Kindle DRM Hacked

Amazon has implemented Digital Rights Management on its Kindle for PC product. The book you buy is supposed to only be readable on your PC. Israeli hacker Labbu has claimed to have broken this DRM. His tool is called Unswindle. The latest version is v5-rc1. The tool requires Mobidedrm from Darkreverse.

Unswindle is written in the Python programming language. It cracks the unique key that Amazon distributes per book. Previously Amazon had patched their Kindle for PC product, rendering Unswindle useless. However Labbu provided an update which got past the latest fix from Amazon.

Labbu did say that Amazon had some good security in place for their Kindle for PC. The development began in response to a challenge posted on a hacker site. This was not for illegal use of Amazon books. Some dude just wanted to open a Kindle file on a PC other than the one that was authorized through the DRM. Labbu responded in full force with Unswindle. Nice.

Let's Hack

I picked up a Hacking for Dummies book a while ago. It had an unknown date of publication. The intro was written by the dude who authored Hacking Exposed. The cheat sheet from the book had already been torn out. LOL. Owned.

The book stated that there are 23,000 professionals with the CISSP certification. An alternate certification is the Certified Ethical Hacker. There is an entire industry built around ethical hacking. This is where you conduct legal security testing. It is also called penetration testing. Another word for ethical hackers is White Hat Hackers.

Here is a cop out. The author states that he is not responsible for hacks performed by his readers. Yeah right. Let's get some terms right. A hacker is somebody who likes to tinker with stuff. A cracker, on the other hand, is someone who likes breaking into systems.

Cryptography Wrap Up

There was a whole mountain of information that I learned by reading Cryptography for Dummies. It was very insightful. I could go on and on writing about the topics I learned. However today I just want to wrap up some of the highlights I have not written about yet. Then we can move on to more existing hacking.

Be aware that the subject line for an email is not encrypted even when the contents of the email are. Here is a good recommendation. You should back up your public and private keys to different locations.

Static encryption is where the system encrypts the information before it transmits the data. The MD5 and SHA-1 algorithms do not encrypt data. They just allow the recipient to detect whether the contents of the message have been tampered with during transmission.

Finally you should not install and set up a cryptographic system if you are not 100% sure what you are doing. Good luck with your encryption exploits. Next time I think I will talk about another book I read in the past. Can you guess the title? It was Hacking for Dummies.

DECAF

Two bad boy hackers have come out with a tool called DECAF. It defends against a COFEE, which is a Microsoft tool that stands for Computer Online Forensic Evidence Extractor. DECAF will check for the presence of COFEE on your machine. It will then delete temporary files, erase logs, and disable USB ports (from which COFEE runs).

The source code for DECAF has not been released. However it is being licensed for free as long as you use it for personal and noncommercial uses. The app looks like a really simple Windows app. It does real time monitoring. And it claims to be highly configurable. You can disable all kinds of things on your machine.
In the future, the developers of DECAF intend to modify the program so that it can be remotely controlled. This sounds like some good stuff. I guess to test it out I will have to install COFEE on a memory stick and see what DECAF can do

Defense Against the Dark Arts

Suppose you wanted to make sure you could not be found. You still need to communicate with others. However you just don’t want stalkers to track you down and know where you live. I read a book that briefly went over some steps to stay invisible. Here are the highlights.

Definitely get an unlisted phone number. You can also sign up for the phone line under a misspelled or fake name. Don’t put down you address when signing up for the phone line. Use something else like a post office box.

Request that web sites take down information with your name and/or address. Use an anonymous remailer for sending out e-mail. Change you e-mail address frequently. This is easy with free e-mail services like Gmail.

Don’t use credit cards at all. And don’t use your real name for anything. This just scratches the surface of how to lay low. I am sure you could write a whole book to take the undercover living to the next level. I found this all very interesting. I myself write under a pen name so stalkers have to work hard to determine my identity. So far it has worked for me.

Net Cons

I read about a number of interesting cons in Steal This Computer Book. There was the standard fare like Multi Level Marketing (MLM) scams. You know the kind. Somebody says they will pay you to stuff envelopes at home. Yeah right.

But there were some tricky ones too. People will leave you a message. When you call back, they try to keep you on the line. That's because its a pay line like the old 900 numbers. Scammed.

Another con is a play on the chain mail letter. You get a program which enforces the chain. You have to pay the 5 or 6 people on the list. Then you get a new version of the program with your name on the list. The theory is that you will then receive cash from people who receive your program. The funny part about this is that the con software program can be hacked without you coughing up any money.

The last con was pretty interesting. You get a stock tip from a broker who says a certain stock is going up in price. Then like magic it goes up. Next the broker gives you another tip saying a different stock is going down. Like clockwork the stock price falls. Then they ask for your money to "invest". The con is that they send out a lot of e-mails, mixing up their guesses as to which stocks go up and down. For some percentage of the people they contact, their picks will be right. Go figure.

Steal This Computer Book

I checked out the latest edition of Steal This Computer Book from the library. It sounded like some type of hacking book. So I thought I would give it a read.

At home I read the back cover. I got a little scared. There was a warning on it that said the book was not to be used for illegal activities. Then the author's bio stated he was a stand up comic. Great. I may have checked out a spoof.

Luckily, when I skimmed through the interesting chapters, I found you could not judge this book by its cover. Here are some kewl facts I learned by reading it.

Hacker sites seem to appear and disappear. You got to keep up to stay current. There are sites devoted to providing links to the best sites. I have seen those before and thought they were just spam. Nope. They are the real deal.

The top conferences for hackers are DefCon, HOPE (from 2600 magazine), SummerCon and ToorCon. Next time I will go into some more gems I pulled from this book. That includes some nasty cons, and how to prevent yourself from being found.

