Inside Mirai the infamous IoT Botnet: A Retrospective Analysis

This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service attacks using hundreds of thousands of compromised Internet-of-Things devices. At its peak in September 2016, Mirai temporarily crippled several high-profile services such as OVH, Dyn, and Krebs on Security via massive distributed denial-of-service (DDoS) attacks. OVH reported that these attacks exceeded 1 Tbps—the largest on public record. What’s remarkable about these record-breaking attacks is that they were carried out via small, innocuous Internet-of-Things (IoT) devices like home routers, air-quality monitors, and personal surveillance cameras. At its peak, Mirai enslaved over 600,000 vulnerable IoT devices, according to our measurements. Mirai represents a turning point for DDoS attacks: IoT botnets are the new norm. Note: This blog post was edited on Dec 6th 2017 to incorporate the feedback I received via Twitter and other channels. In particular, the link to the previously largest DDoS attack reported was changed and...

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March 2016–March 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black-market forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the...

Unmasking the ransomware kingpins

This blog post exposes the cybercriminal groups that dominate the ransomware underworld, and analyzes the reasons for their success. This is the third and final blog post of my series on ransomware economics. The first post was dedicated to the methodology and techniques developed to trace ransomware payments from end to end. The second post shed light on the inner workings of ransomsphere economics. As this post is built on the previous two, I encourage you to read them if you haven’t done so yet, or to read them again if your memory needs refreshing. The findings presented in these posts were originally presented at Black Hat USA 2017, in a talk entitled “Tracking desktop ransomware payments end-to-end.” You can check out the slides here. Let’s look at the cybercriminal groups that dominate the ransomsphere. PC Cyborg – the precursor. The first documented ransomware, the AIDS trojan, was unleashed in 1989 by the PC Cyborg cybercriminal group via floppy disks, way before most of us had even had the...

How to trace ransomware payments end-to-end

Over the last two years, ransomware has been all over the news. Hardly a week goes by without a report of a large ransomware outbreak or the emergence of a new ransomware family. Despite all this attention, very little is known about how profitable ransomware is and who the criminals are that benefit from it. To answer these questions and expose the inner workings of the ransomware economy, our research team at Google, in partnership with NYU, UCSD and Chainalysis, has developed a new methodology and a set of technologies to trace bitcoin ransom payments at scale. Over the last 12 months or so we have applied it to hundreds of thousands of ransomware binaries from over 30 ransomware families. This large-scale tracing has enabled us to build up a precise picture of the ransomware economy and identify the key ransomware groups. This series of three blog posts summarizes the key findings of our large-scale study. By the end of the series you will have...

Attacking encrypted USB keys the hard(ware) way

Ever wondered if your new shiny AES hardware-encrypted USB device really encrypts your data, or is just a fluke? If you have, come to our talk to find out whether those products live up to the hype and hear about the results of the audit we conducted on multiple USB keys and hard drives that claim to securely encrypt data. In this talk, we will present our methodology to assess "secure" USB devices from both the software and the hardware perspectives. We will demonstrate how this methodology works in practice via a set of case studies. We will demonstrate some of the practical attacks we found during our audit so you will learn what types of vulnerabilities to look for and how to exploit them. Armed with this knowledge and our tools, you will be able to evaluate the security of the USB device of your choice.

How we created the first SHA-1 collision and what it means for hash security

In February 2017, we announced the first SHA-1 collision. This collision, combined with a clever use of the PDF format, allows attackers to forge PDF pairs that have identical SHA-1 hashes and yet display different content. This attack is the result of over two years of intense research. It took 6,500 CPU-years and 110 GPU-years of computation, which is still 100,000 times faster than a brute-force attack. In this talk, we recount how we found the first SHA-1 collision. We delve into the challenges we faced, from developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor. We discuss the aftermath of the release, including the positive changes it brought and its unforeseen consequences. For example, it was discovered that SVN is vulnerable to SHA-1 collision attacks only after the WebKit SVN repository was brought down by the commit of a unit test aimed at verifying that WebKit is immune to collision attacks. Building on the...