As an IT infrastructure manager, Jerry spent more time skimming his junkmail folder than he liked. Unfortunately, a large number of important messages landed there, because Garrett, the CSO, mandated an extremely aggressive approach to identifying spam. No less than once a week, a vital message was marked as spam.

NCI bacon.jpg

One afternoon, Jerry noticed an email from Garrett canned away in the spam folder. It was badly formatted, incomprehensible, and CCed to a large list of people. He forwarded the message to the security office, noting, “This looks suspicious. Could someone have malware? Or is this a phishing attempt?”

Over the next few weeks, Jerry didn’t waste any brainpower on the mysterious email. Garrett’s latest mandate required a new proxy server, to “harden security”, and a new firewall to “minimize breaches”. As the dust cleared from that effort, a new message from Garrett reached Jerry’s inbox.

“Based on the CC-SPOOF line, bcaec51a8bd23bf2c604fb04f899, I’ve tracked the sender to a location outside of Armonk, NY. I suspect they were WAR-driving on the Taconic Parkway, probably trying to breach IBM.”

CC-SPOOF? An obvious hash? Breaching IBM based on Garrett’s email address? Jerry scratched his head for five minutes, and then decided he needed an explanation. He grabbed a stiff cup of coffee, and then scaled the stairs up to the literal upper management floor. “Garrett, how on Earth did you turn that gobbledygook into a location in New York State?”

Garrett’s office was a haven of creative disarray. Papers, most of them detailing internal security arrangements and other limited access data, piled up high on his desk. The walls and his monitor were spackled with Post-It™ notes; they were a mixture of todos, reminders, and more than a few marked “user:/pass:”.

Garrett leapt from his chair in a flutter of papers, and landed beside the whiteboard. Thrilled to have someone interested in his hard work, he grabbed a marker, cleared off some space on his whiteboard, and launched into his explanation.

“The email contained this line in the headers,” Garrett said as he scribbled:

Content-Type: multipart/alternative; boundary=bcaec51a8bd23bf2c604fb04f899

“That’s an interesting string, isn’t it? A boundary? Like a… border perhaps? What border could it be talking about? What’s encoded in there? Ha! Well, you’ll notice that if you ignore the last three digits, which are obviously meaningless, the string is 25 characters long. If it’s a multiple of 5, that means it can be a Baconian cipher. Now, a simple Baconian cipher works like this…”

Outside of Garrett’s little world, a Baconian cipher is a simple binary encoding that can be used for steganography. The letter “I” is “01000”, and “D” becomes “00011”. “Idiot” could be rendered as “01000 00011 01000 00111 10010”. These binary values can be encoded into a document through formatting changes, like using italics to represent “1”, and normal characters to represent “0”.

“This, obviously, is a complex Baconian cipher,” Garrett continued. He sketched out sprawling diagram connecting the various characters in the hash up through an epic conspiracy that roped in the Bilderberg Group and the Illuminati . In the end, Garrett “proved” that the hash encoded “411737”, which obviously was a lat/long- 41.1ºN by 73.7ºW. “It was encoded as boundary because Armonk, NY is on the NY/Conneticut border.”

Garrett set the marker down, panting. Unconsciously, Jerry had been inching back towards the hallway for the entire speech, but now Garrett was looking at him, expecting some sort of reply. “Um… according to the MIME specification, that boundary marker is just a random string, good only for separating the parts in a multi-part message. But you’ve… you’ve found that it was actually a cipher that contains the location of the sender?”

“Yes! Many times a private key is configured in the threat actor’s email or spam mailer program. Currently spoofing has taken on a nefarious attack profile, and with the cipher usage, in fact, I believe it has been in use for the past six years! This Google+ malware has been moving through friend circles.”

“Oh, I see.” Jerry extracted himself from Garrett’s office, careful not to touch anything lest the crazy be contagious. Still, the conspiracy-mongering had his curiosity piqued. Where did the email come from? Jerry found a secret code in the headers himself, cryptically marked “client-IP”. In an unlikely coincidence, that number matched exactly to the IP of Garrett’s computer. A remote scan of the machine revealed that it was riddled with malware. One of those was probably responsible for the garbled message… or maybe that’s just what they want you to think.