More on Keys

The best source of information I have read on cryptographic keys was Cryptography for Dummies. Seriously. Let's start with the Key Encryption Key (KEK). This is a way to wrap a key with encryption to keep the key itself secure.

Keys are not generic. They are specific to the algorithm that uses them. Keys are set up to be generated by a key server. This server distributes new keys when necessary. The downside to this approach is that if the server becomes compromised, the whole show is bust.

A key escrow is a way to store keys and/or pass phrases in case the keys are lost. This allows them to be recovered in the future. You require the answers to some secret questions before the keys can be recovered from the escrow.

Next time I will go over some of the acronyms which usually stand for security protocols. Examples are TLS, SSH, SSML, and S/MIME.

All About Keys

Keys are a crucial part of cryptography. They are also one of the more difficult things to control. There is often confusion as to what a key actually is. The key is not a token. It is a file on the computer used by an algorithm to encrypt/decrypt. The key doesn't do any encrypting. The algorithm encrypts.

A session key is a key which is disposed of when transmission of the data is complete. Do not take the short cut of choosing options which generate keys faster. That makes them less secure. You can choose short key sizes for data that is transient. But it is best to pick long keys and pass phrases.

A key ring is a list of public keys. Since a key is a file, you would think it should be stored on a hard drive. However you should put them on removable drives that you can physically take with you. Make sure you also backup your keys.

There is a lot more to talk about with keys. Next time I plan to cover key wrappers, escrow, services, and recovery.

The State of Encryption

I just finished reading an article from a magazine that the big boys read. It had the results of their survey on the adoption of encryption. Bad news. Users want quick access to their data. So any encryption strategies rolled out to the enterprise get done one piece at a time. Well that might be good news if you are trying to break in.

One related technology that seems to have taken hold is tokenization. A user has a credit card number that needs to be protected. So a system will instead use a token for the duration of the session. The token is a 64-bit number that is used in lieu of the credit card number.

So what are some other factors inhibiting the adoption of encryption? There is no clear standard for systems to work with each other. The Oasis group is working on KMIP (Key Management Interoperability Protocol). And the IEE is pitching P1619. The authors of the article I read were hopefully that Microsoft would lead the way with their Active Directory. Good luck with that.

Security in the Cloud

A big city just hired Google to do their email. They put a lot of security requirements in their requisition:

  • employees had to be fingerprinted
  • all data sent must be encrypted
  • data sitting around needed sharding
  • access to data had to be limited

It is difficult to convince a customer that the cloud is secure. The technology is relatively new. There are no standards. The act of adding encryption slows things down.

You know the hackers are going to want to target cloud repositories. There is potentially a lot of corporate data out there waiting to be stolen. I do not know enough about Cloud Computing to determine whether the thing is secure enough for my trust.

PKCS Continued

A few posts back I started to talk about PKCS. Well let's finish the discussion. PKCS #9 defines attributes which apply to extended certificates, envelopes, and private key encryption. In other words, it defines details for PKCS #6, #7, and #8.

PKCS #10 defines the syntax or format of a request to a certificate authority. PKCS #11 is Cryptoki (crypto key). This is a hardware solution like using smart cards for authentication.

PKCS #12 defines how users can share private keys. PKCS #13 is the advanced topic of elliptical curves. I am not an expert in the technology. From a distance it looks like a lot of math.

PKCS #14 defines a pseudo random number generator. Generating true random numbers is difficult. Finally PKCS #15 covers tokens. That is PKCS in a nutshell. Although it goes up to PKCS #15, there are only 13 distinct parts as #2 and #4 are rolled into the standard for PKCS #1.

Next time I plan to get deep into keys. Stay tuned.

Time Bomb Scripts

Last month a contractor was fired from Fannie Mae. The reason for termination was promoting scripts to Production without authorization. There were a lot of mistakes made on the part of the company. They did not change the root passwords to the systems this contractor had access to. They also let him stick around after they fired him. This is bad news, especially given that the guy was let go for unauthorized code deployment.

What I found very interesting were the details of a bunch of time activated scripts this guy left behind at Fannie Mae. His first act was to add some code to the end of a daily script. This code would retrieve and install a bunch of other scripts.

Here is an example of what of the payload scripts did. It would generate a list of servers in the company. Then it would disable monitoring. Finally it would disable the ability to log into all the servers that it found. Well that is bad, but is not too evil.

Next the terminated contractor wrote a script that would clear server logs. Then it would remove root access to machines and delete the data on them. Finally it would shut down the servers automatically.

The last script was especially evil. It would attempt to corrupt any systems it could find in the company. Then it would go after the backup machine, clear out the backups, and turn them off. This hacker was just plain thorough.

Luckily another engineer detected the original script that was to install all the other rogue code. Upon detection, he shut everything down in the company until they could figure out what was going on. That was the one smart move the company made. These rogue scripts could have done severe damage to the bank.

Props to The Inquirer for providing the facts for this blog post.

Microsoft Security

I just got a subscription to MSDN magazine from Microsoft. This is a good magazine to read if you program using Microsoft technologies. The latest issue had a lot of Microsoft specific security articles. Today I want to tell you about what I read. The topics were SAML, CAS, and STS. How is that for a list of acronyms?

SAML stands for Security Assertion Markup Language. It is based on XML. You can tell from the name. SAML is used for authentication between domains. For practical purposes, it helps implement single sign on. You type in your user name and password once. Then you can go everywhere and be automatically authenticated. You do not have to retype in your credentials.

