6 C
London
Sunday, November 19, 2017
Home Tags Cryptographic Algorithm

Tag: Cryptographic Algorithm

HPE's SiteScope is vulnerable to several cryptographic issues,insufficiently protected credentials,and missing authentication.

XPan, I am your father

While we have previously written on the now infamous XPan ransomware family, some of it’s variants are still affecting users primarily located in Brazil.

This sample is what could be considered as the “father” of other XPan ransomware variants.

A considerable amount of indicators within the source code depict the early origins of this sample.
It's official: The SHA-1 cryptographic algorithm has been "SHAttered." Google successfully broke SHA-1. Now what?After years of warning that advances in modern computing meant a successful collision attack against SHA-1 was imminent, a team of researchers from Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands have successfully developed the first successful SHA-1 collision.
In practical terms, SHA-1 should not be relied upon for practical security.[ 18 surprising tips for security pros. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]Modern cryptographic hash functions depend on the fact that the algorithm generates a different cryptographic hash for every file.

A hash collision refers to having two separate files with the same hash.

The fact that cryptographic weaknesses in SHA-1 make certificates using the SHA-1 algorithm potentially vulnerable to collision attacks is well-known.

The National Institute of Standards and Technology deprecated SHA-1 more than five years ago, and experts have been long urging organizations to switch to stronger hash algorithms. Up until now, the only thing going for SHA-1 was the fact that collision attacks were still expensive and theoretical.To read this article in full or to leave a comment, please click here
I recently had the pleasure of interviewing Dr. Leonard Adleman -- the “A” in the very popular public cryptographic algorithm RSA -- as part of the Association for Computing Machinery’s 50th anniversary celebration of the Turing Award.
In 2002, Adleman himself won the Turing Award, often referred to at the Nobel Prize of the computing world. Like many of his Turing Award-winning peers, Adleman is still actively involved in solving some of today’s most important computer and security problems. His love of math and number theory, combined with his interest in molecular biology, created a whole new way of thinking about computing that blurs the lines between silicon and life.
If we ever see bio-robots that think and act like humans, Dr.

Adleman will be one of the people you should thank. I asked Dr.

Adleman about his contributions to the creation of the RSA algorithm back in 1977.
I knew that Whitfield Diffie, Martin Hellman, and Ralph Merkle had first worked out public key crypto the previous year, but hadn’t quite figured out how to use large prime numbers -- and the difficulty of factoring them eventually took over the world.

Adleman had this to say: I was the number theorist in residence. Ron [Rivest] and Adi [Shamir] were really more interested in public crypto than I was initially.
I was more interested in math and number theory at the time, and at first I couldn’t see how great a role crypto would play in our lives in the future.

But as Ron and Adi came to understand that solving their problems would probably involve algorithmic number theory, I got involved. Basically, Ron and Adi would propose many different solutions [42 to be exact], and I would quickly shoot them down.

They would make many attempts over the months, and I would run into them at birthday parties and celebrations and find flaws. One night, at a Passover dinner, Ron drank a lot of wine.

After dinner, around midnight, Ron called me and told me about the large prime number and factoring idea that would eventually become RSA.

And right on the phone I said, “Congratulations, you’ve done it!” I knew we couldn’t prove it was unbreakable, but I couldn’t see any flaws. The RSA guys went on to form a company and popularize public cryptography. Dr.

Adleman’s interest in molecular biology, especially the HIV virus, also bore fruit.
In 1983, one of Adleman’s students, Frederick Cohen, created the first (or one of the earliest) self-replicating programs, which copied itself to other programs to spread.

Adleman saw the similarities between his biological work on HIV and what Cohen was doing, and he called Cohen’s creation a computer “virus.” Cohen credited Adleman with creating the name in his 1984 paper, “Experiments with Computer Viruses.” Computing with DNA A decade later, in 1994, Dr.

Adleman introduced the world to DNA computing in his seminal paper, “Molecular Computation of Solutions to Combinatorial Problems.” I remember reading the news stories surrounding his announcement with a mix of astonishment and incredulity.
If it had been announced this year, I’d still probably be checking to see if it was fake news.

