Austin Story

Ruby, Rails and Javascript Blog


Lockerware Part 2: Combatting the Threat Using Email Best Practices

February 5, 2014 By Austin Story

In my last post I explained how lockerware is a new type of virus that encrypts a user's data and offers them the option of paying a ransom to get it back. This post is dedicated to the three options this new persistent threat presents: ignore it, cure it or pro-actively avoid it.

I will combine ignoring and curing because they are related and simple. Ignoring the threat means doing business as usual: continue to download all or most attachments from email, click on internet and email links without scrutiny and install random software from the internet. Following this route will surely get some form of Lockerware onto your system. Once infected, you can either erase all your data and start fresh or pay several hundred or thousand dollars for the criminals to unlock your data so that you can use it.

A pro-active strategy is probably where most people want to be, but it involves sacrificing some convenience for the extra security.

First, have a solid backup strategy in place. This strategy will be different for consumers vs businesses, but the common element is to have 3 copies of your data. The first is the data itself. The second is a backup copy stored onsite on a separate drive, preferably in a separate area of the building. The third is a backup copy stored far enough away that a local/regional disaster would not wipe out all copies of the data.

Second, be critical of the things you receive in email. Email is similar to a postcard because the sender can easily forge where it is coming from. In email, it is trivial for a hacker to set their message as being from “Bank of America”. This trick is particularly bad because users have a tendency to grant trust to email from respected sources like Bank of America or the FBI that they would not grant to other sources. This trust usually causes users to ignore the common preventative steps that I recommend at the end of this article.

Hackers also use email content to trick people. The most common method is through clickable links. People get links all the time that may say something like “watch this super cute cat video”, but the link that is sent can be programmed to display one thing and send the users who click it to a completely different site. In plain English, that means that if you click the cat video link, it could actually send you to a malicious website. Even worse, that site could contain a virus that your phone or computer could download and run automatically.

A great real world example of these email tricks comes from a friend who is paid to test banking security. During his last test he was able to hack a Bank President through email links. He did this by researching the President on Facebook. He discovered that the President was a member of a quilting club. Using that knowledge, he crafted an email that appeared to be from the quilting organization and contained a link to a new membership information file. By clicking the seemingly trusted link, the President unintentionally put her entire organization at risk. Luckily, it was just a drill and an opportunity to improve security.

So how do you avoid being fooled through email? Here are the guidelines that I recommend.

1. If you did not ask for or expect the file, don’t open it, ever
2. Don’t believe the return address…just because it says it is from your bank or friend does not mean that is who actually sent it
3. Even if the email is from your friend, assume that the contents are malicious and scrutinize the content
4. If you have to visit an email link, copy it to your clipboard and paste it into your browser
5. If you have to download something from email, scan it with your anti-virus before opening it

By following the steps above you will avoid a good portion of the bad things that are sent through email.
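Guidelines 2 and 4 above can be partly automated. The Ruby script below is an added example, not code from the post; it runs two checks over a constructed sample message: whether a From display name claims an organization whose domain does not match the actual sender address (the trusted-domain list is made up for the example), and whether a link's visible text names a different host than its href actually points to. The domains in the sample are invented `.test` names.

```ruby
require 'uri'

# Constructed sample message (not a real email). It shows both tricks the
# post describes: a forged display name and a link whose text says one site
# but whose href points somewhere else.
SAMPLE_FROM = '"Bank of America" <alerts@example-lookalike.test>'
SAMPLE_HTML = <<~HTML
  <p>Watch this super cute cat video:
  <a href="http://definitely-not-cats.test/dl.exe">http://www.youtube.com/watch?v=cats</a></p>
  <p>Or log in at <a href="https://www.bankofamerica.com/login">Bank of America</a></p>
  <p>See <a href="http://example.test/page">example.test/page</a></p>
HTML

# Hypothetical allow-list: display names you expect and the domain they
# should really be sending from.
TRUSTED = { "bank of america" => "bankofamerica.com" }.freeze

Link = Struct.new(:href, :text)

# Pull (href, visible text) pairs out of an HTML body. A regex is enough for
# this example; a mail client would use a real HTML parser.
def extract_links(html)
  html.scan(%r{<a\s+[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>}im)
      .map { |href, text| Link.new(href, text.strip) }
end

# Host named by a string, treating bare "example.test/page" as a URL too.
# Returns nil when the string is not URL-like (e.g. "Bank of America").
def host_of(str)
  str = "http://#{str}" unless str.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
  URI.parse(str).host
rescue URI::InvalidURIError
  nil
end

# Guideline 4: link text can say one thing while the href goes elsewhere.
# Returns the links whose visible text looks like a URL on a different host.
def mismatched_links(html)
  extract_links(html).select do |link|
    shown = host_of(link.text)
    shown && shown.downcase != host_of(link.href).to_s.downcase
  end
end

# Guideline 2: the return address is as forgeable as a postcard's. Flag a
# From header whose display name is on the trusted list but whose address
# domain is not the expected domain (or a subdomain of it).
def suspicious_from?(from_header, trusted = TRUSTED)
  m = from_header.match(/\A\s*"?([^"<]*?)"?\s*<([^>]+)>/)
  return false unless m
  name = m[1].strip.downcase
  domain = m[2].split('@').last.downcase
  expected = trusted[name]
  return false if expected.nil?
  domain != expected && !domain.end_with?(".#{expected}")
end

if __FILE__ == $PROGRAM_NAME
  puts "Suspicious From header: #{suspicious_from?(SAMPLE_FROM)}"
  mismatched_links(SAMPLE_HTML).each do |l|
    puts "Link text claims #{host_of(l.text)} but goes to #{host_of(l.href)}"
  end
end
```

The display-name check only fires for names on the allow-list, so it produces no noise for ordinary senders; the link check only fires when the visible text itself looks like a URL, which is exactly the case where a reader is most likely to trust what they see instead of where they are going.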

Filed Under: Information Security Tagged With: Cryptolocker, Information Security

Lockerware: The New Era of Viruses and Ransomware

January 9, 2014 By Austin Story

Over the past several years we have seen the evolution of bad software that can get onto people’s computers. When these things were first created they were mostly malignant and the result of curious people who just wanted to poke around at the internet.

Over time this type of activity has evolved into crime syndicates using software that spies on users, sends spam email, collects banking credentials and grants bad guys access to computers so that they can use them to hack other computers. The more tech-savvy of you will recognize these systems as Botnets, Zombie Farms, Zeus Banking Trojans and Spambots.

However, we recently experienced a game changer. A new set of software is making criminals upwards of millions of dollars per month in a completely untraceable way. This software is called Lockerware. The pioneer of Lockerware is called Cryptolocker and was first detected in early 2013. It works by using military grade security to scramble the files, documents, pictures and other data on a computer using a key; this is called encryption. It then sends the key off of your computer and will only release the key to undo the damage if a ransom of 300 to 2000 or so dollars is paid using untraceable virtual currency. Users know they have it when they get a popup that says “Your files are encrypted, pay us $1000 in 96 hours or we will delete the key.” A timer then begins to count down to zero. If you pay the ransom they give you the key and you get your documents back; otherwise they are gone forever unless you had a solid backup in place.

These guys have made a TON of money. An estimated 3% of users pay the ransom and around 12,000 new infections are reported per week (that would amount to 360,000 dollars at 1000 per paid infection). At hundreds of thousands of dollars in profit per week, it is probably not a surprise that a half dozen variations of Lockerware have been reported. What you wouldn’t expect is that a 23 year old developer has recently released a $100 toolkit that people can buy that includes the code to create Lockerware. Furthermore, the next logical step in the evolution of this type of software will be for it to become smart enough to spread on its own across the internet. This is the equivalent of some awful virus like ebola becoming airborne, and WHEN it happens there will be a lot of people and companies that lose access to their data.

To prepare for this upcoming evolution in virus software, people have 3 choices going forward: ignore it, cure it or prevent it.

In my next article I will address steps that the everyday computer user can take to prevent Lockerware from getting onto their computers.

Filed Under: Information Security

Pattern Lock Passwords…Not as many choices as you would think

November 10, 2013 By Austin Story

Phones currently give the option of using a 9 dot pattern to unlock the phone. Although this is not perfect, it is better than nothing. However, I was thinking the other day: most people use the same password, so I wonder how many use the same pattern. Furthermore, how many possible patterns are there given a number of dots? I will be addressing the latter question in this post and will collect input from readers to determine the former.

The pattern I will be using is the common 3 rows of 3 dots. I will number the dots from left to right. The top will be 1, 2, 3. The middle row 4, 5, 6 and bottom 7, 8, 9. I will also be calling a single continuous swipe amongst many numbers a route. So swiping from 1 to 5 to 7 would be a route.

I started to look at the number of possibilities for a pattern. The way the algorithm works, you can route between 2 and 9 non-repeating dots. So I could route from 1 to 2 and that would be valid. I could also route 1 to 5 to 9. For you non-mathheads out there, this is known as a Factorial problem (written with an !, so 9! means 9 factorial). So for the number of choices with 2 dots, I start from 9! but only take the first 2 choices. All those possible 2 digit combinations are in the picture below.

[Image: All Choices]

So for 2 dots we take the first 2 factors of 9!: 9 * 8 = 72 choices.

However, after thinking about the problem, I realized that I could NOT select 1 to 9. Why? Because 5 is in the way of 1 to 9. So this immediately removes many choices. Not only could I not route 1 to 9, I could also not route 9 to 1, 1 to 3, 6 to 4, etc. It has been a LONG time since my discrete math course, and I couldn’t figure out a way to remove these blocked patterns in a formula, so I graphed it in Excel and highlighted in red all of the choices that would not be possible.

[Image: CroppedNoChoice (impossible choices highlighted in red)]

As you can see, by removing the impossible choices, we have reduced our possible combinations by 16 (which is 22%), from 72 to 56.

I would also add that there is another subset of choices: the “inconvenient” choices. These include all routes that involve moving from a corner to an opposite side middle dot or vice versa, for instance 1 to 6. To do this successfully you have to weave your finger between the 2 and 5 dots while routing from 1 to 6. In a world where convenience is king, I thought it important to consider these as unlikely and produce a different data set for them. I highlighted the inconvenient routes in yellow.

[Image: CroppedInconveint (inconvenient routes highlighted in yellow)]

Now, with the 16 inconvenient choices highlighted, we have chopped another 22% off the original set, and the number of convenient combinations is 40, which is nearly half of our original 72.

I tallied up the number of possible and inconvenient choices in the table below. To read the table, the top row is your first dot choice, and the rows below give the number of Next Choices. So if you start with 1, you have 8 total choices, but 3 of those are impossible and 2 are inconvenient, leaving you with 5 choices with the impossible ones removed and 3 choices with both the impossible and inconvenient ones removed.

Table of Possible Routes

First dot                                            1  2  3  4  5  6  7  8  9
Total Choices                                        8  8  8  8  8  8  8  8  8
Impossible Choices                                   3  1  3  1  0  1  3  1  3
Inconvenient Choices                                 2  2  2  2  0  2  2  2  2
Total Choices – Impossible Removed                   5  7  5  7  8  7  5  7  5
Total Choices – Impossible and Inconvenient Removed  3  5  3  5  8  5  3  5  3

At this point, the math is beyond my ability. However, I do recognize some patterns in the graph and in the palindrome of the numbers above. Either way, I brute forced this by whipping up a couple of quick recursive Ruby functions that count the good, impossible and inconvenient permutations. I will put them in my GitHub account. If you need help understanding the code please leave a comment.

What you will notice in the results is that the impossible and inconvenient routes compound exponentially, meaning that the more dots we use, the quicker we lose good routes. The results are below.

Table of Possible Routes with Impossible Exceptions

Dots in Route  Total Routes  Good and Convenient  Good (Convenient + Inconvenient)  Impossible Routes
2              72            40 (55.56%)          56 (77.78%)                       16 (22.22%)
3              504           160 (31.75%)         304 (60.32%)                      200 (39.68%)
4              3024          496 (16.40%)         1400 (46.30%)                     1624 (53.70%)
5              15120         1208 (7.99%)         5328 (35.24%)                     9792 (64.76%)
6              60480         2240 (3.70%)         16032 (26.51%)                    44348 (73.33%)
7              181440        2984 (1.64%)         35328 (19.5%)                     146112 (80.53%)
8              362880        2384 (.66%)          49536 (13.65%)                    313344 (86.35%)
9              362880        784 (.22%)           32256 (8.89%)                     330624 (90.11%)

http://www.stef.be/dev/javascript/patternlock/

But it gets more complicated than that. You CAN go from 1 to 9 if 5 is already selected. So I added exceptions to our algorithm: it tests for our impossible routes and then checks the preceding string to see if the dot that would allow the formerly impossible step is present. So if the route were “52197”, we would see the “19” and then check the digits before it; since there is a “5” in “52”, this step is actually possible. Here are the numbers after adding the new logic.

Table of Possible Routes (with the pass-through exception)

Dots in Route  Total Routes  Good and Convenient  Good (Convenient + Inconvenient)  Impossible Routes
ALL            986400        46128 (4.68%)        389203 (39.46%)                   596912 (60.51%)
2              72            40 (55.56%)          56 (77.78%)                       16 (22.22%)
3              504           176 (34.92%)         320 (63.49%)                      184 (36.51%)
4              3024          648 (21.43%)         1624 (53.7%)                      1400 (46.30%)
5              15120         2040 (13.49%)        7152 (47.3%)                      7968 (52.7%)
6              60480         5248 (8.68%)         26016 (43.02%)                    34464 (56.98%)
7              181440        10448 (5.76%)        72912 (40.19%)                    108528 (59.81%)
8              362880        15168 (4.18%)        140704 (38.77%)                   222176 (61.23%)
9              362880        12360 (3.41%)        140704 (38.77%)                   222176 (61.23%)
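The enumeration behind the two tables, written out as an added Ruby example (this is not the code from the post's GitHub repository, just an independent implementation of the rules described above). It uses the post's dot numbering, treats a step over an unvisited middle dot as impossible unless that middle dot already appears earlier in the route, and treats corner-to-opposite-side-middle steps as inconvenient. The depth-first walk visits every ordering of 2 to 9 distinct dots and tallies each length separately, so the totals match 9 * 8 * ... as in the tables.

```ruby
# Dots are numbered as in the post: 1 2 3 / 4 5 6 / 7 8 9.

# Pairs of dots with a third dot directly between them, keyed by the sorted
# pair. Stepping across that middle dot is impossible unless the middle dot
# is already part of the route (the "1 to 9 if 5 is selected" exception).
MIDDLE = {
  [1, 3] => 2, [4, 6] => 5, [7, 9] => 8, # rows
  [1, 7] => 4, [2, 8] => 5, [3, 9] => 6, # columns
  [1, 9] => 5, [3, 7] => 5               # diagonals
}.freeze

# Corner-to-opposite-side-middle steps: the post's "inconvenient" routes.
INCONVENIENT = [[1, 6], [1, 8], [2, 7], [2, 9],
                [3, 4], [3, 8], [4, 9], [6, 7]].freeze

# When a route mixes step classes, the worst class describes the route.
RANK = { convenient: 0, inconvenient: 1, impossible: 2 }.freeze

def worst(a, b)
  RANK[a] >= RANK[b] ? a : b
end

# Classify one step from `from` to `to`, given the dots already visited
# (including `from`). Returns :impossible, :inconvenient or :convenient.
def classify_step(from, to, visited)
  mid = MIDDLE[[from, to].sort]
  return :impossible if mid && !visited.include?(mid)
  INCONVENIENT.include?([from, to].sort) ? :inconvenient : :convenient
end

# Classify a whole route, e.g. [5, 2, 1, 9]: the 1 -> 9 step is fine because
# 5 was selected first.
def classify_route(route)
  status = :convenient
  route.each_cons(2).with_index do |(from, to), i|
    status = worst(status, classify_step(from, to, route[0..i]))
  end
  status
end

# Tally every route of 2..9 distinct dots by length. Impossible routes are
# still counted so :total equals the permutation count in the post's tables;
# :possible is the post's "Good" column (convenient + inconvenient).
def count_all_routes
  counts = Hash.new do |h, n|
    h[n] = { total: 0, convenient: 0, possible: 0, impossible: 0 }
  end
  (1..9).each { |start| walk([start], :convenient, counts) }
  counts
end

def walk(route, status, counts)
  if route.size >= 2
    c = counts[route.size]
    c[:total] += 1
    if status == :impossible
      c[:impossible] += 1
    else
      c[:possible] += 1
      c[:convenient] += 1 if status == :convenient
    end
  end
  (1..9).each do |dot|
    next if route.include?(dot)
    step = classify_step(route.last, dot, route)
    walk(route + [dot], worst(status, step), counts)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Dots  Total    Convenient  Possible  Impossible"
  count_all_routes.sort.each do |n, c|
    puts format("%-5d %-8d %-11d %-9d %d",
                n, c[:total], c[:convenient], c[:possible], c[:impossible])
  end
end
```

Running the script prints one row per route length. Because an impossible step taints the rest of the route, a route is only "good" when every step in it is allowed at the moment it is drawn, which is what makes the order of the dots, not just the set of dots, matter.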

Conclusion

We find that less than 5% of the 986,400 dot patterns are in the Good and Convenient subset, which is over 46,128 routes. Most phones will only give you 5 tries per 30 seconds, so it would take over 64 hours to get through every permutation. To get through all Good (Convenient + Inconvenient) routes it would take over 540 hours, which is a little less than 22 days.

So, although this is not anywhere close to a game changer, I suspect that this problem will end up being similar to passwords. For instance, although there are 8,153,726,976 possible 5 character passwords using 96 characters, the vast majority of the ones in use will be common ones like “12345”, “god” and “monkey”.

I suspect that we will find something similar with pattern swiping. For instance, most right handed people probably start with dot 1 because that is where the thumb is when you pick the phone up with your right hand. Left handed people will probably have the same tendency with dot 3. Also, there will probably be some motions that I did not capture in the inconvenient subsets I defined above.

I also suspect that most people will have a tendency to use a set number of dots. I don’t know what that is, but 4 or 5 seems like something that is convenient and long enough to make someone feel good about setting the swipe password.

Soon I will put up a swipe checker and collect data from people for a few months to see what we find.

The code can be accessed here https://github.com/Austio/DotPattern

Filed Under: Information Security Tagged With: Dot Pattern, Information Security, Phone Security, Phone Swipe Pattern
