Sri Lanka clamps down on social media in the wake of Easter massacres. Authorities suspect an Islamist group, but no terrorist organization has so far claimed responsibility. CIA intelligence is said to have the goods on Chinese security services’ hold over Huawei. Marcus Hutchins, also known as MalwareTech, and famous as the sometime hero of the WannaCry kill-switch, has taken a guilty plea to charges connected with the distribution of Kronos banking malware. Joe Carrigan from JHU ISI on password research from WP Engine.
Dave Bittner: [00:00:03] Sri Lanka clamps down on social media in the wake of Easter massacres. Authorities suspect an Islamist group, but no terrorist organization has so far claimed responsibility. CIA intelligence is said to have the goods on Chinese security services' hold over Huawei. Marcus Hutchins, also known as MalwareTech and famous as the sometime hero of the WannaCry kill switch, has taken a guilty plea to charges connected with the distribution of Kronos banking malware.
Dave Bittner: [00:00:38] It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:40] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 22, 2019. Sri Lankan authorities have shut down most social media in that country in an effort to prevent the spread of inflammatory rumor or disinformation. The restrictions follow a series of apparently coordinated suicide bombings that killed Christians at worship in Batticaloa, Colombo and Negombo and others, including guests staying at tourist hotels at five other sites in Colombo. Police have arrested 24, but no group has claimed responsibility.
Dave Bittner: [00:02:19] Agence France Presse reports that Sri Lankan security authorities issued an alert over a week ago warning police that chatter collected from various intelligence sources suggested the likelihood of jihadist actions by Nations Thowheeth Jama'ath (ph), or NTJ, during the Christian holy week. It remains unclear whether that group organized the bombings. CNN says almost 300 are dead; about 500 are wounded.
Dave Bittner: [00:02:46] NTJ had previously distinguished itself mostly by defacing Buddhist statues in the majority Buddhist nation. Sri Lanka had gone through a lacerating civil war from 1983 to 2009, but the opposing sides were defined ethnically and geographically with the predominantly Hindu Tamils - a bit more than 11% of the population - seeking an independent state among the northern rim of the island. The majority Sinhalese, with about 75% of the population, are predominantly Buddhist. A coordinated campaign of lethal violence on the parts of jihadists is something new. Muslims make up less than 10% of the country's population, slightly more than Christians. Authorities concluded this morning that the NTJ was in all likelihood responsible and have taken a number of its adherents into custody for questioning. They've also found quantities of explosives - for the most part, detonators - in the possession of the group.
Dave Bittner: [00:03:45] The police and intelligence services think there's a fairly high probability that the bombers received assistance from like-minded international jihadist groups. Reuters quotes experts who see ISIS or al-Qaida in the attack's methods. Sri Lanka's defense minister attributed the massacres to followers of religious extremism. Investigation continues. A presidential commission has been appointed to look into the massacres. It's likely to also look inward at what some critics are calling an intelligence failure.
Dave Bittner: [00:04:16] The clamp down on social media is a preventative reaction. Social media has spread violent contagion elsewhere in South Asia over the past year. And various figures in the NTP have romped pretty freely across YouTube, in particular in recent months.
Dave Bittner: [00:04:32] The Times of London reported Saturday that the CIA shared intelligence with Five Eyes partners, establishing Huawei's significant funding by Chinese security services. The Times treats this as significant, which suggests their sources see investment amounting to control, not simply purchase of goods and services; more significant, for example, than what The Washington Post notes in an unrelated editorial about Microsoft's AI research cooperation with a Chinese military university. While one might question the wisdom of a U.S. company working with a Chinese defense research establishment on any number of grounds, they might include the risk of sensitive technology transfer, IP theft, providing technology that might be used in ongoing repressive measures and so forth, but it would seem a stretch to say the least to say that Microsoft had come under the sort of control Huawei is thought to be subject to. Thus it would be interesting to learn more of the nature of the funding Huawei received.
Dave Bittner: [00:05:34] Marcus Hutchins, sometime hero of WannaCry's kill switch, pleaded guilty to U.S. federal charges involving making and selling malware for, quote, "surreptitious interception of wire, oral or electronic communication" - end quote. Hutchins, also known by his white hat name MalwareTech, was apparently already a person of interest to the U.S. FBI for some time before he came to fame for stumbling across WannaCry's kill switch and recognizing that kill switch for what it was. He was arrested in the U.S. while on a kind of post-WannaCry victory lap through the conference circuit in the U.S.
Dave Bittner: [00:06:12] The crime to which he has allocuted - as they say on "Law & Order" - involved the creation and sale of the Kronos banking malware, designed to harvest account credentials. Hutchins apparently began his malware entrepreneurial career in his teens. He says he's outgrown that phase and that he now knows better. And no doubt, he does. This may well be another instance of that sadly familiar online disinhibition that grips so many when they use the internet. Mr. Hutchins, a British subject, now faces sentencing. The two counts in his guilty plea each carry a maximum sentence of five years.
