give a man a phish…

There’s an old quote, of course…

Give a man a fish and you feed him for a day.  Teach him to fish and you’ve fed him for life.

Today’s topic is about phishing, the activity in which a con artist sends a fake email to others and convinces them into giving up their credentials, credit card details, etc.

What They’re After

It’s almost always about money. They want the login details for your checking account or your credit card. If they can get your email account’s credentials then they’ll search your emails for links to your checking account or credit card. If they get your social media account’s credentials then they’ll know the people who trust you and they’ll send them email as if they’re you, conning your friends into clicking these sorts of links.

041017-Phishing-Activity-minTrust

If a stranger on the sidewalk asked you to put your wallet into a magic hat, you probably wouldn’t. You don’t trust him. So when a stranger on the Internet sends you an email, then you are probably smart enough not to click any links in it.

But now, what happens when an email arrives and it has the correct logo and content from Microsoft?  You trust them.  They wrote the software that’s on your computer, possibly.  They’re telling you that you are about to lose something or in other cases, that you could get something for free.

But of course, that email could seemingly arrive from UPS, FedEx, the U.S. Postal Service, Wells Fargo, Bank of America, Chase, Logitech, Intel, Apple, Google, Intuit, Adobe, Samsung, HP, Facebook, Twitter, Verizon, AT&T, Starbucks, Staples, Yahoo, Bing, MSN, Firefox, Chrome, WordPress…  Literally any name brand or product name you trust can be used to fool you.

Urgency

If someone told you that you had thirty years left in your lifetime, you’d probably be interested but it wouldn’t necessarily change what you do today as a result.  You’d have time to get a second opinion from another doctor, say.

We’re programmed, though, to panic when we have a limited amount of time to make a decision.  If the doctor told you that you needed to get your affairs in order because you have 24 hours left, then you probably wouldn’t calmly make an appointment with that second doctor.  You’d very likely go on a shopping spree or make some other not-so-mature decision in the spur of the moment.  In other words, the rational/analytical part of your brain wouldn’t be in charge.  Your would-be scammer knows this.  So all these attempts have some sort of expiration date/time attached to them.

Free… Isn’t

I’m not sure why people are such suckers for the word “free”.  It seems to be another method of short-circuiting the brain.  Combine free with an expiration date of some kind plus a spoofed pedigree and most people will stupidly click that link.

Antivirus Isn’t “Anti-Stupid Protection”

Unfortunately, your antivirus program can’t protect you from doing something, well… stupid, in this case.  It would be stupid to enter your credentials for anything prompted by any email.

But, what if this is legitimate?  Okay, so what if I have received an email from Geico and they’re trying to tell me that my policy is about to expire?  (Let’s assume for a moment that I have Geico insurance.)  Do I actually need to click their link to find out the status of my policy?  No.  It is infinitely safer for me to open my browser, type in Geico.com in the location field, verify that I haven’t mis-typed the domain name and then to enter my credentials on their website.  In doing so, I’ve completely removed all the dangers of phishing.

Digital Extortion

According to statistics, 64% of Americans are willing to pay a ransom to get their data back (or say control of their computer) and the average bounty demanded is $1,077 per victim. Only 34% of people globally are willing to pay money in these circumstances. Unfortunately, that makes the U.S. a prime focus for these people.

what myspace’s mistake means to us

You might not have heard about this but someone internally back in 2006 stole a huge password file for all known Myspace accounts at the time. It would takes years for this knowledge to be known by Myspace themselves at which time they then forced a password reset for everyone on their site. In their minds at least, the problem was solved.

Unfortunately for the world, a much bigger problem was born.

Password hacking

Back in World War II, for example, what was essentially a form of hacking (decrypting encoded text) would actually mean the difference in saving lives, well at least for one side of the game. You could easily suggest that it also cost lives for those whose secrets were now known by the opposition.

In today’s war against cybercrime, identity theft, credit card fraud, espionage, stalkers, blackmail and such, there are people who wish to know your secrets.

Using a file which contains a dictionary of words and adding to this the available numbers and symbols, hackers have written code to auto-generate a password and then programmatically compare the results with something that’s stored in these administrative files. If things match then they know your password and then they can log into a remote website or system as you. If that website is your checking account or PayPal then the damage could be more than just your pride; you could actually lose money.

Password hashing

Most modern websites and computer systems don’t actually store your password. They routinely create something called a hash from it. So what’s actually available in the public domain now is a few hundred million usernames + hashes of their passwords.

Immediate progress

In no time at all, very nearly every single password from that list was cracked using these hacking programs. We’re talking at least 400 million passwords. And yet, still, people don’t understand just how very terrible it is to be us now.

What this really means to us now

Several things can be learned here from this second-generation database (now with the known passwords).

  • In this database is a known list of usernames that the Internet at large has used at one time. This alone should scare you. Hackers now don’t need to try 36^8 combinations of characters and numbers to try to generate what could be a username. Their search space just became a lot smaller.
    • Having a list of several hundred million usernames means that cryptographers can use something called frequency analysis to determine which characters are more likely to appear in the next username you might create.
  • In this database is a known list of passwords that the Internet at large has used at one time. I would suggest that the average user has re-used a single password at least ten times across most websites and computer systems which they use.
    • Again, cryptographers now may do frequency analysis on characters we use to create passwords. So they know that the lowercase letter ‘a’ is used 7% of the time, roughly. In other words, it’s no longer necessary to try perhaps 50^8 combinations of characters + numbers + symbols; they can now just use this database as a simple dictionary attack!  Four hundred million may seem like a large number but it’s very much smaller than 39,062,500,000,000 (39 quadrillion).

