PANIC Project - BRUCon 2012 Presentation
Disclaimer
● Views and Opinions shared here are our own and not our employers, past, present, or (obviously) future.
We would like to Thank
● Travis McCrea - Designer of our website
● Justin Elze - sysadmin and ideas
● Ashleigh Baumgardner - stats advice
● Mike Kelly of Spiderlabs - access to leaks
● Anyone who provided data and cracked passwords for us.
The Beginning
● May 2011 - Idea born as a blog post
● September 2011 - "announced" at Brucon 2011 Lightning Talks as a multi-part project
But...
● It's still quite useful
● Unique as a leak clearinghouse
● We can work around some of the issues
The Project in 4 Bullet Points
● Automate Collection of Leaks via Pastebin and Twitter
● Clean and remove all data that is not emails or passwords
● Enter the data in a centralized database
● Run analytics on the database to find interesting patterns
The process
● Collecting leaks
● Cleaning the passwords
● Importing the data
● Run Analysis
● Find patterns
● ???
● Profit?
Collecting Passwords
● Data collected via Twitter API and scraping Pastebin
● Plan to add the top 5 leak pastebins
● And eventually as many as we can find
Cleaning The Data
● Leaks contain information that is private and/or unneeded by the project (address, full names, and phone numbers)
● We remove all data besides passwords, hashes, and emails
Automation is key
● There is a LOT of data to go through
● Script ALL the things!
● Profit ???
● The problem is non-standard dumps
Importing Data
● Handcrafted CSV files
● Rake task to introduce them to the Rails environment
● Calculate leak-specific stats
Run Analysis and Find patterns
● Analysis run en masse and leak by leak
● We let the data tell the story
Tools for finding leaks
● PasteLert http://bit.ly/PS9uYh
● PastEnum http://bit.ly/e95kmE
● PasteMon http://bit.ly/x4DS0H
● PasteGrep http://bit.ly/PmUtNk
● Pine Siskin http://bit.ly/QElc8f
???
● Automate bruteforcing
○ Dedicated server or EC2
○ GPU goodness with oclhashcat
● Add more leak sources
● An interactive dataset viewer
● More data, faster
??? contd.
● IRCbot to find links dropped by Anonymous and other similar groups
● Reports - quarterly, for anyone to use to help their company or clients
Data
● Most interesting attribute is "strength"
● How hard is it to crack?
○ Length
○ Presence in dictionary
○ Complexity of character set
Calculating Strength
● First crack at it: complexity ^ length
● The raw strength value is far too large to be manageable
● log(complexity ^ length)
○ Still monotonically increasing with strength
○ Log lets you graph it nicely
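As an added worked example (not the PANIC project's own code), here is that strength score in Ruby, computed in its log form as length * log(complexity) so the huge intermediate value never exists; the character-class sizes, the tiny dictionary, and the rule that a dictionary hit scores as a single guess are all assumptions:

```ruby
# Password "strength" as log(complexity ^ length) == length * log(complexity).
# Character-class sizes below are an assumption (printable ASCII split into
# digits, lower, upper and symbols); a real run would tune them.
CLASS_SIZES = {
  digit: 10,
  lower: 26,
  upper: 26,
  symbol: 33 # printable ASCII punctuation (assumed)
}.freeze

# Constructed dictionary of common leaked passwords; a real run would load a
# full wordlist instead of this hard-coded sample.
DICTIONARY = %w[password qwerty monkey princess iloveyou sunshine welcome].freeze

# Estimate the character set a cracker would have to search, from the classes
# actually present in the password.
def complexity(password)
  size = 0
  size += CLASS_SIZES[:digit]  if password.match?(/[0-9]/)
  size += CLASS_SIZES[:lower]  if password.match?(/[a-z]/)
  size += CLASS_SIZES[:upper]  if password.match?(/[A-Z]/)
  size += CLASS_SIZES[:symbol] if password.match?(/[^0-9a-zA-Z]/)
  size
end

# Base-2 log, so the score reads as "bits". A dictionary hit is scored as one
# guess out of the dictionary (log2 of its size) regardless of length, which
# is the assumed way to fold "presence in dictionary" into the number.
def strength(password, dictionary = DICTIONARY)
  return 0.0 if password.empty?
  return Math.log2(dictionary.size) if dictionary.include?(password.downcase)

  password.length * Math.log2(complexity(password))
end

# Rank a batch of passwords from strongest to weakest, rounding for display.
def ranked(passwords)
  passwords.map { |p| [p, strength(p).round(1)] }.sort_by { |_, s| -s }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample in the style of the slide's top-twenty list.
  ranked(%w[123456 password abc123 88888888 Tr0ub4dor&3]).each do |p, s|
    puts format('%-12s %6.1f bits', p, s)
  end
end
```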
Top Twenty!
● 123456789
● 12345678
● 123456
● password
● 11111111
● 01234567890123123123
● abc123
● qwerty
● 88888888
● welcome
● 12345
● 111111
● monkey
● princess
● lifehack
● iloveyou
● sunshine
n/a
How to help/contact us
Jacob @biosshadow / [email protected]
Benson @bensonk42 / [email protected]
Matt @undeadsecurity / [email protected]
How You can Help the Project
● Requests
○ Features
○ Analytics
● Notify us of leaks, big and small
● Help with our code - Github pull requests are welcome