The TrackMan mouse has four physical buttons: a large left and right button (1, 3) that serve as the primary mouse buttons, and two smaller left and right buttons (8, 9) that trigger your browser’s “back” and “forward” actions. To replace that action with “Ctrl+Click” for scrolling, insert the following lines in your ~/.bashrc (or anywhere else that can call some commands):
I recently stumbled upon a copy of RedStar OS, which appears to be a RHEL-based server distribution developed by North Korea. Version 2.5 was initially purchased and reviewed by a Russian student studying abroad, and a user by the name of slipstream uploaded version 3.0 (server) to TPB in mid-2014.
Several reports portray it as a tool to monitor web usage by the regime, and while I don’t doubt that, it seems unnecessary to repackage an operating system to do so. It seems more likely that it’s a symbol of sovereignty and independence from Windows (made in USA). Since North Korea’s internet is a giant class A network (10.76.1.0/22), any reporting software would likely try to report to an otherwise “internal” network. For example, the browser packaged with the OS has its homepage set to 10.76.1.11. A quick Wireshark analysis didn’t reveal anything immediately suspicious, but I’ve yet to dig into that fully.
On the surface, it’s a pretty hollow clone of RHEL using KDE desktop. The directory structure is a cross between OSX and *nix, as is the overall feel of the desktop environment.
It comes with a couple of standard applications – a calculator, notepad, contact book, etc., as well as QuickTime and Naenera Browser (a Firefox clone). Since Naenera (“my country”) is also the name of the official web portal, and most citizens can’t access the “international internet”, the two might as well be synonymous.
You can see the public-facing Naenera at http://www.naenara.com.kp/en/, but be aware that they’ve been known to inject malware on some of their public-facing sites.
It’s also interesting to note there’s a CHM (compiled HTML) viewer. This is typically used for software documentation, and that very well may be the case here. I’d be interested to see if this is utilized for something akin to Cuba’s Paquetes, downloading parts of the Kwangmyong, or something altogether different. (There is an empty “Sites” folder in the user’s home directory.)
There’s an OpenOffice clone, called Sogwang Office.
It also has this music composition program, UnBangUI:
The mail program doesn’t have any clear way to add an email account, but does prevent you from checking mail until you’ve added one.
The software center only allows importing from /media. There is a repository of extra applications that’s offered on a second CD (the Russian site says the extra CD costs about twice what the original OS costs), and I haven’t started to dig through that yet.
In the “System Update” area, the Settings dialog shows a location for a URL and proxy, but I’m not sure it’s usable.
Interestingly, the user isn’t added to sudoers and the root account is disabled. Fortunately, this is trivial to bypass, since someone “overlooked” the permissions in /etc/udev/rules.d. If you’re looking for a terminal shortcut, you won’t find it – you’ll have to press Alt+F2, then run konsole to get a shell.
Once you’ve done that, fire up vi and create /tmp/freedom, or whatever you’d like to call it.
Now, open up that file in /etc/udev/rules.d and call /tmp/freedom via a RUN expression:
Now that that’s taken care of, you’ll need to refresh the udev rules. In VirtualBox, this worked simply by taking a snapshot, but you might have to reboot.
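As an added check (my own example, not part of the original post), the following Python script audits a udev rules directory for exactly the weakness this relies on: rule files, or the programs their RUN entries launch, that an unprivileged user could have written. It assumes a Unix host and builds a constructed sample tree with hypothetical paths instead of touching the real /etc/udev/rules.d.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# RUN+="/path args" or RUN{program}+="/path args"; capture the program path.
RUN_RE = re.compile(r'RUN(?:\{[a-z]+\})?\s*\+=\s*"([^"\s]*)')


def world_writable(path):
    """True when 'other' may write the path (mode 666 file, 1777 directory)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def run_targets(rules_text):
    """Absolute program paths launched by RUN entries in one rules file."""
    return [t for t in RUN_RE.findall(rules_text) if t.startswith("/")]


def audit_rules_dir(rules_dir):
    """Return (path, problem) pairs; an empty list means nothing was found."""
    problems = []
    for rules in sorted(Path(rules_dir).glob("*.rules")):
        if world_writable(rules):
            problems.append((str(rules), "rules file is world-writable"))
        for target in run_targets(rules.read_text(errors="replace")):
            if world_writable(target):
                problems.append((target, f"RUN target of {rules.name} is world-writable"))
            elif world_writable(os.path.dirname(target)):
                problems.append((target, f"RUN target of {rules.name} lives in a world-writable directory"))
    return problems


def build_sample():
    """Constructed layout mirroring the post: an editable rules file whose RUN
    entry launches a script from a /tmp-like directory (hypothetical paths)."""
    base = Path(tempfile.mkdtemp(prefix="udev-audit-"))
    rules_d, tmp = base / "rules.d", base / "tmp"
    rules_d.mkdir()
    tmp.mkdir()
    tmp.chmod(0o1777)  # sticky and world-writable, like /tmp
    script = tmp / "freedom"
    script.write_text("#!/bin/sh\n")
    script.chmod(0o755)
    rules = rules_d / "99-local.rules"
    rules.write_text(f'ACTION=="add", SUBSYSTEM=="block", RUN+="{script}"\n')
    rules.chmod(0o666)  # the overlooked permission
    return base


if __name__ == "__main__":
    # Runs against the constructed tree; pass /etc/udev/rules.d to audit a host.
    base = build_sample()
    for path, problem in audit_rules_dir(base / "rules.d"):
        print(f"{problem}: {path}")
```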
Enabling English on RedStar OS
Once you’re back up and running, you’ll likely want to enable a language other than Korean. While some reports state that Korean is the only language on the system, this isn’t true; it’s just that Korean is selected by default. Now that you have sudo superpowers, this can be done easily with sed (obviously, for a language other than US English, use the appropriate locale code):
sed -i 's/ko_KP/en_US/g' /etc/sysconfig/i18n
sed -i 's/ko_KP/en_US/g' /usr/share/config/kdeglobals
Log out, and you should see the login screen in English:
That’s it! You should now be able to browse around the OS relatively easily. I’ll post some interesting findings later, once I’ve had an opportunity to dig through it more.
I received this error after making some changes to a Hiera config and the referenced “dev-server” role.
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Error from DataBinding 'hiera' while looking up 'role::dev-server::use_ssl': undefined method `empty?' for nil:NilClass on node servername.local
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
It turns out this is a vague syntax error. Checking the following has worked for me:
Ensuring the syntax of your Hiera YAML or JSON file is correct. Check for trailing commas in JSON, or misplaced colons. (“foo:bar”, “foo::bar:”, “foo:::bar”, etc.)
The variable name is unique. In one case, “dev-server::use_ssl” was configuring a child resource with the same “use_ssl” property/param/variable.
There are no empty YAML or JSON files in your hieradata directory. I think I’ve had a similar issue with temp files (*~).
If you’ve modified your hiera.yaml to add a new hierarchy or something, restart Puppet.
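The checklist above lends itself to a small pre-flight script. The following is my own added example, not part of the original post: it walks a hieradata directory and flags stray editor backups, empty data files, invalid JSON, and top-level YAML keys whose colons are not the exact “::” separators Puppet expects. It only inspects the files; it does not evaluate Hiera lookups, and the sample tree it builds is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

DATA_EXT = {".yaml", ".yml", ".json"}
# A Puppet-style key is segments joined by exactly "::"; "foo:bar", "foo::bar:"
# and "foo:::bar" each contain a colon run that is not exactly two long.
BAD_COLONS = re.compile(r"(?<!:):(?!:)|:{3,}|::$")
# Top-level "key: value" line in YAML (nested keys are indented, so skipped).
KEY_LINE = re.compile(r"^([A-Za-z_][\w:\-]*?)\s*:(?:\s|$)")


def check_hieradata(root):
    """Return (relative path, problem) pairs; an empty list means nothing obvious."""
    root = Path(root)
    problems = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name.endswith("~") or path.suffix not in DATA_EXT:
            problems.append((rel, "stray file in hieradata (editor backup?)"))
            continue
        text = path.read_text(encoding="utf-8")
        if not text.strip():
            problems.append((rel, "empty data file"))
            continue
        if path.suffix == ".json":
            try:
                json.loads(text)
            except json.JSONDecodeError as exc:
                problems.append((rel, f"invalid JSON: {exc.msg} at line {exc.lineno}"))
            continue
        for line in text.splitlines():
            m = KEY_LINE.match(line)
            if m and BAD_COLONS.search(m.group(1)):
                problems.append((rel, f"suspicious key {m.group(1)!r}"))
    return problems


def build_sample():
    """Constructed hieradata tree reproducing the checklist's failure cases."""
    root = Path(tempfile.mkdtemp(prefix="hieradata-"))
    (root / "common.yaml").write_text("---\nrole::dev-server::use_ssl: true\n")
    (root / "dev.yaml").write_text("---\nrole:dev-server::use_ssl: false\n")
    (root / "nodes.json").write_text('{"role::dev-server::use_ssl": true,}\n')
    (root / "empty.yaml").write_text("")
    (root / "common.yaml~").write_text("---\n")
    return root


if __name__ == "__main__":
    # Runs on the constructed tree; pass your real hieradata directory instead.
    for rel, problem in check_hieradata(build_sample()):
        print(f"{rel}: {problem}")
```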
This is a series of posts on CryptoPHP, a PHP backdoor used for spamming and blackhat SEO. It seems to come bundled with certain copies of WordPress themes from unofficial sites and resides in a file named “social.png”. It comes installed with a list of email addresses and domains to contact and communicates with a C2 server using cURL and OpenSSL for encryption. Its main purpose appears to be to facilitate the display of links and other content, sent from the C2 server. When the script determines that a web crawler (e.g., GoogleBot), and not a real user, is viewing the site, it injects links to third-party sites in hopes of being indexed.
CryptoPHP communicates with external servers, requiring multiple external requests. You may see the following symptoms:
WordPress is slow to load, especially during the first pageview
Error messages in your server log, possibly due to failed requests.
Error messages from IDS/IPS or other security software (e.g., Suhosin) indicating that someone is making calls to exec and eval.
A few days ago, I noticed that a WordPress installation was running extremely slowly. After enabling xhprof and profiling the index page, I noticed that a single method (RoQfzgyhgTpMgdUIktgNdYvKE) was taking around 160 seconds to run. The method name (others in the stack were similarly named) and the 23 calls to curl_exec came off as immediately suspicious. I used grep to search for the file and found it under the themes folder as images/social.png.
This file was included at the bottom of a theme file, causing it to be executed on each page load.
<?php include_once('images/social.png'); ?>
Opening social.png in a text editor reveals obfuscated and minified code. While it looks like a mess, it’s simply renamed variables and functions with whitespace removed, and can be undone rather easily with the “Find/Replace All” feature of your favorite text editor.
How to Remove CryptoPHP or social.png
In the limited tests that I’ve done, the offending file – social.png – is the only file that is malicious. It seems to be added to the images/ directory in themes downloaded from unofficial sources. Another line in the main theme files (index.php, header.php or footer.php) includes the file.
While nothing in the file itself indicates that personal or sensitive data is being transmitted back to the server, the file allows its controllers to send commands to it. These commands are then executed by the eval and exec commands in PHP. It is theoretically possible for content, account information, etc. to be transmitted back to the controlling server.
Since the WordPress instance I was using was running on localhost, it would have been unreachable by the controlling servers. It could still phone home and download commands, but could not be controlled directly. However, due to the possibility of sensitive data being stolen, and the evidence of storing information in the database, I’d recommend a complete re-install of WordPress and changing your admin password(s).
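Because the infection leaves exactly two traces, PHP code inside a file with an image extension and a theme file that includes it, both are easy to scan for. The script below is my own added example, not code from the post: it walks a WordPress tree, flags image-named files that contain PHP markers, and flags .php files that include or require a non-PHP file. The sample tree is constructed; only the social.png name and the include line come from the post.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
# PHP markers that have no business inside an image file.
CODE_RE = re.compile(rb"<\?php|\beval\s*\(|\bbase64_decode\s*\(|\bcurl_exec\s*\(")
# include/require of a path with a non-PHP extension, e.g. images/social.png
INCLUDE_RE = re.compile(
    r"""\b(include_once|include|require_once|require)\s*\(?\s*['"]"""
    r"""([^'"]+\.(?:png|jpe?g|gif|ico|txt))['"]""",
    re.IGNORECASE,
)


def scan_tree(root):
    """Return (relative path, reason) pairs for suspicious files under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        data = path.read_bytes()
        ext = path.suffix.lower()
        if ext in IMAGE_EXT:
            m = CODE_RE.search(data)
            if m:
                marker = m.group().decode("ascii", "replace")
                findings.append((rel, f"PHP code in image file ({marker!r})"))
        elif ext == ".php":
            for m in INCLUDE_RE.finditer(data.decode("utf-8", "replace")):
                findings.append((rel, f"{m.group(1)} of non-PHP file {m.group(2)!r}"))
    return findings


def build_sample():
    """Constructed theme directory: one real PNG header, one PHP file named
    social.png, and a footer that includes it the way the post describes."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    theme = root / "wp-content" / "themes" / "sample-theme"
    (theme / "images").mkdir(parents=True)
    (theme / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (theme / "images" / "social.png").write_bytes(
        b"<?php /* constructed stand-in for the obfuscated loader */ eval(''); ?>")
    (theme / "footer.php").write_text(
        "</body></html>\n<?php include_once('images/social.png'); ?>\n")
    (theme / "index.php").write_text("<?php get_header(); get_footer(); ?>\n")
    return root


if __name__ == "__main__":
    # Runs on the constructed tree; point it at a real document root instead.
    for rel, reason in scan_tree(build_sample()):
        print(f"{rel}: {reason}")
```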
Encryption methods (including a script to decrypt database contents)
A week or two ago, the following popped up on my screen during a search for a Python-related topic:
I had seen this before after our CTO got the same mysterious message a few months ago. We initially thought it was another one of Google’s Easter eggs, but a quick search revealed that everyone from HN and Reddit to Business Insider seems to think it’s a recruiting move by the search giant. (A similar program was rumored to be a search for cryptanalysts, but turned out to be related to The Imitation Game, so who knows?)
Update: it is a recruiting portal. Both of us were contacted by Google and interviewed on-site. The actual interview is under NDA, but I’ll post more about the interview process itself later.
The first time around, we discovered that replicating the query doesn’t necessarily trigger an invite, and visiting the URL without an invite doesn’t work. It was suggested that the invites are sent to a subset of users who have enabled search history. When I got the invite a week or two ago, I registered and then hit the “Back” button. The query string was preserved, so we tried an experiment: Is the invite based on a tagged query string, or the result of some back-end processing? After sending the URL to a couple of coworkers who had not received an invite after searching the same query, they tried accessing the URL directly. We learned two things:
Both of them subsequently received an invite.
One of them hit “refresh” as the animation began to show the box, and no invite was shown upon refresh. Opening the link in an Incognito window gave him a second chance.
The most likely scenario is that certain queries redirect to the results page with a query string, which triggers the message. Since neither of the other developers write lots of Python, but still got an invite after visiting the link, it’s likely that Google doesn’t validate invitee status. I doubt this is a simple oversight, and more likely indicates one of two things:
Invitees are not on some sort of pre-selected list; and/or
Google isn’t worried about additional invitees.
The latter was proven when the program displayed a “refer a friend” link. Assuming the recruitment theory is correct, it’s likely that Google is operating under the assumption that high-quality developers will refer other high-quality developers. I don’t know for sure, but this is probably a valid assumption.
To clarify some of the speculation, I was asked if I’d like a Google recruiter to contact me after completing the first six challenges.
Others have asked Google directly about the program, and received a Python snippet that prints “glhf” in response – essentially “no comment”.
A Quick Tour
The pseudo-terminal responds to *nix commands like ls, cat and less, and features its own editor. Listing the directory shows a text file.
The help menu offers several possible commands:
The levels consist of at least 5! challenges, split into 5 levels where each level n has n challenges. Challenges fall into one of five categories, or tags.
Unfortunately, there has only been one crypto challenge available so far, and I haven’t been able to score a low_level challenge. Most of the challenges I’ve completed so far involve one-off applications of computer science problems – like whiteboard interview questions with a twist. Additionally, there are constraints on execution time and memory use, which prevent some naive implementations from passing the test cases. This speaks to the needs of a company like Google who requires, or at least desires, efficient implementations rather than generic Algorithms 101 approaches.
I’ll be posting my solutions to GitHub shortly, along with some explanations here.
Today, Pennsylvania announced the scope of practice and medication list for Critical Care Emergency Medical Service Providers. Unfortunately, all of the skills and medications listed apply to interfacility transports and/or must be performed in the physical presence of a PHRN/PHPE/PHP.
Critical Care Scope of Practice
Critical Care Transport Provider (Paramedic, PHRN, PHPE or PHP)
Chest tube thoracostomy, monitoring of existing tube in a closed system (for example water seal or suction)
Chest tube thoracostomy, acute insertion
Biphasic positive airway pressure (BiPAP) for patients acutely on BiPAP for <48 hours
Ventilation—Maintenance of previously initiated neuromuscular blockade
Laryngeal mask airway (LMA)
Ventilators, transport—single or multi-modal, with or without blender, using volume control mode only, on patients >1 year of age with no anticipated need to actively titrate ventilator settings during transport.
Transvenous or Epicardial pacing, Management of
Hemodynamic monitoring/assist (pulmonary artery catheter, central venous pressure)
Intra-aortic balloon pump or invasive cardiac assist device or extracorporeal membrane oxygenation—monitoring/assist
Sub-cutaneous indwelling catheters—access of existing catheters
Venous central line (blood sampling)—obtaining
Blood products—initiation and continued administration
Medication administration routes
Enteral Feeding Devices, Management of
Medications for Critical Care Transport Providers as published in Pennsylvania Bulletin by the Department
Over-the-counter (OTC) medications (Note: aspirin and glucose covered elsewhere)
Portable blood analysis devices, use of (glucometer covered elsewhere)
Intracranial pressure monitoring/assist
Yes—The skill is in the scope of practice for paramedics, PHRNs, PHPEs and PHPs who are authorized to function for an EMS agency that has been licensed as a CCT ambulance service. (Emphasis added)
1. Paramedics, PHRNs, PHPEs and PHPs who are authorized to function for an EMS agency that has been licensed as a CCT ambulance service may only perform or assist with these skills during interfacility transport with a CCT ambulance. (Emphasis added)
2. Paramedics who are authorized to function for an EMS agency that has been licensed as a CCT ambulance service may assist a PHRN, PHPE or PHP with this skill only during interfacility transport with a CCT ambulance and when in the direct physical presence of, and supervised by, the higher level provider. (Emphasis added)
Critical Care Medication List
Anti-Coagulants/Anti-Platelets: All Types (Not otherwise specified)1,2
Anti-Emetics: All Types (Not otherwise specified)1,2
Anti-Hypertensives: All Types (Not otherwise specified)2
Fibrinolytics/Thrombolytics: All Types2
Other Non-Benzodiazepine Anti-Convulsants2
Prostaglandins: All Types2
Tocolytics: All Types (Not otherwise specified)2
Total Parenteral Nutrition2
1. Paramedics who are authorized to function for an EMS agency that has been licensed as a CCT ambulance service are restricted to the maintenance and monitoring of medication administration that is initiated at the sending medical facility. (Emphasis added)
2. Paramedics who are authorized to function for an EMS agency that has been licensed as a CCT ambulance service may only administer the medication in the direct physical presence of, and supervised by, a PHRN, PHPE or PHP. (Emphasis added)
Here’s a quick Python script to visualize binary data. In the grayscale example, each pixel’s intensity is the byte value at that position (0x00 – 0xFF). The same method is used for colorization, except that the byte value supplies both the hue and the value (brightness) in HSV colorspace (saturation is fixed at 0.99).
The cols parameter is the width of the image to be generated (in pixels). By default, the script generates a couple of different sizes. The height is calculated based on the width. Patterns tend to be clearer when the column width is a multiple of 8 (16, 32, 64, 128…), though that could depend on the format and type of data in the file.
As an example, here are some images from a 256-byte file generated with the following Python program:
with open('foo.txt', 'wb') as fd:
    for i in range(256):
        fd.write(bytes([i]))  # one byte per value, 0x00 through 0xFF
./process_dir.py <dirname> <cols>
The program will generate images for each of the binaries in the specified directory, create an “index.html” file and attempt to launch it in the browser.
The generated image on the left is from a PNG file. A dark patch in the beginning with a mostly-uniform distribution is consistent with file headers followed by image data.
The image to the right is an OpenOffice Writer file. The striped area indicates a repeating pattern of bytes, which often separates the metadata header and content in word processor files. The example screenshot shows an image generated from a compiled binary.
This can also be used to visually approximate the amount of entropy in a file. A high-entropy file would have a uniform byte distribution, thus occupying all of the available colorspace. I’ll include a histogram function later. This would show the frequency distribution of the bytes as well.
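To make the mapping concrete, here is my own added example (not the post’s process_dir.py): the grayscale and HSV byte-to-pixel mappings described above, plus the byte histogram and a Shannon entropy estimate the post mentions wanting to add. It writes plain-text PGM/PPM images so no imaging library is needed, and the 256-byte sample is constructed the same way as the post’s foo.txt.

```python
import colorsys
import math


def gray_pixels(data, cols):
    """Rows of grayscale pixels: each byte is its own intensity (0x00..0xFF).
    The last row is zero-padded so every row has exactly `cols` pixels."""
    rows = [list(data[i:i + cols]) for i in range(0, len(data), cols)]
    if rows and len(rows[-1]) < cols:
        rows[-1].extend([0] * (cols - len(rows[-1])))
    return rows


def color_pixel(b):
    """HSV mapping from the post: byte drives hue and value, saturation 0.99."""
    r, g, bl = colorsys.hsv_to_rgb(b / 255.0, 0.99, b / 255.0)
    return (round(r * 255), round(g * 255), round(bl * 255))


def histogram(data):
    """Count of each byte value, index 0..255."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def entropy_bits(data):
    """Shannon entropy in bits per byte: 8.0 means every byte value is equally
    frequent (the 'fills the whole colorspace' case), 0.0 means one value."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in histogram(data) if c)


def write_pgm(path, rows):
    """Plain-text PGM (P2) grayscale image; most viewers open it directly."""
    with open(path, "w") as fh:
        fh.write(f"P2\n{len(rows[0])} {len(rows)}\n255\n")
        for row in rows:
            fh.write(" ".join(str(v) for v in row) + "\n")


def write_ppm(path, rows):
    """Plain-text PPM (P3) color image using color_pixel for every byte."""
    with open(path, "w") as fh:
        fh.write(f"P3\n{len(rows[0])} {len(rows)}\n255\n")
        for row in rows:
            fh.write(" ".join("%d %d %d" % color_pixel(v) for v in row) + "\n")


if __name__ == "__main__":
    sample = bytes(range(256))  # constructed: same content as the post's foo.txt
    rows = gray_pixels(sample, 16)
    write_pgm("foo_gray.pgm", rows)
    write_ppm("foo_color.ppm", rows)
    print(f"entropy: {entropy_bits(sample):.3f} bits/byte")
```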
This is a walkthrough of InfoSec Institute’s CTF challenge, Level 12.
As I mentioned in some of the other walkthroughs, the first step is to look through the source code for anything that’s out of place. After that, I typically evaluate the headers and other responses (with Chrome’s developer tools) and proceed from there. Anything that the site loads will be revealed in the “Network” tab, so it’s a pretty good source of information that’s always available.
In this level, the file “design.css” was out of place. Viewing the contents showed an invalid CSS statement:
In CSS, colors are typically specified with their hexadecimal value. (There are a couple of other acceptable formats, but that’s irrelevant for now.)
Load that string into a Python interpreter, and use the built-in “decode” function. Pretty intuitive, yeah?
This is a walkthrough for InfoSec Institute’s CTF Challenge, Level 11.
The only immediate difference between this and level 10 is the addition of a grainy PHP logo.
Grainy images are one indicator of steganography, so I proceeded along the route of checking for readable strings. Using the strings command again revealed the flag instantly (but read on!). However, opening it in emacs revealed that it was in the header of the image file.
This is hardly the same as steganography, which hides the message in the image data. This flag is hidden in the image’s EXIF (Exchangeable Image File Format) data, which provides metadata about the image. If you have exiftool installed (apt-get install exiftool, IIRC), you can get the same information:
exiftool php-logo-virus.jpg | grep -i infosec
The “document name” field contains the string, plus two additional bytes. If you had trouble viewing the image properties, it was likely because the viewer wasn’t prepared for the extra bytes at the end of the string. Remember, the “strings” command only reveals printable characters.
Depending on whether or not the flag includes the extra bytes, there are two options:
Bytes 240 and 206 are outside of the printable range, and not valid Unicode, as they’re missing the BOM. The control characters correspond to the end of the field, which is NUL-terminated. These characters are present because of the way emacs is forced to display something, but you can see the true value with a hex editor. I used hexedit in the following screenshot:
The additional unprintable characters are in red and NUL bytes in yellow. Since any EXIF parser treats everything up to the NUL terminator as the field’s value, these bytes are part of the field. That leaves us with bytes A0 86 01 unaccounted for.
Note: Your raw data may differ from mine, due to endianness. If your hex editor displayed this, it’s correct, but you’ll notice each pair is switched.
Before we cross over the threshold into text-encoding hell, extended ASCII sets, control characters, and all the levels dedicated specifically to Unicode, let’s take a step back. (Sorry guys, I only led you down this road to take a look at the actual contents of the field!)
Occam’s razor says the field was obfuscated to prevent what I’ll dub a “View Properties Attack”, and we’re dealing with a printable-characters-only string. This is a n00bs challenge, after all.
Although it lacks the characteristic ending equals signs of a base64-encoded string, the flag we have does contain a valid base64 string. (The ending == signs are for padding, and not always present.)