CAS stands for Code Access Security. It is part of the .NET framework. CAS prevents untrusted code from executing privileged instructions. An administrator sets up the security policy for your machine. The .NET common language run time (CLR) then maps programs to code groups. These code groups have permissions set. The CLR then either allows or disallows the instructions to execute.

STS is the Security Token Service. A client wants to access a web service. The client first gets a token from an STS server. Then the client passes the token to the web service. The web service validates the token against the STS. Finally the web service honors the client request if the token checks out with the STS.

PKCS

PKCS stands for Public Key Cryptography Standards. They were developed by RSA Data Security. These standards act as a means of interoperability between the vendors out there. There are 15 parts, but numbers 2 and 4 have been rolled into PKCS #1.

PKCS #1 is encryption using the RSA algorithm. PKCS #3 uses the Diffie-Hellman algorithms. It is how you exchange a key between two people. PKCS #5 covers passwords.

PKCS #6 is the extended certificate syntax. It describes the extra information like e-mail addresses within certificates. PKCS #7 covers the use of envelopes. An example is S/MIME.

PKCS #8 is for private key encryption. I will cover PKCS 9 through 15 next time around. Be ready for things such as Cryptoki.

Certificates and Keys

I want to talk about certificates. But first let's define a few terms. A key is a number in binary form, which is stored in a text file. That being said, a digital certificate is a pair of public and private keys. It is created by a certificate authority like Verisign. The digital certificate is used for encryption and decryption. The certificate is assigned to either an individual or an organization.

Now that we know what digital certificates are, we can define a key server as a machine which holds the public keys of the digital certificates. There are some potential problems with certificate use. Some applications do not take them. And some unscrupulous individuals forge digital certificates. Finally it can take a lot of work to get the certificates in the first place.

Let us put aside the certificate problems and talk some more about them. A digital certificate can hold a lot of information such as the version, serial number, issuer name, period of validity, and public key. For companies, you are going to want to set up a certificate policy. The policy covers issues like where logs are stored, whether keys get backed up, and validity periods. Armed with all this information, I am ready to discuss what PKCS is next time. See you then.

Texas Instruments Ownage

The online edition of IEEE Spectrum magazine alerted me to some major calculator hackage. A dude cracked the TI-83 Plus calculator from Texas Instruments. He got the signing key figured out. Now the key can be used to transfer your own O/S onto the calculator.

There was just one problem. The dude posted the key on his blog. The result was a cease and desist order from Texas Instruments. Damn. Apparently he was charged with violating the DCMA. The guy submitted and took down his post. Ouch. That's weak.

Another dude wrong about the incident. He linked to a page that had the signing key. I bet you can guess what happened. Texas Instruments slapped him with a cease and desist order. WTF?

Open Source Encryption

I read an article about the legality of open source encryption software. If the software has strong encryption, and is available to all, then it may be violating some laws. Specifically the Bureau of Industry and Security (part of the Department of Commerce) will have some things to say about it.

Now I don't want to waste any time right now discussing whether it is wrong or right to block export of encryption technology. What I did find interesting was the top encryption algorithms used by open source developers. These include familiar names like DES, AES, and Diffie-Hellman. However another top algorithm was ElGamal. I have never heard of ElGamal before.

A little research shows that ElGamal is an asymmetric algorithm. It dates all the way back to 1985. It is mostly found in open source cryptographic applications. Perhaps that is why it is foreign to me. I normally do not keep on top of the open source scene.

Mail and Tunneling

You would think that hackers would try to intercept network communications. However this is a difficult task if safeguards are used. Instead most hackers like to attack data at rest. In other words, they will try to get at data sitting on a machine, not stuff passing through the network.

If you want to encrypt email you send, there are two main options: (1) S/MIME and (2) PGP. MIME is an old standard that let's you attach binary files (like images) to email. S/MIME is a secure version of that protocol.

PGP stands for Pretty Good Privacy. It is a program written by Phil Zimmerman. There is a free version called GnuPGP. This program covers encryption and the storing of keys on your machine.

Let me close by talking about secure network connections. A VPN is a virtual private network. It let's you connect to a machine over the Internet. The encryption can be applied to just the data. You can also do tunneling where even the packet headers of the transmitted data as well. Popular tunneling protocols include IPSec and PPTP.

Next time look for a discussion on passwords, keys, and certificates.

Booth Babe Syndrome

A video from the Hack Day 2009 conference was released that cause a bit of a stir. They had some booth babes doing lap dances as entertainment. The video seems to have disappeared. However some pictures are still floating around.

The event was held in Taiwan. Many said it was the wrong place for such lewd behavior. Others thought it was fine to skip being politically correct. They have this thing going on at DefCon right?

Hey. The hackers conferences are fully of dudes. And most of those dudes will probably enjoy a bunch of booth babes making things interesting. So if they give out free lap dances, I say more power to them. Next time I will return to our regularly scheduled cryptography discussion.

Algorithms

Last time we discussed asymmetric key algorithms. Now allow me to talk about a familiar name in cryptography. This is the Diffie Hellman algorithm, also known as DH. It is named after the two researchers who first documented it. These guys are Whit Diffie and Martin Hellman.

The Diffie Hellman algorithm is one that allows two parties to perform a key exchange over an insecure connection. The use a technique where it would be hard for a person watching the communications to reverse engineer the key they share. The end communication is a symmetric one, where the two parties share the same key.

Next let me briefly cover PGP. It stands for pretty good privacy. This is an encryption program that allows users to communicate via secure email. This is a system that uses asymmetric keys.

Finally there is also a newer topic in cryptography called elliptical curve cryptography (ECC). It also uses asymmetric keys. This technique is good for encrypting large amounts of data. I will not go into the mathematics behind this technique right now. Perhaps that is a research topic for another day. Next time I will go over some other mail encryption methods, and also discuss tunnelling.

