G R A N T   S T A V E L Y

The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer Antivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.

Testing antivirus software with EICAR deletions one virus at a time is effective but one dimensional. Successful deletion of a single EICAR string validates antivirus software for a given system, in a given directory, at the rate of one virus per unit of time. But single EICAR string deletions do nothing to stress secondary system alerting capabilities, validate rate limiting rules, enumerate directory level exclusions, validate reactive policy changes, and so on.

Weaponizing EICAR

It looks so innocent doesn't it?

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

That latter group all seem like fun, useful-to-have validation capabilities, so with them in mind I wrote EICAR-based malware for a red team drill, leveraging EICAR to enumerate directory-level antivirus exclusions.

The attack I wrote for the drill skipped system compromise. Sorry breakers, I was more interested in detection depth, breadth, and speed for this drill.

The components of this attack were designed to replicate real-world attacker techniques, while avoiding real-world obfuscation techniques that would turn this drill into a receive-alert-and-down-the-host drill.

A few simple subroutines

Don't go crazy with tools.

What happened?

I'm not going to tell you.

Why drill like this?

Each subroutine increases the time-to-response requirements. The DNS subroutine could run for days, the EICAR test will interrogate a full system in minutes, tools can be downloaded in seconds.

Each subroutine highlights disparate detection technologies, placement, logging, and so on. EICAR throws off incident responder assumptions because it is very much an infrastructure testing tool and not malware.

spray-eicar

I've ripped out all the command and control and tool downloads. Sorry, it was rubbish anyway and you can do better.

But you can have the Perl, which can be compiled with perl2exe-style tools; I've posted it on GitHub as spray-eicar.
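The directory-exclusion enumeration the drill relied on, as an added Python example (not the spray-eicar Perl on GitHub): drop the EICAR string into each candidate directory, then poll to see which copies the scanner removes and how quickly. Copies that survive the wait mark directories whose exclusions need review; the function names and the `eicar.com` filename are my own choices.

```python
import os
import time
import tempfile

# Assembled from two halves so this source file is not itself a bare EICAR file.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def spray(directories, marker=EICAR, name="eicar.com"):
    """Drop one copy of marker into each directory.
    Returns {directory: path}; path is None where the write failed."""
    written = {}
    for d in directories:
        path = os.path.join(d, name)
        try:
            with open(path, "w", newline="") as fh:
                fh.write(marker)
            written[d] = path
        except OSError:
            written[d] = None      # no write access: not evidence of an exclusion
    return written

def survey(written, wait_seconds=60.0, poll=1.0):
    """Poll until each copy disappears or the wait expires.
    Returns {directory: seconds until the scanner removed it, or None if it
    survived}. Survivors are the directories whose exclusions need review."""
    start = time.monotonic()
    pending = {d: p for d, p in written.items() if p}
    result = {d: None for d in pending}
    while pending and time.monotonic() - start < wait_seconds:
        for d, p in list(pending.items()):
            if not os.path.exists(p):
                result[d] = round(time.monotonic() - start, 2)
                del pending[d]
        if pending:
            time.sleep(poll)
    return result

def cleanup(written):
    """Remove any copies the scanner left behind; returns how many were removed."""
    removed = 0
    for p in written.values():
        if p and os.path.exists(p):
            os.remove(p)
            removed += 1
    return removed

if __name__ == "__main__":
    # Constructed demo: two throw-away directories instead of real exclusion candidates.
    dirs = [tempfile.mkdtemp() for _ in range(2)]
    placed = spray(dirs)
    for d, t in survey(placed, wait_seconds=30).items():
        print(d, "deleted after %ss" % t if t is not None else "SURVIVED")
    cleanup(placed)
```

Run it with the directory list you actually want to validate and a wait at least as long as your scanner's on-access latency; the drill's point is that the survivors and the per-directory timings are the findings.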

Weaponizing EICAR?

OK, maybe it isn't actually weaponizing EICAR. What else could be done with this trick?

And so on.


Bastardizing the Drake equation, if only a fraction of the people using twitter used it to send urls to each other, and only a fraction of those urls were artificially shortened by a url shortener, and only a fraction of those shortened urls were actually hyperlinks to Rick Astley’s Never Gonna Give You Up, and only a fraction of those Rick Astley hyperlinks were in fact not to Rick Astley videos, but instead phishing attack hyperlinks to Mills On The Hill Fish and Tackle Shop in New Market, MD, hosted on a RedHat 5 server at a local Mom and Pop ISP compromised and hardened by multiple attackers over the years but now serving free embedded javascript with every page inserting iframes from choose-your-own-nationalist-conspiracy-theory-ok-chinese-attackers, and only a fraction of the twitter users likely to find such links by searching for hashtags actually click on them, the Internet as we know it would come to a screeching halt, please can’t someone do something about these url shorteners?

Still with me?

The Scarecrow

Some of these arguments are very good, and thorough. Or at least thorough. Oops, I mean thorough. Most are echoes of As Web communication shrinks, so do links, by Rachel Metz at the AP.

Sorry, skip the foolish advertising business model of free dull razor blades, with every cut sponsored by Punch The Monkey and jump to the existing url shortening sites that are trying to reduce the risk posed by our straw man.

Preview images sound cute; I’ve never used them. I could preview a thumbnailed malicious pdf for you, would that help?

Auto-unshorteners sound neat too and I’ve seen twitter clients that use their API’s to some success, but they are just that — secondary services that some clients have.

New shorteners like safe.mn do more, but how much more? I was able to validate that safe.mn refused to shorten an old link in my spam quarantine, but not a new one.

How safe is safe enough? Does our straw man actually have a brain? How much does the culture of associative trust so prevalent on twitter reduce the risk that a given shortened url will actually be evil?

It won’t be the next link you get from a new follow consistent with their posting history about that-thing-for-which-you-followed-them that gets you. It will be the next #amazonfail meme. It will be thousands of opportunistic spam accounts bubbling up a Trending Topic with helpful links. Or it will be innocent meme followers, linking to their blog hosted on the same server as Mills On The Hill Fish and Tackle Shop, or, etc.

Hyperlinks never had any trustworthiness. URL shorteners seem like a great opportunity to add trustworthiness. Is anyone going that direction? Safe.mn seems to be heading in the right direction, but they make some bold claims.


I was the first to solve the Verizon 2009 Data Breach Investigations Report cover. Chris Eng's similar write-up is excellent and perhaps more in the spirit of defeating a challenge of the sort.

That wasn't how I solved it though.

2009 Verizon DBIR cover

Below lie spoilers. You've been warned.

I have no idea what I'm doing when approaching a cryptographic challenge. My background is in art.

I approached the challenge naively, unaware it even was a challenge. A designer had been asked to put 1s and 0s on the cover of the report because hey, it's about computer stuff, right? That's what I thought at least. I've been asked to do that sort of thing, and copying and pasting finger-mashed 1s and 0s is boring. I always made an effort to make my gibberish mean something. At the least, I'd find Cicero's lorem ipsum dolor sit amet et cetera ad nauseam.

I assumed something amusing would be there but didn't bother much with it. It was 5:30AM and the report made better coffee reading than the cover. When I reached the end though, I found the major clue.

So I tweeted about it.

Verizon Breach Report, page 48: Notice it? It's 2 searches away from WikipediA. Common cipher lore? Neat regardless! http://is.gd/sxkL

By two searches away from WikipediA, I meant, as others have noted that it was a one-hit google search at the time, for a geocaching clue.

Handy. Even handier is the 'decrypt' link on the geocaching site, yielding the original text, le chiffre indéchiffrable. Seems like an obvious clue! As I related in my tweet, that led me straight to the WikipediA article on the Vigenère cipher.

So then I read up on Vigenère. I'm kind of into just hopping through WikipediA. I read up on Caesar ciphers, of which rot-13 is one. I joked about it on twitter and went back to syndicated feeds and twitter, then drove to work.

What is The Verizon Breach Report cover binary text? http://is.gd/hafb please be Clutch lyrics, please be Clutch lyrics, please be Clutch l-

At the office, I asked a few co-workers if they had noticed the clue on page 48, and showed them that the cover text was probably something. I had no idea what, but hey presto, let's give it a spin.

I threw the source 1s and 0s into Vim and got rid of all the newlines. Nothing useful. Then I tossed the single long line into TextMate to play with wrap points.

While shifting it around in TextMate I noticed a pattern.

A pattern emerges... http://is.gd/sz5k #vzbdir

screen shot

Neat columns, but what does it mean? I didn't know. I was getting tired of moving the source text around though, and knew it was copy and pasted a few times, because I was still going on the naive 'it is nothing or it is funny' approach. I selected the first line and searched-all in TextMate. Four hits on lines 101, 201, etc... I did the same for the second and third lines. Sure enough, only the first 100 lines were unique. Oh well that proves nothing, back to work.

Only the first 100 lines matter. Off to blue team, will have to resume after lunch. Argh, obviously a Vigenère. http://is.gd/sz5k #vzbdir

After my morning meetings, I decided to keep at it through lunch. After talking to my friend Ben, we agreed I should just script out ASCII one letter at a time, whether that was what I was looking at or not. All the easy-to-find online ASCII-binary converters wouldn't accept it. I read up on Perl's pack() and threw this together.

#!/usr/bin/perl -w
# bin-to-ascii: turn lines of 0/1 digits into characters, eight bits each
use strict;
my $binary_text = shift;
open (BINARY, $binary_text) or
    die "Can't open input file: $!";
foreach my $line (<BINARY>) {
    chomp $line;                          # drop the newline so it isn't packed as bits
    my $length = length($line);
    my $ascii = pack("B$length", $line);  # pack the bit string MSB-first
    print "$ascii ";
}
close(BINARY);

Simple enough, what does that yield?

evntxigyimwsneheiefotxbscwyhrqmwguzabvycbbfreyfbvedkevmfri fngfnrbfgvksfpnbufzjgceeewakhpxebtzjczowgtbsqgtmiaydpydriryetkcjrpyhepwkuoa eknvtvzhsmznttivikmmrysnuiakbrkqmstycgccrlrriirefgytjubuxheysgleyrvhiyxdeyzcj kvtosoixjehoxevmwjbnzmtkwzefofcnbwncuwmyfiuvbkwnpwtyoeyqtirryrcmnvfvlrsbn tpwpaoczpekhlfceerrvwvuybvjpuvpoaymikqqnswzghzkdgylaegwpkesgcyzfvjdmepq ksslnvsvpuvvrvyerhdtutyymqgevwrmqszfnpnrjiggwajnnjlkoeqhnetrpuqydfzwczkvje xlmckcsiftctsutldrrmikqtninpgrpqqxptzdpaiotceuazfewdqllpzrhxlxqgslrjtblzrirvisnziwl mvyadvohfevnakkgorrxsygxpumvgbomrjlcrefcmrqvxtmiymjjvhxnbtszmtjefkfgkurfl nhxpkcwlexmiylgynnrwaksewthpkgzkkxgazellutayciekwishundkekwargbyzfgkepkqg zzsrimflgkarturainsngeeumexrveelzxtisuwvzkoyltpbhzweoqwnxnpxpkssxjhpancvfpr yadrlroewebqewhzrgatzdguceklfyhzjnnzijrgnzrvbocauyezgkpsjxjiasmvftdwfxbidhqz eykdrtdrioppkjrpisskmczjfztbvbjugeyanjigjtdcptzdeogutlzpekhtnihtggumvgbomrjlcr efswfzocroheau

Whoa! Letters! Chris Eng got this far immediately with a shell one-liner: sick fu!

I had no idea how to attack the Vigenère but given the clue on page 48, that's where I had to start. I read up on brute forcing Vigenère. Yikes. If it's possible, I can probably find a tool to do it. I found lots, but the first hit was enough.

I asked Munsee and Leech's java applet to find 5 keys. The first one looked like a winner.

crangingdefaultcrrdsntialschangingdlfeultfredentials

A few typos, but that's obviously English. I fixed the typos and used the key and Munsee and Leech's java applet again to decrypt the text.

changingdefaultcredentialschangingdefaultcredentials
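The whole solve in one place, as an added Python example rather than the Perl and the java applet used above: the bit-to-letter conversion, the "only the first 100 lines are unique" check, and a Vigenère decrypt with the recovered key. `CIPHERTEXT_START` is the first 30 letters of the decoded cover text quoted above; the function names are my own.

```python
from itertools import cycle

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def bits_to_text(bit_lines):
    """Turn lines of 0/1 digits into characters, eight bits per character,
    MSB first (what pack("B*") does). Whitespace and newlines are ignored."""
    bits = "".join(line.strip() for line in bit_lines)
    if len(bits) % 8:
        raise ValueError("bit string length %d is not a multiple of 8" % len(bits))
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def unique_prefix(lines):
    """Shortest prefix of lines that the remaining input merely repeats
    (the cover repeated its first 100 lines four times)."""
    n = len(lines)
    for period in range(1, n + 1):
        if all(lines[i] == lines[i % period] for i in range(n)):
            return lines[:period]
    return lines

def vigenere(text, key, decrypt=True):
    """Classic Vigenère over a-z; non-letters pass through without consuming key."""
    out = []
    shifts = cycle(ALPHABET.index(k) for k in key.lower())
    for ch in text.lower():
        if ch in ALPHABET:
            s = next(shifts)
            if decrypt:
                s = -s
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
        else:
            out.append(ch)
    return "".join(out)

CIPHERTEXT_START = "evntxigyimwsneheiefotxbscwyhrq"   # first 30 letters from the cover
KEY = "changingdefaultcredentials"

if __name__ == "__main__":
    # Constructed demo input: the bits for "ev", then the decrypt of the cover's opening.
    print(bits_to_text(["01100101", "01110110"]))
    print(vigenere(CIPHERTEXT_START, KEY))
```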

By the time lunch was over, I'd discovered the source text, found out it was actually a contest, and submitted my answer.

@alexhutton I just submitted my cipher text solution. Never done any code breaking before, was a lot of fun! #vzdbir (now back to work!)

I got a call an hour later.

I was the first to submit! I'd won!

Congratulate me at CharmSec this Wednesday, and I'll buy you a beer.

Update

I just used this old ASCII <-> hex <-> binary converter I keep handy and noticed it would have converted the binary for me. I use it for hex so much I forgot it handled binary. I didn't need that Perl script after all. Doh.


Simplepedia is a greasemonkey userscript that gives mediawiki sites a modern and clean design.

Wikipedia's design and style is tiring and cluttered. There's just too much going on!

Wikipedia front page

Wikipedia main page

Without the entire left bar, banner ads, footers, and tiny sans serif type, wikipedia is much more inviting.

Wikipedia front page

Wikipedia main page

Visit your about:config to choose the heading and body fonts you'd like Simplepedia to use. You can change the link colors too.

Wikipedia as an editor

Try it in Helvetica.

Wikipedia in Helvetica

Or Wikipedia's logotype, Hoefler Text.

Wikipedia in Hoefler Text

And you can optionally display a drop down selection box to jump to the same article in other languages, hide edit and logon text, and more.

The script generically applies to any site built with the standard MediaWiki engine using the default theme, but works best on WikipediA.

This was inspired by Jon Hick's excellent Helvetireader user script for Google Reader.

Change Log



Borges cites Lucretius re: Centaurs: They never existed: The horse-half at three years would be grown, the man-half but a babe. Duh!


@philip_daigle congratulations Philip!


Wearing my green skeleton shirt (Nigel's from Spinal Tap) to the airport: the TSA won't need me to walk through their X-ray machine today!


@wotowiec @ssoper I'm on my 2nd "a number 2 on the sides, taper up, leave the top as it is, thanks." I think I'm acting out. It's a phase.


@vurtyou: Your hair is very Flock Of Seagulls today. @grantstavely: Thanks, I like it too.


@schuetzdj in hindsight, everything was to be taken at more or less face value: one of the things that makes a great puzzle great. =] #DBIR


RT @therealKidKoala: free download available for the next 6 days. The Lost Solid Steel mix. it's sorta like Music to Draw to... enjoy: ...


@christopherkunz nice work! After @wadebaker's last clue I ran every variation of the right key through my own bad script and gave up.


@marcusjcarey thanks, I'm very much enjoying the Bay Area. The return of @dojosec/@dojocon streams is great news, I look forward to 'em.


I should use Entourage's auto-capitalization of the first word after e.g. to break myself of using latinate abbreviations. Instead: rage.


@kathybarnett way to go Kath!


Yes, yes, of course, but what is the zeroth law of the Road Runner and Wile E. Coyote? http://goo.gl/i2Jz


"They're talkin' about, weak induction. It's a motherfucker, don't you know?" —Sun Ra http://j.mp/cn5Gc2 (Link via @rands)


printf "# Or just go listen to a funky 60 minute DJ Food mix made for robots.\nUser-agent: *\nSuggest: http://snd.sc/aOT9a4 " >> robots.txt


@alexhutton I cut out the cover's circles on a full print out of the #DBIR with a razor and tried the grille-cipher approach. #nbioahd


The body language of appearing to be lost or have forgotten something is as effective as mind control. So is its inverse.


RT @electricfork: What keeps me up at night? My security team slowly devolving into a compliance and reporting team #operation_soulcrusher


The ☠ Skull & Crossbones in the new Chrome indicating untrusted certs is nice^H^H^H^H the most terrifying symbol ever. http://goo.gl/fQz1


I'm brewing an American IPA with @vurtyou. I need a fridge to keg this in! http://flic.kr/p/8sCgnr