Wartime Pigeons

Transcript

1. WARTIME PIGEONS 2022.3.29 OWASP SAITAMA MTG #7, TALK #2

2. TEXT SESSION FLAGS ▸ ࿥ըɾ࿥Իɾެ։: OK Image by Nico Kaiser

   on flickr, CC-BY 2.0

3. TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey) 
 https://keybase.io/alterakey

   ▸ Monolith Works Inc. 
 Co-founder, CTO 
 Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ 
 ٬һݚڀһ

4. TEXT WHAT I DO ▸ Security research and development ▸

   iOS/Android Apps 
 →Financial, Games, IoT related, etc. (>200) 
 →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps 
 →POS, RAD tools etc. ▸ Network/Web penetration testing 
 →PCI-DSS etc. ▸ Search engine reconnaissance 
 (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

5. TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

   METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ 
 DEF CON 25 Demo Labs (2017) 
 DEF CON 27 AI Village (2019) 
 CODE BLUE (2017, 2019) 
 CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

6. TEXT BACKGROUND ▸ ϩγΞʹΑΔ΢ΫϥΠφ৵߈ ▸ IT Army of Ukraine 


   ΢ΫϥΠφ͕ࢦش͢ΔαΠόʔٛ༐܉ ▸ Ճೖཁ݅: ಛʹͳ͠ ▸ ৘ใ఻ୡ: Telegram

7. TEXT TELEGRAM ▸ Telegram ▸ ϩγΞͰVKΛڵͨ͠Durovܑఋ͕ॻ͍ͨ 
 IMϓϥοτϑΥʔϜ 
 →VK͸ϓʔνϯ੓ݖʹ઀ऩ͞ΕɺPavel͕ѹྗ

   Λݏͬͯࠃ֎Ҡॅͨ͠ޙɺ࢒ͬͨNikolaiΛۚમ తʹࢧԉ͠MTProto (લ਎) ͕ग़དྷͨ… ▸ ӳࠃόʔδϯॾౡͱυόΠʹHQ͕͋Δ ▸ ӦརΛ໨తͱ͠ͳ͍ɺ͕ͩඇӦརஂମͰ͸ͳ͍

8. TEXT TELEGRAM ▸ Telegram ▸ L&Fͱͯ͠͸LINEʹ͍ۙ 
 →ଟ෼ର৅ௌऺ͕͍ۙͷͰ͸ ▸ ೔ຊͰ͸࠮ٗूஂ͕ࢦش໋ྩܥ౷ʹ࠾༻

   ▸ Self-destruction / E2EE ▸ ௥੻͕೉͍͠ͱ͍͏͜ͱͰݏΘΕΔ ▸ ϓϥοτϑΥʔϜతʹ͸ѱ͍΋ͷͰ͸ͳ͍

9. TEXT TELEGRAM ▸ Telegram ▸ ҉߸ܥͷܽؕ → Ұ࣌ظ͕͋ͬͨɺݱࡏ͸վम ͞Ε͍ͯΔ (Royal

   Holloway/ETH Zurich) 
 ※੓ݖʹΑΔׯবʹ͍ͭͯ͸৘ใ͕ͳ͍ ▸ ߴ౓ͳ҉߸Խʁˠ E2EE͸ݸਓ͚ؒͩ ▸ ߴ౓ͳಗ໊ੑʁ → ి࿩൪߸ʹඥ෇͚ 
 Self-destruction͸Snapchat/WhatsappͰ΋ ׂͱී௨ʹ͋Δ

10. TEXT OPEN QUESTIONS ▸ αʔό͸Ͳ͜ʹ͋Δͷ͔ ▸ ੓ݖͷख͕ಧ͘Մೳੑ͸ʁ ▸ ٛ༐܉ͷࢦشʹ଱͑ΔΑ͏ͳ҆શੑͳͷ͔ ▸

    Ϣʔβͷ਎ݩׂ͕ΕΔՄೳੑ͸ʁ ▸ Ϣʔβͷपลਓ෺ׂ͕ΕΔՄೳੑ͸ʁ ▸ ཪ੾Γ͔Ͷͳ͍Ӆ͠ػೳͳͲͷଘࡏ͸ʁ Image by ☼☼Jo Zimny Photos☼☼ on flickr, CC-BY-NC-ND 2.0

11. TEXT TELEGRAM ▸ Telegram ▸ ΫϥΠΞϯτ͸FLOSS (GPL-2) ▸ UI/UX͸ඇৗʹ༏Ε͍ͯΔͱײ͡Δ ▸

    αʔό΋౰ॳެ։͢Δͱ͍ͯͨ͠ͷ͕ͩ… 
 ެ։ʹ޲͚ͨಈ͖͸ࠓͷͱ͜Ζͳ͍

12. TEXT ANALYSIS ▸ Telegram for Android 8.6.2 (࠷৽) ▸ πʔϧΩοτ

    ▸ Trueseeing 2.1.2 ▸ github (FLOSSͱ͍͏͜ͱͰ) Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0

