Schneier on Security
A blog covering security and security technology.
« STUCCOMONTANA: NSA Exploit of the Day |
| Friday Squid Blogging: Camouflage in Squid Eyes »
January 17, 2014
PowerLocker uses Blowfish
There's a new piece of ransomware out there, PowerLocker (also called PrisonLocker), that uses Blowfish:
PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single crime gang. What's more, PowerLocker might also offer several advanced features, including the ability to disable the task manager, registry editor, and other administration functions built into the Windows operating system. Screen shots and online discussions also indicate the newer malware may contain protections that prevent it from being reverse engineered when run on virtual machines.
PowerLocker encrypts files using keys based on the Blowfish algorithm. Each key is then encrypted to a file that can only be unlocked by a 2048-bit private RSA key. The Malware Must Die researchers said they had been monitoring the discussions for the past few months. The possibility of a new crypto-based ransomware threat comes as developers continue to make improvements to the older CryptoLocker title. Late last month, for instance, researchers at antivirus provider Trend Micro said newer versions gave the CryptoLocker self-replicating abilities that allowed it to spread through USB thumb drives.
Posted on January 17, 2014 at 2:57 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So, basically, backup anything you need to read only media.
Bruce, I guess you can start selling your Blowfish backdoor documented in '24' to the victims.
CryptoLocker uses the Delphi RNG for it's AES implementation, so it's actually possible to recover the files without paying a ransom. I think it's already been done on some Russian forums.
I will say this: the designs are ingenious. Just using basic programming with good ciphers and out of bound key storage the ransom holders are practically untraceable and invested almost nothing into a high-profit system, except the cost of the exploit kits and botnet leases they buy for propagation..
Right now they are using generic propagation, if they weren't it'd be a pretty big problem..
I wonder why people continue to choose Blowfish over Twofish. Do they just like the name better?
@Anura Anyone who found blowfish code before twofish code. Especially anyone not primarily concerned with a supremely competent adversary (or at least one unlikely to get such assistance).
There is also the small chance that it was someone willing to lose a lot of money to find out who will publish a blowfish attack. Note that the first condition (and that wiki on blowfish includes the code, the one on twofish doesn't) is *vastly* more likely. Nobody is going to hand out a crack of blowfish for some sucker to avoid paying ransomeware.
where in the linked to articles was Blowfish even mentioned?
either I'm nuts or Bruce made some sort of mistake
apologies. i'm an idiot. just a reminder to all of the importance of reading carefully
I have to admit - I know about the potential weak key problems with Blowfish and its advanced age, but it's still usable. And it does have a cool name.
include an evil bit in your next revision of the algorithm so folks can tell when the encryption is nefarious.
How good is the DRM on [$100 license] Power Locker? Does it advance DRM, or do standard cracks work?
Doesn't everyone with any sense keep everything important on paper?
Paper is too darn flammable and fragile.
I agree with the implied point in your question, specifically, important data are more durable on paper than on electronic or optical media. I strongly disagree with @ Stonecutter, who opined "paper is too darn flammable and fragile". The Dead Sea Scrolls effectively preserved thoughts through more than seventeen centuries. Hard drives, on the other hand, have MBTF measured in thousands of *hours*. And then there's "bit rot" ... and rapidly changing HD/computer interface methods. I trust paper much, much more than any digital device.
I print my encryption keys *and*revocation*certificates* on 20# cotton bond paper, using a decidedly unsexy but very effective dot-matrix. (Readers here: do you know where your revocation certificates are?)
I trust paper much, much more than any digital device
You are not the only one.
Aside from the fact paper is actualy harder than wood to burn (try comparing lighting a book and bit of 2x4 with an oxy torch/cutter if you don't beleive me ;-)
It can with the adition of certain chemicals be made sufficiently fire retardant that it's used as a light weight sprayed on coating to protect structural steel in buildings and industrial facilities from fire damage.
One major advantage with "printed data" is "you see what you are giving away". To many file formats these days have hidden metadata and error histories that enable you to "undo" back to the first charecter in the file.
Thus giving a potential enemy (as you have to do with disclosure) information hidden in the meta and history data that you may not be aware of.
It's why I advise clients "Paper, Paper NEVER data"
And if a judge gets "cute" at the request of the other party and insists on "electronic discovery" being in "electronic format" then print out and scan back in and give them "image files" disguised as PDF's, and make sure the scaning in is a little wonky to make OCR difficult at best (if you hunt around on the internet there is "anti-watermark" software that does this).
In these days of electronic discovery and rapidly aging file formats it is very unwise to have documents stored in either complex or propriatary file formats. It is better to set up a database or repository into which documents are put.
If you are going down the "roll your own" way you could use something like GIT as the repository of "print to file in Postscript" files, and run these through a Postscript to text filter which then goes to be converted to an "inverted text" format to store in either a conventional flat file or relational database for fast searching.
Oh and build in the destruction of any other files on a six month at most life time into your company data retention policy.
The simple fact is as we are now waking upto with the likes of the NSA disclosures "privacy" is only for the prepared. But worse current "electronic tools" make possible overnight what would have less than a life time ago taken thousands of "man hours" such as searching a million documents for certain key phrases...
IANACPA, but I believe the (US) IRS requires requires businesses with $10 million in assets to keep electronic business records, and they're probably not the only ones.
You should also be extremely careful when recommending document destruction to clients, because it's generally illegal to destroy records that may have a material effect on tax collection — and in the US, there's no statute of limitations on tax fraud.
@ Jason T. Miller,
Business records covers the entire gamut of documentation produced within a business as far as electronic discovery is concernend.
