DNA & secret service
Posted by: jungsonn
Date: November 15, 2006 12:54AM

Interesting article to read: how the Secret Service is in the battle against encryption. It seems they use techniques just like software such as SETI@Home, by sending multiple computers "horsepackets" to compute/bruteforce passwords.


Featured Article: Secret Service Decoding Encrypted Evidence by Brian Krebs, washingtonpost.com

For law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part. More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes. The wide availability of powerful encryption software has made evidence gathering a significant challenge for investigators. Criminals can use the software to scramble evidence of their activities so thoroughly that even the most powerful supercomputers in the world would never be able to break into their codes. But the U.S. Secret Service believes that combining computing power with gumshoe detective skills can help crack criminals' encrypted data caches.

Taking a cue from scientists searching for signs of extraterrestrial life and mathematicians trying to identify very large prime numbers, the agency best known for protecting presidents and other high officials is tying together its employees' desktop computers in a network designed to crack passwords that alleged criminals have used to scramble evidence of their crimes -- everything from lists of stolen credit card numbers and Social Security numbers to records of bank transfers and e-mail communications with victims and accomplices. To date, the Secret Service has linked 4,000 of its employees' computers into the "Distributed Networking Attack" program. The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis.

"We're seeing more and more cases coming in where we have to break encryption," Lewis said. "What we're finding is that criminals who use encryption usually are higher profile and higher value targets for us because it means from an evidentiary standpoint they have more to hide."

How DNA Works
The Secret Service's "Distributed Networking Attack" program consists of 4,000 computers linked together and configured to try different password combinations against a series of encryption keys. The network is organized hierarchically, according to each computer's processing power and function, with each segment of the network named with a decidedly equine theme. The machine that tells each segment of the network what to work on is called "Shadowfax," named after the horse in J.R.R. Tolkien's "Lord of the Rings" series.

Underneath Shadowfax are several "Blackhorse" machines that assign jobs to DNA computers in Secret Service field offices around the country. The computers that actually do most of the computations are called "packhorses." DNA scours a suspect's hard drive for words and phrases located in plaintext and fetches words from Internet sites listed in the computer's Web browser logs. DNA technicians then load the suspect's encrypted data into the system, while Shadowfax tells the Blackhorse computers how to distribute the workload of testing the keys against the word lists and execute any subsequent brute-force attacks against the targeted encryption keys. Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.

The strength of any encryption scheme is based largely on the complexity of its algorithm -- the mathematical formula used to scramble the data -- and the length of the "key" required to encode and unscramble the information. Keys consist of long strings of binary numbers or "bits," and generally the greater number of bits in a key, the more secure the encryption. Many of the encryption programs used widely by corporations and individuals provide up to 128- or 256-bit keys. Breaking a 256-bit key would likely take eons using today's conventional "dictionary" and "brute force" decryption methods -- that is, trying word-based, random or sequential combinations of letters and numbers -- even on a distributed network many times the size of the Secret Service's DNA.

"In most cases, there's a greater probability that the sun will burn out before all the computers in the world could factor in all of the information needed to brute force a 256-bit key," said Jon Hansen, vice president of marketing for AccessData Corp, the Lindon, Utah, company that built the software that powers DNA. Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user. Most encryption programs urge users to pick strong, alphanumeric passwords, but far too often people ignore that critical piece of advice, said Bruce Schneier, an encryption expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif.

"Most people don't pick a random password even though they should, and that's why projects like this work against a lot of keys," Schneier said. "Lots of people -- even the bad guys -- are really sloppy about choosing good passwords."

Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords. In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.

"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.

DNA was developed under a program funded by the Technical Support Working Group -- a federal office that coordinates research on technologies to combat terrorism. AccessData's various offerings are currently used by nearly every federal agency that does computer forensics work, according to Hansen and executives at Pasadena, Calif.-based Guidance Software, another major player in the government market for forensics technology. Hansen said AccessData has learned through feedback with its customers in law enforcement that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.

"Most of the time this happens the password is some quirky word related to the suspect's area of interests or hobbies," Hansen said.

Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup. Having the ability to craft custom dictionaries for each suspect's computer makes it exponentially more likely that investigators can crack a given encryption code within a timeframe that would be useful in prosecuting a case, said David McNett, president of Distributed.net, created in 1997 as the world's first general-purpose distributed computing project.

"If you have a whole hard drive of materials that could be related to the encryption key you're trying to crack, that is extremely beneficial," McNett said. "In the world of encrypted [Microsoft Windows] drives and encrypted zip files, four thousand machines is a sizable force to bring to bear."

It took DNA just under three hours to crack one file encrypted with WinZip -- a popular file compression and encryption utility that offers 128-bit and 256-bit key encryption. That attack was successful mainly because investigators were able to build highly targeted word lists about the suspect who owned the seized hard drive. Other encrypted files, however, are proving far more stubborn. In a high-profile investigation last fall, code-named "Operation Firewall," Secret Service agents infiltrated an Internet crime ring used to buy and sell stolen credit cards, a case that yielded more than 30 arrests but also huge amounts of encrypted data. DNA is still toiling to crack most of those codes, many of which were created with a formidable grade of 256-bit encryption.

Relying on a word-list approach to crack keys becomes far more complex when dealing with suspects who communicate using a mix of languages and alphabets. In Operation Firewall, for example, several of the suspects routinely communicated online in English, Russian and Ukrainian, as well as a mishmash of the Cyrillic and Roman alphabets. The Secret Service also is working on adapting DNA to cope with emergent data secrecy threats, such as an increased criminal use of "steganography," which involves hiding information by embedding messages inside other, seemingly innocuous messages, music files or images. The Secret Service has deployed DNA to 40 percent of its internal computers at a rate of a few PCs per week and plans to expand the program to all 10,000 of its systems by the end of this summer. Ultimately, the agency hopes to build the network out across all 22 federal agencies that comprise the Department of Homeland Security: It currently holds a license to deploy the network out to 100,000 systems. Unlike other distributed networking programs, such as the Search for Extra Terrestrial Intelligence Project -- which graphically display their number-crunching progress when a host computer's screen saver is activated -- DNA works silently in the background, completely hidden from the user. Lewis said the Secret Service chose not to call attention to the program, concerned that employees might remove it.

"Computer users often experience system lockups that are often inexplicable, and many users will uninstall programs they don't understand," Lewis said. "As the user base becomes more educated with the program and how it functions, we certainly retain the ability to make it more visible." In the meantime, the agency is looking to partner with companies in the private sector that may have computer-processing power to spare, though Lewis declined to say which companies the Secret Service was approaching. Such a partnership would not endanger the secrecy of their operations, Lewis said, because any one partner would be given only tiny snippets of an entire encrypted message or file.

Distributed.net's McNett said he understands all too well the agency's desire for additional computing power. "There will be such a thing as 'too much computing power' as soon as you can crack a key 'too quickly,' which is to say 'never' in the Secret Service's case."

Brian Krebs is Staff Writer at washingtonpost.com



Edited 1 time(s). Last edit at 11/15/2006 02:45AM by jungsonn.

Re: DNA & secret service
Posted by: Ghozt
Date: November 15, 2006 02:17AM

I'd like to give them a go at my external Truecrypt disk.

Re: DNA & secret service
Posted by: jungsonn
Date: November 15, 2006 02:40AM

Yeah, but the technique of a gumshoe detective seizing a computer, analysing it and building a custom dictionary from your browser history/logs and all the other logs which resided on the PC, then running it against the computing power of a distributed network, is a clever idea if you ask me.

:))

Re: DNA & secret service
Posted by: kuza55
Date: November 15, 2006 05:58AM

It's an interesting idea that I'm sure anyone who's ever had something to crack has toyed with (i.e. surreptitiously installing a program on the computers where you work to act as a distributed password cracking network for you), but even their method of using custom word lists would be rather ineffective against anything even trivially random. Because it is, after all, word-list based, and even if they apply permutations, add digits, etc., it is still based off words; if your password is not, then you're safe.

What'd be really interesting though would be to get hold of the program client (since I doubt anyone would be willing to give out the server if they got it, :p) and some network logs, and see if you could get the machines to do your cracking for you. Or to see if you could find an exploit in the software, and be able to compromise the client... or the servers...
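The article's description of DNA (a word list built from the plaintext on the suspect's own drive and browser history, then run through the usual permutations) and kuza55's reply above (anything not word-based escapes it) are two sides of the same check. The following is an added example, not code from the thread and not AccessData's DNA: a small password-policy checker that rejects a candidate password if it can be derived from words in the user's own environment via common mangling, and otherwise estimates the worst-case brute-force time at the article's quoted rate of a million guesses per second. The corpus text, the suffix list and the leetspeak table are constructed assumptions for illustration.

```python
import re

# Constructed sample of "plaintext" found on a machine, standing in for the
# documents and browser history the article says DNA harvests. Assumed data.
SAMPLE_CORPUS = """
Saddle fitting guide: the stirrup leather, the treads and the bars.
Browsing history: motorcycle forum, Ducati Monster, chain lube review.
"""

# Assumed set of the "add digits, etc." permutations kuza55 mentions.
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "2006", "06"]
LEET_TABLE = str.maketrans("aeios", "43105")


def extract_words(text, min_len=4):
    """Tokenise plaintext into a sorted, lowercase candidate word list."""
    return sorted({w.lower() for w in re.findall(r"[A-Za-z]+", text)
                   if len(w) >= min_len})


def mangle(word):
    """Yield case, leetspeak and suffix variants of one base word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET_TABLE)}
    for base in bases:
        for suffix in COMMON_SUFFIXES:
            yield base + suffix


def build_candidates(text):
    """The full mangled dictionary derived from the corpus."""
    return {cand for w in extract_words(text) for cand in mangle(w)}


def is_derived_from_corpus(password, text):
    """True if a dictionary pass over the corpus would hit this password."""
    return password in build_candidates(text)


def charset_size(password):
    """Size of the smallest character class family that contains the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_seconds(password, guesses_per_second=1_000_000):
    """Worst-case seconds to exhaust the password's class at the given rate."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password, text, guesses_per_second=1_000_000):
    """Classify a password as corpus-derived (fast) or brute-force only (slow)."""
    candidates = build_candidates(text)
    if password in candidates:
        # The whole derived dictionary is tried before any brute force starts.
        return {"derived": True, "seconds": len(candidates) / guesses_per_second}
    return {"derived": False,
            "seconds": brute_force_seconds(password, guesses_per_second)}


if __name__ == "__main__":
    for pw in ["Stirrup2006", "ducati123", "xQ7#pL9v"]:
        r = assess(pw, SAMPLE_CORPUS)
        print(f"{pw:12} derived={r['derived']!s:5} worst case {r['seconds']:.3g} s")
```

The point the two posts make falls out of the numbers: "Stirrup2006" and "ducati123" are found in a dictionary of a few hundred entries, while an eight-character password drawn from all printable ASCII takes on the order of 95^8 / 10^6 seconds, centuries at the article's rate, because no word list reaches it.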

Re: DNA & secret service
Posted by: jungsonn
Date: November 15, 2006 10:51AM

It also says they wanna spread it over all offices in every state, which means there is an internet connection between them. Hope for them that it is a fat dedicated pipe!

Re: DNA & secret service
Posted by: maluc
Date: November 15, 2006 11:50AM

Well, a dedicated 100 Mbit should be more than enough... especially if they work off brute force.

And I think many of us, including myself, have considered using a botnet for some distributed bruteforce cracking. Using only the idle cycles it should be relatively unobtrusive. I've also considered a distributed rainbow table, but with non-consenting bots you can often be pretty limited on disk space.

Anyway, finals came so I put it on hold and eventually forgot about it - but that's how a lot of my ideas go :/

-maluc

Re: DNA & secret service
Posted by: rsnake
Date: November 15, 2006 04:49PM

Ever thought of XSS distributed networks? ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: DNA & secret service
Posted by: kuza55
Date: November 15, 2006 07:03PM

@rsnake

Heh, yeah, that'd be interesting, but then you get issues with persistence.

It's the same issue that I've had with all the XSS shells, proxies, etc.: sure, you *can* do evil things, but if the user closes the tab/window or navigates away from the page (sure, you could shove them into an iframe and have your code running outside the iframe so it doesn't get deleted, but the user would notice that the URL bar isn't changing), then you've lost it.

This matters even more if you're trying to use it to crack stuff for you because of how long it takes to crack things, and even though XSS is widespread, getting 500 people with an XSS thing for 2 minutes each is equivalent to getting 5 people for 2 hours each. So while it's a cool idea, it seems rather impractical.

It'd be interesting to see how long (on average, or by user demographic) you can maintain control over a user's browser without them doing anything though.

Re: DNA & secret service
Posted by: WhiteAcid
Date: November 15, 2006 08:15PM

Quote:
It'd be interesting to see how long (on average, or by user demographic) you can maintain control over a user's browser without them doing anything though.

Is that the start of a competition?

Now that would be fun.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: DNA & secret service
Posted by: rsnake
Date: November 15, 2006 09:03PM

500? Myspace was 1,000,000 users and it wasn't even designed to carry from page to page like some of the XSS worm stuff we've seen. It just needs to carry some variables from page to page. I really don't think it's impractical, but you'd definitely need a pretty elaborate command and control system.

- RSnake
Gotta love it. http://ha.ckers.org

Re: DNA & secret service
Posted by: maluc
Date: November 16, 2006 12:06AM

Heh, I never thought about that before... and it's actually doable. But it would need some clever way to give each user a different piece of the keyspace to test. I don't know that I trust the randomness of Math.random()... And to give out the keyspace again if some user navigates away before they finish.

It won't work for all encryption types, but md5 is an easy one to implement in javascript. http://pajhome.org.uk/crypt/md5/

I'll have to give the C&C more thought though. And hopefully make it as little bandwidth-intensive on the C&C as possible... or perhaps even headless ^^

-maluc

Re: DNA & secret service
Posted by: jungsonn
Date: November 16, 2006 04:14AM

I never thought about building my own; I don't have the resources to build a DNA.

I have thought about this though: there are already millions of accounts installed on PCs from SETI@home and the likes; one would only have to burst into the main servers that distribute those packets, and take over all the PCs to do some fancy math of your own. :]



Edited 1 time(s). Last edit at 11/16/2006 04:15AM by jungsonn.

Re: DNA & secret service
Posted by: jungsonn
Date: November 16, 2006 04:24AM

@maluc

It's easy to collect mouse entropy in JavaScript as a seed for randomness.

Re: DNA & secret service
Posted by: maluc
Date: November 16, 2006 07:11AM

Well, my guess is that SETI@home is not built to run arbitrary code, but rather to do some very specific image processing (or whatever the hell they're doing) algorithms.

So even after pwning the hive mind, you'd still need to either 1.) send some sort of buffer overflow to all the clients to run the arbitrary code, or 2.) utilize its auto-update if it has one, and patch in some additional 'features'.

If you can do #1 though, it's probably easier to attack the clients directly rather than trying to pwn a well-guarded server (it would depend on the type of overflow).

There are a million exploits to search for and herd bots with... no need to search for a new zero-day in SETI (which will probably be closed up within a day).

-maluc

Re: DNA & secret service
Posted by: maluc
Date: November 16, 2006 07:19AM

Oh, and I don't think JavaScript lets you seed Math.random() - and coding your own random function is a bit excessive. I assume it seeds from the system clock.

But even still, I'd like to use a method that tries to crack them linearly, but I dunno that that's possible without being very C&C intensive. With random, you're never really sure when you've exhausted the keyspace (without also being very C&C intensive).

I'll have to give it more thought

-maluc

Re: DNA & secret service
Posted by: rsnake
Date: November 16, 2006 11:47AM

Okay, the second option is all the machines that have PHP exploits in them. There's at least hundreds of thousands of machines at your disposal. Same issues with command and control, but doesn't have limitations of the programming language or browser control.

- RSnake
Gotta love it. http://ha.ckers.org
