Thursday, October 27, 2016

Mirai and the IoT


!3v3! 3 - it might get geeky

One of the first major DDoS attacks using Mirai was against www.krebsonsecurity.com. Brian Krebs's site was hit with a 620 Gbps attack, and the French hosting provider OVH was hit with a staggering 1 Tbps attack the following week. Both were record-setting in their volume and in their reliance on IoT devices. The size of the Dyn attack has not been measured yet. Mirai, leveraging a huge number of poorly secured devices, and the general public's failure to understand that leaving the factory login/password pairs on retail devices is what made these attacks possible, make this a threat we'll probably see quite a bit more of. Last Friday's (2016-10-21) attack on Dyn leveraged mostly devices built with components from the Chinese DVR and IP camera manufacturer XiongMai. XiongMai has threatened lawsuits against many accusers, though I think we'll see those dropped or overturned. Expect to see recalls by XiongMai and others, as the list of major corporations affected is not a group one would like to anger.
The list of downed sites from this latest Mirai botnet is frightening: Airbnb, Amazon.com, Ancestry.com, BBC, Box, Business Insider, CNN, Comcast, CrunchBase, DirecTV, Electronic Arts, Etsy, FiveThirtyEight, Fox News, GitHub, Grubhub, HBO, Heroku, HostGator, iHeartRadio, Imgur, Indiegogo, Mashable, National Hockey League, Netflix, Overstock.com, PayPal, Pinterest, Pixlr, PlayStation Network, Qualtrics, Quora, Reddit, Roblox, Ruby Lane, RuneScape, SaneBox, Seamless, Second Life, Shopify, Slack, SoundCloud, Spotify, Squarespace, Starbucks, Storify, The A.V. Club, The Boston Globe, The Elder Scrolls Online, The Guardian, The New York Times, The Wall Street Journal, Tumblr, Twilio, Twitter, Verizon Communications, Visa, Vox Media, Walgreens, Wikia, Wired, Wix.com, WWE Network, Xbox Live, Yammer, Yelp, Zi

Here's a list of some of the default login/password pairs hard-coded into Mirai's scanner. These aren't cracked passwords; they are factory defaults, and the scanner simply tries each one over telnet ("(none)" means an empty password):

root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     juantech
root     123456
root     54321
support  support
root     (none)
admin    password
root     root
root     12345
user     user
admin    (none)
root     pass
admin    admin1234
root     1111
admin    smcadmin
admin    1111
root     666666
root     password
root     1234
root     klv123
Administrator admin
service  service
supervisor supervisor
guest    guest
guest    12345
guest    12345
admin1   password
administrator 1234
666666   666666
888888   888888
ubnt     ubnt
root     klv1234
root     Zte521
root     hi3518
root     jvbzd
root     anko
root     zlxx.
root     7ujMko0vizxv
root     7ujMko0admin
root     system
root     ikwb
root     dreambox
root     user
root     realtek
root     00000000
admin    1111111
admin    1234
admin    12345
admin    54321
admin    123456
admin    7ujMko0admin
admin    1234
admin    pass
admin    meinsm
tech     tech
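Because the pairs above are the scanner's whole dictionary, they double as a detection signature: a source that works through them in order is Mirai, not a curious human. The script below is an added example, not code from the post or from Mirai. It embeds a subset of the table, parses a few constructed telnet-honeypot log lines (the line format is assumed; it is not any particular honeypot's output) and flags sources whose attempts are dictionary pairs.

```python
import re
from collections import defaultdict

# Subset of the default login/password pairs listed above (Mirai's scanner
# dictionary). "(none)" on the page means an empty password.
CRED_TABLE = """
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
user user
admin (none)
root pass
ubnt ubnt
root 7ujMko0vizxv
root 7ujMko0admin
tech tech
"""

def parse_cred_table(text):
    """Turn 'user password' lines into a set of (user, password) pairs."""
    pairs = set()
    for line in text.strip().splitlines():
        user, password = line.split()
        pairs.add((user, "" if password == "(none)" else password))
    return pairs

MIRAI_CREDS = parse_cred_table(CRED_TABLE)

# Constructed telnet-honeypot log (not a real capture; the format is assumed,
# one login attempt per line). 203.0.113.7 behaves like the scanner.
SAMPLE_LOG = """\
2016-10-21T06:02:11Z telnetd src=203.0.113.7 user=root pass=xc3511 result=fail
2016-10-21T06:02:12Z telnetd src=203.0.113.7 user=root pass=vizxv result=fail
2016-10-21T06:02:13Z telnetd src=203.0.113.7 user=admin pass=admin result=fail
2016-10-21T06:02:14Z telnetd src=203.0.113.7 user=root pass= result=fail
2016-10-21T06:02:15Z telnetd src=203.0.113.7 user=root pass=7ujMko0admin result=success
2016-10-21T06:10:40Z telnetd src=198.51.100.23 user=jsmith pass=Summer2016 result=fail
2016-10-21T06:11:02Z telnetd src=198.51.100.23 user=jsmith pass=Summer2016! result=success
2016-10-21T06:15:09Z telnetd src=192.0.2.44 user=admin pass=admin result=fail
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\S+)")

def login_attempts(log_text):
    """Yield (src, user, password, result) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("pw"), m.group("result")

def score_sources(log_text, creds=MIRAI_CREDS):
    """Per source IP: total attempts, attempts that used a dictionary pair, and
    whether a dictionary pair actually worked (a device Mirai would recruit)."""
    stats = defaultdict(lambda: {"attempts": 0, "dictionary_hits": 0,
                                 "dictionary_success": False})
    for src, user, pw, result in login_attempts(log_text):
        s = stats[src]
        s["attempts"] += 1
        if (user, pw) in creds:
            s["dictionary_hits"] += 1
            if result == "success":
                s["dictionary_success"] = True
    return dict(stats)

def flag_mirai_scanners(log_text, creds=MIRAI_CREDS, min_hits=3):
    """Sources that ran several dictionary pairs. One hit (admin/admin) is a
    guess anyone makes; a run of them is the scanner."""
    return sorted(src for src, s in score_sources(log_text, creds).items()
                  if s["dictionary_hits"] >= min_hits)

if __name__ == "__main__":
    for src, s in score_sources(SAMPLE_LOG).items():
        print(src, s)
    print("Mirai-style scanners:", flag_mirai_scanners(SAMPLE_LOG))
```

The "dictionary_success" flag is the one to act on: a device that accepted one of these pairs is a device that will be in the next botnet, whether or not the logged attempt came from Mirai itself.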
Another interesting point is that the code carries a list of 'do not scan' IP ranges, including General Electric, HP, the US Postal Service and the Department of Defense. It would seem the author(s) wanted to limit the spread of the infection, perhaps so as not to draw too much attention. It's noteworthy as well that some of the strings in the code point to Russian as the creator's native language; this line from the Go command-and-control server prints a login prompt whose label, пользователь, is Russian for 'user':

this.conn.Write([]byte("\033[34;1mпользователь\033[33;3m: \033[0m"))

The question this all leaves us with is: how do we secure retail-level devices when people are so apathetic or uneducated about security that 'qwerty', '123456' and 'password' remain in the top 10 passphrases used?

2016-10-27
MDux

Wednesday, October 26, 2016

Passphrases and DDOS


Level 2
The impact of not having adequate passphrases. I alluded to the 'great internet outage' of 10/21 previously. It's not an understatement to say that the entire event was made possible by very simple and lazy login/passphrase pairs. On the morning of October 21st the DNS provider Dyn was overwhelmed with internet traffic. It was quickly recognized as a Distributed Denial of Service (DDoS) attack. This type of attack has been in use for over 15 years, and most large companies have been hit and have learned to deal with them. To explain a DDoS attack a different way, imagine a Subway sandwich shop near your house. Let's assume the normal foot traffic for the store is about 10 customers at a time. If 20 people show up to order sandwiches at once, it's pretty busy. If you call everyone you know, and get them to call everyone they know, to show up at the same time, you could have 10,000 people trying to get into a Subway at once. The regulars who always eat there at that time would be unable to get their footlong meatball sub. Service denied, by a distributed group of people. By Dyn's own early estimate, the attack involved tens of millions of distinct IP addresses. Imagine everyone from your home state going to that same Subway at noon tomorrow.
Back to passphrases. Those requests came mostly from hacked Internet of Things (IoT) devices with weak security. A malicious program found and took over DVRs and other home electronics that have internet access and were left with their factory-default login/password pairs. "root" and "password" or "admin" and "password" were very common on these devices. Do you have any home electronics hooked up to the internet? IP security cameras, perhaps. If so, you could have unwittingly participated in one of three major DDoS attacks in the last month. By the way, the name of the malware behind the attacks is "Mirai", and its source code was made public last month. I fear that we'll be hearing from this one again.
Last note on passphrases: size matters. The longer the passphrase, the longer it takes to brute force.
For example, the passphrase '1234567890' would take about 0.111 seconds in an offline fast attack (one hundred billion guesses per second). By the same measure, '12345678901234567890' would take about 35.33 years to brute force. This is the search-space side of entropy: every extra character multiplies the number of guesses an attacker has to make. One caveat: these figures assume the attacker has to try every combination. A run of digits, or anything else that appears on a cracking wordlist, falls on the first pass no matter how long it is, so length only helps when the passphrase isn't a pattern.
And to prove a point, the 'Pr8f8]]8dte' passphrase we generated in the previous post would take around 18.28 centuries to crack in an offline fast attack.
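Here is the arithmetic behind those figures, as an added example (my code, not the post's). It counts the search space the way the "haystack" style calculators do (every candidate up to the passphrase's length, over the smallest character set it draws from) at the one-hundred-billion-guesses-per-second rate above, and then applies the caveat: anything on a (constructed, deliberately tiny) wordlist, or a leet-spelled variant of it, is found immediately rather than brute-forced. The wordlist and the handful of leet reversals are assumptions for the demonstration.

```python
import string

GUESSES_PER_SECOND = 10**11  # the "offline fast attack" rate used above

# Constructed mini-wordlist: the top-10 list from the 2016-10-25 post plus the
# two digit runs above. Real cracking wordlists run to hundreds of millions.
WORDLIST = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football",
    "1234567890", "12345678901234567890",
}

# A handful of common leet reversals (3->e, 4->a, ...). Crackers apply hundreds
# of such mangling rules to every wordlist entry, so substitutions buy little.
DELEET = str.maketrans("013457@$", "oieastas")

def alphabet_size(passphrase):
    """Smallest character set the passphrase draws from:
    26 lower, 26 upper, 10 digits, 33 symbols (punctuation plus space)."""
    symbols = string.punctuation + " "
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in symbols for c in passphrase):
        size += 33
    return size

def search_space(passphrase):
    """Every candidate of length 1 .. len(passphrase) over that alphabet."""
    n = alphabet_size(passphrase)
    return sum(n ** k for k in range(1, len(passphrase) + 1))

def brute_force_seconds(passphrase, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the search space at `rate` guesses/second."""
    return search_space(passphrase) / rate

def realistic_seconds(passphrase, rate=GUESSES_PER_SECOND, wordlist=WORDLIST):
    """Same estimate, but a wordlist entry (or a leet variant of one) is found
    on the first pass: nobody brute-forces what a dictionary gives away."""
    plain = passphrase.translate(DELEET).lower()
    if passphrase in wordlist or plain in wordlist:
        return 0.0
    return brute_force_seconds(passphrase, rate)

def humanize(seconds):
    """Render seconds in the largest unit that fits."""
    units = [("centuries", 100 * 365.25 * 86400), ("years", 365.25 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    for p in ["1234567890", "12345678901234567890", "Pr8f8]]8dte", "p4ssw0rd"]:
        print(f"{p:24} brute force: {humanize(brute_force_seconds(p)):>16}"
              f"   realistic: {humanize(realistic_seconds(p))}")
```

Run it and the 20-digit run goes from "35 years" to "0 seconds", which is the whole point: length is only protective when the attacker really does have to enumerate.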

2016-10-26
MDux

Tuesday, October 25, 2016

Passwords and Options


Level 1
You might have seen in the news, or experienced, that a good portion of the US internet was down on Friday. I'll get into this event at a few different levels, but I want to talk about security and passwords in general first.
Passwords. We all have them, most of us hate them. Some of us can even remember a few. As this lovely thing we call technology presses onward, we're having to keep track of more passwords than ever before. In a previous job, I had over 100 passwords for my work computer and various vendor sites. A point of terminology: I will no longer be using the term 'password'. If you're using a word, or a string of words, that is found in the dictionary, you are open to a type of attack called a 'dictionary attack'. I'll use 'passphrase' instead, though that's not quite the right term either.
So the question is: how do we maintain a decent level of security with such an overload of things to remember? We don't; or at least we (as a society) aren't doing very well. In 2015 the 10 most used passphrases were:
1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
If you're using a passphrase from this list, or even something similar: stop. Right now. I mean it. This list, and the thinking that went into believing these were secure, are the reason many sites require UPPERCASE, lowercase, numbers and special characters in every passphrase. Of course, passphrase length is important too.
A Great Passphrase Plan
How do we build more secure passphrases? And better yet, to protect your organization, how do you enforce good passphrase policies for your employees? Perhaps the best way is to deploy a Single Sign-On (SSO) application. With this type of application your end users log into their device and authenticate once against Active Directory; from there the SSO supplies a unique, randomly generated login/passphrase pair to nearly any application or site, so users never have to know or type those passphrases. If you want to learn more about SSO and how it can help secure your business, reduce the load on your helpdesk, and improve employee morale and productivity, you know how to find me.
A Good Passphrase Plan
Use a trusted passphrase utility like:
Lastpass.com
Dashlane
Zoho Vault
KeePass
All have good reviews. Do some research and pick one that covers the different platforms that you use.
A Simple Passphrase Plan
For personal use, and for smaller organizations, I'm going to throw out this little system. Note: this system is NOT SUITABLE FOR ANYTHING THAT DEALS WITH MONEY OR SENSITIVE DATA.
Eh-hem. Let's continue.  The goals of a passphrase are:
A generous mix of the four character classes:
Uppercase
Lowercase
Numbers
Symbols
Sufficient length to make brute force attacks time consuming.  
Step One: Pick a word that is 6+ letters in length.  For this example, I'm going to use 'Preferred'.
Step Two: Substitute one or more of the letters with numbers. Do not substitute 0 for O or 4 for A; that is common and too easy to guess. I'm going to select the letter 'e' and substitute the number 8, so 'Preferred' becomes 'Pr8f8rr8d'. Let's add some symbols to mix it up. Avoid the '#' and '!' symbols, as they are very common. Let's use ']' for the double 'r': 'Pr8f8rr8d' becomes 'Pr8f8]]8d'. While there's a bit of repetition in that passphrase, it's complicated enough to be fairly secure. Bear in mind that letter-for-digit swaps are standard "mangling rules" in password-cracking tools, so they buy less than they appear to; the unusual symbol and the length are doing most of the work here.
Step Three: Use the first and last letters of the site or program you're logging into to make the passphrase unique to it. Say you need a passphrase for a site that asks you to create a login so you can receive an e-mail newsletter; you're interested in tiny houses and went to this site: http://thetinylife.com/tiny-house-plans/
If you take the 't' and 'e' from the beginning and end of the URL thetinylife and add them to the passphrase you get 'Pr8f8]]8dte'. That passphrase is fairly unique and fairly secure.
I'll say it again, because I care, DO NOT USE THIS SYSTEM FOR SITES THAT DEAL WITH MONEY OR SENSITIVE INFORMATION.

As you'll see in future posts, this is a fairly strong passphrase. The problem is with the system. If you're using it, the core of all your passphrases is the same. That still holds up against a purely automated attack, but it wouldn't take a human long to see two of these passphrases side by side and spot the pattern. Once the core is known, every site that uses it is exposed at once.

Oh, and don't ever reuse a passphrase. Don't make it easy for the bad guys/gals to be bad.
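To make the weakness of the system concrete, here is the scheme from the three steps above written as code, followed by the attack it invites: given two leaked passphrases built with it, a script (not just a human) recovers the shared core and forges the passphrase for any other site. This is an added example, not part of the original post; the second site (example.org) and the GitHub login URL are constructed for the demonstration.

```python
from os.path import commonprefix
from urllib.parse import urlsplit

# The substitutions from the steps above, applied in order:
# every 'e' becomes '8', then the double 'r' becomes ']]'.
SUBSTITUTIONS = [("e", "8"), ("rr", "]]")]

def core(word, substitutions=SUBSTITUTIONS):
    """Steps one and two: 'Preferred' -> 'Pr8f8]]8d'."""
    for old, new in substitutions:
        word = word.replace(old, new)
    return word

def site_tag(url):
    """Step three: first and last letter of the site name
    (thetinylife.com -> 'te')."""
    host = (urlsplit(url).hostname or url).lower()
    labels = [label for label in host.split(".") if label and label != "www"]
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return name[0] + name[-1]

def passphrase(word, url):
    """The complete scheme: core plus per-site tag."""
    return core(word) + site_tag(url)

def infer_core(leaks):
    """The weakness described above, done by script instead of by eye: given
    two or more leaked passphrases keyed by site URL, find the longest shared
    prefix whose remainder is exactly each site's tag. That prefix is the core."""
    shared = commonprefix(list(leaks.values()))
    for n in range(len(shared), 3, -1):   # assume a core of at least 4 characters
        if all(value[n:] == site_tag(url) for url, value in leaks.items()):
            return shared[:n]
    return None

def forge(core_value, url):
    """With the core known, every other site's passphrase follows."""
    return core_value + site_tag(url)

# Constructed scenario: the tiny-house site from the post plus a second,
# hypothetical site, both of which leaked their password databases.
TINY_HOUSE = "http://thetinylife.com/tiny-house-plans/"
NEWSLETTER = "https://www.example.org/newsletter"
LEAKS = {
    TINY_HOUSE: passphrase("Preferred", TINY_HOUSE),
    NEWSLETTER: passphrase("Preferred", NEWSLETTER),
}

if __name__ == "__main__":
    recovered = infer_core(LEAKS)
    print("leaked:", LEAKS)
    print("recovered core:", recovered)
    print("forged for github:", forge(recovered, "https://github.com/login"))
```

Two leaks are enough; the two-letter tags differ, so the common prefix stops exactly at the core, and the check that each remainder equals the site's own tag confirms the scheme before anything is forged.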

Bonus alternate "Simple" version (YMMV):
I understand that this might seem a bit too complicated, so I've come up with another version:
Take your favorite quote, poem or song lyric, remove the spaces, then replace the vowels with numbers and special characters.

Take "Any sufficiently advanced technology is indistinguishable from magic." by Arthur C. Clarke
Remove all the spaces:
Anysufficientlyadvancedtechnologyisindistinguishablefrommagic.


Replace one of the vowels with a number:
3nysufficiently3dv3ncedtechnologyisindistinguish3blefromm3gic.

Replace another vowel with a special character:
3nysuff&c&ently3dv3ncedtechnology&s&nd&st&ngu&sh3blefromm3g&c.

Need more help? Send me a request.

2016-10-25
MDux

Sunday, October 16, 2016

Project TPM day one.

Yesterday was my official Day Zero tackling a long-held goal. I've wanted to learn how to program for a very long time, but I'm great at finding excuses.

After several false starts, and even some mediocre work, it's time to get serious. I have committed to learning how to code. (AutoHotKey scripting just isn't enough any more)

With the consistent motivation and support from a great friend and Mentor, I've been learning Python.  Up to now, most of my efforts have been on the static education side using How To Think Like A Computer Scientist : Interactive Edition.   This was a recommendation from my Mentor and I must agree that it is a fantastic resource. The exercises are very much worth doing.

Yesterday represents the first real day that I've sat down in front of my text editor and plodded through code creation on my own. (I've attempted the introductory course through Coursera (Rice University, IIRC) twice. While I believe that course to be exceptional, I could not maintain the cadence required to keep up. It's still on my ToDo list. That might actually qualify as recursion...)

I'm not sure where to go from here (writing wise).
Should I outline my project?
Should I walk through my mistakes and how I fixed them?
Would it be useful for me to post actual code?

Most of the mistakes I've made thus far were syntactical. Print vs print, etc.
Hmm...   only 46 lines of code (with about 25% of that pseudocode or comments)

Is that a good start, or not?



Enter any 11-digit prime number to continue...
2016-10-16
MDux

Friday, October 14, 2016

Ah, my network is fine.

Written 2016-09-xx
Level 1
Dropbox, Part 1
If you were with Dropbox back in 2012, you might recall the global request for everyone to update their passwords. There was quite a bit of speculation at the time as to the reason (there's always a reason), though the prevailing thought was a data breach of some type. The only question was the method. This last week it was confirmed that 68 million accounts were compromised: 68,000,000 e-mail address and (hashed) password pairs went on sale on the darknet this week. The take-away: don't recycle your passwords. Using the same password on multiple sites is a significant risk, and Dropbox's breach is the perfect example of why. Password guidelines: don't use words found in the dictionary, and longer passwords are better. 'newpassword' is very weak. 'nwpssrd.............' is considerably stronger (though too repetitive to be considered strong).


Level 2

Dropbox, Part 2
IIRC, Dropbox uses an algorithm to identify duplicate files. If you upload a file that they identify as something they already possess, Dropbox simply places a pointer in 'your' Dropbox to the original copy, saving them a fair amount of storage space. With 68 million users, I would imagine the storage and cost savings are significant. Data de-duplication is a regular practice in data-heavy organizations, and at first blush it's easy to see how the decision was made to leverage it: the greater the number of users, the higher the probability that several copies of the same file are in storage. Where things begin to make me nervous, and you should be thinking about this too, is that to do this Dropbox has to compute a fingerprint (a cryptographic hash) of every file you have. From a high level, your data is being examined. Are they reading your files? No, but they are poking at them. Where does that sit with you?
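To show what that fingerprinting looks like, and the less obvious problem it creates, here is a toy content-addressed store, as an added example (mine, not Dropbox's code; how Dropbox actually implements de-duplication is not something this post knows). One physical copy is kept per SHA-256 fingerprint and each user's file is a pointer to it. The side channel follows directly: if your upload de-duplicates, someone else already holds that exact file, which lets anyone test whether a given document exists in the service. Keying the fingerprint per user (HMAC is assumed here) closes that channel, at the cost of the cross-user savings. The sample files are constructed.

```python
import hashlib
import hmac

class DedupStore:
    """Content-addressed storage as described above: one physical copy per
    distinct fingerprint; each user's file is just a pointer to that copy."""

    def __init__(self):
        self.blobs = {}     # fingerprint -> bytes, stored once
        self.pointers = {}  # (user, filename) -> fingerprint

    @staticmethod
    def fingerprint(data):
        return hashlib.sha256(data).hexdigest()

    def upload(self, user, filename, data):
        """Return True if new bytes were stored, False if the upload deduplicated."""
        fp = self.fingerprint(data)
        self.pointers[(user, filename)] = fp
        if fp in self.blobs:
            return False
        self.blobs[fp] = data
        return True

    def physical_bytes(self):
        return sum(len(b) for b in self.blobs.values())

    def logical_bytes(self):
        return sum(len(self.blobs[fp]) for fp in self.pointers.values())

def someone_has_this(store, data):
    """The side channel: a file that deduplicates is a file some other account
    already holds. A client sees this as an upload that finishes instantly,
    so the check can be run from outside against any document you can obtain."""
    return store.fingerprint(data) in store.blobs

def per_user_fingerprint(user_key, data):
    """Mitigation (assumed HMAC-SHA256 under a per-user key): identical files no
    longer match across accounts, which also gives up cross-user savings."""
    return hmac.new(user_key, data, hashlib.sha256).hexdigest()

# Constructed sample files (not real documents).
MEMO = b"Q3 board memo: headcount freeze extended through January.\n" * 40
PHOTO = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8

def demo():
    """Three uploads: two users share the memo, one adds a unique photo."""
    store = DedupStore()
    alice = store.upload("alice", "memo.txt", MEMO)
    bob = store.upload("bob", "board-memo.txt", MEMO)
    carol = store.upload("carol", "holiday.png", PHOTO)
    return {
        "alice_stored": alice,
        "bob_deduped": not bob,
        "carol_stored": carol,
        "memo_len": len(MEMO),
        "photo_len": len(PHOTO),
        "physical": store.physical_bytes(),
        "logical": store.logical_bytes(),
        "memo_known": someone_has_this(store, MEMO),
        "unique_known": someone_has_this(store, b"a file nobody has uploaded"),
        "keyed_match": per_user_fingerprint(b"alice-key", MEMO)
                       == per_user_fingerprint(b"bob-key", MEMO),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

The numbers are the provider's side of the trade: physical storage is one memo plus one photo while the logical total counts the memo twice. The "memo_known" line is the user's side: whoever can get hold of the board memo can confirm it is sitting in someone's account.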

The PC (or Mac) is Locked, so it's safe, right?
Turns out that credentials are easily compromised. Circulating this week is an account of how, with ~$200 worth of hardware and software, login credential hashes can be stolen from a locked Windows or Mac machine. Using a Hak5 LAN Turtle or a USB Armory (both running Linux), the device enumerates as a USB Ethernet adapter and runs its own DHCP server, so the locked host starts routing traffic, including its automatic Windows network authentication attempts, through it; the device then captures the authentication hashes it is sent. The capture works regardless of the complexity of the plaintext password; cracking or downgrading the pilfered hash is the step that follows, offline. Note that a similar setup can be built on a Raspberry Pi Zero, bringing the cost down to less than a lunch.

Ransomware - it's our new reality. *sigh*
New - Kaspersky has identified a new version of the RAA ransomware, and the implications are scary. It arrives by e-mail (like they all seem to), it's written in JScript, and it comes as a password-protected zip. Because the archive is password protected, anti-virus software can't inspect what's inside, and the attachment looks legitimate to end users.

2016-10-14
MDux

Thursday, October 13, 2016

It's official - Winter is coming.


As the first storm rolls into the Pacific Northwest, this is a great reminder to us to check our Disaster Recovery / Business Continuity Plans.

When is the last time the plan was revised?
When is the last time the plan was tested?
Do you know how many hours/days’ worth of data you have at risk?
Do you know how long it takes to recover data?
Do you know the cost per day of disruption?
Are you storing data on multiple media formats?
Are you keeping backups off site, either physically or digitally?
                           
Key Terms to know:
RPO - Recovery Point Objective
How much data can be lost - worst case scenario.
i.e. If you perform a full backup on Thursday night and an incremental on Tuesday night: if a disaster happens right before the Tuesday backup, all data from Friday, Monday and Tuesday is at risk (3 working days). If instead the disaster happens right before the Thursday full, Wednesday's and Thursday's data is at risk (2 days). The worst case is what counts, so the RPO this schedule can actually deliver is 3 days.
RTO - Recovery Time Objective
How long does it take to actually recover the data? Remember that recovering from an incremental means restoring the last full AND every incremental taken since it.

MTPoD - Maximum Tolerable Period of Disruption
The longest period the business can survive at a dead stop. Add your worst-case RPO and RTO to get the outage window your current plan actually implies; if that window is longer than the MTPoD, the plan (more frequent backups, faster restores, or both) has to change.
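As an added example (my code, not part of the original post), here are RPO and RTO worked out for the Thursday-full / Tuesday-incremental schedule above. The script tries a failure on every day of the week, counts the working days of data that would be lost, builds the restore chain (last full plus every incremental after it), and reports the worst cases; those are the RPO and RTO the schedule can honestly promise. The restore durations (8 hours for a full, 2 for an incremental) and the MTPoD values are assumptions for the demonstration.

```python
from datetime import date, timedelta

# The schedule from the example above: a full backup every Thursday night and
# an incremental every Tuesday night. Weekday numbering is Python's (Mon=0).
SCHEDULE = {3: "full", 1: "incremental"}

# Assumed (hypothetical) restore times in hours, for the RTO estimate.
RESTORE_HOURS = {"full": 8, "incremental": 2}

# Constructed failure days matching the two cases in the text.
EXAMPLE_TUESDAY = date(2016, 10, 25)
EXAMPLE_THURSDAY = date(2016, 10, 27)

def backup_events(start, end, schedule=SCHEDULE):
    """Every nightly backup taken from `start` to `end` inclusive, in order."""
    day = start
    while day <= end:
        kind = schedule.get(day.weekday())
        if kind:
            yield day, kind
        day += timedelta(days=1)

def restore_chain(failure_day, schedule=SCHEDULE):
    """Backups needed to recover from a failure during `failure_day` (before that
    night's backup runs): the most recent full plus every incremental after it."""
    events = list(backup_events(failure_day - timedelta(days=14),
                                failure_day - timedelta(days=1), schedule))
    last_full = max(i for i, (_, kind) in enumerate(events) if kind == "full")
    return events[last_full:]

def business_days_at_risk(failure_day, schedule=SCHEDULE):
    """Data lost in the worst case: working days after the last backup, up to
    and including the day of the failure."""
    last_backup_day = restore_chain(failure_day, schedule)[-1][0]
    day, lost = last_backup_day + timedelta(days=1), 0
    while day <= failure_day:
        if day.weekday() < 5:
            lost += 1
        day += timedelta(days=1)
    return lost

def restore_hours(failure_day, schedule=SCHEDULE, durations=RESTORE_HOURS):
    """RTO for a failure on that day: the whole chain has to be restored."""
    return sum(durations[kind] for _, kind in restore_chain(failure_day, schedule))

def worst_case(schedule=SCHEDULE, durations=RESTORE_HOURS):
    """Try a failure on each day of one week; the maxima are the RPO (working
    days) and RTO (hours) this schedule can actually promise."""
    monday = date(2016, 10, 24)   # any Monday; the schedule repeats weekly
    days = [monday + timedelta(days=i) for i in range(7)]
    rpo = max(business_days_at_risk(d, schedule) for d in days)
    rto = max(restore_hours(d, schedule, durations) for d in days)
    return rpo, rto

def within_mtpod(rpo_days, rto_hours, mtpod_hours, hours_per_day=24):
    """The outage window the business must absorb is the lost-data window plus
    the restore time; it has to fit inside the MTPoD."""
    return rpo_days * hours_per_day + rto_hours <= mtpod_hours

if __name__ == "__main__":
    for day in (EXAMPLE_TUESDAY, EXAMPLE_THURSDAY):
        chain = [f"{kind} {d}" for d, kind in restore_chain(day)]
        print(f"failure {day} ({day:%A}): {business_days_at_risk(day)} working "
              f"days lost, restore {restore_hours(day)} h via {chain}")
    rpo, rto = worst_case()
    print(f"worst case: RPO {rpo} days, RTO {rto} h, "
          f"fits a 4-day MTPoD: {within_mtpod(rpo, rto, 96)}")
```

Swap in your own schedule (say, a daily incremental) and the RPO drops to one working day while the restore chain, and so the RTO, grows; the function makes that trade-off visible before a real outage does.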
             

I say if you have it, you won't need it, but if you don't have it, you'll need it.


2016-10-13
MDux

Salve, mundi!

Here is the obligatory "Hello World!" post.
Let's Start.
It's required.
I'm just following the rules.

This blog may not be for you.  That's your warning. Don't come at me a few dozen posts from now and complain. I'll have none of it.  The title of this leetle slice of the webs is a mildly clever take on the supposed medieval practice of warning would be travelers of possible dangers. "HC SVNT DRACONES" (i.e. hic sunt dracones,'here are dragons').  In my, oh so clever way, I've modified it to 'Serpents'.  The reason for the change might become clear later on.

The intention of this space is a mental dumping ground for the various projects, interests, hobbies, musings and philosophies that swirl through my mind, much of which will be on the other side of the norm. I make no claims of coherency, continuity or even resolution.

The ideas expressed here may or may not be my own, but most certainly do not reflect upon any employer that I may or may not have.

Now, if you're still with me, why don't we do a bit of wandering and see if we can't get ourselves into a bit of trouble.

Here Be Serpents.

2016-10-13
MDux