Thursday, November 14, 2019

Mesh Combat Software v2

I had a lot of fun with the last one, and so I have a few more ideas to trot out on this subject. A lot of these concepts can be used simply as plothooks, but can also be interesting mechanical tools to aid or challenge players.

D2NA: One of the most basic pieces of malware out there, D2NA (Digital DNA) is a simple program with a single instruction: self-replicate. When activated, it generates copies of itself as rapidly as possible, filling up free storage on the device and eating up processing cycles. The name comes both from its self-replicating nature and from its tendency to use incredibly complex data, such as DNA sequences, complex mathematical formulas or large number sequences, to consume storage. If not caught, it will fill up the spare storage on a device in a matter of days or hours, leaving it overloaded. Most trained system defenders or firewall tools will catch a spread of D2NA, especially during a security audit, but a skilled hacker can covertly install it or conceal its nature until it's done its job. Because servers have so much storage space that it takes too long to fill up, D2NA attacks are usually used to gum up sensor motes, bots and the gear of specific computer users rather than large systems. [Minor] (R)

Fog of War: Also called "Static Wall", "Blue Screen" or "Blizzard", this software tool is adapted from actual forms of e-war defense used in the Fall. It is typically run to protect certain devices which have active administrators who are directly in control of a system, and takes the form of a new countermeasure when activated. The simplest version is that Fog of War degrades the quality of connection and access for normal users. It throttles connections, spams additional UI features, AR mist or other sensory distractions, and in general makes things harder to navigate. Admin accounts or other select system occupants (often certain Infomorphs or ALIs using the server) are protected from this and can work as normal. This will slow down intruders and make it harder for them to accomplish their goals, but it is also a real hassle for normal users, so it tends to be reserved for personal use or for highly secured servers. Normal users act as if they are on an overloaded device, taking a -10 penalty to all meshed actions on the device (and possibly higher if the Fog of War is particularly good) - and if this device includes an AR overlay they take the Distraction penalty as well. However, the Firewall, admin accounts and other select users suffer no penalty, able to function as normal while the enemy is bogged down. [Moderate]

Grond: Grond and its many knock-offs and clones are down-and-dirty software designed to break into systems quickly. It uses optimizing algorithms to smartly pick the proper exploits for a system, rather than running straight down the list, and can even multi-task to try multiple attack angles where possible. Its "siege algorithms" continue to work even after the initial intrusion, constantly trying to preempt countermeasures and predict standard software protocols. However, Grond is anything but subtle, and thus many hackers eschew the tool. It grants a +10 on Brute-Force Hacking (taking it to a -20 penalty) and on InfoSec checks while there is an active alert (removing the penalty). [Moderate] (R)

Honey Trap: Honey Traps and their many variants are common on corporate servers to discourage or counteract espionage. Most professional hackers use proxy services and stealthed signals, so even if one is aware of them, tracking them is difficult. To do this, the Honey Trap is made - it looks like an attractive piece of data, such as crypto, blueprints, personal data, etc. However, when downloaded or opened by a hacker, it reveals itself to be a trap - if still on its home device it will usually automatically trigger an active alert, and if it has been copied elsewhere, it has a protocol to immediately "phone home" via the Mesh with the Mesh ID of the device it is currently on and positioning data, unless the hacker acts fast. Nastier versions of this are known as "data mines" or "wasp nests"; instead of tracking, they will "detonate" when opened, revealing malware, corrupt data or overwhelming signal traffic, dealing 2d10 DV to the offending Infomorph, ALI or Account Shell. A skilled hacker can detect if a program is trapped with InfoSec, but only if they care to look. [Minor+] (R)

Icewall: Normal firewall software uses a neural net filter to smartly detect potential intrusions or unusual activity, a constant crucible which puts pressure on any hacker who is operating through it. The Icewall takes a different tactic: it is a single, rigid defense, a hardened structure constantly patching itself against exploits, usually with stricter than normal authentication methods. Icewalls are very firm against Brute-Force hacks, as they have very few vulnerabilities and tend to rapidly patch them, applying a further -10 (total -40 modifier). They are also hard to attack directly, having 10 AV in Mesh Combat. However, because of their front-loaded defense, they are vulnerable to spoofing, and their passive threat detection once an intruder is inside may be weaker than normal. [Minor]

