FBI Challenge

A Network World article led me to a challenge by the FBI. They had previously put out such a challenge last year. This year they are repeating the challenge with a harder puzzle. They have encrypted some text and encourage you to try to break the code. Here is the text of the code from the FBI web site:

VFWTDLCSWV. YDNSLMIJFWEJFD GSW SLNIJNQBLM FOBV EJFDVFDLNIGTFBSL. KBVBFYYY.AHB.MSK/NSCDC.OFZFS EDF WV QLSY SAGSWI VWNNDVV.

The FBI also provides some background on ciphers. The first one they describe is the old Caesar cipher. Each letter is replaced with another one in the alphabet. You would think this would be too simple of a cipher for the FBI to use. But I thought I would try to write a program that is smart enough to tell whether some encrypted text Is using a Caesar cipher.

My plan was for the program to guess all possible Caesar cipher substitutions. Then it would use brute force to decrypt the text using each guess. The output would be checked against a dictionary to see if the result looked like English words. It would assign a score based on how many words are actually recognizable. The program would then choose the top scoring Caesar substitution set, and declare a victory if some threshold such as 90% of the words are good.

The problem with this plan was that I needed a dictionary for my program to rely on. More specifically, I needed a list of valid English words. You would think this would be an easy thing to find. However I only found lists that were split up among multiple files. Or I would find lists that contained a whole lot more than just words. So the very first task was to write a processing program that would accept some input I found on the Internet, and output a single file full of unique words in the English language.

When I get this done, I will share the code and list with you. Who knew that this was going to take such a long time? And I am only on the first simple Caesar cipher try.

About the Crypto API

Last week I read an article in CoDe magazine by Alex Feldstein about the Crypto API. This comes at a good time as I continue to study the C header file for this API. I was delighted to hear that there is a user manual for the Windows Crypto API. Unfortunately I do not know where to get it. I have since found the Crypto API documentation on the Microsoft Developer Network (MSDN). Perhaps that is the user manual.

Cryptography in general is the science of keeping messages secure. A hash is a function that can be applied to a plain text password. The client program can send the hash alone, thereby eliminating the need for sending the actual password. That makes sense. I think that is how Oracle authenticates database users with their passwords.

The Crypto API implements Public Key Cryptography functionality. This is also known as Asymmetric Encryption. It is also known as Public Key Infrastructure (PKI). You encrypt data with the public key. The recipient decrypts the data with their private key. A well known system for this is Diffie-Hellman. Some implementations of Diffie-Hellman are RSA, PGP, and Entrust.

Digital signatures also used public and private keys. The United States Government uses the Digital Signature Algorithm (DSA) from the US Digital Signature Standard (DSS). Although this does not fully explain these terms, at least I now know what some of these strange acronyms stand for.

The Windows Crypto API is implemented with a set of dynamic link libraries (DLLs). It is a part of Microsoft Windows. It has an abstraction layer. The Crypto API uses encryption servers called Cryptographic Service Providers (CSPs). The applications do not directly access the CSPs. They go through the Crypto API,. A session is established between the Crypto API and the client application. This session is the context needed for calling the API functions. You can export a session key to something called a key blob.

My next step is to continue pouring through the MSDN documentation on the Crypto API. There are a lot of topics under the Crypto API. I have been taking vigorous notes while I read through. So far I am up to 10 pages of notes. After I have finished reading, and have digested the information, I shall post further about it.

Crypto API Terms

I have previously written about my discovery of the C header file for the Microsoft Crypto API. There are many terms in this source file that are foreign to me. It is my goal to learn all I can to unlock these mysteries. I thought I would go over some more unfamiliar terms and discuss what little I know about them.

One realm has to do with Diffie-Hellman. I do know that these are the last names of two guys. However I do not know the details of their research. There were terms in the code such as KEA, SANDF, and EPHEM. These must mean something for this algorithm.

The code referenced different types of hashes. I recognized SHA which I have previously written about. However I did not know what MAC, RIPEMD, HMAS, or TLS1 were. The same thing goes for Secure Channel. I have heard about it. But I did not know what the “master” refers to. I suspect this has something to do with SSL. Again I am not sure.

There are a number of algorithm choices present in the code. I know about digital signatures using RSA. I might have heard about DSS digital signatures. However the terms SEAL, KEA, CYLINK MEK, and PCT MASTER were foreign to me. It is definitely time to study up.

Now I saw a section on Gen Key. My instinct tells me this has something to do with Netscape. If I had to guess, it must be a program or technique to generate random keys. However I want to be sure. In addition, I need to understand how the following terms apply to key generation: exportable, user protected, salt, SF, KEK, and volatile.

There was a section of code enumerating the types of “modes” available. I was not sure what they were talking about. I know I did not recognize the different values such as cipher block chaining, electronic code boo, output feedback, cipher feedback, and cipher text stealing. Only one of them sounded even vaguely familiar.

I did gain some tangible knowledge reading this source file “wincrypt.h”. Specifically it stated that Windows XP ships with a 128-bit encryption provider. And I read that the code is implemented in a file called “crypt32.dll”. I found out that OID stands for Object Identifier. However I need to know more than what the acronym stands for. I need to also learn what non-repudiation means. Microsoft is usually good with its documentation. My next stop is the Microsoft Developer Network (MSDN) for detailed info. As always I will share what I learn.

Crypto API

I was browsing the source code for one of our main applications. And I found a file that implements a C++ class for security. This file has a curious include of another file named "wincrypt.h". I have come to find out that this include file is the Microsoft Cryptographic API. I figured I could learn a lot by studying this file. Or more precisely, I could identify some topics from this file that I need to research further.

The file referenced the term "entrust" under the heading of RSA. Now I know that RSA is or was a company. But I am not familiar with what entrust is yet. I need to study up. The file also referenced the acronyms PKCS and DMS under the heading of DSS. Now I know that PKCS stands for Public Key Cryptographic Standards. However I am not confident of what DMS and DSS stand for.

