Follow by Email

Saturday, June 30, 2012

Hackers, Part 4: Flame

Remember World War II? Well I don't, because I wasn't alive then! But seriously there is a story or two from WWII that caught my attention a few years ago. In particular, the story of Bletchley Park, of the Enigma cipher and of the mathematicians that broke the code. This heroic story was repeated in several places simultaneously, like the Hawaii-based group that helped break the Japanese Naval cipher JN-25, resulting in a decisive victory at the Battle of Midway. And they were in turn aided by Dutch and British groups.

It was the code breakers at Bletchley Park that pioneered progress in computers, with Claude Shannon and Alan Turing. Often only a nation-state has vast resources and is willing to do the research and gather the best people to make that progress. A similar thing happened at Los Alamos with the Manhattan Project, only on a much larger scale, and in a different field.

With hacking, a similar thing happens. Though individual hackers are very resourceful, the majority of their capabilities builds on the shoulders of others. The zero-day exploits are available on the web. The tools for hacking are available on warez sites. Capture one virus and disassemble it, then modify it. No, individuals rarely are the sharp point on the spear of progress in the really hard problems. They may make discoveries, but not usually the breakthroughs. It has been the nation-state that usually makes that progress and funds the research. The US has a very secret organization based in Fort Meade, Maryland that does this research in signals gathering and code breaking, called the NSA. While long ago this used to jokingly called No Such Agency, today it is simply known as the National Security Agency.

An Impressive Attack

With the Flame virus, the successor to the Stuxnet virus, a very interesting thing happened. The virus posed as a Windows update to be installed, and contained a rogue Microsoft certificate authority. To create this, the virus' creators had to mount a successful attack on the venerable MD5 hash algorithm. This attack allowed them to generate a collision, a file that generates the same hash code as the original plain text.

Such an attack is somewhat time-consuming, and depends upon generating a prefix (called a chosen prefix) that two files have in common. Then the rest of the two files (their suffixes) are adjusted so that they generate the same hash code. This is only part of the attack. Then it becomes clear that, to forge a certificate authority, it is necessary to guess the prefix of the certificate (which Microsoft has probably made it easy to do by generating them in sequential order) and then it is just a matter of having the right amount of computer time to perform a suffix search.

This could be months of computer time, or years, depending on how sophisticated the suffix-generation algorithm is.

This sounds like a world-class attack, not really possible without the resources of a nation state. In the case of Flame, this nation state is the United States. And thus it is highly likely that the NSA has something to do with Flame.

When I heard this, actually I was thinking way to go US. Why? Because I was tired of hearing of all the cyberwar attacks from China and Russia. I was tired of thinking that we were way behind in the US. It looks like both Stuxnet and Flame were the joint product of the US and Israel. If we are on the attack, then we are also on the defensive and that's a good thing.

But there is an inherent danger in the technology of Stuxnet and Flame: it becomes public.

One of the main techniques of the individual hacker, as I mentioned before, is the modification of an existing virus to create a new one. This has already been done with Stuxnet, and soon with Flame. This will cause a serious acceleration of hackers' capabilities. Even in other nation-states.

In particular, it is possible that MD5 is now completely insecure, which will be a real problem for business.

Of course, the other possibility was that Microsoft actually helped the agency responsible for this hack. And actually, I think it may be even more likely that this is true than it might possibly be true that a serious breach of MD5 has occurred. Hmm.

Which one it is remains to be seen.

And you thought that was the interesting part? Well, there are plenty of interesting parts to the Flame virus. In particular, its goals.

Goals

This Flame virus (also known as Skywiper) is intended to infect machines in Iran and gather intelligence. Which it does by hijacking Windows 7 server. And it did this by forging the authority certificate so it could masquerade as a certified Microsoft update to Windows 7 server. Flame has been in the wild since October 2010.

How It Functions

This impressive virus, contained in an executable called Flamer.A commandeers machines on the network and installs various modules for intelligence gathering. They are organized into at least 39 modules, many of them written in LUA. Another incredible analysis of Flamer.A. The known and understood modules are listed below. It makes interesting reading for any student of computer security.

Autorun_infector

This creates the autorun.inf file. This spoofs sutorun.ini, which causes an insertable medium to automatically run. This is commonly used in installers to make it totally automatic.

Beetlejuice

This component uses a bluetooth card, if one exists, in the infected machine to discover any bluetooth devices like phones and other gadgets. Turns the computer into a discoverable bluetooth device so other devices will interact with it.

