By Fahmida Y. Rashid
Get a bunch of hackers and other security-minded folks in the same place and a little bit of good-natured competition and hacking is inevitable.
Last week’s Kaspersky Lab Security Analyst Summit was jam-packed with interesting sessions and attended by some of the best minds in information security, but that wasn’t all. Attendees could also compete in the “Crypto-challenge,” where they use their hacking skills to solve a series of puzzles. I was among the handful who finished the challenge, and along the way learned a bit more about cryptography, obfuscation, and reverse engineering.
Most of all, I learned that hacking is like solving puzzles; you keep thinking, “Let me just try this one thing,” and feeling really excited when you get it.
Cryptography Holds the Key
At its heart, cryptography is about taking a message and writing it in such a way that it looks like gibberish to whoever doesn’t know the secret. It’s a little like Pig Latin. If you don’t know the rules of the language, then you have no idea what “ellohay” means. Some ciphers are very simple—such as swapping the letter with the next letter, so a becomes b, b becomes c, and so on, until “hello” becomes “ifmmp.” Others are far more mathematically complex and are used to protect our credit card numbers and password credentials.
Each summit attendee, upon registration, received a letter about the crypto-challenge. At the end was a string of letters which made no sense but had a familiar format. Beginning with “vhhd://” and followed by groups of letters separated by a period (.), it was clearly the URL to a website. Once I realized the first few letters were “http://” I knew this was ROT13, a popular (and tremendously weak) cipher, which swaps each letter with one that comes 13 places later in the alphabet. There was no need to work out the URL manually, as there are tons of ROT13 decoders on the Web.
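The shift ciphers in the two paragraphs above, as an added example (this is not code from the original article): a general Caesar-shift routine of which ROT13 is the shift-by-13 case, plus a decoder that recovers the shift from a known plaintext prefix such as "http://", the same cue the author used to spot the cipher. The sample URL is constructed for the example.

```python
import string
from typing import Optional, Tuple


def shift_text(text: str, shift: int) -> str:
    """Move every ASCII letter `shift` places along the alphabet, preserving
    case. Non-letters (the "://" and "." that made the ciphertext look like
    a URL) are left untouched, exactly as ROT13 leaves them."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    # 13 is half the alphabet, so encoding and decoding are the same operation.
    return shift_text(text, 13)


def recover_shift(ciphertext: str, known_prefix: str) -> Optional[int]:
    """Try all 26 shifts and return the one under which the plaintext starts
    with known_prefix (a "crib" such as "http://"). None if no shift fits."""
    for shift in range(26):
        if shift_text(ciphertext, -shift).startswith(known_prefix):
            return shift
    return None


def decode_with_crib(ciphertext: str, known_prefix: str) -> Tuple[int, str]:
    """Return (shift, plaintext) for a single-alphabet shift cipher."""
    shift = recover_shift(ciphertext, known_prefix)
    if shift is None:
        raise ValueError("no single-alphabet shift produces the expected prefix")
    return shift, shift_text(ciphertext, -shift)


if __name__ == "__main__":
    # Constructed sample: ROT13 of a made-up URL, not the challenge's real string.
    sample = rot13("http://example.com")
    print(sample)                               # uggc://rknzcyr.pbz
    print(decode_with_crib(sample, "http://"))  # (13, 'http://example.com')
```

The crib approach is why a shift cipher offers no protection: a single guessed word of plaintext fixes the key, and even without one there are only 25 candidates to read through.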
Obfuscated Javascript, Oh My
The resulting page, with an image and a welcome message, was boring. The page’s source was anything but. It was lines and lines of more gibberish, enclosed in <script type="text/javascript"> tags. Ah, obfuscated Javascript.
Obfuscation is a commonly used technique where malicious coders write attack code in such a way that a human couldn’t easily read the code. It’s different from cryptography in that it doesn’t rely on a secret but rather on convoluted programming methods to generate hard-to-read code. The resulting code is illegible to the human eye, but the machine has no problem understanding and executing it.
As was the case with ROT13, there was no need to try to parse the obfuscated Javascript manually. Instead, I used the DOM inspector which is built into the Chrome web browser and stepped through each page element. I could see the code for displaying the image and the welcome message hidden inside the gibberish, as well as a commented out line of code containing the next clue.
Obfuscation is not limited to just Javascript, either. I had to edit a Perl script in order to figure out what that ugly bit of code was trying to say.
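A small static deobfuscation pass, added here as an example and not part of the original article or the challenge: it decodes the two encodings most commonly seen in obfuscated page source (String.fromCharCode(...) lists and \xNN / \uNNNN escapes) and then lists the script's comments, which is where the author found the next clue. The obfuscated snippet is constructed for this example. Nothing is executed, which is the point of reading the code rather than letting a browser run it.

```python
import re
from typing import Dict, List

# Constructed sample of the kind of page source described above: string
# literals hidden behind String.fromCharCode(...) and \xNN escapes, an eval(),
# and a comment that only becomes readable once decoded.
OBFUSCATED_JS = r'''<script type="text/javascript">
var _0xa1=String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101);
var _0xb2="\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x22\x77\x65\x6c\x63\x6f\x6d\x65\x2e\x70\x6e\x67\x22\x3e";
eval(_0xa1+"("+JSON.stringify(_0xb2)+")");
// \x6e\x65\x78\x74\x20\x63\x6c\x75\x65\x3a\x20step2.html
</script>'''

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]*?)\s*\)")
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
UNICODE_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def decode_fromcharcode(src: str) -> str:
    """Replace String.fromCharCode(110,117,...) with the quoted literal it builds."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, src)


def decode_escapes(src: str) -> str:
    """Turn \\xNN and \\uNNNN escapes back into the characters they encode."""
    src = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def extract_comments(src: str) -> List[str]:
    """List // and /* */ comments. This regex does not skip string literals,
    so a "//" inside a URL string would also be reported; treat hits as leads
    to read, not as parsed code."""
    return [c.strip() for c in COMMENT.findall(src)]


def deobfuscate(src: str) -> Dict[str, object]:
    """Statically decode the encodings above and collect comments. The script
    itself is never run; eval() is precisely what an analyst refuses to call."""
    decoded = decode_escapes(decode_fromcharcode(src))
    return {"decoded": decoded, "comments": extract_comments(decoded)}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED_JS)
    print(result["decoded"])
    print(result["comments"])  # ['// next clue: step2.html']
```

The decoded text is for reading, not for re-execution: turning \x22 back into a literal quote can leave a string literal syntactically invalid as JavaScript, which does not matter when the goal is to see what the code says.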
Reverse Engineering Like a Boss
At one point, I downloaded an executable file (scanned with Kaspersky Antivirus—it doesn’t hurt to be careful!) which prompted me to enter a username and password. It was time to reverse engineer that executable.
Working off a Linux laptop helped at this point, because I could use strings, a command-line Linux tool which prints the runs of readable text found inside non-text files, and gdb, a debugger which lets you see what is happening inside a program as it executes. strings was also handy later in the challenge, when I downloaded .d64 files. I could have downloaded a Commodore 64 emulator—as the challenge’s organizer intended—to run the file, but I just ran strings to figure out where to go next.
I have heard about embedding secret messages inside a picture, but when I was faced with such an image, I was initially stumped. Then I remembered that images have layers, and attackers can embed information into different layers without disrupting the visible layer. I could have looked at each layer in GIMP, an open-source tool similar to Adobe Photoshop which runs on Linux. Instead, I ran the image through strings, which extracted all the text hidden in the image. That is one versatile and handy command.
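What the strings command is doing in the two paragraphs above when it pulls readable text out of an executable, a disk image or a picture, as an added example (not from the original article): a minimal reimplementation with the same default minimum run length of four printable bytes, run over two constructed byte strings that stand in for the executable and the image.

```python
import re
from typing import List

# Constructed stand-ins for the files described above. Neither is a valid
# executable or image; they only mix non-text bytes with the kind of readable
# runs a strings pass pulls out.
FAKE_EXECUTABLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    + b"Enter username: \x00" + b"\x01\x02\x03"
    + b"Enter password: \x00" + bytes(range(32))
    + b"flag{constructed}\x00" + b"ab\x00"
)

FAKE_IMAGE = (
    b"\x89PNG\r\n\x1a\n"                                           # PNG signature
    + b"\x00\x00\x00\x0dIHDR" + bytes(13)                           # header chunk, zeroed payload
    + b"\x00\x00\x00\x1ctEXtComment\x00clue: next stop is step3"    # text chunk carrying the clue
    + bytes(4) + b"IEND"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e),
    in file order. This is the core of what strings(1) does; 4 is its default
    minimum too, which is why a 3-byte "ELF" does not show up by default."""
    if min_len < 1:
        raise ValueError("min_len must be positive")
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def grep_strings(data: bytes, needle: str, min_len: int = 4) -> List[str]:
    """Case-insensitive filter over the extracted runs, like `strings f | grep -i`."""
    needle = needle.lower()
    return [s for s in extract_strings(data, min_len) if needle in s.lower()]


if __name__ == "__main__":
    for s in extract_strings(FAKE_EXECUTABLE):
        print(s)
    print(grep_strings(FAKE_IMAGE, "clue"))
```

The image case works for the same reason the executable case does: PNG text chunks, EXIF fields and similar metadata are stored as plain bytes alongside the pixel data, so any readable run long enough to clear the threshold is listed, regardless of the file format.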
Note About Passwords
A few of the steps in the challenge prompted me for a valid password. While “password” never came up, there was at least one occasion where I just randomly entered words that had some relevance to the conference and game until I stumbled upon the correct one. In one step, I got tripped up by lowercase/uppercase, so I just generated a list of all possible combinations and worked my way through.
An attacker, armed with some information about the victim, can easily try to guess the correct password, or just run through a list of possible words. I kept muttering, “I am going to outsmart you,” and when I figured it out, I thought, “HA! Got it!”
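The two paragraphs above describe both halves of the problem: a guess list built from a few topical words expanded to every case variant, and how little that costs whoever is guessing. As an added example (not from the original article), the expansion is paired with a constructed server-side verifier that shows the control which breaks the approach: an attempt counter that locks the account after a handful of failures, so the list is cut off long before the right casing is reached. The hash, the attempt limit and the sample words are all constructed for the example.

```python
import hashlib
import hmac
import itertools
from typing import Iterator, List, Optional, Tuple


def case_variants(word: str) -> Iterator[str]:
    """Yield every upper/lower-case spelling of word. A word with k letters has
    2**k variants, so case alone adds only k bits of guessing work."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidate_list(words: List[str]) -> List[str]:
    """Expand a short list of topical words into the full guess list,
    deduplicated and in order (the same word in another case adds nothing)."""
    return list(dict.fromkeys(v for w in words for v in case_variants(w)))


class LockoutVerifier:
    """Constructed server-side password check. sha256 stands in for a real
    password hash (argon2, bcrypt or scrypt) to keep the example dependency-free.
    The comparison is constant-time, and the account locks after max_attempts
    consecutive failures, which is what defeats wordlist guessing."""

    def __init__(self, secret: str, max_attempts: int = 5) -> None:
        self._digest = hashlib.sha256(secret.encode()).digest()
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("locked after %d failed attempts" % self.attempts)
        self.attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(guess.encode()).digest(), self._digest)
        if not ok and self.attempts >= self.max_attempts:
            self.locked = True
        return ok


def run_guesses(verifier: LockoutVerifier,
                candidates: List[str]) -> Tuple[Optional[str], int]:
    """Submit candidates until one is accepted or the verifier locks.
    Returns (accepted guess or None, attempts the verifier recorded)."""
    for cand in candidates:
        try:
            if verifier.check(cand):
                return cand, verifier.attempts
        except PermissionError:
            break
    return None, verifier.attempts


if __name__ == "__main__":
    guesses = candidate_list(["sas"])          # 8 candidates for a 3-letter word
    print(run_guesses(LockoutVerifier("SaS", max_attempts=100), guesses))  # ('SaS', 6)
    print(run_guesses(LockoutVerifier("SaS", max_attempts=3), guesses))    # (None, 3)
```

The same list that succeeds on the sixth try against an unlimited verifier is stopped after three against one with lockout, which is why the practical fix on the server side is rate limiting or lockout rather than hoping users pick unguessable words.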
Just Puzzle-Solving
With the exception of strings and gdb, every single element of the challenge depended on something fairly straightforward, or something I could learn with a Google search. While not all hacking is this simple, it is important to understand that the skills build on top of each other. To get started, you just need a little bit of curiosity and a willingness to persevere.
You hear about people trying to break into systems or launching campaigns online for fun, or just to prove they can. What keeps hackers hacking is that elusive adrenaline rush that comes from solving a challenging puzzle.
Via PC Magazine