črypto is finished... and it's about time × (also: 'Balrog' malnet, firsthand view)

To stay ahead of new and evolving threats, cryptostorm has always looked out past standard network security tools. Here, we discuss and fine-tune our work in bringing newly-created capabilities and newly-discovered knowledge to bear as we keep cryptostorm in the forefront of tomorrow's network security landscape.
User avatar
Posts: 612
Joined: Sun Dec 16, 2012 6:34 am

črypto is finished... and it's about time × (also: 'Balrog' malnet, firsthand view)

Post by Pattern_Juggled » Tue May 12, 2015 11:27 pm

{direct link: cryptostorm.ch/balrog}

This essay forms one section of a broader paper describing a global survellance technology we have dubbed Corruptor-Injector Networks (CINs, or "sins") here at cryptostorm. As we have worked on the drafting and editing of the larger paper, we saw as a team the need for a first-hand perspective to help provide a tangible sense of how CINs work and why understanding them is so vitally important to the future of network security.

I was nominated to write the first-person account, in large part because I have spent the better part of two months entangled with a particular CIN ("painted" by it - i.e. targeted). That experience, it was decided, may prove helpful for readers as it represents what is likely to be a nearly-unique frontline report from someone who is both engaged in research in this field as a professional vocation, and who was personally painted by the preeminent CIN in the world today. Despite misgivings about revisiting some of this experience, I see the wisdom in this decision and here I am pecking away at this esay. It's late, as I've found it a challenge to comport my experience with a cohesive, easily-digested narrative arc. What follows is the best I'm able to do, when it comes to sharing that experience in a way that is intended to help others.

Specifically, I hope to accomplish two things. One, and most importantly, I am sharing what amounts to loosely-defined diagnostic criteria for those concerned they have been painted by a CIN... or who are in a later-stage state of deeply-burrowed infection by the CINs implants. In the last month or so, I have been deluged by people concerned they may be targeted or infected. While I have done my best to reply with useful advice our counsel, more often than not I've been unable to provide much of either. This essay is my attempt to fill that gap.

Apart from the designers and operators of this CIN, I am likely more familiar with the operational details if it as it exists today than anyone else in the world - by a long stretch. I have invested many hundreds of deep-focus hours in this work, with only a small minority of that being solely directed at disinfecting my - and our - machines locally, at cryptostorm. The majority has involved, to be blunt, using myself as an experimental subject... allowing my local machines to reinfect via the painting profile, and then trying to limit the spread of, and eventually revers the footorint of, the infection modules/payloads themselves. I have iteratively followed that painting-injection-infection-corruption trajector through dozens of iterations, countless kernels rotted from the inside-out and simply erased as they were beyond salvation. This knowledge base all but obligates me to share what I have learned, such as it is, so others can leverage the hard-won bits of insight I've been able to collate from all this dirty tech.

The second goal of this paper is to communicate the scale, scope, and pressing urgency of CINs as a research and mitigation subject of highest priority to anyone working in the information security field today. That's a big task. I will do my best to share the broad outline of what we, at cryptostorm, have watched accelerate into the biggest, most dangerous, most complex threat we see to internet security and privacy for the next five years.

Let's get to work.

  • & crypto really is finished.
    ...once we finish this amble,
    ...that conclusion is inescapable,
    ...its consequences both subtle & profound.

Ց forest, trees, & the sum of parts

It wouldn't be too far-fetched to say that info security is a solved problem, or was before the CINs implanted themselves in the middle of things. That sounds bizarre to say, since by all accounts the State of InfoTec is... abyssmal. Stuff is broken, everywhere; everything gets hacked by everyone, all the time. Nobody follows good security procedure, and the net result veers between chaos and satire. That's all true, no question - but in theoretical terms, I stand by the assertion that infosec was essentially solved. How to implement those solution compoments... well, that's different question entirely.