13. TEXT MANIFEST ANALYSIS ▸ API: 23ʙ (target: 30) ▸ Network

    Security Con fi g: ͳ͠ ▸ ݖݶཁٻ: ඇৗʹଟ͍͕ɺ·ͩଥ౰ͳൣғ

14. TEXT DATACENTER GEOLOCATION ▸ GB: 
 149.154.175.50:443 
 2001:b28:f23d:f001:0000:0000:0000:000a:443 


    149.154.167.51:443 
 2001:67c:4e8:f002:0000:0000:0000:000a:443 
 149.154.175.100:443 
 2001:b28:f23d:f003:0000:0000:0000:000a:443 
 149.154.167.91:443 
 2001:67c:4e8:f004:0000:0000:0000:000a:443 
 149.154.171.5:443 
 2001:b28:f23f:f005:0000:0000:0000:000a:443 
 149.154.175.40:443 
 2001:b28:f23d:f001:0000:0000:0000:000e:443 
 149.154.167.40:443 
 2001:67c:4e8:f002:0000:0000:0000:000e:443 
 149.154.175.117:443 
 2001:b28:f23d:f003:0000:0000:0000:000e:443

15. TEXT DATACENTER GEOLOCATION ▸ NL/GB: 
 95.161.76.100:443 ▸ Telegram Messenger

    Inc (AS62041) ▸ Global Network Management Inc (AG) ; AS31500 ▸ Vodafone Group PLC (GB) ; AS1273 ▸ Telecom Italia S.p.A (IT) ; AS3269 ▸ Amsterdam Internet Exchange B.V. (NL) ; AS6777

16. TEXT FINDINGS ▸ AS62041ͷ୅දऀ͸Nikolai ▸ ࠃ֎Ҡॅͨ͠ͷ͸ఋͷPavelͷํͳ͸ͣ ▸ Wikipedia͕ؒҧ͍ͬͯΔʁ ▸ ࿐಺ʹ͍ͭͭࠃ֎اۀͷCEOΛ͍ͯ͠Δʁ

17. TEXT FINDINGS ▸ API: 23ʙ (target: 30) 
 Network Security

    Con fi g: ͳ͠ ▸ TLS interception (API == 23) ▸ ݱ࣌఺ͰAPI 23Λٹࡁ͢Δཧ༝ͱ͸…

18. TEXT FINDINGS ▸ ฏจ௨৴ ▸ Google Map Directions: ݱࡏ஍ͱߦ͖ઌ͕࿙ ΕΔՄೳੑ

19. TEXT FINDINGS ▸ ฏจ௨৴ ▸ ͋Δಈըڞ༗αʔϏεΛ࢖༻ͨ͠ࡍʹɺӾཡ ཤྺ͕࿙ΕΔՄೳੑ

20. TEXT FINDINGS ▸ ฏจ௨৴ ▸ ಺ଂWebViewʹ͓͍ͯMIXED_MODEͷ໌ࣔ త༗ޮԽͷࣔࠦ → Ϛϧ΢ΣΞૠೖՄೳੑ

21. TEXT REPORTING POLICY? ▸ Issueͷӡ༻͕ͳ͍, PRͷϚʔδ͕ۃ୺ʹগͳ͍ 
 →ಁ໌ͳҹ৅͸ड͚ͳ͍

22. TEXT FINDINGS ▸ ి࿩൪߸ͷ޿ൣͳ࢖༻ ▸ ͳͥి࿩൪߸ʹؔ࿈෇͚͕ͨΔͷ͔… ▸ ॳظcontactsͷੜ੒

23. TEXT PHONE NUMBERS AS IDS ▸ ి࿩൪߸ͷ޿ൣͳ࢖༻ ▸ SignalͳͲͰ΋͜ͷ܏޲ ▸

    Session͕͜ΕΛഉ͢Δ࣮ݧΛ͍ͯ͠Δ͕…

24. TEXT TAKEAWAYS ▸ IT ArmyͷࢦشʹTelegram͕࢖༻͞Ε͍ͯΔ ▸ TelegramΫϥΠΞϯτ͸FLOSS ▸ αʔό͸ӳࠃ·ͨ͸Φϥϯμ ▸

    ໨ཱͬͯ҆શͱ͍͏Θ͚Ͱ͸ͳ͍ ▸ Ή͠Ζएׯͷෆ͕҆࢒Δ 
 →͍͔ͭ͘ͷ໰୊ɺՃ͑ͯӡӦ͕ෆಁ໌ 
 →ݸਓతʹ͸࢖͍ͨ͘ͳ͍

25. TEXT TAKEAWAYS ▸ ͲͪΒ͔ͱ͍͑͹Signalͷ΄͏͕͍͍͕… ▸ ి࿩൪߸ʹؔ࿈෇͚Δͷ͸΍Ίͯ΄͍͠

26. TEXT OPEN QUESTIONS, REVISITED ▸ αʔό͸Ͳ͜ʹ͋Δͷ͔ ▸ ੓ݖͷख͕ಧ͘Մೳੑ͸ʁ → ଟ෼ͳ͍

    ▸ ٛ༐܉ͷࢦشʹ଱͑ΔΑ͏ͳ҆શੑͳͷ͔ ▸ Ϣʔβͷ਎ݩׂ͕ΕΔՄೳੑ͸ʁˠ͋Δ ▸ Ϣʔβͷपลਓ෺ׂ͕ΕΔՄೳੑ͸ʁˠ͋Δ ▸ ཪ੾Γ͔Ͷͳ͍Ӆ͠ػೳͳͲͷଘࡏ͸ʁ 
 →ଟ෼ͳ͍ Image by ☼☼Jo Zimny Photos☼☼ on flickr, CC-BY-NC-ND 2.0

27. FIN. 2022.3.29 TAKAHIRO YOSHIMURA (@ALTERAKEY)