There were DES block ciphers enumerated in the file. Some of them had names like DESX, IDEA, CAST, and RC5. Now I know that DES stands for Data Encryption Standard. And I have previously written about RC5 when I discussed SSL. However the other acronyms have no meaning to me. I am starting to get the feeling that just about everything relating to cryptography has an acronym name.

The header file also had some terms under the heading of Fortezza. They were SKIPJACK and TEK. Now I have written about how SKIPJACK is a block cipher. And I have also written about Fortezza when discussing SSL. However I am not sure what TEK stands for.

Sometimes I found that I really did not know what the heck the code was talking about. For example, there was a heading for a KP mode. I am at a loss since I do not even know what the group stands for. I do know that some terms for these modes I need to learn are CBC, CFB, OFB, interleaved, pipelined, and masking.

I was happy that most of the time I recognized the header for groups in the source file. For example, I know what a stream cipher is. Two such ciphers listed in the code were RC4 and SEAL. Previously I have written about RC4. However I have never heard about SEAL.

For now I plan to write another post about some more goodies I have uncovered in the Microsoft Crypto API header file. Long term I want to research the unknown topics and become very familiar with them. Perhaps it is time to get some training on this.

RSA Key Exchange

Previously I have written about the Secure Socket Layer (SSL). One method that SSL uses to negotiate the encryption between client and server is the RSA Key Exchange. There are multiple modes that the RSA Key Exchange algorithm can choose for encryption. I had already described the MD5 hash function and RC2 block cipher. Now let’s go over the other modes that RSA Key Exchange can decide upon.

A frequent choice is DES with 56 bit encryption and the SHA-1 hash function. DES stands for Data Encryption Standard. It is a cipher selected as an official Federal Information Processing Standard (FIPS). It is a symmetric algorithm meaning the encryption and decryption use the same key. RC4 is a stream cipher that has been called the most widely used software stream cipher. RC4 is also called ARC4. This cipher is used in wireless networks as well.

Another choice is Triple DES with 168 bit encryption and SHA-1 message authentication. This method has the strongest security. However that means it is not as fast as some other techniques. You can do the math and see that the key is three times longer than DES. It is also FIPS compliant. Triple DES is a block cipher that employs DES three times. IT is designed to prevent man in the middle attacks. Although it is very strong, Triple DES is being replaced by AES (Advanced Encryption Standard). The SHA-1 stands for Secure Hash Algorithm. It was designed by the National Security Agency.

That wraps up the modes that are available under the RSA Key Exchange. I thought I would also mention that SSL can use Fortezza. That is an encryption system used by the United States government. It calls for hardware based encryption of a classified cipher such as KEA or SKIPJACK. You get a PC card which stores private keys on it. Like the RSA Key Exchange, Fortezza provides different modes of encryption which can be negotiated.

One cipher suite used by Fortezza is RC4 with 128 bit encryption and SHA-1. This is very strong and difficult to crack. Another suite is RC4 with 128 bit encryption, SKIPJACK, and SHA-1. This is used for classified systems. It employs a symmetric key. SKIPJACK is a replacement for DES. It is also a block cipher, and was developed by the National Security Agency.]

This almost completes my overview of SSL. I wanted to get into the SSL Handshake and also the Man in the Middle Attack. Perhaps I can leave those as topics for future posts.

Secure Sockets Layer Intro

Secure Sockets Layer (SSL) provides client/server authentication and encrypted communications on the Internet. To understand how it fits into the big picture, it would be good if you knew the Open Systems Interconnection (OSI) model for network communications. This is a sever layer model to represent a network. TCP/IP is pretty low operating at the network layer in this model. On top of that is where SSL works, which is the transport layer. Much high in the application layer is protocols such as HTTP and LDAP.

SSL makes use of certificate authorities to verify certificates. It also has two sub protocols: the SSL Record Protocol for formatting, and the SSL Handshake Protocol which negotiates the keys and techniques used for encryption. One way to perform this negotiation is to employ the RSA Key Exchange. There are many options available. The exchange algorithm lets the both ends of the network determine which option to use. I will review these options from the least secure to the strongest.

The simplest and least secure is to do no encryption. This option uses something called MD5 which stands for Message Digest algorithm 5. It is a cryptographic hash function written by Ron Rivest. This technique allows the receiver of network communications to detect whether the messages sent have been tampered with. MD5 is essentially being replaced by SHA-1 which I shall explain below.

Next the RSA Key Exchange can use something called RC2 with 40 bit encryption and MD5. RC2 is a block cipher also invented by Ron Rivest. A block cipher is a symmetric key cipher (encryption and decryption use the same key) that operates on fixed length blocks at a time. This cipher had a 64 bit block with a variable sized key. It is slower than another option of using RC4 with 40 bit encryption and MD5. RC4 uses a stream cipher and is the most widely used software based stream cipher. Both RC2 and RC4 can also be used with 128 bit encryption which makes them more secure.

There are more modes that the RSA Key Exchange can choose. I will cover them in a future posting. SSL can also use techniques other than the RSA Key Exchange to determine how to choose a method and key for encryption. I hope to also go over these in a future post. There are a lot of details to this SSL.

Cryptography

As I mentioned before, I am looking to enter the computer security field. One topic in this field is cryptography. Information transferred over the Internet is subject to all kinds of evil activities. There can be third party eavesdropping and/or tampering with the data. Furthermore a third party can misrepresent who they are. A solution to this is the encrypting and decrypting of data. This is normally done with the use of a key.

There are two main flavors of key encryption. Symmetric key encryption is one where encryption and decryption uses the same key. If is efficient and therefore fast. The other type of encryption is public key encryption. This is also known as asymmetric encryption. It uses public keys which are published, and private keys as well. This method is more complex. It has the benefit of allowing you to digitally sign messages from you using your key.

