Sunday, May 11, 2014

As a Recon Target of BSides Boston Capture the Flag CTF

BSides Boston CTF, May 9-10 2014

As @safehex I was a Recon target for the BSides Boston Capture the Flag CTF.
This meant that the key the players needed (an MD5 hash string) was hidden somewhere in plain sight, e.g. social media, GitHub, or other public spaces available to everyone.

Covert Communications

This is one of my favorite topics because it strikes right at the heart of protecting information advantage during collaboration, e.g. communicating securely with another trusted party across a monitored path.

Public Channel Selection 

I wanted to be as public as possible without adding too much noise to my normal channels like Facebook, where the users would question my sanity. I have two Twitter accounts: my main account, @macycron, which is broadly technology and humanities focused, and @safehex, which is mentioned in the byline of @macycron and whose tweets focus more on information security topics.
@safehex was selected to transmit the covert message, the MD5 key.

KEY GENERATION
Quick note: I just used an online MD5 hasher to generate an MD5 hash from a short piece of text.
I think I put "@safehex pwns bsides" or something like that in the text, and got the MD5 result.
This result was the key: 1eb66679f32a1ee06dd60d9bc9a


Hiding in Plain Sight

There are lots of easy ciphers that simply go unnoticed in the noise of the internet, like mixed-case messaging.
I put a mixed-case message in the @safehex Twitter tag line: "d_IS_rup_T_ion t_E_chnolo_G_y tweets:"
The upper-case letters spell "ISTEG".

My first tweet of the day from my @macycron account:


Here I am setting the channel of communication to @safehex
Next I need to embed the key.


Establishing a protocol

I needed a place that wouldn't get buried under my #bsidesbos tweets during the event, so I had to do a couple of things. Twitter has a few features that could be interesting for this challenge: the text of messages or profile information; the images in the profile, like the avatar, background, and header; and also the images, locations and text in the messages themselves. I needed a place that would remain constant during the day, so I picked images and the profile to do this.

First, after sending the tweet from @macycron, I changed my header photo to a new image. This NSA EFF eagle is one of my favorites. So I changed my header photo, and I also uploaded the original output.jpg as generated by the iSteg application and used Twitter's "pinned image" feature.




Steganography

Hiding text in plain sight gets really interesting when you put text inside other media formats. Steganography applications are apps that flip the least significant bit of pixel values in image files to encode string data.
I could go on and on and on; I will put up my preso on that somewhere. Ok, basically the TL;DR is you can encode text in images with free appz on the internetz. Yay! Because I'm on a Mac, the one that worked best for me in a reproducible manner was iSteg.


I put the key in a text file, pointed the app at my source image, and hit the button. Yeah, it's that easy. Of course, in a high-risk environment you would want to use a different algorithm for encoding, NOT a free algo off the internet. The choice of start position should be customized, but in these apps it and the other control variables are baked into the program so that every copy of the app can decode the image and get the same hidden text.

Basically, brew your own if you want to really keep yourself out of sight from the more motivated eavesdroppers.
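As an added example (not the post's own code and not iSteg's algorithm), here is a minimal "brew your own" LSB embed/extract in Python where the password fixes the start position instead of a constant baked into the app. The password-to-offset derivation, the 16-bit length header and the random 16x16 grayscale cover image are all assumptions made for this example.

```python
import hashlib
import random

def start_offset(password: str, num_pixels: int) -> int:
    """Password-derived start position. Assumed scheme for this example
    (not iSteg's): first 4 bytes of SHA-256(password) mod the pixel count."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % num_pixels

def embed(pixels: bytes, secret: bytes, password: str) -> bytearray:
    """Write one payload bit into the least significant bit of each pixel
    byte, starting at the password-derived offset and wrapping around.
    A 16-bit big-endian length header tells the extractor where to stop."""
    if len(secret) > 0xFFFF:
        raise ValueError("secret too long for the 16-bit length header")
    payload = len(secret).to_bytes(2, "big") + secret
    nbits = len(payload) * 8
    if nbits > len(pixels):
        raise ValueError("cover image has too few pixels for this payload")
    out = bytearray(pixels)
    start = start_offset(password, len(pixels))
    for i in range(nbits):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        idx = (start + i) % len(pixels)
        out[idx] = (out[idx] & 0xFE) | bit
    return out

def _read_bits(pixels: bytes, start: int, nbits: int) -> int:
    value = 0
    for i in range(nbits):
        value = (value << 1) | (pixels[(start + i) % len(pixels)] & 1)
    return value

def extract(pixels: bytes, password: str) -> bytes:
    """Recover the payload. A wrong password yields a wrong start offset,
    so the length field and the bytes that follow come out as garbage."""
    start = start_offset(password, len(pixels))
    length = min(_read_bits(pixels, start, 16), len(pixels) // 8)
    return bytes(_read_bits(pixels, start + 16 + 8 * k, 8) for k in range(length))

def changed_pixels(cover: bytes, stego: bytes) -> int:
    """Pixels that differ between cover and stego image; LSB embedding moves
    each touched pixel by at most one gray level, which the eye cannot see."""
    return sum(1 for a, b in zip(cover, stego) if a != b)

# Constructed 16x16 8-bit grayscale cover (random pixels, not a real photo)
rng = random.Random(2014)
COVER = bytes(rng.getrandbits(8) for _ in range(16 * 16))
KEY = b"MD5-KEY-PLACEHOLDER"  # stands in for the CTF key string
STEGO = embed(COVER, KEY, "safehex")
```

Note that the password only moves the start position; the payload bits are still stored in the clear, so anyone who knows the scheme can brute-force the offset, which is exactly why the author's "brew your own" advice matters for a motivated eavesdropper.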

Shared Key, Password

I want to mention that iSteg also uses a password to embed the key. Since I had no prior contact with the intended recipients, I had no opportunity to share a key in a trusted way. I didn't know the participants ahead of time, so the key would need to be the easiest one available. I used my Twitter handle, "safehex", as the password, so that would be the app's required key.


Conclusion

Covert communications are happening all over the real world and the internet. This game we play has a lot of collaborating groups which are trying to gain information advantage. Encrypted communication is a basic requirement of that activity, but most encryption is easy to spot because of its highly unusual and out-of-place format. Scrambled strings are very easily seen in regularly monitored channels, like this tweet from the NSA earlier this week. Source: http://www.cnn.com/2014/05/07/tech/social-media/nsa-coded-tweet/


So you can't really use this on a public channel like Twitter without being noticed. Right now the internet is getting very image heavy with all the photo sharing capabilities, so images make an ideal medium for hiding text without being observed.