0936: "Password Strength"

Yakk · Postby **Yakk** » Thu Nov 03, 2011 2:26 pm UTC

Because the added complications (puns, etc) you mention are hard to analyze. And while they might be strong, without the ability to analyze them it is hard to put a lower bound on how strong they are.

In comparison, other methods can generate a lower bound on how strong they are, because they are easy to analyze.

For all you know, the puns and substitutions you are doing might somehow be weaker than the direct mnemonic. Ie, XkcdTaughtMeHowToCreateStrongPasswords might be stronger than xkcdt0Ehow2cree8st1=2pbuttwords. This might not be the case, but I don't know how I'd show if one or the other is stronger.

On the other hand, if I have a dictionary of 10k words, and I randomly string together 5 of them, and I get to look at 10 such combinations (randomly generated) and pick one to use, and I then get to add connecting words to them and change their order so they are easier to remember...

This has at least lg( 10^25 / 5! / 10 ) entropy, or 73 bits of entropy.

Postby **gmalivuk** » Thu Nov 03, 2011 4:12 pm UTC

No, that 5! would only be there if order didn't matter initially, but it does, which is how you get the 10^25. Actually, I'd suspect that decreases the entropy since it avoids many of the 10^25 possibilities as being hard to remember.

Cousj001 · Postby **Cousj001** » Thu Nov 03, 2011 6:29 pm UTC

I have a method for creating strong passwords, that are easy to remember and type but hard to guess, although it is for linux. First use http://www.rinkworks.com/namegen/ to create a word. Example word generated:
Honimcha
Not too hard to remember. Then change the keyboard layout. I have a button on the panel to do this.Now type it, but as if you were still using the old layout. As an example, if I change the layout to Armenian Eastern and type it again I get
Հոնիմքհա
That I already think is a pretty secure password. But it could still be improved. I could type as if I was on a Dvorak keyboard, in which case I would get
Ճսմգլիճա
Just to make it more confusing I could change the jeyboard settings partway through, to make something like
Ճսլcmޗހަ
which should confuse make things more confusing, especially as the last one there for the Maldives, and I think goes right to left. Of course for simpler usage the base word could be used with number substituion, like
H0m!ncha
Although if they really want my xkcd password, I have this to tell them: Make an account yourself.

Yakk · Postby **Yakk** » Thu Nov 03, 2011 6:53 pm UTC

gmalivuk wrote:No, that 5! would only be there if order didn't matter initially, but it does, which is how you get the 10^25. Actually, I'd suspect that decreases the entropy since it avoids many of the 10^25 possibilities as being hard to remember.

I'm assuming they can predict how you reorder the words, and which one (out of a set of 10) you'd pick.

So in essence, they get to solve the unordered problem, hence dividing by 5!

Or, more accurately, I'm assuming that your reordering won't make it any worse than them being able to solve it if they go the words unordered, and similarly your picking from 10 won't be any worse than allowing them to break your password if they got any one of the ten, because I'm demonstrating the power of lower bounds. In reality, their inability to perfectly and freely know your order will add more entropy, and similarly their inability to perfectly discard 9/10 of the strings because they know how which one you'll pick: but that is hard to analyze.

And I'd rather have a strong, safe lower bound, than a more accurate but less certain lower bound.

Eebster the Great · Postby **Eebster the Great** » Thu Nov 03, 2011 7:17 pm UTC

Cousj001 wrote:I have a method for creating strong passwords, that are easy to remember and type but hard to guess, although it is for linux.

This method has been suggested a couple times already in this thread, so I suspect it is fairly well known. This means an attacker might test for a variety of keyboard-layout-shifts, so it doesn't actually add much entropy.

Postby **gmalivuk** » Thu Nov 03, 2011 8:09 pm UTC

Yakk wrote:I'm assuming they can predict how you reorder the words

Indeed. I missed that that was division the first time, instead of multiplication.

Tass · Postby **Tass** » Fri Nov 04, 2011 4:18 pm UTC

Cousj001 wrote:I have a method for creating strong passwords, that are easy to remember and type but hard to guess, although it is for linux. First use http://www.rinkworks.com/namegen/ to create a word. Example word generated:
Honimcha
Not too hard to remember. Then change the keyboard layout. I have a button on the panel to do this.Now type it, but as if you were still using the old layout. As an example, if I change the layout to Armenian Eastern and type it again I get
Հոնիմքհա
That I already think is a pretty secure password. But it could still be improved. I could type as if I was on a Dvorak keyboard, in which case I would get
Ճսմգլիճա
Just to make it more confusing I could change the jeyboard settings partway through, to make something like
Ճսլcmޗހަ
which should confuse make things more confusing, especially as the last one there for the Maldives, and I think goes right to left. Of course for simpler usage the base word could be used with number substituion, like
H0m!ncha
Although if they really want my xkcd password, I have this to tell them: Make an account yourself.

Obscure word, lets give that 14bits. Change keyboard layout, probably a good twenty to choose from, I'll give you 5 bits for that. Another one gives you five more. Then some substitutions for a total of 26bits. Not that secure.

Edit: Oh wait you didn't even talk of combining them. Baseword with common substitutions are just what this comic is about. Gives few bits compared to how hard it is to remember.

Postby **gmalivuk** » Fri Nov 04, 2011 4:23 pm UTC

I'm not sure how many bits we should give the starting word, since it's generated by that website. So without knowing the algorithm used there, we don't know much about the entropy.

fatso83 · Postby **fatso83** » Thu Dec 29, 2011 12:25 pm UTC

It has been a while since I dabbled with discrete topics and number theory, and I simply have troubles understanding the math behind 0936 (http://xkcd.com/936/). Could someone enlighten me?

