Last Friday, Wikileaks ruined my day by releasing the MARBLE CIA exploits, including source code. I say ruined in that I spent most of the day deciphering the code to determine the inner workings of MARBLE instead of working on more code to protect your privacy. Still, the analysis does reveal some nice features and possible uses in the normal work of information security.

MARBLE is not a destructive or surveillance tool. Instead, MARBLE is used to hide things inside other code and data. Its basic operation is to stop forensic investigators and anti-virus companies from attributing viruses, Trojans and hacking attacks to the CIA. It can also be watered down to display purposely planted misdirection code and comments in various foreign languages such as Russian, Farsi (Iran) and Chinese.

MARBLE does this by hiding text fragments used in CIA malware from visual inspection. It is not encryption but a form of digital camouflage. According to the CIA documentation, MARBLE is "[D]esigned to allow for flexible and easy-to-use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop."

The forensics on the code show a few interesting things. First, the CIA MARBLE appears to be aimed mainly at Microsoft Windows and Apple iOS and Mac operating systems. The code was modified as recently as early 2016, so the information is fresh. The Apple exploit has a feature that appears designed to launch through Firefox. Most of the coding aimed at the Apple systems is either in C or Python. This generic coding using common languages does allow the CIA to transport the exploits to other platforms such as Linux.

Ironically, the CIA elected not to use expensive (over-priced) vendor-built encryption libraries to work with MARBLE. These corporate-built, state-of-the-art contractor/vendor distributed systems sell for hundreds of thousands of dollars and are reportedly the peak of encryption technology. Instead, the CIA elected to use the same encryption library that we do here at Softwar Inc., Bouncy Castle. The reason we use the Australian-supplied encryption library is that it is well documented as being accurate, fast, and sound. Bouncy Castle has no back doors or known flaws, unlike some vendor-driven libraries which, for example, contained versions of the DUAL_EC back door exploit that ended up biting Juniper.

Now, on the Microsoft side... The CIA uses... drumroll please... Microsoft Visual Studio Solution File, Format Version 12.00 and Visual Studio 2013. All very basic Microsoft products, using C as the source code language. They use standardized Microsoft code libraries, OpenSSL for any secure web coding, and Microsoft encryption and compression libraries. In short, you could purchase the same coding systems from a retail box store.

However, one odd item located in the Python code is a note not to use the first number out of the random number generator. There is no open documentation in the regular world warning not to use the first number from Python's random number generator, so one can assume the CIA coders put this quirk in there on purpose to avoid something inside the pseudo-random generator. Translation: someone may have rigged the roulette wheel drawing random numbers inside Python.

Loyal readers of the Softwar ENews know that in 2015 a rigged roulette wheel called Dual_EC inside the high-dollar corporate communications equipment made by Juniper Inc. allowed someone a back door. This hack affected the stock market, the global banking system, financial institutions, Homeland Security, the Dept. of Defense and various other law enforcement agencies. It seems that the NSA or CIA decided to plant a back door to monitor terrorist financial transactions but, as with any back door, someone else found it. This someone else was able to alter it, allowing them not just to monitor but to change things without getting caught.

There is a fine distinction between defensive surveillance (using passive measures to monitor data) and offensive operations. Again, the recent CIA leaks such as MARBLE are designed for offensive operations, planting exploits that could destroy or alter data. The use of a rigged roulette wheel is not just for criminal nation states but for individual criminals too.

One such criminal, a programmer named Eddie Tipton, was recently caught. Tipton's job at the Iowa-based Multi-State Lottery Association was to write software designed to pick numbers for lottery computers used for games by 37 states and territories. In court testimony, a close friend and fellow partner in crime of Tipton confessed that Tipton told him that he'd created computer code that allowed him to predict lottery numbers for certain games on certain dates.

The scheme was deadly simple: Tipton installed software on the random number generators that worked as intended 362 days of the year, programming them to produce predictable numbers on May 27, Nov. 22 and Dec. 29. While Tipton wouldn't know the precise winning combinations, he did know that he could play certain combinations and score a winning number. Tipton gave his partner in crime cards with hundreds of numbers on them to play and, as he predicted, one of them hit the jackpot. Once they won, they sought out friends and family members to cash the tickets for a share of the winnings.

The scheme was uncovered when the group tried to cash the $16.5 million jackpot from a December 2010 Hot Lotto ticket. Iowa Lottery officials became suspicious when a group of attorneys tried to cash the ticket without revealing who bought it.

Tipton's attorney, Dean Stowers, said the programs were certified by third-party vendors responsible for verifying the random function and at no time flagged anything unusual. He denies Tipton did anything illegal. Tipton was convicted of two counts of fraud and sentenced to 10 years in prison.

It is here that we can see the complexity of verification that allows a hacker to mask his code even from professionals. Tipton's code passed audits and was not discovered. Tipton's code was not exploited by others since no one else knew of it.
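The date-gated scheme described above and the certification that missed it are worth seeing side by side. The following is an added example written for this article, not code from the lottery vendor, the certifiers or the court record: a toy draw generator that is honest on every day except three trigger dates taken from the article, together with an audit that first checks a single day (the way a one-shot certification does) and then repeats that check across the whole calendar year. The generator, its seeding, the draw format (6 balls of 49) and the statistics are all constructed for the demonstration.

```python
# Added example (not from the article or any lottery vendor's code): why a
# one-day certification of a random number generator can miss a date-gated
# backdoor, and what an audit that varies the clock looks like instead.
import datetime
import hashlib
import random
from collections import Counter

# Trigger dates are the ones the article reports; everything else is constructed.
TRIGGER_DATES = {(5, 27), (11, 22), (12, 29)}


class DateGatedRng:
    """Toy draw generator: honest OS-backed random picks on most days, a
    deterministic sequence derived from the date on the trigger dates."""

    def __init__(self, today: datetime.date):
        self.today = today
        self._rng = random.SystemRandom()

    def draw(self, count: int = 6, top: int = 49) -> list:
        if (self.today.month, self.today.day) in TRIGGER_DATES:
            # Predictable: the same balls every time this date is asked.
            seed = hashlib.sha256(self.today.isoformat().encode()).digest()
            return sorted(random.Random(seed).sample(range(1, top + 1), count))
        return sorted(self._rng.sample(range(1, top + 1), count))


def audit_one_day(today: datetime.date, trials: int = 3, make_rng=DateGatedRng) -> bool:
    """Draw `trials` times with the clock fixed at `today`. Two honest 6-of-49
    draws coincide with probability about 1 in 14 million, so any repeat flags
    the date; a deterministic backdoor repeats on the very first retry.
    Returns True when the day looks random."""
    seen = Counter(tuple(make_rng(today).draw()) for _ in range(trials))
    return max(seen.values()) == 1


def audit_full_year(year: int = 2010, make_rng=DateGatedRng) -> list:
    """Run the single-day audit for every calendar day of `year` and return
    the (month, day) pairs that fail. This is the check a one-shot
    certification on an arbitrary day never performs."""
    day = datetime.date(year, 1, 1)
    failed = []
    while day.year == year:
        if not audit_one_day(day, make_rng=make_rng):
            failed.append((day.month, day.day))
        day += datetime.timedelta(days=1)
    return failed


if __name__ == "__main__":
    cert_day = datetime.date(2010, 6, 1)   # constructed certification date
    print("single-day audit passes:", audit_one_day(cert_day))
    print("days failing the year-long audit:", audit_full_year(2010))
```

The single-day audit reports a pass for any day that is not a trigger date, which is the situation the certifiers were in; only driving the clock through the year, or reviewing the source for date-dependent branches, exposes the three bad days. A real audit would add distribution tests on the honest days as well, but the repeat check alone is enough to show why black-box sampling on one date proves little.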

Ironically, this same kind of masking is what the CIA MARBLE project was designed to do: hide stuff that you don't want anyone else to find. The Juniper Dual_EC code rigger was also well masked and hidden. It too was missed by trained code auditors.

The Juniper hack, however, was discovered by someone else, either by observation of the code or by an inside mole who leaked the project. Of course, instead of hacking a single lottery, the Dual_EC rig allowed some unknown third party to possibly hack the stock market, or the government, and remain undetected. To this day, the Juniper hacker remains person or persons unknown.



PS - this is what I was working on... Go For It!