Public key encryption makes use of certificates which identify individuals. The certificate associates your identify with a public key. The certificate is issued by a certificate authority (CA). Using the certificate you can confirm an identity. The other way the confirmation can be done is through passwords.

An implementation of public key encryption is the Secure Sockets Layer (SSL) protocol. It governs authentication. SSL defines a type of certification called an SSL Certificate. This technique, like all public key encryption, uses symmetric key encryption.

There is a lot more to the world of cryptography. It seems like an interesting domain. I plan to get more into this, specifically on the computer programming side. I did not have time to mention the Secure Multipurpose Internet Mail Extension (S/MIME) used to sign email. And there is also x.509.v3 which is a specification for certificates by the International Telecommunications Union (ITU). I am hoping there will be tine to explore these topics in the future.

Security Job Skills

I am looking to get a job in the computer security field. Since my background is in computer programming, I thought I would go for a development job in this field. There seem to be some opportunities. However the open jobs seem to require background in some topics I am not familiar with. To me that just means I need to study up.

One thing that the jobs like you to have is some certifications. In the past I have never been a big fan of certification. That is because a lot of times it just meant somebody without experience crammed to pass some certification test. However now that is probably exactly what I need. The certifications usually listed are CISSO and Security+. I think I have heard some colleagues say they had CISSO. But I don’t even know what Security+ is.

Some of the skills needed for development positions are generic. For example, a job may call for experience with Java, J2EE, Service Oriented Architectures, Networking, Linux and POSIX. These do not appear to be specific to the computer security industry. Unfortunately those are skills I do not have work experience with. That is ok. My plan is to bone up on my web development skills anyway. So I think I can take care of some of that knowledge.

Other skills required for development positions were very specific to the computer security industry. To tell the truth I have never used these technologies. They include Netscape Security Services, digital signatures, and symmetric/asymmetric cryptography. Well I have the web and Google at my disposal. It is time to bone up on these topics. I will share what I find.

Hacker Sting

Recently I decided to join the Association of Computing Machinery. This happened because I found out my company would pay for it. Right now I am waiting for my membership. It will give me a subscription to their ACM magazine. I will also get access to some technical references online. I though I would talk about a story from the Communications of the ACM. This story is over 20 years old. But the topic is one that I think is still of interest today.

A hacker tried to attack the computer system in a lab. The lab decided to let him think he had broken in. They further decided to use this individual to study how hackers operate. They tracked his activities for about a year. This individual used their lab computer to try to reach other systems. He mainly targeted military and defense systems. They thought he might be doing this for espionage purposes.

Over the year, the hacker attempted to attack over 450 computer systems. He did not use any new approaches. He only used techniques that were found elsewhere, like known security holes. They first detected his attack on their systems when they found a new account that was created. He seemed to search their e-mail to find signs that he had been detected. The hacker used X.25 ports to get in. He tried guessing passwords of accounts.

The intruder was evasive. He only stayed connected for a couple minutes at a time. He also disconnected when he noticed that a system manager was online. He was traced when the researchers at the lab set up a sting. They created some bogus files of interest. It caused the hacker to stay connected longer reading them. The hacker also sent in some snail mail correspondence based on what he read in the bogus files.

This hacker relied on some common account names being present in most systems like root, guest, and system. He also used utilities such as who or finger to find the user names of people logged on. Many people store all kinds of passwords in plain text files. This guy was also able to crack encrypted passwords. It did not help that many people chose passwords that could be found in a dictionary.

There is a lot more to this story. I plan to access the original story in the archives when I become a member of the ACM. Come to think of it, I tried to apply for membership quite some time ago. I have not heard from them since. Maybe it is time to call them up.

Laptop Hacked

I read a funny story about a guy whose laptop got infected. He was a college student with a laptop. He used the laptop for taking notes. One day he walks into class and turns on his laptop. For some reason the laptop kept playing music by itself. It kept repeating the song “See You Again” by Miley Cyrus. This poor guy asked for help on the Internet. He was desperate.

The student noticed that a “miley.exe” process was now always running. Some amateurs recommended that the guy delete this file. No dice. The file could not be deleted because it was being accessed (in other words it was locked due to use).

More level headed individuals recommended the guy do a Google search to help research the problem and any solutions out there. Many people chimed in that, at worst case, he could reinstall Microsoft Windows on the laptop. I had a chuckle when people started calling this the Miley Cyrus Virus. That rhymes in case you didn’t know.

Other good advice included recommendations to run antivirus software. Specifically some guys in the know said he should run Malware Bytes Antispyware to get rid of the problem. I have used this product myself with good success rates.

Some jokers said the guy should sue Miley Cyrus. Yeah. That was just a joke. One out of the box approach was to mute all the sound devices. And a hard core approach to this would be to cut the physical wires that lead to the speakers.

I hope this guy found a way to combat the problem. My own PC got into a phase where it would play sounds and music by itself. These malware and virus authors make us go through all kinds of bad times.

WPA Cracked

The Arstechnica blog has reported that some researchers have found a whole in WiFi Protected Access (WPA). This was presented in a paper by Erik Tews and Martin Beck. It discusses how they cracked the WPA encryption. They are able to successfully send bogus data to a WiFi client. The researchers started with an existing attack on Wired Equivalent Privacy (WEP). The original hack sniffed packers and modified them. They are only able to decrypt short packets.

WEP came out with a basic encryption technique. However the checksums were too weak. The replacement had a goal to be stronger. But it also needed to maintain backward compatibility. An advanced encryption system (AES) option was added. Using AES alleviates the risk of your packets being cracked. Some other techniques to make it hard for the crackers is to employ the option to rekey regularly. This makes transmission more secure. The best method is to choose a very long key.

