Tuesday, February 26, 2013

Lessons from Journalism in Threat Intelligence

Seth Godin has a great blog post that is relevant to information security professionals. He discusses the problem that the closer to the event, the more expensive and less reliable the information is. This problem directly correlates to issues we face in trying to get reliable information about threats, vulnerabilities or other news. That's because as time goes on the story gets shaped and influenced by multiple accounts, investigations and analysis.

Try this experiment. Find all of the Twitter messages about China and Hacking from the last 6 months and read them, as well as the linked articles. I'll wait. Ha - just kidding, that'd take you years to take in (if you did exactly what I said I apologize - don't follow every instruction you read on the internet)! Now go take a look at a few articles on China and Hacking in a reputable business periodical like The Economist, Time, etc. In 45 minutes you're up to date on everything from 6 months of Twitter feeds. 45 minutes versus 1+ years. That's a huge difference in terms of cost.

And reliability also suffers. In going through the Twitter exercise (again, really sorry about that lost year) you probably found that lots of the info was bogus, misleading, bad conclusions, duplicated, etc. Acting on that bad information costs money too (unless you spend lots of money to try and eliminate the bad information, but that again costs money).

Most companies have figured out that it's expensive to stay up to date on information. That's why there's a big business in Threat Intelligence services. Companies outsource that function. But it's still important to keep in mind that you'll never have a perfect picture of the news just after it's happened. Think of it like a Polaroid picture. No matter how much you blow on it or shake it, it still develops at the same speed.

Thursday, August 16, 2012

Simple Way to Increase Security and Privacy and Reduce Spam

A few years ago I came up with a technique to reduce my spam messages. I'm sure I wasn't the first to think it up, but it's worked very well for years and I've never missed a real message or wasted too much time on spam. After IOActive released some privacy research they've done this week I realized this can help with that too. 

If you haven't followed the story, IOActive did some automated scanning of popular web services for high-profile executives. They were looking to find out whether people like Steve Ballmer use Dropbox, or if the CEO of Zappos uses Nikeplus.com (yes in both cases). This was accomplished by attempting to register for these sites using the executives' official corporate email address. 

Their approach was a pretty clever way to get the information. There may be a perfectly valid reason for some of the findings; for example, an executive might publicly announce his and his company's support for another service. But the number of results - 930 accounts across 840 executives - suggests that at least some of these are for personal use.

My Technique

I use a different email address for each new account I set up. But I don't have to create tons of new free accounts at Gmail or Hotmail. I own several domain names, one of which is just for creating throw-away email addresses. Any email to that domain gets redirected to my primary email account. Once it's there, it is put into a folder without ever hitting my inbox. 

Sounds like it might be tricky to remember all these addresses, but it's not really. I just use a consistent formula for coming up with the address. For example, "site.com@domain.com". To remember your account name just look in the browser bar. 

And ever since I started using a password manager it's gotten even easier and more secure. I just create a random name and password and store it all away. The software figures out my username and password, I just have to click a couple of buttons.

Fighting Grey-Mail

If you're not familiar with grey-mail, it's the emails you get that come from accounts you've signed up for on the Internet. Now these aren't quite spam, because they come from known senders to accounts you provided, but then they're also not something you want to wade through constantly. 

I woke up this morning to about a half-dozen new pieces of grey-mail in my email. But I didn't have to look at any of it; I only know the number because I clicked on the folder I have that collects it automatically. The system I use works perfectly because it's automated, I have total control, and it never misjudges an email. 

I simply dump all the messages that come in but aren't addressed to me directly over to a folder. I check that every once in a while and try unsubscribing from the biggest offenders. It usually works, but sometimes it doesn't. And of course if I'm expecting anything then I go check that folder.
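The addressing formula and the "not addressed to me directly" routing rule, written out as an added example (not the author's own filter). It assumes a primary mailbox at example.com and a catch-all alias domain aliases.example, and adds one check the post implies but does not spell out: an alias that starts receiving mail from a sender outside the site it was given to has probably been shared or leaked.

```python
from email.utils import getaddresses
from urllib.parse import urlsplit

# Assumed names for this example: the primary mailbox and the catch-all
# domain that exists only to hand out one address per sign-up.
PRIMARY = "me@example.com"
ALIAS_DOMAIN = "aliases.example"


def alias_for(site_url: str) -> str:
    """Derive the per-site address from what the browser bar shows,
    following the post's "site.com@domain.com" formula."""
    host = urlsplit(site_url if "//" in site_url else "//" + site_url).hostname
    if not host:
        raise ValueError(f"no hostname in {site_url!r}")
    if host.startswith("www."):
        host = host[4:]
    return f"{host}@{ALIAS_DOMAIN}"


def route(headers: dict) -> tuple:
    """Return (folder, site) for one message. Mail addressed to me directly
    goes to the inbox; everything else is grey-mail, tagged with the site
    whose alias received it so each alias can be traced to one sign-up."""
    fields = [v for v in (headers.get("to"), headers.get("cc")) if v]
    recipients = [addr.lower() for _, addr in getaddresses(fields) if addr]
    if PRIMARY in recipients:
        return ("inbox", None)
    for addr in recipients:
        local, _, domain = addr.partition("@")
        if domain == ALIAS_DOMAIN:
            return ("greymail", local)
    return ("greymail", None)


def looks_leaked(headers: dict) -> bool:
    """Heuristic: an alias handed to site X should only ever hear from X
    (or a subdomain of X). Any other sender means the address got out."""
    folder, site = route(headers)
    if folder != "greymail" or site is None or not headers.get("from"):
        return False
    senders = [addr.lower() for _, addr in getaddresses([headers["from"]]) if addr]
    if not senders:
        return False
    sender = senders[0]
    return not (sender.endswith("@" + site) or sender.endswith("." + site))
```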

Increasing Security and Privacy

And this also adds a little more security to your accounts. But it's the security-through-obscurity kind of system, so don't rely on it solely. If you're the kind of person who reuses passwords - and just about everybody does this to some extent - then you have some additional protection against password reuse attacks. If a hacker has the account emails and passwords for one of your accounts, they can't then get into other accounts without a little extra work. That won't stop a determined attacker, but it will protect you against somebody just running a list.

The Result

I still get spam emails. Even with this system every day I get a handful of messages that show up in my spam folder. But it's not many - in fact, far less than the grey-mail number. In the last month I have gotten 9 spam messages, but over 150 grey-mail. 

The only people who have the email address I use are my friends. So either my friends' accounts have been compromised or somebody guessed my email address. But still, only 9 spam messages per month and no time wading through grey-mail is pretty spectacular! And as a side benefit I'm protecting my privacy and security a little bit more. 

Monday, July 16, 2012

Wall of Creeps

Lately there's been a lot of conversation about how to curb creepy behavior at Defcon. Last year women and goons had "red" and "yellow" cards that they gave to guys who were acting like asses. This plan backfired, as the cards became sought-after swag leading to high demand. The idea was floated this year and has been nearly universally shot down as ineffective, counter-productive and immature.

I propose a different tack - a Wall of Creeps. Creeps - men, women or otherwise - would have their photo on a physical or virtual wall, outing them. The idea is that public shame would act as a deterrent to keep people who are clearly over the line more under control, without forcing conformity. This tactic removes the incentive (scarcity and perceived exclusivity of the cards) and mixes in a strong social disincentive. It won't stop all acts of creephood, but should help cut down on the truly aberrant behavior.

The photo would be a mug shot taken by a goon, which means somebody has to be creepy enough to get dragged to a goon and have the goon stop what they're doing long enough to take the photo. That reduces false positives. Also there should be some criterion for redemption, such as a donation to a cause or a handwritten note or whatever else would make the offendee forgive. Maybe a TTL or a minimum sentence too. After 3 infractions though the creep's photo would be posted for the rest of the con.

Con-goers would be invited to heckle and deride offenders for as long as their face is up there, but not physical violence, doxing, harassment, or generally being a creep/ass, etc. The board could also be used for party organizers to blacklist certain people, etc. I'd love to hear feedback - what do you think?

Friday, June 08, 2012

Interesting Conversation from Gold Farmer

I saw this interesting conversation posted on a Diablo III fansite today and it has a lot of relevance to Information Security. The interview is around the act of gold farming, or using automated bots to find massive amounts of in-game gold and items that can then be sold for cash. But at one point the conversation goes into how online game accounts are compromised.

The gold farmer claims that most game account compromises come from one source - forums. Attackers compromise a fan forum site and get the username, email and passwords (or hashes). These credentials are then used to attempt to log into the game, as well as email accounts, PayPal, banks, credit cards and other online services. The entire process of checking accounts is automated through tools. These accounts can then be either used by the original criminals or sold to other criminals.

See below for the relevant text or see the entire interview with a Diablo III gold farmer.

MeD: Do you have any information on the account hacking that people are reporting even with having the authenticator?
Farmer: Yeah, I know everything about that.
MeD: Would you be willing to share that information with us?
Farmer: They don’t hack the computers, the passwords.
MeD: When you say they don’t hack the computers, they don’t have the player’s computers or they don’t hack Blizzard’s computers?
Farmer: They hack forums and such and take the same email and password and test it on Blizzard.
MeD: That’s what I thought. And that is testament to all of you guys out there who are using the same email and password for forums and such for your game.
Farmer: If they have 1 million stolen emails and passwords they might get 1% to 10%
MeD: What type of websites are targets for this?
Farmer: Diablo websites or Blizzard in general.
MeD: So you are talking about Diablo fansites that have forums that you know have been successfully hacked these and get the log ins and passwords.
Farmer: Yeah, correct, it’s easy.
MeD: And in the forums of Blizzard are you able to get anything out of there?
Farmer: No. Blizzard is bullet proof, logically.
MeD: I ran forums quite a while ago and we had 130k+ members and we had issues with hack attempts at our forum accounts quite often. We were very puzzled about it. There was one time when they got everyone’s log in and password but they didn’t log into anyone’s forum account. Do you suppose that when they got into our forums do you think they were just looking to match up
Farmer: Yeah. They used it to try on people, mail and Blizzard and such. It’s called combo.
MeD: Is that a mispronunciation of your program or is that what it’s actually called?
Farmer: Nah. It’s made to make combo lists.
MeD: We reset everyone's password, we did that for them. We were worried they were trying to hack into the forum accounts. This was many years ago by the way. What I didn't realise then but I'm realising now is that this was all about accessing the game accounts and it had nothing to do with our forums. I bet that a lot of these forums that are getting compromised are getting compromised over and over again. Would you say that is correct?
Farmer: Yeah and Paypal and banks, Facebook and so forth and small percent Russian spammers.
MeD: They are testing this against multiple things, they are not just testing this against Diablo account they also test against Paypal and their bank log ins.
Farmer: They test it against everything and sell it.
MeD: How much do they sell these for?
Farmer: It depends on what’s on them.
MeD: 10c an account, $10 an account? Do you know the range there?
Farmer: ??? Doesn’t sell.
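What the farmer describes has a recognisable footprint on the receiving side: one source trying many different accounts in a short window, with a low success rate (his own figure is 1% to 10%). The following detection, an added example rather than anything from the interview or the fansite, runs that heuristic over constructed login-audit lines and separates a combo-list run from one user fumbling their own password.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login-audit lines (not real data):
# "<timestamp> <source-ip> <account> <result>"
SAMPLE_LOG = """\
2012-06-08T10:00:01 203.0.113.7 alice FAIL
2012-06-08T10:00:02 203.0.113.7 bob FAIL
2012-06-08T10:00:02 203.0.113.7 carol OK
2012-06-08T10:00:03 203.0.113.7 dave FAIL
2012-06-08T10:00:03 203.0.113.7 erin FAIL
2012-06-08T10:00:04 203.0.113.7 frank FAIL
2012-06-08T10:00:05 198.51.100.9 alice FAIL
2012-06-08T10:00:09 198.51.100.9 alice FAIL
2012-06-08T10:00:15 198.51.100.9 alice OK
"""


def parse(log_text):
    """Yield (timestamp, ip, account, succeeded) per line."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def stuffing_sources(log_text, window_s=60, min_accounts=5, max_success=0.2):
    """Return {ip: (distinct_accounts, successes)} for every source that
    tried at least `min_accounts` different accounts within `window_s`
    seconds while succeeding on at most `max_success` of its attempts.
    One account retried by one source never trips this, however many
    failures it racks up; that is ordinary password fumbling."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward so it spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            accounts = {user for _, user, _ in window}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in window if ok)
            if successes / len(window) <= max_success:
                flagged[ip] = (len(accounts), successes)  # keep the widest hit
    return flagged
```

The flagged sources are the ones to rate-limit or challenge; the success count tells you which of the accounts they hit need a forced reset.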

Wednesday, June 06, 2012

LinkedIn Password Hash Redux

This LinkedIn password hash leak has become a real storm of activity today. This post might not have much longevity, but I hope to quickly recap and summarize what we know, what we don't, what we guess and what we recommend. Everything here comes from correspondence on Twitter, blogs and what have you, so it should all be taken with a grain of salt (pun not intended).

What we know:
  • 6.5 million password hashes were posted on a password cracking website. The author said they were from LinkedIn and that they were unsalted SHA-1 format. Some of the hashes had several digits zeroed out. 
  • No account names were included with the post, meaning it's not possible to link the passwords to accounts with the data found.
  • LinkedIn has been investigating whether there was an internal breach, but has not yet publicly acknowledged anything they have found.
  • LinkedIn has said that "some of the passwords that were compromised correspond to LinkedIn accounts." However, this statement is sufficiently vague that it could mean nothing more than common passwords are used for LinkedIn and found in the compromised data.
  • Many security researchers who use unique passwords for LinkedIn and no other site have found those passwords in the leaked data. These passwords are said to be highly unlikely to be used by anyone else.
  • An Android app update occurred shortly after the breach was discovered. However, it's unclear if the two events are related.
  • A security vulnerability in the LinkedIn iOS app reported today does not call out password security as an issue.
What we don't:
  • We don't know whether there was a breach at LinkedIn or not. Likely they haven't yet completed their internal investigation.
  • We don't yet know if more information was leaked, such as account names, credit card numbers or other private information.
  • We don't know if more accounts have been exposed than those found in the original source.
  • We don't know if there is an active vulnerability that could be exploited again to gain access to more password hashes.
What we guess:
  • Mikko Hypponen has suggested that the list may have come from a LinkedIn web interface vulnerability, but this was simply speculation based on past breaches.
  • Researchers have speculated that passwords that have digits zeroed out have already been compromised, or that they are used for banned passwords.
  • There has been speculation that some password hashes are not from LinkedIn, though it's hard to find evidence either way.
  • There has been speculation that the 6.5 million passwords may cover all accounts on LinkedIn, due to some passwords being used by many different people. However, a number of people have reported that their password was not found among those leaked.
  • Some reports suggest the leaked passwords may be 6 months old.
What we recommend:
  • If you have a LinkedIn account, change your password soon. Make it something strong. LinkedIn published some very generic account and password security suggestions, but I prefer the excellent xkcd panel on passwords.
  • Many security professionals have called for LinkedIn to begin adding a salt value in their password hashing process, in order to strengthen security. 
  • Other security professionals have mentioned specific password storage mechanisms built into programming languages which represent the latest techniques in thwarting password cracking, such as bcrypt, scrypt and PBKDF2. This has the added benefit of reducing the risk of an improper implementation which could itself lead to security issues.
  • Two sites have been set up to check your password against the list. The sites appear to be safe, in that they won't steal your password, but for the paranoid you can also submit the password hash. I don't personally recommend that anyone do this, unless you have already changed your LinkedIn password and it was unique. But it's fun to look for possible passwords!
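Two of the recommendations above are easy to see in code: why unsalted SHA-1 is a problem and what a salted, iterated scheme such as PBKDF2 changes, plus how to check a password against a leaked list locally instead of typing it into a web form. This is an added example, not LinkedIn's code or the checking sites' code; the "leaked" set is constructed from two known plaintexts, and the number of leading digits zeroed out is an assumption, since the post does not say how many.

```python
import hashlib
import hmac
import os

ZEROED = 5  # assumed count of leading hex digits blanked in some leaked entries


def unsalted_sha1(pw: str) -> str:
    """The storage scheme the leaked list is reported to use."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed stand-in for the leaked list: one intact hash and one with
# the leading digits zeroed out, as the post says some entries had.
LEAKED = {
    unsalted_sha1("password"),
    "0" * ZEROED + unsalted_sha1("hunter2")[ZEROED:],
}


def found_in_leak(pw: str, leaked=LEAKED, zeroed: int = ZEROED) -> bool:
    """Check a password against the list without sending it anywhere.
    Matches both the intact form and the zeroed-prefix form."""
    h = unsalted_sha1(pw)
    return h in leaked or ("0" * zeroed + h[zeroed:]) in leaked


def pbkdf2_store(pw: str, iterations: int = 100_000) -> str:
    """Salted, iterated storage via the PBKDF2 built into hashlib. A fresh
    random salt means two users with the same password get different
    records, so one cracked hash reveals one account, not every account
    sharing that password, and precomputed tables do not apply."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```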