
Tuesday, January 10, 2017

On WikiLeaks Methods and Motivations

Recently, the WikiLeaks Task Force tweeted something quite inflammatory:

We are thinking of making an online database with all "verified" twitter accounts & their family/job/financial/housing relationships.

In other words, that it was determined to create and publish a database of personal interconnections between verified Twitter users. This database would include information about finances, family connections, cohabitation, jobs and so forth.

This statement has, at the very least, sparked outrage.

Let's look at this statement from two points of view: (1) that WikiLeaks made the statement, and (2) that someone else made the statement and wants us to think WikiLeaks said it.

(1) WikiLeaks made the statement

That, on the face of it, would be galling.

I ask you here, honestly: does everything have to be public?

I can understand Facebook and why they would want to collect their user graph. They protect their users' privacy (although that's far more nebulous, even given their periodic missives, famous missteps, and explanations of policy).

But let's look at the author of the tweet: WikiLeaks. This sounds more like a sinister plot to me. Let's address the main reason for this.

What's all this about WikiLeaks working with the Russians?

Though WikiLeaks may never have dealt directly with the Russian intelligence services, they certainly had to know that release of the data played right into the Russians' hands. It seems pretty clear, given the timing of the release of the Podesta emails, that WikiLeaks understands perfectly the consequences of their actions.

In fact, WikiLeaks' sensitive data releases almost always damage the west and leave Russia unscathed. A visit to the wlstorage.net torrent repository shows us specifically who they target. There are very few Russia-related information troves.

If they released a trove of data on the Russians, it seems clear to me that Assange and many others at WikiLeaks would find themselves sipping Polonium-210-laced tea like that ill-fated ex-KGB whistleblower Alexander Litvinenko. Bad press for the Kremlin (in his case, looking into the assassination of Russian journalist Anna Politkovskaya) is generally punished by death in Russia. Dig too deeply and you'll discover, much to your chagrin, that it's your own grave you have dug.

WikiLeaks denies they received the leaked emails from the Russians. The US claims they know the go-betweens that prove Putin ordered the operation.

Let's just say for a moment that WikiLeaks are enemies of the west. Then this is completely consistent with publishing a database of who is related to whom, what their jobs are, how much they make, and where they live. This process, called doxing, enables people and organizations with malicious intent to get handles on people they want to attack. If this were true, the database WikiLeaks apparently would want to publish is, in fact, an analog of the human flesh search engine.

This kind of data would be of immense use to the Russian intelligence services, such as the FSB. So it certainly seems plausible to me that WikiLeaks was behind the tweet. But what about the other possibility?

(2) Someone else made the statement and wants us to think WikiLeaks said it

Did they even say it? It was tweeted by the WikiLeaksTaskForce, the Official WikiLeaks support account. It is explicitly intended to "correct misinformation about WikiLeaks".

Very soon after the original tweet, which has since been deleted, WikiLeaks itself tweeted the following:

Media note: is the only official account of WikiLeaks. No other accounts are authorized to make statements on behalf.

So the narrative might be that some troll joined (or hacked into) WikiLeaksTaskForce and posted the tweet to spread false information.

It's not unlikely at all that someone would want to discredit WikiLeaks. After all, their business is to enable whistleblowers by providing foolproof ways to release sensitive information. So anyone who has been damaged (or may be damaged) certainly has the motivation to discredit WikiLeaks. This is a big list of people, like John Kerry, Hillary Clinton, and organizations, like Bank of America, the American Intelligence community, and so on.

To properly discredit WikiLeaks, they would have to plausibly possess the means to build the database in question. To assess that, we must first know exactly how WikiLeaks works.

How does WikiLeaks work?

Their primary modus operandi, I believe, must generally be given by the following steps:

  • accept large corpora of whistleblower information
  • put it onto an air-gapped network
  • strip it of all attribution, which entails editing it
  • separate it into bins of sensitivity
  • encrypt and encapsulate (using BitTorrent) the bins for transport
  • upload the information on wlstorage.net
  • get other sites to mirror the information
  • periodically release keys for the purpose of disseminating the information a bit at a time

They would use an air-gapped network to prevent anyone from hacking into them, which is definitely possible. They would want to isolate the sensitive data to completely control what is done with it and where it goes.

The stripping of all attribution information, including email headers and telltale references is done to protect their sources. This may involve redaction of information that can hurt innocent parties. But also look at this on the face of it: they are intimately acquainted with the forensics of data present in email headers.

They have admitted that they separate the data into bins of sensitivity so they can control the impact of the releases. After all, the idea that some information is more sensitive than others is a natural consequence of the information itself. But they might also want to keep the most inflammatory information as a deadman switch. Such information can be released if Assange is killed, for instance. This was demonstrated recently when, in October 2016, Ecuador cut off Julian Assange's Internet access. Soon thereafter, WikiLeaks tweeted hashes to various troves of information, aimed at John Kerry, Ecuador, and the UK FCO. So it's a virtual certainty that Assange has deadman switches.

Their favorite method of leak data storage is by encrypted, encapsulated databases, posted as a single file. This is so they can withhold the release of the data, processed using AES 256-bit encryption, until a later date, without withholding the data itself. Often, the files are hundreds of gigabytes in size, so they use BitTorrent as their transport. The file names often contain the word "insurance". This also corroborates the theory that the files constitute a deadman switch: if Assange or another key-holding WikiLeaks person is killed, then keys may be released by the others in retribution.

After the data is packaged, it is then uploaded to wlstorage.net, a storage site run by WikiLeaks that promotes mirroring. Unfortunately, from time to time, this data has included malware, which gets cleaned up, generally as soon as it is discovered.

Once there, any number of sites mirror the WikiLeaks databases. This includes CableDrum, and many other sites. This measure of redundancy prevents any single site from simply being destroyed to prevent the sensitive information from being released.

When WikiLeaks releases a trove of information, they simply need to release the AES 256-bit (64 hex digit) key. This allows anybody having access to any of the mirror sites to decrypt the information and begin the process of data mining it. Usually this means the press.

How does WikiLeaks' modus operandi make the tweet more plausible, specifically?

First, because WikiLeaks is known to accept large corpora of hacked data, who says they haven't been able to get ahold of the verified Twitter database? If it's not plausible, then this tweet is a call to arms for the many hackers out there who need the cred that would stem from such a successful attack.

Second, because WikiLeaks is adept at stripping attribution information from email, metadata from photographs, wrappers from tweets, and other media, they are the perfect institution to be able to make use of that attribution information, symmetrically, to work against the "system".

Third, knowledge of encryption and the limits of its usefulness means they must also be knowledgeable about decrypting and cracking such information. They have a milieu of hackers that they are in regular contact with, certainly. They are trusted by hackers because it is WikiLeaks' specific mission to protect them. They need to know what can and can't be cracked so they can keep their publicly available information troves secret from the most capable intelligence agencies in the world.

How does the tweet discredit WikiLeaks, specifically?

The ghastly specter of Big Brother looms over the tweet, that some clandestine organization is gathering information on all of us. This makes WikiLeaks the new NSA, the new GCHQ. Which makes those two organizations the ones most likely to discredit Assange.

Do they really need discrediting?

Currently their leader Julian Assange has been holed up in the Ecuadorean Embassy in London for 4 years and 7 months. This is because he has been granted asylum by Ecuador. Assange suspects that he will be extradited to the US to face charges under the Espionage Act of 1917. This could net him 45 years in a supermax prison, and potentially the death penalty.

Assange is also wanted for "lesser degree rape" in Sweden, a charge that will not expire until 2020.

The NSA has labelled WikiLeaks as a "malicious foreign actor".

Sunday, September 25, 2016

Security Researcher Hit

While we were being distracted by the Yahoo half-billion-user data breach, within the last few days, Krebs On Security, a blog which I often reference here, was slammed with a distributed denial-of-service (DDoS) attack of gargantuan proportions, literally silencing the blog. This was after the venerable Brian Krebs published papers on the vDOS owners. vDOS is an attack-for-hire service hosted in Israel.

Hey, what a surprise, after Krebs, a well-known security blogger (and researcher) made the people behind the attack-for-hire service also well-known, he was himself targeted by the world's largest DDoS attack! These are rich teenagers - they earned more than $600,000 (well, in Bitcoin!) in two years. Apparently their service is in great demand.

How do we know this? Oh it figures - vDOS got hacked and their client base was fully extracted and published (this is known as being "doxed", a term which I sometimes use). And Krebs obtained the information in July. This, and the fact that the FBI took notice, is why those cyber-criminal-teenagers Itay Huri and Yarden Bidani (known as AppleJ4ck) were arrested in Israel.

It's possible that these teenagers, after being arrested in Israel, were simply drafted into the Israeli Defense Forces (IDF), because they are both 18 years old (my speculation). Now they can't use the internet for 30 days.

Wow! I was sure it was just going to be a slap on the hand for these two.

Seriously, I hope they can be extradited to the US for prosecution.

The curious thing is that the documents Krebs found indicated that vDOS was literally responsible for the majority of the DDoS attacks on the web, and that the number of packets and data sent might indeed have been Internet-crippling. Apparently DDoS attackers are now taking over personal home routers and using them to accomplish their attacks, which can result in a MUCH larger number of packets being sent because literally anybody can be sending them.

When a security blog gets hit and you are temporarily in the dark about a current threat, you will need to refer to some other security blogs. Here is a decent list.

If you get hacked, you can find out if your data was included in a recent massive breach at haveibeenpwned.com.

If you have more serious concerns, there is a company, terbiumlabs.com, that can persistently search the dark web for your personal info. The info you enter is encrypted on the client side (on your computer) so even they don't know what you are searching for. This is particularly useful for corporate customers, when they're breached, and also for companies monitoring their information security (infoSec).

Monday, August 15, 2016

Data Compromise: The Next Chapter

Updated: The Equation Group hack has been verified.

It seems the Oracle MICROS malware insertion hack went a bit deeper and had a suspicious purpose. Several hotels in the US, run by HEI hotels and resorts, that run the MICROS points-of-sale and hospitality software, have been breached. This means the credit card info for lots of people has been compromised. The list of dates affected by the breach indicates that the MICROS hack went in as early as March, 2015!

It is curious that the Westin City Center in Washington D.C. was included in the list, and was compromised for more than 9 months following September, 2015. This amounts to total operational awareness for whoever is running the breach. Let's admit it: if you wanted to know what is happening in US politics, what better way than to own the comings and goings in Washington D.C.? I suspect FSB, the entity that has replaced the infamous Russian KGB.

I doubt we have seen a complete list of breaches with MICROS. If you are an IT person, visit Krebs on Security for a good list of IOCs (indicators of compromise). If you use MICROS, then change your passwords immediately.

Recently we saw the DCCC hack and the dox'ing of a huge amount of congress, on Guccifer 2.0's site.

This, once again, speaks of a state actor attempting to disrupt American politics.

But there are still a few hacks that can't be assigned easily to state actors. The recent data breach of Sage software, based in the UK, used for accounts and payroll processing, indicates that hackers are still largely following the money.

My sense is that data compromise is perpetrated on an agenda rather than simply because "people have the right to know", the tired axiom used by the media to depict crusading whistleblowers.

More often than not we are seeing criminals looking for ways to pry money out of rich people. Or directly from banking systems. But that might simply be a cover for state actors, who are building a database much deeper than Google's. And for much darker purposes.

And Now For Something Completely Disastrous

In today's news is another story that strongly correlates to the awful scenario in which the NSA's reputed-to-exist Equation Group has been hacked. This group is responsible for Stuxnet, Duqu, Gauss, and other famous modular virus architectures used to hack, among other victims, the Iranian uranium centrifuges.

This story is developing as I write, but an analysis of the example data provided by the hackers, the Shadow Brokers, by Matt Suiche appears to confirm the hack. Just read that source to see how desperate the situation is.

Here is an example of a state actor being hacked. My fears for the Gauss modular virus architecture used to be that it would get reverse engineered and modified by less scrupulous hackers. Now my fears are that essentially every hacker will possess this toolkit. Some eastern European hacking consortium will productize it, make it easy to use, and disseminate it for bitcoins. It's a virtual Pandora's Box.

Update: The Equation Group hack appears to heavily utilize RC5 and RC6 encryption. Comparison of the code by Kaspersky's GReAT team shows it matches the Equation Group's signature. It's all wrapped up in the magical P and Q constants used by Rivest's RC5/6.

Tuesday, August 9, 2016

Big Time Infosec Issue!

Updated: five more point-of-sale systems breached. More info on how long the breach existed. And yet more info on where the compromises might have hit you. More identity information for Carbanak.

Did you ever get a message in an email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, daring fireball, for that link).

Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.

One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.

Update: five more systems are reported by Forbes to be hacked, possibly by the same Russian cybercrime gang. These are UK-based Cin7, ECRS, Bankcard Services' Navy Zebra, PAR Technology, and Uniwell.

What Happened?

According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.

The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.

Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.

Who Did It?

This is a very sophisticated hack. This was no script kiddie.

Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.

It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm, that builds the LioN anti-virus application. A Trojan horse?

It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.

Supposedly Russia arrested 50 alleged members of the Carbanak cybercrime gang on June 1, 2016. Kaspersky Lab helped to identify the hackers charged, but Tverinov wasn't among them.

It also seems that Carbanak was using a C&C server that is tied to the FSB (the successor of the KGB). This according to Security Affairs.

Update: Carbanak is sometimes also known as Anunak.

Where Was I Most Likely Compromised?

This would have occurred at a chain restaurant, or perhaps a modern restaurant that is taking advantage of modern technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?

You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.

Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.

The Big Android Hack

Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) of Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.

On another note, the Blackberry DTEK 50, "the most secure smartphone in the world" utilizes a Qualcomm 8992 Snapdragon 808 Hexa-Core, 64 bit with Adreno 418, 600MHz GPU. And so it is also vulnerable to four of the flaws.



Sunday, July 24, 2016

State Actors Up The Ante?

One of the fastest changing landscapes on the planet isn't even a tangible one. It's more of a concept: security. Before we go on, for dear readers confused by modern hacker security terms, check out Kaspersky.

I'm a proponent of good encryption. The reason is simple: everybody needs security. You need to keep your banking passwords secure. You don't want malicious actors (trolls) taking over your Facebook account and somehow ruining your life.

You especially don't want anyone to rootkit your computers! Once that's done, they can steal your identity, install malware for collecting passwords and account names, and so forth. Now go to the next level: your computer might then be used as part of a DDoS attack against Homeland Security. Your computer could wind up as the storage location for the malicious actors' illegal data ... without your knowledge. You become their fall guy.

Yes, there are plenty of good reasons for all of us to keep our passwords safe and distinct.

But encryption is not all black and white, is it? And that's the rub. Enter the relativistic observer, to tell you some of the latest. Things are changing too fast to blink, after all.

It's long been known that people outside the law use the Dark Web to organize, proliferate, distribute, and communicate. And the Dark Web is run using the Tor network. Tor, short for The Onion Router, is a volunteer network of servers running special protocols that relay your browsing history and other data through virtual tunnels.

To be fair, the Tor project has lofty goals. And gets used by "family & friends, businesses, activists, media, and military & Law Enforcement", according to their web site. The US Navy uses Tor for open source intelligence gathering, for instance. The EFF suggests using Tor for maintaining secure correspondence and keeping our civil liberties intact.

For people operating outside the law, the Tor network also maintains their OpSec. The Dark Net is called this because the communication within it has "gone dark". Surveillance doesn't work there.

The Tor network and the Dark Web must be a real pain to law enforcement. Given enough desperation, it might be something they would seek to infiltrate.

So what law enforcement would do is this: create their own honeypot counterfeit Tor server (or relay). But put in their own undetectable flavor of malware. Then they can watch the criminal's Dark Net traffic. And watch the crime happening. Collect the privileged conversations.

These really exist, as doctored Tor relays. There are over 100 malicious relays that have been detected. And who could they be? My guess is state actors like the US, China and Russia. If not them, then who? The criminals themselves? This is a game of spy vs. spy, updated for the 21st century. Could the FBI be doing this? Their arrest of child pornography criminals in January 2016 was supposedly accomplished by cracking Tor.

There is a question as to how invasive such investigations should be allowed to be. I'm not saying that the FBI shouldn't go after child pornographers; they totally should. I just think that *everybody* is too broad a target for law enforcement. Privacy is a basic human right.

Wednesday, June 26, 2013

Weaponized Computation

Ever since the early 20th century when primitive analog computers were built to help compute solutions for naval gunnery fire control and increasing bomb accuracy, computing machinery has been used for weaponry. This trend continues to accelerate into the 21st century and has become an international competition.

Once upon a time

I had an early gift for mathematics and understanding three-dimensional form. When I was 16 or so, I helped my dad understand and then solve specific problems in spherical trigonometry. It eventually became clear to me that I was helping him verify circuitry specifically designed for suborbital mechanics: inertial guidance around the earth. Later I found out in those years he was working on the Poseidon SLBM for Lockheed, so, without completely understanding it, I was actually working on weaponized computation.

This is the period of my life where I learned about the geoid: the specific shape of the earth, largely an oblate ellipsoid. The exact shape depends upon gravitation, and thus mass concentrations (mascons). Lately the gravitational envelope of the moon caused by mascons has been an issue for the Lunar Orbiters.

At that point in history, rocket science was quite detailed and contained several specialized areas of knowledge. Many of which were helped by increasingly complex calculations. But there have been other fields that couldn't have advanced, where specific problems couldn't be solved, without the advances in computation. Ironically, some basic advances in computation we enjoy today owe these problems for their very existence. Consider this amazing article that details the first 25 years or so of the supercomputing initiatives at Lawrence Livermore National Laboratory.

Bombs

Throughout our computing history, computation has been harnessed to aid our defense by helping us create ever more powerful weapons. During the Manhattan Project at Los Alamos, Stanley Frankel and Eldred Nelson organized the T5 hand-computing group, a calculator farm populated with Marchant, Friden, and Monroe calculators and the wives of the physicists entering data on them. This group was arranged into an array to provide one of the first parallel computation designs, using Frankel's elegant breakdown of the computation into simpler, more robust calculations. Richard Feynman, a future Nobel prize winner, actually learned to fix the mechanical calculators so the computation could go on unabated by the huge time sink of having to send them back to the factory for repair.

I was fortunate enough to be able to talk with Feynman when I was at Caltech, and we discussed group T-5, quantum theory, and how my old friend Derrick Lehmer was blacklisted for having a Russian wife. He told me that Stanley Frankel was also blacklisted. Also, I found 20-digit Friden calculators particularly useful for my computational purposes when I was a junior in High School.

The hunger for computation continued when Edward Teller began his work on the Super, a bomb organized around thermonuclear fusion. This led John von Neumann, when he became aware of the ENIAC project, to suggest that the complex computations required to properly understand thermonuclear fusion could be carried out on one of the world's first electronic computers.

Codebreaking

In the history of warfare, codebreaking has proven itself to be of primary strategic importance. It turns out that this problem is perfectly suited to solution using computers.

One of the most important first steps in this area was taken at Bletchley Park in Britain during World War II. There, in 1939, Alan Turing constructed the Bombe. This was an early electromechanical computer and it was specifically designed to break the cipher and daily settings used in the German Enigma machine.

This effort required huge amounts of work and resulted in the discovery of several key strategic bits of information that turned the tide of the war against the Nazis.

The mathematical analysis of codes and encoded information is actually the science of decryption. The work on this is never-ending. At the National Security Agency's Multiprogram Research Facility in Oak Ridge, Tennessee, hundreds of scientists and mathematicians work to construct faster and faster computers for cryptanalytic analysis. And of course there are other special projects.

That seems like it would be an interesting place to work. Except there's no sign on the door. Well, this is to be expected since security is literally their middle name!

And the NSA's passion for modeling people has recently been highlighted by Edward Snowden's leaks of a slide set concerning the NSA's metadata-collecting priorities. And those slides could look so much better!

Passwords

In the modern day, hackers have become a huge problem for national and corporate security. This is partly because, recently, many advances in password cracking have occurred.

The first and most important advance was when RockYou.com was hacked with an SQL injection attack and 32 million (14.3 million unique) passwords were posted online. With a corpus like this, password crackers suddenly were able to substantially hone their playbooks to target the keyspaces that contain the most likely passwords.

A keyspace can be something like "a series of up to 8 digits" or "a word of up to seven characters in length followed by some digits" or even "a capitalized word from the dictionary with stylish letter substitutions". It was surprising how many of the RockYou password list could be compressed into keyspaces that restricted the search space considerably. And that made it possible to crack passwords much faster.

Popular fads like the stylish substitution of "i" by "1" or "e" by "3" were revealed to be exceptionally common.

Another advance in password cracking comes because passwords are usually not sent in plaintext form. Instead, a hashing function is used to obfuscate them. Perhaps they are only stored in hashed form. So, in 1980 a clever computer security professor named Martin Hellman published a technique that vastly sped up the process of password cracking. All you need to do is keep a table of the hash codes around for a keyspace. Then, when you get the hash code, you just look it up in the table.

But the advent of super-fast computers means that it is possible to compute billions of cryptographic hashes per second, allowing the password cracker to iterate through an entire keyspace in minutes to hours.

This is enabled by the original design of the hashing functions, like SHA, DES, and MD5, all commonly used hashing functions. They were all designed to be exceptionally efficient (and therefore quick) to compute.

So password crackers have written GPU-enabled parallel computation of the hashing functions. These run on exceptionally fast GPUs like the AMD Radeon series and the nVidia Tesla series.

To combat these, companies have started sending their passwords through thousands of iterations of the hashing function, which dramatically increases the time required to crack passwords. But really this only means that more computation is required to crack them.
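An added example, not part of the original post, that puts numbers on the keyspace and iteration points above and shows salted, iterated storage from the defender's side. The attacker rate of one billion guesses per second, the "one or two digits" suffix, the choice of PBKDF2-HMAC-SHA256, and all function names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed attacker speed against a single fast hash ("billions per second").
FAST_HASHES_PER_SECOND = 1_000_000_000  # illustrative assumption


def keyspace_up_to(alphabet_size, max_len):
    """Count every string of length 1..max_len over the given alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def word_then_digits(max_word_len, max_digits):
    """Lowercase word of 1..max_word_len letters followed by 1..max_digits digits."""
    return keyspace_up_to(26, max_word_len) * keyspace_up_to(10, max_digits)


def seconds_to_exhaust(keyspace, iterations=1, rate=FAST_HASHES_PER_SECOND):
    """Worst-case time to try the whole keyspace against ONE stored hash.

    Each guess costs `iterations` hash evaluations, so stretching scales the
    attacker's work linearly; it does not make a small keyspace large.
    """
    return keyspace * iterations / rate


def unsalted_digest(password):
    """Fast, unsalted hash: equal passwords give equal digests, so a
    precomputed table for a keyspace works against every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=200_000, salt=None):
    """Return (salt, iterations, key) using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared tables
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def report(iterations=200_000):
    """Rows of (keyspace name, size, seconds unstretched, seconds stretched)."""
    spaces = [
        ("up to 8 digits", keyspace_up_to(10, 8)),
        ("word <= 7 letters + 1-2 digits", word_then_digits(7, 2)),
    ]
    return [
        (name, size, seconds_to_exhaust(size), seconds_to_exhaust(size, iterations))
        for name, size in spaces
    ]


if __name__ == "__main__":
    for name, size, fast, slow in report():
        print(f"{name:32} {size:>16,} guesses  "
              f"fast hash: {fast:>10.2f} s   stretched: {slow / 86400:>10.2f} days")

    # Constructed sample password, stored twice: the salts differ, so the
    # stored keys differ even though the password is the same.
    a = hash_password("p4ssw0rd1", iterations=10_000)
    b = hash_password("p4ssw0rd1", iterations=10_000)
    print("same password, same stored key?", a[2] == b[2])
    print("verifies:", verify_password("p4ssw0rd1", a))
```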

The Internet

Many attacks on internet infrastructure and on targeted sites depend upon massively parallel capabilities. In particular, hackers often use Distributed Denial of Service (DDoS) attacks to bring down perceived opponents. Hackers often use an array of thousands of computers, called a botnet, to access a web site simultaneously, overloading the site's capabilities.

Distributed computing is an emerging technology that depends directly on the Internet. Various problems can be split into clean pieces and solved by independent computation. These include peaceful projects such as the spatial analysis of the shape of proteins (folding@home), the search for direct gravitational wave emissions from spinning neutron stars (Einstein@home), the analysis of radio telescope data for extraterrestrial signals (SETI@home), and the search for ever larger Mersenne prime numbers (GIMPS).

But not only have hackers been using distributed computing for attacks, they have also been using the capability for password cracking. Distributed computing is well suited to cryptanalysis also.

Exascale weapons

Recently it has been discussed that high-performance computing has become a strategic weapon. This is not surprising at all given how much computing gets devoted to the task of password cracking. Now the speculation is, with China's Tianhe-2 supercomputer, that weaponized computing is poised to move up to the exascale. The Tianhe-2 supercomputer is capable of 33.86 petaflops, less than a factor of 30 from the exascale. Most believe that exascale computing will arrive around 2018.

High-performance computing (HPC) has continually been used for weapons research. A high percentage of the most powerful supercomputers over the past decade are to be found at Livermore, Los Alamos, and Oak Ridge.

Whereas HPC has traditionally been aimed at floating-point operations (where real numbers are modeled and used for the bulk of the computation) the focus of password cracking is integer operations. For this reason, GPUs are typically preferred because modern general-purpose GPUs are capable of integer operations and they are massively parallel. The AMD 7990, for instance, has 4096 shaders. A shader is a scalar arithmetic unit that can be programmed to perform a variety of integer or floating-point operations. Because a GPU comes on a single card, this represents an incredibly dense ability to compute. The AMD 7990 achieves 7.78 teraflops but uses 135W of power.

So it's not out of the question to amass a system with thousands of GPUs to achieve exascale computing capability.

I feel it is ironic that China has built their fastest computer using Intel Xeon Phi processors. With 6 cores in each, the Xeon Phi packs about 1.2 teraflops of compute power per chip! And it is a lower power product than other Xeon processors, at about 4.25 gigaflops/watt. The AMD Radeon 7990, on the other hand, has been measured at 20.75 gigaflops/watt. This is because shaders are much scaled down from a full CPU.

What is the purpose?

Taking a step back, I think a few questions should be asked about computation in general. What should computation be used for? Why does it exist? Why did we invent it?

If you stand back and think about it, computation has only one purpose. This is to extend human capabilities; it allows us to do things we could not do before. It stands right next to other machines and artifices of mankind. Cars were developed to provide personal transportation, to allow us to go places quicker than we could go using our own two feet. Looms were invented so we could make cloth much faster and more efficiently than using a hand process, like knitting. Telescopes were invented so we could see farther than we could with our own two eyes.

Similarly, computation exists so we can extend the capabilities of our own brains. Working out a problem with pencil and paper can only go so far. When the problems get large, then we need help. We needed help when it came to cracking the Enigma cipher. We needed help when it came to computing the cross-section of Uranium. Computation was instantly weaponized as a product of necessity and the requirements of survival. But defense somehow crossed over into offensive capabilities.

With the Enigma, we were behind and trying to catch up. With the A-bomb, we were trying to get there before they did. Do our motivations always have to be about survival?

And where is it leading?

It's good that computation has come out from under the veil of weapons research. But the ramifications for society are huge. Since the mobile revolution, we solve problems that can occur to any of us in real life, and build an app for it. So computation continues to extend our capabilities in a way that fulfills some need. Computation has become commonplace and workaday.

When I see a kid learn to multiply by memorizing a table of products, I begin to wonder whether these capabilities are really needed, given the ubiquity of computation we can hold in our hands. Many things taught in school seem useless, like cursive writing. Why memorize historical dates when we can just look it up in Wikipedia? It's better to learn why something happened than when.

More and more, I feel that we should be teaching kids how to access and understand the knowledge that is always at their fingertips. And when so much of their lives is spent looking at an iPad, I feel that kids should be taught social interaction and be given more time to play, exercising their bodies.

It is because knowledge is so easy to access that teaching priorities must change. There should be more emphasis on the understanding of basic concepts and less emphasis on memorization. In the future, much of our memories and histories are going to be kept in the cloud.

Fundamentally, it becomes increasingly important to teach creativity. Because access to knowledge is not enough. We must also learn what to do with the knowledge and how to make advancements. The best advancements are made by standing on the shoulders of others. But without understanding how things interrelate, without basic reasoning skills, the access to knowledge is pointless.


Tuesday, May 21, 2013

Security, Part 1

As much as we'd like it to be true, security is not all about ciphers; it's also about physical security, the human factor, and an often overlooked area called side channels.

Physical Security

We all know that you need a password to keep a computer secure, right? But what happens when the hard drive is stolen? Your data can walk right out the door, that's what!

But even the transmission of secret keys and plain text is an issue. For instance, a keystroke logging program can easily intercept all the passwords you type. So you want to make sure that such a program never gets onto your computer.

With some cipher text, the more you get of it the easier it is to decode it. While this usually describes not-so-good security, things like feedback shift register xor cipher techniques are still employed in stream ciphers. To combat this, the feedback shift register must be re-initialized periodically to prevent the code from being broken. This is usually done by using a more secure encryption technique, like an RSA public-key cryptosystem.

But the best thing would be to make the transmission un-interceptable. This leads to the use of quantum key cryptography.

The Human Factor

The mobile computing revolution didn't invent the need for accessing your data externally, but it did make it a lot more common. So we use passwords to protect our data.

Passwords are secret keys that are possible to remember. But humans are frail and forgetful and so often they use passwords that are easy to guess. Ones they can't forget. Like 12345. I talk about just how insecure these kinds of passwords are in my first post on hackers.

But humans are always doing dumb, insecure things, like leaving doors unlocked or ajar, leaving a key under the flower pot, or leaving the keys to the car behind the visor. This kind of behavior happens out of force of habit to some people and represents a massive security breach.

But the most powerful kinds of attacks are called social engineering attacks.

Side Channels

This is the most interesting kind of insecurity, because it really describes an indirect attack.

One side channel is comprised of signals emanating from a device like an LCD screen. The video signals are generally leaked out and can be intercepted and reconstructed for spying on the device. For CRTs, a fellow named Wim Van Eck demonstrated in 1985 that he could display on a TV monitor the contents of a CRT screen, captured from hundreds of meters away, just by tuning into the video frequency emanations. The technique, known as Van Eck phreaking, can work on any display hardware.

When it comes to radio frequency (RF) emanations, a standard, known as TEMPEST since the 1960s, covers the techniques and methods used in shielding devices and components from being surveilled in this way.

Simple things like wi-fi are easily broken into, in a process called wardriving. There are published approaches for how to crack WEP and other security protocols used in wi-fi. But other methods can also be used to gain the password. Once the wi-fi is accessed, then anything transported on the wi-fi is also accessible. Google got in trouble for accessing wi-fi from their street view vehicles, but the fact is it is too easy to collect data in this manner. Thus, the mobile computing revolution introduces a whole new set of insecurities.

Another side channel concerns cryptography and this one is a doozy: just by observing the process that is encrypting or decrypting some data, you can infer information about, for instance, the size of the prime numbers used in an RSA public-key cryptosystem. If you can tell how long it takes to divide the public key by a secret key, you can infer some valuable information about the size and bitwise complexity of the secret key. If, when producing a prime number pair, you can determine how long it took to produce it, you can tell a bit about the algorithm used to produce them. Each bit of information is useful in chopping away at the space of all possible answers to the question of what the secret is.

The data you observe about the cryptography process can be power consumption, the timing, or really anything that can be measured externally. With a power consumption curve, you can do differential analysis to get really precise information about how big the multiply was, and even which parts of the multiply are more complicated than others.

And you can also measure thermal and acoustic signatures as well. For instance, by focusing an infrared camera at a chip during a certain computation, you can determine which parts of the chip are active and at what times.
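The timing leak described above, as an added example that is not part of the original post. It counts modular multiplications instead of measuring a clock, which is a simplifying assumption, and it uses a small constructed RSA key (n = 3233, e = 17, d = 2753) rather than real key sizes.

```python
TOY_N, TOY_E, TOY_D = 3233, 17, 2753  # constructed toy key: 3233 = 61 * 53


def modexp_square_multiply(base, exponent, modulus):
    """Classic left-to-right square-and-multiply.

    Returns (result, operations). A multiply happens only for 1 bits, so
    the operation count is bit_length + (number of 1 bits): the running
    time depends on the secret exponent.
    """
    result, operations = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        operations += 1
        if bit == "1":
            result = (result * base) % modulus
            operations += 1
    return result, operations


def modexp_ladder(base, exponent, modulus):
    """Montgomery ladder: one multiply and one square for every bit.

    The operation count depends only on the bit length, not on which bits
    are set. (Python integers are not constant-time; this models the
    operation sequence a hardened implementation aims for.)
    """
    r0, r1, operations = 1, base % modulus, 0
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        else:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        operations += 2
    return r0, operations


def infer_hamming_weight(operations, bit_length):
    """What an observer of square-and-multiply learns about the exponent."""
    return operations - bit_length


if __name__ == "__main__":
    cipher, _ = modexp_square_multiply(65, TOY_E, TOY_N)
    plain, ops = modexp_square_multiply(cipher, TOY_D, TOY_N)
    print("decrypted:", plain, "operations:", ops)
    print("leaked 1-bit count:", infer_hamming_weight(ops, TOY_D.bit_length()))
    for exponent in (0b100000000001, 0b111111111111):
        _, leaky = modexp_square_multiply(7, exponent, TOY_N)
        _, flat = modexp_ladder(7, exponent, TOY_N)
        print(f"{exponent:012b}: square-and-multiply={leaky} ladder={flat}")
```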



Hackers, Part 6: Methods of Entry

I have often wondered how hackers gain control of your system when you are just browsing the web. It's actually an interesting process, and knowing about it can help you be aware of the threats.

Through the rabbit hole

In order to understand what's happening when you get infected by a virus or another sort of malware, it seems a bit like going through the rabbit hole. This is because computer programming can be a bit of a dark corridor to the average person. Perhaps it's a place they don't usually go.

Have you heard of compromised websites? Well, I was surprised to know that almost any website can be compromised through a number of techniques. The main thing needed is for the website to contain a link that directs you to another website. This can easily be done, for instance in an ad. But HTML code often contains SQL code in it, when a database access is done. This kind of code is susceptible to SQL injection exploits. Perhaps the hacker gains access to the website's administration via a cracked password or some other mistake in configuration.

When you visit a compromised website, you don't really notice the intrusion. Actually it's supposed to be that way. They want to catch you unaware. So you will probably just see the website's normal content. But somewhere in the HTML stream, a malicious URL is included. This is what directs you to another website.

Wait: if it directs you to another website, then you should see your browser loading another page, right? No. Pointing you off to that website does not necessarily mean loading a page from that website. So you may not even notice anything at all. It can mean merely accessing a file at a specific URL in that website. But even accessing a single file can call for HTML code to be executed. Yes, before the file is loaded, special HTML code that verifies which kind of computer you are running and which OS version you are running gets executed first. This makes sure you are an intended victim: one with the vulnerability in question that is being exploited. And then a file is accessed, and loaded.

And Flash files are the most common kind of file chosen.

Flash: what's happening there?

The file being loaded is specially crafted to make use of a buffer overrun or another specific security hole in Flash Player. This is the kind of fault that seems to get patched nearly every month by Adobe. A recent update is a priority 1 (critical) security flaw, initially reported by MITRE. Apparently it's quite a problem. When logging into yahoo a while ago, I was prevented from doing so until I installed the most recent version of Flash Player.

However it happens, once you load this Flash file, the inevitable process of being infected with a virus has begun.

Eventually, an unsuspecting Windows XP user ends up downloading an EXE file which gets run and the virus is now installed.

When examining the SWF Flash files, it becomes clear that hackers like to obfuscate their code internally, usually by XORing parts of it with an 8-bit key. This renders plaintext unreadable to the casual observer. Or to anti-virus code that scans for dangerous items.
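Why an 8-bit XOR key is weak against a scanner that expects it, as an added example that is not part of the original post. The marker list, the function names and the sample blob are constructed for illustration and do not come from any real file.

```python
# Plaintext markers a scanner cares about (an assumed, illustrative list).
MARKERS = (
    b"http://",
    b"https://",
    b"This program cannot be run in DOS mode",
)


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def scan_single_byte_xor(blob, markers=MARKERS):
    """Find markers hidden under any of the 255 non-zero one-byte keys.

    Instead of decoding the blob 255 times, each marker is encoded with
    the candidate key and searched for, which finds the same matches.
    Returns a list of (key, offset, marker) tuples.
    """
    hits = []
    for key in range(1, 256):  # key 0 would leave the plaintext visible
        for marker in markers:
            needle = xor_bytes(marker, key)
            start = 0
            while (offset := blob.find(needle, start)) != -1:
                hits.append((key, offset, marker))
                start = offset + 1
    return hits


def decode_printable_run(blob, key, offset):
    """Decode from offset until the first byte that is not printable ASCII."""
    out = bytearray()
    for byte in blob[offset:]:
        char = byte ^ key
        if not 0x20 <= char < 0x7F:
            break
        out.append(char)
    return out.decode("ascii")


def build_sample():
    """Constructed sample: filler bytes around one XOR-hidden string."""
    header = b"FWS\x0a"          # SWF-style signature bytes, then filler
    filler = bytes(range(64))
    hidden = xor_bytes(b"http://example.invalid/payload.exe", 0x5A)
    tail = b"\x5a" + bytes(range(64, 96))
    return header + filler + hidden + tail


if __name__ == "__main__":
    sample = build_sample()
    for key, offset, marker in scan_single_byte_xor(sample):
        text = decode_printable_run(sample, key, offset)
        print(f"key=0x{key:02x} offset={offset} marker={marker!r} -> {text}")
```

Short markers produce false positives on large files, so a scanner built this way would treat a hit as a reason to decode and inspect the surrounding region rather than as a verdict.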

Steve Jobs, in April of 2010, noted that Adobe Flash Player was the number one reason for Macs crashing. Why is this?

One reason is that Flash allows code to be embedded into an animation file that gets run locally in your Flash cache folder. So just loading an animation file can cause actual code to be run! This code can be malware, of course. It can even be encrypted so it can't be detected by virus scanning software. And that presumes that the virus-scanning software even gets a look at that file.

Ah, but is this still true? Not exactly. Adobe has implemented a Protected View sandbox that prevents malware from being executed. But, as the recent security patch indicates, the wrinkles in this approach are still being ironed out. Still, it represents some progress.

It is well-documented that, in 2010, security experts denounced Flash.

And nearly every computer has it installed. So Adobe has had a lot to lose.

Adobe has updated Flash once again a few days ago, plugging memory leaks that get exploited so malware can insert their own code.

Building secure software

But treating security flaws like a perception problem is really at the flawed center of a public relations way of dealing with security. Sandboxing approaches, internal file fuzzing, and white-box testing are the proper ways of dealing with such issues. Also, it is possible to hire a tiger team of professionals whose job it is to break the software in question and use it to compromise test websites. In other words, be the hacker. A regimen of code review is useful as well. Some would say absolutely necessary, particularly close to a release, when it is impossible for QA people to properly assess the security of the software. It is also necessary to have the latest in compilers. This means having a compiler that rigorously and continuously performs deep semantic analysis: tests for logical flaws that can lead to insecurities such as buffer overruns, enumerates and discovers cases that weren't handled, spots unlikely code scenarios, and so forth. People who program make mistakes all the time. It is unconscionable (and just plain stupid) to use a compiler that does not perform as many checks as possible.

When management doesn't embrace the methods of building secure software, then the users are the ones that lose. This is because the software's insecurities cause the users to be compromised. And then the software manufacturer loses as well. Because users won't buy it. These days, word spreads pretty fast about insecurity. It's all over the news. So, even in the case of Flash, where it is a significant part of the workflow of the web, this problem can lead to market share slippage and eventual replacement by transparent standard technologies, like HTML5.

For many years, Adobe treated the problem like a public relations problem. I speculate that is because they were concerned merely with getting releases out and reaping the revenue. In other words managers were concerned with making the quarterly revenue. Not with the future viability of their product.

Those who use secure software methodologies can see the forest for the trees. They know that sustainability is important. Perhaps the page has turned at Adobe.

Back to public relations. How should public relations work when dealing with perceptions of security failures? It's hopeless unless the company they are representing takes a proactive stance in preventing attacks to their security. When the hackers laugh at your security, you are going to be a big target, because the word will spread through the hacker community that you are a low-hanging fruit. Ripe for the picking. You get it.






Saturday, October 13, 2012

How Old Is Your Software?

Let's look at software vulnerability. What kinds of software are the most vulnerable?

Well, duh! The oldest, most crufty kinds of course! Whenever you add onto software year after year, you unwittingly create opportunities for exploitation. We say that our data are secure, yet we do not test software in anywhere near the rigorous fashion it requires!

This leaves us with highly-functional yet completely-vulnerable software. And the users don't even realize it. Business users, corporate users, individual users, you.

Which Software is the Most Vulnerable?

Means: Programmers only need to be connected to the Internet and have a computer capable of being programmed to become a hacker. This makes up basically every person on the planet in all but the seriously developing nations. So let's just say there is a large sample set of possible hackers.

Motive: To be vulnerable, you also have to be hiding something desirable, interesting, or perhaps embarrassing. In other words: valuable to someone who just needs some street cred. What holds this kind of data? Your computer, your hard disk, your database, managed by operating systems, software that routinely gets installed or updated, and also things like distributed database server software that protect huge amounts of data. For more motives for hacking, see my first blog post on Hackers.

Opportunity: So, let's look at software that has enjoyed release after release year after year. These releases are generally done for the purposes of:
  • increasing their feature set
  • making them faster
  • fixing their security holes
So let's examine systems which do this. Operating systems, like Windows, Mac OS X, iOS, and Android certainly are updated quite often. System software for supporting desirable things like videos is updated often as well, like Adobe's Flash. So are things like their suite of programs, the Creative Suite. In business, the Oracle SQL Server is updated quite often also, to add features and, more often, to patch vulnerabilities. Programming capabilities like Java are updated a lot also. Even GNU, the Free Software Foundation's operating system, which declares proudly that GNU's Not Unix (though it is identical to it in every way I can see) is updated quite often.

These are the most vulnerable software systems on the planet, merely because they are updated so often. And because so many people and businesses use them.

What Makes These Vulnerabilities?

The best positive marketing driver is the first one: increasing their feature set. To do this, it is often necessary to allow other developers to add to their feature set. We see this in nearly every OS platform in history. Supporting Applications. Allowing Plug-ins. Enabling programmability.

Being able to program something is highly desirable. It is also exactly what causes the vulnerabilities.

In 1984, I bought my first Macintosh. Actually it was an original 128K Mac. And the first thing I did was to take it apart, with a long Torx screwdriver and some splints to crack open the shell. My business partner in Fractal Software, Tom Hedges, was doing the exact same thing in the very same room. We both came to the conclusion that it needed a real hard drive, which was an interesting hardware task. We also came to the conclusion that we wanted to program it.

I wanted to create a new application.

We met an Apple person, Owen Densmore, at Siggraph that year and he put us in touch with a key developer, Bill Duvall, who had built the Consulair C system with a text editor. Owen gave us the external terminal debugging capability, called TermBugA, that we could use to debug our applications. He put us in touch with Steve Jasik, who authored MacNosy, and had disassembled the entire ROMs in a Mac. We built our first apps for the Mac within a couple of weeks and began our development career.

This is the old school method. The very ability to program a device has a name now: pwn. This means "owning it" but it also has a whiff of programmability to it.

If a device is a computer of any kind, then the desire to program it freely is a natural consequence of these old school ways.

But those ways must change.

How Are The Vulnerabilities Exploited?

The goal is to become a privileged user on the computer. This will enable the hacker to install their programs, get access to whatever data is available without restriction, and basically to take over the computer. Once this is done, then malware can be installed. Things that log your keystrokes. Or watch you through your webcam. Or check which web sites you use, remembering whatever passwords you use to access them.

This enables them to steal your identity or your money. Or you can be blackmailed with whatever incriminating data is present. In other words, criminal activity that exploits you, your business, or your customers.

But overwhelmingly, your computer can become something that is not under your control and can be used as a base for expansion, virus propagation, or as a machine to support DDoS attacks as well.

How do they get control of your computer? Often it is with a very small bug.

Now, software above a certain size always has bugs in it, and that's the problem in a nutshell.

The kind of bugs that hackers look for are primarily buffer overrun bugs. Because all machines are Von Neumann machines, data is stored in the same place as code. This means that all the hacker needs to do is insert their code into your system and transfer control to it.

A buffer overrun bug allows them to do this because, by definition, once a buffer (a fixed-size place in memory to store data) is overrun then the program has lost control of what is going into memory. With a little cleverness, after overrunning the buffer, the data will go someplace that is a tender spot. This can cause another bug to happen or it can be a spot where program control will end up soon enough in the future.

And voilà, the hacker is running their own native code on your computer.

Their next trick is to become a superuser. This is sometimes referred to as becoming root. These terms come from UNIX, which is the basis for many operating systems, like Mac OS X and Linux.

This can be done several ways, but the most effective way is apparently to masquerade as a routine install of familiar software. Like Photoshop, Flash, a Windows Service Pack, etc.

But the process of taking over a computer, which comprises a rootkit, is often a several-step process.

Perhaps the computer becomes a bot, simply running jobs for the hacker: sending email spam at random times, using the computer's position in the network to attack other local computers, making the computer be part of a Distributed Denial of Service (DDoS) attack.

Perhaps the hacker only wants to get the data in that computer. The easiest way is to gain superuser access, and then you have the privileges to access all the files. Maybe the hacker just wants to watch the user and gain information like bank account numbers and passwords.

Sometimes the hacker just wants to get access to databases. The databases contain information that might be sensitive, like credit card information, telephone numbers. Since these databases are generally SQL servers, a specific kind of attack is used: SQL Injection attacks.

Poorly-written SQL can have statements in it that evaluate a string and execute it, rather than running code with pre-specified bind variables. It is these strings that make SQL vulnerable to being co-opted by a hacker, who can modify the SQL program simply by changing its parameters. When the string gets changed to SQL code of the hacker's choice, it can be executed and the hacker can, for instance, extract all of the database records, instead of the usual case where only the records on a certain date may be accessed. Or the hacker can change the fields that get extracted to all the fields instead of a small number of them.

How Do We Combat This?

It is easy to say there is no way to fight system vulnerabilities, but you would be wrong.

The strongest way to stop it is curation. One form of curation is the ability of a supervisor to prevent malware from becoming installed on a system. When a system allows plug-ins and applications, these must be curated and examined for malware and the backdoors and errors that allow malware to take hold. And they must be limited in their scope to prevent conscription of the operating system and applications that run them.

In the case of Apple, curation means examining every App built for its platform for malware or even the whiff of impropriety. And this is a really good thing in itself, because it means that far less malware attacks iOS than does Android.

In the case of SQL injection attacks, rewrite your SQL to not use executed strings.
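The difference between an executed string and bind variables, covering both the attack description earlier in this post and the advice just above, as an added example that is not part of the original post. The orders table, its rows and the input string are constructed, and sqlite3 stands in for the database server.

```python
import datetime
import sqlite3

# Constructed input: closes the quoted date and adds a condition that is
# always true, the "extract all of the database records" case.
CONSTRUCTED_INPUT = "2012-10-13' OR '1'='1"


def make_db():
    """In-memory database with a few constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, order_date TEXT,"
        " customer TEXT, card_last4 TEXT)"
    )
    db.executemany(
        "INSERT INTO orders (order_date, customer, card_last4) VALUES (?, ?, ?)",
        [
            ("2012-10-12", "alice", "1111"),
            ("2012-10-13", "bob", "2222"),
            ("2012-10-13", "carol", "3333"),
            ("2012-10-14", "dave", "4444"),
        ],
    )
    return db


def orders_on_date_vulnerable(db, date):
    """BEFORE: the parameter is pasted into the SQL text and executed."""
    sql = (
        "SELECT id, customer FROM orders WHERE order_date = '"
        + date
        + "' ORDER BY id"
    )
    return db.execute(sql).fetchall()


def orders_on_date_bound(db, date):
    """AFTER: the statement is fixed; the value travels as a bind variable."""
    sql = "SELECT id, customer FROM orders WHERE order_date = ? ORDER BY id"
    return db.execute(sql, (date,)).fetchall()


def orders_on_date_validated(db, date):
    """Bind variable plus input validation: reject anything that is not a date."""
    day = datetime.date.fromisoformat(date)  # raises ValueError otherwise
    return orders_on_date_bound(db, day.isoformat())


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", orders_on_date_vulnerable(db, "2012-10-13"))
    print("vulnerable, crafted input:", orders_on_date_vulnerable(db, CONSTRUCTED_INPUT))
    print("bound, crafted input:     ", orders_on_date_bound(db, CONSTRUCTED_INPUT))
```

With the bind variable the crafted string is compared as a literal date value, matches nothing, and never reaches the SQL parser as code.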

But general practices need to be followed religiously. Make sure your passwords are not guessable. Use firewalls to prevent unintended connections. Beware phishing attacks.


Tuesday, May 15, 2012

Cryptography, Part 1


Among the most important methods of security are cryptosystems and their application. They are the basis for security. But in the past they have been broken, notably in times of war, when necessity was at its most dire. For each post in this series, I will concentrate a bit on history and also a bit on the systems used in the modern day.

How They Work

The most obvious form of cryptography is simply the encryption of a message by a sender, sending the message in its encrypted form, and the subsequent decryption of that message by the receiver. In its original form, the message is called plaintext and the encrypted form of the message is called ciphertext. This kind of encryption has been used for thousands of years, though the methods of encryption have been getting better and better.

Letter Substitution Ciphers

Early forms of encryption were simple letter-substitution ciphers. The Caesar cipher was quite simple, just treat the letters of the alphabet as though they were a circular group and rotate the wheel. If we rotate by one, then TEMPUS FUGIT becomes UFNQVT GVHJS. This appears to be quite unreadable at first glance. But once you know the method, there are only 25 possibilities to try. Well, there should be 26, but that would include the case where the wheel was not turned. In this case the ciphertext is exactly the same as the plaintext: and so we ignore it.

A graphical example of letter substitution is Polybius' square. Here, a letter is substituted by two numerical digits, a row and a column. This makes TEMPUS FUGIT into 44 15 32 35 45 43 21 45 22 24 44. Note that the blank, or word separator, is not encoded. Yet this substitution cipher is really just an early attempt at making an ASCII representation of the characters.

If you can't encode a blank, the phrase NOW IN can be decoded as NO WIN. This is a potential misread. So the better ciphers allow for more than 25 letters, as we will see. Well, the very fact that I and J share a square seems to imply yet another kind of ambiguity would arise from the use of this cipher.

Nonetheless, letter substitution ciphers fall prey to cryptanalysis, the science of breaking a code. To break the code, all you need is a long message. The letters of a message have a very likely probability distribution: the Zipf distribution for English. So we can use frequency analysis to determine likely decodings and pretty soon we have cracked the code.

How does this work? First off, we analyze the frequency of occurrence of the ciphertext letters. Then we match that up to the frequency distribution of typical plaintext. This will give us a few likely substitutions to try.

Well, actually one more thing might be needed in practice: a list of letter pairs. Some letter pairs will be commonly-occurring and others will not occur at all. We can use this to automatically determine whether a prospective substitution is valid.

So, you see, a simple letter substitution cipher is quite insecure.

So it wasn't very long in the scheme of things that this cipher was improved on. As it turns out, simply scrambling the letters in the Polybius square is not enough to make it more difficult. This just turns it into another letter-substitution cipher.

Codes During World War I

So, what can be done to make it harder to crack? During WW I, the Germans fixed the Polybius square in two ways. First, they used a scrambled alphabet. Also they used ADFGX as the row and column numbers instead of 12345. This really only made it a bit more visually confusing, since it is still a substitution cipher.

Here you see the result of modifying the Polybius square, using letters for the row and column, and scrambling the alphabet. This is a permutation. Each message could change the code book by using a different scramble. But there was more to the key than this, as you will see.

The next step is to substitute for the letters of the message, in this case MOVE GUNS WEST is converted to AA DX XF AX XG GD GX DA FA AX DA FG.

Then we lay the encoded result into the same 5X5. Note that an X is added at the end. If the message is more than twelve letters, we do this potentially multiple times, into multiple 5X5 arrays. It is important to pad the end of the message with random text (not just X's), or it may be easier to analyze!

Then we put a 5-letter word at the top, this is the next part of the key. And this is what makes the cipher so interesting. It creates a second permutation, on the columns of the text. What we do is to sort the letters of the word, and move the appropriate columns in the array as the letters move. So this means your word can't contain the same letter twice, like TWEET, nor can it already be sorted, like ABCDE.

Once we sort the columns, we get a modified array of text. The last thing to do is to read it out in columns to produce the ciphertext.

Although this method is better than simple substitution, it is vulnerable in several ways. First, there are only 120 (5 factorial) possible sorting orders (permutations) for 5 letters. If we try them all, then there will be one ordering that gives a better frequency distribution than all the others. Even if this is not so, you can try all the orderings with likely frequency distributions, and break them using known substitution cipher attack schemes. A poor fellow named Lieutenant Georges Painvin did this by hand in 1918 and successfully broke the German code (even after they had added another row and column to their array!). It nearly drove him crazy too.

Here is the cipher text for the original message. The reason it is longer is that the result is essentially in base 5, which takes roughly twice the space in symbols vs. base 26.
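The column-sorting step and its 120-order key space, as an added example that is not part of the original post. It starts from the post's substituted text for MOVE GUNS WEST; the keyword CHAIR is an assumption made here, not the post's key, so the output below is not the post's ciphertext.

```python
from itertools import permutations

# The post's substitution output for MOVE GUNS WEST (before the X pad).
FRACTIONATED = "AA DX XF AX XG GD GX DA FA AX DA FG"
KEYWORD = "CHAIR"  # assumed keyword for illustration


def column_order(keyword):
    """Column indices in the order they are read once the keyword is sorted."""
    if len(set(keyword)) != len(keyword):
        raise ValueError("keyword letters must be distinct")
    if list(keyword) == sorted(keyword):
        raise ValueError("keyword is already sorted, so columns would not move")
    return sorted(range(len(keyword)), key=lambda i: keyword[i])


def transpose_encrypt(fractionated, keyword, pad="X"):
    """Lay the text into rows under the keyword, then read out sorted columns."""
    order = column_order(keyword)
    width = len(keyword)
    text = fractionated.replace(" ", "")
    text += pad * (-len(text) % width)  # the post pads with X; random is safer
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in order for row in rows)


def undo_columns(ciphertext, order):
    """Put the columns back in the given order and read the grid by rows."""
    width = len(order)
    height = len(ciphertext) // width
    columns = [""] * width
    for rank, col in enumerate(order):
        columns[col] = ciphertext[rank * height:(rank + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def transpose_decrypt(ciphertext, keyword):
    """The receiver's side: same keyword, inverse column move."""
    return undo_columns(ciphertext, column_order(keyword))


def all_column_orders(ciphertext, width=5):
    """Every text an analyst has to consider: one per column permutation."""
    return [undo_columns(ciphertext, p) for p in permutations(range(width))]


if __name__ == "__main__":
    ciphertext = transpose_encrypt(FRACTIONATED, KEYWORD)
    print("ciphertext:", ciphertext)
    print("decrypted: ", transpose_decrypt(ciphertext, KEYWORD))
    candidates = all_column_orders(ciphertext)
    print("orders to try:", len(candidates))
```

Each of the 120 candidates is an ordinary substitution ciphertext, which is why frequency analysis on the letter pairs finishes the job once the right column order is among them.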

What the Germans wanted was a system where they could freely transmit the message in the clear (in ciphertext form) but not have it decoded by an interloper, in their case the French. To make this work, the sender and receiver both must know the same key. This is called a shared secret in cryptography. A system where one key is used to both encrypt and decrypt the message is called a symmetric-key cryptosystem.

The advent of computers really did change cryptography. But it also simultaneously changed cryptanalysis. This is where cooler, and more mathematically-oriented, heads prevailed and systems were developed that were extremely hard to crack, even using modern computers.

Public-Key Cryptography

In 1874, a fellow named William Stanley Jevons figured out that one-way functions could be applied to cryptography. This was exploited by Rivest, Shamir, and Adleman at MIT in 1977 to create the RSA algorithm.

The basic idea is that there are two keys. One, the public key, is used to encrypt the plaintext, and another, the private key, is used to decrypt it. The keys are related mathematically, but computationally it is very difficult to extract the private key from the public key.

The technique for relating the public and private key pair in RSA is factorization. It's really quite clever. The public key is the product of two large (and I mean large) prime numbers. The private key is one of the prime numbers. What makes it work is this: it is relatively easy to determine if a large number is a prime. However, when a number is not a prime, it is very hard to factor it into a product of primes.
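The asymmetry between testing for primality and factoring, as an added Python example using textbook RSA with toy numbers; it is not code from the original post. The function names and the primes 61 and 53 are constructed for illustration, and the private exponent here is derived from the two primes, so factoring the public modulus is enough to rebuild it.

```python
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    # Miller-Rabin with fixed bases: deterministic below 3.3e24, and fast at any size.
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keys(p, q, e=17):
    # Textbook RSA without padding (illustration only): public (n, e), private d.
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    # pow(e, -1, m) raises ValueError when e has no inverse modulo (p-1)(q-1).
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def rsa_encrypt(m, public):
    return pow(m, public[1], public[0])

def rsa_decrypt(c, public, d):
    return pow(c, d, public[0])

def factor(n):
    # Trial division: the work grows with sqrt(n), so only toy moduli fall to it.
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")

def private_from_public(public):
    # Whoever factors n can rebuild the private exponent from the public key alone.
    p, q = factor(public[0])
    return pow(public[1], -1, (p - 1) * (q - 1))
```

The primality test answers immediately for a 61-bit number, while the trial-division loop would need on the order of a billion steps to split a product of two primes that size.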

There are many wrinkles to public-key cryptography. For instance, the protocol for key revocation or replacement is one. Timestamps can be added for additional limits on the spread and validity of the privilege of decoding.

Authentication

The main reason for the private key is, of course, the authentication of the intended receiver. But can an interloper do something to compromise the message? Absolutely. Modifying the ciphertext when it is en route from the sender to the receiver is one way to compromise the message. This gives rise to authentication schemes.

When it comes to security, it is important to have three bits of knowledge: The first is that the message is being received by its intended recipient. If you are sending a message to an ally, you would like to prevent your enemy from getting it. The second is to verify that the message did, in fact, come from the origin that is advertised for the message. If your enemy sends you a message that says it comes from your friend, this can be used to deceive you. The third is to know who had the message along the way. This is akin to the chain of custody in forensics. The point is this: can you trust the message?

We now use digital signatures to authenticate messages. More on this in a future installment.


Tuesday, March 27, 2012

Hackers, Part 3

There is no shortage of money at banks, usually. That's why criminals are motivated to rob them. But the act of robbing a bank is considerably less risky if you don't actually have to go there. Enter the hacker.

Money, It's a Hit

In previous installments of the Hackers posts we talked about the motivations of hackers. In this case, the motive is money. What drives computer programmers to steal money? Probably bad people with money that want more of it. Yet, a lot of them are overseas and I can't simply ask them, much less even identify them. I can speculate that some are state-supported, looking for handles on the US and other economies to exploit. Or they are criminal organizations that keep their own stable of indentured hackers in the back room, fed with Doritos and Mountain Dew. Or they are simply businesses that do things in shady ways, by contracting hackers to attack their competitors.

Either way, they typically employ a zero-day exploit and a chain of other buffer-overrun bugs to gain superuser access to a machine running Windows XP. At that point, they install a rootkit in the machine so they can gain superuser access at any point down the line. The machine becomes a bot.

Perhaps the most interesting and disconcerting fact is that there exist entities that sell and update rootkit programs. They need updating as Microsoft issues patches to the known exploits. But Microsoft's task is like trying to put your finger in the bottom of the boat when there are hundreds of holes. Or thousands.

So there is a market, I expect, for zero-day exploits. These are bugs in software that make a system crash and allow the hacker to upload code. That code might be part of a buffer overrun - the contents written into a buffer that's just too small to hold what's written. Since all machines are von Neumann machines, this means that you can execute data just like you can execute code. Data and program are interchangeable. This is why the linker can exist, and dynamic linking of libraries can occur.

And it's also why it's possible to upload malware through websites.

Let's take a case in point: Microsoft has been fighting a war of attrition against the Zeus botnet. But, why do they call it the Zeus botnet?

First, a bunch of machines under control of one master hacker is called a botnet, a network of bots. Each machine can be activated by its master to do their bidding. With many machines under the hacker's control, operations like DDoS attacks can be run with greater effectiveness. Or they can use the botnet for sending ridiculous amounts of spam email advertising fake Viagra. The botnets also give a certain degree of anonymity to their masters, because they are only, after all, operating by proxy.

It is apparent that a group of professional attackers maintains the Zeus code, which is code to help penetrate systems. How can such a group exist? They run their shop somewhere in Eastern Europe, away from the reach of the FBI and other law enforcement groups. I really wish that whatever country they are in would have the guts to shut them down. I'm not even sure Interpol has a presence there.

And maybe there is the question as to whether the construction of a tool to penetrate systems is even illegal at all, in and of itself. Still, selling the tool and supporting the tool seems like it is aiding in the commission of a crime.

Yes, the Zeus code costs money also. They charge between $700 and $15,000 US for their code and also for support, which includes updates to current zero-day exploits and also probably tech support via some anonymized IRC chat.

The presence of Zeus means that it's much easier for state-supported hacking and business-supported hacking to exist. These institutional hackers simply buy Zeus and then rent servers to make botnets.

And this is Microsoft's war of attrition: to take down the server farms (otherwise operating legally and used for housing websites and e-commerce operations, and possibly unaware that they house botnets) that have been converted into botnets. Some 13 million computers are used in this way. And this has resulted in the theft of about $100 million since 2007, that we know about.

Business as Usual

Another real problem is the rampant increase in hacking for the purposes of gaining a business advantage.

A really fascinating and discouraging piece of news showed up today. News Corporation, run by Rupert Murdoch, has been accused of another hacking scandal. This time it was purportedly hiring hackers to crack rival ITV network's smart card encryption scheme, and posting it online so most of ITV's customers could simply avoid paying them.

This put ITV out of business, which was just fine for News Corporation's Sky TV service, which likely picked up the customers.

News Corporation was found guilty of hacking one smart card for the DISH Network. And fined a piddling sum. But what actually happens is that they can post the hack (anonymously) and ruin their competitors.

Pretty sneaky, massively illegal, and very immoral.

The tiny fine was a classic Pyrrhic victory for the DISH Network.

4 teh Lulz

It is interesting to see a return of the splinter group LulzSec, so soon after Sabu, LulzSec's leader, was deftly converted to a mole and then turned on LulzSec itself. This had the useful effect of decreasing the hacker world's trust in itself.

Now, an enterprising hacker with the handle lalalalala has penetrated MilitarySingles.com and posted on pastebin all the information about the 171,000 dating servicemen (and women). As part of a new group. And they are calling themselves LulzSec Reborn.

Reborn, presumably, from the ashes of the FBI sting on the group.

This is the trending problem: that technology can change much faster than law enforcement. Tech is the fastest changing thing on the planet. So it's a wonder that the FBI, Interpol, and MI-5 can barely keep up with it: they don't always have the tools they need to be effective. Why?

The real problem is that laws can't keep up with technology.