Last Updated: 2009-09-28 16:22:33 UTC
by Joel Esler (Version: 2)
One of the friends of the Internet Storm Center, Johnathan Ham, put out a nice Network Forensics Puzzle Contest. Check it out below.
The answers can be sent to the email listed below. (Don't sent them into the Internet Storm Center. It's not our contest!)
*Prizewinner to be announced at Sec558 "Network Forensics" in San Diego, 9/16-9/18.
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe.
Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious-- until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
"We have a packet capture of the activity," said security staff, "but we can't figure out what's going on. Can you help?"
You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:
1. What is the name of Ann's IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?
Here is your evidence file:
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
Email submissions to email@example.com. Deadline for submissions is 9/10. Good luck!!
UPDATE: We usually don't update these older diaries, however, since so many submissions/email has been sent about this, I thought I'd update it. The results are in, and posted here.
Last Updated: 2009-08-20 13:12:37 UTC
by Joel Esler (Version: 1)
Time for your daily patch.
CORE security technologies published a vulnerability in libpurple. Libpurple is the backend frame work to many Instant Messenger clients.
Pidgin, Finch, Adium, Meebo, and Gaim among others. Although CORE only specifically mentions GAIM, Libpurple, Pidgin, and Adium specifically, the other libpurple based ones may be vulnerable as well.
Versions of Libpurple <= 2.5.8 (Pidgin <=2.5.8 and Adium <=1.3.5) are vulnerable. The vulnerability is an exploit in the function msn_slplink_process_msg() which handles instant messages from the MSN network.
All it takes to exploit this vulnerability is to receive a message from another MSN user. They do not have to be on your buddy list. Unless your buddy list states that you only allow specific users to contact you, it's the only mitigation step. (Other than patching or logging off of the MSN network.)
Upgrade to a version of your respective IM client that is based off of pidgin. Non vulnerable versions of Libpurple are >=2.5.9.