In other words, hacking passwords just got infinitely easier due to Myspace’s mistake.

Could it get any worse?

Yes, actually. With a database this large, someone could create an artificial intelligence program which could then describe how we humans generate them in the first place. Presumably, it would look for patterns in the same way that hackers do, for example, we are often faced with the challenge of creating a password that would make Microsoft’s websites happy.

From Microsoft’s website:  “Passwords must have at least 8 characters and contain at least two of the following: uppercase letters, lowercase letters, numbers, and symbols.”

So this AI program would then look at the database and announce:

AI computer program output:  “Humans are lazy and stupid therefore they will do the following…”

  1. The password will have a length of eight or nine
  2. The first will be an uppercase character
  3. The second thru sixth/seventh will be lowercase characters
  4. 30% of the time the next will be the number one, in 20% the next will be four, in 8% the next will be two, etc
  5. 40% of the time the last will be an exclamation point, in 30% the last will be an asterisk, in 10% the last will be an ampersand, etc

The bad part is that this would be correct for about half of the passwords on the planet. And the other half would probably be the 1337 (leet) version of this where someone thinks that they’re being clever by substituting in numbers which each resemble a character:

  • zero looks like the uppercase letter ‘oh’
  • one looks like the lowercase letter ‘el’
  • seven looks like the uppercase letter ‘T’
  • three looks like a backwards uppercase letter ‘E’

All this is the fruit of crypanalysis. It tells you how to make your problem easier by restricting the search space. But if it’s now easier for hackers it’s now much harder for us, the people who want to keep our secrets and our money intact.

What if we let systems generate our passwords for us?

There are many that would suggest that this is our future. We let the system auto-generate a seemingly-random password for us and then we store that somewhere. We’d then copy/paste that when prompted. In fact, I see this done within the I.T. administrative space and each person who does this probably feels secure.

And yet, someone wrote that password generator routine. What if this person “salted” 75% of the so-called randomness with a string of characters known only to them? The NSA routinely forces big business to build things like this into cryptography so that—for the NSA at least—the problem becomes infinitely easier.

The real problem is that we believe in the security of these systems and perhaps we simply should stop believing.

What do we do now?

The cost of running many computers (virtual or real-metal) keeps going down. The cost of terabytes of storage in the cloud is still expensive ($3,000+/TB) but there are people who have ten computers in their basement each with a terabyte drive.

In the past, the search space would have required perhaps 300TB of database space to “brute force” and store the combination of all possible passwords plus their hashes. The knowledge made available from Myspace’s mistake, once fully realized, now might mean that in practical terms somebody with 10TB of space could essentially own the actual password space we use.

I wish I had some practical advice for you. The only takeaway lesson from this is that we have to do something completely different when generating passwords or we have to stop storing our secrets and our money as we’re doing now.

crowd-sourcing your bugs

Most of us in the contracting space are interested in alternate ways of making money. Personally, I enjoy straight programming to almost any other means of earning it but I discovered something recently that looks interesting. There’s a website now that seemingly pays for finding bugs in the code of others. As programmers we are often good at spotting problems early and we’re probably the best at finding them. Troubleshooting is usually something that isn’t seen as a profit center so why not flip things and make some money doing it?

Bugcrowd.com

Enter the new website which appears to be crowd-sourcing the problem of code testing. Various companies then work with the website to outsource this task to others who attempt to identify a problem worth fixing. If they decide that it’s indeed a bug then they usually pay some form of money to the researcher.

My Anecdote

From my own limited experience, I created an account, reviewed the many offers and picked the Tesla Motors website to look for security problems. Within an hour I identified something from a third-party webtiming partner which turned out to be flagged by Microsoft Security Essentials as the Win32/Spursint.A Trojan. (Not bad for just an hour’s work, I thought.) I then wrote up my findings and awaited  a response. Someone  did respond within 24 hours.

But then the fun began as I attempted to communicate what I’d found. Since they couldn’t recreate what I’d seen they submitted the linked JavaScript to other antivirus sites which found it to be clean.

Next, I tried to explain the nature of the Akamai network of caching servers and how a local version of their server might be delivering different content than what I’d received: some get the Trojan and some do not, in other words. Again, this was falling upon deaf ears.

I then tried to convince them that development-related timing code isn’t normally pushed to production, that their build process should have groomed this out in the first place. Again, no sale. They just didn’t want to hear that their third-party JavaScript provider could have been compromised. Lesson learned: don’t waste your time twice with the same company who won’t listen to reason.

Closing Thoughts

Will I use Bugcrowd again? I like the concept. I think I had rather spend my time, though, in a more fruitful venture with a less risky return.

New wisdom: Avoid systems in which you perform labor and then someone else decides whether or not your labor deserves getting paid for. Oh, and unless you have an up-to-date virus checker you may want to avoid the Tesla website since it sometimes delivers a Trojan to your browser.