Wednesday, May 8, 2013

Final Post

This year has been more exciting and interesting than I could have asked for. One exciting moment for me was the first time I created a program without any help (a polyalphabetic cipher) and got it to work. This year I learned about analyzing malware, Python, ciphers, homomorphic encryption, the one-time pad, and much more. I created programs for all of the ciphers and the one-time pad. I really enjoyed learning about malware analysis and cryptography. My mentor made the simplest things seem exciting and I am glad I got him as my mentor. He changed my views on computer science so much that I will be majoring in CS in the fall. My internship is definitely one of the things I will miss most when I graduate.

I don't have any suggestions for the Research and Science program. Everything was great.

Advice for next year's interns:


  1. Keep up with your blog -(it will help you with your poster)
  2. Try something new -(it might surprise you how much you enjoy it)
  3. Talk to your mentor -(they're interesting people and it'll make working together more enjoyable)
  4. Ask questions -(shows interest and it'll help you understand what you're learning) 

Wednesday, April 24, 2013

Today I went to my internship. I learned about so many interesting things. I learned about secret sharing, which is basically when you have a number on the y-axis (the y-intercept). This number is your secret. To share it you draw a polynomial curve through that intercept and hand out points on the curve. Depending on the degree of the polynomial you will not be able to figure out the intercept without a certain number of points. For example, if you just have a line (degree one) you only need two points to figure out the y-intercept, a parabola (degree two) needs three, and a polynomial of degree k needs k+1 points. The more points needed, the more shares an attacker has to collect, and with fewer than that number the points say nothing at all about the secret.
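Here is the threshold scheme just described (Shamir's secret sharing) as an added Python example; it is not code from the original post. It assumes a fixed field prime P, chosen here as 2^127 - 1, and uses a random polynomial of degree threshold - 1, so with a threshold of 3 any three of the five shares recover the secret and any two do not.

```python
import secrets

# Field prime for all share arithmetic. Assumption made for this example (not
# from the original post): the Mersenne prime 2^127 - 1, so any secret below
# that value can be shared; real deployments size the prime to the secret.
P = 2**127 - 1


def make_shares(secret, threshold, n):
    """Split `secret` into `n` shares such that any `threshold` of them
    recover it and fewer reveal nothing.

    The secret is the constant term (the y-intercept) of a random polynomial
    of degree threshold - 1 over the integers mod P; share i is the point
    (i, f(i)). x = 0 is never handed out, because f(0) is the secret itself.
    """
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x):
        # Horner's rule: evaluate the polynomial at x, reducing mod P each step.
        y = 0
        for c in reversed(coeffs):
            y = (y * x + c) % P
        return y

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation evaluated at x = 0 over the field mod P.

    With at least `threshold` distinct points this returns f(0), the secret.
    With fewer points it still returns *a* number, but that number is the
    intercept of some other curve through those points, so it carries no
    information about the real secret.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # pow(den, -1, P) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


if __name__ == "__main__":
    secret = 4242
    shares = make_shares(secret, threshold=3, n=5)
    print("shares:", shares)
    print("3 shares ->", recover_secret(shares[:3]))   # the secret
    print("2 shares ->", recover_secret(shares[:2]))   # a random-looking wrong value
```

Note that recovery with too few shares does not fail loudly: it returns a perfectly plausible but wrong number, which is the whole point. Someone holding two shares of a three-of-five split cannot tell which intercept is the real one.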

I also learned about the three things that people try to maintain in cryptography.

  1. Confidentiality
  2. Integrity 
  3. Authentication 
In order to maintain confidentiality people use ciphers (methods of encryption). In order to maintain integrity hashing is used. A hash is a fixed-length fingerprint of a message or program; changing even one bit of the input produces a completely different hash, so a stored hash reveals whether anything in the message or program was altered. Authentication is maintained by using digital signatures, similar to how we use signatures for signing important documents.

Another thing I learned about is Public Key Cryptography. In PKC every person has two keys: a public key that other people use to send you encrypted messages, and a private key that only you hold and use to decrypt those messages. The two keys are inverses of each other, meaning that if I encrypt using my private key anyone can use my public key to decrypt it. This allows people to have a signature. By encrypting a hash of the message with their private key (which anyone can check with their public key) they show that it is actually them sending the message, and that the message was not changed on the way.

Another thing I learned about is Deniable Encryption, which allows you to have two different keys that give two different messages when used. This is useful if someone is kidnapped or held at gunpoint and forced to give up a key to decrypt the message: they hand over the key that produces the harmless message, and the ciphertext gives no way to tell that a second key exists.

Wednesday, April 17, 2013

Today I went to my internship and we started preparing for my poster presentation. We talked about the key things I have done throughout the year and we also decided what I am going to demo.

Wednesday, April 10, 2013

Today I went to my internship and we talked about the code I used for my One Time Pad program and things I can do to improve it.

One Time Pad Encryption
Basically I start by converting the message into bits, which are also known as ones and zeros. I then generate a random key of ones and zeros the same length as the message. I then compare the two strings at each position. If the bits are the same, it places a zero in that same position in the ciphertext. If they are different, the program puts a one in that position (this comparison is the exclusive or, XOR). The ciphertext is then printed to the screen.

One Time Pad Decryption

In order to decrypt the ciphertext, the program first compares the ciphertext with the key. Just like before, if the bits are the same it places a zero and if they are different it places a one. This gives you the binary for the message. The next step is to convert the binary back to characters. After this step the program prints the original message to the screen.

I am going to add a few improvements to my program. I am going to add -e and -d flags which will allow me to control whether the program encrypts or decrypts. Right now, the program does both at the same time, which is unconventional. I also want to add a command that allows me to enter a key and ciphertext pair, and then decrypts the ciphertext and gives me the original message.

Wednesday, April 3, 2013

Today I went to my internship. I made a polyalphabetic cipher. In a polyalphabetic cipher each character is shifted by a different Caesar cipher. The Caesar shift used for each character is based on the corresponding letter of a key, which repeats for the length of the message. This defeats simple single-letter frequency analysis, because the same plaintext letter is encrypted to different ciphertext letters depending on its position. (A repeating key can still be attacked once its length is found, but not with a single frequency count.)

Polyalphabetic Cipher

I also learned about the One Time Pad, which is the only cipher that is provably unbreakable. The way it works is that it first converts the message into bits (ones and zeros) and then does exclusive or with a randomly generated key that is as long as the message. Exclusive or compares the message to the key and if the bits are the same at a position it places a zero and if they are different it places a one. The reason this cannot be broken is that the key is truly random and used for only one message, so every possible plaintext of that length is equally consistent with the ciphertext. A rule with the One Time Pad is that you can only use a key one time, or the messages will be decryptable: XORing two ciphertexts made with the same key cancels the key out and leaves the XOR of the two plaintexts. Another interesting thing I learned about is homomorphic cryptography. Homomorphic cryptography allows you to send an encrypted message to a company or another person, who can then manipulate the data/message without ever decrypting it. Then after they manipulate it, they can send it back to the original person, who can decrypt the manipulated data.
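As an added Python example (not the program from the April 10 entry or any other code from the original post), here is the one-time pad as described there and above, with encryption and decryption as separate functions and the key-reuse problem made concrete. The two sample messages are constructed for the example; the key comes from the operating system's cryptographic random source (the secrets module) rather than a general-purpose random() call, because a guessable key is the one way a one-time pad falls apart.

```python
import secrets


def otp_keygen(length):
    """A fresh key of `length` bytes from the OS CSPRNG (secrets, not random:
    a predictable key is the one thing that breaks a one-time pad)."""
    return secrets.token_bytes(length)


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings: a 0 bit where the two
    inputs agree, a 1 where they differ, exactly the position-by-position
    comparison described in the post, done 8 bits at a time."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message, key):
    return xor_bytes(message, key)


def otp_decrypt(ciphertext, key):
    # XOR is its own inverse: (m ^ k) ^ k == m, so decryption is the same step.
    return xor_bytes(ciphertext, key)


def to_bits(data):
    """Render bytes as the string of ones and zeros the post's program printed."""
    return "".join(format(b, "08b") for b in data)


def key_reuse_attack(c1, c2, known_m1):
    """Why a pad is used once: with c1 = m1 ^ k and c2 = m2 ^ k, the key cancels
    in c1 ^ c2 == m1 ^ m2. Anyone who knows (or guesses) m1 then reads m2
    without ever seeing the key."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)


if __name__ == "__main__":
    m1 = b"attack at dawn"            # constructed sample messages
    m2 = b"retreat at six"
    key = otp_keygen(len(m1))
    c1 = otp_encrypt(m1, key)
    c2 = otp_encrypt(m2, key)         # same key used twice: the mistake
    print("key :", to_bits(key))
    print("c1  :", to_bits(c1))
    print("back:", otp_decrypt(c1, key))
    print("leak:", key_reuse_attack(c1, c2, m1))   # m2, recovered without the key
```

The length check in xor_bytes is deliberate: a key shorter than the message would have to be repeated, and a repeated key is a Vigenère cipher, not a one-time pad.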

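Both the signature idea from the April 24 entry (encrypt with the private key, check with the public key) and the homomorphic computation mentioned above can be shown with textbook RSA. The following is an added Python example, not code from the original post or from any library. It assumes two small primes (104729 and 1299709) chosen only to keep the numbers readable, and it deliberately omits the padding (PSS, OAEP) that real RSA needs, so it illustrates the arithmetic and nothing more.

```python
import hashlib

# Toy RSA parameters, an assumption for this example only: two small primes
# so the numbers stay readable. Real keys use primes of 1024+ bits and a
# padding scheme (PSS for signatures, OAEP for encryption); this has neither.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def encrypt(m, public_key):
    n, e = public_key
    return pow(m, e, n)


def decrypt(c, private_key):
    n, d = private_key
    return pow(c, d, n)


def message_digest(message, n):
    """Hash the message (the integrity part) and reduce it into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """'Encrypting with the private key': apply the private exponent to the
    message hash. Only the holder of D can produce this value."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Anyone with the public key undoes the private operation and checks that
    the result matches the hash of the message they actually received."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def homomorphic_product(c_a, c_b, public_key):
    """Textbook RSA is multiplicatively homomorphic: the product of two
    ciphertexts is the ciphertext of the product of the plaintexts, so a third
    party can compute on the data without ever decrypting it."""
    n, _ = public_key
    return (c_a * c_b) % n


if __name__ == "__main__":
    msg = b"transfer 100 to alice"          # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    print("valid   :", verify(msg, sig, PUBLIC_KEY))                       # True
    print("tampered:", verify(b"transfer 900 to alice", sig, PUBLIC_KEY))  # False
    c6, c7 = encrypt(6, PUBLIC_KEY), encrypt(7, PUBLIC_KEY)
    print("6 * 7 computed on ciphertexts ->",
          decrypt(homomorphic_product(c6, c7, PUBLIC_KEY), PRIVATE_KEY))   # 42
```

The same property that makes the homomorphic multiplication work is why unpadded RSA must never be used for real signatures: an attacker can multiply two valid signatures to forge a third.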

Tuesday, April 2, 2013

Before break I went to my internship. I started my final project, which is to create an encryption program that can encrypt and decrypt messages using different encryption methods. First I created a Caesar Cipher and added different options, encrypt and decrypt. I then created a Substitution Cipher and added the encrypt and decrypt options. An important thing I had to remember to do was to make the different encryption methods, and encrypt and decrypt, mutually exclusive, meaning that you cannot select both at the same time. My next step is to add a Polyalphabetic Cipher.

Example of the code I used in my program.

In the program above the program takes whatever is in the output.txt file and encrypts it. It then places that encrypted message in the input.txt file. The message in input.txt is then decrypted and printed to the screen.

Friday, March 8, 2013

Today I went to my internship and we talked about encryption. First I made a substitution cipher, which is when you substitute every letter of the alphabet with another; for example P could be substituted for A and Y for T, so the word AT would be encrypted as PY. Here is a picture of the code (white) and the program being run in the command line (black):



We also talked about decryption. People look at letter frequencies, letter combinations (ex. qu, th, and st), and permutations in order to crack the encrypted message. The encryption above is vulnerable to things such as repeated messages, chosen plaintext attack, chosen ciphertext attack, and English frequency analysis.
In a chosen plaintext attack you choose the text you want them to encrypt and look at the ciphertext you get back, which reveals the substitutions directly (leak info on purpose). In a chosen ciphertext attack you hand them ciphertext and get back the plaintext for it, which reveals the same mapping in the other direction (for example, a man in the middle who can get messages decrypted for him).

Thursday, February 28, 2013

Today I went to my internship and we talked about the types of places someone can work in computer security. One thing that I thought was really interesting was how everyone has flex hours, which means you decide what hours during the day you work, as long as you put in the number of hours needed. You can also work from home, which is another perk. Here is a list of various branches of work:

The other part of the day was spent working on creating ciphers. Today I made a shift cipher. A shift cipher converts the text input into numbers (using the ASCII table). We then add a "key" (a number you establish at the beginning of the program) to each converted number, which changes the letter the number now represents; if the shift runs past the end of the alphabet it should wrap around to the start. Because of this, when you print the message to the screen it is no longer readable. Below is an example:

Shift Cipher: white is python code, black is the command line that runs the program
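As an added Python example (not the code from the original post), here are the three ciphers on this page together: the shift (Caesar) cipher from this entry with the wrap-around done mod 26, the substitution cipher from the March 8 entry, and the polyalphabetic cipher from the April 3 entry, plus the single-letter frequency analysis discussed on March 8. The sample sentence is constructed for the example. Running it shows that the frequency trick recovers a Caesar shift but not a polyalphabetic key.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Constructed sample plaintext, chosen so that E is clearly the most common letter.
PLAINTEXT = "MEET ME AT THE OLD BRIDGE AT SEVEN. THE ENEMY HAS SEEN THE MESSENGER LEAVE THE CITY."


def caesar(text, shift):
    """Shift cipher: move each letter `shift` places, wrapping past Z back to A
    (the mod 26). Non-letters are passed through. Decrypt with -shift."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution(text, key, decrypt=False):
    """Monoalphabetic substitution: `key` is a 26-letter permutation of A-Z and
    key[i] replaces ALPHABET[i]. Decryption uses the reversed mapping."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.upper().translate(str.maketrans(src, dst))


def vigenere(text, key, decrypt=False):
    """Polyalphabetic cipher: the i-th letter of the message is Caesar-shifted by
    the i-th letter of the key (A=0 ... Z=25); the key repeats as needed.
    Only letters consume a key position, so spaces do not desynchronise it."""
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            s = shifts[i % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + (-s if decrypt else s)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def guess_caesar_shift(ciphertext):
    """Single-letter frequency analysis: assume the most frequent ciphertext
    letter stands for E (the most common letter in English) and return the
    shift that implies."""
    counts = Counter(ch for ch in ciphertext.upper() if ch in ALPHABET)
    top_letter = counts.most_common(1)[0][0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


def frequency_break_works(ciphertext, plaintext):
    """True if undoing the single guessed shift restores the plaintext."""
    return caesar(ciphertext, -guess_caesar_shift(ciphertext)) == plaintext.upper()


if __name__ == "__main__":
    c1 = caesar(PLAINTEXT, 3)
    c2 = vigenere(PLAINTEXT, "LEMON")
    print("caesar  :", c1, "| broken by frequency:", frequency_break_works(c1, PLAINTEXT))
    print("vigenere:", c2, "| broken by frequency:", frequency_break_works(c2, PLAINTEXT))
```

The Vigenère result is not broken here because each plaintext letter is shifted by one of five different amounts, so no single shift undoes it; it is still breakable, but only after the key length is found and each of the five interleaved Caesar ciphers is attacked on its own.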

Saturday, February 23, 2013

On Wednesday I went to my internship. I learned how to run a DLL file in order to analyze it as malware, and I also learned some beginning Python programming. In order to run a DLL you need to go to the command line (cmd), go to the C: directory, type rundll32.exe dllname,ExportName and press enter. Then do dynamic analysis on the DLL.


In Python I learned how to print to the screen. I also learned the for loop "for i in range(x)", which, combined with print, outputs the values one per line vertically. I also learned how to shift the letters in a string, which is the start of learning how to encrypt a message. I then began (but did not finish) trying to encrypt a message in a way that can be decrypted again.

Below are some pictures of my python code and what occurs when you run the program:



AAAS Conference

      This past weekend I went to the AAAS Conference in Boston. It was very interesting and a lot of fun. At the conference there were talks ranging from medicine to physics to art. An important thing I noticed, however, is that many of the talks were interdisciplinary. My favorite exhibit at the exhibition is a good example of this. The exhibit was done by postdocs and graduate students from Canada, who wanted to model the human brain with its firing synapses. At the exhibit they had both a robot and a computer model. In order to make the model they had a group of biologists, neuroscientists, computer scientists, and engineers all working together. They said that some of the hardest things are to make a model that has a similar synaptic firing rate (computing rate) to the actual human brain and to create a physical model that both looks and acts like the computer model.
   
    The talk I liked most was about strokes and how we can help patients recover better. My favorite part was on regenerative strategies. The two methods of regeneration that they covered were Endogenous Stem Cell Stimulation and Exogenous Stem Cell Transplantation. The speaker was doing research on mice and rats for both of these methods and found them both to be effective.

Below is a link to the paper written by one of the speakers on Endogenous Stem Cell Stimulation.

http://www.ecf.utoronto.ca/~molly/publications/hydrogel%20delivery%20of%20erythropoietin...after%20stroke%20injury.pdf

Some other things I enjoyed while at the conference were...

Sticking a wooden stick through a balloon without popping it! A balloon is made out of polymers. When polymers are stretched, they become very rigid and easy to break, which is why a balloon normally pops. However, at the ends of the balloon the polymers are not stretched very tightly at all, allowing them to be flexible and therefore preventing them from breaking.


 Below is an example of two enantiomers:

Thursday, February 14, 2013

Yesterday I went to my internship. I learned how to do basic dynamic analysis on malware. First make sure you are in the virtual machine and that it is not connected to the internet. After that, open Process Explorer and Regshot. In Regshot take the first snapshot. Then open Process Monitor and, once it is capturing, quickly run the malware. After about a minute stop Process Monitor. Apply filters, such as the name of the executable and operations like WriteFile and RegSetValue. Look for new executables (.exe) being created and find their location. If the malware also writes a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing at that file, the file will be started automatically when the computer starts up; this is a common way for malware to make itself persistent. If you see that a file is created, find the file, hash it, and compare the hash to the hash of the original malware file. If they are the same, the malware has copied itself. The next step is to take the second snapshot in Regshot, compare the two and see what has changed. After doing so, check whether the malware tries to connect to the network by using ApateDNS and Wireshark. ApateDNS answers the malware's DNS lookups with an address you control, so you can see what domain names it tries to reach without letting it out to the internet. Then use Wireshark to see the ports it uses and to analyze the packets that the malware tries to send. You can also use another VM running Linux on the same isolated network to listen to what the malware is sending.

These are the basic steps in dynamic analysis. I will describe later what exactly each tool is used for.
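The triage part of that procedure, filtering the Process Monitor log for the executable's WriteFile and RegSetValue events and comparing a dropped file's hash to the original, can be automated. What follows is an added Python example, not a tool from the original post. The CSV rows are constructed to look like a Process Monitor export (the column names match what Procmon writes; the events themselves are made up), and the file contents hashed at the end are placeholders.

```python
import csv
import hashlib
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV).
# None of these events come from a real sample; they stand in for what the
# filters described above would leave on screen.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\Public\svchost.exe"
"10:01:02.3","sample.exe","1234","WriteFile","C:\Users\Public\svchost.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.5","sample.exe","1234","WriteFile","C:\Users\Public\notes.txt","SUCCESS","Offset: 0, Length: 12"
"10:01:03.0","explorer.exe","800","ReadFile","C:\Windows\explorer.exe","SUCCESS","Offset: 0, Length: 512"
'''

# Autostart locations worth flagging (HKLM or HKCU, Run and RunOnce).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DROPPED_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs")


def triage(procmon_csv, process_name):
    """Apply the two filters from the procedure above, limited to one process:
    executables written to disk, and values set under a Run key."""
    dropped, autoruns = [], []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile" and path.lower().endswith(DROPPED_EXT):
            if path not in dropped:
                dropped.append(path)
        elif op == "RegSetValue" and AUTORUN_KEY.search(path):
            autoruns.append((path, row["Detail"]))
    return dropped, autoruns


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_self_copy(original, dropped):
    """Compare hashes, not names: a dropped file with the same hash as the
    original sample is the malware copying itself."""
    return sha256_hex(original) == sha256_hex(dropped)


if __name__ == "__main__":
    dropped, autoruns = triage(PROCMON_CSV, "sample.exe")
    print("dropped :", dropped)
    print("autoruns:", autoruns)
    # Placeholder bytes standing in for the original sample and the dropped file.
    print("self-copy:", is_self_copy(b"MZ\x90 sample bytes", b"MZ\x90 sample bytes"))
```

On a real capture you would read the CSV from disk and hash the actual files with open(path, "rb"), inside the VM; the logic is the same.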

Tuesday, February 12, 2013

I was not able to go to my internship on Friday because of the snow.

Monday, February 4, 2013

On Friday I went to my internship. I learned that there are two types of analysis, static and dynamic. In static analysis we do not run the malware. We look at the strings, the DLLs, the imports, exports, and functions. If the malware is packed this can be a difficult tactic to use, because most of the code is hidden from our view. There are ways to unpack malware, but I have not gotten that far in the lesson. Dynamic analysis is when you run the malware and see what it does and how it affects the machine. It is important that you do dynamic analysis in a virtual machine, so you do not harm your computer or spread the malware. In class we also "cracked" the game solitaire. We changed the program so that on any valid move, you would win the game. This was one of my favorite parts of class this week. It was fun.

Tuesday, January 29, 2013

I have decided that my final project will be analyzing an actual piece of malware. In order to accomplish this I will be attending my mentor's Malware Analysis class. I attended the first class on Friday. In the class we reviewed PEiD, virtual machines, and other tools useful in static malware analysis.
Last week I learned about IRC (using the mIRC client), which is basically where hackers communicate. I learned the basics of how to communicate and how to protect your identity. I also learned about bots, which are basically programs that connect to IRC channels. The bots can be used by hackers: the bot connects to IRC from the victim's computer and the hacker then has control of that computer. This allows hackers to create botnets, which is when one person controls a large number of computers. In order to avoid being caught many people connect through multiple hosts in multiple countries, which makes it hard to find out the hacker's location.

Thursday, January 10, 2013

Jan 9th


Today, we went over how malware analysts investigate suspicious programs. The first step is to transfer the files off of the infected computer onto a USB drive and then into a virtual machine. A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes programs like a physical machine (Wikipedia). It is important that you are working inside the virtual machine when the USB is connected, or else the entire computer is at risk of being infected. One of the nice things about a virtual machine is that you can take a snapshot of the machine's current state and restore it to that state if anything happens to it. Once the program is loaded onto the machine there are various tools you can use to try to find out what the program does. Today I learned about five different tools that can be helpful.

The first tool I learned about was WinMD5Free. WinMD5Free computes the hash of a program. A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length (Wikipedia). The hash is helpful because it tells you whether you are working on the same program, even if the file name changes or the text in it is in a different language. It can also be useful if you are working in a classified situation, because you can check whether anyone else has encountered the program by sharing only the hash, without sharing the actual program with anyone else.

The next tool is Strings. Strings is helpful because it shows all the printable strings within the program. When using Strings you want to look for IP addresses, DLL names and EXE names. These are helpful because they can tell you whether the malware connects to the network or creates new programs. If you find an IP address you can check the firewall logs to see if any other computers are connecting to that address; if they are, they are most likely infected as well.

The next tool you can use is Dependency Walker.
Dependency Walker is used to see what functions the malware imports from the various DLLs it uses. By looking at these you try to infer what types of actions the malware performs. Another important thing to check is whether the malware imports only one or two functions from a DLL (often just LoadLibrary and GetProcAddress from kernel32.dll). This usually means that the malware is packed or encrypted and resolves its real imports only at run time, which makes it harder to figure out what the malware actually does. PEiD is another tool that can help you figure out whether the malware is packed. If you find that the malware is packed (and even if it isn't), it can be helpful to use the Resource Hacker tool. This tool shows the malware's resources, which are the media items (icons, dialogs, embedded files) used in the program. The resources are usually not packed along with the code, so you should still be able to see them if the program uses any.
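As an added Python example (not code from the original post and not the Sysinternals tool itself), here is the hash-and-Strings step from the paragraphs above done in a few lines: extract printable ASCII runs from a byte string the way Strings does, then pull IP addresses and DLL/EXE names out of them and hash the whole file. The bytes in SAMPLE are constructed for the example and are not a real executable; the 192.0.2.x address is from the documentation range.

```python
import hashlib
import re

# Constructed bytes standing in for a suspicious executable. This is not a
# real sample: just a DOS header stub, some padding and a few embedded strings
# of the kind the Strings tool surfaces.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"\x01\x02\x03"
    + b"http://192.0.2.45/update.exe\x00"
    + b"ws2_32.dll\x00connect\x00" + b"\xff" * 8
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MODULE = re.compile(r"\b[\w.-]+\.(?:dll|exe)\b", re.IGNORECASE)


def strings(data, min_len=4):
    """What the Strings tool does: pull out every run of at least `min_len`
    printable ASCII bytes. (Sysinternals Strings also finds UTF-16 strings;
    this version only handles ASCII.)"""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def indicators(data):
    """The first-pass static triage from the post: hashes to identify the file,
    plus IP addresses and DLL/EXE names pulled from its strings."""
    found = strings(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "ips": sorted({ip for s in found for ip in IPV4.findall(s)}),
        "modules": sorted({m.lower() for s in found for m in MODULE.findall(s)}),
        "strings": found,
    }


if __name__ == "__main__":
    for key, value in indicators(SAMPLE).items():
        print(f"{key:8}: {value}")
```

The import names that show up here (LoadLibraryA, GetProcAddress) are exactly the thin import table described above, so a tiny strings list like this one is itself a hint that the sample is packed.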