I assume entropy has something to do with randomness, but why is there only 28 bits of randomness? 16 of these are from the 9 characters used to form the first part of the passwords. I guess that means that the degree of entropy is not entirely correlated to the number of variations (which is less than < 26^9 because it has to be a valid word)... ?

cowsarenotevil · Postby **cowsarenotevil** » Thu Dec 29, 2011 6:03 pm UTC

I'm pretty sure that the math is "correct" in roughly the same way that Windows 7 is actually the seventh version of Windows.

briand · Postby **briand** » Thu Dec 29, 2011 7:08 pm UTC

The math is good.
There are about 2^14 uncommon words in the English language (2^14 is about 8000).
The other bits are all from the tweaks and extra things added, including combinatorial variations of those.

The OPIE dictionary (used in S/Key) has 2^11 very common and short words, or 2048 words in total.

Picking 4 of those at random produces 4 x 11 == 44 bits of randomness.

For those uber-geeks, there is now a PERL module for doing password generation using this dictionary.

It is Crypt::PW44, and the cpan network can be used to download and install it.

The package includes a couple of sample scripts in contrib/ including how to put it on a web site as a password-generating page.

Thank you, Mr. XKCD, for this, and all your other good stuff!
briand

briand · Postby **briand** » Thu Dec 29, 2011 7:33 pm UTC

While other folks have put up password generators on their web pages, and posted links to them and to the source, I took it one step further.

I created a perl module to do the password generation.

Anyone wanting to include this into any code they have, or a web page they have, can do so easily.

The module is:
Crypt::PW44

(The 44 is the bits of entropy, of course.)

Samples are included in the cpan package...

Enjoy your correct horse battery staples...

Socks · Postby **Socks** » Fri Dec 30, 2011 2:05 pm UTC

Harold wrote:Everyone in this thread is far over estimating the speed at which even a local attack can be mounted. I have experimented with this; some example hashes and 40 x iMacs running a distributed GPU based MD5 cracker. It still took an insane amount of time.

Agreed. I once, er... borrowed the use of 40 PCs running i7s and other decent processors and tried multiple word dictionary hacks, 8 character brute forces (not that bad), etc. I didn't accomplish much more than make the sysadmin grumpy.

Eebster the Great · Postby **Eebster the Great** » Fri Dec 30, 2011 5:10 pm UTC

Socks wrote:8 character brute forces (not that bad)

Even with a set of just 64 characters, that's 48 bits of entropy, or over 281 trillion possible passwords. Even at 4 billion hashes per second, it would have taken you 19.5 hours to find them all.

Randall's suggested method, on the other hand, only generates 44 bits of entropy, which at that rate you could easily find in like 70 minutes.

Yakk · Postby **Yakk** » Mon Jan 02, 2012 4:03 pm UTC

The math is about the difference between (say) 8 random alpha-numeric-punctuation characters (with case) (52 alpha, 10 numeric, 10 punctuation = 72 options per character, or ~6 bits per character) and what people actually do (pick a not all that rare word, and do simple substitutions, like 0 for o and 1 for l).

If you then chose 3 characters (8 choose 3 = 8*7, which is ~6 bits of entropy) and changed them in 1 of 4 ways (2 bits each), that's only 12 more bits of entropy.

Things get a bit tricky, because you'll want to "Huffman encode" the changes you'll make -- common changes are fewer bits, rare changes are worth more bits, in effect.

So, a relatively uncommon word (14 bits) with 3 random tweaks of 4 possible tweaks each (~12 bits) is 26 bits of entropy. You'll see how this pattern ends up being fewer bits than the one that Randall posted.

Kaiman · Postby **Kaiman** » Tue Jan 10, 2012 9:25 pm UTC

The math is about the difference between (say) 8 random alpha-numeric-punctuation characters (with case) (52 alpha, 10 numeric, 10 punctuation = 72 options per character, or ~6 bits per character) and what people actually do (pick a not all that rare word, and do simple substitutions, like 0 for o and 1 for l).

If you then chose 3 characters (8 choose 3 = 8*7, which is ~6 bits of entropy) and changed them in 1 of 4 ways (2 bits each), that's only 12 more bits of entropy.

This whole thing assumes the brute force cracker knows which method you used, which he probably doesn't. And brute force isn't how most passwords are taken anyway, they usually are sifted from a database, spoken by someone who doens't realize "i need your password to help you" is a ruse, or social engineered.

The real problem with the strip is the way he tried (and failed) to assert that 4 random words you have no association to are easier to remember then something you are familiar with - especially if the substituted words use things meaningful to you as well (in ways other people don't know).

Eebster the Great · Postby **Eebster the Great** » Wed Jan 11, 2012 1:02 am UTC

Kaiman wrote:This whole thing assumes the brute force cracker knows which method you used, which he probably doesn't.

Even if there is only a 1% chance that the attacker knows which method you used, that only effectively adds 6.6 bits of entropy, and as this probability is pretty much impossible to measure, the worst case scenario is usually assumed anyway.

And brute force isn't how most passwords are taken anyway, they usually are sifted from a database, spoken by someone who doens't realize "i need your password to help you" is a ruse, or social engineered.

Right but then password entropy is completely irrelevant. The reason you are supposed to make a secure password is because people DO use a wide variety of attacks including slow remote ones.

The real problem with the strip is the way he tried (and failed) to assert that 4 random words you have no association to are easier to remember then something you are familiar with - especially if the substituted words use things meaningful to you as well (in ways other people don't know).

The real problem with this sentence is the way you assumed everyone was the same.

J Thomas · Postby **J Thomas** » Wed Jan 11, 2012 2:00 pm UTC

Socks wrote:
Harold wrote:Everyone in this thread is far over estimating the speed at which even a local attack can be mounted. I have experimented with this; some example hashes and 40 x iMacs running a distributed GPU based MD5 cracker. It still took an insane amount of time.

Agreed. I once, er... borrowed the use of 40 PCs running i7s and other decent processors and tried multiple word dictionary hacks, 8 character brute forces (not that bad), etc. I didn't accomplish much more than make the sysadmin grumpy.