But it wasn’t and isn’t.
Someone had figured out how for the first time to use biological life to compute. I asked Dr.

Adleman how the concept of using DNA to compute came to him. He replied: It came to me because of my interest in theoretical computer science and HIV. My interest in HIV led me to ask a colleague if I could get into his lab to become more proficient in professional molecular biology.

There I saw the world of DNA.
It was like being in Disney World! Since I had read Alan Turing’s 1936 paper, “On Computable Numbers, with an Application to the Entscheidungsproblem,” I knew that computing was easy, that the basic components were all around us. All you had to do was find a way of storing information and a way of doing simple operations on it.
I realized that DNA was a magnificent way of storing information and that living things had created enzymes to manipulate that information.
So I knew DNA computing would work. Life and computation are not very different from one another after all. Maybe we can’t put silicon computers into human cells, but we might be able to put DNA computers into them. One of the best parts of my discovery is what my students and others have done with it.

They have started to make structures out of DNA.
It even has a name: DNA origami.

They have even made DNA smiley faces.
If you need 50 billion statues of yourself, they can build them out of DNA. Cybercatastrophes I asked Dr.

Adleman what concerned him the most about computer security. He acknowledged what he was about to say might sound a bit apocalyptic: It’s not any immediate problem.

There are a zillion immediate problems, and a whole industry trying to respond to those.

But I hope security experts will take a longer view. What I’ve thought about, worried about, and am actually writing a book about is the “compuverse,” its extremely rapid evolution, and its potential for catastrophe. For example, we are all aware that it is an easy thing to attack an internet site.

But the major powers, and perhaps others, are almost surely working to acquire the ability to take down an entire nation’s computation power for a prolonged period of time.

A first-world country with no computational infrastructure is a country with no economy, no food, no power, and ultimately not a country at all.
In the not too distant future, cyberweapons may become weapons of mass destruction.

Computer security experts might be able to prepare for or prevent that from happening. To end on a slightly more positive note, there may be a small silver lining to our difficulties protecting computer systems.
Suppose some leader decides to hit “the button” to launch nuclear weapons.

There are lot of computations between that button and the weapons.
In today’s world, can the leader still be sure that what he thinks will happen will? Currently, Adleman is working a new approach to complex analysis called strata and writing a book on memes.

That’s in addition to his day job as a computer science professor at the University of Southern California.
It’s great to see one of the earliest contributors to computers and networks as we know them still going strong and contributing important insights to problems we face today.
Technology development seems to gallop a little faster each year.

But there's always one laggard: encryption. Why the deliberate pace? Because a single, small mistake can cut off communications or shut down businesses. Yet there are times when you take stock—only to discover the encryption landscape seems to have transformed overnight. Now is that time.

Although the changes have been incremental over several years, the net effect is dramatic. Some of those changes began shortly after Edward Snowden's disclosures of the U.S. government’s extensive surveillance apparatus. Others are the natural result of cryptographic ideas reaching the marketplace, says Brent Waters, an associate professor at the University of Texas at Austin and the recipient of the Association for Computing Machinery’s 2015 Grace Murray Hopper Award. “Many of the new tools and applications available are based on research innovations from 2005 and 2006,” Waters says. “We are just realizing what type of crypto functionality is possible.” A step closer to an encrypted world Encrypted web traffic is the first step toward a more secure online world where attackers cannot intercept private communications, financial transactions, or general online activity. Many sites, including Google and Facebook, have turned HTTPS on by default for all users. But for most domain owners, buying and deploying SSL/TLS certificates in order to secure traffic to their sites has been a costly and complicated endeavor. Fortunately, Let’s Encrypt and its free SSL/TLS certificates have transformed the landscape, giving domain owners the tools to turn on HTTPS for their websites easily.

