Posts by grindandstack

Password Management

May 16th, 2018, posted in Uncategorized

The venerable XKCD said it best, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

During my time working directly with clients in a technical capacity, the complaints I hear most often revolve around passwords and password management. People know they shouldn’t write them down. They know they shouldn’t use the same ones for different services. Some companies believe that forcing password changes at regular intervals leads to better security, when it just leads to people writing them down or choosing shorter, weaker passwords.

What makes a good password? How do bad guys attempt to guess passwords? What are the best ways to keep up with all your passwords and still protect yourself?

Let’s take a deep dive on passwords and see if we can find the answers to these questions and maybe protect our online accounts and identities a little bit better.

For starters, let’s work on our nerd vocabulary.

Character set: Is your password made up entirely of lower-case letters from the English alphabet? Each character in your password has 26 possibilities; in other words, your password has a character set of 26. What about upper and lower-case letters from the English alphabet? 52 possibilities for every character. Are you a security guru who uses a mix of upper-case, lower-case, numbers, and symbols? We’re up to 95 possibilities per character!

Search space: A five-character password made up entirely of numbers has a search space of 10^5: five characters, each with 10 possibilities. A five-character password made up of numbers, upper and lower-case letters, and special symbols has a search space of 95^5: five characters with 95 possibilities for each character. Because of this, the search space grows exponentially with each character added; a six-character password has a far larger search space than a five-character one.

Entropy: Lack of order or predictability. Words that appear in a dictionary have low entropy. Using your listed business phone number as your Wi-Fi password is low entropy.

When it comes to how easy or difficult it is for a bad guy to guess your password, there are several factors: length, character set, and the likelihood that it exists in a dictionary or rainbow table.

Length is straightforward. The longer your password, the longer it takes for a bad guy to discover it by guessing every combination, otherwise known as a brute-force attack. Length is the most important variable by far.

Consider the following two passwords:



The first uses all available character sets, giving each character 95 possibilities. The second uses only lowercase letters, 26 possibilities each. The first password has just under eight billion possible combinations and the second has just over two hundred billion. Length trumps everything.

Most people scratching their chin trying to think of a new password will go for what seems to be complexity over length, as length is considered diametrically opposed to memorability. This doesn’t need to be the case.

S3cuRep@s$! is a reasonably strong password. It uses the entire character space and is nine characters long. It also requires you to memorize which letters you’ve substituted with numbers and special characters, and it requires some finger contortion. At one hundred trillion guesses a second it would take just under two years for a computer to guess. Given Moore’s law, that computing power doubles every eighteen months, in five years it would likely take only several months to guess that password.

Now consider Ilovespringtime1! It’s easy to type and would take over 13 billion centuries to guess at one hundred-trillion guesses a second. The best part? You’ve already memorized it.
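To put numbers on the character-set and search-space definitions above, here is an added Python example (mine, not the post’s) that computes the search space, the entropy in bits and the worst-case brute-force time at the post’s rate of one hundred trillion guesses a second, including the Moore’s-law projection. The two short passwords in the demo are constructed stand-ins for the post’s missing example pair (five characters from every class versus eight lowercase letters).

```python
import math

# The four classes together give the 95 printable ASCII characters the post
# counts (space is included among the 33 symbols).
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 95 - LOWER - UPPER - DIGITS  # 33

GUESSES_PER_SECOND = 1e14  # the post's one hundred trillion guesses per second
SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(password: str) -> int:
    """Size of the smallest standard character set containing every character
    of the password; the attacker is assumed to know which classes were used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search has to cover: charset ** length."""
    return charset_size(password) ** len(password)


def bits_of_entropy(password: str) -> float:
    """log2 of the search space, the usual way to state brute-force strength."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate, in years, at `rate` guesses/s."""
    return search_space(password) / rate / SECONDS_PER_YEAR


def years_to_exhaust_after(password: str, years_from_now: float,
                           doubling_months: float = 18) -> float:
    """The same estimate once attacker capacity has doubled every
    `doubling_months` months (the post's Moore's-law assumption)."""
    speedup = 2 ** (years_from_now * 12 / doubling_months)
    return years_to_exhaust(password, GUESSES_PER_SECOND * speedup)


if __name__ == "__main__":
    # Constructed stand-ins for the post's two missing example passwords,
    # followed by the two passwords the post discusses.
    for pw in ("Tr0b&", "bluecars", "S3cuRep@s$!", "Ilovespringtime1!"):
        print(f"{pw:18} len {len(pw):2} charset {charset_size(pw):2} "
              f"{bits_of_entropy(pw):5.1f} bits  "
              f"{years_to_exhaust(pw):9.3g} years now, "
              f"{years_to_exhaust_after(pw, 5):9.3g} years in five years")
```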

Password Managers

Password Managers (or vaults) provide a way to store all of your passwords behind one master password. The premise is that you only need to memorize one password and that will grant access to all of your stored passwords. Furthermore, these managers have the ability to generate ultra-secure random passwords for you and since you won’t need to memorize them, they can be quite long. Good password managers also have options to allow you to sync your passwords across devices, indicate how strong your current passwords are, and log you into sites and services automatically.

There are some downsides. Forgetting your master password can lose you access to all of your passwords. Secure password managers cannot provide your password to you if you forget it. If you have a weak master password, getting compromised will give the bad guy access to all of your passwords.

Some excellent password managers are: LastPass, KeePass, Dashlane, 1Password, and RoboForm 8.

Creating good passwords

There are many formulas to help you create and remember passwords while still allowing you to have strong, unique passwords for every site you visit. Here’s my favorite:

  1. Start with a strong base password. Let’s use Ilovespringtime!
  2. Now use the address of the website you’re visiting to provide some unique characters. Count the number of characters in the site’s address, excluding the domain (.com, .net, etc.), and add that to the end of the password.
     e.g. If we’re creating a password for Facebook, our password would be Ilovespringtime!8
  3. Now to add a little more uniqueness: take the first and last letter of the address and add them to the end of the password as well.
     e.g. Our completed, mostly unique password for Facebook would be Ilovespringtime!8fk

This might seem like overkill at first glance, but consider this: the password is easy to remember and extremely secure. Once you memorize your base password, you’re able to work out the rest simply by looking at the web address and remembering your formula.
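The recipe above written as a function, added here and not taken from the post. How a multi-label host such as online.example.com is reduced to a single name is my assumption (the label directly before the top-level domain), since the post only shows the facebook.com case.

```python
from urllib.parse import urlparse


def site_name(address: str) -> str:
    """Reduce a web address to the name the recipe counts: the host without
    scheme, path, a leading 'www.' and the final domain label (.com, .net, ...).
    'https://www.facebook.com/login' -> 'facebook'.
    Assumption (mine, not the post's): for hosts with several labels, such as
    online.example.com, the label directly before the top-level domain is used."""
    if "://" not in address:
        address = "https://" + address  # bare host names are accepted too
    host = urlparse(address).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def derive_password(base: str, address: str) -> str:
    """Apply the post's recipe: base password, then the number of characters
    in the site name, then the first and last letter of that name."""
    name = site_name(address)
    if not name:
        raise ValueError(f"cannot extract a site name from {address!r}")
    return f"{base}{len(name)}{name[0]}{name[-1]}"


if __name__ == "__main__":
    base = "Ilovespringtime!"
    for url in ("https://www.facebook.com/login", "amazon.com",
                "https://online.wellsfargo.com"):
        print(f"{url:32} -> {derive_password(base, url)}")
```

One caveat the recipe carries: every derived password shows the same base, so someone who learns one of them and the matching address can work out the others, which is the case the post’s recommendation of a password manager with random per-site passwords addresses.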

There are numerous stories online about someone’s password being discovered through a security flaw in some website, after which the bad guys took that password and tried all the usual spots: Amazon, BofA, Wells Fargo, and so on. Having unique passwords for at least any website or app that is tied to your personal and financial information is extremely important.

IoT Leads to New and Interesting Breaches.

May 16th, 2018, posted in Uncategorized

An unnamed North American casino had its high-roller database stolen. An interesting but not uncommon story in the modern world of cybersecurity. Let’s ratchet the quirkiness up a notch: the hackers breached the network through a networked thermostat in a fish tank located in the casino’s lobby. This latest hack calls back into question the inherent insecurity associated with the drastic increase in Internet-connected devices.

The statistics are staggering. The IoT industry is holding steady at 19.2% compound annual growth. IoT usage in industrial manufacturing is expected to reach nearly one trillion dollars by 2020. The number of IoT devices currently in use is estimated at thirty-one billion. That number is expected to rise to over seventy-five billion by 2025.

These connected devices drastically expand the attack surface, and unlike traditional networked devices, security is often an afterthought if addressed at all. Thermostats, refrigerators, light bulbs, smart speakers, picture frames…these single or narrow-use devices are churned out at competitive prices, and if we’ve learned anything over the last decade it’s that security is hard.

Robert Hannigan ran the British government’s digital-spying agency, Government Communications Headquarters, from 2014 to 2017 and recently spoke at the WSJ CEO Council Conference in London, “With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem… I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost.”

Calling for stronger regulations, he added, “It’s probably one area where there’ll likely need to be regulation for minimum security standards because the market isn’t going to correct itself. The problem is these devices still work — the fish tank or the CCTV camera still work.”

A Week in the Life of a Ransomware Infection

April 30th, 2018, posted in Uncategorized

A Cautionary Tale

From a security perspective, there are two types of business owners: those that have experienced a ransomware outbreak in their business, and those that haven’t. Conversations with the two groups are drastically different. People who’ve had the misfortune of being at the mercy of a ransomware virus will tell you how surprisingly disruptive it is to their business continuity. Even with up-to-date backups and a highly responsive IT staff or company, some downtime is unavoidable. Under less favorable conditions that downtime can extend to days and even weeks.

Can’t my data just be decrypted? There has to be a workaround.

If you were given two very large prime numbers, it would be relatively easy to find their product. However, if you were given a massive number and asked to find the two numbers that, when multiplied together, equal the original, that is a far more difficult task, one that even modern computers cannot solve efficiently. Properly implemented encryption cannot be shortcut.

How did this virus get in?

Most likely in one of two ways. Hands down, the majority of ransomware infections come from malicious attachments in emails. These emails are designed to encourage people to open them; a shipping manifest from FedEx, a past-due invoice or a résumé are the most common examples of subterfuge. The other, less common but potentially more damaging, means of ingress is a weakness in your network’s perimeter that has been put in place to accommodate a third party, usually a payment processor.

What follows is a dramatized version of events from a fictitious ransomware outbreak. While it may seem like saber rattling, the remediation of some outbreaks goes better, but many go a lot worse.

Monday Morning

Something isn’t right. Spreadsheets and documents refuse to open. Line-of-business applications give a vague error before quitting. A call is placed to IT support. A short while later they call back. It’s ransomware. All the files and folders on the server have been encrypted and there are instructions in a text document regarding how to properly contact the bad guys so that you can pay the ransom without their identity being revealed. Not to worry, there’s an external hard drive plugged into the server and all your data gets backed up there. Unfortunately, that’s been encrypted or deleted as well.

Monday Afternoon

As difficult as it may be to come to terms with, the realization sets in that the cheapest way to get back up and running is to pay the ransom and hope that the anonymous person on the other end of the line will provide the software necessary to decrypt. The Tor browser is downloaded and the journey onto the dark web begins. Once contact is made, the negotiations begin. Originally the attacker wants $10,000 worth of Bitcoin, but eventually $5,000 is agreed upon.

Tuesday Morning

Most Bitcoin exchanges require account verification before large sums of Bitcoin can be purchased. This could take upwards of 72 hours. A lucky break is caught: a friend who invests in Bitcoin is willing to sell off $5,000 without any exchange fees tacked on. Contact is made again with the hackers, henceforth known as Ivan, and the Bitcoin is sent over.

Tuesday Afternoon

A decrypter is received from Ivan and work begins on decrypting every file and folder on the server.

Tuesday Night

The decryption software continues to run but it appears to be skipping random files.

Wednesday Morning

The decryption process has finished but there are still many encrypted files left over. The entire process is started over, hoping for better results this time. Meanwhile, every old external hard drive and thumb drive is scoured for usable data. Losing a year or two of data is better than losing it all.

Wednesday Afternoon

No luck – the software is skipping files and folders wholesale. Attempts are made to reconnect with Ivan in hopes that he is both willing and able to help with this.

Thursday Morning

Ivan responds. The news isn’t good. He thinks the software detected an attempt to decrypt the files without paying the ransom and has purposely sabotaged the data. In a last-ditch effort he provides another decryption tool. This one seems to be working better than the last one but still skips files randomly. Nothing to do but wait and hope.

Thursday Afternoon

The second decrypter has conked out. Back to the dark web to reach out to Ivan again. Miraculously, he is still responding. He does have a reputation to maintain, after all. He takes a deeper dive through his records and realizes that the virus spread through the network so quickly that different instances of it were competing to encrypt files. The significance of this is that each one requires a different decryption key. So far he’s handed over two. Turns out you need twenty-two more. The good news is this will probably work. The bad news is each decrypter takes twelve or more hours to run and the server can only handle a few running concurrently.

Friday Morning

IT worked through the night targeting mission-critical data with the twenty-four decrypters. After four days of downtime, business resumes, albeit at a reduced capacity. Some critical data was not recovered: even though it was decrypted, the process corrupted it beyond repair.

Monday Morning – Week Two

Business is back to full capacity. Although attempts were made over the weekend, some data will never be recovered. Hopefully what was lost is not bound by any form of compliance or retention laws.

How to avoid being in this situation in the first place

The first key ingredient is some form of encrypted off-site backup. Every business should have a current copy of its data somewhere in the cloud. In the above scenario, the business owner would have thumbed their nose at the ransom demands while their backups were being restored. The business would have been back up and running Tuesday morning at full capacity with no data loss.

The second piece of the puzzle is to force third-party vendors to be more secure when connecting to your network. This often means the use of a secure, encrypted, VPN connection. Some companies agree without issue while others try to push back because adding extra steps adds time. If a vendor refuses, try to replace them. This might seem like a drastic step, but the alternative could be a week or more of downtime and data loss.

Blockchain 101

April 23rd, 2018, posted in Uncategorized

What is Blockchain?

Blockchain is a resilient, distributed, and decentralized digital ledger of transactions. It allows digital information to be distributed but not copied. Traditionally, central authorities were needed as an arbiter of trust between parties wishing to transact online. The blockchain makes it possible for peers to guarantee transactions in an automated, secure fashion. In short, blockchain makes possible the digital equivalent of cash exchanging hands.

Where did it come from?

Although blockchain saw its first effective use with the advent of Bitcoin, its roots can be traced back to 1976 in a paper titled New Directions in Cryptography, written by Whitfield Diffie and Martin Hellman (yep, those guys), where they postulated the idea of a distributed ledger. Obviously certain things were required for this idea to come to fruition: a vast network of interconnected computers with enough computing power to crunch away at the complicated calculations required to validate the blocks (transactions) in a blockchain. Fast forward to 2009 and conditions are right for a real-world application. Enter Bitcoin. Part of the brilliance of using blockchain to create digital currency is the ability to build in a financial incentive for users who are willing to use their computing power to validate the blockchain. Voluntarily validating Bitcoin transactions has the possibility of producing a percentage of a Bitcoin as compensation. This has given rise to the term miner and to people building special-purpose computers solely for the sake of high-performance mining.

An interesting aside: electricity usage for machines mining Bitcoin is expected to top forty-two terawatts this year. That puts it just behind Peru in terms of energy demand.

How do cryptocurrencies use Blockchain?

Bitcoin and alternative currencies like Ethereum and Litecoin all utilize blockchain technology a bit differently. In the case of Bitcoin, a new block in its blockchain is created roughly every ten minutes. That block verifies and records new transactions that have taken place. In order for that to happen, mining computers provide a proof-of-work: a calculation that creates a hash which verifies the block and the transactions it contains. Several of those confirmations must be received before a bitcoin transaction can be considered effectively complete. This provides resiliency, as multiple independent entities all verify each transaction. The entire blockchain is maintained in this way. This means that no single entity can control the market or manipulate the blockchain’s history without controlling 51% of all mining computers, a feat reasonably assumed to be impossible. This is a vital component, because it certifies everything that has happened in the chain prior, and it means that no one person can go back and change things. It makes the blockchain a public ledger that cannot be easily tampered with, giving it a built-in layer of protection that isn’t possible with a standard, centralized database of information.
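A toy proof-of-work chain, added as an illustration (not code from the post or from Bitcoin), showing the three properties the paragraph relies on: mining is expensive but verifying is cheap, each block commits to the previous block’s hash, and rewriting an old block invalidates everything after it unless all of it is re-mined. The transactions and the three-zero target are constructed; Bitcoin’s target is enormously harder.

```python
import hashlib
import json

DIFFICULTY = 3           # leading hex zeros a block hash must have (toy target)
GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


def block_hash(block: dict) -> str:
    """SHA-256 over the block's fields in a canonical (sorted-key) encoding."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def mine_block(prev_hash: str, transactions: list, difficulty: int = DIFFICULTY) -> dict:
    """Proof-of-work: bump the nonce until the hash meets the target (many hashes to find, one to check)."""
    block = {"prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while not block_hash(block).startswith("0" * difficulty):
        block["nonce"] += 1
    return block


def verify_chain(chain: list, difficulty: int = DIFFICULTY) -> bool:
    """Valid when each block has a correct proof-of-work and links to the previous block's hash."""
    expected_prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block)
        if block["prev_hash"] != expected_prev or not digest.startswith("0" * difficulty):
            return False
        expected_prev = digest
    return True


def build_chain(batches: list) -> list:
    """Mine one block per batch of transactions, each linked to the last."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        chain.append(mine_block(prev, txs))
        prev = block_hash(chain[-1])
    return chain


def remine_from(chain: list, start: int) -> list:
    """What rewriting block `start` really costs: the proof-of-work for it and
    every later block has to be redone, while honest miners keep extending the
    original chain (hence the majority-of-hashing-power requirement)."""
    prev = GENESIS_PREV if start == 0 else block_hash(chain[start - 1])
    fixed = chain[:start]
    for block in chain[start:]:
        fixed.append(mine_block(prev, block["transactions"]))
        prev = block_hash(fixed[-1])
    return fixed


def tamper_demo() -> tuple:
    """Constructed ledger: alter one amount in the first block.  Verification fails
    (block 2's prev_hash no longer matches) until the chain is re-mined from there."""
    chain = build_chain([[{"from": "alice", "to": "bob", "amount": 5}],
                         [{"from": "bob", "to": "carol", "amount": 2}],
                         [{"from": "carol", "to": "alice", "amount": 1}]])
    before = verify_chain(chain)
    chain[0]["transactions"][0]["amount"] = 500  # rewrite history
    after = verify_chain(chain)
    remined = verify_chain(remine_from(chain, 0))
    return before, after, remined
```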

What is the future of Blockchain?

It’s definitely too early to tell, but the possibilities are vast. Blockchains could drastically improve identity management online, reducing identity theft. Blockchain could also help secure the woefully unsecured Internet of Things as well as networking in general. Blockchain technology could be used to distribute social welfare in developing nations, and even completely disrupt the election process.

In the Cyber Security world (and others), non-repudiation is a huge deal. Blockchain could complete the trifecta, slotting in with digital signatures and cryptography.

Memcached DDOS Attack Reaches 1.7 Terabits

April 16th, 2018, posted in Uncategorized

There’s a new DDOS attack in town and it’s a doozy. This amplification attack takes advantage of unsecured (misconfigured) Memcached servers, and the return on investment is staggering. Sending a forged request to a susceptible Memcached server on port 11211 will trigger a response to the intended target that has been amplified by a factor of 51,000. The result has been the largest sustained denial-of-service attacks in history. GitHub successfully withstood a 1.3 terabit-per-second attack and several days later an unnamed company in the United States was buffeted by a 1.7 Tbps attack.

According to Wikipedia, “Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read.” The Memcached software is free and open source and runs on Linux, OS X, and Windows, with widespread adoption over the last decade.

Usually, these types of servers are used internally, disconnected from the public internet and only accessible within a trusted network to improve performance. But it appears a lot of people have been leaving Memcached servers exposed to the open internet where they can be discovered and exploited by just about anyone.

Indeed, tools have already started cropping up enabling ‘script-kiddies’ to take advantage as well without understanding the underlying technology. One such tool, written in C, comes complete with a pre-compiled list of 17,000+ vulnerable Memcached servers. Another, written in Python, leverages Shodan to search for and obtain a fresh list of vulnerable servers. Both tools automate the sending of spoofed UDP packets.

The original version of Memcached, created by Brad Fitzpatrick, did not support the UDP protocol. That functionality was added in 2008 by Facebook. The change was made without providing any means of authentication, as developers falsely assumed that these servers would only run inside trusted networks. Later versions of the software eventually added authentication support for TCP but again left UDP out of the loop. That was, of course, until terabit-level denial-of-service attacks broadsided several sites last week. The open-source project was quickly updated to lock down the UDP port by default.
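A defender-side check, added here (not from the post or the Memcached project), that reads a memcached.conf-style option file or a memcached command line and reports the two settings behind this attack: a UDP port other than 0 and a wildcard listen address. -U/--udp-port and -l/--listen are memcached’s own options; the two sample configs are constructed.

```python
import shlex

# -U/--udp-port (0 disables UDP) and -l/--listen are memcached's own options.
# Whether a missing -U means "UDP on" depends on the build: it did until the
# release after these attacks turned the UDP port off by default, so the caller
# has to say which behaviour applies.


def parse_memcached_options(text: str) -> dict:
    """Collect the UDP port and listen addresses from a memcached.conf-style
    file (one option per line, '#' comments) or a memcached command line."""
    opts = {"udp_port": None, "listen": []}
    for line in text.splitlines():
        tokens = shlex.split(line.split("#", 1)[0])
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok in ("-U", "--udp-port") and arg is not None:
                opts["udp_port"], i = int(arg), i + 2
            elif tok.startswith("--udp-port="):
                opts["udp_port"], i = int(tok.split("=", 1)[1]), i + 1
            elif tok in ("-l", "--listen") and arg is not None:
                opts["listen"], i = opts["listen"] + arg.split(","), i + 2
            elif tok.startswith("--listen="):
                opts["listen"], i = opts["listen"] + tok.split("=", 1)[1].split(","), i + 1
            else:
                i += 1  # unrelated option such as -m or -p
    return opts


def audit_memcached(text: str, udp_default_on: bool) -> list:
    """Findings that matter for the amplification attack: reachable UDP and
    binding to every interface.  `udp_default_on` states what this build does
    when -U is absent (True for builds from before the default was changed)."""
    opts = parse_memcached_options(text)
    findings = []
    if opts["udp_port"] is None and udp_default_on:
        findings.append("UDP on by default (port 11211): add '-U 0' or upgrade")
    elif opts["udp_port"]:
        findings.append(f"UDP enabled on port {opts['udp_port']}: set '-U 0' unless it is required")
    if not opts["listen"]:
        findings.append("no -l given: memcached binds all interfaces; bind a private address")
    elif any(a in ("0.0.0.0", "::") or a.startswith("0.0.0.0:") for a in opts["listen"]):
        findings.append("listening on a wildcard address: bind a private or loopback address")
    return findings


# Constructed configs: the exposed setup behind the attacks, and the same
# service restricted to loopback with UDP off.
WEAK_CONF = "-m 64\n-p 11211\n-U 11211\n-l 0.0.0.0\n"
HARDENED_CONF = "-m 64\n-p 11211\n-U 0\n-l 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached(conf, udp_default_on=False) or ["no findings"])
```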

Similar to herd immunity, sites will not be safe from this attack until enough Memcached servers are patched or otherwise secured, a process that many experts predict will take quite some time.