Friday, April 18, 2014

Write-Up: [SOLVED] SANS Easter Challenge - The Mystery of the Missing Easter Bunny

WARNING

Complete spoilers ahead!  If you want to try the challenge first on your own, do not read this post.  You've been warned.

Bunny-Napped!

Scenario: The Easter Bunny has been kidnapped, and YOU have to save him! Quickly collect yourself and help save him. Put on your detective hat and start investigating the clues provided.




These are the two clues provided to help you get started:
  1. An intercepted message from the bunny-nappers
  2. Ciphertext:
    • Dsemvnqwlnmmzvi! Cc jagpbussnpwg tfgzvlroknt mlta cfwjgkr vqu phywl bfx kni Rxutrk Tztydi btsj lh tux asmhfesuygp qf gai Piiuii Zieoqrvlxd. Bxf gioqvkclf aegm ivgtkwfcwlyr fpmd btgxiubpdrw, xsidlw ku cbr! Vhngod nes cfav tlqd jhvv, ide M yutr fv wnl jfv. Xfvv ow geg fvgew xqsx fl xub Gafmic Kxbpckrtb: jtgi://ahe.ifglxiflnugbsya.dp/iryxro-ehneppvwf-xyk-qlpveer-sq-bxf-qzywvki-enlxpz-rvree/
    • Hva aoh emvm yu? Pvgzr x eozfiyb qoh ckx zb mnbp :)

My Methodology

First try: the lazy way.  I snagged the ciphertext and threw it in Decrypto by Blisstonia software in the hopes the answer would be solved by automation.  No such luck.

Second try: experience based on past crypto challenges.  I downloaded Cryptocrack, which I heard about in the CyberPatriot competition and ran it through a couple ciphers.  Again, no such luck.


Winning try: tackling the mp3 first.

This Sounds Weird

After downloading the mp3, I listened to it, and it had that weird sound I can only describe as recognizing when something is played backwards.  To see if that hunch was right, I downloaded Audacity and used the Reverse effect.  Playing it after that effect revealed someone speaking letters in the NATO phonetic alphabet.  When you record all the letters it instructs you to access a dropbox user content URL.

Image Analysis

Visiting the dropbox URL invokes a download of an image of John Malkovich holding a gun to a bunny's head.  The file was a jpeg, so I figured there had to be something embedded in either the metadata or the picture itself via steganography.  I didn't feel like downloading a piece of software for analysis, so I searched for photo forensics and came across this handy site: http://fotoforensics.com.  Once you upload the picture and look at the metadata output, you'll see in the Comment field this description:
The ciphertext is created using the famous Vigenere cipher, once considered unbreakable. The key to reveal the cleartext is a combination of the a town located at the X Y coordinates where this picture was taken, and the make of the camera.

Obtaining the Vigenere Key 

If you pop in the coordinates to mapping tools, you'll see it locates the town you need.  Adding the town name only plus the make with no spaces provided the key.

Last Step

Deciphering the text reveals a URL for you to visit along with a message of thanks for assisting and instructions for you to let the Easter police know what you've found.  When you visit the URL, you'll see a password prompt, into which you can enter the Vignere key and get a nice picture of the Easter Bunny waving and saying how thankful he is that you helped save him!


I submitted more details of my write-up in response to the challenge, but alas, I was too late.  It was fun though!  Thanks to the SANS folks to continue to provide these fun contests!

Read More

Tuesday, April 1, 2014

Spring Cleaning the Security Settings

Clean Up Those Security Settings!


I Decided did at a minimum each Spring I would endeavor to review my security settings across websites, apps, browser, and devices to make sure all security switches were enabled to the fullest extent possible. I'm posting this entry as a cheat sheet of sorts to Quickly jump to security settings pages. If you're aware of other settings pages That should be added, please submit them in the comments below!

Last Update: 10 SEP 2014

Account Security

Enable Two-Factor Auth  (list maintained by others)

Google Security Settings  (make sure you're signed in)
Google Apps Connected  (revoke access to the ones you no longer use)
Google Drive Apps  (click on the settings gear, and click on "Manage Apps")
Google Location History (turn on / off)
Google Picasa Settings (that Affects your G+ photos)
Google Music (authorize / de-authorize devices)
Google Web History (tracks your searches)

YouTube (connected accounts)

GitHub  (connected apps)

Twitter  (connected apps)

Dropbox (connected devices)

Device Security

Amazon Registered Devices  (Instant Video / Prime)

Browser Security




Read More