When it comes to understanding how to mitigate, manage, and monitor security issues in technology, we know how: every attack vector has its defensive tools that, if applied correctly, pretty much work. This state of affairs is so ingrained in our thinking, from within infosec, that it's tough to step back and really see how prevasive it is. As much as we all know there's horrible implementation failure out there, nobody is (or was) home alone late at night, wringing hands and sighing dejectedly... utterly stumped by a question of how to defend against a particular attack. Rather, a few minutes perusing InfoSec Taylor Swift's twitter feed... err I mean "searching the web," is enough to turn up some pretty solid knowledge on any imaginable infosec topic, from post-quantum cryptographic systems to gritty OpSec-spy advice, and off to baked-in processor hardware attack models. Winnow down the advice to the stuff that seems legit, figure out the cost and complexity of putting it in production, and off we go. This we all assume is simply the lay of the land in our corner of the world.

Corruptor-Injector networks throw that somewhat comfortable state of affairs on its head in a rude, unsettling, and comprehensive way.

This is a qualitatively different sort of security threat than is, for example, "malware" or "the fast-approaching arrival of engineered AES128 collisions" - CINs are as different from such componentry as is a castle from a jumble of uncut boulders sitting in a field. All the expertise out there, developed to thwart countless sub-sub categories of security threats to computers and the networks we use to connect them, finds itself marooned in the dry terrain of "necessary, but not sufficient." That is to say, we will need all those skills to avoid an otherwise-eventual "CINtastrophe" in which the sticky extremeties of fast-mutating, competing CINs drown the internet in a morass of corrupted data, broken routes, unstable connections, and infected packets. But we'll also need more.

Which is the first important point in all of this, and one it took me more than a month of more-than-fulltime study of this subject to finally realise in one of those "oh, wow... now I get it" moments. I'm going to boldface this, as it's a core fact: no individual functional component of CINs is - or need be - new, or unknown, or freshy-discovered, or surprisingly clever and far ahead of the curve in its specialised explot category. It's all alread seen, observed, documented, and on most all cases, reasonably well understood in the civilian world. Cryptostorm has not, nor do we claim to have, "discovered a new exploit" or attack vector that nobody has previously noted or published. The sense of urgency and... dread (not the right word, but it'll do for now) we feel and are communicating recently isn't based on a novel discovery.

Even more so, the entire concept of CINs - if not the name itself - and the example of one created by the NSA, were thrown into stark, inescapably real status by the whistleblowing of Edward Snowden in 2013. There's a hefty pile of NSA slide decks, and civilan commentary, freely available to confirm that's the case (we're collecting it all in the closing segment of this full essay, as well as in our newly-birthed community research library. It's all there, in black and white... nearly two years ago, with additional follow-on disclosures continuing along the way.

So if that's the case, why are we all hot & bothered at cryptostorm about CINS? After all, they're neither made of new pieces nor even a newly-discovered category themselves - nothing to see, move right along. I'll admit that I was, unconsciously, in that mindset abou this segment of the Snowden archives. I read them - skimmed, more like - and essentially filed them under the "interesting, but not core" tag in my internal filing model. Yes, malware... you get it, bad things happen. Don't click on dodgy links, or download "free" porn. There are pages about injectors and FoxAcid, and QuantumInsert, and so on... but it all seemed mostly Tor-specific and anyway not terribly front & centre. I say this not because I misunderstood the mechanisms - MiTM is not a new concept for any of us on the team, here - but rather because I miss the implictions entirely.

We all did, or nearly all. That's despite Snowden himself taking some effort to return focus to this category, even as we all hared off into various sub-branches of our own particular desire: crypto brute-forcing, mass interception, hardware interdiction and modification, and so on. Not surprisingly, Mikko (Hypponen) calls out as something of a lone voice, in his early-published quotes on these attack tools, in really clearly pointing out that there's something fundamentally different about this stuff. Here he is, from March of 2014, in The Intercept:
"“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.” Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.” “That would definitely not be proportionate,” Hypponen says. “It couldn’t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.”
[b"]Wholesale infection."[/b] That's the visible symptom, and it's the sharp stick in the eye that I needed to break my complacency. Mikko calls this category "disturbing" and warns that it risks "undermining the security of the Internet." That's no hyperbole. In fact, the observable evidence of that critical tipping-point having already been crossed is building up all around us.