Asymmetric Keys

Last time I discussed symmetric keys. Now I will talk about asymmetric keys, where a different keys are used to encrypt and decrypt the data. You use the public key to encrypt. Only the private key can then decrypt the data. An example of an asymmetric encryption algorithm is RSA.

RSA was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. Thus you get R-S-A for their last names. You can use RSA to encrypt keys which themselves can later be used to do symmetric encryption/decryption.

Next time I will talk about Diffie Hellman and PGP.

Symmetric Algorithms

Let's go over some of the popular symmetric encryption algorithms. These include DES, 3DES, IDEA, and AES. Like most things in cryptography, you are going to see a lot of acronyms.

DES stands for Digital Encryption Standard. It is a block cipher with a 56 bit key. The algorithm goes through 16 rounds to get the final data.

3DES stands for Triple DES. You can probably guess that it is three times as strong as plain DES. It uses three different 56-bit keys for encryption.

IDEA is the International Data Encryption Algorithm. IDEA is part of PGP. It uses a 128 bit encryption key.

Finally AES is the Advanced Encryption Standard. AES uses the Rijndal algorithm. It is named after the two creators of the algorithm. You pronounce it rhine-doll.

Next time I am going to start up with asymmetric keys.

All About Ciphers

Today I want to go into ciphers. Remember cipher is another name for the algorithm used to encrypt data. There are two main types of ciphers. They are the block and stream cipher.

A block cipher works on a chunk of characters at a time. Examples of block ciphers are the popular DES, 3DES, and AES ciphers. You should also know about Cipher Block Chaining (CBC). This is where you exclusive OR (XOR) data with itself and the key table to encrypt the data.

Stream ciphers on the other hand work on one character at a time. An example of a stream cipher is RC4. Another example is the Secure Telephone Unit #3 (STU-III).

Next time I will enumerate the popular block ciphers, including DES and AES.

Randomness

Last time I said I would start discussing key tables. So let's do this. A key table is used to encrypt data. It is based on an original key. Other names for a key table are key setup or initialization. This is where some algorithms go wrong, and allow crackage.

The generation of random numbers is an integral part to encryption. So how exactly do you generate random numbers? When a computer does it, we call it the RNG (Random Number Generator). However there is a technique generate quasi-random numbers called PRNG, or Pseudo RNG. It allows you to "seed" the generator with a value. That value determines what numbers get generated. Every time you use the same seed, you get the same results.

Finally I want to go a little further with symmetric encryption algorithms. In particular, I want to mention a few implementations of symmetric encrption. The popular ones are DES, 3DES, and AES. However there is also IDEA and TwoFish. I will not go into the particulars of these right now. Perhaps we will review them next time.

Secure Sockets Layer

The Secure Sockets Layer is known as SSL. It is an encryption method to handle data sent from the web browser to the server. All the data sent is encrypted. It is a standard for such web transmissions. The encryption comes in 40 and 128 bit varieties.

Mathematicians create cryptographic systems. One example is RC4, which was created by RSA Data Security. RC4 is used by SSL. Keys for encryption are made from long prime numbers. I have mentioned before that the keys themselves are frequently encrypted.

Know this. Every algorithm is breakable. You just want to ensure you are using an algorithm that is difficult enough to break based on the data carried in the payload. Hackers don't know or care about crypto algorithms. They are too light weight for such work. Instead they work on tricking people out of their passwords.

Encryption stronger than 40 bits is prohibited from being exported out of the USA. This seems like a strange rule. But it is enforced. Be careful with strong encryption methods. Next time I will cover topics like the key table, as well as different techniques for random number generation.

Crypto Keys

One of the biggest weaknesses with crypto keys is sharing their use. Don't do it. Even if the key is secure, you have other problems. Cryptanalysis is the art of breaking ciphers. That sounds like cloak and dagger stuff.

They are two varieties of keys: symmetric and asymmetric. The main difference is that the same keys encrypts and decrypts the data in symmetric processing. While asymmetric processing uses a different key for encrypting and decrypting.

I just had a college class exam. One of the choice in a multiple choice questions was S-HTTP. Now I will share what I know with you. S-HTTP stands for Secure HTTP. It allows encryption to be added to web browsing. In my next post I will go into some SSL details.

Crypto Ciphers

Recall that a cipher is an algorithm which hides data from prying eyes. A very simple example of a cipher is the substitution cipher. This is a one for one replacement of characters. The Germans used such a cipher called Enigma in World War II.

Another cipher example is the transposition cipher. This is where you change the order of characters. It can become complicated depending on the strategy used to do the reordering.

Next let's talk about the hash. A hash is a one way function. That means you can transform your original data using the hash. However you cannot easily transform the hashed data back into your original text.

Hashes are used to validate the integrity of some data. You send your original data unencrypted. Then you also send the hash of the data using encrypted methods. The recipient can also compute the has of your original data, verifying that it was unaltered in transit.

Next time I will go over keys and their use in encryption.

Cryptography for Dummies

I studied up a book I got from the library called Cryptography for Dummies. Yeah it is a Dummies book. But I learned much from it. I took six pages of notes during my read. This book is from 2004. But much of the information still holds true today.

The subject of cryptography is complex. They have a lot of classes in my college on cryptography and security in general. That does not mean cryptography is all hi tech. You can use it in low tech systems.

An algorithm is a technology to hide data. It is also called a cipher. The specification on the DES algorithm is 7 pages long. Time for another read I guess.

I plan to be writing about the lessons I learned from this book for a long time. My next post will start with different types of ciphers.

