Per gli italiani: scusatemi, prometto di scrivere di nuovo in italiano presto :).
It was about time for a little manhunt… I didn’t one since the last intrusion on Lastknight.com, but a dear friend of mine, Fabio pointed me to an interesting study that smelled a little too much of “marketing stunt”.
DISCLOSURE: Fabio and I are long time friends and we’ve done some work together. Presently we do not have any kind of business together, aside from some beers and som dinners together :) He asked me to lend a hand in finding “if I could trace who’s behind InfoSecurityGuard.com” and I decided to throw a little bit of my Sunday on it…
Fabio works in a Secure Communication firm, which has created a nifty little cellphone encryption app and some days ago the protocol underlying this app, along with a bunch of other competitors, was tested by a strange unknown indipendent examiner which presented himself with the name of Notrax, a YouTube Channel and a a funny bio:
¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night.
The testing method seems to me a little shaky, but that’s not the point (not mine, at least) and Fabio explained in some length his view on the subject that may or may not be the truth. The point behind it is the total anonymity that Mr.Notrax seems to want to achieve with the report. That seems strange, considered how many man-hours he has surely spent on the detailed and time consumptive work.
Fabio’s sixth sense tingled some strangeness when shortly after publication he found a complex press releases by SecurStar Gmbh published on BusinessWire flaunting their solution (namely PhoneCrypt) as:
PhoneCrypt from SecurStar was one of only three solutions that successfully blocked hacker attacks that were made using a simple wiretapping Trojan
And the press release goes in much more detail:
Like most security breaches, Notrax went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques, said Wilfried Hafner, CEO at SecurStar that developed the PhoneCrypt solution. Unlike most of the vendors investigated, we recognized this potential security gap from the start and designed in measures to deliver complete end-to-end protection against eavesdropping.
Don’t get me wrong: it is perfectly fine for every business to prance a little bit when someone finds out your product rocks :) I’ve been doing it more than once as a CEO for our product FoolDNS and I know how it feels. But for Fabio it seemed sort of wrong for some reason, and in a Sunday morning in Skype, after a good dinner together the day before, he started thinking maybe something wasn’t good and asked me a little bit of help in trying to find out who is the mysterious Notrax behind the domain InfoSecurityGuard. And here the story start to grow interesting :)
Domain Name: INFOSECURITYGUARD.COM Registrar: GODADDY.COM, INC. Name Server: NS61.DOMAINCONTROL.COM Updated Date: 01-dec-2009 Creation Date: 01-dec-2009 Expiration Date: 01-dec-2010 It is fairly new, something you expect for a custom-created domain, and it has the common Privacy Guard services we have all learned to know:
Private, Registration INFOSECURITYGUARD.COM@domainsbyproxy.com Domains by Proxy, Inc. DomainsByProxy.com 15111 N. Hayden Rd., Ste 160, PMB 353 Scottsdale, Arizona 85260 United States (480) 624-2599 Fax — (480) 624-2598 So we can only hope in a sort of error fron kind Mr.Notrax. The one everyone does now and then (and me more than anyone I know :P).
And this time the error is quite stupid: a single wordpress trackback. In fact when Fabio commented on InfoPrivacyGuard, the admin action made by Notrax on his Anonymous Blog by approving the post, generated a beautiful http request on Fabio’s WordPress blog, a request that we were able to recover from the Apache logfiles:
126.96.36.199 – – [30/Jan/2010:02:56:37 -0700] “GET /20100129/licensed-by-israel-ministry-of-defense-how-things-really-works/ HTTP/1.0” 200 5795 “http://infosecurityguard.com/wp-admin/edit-comments.php” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”
As you may see, the the action was generated by a page (edit-comments.php) that can be accessed only by the Administrator of the InfoSecurityGuard blog. We can be quite sure, so, that the administrator logged into the WordPress Dashboard and visited Fabio’s Blog from the IP 188.8.131.52.
This is, by now, our only data. We must find everything we can about it, because it can be either most useful or completely useless if Mr. Notrax has used a Proxy and/or a TOR like connection to administer the domain (which is quite common with paranoids like us).
First of all the IP 184.108.40.206 seem to be German as SecurStar is, but this can just be a coincidence. In addition to this many TOR servers are located in Germany as anyone can discover with a little effort. So let’s take a look at the data associated with the IP 220.127.116.11:
inetnum: 18.104.22.168 – 22.214.171.124 netname: DTAG-STATIC03 descr: Deutsche Telekom AG T-DSL Business static dial-up
Traceroute infos are not intresting too and the Reverse Lookup on the domain only tell us that 126.96.36.199 is pd907d53b.dip0.t-ipconnect.de.
Nothing intresting, so? Almost…
In fact, CONNECTING to http://pd907d53b.dip0.t-ipconnect.de gives us a very interesting answer: not only the machine on the other side is a CentOs server, but it seem to run an instance of FreePBX, a beautiful and most easy to setup OSS Voip PBX:
The SysAdm seem to have been a little shaky on the Security part: the Administrative Interface, which normally isn’t exposed on the web, is there in clear. We do NOT know the user and password and surely we do NOT want to do anything illegal by trying to force it, but still we are able to take a peek at the Flash Operation Panel, mapping all the phones connected and giving the common name of the single phones on this page:
Ok, aside from a funny interface to play with (something that we do not want to do) what have we got here? Nothing very specific, to be fair, aside from some names:
- Wilfred Hafner
- Tiago Mendez
- Shaun Holligworth
- Can Yavuzylmax
- Markus Besinger
- Karina Cabral
- Dragos Pirte
- Mark Incley
It doesn’t need the young Sherlock Holmes to find out that all these names are from SecureStar Gmbh and, precisely: * Wilfried Hafner – CEO * * Shaun Holligworth – *Guru of Security * Can Yavuzylmax – County Manager (LinkedIn) * Markus Besinger – System Administrator (LinkedIn) * Mark Incley – Mobile Software Developer
And so SOMEONE at SecurStar headquarters quite obviously has been playing strange games and while I don’t really have anything to say with that, it seems to me that crafting the press release and spreading it without disclosing that the study was internally made or at least made by someone who work there isn’t really proper.
I don’t really know if it was deliberate or not (maybe they just didnt know some of their employers did it… hemmm…), but certainly I’d like to know a little more about WHO in the company is known by the name of Mr.Notrax and why he has crafted the site at InfoSecurityGuard to place their product in the best light. And feigning there wasn’t any kind of involvement.
Mr.Notrax is certainly a smart and awfully good guy, but until a little bit more light is shed on the entire thing I think I’ll have to doubt everything that comes from him.
And I really hope all this stuff isn’t really just undercover market for the German company, a maneuver that is even Illegal in most parts of the world, for example prohibited by the UK Consumer Protection from Unfair Trading Regulations.
Paranoia is a virtue.
UPDATE: Fabio has updated his blog with a very strong opinioned that doesn’t necessarily reflect my position. The only thing I want to find out is the level of trust I should put in Mr.Notrax…