH uploaded to Apple / Google is the app you are downloading to your device (they are in a position to modify apps). That said, having a big company providing an app with end-to-end encryption is better than using a plain-text or not properly encrypted app. But still, if you want to exchange sensitive stuff, face to face is the way to go.

Download

iOS Itunes download
Android Google Play Store

REMNux set time

REMNux is an awesome Unix distribution built by Lenny Zeltser for reverse engineering malware. It is built for out-of-the-box reversing.

The documentation is almost complete, but one point I was missing while using it is quite important: correct time settings!
In order to check certain logs, contain evidence etc., you want to have an accurate time setting on the system.

First: set the right timezone:

sudo dpkg-reconfigure tzdata

The first shot then would be NTP:
sudo ntpdate ntp.ubuntu.com # or your preferred NTP server (maybe in your lab environment)

Because of the content running on the system you might want to limit network access, so NTP might not be available.
To set the date manually use:

sudo date $newdatetimestring
Format (month, day, hour in 24h, minute, year, seconds):
MMDDhhmmYYYY.ss

To print this string on another Unix system use the following command (note %H: date expects the hour in 24-hour form):
date "+%m%d%H%M%Y.%S"
040211422014.48

Copy this string and adjust it for the time that passes during the copy/paste process.
Check your correct date settings with:
date

Now happy reversing

Reference: Install REMNUX as virtual instance

Recovering Photos From Bad Storage Cards (with ddrescue)

Today, Jonathan Zdziarski wrote a blog post about recovering photos from a corrupt SD card. Overall the article is very good, but I would prefer to use ddrescue instead of dd only.

I have had good experiences with ddrescue in the past while recovering data from SD cards as well as HDDs.

Hope this helps