The idea to move from WEP to WPA was a good one. However the limitation was that they wanted to still run on legacy hardware. The solution chosen was to use a 128 bit key. WPA, or more specifically Temporal Key Integrity Protocol (TKIP), changes the key for every packet. There is a sequence in the key. The length of the sequence is 48 bits. This is good because it will be a long time before such a long number is ever repeated.

I have seen the options to enable both WEP and WPA on my router. Previously they were just weird acronyms. However I want to get more into security and encryption and all that good stuff. There is a lot to learn however. Luckily I have a little bit of background in networking programming. Hopefully that will enable me to get up to speed quickly. The problem is that I am doing this as a side project. I am hoping that maybe I can get a job, even if it is a short term one, in this field to totally immerse myself in it.

Storm Worm Usage

I read an interesting article in the Washington Post newspaper. Some researchers from UC Berkley and another university had conducted an experiment with the Storm Worm virus. They infiltrated the network of machines that have the Storm Worm. They instructed bots to send spam sending unsuspecting readers to their phony pharmaceutical sites.

Within 26 days, they had the Storm Worm distribute 350 million spam emails. They conceded that about 75% of this email got filtered out. The remaining 25% made it to people’s inboxes. Almost 30 people decided to buy pharmaceutical products from their phony sites. They ensured that their sites aborted right before the sale completed.

The average sale was over $100 worth of pharmaceutical goods. The research team estimated that they only used 1.5% of the botnet network capacity. If they were able to fully use the botnet, they projected that they could clear $3.5 million worth of sales a year. This was all through advertising using Storm Worm spam.

There are a couple lessons here to learn here. One is that botnets like the Storm Worm are profitable ventures. Smart people can hack into these botnet networks. Some small percentage of people will make purchases in response to spam email. Perhaps it is the large numbers involved that makes the small percentage worthwhile.

Do you have the Storm Worm secretly installed on your computer? You may be supporting the huge botnet network that propagates criminal activity such as the one studied by these researchers. The thing I wonder is how much are the original authors of the Storm Worm actually making out there? And if they could get such profit from these illegal activities, could their skills be harnessed for legitimate business opportunities?

Script Kiddie Tools

I read a post to the Downgrade Blog entitled “Script Kiddies Have Awesome Tools”. The author checked out a recent hack to Wordpress. He tried to decode the source. However he found that it had been compressed and encoded many times. Eventually he got to the original code. There was an amazing suite of tools available to hackers.

The author compared this tool suite to a tool he obtained about 10 years ago. That tool was supplied as C source code. You needed to get your development environment correct first. Then you needed to supply the compiler with the correct flags for it to successfully build. Finally you needed to figure out how to run the darn app.

This latest suite of tools was much more user friendly to the hacker user community. There were a lot of tools in the suite he discovered. There was a tool to find files with security holes. There was also a program to execute commands as the web server user. It included a backdoor tool installer. It also had an FTP brute force cracker. The suite came with a self remover program as well. This is just a few of the tools included.

The guy realized that with this tool set, it would be easy to go into business. You could scan for Wordpress installations. Once found you could use the tools to check for vulnerabilities. Then you could exploit the ones you find for ill gotten gain. The hard work was done. Somebody coded and provided this tool set. You just need to be a script kiddie to use it.

The tool suite itself was about 2500 lines of PHP code. It took advantage of files not being read only on the file system. Advice from readers who commented included a recommendation to lock down your Wordpress. You should always patch third party code. And you should definitely sanitize SQL before using it. Others mentioned that this tool suite was actually old news. Well I had never heard about it.

Learn UNIX

Some guy had posted a question on Reddit asking for advice on learning UNIX. This was in preparation for doing admin work. He inquired whether he should become familiar with Linux, Free BSD, or Solaris. There was a lot of interesting commentary from Reddit readers that posted replies.

At least one person believed a good UNIX sys admin would need to learn all those UNIX flavors. It would also be most valuable to know UNIX to Windows connectivity. One way to learn any or all of these is to try them out on a virtual machine.

Some readers favor the knowledge of the Ubuntu distribution. Others recommended Gentoo. Solaris knowledge will give you the ability to be involved with interesting work. Others commented that even Apple OS X is UNIX underneath.

The best advice I read was to learn generic UNIX first, and not a specific brand. The most hard care advice was to get some source code and roll your own Linux. That would give you the truly deep knowledge. Now that may not be really needed if you want to be a light sys administrator. But it would be very worthwhile nonetheless.

Personally I am a Microsoft Windows kind of guy. However I used UNIX a lot during school. I even took a UNIX systems development class. I have found the knowledge most useful in my career. You never know when you need to get on a UNIX box and write some code. If you had never been exposed to it before, you would be in trouble. With the low or no cost UNIX available now, there is no excuse not to be fluent in UNIX.

Pause in Coding

I thought I would write a post to say that I know I have not been posting many new programs here lately. My day job is killing me. Pretty much I was going strong producing good results at work. My reward was that I got a second task that requires as much time as my primary one. This just does not add up.

There are multiple problems at work. One is that things are a bit disorganized. That’s ok when I have some slack time in my schedule. But now I am filled to the brim and it is causing me some pain. Another team keeps needed me to join their meetings. That causes a severe drop in productivity.

So now I am falling behind on my main job. And I am not even working the second task I got handed. After working in this crazy environment all week, I do not have any energy left to write some new cool progs for Black of Hat. However I still have a lot of ideas. And if I can get out of this crazy work schedule, I can go back to doing that which I love.

Here is a taste of a new idea I started coding up, but had little or no time to follow through on. I want to code a robot which writes blog posts quickly. This is talking about posts just like the ones I write here, complete with images. At first I looked into using a Google API directly to communicate with Google from the problem. That would have been the easiest. However Google looks like it has no way to automate posting images.