All this doom-and-gloom from something that doesn't really have any new parts, and has been outed to public visibility for years... how can that be? CINs are powerful because of their systems-level characteristics, not (merely) because of their fancy building blocks. Just like the castle, vastly more useful as a defensive tool than a big pile of boulders, CINs take a bunch of building blocks and create an aggregated system ouf of them that's of a different order entirely.

The forest is greater than the sum of the trees, in other words. Much greater.

ՑՑ "...proceed with the pwnage”
“Just pull those selectors, queue them up for QUANTUM, and proceed with the pwnage,” the author of the posts writes. (“Pwnage,” short for “pure ownage,” is gamer-speak for defeating opponents.) The author adds, triumphantly, “Yay! /throws confetti in the air.”
One of the things we know - or knew, really - about infosec is what it means to be "infected" with "malware" or "badware" or whatever term is enjoying its 15 PFS re-keyings of fame. You do something dumb, like stick a big wiggly floppy drive into your TRS-80 that you got from some shady dude at the local BBS meet-up, and now you "have it." The virus. It's in your computer...
If you do silly-dumb things and bad stuff gets into your computer, then you have to... get it out of your computer, of course. A entire industry (dubious as it is) exists to keep bad things from getting in - "antivirus" - and a parallel sub-industry specialises (not terribly successfully) in getting it out when it gets in. THis same model scales up to corporate entites, except it all costs alot more money for the same not-really-effective results. Firewalls keep bad stuff out, and scanners find it when it gets in so it can get removed.

Simple - even if tough to do in practice. CINs are different.

It took me most of a month to figure this out, too. At first, in early March, I noticed odd browser activity in several machines I'd been using to do research and fine-tuning for our torstorm gateway. I whipped out my analyzers and packet-grabbers and browser-session sniffers, and got to work figuring out what had infected the machines. Because that's how this works: if you are unlucky or unwise, you disinfect. It's tedious and not always totally successful, but it isn't complex or intellectually challenging. Indeed, I was quite sure I knew with some precision what vector had infected me - and I had (still have) the forensics to demonstrate it. Feeling a bit smug, I took the weekend to collate data, write up some findings, clean the local network, and prepare to pat myself on the back for being such an InfoSec Profesional.

Then the weird stuff started happening again, on the computer I'd somewhat meticulously "cleaned" of any odd tidbits. Hmm, ok. I suck at hardware, as everyone knows, so clearly I just didn't do a good job of disinfecting - this is not unusual. Back to the salt mines, to disinfect again. This time I roped in most all of the rest of the cryptostorm staff computers, to disinfect those... a security precaution in case I gave what I had to others on the team, somehow. I still didn't really know what it was doing ("it") in the browser, specifically... but who cares? Wipe the browser to the bare earth, or if needed reinstall the entire OS image ground-up. Problem not. Done.

I took the opportunity of this extravagant downtime - nearly a whole week without being on the computer for academic or cryptostorm work, amazing! - to pick up a new laptop. Actually new, in the box - something odd for me, as I tend towards ragged conglomerates of old machines. Once again feeling smug, I laid out some elegant UEFI partitions - tri-boot, look at me being all tech! Packages updated, repositories lovingly pruned and preened with bonsai attention. I left the drives from the old infected machines, in my local network, off in a pile for later analysis and file removal. Safety first, right? No way this nasty stuff will jump onto the new, "clean" boxes I've spent days setting up.

Then the new box went weird, all at once. Not just one partition, either: I'd boot into Win and sure enough the browser would get baulky and jagged and cache-bloated if I hopped around to a few sites... not even the same sites I'd visited when I was in the lenny partition.. That matters, because we assume - unconsciously - that we get infected from a specific site. It's got bad files on the server, you visit the server, and you have those files come down to your machine via your browser. Maybe it's a creepy flash file making use of the endless deluge of flash 0days, or whatever. The file comes from a server.