I wondered about that too. If you're trying to guess a password, and you get a lot of computers to log in with just a few quadrillion passwords, isn't that a DOS attack? Wouldn't there be some sort of consequences? I think I would like it if, the first day my account gets 10,000 logins with bad passwords, I get an email telling me so.

How often does this really happen? Do we really get quadrillions of failed logins a day across the net?

For myself, I generate weak passwords with a pattern that's easy for me to remember. Each site gets a different password, but somebody who owns one of the sites could probably guess the pattern easily and get all the others. (Randall put that into a strip whose name I don't remember.) On the other hand, somebody who owns one of the sites would get a large number of passwords from people who just use the same password every time -- unless he's gunning for me he won't bother to look at mine personally and figure out the pattern.

Important passwords each get a unique method unconnected to anything else, not written down anywhere.

If I was running a site that faced a few brute force password attempts, my natural thought is to set up an automated system to:

1. After 200 failed password attempts, email the target that the account has been closed, and suggest making arrangements for new accounts.

2. The targets from then on log on with new names, but for anything public their old names get displayed.

3. Any attempt to log in with the old name gets an automatic password failed response.

Brute force attempts must then inevitably fail.

The XKCD forum would get a significant degree of security if we logged in with email addresses rather than user names. Anybody who sees "J Thomas" can attempt to guess my password. Since my email address is not displayed, anybody who wanted to hack this account would first have to guess who I am and find my password.

Even better if the login name was something else that was not displayed. If my login name is "horse" and my password is "staple" then a brute force attempt is very unlikely to find it. Of course, a brute force approach is very likely to find *somebody's* account, but they can't predict who. On average half the users will be found before me.

(Of course, all somebody gets from my xkcd password is the chance to post as me, plus whatever information about myself I gave xkcd. Not real important. So I use a pattern, and somebody who breaks my xkcd password can figure out my password on the Washingto Post too.)

Unfortunately, this way the system gets no idea who is being targeted by a brute force attack, and no evidence that a brute force attack is happening except by the number of random failed logins.

My old ATM card was only allowed 4 digits. That's 10,000 total combinations. What would happen if somebody gave 500 consecutive wrong passwords with it? Shouldn't the bank reject the card at that point? I sure hope they would.

Why should a computer system accept a billion wrong password attempts?

Eebster the Great · Postby **Eebster the Great** » Thu Jan 12, 2012 1:16 am UTC

The problem here is that people are confusing local and remote attacks, which occur at very different speeds.

Yakk · Postby **Yakk** » Thu Jan 12, 2012 1:49 am UTC

The 'best' remote attacks involve botnets attacking nearly random targets, never attacking the same site twice, and rarely attacking the same user twice.

Sure, you don't get to exhaustively search a password space, but at the scales I just described, you don't care.

And all of the "lock out an account if someone tries too often" jazz doesn't do anything against the above attack. Either basically every account you have is locked out (which means you'll have to unlock them), or none of them are (in which case, the attacks continue).

TranquilFury · Postby **TranquilFury** » Thu Jan 12, 2012 5:47 am UTC

Yakk wrote:The 'best' remote attacks involve botnets attacking nearly random targets, never attacking the same site twice, and rarely attacking the same user twice.

Sure, you don't get to exhaustively search a password space, but at the scales I just described, you don't care.

And all of the "lock out an account if someone tries too often" jazz doesn't do anything against the above attack. Either basically every account you have is locked out (which means you'll have to unlock them), or none of them are (in which case, the attacks continue).

I have seen that type of attack, also common is a more exhaustive attack on users like "root" or "admin" Not too difficult to deal with

What you CAN do is rate limit login attempts, and only allow remote login for the accounts that actually need it. If many people need remote login, it may be best to make all of them start the session with a shared rare username and password, and have them escalate to their own credentials after the session is started. This way the shotgun botnet attacks(try 10 common passwords for 10 thousand potential usernames) will fail because they don't even know which username to attack, and if the attackers figure out that credential, they're still stuck in a sandbox long enough to plug the leak. (good rate limiting on the escalated login is important too, and if you run into issues here, you probably have bigger security problems than a russian botnet owner.) And the brute force single username remote attacks fail because they didn't use the sandbox login. That said, the weak link for any security system is the user, but at least you know where to look when someone breaks in.

a small clipping from my own log(I only have 1 user enabled for ssh login):

Code: Select all

sshd[21710]: Invalid user nagios from 222.186.29.69
sshd[21712]: Invalid user prueba from 222.186.29.69
sshd[21714]: Invalid user ftpuser from 222.186.29.69
sshd[21716]: Invalid user ftpuser from 222.186.29.69
sshd[21718]: Invalid user sdnmuser from 222.186.29.69
sshd[21720]: Invalid user webadmin from 222.186.29.69
sshd[24990]: reverse mapping checking getaddrinfo for woman22.ru.64.28.46.in-addr.arpa [46.28.64.213] failed - POSSIBLE BREAK-IN ATTEMPT!
sshd[24993]: reverse mapping checking getaddrinfo for woman22.ru.64.28.46.in-addr.arpa [46.28.64.213] failed - POSSIBLE BREAK-IN ATTEMPT!
sshd[24995]: reverse mapping checking getaddrinfo for woman22.ru.64.28.46.in-addr.arpa [46.28.64.213] failed - POSSIBLE BREAK-IN ATTEMPT!
sshd[30027]: Invalid user bin from 219.140.165.85
sshd[30031]: Invalid user zt from 219.140.165.85
sshd[30033]: Invalid user bin from 219.140.165.85
sshd[30035]: Invalid user bin from 219.140.165.85
sshd[34707]: Invalid user oracle from 123.142.109.156
sshd[34709]: Invalid user test from 123.142.109.156
sshd[34739]: Invalid user bin from 206.57.116.2
sshd[34749]: Invalid user bin from 206.57.116.2
sshd[34767]: Invalid user msr from 206.57.116.2

TranquilFury · Postby **TranquilFury** » Thu Jan 12, 2012 6:08 am UTC

OH WOW, im glad Iooked at that log, it helped me figure out that PID>2^16 caused that kernel panic. Perhaps I should restart more often.