I am left with coding up a sort of screen scraper. My robot will trick the browser into thinking it is a regular user. That is hard to code. But it is the safest way to make sure things work. After I resolve how my program interacts with the browser like a human, I will dive into the artificial intelligence required for the robot to write coherent sentences like any real blogger would. Does that sound like a tight program or what?

Malware Continued

This post continues the story of my PC being viciously hacked after visiting a rogue website. Every few minutes there would be a popup from a new icon in my system tray. This popup stated that Windows detected spyware on my computer. There were a couple tell tale signs that this message actually came from the malware. The popup continued to say “that it recommend [sic] that I allow it to automatically download antispyware software to prevent [sic] problems.” Usually Microsoft spells words correctly in its error messages.

I saw that a program called “brtask.exe” had been installed in my Windows system directory. And I could not delete the file. It was locked because it was in use. At first I could not get my Task Manager running because the malware was preventing me from running it. However I installed another type of Task Manager. But the process did not show up in the list of active processes.

My initial reaction was to run some antivirus software. I had an old copy of McAfee from 2007. Here was the odd thing. The McAfee software could not perform an update. It thought that I was not connected to the Internet. I suppose this was more shenanigans from the malware. I still ran my old copy of McAfee antivirus. It did the trick to get rid of the popups from the system tray. However my Google search results were still being hijacked with bogus links.

This time I turned to a software I was not familiar with. I installed and ran Anti-Malware from Malwarebytes. This software also was unable to update itself. It thought my computer was not connected to the Internet. This evil malware was quiet tricky. Luckily I had version 1.30 of AntiMalware, which might even be the most recent version. Running this software got rid of my Internet Explorer hijack. The version I had was free. Thanks Malwarebytes.

Regardless of the extra work this malware brought me to clean my system, I still thought it was quite an impressive piece of work. It had some tricks to ensure I could not manually eradicate it. Good thing a couple antivirus software packages were able to quarantine it. I wonder how much work went into constructing this piece of malware. And I fear the evil deeds it was secretly accomplishing when it was running on my PC. For now I am going to keep McAfee antivirus running all the time. And lucky for me, it now is able to update itself from the Internet.

Malware Ownage

This weekend I was browsing the web. I found a link for what appeared to by a juicy story. The headline was that Miley Cyrus, the actress who plays Hannah Montana, had moved in with her boyfriend. Link any chump I clicked through. I got the feeling I was in trouble when the web page never showed up, but my system starting acting like it was very busy.

Here is how I knew I was definitely in trouble. I tried to bring up the Task Manager but it was grayed out. In other words, my Task Manager had been disabled. Normally I use Task Manager to kill malware executables when my system gets infected. However this ability had been stripped. At first I thought some rogue program just disabled the access from the menu. So I went to the Start Run menu, and tried to launch “TaskMgr.exe”. What I saw next was the beginning of a very long weekend. The message I received back was that the Task Manager had been disabled by my system administrator.

I figured that I was up against a pretty smart malware program that was going who knows what with my PC. So I went to Google looking for a way to get my Task Manager running again. Google had a lot of hits on this particular subject. There was just one problem. Every time I tried to click one of the links from the Google search results, I got sent to some advertising page. It looks like the malware was hijacking my search results. That was painful.

Now I am not one to give up easily. It was a little annoying that I did not have control of my system. But I was confronted with what I would call a very smart malware program. I did notice that my Google search results had the real URLs listed at the bottom of each result. I copied and pasted the link for a page which hopefully would restore my ability to run Task Manager. Apparently the trick was to modify a certain registry entry.

I had thought I reached some level of success. My ability to run RegEdit had not been compromised. But I still could not run Task Manager even after a reboot. Then I found out the pain. This malware program was detecting that I was changing the registry entry. And it was changing the value back before I could reboot. This was indeed one smart program. It did all kinds of other damage to my system. I will continue the tale of my battle with this malware program in a future blog post. I promise you the story is filled with juicy details.

Network Security Appliance

I was reading this week’s issue of Information Week magazine. There was a full page advertisement for the SonicWALL NSA 240. It was being hyped as the next generation firewall. The ad claimed it could support 600 Mbps network throughput. The proposition declared this was three times better than similar priced competition. There were a lot of buzzwords in this advertisement. So I thought I would try to digest what the heck they were selling, and determine whether there was any substance to the claims.

The first thing I did was look to the fine print at the bottom of the page. They said their massive throughput was assuming use of their “RFDPI” engine and specialized multi-core processor. Now I did not immediately know what that means. However I assumed that meant you had to pay more for some if not all of these features.

To tell you the truth, I do not think I have heard of SonicWALL before. I did know some of the big competitors they listed like Cisco Systems, Fortinet, and Juniper Networks. The ad stated that it provided full network protection without compromising performance. It was in the sales text that I found out that NSA means Network Security Appliance in this context. That is funny. Everywhere else I thought it mean National Security Agency. Perhaps they chose this acronym on purpose to align with the real NSA.

Here is what I have gathered this box does. It performs antivirus, spy ware, and other intrusion detection activities. I also decoded that RFDPI refers to Reassembly Free Deep Packet Inspection. Once again I cannot be totally sure, but I am hoping this means that they check every single byte that goes through their device. A look at their web site shows they are aligning the NSA 240 to compete against products which cost between $1000 and $2000. Unfortunately I could not find their price listed anywhere.

Well I am going to be honest here. It is going to take a while to further digest how good this box does its job. At least I found out that SonicWALL was founded in 1991, and employs over 700 people. They appear to be a real company. I am not sure, but I believe their headquarters is in Sunnyvale, CA. Shortly I shall also inspect competitor products like the FG100A, the SSG 20 Extended, the UTM-1 Edge, the X55e, and the ASA 5505. Those are great names, aren’t they? Hopefully I will learn something more about intrusion detection systems by researching this.

