SteelCon: Mahkra ni Orroz

Credit to Author: Christopher Boyd | Date: Wed, 26 Jul 2017 15:00:43 +0000

I recently gave a talk at Sheffield’s SteelCon, a huge security event spread over a few days with no end of interesting activities taking place.

[Image: talk intro]

My presentation, called Mahkra ni Orroz, is a good 45 minutes of non-stop talking and pictures and things. It’s also a bit different in terms of what I usually give presentations on, but to say anything more would spoil it. The post below won’t make much sense unless you’ve already seen it – suffice to say, pulling off this type of talk presented me with a number of interesting creative decisions as to how to put the thing together. I thought it might be fun to look at some of those challenges, rather than just rehash the talk in text form.

With that in mind, don’t go any further unless you’ve set aside an hour or so then go watch the video. After that, come back and all the words will make a lot more sense.

Effectively, this is a tale in two segments – the first deals with the initial takedown and struggle with people targeting support groups on Myspace and using those connections to roll out hacking tools/malware elsewhere. The second half is all about me being targeted by “St Prophage” and the assortment of individuals they rounded up to go after me.

If you’ve now watched the video – which I hope you have – then you’re probably aware that presenting something like this is challenging on a number of levels. Lots of things could go wrong both in the slide construction and in the presentation itself. Rather than reproduce the presentation with a blog post, I thought it’d be fun to go behind the scenes and paint a picture of the kind of challenges I had when constructing this thing.

Without further ado:

1) The Lying Game

This may seem obvious, but the presentation style needs to be 100% on point. For the reveal at the end to work, I need to pull off lying – convincingly – to a room full of infosec pros, many of whom get paid daily to social engineer their way into buildings and corporations as part of their job. If I wobble, stumble, falter or just generally blow it at any point during the second half, the whole talk falls apart and it is deader than disco for the last 30 or so minutes.

It was crucial that the “Oh hey, I hate this guy too, let’s go to my forum” moment passed without raising suspicion. Also, nobody must ask “But how did he have all these screenshots?” until after the talk, preferably when they’re driving home. I’ve never attempted this before, so without a doubt this was the most nerve wracking part of the entire experience.

2) Prep time and threading the narrative

There’s only so much you can cover, even in 40 minutes, when dealing with a tale that involves a background story, multiple takedowns, a new challenger appears, and a slow slide into “How do you get out of this?” There were lots more hoops people jumped through on the Prophage forums, many of which were incredibly silly / time wasters to the point of absurdity, but I had to take care to select the main narrative thread that suggested “serious things afoot”.

For example, it finishes with an apparent money mule scam; I had another, more serious fakeout I could have used in its place, but it would have probably taken an extra 10 minutes to cover properly which is time I didn’t have available. When I started this whole thing off back in 2008, I realised I’d have to try out variations of posts in a private testing area prior to making them live on the forum – can’t do a grand “anagram reveal” post if I managed to typo said anagram, for example.

I also dabbled in acrostics, and due to the way forums semi-randomly space words out, it’s impossible to know in advance whether an acrostic will work if the layout decides to push a crucial word one line down. As a result, I had maybe three to six versions of each Prophage forum post prior to going live, and would carefully read through every new thing about to go live, tweaking / editing / firing out of a cannon before I was happy with the results. Here are three versions of the “Who likes anagrams” post (I ended up with about a dozen):

[Slideshow: three versions of the “Who likes anagrams” post]

You’ll notice Prophage had their location listed as California, and I was careful to avoid any words that betrayed a lack of US origin. I also spent some time making sure none of the forum posts sounded overly dramatic or flat out unbelievable, and (again) made many posts in private trying things out.

I did ponder including this as a section at the end reveal, but again – time, the ultimate enemy.

3) Digital entropy

Screenshots from 10 or so years ago don’t tend to age well. They’re possibly too small, or low-res, or not useful, or you might have lost a bunch down the back of the couch or something. You don’t really expect to go that far back for presentation content (most talks are all about being as current as possible), so it took an amazing amount of time to round everything up. Additionally, my archiving now is hugely improved on what it once was, so much of this wasn’t named uniquely, or stored in any logical fashion, or images were split across endless folders in the silliest of places.