J Thomas · Postby **J Thomas** » Thu Jan 12, 2012 11:54 am UTC

Yakk wrote:The 'best' remote attacks involve botnets attacking nearly random targets, never attacking the same site twice, and rarely attacking the same user twice.

Sure, you don't get to exhaustively search a password space, but at the scales I just described, you don't care.

And all of the "lock out an account if someone tries too often" jazz doesn't do anything against the above attack. Either basically every account you have is locked out (which means you'll have to unlock them), or none of them are (in which case, the attacks continue).

Thank you! So the goal is not to get the password for a specific user of a specific site, but to get a password for a random user at a random site.

This does not seem particularly valuable to me, but I guess if you already have the use of a whole lot of other people's computers and you can't think of anything useful to do with them, then this approach would give you the occasional random present.

J Thomas · Postby **J Thomas** » Thu Jan 12, 2012 12:45 pm UTC

TranquilFury wrote:What you CAN do is rate limit login attempts, and only allow remote login for the accounts that actually need it. If many people need remote login, it may be best to make all of them start the session with a shared rare username and password, and have them escalate to their own credentials after the session is started. This way the shotgun botnet attacks(try 10 common passwords for 10 thousand potential usernames) will fail because they don't even know which username to attack, and if the attackers figure out that credential, they're still stuck in a sandbox long enough to plug the leak.

I see!

Not to mention, having a login format different from everybody else means they have to do something specific for your site, and if they're hitting sites at random they might not bother with special treatment for yours.

So you could send users an obfuscated web page which has extra name and password fields which are not actually visible. Only bots will use them. The cost is a slightly bigger message to every user, every time. It would be hard to estimate how much this adds to password protection because it only weeds out some kinds of brute force attacks. It would be easier to look at the cost in bandwidth, and at the absolute number of attacks detected this way, and the cost in time of checking the extra fields versus the time saved by discarding login attempts immediately.

Anything you do to require individual attention to your site from people who do mass attacks will reduce the likelihood of successful attacks. And the more insignificant your site is, the better it works.

elasto · Postby **elasto** » Thu Jan 12, 2012 2:30 pm UTC

J Thomas wrote:Thank you! So the goal is not to get the password for a specific user of a specific site, but to get a password for a random user at a random site.

This does not seem particularly valuable to me

Actually, it's potentially extremely valuable because of two factors:
(a) A lot of people (most?) use the same password everywhere and
(b) A lot of people (most?) only use one email address.

Once a hacker has a random user at RandomSite the following sequence of events might take place:
- He goes to the user settings and finds out the user's email address
- He logs into the email account because they used the same password
- He finds that the user has a financial account at FinancialSite
- The user wasn't totally dumb as they have a different username and password there - but no matter:
- The username is found stored in email history
- The password he can't identify, but, no matter, there's still a trick he can pull... Back to RandomSite
- He looks in user settings again and sees the user has given his DOB and a security question: "Childhood pet's name" Answer: "Tiddles"
- Back to FinancialSite and click on 'lost/forgotton password'
- FinancialSite requests his DOB and the name of his childhood pet as authentication and then duly sends a password reset url to his email account
- One password reset later and he's logged into FinancialSite to do whatever he can there

I dunno, that was all off the top of my head so I'm sure someone who makes a living from doing this has all sorts of ways to leverage it.

Needless to say I have five tiers of passwords and five different email accounts so one layer getting compromised won't affect any of the others, but I'm probably not the norm on the net (and nor are most people on xkcd I'm sure!)

willpellmn · Postby **willpellmn** » Thu Jan 12, 2012 4:30 pm UTC

Wow, this thread is still going huh? In that case I'll ask what I never got around to asking when I printed this out and pinned it to my cubicle, what's with the "bits of entropy", and how did Randall decide that a common word has 11 of them while a number has three? I assumed it was the number of possibilities counted in binary, but why you'd call that "entropy" I don't know.

Yakk · Postby **Yakk** » Thu Jan 12, 2012 4:36 pm UTC

https://en.wikipedia.org/wiki/Entropy_% ... _theory%29

The short answer is that it turns out that Entropy is a measure of information.

How many digits are there from 0 to 9? How many bits does it take? How about for 3 digits? See how a digit is about 3 bits of information?

There are ~2k common words. So it takes ~11 bits to describe which common word you are using. (If your selection isn't uniformly random, you can huffman encode your "which word is it" and get the average number of bits of entropy below 11 bits.)

J Thomas · Postby **J Thomas** » Thu Jan 12, 2012 5:53 pm UTC

elasto wrote:
J Thomas wrote:Thank you! So the goal is not to get the password for a specific user of a specific site, but to get a password for a random user at a random site.

This does not seem particularly valuable to me

Actually, it's potentially extremely valuable because of two factors:
(a) A lot of people (most?) use the same password everywhere and
(b) A lot of people (most?) only use one email address.

Once a hacker has a random user at RandomSite the following sequence of events might take place:
- He goes to the user settings and finds out the user's email address
- He logs into the email account because they used the same password

Mistake #1 by that user. If he needed a second brute force search on that specific user's email address then he'd face the problem I posed.

- He finds that the user has a financial account at FinancialSite

Mistake #2 by that user. I delete that sort of thing, I save copies if I think I may need them.

- The user wasn't totally dumb as they have a different username and password there - but no matter:
- The username is found stored in email history

I think that's still Mistake #2.

- The password he can't identify, but, no matter, there's still a trick he can pull... Back to RandomSite
- He looks in user settings again and sees the user has given his DOB and a security question: "Childhood pet's name" Answer: "Tiddles"

This is a valid concern. There are a limited number of security questions in use and not a whole lot you can do about it. My bank for example lets me choose one or two of six security questions, so I chose two I hadn't use before. But that's real limited.

