Pegasus spyware and MVT

So just for the heck of it I installed MVT (Mobile Verification Toolkit) the other day, which is a piece of software released by Amnesty international to check if you have Pegasus spyware installed on your phone.

If you haven’t read about it Pegasus spyware is some nasty stuff (It’s developed by the Israeli cyberarms firm NSO Group). It seems it was installed on Jamal Khashoggi’s phone (you know that chap who was assassinated by agents of the Saudi government at the Saudi consulate in Istanbul, Turkey). Also today I read that Sheikh Mohammed used spyware on Princess Haya and five associates in an unlawful abuse of power.

In short this Pegasus spyware is so bad, they recommend that if it’s installed on your phone you should get rid of / destroy the phone. Apparently even erasing the phone from scratch has no effect!

The detection software it’s self is command line interface based (So not for the average user) and it took a bit of mucking about to get it to run. Using a debian linux machine from scratch it took an hour or 2 to get the dependencies and settings on the phone sorted so that the computer could fossick about the phone for any trace of the nasty.

Although it’s satisfying to be able to do this – the need to do more to protect your devices sprang to mind – a quick glance thru some of the documentation came up a number of urls a few of which I’ll list.

free247downloads[.]com
urlpush[.]net
get1tn0w.free247downloads[.]com
infospress[.]com
https://d38j2563clgblt.cloudfront[.]net
https://2far1v4lv8.get1tn0w.free247downloads[.]com

There is more in this document that you might like to grep thru.
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/.

Be warned The [.] should be removed to find the current related ip address. Do this with care, and only use command line interface related commands, do not open any of the above in a browser!

Which brings up the issue of if your running your own network and routers. I’d slap some acl’s on these darn things and the related ip address, as it will give you a little more protection against possible infection.

In addition to this, is that this software seems to use a lot of url redirects. So if your concerned this article on how to stop redirects may be worth reading.

https://www.techadvisor.com/how-to/internet/how-block-webpage-redirects-3690103/

Stay safe people. It seems that the Internet is still the wild wild west.

You can find the mvt software here.
https://github.com/mvt-project/mvt

How long is your backup!

Computers screensRestoring backups can take some time! A number of years ago we had a NAS die on us. That was ok because we had it backed up on tape! (you know where this story is going?) Well the restore worked ok, and we were lucky because we could grab what we needed and then worry about the rest later…. but it took well over a week (and a lot of stuffing tapes into a machine) to get that thingĀ  up and running again.

I helped a friend back up her laptop the other day – we used a usb3 drive that had an ssd installed – it took about an hour to restore 6-7 hundred gig’s worth of data. How much data do you have?

One element of contemporary Cyber Security is to have multiple backups so that if you don’t want to pay all that bitcoin to the bad guys, you just start with a new machine (or wipe the old one, if your brave enough) and start from backup.

The problem is of course is that if your whole network or 70 of your machines are now large bricks? How long is that process going to take and how much human power are you going to need to get things running again? Not to mention the cost.

A couple of things to consider is Cyber liability insurance. (although this is still not going to help if your public reputation is part of the issue)

A very good disaster recovery plan that is regularly tested and paid for as part of the on going company budget. The frustrating thing of course is that we hope that you never need this (just like dental work) we hope that things are going to be just fine and all. But hey – stay safe on the inter-webs people…. and maybe consider how long that backup / restore process takes.

If you want to read more about the horrors of being hacked and ransome ware and further discussion of the backup process this article from Brian Kerbs is well worth the read.

 

https://krebsonseurity.com/2021/07/dont-wanna-pay-ransom-gangs-test-your-backups/

xeuledoc

xeuledoc is a tool (hacking?) that can determine the owner of a google doc and often the name and email are available. I’ve been testing it and it seems to work well! Although it seems to only work with publicly shared documents.

The interesting thing is that you may not want your name and email address available to every one! Ever shared info via a google doc? You may be exposing at least your name and email to people who are unscrupulous – might be time to think about all the docs you may have shared! Is it a good thing that your email address and name are linked to this data?

It also seems to work with the “Security setting” anyone who has this link. It will be interesting to see if google “fix” this, and how long it might take.

Note this above example is included in the application as published by its owner.

Github link to application
https://github.com/Malfrats/xeuledoc

Apparently it can also work on
Google Docs – Google Spreadsheets – Google Slides – Google Drawning – Google My Maps – Google Apps Script – Google Jamboard

Terminal escape injection techniques

It’s interesting in that shell scripts (small one’s) seem just like friendly bits of code that you can run. That’s not always the case, it’s probably never a good idea to just download a script and run it (esp using curl or wget). I discovered this very interesting article the other day about terminal escape injection and it works on pretty much every platform – mac, windows linux and even within python!

When in dought use cat -v in fact cat -v may be my new default for viewing code!

https://www.infosecmatter.com/terminal-escape-injection/