Boost

Compiles a list of files that appear to be of interest to Flame's creators. This module leaks whole files, like CAD (.dwg) and pictures (.jpg).

Boot_DLL_loader

This is a configuration module, and it contains the list of modules that can be run on this particular infected computer.

Flask

This module extracts local information from the computer that profiles it and its user. Stuff like the names and serial numbers of the volumes, the name of the computer, a list of applications installed, open TCP/IP connections, DNS servers used, files and history from Internet Explorer, contact lists, and even whether the user has a mobile phone. The data is assembled and encrypted using RC4 and also an additional base64 algorithm of unspecified nature. The product data is sent over HTTP in a compressed form.

Jimmy

Looks for documents with extensions like .doc, .docx, .xls, .ppt, etc. and assembles and encrypts them for delivery.

Euphoria

This creates a special desktop.ini and target.lnk file, useful as a clever way of launching Flame automatically when the machine starts up.

Frog

This component actively infects computers within the local network. It uses backdoor accounts named "HelpAssistant", created by Limbo.

Gadget

This component is the one that acts like a legal Windows update server.

Gator

This component connects with the command and control server. In other words, it reports back to its masters. It sends all the collected data back. The data is stored in a database named StorageProducts. The product is the leaked data, of course. In Flame's sophisticated approach, data is graded by desirability. Documents (collected by Jimmy) have highest desirability, CAD drawing files are in the middle, and JPEG files (collected by Boost) are at the bottom. If the database gets filled with leaked pictures, they will get thrown out and replaced by more valuable documents.

In restricted networks, a clever technique is used. When the virus spreads, a message is kept which indicates which computers can connect with the command and control server. The data transmission then happens via USB sticks, which get infected by the Euphoria component. When a computer sees a USB thumb drive, and it can connect with the command and control server, then it reads and sends the data collected on the restricted network computer.

All server communication is done in encrypted form so it can't be detected easily.

In an amazing twist, this module can also download new modules from the command and control server, which keeps the virus current, particularly when new threats are noticed or when bugs have been found and fixed.

Headache

This module contains a configuration that customizes the particular personality of the attack against the infected computer and its network.

Infectmedia

This component decides which is the best method for infecting media, such as USB thumb drives, with Flame for the purposes of propagation. This includes the possibility of using the Autorun mechanism, or the Euphoria mechanism. Also, the stolen data (the contents of a StorageProducts database) that is stored on the USB drive is in a file called dot ("."). This particular name looks like the current directory to Windows and this simple trick ensures that it can't be opened or displayed!

Limbo

This creates new accounts in the other machines in the network with the innocuous name "HelpAssistant" if possible and if the right privileges are available to the module. These become backdoors.

Microbe

This component records audio from built-in microphones. It examines all the multimedia devices and selects the appropriate recording device.

Munch

This component provides the binary certificate of a Windows server. An HTTP server which responds to /view.php and /wpad.dat (Web Proxy Autodiscovery) requests. So this basically helps to fool the DNS search for a Windows update server.

Rear Window

This is a spying component.

Many spying capabilities have been detected in Flame. For example, it installed keystroke recording malware, took pictures with the computers' webcams, accessed machines' microphones to intercept Skype conversations, make screen captures, and it even used Bluetooth to access local cellphones and extract contacts!

Security

This module detects processes and programs that might be harmful to Flame. This is used to pause Flame when the processes are around, to avoid detection of things like a wholesale directory search.

Snack

This module pays close attention to the network traffic. It logs NetBIOS Name Service (NBNS) packets, which helps the virus to determine which computers can be spread to. Sometimes this module only runs when Munch is run.

Spotter

This contains all the scanning modules. Network scanning, file system scanning, multimedia device scanning, etc.

Suicide

This component removes the virus from the infected computer when the command and control server gives the word. Flame maintains a stealthy profile by cleaning up after itself.

Telemetry

This is the keystroke logging component.

Transport

This contains all the ability to replicate the virus. Copying the files, packaging them into an auto-installing file, etc. The ability to change filename and extension of each transported file is a clever part of this module.

Weasel

This module prepares a list of all the files on the infected computer. It is careful to pause whenever a process runs that might be looking for a suspicious search of the entire computer's file system, as determined by Security.

Tuesday, June 26, 2012

Winding River

Life is a winding river flowing through the events of our life and the river's course, its bends, and forks are like the decisions we make and also the ones we are compelled to make by external forces outside our control.