- Back to FinancialSite and click on 'lost/forgotton password'

- FinancialSite requests his DOB and the name of his childhood pet as authentication and then duly sends a password reset url to his email account
- One password reset later and he's logged into FinancialSite to do whatever he can there

The user at least gets to see that something has happened, but that's bad and it looks like it only took 2 basic mistakes from the compromised user.

I dunno, that was all off the top of my head so I'm sure someone who makes a living from doing this has all sorts of ways to leverage it.

At this point I start to question the business model. To make a living, this guy is maintaining a collection of hacked computers that do random brute-force password attacks. When they succeed he spends some personal time getting into the victim's financial accounts. He needs a way to transfer the money without getting tracked down. What he gets when he wins is money from a random person, who on average will not have much money. Why doesn't he get caught when they trace the money? Ah! Because he lives in a nation which needs foreign exchange, which protects him. So the opportunities open up at the rate of new technology, while the enforcement limps along at the rate of international diplomacy.

And to him even fairly small amounts of money seem like a lot. He gets most of his profit from the occasional jackpot, the random user who has money but has no security.

That would imply that he should put his attention onto the sites that are more likely to have such people. Xkcd is a poor choice. Heritage Auctions might be a very good one. People who buy antiques at high prices definitely have money and they are more likely to be old and computer-unskilled.

You don't fish for whales in a rain barrel. But Sea World has a higher ratio of whale:water than the open ocean does.

Yakk · Postby **Yakk** » Thu Jan 12, 2012 6:53 pm UTC

Someone gets an email or an offer to transfer cash. They agree, then money is transferred into their account, and they are to western union 80% of it to some other nation. They do this.

The money is actually transferred from some schmuck who lost their password to a scammer, so it looks legit on the side of the person who gets the money. The money is probably eventually tracked down, and the person who took the money transfer job is liable for the lost money, but the scammers get the cash.

In general, what you really do is do one of these steps, and sell the results to another criminal who does another step with the compromised email account/computer/etc.

elasto · Postby **elasto** » Fri Jan 13, 2012 12:06 pm UTC

J Thomas wrote:At this point I start to question the business model ... He gets most of his profit from the occasional jackpot, the random user who has money but has no security.

Not really. There will be multiple people specialising here. One person will have taken control of tens of thousands of unsuspecting home pc's which do all the work for him. It takes him no effort at all to do what he does beyond crafting the virus itself. These bots will be constantly sending him lists of hundreds of usernames/passwords and the guy will sell the list on the black market for x cents each. His income is pretty much guaranteed. The next person will refine the lists, selling the ones he can process for x+y cents each, giving him a pretty much guaranteed income too. And so on down the chain. Let's say one person has a great scam he can do for anyone who's a member of SpecificWebsite; He just buys the names and passwords for that one website from the bot owner and doesn't buy the rest.

Eventually these lists will be used for countless scams. Heck, simply the email addresses are valuable to sell on for people to spam to. The viruses may also be grabbing the infected computers' usernames, passwords and financial info etc or they may wish to extend their longevity by not engaging in such revealing behaviour.

One way of getting money pretty safely is the way Yakk listed. Another way is by buying expensive items and conning some sap into letting them get delivered to his house for him to send on overseas - leaving him to be the fall guy when the police eventually turn up. There are tons of ways information can be exploited including using it offline: I remember someone a few years back managing to get a member of the UK cabinet's driving licence reissued - with the scammer's picture on it and sent to the scammer's house. Once you have someone else's ID with your picture and address on it the potential for seriously profitable ID theft - taking out large amounts of credit in the form of cards and loans - comes into play. This wasn't a fake driving licence you understand, it was real.

(The 'scammer' did it to the member of the government to make a point - how easy ID theft was to achieve. He handed the driving licence over to the police as soon as he was issued it.)

J Thomas · Postby **J Thomas** » Fri Jan 13, 2012 6:55 pm UTC

elasto wrote:There will be multiple people specialising here. One person will have taken control of tens of thousands of unsuspecting home pc's which do all the work for him. It takes him no effort at all to do what he does beyond crafting the virus itself. These bots will be constantly sending him lists of hundreds of usernames/passwords and the guy will sell the list on the black market for x cents each. His income is pretty much guaranteed.

This suggests a distinct subculture. If I wanted to buy a list of passwords I would have no idea where to go. I would likely wind up getting scammed, or worse I would buy from a police plant.

This subculture would face risks of infiltration and legal penalties etc which would give them random unpredictable costs, unless they are in nations which tolerate them.

The next person will refine the lists, selling the ones he can process for x+y cents each, giving him a pretty much guaranteed income too. And so on down the chain. Let's say one person has a great scam he can do for anyone who's a member of SpecificWebsite; He just buys the names and passwords for that one website from the bot owner and doesn't buy the rest.

Eventually these lists will be used for countless scams. Heck, simply the email addresses are valuable to sell on for people to spam to. The viruses may also be grabbing the infected computers' usernames, passwords and financial info etc or they may wish to extend their longevity by not engaging in such revealing behaviour.

One way of getting money pretty safely is the way Yakk listed. Another way is by buying expensive items and conning some sap into letting them get delivered to his house for him to send on overseas - leaving him to be the fall guy when the police eventually turn up. There are tons of ways information can be exploited including using it offline: I remember someone a few years back managing to get a member of the UK cabinet's driving licence reissued - with the scammer's picture on it and sent to the scammer's house. Once you have someone else's ID with your picture and address on it the potential for seriously profitable ID theft - taking out large amounts of credit in the form of cards and loans - comes into play. This wasn't a fake driving licence you understand, it was real.

It shouldn't work to target a cabinet member with a brute force attack. Maybe it does, but it shouldn't. So what did he do? Go to the x+y guy and buy it?

"I want a password for a high british official."
"Okeh dokeh, I have a cabinet member for 10 quid."
"Ten quid? Isn't that pretty high?"
"Da. But I can vait till somebody vish to blackmail him, how much vud dey pay? You vant a Parlement membah? I haf 59 ov dem for 5 quid each."
"Ten quid it is."