Crack Detection

I was reading a blog about a guy’s application that got cracked. He thought he was losing sales due to cracked versions of his app being distributed on torrents. Whether that is an accurate depiction of reality is not of concern to me right now. I was more interested in his desire to get back at the crackers. His rage was understandable. His methods were of great interest.

First this software author decided to be able to detect a cracked version. He decided to make his applications “phone home” over the Internet. They would use some type of public/private key encryption to make sure he knew it was his applications. Each app he sold would have some unique keys. Once he found the same key phone home from all over the place, he could assume that people were stealing his software.

Here was the big decision. What was he to do when the software detected unauthorized use? Some say he should just make his app behave poorly. If people think his app is no good, they will not use it. That might defeat the purpose of marketing though. He did not want to be known to legitimate buyers as making shoddy software. That’s when the evil plan clicked in his head.

The app could do evil thing to the target computer once it detected that it had been cracked. There was a world of bad things he could do. After all, the guy is a programmer. His disgust at losing cash due to being cracked would drive him on. His goal would be to do the most evil before the user who stole his software knew what hit him. Alas. This fellow programmer had crossed over to the dark side.

It was time to redirect the energy into future improvement to his program. It was time to refocus on the original goal of solving legitimate user problems, and in the process making cash. I still liked the sound of this developer laughing the mad scientist laugh while he worked on code to hack the machines of thieves. And no, this evil programmer is not me. I don’t have any software for sale that someone can crack. I give all my stuff away for free anyway.

Virtual Girlfriend

I just finished skimming a book on artificial intelligence. It was written for novices. There was a lot of great information in there. One conclusion was that there are commercial applications for AI in the sex industry. Thus I decided to try out a virtual girlfriend.

One of the first hits on Google for a virtual girlfriend was Kari. I downloaded a trial version. You get to run it three times. I tried to figure out how to bypass this. A data file had a "Run Times" parameter. That was not the trick.

Here is the funny thing. This AI bot is supposed to learn how to deal with you. But I found her more stupid than your average real life bimbo. Here is some of the conversations I had with Kari. I swear that I am not making this up.

Black: How big are you boobs?
Kari: Am I ticklish?

Black: What is 1 + 1?
Kari: I am not much of a girlfriend.

Black: Your voice sounds fake.
Kari: Damn girl.

Black: How can I hack you to run more?
Kari: God damn.

After this severe lack of coherence, I almost want to code up my own virtual girl. Yes it is a monumental task. But I got to be able to produce something a little smarted than this waste of memory. I will share what I come up with. In the mean time I recommend you avoid Kari. She might make you dumber.

256 Byte Mastery

Today I read a story about a programmer who wrote an Assembly language program in only 256 bytes. It produces a morphing 3-D world. You got to see this to believe it.

I have heard about cool programs that fit in 4k of memory. But a hot prog that runs in only 256 bytes of code? That is wicked. The program name is Puls. And it was written by Rrrola.

Virus Infections

My home PC is infested with viruses. The quick way to get rid of them is to reinstall Windows from scratch. However I am studying these critters to gain knowledge on viruses in general.

Every so often, my system tray has an icon that says my computer is infected. It asks that I click the icon to disinfect. Clicking it take my browser to some rogue web page where they try to get me to buy antivirus software.

LOL. Yeah right. I am not going to pay the guys that actually came up with the virus. How stupid do you think I am? A quick check to the Task Manager shows a "braviax.exe" process running. When I kill the process, the icon goes away. This is the culprit. I find a copy of the file in the C:\Windows folder. So I delete the file and pat myself on the back.

Here is the first trick. When I reboot, the problem comes back. The "briaviax.exe" file comes right back. I run msconfig and find that file it set to run on Startup. How did the file get back there? A little research and I find that there is another copy in C:\Windows\System32. That's actually smart. You have to eradicate both locations.

My system is still full of viruses. Let's try to get rid of them. Then we can find out how modern day PC viruses operate. This is good stuff.

Power of Proxy

I was reading a post with a lot of comments. One dude said he was trying to make money with Google AdSense by clicking on his own ads. Normally Google detects and blocks this type of behavior. The guy said he got around this by clicking once a day using a web proxy.

The web proxy hid his computer IP address from Google. That made it like somebody else was clicking on the ads he hosted on his site. This pissed some people off, especially those who were paying Google for displaying ads in its AdWords program.

This sounded like an interesting idea. The guy stated that it was not worth it. So he quit. I wonder whether he was telling the truth. So I decided to investigate. There are a number of drawbacks to this technique.

Not all proxy sites let you see ads on the pages they serve up. Furthermore, some sites that do show ads force you out of the proxy when you click the Google ads. This defeats the purpose as Google can then detect who you are. Still I consider the original idea a great hack. It is thinking outside the box to get a little cash.

Malware Marketing

This past year a team came out with an instant messaging client. It was provided free of charge. They needed to make some money. So they started experimenting on how they could profit off their users. Of course they tried having ads in their app. Then they got creative. They released some malware but got busted by LifeHacker.

Later the company came out and tried to do damage control. They call the malware their "research" module. That is a spin on the act of some software getting installed with their instant messenger, then taking over control of your computer to do their parallel processing.

In the good old days, sneaky code like this was shipped out with free programs. The bad boys just hoped you did not detect that your machine had been compromised. Now it has been taken to another level. When some tech site does detect you app doing sneaky things, you put the marketing spin on the evil deed to make it look like you are doing no evil. LOL. Damn those marketing guys.

Oh yeah. If you are wondering what product I am talking about, it is Digby. I am safe. My IM software is Yahoo Messenger. And Yahoo makes some green backs off me. However they just put the ads in my face. At least they are not trying to hide anything there.

