Message-ID: <200309122211.h8CMBp523020@netsys.com>
From: jason at positivenetworks.net (On-the-fly Security Institute)
Subject: Strange Code...found in a Website...anyone who knows what this is? - [MODERATED]

Battle.net Cryptanalysis
------------------------

WARNING: We are not responsible for persons that continue reading this bulletin who do not possess the appropriate security clearance. Please see U.S. Government Executive Order 12968, "Access to Classified Information" for more information.

We had received an advanced notification of the encrypted text from SANS, CERT, and DoD, but unfortunately someone posted to Full-Disclosure before the findings could be completed. Below is a step-by-step review of our analysis to date, performed over the last 48 hrs:

1) HTML steganography

The data structure appears to not match any common patterns in the FBI digital watermarking database. This implies an unknown origin or some sort of extra-processtual manipulation. Due to UCITA and the DMCA, it was difficult to analyze the precise HTML in its original format. Only after a kernel debugger was connected via a serial console to a Windows 95 workstation were we able to uncover some of the commonalities in this sequence. This was our starting point.

Reference: http://tech.millto.net/~morry/kdebug/

2) Payload extraction

Obviously, we're dealing with highly specialized encoding devices, as the protocol headers were not even marginalized in an ISO-compliant manner (seriously!). Clearly, "@", "(", "#", "%", "*", and similar characters are delimiters for this payload.

Our team cursorily identified two major data representation groups in the message, apparently repeated for obscurity:

	Data A) JLKZXJLKD

	Data B) GJSDLKJZXLKJCOIWUTGOIWEUTR

3) ROT13 cipher attack

As is typical for high security data transmissions, a lesser-known Red Herring technique was tossed into the mix:

ROT13 of Data A) WYXMKWYXQ
ROT13 of Data B) TWFQYXWMKYXWPBVJHGTBVJRHGE

NOTE: In order to filter out potentially malicious individuals from using this information against the country in a way that could mitigate our national defense systems, I've left the interpretation as an exercise to the AUTHORIZED readers. (Though it may seem obvious to the cryptographers among you, a case study published in 1997 by the National Steganographic Society found that individuals who identified themselves as "IT savvy" were increasingly unable to produce any compelling evidence after ROT13 analysis).

(For those of you still with us... keep reading!)

4) Chinese Remainders

After hours of dead-ends, we began looking at the message in raw form by acquiring a bridge tap lock on the serial null modem cable. It is especially lucky that we decided to serialize the data, as the observations began to concisely abstractificate into increasingly contextual form.

Specifically, we were seeing 0x23 and 0x54 appearing in rapid succession in between the ASCII milestones. What we normally would've dismissed as "random noise", actually had a detectable pattern. As of yet, the guys over in EE have not determined what the precise cause of this decipherable noise is. But, in base 10, the resultants:

Steganographic Resultant A) 35

Steganographic Resultant B) 84

The Euclidean Algorithm is a process which gives the greatest common divisor of two natural numbers. Recall that, for any natural numbers r and s, and any integer t, we have (r, s) = (r, s + tr). We will use a consequence of the Euclidean Algorithm, called the Chinese Remainder Theorem:

We compute (35, 84). Since 35 goes into 84 twice, we subtract 2 · 35 = 70 from 84 to see that (35, 84) = (35, 14). Notice now that 35 is the larger number. We can subtract 2 · 14 = 28 from 35 to get (35, 14) = (7, 14). Now, since 14 is a multiple of 7, we see that (35, 84) = 47.

There are several paths of interpretation, but our only cryptanalysis hit came when we calculated this to be ASCII string "47" (as opposed to its numeric representation).

What word does 47 represent? Dividing by 27, we find that the quotient is 1, with a remainder of 20. Since 1 is less than 27, the word is 120, or AT. What about 13703? Dividing by 27, we get 507, with a remainder of 14. Dividing 507 by 27, we get 18 with a remainder of 21. 18 is less than 27, so we are done, and we get the word 182114, or "DoD". Yes, that's right... The Department of Defense.

This message was probably placed by the Department of Defense or one of its contracting agencies on a Battle.net server without the knowledge of any of the webmasters, as public Internet distribution of this content would conjure up memories of Judge James Edwin Horton and the Trial of the "Argentinian Cipher Militia".

5) **Unprecedented information security breach**

-----
[Note from editor: For the first time in history, per instructions from international law enforcement agencies, I have been forced to moderate the contents of this post. Please expect a follow-up post after findings are made public. For media & local law enforcement, direct inquiries to privacy@...zzard.com. ]
-----

Well, there it is. Save yourselves while you still can!

Regards,
Jason Sloderbeck


On-the-fly Security Institute				Gosford, Antarctica
"Cryptanalysis performed while you wait"		ID# B418 B290 ACC0
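Carrying the post's three transformations through in code, as an added example that is not part of the original message: ROT13 over the two data groups, the (r, s) -> (r, s - tr) reduction trace the post walks through for (35, 84), and the base-27 letter decoding with A = 1 ... Z = 26. The inputs are the values quoted in the post; nothing else is assumed.

```python
# Added example (not from the original post): ROT13, the Euclidean reduction
# trace, and the base-27 "word" decoding the post describes, run on its values.
import string

# Constructed inputs: the two data groups and two resultants quoted in the post.
DATA_A = "JLKZXJLKD"
DATA_B = "GJSDLKJZXLKJCOIWUTGOIWEUTR"
RESULTANT_A, RESULTANT_B = 35, 84


def rot13(text):
    """Shift every ASCII letter 13 places, preserving case; other bytes pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + 13) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def euclid_steps(r, s):
    """Trace of (r, s) -> (r, s - t*r) for natural numbers r, s >= 1.

    Each step subtracts the largest multiple of the smaller number from the
    larger one; it stops as soon as one number divides the other.
    """
    steps = [(r, s)]
    while s % r != 0 and r % s != 0:
        if s > r:
            s -= (s // r) * r
        else:
            r -= (r // s) * s
        steps.append((r, s))
    return steps


def gcd(r, s):
    """Greatest common divisor read off the last pair of the reduction trace."""
    a, b = euclid_steps(r, s)[-1]
    return min(a, b)


def base27_word(n):
    """Repeated division by 27; remainders 1..26 map to A..Z, read last-to-first."""
    letters = []
    while n > 0:
        n, rem = divmod(n, 27)
        if rem == 0:
            raise ValueError("remainder 0 has no letter in the A=1..Z=26 scheme")
        letters.append(string.ascii_uppercase[rem - 1])
    return "".join(reversed(letters))
```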