But I didn't visit any of the same sites, on these different operating systems I'd just used on my new laptop... not an intentional choice, but looking back I knew it was a clean split between the two groups of sites. But now I certainly seemed to have the same problem on a brand-new, well-tightened (as much as one can, because WIndows) OS instance - with no overlap in sites visited. That's sort of weird, isn't it?

Well, ok... thinking... hmmm. And as I'm thinking, the Windows partition locks up tight. No surprise there, it happens... though with only a couple plain-jane websites loaded in Firefox? On a brand-new laptop? Odd, but whatever: Windows. Reboot, and it'll be happy once again.

I push the power button to reboot the laptop. It powers off, by all appearances... and then simply sits like turd in the hot sun. It's a new-fangled laptop, no way to do anything to it but push the power button. Heck even the battery is locked inside tight. I push, and push, and push... nothing. And my mind is repeating two words: fucking hardware. Hardware is the bane of my existence. Two days old, and a new laptop won't even power up. Hardware and I have a fraught relationship. I go through the grief stages, sort of... first is denial - it can't be broken, no way! - and then the next one is anger - damned piece of garbage, amazing how shoddy things are!

...I think there's three more stages, but I don't remember them because I was so pissed off.

Also the laptop got a bit dented-up along the way. I was frustrated: a week's worth of fiddling with hardware and kernels, and I was one step backwards from where I'd begin. No stable partition. No stable local machines, known-clean. No real idea of the infection vector, as my assumed model wasn't doing well as new data arrived. Plus now I just had an angry shouting match with a laptop that won't boot (not much shouting from that side of things)... this is really, really not me at all. But I'm feeling, at that point, a powerlessness... a sense of non-confidence in my own ability to run a computer. This might be like a truck driver who suddenly forgets how to operate the transmission in her daily driver: really humiliating, and self-eroding, isn't it?

In the dozen or two cases of people I've talked to who also have been painted by this CIN, that powerlessness feeling is a universal marker. Many are high-level tech notables, and the concept of not being able to make a computer run cleanly is... utterly foreign. As a group, we're the kids who built computers from blurry blueprints published in Byte magazine, metaphorically speaking. We not only fix computers for friends and family when they won't work, we're the ones who the people who first tried to fix them come to when they can't fix them. It's been like that all our lives. It's sort of who we are, at some level.

And then there's these computers sitting in front of us that don't work. Or, they work for a while - a few days, maybe - and then they start sliding downhill. Browser slows, then gets GPU/CPU intensive. Lots of activity from it, even when no page loads are happening visibly - or maybe only a tab or two are open. Bidirectional traffic, noted by most of us who ifconfig'd or nload'd or iptraf'd the boxes when things took a strange turn.

Next, graphical irregularities that go beyond the browser. Fonts aren't rendering quite right... or if they do, they render well but have these "slips" where they get a bit pixellated... but only for a minute or ten, and they come back. Those of us attuned to such things note that strange tls/ssl errors spin up: mismatched certs, subtle but if one's browser is a bit snooty about credentials, they appear. Maybe a certificate for a site that doesn't match the site's URL... well ok not uncommon, except in these cases it's for sites that we know have matching certs, to the character. But they're transient.

Wireshark it. But.. wireshark crashes. Update wireshark... and suddently you find yourself downloading a really big package relative to what you are pretty sure a basic wireshark binary should be. You google that, to confirm... and as you do, you notice that there's a bunch of other packages hitching a ride on that wireshark update... how'd that happen? More googling, but as you do, your machine is doing stuff. Htop and...wtf? Lots of new processes, not stuff you are used to seeing. Bluetooth? You disabled it ages ago. Avahi... what the hell is that? Cups? I don't even own a printer.

You google each one, and they're legit packages... but packages you've never intentionally installed or configured. And no big version upgrades lately, to the kernel, either... hmmm. Look at the config files for these unexpected arrivals - eeek! Ports open, remote debugging activated... that's not default settings, and you sure as heck didn'[t set those, did you? Meanwhile the CPU is hot, the hard disk platters are spinning continuously, and the blinkenlight on the NIC is a solid LED.

