Login Leaks
Ctrl+F’ing ‘Wq’ here, we can be pretty confident that it goes ‘$Wq6’:
I was going to just keep on doing this, but ok, I realise now that ‘the characters are always in the correct order’ does not mean they are necessarily next to each other, and there could be some missing characters in between. Maybe this is too much to do manually…
But I think my approach would be to create a list of all the characters, then eliminate a character from the list whenever you see that it is to the right of something, so that the last character you are left with must be the first character of the password. Repeat this with the remaining characters until you know what order they come in.
Probably naive and mega inefficient, but I’m pretty sure it would work.
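The elimination procedure from the paragraph above, written out as an added example (mine, not from the post). The leaked fragments and the secret behind them are constructed for the demo, and like the post it assumes each character occurs once in the secret. It goes slightly beyond the post by reporting whether the fragments seen so far actually pin down a unique order, which is the question to ask when judging how much a set of partial leaks gives away.

```python
from collections import defaultdict

# Constructed sample leaks: each one is a fragment of the same secret in which
# the characters keep their true relative order but need not be adjacent.
# The secret behind this constructed sample is "P$Wq6!z".
LEAKS = ["P$q", "$Wq6", "W6!", "q!z", "P6z", "$z"]


def build_constraints(fragments):
    """Turn 'x is to the left of y' observations into a directed graph.

    Every pair (x, y) with x before y in some fragment adds the edge x -> y.
    Assumes each character occurs once in the secret, as the post does.
    """
    after = defaultdict(set)   # after[x] = characters seen to the right of x
    chars = set()
    for frag in fragments:
        for i, x in enumerate(frag):
            chars.add(x)
            for y in frag[i + 1:]:
                after[x].add(y)
    return chars, after


def reconstruct_order(fragments):
    """Recover the ordering by repeatedly discarding every character that is
    known to sit to the right of some remaining character; whatever survives
    must come first.  Repeating this on what is left is Kahn's topological
    sort.  Returns (recovered string, uniquely_determined): False means that
    at some step more than one character could have come next, i.e. the
    leaks seen so far do not pin down the full order.
    """
    chars, after = build_constraints(fragments)
    remaining = set(chars)
    order = []
    unique = True
    while remaining:
        to_the_right = set()
        for x in remaining:
            to_the_right |= after[x] & remaining
        candidates = remaining - to_the_right
        if not candidates:
            raise ValueError("contradictory leaks: ordering constraints form a cycle")
        if len(candidates) > 1:
            unique = False
        nxt = min(candidates)      # deterministic tie-break when ambiguous
        order.append(nxt)
        remaining.remove(nxt)
    return "".join(order), unique


if __name__ == "__main__":
    secret, unique = reconstruct_order(LEAKS)
    print(secret, "(uniquely determined)" if unique else "(order ambiguous)")
```

Each pass only removes characters that some still-remaining character is known to precede, so a character with no such constraint left is a valid next pick; when more than one is valid the leaks are incomplete and the result is just one consistent guess.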
Puppy Love
First up, trying to obtain the Puppy Love Facebook login credentials.
At first I didn’t look around much and tried emailing David about the dog Max, with the hope of maybe asking for more detail like whether there were any more photos anywhere (for example on Facebook), but I kept getting the response: “Thanks for the email. What's this regarding? I'm a little behind on payments if its about that. Soz.” Then I decided to do a bit more digging. Stalked Sarah on Instagram, and although it’s a little weird to tell how far apart things are since they’re all posted at the same time, it seems she used to have a husband called Mark who turned 35 on 0406 (whether that’s day/month or month/year I’m not sure), and now she is married to David. It looks like she had a child with Mark on 2/12/14. In the second last post with her kid James it also says #02122014, so this must be Mark’s child.
After some recon I just typed “Facebook page” to David and got this:
Hi, I'm sorry. This email looks random, suspicious and doesn't even look addressed to me. I'm going to delete it Bye
Then I typed “Facebook page” to Sarah and got the same reply.
I then sort of formatted the email better with “Hi Sarah, Facebook page. Thanks, Daniel”, to which I got a promising reply:
I then sent the email “Hi Sarah, Facebook page login details. Thanks, Daniel” and bingo!
Ok it turned out I didn’t use all that random information at all, and to be honest I’m not really sure if I learnt anything but oh well.
Social Engineering Questions
I did the social engineering questions game with a friend not in the course. I asked first with the questions in the first image. I successfully asked number 2 and 10 and that’s all I tried because I thought the rest seemed too obvious, but maybe I was being overly cautious. Probably could’ve gotten away with a few more, especially 4.
They asked me with these questions. They successfully asked 3, 4, 7 and I caught them out on 8. I was actually pretty surprised they got away with 3, thought I would catch them out much more easily than that.
Block Cipher Modes Activity
Basically I typed in the alphabet, expecting to have to copy-paste it a few times to reach whatever the block size was (I was assuming I would need 128 characters), but when I got to q the cipher lengths doubled, so the block size is 16 characters.
Ciphers 1 and 5 were the easiest, since making the second set of 16 characters the same as the first results in the second half of the cipher being identical to the first, so they are using ECB.
Cipher 2, unlike the others, has a cipher length relative to the plaintext length, i.e. there is no padding (see image). This implies it is in counter mode, because CTR is a pseudo-stream cipher and doesn’t require that the plaintext be a multiple of the block length.
I haven’t fully grasped how it works, but I think this has something to do with the fact that the XOR operation is bitwise and doesn’t require any fixed length to work.
https://crypto.stackexchange.com/questions/5274/why-doesnt-ctr-mode-require-blocking
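The two fingerprints used above (repeated ciphertext blocks for ECB, ciphertext that grows byte-for-byte for CTR) as an added example; this is my code, not the activity’s. The “block cipher” is a constructed stand-in built from a keyed hash, so it is not AES and cannot decrypt, but ECB, CBC and CTR built on top of it show the same length and repetition behaviour the activity relied on, and the constructed key, IV and nonce are fixed only so the run is repeatable.

```python
import hashlib
from functools import partial

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a real block cipher (a constructed toy, not AES).

    A keyed hash truncated to one block acts as a pseudorandom function of the
    block, which is all the mode fingerprints below depend on.  It is not
    invertible, so nothing in this demo decrypts.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a whole number of blocks; a full block is added if already aligned."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    p = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    p = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(p), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(p[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)


def ctr_encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """CTR only ever encrypts counter blocks; the result is XORed bitwise with the
    plaintext, so the last chunk can be any length and no padding is needed."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = toy_block_encrypt(key, nonce + ctr.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], keystream))
    return nonce + bytes(out)


def has_repeated_block(ciphertext: bytes) -> bool:
    """ECB fingerprint: equal plaintext blocks give equal ciphertext blocks."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) != len(set(blocks))


def ciphertext_growth(encrypt, lengths):
    """Output length for each input length, like typing one character at a time."""
    return [len(encrypt(b"a" * n)) for n in lengths]


def identify_mode(encrypt) -> str:
    """Apply the two observations from the activity as a rough classifier."""
    growth = ciphertext_growth(encrypt, range(0, 40))
    if all(b - a == 1 for a, b in zip(growth, growth[1:])):
        return "CTR-like (no padding)"
    if has_repeated_block(encrypt(b"A" * (2 * BLOCK))):
        return "ECB"
    return "CBC-like (padded, no repeats)"


# Constructed demo key and fixed IV/nonce so the run is repeatable; a real CBC
# or CTR deployment must use a fresh random IV / never-reused nonce per message.
KEY = b"constructed-demo-key"
ECB = partial(ecb_encrypt, KEY)
CBC = partial(cbc_encrypt, KEY, iv=bytes(BLOCK))
CTR = partial(ctr_encrypt, KEY, nonce=bytes(8))

if __name__ == "__main__":
    for name, fn in (("cipher A", ECB), ("cipher B", CBC), ("cipher C", CTR)):
        print(name, ciphertext_growth(fn, range(14, 19)), "->", identify_mode(fn))
```

The padded modes jump by a whole block when the input crosses a 16-byte boundary, while CTR grows by exactly one byte per input byte; only ECB turns two identical plaintext blocks into two identical ciphertext blocks, which is the leak that makes ECB unsuitable for anything structured.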
Social Engineering Examples
https://www.youtube.com/watch?v=lc7scxvKQOo
https://www.youtube.com/watch?v=PWVN3Rq4gzw
TLDW: Hackers use social engineering over the phone to get important personal details or to take control of a tech support guy’s computer
To be honest whenever I heard social engineering I would think something more involved like slowly building people’s trust or infiltrating organisations over time (well mainly before the social engineering seminar), but this kind of thing is maybe even scarier since it’s so quick and effortless to do and yet so powerful.
It actually blows my mind how easy this is, and also makes me think more about how easy it is to stop. My initial thought is that this is just sloppy from the employees, and I still definitely think that, but now that I think about it more I think it is nearly impossible to not let any of these kind of attacks get through.
The examples here actually tie in to that open problem of authentication: how can the customer service employee know the other person on the phone is who they say they are? Sure, they could make them go through a bunch of hoops to authenticate and get into their phone account, but it’s in the company’s best interest to keep the customer happy and keep the process as quick and painless as possible, because the vast majority of these cases will be legitimate people just trying to get into their account due to forgotten passwords or similar. But in the above examples it does just seem way, way too easy to get in; they barely even did anything to authenticate that the woman was who she said she was.
5G Networks
Not allowing Huawei to build the 5G network.
Dear CEOs,
I regret to inform you that we have decided to not allow Huawei to build the 5G network. Although it would save us a great deal of money, we cannot jeopardise the privacy of our people. Given Huawei’s reputation and history with the Chinese government, we have come to the conclusion that they cannot be trusted with installing this crucial infrastructure. As well as this, we want the Australian population to feel at ease - we do not want them to be constantly worried they are being watched. It is a matter of national security, and the increased price for the time being is absolutely worth protecting the Australian people.
I am also sure you can understand that our relationship with the United States is of paramount importance, and its strength must be maintained.
I will also be honest and direct to the public about the decision I have made and why I have made it. As such, I, along with the rest of my government, will bear the blame of increased mobile costs for Australians.
Cheers, Scomo
Lectures 08
Errors Root Cause Analysis
User Error
Culture
The system
We as humans are not that honest and will absolutely be dishonest/cheat if given the opportunity, if it benefits us and especially if there is little risk/chance of getting caught.
Humans are subject to misdirection, we can’t be conscious and attentive/focused on everything at once.
Richard’s torch in the dark room example: we (our brain) can only really focus on one thing at a time despite there being a huge amount of information available around us, and no matter how much we search around we’re not going to cover every bit of information or every perspective, and we’re going to look at the same things repeatedly a lot.
We should focus on what’s logically important, but we focus on what appeals to us psychologically.
We automatically try to find patterns in things using our past experience/instinct/heuristics, which is great in general but can trick us into understanding things incorrectly.
Frequency gambling: gambling that what worked in the past will work in the future.
Groupthink definition: a psychological phenomenon that occurs within a group of people in which the desire for harmony or conformity in the group results in an irrational or dysfunctional decision-making outcome.
Takeaways from Three Mile Island:
We have to design things so that when things do go wrong, which they will, the impact is limited.
Identify the most important things and protect them; everything will never be protected.
Assume you’re going to be breached and set it up so that’s not a disaster.
Stargate Ghost Problem
This week’s case study was something like: There is a portal which leads to an alien planet/dimension. A cadet from the army on Earth goes through. He sees and talks to the aliens there. He comes back through the portal with one of the aliens and they arrive back on Earth. However, the cadet is now invisible; he is essentially a ghost, so he cannot communicate with anyone on Earth EXCEPT for the alien who can still see and understand him. The problem: how can the cadet communicate to his major (or anyone from Earth) reliably through the alien? I.e. with the alien relaying the messages from cadet to major.
At first we were thinking of using MACs to prove authenticity and so that if the message was altered by the alien it wouldn’t make sense, but it would be hard for the cadet to do without any computing power.
What we came up with in the end, which a couple of the other groups did too, is to use one time pads. Have two rooms, one with the cadet inside, the other with the alien and the major. Forbid the alien from entering the room with the cadet. Establish a one time pad between major and cadet by the major choosing it and putting it in the room with the cadet, by writing it on the walls for example. Then the cadet can encrypt his messages with the one time pad, which is doable without computing power, and if the alien alters the message it should not make sense.
One problem with this is how can you guarantee the invisible guy in the room is the one you think it is? It could be anyone. A possible solution to this is to send a message or messages that say something only the cadet and major would know, for example a memory about when they first met. But then, this information could have possibly been extracted from the original cadet who went to the aliens through torture or similar.
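The pen-and-paper one time pad from the solution above, as an added example (mine, not from the case study). It uses the letters-mod-26 tabula recta method, which is what a cadet could do by hand off a pad written on the wall; the pad “XMCKL” in the demo is a constructed fixed value so the run is repeatable, and `make_pad` is what the major would actually use. It also shows two properties the scheme rests on: a relay that swaps a ciphertext letter without the pad cannot choose what the major reads at that position, and any ciphertext is consistent with any plaintext of the same length, which is why the relay learns nothing from carrying it.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # pen-and-paper alphabet: A=0 ... Z=25


def make_pad(length: int) -> str:
    """The major picks the pad: one uniformly random letter per message letter,
    used once and never reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(message: str, pad: str) -> str:
    """Shift each letter forward by the pad letter (mod 26), the tabula recta
    method that can be done by hand on the wall."""
    message = message.upper()
    assert len(pad) >= len(message) and all(c in ALPHABET for c in message)
    return "".join(ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % 26]
                   for m, k in zip(message, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


def relay_tampers(ciphertext: str, position: int, new_letter: str) -> str:
    """The relay, not knowing the pad, swaps one ciphertext letter."""
    return ciphertext[:position] + new_letter + ciphertext[position + 1:]


def pad_explaining(ciphertext: str, claimed_plaintext: str) -> str:
    """For any plaintext of the right length there is a pad that maps it to this
    ciphertext: that is why the relay learns nothing from what it carries."""
    return otp_decrypt(ciphertext, claimed_plaintext.upper())


if __name__ == "__main__":
    pad = "XMCKL"                       # constructed fixed pad so the run is repeatable
    ct = otp_encrypt("HELLO", pad)
    print(ct, otp_decrypt(ct, pad))                         # EQNVZ HELLO
    print(otp_decrypt(relay_tampers(ct, 0, "A"), pad))      # DELLO: the swapped letter is garbled
    print(pad_explaining(ct, "WORLD"))                      # a pad under which EQNVZ reads WORLD
```

Note that the tampered letter lands on some plaintext letter, just not one the relay can pick, so the “doesn’t make sense” check depends on the messages being natural language long enough that a random substitution stands out.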
Reflection on Achieved Criteria
In my criteria I said I would go for two Rookiss challenges a week in the last two weeks and one grotesque a week at the end but that was much too ambitious. I ended up doing 10 toddler’s bottles ones and just 2 Rookiss ones, though a few are undocumented.
I did however meet my contingency plan of completing more toddler’s bottle challenges in place of harder challenges if I could not complete them. I also completed the extension part of my criteria which was to participate in a CTF competition and do well (even though I lost).
Main self-criticism: I did not achieve the goals I initially set. However, this was due to a gross underestimation of the difficulty of the challenges and an overestimation of my ability to learn the required skills in such a short amount of time. I also did not blog about a couple of the challenges.
I would give myself a D for this. There was a considerable amount of time and effort put into this Something Awesome but I did not achieve what I originally wanted to and I could have been more rigorous with the documentation of it/blogging.
SecSoc CTF
Went to the SecSoc CTF event on Saturday. Did it with Alex, and while we weren’t able to stay for too long and we’re pretty nooby, we managed to get a couple out.
The first was “bufff”, a buffer overflow pwn challenge.
In the end it was not too difficult, we had to overflow the buffer, change a return address to call another function which popped open a shell where we could just cat the flag. However, it took us ages because at first we were just playing around with it locally and trying to overflow the buffer, but we didn’t realise we had to netcat in, so we would’ve gotten it a lot quicker if we’d just realised that earlier.
Script used (basically learnt this from pwnable.kr), and no, a script isn’t really necessary.
We also completed the “cupcake” crypto challenge, which was fairly simple. It was just a very long caesar cipher with the flag hidden somewhere in the middle like this: “}llor eistoot ekaceseehc tressed sraeb immug evol I{GALF”.
Another one we did was the Web challenge K17coin, which involved transferring negative amounts to other accounts to push an account’s balance higher than should have been allowed.
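The K17coin bug class, as an added example that is mine and not the challenge’s code: a constructed in-memory ledger with the vulnerable transfer (only an “enough funds” check, so a negative amount sails through and drains the recipient) next to the hardened one, which validates the amount as a positive integer and rejects self-transfers before touching any balance.

```python
class Ledger:
    """Constructed in-memory account store standing in for the challenge's backend."""

    def __init__(self, balances):
        self.balances = dict(balances)   # account -> whole units

    def transfer_vulnerable(self, src: str, dst: str, amount) -> None:
        """Only checks 'enough funds', so a negative amount passes the check and
        moves money from the recipient to the sender."""
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer_fixed(self, src: str, dst: str, amount) -> None:
        """Hardened version: reject anything but a positive whole-number amount
        (floats, bools and strings included) and self-transfers before any
        balance is touched."""
        if type(amount) is not int or amount <= 0:
            raise ValueError("amount must be a positive integer")
        if src == dst:
            raise ValueError("cannot transfer to the same account")
        if src not in self.balances or dst not in self.balances:
            raise ValueError("unknown account")
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount


def attempt(ledger, method_name, src, dst, amount):
    """Run one transfer and report the outcome plus resulting balances."""
    try:
        getattr(ledger, method_name)(src, dst, amount)
        return "ok", dict(ledger.balances)
    except ValueError as e:
        return str(e), dict(ledger.balances)


if __name__ == "__main__":
    print(attempt(Ledger({"alice": 10, "bob": 100}), "transfer_vulnerable", "alice", "bob", -50))
    print(attempt(Ledger({"alice": 10, "bob": 100}), "transfer_fixed", "alice", "bob", -50))
```

The fix is input validation at the trust boundary, not a smarter balance check: once the amount is known to be a positive integer, the existing “enough funds” test does exactly what it was meant to. In a real backend the two balance updates would also need to happen in one database transaction.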
“America is Woefully Unprepared for Cyber Warfare”
Came across this article that was pretty relevant to the case study:
http://www.rollcall.com/news/u-s-is-woefully-unprepared-for-cyber-warfare
The space of cyber warfare is one that’s tough to scope out and gauge or measure what is happening.
The author argues that the battle for cyberspace will hinge on human beings and that “ultimately, our success or failure in cyber will come down not to algorithms or technology but to human beings.” This is something that’s in line with a lot of what has been said in the course so far - that people are easily ‘attacked’ and that over 95% of all attacks are from social engineering.
Safer - Cyber Warfare
In the case study this week we were national security advisors tasked with making recommendations for defending against cyber warfare, both in preparation for them and what we would do if something significant were to happen.
We started by identifying the main weaknesses and vulnerabilities that could be attacked. We came up with the internet and communications systems, water, electricity, but it’s definitely much easier to come up with these weak points than to figure out solutions to them.
Large-scale DDOS attacks are not uncommon. For example, Russia is suspected to have been the culprit of an attack against Kyrgyzstan’s two main ISPs, which effectively took them offline. Our initial ideas to defend against this were to just throttle and block too many requests coming from the same IP, but we figured that was pretty simple, already being done, and it is generally easy to change your IP address. DDOS attacks also commonly use botnets, so the IPs will be coming from all over the world anyway. So we didn’t come up with perfect solutions to this, but perhaps something like spreading ISPs and towers out so there aren’t single points of failure for huge areas, or less reliance on internet communications, like having backup analog or radio communication systems if the internet goes down.
We thought similarly for water and electricity that it is important not to have any single points of failure as that could be quite catastrophic. Apparently New South Wales’ power system is pretty fragile at the moment, with the two main generators in Sydney and Newcastle or so.
Some of the other group’s ideas focused more on the people side of things, such as people being indoctrinated, even if only slowly and slightly by stuff like ‘fake news’ creeping in, or falling prey to any kind of social engineering. I’m not sure how you would fully protect against this as there will always be the potential for people to defect or be compromised, and the same goes for people in other countries too.
Diffie-Hellman example
Communication between Alice and Bob:
Alice and Bob agree to use a modulus, e.g. p = 23, and a base, e.g. q = 5
Alice chooses a secret number e.g. a = 4 (and never communicates what this is), and sends to Bob:
X = q^a mod p
X = 5^4 mod 23
X = 4
Bob chooses his own secret number e.g. b = 3, then sends to Alice:
Y = q^b mod p
Y = 5^3 mod 23
Y = 10
Alice calculates:
s = Y^a mod 23
s = 10^4 mod 23 = 18
Bob calculates:
s = X^b mod 23
s = 4^3 mod 23 = 18
Alice and Bob now share the same secret of the number 18.
If these numbers were larger it would be very hard to go backwards and figure out the original numbers.
The base is public, but each person’s secret number on each side is unknown and difficult to find.
Problems with Diffie-Hellman
It is a great way to establish a shared secret between two people over an insecure line, but it doesn’t provide any authentication that the person you are talking to is who they say they are. It is therefore susceptible to man in the middle attacks.
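The exchange above in code, as an added example (mine, not from the post), using the post’s numbers p = 23, g = 5, a = 4, b = 3. It goes a step further than the post in two directions: `find_secret` is the brute-force “going backwards” that is trivial at this size and infeasible at real sizes, and `mitm_exchange` plays out the man-in-the-middle weakness by letting a third party (secret m = 7, a constructed value) substitute its own public value in both directions, so Alice and Bob each end up keyed to the middle party rather than to each other.

```python
def dh_public(g: int, secret: int, p: int) -> int:
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    return pow(peer_public, secret, p)


def textbook_exchange(p=23, g=5, a=4, b=3):
    """The exchange from the post.  Returns (X, Y, Alice's secret, Bob's secret)."""
    X = dh_public(g, a, p)          # Alice -> Bob
    Y = dh_public(g, b, p)          # Bob -> Alice
    return X, Y, dh_shared(Y, a, p), dh_shared(X, b, p)


def mitm_exchange(p=23, g=5, a=4, b=3, m=7):
    """Same exchange, but the messages pass through a third party who replaces
    each public value with its own Z = g^m mod p.  Alice and Bob each end up
    sharing a secret with the third party, not with each other, and neither
    can tell, because nothing in the protocol says who sent Z.
    Returns (Alice's secret, Bob's secret, third party's key with Alice, with Bob)."""
    X = dh_public(g, a, p)
    Y = dh_public(g, b, p)
    Z = dh_public(g, m, p)
    alice_secret = dh_shared(Z, a, p)     # Alice received Z instead of Y
    bob_secret = dh_shared(Z, b, p)       # Bob received Z instead of X
    return alice_secret, bob_secret, dh_shared(X, m, p), dh_shared(Y, m, p)


def find_secret(g: int, public: int, p: int):
    """Brute-force discrete log, the 'going backwards' step: trivial for p = 23,
    infeasible when p is a few thousand bits."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    print("textbook:", textbook_exchange())        # (4, 10, 18, 18)
    print("with MITM:", mitm_exchange())           # (8, 14, 8, 14)
    print("Alice's secret recovered from X:", find_secret(5, 4, 23))   # 4
```

This is why deployed protocols (TLS, SSH) sign or otherwise authenticate the DH values: the key agreement itself cannot tell a relayed Z from a genuine Y.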
Randomness Lightning Talk
Decided to give a lightning talk on randomness since it really intrigued me. Not the best at presenting but glad I got it done.
(embedded YouTube video)
Randomness
Randomness has come up quite a bit, but Richard only really mentions it in passing, like he’ll say things need to be generated randomly or they’re susceptible to statistical analysis attacks, but doesn’t really go into it more. I was just wondering how all this randomness works, because I know that pseudorandom number generators are widely used, but since they aren’t truly random are they good enough, and also is anything really truly random? How can we prove something to be random?
Pseudorandom number generators (PRNG)
Take the PRNG function rand() in C for example: by default it uses the system’s current time, which is something like milliseconds since 1970, so it’s kind of random, but absolutely not good enough for security. This is because the seed can be easily guessed if, for example, one can narrow down the range of when the random number was generated. If you knew what day the seed was generated, you would only have to try all possible time values from that day as the seed.
Pseudorandom RNGs are essentially deterministic functions, but the idea is their seed or input should be somehow unpredictable and random.
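The seed-guessing weakness described above, measured rather than just stated, as an added example (mine, not from the post). `weak_token` draws a token from a general-purpose PRNG seeded with a clock reading; `recover_seed` is the defender’s check of how little work it takes to reproduce that token once the issuing time is known to within a window; `strong_token` is the replacement, the OS CSPRNG, which has no guessable seed at all. The timestamp is a constructed value.

```python
import random
import secrets
import time


def weak_token(seed: int, nbytes: int = 8) -> bytes:
    """Token drawn from a general-purpose PRNG seeded with a clock reading, the
    pattern the post describes.  Same seed, same token, every time."""
    rng = random.Random(seed)   # Mersenne Twister: deterministic, not a CSPRNG
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def recover_seed(token: bytes, window_start: int, window_end: int):
    """Measure the weakness: if the issuing time is known to lie in
    [window_start, window_end), how many candidate seeds must be tried?
    Returns (seed, attempts), or (None, attempts) if nothing in the window fits."""
    attempts = 0
    for candidate in range(window_start, window_end):
        attempts += 1
        if weak_token(candidate, len(token)) == token:
            return candidate, attempts
    return None, attempts


def strong_token(nbytes: int = 8) -> bytes:
    """What to use instead: the OS CSPRNG, which has no guessable seed."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    issued_at = 1_556_000_000                      # constructed timestamp (April 2019)
    tok = weak_token(issued_at)
    day_start = issued_at - issued_at % 86_400     # only the day is known
    t0 = time.time()
    print(recover_seed(tok, day_start, day_start + 86_400), "in %.2fs" % (time.time() - t0))
    print(strong_token().hex())
```

A one-second-resolution seed gives at most 86,400 candidates per day, which the loop above exhausts in a second or two; a millisecond seed only multiplies that by a thousand. The work is bounded by the attacker’s uncertainty about the clock, not by the size of the token, which is the whole problem with clock seeding.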
Randomness in cryptography
Why do we need it, and why do we care?
Many reasons, but some of the main ones are:
Keys
Salts
Initialisation vectors (sometimes)
Nonces
Padding strings in block ciphers that need to be a certain length
Possibly password generation
Cryptographically secure random number generators (CSPRNG)
CSPRNGs need to satisfy the next-bit test.
They should withstand state compromise attacks, so if any or all of their state has been revealed it should still be impossible to reconstruct the stream of random numbers
/dev/random in unix systems polls system noise which has high enough entropy to pass CSPRNG tests
Java has the inbuilt ‘SecureRandom’ class
AES implementations generally use something called AES-CTR DRBG
Many other implementations
NIST standards
NIST actually has some randomness standards: a statistical test suite for evaluating random data. So we don’t need true randomness; what we want is for our pseudorandom number generators to be statistically indistinguishable from a truly random process. We want unpredictability and as much randomness as possible.
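Two of the tests from that NIST suite (SP 800-22), as an added example that is my code and not NIST’s reference implementation: the frequency (monobit) test and the runs test, checked against the worked examples in the NIST document. The demo also shows why a suite is needed rather than one test: the byte 0xAA repeated has perfectly balanced bits and passes monobit, but it never behaves like a random sequence and the runs test rejects it.

```python
import math
import secrets


def bytes_to_bits(data: bytes) -> list:
    """Most-significant bit first, one int (0/1) per bit."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def monobit_p_value(bits) -> float:
    """NIST SP 800-22 section 2.1, frequency (monobit) test: ones count +1,
    zeros -1; S_obs = |sum| / sqrt(n); p = erfc(S_obs / sqrt(2))."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p_value(bits) -> float:
    """NIST SP 800-22 section 2.3, runs test: does the sequence switch between
    0 and 1 about as often as a random one would?  V_n counts runs; the
    prerequisite frequency check returns p = 0 when the proportion of ones is
    too far from 1/2 for the test to be meaningful."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


ALPHA = 0.01   # NIST's usual significance level: p < 0.01 means "looks non-random"


def evaluate(data: bytes) -> dict:
    """Pass/fail for each test at significance ALPHA."""
    bits = bytes_to_bits(data)
    return {"monobit": monobit_p_value(bits) >= ALPHA,
            "runs": runs_p_value(bits) >= ALPHA}


if __name__ == "__main__":
    print("all zeros     ", evaluate(bytes(1000)))
    print("0xAA repeated ", evaluate(b"\xaa" * 1000))   # balanced bits, but no randomness
    print("OS CSPRNG     ", evaluate(secrets.token_bytes(1000)))
```

Passing these tests is necessary, not sufficient: a deterministic generator with a leaked seed passes every statistical test and is still useless for keys, which is why the post’s “unpredictability” requirement sits alongside the statistical one.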
Privacy
At first I was on the side arguing for the government keeping some or ‘more than none’ data on people.
We figured this was a pretty clear cut case and our main idea was that if the government had absolutely no data/information on its citizens it would be much too easy to get away with things and commit crimes, and it could descend into chaos. People would have close to absolute privacy but at too much of a cost.
I think Hayden and the others sort of agreed on this too so the position we were arguing changed to the government should be collecting more data than they are now.
After establishing our main points we thought about what their main ones would be, and how we would argue against them. We figured they would talk about privacy being
And the government having and collecting more data would be an invasion of privacy and their freedom. An interesting point someone in my group raised on this was that perhaps if the government had more data on its citizens it could actually result in people having more freedom, due to increased safety in general. For example people would be more confident to stay out on the streets late at night without fear. So a small sacrifice in privacy for some gained liberty.
But still this is all being a bit optimistic in trusting the government with so much sensitive data. Not only for the potential of corrupt/inept people within the government (and this potential being increased due to more info/power at their fingertips), but mainly because it risks being compromised by people who shouldn’t have access to it. Letting the government handle more data only increases the incentive for bad guys to go after it.
We were pretty much ready for the debate but Hayden pulled a fast one on us and switched it up. Right as we lined up to present/discuss our ideas he told us we now have to argue for the other side’s position. It was actually pretty interesting because it put us on the spot with something we weren’t expecting.
There were plenty of decent points on either side but I think by the end most were in agreement that the government should not be collecting or have access to any more data than they currently are.
Self-driving cars
Giggle
Assets to protect
People (their safety, wellbeing, liveliness)
Earth/environment
Cars, both driverless and electronic
Main risks
Potential for things to malfunction/code to break and jeopardise the safety of humans
Hackers hijacking electronic cars could be catastrophic
‘Solutions’ to risks
There must be failsafes if things are going wrong. Other cars must be able to detect if another car has malfunctioned and is not exhibiting expected behaviour. Malfunctioning cars should have failsafes to stop or have their control be able to be overridden.
Hackers - Security standards of the implementation of driverless cars, and similarly have failsafes.
Recommendation: Should we change the legislation yes/no and reasons? Yes. Main reason is that undoubtedly a significant number of human lives will be saved in the long run. Although humans lose some of the control and they may be uncomfortable with this idea, the statistics clearly show that it increases overall safety by eliminating the human error component of driving.
Some other good ideas from others were the efficiency of the traffic network as a whole as an asset, and the risk of affecting other industries such as taxis, trucks.
Some stats
The above sections were the ideas my group and I came up with in the tute amongst ourselves, but I decided to do some extra research out of curiosity, and also because I made the claim that the stats show self-driving cars increase overall safety (of which I was pretty sure but didn’t back up with anything).
According to this Swinburne article, human error is to blame for up to 90 per cent of the 1.2 yearly deaths from car accidents throughout the world. http://www.swinburne.edu.au/news/latest-news/2017/09/self-driving-cars-could-dramatically-reduce-the-road-toll.php
Interestingly enough though, a survey conducted by the University of Michigan’s Transportation Research found that most drivers were not in favour of automated vehicles and would instead “prefer to retain full control over their vehicles”, even if they were told they were safer overall. Some estimates show that by reducing just the human error factor, 300,000 lives could be saved each decade in the US, and this would save 190 billion USD a year in healthcare. https://www.sciencealert.com/driverless-cars-could-reduce-traffic-fatalities-by-up-to-90-says-report