Dave Bittner: [00:06:53] I'd like to take a moment to thank our sponsor, Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyberthreats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, visit scs.georgetown.edu/cyberwire. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.
Dave Bittner: [00:07:53] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He's also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:08:02] It's good to be back, Dave.
Dave Bittner: [00:08:03] You've got an interesting story to share with us here today. This is about passwords. What do we got here?
Joe Carrigan: [00:08:08] Right. This one comes from WP Engine, who did a little bit of research. And if you go to wpengine.com/unmasked, you can find this incredibly interesting article in here.
Dave Bittner: [00:08:20] Yeah, these folks do WordPress hosting.
Joe Carrigan: [00:08:23] Right. What they did was they went out and they got a hold of a couple of old breaches. And they started analyzing the breaches and seeing if they could pull out matching passwords, if they could generate matching passwords. So all these passwords were plain text passwords that have already been cracked. But what they did was they looked at the information, and they tried to do some correlation and figure out how easy it was to generate a password that would match. So they aren't actually doing any hashing.
Joe Carrigan: [00:08:51] And one of the things they say in this report is that Hashcat - they talk about Hashcat being able to perform 300,000 hashes a second depending on how your password is hashed...
Dave Bittner: [00:09:01] Right.
Joe Carrigan: [00:09:01] ...The limit to Hashcat is really how much money you have to spend on hardware. So if you can buy a bunch of GTX 1080 Ti's and put them into a machine, that can crack way more than 300,000 passwords a second.
Dave Bittner: [00:09:14] Well, couldn't you also buy that service from, like, AWS or - they have GPUs...
Joe Carrigan: [00:09:19] Yeah, yeah they do.
Dave Bittner: [00:09:19] ...For sale, right? Yeah.
Joe Carrigan: [00:09:21] They have GPU processing for sale. You can probably run Hashcat on that as well.
Dave Bittner: [00:09:24] Yeah.
Joe Carrigan: [00:09:24] I have never tried it. I used my own GPUs to do this. But it - Hashcat is a remarkable tool. You should look into it. A couple of things - there is no difference in the quality of passwords between men and women, that we're all equally bad at it.
Dave Bittner: [00:09:40] OK, phew (laughter).
Joe Carrigan: [00:09:43] Right. If you're going to add a number at the end of your password, that really doesn't make it any more secure. Can you guess the No. 1 number that was added at the end of a password to make it different?
Dave Bittner: [00:09:56] Well...
Joe Carrigan: [00:09:57] The No. 1 password...
Dave Bittner: [00:10:00] Yeah, the number - the number one...
Joe Carrigan: [00:10:02] Number one, right.
Dave Bittner: [00:10:02] The number one - oh, and it was the number one.
Joe Carrigan: [00:10:04] There you go. It's number one.
Dave Bittner: [00:10:05] (Laughter) OK.
Joe Carrigan: [00:10:07] So if you take your password, and put a one after it, that essentially doesn't make any difference, right?
Dave Bittner: [00:10:12] Because so many people do that.
Joe Carrigan: [00:10:14] Right. Twenty-three percent of passwords that end in a number end in the number one.
Dave Bittner: [00:10:18] Wow. OK. I'll just choose two.
Joe Carrigan: [00:10:21] Right, yeah, that 6.72 passwords end in the number two.
Dave Bittner: [00:10:26] So this method is not effective.
Joe Carrigan: [00:10:29] It is not effective. Absolutely not affected...
Dave Bittner: [00:10:31] Yeah.
Joe Carrigan: [00:10:32] ...Effective. Now, they talk about this concept called password entropy, right...
Dave Bittner: [00:10:35] Right.
Joe Carrigan: [00:10:36] ...Which is essentially a measure of how good your password is. And they say that a password with an entropy of 60 or greater is actually less common than a password with an entropy of zero to five. So a lower number is worse, right? So a password with an entropy of zero to five would be something that you could crack in a matter of seconds...
Dave Bittner: [00:10:55] Oh.
Joe Carrigan: [00:10:55] ...Right? And a password with entropy of greater than 60 would be something that you could crack in years.
Dave Bittner: [00:11:01] Wow, OK.
Joe Carrigan: [00:11:02] So it's much more common to find passwords you can crack in a second than it is to find passwords that take forever to crack.
Dave Bittner: [00:11:09] Right. Right. OK. I guess that's not surprising.
Joe Carrigan: [00:11:11] That is not surprising. Do you think that you're clever by using keyboard patterns to generate passwords because, you know, that's going to be a hard password that's kind of difficult to remember?
Dave Bittner: [00:11:21] A random string of numbers by walking down the keyboard.
Joe Carrigan: [00:11:24] Right. Yeah, it's not really random at all. It's terribly predictable, just like almost everything humans do.
Dave Bittner: [00:11:29] (Laughter) Right, right.