Those who are reading this and have experienced some or all of that, you know what I'm describing. You can feel your OS eroding out from underneath you... but how to stop it? And how did it get in, since that's a new machine with no hardware in common with the old (infected) ones. Perhaps you go on a config jijad, like I did (many times): manually reviewing every config file of every bloody package on the bloody machine, and manually resetting to values you think sound legit... because who can google them all? Packages crash, you didn't set values right. Reading, googling, page 7 of the search results and still nobody will just post the syntax that made the damned whatever-it-is do its thing without barfing!

...what did you see??!?
Ah, yes, now you're feeling the burn. If you looked in cache (or Cache, or Media Cache - wtf? - or .cache, or...) you see gigabytes of weirdly symmetrical, hard-symmetric-encrypted blobs overflowing, in all directions. Purge cache, and it builds back up. Plug the NIC in, and traffic screams out... you didn't even up the adapter yet! And is that your wifi adapter chattering away? That was disabled, too...

Eventually you reboot yet one more time, and the grub menu is... not the same. You run grub2/pc, and this is old-skool grub, or whatever. Is your kernel image listed differently? No way... that's not possible. You mention these odd things to colleagues or friends, and they rib you about it: "stop clicking on porn, and you won't get infected again!" But you actually didn't... which is troubling in all sorts of ways.

Read boot logs closely, and you might see paravirtualisation come up. And/or KVM. If you run windows, the equivalent there. But you didn't install a virtualised kernel. Maybe you are like me, and you get downright obsessive about this: iterate through possible infection mechanisms, between boxes. Calculate RFC ranges for NFC devices you know are disabled, but who knows..? Consider that air-gapped subsonic infection magic that at first seemed legit, then got pissed all over, but is almost certainly legit and was alll along... do you need to actually find a Faraday cage to put your computer in?

Unplug from the network entirely, hard-down adapters at the BIOS. Machine is stable. OK. But... useless, right? DIsable IP6, wreck bluetooth physically with a screwdriver, read up in WiMax and all that weird packet-radio stuff (there goes a weekend of your life you'll never get back). Start manually setting kernel flags, pre-compile... only to see the "new" initrd image hash-match to the infected one. Learn about config-overrides, and config-backups, and dpkg-reconfigure, and apt-cache, and... there's a few more weeks.

Plug back into the internet after all that - static IP on a baseline wired ip4 NIC, no DHCP packages even installed, ffs! - first packet goes to cstorm to initiate a secure session. Rkhunter at the ready, unhide(s) spooled up... iptraf running, tcpdump dumin'... an hour later, having logged in to a couple sites to check week's worth of backlogged correspondence, and the browser starts slowing. Task manager shows big caches of javascript and CSS and images and... oh, no. Check your browser config files, manually - the ones you manually edited for hours last night, and set chattr +i. They're reverted somehow. There's a proxy enabled, and silent extensions with no names and no information when you look for matches by their thumbprints.

Kill your browser with pkill -9... but the browser in your window is still there. htop.... is that legit, or is that a remote xterm session? Why is sshd running? Who enabled Atari filesystem, ffs!

So it goes...

ՑՑՑ “Owning the Net”

In the first week or two after I got painted, I stuck the name of "SVGbola" on the malware I had captured... because .svg-format font files are one of the mechanisms used for the initial inject of targeted network sessions, and because ebola ofc. But quickly I saw that there were other vectors, they seemed to evolve over time. I'd block or disable or find a way to mitigate one clever ingress tactic, and a few hours later I'd see the telltale cache-and-traffic stats begin climbing... not again. Two or three days of frantic battle later, and I'd learned about a couple more attack/inject tactics, but still had no damned idea what tied them together

I'd intentionally been avoiding reading those old NSA slide decks, as I didn't want to taint my perceptions with a "one holds a hammer, and the world become a nail" dynamic. But it was time to dig into the literature (using a borrowed touchpad... I'd borrowed a few laptops along the way, from friends and colleagues, to use for some simple email and web tasks... and managed to brick the hard drives on every single one), and refresh my memory on this whole "weird NSA MiTM malware" cul-de-sac.

