Monday, 18 April 2022

NULLCON 12, Berlin, April 2022

Here's the badge that I designed for the NULLCON 2022 Berlin security conference (and highly recommended training!). 

The NULLCON 2022 badge...

There are three, and arguably four, puzzles hidden in the badge, plus a hint, as you will see, to a very different text obfuscation technique that looks like strong crypto, but has a very light CPU overhead. That's quite a bargain for something that most people will dismiss as a silly bit of graphics on the back of a piece of thick cardboard.

Let's start by looking at the grid of characters in the centre section, by rotating it by 90 degrees:

Not a word-search grid...

At first glance, this looks like it might be a word-search grid, and so you might go along the rows and columns, looking for words...

And you will get 'NULL', '2022' and 'FOR', which isn't very helpful. But you do also get some incomplete words: 'BERLI' and 'SECUR', which look like they might be 'Berlin' and 'Security' - but the other required letters are in different rows or columns... Also, the 'N' at the beginning of 'NULL' was bigger...

Underneath the grid of characters, there is the NULLCON logo, although it has a few additions:

A slightly modified NULLCON logo...

The logo starts from a circular blob, along a path indicated by an arrow, and ends up at an exclamation mark, where the dot of the symbol is the end of the path.

Imagine that the NULLCON logo is a map, where the path that is indicated is the path that you must follow on the map. Also imagine that the character grid is the map... 

It seems that the circular blob at the start coincides with the big 'N' at the start of 'NULL', so what happens if you trace along the path? To make it easier to see, the next image colours all the off-path characters in light blue:

The character grid and the NULLCON logo path...

Starting at the 'N' blob, it now reads: 'NULLCON2020BERLINGE' as you trace along the path. It is easier to see this if the background is also light blue:

Blue on blue...

Looking at the logo, the diagonal line across the zero or zed or zee (it depends how you look at it!) is at quite a shallow angle, so maybe the path isn't adjacent characters? Aha! From the 'G', you should be able to find an 'E', then an 'R', then an 'A', and finally an 'N' - and turning round again, a 'Y' on the right. So the path now reads:

NULLCON2022BERLINGERMANY

Which can be split up into:

NULLCON 2022 Berlin Germany

Because, as you should know, cryptographers always:

USECAPITALLETTERSDONTUSEPUNCTUATIONANDDONTUSESPACES

If we carry this along the path, then we get the name and part of a phrase from the NULLCON 2022 web-site (I have added capital letters and punctuation where appropriate...):

NULLCON 2022, Berlin, Germany. A unique platform for security showcasing!!

The two exclamation marks were added by me, of course!

And that's the first part of the answer to the badge puzzle...

---

At the very top of the badge is some strange text:


It looks like it is maybe upside down, or rotated? But no matter what you do with rotations or mirroring, it just doesn't turn into anything readable... But do you notice anything about the NULLCON logo - does it have rotational symmetry? Could this be a clue?

Let's rotate it by 180 degrees and put the two versions one above the other:


You might be able to see that now, the lambda has become a 'y', that weird rounded 'w' has become an 'm', and the rotated 'e' has become an 'e'. 

If you alternate letters from left to right, then the letters which are the right way up are these:

p z l b a t n u s

And the other alternate letters are rotated by 180 degrees:

u z e y m r i r s

And if you put these letters together, you get:

puzzle by martin russ

Basically, your eyes are quite happy with rotations and mirroring if they affect the whole of the text, but if you do it on individual characters, then your brain stops being able to read it without a lot of concentration.

You can use a variant of this technique to obfuscate text to avoid any simple dictionary-based text scanning program from finding any plain text that you have left as strings in a program. Just add 1 (or any other number - this is the 'key') to alternate letters (so A becomes B, etc.) and you have something that no longer looks like text:

PVZALFBZMBRUIORVST

This also wrecks conventional letter frequency analysis, has high entropy (so binwalk highlights it as keys!), and looks like strong crypto, except the 'key' is a single (or double) digit number and there is no ordinary crypto! Just obfuscation!

There are various things you can do to this to make it even more obscured. Adding '=' instead of spaces makes it look like broken Base-64 URL encoding, for example. Another wrinkle is to rotate through QUJZ?!=+ and use those as spaces, and now it looks like very broken Base-64 URL coding! I'm sure you can figure out a neater variation, and then a fast encode/decode routine (the more obtuse the code, the better - my personal preference is to make it look like an AES routine, because people will then automatically assume that it is AES, and not delve any deeper...).

<sound of frustrated cryptographer scouring the code, desperately looking for the key transfer mechanism (that isn't there!) so they can decode the above text....>

This text obfuscation technique alone is probably worth the time you have spent reading this!
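The alternate-letter shift described above, as an added example that is not code from the original post: it reproduces the post's obfuscated string and shows what a string scanner has to do to undo it, namely try 26 keys at two starting positions. The function names, the word list and the scoring are assumptions made for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_alternate(text, key, start=1):
    """Add `key` (mod 26) to every second letter, beginning at index `start`."""
    out = []
    for i, ch in enumerate(text):
        if ch in ALPHABET and i % 2 == start % 2:
            ch = ALPHABET[(ALPHABET.index(ch) + key) % 26]
        out.append(ch)
    return "".join(out)


def encode(plaintext, key=1, start=1):
    # Cryptographer's convention from the post: capitals, no spaces.
    return shift_alternate(plaintext.upper().replace(" ", ""), key, start)


def decode(obfuscated, key=1, start=1):
    return shift_alternate(obfuscated, -key, start)


# Constructed word list used to score candidates (an assumption);
# a real string scanner would use a proper dictionary.
WORDS = ("PUZZLE", "MARTIN", "RUSS", "BERLIN", "SECURITY", "NULLCON")


def recover(obfuscated, words=WORDS):
    """Try every key and both starting positions (52 candidates).

    Returns the best (score, key, start, text) tuple, where score is the
    total length of dictionary words found in the candidate text.
    """
    candidates = []
    for start in (0, 1):
        for key in range(26):
            text = decode(obfuscated, key, start)
            score = sum(len(w) for w in words if w in text)
            candidates.append((score, key, start, text))
    return max(candidates)


if __name__ == "__main__":
    blob = encode("puzzle by martin russ")   # the post's example string
    print(blob)
    print(recover(blob))
```

A scanner that runs its dictionary check over all 52 candidates for each string it extracts will find text hidden this way.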

---

The other badge puzzle is simpler, but because it is in two parts, it is harder to spot. Plus, it is so simple that most people will dismiss it as being trivial.

At the top, there is another NULLCON logo and another character grid, and then another bit of graphic at the bottom:

The other puzzle is in two parts...

Note also that the bottom of the badge contains the first 24 characters of the answer to the first 'path map' puzzle, just to make it easier to solve that one!

The top part of this is exactly what it looks like, another path map. This time, by tracing out the logo's path (not the edges!), you get 'GOA' 11 times, followed by 'BER' (Don't forget the turn upwards to get the 'R'!). It turns out that there have been eleven NULLCONs held in Goa, and this is the twelfth NULLCON - the first held in Berlin, Germany. 

The end of the path is a '*' (with 5 ends, not six... which isn't significant), and this leads to the bottom part of the puzzle, where the star points to a 3x9 matrix of dots, some of which are filled in, and some of which are empty. There are two clues to what to do here. The first is the 'puzzle by martin russ' text at the top of the badge - you have to rotate alternate characters by 180 degrees to be able to read all the characters. So rotate the badge 180 degrees (remember that the NULLCON logo has 180 degree rotational symmetry), and look at the 3x9 matrix - it spells: 'LIN'. The second clue is in the name text right at the bottom of the badge - it says: 'NULLCON 2022 Berlin Germany' (as you probably well know by now!). But look at the positioning of the 'Ber' text in the name, and the 'LIN' spelled out in the 3x9 matrix - do you see an alignment?

Yep, the size of the matrix and the arrow are set so that the 'Ber' and the 'Lin' line up (you go up from the 'r' and you hit the 'L', and then go across backwards) as an extra clue! (Plus the rotation aligns the logo again!) I did think about using the '|' vertical character instead of the lower case 'L', but decided that this made it too obvious...

So the 'puzzle by...' text, and the name text at the bottom of the badge are not accidental, and the size of the matrix and the arrow are connected to them. On a larger scale, this would be called a meta-puzzle...

The second puzzle is thus a reminder of the history of NULLCON: 11 in Goa, and one in Berlin, Germany.

So here's a photo of one of the winning entries:


What I like about this is the way that an image of the badge itself has been annotated as the answer!

---


Thursday, 24 March 2022

The ongoing uncertainty in the-world-at-large (just choose your area of concern...) is probably going to increase the risk of cyber attacks, so what can you do to reduce your risks of being affected?

Photo by olieman.eth on Unsplash

Here are 5 practical things to do. 1-4 apply to individuals or corporates, 5 is probably developers only...

1. This is a good time to check your backup processes. Many people just make backups and never check that they can do a restore successfully. Get an old computer and try to restore some files to it. You would be surprised at how many people find problems with their backup process just by trying to do a restore. 

2. Spear-phishing and phishing attacks, via email, texts and other messaging services, can give bad guys a foot-hold into breaching your systems. Make sure that everyone in your family, group or company knows not to click on links in emails, texts or messages. It doesn’t matter how important the sender is, or how urgent it sounds, or how great the offer is, don’t fall for it - don’t click on links!

3. If you have been putting off 2FA or MFA, then now is a good time to implement it. Two-Factor Authentication and Multi-Factor Authentication are very good ways of making it much harder for someone to attack your systems. They take a few minutes to add, and make you much more secure against attack.

4. The tension in the world is a good opportunity to get people to change to a Password Manager, and to implement stronger, longer passwords - and a different one for every service. Yep - different for everything!

5. For developers, the news of the Anonymous hacking of Russian IT systems has probably led to an increased interest in cyber security. Visit https://owasp.org/www-project-top-ten/ as your first step towards making your code more secure. Visit https://owasp.org/www-project-juice-shop/ to start learning about how to make your web-apps more secure.   

And a word from me as one of the leaders of the Suffolk Chapter of OWASP:

The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. The Suffolk Chapter has lots of videos on a wide range of cyber security topics: https://owasp.org/www-chapter-suffolk/  and we also do live demos of pen testing software, as well as live discussion on many security topics...
