Unmasked - Ars Technica [22]
The second lesson, however, is that the standard advice isn’t good enough. Even recognized security experts who should know better won’t follow it. What hope does that leave for the rest of us?
On November 16, 2009, Greg Hoglund, a cofounder of computer security firm HBGary, sent an e-mail to two colleagues. The message came with an attachment, a Microsoft Word file called AL_QAEDA.doc, which had been further compressed and password protected for safety. Its contents were dangerous.
“I got this word doc linked off a dangler site for Al Qaeda peeps,” wrote Hoglund. “I think it has a US govvy payload buried inside. Would be neat to [analyze] it and see what it’s about. DONT open it unless in a [virtual machine] obviously… DONT let it FONE HOME unless you want black suits landing on your front acre. :-)”
The attached document, which is in English, begins: “LESSON SIXTEEN: ASSASSINATIONS USING POISONS AND COLD STEEL (UK/BM-154 TRANSLATION).”
It purports to be an Al-Qaeda document on dispatching one’s enemies with knives (try “the area directly above the genitals”), with ropes (“Choking… there is no other area besides the neck”), with blunt objects (“Top of the stomach, with the end of the stick.”), and with hands (“Poking the fingers into one or both eyes and gouging them.”).
But the poison recipes, for ricin and other assorted horrific bioweapons, are the main draw. One, purposefully made from a specific combination of spoiled food, requires “about two spoonfuls of fresh excrement.” The document praises the effectiveness of the resulting poison: “During the time of the destroyer, Jamal Abdul Nasser, someone who was being severely tortured in prison (he had no connection with Islam), ate some feces after losing sanity from the severity of the torture. A few hours after he ate the feces, he was found dead.”
According to Hoglund, the recipes came with a side dish, a specially crafted piece of malware meant to infect Al-Qaeda computers. Is the US government in the position of deploying the hacker’s darkest tools—rootkits, computer viruses, trojan horses, and the like? Of course it is, and Hoglund was well-positioned to know just how common the practice had become. Indeed, he and his company helped to develop these electronic weapons.
Thanks to a cache of HBGary e-mails leaked by the hacker collective Anonymous, we have at least a small glimpse through a dirty window into the process by which tax dollars enter the military-industrial complex and emerge as malware.
Task B
In 2009, HBGary had partnered with the Advanced Information Systems group of defense contractor General Dynamics to work on a project euphemistically known as “Task B.” The team had a simple mission: slip a piece of stealth software onto a target laptop without the owner’s knowledge.
They focused on ports—a laptop’s interfaces to the world around it—including the familiar USB port, the less-common PCMCIA Type II card slot, the smaller ExpressCard slot, WiFi, and Firewire. No laptop would have all of these, but most recent machines would have at least two.
The HBGary engineering team broke this list down into three categories. First came the “direct access” ports that provided “uninhibited electronic direct memory access.” PCMCIA, ExpressCard, and Firewire all allowed external devices—say a custom piece of hardware delivered by a field operative—to interact directly with the laptop with a minimum amount of fuss. The direct memory access provided by the controllers for these ports mean that devices in them can write directly to the computer’s memory without intervention from the main CPU and with little restriction from the operating system. If you want to overwrite key parts of the operating system to sneak in a bit of your own code, this is the easiest way to go.
The second and third