Uncrackable

Insomniac came out with the Spyro game 10 years ago. I played it a couple times. It has some nice animation when the little dragon flies around. The company had their profits robbed when their game was quickly cracked for the Playstation. They decided to step up their anti-crack efforts with the release of their Spyro Year of the Dragon release. They shared some of what they did to protect their program and their revenue. I highlight some of their techniques here because it is very interesting.

The first thing to realize is that no program is crack proof. You are only trying to delay crackers when you put protection in there. It is a cat and mouse game. Typical cracks insert some intro code which tell the user who cracked the game. Then the crack runs the normal executable that is cracked. The normal executable is compressed to keep the overall size of the game the same.

So how to do prevent such a crack? A simple method is to introduce checksums. You see whether the code has been altered. If it has, you do something to prevent the game from continuing. There are ways to store checksum data in tables which makes checksum anticrack methods weak. The better checksum protection interleaves the checksum protection with actual program code.

Crackers do their work in their spare time. Make it hard for them to debug your application. Then it will also be hard for them to crack your app. Another technique that works is to delay what you do on detection of the app being cracked. That way it is hard for crackers to test whether the crack worked. They may also just assume that the crack worked, when in reality you will detect the crack and later halt the game.

I put some simple encryption into a product for work once. It was just a way to encrypt keys that were required to activate the app. Luckily we did not have a lot of general users who wanted a cracked app. This was just a method to keep the business users honest. They were too busy to actually crack the darn thing. If you are selling to the general public, you are going to want to research ways of your own to slow down the crackers. Your profit may hinge on the productivity of this effort.

Zero for 0wned

With the recent news about the release of the ZF05 zine, I thought I would ask the following question. Who are the authors? They call themselves Zero For 0wned. This is the fifth installment of their zine. I assume this is an electronic only zine.

Having read most of ZF05, I find myself getting bored looking at all their listings of hacking into systems. But get this. Their general writing is very amusing. It is a good read. I laugh out loud at many things they write such as "Dan Kaminsky is a noob".

It is hard to pin down any facts about Zero For 0wned. They are an underground group. In their zine they say they are silent at conferences, not revealing themselves. Their mission appears to be to destroy people or movements they are against.

There are some lessons learned from seeing the mass ownage from their latest zine issue. You should not reuse passwords. If you are a security professional, you had better employ good security practices yourself. And finally, nobody is safe. You are vulnerable if your computer is connected to the net.

PerlMonks Hacked

The PerlMonks site has been hacked, exposing all kinds of user information. Zero For Owned has taken responsibility. They have published passwords and e-mail addresses of some of the "cherished" members of PerlMonks. Specifically the janitors and saints at PerlMonks have been outed by Zero For Owned.

A PerlMonks update on their site states that the root password on one of their servers was compromised. They store the user information in plain text. That includes user passwords as well. It was thus easy for Zero For Owned to, well, conduct mass ownage.

This was just a demonstration by Zero For Owned. Their e-zine states they just exposed the weakness, and did no harm to any code repositories. It is still a sad state of affairs. I have been e-mailed users that were affected. I was not sure if PerlMonks was doing this already.

Peer Sharing Ownage

Some dude just got handed a verdict which will make him pay big for sharing files using Kazaa. The recording industry company sued him. His Kazaa stash was about 800 songs. However the suit was for copyright infringement over about 30 of the songs. In the end, he was getting charged over $20k for each song.

I think part of the problem with this case was the poor choice of lawyer. He had some professor that used the case to increase his own popularity instead of trying to get his client off the hook.

The individual found guilty was Joel Tenenbaum. He does not have the $600k that the verdict handed down. If the decision does not get overturned, he will just file bankruptcy. There has not been a lot of cases where the individual was sued for a huge amount like this. However we can see where this is going. The record labels want their money. And they are tired of file sharing sights "stealing" their profits.

So what are we to do? Should we stop downloading songs for free illegally? Normally I would say no. But you have to do a cost benefit analysis. If the legit song costs a buck, and you might get sued for $20k or $30k if you get caught, you might just want to pay that buck. Or you can do what I do. Just listen to the radio. No charge.

Zero For Owned

All right peeps. I know I have not been posting much recently. Time to make up for the loss. I have been super busy at work. Crazy deadlines and not enough resources. That's the life of a programmer.

Today I came across a zine called "Zero For Owned". Apparently these dudes target high profile security professionals and hack their sites. Then they show logs of the hacking activity. To tell the truth, I am not that interested in their hacking. I just love their commentary.

The latest issue of the zine is ZF05. They go after Kevin Mitnick. I quote ZF05 as stating, "You can move your box anywhere Kevin, we'll find you and own you." Their take is that blames his host for the hackage he endures. Ha ha.

ZF05 seems to really hate Dan Kaminsky. They label him a script kiddie and a noob. Their attack uncovered a lot of Dan's emails. You may recall that he came out with a press release about DNS poisoning about a year ago. That's when they set their sites on Dan.

I tell you. These guys at ZF05 are hilarious. They recommend that some guy "Go up to the mountains and train under a Shaolin monk in the art of hax". On a serious note, they close out this issue of their zine by telling peeps to learn to code really well. That is sound advice.

Reading this issue of Zero For Owned gave me an idea for a program. Their zine is filled with huge logs of hacking. I just want to read their commentary. Perhaps I will write a program to strip out all the hack loggage and just get to the good stuff. To make this experiment educational, I shall try my hand at coding it in Java.

Stallman on Copyright

I have been reading some blog entries recently portraying Richard Stallman in a negative light. And they have been pretty much successful. Take a look at the guy. Then read some of the first hand evidence of his personality. You can draw the conclusion that the guy is nuts.

