Sunday 15 April 2018

FAQ I True Mart data leak

On Friday, I published my findings on a data leak of citizen data by a company in Thailand. The Register also picked up the story, and the reaction on Twitter was relatively muted.

However, on Saturday this all changed. My Twitter mentions were all in Thai and my DMs were filled with people asking for their data and what they should do.

To save my sanity and stop the spread of misinformation, here are some clarifications in a Q&A style:

Q. Did you hack the site?
No. I found the location. The best way of describing it is that it was a lucky guess.

Q. True Corp are saying it is a hack?
It is a data leak. There was no security on the S3 bucket holding the data. Google, or any other search engine, could have indexed it. If you found it, it was the same as browsing to a website.

Q. Did you download all of the data that was publicly accessible?
No. I selected 4 files at random to verify the contents of the bucket. Beyond those initial files, which confirmed that the bucket was holding sensitive data, I did not download any other files. At that point, I notified True Corp of the issue.

Q. Have you a copy of my data?
No. I have deleted all files related to this disclosure.

Q. Can you help me find if my data was in the leak?
No. I do not have a copy of the data, nor can I check whether your data was in the leak. You can, however, ask True Corp to verify that your data was not in that particular location.

Q. What did you do once you found the files?
I notified True Corp support, as detailed in my original post.

Q. How many files were involved?
45,736 files, a mix of JPG and PDF files.

Q. How did you find out there were so many files?
I used a tool called s3-ncdu to generate a list of all of the files and their sizes in the bucket. This showed the folder structure and approximate file sizes.

Q. How long was the data available?
At least from when I found it until 12-April-2018. It could have been available before that as well.

Q. Could someone else have found it other than you?
Yes. If I found it, someone else could have done so.

Q. Could someone else have downloaded the data?
Yes. If they wanted to, they could have downloaded the entire bucket.

Q. People are calling you a hacker, is that true?
No. There was no hack here: the files were publicly accessible on an unsecured system. This means that anyone could have found them, with a careful Google search for example. No tools other than your browser (IE, Chrome, Firefox etc.) are needed. What I did was find the issue, alert True Corp to the mistake and push them to fix it before anyone else could find it and abuse it.

Q. Why did you wait one month before publishing?
To ensure that people's data was not put at risk by my publishing this information, I had to wait until the files were no longer available. If I had published while the files were still available, someone else could have found them and used them for bad things.

Q. Why didn't True Corp respond?
When you send information like this to a company, some are very good and will respond within minutes and fix the issue. Others take more time, or do not have the correct processes in place to handle this type of problem.

Q. What is the risk to my data?
I don't know. I can only give information on the technical part of this issue.

Q. What should I do if I am worried my data was in this leak?
Contact True Corp to verify that your data was or was not in the leak. Once you know, you can decide on the correct course of action for you.

Q. How could this happen that the data was not protected?
It could have been a simple oversight due to a lack of testing or of understanding of the security implications. Someone could have disabled security accidentally, or worse, someone could have turned it off maliciously, which would be a more worrying issue.

Q. Where can I find more information?
Please see the ThaiCERT page here.

Q. Have you been contacted by the company after this?
No. They have not contacted me to ask for clarification on any of the issues.

Friday 13 April 2018

Another telco is failing at security

Update: 14-04-2018 : True Corp have issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai 

Back in January 2018, while at NDC London, Scott Helme introduced me to an interesting new technique for finding Amazon S3 buckets. Using the certificate transparency logs that are created when someone issues a new certificate, you can use the domain names as the wordlist for finding buckets. It's a novel approach, as normally most people use the Alexa top 1 million list.

Luckily there was already a tool for this on GitHub called bucket-stream. I demo'd it at NDC Security Day in Oslo and left it for a bit before coming back to it in March and deciding to do some digging to see what was out there. After about one hour, I had circa 500 open addresses.

What bucket-stream doesn't show is the content of the buckets, only that they are open and the permissions associated with them. To get the contents, you can either visit the site manually and scan it, or find another tool. In this case, that was bucket-finder, which lists the contents of an S3 bucket and reports the public or private attributes.

Having an open S3 bucket is not necessarily a bad thing. For example, you can use it as storage for a website or similar, but when you use it for storing sensitive data and leave it open, that is a serious problem.

The output from bucket-finder showed several issues, such as config files, source code and other potential information disclosures. bucket-finder only gets the first 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and whether there was a way to identify the owner if the need arose.

One such owner was True Move H, the second largest mobile operator in Thailand (source: Wikipedia). Their name was in the folder that contained many files, mainly JPGs and PDFs. The first interesting thing I observed was the path format: truemoveh/idcard/YYYY/MM/FILENAME.

I checked the first couple of files in the directory: one was a picture of a Minion from Despicable Me and some were logos. This led me to believe that it was a development server, but the site name contained -prod, so I scrolled further down and opened a later file, which was a scanned ID card of a Thai citizen.





At this point, I realised that they were storing scanned ID cards collected from customers in this S3 bucket, and there was no security on it at all protecting the files. Simply put, if you found the URL, you could download all their customers' scanned details.

In all, over 32GB of data existed in this bucket, totalling 46K files, neatly organised by year.
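The FAQ above mentions using s3-ncdu to count files and sizes, and this post notes that bucket-finder stops at the first 1000 keys; this added example (not from the post or from either tool) walks every page of a ListObjectsV2-style listing and totals object count and bytes per year folder, which is the scoping step an incident responder needs for a bucket like this. The list_page callable and the example/idcard/YYYY/MM keys are constructed stand-ins for the S3 API.

```python
from collections import defaultdict

def inventory(list_page, depth=3):
    """Follow continuation tokens until IsTruncated is false and aggregate
    object count and bytes under the first `depth` key segments.
    list_page(token) must return a dict shaped like an S3 ListObjectsV2
    response (Contents, IsTruncated, NextContinuationToken)."""
    totals = defaultdict(lambda: [0, 0])  # prefix -> [count, bytes]
    token, pages = None, 0
    while True:
        page = list_page(token)
        pages += 1
        for obj in page.get("Contents", []):
            prefix = "/".join(obj["Key"].split("/")[:depth])
            totals[prefix][0] += 1
            totals[prefix][1] += obj["Size"]
        if not page.get("IsTruncated"):  # one page only proves "at most 1000 keys"
            break
        token = page["NextContinuationToken"]
    return pages, {k: tuple(v) for k, v in sorted(totals.items())}

# Constructed stand-in for the S3 API so the example runs offline: keys follow
# the example/idcard/YYYY/MM/FILENAME layout and are served 1000 per page.
def make_fake_bucket(files_per_year, page_size=1000):
    keys = []
    for year, n in files_per_year.items():
        for i in range(n):
            key = f"example/idcard/{year}/{i % 12 + 1:02d}/f{i:05d}.jpg"
            keys.append((key, 700_000 + (i % 300) * 1000))  # plausible scan sizes
    keys.sort()  # S3 lists keys in UTF-8 binary order
    def list_page(token):
        start = int(token) if token else 0
        chunk = keys[start:start + page_size]
        page = {"Contents": [{"Key": k, "Size": s} for k, s in chunk],
                "KeyCount": len(chunk),
                "IsTruncated": start + page_size < len(keys)}
        if page["IsTruncated"]:
            page["NextContinuationToken"] = str(start + page_size)
        return page
    return list_page

if __name__ == "__main__":
    pages, totals = inventory(make_fake_bucket({"2016": 1200, "2017": 1500, "2018": 300}))
    print(f"{pages} pages fetched")
    for prefix, (count, size) in totals.items():
        print(f"{prefix:22s} {count:6d} files {size / 1e6:9.1f} MB")
```

With boto3 the same function can be pointed at a real bucket via lambda tok: s3.list_objects_v2(Bucket=name, **({"ContinuationToken": tok} if tok else {})); boto3's get_paginator("list_objects_v2") does the token handling natively.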




I connected with True Move H on Twitter to ask for some contact information and they sent me to their support email address.



I sent their support department a full report on Saturday 10-Mar, detailing how this was found and giving examples of the files that were available, and asking to talk to their security team.

The response was quite shocking. They admitted not having a security department and said that I should contact their head office during business hours.





Now it was a case of trying to figure out what to do. I contacted Scott Helme to get his advice on the most effective course of action. He suggested that I should contact some journalists to help put pressure on them to get this blatant problem fixed. Scott connected me with John Leyden of The Register, who also pushed True Move H to fix it.

We had heard nothing for 2 or 3 weeks, and I decided that I was finally going to press the issue, so I told them on Mon 02-April that I would be publishing an article the following week.


On Wed 04-04, both John and I received identical messages from True Move H, saying that a team had been informed and was working on it.



I checked again on Thursday 12-April at 10:00 to verify whether the files were still available, and they were. At 19:00 they had finally been made private.

Unfortunately, this is not the first time this company has had issues with ID cards. Back in 2016, True Move H issued a SIM card to a thief without checking ID first, and the person linked to the SIM card lost a substantial sum of money.

Along with T-Mobile Austria last week, telcos are seriously failing at security and at protecting their customers' privacy. You should contact your provider and ask what they are doing to ensure this type of thing doesn't happen.


Sunday 3 January 2016

Configuring the Wi-Fi Pineapple Nano

With the new white user interface for the WiFi Pineapple, there are some things that are not quite apparent when you are setting it up. So here is my quickstart guide to configuring the Pineapple with Windows (10 in my case).

Setting up your network

Once you plug in your Pineapple, Windows begins to install the necessary drivers and sets itself up to use the device. Once it is installed, the network adapter will appear in the Network and Sharing Center. You should now enable sharing from your internet-enabled network adapter to the Pineapple.

I usually rename the adapters based on what I use them for because I have on average 6 different network cards attached to my machine at any given time.

To rename your network adapter, open Network and Sharing Center and click the Change adapter settings link in the left menu. Right-click the network you want to rename and click the Rename menu item. Your Pineapple will be the ASIX AX88772A USB2.0 to Fast Ethernet Adapter type. In the screenshot you can see that I have renamed mine to "Pineapple".


Now you can share your internet access using the Internet Connection Sharing function in Windows. Right-click the network that has internet access and click Properties. Select the Sharing tab and check the box Allow other network users etc. Select the Pineapple from the dropdown and click OK.


A small caveat here. Sometimes (i.e. more times than I would like), Windows will change the IP address of the Pineapple adapter to its own internal sharing address. So make sure your settings are correct for the Pineapple by right-clicking the network adapter and clicking Properties. Double-click Internet Protocol Version 4 (TCP/IPv4) and check that your IP address is 172.16.42.42.


Configure defaults on the Pineapple

At this point, you can browse to http://172.16.42.1:1471 and log into your Pineapple.


First things first, you should update your timezone settings so you can see the correct timestamps against your logs. Go to http://172.16.42.1:1471/#/modules/Configuration and change your timezone to your local one. Remember to click Save Time Zone.


Browse to the PineAP settings page at http://172.16.42.1:1471/#/modules/PineAP.

Here is where you can set up the default settings for your Pineapple to persist from session to session. In my case I have set the following:


If you want these settings to stay the same between reboots, click on the dropdown arrow beside the Configuration titles to save the settings as defaults.


That will get you started at least with the Nano. The next post will detail how to create storage and swap partitions on a MicroSD card to use with the device.

Friday 1 January 2016

First look at the Wi-Fi Pineapple Nano

If you have seen any of my security presentations or attended any security talks hosted by Troy Hunt, you will be familiar with the Wi-Fi Pineapple. This is a small rogue access point that you can deploy within a couple of minutes and cause havoc with the Wi-Fi connections of the people around you. Hak5, the creators of the Pineapple, have now updated their product line with the new Wi-Fi Pineapple Nano.

The main reason for the update is the scarcity of the components that made up the Mark V, and also that the ways people use the Mark V have changed. So the new Nano addresses these concerns with new radios and a new form factor.

I ordered mine from the US on the 20th of December, and I had it in my hands on the 24th of December in Ireland. So here is my review of the new Wi-Fi Pineapple Nano.

NOTE: The Wi-Fi Pineapple Nano is available as a developer kit right now, as Hak5 are waiting for SAR certification. This means that it's not official yet, but the hardware is V1.0 and ready to use. If you are buying this type of equipment right now, it shouldn't make any difference to you, but Hak5 have to tell you this.

What's in the box?

Opening the box you see straight away the new Nano form factor nicely cradled in protective foam. Under that is a USB Y-Cable for powering the device, 2 RP-SMA antennas and a very small instruction card. I picked up the Tactical edition which includes a Pineapple Juice 4000 battery pack, an attachable pouch and a morale patch.

With a standard issue external hard disk for scale

Nano in its protective foam

Unboxed and with an external hard disk for scale

The device has 2 Atheros high gain radios and a USB Ethernet adaptor. With the new USB Ethernet adaptor interface, you can power the device from your PC. It also means that the device can be used by mobile phones that have support for USB Ethernet such as Android devices. This makes the Nano much more mobile and easier to use in public places.

Setup

Setting up the device is a lot easier than it was with the Mark V. You just plug it in and it automatically assigns itself the correct IP address, as compared to the Mark V where you have to reconfigure the network settings.

You can go to http://www.wifipineapple.com/nano to get the latest walkthroughs on setup and also a copy of the latest firmware for the device.

On first browsing to the Admin page, you are greeted with a page prompting you to update to the latest firmware. The page advises turning off the Wi-Fi radios using the multi-function reset button. A quick press turns off the radios and you can upload the latest firmware. It is a similar process to the Mark V after that: you create a new root password, and an SSID and password for it. Once that is done you log in to the new Admin UI.

Admin UI

The new admin dashboard is a change from the existing Pineapple Mark IV and V UIs. It's white for a start, and not panel driven as in the previous incarnations. This is both good and bad, and I will go through these points later.


The menu on the left shows all the different areas that you can play with. One of the major improvements is that you get a responsive design in the UI, so it will work on mobile devices.

One of the issues I have found with the new UI is that, unlike the previous black UI, this version does not auto-refresh, so you will need to manually refresh the page to see the uptime, new SSIDs in the pool etc. I am guessing that with such an early release this will be fixed in newer updates.

On the new PineAP menu you have the configuration for the powerful PineAP features. This is what allows you to spoof SSIDs and also attract devices to your access point instead of the real ones.


You need to enable the PineAP Daemon if you want to use the additional options below it, such as Beacon Response and Broadcast SSID Pool. The SSID broadcast is one of the most useful features in the whole Wi-Fi Pineapple arsenal, as you can create a custom SSID list with the most common SSIDs in use, which can be hotels and airports in the area. Hotel chains normally use the same Wi-Fi name so their customers will have an easier time connecting. All the better for me!


The new reporting module is what really struck me. For extended engagements, you can get reports emailed to you, which also helps paint a picture when you are doing recon for a penetration test. Stick this device under a desk in a cable mounting and it will work away happily, sending you information.

Overall thoughts

The Nano is not the successor to the Mark V but an update of the existing concept. It is wrapped in a new, more portable form factor, but it is still limited to the 2.4GHz range. The very recently announced Wi-Fi Pineapple Tetra will allow both 2.4GHz and 5GHz in the one box and looks more like the Pineapple Mark VI.

Does that mean that the Nano is already out of date? No! It still serves a very handy purpose. More devices operate on the 2.4GHz frequency than on 5GHz, and I don't know off the top of my head whether any devices work exclusively in the 5GHz band. For portability, this device is excellent, and it is also discreet in comparison to the Mark V, which is saying something considering how small the Mark V is.

Depending on your usage requirements and your attack scenarios, the Nano will make more sense than the Mark V or the Tetra.

If you are in Oslo for the ProgramUtvikling Security Day, you will get a chance to see the device up close and have a play with it.