It didn't take long at all...
The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands. {article date: March 2014}
I had been assuming Stuxnet, in terms of initial infection vector... you know, a USB stick with sharpie writing on the side that says: PR0N, DO NOT OPEN!!! <-- that is how you get malware, right? ( speaking metaphorically, sort of)

But this isn't what the NSA is doing with these programs, not at all.

They're selecting targets for injection of malware into live network sessions - apparently http/https overwhelmingly - on the fly, at "choke points" where they know the targets' sessions will go by the hundreds of machines that compromise these NSA 'malnets.' Custom-sculpted nework injections (we call them 'session prions') are forced in, seething with 0days. An analyst in some post-Snowden NSA office tomb clicks a few GUI elements on her display and the selector logic she was fed by her bosses primes the Quantum and Foxacid malnets worldwide, waiting for that signature'd session to show up on their targeting radar.

You've been CIN-painted.

Now, whenever your sessions match that profile, you will get more Foxacid Alien-implant session payloads coming back from your routine internet activities. The selectors can be anything that identifies you as a general profile... the slide decks mention things like Facebook tracking fingerprints, DoubleClick leech-cookies, twitter oauth header snippets, and so forth. Physical IP is entirely unnecessary, as is your name or any other identifier.

Perhaps the NSA (or its clients in the civilian law enforcement world, in dozens of countries) wants to find out who runs a particular website... say, a .onion website like agorahooawayyfoe.onion...
l_ff525d308ba173b66cd3d533cc092237.jpg (5.75 KiB) Viewed 43177 times
This isn't a small-scale effort any more, either. That's what I think I had unconsciously assumed, that it was a couple hundred people on the Amerikan drone-list, or whatever. Not making light of such things, but rather for me as a technologist if an attack is bespoke and requires expertise, it limits it to a tiny, tiny percent of defensive threat modelling scenarios. And for those on the drone-lists? Well, good luck is what I'd generally say.

However, these CIN malnets are scaling/scaled to millions of concurrent painted-chumps. And growing.
The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines. {ibid.}
Or for another way of saying it in the NSA's own words, dating from 2009...

ՑՑՑՑ ņame your poison

Once I realised this was about quite a bit more than simply borked svg's (which is still a pretty interesting vector, imho), I pulled out the name #SauronsEye for what I was experiencing: a totalising, all-seeing, ever-present, burning glare from a height. I was being surveilled, by some entity somewhere, for some reason. The pressure of the eye was almost physical, for those middle weeks.

But the name doesn't seem to fit, now that we've been able to fit the scrambled, jagged mess of data-pieces together into a more or less fully-coherent understanding of what the system is. Because this stuff isn't passive it doesn't simply sit there and watch. Rather, it's 'all up in your shit,' as they say... every time you get online, however innocuous and carefully-constrained your activities are, you run the risk of this happening to your browser once those prions spread through your network session and shoot right into your local kernel:
A colleague, overhearing us discussing this amoungst the team, blurted out "Balrog." And that's the fit, just so. Yes, it's LoTR and that's drifted twee of late - but at core Tolkein isn't twee, and he knew his evil as only an Oxford professor of decrepit languages can know evil.

The Balrog, for the less painfully geeky amoungst the readership, are described by JRR as "they can change their shape at will, and move unclad in the raiment of the world, meaning invisible and without form" (cite), which gets it spot-on for our CIN-naming task here. He goes on, waxing a bit more poetical...
His enemy halted again, facing him, and the shadow about it reached out like two vast wings… suddenly it drew itself up to a great height, and its wings were spread from wall to wall…
Shadowy? Check. Great height, and wide (metaphorical) wingspan? Check. But it's the imagery of the Balrog that seared the name into the very souls of Tolkein-reading boys such as I. Imagery that quite hits the nail on the head:
That's something of what it feels like to face down this stuff as it repeatedly pierces one's local perimeter and turns one's root-level kernel sanctuary into a mutating, unreliable, dishonest, corrupted mess... right in front of one's eyes. (and yes, I know that computers behaving badly are very much First World Problems of the most Platonic sort, and hyperbole aside I remain aware that starvation trumps Cronenberg-transgressed computational resources when it comes to real problems to have in one's life)