[Image: orroz files]

It’s also a headache trying to reconstruct a threaded narrative that makes sense from hundreds of jpegs and bits of text. Some important bits were missing, and while I could attach sections of one screenshot to another in some cases, others were so utterly AWOL that I had to abandon potentially useful information – I couldn’t just invent things in place of missing content, even where it really would have benefited (for example, some Private Messages sent on Myspace which have long since gone kaboom).

4) Never work with children, animals, or computers in a live environment

Technical horrors – ah, my favourite part. “Hunt the randomly named jpeg” was bad enough, but many really important pieces of the puzzle had been saved as complete HTML pages. Well, sort of – depending on how the original site(s) had been designed, these long-dead web pages would now display very bizarrely (and in some cases refuse to open at all, especially if designed with a particular type of ancient browser in mind).

I had no choice but to try and rebuild them, RoboCop style, and due to reasons of time, I had to do it on a Mac. I’m the guy who can’t work out how to un-reverse the mousewheel in Safari or find the Documents folder, so downloading half a dozen WYSIWYG editors (only one of which actually installed and – kinda – worked) was a bit of a nightmare.

[Image: no idea]

I also have no idea what I’m doing with HTML, so this part caused considerable headaches. My favourite goof is the one on the anagram reveal slide. Remember the multiple versions of each Prophage post, and how I’d wanted to include some of the variations at the end? Well, I managed to do this in the end, but only by accident…while including a spectacular error into the bargain.

Check out the first “Who likes anagrams” slide at 39:18 – you’ll see it says “posted today”. Now look at the return of this slide at 42:47 – spot the difference? I managed to keep things (mostly) on point for the 80 odd slides I worked with, but here I managed to mix up two of the “variants” of the anagram post.

The text on the second slide is slightly different, mentioning “We’ve had fun for six months”, having been created before the action took place and including a rough guess of how long this would all last for (in the end, it was more like half that I think).

Worse, while rebuilding the page in the Mac WYSIWYG editor, I somehow inserted the 2017 date I was working on as the forum post timestamp, which might confuse people into thinking I’m a time traveller.

My biggest gripe is that two important slides during the reveal section – one about how the “bank manager’s PC” was actually a virtual machine honeypot, the other about how people had been sending their infection files to an AV vendor – failed to trigger. Another (less important) slide went missing near the start too, but on the bright side the video played automatically and didn’t break anything so I can’t complain too much (that’s a lie, I’m always complaining).

5) “He was a (paper) ghost the whole time!”

The big reveal: undoubtedly the trickiest part. If the reveal falls flat, the whole talk is a bust. You’ll notice that the true reveal – to the people on the forum – isn’t used in the presentation at all. The reveal begins and ends with the post preceding it, which is the one about anagrams.

That’s because the actual explanation forum post was designed to spill the beans in a rather undramatic “So yeah, you’ve been punked. Whoops” fashion. It worked great on the forum, but pulling the rug away from people who have been watching lots of pictures of forums with…another picture of a forum isn’t exactly the exciting curtain toss I was hoping for. It would be flat and boring and dull. I’ll likely never post that one, because unless you happened to be there at the time, there’s nothing particularly exciting about it.

Instead, I had a think about how movies with a twist pull off a reveal, and it’s all about show, don’t tell. The Usual Suspects, The Sixth Sense, even TV shows like the UK’s Sherlock and more besides – they use rapid cuts and fade-ins to visually show you the “clues” in summary before wrapping things up. A bit unusual for a slide deck, but that’s what I went with and thankfully it worked really well. It’s difficult to pick up some of the audience noises as I work through the “ah, but…” slides, but it was pretty exciting to see and hear the pennies drop as everything came into focus.

You’ll notice I also changed the background colour for those slides – from a standard white template to a black one – to make it visually clear something different was happening.

[Slideshow: the black-background reveal slides]

I also moved from the “Who likes anagrams” slide to a black screen very quickly to keep everyone a little off balance, diving into the reveal slides before they could potentially work it out for themselves.

6) DNE EHT

I had a huge amount of fun putting this one together, and spent a very long time making sure everything aligned as well as it possibly could. I’ve been asked to do a few more presentations of this talk and I’m already busy editing and adding some different content – there’s certainly enough to choose from.

I might even work out how to install programs on a Mac properly next time around…

Christopher Boyd

The post SteelCon: Mahkra ni Orroz appeared first on Malwarebytes Labs.
