Friday Squid Blogging: Efforts to Film a Live Giant Squid

Japanese researchers are attempting to film the elusive giant squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on August 17, 2012 at 4:16 PM • 35 Comments


Ronnie August 17, 2012 5:17 PM

Qylur security systems

MetLife fans now have automated security system
EAST RUTHERFORD, N.J. — Entering MetLife Stadium for Jets, Giants and other sporting events may not take so long for fans any more.
The Jets and Giants will be testing a new, automated security screening system for preseason NFL games and other events in August and September that its developers say is faster and non-intrusive than being searched by security personnel.
Developed by Qylur Security Systems, the kiosk is completely automated and self-service, handling five times the crowd flow compared to current checkpoint methods that are manned by security personnel using wands and pat-downs.
The system, which is being piloted at the stadium over the next two months, was recently demonstrated at Liberty State Park and at the World Cup FIFA preliminary draw event in Rio de Janeiro.
The Qyler system is designed specifically for major public venues such as stadiums, amusement parks, airports, public transportation and other locations. When using the system, fans will walk through what looks like a plexiglass doorway to be screened. Anything they carry will be screened by a machine.

I couldn’t find a picture or a good description of the actual process but I can’t help but think of the scene from “Total Recall”.

Tim WILSON August 18, 2012 1:26 AM

Potentially NSFW, depending upon how conservative your workplace is.

The first part of the article discusses leaving a nondescript unsecured cardboard box for putting money in, to pay for unattended goods. Overall very successful. (An aside about foreign currency doesn’t actually explain whether there was an actual non-payment event, or just whether he was bothered by receiving such foreign currency for payment.)

Thoughts include:

  • You couldn’t say somewhere like Comic-Con was truly anonymous; it’s a private event with ticketed entry.
  • Although no specific security was provided, the venue itself was no doubt crawling with security guards and in particular security cameras.
  • It is not obvious that there is no “hidden” or “surprise” security measures.
  • It looks like a pretty small takings; possibly less than the cost of entry to the event. The risk/reward ratio is probably very low.
  • The booth operator is something of a celebrity. This has the dual effect of making people feel (a little) like they would be stealing from a friend more than from a stranger; and also that the consequences of stealing from them in particular would be a greater degree of social backlash if caught (since more people consider that the perpetrator had stolen from their “friend” rather than from a stranger).
  • It’s a single data point, with no control.

Still, it’s interesting.

Chris W August 18, 2012 2:25 AM

Kind of missed this one as a Bruce blog entry.
So here it is:

Stuxnet derivative malware called Gauss contains encrypted payload which can only be decrypted on the target machine. Kaspersky asked crypto experts to help out coz they couldn’t crack it.

Gauss, at first sight, appears a piece of malware that steals financial information. But hidden inside is something more sinister.

The virus creates a list of strings based on a directory listing and selects one that, when combined with a salt, produces a specific md5-hash. That particular string is combined with another salt and the resulting md5-hash is used for RC4 key scheduling and the payload is decrypted.

What is interesting is that only entries in the directory listing are used where the first character exceeds the Unicode U+007A. This contains most non-standard characters, but Kaspersky explicitly pointed at Arabic and Hebrew. Even though all extended-ASCII characters are equally likely.

One reader pointed out that the first character could well be ‘{‘ of GUID {..-..-.-} directories present in the Installshield installation folder.

What is interesting about this payload is that it’s virtually impossible to determine the target. It could be looking for a specific custom-made application installed. Or a program that is specific for the targeted region. Or perhaps any computer that has software installed related to filtered-internet (China great-firewall, Iran ‘halal’ internet). You just don’t know.

If this had been done on stuxnet itself, the actual SCADA payload would never have leaked out.

I’m willing to bet that we’ll be seeing more of these.
As long as the ‘search’ parameter remains sufficiently large and the number of targets low, it’s gonna be really hard to determine the purpose of such a digital precision bomb.
With an obfuscated payload and self-deletion algorithms (a la Flame) you’ll have a whole new class of nasty critters.

Clive Robinson August 18, 2012 4:01 AM

@ Chris W,

Gauss contains encrypted payload which can only be decrypted on the target machine

Encrypted payloads are not new but the technique as described for Gauss is quite fascinating and I had some thoughts about similar but not as sophisticated methods many many years ago.

Way back the use of very very simple encryption (think XOR) was to hide the malware signature from AV software. The idea was to produce a very very small piece of polymorphic decryption code as “the loader” and use a randomly generated key to encrypt the main functional part or “payload” of the malware.

The problem with this system was the decryption key had to be sent in “plain text” for the decryption loader to find it and in general it was very very short.

What I was looking to do was to improve the length of the “key” by using strings of OS code that were in “known positions” on the target PC so in effect I was sending not a key but a pointer to a key, but the pointer had to be obfuscated as well (which is a subject for another day).

Now one problem I came up against was my loader was OS specific because MS used to change bits from version to version of DOS so the loader needed a checking mechanism to indicate if the decrypted code was good or bad so I had to embed some “known plaintext” into the payload.

Now for various reasons not just to keep the loader small I originally used A5A5 (see BIOS/POST and loading I/O card software for why I chose those values). Although I doubt Gauss uses the same known plaintext it will almost certainly use some known plaintext and very probably at a fixed offset point.

Now Gauss supposedly uses ARC4 which is a stream cipher. Stream ciphers happen to be quite vulnerable to “known plaintext attacks” at fixed offsets as they enable you to strip out the “known plaintext” and recover part of the key stream which carries forward into other attacks on the stream generator.

Now the $64,000 question is,

“Have they obfuscated the known plaintext?”

If not then that may well be the most promising opening.

If however it was me I’d obfuscate it and the way to do it would be similar to the way Gauss generates the key.

That is if you work on the assumption it is looking for a particular software package on the target PC, you could use a chunk of that program’s code segment as the “known plaintext”. Because you would only need to calculate the offset to the start point of the chosen string of data in the code segment. If the program was not in memory or of a different revision then with a very very high probability the “known plaintext” would be wrong.

But also let’s assume a false positive in the detection code causes a key to be generated which is incorrect and thus produces a garbage decode of the payload. The probability of a matching “known plaintext” would be vanishingly small. Thus it would be very very unlikely that a garbage decode would be treated as valid code causing the loader to try and execute it and causing the PC to crash.

Something else that is perhaps slightly odd about Gauss is it loads a narrow font onto the PC…

So the question is “why?”

I can think of several reasons some of which are,

1, It contains the known plaintext.
2, It contains data to obfuscate or as KeyMat.
3, It has TEMPEST advantages.

It is known that some fonts have a very high spectral content and this is really quite useful when doing “van Eck” monitoring of VDUs and other displays. The folks over at Cambridge Labs did some work on this and actually demonstrated van Eck phreaking at a trade show some years back.

Whatever the reason is I suspect that Gauss is going to be quite a fruitful beast to dissect and provide the up and coming security bods with some new things to think about (whilst those with “impressive beards” nod and say “Back in my day…” 😉
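The stream-cipher point made above (a known plaintext at a fixed offset lets you strip it out and recover that part of the keystream, and a fixed "magic" value lets a loader tell a good decode from garbage) can be shown in a few lines. The following is an added, self-contained Python example written for this thread, not code from the original post or from any Gauss sample; the key, the payload bytes and the use of A5A5 as the magic are constructed for the demonstration, and the RC4 implementation is the textbook KSA/PRGA.

```python
# Added demonstration: known-plaintext keystream recovery against a stream cipher
# (RC4 here, as the thread discusses ARC4).  All values are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed "known plaintext" at a fixed offset, in the spirit of the A5A5
# marker described above (not a value taken from any real sample).
MAGIC = b"\xA5\xA5"


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Keystream bytes at [offset, offset+len) fall out directly: C XOR P = K."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)], known_plaintext)


def decrypt_with_fragment(other_ciphertext: bytes, keystream_fragment: bytes, offset: int) -> bytes:
    """If the same key (hence the same keystream) was reused, the recovered
    fragment decrypts the same positions of any other ciphertext."""
    return xor_bytes(other_ciphertext[offset:offset + len(keystream_fragment)], keystream_fragment)


def passes_magic_check(decoded: bytes, offset: int = 0) -> bool:
    """The loader-side validity test: a wrong key yields garbage, and the chance
    that garbage reproduces a fixed 2-byte marker is 1 in 65536."""
    return decoded[offset:offset + len(MAGIC)] == MAGIC


if __name__ == "__main__":
    key = b"constructed-demo-key"
    payload = MAGIC + b"constructed payload body"
    ct = rc4_crypt(key, payload)
    fragment = recover_keystream(ct, MAGIC, 0)
    print("recovered keystream prefix:", fragment.hex())
    print("decode passes magic check:", passes_magic_check(rc4_crypt(key, ct)))
```

The magic check is what makes the scheme fail closed, and the keystream recovery is why a fixed, unobfuscated marker is the weak point an analyst would look at first: every byte of known plaintext at a known offset is a byte of keystream handed over for free.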

Mr. Anderson August 18, 2012 9:01 AM

Google Employees Find 60 Security Holes In Adobe Reader

Google warns of using Adobe Reader – particularly on Linux

“The researchers who discovered the holes now fear that potential attackers could find enough clues to build an exploit by comparing the current Windows version of Reader with the previous one. This would leave Linux users defenceless. On top of that, even the patched versions still contain a total of 16 open security holes.”

nobodyspecial August 18, 2012 10:55 AM

@ Tim WILSON – I just moved to Canada, there was a ad today in the local paper:
“PYO fruit at XXX’s house, leave the money in the kitchen, please don’t let the dogs out”

Canada is not real life!

Jacob August 18, 2012 11:20 AM

Clive and will.
Smoke tis me ears..gonna work on understanding what you guys are discussing. Love the stimulation for this old fart. Now if Israel loads drone 747 with bunker busters…..well, nothing til after election..godel module. Settings based on target. Gonna be hard to figure this out…fun.

Wael August 18, 2012 1:02 PM

@ Clive Robinson, @ Chris W

1, It contains the known plaintext.
2, It contains data to obfuscate or as KeyMat.
3, It has TEMPEST advantages.

I am leaning towards (2). I have done something similar in the past. The purpose however was to move the secret key from the data segment (where it can be sniffed) to the code segment (meaning part of the algorithm). I may need to clarify that later, as I suspect I am not clear.

Have you thought about the possible meaning of Godel? I read the thread at securelistDotCom that @ Chris W pointed to, but did not see this possibility:
God = God in English
El = God in Hebrew

Another thing: Gauss may not be looking for a pre-installed program. It may be looking for a trigger, when another “virus” puts that value or classID in the expected path. Heh! Multi-channel or two factor malware…

Another thing that puzzles me is the 10k rounds of MD5… I could only guess why someone would do that. Maybe looking for some kind of side effect on the infected device (if it is targeting a known hardware)

Clive Robinson August 18, 2012 1:29 PM

OFF Topic:

And another bit of news that might be of interest,

Firstly though a bit of background on UK Gov Ministerial idiocy that has kept the more important news out of the main media outlets,

You may have heard that the UK Gov is kind of “throwing the toys out the pram” because Ecuador has decided to recognise that the WikiLeaks founder might just have a point about what will happen if he is extradited to Sweden and then to the US where he may now be “held on suspicion without trial indefinitely”. So as he’s holed up in the Ecuadorian Consulate in London he is apparently making the UK Gov look bad and endangering the US-UK “special relationship”. So the UK Gov’s “William Hague” has rather foolishly said the UK Gov will remove the “diplomatic status” from the Ecuadorian consulate and send the police in to search for and arrest the WikiLeaks founder, all of which is against the Vienna Treaty… All in all it would set a bad precedent in that if done once by the UK it leaves all UK diplomatic buildings vulnerable around the world. So well done Mr Hague, you’ve taken a cheap shot at your own foot and potentially endangered the life of every person who has UK Diplomatic status. It’s interesting to note that a number of ex-UK senior diplomats have come out and said in best diplomatic terms “he’s an idiot”.

So back to the real technology news behind that… whilst all this stuff and nonsense was happening WikiLeaks dropped some new papers into the public domain about something called “Trapwire”. It would appear to be a plan to link all CCTV cameras up to a central DB via face recognition software to track the movement of all individuals either actively or in retrospect.

There are some “hysterical reports” out there about how “life is now a goldfish bowl” and others that say the technology is not currently possible and it’s just a ruse to slurp off more tax payer dollars to the chosen few.

Either way this article gives some background on Trapwire and some other things we should be keeping a watching brief on.

Clive Robinson August 18, 2012 1:40 PM

@ Wael, Chris W, Jacob,

Another thing that puzzles me is the 10k rounds of MD5… I could only guess why someone would do that

I suspect the most likely reason is to make partial “brute force” guessing too expensive to contemplate trying, in the same way it’s done with passwords.

However I agree 10K does seem a little excessive; you get the feeling they are trying to protect against level three opponents.
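Chris W’s description of the validation stage (filter the directory listing by first character, hash a candidate with a salt, compare to a stored MD5, then use a second salt to derive the RC4 key) and the point above about iteration count as a brute-force cost multiplier fit in one small script. This is an added Python example written for this thread from the analyst’s side, not code from the original post or from any Gauss sample: the salts, the target hash, the directory names and the 10,000-round chaining are constructed to illustrate the mechanism, and the only thing the code measures is how many MD5 calls a search over a candidate list costs.

```python
# Added demonstration of salted, iterated MD5 validation as described in the thread
# and of the work factor the iteration count imposes.  All values are constructed.
import hashlib

VALIDATION_SALT = b"constructed-validation-salt"   # constructed, not a real sample's salt
KEY_SALT = b"constructed-key-salt"                 # constructed second salt
ROUNDS = 10_000                                    # iteration count the thread discusses


def iterated_md5(data: bytes, rounds: int = ROUNDS) -> bytes:
    """MD5 chained `rounds` times: each extra round multiplies the cost of one guess."""
    digest = data
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest


def candidate_entries(names):
    """Keep only entries whose first character is above U+007A ('z'), the
    filter described in the thread; plain ASCII names never qualify."""
    return [n for n in names if n and ord(n[0]) > 0x7A]


def find_trigger(names, target_hash, salt=VALIDATION_SALT, rounds=ROUNDS):
    """Analyst's reproduction of the validation stage over a candidate list.
    Returns (matching name or None, number of MD5 calls spent), so the cost
    of searching a candidate space is visible rather than just implied."""
    hashes_spent = 0
    for name in candidate_entries(names):
        hashes_spent += rounds
        if iterated_md5(name.encode("utf-8") + salt, rounds) == target_hash:
            return name, hashes_spent
    return None, hashes_spent


def derive_payload_key(name: str, salt: bytes = KEY_SALT) -> bytes:
    """Second stage from the thread: the validated string with a second salt
    yields the 16-byte value that feeds RC4 key scheduling."""
    return hashlib.md5(name.encode("utf-8") + salt).digest()


def work_factor(candidate_count: int, rounds: int = ROUNDS) -> int:
    """Upper bound on MD5 calls for an exhaustive search of `candidate_count` guesses."""
    return candidate_count * rounds


if __name__ == "__main__":
    # Constructed directory listing: two ASCII names, a GUID-style name, an Arabic name.
    listing = ["readme.txt", "Program Files", "{ABC-DEF}", "\u0639\u0631\u0628\u064a"]
    stored = iterated_md5("{ABC-DEF}".encode("utf-8") + VALIDATION_SALT)
    name, cost = find_trigger(listing, stored)
    print("matched:", name, "after", cost, "MD5 calls")
    print("one million guesses would cost", work_factor(1_000_000), "MD5 calls")
```

The search never learns anything from a non-matching hash; without a preimage attack on MD5 the only route is to guess candidates, and the rounds parameter scales every guess linearly, which is exactly the password-hashing argument made above.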

Chris W August 18, 2012 1:42 PM

@Clive Robinson

Interesting story.
Of course Gauss isn’t the first to use such an encryption mechanism. But what struck me the most is the difficulty of dissecting it. With a likely small group of targets the chance you run into the required key is remote.

As mentioned in the article Gauss actually has a verification stage, where the key is verified for correctness before being used. And in such a way that you would, as far as I can see, require a pre-image collision attack on md5, for which no practical method has been found as of yet.

You want to target anyone who has TrueCrypt installed on his PC (with the aim to steal the key from memory), easy, but your virus could be dissected fairly easily because the directory name TrueCrypt is prevalent enough to be tested for.
You want to target anyone who has TrueCrypt installed and has Schneier’s blog in his browser cache, easy, and quite more difficult to detect.
The smaller your target group, the easier you can obfuscate your payload.

The deployed font is indeed a mystery.
I considered it could be part of a mechanism to mark the infected machines. Any javascript enabled browser would be able to ‘leak’ whether the system is infected. Simply have a css rule that uses the unique font and e.g. Courier as backup. Then use javascript to determine the div/span width and use that to signal the server; you would be able to gather spread ratios from internet-connected computers world wide.
But Gauss already calls home, so this explanation is unlikely.

But I concur, it’s gonna be interesting to hear what the ‘real experts’ are gonna say about it next year. (I’m not one of them.)

mcb August 19, 2012 2:11 AM

64-year-old Adam Stuart Busby, a Scottish Separatist living in Dublin, Ireland, was indicted this week for making many of the email bomb threats at the University of Pittsburgh this spring.

“Prosecutors say Busby used computer servers in Austria and the Netherlands to make those threats. He also threatened to bomb four federal courthouses in Pennsylvania, and even threatened the U.S. Attorney for the Pittsburgh area, David J. Hickton.”

With cyber-terrorists like him it’s no wonder Scotland is still part of the UK…

Clive Robinson August 19, 2012 4:20 AM

@ mcb,

64-year-old Adam Stuart Busby, a Scottish Separatist living in Dublin, Ireland

Now I was wondering what a “Scottish Separatist” is doing living in what is still called “Southern Ireland” or more politically correctly as Éire (the accent is important as eire is a pejorative word meaning “burden” although Eir… is used as a preface to many Irish companies)

While the article you link to does not currently (08:30GMT) mention anything about him being a Scottish Separatist, this article does,—police-say-motive-unknown-166522946.html

And further information about his odd behaviour (it appears that others started the threats by writing messages on toilet stall walls etc, and he just joined in and sent some messages which indicated the threats would stop if the $50,000 bounty was lifted, when it was he stopped sending the threats).

It still looked odd however a quick Google on his name pulled up a wiki page which does indicate he may be the same person and had tried to forge links to the old IRA (which is odd because broadly the IRA was Catholic and the unionists Protestant of Scottish descent).

But more interestingly it reveals he has been on a US “watch list” for some time due to his other activities. Further that he was also on various other “watch lists” for some time. Which begs the question of why it took so long to get around to him.

I have a feeling this story is going to get a lot more interesting as further details emerge, and others such as PSU start asking why it took the FBI so long as Mr Busby was on their watch list…

Nick P August 19, 2012 1:26 PM

NSF’s Secure and Trustworthy Cyberspace Program (SaTC)

It sucks that I found this program after the submission deadline. I couldn’t find a list of proposals. Twiddling with their strange “awards” search engine, I’ve created this link to give you a list of proposals. Some look boring, some look academically interesting, & some look like they might have a quick payoff. (I have a preference for the last kind.)


There’s 165 (!) in all according to the search engine. I won’t be able to look at many today. I’m posting it in case anyone else wanted to get started looking through the proposals. Might help you with your own project(s). 😉

Clive Robinson August 19, 2012 3:50 PM

@ Nick P,

There’s 165 (!) in all according to the search engine. I won’t be able to look at many today.

At least one you’ve already seen (Bruce posted about the “Guitar Hero” password game a few weeks ago).

I must admit I only recognise a couple of the names up on the list, I guess I’m losing contact with the field of endeavor 😉

Nobodyspecial August 19, 2012 6:14 PM

@Clive Robinson – traditionally the most fervent Scots nationalists live somewhere else, perhaps this guy couldn’t afford Spain or the Bahamas ?

Petréa Mitchell August 19, 2012 11:26 PM

A catalog of ways people cheat to use the high-occupancy* vehicle lane:

Police have caught I-5 HOV violators with plastic skeletons and blow-up dummies in their passenger seats. Some simply dress the seat with a jacket and baseball cap to make it look like a rider. […] Fort said he once stopped a woman, who was six months pregnant, who argued that her unborn child allowed her to take the fast lane home.

And the risk-reward calculation changes when the violation is common:

“We keep track of them when they try to get away by blending into traffic,” Fort said. “Of course, if there are six or seven cars diving out of the HOV lane and only two officers, there’s only so much you can do.”

* For those outside the US: “high-occupancy” means more than one person in the car.

Figureitout August 20, 2012 1:14 AM


So, how about the story about the stranded jet skier who breached airport security?

I would be very surprised if Bruce never addressed this specific incident; especially since he is a native New Yorker and has made part of his reputation on criticizing airport security theater. You know he’s definitely seen it and is thinking about it.

karrde August 20, 2012 12:00 PM

Have you thought about the possible meaning of Godel? I read the thread at securelistDotCom that @ Chris W pointed to, but did not see this possibility:
God = God in English
El = God in Hebrew

My first thought went elsewhere.

Though his name properly has an umlaut over the letter ‘o’… He worked in mathematical theory, and is best known for the Incompleteness Theorem.

karrde August 20, 2012 12:16 PM

@Petrea Mitchell,

The dummy-in-the-passenger-seat problem reminds me of a story about a small town. The Police in that town parked a cruiser next to an intersection, and placed a mannequin wearing a Police Uniform in the seat.

They claimed to have successfully reduced troublesome accidents and speeding through the area…

Anyway, the HOV lanes are a privilege. Users can enter the HOV lanes through the routine privilege-escalation of crossing a painted line on the roadway.

I suspect that constructing a more-restrictive barrier would be expensive…but if the goal is to reduce the abuse of the lane, I would recommend some form of barrier-to-entry for that lane.

Or some form of camera-based enforcement of fines. Would HOV-enforcement cameras be more popular or less popular than red-light cameras?

Wael August 20, 2012 1:15 PM

@ Karrde

This was not my first thought either. Given the name Gauss, your understanding is probably the closest to being correct. I just wanted to point out another possibility – albeit a weak one… Good point though!

jacob August 22, 2012 9:56 AM

Hello all, Question. Drones and even blimps are being discussed for surveillance over U.S. soil. (and UK).

The blimp over NJ needs to have a 10pt circle painted on it. 400ft? It will get shot down. 😉

Even assuming encryption for comms and video. If the encryption is known and the control commands (software) for them can be figured out. Up, down, rudder, etc. How long before someone shows how to hack one of these things at defcon or blackhat???

Just a wandering question…(thoughts while driving)…
