Breaking Standards

by bartitsu59

Greetings from France.

I think I've always wanted to write this article.  Maybe because I'm very tall (6 feet 7 inches), and got mocked about that, or maybe because I grew up more and more as a hacker with a non-traditional view of the world.

From early on, I got pissed when everyone, back in the 1990s, embraced a flawed machine called the PC, leaving behind them more beautifully engineered machines (like the Atari ST, the Commodore Amiga, or the Acorn RISC Machine).

Now, even with the Mac back in the landscape (which anyway runs on very similar hardware), we are bound by a number of standards without even thinking about it.

A Bit of Historical Context

Maybe you don't know about it, but in 2014, Carnegie Mellon University spent several months extracting the data and reverse engineering the original drawing software from 20-year-old Amiga floppy disks.  On those disks were exclusive digital drawings from Andy Warhol.

This story gave me a lot of insights.  Not only was it quite funny and interesting to read about, but it also made me realize that using old technology, or at least a non-standard one, was a good way to conceal your data.  After all, most of us prudent hackers have USB keys with, at the bare minimum, encrypted files, or VM images.  Yet, putting someone else's USB key in any modern computer will reveal the nature of the data stored, with the file extension plus a beautiful icon.

For the most concealed files, say, one with no extension, a quick look at the first bytes (the signature of the file) would leave not much doubt on what kind of data is in there.

If the nature of the file is still unknown to you, then you can rely on several types of forensics software, for example Apache Tika, which will happily identify a thousand file formats.  But it will fail with some...

How many of us know the Magic Shadow Archiver format, used on exotic OSes for the now vintage Atari line of computers?  It's a practical format used for archiving Atari ST floppy images, supported by most Atari ST emulators.

Those fun facts can lead us to creative solutions to hide our data.

Out of Sight, Out of Mind

Imagine now that you write your password vault on an emulated ST, in a simple text file, and store it on an emulated floppy disk.  Ideally, you would have chosen a compressed MSA floppy image (with .MSC extension, or no extension to complicate things).

Another option: I have on my desk a beautiful gray box called a "MiST Computer."  This beast has an FPGA inside and can dynamically adapt its hardware behavior, depending on the selection of a soft core (programmed using a Hardware Description Language) copied on an SD card.  Basically, I can switch from a 100 percent accurate hardware replica of an Atari ST, to an Amiga, an Amstrad, a Spectrum (see the link at the end of the article for the numerous possibilities)...

So, I could also store my password vault in a disk partition of this little machine, which is furthermore offline, and shares the same screen as my regular computer (which makes it easily available).

Alternatively, the floppy image trick will work too, since these retro-modern machines also support those images.

With no physical access to the network, and an uncommon file structure on the machine's mass medium (in my case, an SD card), I don't see how one could get their hands on my sensitive data.

Don't expect to be limited by the apparent lack of power of those options.  Back in the day, those machines were able to cope with mundane tasks (like playing, writing, drawing, budgeting) with a few MHz and Mbytes.  First, because most applications were written in assembly, but also because the operating systems were far simpler than the ones we are used to today, thus leaving all the horsepower for user land.  (Most were stored in ROM, so the RAM was left untouched.)

Of course, this applies to any decent emulator or FPGA-based computer.  A nice example of an emulator, in fact a true virtual machine (that makes use of the full power of the host machine), is Atari Running on Any Machine (ARAnyM).  Amiga Forever and RPCEmu are also very good picks that will offer you tons of options to store your data, with the ease of use of any regular PC virtual machine.

In any case, you are strongly advised to use a hard disk image.  Saving your data in this image will obfuscate it quite a bit.

If you are a PC addict and don't want to learn about alternative architectures (poor you), you could still rely on long forgotten file formats, using no-longer-supported old software, such as WordStar, Ashton-Tate Framework, or DataPerfect.  To use them, I would suggest downloading DOSBox, a very accurate DOS emulator.

Using Steganography

The icing on the cake consists of using steganography on an old image format.

For this example, I will use an image format called "DEGAS Elite" (well-known Atari ST drawing software) in its extended flavor.

Indeed, DEGAS Elite was only able to handle the three standard resolutions of an Atari ST: low, medium, and high, for which the .PI1, .PI2, and .PI3 file extensions were respectively defined.

When more powerful Atari computers arrived on the market, some other drawing software (FuckPaint) extended the DEGAS file format to handle superior resolutions.

So, our image will be in PI9 file format, with a resolution of 320x240 and a palette of 256 colors.  (You will see that this image is quite abstract, which is nice, since this technique will alter the palette.)

The technique I will use is kept ridiculously simple to just give you a primer on how steganography works.  At the end of this article, you will find a link to a website describing a file format used by a fantasy console (PICO-8), from which I took inspiration.

The PI9 file format is really simple: you have the first 256 * 3 (768) bytes describing the palette in RGB format.  The rest of the file contains the bitmap uncompressed.

With only a few UNIX commands, we will take a user@password pair, swap the two hex digits of each of its bytes (so that it does not appear in clear in a hex editor), and replace the first color declarations with it.

In our case - very simple with ten characters in total - we will then replace the first four colors with our data.  Of course, the longer the data, the more the rendering will be altered.  That's why I'm advising you to take an abstract scene, for which a change of colors will not be seen as suspicious.

For longer data to store, you need something more evolved, such as the technique used by PICO-8 and its special PNG format.

#!/bin/bash
# 1. First encode our user@password in hexadecimal, then swap the two hex
#    digits (nibbles) of every byte so the string is not readable as-is.
#    The swap is its own inverse, so the same sed restores the data later.
# 2. Reverse the xxd command and write back to a 'header' temporary file
echo -n "2600@rules" | xxd -p | sed 's/\(.\)\(.\)/\2\1/g' | xxd -r -p > header

# A PI9 file has a constant size of 77824 bytes, our user@password pair is
# 10 characters long, so write the whole source file minus ten bytes into a
# 'body' temp file (tail -c N keeps the last N bytes)
tail -c 77814 COLOURF.PI9 > body

# concatenate 'header' and 'body' to get the resulting image with the first
# four colors altered (each color takes three bytes)
cat header body > COLOURB.PI9

I'm then using the online version of a tool called RECOIL to check that my image is: first, not corrupted; then, that it is properly shown with, at most, a minor impact on the palette.  In our case, I'm seeing no difference between the original image and the new one.

With the same image, I was able to store three user@password pairs for a total of 71 characters with no visible difference.  This is explained by the fact that this image does not use the first 24 colors of the palette (24 * 3 color components = 72 bytes).

To retrieve the password, you proceed with a reverse approach:

$ head -c 10 COLOURB.PI9 | xxd -p | sed 's/\(.\)\(.\)/\2\1/g' | xxd -r -p
2600@rules
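The embedding and retrieval steps above, plus the capacity check the "first 24 unused colors" remark implies, as an added example that is not the article's own script.  It assumes the palette layout the article describes (256 RGB entries, 3 bytes each, followed by the raw bitmap) and builds a constructed PI9-sized buffer in place of COLOURF.PI9.

```python
# Constructed example, not the article's script: hide a secret in the leading
# palette entries of a PI9-style image and check how much fits unnoticed.
PALETTE_ENTRIES = 256
BYTES_PER_COLOR = 3                       # RGB, as the article describes it
PALETTE_SIZE = PALETTE_ENTRIES * BYTES_PER_COLOR   # 768 bytes
PI9_SIZE = 77824                          # constant size quoted in the article


def swap_nibbles(data: bytes) -> bytes:
    """Same transform as the article's sed on the xxd hex dump: the two hex
    digits of every byte are exchanged (0x32 '2' -> 0x23). It is its own
    inverse, which is why the identical pipeline also extracts the secret."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def unused_leading_colors(image: bytes) -> int:
    """Palette entries from index 0 upward that no pixel references.
    Overwriting those cannot change the rendered picture."""
    used = set(image[PALETTE_SIZE:])
    n = 0
    while n < PALETTE_ENTRIES and n not in used:
        n += 1
    return n


def capacity(image: bytes) -> int:
    """Bytes that can be hidden without altering any displayed pixel."""
    return unused_leading_colors(image) * BYTES_PER_COLOR


def embed(image: bytes, secret: bytes) -> bytes:
    """Replace the first len(secret) palette bytes with the swapped secret;
    refuse when the picture actually displays the colors that would change."""
    if len(secret) > capacity(image):
        raise ValueError("secret would alter colors the picture uses")
    return swap_nibbles(secret) + image[len(secret):]


def extract(image: bytes, length: int) -> bytes:
    """Reverse of embed(): 'head -c length' followed by the nibble swap."""
    return swap_nibbles(image[:length])


def sample_image() -> bytes:
    """Constructed PI9-sized buffer whose bitmap only uses colors 24..255,
    mirroring the article's observation about its abstract picture."""
    palette = bytes(i % 256 for i in range(PALETTE_SIZE))
    pixels = bytes(24 + (i % (PALETTE_ENTRIES - 24))
                   for i in range(PI9_SIZE - PALETTE_SIZE))
    return palette + pixels
```

For a real image, read the file into `image` and call `capacity()` first; a result of 0 means even the first color is displayed and the method will visibly alter the picture.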

When using simple steganography techniques like this one, I recommend that you learn the commands by heart and clear your shell history to leave no visible clue of your manipulation.  Of course, you need to properly delete your temporary files, too.

I think you get the main idea: breaking the norm and standards, or using exotic or long forgotten ones, can conceal our intention and make the reconnaissance phase far more difficult for potential malevolent people.

The key is to think out of the box.  After all, many hacks are based on the assumption that 99 percent of us are using the same predictable tools.

As I'm writing this article, I'm receiving more and more corporate emails assessing the potential impacts of the Meltdown and Spectre security holes on the infrastructures of our customers.  To make it simple, every modern computer with a superscalar microprocessor architecture is potentially involved, so hiding sensitive data on simpler (emulated) computers might well be a safer choice after all.

All you need is to simply accept that you will get your hands a bit dirty, and learn some strange operating systems or applications you may have never heard of before.

But that's part of the fun, don't you think?

Links