The final point, for this spot of writing, is this: there is no "disinfecting" once you are painted as a target by Balrog (or any CIN). The infection exist ephemerally in the fabric of the internet itself; it's not something you can simply remove from your computer with antivirus software (or manually). Trust me on this: even if you are successful in disinfecting (and that'll require expertise in grub, Xen, containers, obscure filesystem formats, font encoding, archaic network protocols down the OSI stack, and on and on and on), dare to actually use the computer to communicate with others online, and you'll be right back to the alien-bursting-from-stomach place in short order.

Neither cryptostorm, nor cryptography, can protect you from Balrog, or from CINs. The session prions come in via legitimate (-ish) web or network activity. You can't blacklist the websites serving dirty files... because they aren't coming from websites, these prions. They're phantom-present everywhere in the internet that's a couple hops from a Foxacid shooter... wihich means everywhere, more or less. You can blacklist the internet, I suppose - offline yourself to stay pure... but that in and of itself reflects a successful DoS attack by the NSA: they downed you, forever...



Https - as deployed, in the real world, based on tls & thus x509 & Certification Authorities & Digicert & ASN.1 & parsing errors & engineered 'print-collisions & DigiNotar & #superfisk & all the rest - is so badly, widely, deeply, permanently, irrecoverably broken on every relevant level that it merely acts as a tool to filter out dumb or lazy attackers. Those aren't the attackers we worry about much, do we?

I mean, if we put a lock on our door that would be totally effective in keeping out newborn babies, caterpillars, and midsized aggregations of Spanish Moss - but was useless against some dude who just hits the door with his shoulder to pop it open - then it'd be less than wise to go cavorting about the neighbourhood, crowing to all who can hear that you left 500 pound sterling on the kitcken table and too bad suckers, no mewling infant will ever find her way in to steal that currency... wouldn't it?

That's https.

Indeed, I have a... something between a theory, and a strangely intense fantasy... concept that PEM-encoded certs themselves are being used as an implant vector by Balrog :-P Or, as my colleague graze prefers to (more reasonably) suspect, strangely-formatted packets for use in transporting data between Balrog-sickened victims and the MalCloud of Balrog's control architecture, globally. Or maybe the're used as meta-fingerprints... beyond-unicode control characters embedded in obscure fields nobody even decodes client-side but which can be sniffed cross-site to identify sessions over time...

Anyway, https. Were we to discover (or read the work of others who discovered, more likely) super-exotic cert-vectored exploit pathways, we would be not surprised in the least; it's not that it's 'only' marginally useful in securing actual data (and network sessions) against CIN-level active attackers, but rather it's a question of how destructive it is, on balance. Alot, a little, or in the middle? That's an open question, but it's the only one when it comes to https and security.

But remember, many keystrokes ago, we discussed "necessary but not sufficient?" This is where it folds back in, like an origami crane tucked in one's pocket...

The defensive techniques that can - and will - protect us from Balrog and other CINs (there will be others, likely already are... that's a given), systems-level infected-cloud virulence, must also act as integrated, coherent, cohesive, outcomes-defined systems as well. Cryptography (symmetric & asymmetric primitives alike) is a piece of that, a crucial piece without which overall systems success would likely be impossible.

But crypto alone is no more protection from Balrog than would be a single thick mitten serve as protection from a month in the Arctic during coldest wintertimes. There's more, and more importantly it all needs to fit together as a sum far greater than its parts: a big pile of right-handed mittens won't substitute for a proper Inuit snow suit.

