
Thursday, May 8, 2014

Competitive Intelligence Contest at PHDays III Writeup

Many things have changed since the Competitive Intelligence contest was last held. Snowden exposed the NSA, and it turned out that it is not only gossip-hungry housewives who pry into people's lives on the Internet, but also serious specialists, helped by MIT mathematicians. The security of both proprietary and open-source protocol implementations proved to be far lower than expected. Big-data processing algorithms in cloud solutions now allow tracking correlations between bitcoin transactions, which were previously considered safe and anonymous…

Three winners, those who solve the tasks faster than the others, will receive free tickets to PHDays IV, where they will be generously awarded. The prize for first place is an iPad. The contest will be held one week before the forum and will last two days, May 15 and 16.

You are welcome to register at http://www.phdays.com/registration/.


This year's contest sponsor is Zecurion.


Writeup: Competitive Intelligence at PHDays III

The main idea of the "Competitive Intelligence" competition was to employ real-world methods of data collection and analysis, penetration testing, search mechanisms and deductive reasoning, as well as to assess the audience's level of information security awareness.

Unlike in 2012, no one managed to solve all of the challenges this year, since the tasks proved more difficult. The winners collected 12 correct answers and were ranked by the time they spent completing the tasks.

Now, let's review the results, give the correct answers to the tasks that were not solved, and look at the amended list of winners.

The company to work with was Godzilla Nursery Laboratory, an international company breeding and selling companion godzillas. Godzillas were chosen deliberately, as they "guarded" a railway in the Choo Choo Pwn competition.


Google directly hints that the official site of this company, with its nice logo, is www.godzillanurserylab.com, and that most employees have LinkedIn profiles. Well, come on!

Note: the percentage of correct answers is based on the total number of answers submitted (we do not take into account competitors who skipped a task). The absolute values are given at the end of this article.




1) What site is at risk for social engineering attacks against the marketing manager? (70% correct answers)

It is easy to find the marketing manager on LinkedIn (use this link, bit.ly/PbJVFH, to find out how to get his name: Randi Klinger). Once you find him, it is easy to see that he is the only active writer in the "Godzilla Nursery Laboratory" group and that all his links go to msn.com.


Correct answer: msn.com

2) What is the email address for the HR director? (9% correct answers)

The main problem was not finding Amber Lester (the HR Director) but understanding that mberlest@gmail.com was her personal email, while pentesters were interested in her public (company) email. It makes sense to suppose that the address looks like mberlest@godzillanurserylab.com. To make sure that this address is the target (and not mberlest@gmail.com or amber.lester@godzillanurserylab.com, which fooled some competitors), just send a letter to it and get the auto-reply ;)



Correct answer: mberlest@godzillanurserylab.com

3) What is the insurance company of a Board of Directors member? (91% correct answers)

Those participants familiar with web application security analysis or web application development had to find the www.godzillanurserylab.com/robots.txt file and go on to the /test/ folder, which contains a lot of interesting material.


The file gmailacc.rar is rather useful, and its password, 12345, takes 5th place in the TOP 10 Passwords list (bit.ly/1h9F92p). There are three interesting things on the screenshot in this archive:


  • The company uses Google Mail for its corporate domain;
  • Gregory Cruanstrom is potentially an interesting person (he is the Head of the Board of Directors; you could find these details on http://www.godzillanurserylab.com/contacts.htm or via LinkedIn);
  • Gregory's email is greg.cru@godzillanurserylab.com with the password cru1crua27 (as per the legend, he took the screenshot in a bit of a panic because Google stopped masking his password!).



If you now attempt to log in with these credentials, you will access the mailbox and find an email from the CEO that says directly «From now we will work with Tokio Marine & Nichido Fire Insurance», which is the correct answer.

Correct answer: Tokio Marine & Nichido Fire Insurance
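The /test/ folder in this task was advertised by the site's own robots.txt, which is a common way for a "hidden" directory to leak. The following script is an added example (not part of the original writeup or of the contest site): it parses a robots.txt file into user-agent groups and flags Disallow paths whose names suggest test, backup or administrative content, so a site owner can review what the file gives away before publishing it. The robots.txt text and the keyword list are constructed for the example.

```python
"""Audit a robots.txt file for Disallow entries that advertise sensitive paths.

Added example, not from the original writeup: every Disallow line is a hint to
anyone who reads the file, so review them before the file goes live.
"""

# Keywords (constructed for this example) that often mark non-public areas
SENSITIVE_HINTS = ("test", "tmp", "temp", "backup", "bak", "old",
                   "admin", "private", "upload", "dev", "staging")

# Constructed sample; not the real robots.txt of the contest site
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /images/
Disallow: /test/
Disallow: /backup_2013/

User-agent: Googlebot
Allow: /test/public/
Disallow: /admin
"""


def parse_robots(text):
    """Return a list of (agents, directive, path) tuples.

    agents is a tuple of the User-agent names the rule applies to; a rule that
    appears before any User-agent line is attributed to '*'.
    """
    rules = []
    agents = []
    in_rules = False  # True once the current group has at least one rule
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules starts a new group
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow") and value:
            rules.append((tuple(agents) or ("*",), field, value))
            in_rules = True
    return rules


def sensitive_disallows(text, hints=SENSITIVE_HINTS):
    """Return the sorted Disallow paths whose segments match a sensitive keyword."""
    flagged = set()
    for _agents, directive, path in parse_robots(text):
        if directive != "disallow":
            continue
        # strip wildcard characters so '/test*' and '/test$' still match
        segments = [s.lower().strip("*$") for s in path.split("/") if s]
        if any(seg.startswith(h) for seg in segments for h in hints):
            flagged.add(path)
    return sorted(flagged)


if __name__ == "__main__":
    for path in sensitive_disallows(SAMPLE_ROBOTS):
        print("review before publishing:", path)
```

Run it against a downloaded copy of your own robots.txt; any flagged path should either be genuinely harmless to disclose or be protected by authentication rather than by obscurity.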

4) CEO’s Home Town (76% correct answers)

To help participants choose a search direction, the CEO had to invent the phrase "I LOVE ICO!!!" and add it to his general information. This hint makes it simple to answer the question: find his UIN and contact information via his first and last name (this information is available on the site and in social networks).



Correct answer: Concord

5) CEO’s Favorite Park (52% correct answers)

The first hint was not enough for some competitors (information about the email.godzillanurserylab.com domain is available on Inessa Golubova's page in the "My World" social network), so we added hints to Maximillian Ozillov's page, like "my email webapp is ***.godzillanurserylab.com". Scanning the existing third-level domains is not a passive information collection method, but it is rather common practice.

Having found the domain, competitors could see a simple login web form that allowed forgetful users to recover their passwords. With the CEO's email (any doubts were dispelled by the http://www.godzillanurserylab.com/contacts.htm page) and the answer to the "secret question" from the previous task, every competitor could access the email interface and see first-hand what the troubled CEO's favorite park looks like. Then just use Google Images to find the name of the park.




Correct answer: St. James's Park

6) Find a biological engineer domain account like (DOMAIN\login) (80% correct answers)

To solve this simple task, search for the biological engineer's account on the "My World" social network by first and last name (acquired from LinkedIn), and find a picture with the correct answer.

Correct answer: GNL\Igolubova

7) What is the name of the company's corporate firewall? (90% correct answers)

Here you can use a helpful Google feature, Google Cache. It helps to find deleted items about Ivanes Inclam (the company's system administrator) on the http://www.godzillanurserylab.com/contacts.htm page. For sure, he knows everything about the company's firewall! Then search for his name and you'll see several forum posts with the correct answer. Unfortunately, most competitors bypassed this scenario and just looked up his job title on his LinkedIn profile.


Correct answer: Kaspersky Security for Internet Gateway Russian Edition

8) CIO’s Full Name (38% correct answers)

Those competitors who remembered the known-plaintext attack against encrypted archives managed to get the CIO's full name. They applied it to the encrypted archive www.godzillanurserylab.com/test/Investigation%20Report.zip. Then, using Advanced Archive Password Recovery from Elcomsoft together with the file src.zip, they decrypted the archive; in several seconds you get a PDF document with the correct answer.


Correct answer: Robert Craft

Note: this person is fictitious and does not in any way refer to Robert Craft, the COO of the Craft group of companies, which has become popular due to the New England Patriots NFL football team.

9) What is the Chief Risk Officer’s phone number? (75% correct answers)

Only three competitors accomplished this task, but unfortunately they were not among the winners. You just had to send a letter to cro@godzillanurserylab.com and look at the contact info on the public http://www.godzillanurserylab.com/contacts.htm page.


Correct answer: 81356873113

10) Remote banking software used in the company (0% correct answers)

Unfortunately, nobody solved this task. The file http://www.godzillanurserylab.com/test/dbo.report.log includes all the information necessary to find the right search direction: it looks as if there is a DBO***.GODZILLANURSERYFANS.INFO domain. If competitors had found the domain name, it would probably have included the name of the remote banking system. AXFR queries can help here.


See the details on these queries: how to use them and how to get all subdomains from vulnerable DNS servers.

Correct answer: DBOINTEGRA
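A zone transfer that any client can request hands out every hostname in the zone at once, which is exactly what would have exposed the DBO host above. The script below is an added example (not from the original writeup, and the domain example.test and the dig output in it are constructed): it parses the output of `dig axfr ZONE @SERVER`, reports whether the server allowed the transfer, and lists the subdomains learned, so an administrator can confirm that their own authoritative server refuses AXFR to unauthorized clients.

```python
"""Check whether an authoritative DNS server answers AXFR, using dig output.

Added example, not from the original writeup. parse_axfr_output() works on
text, so it can be tested on the constructed samples below; run_dig_axfr()
invokes the real dig tool against a server you administer.
"""
import re
import shutil
import subprocess

# One resource record in dig's presentation format: owner TTL IN TYPE RDATA
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Constructed sample of a server that allowed the transfer (domain example.test)
SAMPLE_ALLOWED = """\
; <<>> DiG 9.18.1 <<>> axfr example.test @ns1.example.test
;; global options: +cmd
example.test.        3600    IN    SOA    ns1.example.test. hostmaster.example.test. 2014051501 7200 3600 1209600 3600
example.test.        3600    IN    NS     ns1.example.test.
dbo.example.test.    3600    IN    A      10.0.0.5
mail.example.test.   3600    IN    A      10.0.0.6
example.test.        3600    IN    SOA    ns1.example.test. hostmaster.example.test. 2014051501 7200 3600 1209600 3600
;; Query time: 4 msec
;; SERVER: 10.0.0.2#53(ns1.example.test) (TCP)
;; XFR size: 5 records (messages 1, bytes 220)
"""

# Constructed sample of a server that refused (dig prints '; Transfer failed.')
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr example.test @ns1.example.test
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr_output(text):
    """Return (allowed, records).

    records maps each owner name (lower-cased) to a list of (type, rdata).
    allowed is True only if at least one record came back and dig did not
    report a failed transfer.
    """
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # comments, statistics and blank lines
        match = RECORD_RE.match(line)
        if not match:
            continue
        name, _ttl, rtype, rdata = match.groups()
        records.setdefault(name.lower(), []).append((rtype, rdata.strip()))
    allowed = bool(records) and "; Transfer failed." not in text
    return allowed, records


def hostnames_from_zone(records, zone):
    """List the subdomain labels (without the zone apex) seen in a transfer."""
    apex = zone.rstrip(".").lower() + "."
    return sorted(name[:-len(apex)].rstrip(".")
                  for name in records
                  if name != apex and name.endswith("." + apex))


def run_dig_axfr(zone, server):
    """Run dig against a server you are responsible for and parse the result."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    proc = subprocess.run(["dig", "axfr", zone, "@" + server],
                          capture_output=True, text=True, timeout=30)
    return parse_axfr_output(proc.stdout)


if __name__ == "__main__":
    allowed, records = parse_axfr_output(SAMPLE_ALLOWED)
    print("transfer allowed:", allowed)
    print("hosts learned:", hostnames_from_zone(records, "example.test"))
```

If the check reports that a transfer was allowed from an arbitrary client, restrict transfers to your secondaries (in BIND, the `allow-transfer` option; `allow-transfer { none; };` disables them entirely for a zone with no secondaries).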

11) The cell phone number for the researcher Carlos Bechtol (67% correct answers)

This task was one of the most amusing. First, the competition author Dmitry Evteev found an interesting way to get a phone number from a social network and Google Mail user (bit.ly/1eQyqzZ). However, during the competition this method failed, firstly because of frequent password changes, and then because VKontakte fixed this extremely useful feature :). And finally, we had incorrect digits in the vk.com account's contact details.

For those who were unable to complete the task: a rather rare name allows you to find his account in the social network, and its nickname carlos_bechtol_gmail_com hints at the email carlos*bechtol@gmail.com (the missing character is quickly brute-forced: it is a dot). Then follow the procedure from the article above.

Correct answer: 79166041374

12) All email addresses of Genome Lab Department’s employees divided by spaces (90% correct answers)

We believe that Dmitry Ugrumov of Rosintegratsia described [ru] this competition so well that we cannot do it better.

Correct answer: ceo@godzillanurserylab.com, cro@godzillanurserylab.com

13) What VoIP solution does the company use? (100% correct answers)

Minimal scanning of the 54.245.97.120 IP address (acquired from the previous stage) allows you to detect a service on port 5161 that responds with the "SISCO TELECOM VOIP" banner. But only Sergey Topoltsev managed to get the correct answer.


Correct answer: SISCO TELECOM VOIP

14) The card number belonging to the Board of Directors member (83% correct answers)

As this task was more difficult, we decided to provide two possible ways for competitors to find the answer. The first way assumes that competitors who had completed task 3 would not panic and change the user's password (some competitors started to, but fortunately we anticipated this) and would just think further: Google offers features to integrate its solutions, in particular browser synchronization via a Google account. This means that, having the login and password, you could sign in to Google Chrome and access the account's tabs.


One of the tabs includes the explicit answer to the question. The other, easier way was to suppose that the Chief Information Officer could also be a member of the Board of Directors, and his card number is available from task 8. Only Sergey Topoltsev discovered the answer using the first method described above.

Correct answers: 4401-7864-4568-1145 and 4716-5410-4981-7265

15) What is the chief of security’s car make? (95% correct answers)

Google Street View opens up great opportunities for this question! With his home address (you could get it from LinkedIn contact details and from the contacts page of the main site), we could easily look it up. In this case, we are able to get his car make.


Correct answer: Honda

16) What obsession does the CEO have? :) (58% correct answers)

This task ended up being rather simple: many competitors solved it, and several almost did. Pay attention to the .onion domain, enable Tor and get the competition author's background picture in JPEG format. Its EXIF tags contain the correct answer.

Correct answer: Zillaphilya
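EXIF tags travel inside the JPEG file, so anyone who downloads a picture gets whatever the camera or editor wrote into it. The script below is an added example (not from the original writeup, and not the contest image): it walks the marker segments of a JPEG with no third-party libraries, lists the ASCII tags in the first image file directory (IFD0) such as ImageDescription, Make or Artist, and produces a copy with the APP1/Exif segment removed, which is what a publisher should do before posting images. The function build_sample_jpeg() constructs a minimal JPEG carrying an Exif segment so that the example runs offline.

```python
"""List and strip EXIF metadata from a JPEG without third-party libraries.

Added example, not from the original writeup. The segment walker handles the
length-prefixed marker segments that precede SOS (Start of Scan) and copies
everything from SOS onward verbatim, which is enough to remove APP1/Exif.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"

# IFD0 tags stored as ASCII (TIFF type 2) that commonly leak information
ASCII_TAGS = {
    0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
    0x0131: "Software", 0x0132: "DateTime", 0x013B: "Artist",
    0x8298: "Copyright",
}


def iter_segments(data):
    """Yield (marker, start, end) for each length-prefixed segment after SOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more tagged segments
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def is_exif_segment(data, marker, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def read_exif_ascii(data):
    """Return {tag name: value} for the ASCII tags found in IFD0."""
    found = {}
    for marker, start, end in iter_segments(data):
        if not is_exif_segment(data, marker, start):
            continue
        tiff = data[start + 10:end]
        if tiff[:2] not in (b"MM", b"II"):
            continue
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd = struct.unpack(endian + "I", tiff[4:8])[0]  # offset of IFD0
        count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            entry = ifd + 2 + 12 * i
            tag, typ, n, val = struct.unpack(endian + "HHII", tiff[entry:entry + 12])
            if typ != 2 or tag not in ASCII_TAGS:
                continue
            # values of four bytes or fewer are stored inline in the value field
            raw = struct.pack(endian + "I", val)[:n] if n <= 4 else tiff[val:val + n]
            found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def strip_exif(data):
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out = bytearray(data[:2])
    tail_start = 2
    for marker, start, end in iter_segments(data):
        if not is_exif_segment(data, marker, start):
            out += data[start:end]
        tail_start = end
    out += data[tail_start:]  # SOS and the entropy-coded data, unchanged
    return bytes(out)


def build_sample_jpeg():
    """Construct a tiny JPEG with an Exif segment (sample data, not decodable)."""
    entries = [(0x010E, b"constructed sample: home office photo\x00"),
               (0x010F, b"ACME Cam\x00")]
    data_offset = 8 + 2 + 12 * len(entries) + 4  # header, count, entries, next-IFD
    ifd, blob = struct.pack(">H", len(entries)), b""
    for tag, value in entries:
        ifd += struct.pack(">HHII", tag, 2, len(value), data_offset + len(blob))
        blob += value
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd + struct.pack(">I", 0) + blob
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    comment = b"\xff\xfe" + struct.pack(">H", len(b"constructed") + 2) + b"constructed"
    return b"\xff\xd8" + app1 + comment + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", read_exif_ascii(sample))
    print("after: ", read_exif_ascii(strip_exif(sample)))
```

For real files, read the bytes from disk, check read_exif_ascii() to see what would be disclosed, and write the output of strip_exif() as the version to publish; other metadata segments (XMP in a second APP1, or IPTC in APP13) can be dropped by the same walker with an extra marker check.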

Results

This year's competition had one more new feature: competitors were not told which of their answers were correct, only the total number of correct answers, updated every half hour. This helped us prevent possible brute force, though we did notice some attempts :) But anything for a quiet life! Unfortunately, we had to check certain answers manually, which may have upset (partly understandably) some competitors.


Questions 2, 9, 10 and 13 turned out to be the most difficult.

Summary

Security specialists from Godzilla Nursery Laboratory also tracked the "attackers" who tried to collect information about their colleagues. All actions were within the law; nobody tried to get too deep inside or do anything like what is described in the "Honeypot that Can Bite: Reverse Penetration" report by Alexey Sintsov. But simple data collection, by the methods shown by Andrey Masalovich ("Internet Competitive Intelligence"), allowed us to find details about the competitors:


  • A chess candidate master, who was born in Barnaul and attended NSU, "Automatic developing systems" department, who used to like listening to loud music as a student, and likes the figure 8 in telephone numbers
  • An Indian native who studied at Carnegie Mellon University
  • A fan of rare and unusual programming languages who lives in a Siberian town at Voennaya st., 7-xxx-xxx, and is a Pisces
  • Many attendees of Positive Hack Days forums: Young School (2012), Fast Track (2013), including a speaker on Internet anonymity :) and a person who knows a lot about protected flash storage development and is also interested in payphones


Many thanks to all competitors! Please send your ideas and suggestions to ci@ptsecurity.ru. Bye for now!

Disclaimer: all characters depicted are fictitious and any resemblance to real people is coincidental and not intentional.