But today I read one of his essays on Misinterpreting Copyright. Wow. The thing blew me away. That was some serious critical thinking and analysis of the history of copyright from the United States Constitution. It made me rethink some of the copyright ideas that I assumed were the truth, which may have been planted in my head by big business (e.g. book publishers).

The jury is still out on Richard Stallman. I bet he is a tough guy to get along with. Now I have never met the man. But the stories about him are too specific to overlook. But who cares. Maybe the guy is nuts or is a dick. From reading one of his essays, I was able to determine that the guy has the ability to think clearly and communicate effectively. Even if somebody is crazy, that does not mean that everything they say is without merit. Maybe this rms dude deserves a second look. I highly advise you to take a look at the copyright essay I read. You will be enlightened.

Detecting Viruses

How do you go about writing a virus scanner? Well I guess there are two obvious ways. You could study existing computer viruses. Or you could try to write some yourself. The outcome should be similar. You will understand how a virus operates. With that knowledge, you can detect and remove viruses. It sounds simple. But I bet it is involved.

Let's try to think about the second technique. How can we write a virus? Essentially we want to run our own malicious code. What better way to do that than to latch onto a trusted existing program that users run. The key here is how to latch on. The program you want to act as your host is an executable. That means it has a section which consists of the code it runs. We want to have that program run our code instead.

Therefore we have two tasks to accomplish: put our code somewhere in the file, and make sure our code gets executed. How about we just tack our code on to the end of the file? There is an existing entry point for the original executable. Let's just substitute the original entry point with the location our of rogue code which is now at the end? Sure that's a good plan. Now let's get back to our original objective. How can we produce a virus detector that can find instances where a legit program has been jacked. Easy. Just check whether the entry point for the program points to the code at the end of the file. If so, you are probably looking at an infected application.

Of course all of this is very simple. Existing virus scanner probably do all this as part of their most simple virus detection techniques. However we are on the right track. We could think up more complicated ways to achieve takeover of a program. And thinking of those methods, and the means to detect/remove them is the very topic I am interested in. Perhaps I shall spend some time furthering this idea. Come with me as I venture into the world of computer viruses.

Laptop Theft Protection

There are some software products you can put on your laptop that may assist if it gets stolen. One such software is Prey. It will phone home and tell you which programs are running on the stolen laptop. It also takes and sends you screen shots. Network information is collected and transmitted. Finally Prey can take some web cam shots of the thief and send them to you.

An open source alternative for this type of software is Adeona. The main benefit of this software is that it does not rely on a central server. The owner can track a thief with their computer. The Mac version of this software also snaps pictures of the perpetrator using the web cam.

These software solutions are not fool proof. However they can give you some details of the person who ripped off your laptop. There are other techniques to combat laptop theft. An example is Foo Zoo Lockdown which is a Mac anti theft software package.

My company and our client both have software on their laptops to combat theft. However the main goal in the corporate setting is to prevent the loss of the crucial data on the laptop. It is not as high a priority to locate the thief to retrieve the hardware. I have both my laptops set up with such software. They essentially encrypt the entire contents of the hard disk.

Prevent Decompiling

I read up on some basic tips for decompiling an executable. That is, I learned how you can take an executable, and reconstruct the source code used to build the software. There were a number of things listed that made it hard to understand how to decompile an executable. I thought I would use these difficulties to make my most secretive applications hard to reverse engineer.

One thing that slipped up the hacker is compiler optimizations. Yes this will slow down your application build. But you can turn it on at the end when you are doing the final release of your software. The compiler will work harder to make your code fast and/or small. The result is that it is more difficult for somebody looking at the binary to figure out what is going on.

Another thing that trips up decompilation is the use of user defined types. In the C programming language, that means use structures. Somehow the access to memory of such constructs makes it hard to reverse engineer. This is good news. Using structure is good programming practice anyway. We use that for our production code at work. I might a well use it on home programming projects where I want to keep the source code secret.

To truly combat the decompilation process, you probably need to spend some time trying to crack binary executables. Then you will have first hand knowledge on how to make it harder. However I figure I could take one expert’s advice and use it to my advantage. That is a way to work smarter and not harder.

Inflating Page Views

My profile on the Blogger platform shows how many times somebody has viewed the profile. This is something of a bragging point if you have a lot of views. Being a programmer, I figured I would just write a program to "visit" the profile many times.

At first I had some success. My program spawned Internet Explorer and navigated to the URL for my profile. It waited, killed Internet Explorer, and started again. However Google must have figured out what was going on. The view count capped out around 1000.

I thought perhaps the blocking had something to do with how frequently my program visited the profile. So I tried delaying the visit to be about 5 minutes apart. That did not help. Now my view counts are getting capped around 100 to 300. Do you think Google has logged my IP address as a script generator or something? I can only try some more tests to figure this out. The logical next step might be to use web proxies to hide my IP from Google.

Crypto API Encoding

Finally I am getting to the point where I am following the Microsoft Crypto API documentation in order to actually encode some data. But first let’s talk about what you need to get your software to compile and link. You must link in the crypt32.lib library. You may also need access to the advapi32.dll. You C or C++ code must include the wincrypt.h header file. And last you must define MY_ENCODING_TYPE in your code.

Now let’s get down to business. Here is the pattern you will follow to encode data. You start by calling the cryptmsgopentoencode function. Then you call cryptmsgupdate as many times as you have data to add. On the last data addition, you call cryptmsgupdate with the fFinal parameter set to true. To end the encoding, you call the cryptmsgclose function. These are the basics in a nutshell.