You're making me want to insist that my wife and children give up Windows, so I guess this conversation is not totally useless.

Yakk · Postby **Yakk** » Fri Jan 13, 2012 7:33 pm UTC

J Thomas wrote:This suggests a distinct subculture.

No, it describes an existing distinct subculture. What is being described is something that currently exists.

The details are almost certainly "off", but this isn't a "what if" scenario. It is a "what is" scenario.

elasto · Postby **elasto** » Sat Jan 14, 2012 1:46 am UTC

J Thomas wrote:This suggests a distinct subculture. If I wanted to buy a list of passwords I would have no idea where to go. I would likely wind up getting scammed, or worse I would buy from a police plant.

This subculture would face risks of infiltration and legal penalties etc which would give them random unpredictable costs, unless they are in nations which tolerate them.

I would have no idea where to go either. But such subcultures do exist just as there are people trading child-porn on closed, encrypted networks.

See this article (spoilered for length)

Spoiler:

It shouldn't work to target a cabinet member with a brute force attack. Maybe it does, but it shouldn't. So what did he do? Go to the x+y guy and buy it?

No, he did it through pure, old-fashioned social engineering - making phone calls and tricking institutions into revealing what to them was innocent, useless information. But every time he got a piece of 'innocent, useless information' it enabled him to call a different institution (or even simply the same institution over and over) and get something more relevant until eventually he was able to pull the whole thing off. My point was merely that information discovered online (eg by gaining access to email) could short-cut the process and so potentially has offline value as well - though admittedly it'd usually be too time-consuming to make use of it this way.

You're making me want to insist that my wife and children give up Windows, so I guess this conversation is not totally useless.

Well... That would certainly make it less likely your computer would get a virus - although a patched Windows 7 plus Windows Firewall and MSE is a pretty secure combo these days. Changing OS wouldn't make any difference to the topic of this thread, though, which is using multiple, secure passwords on the net - which hopefully you and your family already practice.

J Thomas · Postby **J Thomas** » Sat Jan 14, 2012 3:31 am UTC

snip interesting details showing how organizations that compromised millions of computers managed to make millions of dollars....

elasto wrote:
J Thomas wrote:You're making me want to insist that my wife and children give up Windows, so I guess this conversation is not totally useless.

Well... That would certainly make it less likely your computer would get a virus - although a patched Windows 7 plus Windows Firewall and MSE is a pretty secure combo these days. Changing OS wouldn't make any difference to the topic of this thread, though, which is using multiple, secure passwords on the net - which hopefully you and your family already practice.

Yes. And my machine is the only one that gets financial transactions, except my wife uses a debit card to order pizza. If her computer gets compromised, there goes that debit card.

You described basicly small-time operations that weren't accomplishing much and which got caught, that each had millions of computer. Presumably they got lots of those with worms etc and not with brute force password attacks. So I want my kids' computers to be set up so that each reboot restores them to a pristine state from read-only media, with nothing saved except bookmarks and passive data. I can't do that with Windows in a reasonable time.

elasto · Postby **elasto** » Sat Jan 14, 2012 4:30 am UTC

J Thomas wrote:You described basicly small-time operations that weren't accomplishing much and which got caught, that each had millions of computer. Presumably they got lots of those with worms etc and not with brute force password attacks.

Your definition of 'small-time operations' is interesting given how many millions of dollars each made. What, does only Goldfinger attacking Fort Knox count as big time to you? :p

But, yeah, the article I linked was mainly to demonstrate that there is a thriving and highly lucrative criminal subculture in existence where stolen information is freely bought and sold - since you seemed to imply it would be hard for such a subculture to persistently resist law enforcement. In fact, it's way easier and safer to make a million dollars through a botnet click fraud than it would be to make a million dollars robbing a bank (case in point heh). As with all criminal endeavours, greed is probably the major difference between getting caught and getting away with it - well, that and getting sloppy and complacent; Stay smart and under the radar and you're probably golden. Either way, though, making money fraudulently online has never been bigger business than it is today.

The article didn't directly go into the purposes distributed and offline password attacks could be put to but such articles can be found easily too.

So I want my kids' computers to be set up so that each reboot restores them to a pristine state from read-only media, with nothing saved except bookmarks and passive data. I can't do that with Windows in a reasonable time.

To be honest that's probably a bit too paranoid. But you could still do that in Windows through a Windows VM, say, or outside Windows by having an OS run from a DVD.

With Windows 8 you can virtually do what you're looking for though:

Rejoice, all ye faithful! Microsoft, in its infinite wisdom, will provide push-button Reset and Refresh in Windows 8. Reset will restore a Windows 8 PC to its stock, fresh-from-the-factory state; Refresh will reinstall Windows 8, but keep your documents and installed Metro apps intact.

That’s right: When your aged mother phones up to complain about her slow, broken, and malware-infested computer, instead of schlepping over there with a Windows install disk, you can just tell her to click “Refresh.” Refreshing keeps network settings, BitLocker settings, drive letter assignments, and personalizations (lock screen image, desktop wallpaper, etc.) Only Metro apps are preserved, however; Desktop apps, due to their third-party installers and other caveats are not easy to save — plus, due to the restrictive permissions placed on Metro apps, it’s probably a Desktop app that is causing a computer to misbehave in the first place. File associations, Windows Firewall settings, and Display settings are not preserved during a Refresh.

Reset is obviously very useful if you want to sell an old computer — or if you just want to perform the standard Six Month Windows Dekluge. Both Reset and Refresh are surprisingly quick, too: Reset takes six minutes, and Refresh takes eight minutes (compared to a baseline of 25 minutes using a system image backup tool). When Resetting, you have the option of performing a “thorough” wipe of your documents and settings, which takes a little longer to perform — 24 minutes, according to Microsoft (in reality it will take longer) — but it will prevent the next owner of your computer from discovering the details of your sordid affairs. These very quick speeds are achieved by using the same data migration tech as the Windows 8 upgrade engine, incidentally. Reset and Refresh can be performed either from inside Windows (pictured above), or at boot using the new Windows Recovery Environment (below).

