Friday, October 10, 2014

GHC14: Security: Multiple Presentations - Another Perspective

Finding Doppelgangers: Taking Stylometry to the Underground

Sadia Afroz (UC Berkeley) is using stylometry to find out who is interacting on underground (cybercrime) forums.  You want to figure out what a given person is doing there in the first place and who is really doing the work.

Current research around deanonymizing users in social networks is focused on similar usernames, but if you really care about being anonymous, you won't fall for that trap.  The next thing to look at is similar activities or social networks.  For most people you can see that they will write a Facebook post and a tweet about the same event/activity, so it's easy to find the match.  This doesn't work for underground forums, though.  So, instead, they are using stylometry to analyze writing style.

Stylometry is based on the premise that everyone has a unique writing style, unique in ways you are not aware of, so it's hard to modify. To do this, you analyze the frequency of punctuation and connector words, n-grams, etc. But you need a fairly large writing sample to analyze (the larger the better), though you can still get some accuracy on small samples.

They looked at four forums: one in Russian (Antichat), one in English (BlackhatWorld) and two in German (Carders and L33tCrew).  People move from one forum to another, but it is not always easy for researchers to get the full data sample.

Problems? These forums are not in English... and are often in l33tsp3ak (pwn3d).  Also, people aren't speaking in their natural voice; they are making sales pitches (which are more likely to overlap with other accounts that aren't actually the same person).

They parsed l33tsp3ak using regular expressions, with additional parsing to separate "pitches" from "conversation" (if there are no verbs and there are repeated items in lists, it's most likely a sales pitch, and it was eliminated).
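As an added illustration of the pipeline described above (this is my own example, not the speaker's code), the block below normalizes leetspeak with regular expressions, drops posts that look like sales pitches, builds a writing-style profile from character trigrams, punctuation and function words, and scores an unknown account against known ones with cosine similarity. The leet substitution table, the function-word and verb lists, the pitch heuristic and the forum posts are all constructed for the example; the real work used proper parsing and much larger samples.

```python
import math
import re
from collections import Counter

# Assumed leetspeak substitutions; extend for the forum you are looking at
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
TOKEN_RE = re.compile(r"[A-Za-z0-9@$]+")
# Small function-word list; stylometry features deliberately avoid topic words
FUNCTION_WORDS = {"the", "and", "but", "or", "so", "if", "then", "because", "i", "u",
                  "you", "we", "it", "to", "of", "in", "for", "with", "that", "this", "pls"}
# Crude stand-in for "the post contains a verb"; the talk used real parsing
COMMON_VERBS = {"is", "are", "was", "were", "be", "have", "has", "had", "do", "did", "can",
                "will", "would", "need", "want", "got", "get", "send", "pay", "buy", "sell",
                "selling", "reply", "replied", "advise", "reviewed"}

def normalize_leet(text):
    """Rewrite tokens that mix letters with leet digits/symbols (pwn3d -> pwned);
    pure numbers such as prices and ICQ numbers are left untouched."""
    def fix(match):
        tok = match.group(0)
        if re.search(r"[A-Za-z]", tok) and re.search(r"[0-9@$]", tok):
            return "".join(LEET_MAP.get(c, c) for c in tok)
        return tok
    return TOKEN_RE.sub(fix, text)

def looks_like_pitch(post):
    """Heuristic for a sales pitch: mostly list/price lines, or no verb at all
    plus repeated tokens. Pitches are dropped before comparing writing style."""
    lines = [ln.strip() for ln in post.splitlines() if ln.strip()]
    if not lines:
        return False
    listish = sum(1 for ln in lines
                  if re.match(r"^[-*>\d]", ln) or re.search(r"\$\s?\d|\d\s?\$", ln))
    words = re.findall(r"[a-z]+", normalize_leet(post.lower()))
    has_verb = any(w in COMMON_VERBS for w in words)
    repeats = len(words) - len(set(words))
    return listish / len(lines) >= 0.5 or (not has_verb and repeats >= 3)

def style_features(text, n=3):
    """Relative frequencies of character n-grams, punctuation and function words."""
    text = normalize_leet(text.lower())
    feats = Counter()
    padded = " " + re.sub(r"\s+", " ", text) + " "
    for i in range(len(padded) - n + 1):
        feats["c:" + padded[i:i + n]] += 1
    for ch in text:
        if ch in ".,!?;:'\"()-":
            feats["p:" + ch] += 1
    for word in re.findall(r"[a-z']+", text):
        if word in FUNCTION_WORDS:
            feats["w:" + word] += 1
    total = sum(feats.values())
    return {k: v / total for k, v in feats.items()} if total else {}

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def best_match(unknown_posts, known_accounts):
    """Score an unknown account's prose against each known account's prose
    (pitches removed) and return (account, similarity) for the closest one."""
    unknown = style_features(" ".join(p for p in unknown_posts if not looks_like_pitch(p)))
    scores = {}
    for name, posts in known_accounts.items():
        prose = [p for p in posts if not looks_like_pitch(p)]
        scores[name] = cosine(unknown, style_features(" ".join(prose)))
    return max(scores.items(), key=lambda kv: kv[1])

# Constructed forum posts (not real data)
KNOWN = {
    "alice": ["lol u got the acc yet?? pls send me the login... i need it asap... thx bro",
              "ok so... u still selling?? pls pm me the price... i can pay today lol",
              "SELLING FRESH CC\n- US visa $5\n- US master $5\n- UK visa $8\n- UK master $8\nicq 123456"],
    "bob": ["I have reviewed the listing; however, the vendor has not replied. Please advise "
            "on the escrow process, as the terms were not stated clearly."],
}
UNKNOWN = ["yo u there?? pls reply... i want to buy 2 today lol... thx"]

if __name__ == "__main__":
    print(normalize_leet("pwn3d th3 b0x"))
    print(best_match(UNKNOWN, KNOWN))
```

The similarity score is only a ranking signal; as the talk notes, it gets combined with the non-stylometric evidence (shared ICQ numbers, signatures, ban history) before calling two accounts the same person.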

Then it is all about probability: what is the likelihood that these are the same person?  Lots of analysis followed, like: do these accounts talk to each other or about each other? Are there similar usernames, ICQ numbers, signatures, contact information, account information or topics? Did they ever get banned? (Moderators do not like one person having multiple accounts.)

People can also sell their accounts; accounts that have been established with a higher rank sell for more. Some people also want to "brand", so they can sell different things with each account (like credit card numbers with one and marijuana with another).

You could avoid detection by writing less (at the cost of a lower rank), or you could use their tool, Anonymouth :-)

From Phish to Phraud

Presented by Kat Seymour, senior security analyst at Bank of America. The talk started out great with a reference to Yoda. Every talk should have a reference to Yoda!

Phishing used to be about silly things like weight loss pills and male enhancement pills.  But it's grown up; there's real money to be made here: $4.9 billion was lost to phishers last year.

Attacks come from all over the place now (mobile, voicemail, email, websites) and they've matured. No longer plain text filled with spelling errors, they now steal corporate branding and are well written. The phishers are also taking over legitimate websites that aren't well watched or maintained.

Ms. Seymour can look at things in the URL to find out more about the phisher (and to learn suspicious patterns).  She can also find the IP address for further research. Additionally, she can use the Internet Archive (the Wayback Machine) to see if the website has changed a lot recently, which is evidence of a takeover.

She pays attention to referrers to their website: if a new referrer shows up suddenly in the logs and then disappears, it's likely a phishing site, so she then has to watch the accounts that logged in through it for suspicious activity (in addition to researching the referring site).
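The referrer check above is easy to automate against a web server's access log. The following is an added example (mine, not Bank of America's tooling): it parses combined-format log lines, groups successful logins by the referring host, and flags third-party referrers that drove a burst of logins in a short window and then went quiet. The log lines, the hostnames, and the thresholds (three logins within an hour, then twelve hours of silence) are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format; the third field carries the authenticated user (assumption)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log excerpt: bank-verify-account.example sends three logins in eight
# minutes and is never seen again; search.example sends three spread over days.
LOG_LINES = """\
198.51.100.7 - carol [10/Oct/2014:08:02:11 -0400] "POST /login HTTP/1.1" 302 0 "https://www.bank.example/" "Mozilla/5.0"
198.51.100.9 - dave [10/Oct/2014:08:40:53 -0400] "POST /login HTTP/1.1" 302 0 "https://search.example/?q=bank" "Mozilla/5.0"
203.0.113.5 - alice [10/Oct/2014:09:12:01 -0400] "POST /login HTTP/1.1" 302 0 "http://bank-verify-account.example/" "Mozilla/5.0"
203.0.113.6 - bob [10/Oct/2014:09:14:37 -0400] "POST /login HTTP/1.1" 302 0 "http://bank-verify-account.example/" "Mozilla/5.0"
203.0.113.7 - erin [10/Oct/2014:09:19:48 -0400] "POST /login HTTP/1.1" 302 0 "http://bank-verify-account.example/" "Mozilla/5.0"
198.51.100.7 - carol [10/Oct/2014:13:30:02 -0400] "POST /login HTTP/1.1" 302 0 "https://www.bank.example/" "Mozilla/5.0"
198.51.100.11 - frank [11/Oct/2014:10:05:19 -0400] "POST /login HTTP/1.1" 302 0 "https://search.example/?q=bank" "Mozilla/5.0"
198.51.100.12 - grace [12/Oct/2014:11:45:00 -0400] "POST /login HTTP/1.1" 302 0 "https://search.example/?q=bank" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the parsed fields with a timezone-aware datetime, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_transient_referrers(lines, own_host, min_logins=3,
                             burst=timedelta(hours=1), quiet=timedelta(hours=12)):
    """Return {referrer_host: [users]} for third-party referrers that produced at
    least min_logins successful logins within `burst` and then stayed silent for
    at least `quiet` before the end of the log. A 302 on POST /login is taken as
    a successful login (assumption about this site's behaviour)."""
    all_ts, events = [], []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        all_ts.append(rec["ts"])
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == "302":
            host = urlsplit(rec["referrer"]).hostname
            if host and host != own_host and not host.endswith("." + own_host):
                events.append((host, rec["ts"], rec["user"]))
    if not events:
        return {}
    log_end = max(all_ts)
    by_host = {}
    for host, ts, user in events:
        by_host.setdefault(host, []).append((ts, user))
    flagged = {}
    for host, hits in by_host.items():
        times = [ts for ts, _ in hits]
        first, last = min(times), max(times)
        if len(hits) >= min_logins and last - first <= burst and log_end - last >= quiet:
            flagged[host] = sorted({user for _, user in hits})
    return flagged

if __name__ == "__main__":
    for host, users in find_transient_referrers(LOG_LINES.splitlines(), "bank.example").items():
        print(f"suspect referrer {host}: review accounts {', '.join(users)}")
```

The output is a review queue, not a verdict: the flagged referrer still needs the manual research the talk describes, and the listed accounts are the ones to watch for unusual activity.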

It's not as simple as blocking IPs; she can't control your personal machines or all of the places you might be connecting from.

She needs to work with ISPs to block known phishing websites, but ISPs are spread all over the world.  She can watch logs, traffic analysis and referrers, but the phishers are constantly coming up with new techniques.  It would be great to work with email providers to get them to watch for this, but they are too diverse (some email providers are trying to address it, but it is difficult to coordinate).

Advice? Watch your statements, watch your statements, watch your statements!




GHC14: Passwords with Lorrie Faith Cranor

Lorrie Faith Cranor is a professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University.

Who knew that Carnegie Mellon had a passwords research TEAM!? (It looked to be about 10 people.)

Lorrie Faith Cranor noted that everyone hates passwords, but no matter how much we hate them, text passwords are here to stay.  These passwords have a lot of attack vectors: shoulder surfing, online attacks and offline attacks.

Offline attacks are difficult to protect against, are very effective and are the cause of many publicized breaches.  Password databases are leaked in hashed or encrypted form, and computers can make BILLIONS of guesses per second, comparing hashes to find matches. Additionally, attackers exploit the common reuse of the same password at multiple sites.

CMU had rolled out a new password policy (how many digits are required, upper/lower case, allowed symbols, etc.). Everyone hated the rules and blamed her (alas, the IT department had not consulted her). She asked them where they got the rules: NIST.  Sounds good, so she looked into where NIST got its recommendations.  It seems they came up with the rules based on what they thought would be a good idea, but had not tested them against actual passwords.

System administrators don't want to get in trouble, so they are going to use "best practices". If Dr. Cranor wants them to use something "better", she has to prove it and get it published in a respected source.

How can you get passwords to study?

One of the easiest ways to get passwords is to ask users to come into your lab and create passwords for you, but not everyone wants to walk into your lab to do this.  You can expand the reach by doing it online and get thousands of passwords.  The problem?  You're asking people NOT to give you their real password, so this is not real data.

Another approach? Steal passwords. Of course, CMU cannot steal passwords; it's not ethical.  But hackers like to post hacked password lists, so researchers can study some real passwords that way.

You can ask users to tell you about their passwords (where they put the special symbol, where they put the number and the capital letter, etc.).

Or you can ask sysadmins for passwords, but they usually don't want to give these out. [VAF note: the sysadmin should NOT actually have access to the raw password?]

The passwords you get from leaked systems are often from throwaway sites, so they are not high quality.

Her lab was able to convince CMU to give them 25,000 real, high-value passwords. They could compare these to leaked passwords and previous study data to see how relevant that data was. The CMU passwords were created under CMU's password restrictions.  They also got the logs: how often people logged in with the password, the error rate for wrong passwords and how often they changed it, along with information about gender, age, ethnicity, etc.

Getting this information took a LONG time.  They had to have two computers: one off the Internet, locked in a room and not accessible by the researchers.  Researchers would write their tests and analysis scripts on a separate machine, then hand them over to the IT staff to run.  Black box testing.

How did they get these passwords, which should have been hashed?  Many enterprises don't actually use hashes; they encrypt them with a system they can reverse so they can more easily deploy new systems. [VAF: ARGH!?!?!? what?!] So, at CMU they could decrypt the passwords (in the locked environment that the researchers did not have access to).
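To make the two points above concrete (the offline attack at billions of guesses per second, and why reversible "encryption" of a password store is the wrong design), here is an added example of my own, not code from the talk. It runs a dictionary attack against a constructed dump of unsalted SHA-256 hashes, then shows the store a site should keep instead: a random per-user salt and a slow key derivation function, which forces the attacker to pay a full KDF run for every user-and-guess pair and gives the operator nothing to decrypt. Usernames, passwords, the wordlist and the iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os

# --- the weak way: unsalted SHA-256, as found in many real leaks ---
def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed dump: username -> unsalted hash, exactly as an attacker would find it
LEAKED = {
    "alice": sha256_hex("monkey123"),
    "bob": sha256_hex("iloveyou"),
    "carol": sha256_hex("Tr0ub4dor&3"),
}
# Constructed wordlist; real attacks use millions of entries from earlier leaks
WORDLIST = ["123456", "password", "iloveyou", "monkey", "monkey123", "baseball"]

def crack_unsalted(leaked, wordlist):
    """Hash every guess once and look it up against every user at the same time.
    Without a salt, identical passwords give identical hashes, so one SHA-256
    per guess tests it against the whole dump, and the same hash reappears in
    dumps from other sites where the user reused the password."""
    lookup = {sha256_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}

# --- the right way: random per-user salt plus a deliberately slow KDF ---
ITERATIONS = 50_000  # kept low so the example runs quickly; tune upward in production

def make_record(password, salt=None):
    """Store salt, iteration count and derived key; nothing here can be reversed,
    so a researcher (or an intruder) holding the table still has to guess."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iters": ITERATIONS, "hash": dk.hex()}

def verify(record, password):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))

def crack_salted(records, wordlist):
    """The same dictionary attack against salted records. Every (user, guess)
    pair needs its own full KDF run, so cost grows as users x guesses x iterations
    instead of one cheap hash per guess. Returns (found, number_of_kdf_runs)."""
    found, kdf_runs = {}, 0
    for user, rec in records.items():
        for word in wordlist:
            kdf_runs += 1
            if verify(rec, word):
                found[user] = word
                break
    return found, kdf_runs

if __name__ == "__main__":
    print("unsalted dump cracked:", crack_unsalted(LEAKED, WORDLIST))
    salted = {u: make_record(p) for u, p in
              [("alice", "monkey123"), ("bob", "iloveyou"), ("carol", "Tr0ub4dor&3")]}
    print("salted store cracked:", crack_salted(salted, WORDLIST))
```

Both attacks recover the two weak passwords; the difference is the bill. The unsalted attack spent six hashes for the whole dump, while the salted one spent fourteen full PBKDF2 runs and would spend users-times-wordlist on a real table.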

CMU Real Password Study

Dr. Cranor's team looked at things like how guessable the password was. Simple ones, like 1234, would be guessed in 4 tries. More complicated ones may be "impossible".

Since they had clear text passwords, they could run a guessability meter on them instead of actually guessing them.  They could see that CS students created the strongest passwords; business students did not create passwords that were as good.

Could not find an effect for faculty vs. student, and ethnicity made no difference in password strength, but men did make passwords that were 1.1x stronger than women's.

You can make your password stronger by doing simple things, like adding a digit. If you put the digit at the beginning of your password, it was better than no digit, but not as good as having a digit in the middle. If you have multiple digits in your password, spreading them out makes it harder to guess.

Password creation was annoying; if you're annoyed while doing it, though, you'll create a weaker password. :-)

They additionally took a look at leaked hashed/cracked passwords; those were weaker than the ones created at sites like CMU that have an "annoying" password policy.

But they could then compare the spread and diversity of the passwords collected in studies against real CMU passwords, and found they were similar enough that her team could do further research with study passwords.

Large-Scale Online Experiment

Used Mechanical Turk, a site where you can pay users to participate in your study (10 cents, a dollar, etc.). Found this is a great way to do online studies, as Amazon handles the credit cards, etc.

Asked participants to create passwords under randomly assigned constraints. From these they could compute entropy estimates and guessability estimates. They could also see that people would drop out of the study the more difficult and onerous the password rules were.

NIST has published password entropy estimates.  NIST notes that adding dictionary checks raises entropy and that a policy with more rules ("comprehensive 8") would be worth 24 bits of entropy.  "Basic 16" (no dictionary check) is the policy for which they estimate the highest entropy.

Users only seem to use very few symbols (@ sign and ! are the most popular), even though many are available to them.

Found that in general basic 16 could be pretty good, except for dumb users. Found these passwords quite easily: baseballbaseball, 123456789012345 and xxxxxxxxxxxxxxxx.  Oops!

Some minor restrictions will make basic 16 (which is less annoying to set and easier to remember) stronger than a comprehensive 8 password.
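As an added example (mine, not the CMU team's code), the block below encodes the two policies as checks and shows one version of the "minor restrictions" that would have stopped the three embarrassing basic 16 passwords above: reject repeated patterns, all-digit strings, padded dictionary words and known phrases. The talk did not list the exact restrictions, so these are assumptions; the dictionary and phrase lists are tiny constructed stand-ins for the full wordlists and n-gram models a real checker would use.

```python
import re

# Constructed word and phrase lists; a real deployment would use full wordlists
# and an n-gram model built from lyrics, quotes and prior leaks.
DICTIONARY = {"baseball", "password", "monkey", "dragon", "football", "letmein"}
COMMON_PHRASES = {"mybonnieliesovertheocean", "imsexyandiknowit", "iloveyou"}

def letters_only(pw):
    """Lowercase letters with digits and symbols stripped, for dictionary lookups."""
    return re.sub(r"[^a-z]", "", pw.lower())

def is_periodic(s):
    """True when s is a shorter string repeated (xxxxxxxx..., baseballbaseball)."""
    return len(s) > 1 and s in (s + s)[1:-1]

def comprehensive8(pw):
    """At least 8 characters with upper, lower, digit and symbol, and the letters
    alone must not be a dictionary word (the comprehensive 8 rule as described)."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None
            and letters_only(pw) not in DICTIONARY)

def basic16(pw):
    """Length only: the rule under which baseballbaseball slipped through."""
    return len(pw) >= 16

def basic16_plus(pw):
    """basic 16 with a few cheap extra restrictions (assumed here): not a repeated
    pattern, not all digits, not a padded dictionary word, not a known phrase."""
    if not basic16(pw) or is_periodic(pw) or pw.isdigit():
        return False
    letters = letters_only(pw)
    if is_periodic(letters) or letters in DICTIONARY or letters in COMMON_PHRASES:
        return False
    return True

def policy_report(pw):
    """Which policies accept the password; handy for comparing candidates."""
    return {"comprehensive8": comprehensive8(pw),
            "basic16": basic16(pw),
            "basic16_plus": basic16_plus(pw)}

if __name__ == "__main__":
    for candidate in ["baseballbaseball", "123456789012345", "xxxxxxxxxxxxxxxx",
                      "ImsexyandIknowit#01", "Baseball1!", "my cat eats 3 lemons weekly"]:
        print(f"{candidate!r}: {policy_report(candidate)}")
```

Note that the phrase check works on the letters alone, so a symbol or a couple of digits tacked onto a song lyric does not rescue it, which is exactly the weakness the n-gram cracking discussed later exploits.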

Longer passwords though take longer to type... so that is annoying in a different way.

Recommended Policy?

Not sure: our password cracking algorithms are fine tuned for 8 character passwords, so the fact that they are having a hard time cracking 16 character passwords may not really be because those are harder, but rather because we have the wrong tools.

So... more research on n-grams (Google, book quotes, IMDB, song lyrics, etc.), and now 16 character passwords become much easier to crack (Mybonnieliesovertheocean, ImsexyandIknowit#01).  Her students used this to win the DEF CON password cracking contest this year with their new tools.

Found that password meters can be frustrating (the same password gets different ratings on different meters), but they do make people create better passwords.

XKCD?

Did XKCD solve this all already?

So Dr. Cranor's team studied this! Found that the passphrases were not easier to remember, and people didn't like the random word passwords (but didn't dislike them any more than other password rules).  They tried adding "auto correct" to the random word passwords, which helped people log in faster.

Research uncovered one of the most common words that appears in passwords: MONKEY! Why? They updated their password survey and asked every user who included "monkey" in their password WHY. A: a lot of people have pets named Monkey, or a friend nicknamed Monkey, or... well, they just like monkeys.

As much as they've tried, they have not found a way to make users be random. More research... :-)

Interesting thing about Dr. Cranor? She made her dress, and it's covered with a graph of discovered passwords (iloveyou in giant letters along the side).

Her team is starting to do more research on mobile vs. desktop: users seem to avoid anything that involves the shift key on mobile.

Interested in going to grad school and studying this? Join her team: http://cups.cs.cmu.edu/passwords.html

Question from the audience: does changing passwords make them better?  No, her research shows that changing your password more frequently leaves you with a BAD password.  People make simple incremental changes to their passwords that make the new ones easier to guess, particularly if the attacker has an "old" password.  The only time sysadmins should make users change their password is in response to a breach.
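The "incremental change" problem is easy to demonstrate from the attacker's side. This is an added example of my own (not from the talk): given an old password, it generates the small edits people typically make under forced rotation (bump the trailing number, swap or append a symbol, change capitalization, reverse) and checks whether a new password is one of them. The transformation set is an assumption chosen for illustration; real cracking rule sets are much larger.

```python
import re

SYMBOLS = "!@#$%"

def incremental_guesses(old):
    """Candidate new passwords an attacker who knows `old` would try first."""
    guesses = set()
    m = re.match(r"^(?P<stem>.*?)(?P<num>\d+)(?P<tail>\W*)$", old)
    if m:
        stem, num, tail = m.group("stem", "num", "tail")
        # Summer2014! -> Summer2015!, Summer2016!, Summer2013! (width preserved)
        for delta in (1, 2, -1):
            guesses.add(f"{stem}{int(num) + delta:0{len(num)}d}{tail}")
        # monkey12! -> monkey12@, monkey12#, ... and monkey12 (symbol dropped)
        for sym in SYMBOLS:
            guesses.add(f"{stem}{num}{sym}")
        guesses.add(f"{stem}{num}")
    else:
        # no number yet: append one digit or one symbol
        for d in "0123456789":
            guesses.add(old + d)
        for sym in SYMBOLS:
            guesses.add(old + sym)
    guesses.add(old[::-1])
    # capitalization tweaks on the original and on every candidate
    for g in list(guesses) + [old]:
        guesses.add(g.capitalize())
        guesses.add(g.upper())
    guesses.discard(old)
    return guesses

def is_predictable_change(old, new):
    """True when `new` is one small step from `old`, i.e. the rotation bought nothing."""
    return new in incremental_guesses(old)

if __name__ == "__main__":
    for old, new in [("monkey12!", "monkey13!"), ("iloveyou", "Iloveyou!"),
                     ("monkey12!", "Xq7$vLp2nR")]:
        print(f"{old} -> {new}: predictable={is_predictable_change(old, new)}")
```

A password-change handler could run this check against the previous hash's known plaintext only at change time, when the user has just typed the old password; it should never keep old passwords around for that purpose.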

Password reuse: sure, for junk websites (newspapers, etc.), but do NOT reuse those passwords for work, bank or personal email. It's better to write them down (that requires someone breaking into your house, as opposed to attacking a news site and then having access to your bank account).

This blog is syndicated from Security, Beer, Theater and Biking!

Thursday, October 9, 2014

GHC14: Security: Multiple Talks

With: Morgan Eisler, Shelly Bird, Runa A. Sandvik

Visualizing Privacy: Using (Usable) Short Form Privacy Policies

Morgan Eisler, @mogasaur, works at Lookout, a mobile security company.  This year over 2 billion people worldwide use the internet, with more added every minute. Many (most?) of these are on mobile devices.  Many companies have privacy policies, but only 12% of Internet users read privacy policies all the time, and only 20% of those who read them (even occasionally) understand them. They are simply too long!

Facebook's privacy policy is longer than the constitution of the United States!

If nobody reads them, can we really say that customers are making a choice? Certainly not an informed one. Users trust their providers, but expectations rarely match reality, which can cause negative surprises that lead to loss of trust and loss of revenue.

Consider "Yo", an app that you share all of your contacts with, and it will send them push notifications: a literal "Yo".  The app became very popular and was hacked overnight; suddenly people's phone numbers were no longer private.  This wasn't even an app created by a company, just a few friends having fun.

At Lookout, they made a really short form policy that you could view on just one page on a mobile device, but was it helpful?

It is important, but if people are not reading it, it's not really helpful. The NTIA does give guidelines to help anyone create a privacy policy.

Lookout created a new short form policy that was quite simple: greyed-out icons for things like "Government" to show that they were not sharing their data with the government.  For the parties they did share with, like "Carriers", you could click on the icon and get more information.

They did usability studies and found that customers liked it, but did they understand it?  People, for example, weren't sure what the "user files" icon meant; it looked like pictures. Did that mean it only applied to pictures?  They used the usability studies to clear up some of the icons.



The Flattening of the Security Landscape and Implications for Privacy

Customers are like sheep (which are not at all like they are portrayed in movies). Sheep are stubborn, and if you try to push them too hard, they scatter (enter a picture of a sheep dog working hard :).  Even though Shelly Bird isn't "in" security, when a security breach happens, customers come to her.  She has to pay attention to everything before deployment, like making sure the BIOS is up to date.

Shelly thinks of security as a bowl: a container to store and protect your data, applications, etc.  Also like a castle: defense in depth.

Ten years ago, during a deployment, a customer said she had to remove IPsec from all of the machines. Huh?  The router/switch engineers said: That's our job!  What about the "last mile"?  The same customer didn't want IPv6, convinced their firewall would be confused and unable to process it.

Once Shelly got through all of this, the Intrusion Detection folks were unhappy! They could no longer read the packets.

Essentially, fear of change.

Shelly could see that the more she could push the work down the stack, the faster things worked.  For example, a high-level app encrypting a disk took four hours, but letting the OS do it took two!

There are other, bigger problems here: credentials! The government likes authorized users to have something physical to prove their affiliations.  Shelly ended up with a dozen of these cards. Ugh.  Now they are moving them onto the mobile device, using TPMs as a trust anchor.  This is claims-based authentication, allowing business to move faster.

This is still very complicated, though, as the US Government doesn't even have trust across branches.

People want to have multiple identities; people travel and move around and have different reasons for doing different transactions.  Lots of work to get this right.

The Data Brokers: Collecting, Analyzing and Selling Your Personal Information

Runa Sandvik works for the Freedom of the Press Foundation; they protect the press and help inform the press of their rights, like those who were arrested in Ferguson for not moving fast enough.

While she often talks about the NSA, today she's talking more about consumer privacy.

It's surprising how much companies know about you just by watching your patterns.  You are volunteering this information in exchange for a discount. Like the father who found out from Target that his daughter was pregnant. She wasn't even buying diapers or anything that obvious, but she changed the products she was using in a way that indicated pregnancy to Target.

But this stuff happens online, too, and we don't even know about it.

And this information isn't just kept by the one company you are shopping at; it's being collected by data brokers.  For example, OfficeMax addressed a letter to a man with the title "Daughter Died in Car Crash". Where did they get that data? Why did they have it?

Data brokers sell lists of rape victims, alcoholics and erectile dysfunction sufferers.  Where are they getting this? Why are they collecting it?

When asked directly, data brokers talk about caring about privacy, but don't want to share things like: how to see what information they have about you, how to remove or correct that information, or how to decline to share it.

How many people have read the privacy policy for GHC? No hands went up... Runa read it for us and wasn't happy with what she found.  Things like: your resume could be shared with non-recruiters.  The privacy policy also notes that they will not use encryption, unless required by law, to protect your information.  She also used a tool, Disconnect, to see what sites were gathering information from users of the GHC website, and there was a data broker there (New Relic, which does help you analyze your site traffic, but what is *their* privacy policy? Will they share GHC stats with other orgs and corps?).

You can use Tor to protect yourself from these data brokers. The only way the site will know it's you is if you log in; otherwise there's no way for them to know who you are, so they won't have anything to track against.  Runa only uses Chrome for cat photos. :-)

Wow, this really goes beyond the annoying targeted banner ads!