Saturday, December 15, 2012

Tracking an Internet User with VoIP

I started taking a closer look at SIP traffic last year, looking for areas to explore - especially information leaks. Of course, if you're receiving a VoIP call plenty of information leaks out: source and destination phone numbers, source and destination IP addresses, client versions, NAT traversal data (internal IP addresses), etc. But you're part of the call, so it's not particularly significant that you're getting some detailed technical information about the caller. But what about when you call someone else, or even just scan SIP services without establishing a call?

Sunday, October 28, 2012

Monitoring GSM Networks with SNORT

Last December, during the annual Computer Chaos Congress, I was testing out OsmocomBB and monitoring the CCC test GSM base stations. It gave me a chance to monitor a GSM network being used in a test environment. Since the network was run by OpenBTS and OpenBSC I expected the network to exhibit some differences to more traditional equipment from Ericsson, Siemens, etc. I wanted to try to fingerprint the differences in GSM equipment in order to detect anomalies to assist in identifying rogue GSM towers and/or  what are often referred to as "IMSI-catchers". Within a few minutes of monitoring I realized I wouldn't be disappointed. The very first thing that caught my eye was this very interesting frame...

Wednesday, October 3, 2012

Learning from Spam


Occasionally I like to look at the dark side of the internet. And spam does a great job of bringing plenty of malware-laden websites to my spam folder for me to stroll through. Today I stumbled upon a very nicely crafted email from "YouTube":



What caught my attention was that the sender took the time to craft this naughty email with care. If you look closely, when hovering over the links that I expected to take me to www.exploit-my-accounts-please.com, my email client didn't show a link to something naughty, but rather a hover text showing a legitimate link to YouTube:

It looks strangely legitimate...


Upon closer inspection it seems that the sender hid the links in a nifty way - by assigning a "title" attribute to the style property within the <a> tag that linked to the sender's website:

<a href="http://7boxtoday.com/mentioning.html"style="text-decoration:none; color:#1C62B9;"title="http://www.youtube.com/inbox?folder=messages&feature=em-message_received">inbox</a>.

This is the kind of subtle change that can make it difficult for a common user to detect anomalies in their email. When confronted with suspicious emails I often hover over links to see where they really go and I was surprised to see what looked like a legitimate link show up in the hover text. Very nice job, Mr. Attacker. I learned something new from you today.

Tuesday, September 18, 2012

Two Quick Email Forensic Nuggets

Email is certainly one of the more prevelant methods of spreading malware to a target, and likely one that any network analyst is going to be investigating on a regular basis. While nearly every bit of an email header can be found documented thoroughly at places such as the Forensic Wiki, there are a few tricks I've figured out along the way that I haven't seen anywhere else and they could help with that email you're trying to figure out where it came from.

Saturday, September 1, 2012

Research Tip: When WHOIS doesn't work

WHOIS is a great service when trying to find who owns a domain. Of course, if the domain isn't legitimate, then much of the WHOIS data is probably fake. That said, there's one thing that people can't typically fake: the email address. At least we have that to start with right?

So, there you are, trying to find out who owns this rather shady looking domain name. You hop over to your favorite domain lookup website, or your terminal and...