The Art of Invisibility

CHAPTER ONE

Your Password Can Be Cracked!

Jennifer Lawrence was having a rough Labor Day weekend. The Academy Award winner was one of several celebrities who woke one morning in 2014 to find that their most private pictures—many of which showed them in the nude—were being splashed about on the Internet.

Take a moment to mentally scan all the images that are currently stored on your computer, phone, and e-mail. Sure, many of them are perfectly benign. You'd be fine with the whole world seeing the sunsets, the cute family snapshots, maybe even the jokey bad-hair-day selfie. But would you be comfortable sharing each and every one of them? How would you feel if they suddenly all appeared online? Maybe not all our personal photos are salacious, but they're still records of private moments. We should be able to decide whether, when, and how to share them, yet with cloud services the choice may not always be ours.

The Jennifer Lawrence story dominated the slow Labor Day weekend news cycle in 2014. It was part of an event called theFappening, a huge leak of nude and nearly nude photographs of Rihanna, Kate Upton, Kaley Cuoco, Adrianne Curry, and almost three hundred other celebrities, most of them women, whose cell-phone images had somehow been remotely accessed and shared. While some people were, predictably, interested in seeing these photos, for many the incident was an unsettling reminder that the same thing could have happened to them.

So how did someone get access to those private images of Jennifer Lawrence and others?

Since all the celebrities used iPhones, early speculation centered on a massive data breach affecting Apple's iCloud service, a cloud-storage option for iPhone users. As your physical device runs out of memory, your photos, new files, music, and games are instead stored on a server at Apple, usually for a small monthly fee. Google offers a similar service for Android.

Apple, which almost never comments in the media on security issues, denied any fault on their end. The company issued a statement calling the incident a "very targeted attack on user names, passwords, and security questions" and added that "none of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."¹

The photos first started appearing on a hacker forum well known for posting compromised photos.² Within that forum you can find active discussions of the digital forensic tools used for surreptitiously obtaining such photos. Researchers, investigators, and law enforcement use these tools to access data from devices or the cloud, usually following a crime. And of course the tools have other uses as well.

One of the tools openly discussed on the forum, Elcomsoft Phone Password Breaker, or EPPB, is intended to enable law enforcement and government agencies to access iCloud accounts and is sold publicly. It is just one of many tools out there, but it appears to be the most popular on the forum. EPPB requires that users have the target's iCloud username and password information first. For people using this forum, however, obtaining iCloud usernames and passwords is not a problem. It so happened that over that holiday weekend in 2014, someone posted to a popular online code repository (Github) a tool called iBrute, a password-hacking mechanism specifically designed for acquiring iCloud credentials from just about anyone.

Using iBrute and EPPB together, someone could impersonate a victim and download a full backup of that victim's cloud-stored iPhone data onto another device. This capability is useful when you upgrade your phone, for example. It is also valuable to an attacker, who then can see everything you've ever done on your mobile device. This yields much more information than just logging in to a victim's iCloud account.

Jonathan Zdziarski, a forensics consultant and security researcher, told Wired that his examination of the leaked photos from Kate Upton, for example, was consistent with the use of iBrute and EPPB. Having access to a restored iPhone backup gives an attacker lots of personal information that might later be useful for blackmail.³

In October 2016, Ryan Collins, a thirty-six-year-old from Lancaster, Pennsylvania, was sentenced to eighteen months in prison for "unauthorized access to a protected computer to obtain information" related to the hack. He was charged with illegal access to over one hundred Apple and Google e-mail accounts.⁴

To protect your iCloud and other online accounts, you must set a strong password. That's obvious. Yet in my experience as a penetration tester (pen tester)—someone who is paid to hack into computer networks and find vulnerabilities—I find that many people, even executives at large corporations, are lazy when it comes to passwords. Consider that the CEO of Sony Entertainment, Michael Lynton, used "sonyml3" as his domain account password. It's no wonder his e-mails were hacked and spread across the Internet since the attackers had administrative access to most everything within the company.