A nonprofit certificate authority run by the Internet Security Research Group, Let’s Encrypt is backed by such internet heavyweights as Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai. How ubiquitous has HTTPS become? In October, Josh Aas, head of Let’s Encrypt and former Mozilla employee, posted a graph from Mozilla Telemetry showing that 50 percent of pages loaded that day used HTTPS, not HTTP. While the graph showed only Firefox users, the figure is still significant, because for the first time, the number of encrypted pages outnumbered unencrypted pages. NSS Labs expects the trend to continue, predicting that 75 percent of all Web traffic will be encrypted by 2019. Free certificate offerings will further accelerate adoption. By next year, the number of publicly trusted free certificates issued will likely outnumber those that are paid for, says Kevin Bocek, vice president of security strategy and threat intelligence at key-management company Venafi. Many enterprises will also start using free services. With certificate cost no longer a consideration, certificate authorities will focus on better tools to securely manage certificates and protect their keys. Speaking of certificate management, after years of warnings that SHA-1 certificates were weak and vulnerable to attack, enterprises are making steady progress toward upgrading to certificates that use SHA-2, the set of cryptographic hash functions succeeding the obsolete SHA-1 algorithm. Major browser makers, including Google, Mozilla, and Microsoft, have pledged to deprecate SHA-1 by the beginning of the year and to start blocking sites still using the older certificates.

Facebook stopped serving SHA-1 connections and saw “no measurable impact,” wrote Facebook production engineer Wojciech Wojtyniak. From May to October 2016, the use of SHA-1 on the web fell from 3.5 percent to less than 1 percent, as measured by Firefox Telemetry.

Enterprises can’t be complacent, though, since recent estimates from Venafi suggest approximately 60 million websites still rely on the insecure encryption algorithm. “We look forward to the industry's movement toward greater use of stronger certificates like SHA-256,” Wojtyniak said. Crypto is still king Cryptography has taken quite a beating over the past few months, with researchers developing cryptographic attacks such as Drown, which can be used to decrypt TLS connections between a user and a server if the server supports SSLv2, and Sweet32, a way to attack encrypted web connections by generating huge amounts of web traffic. Nation-state actors also have encryption in their crosshairs. Late last year, Juniper Networks uncovered spying code implanted in specific models of its firewall and Virtual Private Network appliances. Many experts believe the NSA was involved. Shortly after the cache of hacking tools allegedly belonging to the NSA made its way to underground markets this summer, Cisco discovered a vulnerability in its IOS, IOS XE, and IOS XR software that powers many of its networking devices.

The flaw, which could be used to extract sensitive information from device memory, was similar to the vulnerability exploited by the tools and was related to how the operating system processed the key exchange protocol for VPNs, Cisco said. Even Apple’s iMessage app, the poster child for how companies can bring end-to-end encryption to the masses, had its share of issues.

Cryptography professor Matthew Green and his team of students at Johns Hopkins University were able to develop a practical adaptive chosen ciphertext attack that could decrypt iMessage payloads and attachments under specific circumstances.

The team also found that iMessage lacked the forward secrecy mechanism, meaning attackers could decrypt previously encrypted messages, such as those stored in iCloud.

Forward secrecy works by generating a new key after a set period of time so that even if the attackers obtained the original key, the previously encrypted messages can’t be cracked. One thing remains clear despite all the bad news: Cryptography is not broken.

The mathematics behind cryptographic calculations remain strong, and encryption is still the best way to protect information. “The latest attacks have not been on the math, but on the implementation,” Waters says. In fact, encryption works so well that attackers rely on it, too.

Criminals are equally as capable of obtaining keys and certificates to hide their activities inside encrypted traffic.

The fact that this attack vector is fast becoming default behavior for cybercriminals “almost counteracts the whole purpose of adding more encryption,” Bocek says. Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code. Government backs down on backdoors Technology firms have always had to balance security and privacy concerns with law enforcement requests for user information.

FBI Director James Comey had been pushing hard for backdoors in technology products using encryption, claiming that increased use of encryption was hindering criminal investigations. While companies frequently quietly cooperate with law enforcement and intelligence requests, the unprecedented public showdown between the FBI and Apple showed that in recent years, enterprises are beginning to push back. The FBI backed down in that fight, and a bipartisan Congressional working group—with members of both House Judiciary and Energy & Commerce Committees—was formed to study the encryption problem.

The House Judiciary Committee’s Encryption Working Group unequivocally rejected Comey's calls for backdoors and advised the United States to explore other solutions. “Any measure that weakens encryption works against the national interest,” the working group wrote in its report. “Congress cannot stop bad actors—at home or overseas—from adopting encryption.

Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.” Weakening encryption so that police can break into encrypted devices would speed up criminal investigations, but it would be a short-term win "against the long-term impacts to the national interest," the working group warned.

Alternative strategies include giving law enforcement legal methods to compel suspects to unlock their devices and improving metadata collection and analysis. While the working group report indicates Congress will not pursue legal backdoors, other encryption-related battles are looming on the horizon.

The report seemed to support letting police use "legal hacking" to break into products using software vulnerabilities that only law enforcement and intelligence authorities know about, which poses its own security implications.

The technology industry has an interest in learning about vulnerabilities as soon as they are found, and not letting the government stockpile them with no oversight. As for Comey's "going dark" claim, the working group said “the challenge appears to be more akin to ‘going spotty.’” Adding to the enterprise tech stack Governments have been trotting out the terrorists “going dark” argument for years and will always play on those fears, says Mike Janke, co-founder and chairman of encrypted communications company Silent Circle. What's changing is that the enterprises are becoming more serious about securing their communications stack and are less willing to compromise on those features. Many organizations were shocked at the extent of government surveillance exposed by former NSA contractor Edward Snowden.

They reacted by integrating secure video and text messaging tools along with encrypted voice calls into the enterprise communications stack, Janke says.

Encryption is now a bigger part of the technology conversation, as enterprises ask about what features and capabilities are available.
IT no longer treats encryption as an added feature to pay extra for, but as a must-have for every product and platform they work with. Consumers were outraged by the surveillance programs, and anecdotal evidence indicates many have signed up for encrypted messaging apps such as WhatsApp and Signal.

But for the most part, they aren't paying for secure products or changing their behaviors to make privacy a bigger part of their daily lives. The change is coming from CSOs, vice presidents of engineering, and other technical enterprise leaders, because they're at the forefront of making security and privacy decisions for their products and services. With Tesla now digitally signing firmware for every single one of its internal components with a cryptographic key, it's easier to ask TV manufacturers or toymakers, "Why aren't you doing that?" says Janke. Consumers are the ones who will benefit from encryption built in by default as enterprises change their mindset about the importance of encryption.  Riding the innovation wave Cryptography tends to go in waves, with important innovations and research from 2005 to 2006 finally coming out as practical applications. Researchers are currently looking at improving the "precision of encrpytion," instead of the current model of all or nothing, where if something is exposed, everything gets leaked. "Encrpytion can be precise like a scalpel, giving fine-grained control over the information," Waters says. Google has looked at cryptography in its experiments with neural networks. Recently, its Google Brain team created two artificial intelligence systems that was able to create their own cryptographic algorithm in order to keep their messages a secret from a third AI instance that was trying to actively decrypt the algorithms. The dawn of quantum computing will also spur new avenues of research. “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” wrote the National Institute of Standards and Technology in a public notice. Once such machines become widely available, “this would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere." To prepare for that eventuality, NIST is soliciting work on "new public-key cryptography standards," which will "specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.” The submission deadline is Nov. 30, 2017, but NIST acknowledges the work will take years to be tested and available, noting that "historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure." “Regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing,” NIST said. There have been a number of intriguing advances in cryptography, but it will likely be years before they become available to enterprise IT departments, and who knows what form they will take.

The future of cryptography promises even more security.