Joe Carrigan: [00:11:29] And this report shows you 20 different patterns, including one that's actually generated just by pressing the digits two through nine on your keyboard.
Dave Bittner: [00:11:40] On your mobile device.
Joe Carrigan: [00:11:41] On your mobile keyboard, right - on your mobile device.
Dave Bittner: [00:11:43] Yeah.
Joe Carrigan: [00:11:44] So I mean, that one looks like it's secure because it's ADGJMPTW.
Dave Bittner: [00:11:50] Right. So if you look at it on a regular keyboard, it looks random.
Joe Carrigan: [00:11:52] Yeah.
Dave Bittner: [00:11:53] But on a mobile device, you're just walking...
Joe Carrigan: [00:11:54] Mobile device is 23456789.
Dave Bittner: [00:11:57] ...Walking along. OK. Silly humans.
Joe Carrigan: [00:11:59] Right. I love these kind of reports. The most used base password phrase - No. 1, still password.
Dave Bittner: [00:12:08] Of course it is.
Joe Carrigan: [00:12:08] It's still just password. Then they break it down by nouns, verbs and colors.
Dave Bittner: [00:12:13] As I was happy to see that names and usernames that David is on there, but Joe is not.
Joe Carrigan: [00:12:19] That's right. The article starts - I love - in the middle of this article, they have, like, lists of different kinds of password parts. Right?
Dave Bittner: [00:12:28] Right.
Joe Carrigan: [00:12:29] And it starts with saying - name your favorite superhero, pick a number between 1 and 10, and then pick a color. Right? So if that's how you're generating your passwords, then you're generating passwords that are easy to guess because I can take a very limited set of lists and start trying to crack these passwords just by appending them together. And the fact that you're putting a number between them, I know you're going to pick a number between 1 and 100, probably.
Dave Bittner: [00:12:53] Right.
Joe Carrigan: [00:12:53] Right? So that's where I'm going to start guessing. But more importantly than that, I have to say this again, Dave...
Joe Carrigan: [00:13:00] ...You should not be generating your own passwords. You should be using a password manager to do that for you. If you were to ask me what my password to Facebook is, I don't know what my password to Facebook is. My password manager knows that. And it's a 20-character, randomly generated password that would take years to crack.
Dave Bittner: [00:13:17] Yeah. I thought it was interesting. One of the things in this article is they went through some high-profile folks...
Joe Carrigan: [00:13:22] Right.
Dave Bittner: [00:13:23] ...And tracked what the entropy of those passwords would be and how long it would take to crack them. Some of them take tenths of a second. Some of them take hours or longer.
Joe Carrigan: [00:13:33] Right.
Dave Bittner: [00:13:34] But the longest - the strongest password of the bunch belonged to a GitHub developer. It's basically what you describe. It's these, you know, 20-character-long, just random string of characters that have absolutely no meaning or no association with anything.
Joe Carrigan: [00:13:47] Right.
Dave Bittner: [00:13:47] And it had an entropy of 96. The weakest was a senior manager at a major tech company. And it was 123456. Like you said, it's probably for a throwaway sign-up or something like that...
Joe Carrigan: [00:13:59] Right.
Dave Bittner: [00:13:59] ...Because who would be so...
Joe Carrigan: [00:14:01] Silly.
Dave Bittner: [00:14:02] Yes. Thank you, Joe. Thanks for saving me there. I was thinking of another S word. But yours is much better. Yours is much better, yeah.
Joe Carrigan: [00:14:09] Yes, don't do that. Use a password manager. Use a password manager. Use a password manager. And another way you can increase your strength is by using multi-factor authentication.
Dave Bittner: [00:14:17] Once again, you know, everybody thinks they have a system.
Joe Carrigan: [00:14:20] Right.
Dave Bittner: [00:14:20] Everybody thinks they're being clever.
Joe Carrigan: [00:14:22] No, your system stinks.
Dave Bittner: [00:14:23] Yeah (laughter).
Joe Carrigan: [00:14:24] Let me tell you that right now. Your system is not as good as randomly - or pseudo-randomly - picked letters by a computer.
Dave Bittner: [00:14:30] Yeah. And thanks to this article, I mean, you've got the data to prove it.
Joe Carrigan: [00:14:32] Right, absolutely.
Dave Bittner: [00:14:33] All right. Well, yeah, I recommend folks check this out. It's an interesting article. So Joe, thanks for bringing it to our attention. Great having you on the show.
Joe Carrigan: [00:14:42] It's my pleasure, Dave.
Dave Bittner: [00:14:47] And that's The CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at thecyberwire.com. Thanks to all of our sponsors for making The CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:15:05] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:15:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell. Our staff writer is Tim Nodar; executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
Georgetown University School of Continuing Studies Master's in Cybersecurity Risk Management is offered on campus and online. Gain hands-on practice developing and executing strategies, policies, and safeguards to manage cybersecurity risks across an enterprise. Learn more at scs.georgetown.edu/cyberwire.