Linksys WRT54G Router

Recently I was reading an article from Wired on making money with open source hardware. It mentioned the Linksys WRT54G router in passing. This router was released in 2002. It was initially a $150 router. The firmware was based on Linux. You could do all kinds of tricks to turn the router into one that rivals a $1500 one. These changes include boosting the antenna power, making it a signal repeater, and create a mesh network. The point of the article was that the hacking of this router actually boosted sales for Linksys. I was more interested in the history of these modifications. I am pretty sure I have a WRT54G myself.

First let’s look into the hardware contained in the WRT54G. It has a 200Mhz MIPS processor. Specifically it is a BCM5352E processor from Broadcom. The versions of this model come with 16 to 32 megabytes of RAM, as well as 5 to 8 megabytes of flash RAM. You have the ability to add more RAM if you like. The router actually consists of a wireless access point, a switch, and a cable/dsl interface.

The more interesting part of the WRT54G is what runs on the processor. Prior to version 5, the router ran embedded Linux. This was later replaced with the VxWorks operating system. In order to comply with the GNU GPL, Linksys released the source code.

Note that any mods to the router void its warranty. This box has been called the most hackable router. The great part is that it is easy and free to do so. Most of this starts with upgrading the firmware. And there are many open source replacements which are free such as DD-WRT, OpenWRT, and HyperWRT to name a few.
You can run customer applications and scripts if you replace the firmware. A common change is one to boost the transmit power. By default the transmission is at 28 mW. However you can modify this to be boosted almost ten times that amount. Be warned that higher transmission power may cause overheating. I have heard that levels less than 100 mW work best. Apparently there might be laws as to how high you can transmit.

Knowing all this, I want to run home and tear apart my router. I am hoping that I have the right version which runs Linux. If so, get ready for a firmware upgrade. Who knows what kind of cool programs I can write to run on my $50 router.

Keyboard Attack

I read an article from the BBC News. Some researchers found a way to read computer keyboard presses using a radio antenna. It detects the radiation from the keystrokes. It can then determine which keys were pressed. This is all supposedly possible using cheap hardware. Unfortunately the details of the hack were sparse. I imagine there will be more details posted later when they actually publish their research.

This was done by some PhD students at a security and cryptography lab. They were part of a Swiss university. It sounds like interesting research for students. It must be nice to have the time to research this stuff. The big deal is that this is yet another way that criminals might be able to snoop on what you are doing on your computer without your knowledge.

You can think of this as a hardware key logger that does not need to be physically connected to your computer. The researchers did give some tidbits of information about their research. They stated that they have 4 attack vectors in which to guess the keystrokes you are pressing. I think I want to follow this story more carefully. Any strong coder can write a secret application that logs keystrokes if this rogue application is installed on the victim’s computer. However this latest hack is describing some snooping at a distance. Nice.

Spammers Revenge

Recently I discovered a Security and Risk site. There were some nice articles there. I read one column that talked about the scams that are sent via spam email. The latest one was somebody claiming to be from a bank, and needed the reader’s account information. The spam advised the reader to contact the spammer, not their own bank. The author of this piece questioned who would be gullible enough to believe this nonsense.

The real gems from this site were contained in the user comments. One commenter said he received a doctored up VISA card picture in an email from a spammer. The person decided to entertain the spammer and contacted them. They said that they could not clearly read the information on the card. They requested that the spammer FAX and enlarged copy to a certain FAX number. The punch line was that they provided the FAX number of the local FBI office. Ownage.

I can confess that I have never responded to any of the spam sent to my many email addresses. The fact of the matter is that I just do not have time to deal with it. It all gets deleted. I like some free email accounts that filter out the spam into a junk email folder. However it might be educational to actually respond to these jokers. I might generate some funny stories of my own here.

Security Virtual Event

I got this week’s copy of Information Week magazine. There was an advertisement in it for a Security Virtual Event. This is like a conference. However it only simulates face to face interaction. The event is being held on October 23rd. It is being marketed as a gathering of the best known white hat hackers. Kevin Mitnick is presenting the keynote speech. The event is being sponsored by Information Week and Dark Reading.

To tell the truth, I have never heard of Dark Reading before. Maybe that’s one of the reasons why they are sponsoring the event – to get more exposure. A little research taught me that Dark Reading is a web site. The group that produces it is a division of CMP Technology. It was started in May 2006, and is a security web site. They analyze and report on security vulnerabilities.

The event is an online one. It is supposed to be interactive. In other words, you can participate in discussions. Some of the big topics being addressed are cybercrime, risk management, and compliance. You can network with other security professionals. There will be virtual booths staffed by security companies.

If you register for the event, you have the chance to win some prizes. Kevin Mitnick’s keynote is “The Art of Deception: The Shifting Face of Cybercrime”. That sounds a little like his first book. There are also a number of sponsors for the event. The only name that sounded familiar was Symantec. The big sponsors get 45 minute blocks during the day to present.

All of the speakers listed show their actual names. There are no hackers code eLiTe handles presenting at this conference. I guess it is a legitimate security conference. The only difference is that the whole thing is being presented online. I hope I can get off from work that day to check it out.

Comcast Newgroups

I got an e-mail from Comcast, which is my Internet service provider. They are dropping the availability of USENET newsgroups. I will have to arrange for newsgroups myself if I want access to them. In other words, I may have to pay a separate extra fee for this privilege.

Comcast stated that newsgroups popularity has declined. However they did admit that there are customers who do still use newsgroups. I myself do not use them as often. But I still read a couple newsgroups occasionally. I think what Comcast is saying is that they do not want to pay for this newsgroups service.

So I am getting a decrease in the services that are being provided by Comcast. This comes on the heels of another e-mail from Comcast that stated they were going to cap total bandwidth for users. The icing on the cake was that I also got a letter from Comcast. They are raising my rates.