The good news is we are already experiencing some of the benefits now.
reader comments 18 Share this story Google Brain has created two artificial intelligences that evolved their own cryptographic algorithm to protect their messages from a third AI, which was trying to evolve its own method to crack the AI-generated crypto. The study was a success: the first two AIs learnt how to communicate securely from scratch. Enlarge / The setup of the crypto system. P = input plaintext, K = shared key, C = encrypted text, and PEve and PBob are the computed plaintext outputs. The Google Brain team (which is based out in Mountain View and is separate from Deep Mind in London) started with three fairly vanilla neural networks called Alice, Bob, and Eve. Each neural network was given a very specific goal: Alice had to send a secure message to Bob; Bob had to try and decrypt the message; and Eve had to try and eavesdrop on the message and try to decrypt it. Alice and Bob have one advantage over Eve: they start with a shared secret key (i.e. this is symmetric encryption). Importantly, the AIs were not told how to encrypt stuff, or what crypto techniques to use: they were just given a loss function (a failure condition), and then they got on with it. In Eve's case, the loss function was very simple: the distance, measured in correct and incorrect bits, between Alice's original input plaintext and its guess. For Alice and Bob the loss function was a bit more complex: if Bob's guess (again measured in bits) was too far from the original input plaintext, it was a loss; for Alice, if Eve's guesses are better than random guessing, it's a loss. And thus an adversarial generative network (GAN) was created. Alice, Bob, and Eve all shared the same "mix and transform" neural network architecture, but they were initialised independently and had no connection other Alice and Bob's shared key. For Alice the key and plaintext are input into the first layer of the neural network; for Bob the key and the ciphertext were input; and for Eve, she got just the ciphertext. The first layer is fully-connected, so the text and key can mix about. Following the first layer there are a number of convolutional layers, which learn to apply a function to the bits that were handed to it by the previous layer. They don't know what that function might be; they just learn as they go along. For Alice, the final layer spits out some ciphertext; Bob and Eve output what they hope is the plaintext. Enlarge / Bob and Eve's reconstruction errors during training. You can see that Eve starts to improve, but then a change in the Alice-Bob crypto method shuts her out again. The results were... a mixed bag. Some runs were a complete flop, with Bob never able to reconstruct Alice's messages. Most of the time, Alice and Bob did manage to evolve a system where they could communicate with very few errors. In some tests, Eve showed an improvement over random guessing, but Alice and Bob then usually responded by improving their cryptography technique until Eve had no chance (see graph). The researchers didn't perform an exhaustive analysis of the encryption methods devised by Alice and Bob, but for one specific training run they observed that it was both key- and plaintext-dependent. "However, it is not simply XOR. In particular, the output values are often floating-point values other than 0 and 1," they said. In conclusion, the researchers—Martín Abadi and David G. Andersen—said that neural networks can indeed learn to protect their communications, just by telling Alice to value secrecy above all else—and importantly, that secrecy can be obtained without prescribing a certain set of cryptographic algorithms. There is more to cryptography than just symmetric encryption of data, though, and the researchers said that future work might look at steganography (concealing data within other media) and asymmetric (public-key) encryption. On whether Eve might ever become a decent adversary, the researchers said: "While it seems improbable that neural networks would become great at cryptanalysis, they may be quite effective in making sense of metadata and in traffic analysis." You can read the researchers' preprint paper on arXiv. This post originated on Ars Technica UK
Cryptor malware programs currently pose a very real cybersecurity threat to users and companies.

Clearly, organizing effective security requires the use of security solutions that incorporate a broad range of technologies capable of preventing a cryptor program from landing on a potential victim’s computer or reacting quickly to stop an ongoing data encryption process and roll back any malicious changes. However, what can be done if an infection does occur and important data has been encrypted? (Infection can occur on nodes that, for whatever reason, were not protected by a security solution, or if the solution was disabled by an administrator.) In this case, the victim’s only hope is that the attackers made some mistakes when implementing the cryptographic algorithm, or used a weak encryption algorithm. A brief description The cryptor dubbed Polyglot emerged in late August.

According to the information available to us, it is distributed in spam emails that contain a link to a malicious RAR archive.

The archive contains the cryptor’s executable code. Here are some examples of the links used: hXXp://bank-info.gq/downloads/reshenie_suda.rar hXXp://bank-info.gq/downloads/dogovor.rar When the infected file is launched, nothing appears to happen. However, the cryptor copies itself under random names to a dozen or so places, writes itself to the autostart folder and to TaskScheduler. When the installation is complete, file encryption starts.

The user’s files do not appear to change (their names remain the same), but the user is no longer able to open them. When encryption is complete, the cryptor changes the desktop wallpaper, (interestingly, the wallpaper image is unique to each victim) and displays the ransom message. The cryptor’s main window New desktop wallpaper with the “open key” block unique to each victim computer The user is offered the chance to decrypt several files for free. The free trial decryption window After this, the user is told to pay for file decryption in bitcoins.

