Regin: State Sponsored Malware


The Intercept has a good analysis of GCHQ’s ‘Regin’ malware, including a breakdown of its likely stealthy, modular installation process.

“The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency.”

It’s a long-term piece of software, and not just in its slow installation: the article reckons it was in development for over a decade and has been spread as widely as “Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran”.

WiFi Identification(lium)


Libelium’s ‘Meshlium Xtreme’ is a system for detecting mobile devices using their WiFi and Bluetooth capabilities; it can function even when the user is moving at speed:

“Due to the reduction of the time between scanning intervals, now vehicle traffic detection rate has increased from 50% to 80% even at a speed of 100 Km/h (62 miles/h).”

It can also, apparently, tell the difference between ‘residents’ and ‘visitants’ despite the “anonymous nature of this technique”, with the MAC address unassociated with “any specific user account or mobile phone number not even to any specific vehicle”, although it is, of course, associated with a specific device.

Monitoring Frequencies


This is a look at how to use RFMON mode with the Airport card in a Mac. RFMON stands for Radio Frequency Monitoring and is a way of monitoring wireless network traffic without having to associate with a particular network. My understanding of it is that it will allow general knowledge of activity on a network channel, without being able to look at the specific data sent. It should provide an understanding of the levels of wireless activity occurring in a space.

Listing Network Adapters
RFMON mode only works with wireless cards, and the aim here is to look at wireless networks, so it’s necessary to know how to identify and address the wireless card.

In Terminal, run ifconfig with no arguments; this will give you a list of adapters.

Apparently, on OS X, en0 is the wired (ethernet) connection, and en1 is the wireless. This can be verified by having no ethernet connection active, WiFi on, and observing that en1 has ‘status: active’.

Monitoring the air
Included with OS X is a utility called tcpdump; the man page describes it like so:

“Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.”

Thanks to this post, it’s clear that tcpdump can be used with RFMON mode, although the example given there didn’t work for me. It uses adapter en0, presumably because the MacBook Air used there doesn’t have an ethernet adapter, so depending on your setup it may be necessary to change the adapter name.

This command worked for me, albeit without (yet) a full understanding of the results I’m seeing:

sudo tcpdump -I -i en1

The -i flag, followed by en1, specifies the network adapter to use.

The -I flag flips the interface into RFMON mode (and will cause an error if the adapter specified does not support this, i.e. if it’s ethernet).

This prints the results to the terminal window, but the -w flag can be used to write them to a file instead.

The -x, -xx, -X, -XX options can be used to print the data associated with each packet, as opposed to just the header, in varying formats and levels of verbosity.
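One way to get the “levels of wireless activity” the post is after, without reading any payloads: summarise the text that sudo tcpdump -I -i en1 prints, per frequency and per frame type. This is an added example, not from the original post; the capture lines below are constructed to match the usual macOS radiotap summary format (frequency in MHz, signal in dBm, then the frame type), so a real capture piped into these functions is assumed to look the same.

```shell
# Constructed sample of tcpdump -I output (not a real capture).
SAMPLE_CAPTURE='12:00:01.000001 1.0 Mb/s 2412 MHz 11b -41dBm signal -92dBm noise Beacon (homenet) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 1, PRIVACY
12:00:01.100002 6.0 Mb/s 2412 MHz 11g -43dBm signal -92dBm noise Probe Request (homenet) [6.0 9.0 12.0 18.0 Mbit]
12:00:01.200003 24.0 Mb/s 2437 MHz 11g -67dBm signal -91dBm noise Data IV:1234 Pad 20 KeyID 0
12:00:01.300004 1.0 Mb/s 2437 MHz 11b -65dBm signal -91dBm noise Acknowledgment RA:00:11:22:33:44:55
12:00:01.400005 54.0 Mb/s 5180 MHz 11a -80dBm signal -95dBm noise Beacon (office) [6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 36, PRIVACY'

# Reads tcpdump -I lines on stdin; prints "<MHz> <frames> <mean dBm>"
# per frequency, sorted by frequency. Lines without a radiotap
# "<n> MHz ... <s>dBm signal" prefix are skipped.
summarize_rfmon() {
    awk '
        {
            freq = ""; sig = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "MHz")    freq = $(i-1)
                if ($i == "signal") sig  = $(i-1)   # e.g. "-41dBm"
            }
            if (freq == "" || sig == "") next
            sub(/dBm$/, "", sig)
            n[freq]++; total[freq] += sig
        }
        END {
            for (f in n) printf "%s %d %d\n", f, n[f], total[f] / n[f]
        }
    ' | sort -n
}

# Reads the same lines; prints "<frame type> <count>" sorted by type.
# The type is the word after "noise" ("Probe Request" is two words).
count_frame_types() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "noise") {
                    t = $(i+1)
                    if (t == "Probe") t = t " " $(i+2)
                    n[t]++
                }
            }
        }
        END { for (t in n) printf "%s %d\n", t, n[t] }
    ' | sort
}
```

Usage against a live interface is simply sudo tcpdump -I -i en1 -l | summarize_rfmon (or a saved capture read back with tcpdump -r file.pcap).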

Further Tools
These tools came up during research, and may be useful in the process:
Scapy
Kismet
And the ever-useful Wireshark

[Note: This has been tested on a 2010 MacBook Pro, running 10.9.4]

Searching within Man Pages

Terminal man pages are long. What if you just want to know what one flag from some line you found on the internet does?

You can search in the man page with grep like so:

man man | grep -A 3 -e "-C"

This will search the manual page for man for the “-C” flag, and print the following 3 lines, thanks to -A 3.

basil.js


Testing basil.js the scripting library for InDesign on snippets of my dissertation, manipulating type and layout with maths. Should be writing prose not code.

Audio Convolution (Processing Test)


Using Processing and its color datatype (an integer, ARGB ordered, with 8 bits per channel) for convolution. Creates a much noisier, colourful output – but with too little resemblance to the source image to be useful.

Amazing patterns though.

Homoglyphi.cc


Homoglyphi.cc is a simple tool for writing Unicode calligraphy. The user can combine characters from the Astral Planes of the code structure to create alternative word-images. These can, for example, be pasted into typographically restrictive social media. The point of view of homoglyphi.cc is the basic character set of cloud-english.

Ħ◌ᴟ☻⅁⎿ჄႼǶ☝。ⓒⒸ
[also: A Chrome Extension]

Processing + Seene

Seene is an iOS application that lets you create photos with added 3D depth. SeeneLib by Ben Van Citters allows you to work with its file format and data in Processing.