Threat Stack Blog and Cloud Security News


Cicadas & Security: How an Alternate Reality Game Teaches Encryption and Security Best Practices, Part 1

by Toni Noble Jan 6, 2017 10:49:30 AM


When you think of alternate reality games (ARGs), things such as Ingress or Pokemon GO probably come to mind. While thinking about ways to use encryption or navigate the Tor network, you most likely wouldn’t think to start by browsing 4chan’s /x/ (paranormal) board. Yet on January 5, 2012 many people found themselves intrigued and began their journey to greater security knowledge, and perhaps to “enlightenment” (as a later puzzle states).

An alternate reality game uses digital and physical media on top of a real-world base to continually test players and often encourages them to work together to solve and shape the game. When an image containing the following text appeared on 4chan’s /x/ board exactly five years ago today, it was widely noticed:

There is a message hidden in this image.

Find it and it will lead you on the road to finding us. We look forward to meeting the few who will make it all the way through.

Good Luck.

3301

Some speculated that it was a Central Intelligence Agency (CIA) or National Security Agency (NSA) recruitment program while others assumed it was an alternate reality game. Whether it is one, both, or something else entirely remains to be known by nearly everyone involved in solving the puzzles, as those who have been contacted by Cicada are not vocal about it online. The mysterious post grabbed the attention of many security enthusiasts, ARG lovers, and everyone in between. Soon enough there was a community around solving Cicada 3301’s puzzles that stretched across Reddit, IRC, Wikia, and more.

The original image’s clue was found by opening it in a text editor and discovering a Caesar cipher at the end (denoted by “CAESAR says”). When decrypted, it turned out to be a URL pointing to an image of a wooden duck with the following text:

WOOPS

just decoys this way

Looks like you can't guess how to get the message out.
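The first step described above (text appended to the image file, then a Caesar shift that decrypts to a URL) can be reproduced with a short script. This is an added example, not code from the original post or from Cicada 3301; the sample bytes, the placeholder URL and the shift value are constructed, and it assumes only ASCII letters are shifted.

```python
JPEG_EOI = b"\xff\xd9"   # JPEG end-of-image marker
MARKER = "CAESAR says"   # label the post says preceded the ciphertext


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the last EOI marker; a plain JPEG has none."""
    idx = blob.rfind(JPEG_EOI)
    return b"" if idx == -1 else blob[idx + len(JPEG_EOI):]


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; leave everything else untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_clue(blob: bytes):
    """Return (shift, plaintext) for the appended Caesar text, or None."""
    tail = trailing_data(blob).decode("ascii", errors="ignore")
    _, found, ciphertext = tail.partition(MARKER)
    if not found:
        return None
    ciphertext = ciphertext.strip().strip('"')
    for shift in range(1, 26):
        candidate = caesar_shift(ciphertext, -shift)
        if candidate.startswith("http"):  # the clue decrypted to a URL
            return shift, candidate
    return None


# Constructed sample: a stub "JPEG" with a shifted placeholder URL appended.
SECRET = "http://example.com/duck.jpg"
SAMPLE = (b"\xff\xd8" + b"\x00" * 16 + JPEG_EOI
          + f'\n{MARKER} "{caesar_shift(SECRET, 4)}"\n'.encode("ascii"))

if __name__ == "__main__":
    print(recover_clue(SAMPLE))
```

The same `trailing_data` check is useful in forensics triage: any non-empty result on a JPEG means something was appended after the image ended.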

While starkly different in appearance and prose style from the first image provided by 3301, it did contain another clue. Solvers pieced together that they were being told to use the program OutGuess — a steganographic tool used to insert hidden information in the redundant bits of data sources. OutGuess supports PPM, PNM, and JPEG image formats and uses the following syntax to retrieve data from an OutGuess’d image:

    outguess -r outguessedimage.jpg hiddenmessage.txt

If you were looking to hide data within an image, you would use something like this:

    outguess -d messagetohide.txt originalimage.jpg outguessedimage.jpg

After using OutGuess against the “WOOPS” image, players exposed a message referencing a “book code” that included a link to a subreddit. Numerous text posts could (and can) be found on the subreddit, but only a couple of images were present — “Welcome” and “Problems?” — both containing a concealed OutGuess note signed with a PGP (Pretty Good Privacy) signature. The OutGuess’d message in “Welcome” explained that all messages would be signed with the key used, which could be found on MIT’s PGP key servers. PGP allows users to encrypt and decrypt data so it can be transmitted privately, and to sign it so the recipient has assurance that the sender is who they say they are.

Although getting the message “how do I PGP?” again and again from people new to encryption may seem like a huge annoyance, Cicada’s solvers are often quick to point newbies in the right direction (perhaps after poking a little fun at them). For those who do not have Linux as their operating system, the tools often used are GPG4Win and GPG Tools. When a new clue is discovered it is, of course, under mass scrutiny, but the largest red flag would be it not being signed using Cicada’s provided key. As in real life outside of ARGs, you should not trust something you receive from a person if you cannot confirm their identity. (We’ll dive into how to encrypt messages with PGP in a later blog post within this series.)

At the time of writing, there are many seasoned and new solvers seeking clues for the supposed 2017 puzzle, as it is speculated that Cicada will make another announcement on the same date as they did in the original 2012 game. While only fake posts have appeared so far (as revealed by the lack of PGP signatures), there is a varying level of excitement among players as previous years’ puzzles remain unsolved.

What's Next?

In the next installment in this series, we’ll dive deeper into Cicada and explain how it got people out of their homes and searching for answers in real life.

Topics: Security Best Practices, Cicada 3301, Encryption, Alternate Reality Games, ARG


Written by Toni Noble

Toni is a QA Engineer at Threat Stack, Inc. responsible for developing and executing tests on all aspects and components of distributed systems to ensure end-to-end quality. She has six years of experience in QA and has worked on various platforms, including numerous distributions of Linux and many mobile operating systems.
