Tripwire: Inferring Internet Site Compromise
Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker, Alex C. Snoeren
UC San Diego
On account compromise
Compromise of email, social network and similar accounts is devastating: personal and professional reputational and financial damage.
Compromise can come from many sources: phishing, brute forcing, malware, password re-use.
Password re-use from data breaches
Site A's usernames and passwords are exposed… then the attacker uses the leaked credentials on unrelated Site B.
> 40% of users reuse passwords; 25% usually use only one [1]
[1] Das, Anupam, et al. "The tangled web of password reuse." Symposium on Network and Distributed System Security (NDSS), 2014.
Natural & valuable target: email accounts
Most sites have the user's email address, so it is natural to try the password on the email account.
Email accounts are valuable: https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
We have no idea how many sites are compromised.
This work: getting more insight into compromise prevalence.
Detecting site compromise
Publicly known compromises are attacker- or site-identified. But what about when
- attackers are quiet, and
- sites cannot or will not help?
Third-party detection may expose additional compromises.
Tripwire: a technique for third-party compromise detection using password re-use attacks.
Tripwire: detecting compromise via re-use attacks
1. Partner with a major email provider. Create many distinct email accounts to act as honeypots (A@ with PW1, B@ with PW2, C@ with PW3 at the email provider).
2. Register for accounts on the services you want to monitor: a unique email per site, with the password shared between the site account and its email account (Site A: A@/PW1, Site B: B@/PW2, Site C: C@/PW3).
3. Monitor the email accounts for logins. A login to an email account (e.g. someone else logging in to C@ with PW3) indicates compromise of the corresponding site (Site C).
Tripwire: our contribution
Proof-of-concept implementation & study: ~2,300 sites under measurement; prototype crawler.
Fresh compromises detected: 19 compromises over 24 months; only one previously public.
Large and small sites affected: the largest site has ~50m users; >100m users impacted across.
Today's plan: Registration, Compromises, Disclosure.
Ethical considerations
- We did not receive consent from sites under measurement (doing so may compromise integrity and is impractical).
- We believe that the technical burden on sites is low (created few accounts, accounts unused, rate-limited).
- We have obscured compromised sites' identities (limits reputational damage from involuntary inclusion).
- We consulted our group's & institution's counsel.
Tripwire process: Generate UNs / PWs → Create email accounts → Register on websites → Monitor accounts

Generate UNs / PWs
Full identity created, e.g. full name, address, phone, mother's maiden name, etc.
Plausible usernames: AngryNeighbor1234
Two types of passwords:
- "Easy to crack": Website1
- "Hard to crack": QpFAiy5BfB

Multiple accounts with differing password strengths allow inference of breach severity:
- Only accounts with easy passwords accessed? The breach contained well-hashed passwords.
- Accounts with hard and easy passwords accessed? Plaintext or weak hashing.

Create email accounts
Send usernames and passwords to the email provider; the provider creates matching email accounts.
Availability of the username at the provider is used as a proxy for global availability.

Register on websites
An automated crawler registers for accounts. Best effort! Developers try to make this process hard to automate.
Skips ineligible, confusing, or non-English sites: e.g. cannot support sites that require a credit card, fails complicated CAPTCHAs.
The crawler is provided a URL and an identity. URLs come from the Alexa rankings; crawled approximately the top 30k.
PhantomJS-based, JavaScript-capable crawler: Load page → Find registration → Fill form → Email verification.
If registration succeeds, registers again with an additional identity (with a different password type).

Monitor accounts
The email provider monitors ALL created accounts for logins and reports back all successful login events.
The provider does not know which accounts have been used; it only has the list of all usernames.
>100k unused email accounts; none were ever accessed: strong evidence that the email provider was not breached.
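The monitoring step in practice, as an added example that is not the Tripwire authors' code: given the honeypot registry (email username → monitored site, password class) and the provider's feed of successful logins, it flags the sites whose accounts were logged in to and applies the severity rule from the Generate step (hard-password account accessed → plaintext or weak hashing at the site; easy-password accounts only → consistent with a well-hashed store). It also flags logins to provider accounts that were never registered anywhere, the signal that would point at the provider rather than at a site. All record formats, field names and sample data below are constructed for this example.

```python
"""Tripwire-style inference from honeypot-email login events.

Illustrative code written for this page, not the Tripwire authors'
implementation. Record formats, field names and sample data are
constructed assumptions.
"""
from collections import defaultdict

# Honeypot registry: email username -> (monitored site, password class).
# Each site gets two accounts, one "easy" (crackable) and one "hard"
# (random) password. Constructed sample data; sites are placeholders.
REGISTRY = {
    "angryneighbor1234": ("site-a.example", "easy"),
    "quietlibrarian88":  ("site-a.example", "hard"),
    "sleepyotter42":     ("site-b.example", "easy"),
    "brightfalcon7":     ("site-b.example", "hard"),
    "lateowl2015":       ("site-c.example", "easy"),
    "mossyrock19":       ("site-c.example", "hard"),
}

# Every username the provider created, including spares never registered
# on any site. The provider only ever sees this list, never REGISTRY.
PROVIDER_USERNAMES = set(REGISTRY) | {"spareaccount001", "spareaccount002"}

# Successful-login events as the provider would report them (constructed).
LOGIN_EVENTS = [
    {"user": "angryneighbor1234", "proto": "imap", "ts": "2015-09-03T04:12:00Z"},
    {"user": "angryneighbor1234", "proto": "smtp", "ts": "2015-09-03T04:15:00Z"},
    {"user": "sleepyotter42",     "proto": "imap", "ts": "2016-01-20T11:02:00Z"},
    {"user": "brightfalcon7",     "proto": "web",  "ts": "2016-01-21T11:02:00Z"},
    {"user": "sleepyotter42",     "proto": "pop",  "ts": "2016-02-01T08:30:00Z"},
    {"user": "spareaccount001",   "proto": "imap", "ts": "2016-03-05T00:00:00Z"},
    {"user": "someoneelse",       "proto": "imap", "ts": "2016-03-06T00:00:00Z"},
]


def classify(classes):
    """Map the set of password classes accessed at one site to a verdict."""
    if "hard" in classes:
        # A random password cannot be guessed or cracked from a hash, so the
        # attacker must hold it in the clear: the site stored it in plaintext
        # or with hashing weak enough to reverse.
        return "plaintext-or-weak-hashing"
    # Only the crackable password was used: consistent with a breach of a
    # properly hashed password store.
    return "likely-well-hashed"


def infer_compromises(registry, provider_usernames, events):
    """Return (per-site findings, logins to provider accounts never registered).

    Events are processed in timestamp order so first_login is the earliest
    access seen for each site.
    """
    findings = {}
    provider_alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user not in registry:
            # A login to an account that exists at the provider but was never
            # registered on any site implicates the provider, not a site.
            if user in provider_usernames:
                provider_alerts.append(ev)
            continue  # usernames the provider never created are ignored
        site, pw_class = registry[user]
        f = findings.setdefault(site, {
            "classes": set(), "protocols": set(),
            "logins": 0, "first_login": ev["ts"],
        })
        f["classes"].add(pw_class)
        f["protocols"].add(ev["proto"])
        f["logins"] += 1
    for f in findings.values():
        f["verdict"] = classify(f["classes"])
    return findings, provider_alerts


if __name__ == "__main__":
    found, alerts = infer_compromises(REGISTRY, PROVIDER_USERNAMES, LOGIN_EVENTS)
    for site, f in sorted(found.items()):
        print(f"{site}: {f['verdict']} ({f['logins']} logins via "
              f"{', '.join(sorted(f['protocols']))}; first {f['first_login']})")
    for ev in alerts:
        print(f"PROVIDER ALERT: never-registered account {ev['user']} "
              f"logged in via {ev['proto']} at {ev['ts']}")
```

Sites with no login events (site-c.example above) simply do not appear in the findings, which matches the study's silence-is-good reading: absence of a login is evidence of no detected compromise, not proof of none.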
Sites monitored
Of ~30k sites considered: ~45% are not in English; ~20% fail to load or are otherwise ineligible.
The crawler succeeds on ~20% of eligible sites: 2,300 sites total.
So, what did we find? ~1% of sites measured were compromised!
Compromised sites (two sites per row; "Hard?" marks sites where the hard-password accounts were accessed)
Hard? | Alexa* | Category | Hard? | Alexa* | Category
✔ ✔ A 500 Deals K 20500 Classifieds
B 8500 Gaming L 11000 Adult
✔ C 5500 BitTorrent M 20000 Vacations
✔ D 20500 Wallpapers N 11500 Gaming
E 16000 Gaming O 18000 Outdoors
F 18500 Gaming P ? 1500 Adult
✔ ✔ G 17500 RSS Feeds Q 22000 Tourism
✔ ✔ H 17500 Marketing R 22500 Press
✔ I 7500 Horoscopes S 4000 BTC Forum
✔ J 20500 Gaming
* Rounded up to nearest 500
Annotations on the table from the following slides: BitcoinTalk.org used salted sha256_crypt; Hard Passwords Accessed; Alexa < 500 in home country; Same company; >30m users.
Login activity
More than 1,750 distinct account accesses. Most via IMAP, but also SMTP, POP, web and mobile API.
Most accounts are not abused; little indication to the user. ~25% used for spam; one password changed.
[Figure: login timeline, Compromised Site vs. Date (7/15 to 1/17), with Hard and Easy password accounts distinguished. Sites and access counts: A (2), B (83), C (27), D (99), E (22), F (119), G (243), H (90), I (152), J (11), K (4), L (9), M (570), N (23), O (1), P (3), Q (27), R (77), S (6).]