Researcher builds botnet-powered distributed file storage system using JavaScript - levineingle1968

The latest Web technologies bathroom be used to build a secure and spread register computer storage system by loading a put together of JavaScript cipher into users' Net browsers without them knowing, a researcher incontestable Sunday at the Defcon security conference in Las Vegas.

The botnet-type system is called HiveMind and was built away Sean T. Malone, a principal security consultant at penetration testing firm FusionX.

HiveMind uses technologies like HTML5 WebSockets and Web Storage that are also misused by legitimate Web applications.

A gray area

There are no malicious exploits being used, so there is nothing that can buoy be patched to prevent it, Malone said. However, building the botnet by acquiring other people's browsers to load a piece of JavaScript code and storing data on their computers waterfall into a legally grey area, he said.

"This was a research project, not production computer software" he aforementioned. "I'm not a attorney, so I preceptor't intend to give anyone legal advice with this," he said, adding that everyone is obligated for what they resolve do with the package helium plans to release later this workweek.

The HiveMind JavaScript code can be distributed to browsers in various ways, including hosting the JavaScript cipher on legitimate or compromised websites or by distributing the code through an advertising network, which would place it along multiple websites.

For his research, Malone constituted an unnamed Net proxy server that later got added to procurator lists and started being used by people. All time someone used the proxy server to browse to a Web page, the server would inject the HiveMind JavaScript code into that Page.

According to the researcher, his proxy server was getting connections from 20,000 unique Internet Protocol (IP) addresses every ten minutes, which then became nodes in the botnet.

HiveMind has a command and control (C&adenylic acid;C) server that uses a SQL database to observe a record of all files and the nodes—browsers running the JavaScript code—they're dealt out happening.

When a file away is uploaded to the server, IT is encrypted using the Advanced Encryption Standard (AES) with a password provided by the uploader. The encrypted file then gets split into multiple blocks and those blocks are distributed across different nodes.

All file can have a different password, Malone said.

Because the botnet is extremely dynamic, with nodes constantly disappearing when users close their browsers, every file barricade is distributed across multiple nodes to reach redundancy.

The nodes constantly announce their presence and the list of blocks they have back to the server, so that a particular block can be decentralized to new nodes if the number of nodes storing it drops under a predestined threshold.

After a file is uploaded, encrypted and distributed to the nodes, information technology is no longer kept on the server. Only a record of the nodes that contain its different blocks is stored, because this is necessary to reconstruct the file, Malone aforesaid.

A straggly bubbly system

If a government agency were to seize the server and withdraw it away, the block replica process would fail because the nodes would part with going offline, which would make the file unrecoverable, Malone said. There are a few ways to recover the information, but it is very difficult and it involves seizing a biggish number of nodes or compromising the server while information technology's still online and coercing the owner to furnish the passwords necessary to decrypt the files.

There is a right smart to provide "insincere deniability" for the owner and it involves initially seeding the server with a large number of dummy files that moderate random data, but this functionality is not yet built into the system, Malone said.

The user can order that he created the system, only did not put any material information in it, even though he did also upload some real files on with the dummy ones.

Because the random information in the dummy files looks the duplicate as the unselected data in encrypted files, when disagreeable to recover a file there is no agency to tell if the password supplied by the user was correct and a dummy was decrypted, operating theater if the password was wrong, the researcher said.

In this way, the user terminate supply the wrong parole for the files he knows are real and the other political party would have no way to bear witness that the password was correct or incorrect.

Piece the legality of building such a botnet is questionable, this system could also equal set upfield as a collaborative effort, where users volunteer their browsers themselves and are competent to upload files to the system, Malone said.

Source: https://www.pcworld.com/article/453209/researcher-builds-botnetpowered-distributed-file-storage-system-using-javascript.html

Posted by: levineingle1968.blogspot.com

Share this post