ICIW2008: Characterizing Malware Writers can Computer Attackers in Their Own Words

Dr. Thomas J. Holt, University of North Carolina, Charlotte

• digital crime markets
• problem is increasing
• also becoming more complex
• criminological research
• little research has been done
• few studies have explored malware and hacker community in their own words
• online resources
• blogs
• forums
• this study focuses on Russia & China
• not using their real handles
• data & methods
• qualitative analysis
• identify 2 via snowball samples
• qualitative analyses of open source materials online
• linguists involved
• RUSH
• malware writer and hacker in Moscow
• skilled individual
• possible emotional problems
• RUN
• close associate of RUSH
• skilled hacker
• CS major at a Moscow university
• may have minor health issues
• loves his cat
• Black Hat Gang
• both RUSH and RUN belong
• no stated political or financial agenda
• provide a justification for their activities
• rush & ru seem to have dif levels of productivity
• have worked together
• SAINT
• Chinese national in Jinzhou
• does not specify his motives but gives Chinese perspective
• actions are somewhat contrary to his words
• young student but doesn't enjoy school
• likes girls & posts comments about love & relationships
• SNAKE
• associate of SAINT
• difficult to gage his skill level
• may be a script kiddie
• is a student
• may also have emotional issues though no specific reasons given
• Hack Crew
• SNAKE & SAINT are members
• covert security technology group
• criteria for membership
• roles listed for members
• SNAKE is a cracker
• SAINT is a hacker/cracker
• not clear how skilled group is as a whole
• Discussion
• all extremely interested in tech
• variation in skill levels
• justify what they do as education
• some evidence of depression & substance abuse
• variation in information provided
• public & private resources needed to get mroe info
• further research needed

ICIW2008: Establishing the Human Firewall: Improving Resistance to Social Engineering Attacks

Jamison Scheeres, Air Force Institute of Technology

• what is social engineering
• techniques to manipulate people
• also shoulder surfing
• also dumpster diving
• trick someone into doing something
• huge threat in today's environment
• red teams say SE is 100% effective
• current defensive techniques are not effective
• research
• successful SEs are not caught
• classification issues
• ethical issues in deceiving subjects
• psychological triggers
• authority
• reciprocation
• strong affect (phishing)
• overloading (buffer overflow for humans)
• deceptive relationships
• integrity/consistency
• principles of persuasion
• authority
• consistency
• liking
• reciprocity
• scarcity
• social proof
• resistance to persuasion
• inoculation theory
• self-efficacy
• forewarning
• "dispelling the illusion of invulnerability" (2002, Sagarin)
• methodology
• compared psych triggers to principles of persuasion
• determine relationship between illegitimate persuasion & social engineering
• military vulnerable to authority due to strict hierarchy of authority
• conclusions
• strong relationship between principles and triggers
• illegitimate persuasion = social engineering
• been trying to install resistance in the wrong way
• solution is to demo to the individual they are personally vulnerable
• security people must social engineer their people
• future research
• develope measurement
• compare/validate various means of resistance training

The unintended consequences of large-scale storage

Jeff Atwood over at Coding Horror has posted about something called Rainbow Tables. Now, I don't want to turn this blog into a discussion of encryption so let me boil it down for you.

Windows passwords are stored in an encrypted format known as "hashes". When you enter your password, Windows encrypts it for you and compares it to the stored hashed version. If it matches, you're let in. If it doesn't you're not. There's no way to decrypt the hashed version of your password in any reasonable amount of time, if at all, and is therefore considered a secure method of storage.

The problem now is that you can get a database of pre-hashed content. Known as rainbow tables, these are basically a table with just two columns, first column, a word (or other combination of letters) and in the second, the matching hash. Now, if you have a hash, you can look it up in the table and see what the original password is. In other words, it's not decrypting the hash, its hashing all possible passwords in advance.

This is such a simple hack. So, why is it coming to light now. Well, the problem is large-scale portable storage. In the past, tables such as these were considered to big to bring to the computer you're trying to hack. But these days, a 1GB flash drive would allow you to carry a rainbow table that covered all conceivable passwords between one an 14 characters in length, containing just English letters. Here's Jeff's chart showing example storage requirements:

If you're suddenly not worried about a Rainbow Table measuring 64BG I've got a 500GB portable USB hard drive I'd like to show you.

Here's the bottom line, in Jeff's example, the password "Fgpyyih804423" (one that's probably a hell of a lot stronger than any password you use) was broken in just 160 seconds using a rainbow table.

Lowest SAT score ever.

Dude takes the SAT and answers every question incorrectly, on purpose. What a way to hack the system.