The algorithm to decode data mimics the one to encode. There is one extra step in the beginning where you call the cryptmsgcalculateencodedlength function. Then you call the cryptmsgopentodecode function. Does that sound familiar? You call the cryptmsgupdate function. And you end by calling the cryptmsgclose function.

Since we are down to the details of actual coding here, I also have the algorithms to encrypt and decrypt data. Perhaps I will share that with you in my next post. For now I will leave you with the concept of enveloping data. This is where you would like to encrypt a message for a whole set of recipients. You encrypt the message with a key. Then you in turn encrypt that key for each of the recipients on your distribution list for the message. The encryption is done in PKCS 7 format. Each recipient can then decrypt their key, and subsequently decrypt the message.

The Return of Click

I needed to up the page view count of some new pages I put up. It did not matter whether these were legitimate page views. All I wanted was it to appear like the pages were viewed a lot of times. To do this I pulled out an old program I had written called Click.

So what happened? Things were going fine for the first 250 visits to my web site. Then Google redirected me to another page, preventing my page view count from increasing. It seems Google had blocked me. They said that my query looked similar to automated requests. Duh. They were automated.

Google did not always enforce non-automation. This must be some new defense against the Black Arts. I tried to delete my cookies. Still blocked. Then I deleted all cached info in my browser. No luck. I even tried switching to another browser. Google still would not let me view the pages I had automatically visited.

As a last resort, I went to a web proxy site. From there I was able to view my web pages. What's a programmer to do? I need to code web proxy use into my program. That's what. When I am done, I will release my program here. Perhaps we shall call this The Return of Click. See you soon.

Freehackers Union

Some time back I read a rant on the web from Zed Shaw. He was planning to start up the Freehackers Union. This would be a meeting of like minded hackers in big cities around the world. You had to present some hacker project of interest to be able to attend the meetings. He was fed up with the business people getting in the way of true hacking.
Zed is an outspoken guy who lives in New York. Not surprisingly the first Freehackers Union meeting was held in New York. Zed is known for previously working in the financial markets. I think he was an employee at Bear Sterns. He was previously associated with Ruby (and maybe Ruby on Rails). I think he got into too many arguments with the powers that be in the RoR world. Zed talks like a tough guy. This may be due to his surroundings (New York), or perhaps because he knows some martial arts, or maybe even because he thinks he is a tough guy,

Enough about Zed. I listened to the first Freehackers Union audio broadcast from Zed’s web site. It seemed like a big rant about ideas. I guess that was the whole point of the meetings. Most people in the crowd did not present anything that day. There seemed to be a rule that you could not present using PowerPoint (remember that this was about rallying against the business guys).

One presenter had written an Objective C program for the iPhone. He got a lot of applause. There were a bunch of other technical presentations. I heard that there were plans to have such a meeting near my house. Initially it sounded exciting. Doesn’t everyone want to be part of some cool underground and elite group? Unfortunately it appears that the Freehackers Union did not really materialize past the initial New York meeting. Oh well. Maybe it is time to look around for a local 2600 Magazine meetup.

More Crypto API

This week I finished my college course on Java programming. I am hoping this will free up some time to get back to my Black Hat projects. Specifically I have some ideas about the Windows Task Manager control which I have previously written about. I may be posting a new program to enable and disable Task Manager silently. However for now I thought I would talk some more about the Windows Crypto API.

I have written at length regarding Crypto API details that I have reverse engineered by browsing the C header files provided by Microsoft. In addition, I discovered some Crypto API documentation in the Microsoft Developer Network web site. So without further ado, let’s get into some Crypto API details.

The Crypto API supports PKCS #7. Recall that this is a standard published by RSA Laboratories, a division of RSA Data Securities. PKCS #7 covers cryptographic message syntax (CMS) structures. Going back to terminology, a digest is the result of applying a hash to data. The digest is sometimes called the hash itself.

Although “message” is a generic term, it has a more specific meaning within the Crypto API and security. A message is data that has already been encoded. Normally this data has been signed. It includes a certificate.

One goal of the Crypto API are to provide simplified message functions. The functions are very high level. They in turn wrap many lower level messages. They shorten the code required to accomplish security purposes.

Finally I want to define some file extensions used by the Crypto API. The “.cat” files are those with a digital thumbprint. And a “.stl” is a file with a certificate trust list. On that note, I may provide another Crypto API post in the future which covers certificate services. For now I bid you a good day.

Hacker Challenge

Some guy with a name like Akon posted a challenge to the hackers out there. He made key decoder program. His challenge was for programmers to come up with a key generator to match his decoder program. One C++ and one header file were provided as the source of the decoder. This sounded like a simple challenge. However the algorithm within the provided code was difficult to follow. A couple sample working keys were provided to help with the challenge. And a hint was provided that this was a well known encryption algorithm.

I consider myself a relatively experienced C programmer. There was not any C programming language issues I had. I could understand what the code was doing. However like I mentioned earlier, the algorithm was complex. It was too hard for me to keep everything in my head to follow the algorithm.

There was a big discussion in the comments of Reddit about this challenge. Somebody with security insight identified this decoder as decrypting 12345678 under RSA with two public keys. Thus the goal was to factor one of those keys. You could also add one of those keys to a working existing key. I got the feeling that the algorithm in the decoder was a PK algorithm.

Once the RSA was identified, people commented that RSA uses much larger prime numbers than used in this decoder. Thus it should be easier to crack and provide a key generator. The comments led into a general discussion on security. Some people talked about the use of key servers by companies. It was recommended that zero and the letter O should be mapped to the same number to make things easier. It was also mentioned that a dongle cannot guarantee security. This is because a hacker can create a dongle emulator.