Monday, July 16, 2012

Wall of Creeps

Lately there's been a lot of conversation about how to curb creepy behavior at Defcon. Last year women and goons had "red" and "yellow" cards that they gave to guys who were acting like asses. This plan backfired, as the cards became sought-after swag leading to high demand. The idea was floated this year and has been nearly universally shot down as ineffective, counter-productive and immature.

I propose a different tack - a Wall of Creeps. Creeps - men, women or otherwise - would have their photo on a physical or virtual wall, outing them. The idea is that public shame would act as a deterrent, keeping people who are clearly over the line more under control without forcing conformity. This tactic removes the incentive (the scarcity and perceived exclusivity of the cards) and mixes in a strong social disincentive. It won't stop all acts of creephood, but it should help cut down on the truly aberrant behavior.

The photo would be a mug shot taken by a goon, which means somebody has to be creepy enough to get dragged to a goon and have the goon stop what they're doing long enough to take the photo. That reduces false positives. Also there should be some criterion for redemption, such as a donation to a cause or a handwritten note or whatever else would make the offendee forgive. Maybe a TTL or a minimum sentence too. After 3 infractions though the creep's photo would be posted for the rest of the con.

Con-goers would be invited to heckle and deride offenders for as long as their face is up there, but not physical violence, doxing, harassment, or generally being a creep/ass, etc. The board could also be used for party organizers to blacklist certain people, etc. I'd love to hear feedback - what do you think?

Friday, June 08, 2012

Interesting Conversation from Gold Farmer

I saw this interesting conversation posted on a Diablo III fansite today and it has a lot of relevance to Information Security. The interview is around the act of gold farming, or using automated bots to find massive amounts of in-game gold and items that can then be sold for cash. But at one point the conversation goes into how online game accounts are compromised.

The gold farmer claims that most game account compromises come from one source - forums. Attackers compromise a fan forum site and get the username, email and passwords (or hashes). These credentials are then used to attempt to log into the game, as well as email accounts, PayPal, banks, credit cards and other online services. The entire process of checking accounts is automated through tools. These accounts can then be either used by the original criminals or sold to other criminals.

See below for the relevant text or see the entire interview with a Diablo III gold farmer.

MeD: Do you have any information on the account hacking that people are reporting even with having the authenticator?
Farmer: Yeah, I know everything about that.
MeD: Would you be willing to share that information with us?
Farmer: They don’t hack the computers, the passwords.
MeD: When you say they don’t hack the computers, they don’t have the player’s computers or they don’t hack Blizzard’s computers?
Farmer: They hack forums and such and take the same email and password and test it on Blizzard.
MeD: That’s what I thought. And that is testament to all of you guys out there who are using the same email and password for forums and such for your game.
Farmer: If they have 1 million stolen emails and passwords they might get 1% to 10%
MeD: What type of websites are targets for this?
Farmer: Diablo websites or Blizzard in general.
MeD: So you are talking about Diablo fansites that have forums that you know have been successfully hacked these and get the log ins and passwords.
Farmer: Yeah, correct, it’s easy.
MeD: And in the forums of Blizzard are you able to get anything out of there?
Farmer: No. Blizzard is bullet proof, logically.
MeD: I ran forums quite a while ago and we had 130k+ members and we had issues with hack attempts at our forum accounts quite often. We were very puzzled about it. There was one time when they got everyone’s log in and password but they didn’t log into anyone’s forum account. Do you suppose that when they got into our forums do you think they were just looking to match up
Farmer: Yeah. They used it to try on people, mail and Blizzard and such. It’s called combo.
MeD: Is that a mispronunciation of your program or is that what it’s actually called?
Farmer: Nah. It’s made to make combo lists.
MeD: We reset everyone’s password, we did that for them. We were worried they were trying to hack into the forum accounts. This was many years ago by the way. What I didn’t realise then but I’m realising now is that this was all about accessing the game accounts and it had nothing to do with our forums. I bet that a lot of these forums that are getting compromised are getting compromised over and over again. Would you say that is correct?
Farmer: Yeah and Paypal and banks, Facebook and so forth and small percent Russian spammers.
MeD: They are testing this against multiple things, they are not just testing this against Diablo account they also test against Paypal and their bank log ins.
Farmer: They test it against everything and sell it.
MeD: How much do they sell these for?
Farmer: It depends on what’s on them.
MeD: 10c an account, $10 an account? Do you know the range there?
Farmer: ??? Doesn’t sell.

Wednesday, June 06, 2012

LinkedIn Password Hash Redux

This LinkedIn password hash leak has become a real storm of activity today. This post might not have much longevity, but I hope to quickly recap and summarize what we know, what we don't, what we guess and what we recommend. Everything here comes from correspondence on Twitter, blogs and what have you, so it should all be taken with a grain of salt (pun not intended).

What we know:
  • 6.5 Million password hashes were posted on a password cracking website. The author said they were from LinkedIn and that they were unsalted SHA-1 format. Some of the hashes had several digits zeroed out. 
  • No account names were included with the post, meaning it's not possible to link the passwords to accounts with the data found.
  • LinkedIn has been investigating whether there was an internal breach, but has not yet publicly acknowledged anything they have found.
  • LinkedIn has said that "some of the passwords that were compromised correspond to LinkedIn accounts." However, this statement is sufficiently vague that it could mean nothing more than common passwords are used for LinkedIn and found in the compromised data.
  • Many security researchers who use unique passwords for LinkedIn and no other site have found those passwords in the leaked data. These passwords are said to be highly unlikely to be used by anyone else.
  • An Android app update occurred shortly after the breach was discovered. However, it's unclear if the two events are related.
  • A security vulnerability in the LinkedIn iOS app reported today does not call out password security as an issue.
What we don't:
  • We don't know whether there was a breach at LinkedIn or not. Likely they haven't yet completed their internal investigation.
  • We don't yet know if more information was leaked, such as account names, credit card numbers or other private information.
  • We don't know if more accounts have been exposed than those found in the original source.
  • We don't know if there is an active vulnerability that could be exploited again to gain access to more password hashes.
What we guess:
  • Mikko Hypponen has suggested that the list may have come from a LinkedIn web interface vulnerability, but this was simply speculation based on past breaches.
  • Researchers have speculated that passwords that have digits zeroed out have already been compromised, or that they are used for banned passwords.
  • There has been speculation that some password hashes are not from LinkedIn, though it's hard to find evidence either way.
  • There has been speculation that the 6.5 Million passwords may cover all accounts on LinkedIn, due to some passwords being used by many different people. However, a number of people have reported that their password was not found among those leaked.
  • Some reports suggest the leaked passwords may be 6 months old.
What we recommend:
  • If you have a LinkedIn account, change your password soon. Make it something strong. LinkedIn published some very generic account and password security suggestions, but I prefer the excellent xkcd panel on passwords.
  • Many security professionals have called for LinkedIn to begin adding a salt value in their password hashing process, in order to strengthen security.
  • Other security professionals have pointed to purpose-built password storage functions, available in most programming languages' libraries, that represent the current best practice for thwarting password cracking: bcrypt, scrypt and PBKDF2. Using one of these also reduces the risk of a home-grown implementation that could itself introduce security issues.
  • Two sites have been set up to check your password against the list. The sites appear to be safe, in that they won't steal your password, but for the paranoid you can also submit the password hash. I don't personally recommend that anyone do this, unless you have already changed your LinkedIn password and it was unique. But it's fun to look for possible passwords!  
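To make the salting and key-stretching recommendations concrete, here is an added example (my own illustration, not LinkedIn's code and not drawn from the leaked data; the three accounts and passwords are constructed). It contrasts the unsalted SHA-1 storage the list was reported to use with PBKDF2-HMAC-SHA256 and a random per-account salt. With no salt, every account that shares a password shares a digest, so the leaked list alone reveals the shared-password groups and a single dictionary hit unlocks all of them; with salts the groups disappear and every guess has to be repeated per account, at a cost the iteration count lets the defender set. The last function is the lookup the "is my password in the list" sites perform, which is why they only need the hash.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not data from the leak.
# Two of them happen to share a password.
ACCOUNTS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "Tr0ub4dor&3",
}

PBKDF2_ITERATIONS = 100_000  # illustrative; tune to the hardware budget


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1 hex digest: the format the leaked list was reported to use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes | None = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored with its own parameters so
    the iteration count can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_unsalted(accounts: dict[str, str]) -> dict[str, str]:
    return {account: sha1_unsalted(pw) for account, pw in accounts.items()}


def store_salted(accounts: dict[str, str]) -> dict[str, str]:
    return {account: pbkdf2_hash(pw) for account, pw in accounts.items()}


def duplicate_hash_groups(stored: dict[str, str]) -> dict[str, list[str]]:
    """Accounts whose stored hash is identical.  Unsalted: everyone sharing a
    password shares a digest, so one cracked digest (or one dictionary lookup)
    unlocks the whole group, and the list alone reveals the groups.  Salted:
    every record differs, and each guess has to be run per account."""
    groups: dict[str, list[str]] = {}
    for account, h in stored.items():
        groups.setdefault(h, []).append(account)
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


def in_leaked_list(password: str, leaked_sha1_hashes: set[str]) -> bool:
    """The check the 'is my password in the list' sites perform: because the
    hashes are unsalted, the lookup needs only the hash, never the password."""
    return sha1_unsalted(password) in leaked_sha1_hashes


if __name__ == "__main__":
    print("unsalted duplicate groups:", duplicate_hash_groups(store_unsalted(ACCOUNTS)))
    print("salted duplicate groups:  ", duplicate_hash_groups(store_salted(ACCOUNTS)))
```

Running it shows alice and bob grouped under one SHA-1 digest and no groups at all under PBKDF2, even though their passwords are identical; the self-describing `pbkdf2_sha256$iterations$salt$digest` record is what lets the iteration count be raised on the next login without a migration.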

Sunday, May 27, 2012

On the Recent Blizzard and Diablo 3 Account Compromises

As an avid Diablo fan, I eagerly watched and waited for Blizzard to create Diablo 3. My first impression is that they did a masterful job creating it. Yes, there are some initial frustrations, but it definitely has that Diablo feel to it and despite the running jokes about Error 37 as a new prime evil, I've found that the most powerful boss enchantment has been Time Thief - the ability to suck hours off the clock without me realizing it. Bravo, Blizzard, Diablo 3 is a triumph!

But recently there has been a lot of controversy around compromised accounts in Diablo 3. Many players have found that their characters have been stripped of gold and high-level gear. That's as much a tragedy as being robbed in the physical world - the possessions you've worked for so long and felt so happy to acquire are taken from you by an unknown assailant. People feel violated and angry, which is understandable and which is our nature. Many have lashed out at the closest target.

The most common and convenient target of anger has been Blizzard's security and practices. Many accusations have sprung up that Blizzard, its servers, the game or other technology has been "hacked" and that essentially any player or account could be compromised because of that. In an interesting parallel, this is commonly the first thing people assume when their bank account has been compromised.

The banking world has long confronted security challenges for online services. For as long as online banking has been a reality, malicious individuals have been hoping to compromise accounts and steal money from them. And so banking has come a long way in combating those threats. I've performed dozens of audits for financial institutions around their information security practices, including a component dealing with authentication in online banking (FIL-103-2005, FIL-77-2006 and FIL-50-2011 if you want to look it up).

Today, banking is one of the safest activities you can engage in online, although it is also one of the most targeted. Cybercriminals from around the world target banks, banking sites and accounts and it has become every bit as disciplined and efficient as any business. The complexity and innovation is staggering. Yet excellent security measures taken by banks effectively thwart almost any attack out there, when used as intended on both the bank's side and on the account holder's side.

Most bank account compromises in the last decade or so haven't happened because the bank was hacked - they've happened with legitimate account credentials. It used to be that most online banking accounts were compromised by the victim giving away their username and password or other sensitive information after clicking on links in fake emails. But banks improved the security and attackers responded by becoming more sophisticated. Now most of the time compromises happen because the account holder logs into their account from a computer that has malicious software installed. And it's highly likely that this is what has happened with most of the Diablo 3 account compromises.

So how does this relate to Blizzard and to Diablo 3?

Blizzard has, in fact, said that malware has been the root cause in nearly all of their compromise investigations. Today's cybercriminals have become very sophisticated in their methods. As Blizzard has also pointed out, there is no one way that they get the information and access necessary to compromise accounts. Essentially they use whatever means they need to, in order to get what they want. In practice, this means there are likely multiple groups, each using many different types of attacks to get as many accounts as they can.

As with bank account holders, gamers have gotten more savvy about giving away information which would allow someone else to access their account. But the attackers have adapted as well and use other ways of getting that information than by sending fake emails. Here are some of the more creative and sophisticated ways the thieves operate.
  • By calling you, if you can believe it! There's a good video walking through a typical attack where a cyber criminal may call you on the phone.
  • Text messaging or emails directing you to call a phone number, usually about account compromise, expiration or closing. The phone number then has a recording asking you to enter your information. You never even have to talk to a person and you've given up too much information.
  • If you are using the same email address and password on another site, if that site is compromised your Diablo 3 account may be too. These compromises happen somewhat frequently, such as the Gawker Media account compromise a couple of years ago. 
  • It's possible to buy compromised systems from cybercriminals. Many of the more sophisticated networks have millions of computers that are infected - far too many for the original criminals to take advantage of. So they sell access to others.
  • It's also possible to buy accounts from cybercriminals. Often they have account credentials for systems they don't typically target - for example if they only target bank accounts, they may sell gaming accounts for some additional profit.
  • Newly compromised accounts are prioritized. The criminals have so many accounts they target the ones that have the highest net worth first. There are stories of operations centers with account queues where each new account is evaluated and ranked according to the amount of money the thieves can get. 

By far the most common way most bank accounts are compromised, and likely Diablo 3 accounts, is simply by installing malware on your computer without you knowing it. Without going into the myriad ways that this can happen, it's sufficient to say that you don't have to visit the shadier side of the Internet to run into malware. Most sites that distribute malware are legitimate sites that don't know they've been compromised. In fact, more than 90% of infected sites find out that they're compromised from someone else. Even some of the most mainstream sites have become malware distributors at times - ESPN, NASA and the Wall Street Journal have all infected their visitors with malware. Many of these sites use standard malware toolkits which exploit dozens of vulnerabilities, generate a new malware package for each site visitor and test it against the common antivirus suites before sending it along. It sounds like science fiction, but it's not.
How to protect yourself?

Security is hard. That's what makes it so hard for an organization like Blizzard to give you one simple answer. But that's not what a lot of people want to hear - even the people in charge of security for companies with huge budgets to protect their information assets often ask "What's the one thing I should do?" So it's not a surprise that most individuals would look for the "silver bullet" solution, if you will.

It's hard to describe how to protect yourself much better than Blizzard themselves did. So instead of rehashing it, I'll just link to Blizzard's excellent article on keeping yourself safe from account theft. But if you're in a hurry I'd say the top 3 things you can do are:
  1. Use the authenticator. Banks use similar technology to protect millionaires and billionaires. If you value your stuff, you can't get a better bargain than this! Even the cost of the physical token is inexpensive compared to what it's worth. Blizzard modestly says they're selling these at cost, but that really means they're taking a loss because of all the infrastructure and personnel resources they deploy on the back end. If you're looking for a "silver bullet" to protect your Diablo 3 account, this is the closest you'll come.
  2. Don't reuse passwords. If you use the same password for your email, battle.net and bank, odds are you're practicing poor password security. My recommendation is to use something like LastPass or KeePass, which make good password security easy.
  3. Update your OS, browser and plugins. Most modern operating systems and browsers will automatically update for you. But it's easy to see the update notification and procrastinate. Don't. Don't wait more than a day or two to update, once you see the notification. For plugins, it's sometimes harder because they don't often announce their updates. Adobe Flash, Adobe Reader and Oracle/Sun Java are the most heavily attacked of all the plugins out there, and their vendors are getting better about notifying you of updates.
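The authenticator in step 1 is a one-time-password token. This post doesn't describe its internals, so the example below is my own addition rather than Blizzard's code, and it assumes the token behaves like a standard time-based one-time password (TOTP, RFC 6238, whose published test secret it reuses as a constructed demo value). It shows why the second factor blunts the phishing, phone and malware routes listed above: each code is an HMAC over a secret that only the player's device and the server hold, combined with the current 30-second step, so a password plus a captured code is good for one short window and then expires.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step

# Constructed demo secret: the ASCII secret from RFC 6238's test vectors.
# A real token gets a random secret at enrolment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' to a 31-bit number, keeping the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.
    compare_digest keeps each comparison constant-time."""
    counter = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


def replayed_code_accepted(secret: bytes, captured_at: float,
                           replayed_at: float) -> bool:
    """A keylogger or phishing page captured a valid code at `captured_at`;
    is that code still accepted when the thief submits it at `replayed_at`?"""
    return verify_totp(secret, totp(secret, captured_at), replayed_at)


if __name__ == "__main__":
    print("code for the current step:", totp(DEMO_SECRET, time.time()))
    print("captured code replayed 2 minutes later accepted?",
          replayed_code_accepted(DEMO_SECRET, 0, 120))
```

The skew window is the one tunable that matters on the server side: one step either way covers ordinary clock drift, while every extra step you allow is another 30 seconds in which a stolen code remains usable.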
How can Blizzard do more to protect you?

I want to preface this section by saying that I don't know the details of what Blizzard is doing on their end to protect player accounts. I'd guess there's a lot going on that they don't talk about, or at least that I haven't read about. That doesn't mean they can't improve, but I know they're already doing a lot to secure accounts - in many cases, more than your bank does! Things like forcing stronger passwords, investigating many of the reported instances of theft, publishing and linking to a great deal of information, offering the authenticators, and proactively communicating security steps. It even seems like they're refunding money to some gamers whose accounts were compromised, even after determining that Blizzard wasn't at fault - that's got to be some of the best response ever from a gaming company!

What follows is a few ideas I've taken from other industries that may help Blizzard improve. (Or not - again, I don't know for sure what they're doing on their end.)
  • Look at metadata associated with each previous login for the account. Often this metadata will differ between legitimate and malicious login attempts. Things like geolocation, keyboard layout, OS or game language or other data will be significantly different between a player and a thief.
  • Watch the common locations where compromised accounts are publicly posted for any gamer accounts that use the same account name or email address.
  • Drop a unique "cookie" that identifies the system a player logs in from. If the cookie has changed since the last login, or the cookie has been used with multiple accounts, this should raise a flag.
  • If there are multiple logins in rapid succession from a single IP or IP block, this should raise a flag.
All of these items can be indicators of a potentially compromised account or of a potential cybercriminal. Of course these measures consume personnel and system resources, meaning it will cost more to administer - but then how much do the reputation damage and time spent answering questions cost? And it will also result in frustrated players unable to log in - but then you can take the stance of "we're sorry that you're unable to log in, but it's for your own security" which is hard to argue with. And in conjunction with an email address, phone number, Skype or Twitter account, or other contact mechanism these false positives can be resolved very quickly.
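The four indicators above, together with the combo-list pattern the gold farmer describes in the June post (stolen email/password pairs from a forum tested against many accounts with a 1-10% hit rate), can all be checked from ordinary login logs. This added example is my illustration, not Blizzard's code; the login events, field names and thresholds (a 5-minute window, 10 distinct accounts per /24) are constructed for the demonstration. It flags a login whose country, language or device cookie was never seen on that account before, a device cookie shared across accounts, and a burst of distinct accounts from one IP block with a low success rate.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample login events (not real data).  The columns are the metadata
# the post suggests comparing: account, time, source IP, geolocated country,
# game/OS language, the per-device "cookie", and whether the login succeeded.
EVENTS = [
    ("alice", "2012-05-20 18:00:00", "203.0.113.10", "US", "en-US", "dev-a1", True),
    ("alice", "2012-05-21 19:05:00", "203.0.113.10", "US", "en-US", "dev-a1", True),
    ("bob",   "2012-05-21 20:00:00", "198.51.100.7", "DE", "de-DE", "dev-b1", True),
    # alice's reused credentials, now from another country, language and device
    ("alice", "2012-05-22 03:14:00", "192.0.2.55", "CN", "zh-CN", "dev-x9", True),
    # the same device cookie then logs into bob's account
    ("bob",   "2012-05-22 03:16:00", "192.0.2.55", "CN", "zh-CN", "dev-x9", True),
] + [
    # a combo list being tested from one /24: 24 accounts in 24 seconds, 2 hits
    ("user%02d" % i, "2012-05-22 03:20:%02d" % i, "192.0.2.%d" % (60 + i % 5),
     "CN", "zh-CN", "dev-x9", i % 12 == 0)
    for i in range(24)
]


def parse(rows):
    """Turn the tuples into dicts with real timestamps."""
    keys = ("account", "ts", "ip", "country", "lang", "device", "success")
    events = []
    for row in rows:
        e = dict(zip(keys, row))
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def flag_metadata_changes(events):
    """Indicators 1 and 3: a successful login whose country, language or device
    cookie was never seen on that account's earlier successful logins."""
    history = defaultdict(lambda: defaultdict(set))
    flags = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["success"]:
            continue
        seen = history[e["account"]]
        if seen:  # the account's first login has nothing to compare against
            changed = [f for f in ("country", "lang", "device") if e[f] not in seen[f]]
            if changed:
                flags.append((e["account"], "metadata_change", ",".join(changed)))
        for f in ("country", "lang", "device"):
            seen[f].add(e[f])
    return flags


def flag_shared_devices(events):
    """Indicator 2: one device cookie used with more than one account."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e["device"]].add(e["account"])
    return [(d, "shared_device", sorted(a)) for d, a in accounts.items() if len(a) > 1]


def flag_ip_bursts(events, window=timedelta(minutes=5), min_accounts=10, prefix=24):
    """Indicator 4 plus the combo-list signature: within `window`, many distinct
    accounts tried from one /`prefix` block, typically with a low success rate
    (the farmer's 1-10%).  Reports the densest window per block as
    (block, rule, distinct accounts, success rate)."""
    by_block = defaultdict(list)
    for e in events:
        by_block[str(ip_network(f"{e['ip']}/{prefix}", strict=False))].append(e)
    flags = []
    for block, evs in by_block.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            n_accounts = len({e["account"] for e in win})
            if n_accounts >= min_accounts and (best is None or n_accounts > best[0]):
                best = (n_accounts, sum(e["success"] for e in win) / len(win))
        if best:
            flags.append((block, "ip_burst", best[0], best[1]))
    return flags


def run_all(rows=EVENTS):
    events = parse(rows)
    return {"metadata_change": flag_metadata_changes(events),
            "shared_device": flag_shared_devices(events),
            "ip_burst": flag_ip_bursts(events)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

On the sample data the thief's single device cookie ties 26 accounts together, both hijacked accounts trip the metadata check on their first login from the new location, and the /24 shows 25 distinct accounts in five minutes with a 12% success rate. Each rule is independent, so a real deployment can weight them differently and feed the combined score into the step-up contact mechanisms the paragraph above describes.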

And for our part, players should really be more tolerant of security measures. Again, adding an authenticator to your account takes an additional 5 minutes to set up and 5 seconds to use in practice. But it cuts the probability of compromise to nearly zero even if your system is fully compromised! And if you're like most people I know today, you appreciate it when your bank stops an apparently fraudulent transaction, even if it turns out to be legitimate. So do what's needed to help yourself be more proactive with security. A little initial setup can save you a lot of frustration in the end.

Is there anything I've missed? Do you have a different opinion? I'd love to hear about it so I can address the concern or amend my article. Constructive feedback is always welcome.

UPDATE: In an interview, a Chinese gold farmer claims to know the source of compromised accounts. According to him, forums are being compromised and the email addresses and passwords from there are used to try to log in to Battle.net. This is a pretty common tactic and underscores the importance of using unique passwords across sites and games. And if you're not willing to do that, get the Authenticator which will prevent this.

Wednesday, May 23, 2012

New Research Published on Mobile Malware

Researchers at NCSU have started the Android Malware Genome Project, which is designed to identify and classify known malware samples for study. The researchers' results were recently presented and published at the Proceedings of the 33rd IEEE Symposium on Security and Privacy in San Francisco, California. The paper, entitled Dissecting Android Malware: Characterization and Evolution (PDF link), analyzes 1,200 samples collected between August 2010 and October 2011. For each sample the researchers attempt to determine how it is installed (the infection vector), how it updates itself and what its primary activities on the mobile device are, as well as its relation to other samples.

The research groups infection vectors into several categories. Far and away the largest infection vector is through repackaging and redistributing modified versions of legitimate applications. The second group is spying applications - that is, software for one person to watch another person's activities. Some malicious software purports to do something (which it may or may not), but installs malware in addition - these are so-called Trojan Horses.

There were also several primary types of activity that the samples performed. Many of the samples attempted to elevate privileges on the device by taking advantage of a flaw in the Android operating system. The goal with this action is to allow the application to have greater access to the functionality of the device. Nearly all of the samples attempted to connect the device to a larger group of compromised devices controlled by the malware authors - a so-called Botnet. Researchers found that another common activity was contacting premium services, such as SMS text messaging. Many of the malware samples also collected information, such as user accounts, text messages and phone numbers.

The researchers also looked at the evolution of the malware samples and families over time. Specifically they looked in depth at two malware families to illustrate the rest, DroidKungFu and AnServer Bot. These two malware families show that authors have incorporated many sophisticated features to help circumvent detection and frustrate researchers attempting to study the samples, among other things. And their analysis showed that mobile malware is rapidly maturing.

Some other interesting analysis was performed on the samples. The researchers ran all the collected samples against four mobile anti-virus packages. Detection rates ranged from 20-80%, with a big-name A/V company firmly at the back of the pack. Unknown malware is likely much more successful than these results indicate, meaning anti-virus software really needs to catch up.