June 2011

BlackHat 2011 USA

I wanted to congratulate Ivan and Nicolas, our winners of the SecuriTeam Secure Disclosure free entry and travel expenses to BlackHat Briefings 2011 (USA).

I hope to see the rest of our researchers there, I will be posting more details on our drink-o-party that is scheduled to occur during those two days.

Follow my twitter @nrathaus, or email me at noamr[]beyondsecurity@com for more details.

Thoughts on a riot

I’m from Vancouver.  So, even though I’m not a hockey fan, after the Canucks were the best in the league in the regular season (and by a record-breaking margin), it was disappointing that they didn’t win the Stanley Cup.

It was much, much more disappointing to wake up the next morning, and find that there had been a riot.  Particularly when, after the 1994 riot, the city had planned well (well, maybe), and had had such a great time with the Olympics and the six previous games.

The disaster was somewhat mitigated by the spontaneous cleanup crews the next morning, and the “Love Wall.”  (And, you’ve undoubtedly seen “The Kiss.”)

The riot was rendered more disastrous by the subsequent social media vigilantism.

Actually, riots and social media have a lot in common.  In both cases, they seem to be driven by people wanting to get “in on the action.”  What actually creates a riot in a city, or “viral” in social media, doesn’t seem to be predictable, although, in both cases, lots of people are willing to explain, after the fact, why they should have been foreseen.  (Stereotypical black swans, in both cases.)  A wonderful piece in the Vancouver Sun notes that the same blame placement, on hooligans, outsiders, and a new technology, was used to explain the Paris riot of 1789.

In fact, that idea of “outsiders” seems to run through almost all of the articles and opinion pieces spawned by the riot.  Canucks fans say “it wasn’t us,” residents of Vancouver say “it wasn’t us,” and people who don’t live in Vancouver say “we didn’t have a riot: it wasn’t us.”  (I remember flying into Chicago and landing in the midst of a riot.  They burned quite a few cars, trucks, and buses, and had quite widespread looting.  In that case it was because the Bulls had won.)

Every time I read that kind of thing, I am reminded of what Alexander Solzhenitsyn wrote, quite some time ago, in “The Gulag Archipelago”: “If only it were all so simple!  If only there were evil people somewhere insidiously committing evil deeds, and it were necessary only to separate them from the rest of us and destroy them.  But the line dividing good and evil cuts through the heart of every human being.  And who is willing to destroy a piece of his own heart?”

Commoditizing Pay-Per-Install

We all know, I guess, about the professionalization of Internet crime and the diversification of the underground economy, but measuring it isn’t so easy.

ESET’s Aleksandr Matrosov and Eugene Rodionov have alluded to it in several papers and presentations with particular reference to TDSS, and we consolidated some of that material into an article (actually the first of a series of three articles on TDSS) that talks about the Dogma Millions and GangstaBucks affiliate models used in that context.

However, a paper on Measuring Pay-per-Install: The Commoditization of Malware Distribution by Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson, is based on a measurement study implemented by infiltrating four PPI service providers: LoaderAdv (of which GangstaBucks is one of the brands), GoldInstall, Virut, and Zlob. The authors assert that of the top 20 malware families tracked by FireEye between April and June 2010, twelve were using PPI services to buy infections.

Lots of other interesting data there, too. Hat tip to Aleks for bringing it to my attention.

ESET Senior Research Fellow

Simple passwords are the solution

ZDNet has a nice piece on why cheap GPUs are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, since the need for /etc/shadow), but they are missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible. We know how to do that, we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if you only get very few tries).

It’s not just cheap GPUs. Complex passwords are also part of the problem. Simple passwords are the solution.
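To make the “very few tries” point concrete, here is an added example (my own illustration, not code from the post or from ZDNet) of a login gate that locks an account after a handful of failures, plus a helper that computes how long exhausting a password space takes under such a policy. The thresholds (5 tries, 15-minute lockout, 100,000 PBKDF2 iterations) are assumed values chosen for the example, not figures from the original text.

```python
import hashlib
import hmac
import math
import os
import time

# Assumed policy values for this example; tune them per deployment.
MAX_FAILURES = 5         # guesses allowed before the account locks
LOCKOUT_SECONDS = 900    # how long the account stays locked afterwards
PBKDF2_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database is still costly to crack offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginGate:
    """Online password check that budgets the attacker's guesses per account."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._users = {}  # username -> {salt, digest, failures, locked_until}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "digest": _derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def attempt(self, user: str, password: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        rec = self._users.get(user)
        if rec is None:
            # Burn the same CPU as a real check so timing does not reveal valid usernames,
            # and answer 'denied' rather than a distinct 'no such user'.
            _derive(password, b"\x00" * 16)
            return "denied"
        if now < rec["locked_until"]:
            # Even the correct password is refused while locked: that is the whole point.
            return "locked"
        if hmac.compare_digest(_derive(password, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            rec["failures"] = 0
            rec["locked_until"] = now + self.lockout_seconds
            return "locked"
        return "denied"


def seconds_to_exhaust(space_size: int, max_failures: int, lockout_seconds: int) -> int:
    """Worst-case wall-clock seconds for an online attacker to try every password
    in a space of `space_size` candidates, given `max_failures` guesses per lockout window."""
    windows = math.ceil(space_size / max_failures)
    return windows * lockout_seconds


if __name__ == "__main__":
    gate = LoginGate(max_failures=3, lockout_seconds=600)
    gate.register("alice", "1234")            # a deliberately trivial password
    for guess in ("0000", "0001", "0002", "1234"):
        print(guess, gate.attempt("alice", guess, now=0))
    print("4-digit PIN, 5 tries / 15 min:",
          seconds_to_exhaust(10_000, 5, 900) / 86400, "days")
    print("8 lowercase letters, same policy:",
          seconds_to_exhaust(26 ** 8, 5, 900) / (86400 * 365), "years")
```

Two things the numbers make obvious: a four-digit PIN under a 5-tries-per-15-minutes policy still falls in about three weeks of patient online guessing, so “simple” has a floor, while eight lowercase letters under the same policy take over a million years, even though the same eight letters would fall to a GPU in minutes if the hash database leaked. The lockout protects only the online path; the slow salted hash is what buys time if the stored digests are ever stolen, so the two belong together.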

World’s first “Decode the Race car” Challenge!!

So I haven’t written for a while, and that’s mainly because setting up your own security consultancy takes a lot more time than I would have imagined, but hey, it’s been a fun ride so far.

So while everyone else is off writing about Sony, I figured that I’d lighten the mood here with something that I think is such a great idea. The guys at Secure Racing have a challenge coming up, which sounds like it’s going to be great fun, and it’s such a novel idea as well.

So taken directly from the Secure Racing website, here is all the information about the challenge coming up on the 19th June at Brands Hatch.

“Secure Racing, the Information Security industry’s motorsport team, has laid down a challenge to anyone with a flair for code-breaking or a passion for cryptography.

At the team’s first race on 19th June at the Brands Hatch circuit in Kent, the Secure Racing Aston Martin will feature a hidden coded message somewhere within its livery and decals. The question is – can you find it and decipher it?
This is the first time a motorsport team anywhere in the world has offered a competition like this on their car. Developed by the Threats and Vulnerabilities Team at PwC, it forms the basis of a competition for anyone who wants to test their mettle and win fantastic prizes. Anyone can enter.

One week after the race, one winner and nine runners up will be drawn at random from the first 100 correct answers that we receive. Later this year, the lucky winner will get to jump in the Secure Racing Aston Martin Vantage GT4 to experience the exhilarating speed of getting around a circuit alongside a professional race driver. The winner will also get tickets to join the team at the Silverstone British GT Championship round and, along with the nine runners up, they will also receive complimentary membership to the Secure Racing members club – the details of which will be announced on race day.
Anyone who attends the Brands Hatch race on 19th June will have a chance to get up close and personal with our Aston and therefore have the best chance of spotting and cracking the code. For those that can’t make it, we will be posting pictures of the car on our website a couple of days after the race so you can take part.
Those who find and crack our code should email their answer to richard.moss@secureracing.co.uk
Ladies and gentlemen – the fun begins here. Start your engines, the Secure Racing story is about to begin.
Discounted admission tickets available exclusively for Secure Racing fans at: www.motorsportvision.co.uk/secracing