KeyChain: This software comes by many names (Skeleton Key, Key Ring, MasterKey, Pick Lock, etc.), and is a fairly common hacking tool, though often not a reliable one. Normally, to Spoof, one must first sniff data transmissions, or forge an authentication by copying the original somehow. KeyChain is a type of software which skips that step: instead, it brute-forces a spoofed authentication by studying the authentication, then rapidly making attempts to enter it via a brute-force attack. This functions as a normal spoof attack, but doesn't require sniffing, and imposes a -30 penalty on the hacking test, as it is highly likely the attempt will be flagged by the Firewall as suspicious. KeyChain cannot defeat some forms of authentication, and systems with particularly complex authentication (like very long passcodes) might take more time than a complex action. [Minor] (R)

Logic Gate: Logic Gates are an unusual form of authentication which resembles a passkey, but requires that one not just know (or have stored) their passcode, or possess a specific key, biometric, Ego or device, but actively solve a puzzle. These can come in the form of Captchas, riddles, visual puzzles or even complex subjective ethics questions which an administrator will assess. Because of this, spoofing a Logic Gate is not possible, and most of them have a complex library of questions to ask, so simply listening in for a correct answer won't work either. You either can solve it, or not. Clearing a Logic Gate requires a COG test, which might be opposed if it is an assessment test. Failure causes a passive alert as normal. Because there is no "convenient" way to pass them, Logic Gates are incredibly unpopular for systems which are heavily trafficked, but are often used by personal eccentrics, or to guard specific devices, storage spaces and tiers in networks by limiting who can access them. Guanxi operators often use a Logic Gate variant which offers "tests of loyalty" to check a user's bona fides, and some servers which wish to prevent ALI access will use them. They can also be used as an active form of authentication, giving a specific user a test and kicking them out if they fail. [Minor]

Plumber: Networking has sometimes been referred to as a series of pipes or tubes. And who better to check on your pipes than a plumber? Plumber is a form of software used by both hackers and system defenders - originally intended as a simple script to check network health, a few iterations later it is a sophisticated tracking system. A Firewall can normally re-authenticate or terminate connections if threatened, and a security account can trace specific users, but sometimes you want to do a lot of tracing all at once, and not let anybody know you're doing it. Fire up Plumber and let it run. In the normal timeframe of a re-authentication, it will instead actively run a trace on all accounts on the system, attempting to ping their connections and trace them to a Mesh ID or other tag, and note and report all discrepancies to the system defender (such as proxy services, user accounts in privacy mode, duplicate accounts and other unusual transmissions). This is useful for an admin to trace all suspicious connections and flag them to lock them out or otherwise catch them, though obviously it rarely beats a hacker's efforts to prevent tracing. Intruders, on the other hand, will often use Plumber to trace all users on a network for further traffic analysis, or to figure out where the next device or node in a network or tier is. [Minor]

Poison Pill: Another one of the classic malware tricks, a poison pill looks like good software, but it is actually bad. It can be seen as a kind of reverse honey trap. Firewalls actively monitor for unusual activity, so a hacker can try to cloak their work by making it seem like normal data. Most poison pills will fail against a dedicated scan of their code (an InfoSec test), but for purposes of passive defenses, can be safely uploaded or copied to most devices. Depending on what exactly is in the poison pill, it can do multiple things. Most, when opened, will try to directly crash the OS (including possibly the Cyberbrain of a morph) of the system they are stored on with viral or corrupt data, but they can also be used to damage infomorphs or account shells which handle the data. When opened it deals 2d10 DV to the appropriate software. [Minor] (R)

Remora: Sometimes, you don't want to crash software, delete data, or even read secret files - you want to see where that data goes. Enter Remora, a common style of spyware script which attaches itself to a file and is designed to log where that file goes. Installed with a Program test as a complex action, Remora embeds itself in the data and then covertly logs whenever that file is accessed, modified, copied or moved. If the data is duplicated, the Remora is duplicated with it. What it does with the log depends on how the specific Remora is configured: some will simply "phone home", using an encrypted communication to upload the log to the hacker or to a secure cloud storage they can access later - but this is risky if intercepted. More commonly, after a period of time, Remora will disconnect itself and, through normal network processes, "swim" home, connecting through public networks to find its home device. This means, however, that if a file with Remora attached ever makes it to an air-gapped network, it's useless unless the hacker can hook back up with it. [Minor] (R)