Funny thing is, we know how to do that - the systems stuff, the integrated functionality. It's been where we've headed since last fall, perhaps reflecting a team-wide intuition that our membership's needs were pulling us that way. Too, we've been seeing the weirdness out there - fractal weirdness on the network - for many months: borked routed, fishy certs, dodgy packets, shifty CDNs, https being https, etc. Little fragments of mysterious code piggybacking on "VPN service" installers (pretty sure we know where some of that comes from now, eh?), microsoftupdate.com hostnames used as C&C for... something? Repository pulls showing up weird-shaped, with signed hashes to back their dubious claims to legitimacy.... it goes on and on.

“La semplicità è la massima raffinatzza” (Łeonardo da Vinci)

CINs work by corrupting network integrity, at the most fundamental levels: routing, packet integrity, DNS resolution, asymmetric session identity validation. They use the trust we all have in those various systems more or less working a they were designed to work, and as their maintainers strive to enable them to work... they use that trust as a weapon against everyone who uses the internet to communicate, from a father in Ghana texting the family to find out what they'd like for dinner from town, to the Chilean wind-farmer planning future blade geometries with meteorological data available online, to the post-quantim information theory doctoral student in Taiwan who runs her latest research results up the flagpole with colleagues around the world, to see who salutes... all get leeched, individually, so CINs can frolic about & implant malware as their whims dicatate.

Galrog, and CINs generally, will prove to be our era's smallpox-infested blankets dropped on trusting First Nation welcoming parties by white guys behaving badly. We trust the internet to more or less inter-network, and CINs use that trust as an ideal attack channel because who would really think?

Well, Balrog - this Balrog, not Tolkein's - is real. Funding is in the order of $100 million USD a year and growing. It's been up and running a decade or so, long since out of beta. There's other CINs in the works, surely... if not deployed already regionally or in limited scale; When more than one is shooting filth into whatever network sessions catch its fancy, attribution will be hopeless. Its not like one checks ARIN for Foxacid records, eh? As to C&C, all evidence suggests Balrog piggybacks on the incomprehensible route-hostname complexity of the mega-CDNs - cloudflare, akamai, others so shady and insubstantial it's likely they'll be gone before this post comes out of final-round edits: you can't blacklist those, and their hostnames cycle so frequently you can'd even do subhost nullroutes.

So if you are painted, and Balrog is whipping at your NICs, you'll likely never 'prove' to anyone whose whip made those scars. But the scars are real, eh? They burn. And it'd be a heck of alot better to avoid the whip, rather than burn endless spans of time in Quixotic attempts to prove whodunit when whodunit dun moved to the cloud, address uncertain and changing by day.

So that's our job now, at cryptostorm: post-crypto network security. Crypto, Reloaded. Crypto... but wait, there's more! Protectiion from an ugly blanket of festering sickness already grown into the fabric of the internet itself, and sinking its violation deeper every day. Assurance that sessions go where intended, get there without fuckery, and come back timely, valid, & clean.

One cannot simply 'clean' Balrog off, as the infection is entwined with the internet itself.

Within that spreading rot, there exists the latent possibility of clean secret pathways, reliable protected networks delivering assured transit and deep-hardened privacy for every session, every packet, every bit... an underground railroad of peaceful packets. Identifying and alerting to network level threats is all well and good, but useless compared to threat transcendence.

Done right, that kind of service delivery creates a network-within-the-network, a sanctuary for people to talk and share and live their lives with meaning, confidence, and peace.



...cryptostorm's sanctuary comes now ±

  • ~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

[list]✨ ✨ ✨[/list]
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github

User avatar
Site Admin
Posts: 495
Joined: Thu Jan 01, 1970 5:00 am

Re: črypto is finished... and it's about time × (also: 'Balrog' malnet, firsthand view)

Post by df » Sat May 16, 2015 6:27 am

shutup :lol:


Re: črypto is finished... and it's about time × (also: 'Balrog' malnet, firsthand view)

Post by Zn1s » Tue Jun 02, 2015 3:17 am

I appreciate the work you have done here. However, I do not possess the two PHDs required to actually understand or make sense of it.

Last bumped by Anonymous on Tue Jun 02, 2015 3:17 am.