Improving Passwords

Troy Hunt, a Microsoft MVP, has done some terrific analysis of the passwords people use. Unfortunately, what has made this possible is the recent trend in hacktivism whereby it is common for hacktivists to post the spoils of their attacks online to generate publicity and shame the company being attacked. While this has been bad news for the companies and their customers, it has provided a rich data set for researchers to analyze. The results from Troy’s research are pretty interesting. Rather than rehash the results here, I’ll let you read them yourself: www.troyhunt.com/2011/06/brief-sony-password-analysis.html

What struck me while reading the blog is how much we know about what kind of passwords people create and how little we’ve been able to make practical use of any of this knowledge. Sure we all run off and write blogs about how people need to make their passwords harder to crack. I don’t want to insult anyone’s blogging skills, but so far this hasn’t produced a lot of progress.

I think there is a way we can drive benefit, and better security, from this data. And the responsibility to do that falls back to those of us responsible for creating security solutions. Where it should be.

Here’s the situation: websites all seem to have rules about what characters to use for a password. They have rules about the length of the password. And they enforce those rules. I can’t create a password for the site if I don’t follow the rules. Although these sites ought to make sure these rules are aligned to best practices of length and character usage, this isn't always the case. But that’s not where I see the biggest opportunity. I'm sure they keep the password length low to help prevent forgotten passwords or to keep from just annoying users, so I'll save discussion of those practices for another day. 

Here is an easy-to-implement solution for forcing users to create better passwords: since the account creation program is already checking my password for the wrong number of characters and the right mix of numbers and letters, why can’t it also check for the use of passwords that hackers have in their database of common passwords?

Here is the list of the top 25 most used passwords from Troy’s research: seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, 9452, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, bailey.

I went to a couple of websites and set up new accounts. I created one account using purple (the fifth one in the list above) as a password. The site told me it was a weak password, but let me use it anyway. At another site, it would not allow purple, not because it was a common password, but because it was too short. So back I went to Troy Hunt’s blog. He listed a couple of passwords found in password dictionaries. They were “1qazZAQ!” and “dallascowboys.” I tried those. I was again told I was using weak passwords, but because they met length rules the site didn’t prevent me from using either one.

Here’s my proposal. These password dictionaries are not hard to get. Why don’t websites add these as a check, and not allow their customers to use common passwords? Sure, a few Dallas Cowboys fans might not be happy, but they have bigger problems with the team’s recent on-field performance. Don’t think of it as annoying or limiting customers. Think about it as educating them. Oh yeah, and you’ll be protecting them, too.
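What the check proposed above looks like in practice, as an added example (not code from the post or from any site mentioned in it): the blocklist is the post’s own top-25 list plus the two dictionary entries the author tried, the 8-character minimum is a hypothetical site rule, and the normalisation step goes a little beyond the post so that a trailing digit or punctuation mark cannot dodge a blocklist entry.

```python
"""Common-password blocklist check (added example, not code from the post).

Sites already enforce length and character-mix rules; this adds the check the
post proposes: reject anything found in a list attackers already hold. The
normalisation step goes beyond the post so that "Purple1!" cannot dodge a
blocklist entry of "purple"."""
import re

# The top-25 list quoted in the post plus the two dictionary entries the author
# tried. A real deployment loads a full leaked-password list from disk.
COMMON_PASSWORDS = {
    "seinfeld", "password", "winner", "123456", "purple", "sweeps", "contest",
    "princess", "maggie", "9452", "peanut", "shadow", "ginger", "michael",
    "buster", "sunshine", "tigger", "cookie", "george", "summer", "taylor",
    "bosco", "abc123", "ashley", "bailey", "1qazzaq!", "dallascowboys",
}
MIN_LENGTH = 8  # hypothetical site rule, assumed for this example


def normalize(password):
    """Canonical form for blocklist lookup: case-folded, with trailing digits
    and punctuation removed ("Purple1!" -> "purple")."""
    return re.sub(r"[\d\W_]+$", "", password.casefold())


def check_password(password):
    """Return (accepted, reason). Both rules are evaluated so the user is told
    about a common password even when it would fail the length rule anyway."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if (password.casefold() in COMMON_PASSWORDS
            or normalize(password) in COMMON_PASSWORDS):
        reasons.append("appears in a common-password list")
    return (not reasons, "; ".join(reasons) or "ok")


if __name__ == "__main__":
    # The passwords the post's author tried, plus a disguised and a good one
    for candidate in ("purple", "1qazZAQ!", "dallascowboys", "Purple1!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

Note that "1qazZAQ!" and "dallascowboys" pass the length rule and are rejected only by the blocklist, which is exactly the gap the post describes.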

All your Bitcoins are ours…

Malware authors move fast. Following on from the previous blog post on Bitcoin botnet mining, we have seen a recent Trojan in the wild targeting Bitcoin wallets. The Trojan is Infostealer.Coinbit and it has one motive: to locate your Bitcoin wallet.dat file and email it to the attacker. This is not surprising considering the potential values in a Bitcoin wallet. We have also discovered source code on underground forums which locates the wallet and, using FTP, uploads it to the attacker's servers.

Figure 1. Code snippet found on underground forums to steal Bitcoin data via FTP

We expect that code similar to the techniques described above will find a way into other malware, given the amount of attention this sort of attack is currently receiving and the number of Bitcoins currently available for purchase. (For an overview of how Bitcoin works, view this Bitcoin overview video.)

If you use Bitcoins, you have the option to encrypt your wallet and we recommend that you choose a strong password for this in the event that an attacker is attempting to brute-force your wallet open.

Thanks to Mario Ballano for his assistance in identifying the threat.

Bitcoin Botnet Mining

A digital currency known as Bitcoin (BTC) has been causing a bit of a media stir of late due to its use for illicit purposes. Some readers of this blog will be familiar with and have used a digital currency of some form in the past to purchase goods online. Some may even remember failed digital currencies such as e-gold, which had operations suspended by US authorities after its proprietors were indicted on four counts of violating money laundering regulations back in 2007. With Bitcoin, we now have another multi-million dollar digital currency market without any central authority for regulation. (An in-depth explanation of Bitcoins is available on Wikipedia.)

One of the selling points of the Bitcoin currency is that anyone with a computer can begin to earn Bitcoin blocks by using his or her computer’s computational power, along with open source Bitcoin software, to solve a difficult cryptographic proof-of-work problem. This is referred to as Bitcoin mining and, if successful in solving a block, it will lead to a reward of up to 50 Bitcoins per block. As of June 2011, there are just over 6.5 million Bitcoins in existence, with a finite number of 21 million possible to be reached over time. With Bitcoins presently trading at close to $20, Bitcoin mining sounds like an easy way to make some money. Well, cybercriminals might just be thinking the exact same thing.  

It has been known for some time that a botnet’s combined computing power could be used for a number of nefarious purposes. We can now add Bitcoin mining to that list. While Symantec has not observed any botnets currently being used to mine Bitcoins, the possibility is there. Through the use of pooled Bitcoin mining, a botnet herder could covertly mine Bitcoins using the computational power of a victim's computer. Another selling point of the Bitcoin currency is its apparent anonymity; along with decentralized authority spread across a peer-to-peer network, this makes the currency even more attractive to cybercriminals. But is Bitcoin mining really worth a botnet herder’s time? Let’s find out.

Using an average computer and only the CPU for computational purposes, we found that when Bitcoin mining we were able to compute roughly 1 mega-hash/second. So what does that mean if we want to do pooled Bitcoin mining on a botnet? Using an online Bitcoin mining calculator—which takes into account the current difficulty factor for solving Bitcoin blocks, the computer's hash rate, and Bitcoin exchange rates—we get the following data for Bitcoin botnet mining:

Bitcoin mining calculations

Caveat: calculations based on mining constantly for 24 hours using CPU only at current exchange rate and difficulty factor.

Difficulty factor:               567358.224571
Hash rate (mega-hashes/second):  1.0
Exchange rate ($/BTC):           $20

Bot earnings broken down
              Coins    Dollars
Per day       0.00     $0.03
Per week      0.01     $0.23
Per month     0.05     $0.97

Botnet mining per day
Bots       Bot earnings per day    Total earnings
100        x $0.03                 $3
1,000      x $0.03                 $30
10,000     x $0.03                 $300
100,000    x $0.03                 $3,000

Botnet mining per week
Bots       Bot earnings per week   Total earnings
100        x $0.23                 $23
1,000      x $0.23                 $230
10,000     x $0.23                 $2,300
100,000    x $0.23                 $23,000

Botnet mining per month
Bots       Bot earnings per month  Total earnings
100        x $0.97                 $97
1,000      x $0.97                 $970
10,000     x $0.97                 $9,700
100,000    x $0.97                 $97,000

A point to note about these figures is that, as mentioned in the caveat, the compromised computer systems would have to be running 24 hours a day, which is highly unlikely. Also, the earnings would vary from day to day depending on luck. So, as we can see, there is the potential for cybercriminals to earn money this way. However, another question is whether Bitcoin mining is more profitable than other uses for the botnet. Let’s just compare one alternative: renting the botnet out for DDoS attacks. While Symantec has observed DDoS attacks being offered for as little as $5, the more usual offer is similar to what is seen in the screenshot below, which at the high end asks $400 a week in rent for a few hours of attack per day.

Screenshot: advertisement for botnet rates
Taking this information into account, Bitcoin botnet mining as an attractive and profitable venture for cybercriminals is very questionable. However, with recent spikes in the valuation of Bitcoins reaching as high as $26, it may become more appealing in the future to cybercriminals as another source of illegal earnings from their botnets.
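The arithmetic behind the tables above, reproduced as an added example (this is not the post’s online calculator, but the standard proof-of-work expectation: a block takes difficulty × 2^32 hashes on average, and in June 2011 each block paid 50 BTC). Inputs are the ones the post lists; the uptime parameter models the 24-hour caveat, and the last function answers the post’s comparison with the $400-a-week DDoS rental.

```python
"""Expected CPU-mining income for the post's botnet scenario (added example).

Uses the standard proof-of-work arithmetic rather than the post's online
calculator: a block takes difficulty * 2**32 hashes on average, and in June
2011 each block paid 50 BTC. Assumed inputs are the ones the post lists."""
import math

BLOCK_REWARD_BTC = 50.0            # block subsidy stated in the post
HASHES_AT_DIFFICULTY_1 = 2 ** 32   # expected hashes per block at difficulty 1
SECONDS_PER_DAY = 86_400

DIFFICULTY = 567358.224571   # from the post's calculator inputs
HASH_RATE = 1.0e6            # 1 mega-hash/second, CPU only
USD_PER_BTC = 20.0


def expected_blocks_per_day(hash_rate, difficulty, uptime=1.0):
    """Mean blocks one machine solves per day; uptime < 1 models the
    post's caveat that bots will not actually run 24 hours a day."""
    hashes_per_day = hash_rate * SECONDS_PER_DAY * uptime
    return hashes_per_day / (difficulty * HASHES_AT_DIFFICULTY_1)


def earnings_per_bot(days, hash_rate=HASH_RATE, difficulty=DIFFICULTY,
                     usd_per_btc=USD_PER_BTC, uptime=1.0):
    """(BTC, USD) one pooled-mining bot is expected to earn over `days`."""
    blocks = expected_blocks_per_day(hash_rate, difficulty, uptime) * days
    btc = blocks * BLOCK_REWARD_BTC
    return btc, btc * usd_per_btc


def botnet_earnings(bots, days, **kw):
    """USD the whole botnet is expected to earn: linear in the bot count."""
    return bots * earnings_per_bot(days, **kw)[1]


def bots_to_match_rental(weekly_rental_usd, **kw):
    """Bots needed for a week of mining to equal renting the botnet out."""
    return math.ceil(weekly_rental_usd / earnings_per_bot(7, **kw)[1])


if __name__ == "__main__":
    for label, days in (("day", 1), ("week", 7), ("month", 30)):
        btc, usd = earnings_per_bot(days)
        print(f"per bot per {label}: {btc:.4f} BTC  ${usd:.2f}")
    for bots in (100, 1_000, 10_000, 100_000):
        print(f"{bots:>7} bots per week: ${botnet_earnings(bots, 7):,.2f}")
    # The post's $400/week DDoS rental, then the 24h caveat at 8h/day uptime
    print("bots to match $400/week rental:", bots_to_match_rental(400))
    print("same at 8h/day uptime:", bots_to_match_rental(400, uptime=8 / 24))
```

The formula lands within a few cents of the post’s per-bot figures (the coin column matches exactly after rounding), and shows that roughly 1,600 always-on bots, or about 4,800 at eight hours a day, are needed just to match one $400 rental.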

We are already starting to see reports on fraud involving Bitcoins and a Bitcoin account being hacked with a substantial monetary loss of approximately $500,000. Symantec has seen one such threat designed to steal Bitcoins from your digital wallet called Infostealer.Coinbit, and we expect to see more in the near future.

As always, Symantec recommends that you keep your antivirus definitions up to date to ensure protection against new threats such as Infostealer.Coinbit.

Puddles

I believe that we have reached a saturation point.  You know how, after heavy rain, the ground can’t absorb any more water and it begins to pool on the ground? We’ve reached that point with security incidents.  

 
The bad guys just can’t pump out new malware any faster. Check out the Norton Cybercrime Index.  The trends for 2011 are pretty much flat. The explosive growth in malware we’ve seen in the previous 10 years is just not sustainable. Maybe new hacker tools will come along, new propagation methods, or more platforms, or more people to infect.  But for now, things are beginning to stagnate.  
 
This is not to say the problem is going away. There were 286M new malware variants in 2010. 286 million! But even that mind-blowing number reflects a slowdown. It’s more than the year before, but not the 100% increase we've reported in previous years. It’s not like the growth we used to see.
 
So how to explain the nearly endless parade of security incidents we've seen in the last few weeks? Well, in some ways, these are the puddles forming on the ground. It’s not that the rain has gotten harder; it’s just that the ground has stopped absorbing it all. Some of what we are seeing does reflect the bad guys attacking new platforms and finding new people to infect. But it’s mainly puddles. And many of these incidents show how much higher the stakes have become.
 
Before declaring a trend one way or the other, it's worth understanding the types of security incidents we’ve been reading about in the last few weeks.  While there have been a lot of incidents, they are not all the same.  What we’ve seen these past few weeks break down into three well-known categories: massive attacks, targeted attacks and hacktivism.
 
Massive attacks - Fake AV has been around for years. It remains the most popular type of massive attack.  At $49.95 per victim it’s a profitable business.   News coverage here does not reflect a major increase in these attacks; it reflects the novelty of these attacks now being directed at Macintosh computers. 
 
It’s called a “massive attack” because the bad guys are trying to infect as many people as possible.  They know only a small percentage will fall for their scam, so the best way to increase profit is to increase the number of computers targeted. In their search for new targets, eventually these crooks were going to start looking at the Mac. So the appearance of fake AV on Mac was inevitable.  If you were shocked when this happened you should prepare yourself.  These things will be showing up on mobile phones next.
 
Targeted attacks - Hardly a new occurrence. But two events in 2010 started to increase the conversation about targeted attacks. The first was Stuxnet. The second was the phrase advanced persistent threats. I’m pretty ambivalent about the term APTs. The phrase has certainly captured people’s imagination, and if it makes it easier to have a conversation about security because of the phrase, I’m all for it. But the majority of the attacks being labeled APT are frankly not very “advanced” and often not that “persistent.” “Targeted attacks” may be harder to create an acronym from, but it’s a better description. Take the recent compromise of webmail accounts that was widely reported on in the media. It certainly wasn’t an advanced type of attack; it was spear phishing. There wasn’t even malware involved. What it was, was targeted - and that’s what got our attention. That, and the fact that the affected company told us what happened. Credit to Google. They seem to have started the trend in 2010 with Hydraq, of companies talking publicly about attacks targeted at them. This has benefited us all. They’ve built awareness about these types of threats and allowed security companies to have meaningful conversations with their customers about targeted attacks. It’s no longer a discussion about the theoretical. The real risks of security incidents are now a lot clearer to businesses.
 
So the trend here is not an increase in targeted attacks, but an increase in companies willing to talk publicly about them.
 
Hacktivism - Crunch together the words hacking and activism and you get hacktivism. My spell checker hates this phrase almost as much as I do. But, until a better one comes along, it will have to do. The phrase was coined in 1994, but the activity has been going on a lot longer than that. A hacktivist’s main form of expression used to be defacing webpages, spamming and the occasional DDoS (distributed denial-of-service) attack.
 
The last major example of this was a DDoS attack targeting payment processors, online retailers and others. This happened last December in protest against sites that stopped handling transactions for Wikileaks. The DDoS attacks were generally considered ineffective, but I think they were a major success. They may not have shut down any site for any significant period of time. But they generated an enormous amount of publicity. And isn’t that really the goal of hacktivism?
 
So, if there is any type of security incident seeing a significant rise, it would be hacktivism. The group responsible for the December incidents has since moved on to another highly publicized attack, breaking into a security company and posting all their email online. Now a multinational gaming and entertainment company has felt the sting. User passwords were stolen, but not for profit. They were posted online to generate publicity. And this has worked brilliantly. It’s worked so well that other hackers jumped in and launched their own attacks against the same company. These created new news, which encourages other hackers to… It’s a vicious cycle.
 
So, is the threat landscape worse than before?  Yes.  But, we’ve been saying that for years. It’s reached the point of being a cliché. What’s new is that there is greater visibility to these threats.  The good news is that these events are finally getting the attention they deserve.  The bad news is that these incidents make clear the stakes are higher than they’ve ever been before.