The cryptor contacts its C&C, which is located on the Tor network, for the ransom sum and the bitcoin address where it should be sent. C&C communication window From this moment on, the cryptor allows the user to check the ransom payment status on the C&C. Ransom payment details If the ransom is not paid on time, the cryptor notifies the user that it’s no longer possible to decrypt their files, and that it is about to ‘self-delete’. Last window displayed by Polyglot Imitating CTB-Locker Initially, this cryptor caught our attention because it mimics all the features of another widespread cryptor – CTB-Locker (Trojan-Ransom.Win32.Onion).

The graphical interface window, language switch, the sequence of actions for requesting the encryption key, the payment page, the desktop wallpapers – all of them are very similar to those used by CTB-Locker.

The visual design has been copied very closely, while the messages in Polyglot’s windows have been copied word for word. The main graphical interface windows: Polyglot CTB-Locker List of encrypted files: Polyglot CTB-Locker Window for the trial decryption of 5 random files: Polyglot CTB-Locker The private key request window: Polyglot CTB-Locker The desktop wallpapers: Polyglot CTB-Locker The ‘connection failed’ error message: Polyglot CTB-Locker Offline decryption instructions: Polyglot CTB-Locker The similarities do not stop there.

Even the encryption algorithms used by the cybercriminals have clearly been chosen to imitate those used in CTB-Locker. Polyglot CTB-Locker Algorithms used for file encryption File content is packed into a ZIP archive and then encrypted with AES-256. File content is compressed with Zlib and then encrypted with AES-256. Algorithms used while working with the keys ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256. ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256. Extensions of encrypted files File extensions are not changed. File extensions are changed, depending on version:– .ctbl– .ctb2– 7 random lower-case Latin symbols Demo decryption 5 files are decrypted for free as a demo.

Their decryption keys and file names are saved in the registry. 5 files are decrypted for free as a demo.

Their decryption keys are only stored in the RAM memory while the process is running. C&C location C&C is in the Tor network, communication is via a public tor2web service. C&C is in the Tor network, communication is via a Tor client integrated into the Trojan, or (in some versions of CTB-Locker) via a public tor2web service. Traffic protection / obfuscation Bitwise NOT operation. AES encryption. That said, we should note the following: a detailed analysis has revealed that Polyglot was developed independently from CTB-Locker; in other words, no shared code has been detected in the two Trojans (except the publicly available DLL code). Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack and that there was no hope of getting files decrypted for free. C&C communication The Trojan contacts the C&C server located on Tor via a public tor2web service, using the HTTP protocol. Prior to each of the below data requests, a POST request is sent with the just one parameter: “live=1”. Request 1. At the start of operation, the Trojan reports the successful infection to the C&C.

The following data is sent to the C&C: {“ip”:”xxx.xxx.xxx.xxx”,         //ip address of the infected computer“method”:”register”,         //action type. “register” = Trojan informs C&C of new infection“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”,         //Infected computer’s ID“version”:”10f”,         //Trojan version contained in its body“info”:”Microsoft (build xxxx), 64-bit”,         //OS version on the infected computer“description”:” “,         //Always a whitespace (” “)“start_time”:”14740xxxxx”,         //Trojan’s start time“end_time”:”0″,         //Encryption finish time. 0 = no encryption has run yet“user_id”:”5″         //Number hardwired in the sample} This data block is passed through a bitwise NOT operation, encoded into Base64 and sent to the C&C in a POST request. Contents of the sent request Parameters of the POST request: signature – CRC32 from the sent dataver – Trojan versiongcdata – data, with contents as described above. Request 1 and the reply received from the C&C Request 2. When the Trojan has finished encrypting the user’s data, it sends another request to the C&C.