However those that legaly need to be kept are little different from those that were required to be kept in a business back in the 1960's and 70's, when most businesses did not have any kind of electronic records. Thus they did not have hidden meta-data nor did they tend to have attached extranious or irelevant information.
Further the legal time requirments for keeping such documents is often relativly modest and can be as little as 18months. For others the time falls to the reasonableness test "of the man on the Clapham Omnibus".
In general it's not these legaly required documents that cause problems by electronic discovery but the documents where there is no legal reason to keep them, and thus those making them excercised no caution in making them. As they had no reason to beleive they would be anything other than as equivalently ephemeral as a chat round the coffee machine or quick "PostIt note".
Provided there is a clearly identified business policy in place for the destruction of such documents that is adheared to then the potential question of hiding information in civil or criminal cases is usually negated.
@Clive: The US seem to be *really* modest about retention time. In Germany, you're required to keep some records for up to ten years, even for tiny one-man businesses (they're ok with paper, though).
I suppose if I imaged my drive once a week or so that would pretty much negate this threat.
@Autolykos @Clive: 30 years for (some?) medical records.
If you want real long times there are some records that need to be kept for what seems like forever.
Property leases can be 999years in duration and some land is constrained for ever by having a Church tax upon it, which is realy quite nasty (in the UK a couple inherited a paddok and shortly there after the Church commissioners hit them with a charge for repairing the church that was many times what the land was worth... basicaly the commisioners had been negligent in maintaining the church and had alowed it to fall into disrepair but went to court to make the couple pay...).
The point of my original comment was not about how long you are required to keep some records but the problems that electronic records make for individuals, companies and other organisations if they are not carefull.
When it comes to paper records most people think it's reasonable to do a bit of housekeeping and throw out what is in effect "dead wood", courts recognise that "you can not keep evrything" with paper records. However since "electronic records" have started a myth has arisen "that you can keep everything" as the storage media is so inexpensive and easily obtainable and you can "data warehouse" it etc etc.
Then as others have already found some smart mouth legal type will use it to argue that not keeping it was a deliberate attempt to "destroy evidence", which can only be negated by a well designed policy that can be clearly seen is enforced. If that does not work the next gambit will be to get a judge to order you to produce all electronic records in some format that benifits them not you, knowing full well thatl the cost will if it does not bankrupt you certainly cost you a kings ransom, again there are ways to defend against this with an enforced policy.
The sad part about the electronic record myth is the "zero cost storage" aspect, people have seen the cost of home storage effectivly half every year and because they don't look after their data properly they think the actual costs involve are halved every year. In fact as a number of organisations can confirm it's usually more expensive and less secure to store electronic records than it is to store paper records, not because of the storage media costs but the on going maintanence costs in doing the job to a level a court finds acceptable...
There is the old "Keep it Shipshape" saw which people should practice, which in effect is shortened to "keep it clean and tidy". But those who have spent time on boats know it also includes keep it well ordered and prioritized against use and risk in limited space, which also means you have to be ruthlessly about culling that which is infrequently used and has low risk value.
@Clive Robinson, @CallMeLateForSupper
Looks like I was wrong about paper.
WRT "you see what you are giving away": This is not strictly true. On paper you may inadvertently give away several bits of unexpected information:
- On Laser-Printed documents, yellow microdots may encode your printer's serial number and additional information. This can be discovered with a magnifying glass.
- On handwritten documents, your writing may indent pages lying beneath the one you're writing. Forensic methods may thus reveal information from preceding pages.
- Forensic analysis of paper or ink may reveal further information (origin of materials, approximate datation, ...). It may also reveal the order of strokes drawn -- a bit like an undo log.
- Given enogh reference data, handwriting may be dated quite precisely.
- During any interaction with paper, fingerprints and/or DNA evidence can be left.
With digital documents, you can exclude passing on unwanted information, but it's very hard. You most likely will give something away and it'll be easy to find. On paper, it's impossible to exclude the possibility, but the process of finding more information can be made extremely hard.
Yup and a few other issues besides (like planting false DNA trace etc).
Over the years I've mentioned most if not all of it and the ways to reduce or avoid the risks not just where possible but in simple and effective ways.
For instance the little yellow dots don't survive being photocopied or faxed, nor do they make it into simple electronic records.
The problem is it takes a whole blog page to cover even just the major points, and me saying "Paper paper, NEVER data" is a short way to make people think about the issues quite seriously then hopefully work out mitigations such as having glass tops to desks and tables etc that they can mention here for others to pick up on.
My own prefrence is for using cleansed electronic records for internal use, which then only get printed to paper on demand of the legal profession or authorities.
Paper records are "scaned in" and unless there is a legal reason to keep them the paper records are securely destroyed (shred and burn on site). Those that must be kept are bagged and vacume packed with anti tamper threds and other "tell tales" included and these are kept in a secure location off site that for older records is "out of juresdiction" and not linked back by other records paper or otherwise.
Part of the cleansing process is over the winter break build build a new server as "preventative maintanence" clean up the records on the old server and then do a safe copy of the clean data to the new server. Test this and take a clean back up as the start point for the coming years backups.
The old server storage and backups are then securely destroyed on site.
It's a moderate pain to organise and setup but fairly quickly picked up by employees of most organisations especialy as it makes the "clean desk" policy a lot lot easier. What they arn't keen on is no internet access and no removable media but as one CEO put it "They are here on my dollar, if they don't like it they know where they can go!". Oh and despite Exec squealing no BYOD, and work "does not go home" at night it stays in the safe.
I have already been online on-line greater than Three hours currently, however Irrrve never uncovered just about any amazing post just like your own house. It truly is wonderful truly worth satisfactory in my situation. I believe, in the event that just about all internet marketers plus people created just right written content since you in all probability performed, the internet may very well be far more useful than any other time.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.