This is a double jeopardy that Comcast is putting on me. They are raising the rates and reducing the services. On the surface this may be good for their bottom line. However it is irking customers such as me. I guess the only way for me to respond so that Comcast notices is for me to walk.

Yes I can go with Verizon FIOS. However they probably have the same greedy policies. In some markets, you just can’t win. Time to look for a pay raise to deal with this nonsense.

RealDVD

I read a post on the Technologizer blog. It was entitled “A Real Review of RealDVD” by Harry McCracken. Real Networks has released a new application which copies DVD contents to your computer hard drive. There are already other programs out there that do this. However the competitors actually decrypt the DVD, which might be an illegal activity. The RealDVD product from Real Networks takes another approach.

RealDVD is a DVD copying program. It is, in fact, a DVD ripper. However it does not violate the DCMA rules. It achieves this by not removing the copy protection. In fact, RealDVD adds extra copy protection to the output it stores on your hard disk. In essence, you cannot share copies of the rip with anybody else.

This program costs $30. McCracken says that it is easy to use. The ripping does not degrade the quality of the DVD. The amount of DVDs you can rip is only limited by the amount of disk space you have. You can also rip a DVD to a USB drive. The ripped movie is bound to the device you rip the DVD to. So you cannot just make a copy somewhere else and hope that it will work. This is the key benefit of RealDVD.

Personally I watch all my DVDs on a DVD player. So I don’t have the need to store a copy on my computer. I am also not worried about backing up the DVD. If something happens to my DVD copy, I will just buy another one. The interesting part of the RealDVD program is that Real Networks found a way to copy the DVD, encryption and all. You can then play the DVD back, but it is somehow tied to where you ripped the DVD to. I wonder how many takers Real Networks will get for this product. It is not excessively expensive. I just don’t know whether they can stand out in a crowded market or not.

Comcast Limits Confirmed

Previously I had read an article about Comcast possibly limiting the monthly download bandwidth for customers. It seems this article was right. I am a Comcast high speed Internet customer. Yesterday I got an e-mail from Comcast. They are going to be modifying their acceptable use policy (AUP). Starting in October, monthly bandwidth usage over 250GB will be considered excessive.

The e-mail had all kinds of justifications as to why this was a fair policy. Their spin was that this would protect customers from negative impact. Comcast stated that users with ultra high bandwidth consumption caused performance problems for other users. Then Comcast went on to quantify how this limit would not hurt the average user.

Less than 1% of their customers use over 250GB of bandwidth. Normal consumption is between 2 and 3 GB per month. Therefore the new limit is 100 times the average usage. The 250GB limit is equivalent to 50 million e-mails, over 62 thousand songs, or 125 high definition movies. Comcast was also careful to point out that online gamers do not come close to consuming 250GB of bandwidth either.

Hey. I am all about protecting my ability to have good Internet performance. However it seems like Comcast is trying to move to a pay per usage model at the high end, while still charging users at the low end the same normal rates. That does not sound right. I would be unhappy if I was one of those high bandwidth consumers. Luckily I am not. However I would still prefer Comcast to truly go to a per usage model and save me some money. Of course they are not going to do this, as it would eat into their profits. This still seems like a sleight of hand.

Sarah Palin Hacked

Have you heard the news about Vice Presidential candidate Sarah Palin getting her yahoo mail account hacked? I read a blog entry by Michelle Malkin entitled “The Story Behind the Palin E-mail Hacking” to get the details. It put some of the details in perspective.

The main clarification was that the perpetrator who did the hacking was not part of some elite hacker group. There is a site called 4chan that has a lot of discussion boards. People post on this site as Anonymous normally. You don’t need to sign in with your credentials. One person hacked Palin’s Yahoo account early Tuesday morning. The account and password were then shared on one of the 4chan discussion boards. The plan was for other readers to go crazy and use the e-mail.

In the end, this discussion board thread was deleted by the moderators. Some users had taken screen shots of what they saw on 4chan. It was these screen shots that were shared with the mass media. Later a poster that goes by the handle rubico claimed to be the original person who hacked the account and shared the password on the 4chan board. Rubico’s e-mail address is rubico10@yahoo.com.

Here is a synopsis of what rubico said he did. He used Wikipedia to find information about Palin. He then used Yahoo’s password recovery features to trick Yahoo into providing him with Palin’s password. Rubico then proceeded to read each of Palin’s e-mails. However he did not find any incriminating evidence. There were just personal things like family pictures in there. He decided to post the password to 4chan as a prank. He was unhappy that somebody who disagreed with he work went in and changed the password of Palin account.

There were a number of interesting issues surrounding Palin’s account being compromised. One is that Palin uses a free e-mail service like Yahoo. The other is that it is easy to take advantage of the Yahoo password recovery system. Finally, there was a lot of misinformation about the story in the mass media. That is typical I guess.

Comcast Limits

Some time ago, I read an article that stated Comcast would cap downloads at 250 Gigabytes a month. You would get a call from Comcast if you exceeded that amount. They are planning to add an extra fee if you go over this amount. The fee will be something like an extra $10 for every 10G you go over 250G per month.

Comcast’s spin on this new charge is that it will help ensure that everybody gets good performance. That is typical management speak. It means that they can give everyone good performance, but somebody other than Comcast has to pay. It almost seems like we are going back to a per-use charge. However they are leaving out the part where you get to pay less if you use less bandwidth. Companies are tricky like that to maximize their profit.

To tell you the truth, I have no clue how many Gigabytes I download on a monthly basis. Comcast says the medium amount for their users is less than 3G per month. I have not received any calls from Comcast recently. Maybe that means all is well. However I would still like to pay a lesser monthly charge if I only download 1G a month, and somebody else downloads 200G in the same time frame. You either charge us a flat fee, or you give me a discount. You can’t have it both ways.