The content of the request is identical to that of request 1 except the field “end_time”, which now shows the time encryption was completed. Request 3. This is sent to the C&C to request the bitcoin address for payment and the ransom sum to be paid. {“method”:”getbtcpay”“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”} The C&C replies to this request with the following data: {“code”:”0″,“text”:”OK”,“address”:”xxxxxxxx”,         //bitcoin address (may vary)“btc”:0.7,         //amount to be paid in BTC (may vary)“usd”:319.98         //amount to be paid in USD (may vary)} Request 4. This is sent to request a file decryption key from the C&C. {“method”:”getkeys”,“key”:””,“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”,“info”:[“DYqbX3m9u0Pk9bE9Rg2Co3empC2M/yrnqgNS3r0AT2vwCw8Zas08bd4BNiO3XuAqi6/5WQ0VBiUkRUToo+YFL/QtPkiRIQ/D9RyKhzpBHlNpf2hPb9eloDzpkonQl7L6cQyJ2FipEG2ggZOdTDBcNAEAAAA=”]} Request 5. The Trojan reports that data decryption has been completed and states the number of decrypted files to the C&C. {“method”:”setend”,“uid”:”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”,“decrypted”:”1″} Description of the encryption algorithm During our analysis of the malicious code, it became evident that the Trojan encrypts files in three stages, creating intermediate files: First, the original file is placed in a password-protected ZIP archive.

The archive has the same name as the original file plus the extension “a19”; Polyglot encrypts the password-protected archive with the AES-256-ECB algorithm.

The resulting file again uses the name of the original file, but the extension is now changed to “ap19”; The Trojan deletes the original file and the file with the extension “a19”.

The extension of the resulting file is changed from “ap19” to that of the original file. Flowchart of the search and file encryption actions performed by Polyglot A separate AES key is generated for each file, and is nothing more than a ‘shared secret’ generated according to the Diffie-Hellman protocol on an elliptic curve. However, first things first. Before encrypting any files, the Trojan generates two random sequences, each 32 bytes long.

The SHA256 digests of each sequence become the private keys s_ec_priv_1 and s_ec_priv_2.

Then, the Bernstein elliptic curve (Curve25519) is used to obtain public keys s_ec_pub_1 and s_ec_pub_2 (respectively) from each private key. The Trojan creates the structure decryption_info and writes the following to it: a random sequence used as the basis for creating the key s_ec_priv_1, the string machine_guid taken from the registry, and a few zero bytes. struct decryption_info {        char s_rand_str_1[32];        char machine_guid[36];        char zeroes[12];}; Using the private key s_ec_priv_2 and the cybercriminal’s public key mal_pub_key produces the shared secret mal_shared_secret = ECDH(s_ec_priv_2, mal_pub_key).

The structure decryption_info is encrypted with algorithm AES-256-ECB using a key that is the SHA256 digest of this secret.

For convenience, we shall call the obtained 80 bytes of the encrypted structure encrypted_info. Only when Polyglot obtains the encrypted_info value does it proceed to generate the session key AES for the file. Using the above method, a new pair of keys is generated, f_priv_key and f_pub_key. Using f_priv_key and s_ec_pub_1 produces the shared secret f_shared_secret = ECDH(f_priv_key, s_ec_pub_1). The SHA256 digest of this secret will be the AES key with which the file is encrypted. To specify that the file has already been encrypted and that it’s possible to decrypt the file, the cybercriminals write the structure file_info to the start of each encrypted file: struct file_info {        char label[4] = {‘H’,’U’, ‘I ‘, 0x00};        uint32_t label2 = 1;        uint64_t archive_size;        char f_pub_key[32];        char s_ec_pub_1[32];        char s_ec_pub_2[32];        char encrypted_info[80];}; The elliptic curve, the Diffie-Hellman protocol, AES-256, a password-protected archive – it was almost flawless.

But not quite, because the creator of Polyglot made a few mistakes during implementation.

This gave us the opportunity to help the victims and restore files that had been encrypted by Polyglot. Mistakes made by the creators As was mentioned earlier, all the created keys are based on a randomly generated array of characters.

Therefore, the strength of the keys is determined by the generator’s strength.

And we were surprised to see the implementation of this generator: A graphical representation of the random sequence generation procedure Let’s convert this function into pseudocode so it’s easier to follow: Please note that when another random byte is selected, the entire result of the function rand() is not used, just the remainder of dividing the result by 32. Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC. Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.

Although there was a password-protected archive below the layer of symmetric encryption, we already knew that the cybercriminal had made another mistake. Let’s look at how the archive key is generated: We can see that the key length is only 4 bytes; moreover, these are specific bytes from the string MachineGuid, the unique ID assigned to the computer by the operating system.

