Sunday, April 5, 2015

What's In A (Pass)Word?

Prevailing wisdom among information security practitioners is that passwords are outdated as a secure means of authentication. However, until a better way achieves wide adoption they are a fact of online life.

Password Harvesting

So how do the bad guys get your password in the first place? There are lots of ways:

  • Sites like LeakedIn and Pastebin are popular locations for "dumps," collections of usernames or email addresses and associated passwords found by good guys, disclosed by rival bad guys, or posted as proof of an attacker's l337ness.
  • Spammers buy or trade validated credential dumps in underground forums: lists of usernames or email addresses and passwords that have been proven active by running them through automated account-checking programs that log into each account at least once.
  • Credential-harvesting malware, like keystroke loggers and web form injections, that collects usernames and passwords typed into browsers on victim computers and sends them to a central collection point under the attacker's control.
  • Phishing emails that entice victims to log in to replica, or "spoofed," websites that look exactly like popular online banking and email sign-in pages.
  • Brute force attacks, using automated scanning and exploit tools, against websites built on popular free platforms like WordPress and Joomla, or against Internet-facing databases.

All of these attack tools are incredibly easy to find, and so are credential dumps.

3 Basic Rules

The best defense is a good offense. It's trite but true. Let's start with the basics. Good password hygiene consists of 3 factors: complexity, length, and uniqueness.

A complex password is one that consists of upper and lower case letters, numbers, and special characters. The purpose of complexity is to defeat password crackers, automated programs that compare encrypted or hashed passwords against word lists. This is known as a "dictionary attack" for good reason: password crackers run comparisons against plain-language word lists and obvious variations of them. The more recognizable the password, the faster it can be cracked. For example, poppy123 is revealed in milliseconds, while pO9Py!@# can take hours or days, depending on the password-cracking program.

Just as important is password length. To grossly oversimplify the computational process, password crackers "recognize" each character of a password, one by one. Therefore, every additional character forces the cracker to work harder. It's kind of like the joke about outrunning an angry bear: you don't need to have the longest password, you just need one that's longer than the next guy's. Miscreants who crack passwords are typically going for quantity. They stop cracking when they've recovered a victim list long enough to be worth their while, financially speaking. The harder password hashes get tossed out or recycled into credential lists they'll later sell or trade for someone else to have a whack at.
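The two preceding paragraphs can be made concrete with a small strength estimator. This is an added example, not code from the original post: it models a dictionary attack with mutation rules (in reverse, by normalizing the candidate) against a constructed mini word list, and otherwise computes the brute-force keyspace from the character classes used and an assumed guess rate, so poppy123 falls to the word list while pO9Py!@# is left to exhaustive search.

```python
import math
import re

# Constructed mini word list standing in for a cracker's dictionary (assumption).
WORDLIST = {"poppy", "password", "welcome", "dragon", "sunshine", "monkey"}
# Undo the "obvious variations" crackers try: leet digits/symbols back to letters.
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "@": "a", "$": "s"})
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")
GUESSES_PER_SECOND = 1e10  # assumed: one GPU against a fast, unsalted hash

def dictionary_hit(pw):
    """Model a word-list attack with mutation rules, run in reverse: strip up to
    four trailing digits/symbols, undo leet substitutions, ignore case, and see
    whether what remains is a plain dictionary word."""
    stem = re.sub(r"[\d!@#$%^&*]{0,4}$", "", pw)
    return stem.lower() in WORDLIST or stem.translate(UNLEET).lower() in WORDLIST

def charset_size(pw):
    """Size of the smallest character pool that covers every class the password uses."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in SYMBOLS for c in pw):
        pool += 32
    return pool

def estimate(pw):
    """Return (attack, entropy_bits, seconds_to_exhaust_keyspace)."""
    if dictionary_hit(pw):
        # A few million word-list-plus-rule candidates at 1e10/s: effectively instant.
        return ("dictionary", 0.0, 1e-3)
    keyspace = charset_size(pw) ** len(pw)
    return ("brute-force", math.log2(keyspace), keyspace / GUESSES_PER_SECOND)

if __name__ == "__main__":
    for pw in ("poppy123", "P0ppy!!", "pO9Py!@#"):
        attack, bits, secs = estimate(pw)
        print(f"{pw:10} {attack:12} {bits:5.1f} bits  {secs / 86400:8.3f} days")
```

The eight-character pO9Py!@# draws on a 94-character pool, about 52 bits, which at the assumed rate is roughly a week of exhaustive guessing; a real cracker's rule set is far larger than the one modelled here, so treat the numbers as an illustration of the ratio, not a guarantee.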

The single most important hygiene factor is uniqueness. This means that every time you register for an online account or change an existing password, you create a password that you don't use anywhere else. In other words, your email password is different from your Facebook password that's different from your Twitter password, banking password, and so on. Obviously, this means we have to keep track of an awful lot of passwords. There are several schools of thought on how best to do this. There are apps called password lockers that let you store all of your passwords and associations in a single place on your computer or smart phone. There's also good, old fashioned pencil and paper - writing down this information in a notebook. Some people I know use "forgot your password" as their preferred method, using this feature on websites to change their password every time they log in, subscribing to the above concepts with zeal because they're not worried about remembering it. Each password management method has its pluses and minuses. The right way is the one that works for you.

Additional Protections

But, wait, you're saying. What about that credential-stealing malware and phishing mentioned earlier? All the clever strategies in the world won't help if you hand your password to the bad guys in these cases. And you're right. This is where two-factor authentication and keystroke scrambling come in.

Two-factor authentication, also known as 2FA, is where you not only need a password but another piece of code to prove that you are who you say you are. Examples of this are cryptographic tokens, like chip-and-PIN cards or USB dongles, and SMS text codes, a unique identifier sent to your cell phone that you type into a website to complete the login process. The former can't be easily replicated by miscreants, while the latter can be captured by keystroke loggers, but the data is nearly worthless because it's only good for a very limited time. If you notice my equivocation, this is intentional. No 2FA method is 100% hack proof but, again, the harder the challenge, the more likely the bad guys will go after easier targets and away from you.
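To show why a code captured by a keystroke logger is nearly worthless, here is an added example (not code from the original post) of how a server checks a time-limited one-time code. It uses the RFC 6238 time-based scheme that authenticator apps use as a stand-in for the SMS code described above, with a constructed secret, a one-step clock-skew window, and a check that a redeemed code cannot be replayed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # length of the code the user types in
WINDOW = 1   # also accept the step immediately before/after to absorb clock skew

def totp(secret, unix_time):
    """RFC 6238 time-based one-time code: HMAC-SHA1 over the time-step counter,
    dynamically truncated to DIGITS decimal digits as in RFC 4226."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret, code, now, used_steps):
    """Server-side check. The code must match the current step or one adjacent
    step, and a step that has already been redeemed is rejected, so a code
    lifted by a keystroke logger is useless once the victim has logged in or
    the window has passed. used_steps is the server's per-user replay record."""
    for k in range(-WINDOW, WINDOW + 1):
        step = now // STEP + k
        if hmac.compare_digest(totp(secret, step * STEP), code):
            if step in used_steps:
                return False
            used_steps.add(step)
            return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed: the RFC 6238 test-vector secret
    seen = set()
    code = totp(secret, 59)
    print(code, verify(secret, code, 59, seen))        # genuine login: accepted
    print(code, verify(secret, code, 59, seen))        # replay of the same code: rejected
    print(code, verify(secret, code, 59 + 120, set())) # two minutes later: expired
```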

Keystroke scramblers are anti-keystroke loggers, programs that turn your typing into random characters when collected by malware and phishing sites, while sending the real information to the website you're logging into. Keystroke scramblers do this by encrypting each keystroke at the driver or operating system kernel level and verifying the recipient website. Again, this technology isn't 100% guaranteed to keep your passwords out of the hands of the bad guys, but it certainly makes your information a less desirable target by wasting their time.

Will passwords be replaced with stronger authentication mechanisms some day? A lot of smart people are working towards this very goal. Until a solution is ubiquitous, these tips should help you stay safer online.

Tuesday, March 12, 2013


I love my day job. It can be a lot of fun. I used to say that one of the reasons I enjoyed my work is that no lives were at stake. It wasn't like I worked for a hospital or the military. Then I saw a call for help in a computer security forum. Life has a funny way of making a point.

Back in the olden days of 2007 computer forensics practitioners like me were discouraged from working at the defense table in a courtroom. One of the best known industry groups at the time flat-out rejected the application of anyone who had ever worked against a plaintiff or prosecution in any jurisdiction. Thus, when I saw a plea by Alex Eckelberry, a respected name in security circles, I knew he faced an uphill battle in his quest. I jumped at the opportunity to right not only the wrong that Alex set out to fight, but also what I felt to be a breathtakingly misplaced bias among industry peers. Scratch that. I didn't "feel" it, I knew. I came to technology from a litigation background. I worked almost exclusively for defense attorneys and I knew what evil lurked in the hearts of men and hard drives. As I advanced through the digital forensics field, a few among us talked about the day when computer evidence wrongly interpreted would send an innocent person to jail. The State of Connecticut vs. Julie Amero proved us prescient.

Julie Amero was a substitute teacher who had been convicted in a 6-day trial and faced 40 years in prison for multiple counts of impairing the morals of a minor. How did she allegedly accomplish this fiendish feat? Porn-related pop-ups on a classroom computer.

In January 2007, Alex helmed an anti-malware company and read about the case in a newspaper. That was how most people got their news back in those days. He knew, without even knowing the details, that such a porn storm was the hallmark of certain families of malicious programs. These programs almost never got onto a computer with the user's knowledge, much less intention. The sentencing was to take place in March, so Alex put out the call. He needed people who could help him free her. Fast.

If anyone asked, I would tell them we worked on the case for almost a year. Going back through my notes and email, it turns out that it all happened in a little over two months. The team was assembled in February; the evidence was analyzed, the sequence of events recreated and presented in a summary document to the Connecticut State Attorney in March. None of us were paid. That was never the point. Someone's life was at stake. Hell, one life had already been lost: Julie had been pregnant when she was arrested. The emotional strain took a physical toll and she lost the baby. Our team did our damnedest to free her from further suffering at the hands of amateurs and the uninformed.

We won. Sort of. The original conviction got vacated, but the AG had political aspirations. He pushed for a new trial. Julie's health continued to be pummeled, along with her reputation, throughout her ordeal. She eventually copped a misdemeanor plea to end it. You can read the forensic team's report here. Alex blogged about the case here; this post links back to many others. You can see the Good Morning America postscript here.

So, yeah, I love my job. I change lives. Once in a while, I'm honored to save one.