In true Microsoft, One OS To Rule Them All style, though, the Redmondites have also added a hard disk imaging/ghosting tool to Windows 8, ala Norton Ghost or Acronis True image. By using a tool called recimg.exe, you can define what image will be used by Refresh. In other words, you can install all of your normal Desktop apps and games — Photoshop, Steam, and so on — configure all of your tweaks and personalizations, run recimg.exe… and then when you Refresh, your computer will be cleaned up and also ready to go immediately. Neat.

At this juncture we have to point out that both Reset and Refresh are very tablety features, though given Windows’ innate malware magnetism, the same features will be very welcome on the desktop as well. Android, iOS, and Windows Phone 7 all support a Reset function — and through iCloud, Google’s cloud services, and Windows Live, resetting a phone is almost painless. Windows 8, if it wants to succeed on tablets, must have the same functionality as iOS and Android and then some.

Run on a SSD, Reset and Refresh will probably only take 1-2 minutes. Barely more than some older PCs boot up in now...

J Thomas · Postby **J Thomas** » Sun Jan 15, 2012 3:49 am UTC

elasto wrote:
J Thomas wrote:You described basicly small-time operations that weren't accomplishing much and which got caught, that each had millions of computer. Presumably they got lots of those with worms etc and not with brute force password attacks.

Your definition of 'small-time operations' is interesting given how many millions of dollars each made. What, does only Goldfinger attacking Fort Knox count as big time to you? :p

I was surprised at the small estimated profits.

Zeus. Estimated 3 million computers infected. They sold a kit for say $3000. Did people pay $3000 to infect on average 1000 computers? Then the sellers of the kit made about $3 million off kit sales. 90 mules were caught for about $70 million. If that's all there was, that's about $23 per infected computer.

Cutwail infected many millions of machines, with a profit of less than $4.1 million/year.

An Estonian gang had 4 million computers with $14 million profits and then they were caught.

If I had a million computers connected to the net, I hope I'd find something to do with them that was worth more than $4/computer/year fraudulently clicking on ads to make websites look more popular than they are.

But, yeah, the article I linked was mainly to demonstrate that there is a thriving and highly lucrative criminal subculture in existence where stolen information is freely bought and sold - since you seemed to imply it would be hard for such a subculture to persistently resist law enforcement. In fact, it's way easier and safer to make a million dollars through a botnet click fraud than it would be to make a million dollars robbing a bank (case in point heh). As with all criminal endeavours, greed is probably the major difference between getting caught and getting away with it - well, that and getting sloppy and complacent; Stay smart and under the radar and you're probably golden. Either way, though, making money fraudulently online has never been bigger business than it is today.

Of course, the way you know you're smart and under the radar is you haven't gotten caught yet. The anthropic principle at work. It's dangerous to tell other criminals just what you're doing so they can get good statistics about what works. We could get a lower limit for average half-life by looking at the ones who got caught and how long they lasted, if we thought the published cases were representative of the ones who got caught but remained unpublished.

So I want my kids' computers to be set up so that each reboot restores them to a pristine state from read-only media, with nothing saved except bookmarks and passive data. I can't do that with Windows in a reasonable time.

To be honest that's probably a bit too paranoid. But you could still do that in Windows through a Windows VM, say, or outside Windows by having an OS run from a DVD.

With Windows 8 you can virtually do what you're looking for though:

Run on a SSD, Reset and Refresh will probably only take 1-2 minutes. Barely more than some older PCs boot up in now...

Running Tinycore Linux on an old computer I average 40 seconds for reboot using the quick POST. It restores all the code from read-only media. But say I use Firefox and somebody finds a new vulnerability in that. If it takes the Tinycore people a month to update their version of Firefox and I don't do it myself, my system is open for that month. The more people who use it and who publish updates, the less that problem arises. But then there's the chance that volunteers might put backdoors into software they release to that community, and if it gets past the guys who watch for that then it could infect a lot of others.

"Mother Nature always sides with the hidden flaw."

elasto · Postby **elasto** » Sun Jan 15, 2012 4:55 am UTC

J Thomas wrote:I was surprised at the small estimated profits.

Zeus. Estimated 3 million computers infected. They sold a kit for say $3000. Did people pay $3000 to infect on average 1000 computers? Then the sellers of the kit made about $3 million off kit sales. 90 mules were caught for about $70 million. If that's all there was, that's about $23 per infected computer.

I think we can safely assume the majority of criminals don't get caught. For example, I imagine most of the criminal operations making use of Zeus kits got away with it. Here's a couple of stats just from random Googling:

Online Fraud Cost Merchants $4 Billion in 2008
Nearly one in eight UK surfers were a victim of online fraud in the last year, with personal losses averaging £875

If I had a million computers connected to the net, I hope I'd find something to do with them that was worth more than $4/computer/year fraudulently clicking on ads to make websites look more popular than they are.

Well. The more money you try to make from each individual computer - the more greedy you are - the more likely to get caught you are, obviously. Not all criminals want to become instant multi-millionaires. The smart ones know that's unnecessarily risky and choose to just have a comfortable life with a much reduced chance of getting caught.

It's dangerous to tell other criminals just what you're doing so they can get good statistics about what works. We could get a lower limit for average half-life by looking at the ones who got caught and how long they lasted, if we thought the published cases were representative of the ones who got caught but remained unpublished.

All true. However, we can know the overall level of fraud and work backwards too - and thereby derive the ratio of caught to not caught.

Running Tinycore Linux on an old computer I average 40 seconds for reboot using the quick POST. It restores all the code from read-only media. But say I use Firefox and somebody finds a new vulnerability in that. If it takes the Tinycore people a month to update their version of Firefox and I don't do it myself, my system is open for that month. The more people who use it and who publish updates, the less that problem arises. But then there's the chance that volunteers might put backdoors into software they release to that community, and if it gets past the guys who watch for that then it could infect a lot of others.