Furthermore, a slightly modified MachineGuid string is displayed in the requirements text displayed to the victim; this means that if we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive. The MachineGuid string displayed in the requirements screen Conclusion Files that are encrypted by this cryptor can be decrypted using Kaspersky Lab’s free anti-cryptor utility RannohDecryptor Version 1.9.3.0. All Kaspersky Lab solutions detect this cryptor malware as:Trojan-Ransom.Win32.PolyglotPDM:Trojan.Win32.Generic MD5 c8799816d792e0c35f2649fa565e4ecb – Trojan-Ransom.Win32.Polyglot.a
Enlarge / The US Navy Bombe used during World War II to break Germany's Enigma encryption system.National Security Agency reader comments 12 Share this story When you're an applied cryptographer, teaching your preteen daughters what you do for a living isn't easy.

That's why Justin Troutman developed PocketBlock, a visual, gamified curriculum that makes cryptographic engineering fun. In its current form, PocketBlock is a series of board-like grids that allows players to transform plaintext messages into secret ciphertext and convert it back again, one move at a time.

By restricting the operations to little more than addition and subtraction performed by rearranging squares on a piece of paper, PocketBlock helps students understand the fundamentals of encryption without requiring a formal background in mathematics.

At the same time, it stays true to the principles of modern cryptography and goes well beyond the classical cryptographic concepts, like the Caesar cipher, reserved for the most kid-centric material on cryptography today. "The goal is for kids to feel like they've worked with something of substance, to an extent that intrigues them," Troutman, a trained cryptographer who is currently the project manager at the Freedom of the Press Foundation, told Ars. "[PocketBlock] introduces cryptography as everything from a pillar of the modern Web to the tradecraft of spies past.
It introduces the same cryptographic concepts that I work with as a cryptographer in industry—the same underpinnings you'll find in academic papers.
It reduces these concepts to easy-to-solve problems and uses a visual language to map what happens to bits as they travel through a cryptographic algorithm." Enlarge While suitable for kids eight and older, PocketBlock is by no means restricted to kids.

Troutman said it's also suitable for professional developers who want to deepen their understanding of the way cryptographic algorithms work, given that they're often implementing them.
So far, Troutman has used PocketBlock in four workshops: for kids of all ages at r00tz Asylum (Defcon 24), for middle school girls at a Hackers Girls Summer Camp sponsored by Facebook, for high school students at Cal Poly SLO's EPIC engineering summer camp, and for professional developers at Facebook's internal Hacktober event. The first entry in the PocketBlock series is called Pockenacci (pronounced POCK-uh-notch-ee), an authenticated encryption scheme that introduces the inner workings of a block cipher. Pockenacci includes a simple key schedule based on Fibonacci-style addition, which transforms a password into a cryptographic key; two P-boxes that permute, or shift, the location of characters inside the plaintext message; an S-box that substitutes one character for another; and a Message Authentication Code for verifying that an adversary hasn't tampered with an encrypted message while it was in transit. Adolescent Encryption Standard The next entry will be "aes," or the "adolescent encryption standard," a version of the Advanced Encryption Standard that has been simplified enough to be done by hand. While it has been scaled down, Troutman said it will retain the full structure of AES. In its current form, PocketBlock mostly resembles a crude board game, but Troutman said this is just the early curriculum-based stage. He has plans to expand PocketBlock to an interactive app for tablets with tangible components like physical, programmable blocks that work with the app for more of a hands-on experience.
In addition, Troutman is also planning to integrate a narrative interactive fiction environment in which players use their newfound crypto skills to complete missions.

The first installment of this narrative adventure will be titled "Mudspeak." "The goal of this narrative, interactive-fiction-esque component is to gamify things even more, by having players both build and break ciphers in order to level up," Troutman said. "They'll need to build ciphers in order to set up secure and private communication, break ciphers in order to read secret messages, and forge new ones.

Completing missions will depend heavily on keeping their secrets safe while learning the secrets of their opponents." The PocketBlock curriculum source is free and open source and available on the official PocketBlock repo on Github. Project updates and upcoming workshops can be found at the official PocketBlock website.