You see, metaphor is a very powerful method of depiction, indeed.

The presentation of symbols in illustration is a natural method, and it is used in more drawings than I can count. It has been used in paintings since the medium was invented. I suppose initial paintings were quite literal: pictures of animals that were hunted and the tribe and their weapons. But one iconic form appears: the outline of a human hand. This is the artist's signature and simple metaphor for "I painted this", usually done in berry juice. The hand is a symbol, a relic, of the artist himself or herself.


In a recent blog entry, Back to Drawing, I introduced a concept sketch of a banner which, laden with symbology, was a metaphor for a singular event. In this post, I present two more banners that also further the concept of metaphor in illustration.


Here is the first banner, the winding river. In the sky are the Pleiades, also known as the seven sisters (although eight are shown: what do you make of that?).

I have used a digital woodcut technique for this banner, as it is my style of late, and I also employed a technique of colored chiaroscuro for suggesting distance.

The river cuts deep channels through the rock, suggesting that, downstream, greater and greater effects are made as the river gains volume from the tributaries and momentum from its rush from the mountains. In this way our works gain momentum and have greater and greater effects through the course of our lives.

My symbolic suggestion is that the stars have some influence on the path of the river, and thus of life. The seven sisters are known for their ability to impart divine knowledge and wisdom. The wisdom that governs our works.

A river's flow is known and set, and rarely changes over the course of a hundred years. The lay of the land it flows through will determine its course, like the situation our lives occur in and also the examples set for us which can influence our own acts in life.

But sometimes a river meets a point where the terrain shifts suddenly, and the course is altered in an abrupt free fall. This is the subject of the second banner.

Ah, the waterfall. When something comes down as a result of the force of gravity, it always reminds me of an avalanche. Because I have survived one.

This notion of a river rushing and going over the edge is a powerful one. I have shown the waterfall with the steps leading up to it: a dangerous and tenuous set of stairs leading to the top. At the top, are railings so you can see the rushing river as it plunges.

It reminds me of Vernal falls in Yosemite. I have been to the top and I have seen the rushing river. The rock slopes to the river are a channel cut deep, with slopes that make them quite dangerous. Since the rock is wet, they can be slippery and people have been known to circumvent the railing so they could be photographed in a dangerous position, and then subsequently fall into the rushing river where they were simply and hopelessly carried over the edge to fall over 300 feet to their inevitable death.

The waterfall is the symbol of life out of control. Events which you cannot control force your life into a specific direction. The path seems implacable, cut deeply into rock. The forces that drag you along are unstoppable.

I have placed the moon in the dark sky to light the scene.

Using the digital woodcut technique, I employ lines of black against white or white against black. Then I sculpt them into channels that taper, by working from one end in white and the other end in black.

Here is a close-up of the first banner, done at a high resolution.

I find it interesting to create three-dimensional forms using this kind of shading. I then employ a gel layer to add the color. Usually its just a color-by-numbers kind of approach, using Digital Airbrush. But this time, I used Just Add Water to create a continuum of color in the river, and also in the hills in the foreground. It does resemble scratchboard-watercolor, a favorite look.

The gel layer allows me to rework the color without affecting the black-and-white shading layer, of course.

Actually one layer you don't see is the sketch layer that lays underneath. It contains the original sketch, which I shade over to create the image.

Here is the sketch for the Pleiades banner. My sketch is a rough indication of what I want, but I worked on a layer directly on top of the sketch to flesh out the banner.

As you can see, the river might have been drawn as a winding road, but I thought a river to be better because of the inevitable draw of gravity as the metaphorical force of destiny on our lives.

I added the small tributary (shown in the close-up above) as another allusion to the metaphor of decisions and their effect on the course of causality.

Someday, I might put a tassel onto the banner.

Oh, and I forgot my chop marks! ;-)

Sunday, June 17, 2012

Look Out Any Window

What you see depends upon where you are. But it also depends upon who you are. If you are here you will see day. If you are there, you will see night. Sometimes there is a sun, sometimes there is a moon. An ocean surrounds an island, but dry land surounds a lake.

But, hey, windows are a metaphor, right? And it is what our minds see that distinguishes us from other people. Some literal person might say that red is red no matter what and that is that. But I say that your point of view makes a huge difference.

And though the concept that red is red is strictly true within statistical perception parameters, it is also unbearably unimaginative.

This is why it is certainly good to look at the same old thing and yet have a totally new outlook. Something clicks!

