
Steganography, SCADA, Propaganda, Windows SYMLINKs

posted Jul 4, 2016, 12:45 AM by Sami Lehtinen   [ updated Jul 31, 2016, 9:39 AM ]
  • Sometimes it takes some provoking to get people to access honeypots. It's unfortunately often assumed that the adversary hasn't prepared for what's happening. But it can so easily happen that the hunter becomes the prey, and the prey is just luring the hunter into a honeypot trap.
  • Played a while with a steganographic social overlay network, which worked very well. It uses three layers: first, a steganographic layer to hide the presence of the message; next, generally well-known and trusted encryption; and as the third layer, very strong niche encryption. The niche layer is there just in case the generally well-known encryption fails for any reason: there's still another layer beneath it that is even worse for the attacker. And if the niche encryption fails for some reason, it doesn't matter, because the well-known and generally trusted encryption layer is still protecting it. The niche encryption might not be technically better than the mainstream alternative, but it has also received a lot less scrutiny, and there aren't as good existing theories and tools for cracking it.
  • Over 2000 industrial controllers (SCADA) in Finland are publicly accessible from the Internet, says CERT.FI. What could go wrong with IoT? If even professionals don't get things right, how would the 'it seems to work' random consumers get these things right?
  • Pro-America propaganda on social networks by sockpuppets? That's great. I was expecting to see this story on Sputnik News, but now it's in The Guardian. Actually there's nothing new here. Spreading disinformation and propaganda is an age-old tradition.
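The three-layer construction from the steganography bullet, as an added example that is not code from the original post or from the author's overlay network. It assumes a constructed pseudo-random byte buffer as the cover (standing in for image pixel data), and both cipher layers are stdlib stand-ins (SHAKE-256 keystream plus HMAC-SHA256 tag), chosen so the example runs offline; they illustrate the ordering and independent keying of the layers, not the strength of any real cipher. The function names, labels and keys are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample cover: a pseudo-random byte buffer standing in for image
# pixel data. Real use would hide into the low bits of an actual media file.
COVER = hashlib.shake_256(b"constructed cover data").digest(4096)

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, label, n):
    # SHAKE-256 used as an XOF keystream generator. Stand-in for a real cipher
    # so the example needs only the standard library; not a vetted primitive.
    return hashlib.shake_256(label + b"|enc|" + key + nonce).digest(n)


def layer_encrypt(key, plaintext, label):
    """One encrypt-then-MAC layer: nonce || ciphertext || tag.
    The label domain-separates the two layers even if a key is reused."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, label, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(label + b"|mac|" + key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def layer_decrypt(key, blob, label):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("layer blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(label + b"|mac|" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(key, nonce, label, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def embed(cover, payload):
    """LSB steganography: one payload bit per cover byte, 32-bit length prefix."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    i = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_bytes(stego, start, count):
    out = bytearray()
    i = start
    for _ in range(count):
        b = 0
        for _ in range(8):
            b = (b << 1) | (stego[i] & 1)
            i += 1
        out.append(b)
    return bytes(out), i


def extract(stego):
    header, pos = _read_bytes(stego, 0, 4)
    (length,) = struct.unpack(">I", header)
    if length * 8 > len(stego) - pos:
        raise ValueError("length prefix exceeds cover capacity")
    payload, _ = _read_bytes(stego, pos, length)
    return payload


def hide_message(cover, message, key_niche, key_mainstream):
    # Innermost: the niche cipher. Around it: the mainstream cipher.
    # Outermost: steganography, which hides that anything is there at all.
    inner = layer_encrypt(key_niche, message, b"niche")
    outer = layer_encrypt(key_mainstream, inner, b"mainstream")
    return embed(cover, outer)


def reveal_message(stego, key_niche, key_mainstream):
    outer = extract(stego)
    inner = layer_decrypt(key_mainstream, outer, b"mainstream")
    return layer_decrypt(key_niche, inner, b"niche")


def max_byte_delta(cover, stego):
    # Embedding touches only the LSB, so no cover byte moves by more than 1.
    return max(abs(a - b) for a, b in zip(cover, stego))


def tamper_detected(stego, bit_index, key_niche, key_mainstream):
    """Flip one hidden bit; the outer layer's tag must then reject the blob."""
    damaged = bytearray(stego)
    damaged[bit_index] ^= 1
    try:
        reveal_message(bytes(damaged), key_niche, key_mainstream)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k1, k2 = b"niche-key-constructed", b"mainstream-key-constructed"
    s = hide_message(COVER, b"meet at dawn", k1, k2)
    print(reveal_message(s, k1, k2), max_byte_delta(COVER, s))
```

Note the order: the keys are independent, and a reader who strips the steganographic layer and breaks the mainstream cipher still faces the niche layer, while a break of the niche layer alone gains nothing because the mainstream layer wraps it.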
SYMLINKs are highly confusing for most Windows administrators / sysadmins, because they have never seen or used them. I've seen people fail miserably with them. Most people won't know what would happen in this situation:

22.06.2016  14:05    <SYMLINKD>     temp [d:\temp]
C:\>del temp

... Ask here, before showing the prompt ... What would happen next?
The prompt will be quite revealing:

C:\temp\*, Are you sure (Y/N)?

That will remove the contents of that path (the files inside the link target, d:\temp), as the prompt suggests, not the link itself. - So how do you delete a symlink? Using the rmdir command, of course.

Btw. Directory junctions on Windows / NTFS seem to be a better option than symbolic links when linking is used to merge paths, rather than to let the user easily navigate to different paths.