Beyond your work-related passwords are those passwords that protect your most personal accounts. Choosing a hard-to-guess password won't prevent hacking tools such as oclHashcat (a password-cracking tool that leverages graphics processing units—or GPUs—for high-speed cracking) from possibly cracking your password, but it will make the process slow enough to encourage an attacker to move on to an easier target.

It's a fair guess that some of the passwords exposed during the July 2015 Ashley Madison hack are certainly being used elsewhere, including on bank accounts and even work computers. From the lists of 11 million Ashley Madison passwords posted online, the most common were "123456," "12345," "password," "DEFAULT," "123456789," "qwerty," "12345678," "abc123," and "1234567."⁵ If you see one of your own passwords here, chances are you are vulnerable to a data breach, as these common terms are included in most password-cracking tool kits available online. You can always check the site www.haveibeenpwned.com to see if your account has been compromised in the past.

In the twenty-first century, we can do better. And I mean much better, with longer and much more complex configurations of letters and numbers. That may sound hard, but I will show you both an automatic and a manual way to do this.

The easiest approach is to forgo the creation of your own passwords and simply automate the process. There are several digital password managers out there. Not only do they store your passwords within a locked vault and allow one-click access when you need them, they also generate new and really strong, unique passwords for each site when you need them.

Be aware, though, of two problems with this approach. One is that password managers use one master password for access. If someone happens to infect your computer with malware that steals the password database and your master password through keylogging—when the malware records every keystroke you make—it's game over. That person will then have access to all your passwords. During my pen-testing engagements, I sometimes replace the password manager with a modified version that transmits the master password to us (when the password manager is open-source). This is done after we gain admin access to the client's network. We then go after all the privileged passwords. In other words, we will use password managers as a back door to get the keys to the kingdom.

The other problem is kind of obvious: If you lose the master password, you lose all your passwords. Ultimately, this is okay, as you can always perform a password reset on each site, but that would be a huge hassle if you have a lot of accounts.

Despite these flaws, the following tips should be more than adequate to keep your passwords secure.

First, strong passphrases, not passwords, should be long—at least twenty to twenty-five characters. Random characters—ek5iogh#skf&skd—work best. Unfortunately the human mind has trouble remembering random sequences. So use a password manager. Using a password manager is far better than choosing your own. I prefer open-source password managers like Password Safe and KeePass that only store data locally on your computer.

Another important rule for good passwords is never use the same password for two different accounts. That's hard. Today we have passwords on just about everything. So have a password manager generate and store strong, unique passwords for you.

Even if you have a strong password, technology can still be used to defeat you. There are password-guessing programs such as John the Ripper, a free open-source program that anyone can download and that works within configuration parameters set by the user.⁶ For example, a user might specify how many characters to try, whether to use special symbols, whether to include foreign language sets, and so on. John the Ripper and other password hackers are able to permute the password letters using rule sets that are extremely effective at cracking passwords. This simply means it tries every possible combination of numbers, letters, and symbols within the parameters until it is successful at cracking your password. Fortunately, most of us aren't up against nation-states with virtually unlimited time and resources. More likely we're up against a spouse, a relative, or someone we really pissed off who, when faced with a twenty-five-character password, won't have the time or resources to successfully crack it.

Let's say you want to create your passwords the old-fashioned way and that you've chosen some really strong passwords. Guess what? It's okay to write them down. Just don't write "Bank of America: 4the1sttimein4ever*." That would be too obvious. Instead replace the name of your bank (for example) with something cryptic, such as "Cookie Jar" (because some people once hid their money in cookie jars) and follow it with "4the1st." Notice I didn't complete the phrase. You don't need to. You know the rest of the phrase. But someone else might not.

Anyone finding this printed-out list of incomplete passwords should be sufficiently confused—at least at first. Interesting story: I was at a friend's house—a very well-known Microsoft employee—and during dinner we were discussing the security of passwords with his wife and child. At one point my friend's wife got up and went to the refrigerator. She had written down all her passwords on a single piece of paper and stuck it to the appliance's door with a magnet. My friend just shook his head, and I grinned widely. Writing down passwords might not be a perfect solution, but neither is forgetting that rarely used strong password.