Shapes are not shapes, but three-dimensional objects. Displacements in reality.

Shadows are holes in a light field.

The sky is a scattering of more blue light and the absorption of less red and green light. Oh, and I almost forgot: some air.

A hole is really a door in space through which you might reach.

Objects fall into two categories: the possible and the impossible. But all ideas are possible in our mind.

A vertex is a discontinuity in curvature. It can be the meeting of any number of faces, even one.

What happens when you cross a cube and a sphere? Is that like squaring the circle?

Though we can imagine an impossible figure, and people can make them, from one perspective, they still can't make it hook up. But our minds can.

What is magic about the pyramid's shape? It just seems like another five-sided solid. But wait, shapes are more than just shapes.

Is the inside of a solid conceptually similar to its outside? What about a torus?

Passing a polygon through a curve not lying in is plane creates a three-dimensional extrusion, like a prism. If you pass a solid through space, does it make a four-dimensional extrusion?

Dr. Seuss once said it best: if there are flashlights for when it's dark, are there flashdarks for when it's light?

Take three cylinders at right angles to each others and with centerlines passing through a single point and intersect them. What shape do you get?

I was once impressed by the Wankel engine and how a shape other than a circle still possessed a constant width when rotated. How many other kinds of shapes can do this?

If the magnetic field is uneven over the face of the earth, then what does that imply about the shape of the liquid iron core? If gravitation is uneven over the face of the earth, then what does that imply about the mass distribution internal to the earth?

What would gravitation on a torus-shaped (or a cube-shaped) world look like? And, by the way, what transmits gravity from point A to point B? Is gravity transported using the states of dark energy?


My point is that sometimes the technical and the fantastical face off and somewhere in the middle is a thing of beauty. And sometimes that thing can be a realization, a lightning bolt of discovery.

Mixing one field with another can result in the creation of something much more useful than something created for one field alone. And it all depends upon your point of view. Look out any window, but first look out through your mind's window.

Sunday, June 10, 2012

Back to Drawing

After a hiatus, I like to start drawing again to clear my mind. Usually it starts with pen on paper. And eventually it finishes with a tablet and stylus in Painter.

I have been on a big project with lots of details recently, and hence the lack of posts. I must apologize, but sometimes work does call!

And when drawing comes back, like when music comes back, there is a lightning bolt moment of realization, like I have been swimming in a deep sea and I finally washed up on dry land: that drawing is a golden touchstone of my existence and how could I ever live without it for so long? The end of dark days and the start of a golden age, a renaissance of expression.

There is something ineffable to this moment. So I have attempted to create a smart banner to show my inner joy. This is the first piece I did after joining the living again at the end of the long dark tunnel.

In this work, like so many others I have done recently, I am attempting to create clean lines. Lines in search of a woodcut or linoleum cut look. Lines sculpted and individually shaped. But still irregular and hand-made. I can't see the value of perfection in this kind of work, like someone used illustrator to create the design.

If I used Illustrator to do this, I would have to continually play with the result because it would look too regular. Perfection still has a hand-made look, to me.

The second piece I created in celebration of having time to solve the Rubik's cube again, which I find to be another touchstone of my inner self, is this one.

In this piece, each line is once again sculpted. Drawn and re-drawn. Tapered, carved from left and right.

I created this by setting up a clone and drawing using crude, fat lines wherever I saw an edge I wanted to keep. This produced a very dumb-looking drawing in black lines on a white page. being unsatisfied with the look, I began to sculpt the lines to create a look that simulates using a ductal carving implement in soft linoleum. It took hours and hours before I had a piece that was worthy of coloring. It was in black-and-white and actually made a pretty nice drawing in and of itself.

Then I colored the cube. But I switched around the colors, which were originally yellow on top, green to left, and orange to right.

To shade the hand, I created a layer of the original picture and set it to gel, pasted it on top of the image, and carved away all the other parts of the image using the eraser.

Then I processed the remaining image, with locked transparency, using Just Add Water to create a smooth shaded version of the image. Because it was a gel layer, it preserved the black lines underneath it. I think I lowered the opacity as well, to give it an ethereal look and also to favor the lines.

I also started using a chop mark, which also smacks of a woodcut. I imagined the woodblock coated with orange and red paint to give it more of a hand-work look.

The original piece is almost three thousand pixels high, by the way, since it comes from an iPhone 4S frame grab.

Siri, where did I put my tablet?