True, it's always possible to make yourself safer - but at some point your time would be better spend lowering other risks in your life. It's like how government and society obsesses about making flying safer when you're far more likely to get killed on the drive to the airport.

Just do the basics right and you'll cut your risks by, like, 99.9%, as well as greatly minimise your losses
- keep your system patched
- use a secure browser, firewall and virus checker
- have a variety of secure passwords and change them every so often - perhaps after an OS reinstall
- only use online banking which has two-stage, physically-generated authentication
- have a savings account and a current account, and only keep the amount in your current account that you need for outgoings
- use a pre-paid payment card and only top it up the amount you need to spend, so if it becomes compromised your losses are minimal

At that point your greatest fear is probably old-fashioned ID theft, so make sure you regularly review your credit rating too.

J Thomas · Postby **J Thomas** » Sun Jan 15, 2012 11:38 am UTC

elasto wrote:
J Thomas wrote:I was surprised at the small estimated profits.

Zeus. Estimated 3 million computers infected. They sold a kit for say $3000. Did people pay $3000 to infect on average 1000 computers? Then the sellers of the kit made about $3 million off kit sales. 90 mules were caught for about $70 million. If that's all there was, that's about $23 per infected computer.

I think we can safely assume the majority of criminals don't get caught. For example, I imagine most of the criminal operations making use of Zeus kits got away with it.

Yes, and I was surprise at the small scale. If the Zeus guys made 1000 sales that isn't so much money for them. But if they made more sales, that says most of the users didn't do much. It sounds kind of MLM. A few people work hard at making money with the kits they bought, and lots of them fail at it and don't get their investment back.

Here's a couple of stats just from random Googling:

[url=http://www.practicalecommerce.com/articles/996-Chart-of-the-Week-Online-Fraud-Cost-Merchants-4-Billion-in-2008]

$4 billion is not very much, though they say it was well over 1% of online sales. A related link also said that 30% to 50% of online credit card fraud was either customers who had complaints about their purchases and delayed payment, or customers who were committing fraud themselves by falsely claiming they were hacked.

Online Fraud Cost Merchants $4 Billion in 2008[/url]
Nearly one in eight UK surfers were a victim of online fraud in the last year, with personal losses averaging £875

That one is shocking. If I lost that much I'd hesitate to do another online transaction.

If I had a million computers connected to the net, I hope I'd find something to do with them that was worth more than $4/computer/year fraudulently clicking on ads to make websites look more popular than they are.

Well. The more money you try to make from each individual computer - the more greedy you are - the more likely to get caught you are, obviously.

I hope I could find something to do with a million computers that wasn't illegal apart from using somebody else's computer time.

Not all criminals want to become instant multi-millionaires. The smart ones know that's unnecessarily risky and choose to just have a comfortable life with a much reduced chance of getting caught.

I guess I'm paranoid. If I'm controlling a million computers then no matter how hard I try to hide, some smart person can make those computer point at me -- if he's willing to make the effort. And he might find me as a side effect of looking for somebody more important. If I have those skills and I just want a comfortable life, why take those risks? I can't depend on arrest statistics to calculate the odds -- when the victims are big businesses and credit card companies they might impose penalties and disincentives which do not involve the legal system.

It's dangerous to tell other criminals just what you're doing so they can get good statistics about what works. We could get a lower limit for average half-life by looking at the ones who got caught and how long they lasted, if we thought the published cases were representative of the ones who got caught but remained unpublished.

All true. However, we can know the overall level of fraud and work backwards too - and thereby derive the ratio of caught to not caught.

Yes, which leaves me thinking that the examples you gave of caught ones that made millions versus the total of billions, made them look small-time. But now I remember that on the one side the estimates were for profits, while on the other side the estimates were for losses. So for example if an online merchant accepts a bad credit card, then Mastercard or Visa will charge him $20 to $35 for doing it on top of taking the money back. And online credit card thieves are likely to make lots of fairly small purchases. So for this particular fraud 10% or more of the money might go to the credit card companies.

True, it's always possible to make yourself safer - but at some point your time would be better spend lowering other risks in your life. It's like how government and society obsesses about making flying safer when you're far more likely to get killed on the drive to the airport.

Sure. But if you get killed driving to the airport nobody loses a $200 million airliner. For your insurance company it's a predictable expense. When the airline's insurance company loses a plane that's a big deal for them.

Just do the basics right and you'll cut your risks by, like, 99.9%, as well as greatly minimise your losses
- keep your system patched
- use a secure browser, firewall and virus checker
- have a variety of secure passwords and change them every so often - perhaps after an OS reinstall
- only use online banking which has two-stage, physically-generated authentication
- have a savings account and a current account, and only keep the amount in your current account that you need for outgoings
- use a pre-paid payment card and only top it up the amount you need to spend, so if it becomes compromised your losses are minimal

All good advice.

At that point your greatest fear is probably old-fashioned ID theft, so make sure you regularly review your credit rating too.

Thank you for explaining this. It looks like a central problem is that lots of people with insecure systems wind up giving away their computers to people who lack imagination. So those computers get used for negative-sum games like brute force random password attacks. The whole system suffers the overhead of processing those attacks and on average the payoff is low for the attackers while the cost can be high for the victims. So I want to put more emphasis on protecting my children's computers than I have. They have no sensitive data and aren't networked to mine, so I gave them antivirus stuff and taught them about passwords and helped them with visible problems, and didn't worry about it. But that's socially irresponsible.

Exkakx · Postby **Exkakx** » Wed Jan 18, 2012 12:29 am UTC

My school computer password is now "correcthorsebatterystaple"

Yakk · Postby **Yakk** » Wed Jan 18, 2012 2:35 am UTC

As one from a very short list of very famous passwords, the approximate entropic strength of "correcthorsebatterystaple" is under 10 bits.

Who is online