Angry Birds and Security

In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.

Clearly, there is room for improvement in terms of both offense and defense.

The Pigs

Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:

1) Preparation

The root of their constant downfall is they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.

2) Planning

Another problem facing the pigs is the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.

3) Sacrificial Hierarchy

It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.

Common flaw of pig-based construction
A more secure design


The Birds

The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.

1) Reduce Scope

First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.

2) Improved Retaliation

Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capable bird should be able to respond to attack.

3) Agility

Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.

In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.

Improved Attack Method Adapted To Environment


Conclusion

Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.

Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.

And while this post is all fun and games, make sure to check out Sophos’ Naked Security blog post about Android malware posing as the Angry Birds Space game. As Graham writes, “The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully-functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device, and install malicious code.”

In the Chicago area? Visit us at ForenSecure.

RJS Smart Security will be at ForenSecure in Wheaton, Illinois this Thursday and Friday (19th and 20th). To quote ForenSecure’s website, “This multi-track, technical conference attracts 200+ professionals for an intensive one-and-a-half day schedule that includes discussion and debate over forensics, security, data/information governance, cyber crime and security, ethical hacking, eDiscovery, cloud forensics, steganography, policy and compliance, privacy, wireless security, cloud computing, and identity theft.”

ForenSecure'12

At 10:50am on Thursday, our very own Adam Johnson will be presenting Mobile Devices: Security Through Monitoring and Control. If you’re interested in learning about the current landscape of the mobile industry and the relatively misunderstood security risks associated with this new technology, this is the perfect session for you. Adam brings a wealth of information to this topic based upon his many years in the mobile industry prior to joining RJS.

If you aren’t in the Chicago area, but are still interested in Adam’s mobile device security presentation, shoot us an email and we’ll send you the slides.

Register for ForenSecure.

Password Security and Schools

For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this awards them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the legal side, we receive the ability to gather passwords used in the real world and analyze commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain information gets leaked.

Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in, but it certainly looks correct and the leak has already been plugged, thus illustrating the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords for 246 sixth graders.

You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, there were only 34 unique passwords. 34!

Here they are, with the shared passwords first and the truly unique ones (the right-hand column of the original table) after them:

Shared passwords:

  • glasses = 13 (5.28%)
  • finish = 12 (4.88%)
  • button = 12 (4.88%)
  • dinner = 12 (4.88%)
  • oranges = 12 (4.88%)
  • apples = 12 (4.88%)
  • letter = 12 (4.88%)
  • stormy = 12 (4.88%)
  • gentle = 11 (4.47%)
  • cupcake = 11 (4.47%)
  • winter = 11 (4.47%)
  • butter = 11 (4.47%)
  • carpet = 11 (4.47%)
  • joyful = 11 (4.47%)
  • summer = 10 (4.07%)
  • middle = 10 (4.07%)
  • friday = 10 (4.07%)
  • person = 10 (4.07%)
  • football = 10 (4.07%)
  • people = 10 (4.07%)
  • soccer = 10 (4.07%)

Unique passwords (right-hand column):

  • butter32 = 1 (0.41%)
  • butter27 = 1 (0.41%)
  • dinner20 = 1 (0.41%)
  • letter38 = 1 (0.41%)
  • summer17 = 1 (0.41%)
  • summer83 = 1 (0.41%)
  • winter34 = 1 (0.41%)
  • apples74 = 1 (0.41%)
  • letter28 = 1 (0.41%)
  • Password = 1 (0.41%)
  • summer22 = 1 (0.41%)
  • letter48 = 1 (0.41%)
  • winter64 = 1 (0.41%)

Note the right hand column. Those are the passwords that are truly unique. This means that of 246 passwords, only 13 of them are not like the others. Of those 13, only one wasn’t based on the shared list. And even that one was the always original “Password.”

In all the analyses I’ve done, this is by far the worst.  There are a handful of possible scenarios here. Ignoring the possibility this is completely fabricated (the usernames of the children make that seem somewhat unlikely), this is either a set of passwords that were generated for children or by children. Given how evenly matched the passwords are in distribution, it seems more likely there was a list of 21 “default” passwords that were generated and then the students were asked to change them. Given the passwords on the right hand column, it seems as though the instructions were “add two numbers to the end of your password to make it secure.”  The password of “Password” matches a username of “Username,” so it’s probably a header or a default value and can be ignored.

So, what’s wrong here?

First, selecting passwords in this way means if someone knew their password and wanted to try to get into other accounts, they’d be able to get into at least 9 other accounts and possibly as many as 14 … and that’s with doing no work at all. If you look at word pairs you get summer/winter, apples/oranges and soccer/football. This raises the number of breached accounts with inside knowledge to 25. Now, if you decided to attack this system with a default word list, it would take about a day to get hits on most of these. If you had a list of usernames, you could easily gain access to every account on this list in a day.  In some systems, it would take as little as a minute to crack each account.

So no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the right hand column contains passwords that people changed, only 12 students changed their passwords as instructed. If we assume they were given instructions, this means we can expect 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are even more likely to follow directions than adults, so in an average organization, we can assume less than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.

Now take a minute and think what this would have looked like if the following changes were made to the system:

  • Users are assigned completely random passwords
  • The system required passwords to be at least 12 characters long.
  • The system required passwords to have a mix of upper case, lower case, numbers and punctuation

What would happen?  First, the student would probably write his or her password down somewhere. Now that code is as safe as a locker and/or the student’s resistance to bullying.  Maybe there’s a better way.

What if the system were set up to allow users to register themselves and had a password complexity rule? Suppose it had to hit a specific score, something like 100, where the scoring worked this way:

  • base starts at 0
  • Upper case character = base+10
  • Lower case character = base+10
  • Number = base+10
  • Punctuation = base+10
  • Space character = base+10
  • Score = base * length of the password

If someone wanted to use a basic word like “winter,” the system wouldn’t accept the password. “Zoologists,” on the other hand, would be accepted. If you wanted something shorter, you could go with “like2” to obtain your required score of 100 (a base of 20 * 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold score and weighting various characters differently, people are driven to select their own passwords.

Using the rules above, suppose you wanted a specific score of 1000. “Jooxiepa8da X1Zaode!” would work, but so would “Ask not what you can do for your country.”  Which is easier to remember?
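As an added example (not code from the original post), here is the scoring rule above in Python, run over the post's own sample passwords. It assumes each character class adds 10 to the base at most once, that Python's string.punctuation defines punctuation, and that the multiplier is the full password length.

```python
import string

# Added example implementing the post's scoring rule.
# Assumptions: each character class adds 10 to the base at most once,
# "punctuation" means string.punctuation, and the multiplier is the
# full length of the password.
CLASS_WEIGHT = 10
CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "punctuation": lambda c: c in string.punctuation,
    "space": lambda c: c == " ",
}


def classes_present(password: str) -> list:
    """Names of the character classes that appear at least once."""
    return [name for name, test in CLASS_TESTS.items()
            if any(test(c) for c in password)]


def password_base(password: str) -> int:
    """Base = 10 per character class present (0 for an empty string)."""
    return CLASS_WEIGHT * len(classes_present(password))


def password_score(password: str) -> int:
    """Score = base * length, exactly as the post defines it."""
    return password_base(password) * len(password)


def accept(password: str, threshold: int) -> bool:
    """True when the password reaches the required score."""
    return password_score(password) >= threshold


def min_length_for(num_classes: int, threshold: int) -> int:
    """Shortest length that can reach the threshold using exactly
    num_classes character classes (each class needs one character).

    Caveat: with all five classes (base 50) a threshold of 100 is met
    by a five-character password, which is short enough to brute-force;
    a higher threshold pushes users towards length instead.
    """
    if not 1 <= num_classes <= len(CLASS_TESTS):
        raise ValueError("num_classes must be between 1 and 5")
    base = CLASS_WEIGHT * num_classes
    return max(num_classes, -(-threshold // base))  # ceiling division


if __name__ == "__main__":
    for pw in ["winter", "Zoologists", "like2", "Jooxiepa8da X1Zaode!",
               "Ask not what you can do for your country."]:
        print(f"{pw!r}: classes={classes_present(pw)} "
              f"score={password_score(pw)} ok@100={accept(pw, 100)} "
              f"ok@1000={accept(pw, 1000)}")
```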

This is how you generate passwords to meet an arbitrary security threshold that are easy to remember and hard to crack. Since people don’t follow directions (5% change rate) and write down hard things to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password security from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.

In fact, maybe we should do this in business too.

Filed under: Technical Advice


Mac Backdoor Trojan embedded inside Boobytrapped Word Documents

This is a repost of a blog entry initially reported by Sophos’ Graham Cluley at the award-winning Naked Security blog. Sophos is a Platinum Partner of RJS Smart Security.

The folks at AlienVault discovered an interesting new Mac malware attack this week.

A backdoor Trojan horse, which would allow a remote hacker to access your Mac computer without your knowledge and potentially snoop on your files and activity, has been discovered hidden inside a boobytrapped Word document.

The targeted attack relies upon a critical security vulnerability discovered in Microsoft Word back in 2009, which allowed remote code execution (MS09-027).

In a nutshell, if you open the boobytrapped Word document, a Trojan horse gets dropped onto your Mac opening a backdoor for remote hackers. Furthermore, a decoy document called file.doc is also dumped onto your drive.

Dropped decoy Word document

The nature of the decoy document, which claims to be about Human Rights abuses in Tibet by the Chinese, is sure to raise some eyebrows.

Inevitably there will be speculation that this attack is related to ‘Ghostnet’, the alleged campaign by China to spy via the internet on pro-Tibet organisations, including the Tibetan government-in-exile and the private office of the Dalai Lama.

If that’s the case, then it would seem that ‘Ghostnet’ is now targeting Mac users inside organisations sympathetic to Tibet and banned Chinese groups.

And don’t be fooled into thinking that you are protected by Mac OS X itself, which will ask for an administrator’s username and password to install software. You won’t see any prompt for credentials when this malware installs, as it is a userland Trojan.

Neither the /tmp/ nor /$HOME/Library/LaunchAgents folders on Mac OS X require root privileges – meaning that software applications can run in userland with no difficulties, and even open up network sockets to transfer data.

Mac malware hex dump

Sophos anti-virus products detect the malformed Word documents as Troj/DocOSXDr-A and the Mac backdoor Trojan horse as OSX/Bckdr-RLG. The servers that the malware attempts to communicate with have been categorised by Sophos as malware repositories since at least 2009.

Once again, Mac users need to remember to not be complacent about the security of their computers. Although there is much less malware for Mac than there is for Windows, that is going to be no compensation if you happen to be targeted by an attack like this.

If you’re not already doing so, run anti-virus software on your Macs. If you’re a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.

Sophos + Assessments = Success!

While we prefer to keep our success stories anonymous for security reasons, we still like to share with you these positive experiences as you may identify with these problems and ultimately, their solutions.

We recently completed a project with a Minnesota-based healthcare company who needed consulting advice and an upgraded product. They specifically asked for our security expertise on two projects: 1) their anti-virus solution was not effective and difficult to manage and 2) they needed to make sure they were HIPAA compliant.

To combat the first issue, we implemented Sophos Anti-Virus because of its excellent overall protection. We especially like this product because it provides ease-of-management for network administrators of all skill levels, as well as intuitive control for devices and data.

For the second issue, we conducted an internal resource audit as well as vulnerability assessments for their network and web portal. In these assessments, numerous patch management issues were discovered. The customer was able to effectively eliminate the security holes and address future compliance policies with our simple step-by-step remediation report.

Each customer we work with is unique, but if you’re in the healthcare industry and have worries regarding HIPAA, we have a firm grasp of the often confusing rules. We’re happy to offer you a free one-hour security review that will assist you in learning whether you are HIPAA-compliant or could use a little help.