Monday, August 24, 2009

Killing Time...

Ok, I'm just killing time here so I decided to blog since I haven't posted anything recently.

Underwent something major in my love life. My girlfriend and I almost broke up. We made up but it was pretty emotional for a while. =)

Ok, on to hacking... (what a segue =) )

What's the best portable hacking device? For me it would be the Asus Eee, the ones with the Atheros card for WEP cracking. (Cheap too, best criteria =) )

But the problem is, if you're going to hack a specific target, presumably something corporate, you just couldn't walk into the building, pull out your laptop and start hacking in the hallway (And for Pete's sake, change the BackTrack logo. I've seen you booting it, dead giveaway). Yes, you could probably use a directional antenna, blah blah blah, but the typical scenario in the Philippines is, your target just leases a room or a whole floor inside a building in Makati. What if it was on the twenty-second floor? Also what if the signal strength was just strong enough NOT to be detected outside the building?

So you have to come in close, come in corporate attire (ditch the faded denim pants, black shirt, and backpack), and try to find an inconspicuous place to hack out of (the comfort rooms usually found on both ends of the floor are usually sufficient).

But what if the comfort rooms were locked or too far away? (sucks if you really do have to take a piss). You have to go to their receiving area and try to social engineer your way into staying a bit (they may even have free coffee =) ). And again the problem is you just can't pull out your laptop and start hacking there ("Bos, hindi po ito starbaks..."). So the best thing you can do is turn on your laptop beforehand, set up an ad-hoc wifi with broadcasting disabled, put it back inside your bag before you enter the room, and then use your iPod touch, iPhone, or even your wifi-enabled Nokia cellphone to ssh into your laptop. Simple, ain't it? =)

Well, there's been a talk about using an iPod touch for mobile hacking, but it's too underpowered compared to a laptop. I hear installing all the right tools can be a bitch too.

Ok, and uhm, about the creepbox (creeper box). It's a gadget you typically leave unseen connected to the target network either through wifi or through an unused LAN port (there's probably a creepbox stuck behind your server rack hehe). They're there to provide a (usually wifi AP) backdoor to the target network because some targets are offline networks, and some targets really really monitor internet connections (and some targets, in an effort to thwart porn left downloading in the night, disconnect from the internet at night, at least that's what I think their reason is =) ). These are usually homemade kits (Soekris) or made from ripped-apart netbooks (you could buy a used Eee PC 2G for around Php 6k on tipidpc). You could also use an iPod touch (finders keepers), the problem is it's wifi only. I've also toyed with the idea of using Linksys wifi routers (they can boot Linux). Oh, and in the Stealing The Network series they had one with a GSM modem set up so it would basically phone home.

So, uhm, what else? Oh, and the hacking stuff above? I haven't done any of it. It's fiction based on some ideas I had =)

I guess that's it...

Wednesday, July 1, 2009

CICT forms its own cybercrime unit

Original Story

With the prospect of the cybercrime bill becoming a law, the Commission on Information and Communications Technology (CICT) has been slowly putting up a cybersecurity coordination center in its main office in UP Diliman.

The CICT has been lobbying for the passage of the cybercrime bill, which has been sitting in Congress for at least five years.

The bill has already passed the first reading under the Lower House committee on appropriations and a Senate version is already in the works.

The office is headed by former Philippine National Police (PNP) general Virtus Gil, who also served as President Gloria Macapagal-Arroyo’s deputy national security adviser.

In an interview, CICT chairman Ray Anthony Roxas-Chua said the cybercrime division is not yet functional but its people would have the skills to conduct investigations on cybercrime.

Roxas-Chua stressed that the CICT should be leading in the creation of a cybercrime group due to its existing e-government modernization mandate.

He also expects the cybercrime division to help the private sector deal with security threats.

However, the existence of CICT’s cybercrime division is pegged on the passage of the cybercrime bill.

If a law is not passed, Roxas-Chua said they may look into other funding options to keep the cybercrime division, most likely from the e-government fund.

With less than a year to go before the next elections, Roxas-Chua said they are pushing further to have the law passed soon.

“That’s why we’re emphasizing a lot on the need for a cybercrime law. It will protect government IT projects and the country’s growing IT industries,” Roxas-Chua said.

There had been previous attempts at creating an anti-cybercrime group by the government.

The first was in 2004 with the creation of the Task Force for the Security of Critical Infrastructure headed by Abraham Purruganan. It laid out a long-term National Cybersecurity Plan that was not implemented.

Another was the Government Computer Security and Incident Response Team led by the PNP. The National Bureau of Investigation (NBI) also has its Anti-Fraud and Computer Crimes Division.

Monday, May 18, 2009

UBT/FBT Notes

I won't go much into details.

UBT = Unlimited Browsing Techniques
FBT = Free Browsing Techniques

Basically these are hacks to be able to get online without being charged by the Globe or Smart networks. Almost all of them require a proxy server of some sort. Not all of them work and some only work using a particular network. All of them are illegal so use at your own risk!

*Whitelisted domains

Most networks allow free access to specific domains. The technique is to use a proxy and to trick the filter into thinking the proxy is part of an allowed domain, e.g. allowed-domain.proxy.com. The filter sees the string "allowed-domain" and allows the (proxied) traffic to pass through uncharged.
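As an added illustration (not code from the post or from any carrier's filter), here is the keyword check the paragraph describes beside a hardened version that only accepts a whitelisted hostname or a subdomain of it on a label boundary; the keyword list, hostnames and sample hosts are constructed:

```python
"""Zero-rating whitelist check: substring match versus hostname match.

Added example, not from the blog. Everything below is constructed.
"""

# The weak filter was written as brand keywords to look for in the hostname.
FREE_KEYWORDS = ("allowed-domain", "wap-portal")

# The hardened filter carries the exact zero-rated hostnames instead.
FREE_HOSTS = ("allowed-domain.com", "wap-portal.example.net")


def is_free_naive(host: str) -> bool:
    """Weak check: any hostname *containing* a keyword is free.
    'allowed-domain.proxy.com' contains 'allowed-domain', so a proxy
    hosted there rides for free."""
    h = host.lower()
    return any(keyword in h for keyword in FREE_KEYWORDS)


def is_free_strict(host: str) -> bool:
    """Hardened check: the hostname must equal a whitelisted name or end
    with '.' + that name, so the match sits on a label boundary.
    'allowed-domain.proxy.com', 'allowed-domain.com.evil.net' and
    'evil-allowed-domain.com' all fail; 'm.allowed-domain.com' passes.
    The host must be taken from the real destination (CONNECT target,
    TLS SNI or resolved address), not just a client-supplied Host header."""
    h = host.lower().rstrip(".")
    if not h or any(ch.isspace() for ch in h):
        return False
    return any(h == free or h.endswith("." + free) for free in FREE_HOSTS)


def find_leaks(hosts):
    """Audit helper: hostnames the weak filter zero-rates but the strict
    filter charges, i.e. the traffic that was leaking past billing."""
    return [h for h in hosts if is_free_naive(h) and not is_free_strict(h)]


# Constructed sample of hostnames seen in a billing log.
SAMPLE_HOSTS = [
    "m.allowed-domain.com",
    "allowed-domain.proxy.com",
    "allowed-domain.com.evil.net",
    "evil-allowed-domain.com",
    "www.example.org",
    "wap-portal.example.net",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:32} naive={is_free_naive(host)!s:5} strict={is_free_strict(host)}")
    print("leaks:", find_leaks(SAMPLE_HOSTS))
```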

*Whitelisted ports

This used to be found on the Globe networks but was (unknowingly?) patched when they did some network upgrades. Basically they allow http traffic on unconventional ports.

*DNS Encapsulation

You could encapsulate other kinds of TCP/IP traffic in DNS packets. The network does not charge for domain name lookups, etc.

*ICMP Encapsulation

Similar to DNS encapsulation, you could encapsulate data in ICMP traffic. Some networks charge for ICMP traffic though.
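The DNS variant leaves a traffic signature that the carrier (or any network owner) can look for: many never-repeated subdomains under one zone, long high-entropy labels, and TXT/NULL query types. The following added example, not code from the post, scores each queried zone in a constructed resolver log on those features; the log lines, zone names and thresholds are all constructed, and the same idea (payload size and rate per host) carries over to ICMP, which is not shown.

```python
"""Heuristic DNS-tunnel detector over constructed resolver log lines.

Added example, not from the blog. Log format is constructed as
"<client> <qtype> <qname>", one query per line.
"""
import math
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA www.example.com
10.0.0.9 A img1.cdn-example.org
10.0.0.9 A img2.cdn-example.org
10.0.0.9 A img3.cdn-example.org
10.0.0.7 TXT 7g3kq9zx2m4b8n1v5c0j6h.t.tunnel-example.net
10.0.0.7 TXT k2j8v4n6c1m3b5x9z7q0w8.t.tunnel-example.net
10.0.0.7 NULL a1b2c3d4e5f6g7h8i9j0k1.t.tunnel-example.net
10.0.0.7 TXT z9y8x7w6v5u4t3s2r1q0p9.t.tunnel-example.net
10.0.0.7 TXT m5n4b3v2c1x0z9l8k7j6h5.t.tunnel-example.net
"""

# Query types that carry arbitrary data and rarely appear in normal browsing.
RARE_QTYPES = {"TXT", "NULL"}


def zone_of(qname, depth=2):
    """Split a query name into (zone, subdomain). Two trailing labels are
    treated as the zone; a real deployment would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])


def shannon_entropy(s):
    """Bits per character; encoded payloads score far above words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def parse_log(text):
    """Return (client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        records.append((client, qtype.upper(), qname))
    return records


def zone_features(records):
    """Per-zone statistics over the subdomain part of every query."""
    by_zone = defaultdict(list)
    for _client, qtype, qname in records:
        zone, sub = zone_of(qname)
        by_zone[zone].append((qtype, sub))
    feats = {}
    for zone, items in by_zone.items():
        n = len(items)
        subs = [sub for _, sub in items]
        feats[zone] = {
            "queries": n,
            "mean_sub_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "distinct_ratio": len(set(subs)) / n,
            "rare_qtype_ratio": sum(q in RARE_QTYPES for q, _ in items) / n,
        }
    return feats


def score_zone(f):
    """One point per tunnel-like feature; thresholds are constructed."""
    return (int(f["mean_sub_len"] >= 16)
            + int(f["mean_entropy"] >= 3.5)
            + int(f["distinct_ratio"] >= 0.8)
            + int(f["rare_qtype_ratio"] >= 0.5))


def suspicious_zones(text, min_queries=3, min_score=3):
    """Zones with enough queries and enough tunnel-like features.
    A CDN with many short image hostnames scores only on distinct_ratio,
    which is why a single feature is never enough to flag a zone."""
    feats = zone_features(parse_log(text))
    return sorted(z for z, f in feats.items()
                  if f["queries"] >= min_queries and score_zone(f) >= min_score)


if __name__ == "__main__":
    for zone, f in zone_features(parse_log(SAMPLE_LOG)).items():
        print(f"{zone:22} score={score_zone(f)} {f}")
    print("suspicious:", suspicious_zones(SAMPLE_LOG))
```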

Saturday, April 25, 2009

Defconph Beertalk II (Manila)

Ok. A quick review of what went down last night.

Got to the venue a bit late. When I got in the event had started and tikbalang was already presenting. There were a bunch of guys who came in at the same time as me and we were all standing at the back. There were about ten of us who stood at the back until the presentation ended and we found available seats. Saw some slides about something about Amazon but between trying to find a good spot and the slightly poor audio I didn't understand what the presentation was about.

*Major Gripe: The venue was freaking HOT!*

It was so bad that I couldn't take it anymore and I decided to go outside while the Bullsh!t presentation was ongoing since I was not really that interested in his topic which was about a botnet. There were several of us outside and we just talked while occasionally peering in to look at the presentation.

The last speaker (thestare) did not start immediately after Bullsh!t's presentation and by the time his presentation started I had met some of my past acquaintances and we were shooting the breeze and smoking outside while he gave his presentation.

So I basically missed the first presentation. Wasn't really interested in the second one. And was standing outside during the third presentation. I'll just download the slides when they put it online.

Hackista. I came in wanting to join the game. Became so bummed out because of the heat that I backed out. By the time the game started I became a bit excited and pulled out my laptop. Because of the heat inside the venue the group I was with had started hanging out inside the adjoining restaurant/bar. The game master had given an initial IP address but because of some network problems they decided to change it. Non-issue except that we were outside the venue and we were trying to attack the old IP add hehe. Somebody then told us the new target IP. But the network was having problems and I couldn't connect to the network. And also a major problem, for me anyway, with all the excitement I needed to smoke and unfortunately the restaurant we were in didn't allow smoking. So I had to either go outside or go inside the venue where smoking was allowed. Between this and the network problems I just decided to shut down the laptop and not play anymore. Also, this was my first time to join a CTF and I was a bit bothered by all the people walking by, standing behind you and trying to look at what you're doing. Definitely not my usual environment. Maybe next time I'll be able to adjust.

The CTF seemed to be the best part of the event. A foreigner won the game. I talked to him while he was trying to exploit the target. Another first for me, talking to a foreign hacker live :) Actually we seemed to be having the same ideas at the time about how to exploit the target. He had already gotten a shell by then but his connection had stopped responding. Anyway congratulations to him and his company. Oh, and the gamemaster was drunk hehe.

And that's it. Lots of beer available which was a very good thing. Met some new people, hung out with some old ones.

*Edit* Edited out thestare being late because apparently he gave notice to the organizers that he had a prior engagement.

Tuesday, April 7, 2009

Linux Most Hacked

Original Story

Interesting story about Philippine websites defaced during the last six years. Statistics show that hackers seem to like Linux:

"Hackers used the Linux Operating System (OS) to deface 507 of the websites, WIN2000 71 times; and WIN2003, FREEBSD and WINNT9X 13 times each.

Of the 667 government websites defaced during the period, 507 or 76 percent were using Linux as their OS."

"Sosa said they have identified 134 “coded defacers” who attacked government websites during the period and tagged a group called “Hackers” as the one with the most number of intrusions at 248 in 2006 alone followed by the “Ashiyane Digital Security Team” with 106 hits, and “Infern.4iL” with 17.

The others are “Saudi Security Terror” and “Skorptix” with nine attacks each; ‘Denger’ with eight hits; “HMEI,” “DARK HUNTER” and “HIS IRAN HACKER SABOTAGE” with seven intrusions each. A group called “ALPTURKTIGIN” and “REBARZ99,” the well-known Filipino hacker each scored six hits during the same period.

The remaining 123 “coded hackers” have insignificant frequency of attacks varying from five to one intrusion a year, Sosa said."

A group called Hackers, hehehe. Isn't that a collective noun, which would explain the higher number of intrusions? Rebarz99 seems to be the only Filipino hacker mentioned. Prime candidate to be made an "example" since the others are foreigners and would be impossible for the PNP to capture. And why are some websites repeatedly "hit"? Wouldn't a single or double hit be enough grounds to secure them and prevent future hits? There are no statistics on the method of intrusion or on whether any of the hackers were caught. Interestingly enough, the article ended by emphasizing that the hacked servers were running Linux.

"...the Linux Operating System, a free and openly available software which makes them highly vulnerable to hacking"

I'm waiting to see how the PLUG members react to this =)

Tuesday, March 31, 2009

Uhm, Duh?

Reports that computers of the Department of Foreign Affairs had been hacked trigger concerns about the nation's need for a cybersecurity program.

http://newsinfo.inquirer.net/breakingnews/infotech/view/20090330-196886/Cyber_spies_hack_into_DFA_computers

http://technology.inquirer.net/infotech/infotech/view/20090330-197020/DFA-to-investigate-hacking-report

http://technology.inquirer.net/infotech/infotech/view/20090331-197122/RP-govt-websites-vulnerable-to-hacking

http://technology.inquirer.net/infotech/infotech/view/20090330-197041/RP-needs-cybersecurity-program--CICT

More jobs for the nation's licensed pentesters and cybersecurity professionals.

Thursday, March 26, 2009

Grrr...

Tuesday, March 17, 2009

Comelec dares hackers to crack software

(Too tired to comment on this and the preceding blog entry. Only putting it here for easy reference and for posterity's sake)

Original Story

MANILA, Philippines—Let’s see if old-fashioned dagdag-bawas (vote-padding and shaving) schemes can catch up with technology.

The Commission on Elections (Comelec) is challenging computer hackers to take a crack at the software that will be used in the 2010 elections to prove that the system is secure from fraud and tampering.

“By the time a hacker gets into our system, the election is over,” Comelec Executive Director Jose Tolentino boldly declared Monday in a press briefing.

Tolentino said the Comelec would welcome cyber-security experts who wish to check the system for weaknesses.

Programmers and the general public can also scrutinize the source code of the company that will bag the P11.3-billion automation contract for the 2010 national elections.

The source code refers to the set of programs that carries the system’s instructions.

“The winning bidder’s software, the source code, will be open to inspection by the public,” Tolentino told reporters.

“They can look at it line by line to ensure that there is no malicious program inside,” he said.

The Comelec will also open the system and the machines to “ethical hackers” or IT experts who would be allowed by the agency to test the system.

“Then there are those who might try to hack the system without telling us. That’s OK. We are open to that,” he said.

Tolentino was parrying criticisms from politicians, poll watchdogs, and some IT experts who fear that the Comelec’s adoption of the Precinct Counting Optical Scan (PCOS) system would only give rise to a new, more sophisticated mode of election cheating.

Doubters

PCOS refers to the general scheme that the Comelec had chosen for the casting, counting and canvassing of votes for the 2010 elections. Up for bidding next month is the contract for the specific software and voting and counting machines on which the PCOS will be run.

Doubting the Comelec’s readiness to fully automate by May 2010, former Comelec Chair Christian Monsod earlier warned that “software specialists” would now take on the dirty job previously carried out manually by unscrupulous poll personnel and political operatives.

Among the infamous methods of large-scale fraud widely alleged to have marred past manual elections was the so-called dagdag-bawas scheme, or the manipulation of election results through vote padding and shaving.

IT expert and transparentelections.org head Gus Lugman had also noted that the Comelec would be relying on software “not written in the Philippines.”

But Tolentino Monday said anyone who planned to attack the system would not only need technical expertise but also huge funding to set up powerful computers that could crack the 128-bit encryption code.

Stored at BSP

For added security, the source code of the chosen system will be stored “in escrow” at the Bangko Sentral ng Pilipinas (BSP), he added.

Also Monday, Comelec Chair Jose Melo presented the poll body’s terms of reference (TOR) or the technical and financial requirements for the contract bidders.

The TOR mainly requires interested suppliers to provide a paper-based automation election system, a system for the electronic transmission of the results, and a management plan governing the entire process.

The Comelec will release the TOR documents, priced at $20,000 per set, on March 18.

10 bidders

“The last day of purchasing (the documents) is on March 25. On March 27, there would be a pre-bidding conference where bidders can seek to clarify matters,” Melo said.

The Comelec will open the bids on April 27 and award the contract not later than May 21.

Melo earlier announced that 10 companies had expressed interest in joining the bidding for the P11.3-billion automation contract.

He then assured critics that since these companies have international operations and reputations to protect, they would not allow their products to be used for fraud in the coming Philippine elections.

Defconph BeerTalk II (Manila)

Where:
Grilla Paseo De Roxas Avenue Branch, Makati
Near Greenbelt

When:
April 24, 2009 @ 1900 HRS PHT

Who Should Attend:
Everyone can attend, not just IT enthusiasts. We mean everyone, people from different fields like Feds, Lawyers, Salesmen, anyone who is willing to learn what is going on with information security these days.

Registration Fee:
Early Php800.00 / Late Registration Php1500.00 includes DEFCONPH Official T-shirt, 2 Bottles of Booze and 2 Slices of Pizza

NOTE: Early Registration closes on April 12, 2009

DEFCON Philippines BeerTalk II (Manila) Full Track
7:00PM - 7:10PM Welcome Address
7:10PM - 7:30PM Introduction to DEFCON Philippines
7:30PM - 8:20PM Unconventional Privilege Escalation
8:20PM - 8:30PM Q&A
8:30PM - 9:20PM Penetration Testing, A Structured Approach: Conducting Penetration Tests in a business environment
9:20PM - 9:30PM Q&A
10:30PM - 11:20PM The Waledac Botnet
11:20PM - 11:30PM Q&A
11:30PM - 12:30PM Games - Hackista 2009 (Øpen Hack Challenge)
12:30PM - 12:45PM Closing Remarks / Awards and Recognition
12:45PM - onwards More BEER .... ..... .... Drink til you Drop


Unconventional Privilege Escalation

Speaker: Tikbalang

Synopsis: Conventional privilege escalation deals with vulnerabilities and acquiring root level in the system. Is there a way of escalating privilege (unconventionally) without having the root level? Up to what extent can the escalations go? Is it really a threat to consider? Are people affected by this?

Penetration Testing, A Structured Approach: Conducting Penetration Tests in a business environment

Speaker: theStare

Synopsis: Recent developments concerning regulatory requirements, the current financial turmoil and rising security threats to organizations have opened the doors of business for various security service providers. Organizations are looking for service providers who understand their business and its associated risks, capable of assessing their current security posture, identify any gaps, and provide cost-effective recommendations that can reasonably address these gaps. They are searching for professionals who can perform these services in an organized manner, using a sound approach and a proven methodology. This talk deals with the details of managing penetration testing engagements, right from proposal preparation up to report delivery.

The Waledac Botnet

Speaker: Bullsh!t

Synopsis: Botnet technology and techniques are continuously evolving, and currently, the Waledac botnet is probably the most advanced botnet out there.

In this presentation, we will give a brief overview on botnet evolution, the technical aspects of Waledac, the botnet, what it does, and how the bot masters are raking in cash out of this.

Hackista 2009 (Øpen Hack Challenge)

Mechanics: The goal of this challenge is to obtain administrative level privileges on a Windows 2000 server with no security patches by exploiting vulnerabilities in the RPC/LSASS Services on the target machine. The target machine IP address will be announced prior to the start of the challenge. Upon successful compromise, create a text file with your name on the target machine's desktop and notify any of the goons for verification. The first one to compromise the machine after verification will be considered the winner and gets a chance to do a demo on the methods he used. The first one to create their HANDLE.txt on the desktop of the compromised machine wins the game.

Tools: Any hacking tools are allowed, Metasploit, Nessus, Nmap etc.

Rules: No direct DoS on the server; anyone caught DoSing the server will automatically be disqualified from the game.

Prize: The first one to create handle.txt will be getting a black badge; the black badge entitles you to lifetime access to the DEFCON Philippines event.

Saturday, March 7, 2009

Poll machines prone to hacking -- IT expert

Original Story

The high-tech poll machines that will be used by the Commission on Elections (COMELEC) in the 2010 elections are prone to hacking, an IT expert said Thursday.

“The [poll] machines are only computers, they can be hacked. Someone can insert bad instructions into it and manipulate data,” IT expert Ike Señeres, former director-general of the National Computer Center, told ABS-CBN’s morning show, “Umagang Kay Ganda.”

Señeres explained that computers with vulnerable operating systems (OS) can be infected by viruses.

He said that the machines used by COMELEC in the ARMM elections used Windows, which he said is vulnerable to virus and hacking.

He added that the poll machines can also be manipulated by an “untrustworthy” person.

Señeres said that if COMELEC would allow him, he will sit in a room and if given enough time, he can hack into the poll machines and manipulate the results of the elections.

COMELEC spokesman James Jimenez admitted that there are no “fool-proof” systems and even an automated election can still be rigged.

Jimenez, however, said that critics of the automated elections should be reminded that the COMELEC is trying to replace a “system that is flawed and vulnerable.”

“With the automated system, it is new and it is less vulnerable,” he said.

Señeres, meanwhile, said that the possibility of the automated system being hacked can still be prevented by helping COMELEC guard the process.

PCOS not OMR

COMELEC Chairman Jose Melo, meanwhile, said that the poll body will be using precinct count optical scan (PCOS), an improved version of the optical mark reader (OMR), which was used in the ARMM elections.

Melo said that compared with the OMR, PCOS has better security features and is less vulnerable to cheating.

He said PCOS can take pictures of the ballots inserted by voters into the voting machines. He said the ballots' images are transmitted to COMELEC for better monitoring of the ballots' conditions.

The COMELEC had said that it will set up at least 80,000 PCOS machines nationwide during the May 2010 elections.

It said 14,000 units will be deployed around Metro Manila, 13,000 units in urban areas, 3,000 units in problem areas and 50,000 units to voting precincts in the rural areas.

OES on standby

Melo, meanwhile, said the COMELEC will put as standby the proposed "open election system" or the half manual, half automated elections.

He said if ever the winning supplier of the PCOS machines fails to meet COMELEC standards, it will be forced to switch to the open system.

"We won't have enough time to conduct another bidding, so we have to go manual," Melo said.

He said the COMELEC will publish the terms of reference for the meeting this month and start the actual bidding by April.

He said they will set the final testing for the poll machines on November 17.

By December 2009, the COMELEC will start educating teachers and their employees on how to use the poll machines.

In a marathon session that started Wednesday night, the Senate approved the supplemental budget bill for the COMELEC to implement automation in the 2010 elections.

Senators approved the budget bill with a provision for "transparency and accuracy in the selection of the relevant technology of the voting machines to be used for the May 10, 2010 automated and local elections."

The Senate passed the supplemental budget on its last session day before it goes on a five-week Lenten recess starting March 7.

House Bill 5715 was passed by the House of Representatives on Monday evening and was then transmitted to the Senate the next day.

The supplemental budget bill will still have to go through a bicameral debate.

Automation shortens the window needed to cheat. Couple that with PCOS, a nice md5sum+timestamp hashing algorithm, a secure way of transmission, and that would be way way better than the system used before.

It could be possible to install trojans prior to the election but that would require physical access to the (possibly hundreds of) machines since I doubt that they would be online prior to the election. And I'm sure (actually hoping) that they're going to be heavily guarded prior to deployment. Weak point could be in the counting mechanism itself. You could somehow sniff the connection, find out the receiving ip address(es), determine the protocol format (probably POST data to a webserver with the md5sum+timestamp I was talking about earlier), send a spoofed corrupted message, and (hopefully?) crash the counting mechanism. A DoS would be enough to undermine the validity of the election. Politically, that would also be enough.
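An added example (not the Comelec's or any vendor's protocol) of how the transmission the paragraph speculates about can be made to reject a spoofed or corrupted report instead of crashing on it: the unkeyed md5sum+timestamp tag beside an HMAC under a per-machine key, with strict parsing before the tally code ever sees the data. The key, field names, timestamps and tallies are constructed.

```python
"""Authenticating transmitted precinct results.

Added example, not from the blog or from any election vendor. An md5 digest
over the payload can be recomputed by anyone who can send a message, so it
detects corruption but not spoofing; an HMAC under a secret the receiver
shares with each machine detects both. All values below are constructed.
"""
import hashlib
import hmac
import json

MACHINE_KEY = b"constructed-demo-key-for-precinct-0001"  # provisioned offline
MAX_SKEW = 300  # seconds a report's timestamp may differ from receiver time


def canonical(payload):
    """Stable byte encoding so sender and receiver hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def md5_tag(payload):
    """The unkeyed scheme from the post: md5 over payload (+timestamp)."""
    return hashlib.md5(canonical(payload)).hexdigest()


def md5_scheme_accepts(msg):
    """Receiver check for the unkeyed scheme. A forger who changes the tally
    simply recomputes md5_tag, so this check passes for spoofed reports."""
    return md5_tag(msg["payload"]) == msg["md5"]


def sign_report(precinct, tally, timestamp, key=MACHINE_KEY):
    """Keyed scheme: HMAC-SHA256 over the canonical payload."""
    payload = {"precinct": precinct, "tally": tally, "ts": timestamp}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "mac": tag})


def verify_report(raw, now, key=MACHINE_KEY):
    """Return 'ok' or a rejection reason. Malformed input is rejected, never
    raised, so a corrupted message cannot take the receiver down."""
    try:
        msg = json.loads(raw)
        payload, tag = msg["payload"], msg["mac"]
        precinct, tally, ts = payload["precinct"], payload["tally"], payload["ts"]
        well_formed = (isinstance(precinct, str) and isinstance(ts, int)
                       and isinstance(tag, str) and isinstance(tally, dict)
                       and all(isinstance(k, str) and isinstance(v, int) and v >= 0
                               for k, v in tally.items()))
        if not well_formed:
            return "malformed"
    except (ValueError, KeyError, TypeError):
        return "malformed"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return "bad-mac"
    if abs(now - ts) > MAX_SKEW:  # stale; replays inside the window still
        return "stale"            # need a per-precinct sequence number
    return "ok"


def forge_unkeyed(msg, new_tally):
    """What an attacker does against the unkeyed scheme: edit and re-tag."""
    forged = {"payload": dict(msg["payload"], tally=new_tally)}
    forged["md5"] = md5_tag(forged["payload"])
    return forged


if __name__ == "__main__":
    now = 1273500000  # constructed receiver clock
    raw = sign_report("0001", {"A": 120, "B": 95}, now)
    print("genuine:", verify_report(raw, now + 60))
    tampered = json.loads(raw)
    tampered["payload"]["tally"]["A"] = 500
    print("tampered:", verify_report(json.dumps(tampered), now + 60))
    unkeyed = {"payload": {"precinct": "0001", "tally": {"A": 120}, "ts": now}}
    unkeyed["md5"] = md5_tag(unkeyed["payload"])
    print("md5 accepts forgery:", md5_scheme_accepts(forge_unkeyed(unkeyed, {"A": 500})))
```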

Sunday, March 1, 2009

SILICAQ Released

SILICAQ is a handheld penetration testing and security assessment device sold by Immunity, Inc.

Its predecessor SILICA used the Nokia 770 as the hardware platform. SILICAQ seems to be using different hardware.

SILICA price = $3600.00
SILICAQ price = $8500.00

Using the current Peso exchange rate:

$8500.00 X 48 = PHP 408,000.00

Here's a Honda CRV SUV being sold for PHP 400,000.00 =)

Heh, quite expensive!

I think I'm gonna sell my personal penetration testing netbook. It's an Eee 900 running Ubuntu. Some features:
- uses non-standard drivers that enable you to inject and sniff data wirelessly
- Nmap installed
- Metasploit installed
- Aircrack-ng installed with a single command to scan, inject packets, and crack the WEP key for an AP you select
- ability to connect to (and scan/exploit) a wired LAN (I'm guessing SILICAQ can't do this =) )
- Karmetasploit installed
- VirtualBox installed with a Windows XP virtual machine to give access to all your Windows-based tools
- Firefox and OpenOffice installed for all your normal internet surfing, work-related stuff
- Different pentest tools installed for you to play with

Normal eee 900 specs except that it's upgraded to 2 gig RAM

Price is PHP 19,500. Interested buyers email me at sujiru@gmail.com =)

Saturday, February 28, 2009

Sulit.com.ph Hacking Incident

Awesome story of how the guy who hacked sulit.com.ph was traced. It would be very interesting to follow his (possible) ensuing trial.

Original story source

So let's say you run a website with huge, huge traffic. You have a big, dedicated community, and you're raking in the ad money. Then one day, you see that your site has been hacked. You can't find a way to get inside to fix it, and your formerly awesome site is now one big ad generating revenue for somebody. That sucks, right?

That is what happened to Sulit.com.ph, the largest free classified ads site in the country.

Back on November 6, 2008, Sulit, along with some high-traffic Filipino websites, all using the .ph domain, mysteriously went down and were pointed to SEDO advertising pages. This happened just after makeuseof.com was hacked and was pointed to an advertising page. Of course, panic ensued. On the web, there was rampant speculation of domain hacking and poisoning, and for a while, everybody was scared of their domains going down.

As it turned out, this wasn't just an ordinary case of a hacker trying to prove he could do something. This guy wanted to actually profit from his misdeeds, a case of fame taking a back seat to fortune.

While this was going on, we at dotPH were working round the clock to stop further hacking, and more importantly, to catch this hacker.

How to catch a hacker

Everything you do on the web leaves a digital fingerprint behind. Whenever you make a transaction, leave a comment on a blog entry, or even watch a video at youtube, those websites will take note of your IP address. It's like leaving behind a digital trail of crumbs for internet detectives to follow. It's like CSI, only without the UV lights and the gross bodily fluid splatters.

dotPH head developer Sherwin Daganato soon checked our logs during the time it happened. He was able to paint a pretty clear picture of what the hacker did, step-by-step. At 9:24 PM on November 6, 2008, the hacker, using Internet Explorer 7 on a Windows XP computer, logged into our system and exploited a vulnerability in our website. He tried to log in to Sulit.com.ph's account. Then he clicked on the "Forgot Password" button. Using a specially-crafted cookie, he was able to get into our system without having to enter the correct password. He was now inside Sulit.com.ph's account. First thing he did was to change the login information there, effectively locking out the legitimate owner of the account. He then pointed the domain to his own Sedo account, so that he was able to monetize any traffic made by Sulit.com.ph. The hacker also used the same process on more .ph sites.

Sherwin was able to get the IP addresses of the hacker. We also know that the hacker, in all of the times he broke into our system, used MS Internet Explorer (Version 7), and the same Operating System version (MS Windows XP). We noticed that the hacker was using the same series of IP addresses, and he was using Bayantel. A quick GeoIP scan of the IP addresses pointed it to Legaspi City, Albay.

We contacted Bayantel to give us more information regarding the IP addresses. At first they were reluctant to cooperate because disclosing information about their subscribers isn't really company policy. We explained that one of their accounts was used in a hacking incident, which is against their terms and conditions. Bayantel was pretty cooperative afterwards, giving us the name of the subscriber: Mark Anthony Clemente. Clemente's registered address is at Clemente Building, Gov. Forbes St., Legaspi City, Albay.

Following the money trail

Sulit.com.ph and the other hacked sites were pointed to a SEDO advertising account. We were pretty sure that the SEDO account contains the real name of the hacker, because how else is he going to claim his money? Calling SEDO, we explained the situation, and that we needed to get the name of the hacker behind the account.

SEDO was reluctant to give us the information at first. It was understandable, because nobody wants to have their financial information readily available. SEDO told us that they suspended some accounts that made a lot of money in a short period of time. We asked them if they could give us info on these suspended accounts. Again, we got a "we can't answer that" from SEDO. In a gamble, we told them that we'll say some domains, and they tell us if they encountered those domains, or if those domains are familiar to them.

"So, is Sulit.com.ph familiar to you?" we asked SEDO.

"Yes."

And we mentioned around five domains, all getting a "Yes" from the SEDO representative. By the time we mentioned the fifth domain, the representative just laughed because everything was right on the money. The noose was tightening around our hacker.

Closing In

Since we learned of the IP addresses used by the hacker, we had been monitoring our system to see if the same IP addresses get in again. True enough, since the hacker was already able to get inside our system easily the first time around, he got greedy and created seven (7) new domains using the same IP address range used to hack the domains. Interestingly, the seven new domains had an expiry period of ten (10) years each. These new domains were created under the reseller account of an Alex Laguilles, from Gov. Forbes St., Legaspi City, Albay.

We just needed a way to confirm if he owns those domains. Laguilles had registered his legitimate and hacked domains under fake names and addresses like “Alex Pogi”. Using fake names and/or addresses was against our terms of use.

We called Laguilles, hoping to gain more information. During the call, our representative immediately identified himself as a dotPH employee, and Laguilles went silent for a good few moments. Afterwards, he was audibly nervous. We decided to not confront him on the hacking issue just yet. Instead, we asked him about the domains he legitimately owns, and why were they registered under fake names like "Alex Pogi".

He admitted that he owns those domains, but mid-conversation he backtracks and says that he just registered those domains for a friend. We also asked him if he uses MS Internet Explorer (Version 7), and the same Operating System version (MS Windows XP) when he surfs the internet, and he says yes.

We advised him to change the ownership of the domains to real names and addresses.

At the end of the call, he asks us "Yun lang? (That's it?)," apparently expecting something worse.

Result: He basically admits to accessing the same dotPH account used in the hacking, and using the same computer and browser the hacker used.

We then called SEDO again to see if both the hacked domains and the new domains were pointed to the same account. SEDO confirmed that they were, and that they had already suspended all payments because of our concern and also because of the unusually high volume of traffic, which usually indicates fraudulent clickthroughs.

All we needed to close this case was to prove that Laguilles was indeed the hacker, and to see if he was working with somebody else.

Going Cloak and Dagger

We sent Mario Inocando to Legaspi City. As our operative was en route to Albay, we were gathering all that we could about Legaspi City, Clemente Building, Mark Clemente, and Alex Laguilles. We looked up the address on Wikimapia to make sure our operative knew the exact location, and we coordinated with our operative every step of the way.

We even provided our operative with a spy camera (yes, that camera inspired hundreds of bad James Bond jokes). This proved to be pretty useful afterwards, because our operative was able to send us surveillance photos of Clemente Building. Well, the operative was at a loss on how to approach the people inside the building and we needed the photos to figure out a plan.

There was an office called Megapixel on the ground floor. We decided that the best way to approach them without arousing any suspicion was to pretend to be interested in their business. We called them up. As we fished for information about Clemente and Laguilles, we found out that Megapixel is owned by Clemente. We told them that we were sending somebody so our operative won't come off as suspicious.

True enough, our operative was able to talk to the people at Vodacom. Even though Clemente and Laguilles were not present at that time, he was able to gain a great deal of information.

We found out that Alex Laguilles worked as a developer/programmer for Vodacom, another company owned by Clemente. Vodacom is also housed in the same building. Laguilles used the office internet connection that Clemente owns (which explains the IP addresses) to hack into our system. Interestingly enough, the people there knew about the hacking incident, even though they were reluctant to disclose any of the details. So far, no evidence points to Clemente being involved in this, except that his internet account was used (probably without his knowledge) for the hacking incident.

The hacking incident took place on November 6, and by Monday the 10th we had already ID'ed the guy and found out where he operates from. It took us some more time to get the documentation needed to file a case, after which we handed all our evidence to NBI. Laguilles should be expecting a knock on his door any time soon.

Now all evidence points to Laguilles not being in the hacking game for long. He probably found a hole in our security and he used it for monetary gain. There was no real effort at all to cover his tracks. There will be more hackers, and they will not be as careless as Laguilles. dotPH will remain vigilant for more hacking incidents in our system, and end any hacking activity as soon as we detect it, find the source, and use legal action against the perpetrators.

Sunday, January 11, 2009

BDO ATM Cmd Shell

Great shot by Yugatech of a Banco De Oro ATM machine dropping to a cmd shell and executing an ftp script. The IP address shown is inside their local network and uploads are sent to a "backup" folder. Seems to be a backup script executed by the "at" service, which is why the script is executed by svchost.exe. No idea why it would show the cmd window unless the /interactive switch was included, although that would be very weird on such a machine. Some exploits do execute a cmd shell through svchost though. =)

Tuesday, January 6, 2009

I.T. Security Bootcamp 2009
Brought to you by Bitshield

Other events scheduled are:

EC-Council Certified Security Analyst/Licensed Penetration Tester
January 23, 24, 30, 31 & February 13, 2009

Certified Ethical Hacking and Countermeasures
February 20, 21, 27, 28 & March 6, 2009

IT Security Essentials
"Are You Safe And Secure?" January 26, 2009
The I.T. Security Bootcamp 2009 costs 7,000.00 Php, but you get to stay at a resort in Puerto Galera =) There's probably a separate fee for the CompTIA Security+ Examination though; the ad didn't state that =)

Sunday, December 14, 2008

Defconph.org's Bloggers Conference Meeting

In an email sent to its members, the organizers of defconph.org gave a brief summary of what happened at the meeting with members of the Cebu Bloggers Society.

Greetings DefconPH Forum Members,

This is to inform you that the Bloggers Conference Meeting with DefconPH this morning (Dec. 14, 2008) was successful with the presence of some members of Cebu Bloggers Society. We started at around 10:30 AM and finished at around 12 noon; the location was at Bo's Coffee Shop near Cebu Doctor's College.

Agenda during the Bloggers Conference Meeting (Dec. 14, 2008):
a) Intro about DefconPH as an organization
b) Overview about the topics on Dec. 20, 2008
c) What to expect from DefconPH
d) Future Plans of DefconPH
e) Mechanics of some games during the Con (June 2009)
f) Inviting members to help organize future events of DefconPH
g) Look for sponsors for the Con on June 2009
h) TShirts to be distributed on Dec. 17, 2008 at the event venue
i) History of well known IT Professionals / h**kers
j) And many more...

DefconPH is not a company but an organization. The success of the organization entirely depends on its members.

Like what I said to Semprix, let's start small using our available resources and manpower.

Thanks for your support and we're always looking for members who can actively contribute for the success of DefconPH, collectively.

Thanks and more power to you as well.