A Practical Guide to Cybercrime

Richard Clayton

Recorded at GOTO 2017


What I'm going to talk about is: I'm going to give you a quick plug for our Cybercrime Centre, I'm going to talk about ransomware, business email compromise, DDoS extortion, and then the very wonderful topic of passwords.

I've been looking at bad things on the internet for over 20 years, and my approach to this, as an academic, is data-driven, which is jargon for "I collect lots of data and I count things". The data which I get, I get from industry under various forms of non-disclosure agreement. What basically happens is I go to conferences, I go to trade shows, I talk to people who have data, I drink beer with them in the bar till two o'clock in the morning, and after you've drunk beer with people for a couple of years in the bar until two o'clock in the morning they think you're a jolly good chap and they give you lots of data, and then you can count it. I've had some help from some really smart people, my co-authors on all of these papers.

But we're beginning to realize that this is how everybody does cybercrime research. Everybody in this field has their own data sets, which they obtained under NDA or collected in various ways, and as a result nothing can be reproduced. Nobody can check my calculations. If you come to me and you say "that's a really interesting paper, Richard, could I have a copy of your data so that I can do some more work on it", I will say to you "but I got it under NDA", and you'll say to me "well, tell me who you signed the NDA with and I'll drink beer with them until two o'clock in the morning and they will sign an NDA with me and then I can look at your data". "Oh, I'm terribly sorry," I will say, "Rod insists that I never mention his name, and I'm not allowed to tell you who gave me the data." So you can't actually check that when I counted things I ended up right. This doesn't really look like science, and it's not just my data, it's everybody's; is this really science?

So what we're doing in Cambridge is this. I have five years of funding from the government Research Council, and there are six and a half of us, mainly computer science, but I have a criminologist, and the half is a psychologist, and our approach is data-driven, etcetera; there are mission statements on here. What we're really doing is we're going back to all the people who gave us data and saying, wouldn't you like to give us the data in such a way that we can share it with other academics? We'll take in the data, we'll collate it and make it into useful data sets. Then, supposing you're a machine learning person and you want to research phishing, you've got a really good idea about how to detect phishing websites, then you can come to me and I will give you a data set of phishing websites. You won't have to spend two years drinking beer until two o'clock in the morning, because I can give you the data tomorrow. You won't have to learn how to track phishing websites and collect the web pages, because they're only up for a few hours. You don't have to learn any of that stuff at all; you could just get a data set off me and you could be doing machine learning tomorrow morning. Plus I can give that data to somebody else who is doing machine learning, and then we can compare the results and see which method is better, by using the same data for two different techniques. Doesn't that look a little bit more like science? Doesn't that look a little bit more useful?

Now, we can't make the data open, we can't make it public data, for all sorts of reasons, including the fact that the people who give it to us actually sell it to other people. They give it to me for free because I'm a good chap and they drink beer with me till two o'clock in the morning, but everybody else has to pay for it, so we can't make it open data. But we can make it available to other academics. So that's what we're trying to do in Cambridge, and it's not competition. I'm really old, right, at the end of my career; this is going to be the last job I have in my career, so I don't actually care about how many papers we write in Cambridge. Yes, I have really first-class people there, they're doing first-class work, but at the end of five years, when I go cap in hand asking for money in order to keep this centre running in the future, what I'm going to be talking about is not how many papers we wrote in Cambridge but how many academic papers we caused to be written across the whole of the world, because we have a new way of making data available to academics so they can really study cybercrime. In the end, that's why we get funding: because academics can help us understand the mechanisms and what's behind cybercrime, so that we can do better at deterring it. So that's where I'm coming from. If you're an academic, that's where you go in order to get hold of the data.

Now I'm going to talk about some real cybercrime. Now, I am talking about this from the point of view of defenders; if you're an attacker in the audience, make notes, because this tells you how to do your job better.
Ransomware is basically a program which you run, you click on something, and the program encrypts all of the data on your hard disk and you have to pay money for the decryption key in order to get your data back again. Now, back in 1989 I actually got one of the AIDS Trojan disks in the post in the UK. They'd got hold of one of the computer magazines' distribution lists and they sent me a five and a quarter inch floppy in the post which had a program on it. I took one look at the description of the program and decided I'm not going to run this. If you did run it then it encrypted all of your hard disk, and then you were supposed to make a donation to an AIDS charity and then you'd get your data back. It was really badly done, because they stored all of the encryption keys on the hard disk as well, so it really wasn't very threatening. From 1996 some fine academics worked out how to do it properly using public keys, so that you actually have to pay them the ransom. We saw a burst of activity back in 2005, 2006, but the thing that really hit the headlines for ransomware was 2013, when CryptoLocker came along.

CryptoLocker's innovation was that they asked for the payments in Bitcoin. Previously, if you were going to pay via gift cards or by making a PayPal donation or whatever, then it was really easy for the police, because they could just follow the money; with Bitcoin it is a bit harder to follow the money. And the people who wrote CryptoLocker put lots and lots of effort into their customer support. If you paid for CryptoLocker then they would knock themselves out swapping emails with you, helping you understand how to decrypt your data, holding your hand all the way through: exemplary customer support. The reason they did that was because then anybody who paid would tell all their friends "if you pay, you'll get your data back", which is a very strong recommendation, and lots of people paid; lots of people want their data back, including lots of police departments.

After the success of CryptoLocker, who made a couple of million dollars, we saw lots and lots of variants, hundreds and hundreds of them. On any given day lots of your email spam, that thing you don't click on, is in fact ransomware, but much of it doesn't work properly, so if you paid you wouldn't be able to decrypt it, because they've messed up their code, because the bad guys are worse at writing code than the good guys, and that's really saying something. And some of it is just badly designed, so you don't have to pay anyway. Go and have a look at nomoreransom.org, where for various families of ransomware there are actually tools for unlocking all of the stuff, because they're as competent as the AIDS guy in terms of actually producing a system where you have to pay.

So how do we avoid ransomware? Well, you use a sophisticated anti-spam system. I'm sorry, your copy of SpamAssassin which you've been running since 1998 will not cut it anymore; you need fancy machine learning systems and so forth. If you're getting your email through Google, Yahoo, Hotmail, whatever, then they're running lots of very fancy machine learning and lots of this stuff is filtered out for you; if you're using something not as good as that, then ransomware will get through. You can run some antivirus, and the problem with antivirus is that the criminals tweak their malware until the antivirus doesn't detect it and then they ship it, and then the antivirus will catch up over the next day or two. So if you're really slow at answering your email then antivirus is a good solution; otherwise it doesn't help you in the slightest. You could not click on attachments, with a bit of training. The main thing about training is that it explains the risks to people and how to actually spot slightly more suspicious emails than otherwise, but it doesn't really help, because lots of people's jobs is receiving documents and clicking on them, so telling them not to click on them is not very good advice.

Really, what you can do is not give everybody in your company access to every single share, every single disk file which you own. You may have to read some data from the rest of the company; you don't necessarily have to write it, and if you can't write it, the ransomware which you click on can't write to it either, so it can't be encrypted either. And if you have a database, don't put it on the open internet. The people who have MongoDB, MySQL or whatever systems without passwords on the open internet: the bad guys scan the internet and find them, and then they encrypt them, and then they send you a ransom demand, a demand for money. The problem is there's quite a lot of people doing this, so your MongoDB database which is sitting out on the internet, as soon as it's spotted it'll get encrypted, and it'll get encrypted ten times before breakfast and you'll get 10 demands to get your MongoDB database back again; you're gonna have to pay all 10 people.

So here's some practical thinking about ransomware. Ransomware is a business continuity issue. It's the same threat to your data as me pouring a glass of water over this laptop. It's the same threat as a rogue employee who doesn't like you deleting lots of files on the Friday afternoon or Friday evening because they know they're going to be sacked on Monday morning. It's the same threat as your building burning down; it's the same threat as your data center being flooded. As I've already said, asking people not to click is not a good solution, but do they actually need a copy of Word? Can you give them WordPad instead? Do they actually need scripting enabled in PDFs? Right, if your Adobe Reader has JavaScript enabled, turn it off.

And the real fix for ransomware is backups, but the backups can't be online, because otherwise the ransomware can go and encrypt those backups as well, and they're preferably off-site. The reason I recommend off-site backups is partly because if the building burns down then they're probably all right, but the really important reason is that whilst you drive to go and pick up the backups and you're driving back to the office, you'll be thinking about what you're going to do, and it might just possibly occur to you, in the time as you're driving back to the office, that it'd be a really good idea to make sure you've got rid of all the malware before you load up the backups and have them re-encrypted as well. All right, so thinking about what you're going to do is as important when dealing with backups in an emergency situation as having the backups in the first place. And basically you don't have a backup unless you've tested that it works and you've restored a file from it on a regular basis and it's come back okay. All right, lots of backup systems say "yes, I've written the backups", and when you go and try and read them you can't read them. And basically if you don't practise you'll be really slow. The real threat of ransomware is not that your data gets encrypted but that your data isn't available for one or two days because you're learning how to do restores. Learn how to do restores beforehand and you'll be in much better shape.

So now I'll talk about business email compromise, and the important one of these, really the expensive one, is the fake invoice. So I worked on a case where I actually provided expert evidence to a tribunal on this. Some people in Indonesia who mined coal sold coal to a company in Thailand who made cardboard boxes. They burnt the coal to drive off the water from the wood pulp in order to make cardboard boxes, and since they made a lot of cardboard boxes they needed a lot of coal, so they signed a contract to buy three boatloads of coal from Indonesia, and the first shipment was going to turn up in the middle of March. So at the end of February the people in Indonesia sent an invoice to the people in Thailand, and they were a multinational company so they wanted the money paid to a bank in Hamburg, and 12 hours later they sent another email saying "sorry, we're having a bit of trouble with our banking in Hamburg, could you actually pay it to our bank in West London instead". So they carried on swapping email about the shipment of coal; there was a dispute about the calorific value, there was a dispute about the timing of the unloading, and so forth, and eventually the coal turned up at the harbour in Thailand to be unloaded, and the people in Indonesia said "but you haven't paid us yet", and the people in Thailand said "we're having a bit of trouble with our bank, it'll be all right in a moment". The people in Indonesia didn't want to delay the unloading, because they'd delayed in the past when there'd been a problem with the bank, and there had been weeks over who was gonna pay the extra money for the ship which had sat around four to six hours instead of unloading, so they said "no, unload the coal, they're good for it". At that point an email turned up from the bank showing that the money had been paid to the bank in West London, and the people in Indonesia said "why did you pay the money to a bank in West London? We want it paid..." They had trouble communicating with each other for several days, because email didn't seem to work anymore, and they ended up having to use Gmail accounts and ring each other up.

It turned out that right back at the beginning somebody in Lagos, and I know it was Lagos because I looked at the headers, somebody in Lagos had sent the second invoice, which was completely fraudulent, but they had sent it from a domain name which looked like that multinational but had an A in it rather than an O, and when the people in Thailand had replied, the email had been delivered to the people in Indonesia, but instead of having a .th domain name it had a .tv domain name. For the following three weeks they had swapped email, because in business you just reply to the previous email and you get these long email chains, and the man in Lagos had been copying, cutting and pasting between the two things the whole time, and once they had the money they stopped cutting and pasting, and that's why the email communication broke down after the fraud was discovered. In fact it took them most of a week to work out it was a fraud and not a mistake. That was, you know, it's a funny story and a man-in-the-middle attack, and it really worked, and that was three million dollars, 90% of the cost of a boatload of coal.
I've seen other cases involving a million dollars' worth of palm oil, and the FBI reckoned that this has cost about three billion dollars since January 2015. This is big business: fake invoices being replaced. Right at the bottom of all of this is a compromise of an email system, so that the fraudsters can see the real invoice and then they can make a copy of it and change the bank details.

A less important but still damaging form of attack is sometimes called CEO fraud or president fraud. What happens is that you come to a conference like this and your accounts department gets an email from you saying "please pay the supplier; I forgot to tell you about this before I left for the conference; don't ring me up, my phone's turned off because I'm in sessions all morning, but it's really important we pay this by the end of the day; please pay 20,000 euros to the supplier". Often you see look-alike domains here as well, or very similar sorts of Gmail or Yahoo or whatever account names. This is not three million dollars, but equally twenty thousand euros is very damaging for many small businesses.

So how can we avoid these sorts of fraud? Well, if you talk to techies they will say "let's check the incoming email for look-alike domains". Yes, you can do that; it's a bit complicated to do. You can apply DMARC; you can check whether or not the email has been forged, whether or not the DKIM signatures on the email pass; but the bad guys can set up look-alike domains and set up SPF and DKIM and get it right, and they're probably better at it than you are. You can flag email where the Reply-To is different from the From; that's a useful thing to do, because you'll pick up all sorts of strange things if you do that. You could set your email client so it displays the bit in the angle brackets for your email address; that's very useful, and many of the mail systems are starting to change to that by default for you, but it's still a problem on mobile, because there tends not to be room on the screen to show you that detail, and besides which, as the story with the O's and the A's explains, it can be very difficult to spot that the things have been changed.
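The two mechanical checks mentioned above (a Reply-To that does not match the From, and a sender domain one character away from a partner you actually trade with) are easy to script on the receiving side. The following is an added example, not code from the talk or any product it mentions; the partner domains and the two messages are constructed for the demonstration, and the edit-distance threshold of one is an assumption chosen to catch the A-for-O and .th/.tv swaps the story describes.

```python
"""Added example (not from the talk): flag Reply-To/From mismatches and
look-alike sender domains in incoming mail. Domains and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains of partners we actually do business with.
TRUSTED_DOMAINS = {"coalminers.example", "boxes.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. One substitution covers an 'a' swapped for an 'o'
    and also '.th' versus '.tv'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None.
    An exact match is fine; a domain exactly one edit away is suspicious."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) == 1:
            return trusted
    return None


def check_message(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Replies silently diverted to a different mailbox is the classic sign.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to mismatch: From={from_addr} Reply-To={reply_addr}")
    # The visible name looks right; only the domain behind it has changed.
    from_domain = from_addr.rpartition("@")[2]
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"look-alike domain: {from_domain} imitates {target}")
    return findings


# Constructed sample messages: the genuine invoice and the diverted follow-up.
GENUINE = """From: Accounts <accounts@coalminers.example>
To: payables@boxes.example
Subject: Invoice 4711

Please pay to our Hamburg account as per the contract.
"""

SUSPECT = """From: Accounts <accounts@caalminers.example>
Reply-To: accounts.coalminers@webmail.example
To: payables@boxes.example
Subject: Re: Invoice 4711

Sorry, trouble with our Hamburg bank, please pay to London instead.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(label, check_message(raw) or ["no findings"])
```

A finding here is a reason to pick up the phone using the number in the filing cabinet, not a verdict; the check is deliberately cheap so it can run on every inbound message.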
Labeling email that comes from outside the company is useful, because if your CEO normally uses the internal mail system and suddenly the email turns up from outside, labeling that is quite useful. You can mess around with things like PGP and S/MIME; these are all technical solutions; they don't work.

So, practical thinking about business email compromise. First of all, agree about what bank accounts are going to be used on the first day, when you sign the contract. Don't have the contract say "pay to my nominated bank account"; have the contract say exactly which bank account is going to be used. If you're going to buy a house, agree with your lawyer on the first day which bank accounts are going to be used for transferring the money, because otherwise that twenty thousand euros may make a difference that you'll be living with for many years. Then, having agreed the bank account, don't allow it to be changed by email. Insist that people write real letters on real pieces of paper and sign them at the bottom, or turn up in person and talk to the lawyer again, in order to change the details. Most of the time you never need to change the details, right, but you certainly don't need to be able to change them by email. If you really must allow people to change the details by email, then check it out of band, by which I mean go to the filing cabinet, look up the person's phone number and ring them up and say "did you send this email? Did you really want to change the bank account?" Don't do what one of the ones that I've consulted on did, which is they got the email with the change of details on and they promptly replied to it and said "are you sure?", and the criminals said "yes". All right, so don't use the phone number from inside the email; go to the filing cabinet.

And share these stories with your peers. I talk about this at dinner parties, because people don't know this fraud goes on, and if you've heard of it you might actually be able to spot it when it's happening to you and do something about it. You might be able to complain to your lawyer when you're buying a house: "we haven't agreed..." No, you're just shaking hands to walk out the door and you'll say "but we haven't agreed the bank account". All right, you probably need a new lawyer, but you could agree the bank account at that point. But the really important thing you need to do on all of this is you need to empower your accounts department to say no: no purchase order, no payment. And pay your accounts person a bonus when they spot the fraud, and pay your accounts department a bonus when they stand up to the CEO, even when it really is the CEO. Okay: no purchase order, no payment. Follow procedures and this goes away. It's when people try to be helpful and shortcut that you get this fraud.

Now, you may get an email like this. This is a DDoS extortion email. It says "we are Armada Collective", or Lizard Squad, or Fancy Bear, or whatever, and it says your network is going to be DDoSed if you don't pay us ten Bitcoin, five Bitcoin or 100 Bitcoin, or, you know, however much they think you're good for. All right, "if you don't pay immediately we'll put up the price; this is not a joke; our DDoS attacks are extremely powerful; go off and Google us; if you pay we won't tell anybody you paid; it's all Bitcoin, it's anonymous", and so on. They're threatening you, and what happens next? Nothing, like that.

In the past there have been people called Armada Collective, and yes, in the past they did do DDoSes after this, but most of the ones you see now are just people trying it on, hoping you'll pay. If you don't pay, nothing happens. If you're very unlucky, if you're a European bank over the last couple of weeks, then you'll get a one hour DDoS against your website; if you take no notice, nothing else will ever happen. So my practical advice here on DDoS extortion is: under no circumstances whatsoever pay. If you care that you get the one hour DDoS against your website, so your website is not available for an hour, then work that out beforehand, before you ever see one of these emails, and buy yourself a service which will protect against these attacks, and get a guarantee of the upside, so that if it goes down you can at least claim on some insurance or something. All right, basically if you care about DDoS, do something about it, because you need to run your business properly; if you don't care about DDoS, take no notice of these emails. It's useful if you get one of these emails to share it with the police, share it with your trade body if you're a bank or something like that, because what they will do is they will collect up all of the shared emails and they will compare them. If all the Bitcoin wallets are the same, it's definitely a fake. All right, the whole point about Armada Collective was they knew everybody got a different Bitcoin wallet, and they kept lots of notes so that they would know who had paid just by seeing if money had turned up in their Bitcoin wallet. So it's useful here to look at that. Also, if people do pay (and don't, it's really silly, don't pay), if people do pay, then if there's enough money flowing around, Bitcoin is a bit more traceable than people imagine, if they don't actually understand how it works and how to arrange that Bitcoin is not traceable. So report it, but do not pay.

So I'm now going to talk about passwords. Now, this is the traditional way of talking about passwords. We say: suppose you have a safe and there's a four-digit code on it; there are 10,000 possible combinations; how long does it take to open the safe? You might be lucky and get it on the first go; you might have to have 9999 failures and then you open it; but on average it takes five thousand attempts to open this safe. So if it takes you ten seconds to dial the numbers, it will take you thirteen hours to open the safe on average. If you have six digits, it will take eight weeks to open the safe. If instead of naught to nine you have A to Z, then it'll take you twenty-six days to open the safe if it's four characters; six characters, it's 49 years. If you pick from A to Z, big A's, little A's, naught to nine, it'll take you 34 million years to open that safe. That's the traditional way of thinking about passwords and brute force, and this applies to computer passwords, because what happens with your computer password is that you type in your password and then the machine compares what you typed in with the stored secret.

Now, if you hold your passwords in plain text, you can do a straightforward comparison, and you can send really good password reminders: you say "I forgot my password" and they email you and tell you what it was. It's really helpful, but this is not terribly secure. So, dating all the way back to 1963, the suggestion was that you should use a one-way hash. So what you do is you hash the secret, and then when the value turns up you do another cryptographic hash and you check for an exact match. From 1991 they were using 25 rounds of the Data Encryption Standard; more recently than that people have used MD5, SHA-1, SHA-256, you name it, it may be used, because the idea is that reversing these hashes is impossible.
That's why it's a cryptographic hash: a cryptographic hash, you can't reverse it. But you can brute-force it, so you can do the equivalent of twiddling the numbers on the safe. So if you go and buy yourself an NVIDIA GeForce 8800 Ultra, all right, which I pick at random, other graphics cards are available, that will do 200 million MD5s a second. So if you have that A to Z, little letters, naught to 9, length 8, then instead of it taking 36 million years at ten seconds each guess, because you're doing 200 million guesses a second, it'll take you six point three days on average to work out what was the secret which produces this particular MD5 hash. So really good things, GPUs; you can do that. And of course if you're going to do that sort of cracking you can parallelize it: you can buy lots of NVIDIAs etc. and put them in lots of different machines, and each of them will tackle one bit of the problem, so if you buy six point three graphics cards... You can also dish out the tasks, so if you can't actually afford expensive graphics cards like that, you can dish out tasks to different machines and each of them can go at their own speed and do stuff. You can even do it at random, right: you can dish it out to the whole of this audience here, and instead of giving each of them a little block and then trusting everybody in the audience to do their own little bit of the cracking, you could just say "everybody, do it all at random", because somebody will get the right answer at random at some point, and it doesn't matter if people cheat and don't actually do the work, because something else will do the work instead, and it also avoids all the communication costs. So random search is quite a good way of doing parallel tasks. So the usual metric when we're talking about cracking passwords this way is the number of hashes you can do per dollar, and believe me, these days you can do an awful lot of hashes per dollar.
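The safe arithmetic above and the GPU comparison are the same calculation with different inputs: half the keyspace divided by the guess rate. The block below is an added example, not from the talk, that carries that calculation through for any alphabet, length and rate, and also costs the uncoordinated random search the talk describes (each guess independently uniform, so the expected number of guesses is the full keyspace rather than half of it). The 10-second dial time and the 200 million MD5s per second are the talk's figures; the device price and lifetime in the hashes-per-dollar helper are placeholders I chose.

```python
"""Added example (not from the talk): expected brute-force cost for a keyspace,
ordered versus random search, parallel speed-up and hashes per dollar."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets of the given length over the alphabet."""
    return alphabet_size ** length


def expected_guesses_ordered(alphabet_size: int, length: int) -> float:
    """Sequential search: on average the secret turns up halfway through."""
    return keyspace(alphabet_size, length) / 2


def expected_guesses_random(alphabet_size: int, length: int) -> float:
    """Uncoordinated search: everybody guesses uniformly at random with
    replacement, so each guess succeeds with probability 1/N and the expected
    number of guesses is N, about twice the ordered cost. That factor of two is
    the price of not having to hand out blocks or trust the workers."""
    return float(keyspace(alphabet_size, length))


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float,
                     random_search: bool = False) -> float:
    """Expected wall-clock time to recover one secret at the given guess rate."""
    guesses = (expected_guesses_random if random_search else expected_guesses_ordered)(
        alphabet_size, length)
    return guesses / guesses_per_second


def parallel_seconds(alphabet_size: int, length: int,
                     rate_per_device: float, devices: int) -> float:
    """Linear speed-up when each device takes a disjoint share of the keyspace."""
    return expected_seconds(alphabet_size, length, rate_per_device * devices)


def hashes_per_dollar(rate: float, device_price: float, seconds_of_use: float) -> float:
    """The metric the talk mentions: guesses bought per dollar over the device's use."""
    return rate * seconds_of_use / device_price


def humanize(seconds: float) -> str:
    """Pick a readable unit for a duration."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    dial_rate = 1 / 10.0  # the safe: ten seconds per attempt
    for label, alphabet, length in (("4 digits", 10, 4), ("6 digits", 10, 6),
                                    ("4 letters", 26, 4), ("6 letters", 26, 6),
                                    ("8 mixed-case alphanumerics", 62, 8)):
        print(f"{label:28s} {humanize(expected_seconds(alphabet, length, dial_rate))}")
    gpu_rate = 200e6  # MD5 guesses per second on the card the talk cites
    print("8 mixed at 200M MD5/s        ", humanize(expected_seconds(62, 8, gpu_rate)))
    print("same, random search          ",
          humanize(expected_seconds(62, 8, gpu_rate, random_search=True)))
    # Placeholder economics: a $500 card run for one year.
    print("hashes per dollar            ",
          f"{hashes_per_dollar(gpu_rate, 500, SECONDS_PER_YEAR):.3g}")
```

Running it reproduces the talk's figures (about 13.9 hours, 8.3 weeks, 26 days, 49 years and 34.6 million years on the safe; about 6.3 days on the GPU) and shows why adding one character to a 62-symbol alphabet multiplies every row by 62.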
Alternatively, you don't have to do the parallelization that way. What you can do is you can try a small number of passwords against many, many accounts in parallel, because sometimes it doesn't matter which password you crack, just how many you crack. And if you haven't done the patch yet for your Linux system for the Dirty COW vulnerability, you crack any password and you can promote yourself up to root, all right, so cracking just one password may be sufficient and you don't have to crack all of them, or any particular one. All right, so that's parallel cracking with fancy GPU cards.

In the real world, the way in which we crack passwords is like this. Here we have "Richard" with an exclamation mark and a one; that's a really strong password. Here's the MD5, so I can take that MD5 and I can run it against the most powerful cracking system the planet has, and I can crack that password like that, because I feed it into Google and there are five sites there, all of which will tell you that that MD5 is the result of hashing "Richard" with an exclamation mark and a one. Okay, there's lots of these sites; they're sometimes called rainbow table sites; that's in fact not actually technically correct, rainbow tables are a way of reducing the storage requirement for this sort of cracking; they're just straightforward hash sites, but there's quite a lot of them out there.

And particularly for MD5, that is the best way of cracking passwords on a modern system. In order to protect ourselves against these hash tables we salt the passwords, so we add a random value to the password and then we hash that, and what that means is you can't get away with just one hash table; you need 2^s tables for each password, for s bits in the salt, and there's no reason at all why you can't use 32 or 64 bits of salt. So basically salting makes these hash tables almost useless. Usually what you do is you store the salt in clear text right next to the hashed password; very occasionally, for very short salt lengths, you might actually brute-force it at password validation time, but basically you store it there. That does mean that if people steal the password file they get the salts as well.
the modern trend is not to use things
like md5 sha-1 and so forth but to use
special function hash functions which
are designed to run really slowly even
on custom hardware or GPUs and the main
way in which that is done is by
arranging that they do lots and lots of
reads and writes of memory as part of
the action of the hash function because
much the slowest thing you could do can
do on your computer I big amounts of
memory has to go out to the real chips
that takes a long time and these and
these systems tend to be tunable so you
can select how many iterations you want
in order to give you the performance you need. If you're only validating passwords every 20 minutes, you can afford to spend quite a lot of time validating each one, and the names to look for are hash functions like bcrypt and Argon2i.

So what's the practical thinking here about passwords? Well, before I can give you any practical thinking about passwords you need to understand your threat model, right? You can't evaluate a security solution unless you know what the threat model is. So you all have to ask yourself: are the attackers online attackers or offline attackers? Are they going to be stealing my password file and then doing the cracking on their own kit, where they can parallelize it as much as they want, right, or do they have to turn up and actually guess by presenting a guess to your system? Are the attacks targeted or untargeted? Does the attacker win, if you like, if they crack a particular password, or do they win if they crack more than X percent of your passwords, or do they win if they crack any password on your system at all? How much are you going to impose on your users? Can you insist on a long password? Can you insist on the use of lots of different character sets? Or does the system supply the password and people just have to remember it? How much can you impose on people? And are your attackers local or remote? By which I mean, are you protecting your password against your little sister or against somebody in the Ukraine? Because if you're protecting your password against your little sister, then writing it down and putting a piece of paper in your wallet is not a good solution, because when you go and have a shower your little sister can read your password. But it's very difficult for somebody in Ukraine to read a piece of paper which is sitting in your wallet, and even if they mug you on the street, they come over especially from the Ukraine and mug you in order to get the piece of paper from your wallet, you will know that has happened and therefore you can do something about it. All right, so when we say "do not write down passwords", that's really stupid advice. The advice is: do not write down passwords on yellow sticky notes and put them on the monitor, right, but write them down and put them in your wallet, that's just great. And the other question to ask about passwords is: why aren't you using two-factor?
The latest advice on passwords coming out of NIST this year says: forget all that stuff about funny character sets, worry about length, the longer the better, not eight characters, far too short. Don't change the passwords every month or every three months just because you can. I work with a large company, I've been working with them for seven years, they insist I change my password every six months, so my password now has a 14 in it. Everybody does that, I'm sorry, it's true. It doesn't make anybody any safer, right? The only reason that you want to change your passwords on a time basis is because you know the bad guys are stealing your password every three months. If the bad guys are finding your password every three months you need a different fix, not changing passwords. All right.

Remember that for offline attacks the limit is how much money your attacker has, or how big a botnet they can build to do all the cracking in parallel, right? But online you get to set the limits, so make sure your system does set some limits. All right, after n tries, where n is about five, time it out: no more password guessing for a minute or an hour or whatever. All right, better than that is to make it exponentially slower. That's what my phone does: if you keep on getting your password wrong because you're drunk, then after a while it's going to be five, ten minutes before you can make another guess, at which point it might occur to you to wait until you're sober before typing in the password. And the limits need to be... if you're setting up a system you need limits per account, if somebody is attacking one particular account, and also, because they might be attacking all of the accounts in parallel, you need to have limits per IP address, and you might just want to have limits per hour to deal with a botnet, in that if you normally only ever see 20 attempts to log into your system a day and suddenly you had a thousand in the last 10 minutes, then possibly you're under attack and perhaps you want to change what your stance is. So what do the criminals do?
Well, if you give a criminal your password file because your system is insecure, then they will brute-force the passwords. If the passwords are not encrypted that doesn't take very long. If they're not salted then maybe they can just do a lookup, use Google, in order to find out what the passwords are. Otherwise they understand that what people do is they replace O's by zeros, they replace I's by exclamation marks, they change S's into dollars and they stick numbers on the end. So they actually guess passwords by taking a dictionary and they mangle all of the words using those sorts of substitutions and then they guess those. So if you think you've made your passwords secure by one of those substitutions, you haven't made very much difference, sorry. All right.

Once they've cracked a password they use it everywhere. So after... now you've gone shopping online for trainers, and the people who sell trainers have had their website hacked, as a result of which your login, because of course you had to have a username and a password in order to go and buy some trainers, obviously your username and password is now out in the wind and people can use it. And they will try logging into Skype, they will try logging into banks, they will try logging into Facebook, they will try logging into your email account to see whether or not you've used the same password there, and most people do. Fortunately the good guys are also collecting all of these password files and they're also brute-forcing all of the passwords, and what they will then do is they will go and check their systems, and if that password is being used on their system with the same identifier, the same email address, then they will force the password change. Nothing wrong with password changes; what's wrong is just doing it every three months no matter what. They will force password changes and, if they're very clever, they will also arrange that you can never use that password on that system ever again, even if you're not using it at the moment, because many people have a small set of passwords which they use all over the place and they cycle those around, and you want to arrange that that password never works because it's been compromised. And to give you an idea of how weak passwords really are: in 2012 LinkedIn's database was compromised, and the good guys have been cracking away at the LinkedIn data set, and over 90% of the passwords for LinkedIn are now known. Now that's not a very strong result, because LinkedIn... I don't use a very strong password on LinkedIn, because I don't care one way or the other about it, it's not my bank, it's not my email, all right, so we don't all use very strong passwords on LinkedIn. But even the people who thought they were using strong passwords, most of them weren't.

So, some inconvenient truths about passwords. If you're trying to protect things: if you see the wrong password a couple of times and then the right one, that's the real human logging in. If the password is always right, it's come from a mobile phone. If the password is always wrong, it's come from a mobile phone which isn't configured correctly. All right, you need to balance barring: if the bad guy comes along and does lots of guesses you don't want to lock out the real user, because the real user will come and shout at you. If you get a key logger onto your machine then it's game over, everything you type is known to the bad guys. If a clear-text password file is compromised it is game over very fast, and even if it's salted and encrypted, remember LinkedIn, it's pretty much game over. If you've lost your password file you must assume that all of those passwords are compromised. Password managers are a good way forward, but before you have a favorite, take your favorite password manager, go and Google it with the words "security breach" next to it, and you'll discover most of them have problems.

So, to summarize what I've been talking about: first of all I had a quick overview of what we're doing in Cambridge in order to make it easier for other academics to count things. I talked about ransomware: back up your data, practice restoring it, ransomware is a business continuity issue. I talked about... the fix is to empower your accounts department to say no, and I know most of you think your accounts department says no all the time anyway, but... DDoS: say no to an extortion attempt, ignore it, it doesn't matter; if you really care about DDoS, buy a service to protect yourself. And passwords: they need to be hashed and salted, change them only when you need to, and if you're a user, use a long password for email and banking; anywhere else, the complexity, all that stuff about 36 million years to open a safe, is meaningless. Pay attention to the way in which passwords are actually attacked, because that's what really matters. All the cool stuff we do in Cambridge we put on that blog; want to know more about the cybercrime Center, the URL is there. Thank you very much.

[Applause]
[Music]
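The online guessing limits the talk describes, per account with exponential backoff, per source IP, and a per-hour total that flags a possible botnet, as an added Python example that is not part of the talk; the thresholds, addresses and login sequence are constructed for illustration.

```python
# Added example, not code from the talk: the online limits it describes, per account
# with exponential backoff, per source IP, and per hour overall. Thresholds constructed.
from collections import defaultdict, deque

class GuessLimiter:
    def __init__(self, per_account=5, per_ip=20, per_hour=1000, base_delay=60):
        self.per_account, self.per_ip = per_account, per_ip
        self.per_hour, self.base_delay = per_hour, base_delay
        self.fails = defaultdict(int)            # consecutive failures per account
        self.blocked_until = defaultdict(float)  # account -> time its backoff ends
        self.ip_fails = defaultdict(int)         # failures per source IP
        self.attempts = deque()                  # timestamps of attempts, last hour
    def under_attack(self, now):
        """Global limit: far more attempts in the last hour than normal traffic."""
        while self.attempts and now - self.attempts[0] >= 3600:
            self.attempts.popleft()
        return len(self.attempts) > self.per_hour
    def allow(self, user, ip, now):
        """Decide whether a guess may even be checked; returns (allowed, reason)."""
        if now < self.blocked_until[user]:
            return False, "account-backoff"
        if self.ip_fails[ip] >= self.per_ip:
            return False, "ip-limit"
        if self.under_attack(now):   # tighten stance; a real system might demand 2FA
            return False, "global-limit"
        return True, "ok"
    def record(self, user, ip, success, now):
        """Update counters after a guess was actually checked against the hash."""
        self.attempts.append(now)
        if success:
            self.fails[user] = 0     # a genuine login resets the per-account count
            return
        self.fails[user] += 1
        self.ip_fails[ip] += 1
        over = self.fails[user] - self.per_account
        if over >= 0:                # 5th failure: 60 s, then 120 s, 240 s, ...
            self.blocked_until[user] = now + self.base_delay * 2 ** over

def replay(events, limiter):
    """Replay (time, user, ip, password_correct) tuples; count outcomes by reason."""
    outcome = defaultdict(int)
    for now, user, ip, ok in events:
        allowed, reason = limiter.allow(user, ip, now)
        if allowed:
            limiter.record(user, ip, ok, now)
        outcome[reason] += 1
    return dict(outcome)

# Constructed sample: eight bad guesses at "alice" from one address, then the real
# user logging in later from elsewhere, after the backoff has expired.
EVENTS = [(t, "alice", "203.0.113.7", False) for t in range(8)] + [(100, "alice", "198.51.100.2", True)]
```

Replaying EVENTS gives six checked guesses and three refused by the account backoff; the genuine login at t=100 succeeds because the 60 s backoff has expired.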
The first one here was about the attachments you were talking about in the beginning, so what do you think about running attachments in sandboxed, isolated containers?

That's a techie solution. Yes, that works, it's difficult to achieve. There are some products out there which are attempting to do that. If you go and look at a grown-up company like, say, Google, you will find that they have a big emphasis on pushing everything into Google Docs, because the sort of thing which makes your copy of Word fall over and be compromised tends not to compromise Google Docs. So there are some ways forward here in terms of sandboxing and so forth, but for most people that's an awful lot of effort in order to deal with it. What you really need to know is: you need to understand your workflow, understand when you are going to get documents from your co-workers, what they're going to look like and so forth, and basically understand that, and if it's out of the ordinary, don't click on it.

Then there's a lot of questions coming in around passwords here. So somebody's asking: as a developer, if I've saved the hashed passwords and the algorithm is compromised, what should I do? Should I ask all users to change the password and hash it with another algorithm? Or wouldn't it be better to save passwords using reversible cryptography?

The best thing is two-factor. Let's re-emphasize that you shouldn't be... if you're using your own special hash for hashing passwords then you are in a state of sin, do not do that, all right? Producing hash functions that really work is spectacularly difficult. Even the NSA: the reason it's SHA-1 is because they produced SHA-0 first and it didn't work. Even the NSA can get these things wrong. So in general we apply Kerckhoffs's law here: basically code becomes public, many people here are deeply in favor of code becoming public, you must expect your code to become public; it's the secrets which you keep that you keep safe. So just because how you hash passwords has become available to the world, that's not a compromise. It's when your secrets become available to the world because you uploaded them to GitHub, that's when there's a problem.

And there are some questions here around how to compose the password. So two people asked about the Diceware method, I think it's called, and somebody else asks: does it make much difference if real words or made-up words are used in the password?

Length matters, basically. Most people who guess passwords will guess 10, 50 or 5,000 of them, no more than that, all right? So basically it's only if they're going off to attack you offline that they're going to do a full dictionary attack, and then if you have a couple of words you're basically safe. Do not use "horse battery staple" etc., or anything I tell you: anything you've ever seen written down as an example of a password is inherently unsafe, right? So just pick a couple of words. Do not pick a line from your favorite poem, right, because all of the poems in the world are available and people can try that. But to a large extent you're safe provided that you're not in the first 500 most common passwords. So providing you're not using, you know, the easy way out, if you're not using "password1", "123456", or "password" even with zeros in it for the O's, right, you're pretty much safe most of the time.

And maybe the last question: somebody's asking for a recommendation for a good two-factor authentication mechanism.

Ah, hardware. Lots of people use phones, because... but they don't understand how insecure SMS