New Program - TaskCtrl

Late one night I was visiting web sites I should not have been. Wouldn't you know it? Some sort of malware got installed on my PC. The system tray had a troublesome icon which kept telling me that I had been infected. Web pages started having extra links in them to virus removal sites. To top it off, my Windows Task Manager became disabled. This was some ambitious malware.

I am a programmer. So I decided to write a program to give me control over whether I can run the Windows Task Manager or not. This is just a key and a value that is stored in the registry. Thus my TaskCtrl program was born. I wanted to quickly code this and share it with you. Therefore I relied on my good old C++ programming skills. This program is provided free of charge.

TaskCtrl first comes up and shows you whether the Windows Task Manager is enabled or disabled. You can change this state by clicking on the radio buttons. This will immediately either enable or disable Windows Task Manager for you. I also added a button that brings you back to my Black of Hat blog. You never know. Maybe my program will make its way to some people who do not read my site. Enjoy this little treat. I plan to find some more time to get back to writing and distributing useful software here.

Cryptographic Service Providers

The Microsoft design in the Crypto API makes use of Cryptographic Service Providers (CSPs). Your application talks to the Crypto API. The Crypto API in turn filters your calls, and passes the requests to a CSP. Your application never directly calls the CSP. You pass in a handle to refer to objects in the CSP. The CSP does all the work and retains public and private keys in memory. These keys are stored in containers. The CSPs are implemented as Windows DLLs.

There are a number of different CSPs which are provided by Microsoft. The simplest one is the Microsoft Base CSP. It comes with the distribution of the Crypto API. It is a general purpose CSP. It supports digital signatures and data encryption. It uses an RSA public key algorithm.

Microsoft also has an Enhanced CSP. It supports everything in the Base CSP. In addition, it uses longer keys. It provides more options for encryption algorithms. For example, you can choose Triple DES encryption.

You can write a CSP yourself. It is a normal Windows DLL. It must expose the CryptoSPI entry points. For those functions you do not wish to implement, expose the function, but just return E_NOTIMPL. Microsoft recommends that you put all of the code for your CSP in a single DLL. Your CSP's installer must register it with Windows using the registry. Your CSP must be signed every time it is built. It also has to be signed by Microsoft.

Certificates

Digital certificates verify a sender's identity. They are issued to a subject (also called an entity). The certificates are issued by a Certificate Authority (CA). The certificate includes a public key for encryption. The Certificate Authority runs a certificate server. The server contains all public keys issued by the CA. The server dispenses the certificates, which are themselves digitally signed by the CA's private key.

In addition to the certificates that are granted and are valid, the CA maintains a certificate revocation list. It is, as the name implies, a list of revoked certificates. Clients access this list to determine whether a certificate is still valid.

The Crypto API uses certificates as defined in X.509. The Crypto API implements a certificate store as a linked list. The list can be in memory, on disk, or in the registry. The store is further broken down into logical and physical stores. A logical store aggregates multiple physical stores, making them look like one big store.

There is also a system certificate store. The system certificate store is a collection of physical stores. In the Crypto API, there are predefined store names such as MY, Root, Trust, and CA. The Crypto API maintains a certificate trust list. It lists the entities that are trusted. An authority certifies other authorities in a hierarchical fashion.

Microsoft’s Crypto API covers a lot of territory. Certificates are just a small part of the supported functionality. In the future I plan to continue discussion on this beast of a topic. I might also write more about X.509, which is a standard for topics related to certificates.

More Crypto API

I want to get back to sharing some information I obtained by studying the documentation for Microsoft's Crypto API. Public and private key pairs are used in asymmetric encryption. This encryption is a method where a different key is used to encrypt versus decrypt. It is much slower than symmetric encryption, where the same key is used to encrypt and decrypt. Asymmetric encryption is on the order of 1000 times slower. You do not want to use asymmetric encryption for a large amount of data.

There is often the need to sign a message that could be large. However, you want this operation to happen quickly. The goal is to verify that the message was actually sent by the person, and that its contents were not modified en route to the recipient. The way this is done is that a hash is made of the message. Then this small hash is signed and sent encrypted. The rest of the message is not.

A hash has a fixed length that is small. For example, it might be 128 or 160 bits long. The hash is sometimes called the digest. Creation of the hash is a one-way function. That is, given some data you can create the hash. However, you cannot reverse the process and generate the original data from the hash.

So to quickly sign a message, you add a signature string to the end of it. The potentially large message gets a hash generated for it. The hash is encrypted using the sender’s private key and included in the signature string. Recipients of the message can then decrypt the hash using the public key of the sender. The recipient generates another hash from the text of the message that was received. If the generated hash and the decrypted hash match, the recipient can be confident that the sender actually sent the message, and that the message arrived intact.

I like to think of the hash as a checksum that comes in handy for encryption. There is a whole lot more to the Crypto API. I will try to post some more articles about it in the future.

Skype Eavesdropping

There is an exciting rumor that the National Security Agency (NSA) is offering big money to anybody who can provide a means to eavesdrop on Skype conversations. You would think that this would not be a terribly difficult task for hard core hackers. Skype uses P2P style communications to send messages across the network.

The Skype P2P protocol is not an open one. However, you would think that there are former Skype employees who know the secrets. It has also been mentioned that Skype itself could use some extra cash, and might be tempted to sell out to the NSA. I know this sounds a bit evil. However, this is just business after all.

How would one go about breaking the Skype protocol? Well you could hook up a packet sniffer, filter out anything other than Skype, then participate in a Skype conversation. This is a reverse engineering exercise. The advantage is that you know what you are communicating over Skype.

I imagine it is not a simple task to reverse engineer the Skype protocol. But when a lot of money is at stake, I bet a motivated hacker can figure it out. Heck. I might even get myself Skype and take a crack at it. However, I will not be sharing my findings with you. I will be going directly to the NSA or whoever else is willing to pay up.

Back to Coding

It has been a while since I have released a program on this blog. Times have been very busy. But now I am getting a breather. So I thought I would whip up a program and share it here. Today I give you Easy Grader.

This program requires the Java 1.6 runtime. I am learning the Java programming language now. So I am going to write programs in Java rather than my normal C++ these days.

Somebody actually asked me to write this program. If you are grading papers, and there are a total of n questions on the paper, this program will give you a percentage out of 100 given that the student missed x questions.

Yes, you could easily do this with a calculator. But when you have a stack of 100+ papers, you want to be able to convert to a percentage quickly. That's the easy in Easy Grader. I am sure you could use this to figure out what your score is based on how many questions you got wrong on a quiz or test at school. The real lesson here is to download and install the Java 1.6 runtime so you can run my program.

Sometimes You Have to Hack

I like to write code that is clean. This takes a deliberate effort and a lot of time. It also takes skill and experience. In the long run, this is a best practice if you are going to use that code any time in the future.

However, there comes a time when you just need to slap something together and get it working. This is usually caused by some external time constraint. Maybe you have entered a challenge and have seven days to clone a game like Angband.

More often than not, there is a customer demand which requires you to just hack a fix without regard to future maintainability. Oftentimes such a customer needs a fix yesterday and does not care about the long term ramifications. The problem is that you have to pay sooner or later.

Permutations

My customer's organization allows us to log into their network using a VPN. This means we do not have to be on site to gain access to needed resources. Normally I work from my company's office. However, I also have the ability to connect from home.

There is a two-phase authentication. First we need to type in our username and password. Then we are challenged with some codes to enter. These codes are based on a set of combinations that are unique to each person. You would think that this was a very strong defense against intrusion. However, I found something weird about the secondary layer.

You are told to enter some codes in order. There are only n numbers. If you count all the combinations and permutations of those n numbers, there is a large universe of possible choices. However, if you restrict the codes so that they must always be in order, you have cut down the problem space of the possibilities significantly.

I am not a Math major. However I bet I could study up a bit and determine exactly how much less secure the ordered code entry is. This is very strange. My customer is a big organization. You would think they would have top notch security. They would most likely blame their security vendor.
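The "exactly how much less secure" question above can be answered with a few lines of combinatorics. The example below is added here and is not from the original post; it assumes that a challenge asks for k of the person's n distinct codes with no repeats. When any entry order is accepted, a guess is an ordered sequence and there are P(n, k) = n!/(n-k)! of them; when the codes must be typed in one fixed order (ascending, say), only the chosen set matters and the space shrinks to C(n, k) = n!/(k!(n-k)!). The ratio is exactly k!, which the brute-force enumeration confirms for small n.

```python
import math
from itertools import combinations, permutations

def code_space(n: int, k: int):
    """Return (ordered, unordered) counts of k codes chosen from n distinct codes.

    ordered   : any entry order is accepted, every sequence is a distinct guess -> P(n, k)
    unordered : codes must be entered in a fixed order, only the chosen set matters -> C(n, k)
    """
    return math.perm(n, k), math.comb(n, k)

def reduction_factor(n: int, k: int) -> int:
    """How many times smaller the guess space becomes when order is fixed (always k!)."""
    ordered, unordered = code_space(n, k)
    return ordered // unordered

def entropy_bits_lost(k: int) -> float:
    """Bits of work an attacker no longer has to do when order is fixed: log2(k!)."""
    return math.log2(math.factorial(k))

def brute_force_check(n: int, k: int):
    """Enumerate both spaces explicitly to confirm the closed forms (small n only)."""
    codes = range(n)
    ordered = sum(1 for _ in permutations(codes, k))
    unordered = sum(1 for _ in combinations(codes, k))
    return ordered, unordered

if __name__ == "__main__":
    n, k = 10, 4                    # constructed sizes: 10 personal codes, 4 asked per login
    print("closed form (ordered, unordered):", code_space(n, k))
    print("brute force (ordered, unordered):", brute_force_check(n, k))
    print("reduction factor:", reduction_factor(n, k), "= 4!")
    print("entropy lost: %.2f bits" % entropy_bits_lost(k))
```

For 4 codes out of 10 the fixed-order rule cuts the space from 5040 to 210 guesses, a factor of 24 or about 4.6 bits. Whether that matters in practice depends on how many attempts the VPN allows before locking the account, which is the control that actually bounds an online guessing attack.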

Back to Crypto API

Recently I have been busy trying to get Oracle certified. So I have not had a lot of time to devote to my Black Hat duties. In addition, I am entering a programming contest this week. There goes another chunk of my time. However I thought I would share some insight into the Crypto API that I have learned by studying the documentation from Microsoft.

Authentication in the Crypto API uses a digital certificate. The encoding and decoding is conducted using a standard called Abstract Syntax Notation One (ASN.1). The certificates contain information about an entity and its public key. The certificates are issued by a certificate authority.

The Crypto API makes use of Cryptographic Service Providers (CSPs). These are lower level routines which the Crypto API calls to do the dirty work of encryption and decryption. The Crypto API is a uniform layer above the CSPs. The CSPs themselves are shipped as a dynamic link library (DLL) and a signature file.

Microsoft itself ships the Microsoft Base Cryptographic Provider with the Crypto API. It uses 40 bit session keys, and 512 bit public keys. Now that we have used the term "session keys" to characterize the Microsoft CSP, I had better define it. Session keys are also called symmetric keys. The key changes for each message that gets encrypted. However, the same key is used to encrypt and later decrypt the message.

Symmetric keys are used with symmetric encryption algorithms. Such algorithms include RC2, RC4, and DES. I will go over these algorithms in more detail later (in some future blog posts). The symmetric key is kept internally in the CSP. There are other types of keys. I will also go into those at a later time.

John Schiefer Imprisoned

The CEO of a company recently said he would stand behind an employee of his who was convicted. This was John Schiefer. He was charged back at the end of 2007 for doing some misdeeds. He installed his botnet on a lot of Microsoft Windows computers. Then he used this botnet to do things like install other software for money, collect PayPal information, and steal identities.

A big shame was that this guy was a security consultant. He was only 26 years old when he was caught. And he went by the handle acidstorm. Schiefer had some accomplices doing the crime. He pleaded guilty and could have received up to 60 years in prison. Instead he was given four years in prison. The strange part about this case is that I had never heard of Schiefer before his CEO blogged about his stance on the controversial subject.

Do you know this guy? Ever heard of acidstorm? Yeah. Me neither. Let's hope his botnet is deactivated by now. Maybe prison will reform him. You can't hold it against a guy for learning how to write botnet software. But it is plain evil to steal people's identities and then rip off their PayPal info. Not cool.