I know I do watch videos on the Internet all the time. However these are usually short videos from YouTube. Someone calculated that 250G a month download is equivalent to downloading 4 high definition movies a day. Yeah I fall way under that limit. Comcast better give me a better Internet plan if they are going to charge the heavy users some more money.

This is post is not directed solely to Comcast. Other cable companies like Cox and Time Warner cap the monthly download at lesser rates. They too should either charge all users a flat fee, or give rebates to those of us who do not use up a lot of bandwidth. What do I have to do to be given a fair deal in broadband access? Call the FCC?

SSH Passwords

I read the abstract for an Association of Computing Machinery (ACM) paper entitled “Timing Analysis of Keystroke and Timing Attacks on SSH”. The paper was written by Dawn Xiaodong Song and others. Unfortunately you have to be a member of ACM to read the body of the paper. I am looking into getting my company to pay for my membership. However I thought it would be fun to go over the abstract and think about what these researchers did to break SSH.

The key finding of this paper is that you can determine the approximate size of the original data sent over SSH. This is furthered by the fact that SSH sends every keystroke immediately to the server. Thus you can find out thing like how fast somebody is typing. You can also employ some statistics to figure out how long a person’s password is. The authors are not claiming they can decode the password. But given the length, they can severely cut down the number of guesses a brute force attack needs to do.

In case you do not already know, SSH stands for secure shell. It provides a mechanism to exchange data over a secure channel. SSH is used to remotely log into UNIX accounts. It replaces older telnet technology, which passed passwords as plain text over the network. SSH instead uses public key cryptography. Initially, SSH was vulnerable to man in the middle attacks. That alone is worth a separate discussion. However SSH was updated a long time ago to plug this gap. SSH uses both encryption and compression. So you would think that you could not easily determine the exact length of your password. However you can probably determine a good guess using a little statistics like the abstract says.

I will share some more information if I get a subscription to the ACM. Until then I will be trying to think how the researchers took apart SSH.

Chrome First Impressions

I had some trouble accessing the CarMax web site this weekend. I thought maybe there was something wrong with my Internet Explorer browser. This was the perfect opportunity to install and try out the Google Chrome browser. During install, Chrome displayed an options screen. However the screen just froze. Nothing seemed to be happened. All I could do was move the screen. Underneath the window, I found another window that said the Chrome install was complete. That was very strange. This cannot be the correct behavior.

Nevertheless, it looked like Chrome installed on my computer. I chose to import my Internet Explorer bookmarks. Unfortunately Chrome reordered my bookmarks in alphabetical order. I did not like this. So I tried to manually reorder the bookmarks. Chrome did not want to let me do that. I guess I had to live with the order that Chrome chose.

The good news is that Gmail feels a little faster in the Chrome browser. Netflix also feels a little faster. But I have lost the ability to drag and drop movies in my Netflix queue. This must be some web features that Chrome does not support yet. Playing videos seemed to work at about the same speed in Chrome as in Internet Explorer.

I understand that Chrome runs different tabs in different Windows processes to assist with crash protection. That sounds like a good idea on the surface. But I went to one web site on a single tab. I spied on Chrome user Windows task manager. I found three separate Chrome executables running. That did not feel right. I also found that a GoogleUpdate process running even when I have not launched the Chrome browser.

The main goal I had with Chrome was to see if it could help me view the CarMax web site. It was not the cure for this problem. That web site must have been physically down this weekend. So Chrome did not work much better than Internet Explorer for me at all. In fact, I was annoyed with some of the Chrome executables running at what seemed strange times and multiple instances. I don’t want my computer being slowed down by secret Chrome processes. Therefore I uninstalled Chrome for now. It is still in Beta mode. Maybe I will try it again later.

Master Boot Record

I read an interesting article entitled “Writing Boot Sector Code” by Susam Pal. He has a whole set of articles that describe what happens when a computer boots up. The article I read concentrated on how to write boot sector software which automatically gets executed when a PC boots up. This can allow you to take over a computer from the start.

Susam said that PCs start executing code at location 0xFFFF0 at start up. This is a memory location in the BIOS ROM. The boot sector is the first sector of data storage. The first byte of this sector is actually executable code. Deeper into the sector is information on the disk itself, such as the partition information. Susam recommended you first verify your code before putting it into the boot sector. You can do this safely by running an emulator such as DOSEMU or DOSBox.

I found this topic so interesting that I did some more research on the boot sector and how a PC starts up. I consulted sources such as Wikipedia, About.com, Microsoft, PC Guide, and Ars Technica. Here I will share some of my findings. This is a ripe topic for much further research. The great thing is that you only need a PC to start tinkering with it.

The boot sector is for booting programs. Usually you will boot an operating system. The BIOS first selects a device (such as a hard disk) for booting. It then copies the first sector on the disk to memory location 0x7C00. Viruses sometimes replace this code with malware for evil purposes.

All disks are divided into sectors. The very first one is the boot sector. The first section contains the Master Boot Record (MBR). The MBR has information about the partitions on the disk. The MBR has code which loads file “io.sys” for MS DOS. Windows XP has a built in recovery console. One utility in the recovery console is Fixboot, which can correct partition problems on the boot sector.

Know that we are talking about machines with the 80x86 architecture here. PCs first conduct a power on self test (POST). Then they figure out which device to boot from. Sector one is loaded from disk to memory. The PC then begins executing instructions at that location. Normally the first 3 bytes of the boot sector do a jump to another memory location. That is because the next 8 bytes are data and not code in the boot sector.

The Master Boot Record used to be a target of malicious code in the old days. Antivirus software now detects and prevents this. Windows Vista has built-in safeguards to prevent malware from messing with the MBR. However some companies that track viruses say that MBR attacks are on the rise.