BlackHat 2011 USA

I wanted to congratulate Ivan and Nicolas, our winners of the SecuriTeam Secure Disclosure free entry and travel expenses to the BlackHat Briefings 2011 (USA).

I hope to see the rest of our researchers there; I will be posting more details on our drink-o-party, which is scheduled to take place during those two days.

Follow me on Twitter at @nrathaus, or email me at noamr[]beyondsecurity@com for more details.

Thoughts on a riot

I’m from Vancouver.  So, even though I’m not a hockey fan, after the Canucks were the best in the league in the regular season (and by a record-breaking margin), it was disappointing that they didn’t win the Stanley Cup.

It was much, much more disappointing to wake up the next morning, and find that there had been a riot.  Particularly when, after the 1994 riot, the city had planned well (well, maybe), and had had such a great time with the Olympics and the six previous games.

The disaster was somewhat mitigated by the spontaneous cleanup crews the next morning, and the “Love Wall.”  (And, you’ve undoubtedly seen “The Kiss.”)

The riot was rendered more disastrous by the subsequent social media vigilantism.

Actually, riots and social media have a lot in common.  In both cases, they seem to be driven by people wanting to get “in on the action.”  What actually creates a riot in a city, or something “viral” in social media, doesn’t seem to be predictable, although, in both cases, lots of people are willing to explain, after the fact, why they should have been foreseen.  (Stereotypical black swans, in both cases.)  A wonderful piece in the Vancouver Sun notes that the same blame placement (on hooligans, outsiders, and a new technology) was used to explain the Paris riot of 1789.

In fact, that idea of “outsiders” seems to run through almost all of the articles and opinion pieces spawned by the riot.  Canucks fans say “it wasn’t us,” residents of Vancouver say “it wasn’t us,” and people who don’t live in Vancouver say “we didn’t have a riot: it wasn’t us.”  (I remember flying into Chicago and landing in the midst of a riot.  They burned quite a few cars, trucks, and buses, and had quite widespread looting.  In that case it was because the Bulls had won.)

Every time I read that kind of thing, I am reminded of what Alexander Solzhenitsyn wrote, quite some time ago, in “The Gulag Archipelago”: “If only it were all so simple!  If only there were evil people somewhere insidiously committing evil deeds, and it were necessary only to separate them from the rest of us and destroy them.  But the line dividing good and evil cuts through the heart of every human being.  And who is willing to destroy a piece of his own heart?”

Commoditizing Pay-Per-Install

We all know, I guess, about the professionalization of Internet crime and the diversification of the underground economy, but measuring it isn’t so easy.

ESET’s Aleksandr Matrosov and Eugene Rodionov have alluded to it in several papers and presentations with particular reference to TDSS, and we consolidated some of that material into an article (actually the first of a series of three articles on TDSS) that talks about the Dogma Millions and GangstaBucks affiliate models used in that context.

However, a paper on Measuring Pay-per-Install: The Commoditization of Malware Distribution by Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson, is based on a measurement study implemented by infiltrating four PPI service providers: LoaderAdv (of which GangstaBucks is one of the brands), GoldInstall, Virut, and Zlob. The authors assert that, of the top 20 malware families tracked by Fire Eye between April and June 2010, twelve were using PPI services to buy infections.

Lots of other interesting data there, too. Hat tip to Aleks for bringing it to my attention.

ESET Senior Research Fellow

Simple passwords are the solution

ZDNet has a nice piece on why cheap GPUs are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, since the need for /etc/shadow), but they are missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s to make them less complex (so that users can actually remember them) and to make sure brute force is impossible. We know how to do that; we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if the attacker only gets very few tries).
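To put numbers on “very few tries,” here is an added example (not from the post, and not anyone’s production code) that contrasts the two attack settings the post is talking about: an attacker who holds the hash and is limited only by GPU throughput, versus an attacker who must go through the login front end and is held to a per-account attempt budget. The `LoginGuard` class is a constructed throttling policy; the attempt limit, lockout length, and guess rate are illustrative assumptions, and the check runs against a plaintext credential only so the example stays self-contained.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


def success_probability(keyspace: int, attempts: int) -> float:
    """Chance that an attacker guessing uniformly at random (no repeats) wins
    with a bounded number of online tries against one account."""
    return min(attempts, keyspace) / keyspace


def offline_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace when the attacker holds the hash and is
    limited only by hardware, the cheap-GPU case the post refers to."""
    return keyspace / guesses_per_second


def online_guesses_per_day(max_attempts: int, lockout_seconds: float) -> float:
    """Guesses per account per day the attacker gets when every window of
    lockout_seconds allows at most max_attempts failures."""
    return max_attempts * 86400 / lockout_seconds


@dataclass
class LoginGuard:
    """Per-account attempt budget: after max_attempts failures the account is
    refused, even with the right password, until lockout_seconds have passed
    since the last failure. Numbers are illustrative assumptions."""
    max_attempts: int = 5
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.time
    # account -> (failure count, time at which the count resets)
    _failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        count, reset_at = self._failures.get(account, (0, 0.0))
        return count >= self.max_attempts and self.clock() < reset_at

    def attempt(self, account: str, password: str, expected: str) -> bool:
        now = self.clock()
        count, reset_at = self._failures.get(account, (0, now))
        if now >= reset_at:
            count = 0  # window expired, the budget is replenished
        if count >= self.max_attempts:
            return False  # locked: the correct password is refused too
        # constant-time comparison; a real system compares a password hash
        if hmac.compare_digest(password.encode(), expected.encode()):
            self._failures.pop(account, None)
            return True
        # every failure restarts the window, so the attacker never gets
        # more than max_attempts guesses per lockout_seconds per account
        self._failures[account] = (count + 1, now + self.lockout_seconds)
        return False


if __name__ == "__main__":
    # Constructed comparison: a random six-letter lowercase password.
    keyspace = 26 ** 6
    print("offline, 1e9 guesses/s:", offline_seconds(keyspace, 1e9), "seconds")
    per_day = online_guesses_per_day(5, 900.0)
    print("online, 5 tries per 15 min:", keyspace / per_day, "days to exhaust")
    print("P(success) in one day:", success_probability(keyspace, int(per_day)))
```

The arithmetic is the whole point: a keyspace a GPU finishes in well under a second takes the online attacker, capped at a few hundred guesses per day per account, on the order of a million days. The guard only bounds attempts against one account through the front end; it does nothing for a leaked hash database, which is the case where the complexity of the password still matters.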

It’s not just cheap GPUs. Complex passwords are also the problem. Simple passwords are the solution.