from the you-didn't-really-trust-them-did-you? dept.
ERNW security analyst Florian Grunow says North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags.
The operating system, developed from 2002 as a replacement for Windows XP, was relaunched with a Mac-like interface in 2013's version three. The newest version emerged in January 2015.
Grunow says files including Microsoft Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into its code that includes a number based on hardware serial numbers.
"When analysing the OS the first thing that came to our attention is that they have built their own kernel module named rtscan. There is a binary running that is named opprc and a few more binaries, one that seems to simulate/pretend to be some kind of 'virus scanner' and seems to share some code base with opprc," Grunow says.
"The first thing that came to our attention when looking at the functions in the binary was gpsWatermarkingInformation.
"Creating and using media files and documents on RedStar OS can get you into trouble if you are living in North Korea; do not assume that the files can be kept private and cannot be traced back to the creator."
Grunow says the operating system does not watermark files created with the open source OpenOffice word processing suite.
North Korea's Red Star Linux Inserts Sneaky Serial Content Tracker
(Score: 5, Funny) by chewbacon on Tuesday July 21 2015, @03:57AM
Really, this is my surprised font.
(Score: 1, Interesting) by Anonymous Coward on Tuesday July 21 2015, @08:27AM
Yeah, one would have thought they'd know to better hide their code. Never name your hidden functions for their actual functionality! Had the function been called updateVirusSignatures it would not have raised suspicion.
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 21 2015, @08:57AM
(Score: 0) by Anonymous Coward on Tuesday July 21 2015, @09:29AM
I think that theory is as valid as the theory that a gold digger who finds a nugget will be satisfied and stop searching for other nuggets.
(Score: 4, Interesting) by penguinoid on Tuesday July 21 2015, @04:58AM
How easy would it be to add some spoofed data? (This would protect people by diluting the usefulness of the data)
RIP Slashdot. Killed by greedy bastards.
(Score: 2) by MichaelDavidCrawford on Tuesday July 21 2015, @04:59AM
Use Red Star Linux.
I mean like I could use it here in Vancouver.
There would be so many marked documents that the dissidents would be lost in the noise.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Informative) by Anonymous Coward on Tuesday July 21 2015, @09:24AM
This is adding a hardware ID to the document. It's not a surveillance tool, it's an identification/evidence generation tool. So if they find a document they don't like, they'll read out the hidden ID and look it up in their database of domestic hardware IDs (which I'm sure they have). Your "noise" document will not show a hit in that database (but frankly, it probably won't even get to the point of being tested, because it most likely will not pass the relevance filter). However if they come across a dissident document, they'll find the ID in their database, and then can directly go after that dissident.
If you want to prevent someone finding a needle in the haystack, adding more hay will help. But if you want to prevent someone identifying the needle they already found, more hay will not help.
(Score: 3, Funny) by K_benzoate on Tuesday July 21 2015, @05:10AM
Time to change my distro, again!
Climate change is real and primarily caused by human activity.
(Score: 3, Funny) by Geotti on Tuesday July 21 2015, @09:33AM
Why, did RSL switch to SystemD?
(Score: 2) by pkrasimirov on Tuesday July 21 2015, @06:05AM
Is it illegal to recompile the kernel or unload modules?
----
> pretend to be some kind of 'virus scanner'
In Soviet Korea the virus is YOU!
(Score: 5, Informative) by Marand on Tuesday July 21 2015, @06:34AM
> Is it illegal to recompile the kernel or unload modules?
Unless something changed recently, Red Star is distributed Android-style, where the end-user doesn't have root without using privilege-escalation exploits, so that would not be an option for most. Not impossible, though; when the last version got leaked, researchers found an extremely trivial udev exploit caused by how they set things up. Of course, with the way NK controls information, the knowledge of that is probably not widespread there still.
(Score: 3, Interesting) by jmorris on Tuesday July 21 2015, @04:50PM
I'd be more worried about the fact you probably only get one try to get root. If a product here phoned home every time somebody tried to get root the manufacturers would quickly stop doing it to end the effective DDOS they had unwisely called down. Slightly different result in a beacon of progress like North Korea. Don't worry though, North Korea is just the vanguard and that sort of effective, progressive government will get to everyone else soon enough.
Hacking root generally isn't worth seeing your three generations of your family put in forced labor camps. That is how they handle dissidents there, and breaking their DMCA style content controls is considered a political act. And yes, that is basically what this is, control of content by controlling the PC.
(Score: 0) by Anonymous Coward on Tuesday July 21 2015, @06:52AM
Not just interface then.
(Score: 0) by Anonymous Coward on Tuesday July 21 2015, @01:19PM
No, they just rebadged Windows. After all, it's the most secure OS in the world.
(Score: 0) by Anonymous Coward on Tuesday July 21 2015, @05:53PM
Fortunately you're not confined to the two big fuckers!
(Score: 0, Funny) by aristarchus on Tuesday July 21 2015, @07:56AM
Only now, at the end, do you realize the true source of systemd! Prepare to renounce your paltry gods! Bow before Kim, you mere mortals! Ok, I am all out of memes. Oh, wait, all your kim-chee belong to us?
(Score: 4, Informative) by PizzaRollPlinkett on Tuesday July 21 2015, @11:00AM
"Grunow says files including Microsoft Word documents and JPEG images connected to but not necessarily executed in Red Star will have a tag introduced into its code that includes a number based on hardware serial numbers."
What is this article trying to say? You don't have JPEG "code" that "executes". Does he mean that the image editing software on this Linux distro puts metadata into the JPEG's tags? Why couldn't you strip that out? And are they running MS Word? Do they mean Open/Libre Office puts watermark information into Word documents, in the metadata fields? No, it later says Open/Libre Office doesn't. So what software puts what kind of tracking information in a Word document?
The report would be more informative if it made more sense.
(E-mail me if you want a pizza roll!)
(Score: 0) by Anonymous Coward on Wednesday July 22 2015, @08:23AM
Well, given that it is done in a kernel module and an independent process, I guess it just intercepts file writes/scans the disk for files, and if it detects a file of a certain type, it inserts its watermark.
So essentially, it probably doesn't matter whether your file was written with OpenOffice or Microsoft Word, but whether the file is saved in Microsoft Word Format or in Open Document Format.
Anyway, after that omission has been published, I wouldn't bet on this remaining the case. Possibly they already pushed an update which is closing that gap. I bet Red Star Linux has an automatic update mechanism that you cannot disable.
(Score: 4, Funny) by digitalaudiorock on Tuesday July 21 2015, @12:59PM
"...the freedesktop.org team has announced that the Sneaky Serial Content Tracker will be included in the next version of systemd." (ducks)
(Score: 0) by Anonymous Coward on Tuesday July 21 2015, @09:16PM
I wonder if either or both of the programs "jhead" (CLI tool) or MAT (GUI tool) could sanitize these files.
jhead: http://www.sentex.net/~mwandel/jhead/ [sentex.net]
MAT: https://mat.boum.org/ [boum.org]
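One way to check a JPEG for the kind of extra tag discussed in this thread (the file-type based insertion theory above and the question whether jhead or MAT would catch it), as an added example that is not from the article, ERNW, or either tool: it walks the marker segments, reports metadata segments and any bytes after the end-of-image marker, and rebuilds the file without them. The sample bytes and the HW-ID string are constructed; the page does not say where or how Red Star stores its tag, so a tag placed elsewhere (for example inside the compressed scan data) would survive this check.

```python
import struct
def _seg(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload
# Constructed sample, not a decodable image: enough marker structure for the
# parser, with a made-up tag planted in APP1 and again after EOI.
SAMPLE = (b"\xff\xd8"
          + _seg(0xFFE0, b"JFIF\x00\x01\x01")
          + _seg(0xFFE1, b"Exif\x00\x00HW-ID:constructed-1234")
          + _seg(0xFFDB, b"\x00" + bytes(64))
          + _seg(0xFFC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
          + _seg(0xFFDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34"
          + b"\xff\xd9" + b"HW-ID:constructed-1234")

def parse_jpeg(data):
    """Return ([(marker, payload)], bytes after EOI); the SOS (0xFFDA) payload
    keeps its length field, header and the whole entropy-coded scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"bad or truncated marker at offset {pos}")
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == 0xFFDA:  # SOS: scan data follows, no more length fields
            # In scan data 0xFF is only ever followed by 0x00 or RSTn (D0..D7),
            # so the first FFD9 after SOS is the real EOI (ValueError if absent).
            end = data.index(b"\xff\xd9", pos)
            segments.append((marker, data[pos + 2:end]))
            return segments, data[end + 2:]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
def is_metadata(marker):
    # APP0..APP15 (FFE0..FFEF) and COM (FFFE): the usual hiding places for a tag
    return 0xFFE0 <= marker <= 0xFFEF or marker == 0xFFFE
def audit_jpeg(data):
    """Metadata segments as (marker hex, size) plus the byte count past EOI."""
    segments, trailing = parse_jpeg(data)
    return {"metadata": [(hex(m), len(p)) for m, p in segments if is_metadata(m)],
            "trailing_bytes": len(trailing)}
def strip_jpeg(data):
    """Rebuild with only what a decoder needs: no APPn/COM, nothing past EOI."""
    segments, _ = parse_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if not is_metadata(marker):  # caveat: dropping APP14 alters Adobe colour
            out += struct.pack(">H", marker)
            if marker != 0xFFDA:  # the SOS payload already carries its length
                out += struct.pack(">H", len(payload) + 2)
            out += payload
    return bytes(out + b"\xff\xd9")
```

Run audit_jpeg on a file before and after strip_jpeg to see what was removed; a tag that survives is stored somewhere this approach does not touch.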
(Score: 0) by Anonymous Coward on Wednesday July 22 2015, @06:49AM
https://en.wikipedia.org/wiki/Printer_steganography [wikipedia.org]