Some websites—such as your banking website—lock out users after several failed password attempts, usually three. Many sites, however, still do not do this. But even if a site does lock a person out after three failed attempts, that isn't how the bad guys use John the Ripper or oclHashcat. (Incidentally, oclHashcat distributes the hacking process over multiple GPUs and is much more powerful than John the Ripper.) Also, hackers don't actually try every single possible password on a live site.

Let's say there has been a data breach, and included within the data dump are usernames and passwords. But the passwords retrieved from the data breach are mere gibberish.

How does that help anyone break into your account?

Whenever you type in a password, whether it is to unlock your laptop or an online service—that password is put through a one-way algorithm known as a hash function. It is not the same as encryption. Encryption is two-way: you can encrypt and decrypt as long as you have a key. A hash is a fingerprint representing a particular string of characters. In theory, one-way algorithms can't be reversed—or at least not easily.

What is stored in the password database on your traditional PC, your mobile device, or your cloud account is not MaryHadALittleLamb123$ but its hash value, which is a sequence of numbers and letters. The sequence is a token that represents your password.⁷

It is the password hashes, not the passwords themselves, that are stored in the protected memory of our computers and can be obtained from a compromise of targeted systems or leaked in data breaches. Once an attacker has obtained these password hashes, the hacker can use a variety of publicly available tools, such as John the Ripper or oclHashcat, to crack the hashes and obtain the actual password, either through brute force (trying every possible alphanumeric combination) or trying each word in a word list, such as a dictionary. Options available in John the Ripper and oclHashcat allow the attacker to modify the words tried against numerous rule sets, for example the rule set called leetspeak—a system for replacing letters with numbers, as in "k3v1n m17n1ck." This rule will change all passwords to various leetspeak permutations. Using these methods to crack passwords is much more effective than simple brute force. The simplest and most common passwords are easily cracked first, then more complex passwords are cracked over time. The length of time it takes depends on several factors. Using a password-cracking tool together with your breached username and hashed password, hackers may be able to access one or more of your accounts by trying that password on additional sites connected to your e-mail address or other identifier.

In general, the more characters in your password, the longer it will take password-guessing programs such as John the Ripper to run through all the possible variations. As computer processors get faster, the length of time it takes to calculate all the possible six-character and even eight-character passwords is becoming a lot shorter, too. That's why I recommend using passwords of twenty-five characters or more.

After you create strong passwords—and many of them—never give them out. That seems painfully obvious, but surveys in London and other major cities show that people have traded their passwords in exchange for something as trivial as a pen or a piece of chocolate.⁸

A friend of mine once shared his Netflix password with a girlfriend. It made sense at the time. There was the immediate gratification of letting her choose a movie for them to watch together. But trapped within Netflix's recommended-movie section were all his "because you watched…" movies, including movies he had watched with past girlfriends. The Sisterhood of the Traveling Pants, for instance, is not a film he would have ordered himself, and his girlfriend knew this.

Of course, everyone has exes. You might even be suspicious if you dated someone who didn't. But no girlfriend wants to be confronted with evidence of those who have gone before her.

If you password-protect your online services, you should also password-protect your individual devices. Most of us have laptops, and many of us still have desktops. You may be home alone now, but what about those dinner guests coming later? Why take a chance that one of them could access your files, photos, and games just by sitting at your desk and moving the mouse? Another Netflix cautionary tale: back in the days when Netflix primarily sent out DVDs, I knew a couple who got pranked. During a party at their house, they'd left their browser open to their Netflix account. Afterward, the couple found that all sorts of raunchy B-and C-list movies had been added to their queue—but only after they'd received more than one of these films in the mail.

It's even more important to protect yourself with passwords at the office. Think of all those times you're called away from your desk into an impromptu meeting. Someone could walk by your desk and see the spreadsheet for the next quarter's budget. Or all the e-mails sitting in your inbox. Or worse, unless you have a password-protected screen saver that kicks in after a few seconds of inactivity, whenever you're away from your desk for an extended period—out to lunch or at a long meeting—someone could sit down and write an e-mail and send it as you. Or even alter the next quarter's budget.