The rise of cryptocurrency miners

Cryptocurrency is one of the newest forms of currency. Cryptocurrencies usually rely on peer-to-peer (P2P) networks to manage transactions, funds and accounts across the globe, and most of them use blockchain technology to do this.

Bitcoin is the most well-known and widely used cryptocurrency right now. Bitcoin was partially based on the gold mining industry. Whenever the amount of gold being found decreases, the price increases. Bitcoin operates in the same way.
The value of Bitcoin rose drastically in 2017, going from around $880 USD in January to $14,758 USD in December. Because of this, cryptocurrency miners (alongside ransomware) were the weapon of choice in 2017 for financially motivated cyber-criminals.

Cryptocurrency miners work by solving difficult maths problems on a user’s machine; in return, the miner earns a certain amount of cryptocurrency (0.001 BTC, for example). The more computing power there is solving these problems, the harder they become for everyone to solve.

These miners take up a considerable amount of system resources, causing electricity usage to rise and device performance to fall. Many security companies classify bitcoin miners as potentially unwanted software, since many users don’t actually know that they are installed on their computer.

In mid-2017, browser-based miners became popular, because they can easily be planted in the background of a webpage without any user interaction. An example of this is Coinhive. Coinhive is a JavaScript library that performs Monero cryptocurrency mining using the resources of the user who visits the website.

Coinhive JavaScript (image caption)

I predict that in 2018, JavaScript cryptocurrency miners will be used more often than traditional miners by criminals. In addition, I expect ad-blocker extensions to block these malicious scripts in the future, as they take up considerable system resources.
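Since the post says browser-based miners are planted as a script tag and that ad-blockers will end up blocking them, here is an added example (not code from the original post or from Coinhive) of the simplest defensive check: scanning a page's HTML for a miner script include or an inline call to the miner API. The script host names and the constructor names (CoinHive.Anonymous, CoinHive.User) are assumptions taken from public reporting of the time; the sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators (from public reporting about Coinhive; not from the original post).
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com")
MINER_API_PATTERNS = (
    ("CoinHive.Anonymous", re.compile(r"\bCoinHive\.Anonymous\s*\(")),
    ("CoinHive.User", re.compile(r"\bCoinHive\.User\s*\(")),
)


def _is_miner_host(url):
    """True if the script URL points at a known miner host or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


class MinerScanner(HTMLParser):
    """Collects (kind, detail) findings for external and inline miner scripts."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src") or ""
        if src and _is_miner_host(src):
            self.findings.append(("external-script", src))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers the body of a <script> element through handle_data.
        if not self._in_script:
            return
        for label, pattern in MINER_API_PATTERNS:
            if pattern.search(data):
                self.findings.append(("inline-miner-api", label))


def scan_html(html):
    """Return the list of findings for one HTML document (empty list means nothing found)."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one external include plus the inline call that starts mining.
SAMPLE_PAGE = """<html><head><title>Free stuff</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body><p>Enjoy!</p>
<script src="https://cdn.example.org/app.js"></script></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

A host match is only as good as the indicator list, which is why the inline pattern check is there as well: a copy of the library served from another domain still has to call the same API to start mining.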

Command Execution using the Windows 10 Search Bar

This is not a vulnerability or a security bug. This is a legitimate Windows 10 feature that is often overlooked by businesses and corporations. It allows you to run Command Prompt commands and PowerShell scripts from the Windows 10 Search Bar.

OK, so let’s start with some basic commands for the Windows 10 Search Bar. This will launch command prompt:

cmd.exe

Users should be able to type these commands into the Windows 10 Search Bar, with a result that says “Run Command” showing up.

This will launch command prompt and run the tree command on the C drive:

cmd.exe /K "tree C:/"

This will do the same, but it will save the output to “C:/output_cmd.txt”:

cmd.exe /K "tree C:/ > C:/output_cmd.txt"

Now, if you have set a Group Policy to block the command prompt for standard users, the commands above should not have executed. OK, let’s bypass the Group Policy, run the tracert command and save the output to a file:

cmd.exe /C "tracert google.com > C:/traced.txt"

The ‘/C’ in the command above simply tells the command prompt to run the command in console mode. The Group Policy does not govern commands that are executed in console mode, therefore the command should be executed, even for standard users.

If the command fails, try changing the command to save the output to a directory which is not protected (such as your Documents folder or a USB drive).

Using this method, standard users can now launch PowerShell as well:

cmd.exe /C "powershell.exe"

This especially becomes a problem on RDP servers, where in some cases all users are connected to the same machine, allowing them to launch PowerShell commands that affect every user connected to the RDP server at that moment in time:

cmd.exe /C "PowerShell -Command "Get-Process" > C:/get_process.txt"

It is worth mentioning that it is possible to do this using Notepad++ as well.

In Notepad++, simply press the F5 key, type in your command, then press Run.

If your computer has Python installed, you can also do this using Python:

from os import system
# Use single quotes for the Python string so the double quotes inside the command need no escaping
system('cmd.exe /C "PowerShell -Command "Get-Process" > C:/get_process.txt"')

Or alternatively:

import os
# Same command; the inner double quotes could also be escaped as \" inside a double-quoted string
os.system('cmd.exe /C "PowerShell -Command "Get-Process" > C:/get_process.txt"')

Keep in mind that, in order for the commands to work in Python, you need to escape (or quote differently) any characters that would otherwise cause a syntax error.

The power of this ability should not be underestimated. It is possible that a malicious actor (possibly even an APT) could use this technique in targeted attacks to sabotage, damage and/or gain unauthorised access to computer systems / networks.

Don’t buy passwords! Generate your own!

The security researchers reading this may think that the title of this blog post is an obvious statement, but business entrepreneurs might not.

A few years ago, a service called “Diceware Passwords” was created. Recently, it has gained a reputation as a way to obtain “cryptographically secure” passwords.

The general concept of this service is that someone creates a password by rolling dice a few times and then picking the correspondingly numbered words out of a word list.

In this blog post, I am going to go through some of the ridiculous claims that are on their website and why they are incorrect/misleading.


I sell strong, secure passwords.

First of all, buying passwords from someone and then using them is a very bad idea. Not only does the seller have the password, but it is probably already in thousands of password databases, ready to be used by attackers across the world.

I use a proven methodology called Diceware to build long, strong, memorable passwords using strings of words from the dictionary.

Using strings from dictionaries in your passwords is a bad idea. They can easily be cracked and your accounts can easily be broken into by brute force attacks if you use words from the dictionary.

Even passphrases that have been modified by substituting letters with symbols and/or numbers can easily be defeated by password crackers that apply “mutation” rules to passphrase candidates. An example of a password cracker that does this is hashcat.

Basically, a high entropy password is a long password.

In computer security, entropy is a term used to refer to the overall randomness of a piece of data.

The statement is true if your password uses totally random characters in random combinations (such as aW%CNVs^E{jlLOG% ). However, passwords created from words in the dictionary do not have high entropy, as they only use standard letters and use no symbols or numbers.

Diceware is a good method for passwords that you really want to be secure – such as the passwords for e-mail and financial accounts.

I really wouldn’t use passwords created using a dictionary for financial accounts.


The claims above are misleading. They assume that attackers are simply enumerating every possible password combination. As I said earlier, attacks that use dictionary words and introduce mutations can crack these passwords much more quickly. Eight words are not “completely secure” and will not take until 2050 to crack if you use a dictionary attack.


How can you create secure passwords?

You can create strong, secure, random passwords by using this Python script I made below:

# This script generates random passwords
# Created by iFuzion77
import secrets  # secrets, not random: the random module is not designed for security-sensitive use

# Characters a password may contain. A literal double quote and a backslash need
# escaping in a Python string literal, and each symbol appears only once.
pslist = ["[", "]", "¬", "¦", "€", " ", "!", '"', "#", "$", "%", "&", "'", "(", ")", "*", "+",
          ",", "-", ".", "/", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", ":", ";", "<",
          "=", ">", "?", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M",
          "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "\\", "^", "_", "`",
          "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q",
          "r", "s", "t", "u", "v", "w", "x", "y", "z", "{", "|", "}", "~",
          "á", "é", "í", "ó", "ú", "Á", "É", "Í", "Ó", "Ú", "ñ", "Ñ"]

for x in range(50):
    output = ""
    stringlength = 30 + secrets.randbelow(46)  # 30 to 75 characters inclusive
    for y in range(stringlength):
        output += secrets.choice(pslist)
    print(output)

This script took about five minutes to make. Furthermore, the passwords it generates do not contain any dictionary words, making them resistant to dictionary attacks. The script is also free!


How should I store my passwords?

Use a password manager. Some good options are 1Password, KeePass, LastPass and Kaspersky Password Manager.

Never store your passwords in an unencrypted text document, since a piece of malware could easily retrieve them and send them to an attacker.


One more thing…

To those of you saying “give her a break!” – The problem is that people actually listen to the advice on creating passwords given on that website. Moreover, they even buy and use the passwords that somebody else created, which is bad!

Watch out for IP Grabbers

About two months ago I was the victim of a social engineering attack that leveraged an IP grabber. These tools are designed for script-kiddie-level cyber espionage and usually give the attacker the following information:

  • IP Address
  • Internet Service Provider
  • User-Agent
  • Location
  • Information about the victim’s machine
  • Information about the victim’s network
  • The victim’s cookies

These types of websites may also install spying software and/or Remote Administration Tools onto the victim’s computer. It is therefore important to make sure that your computer is fully updated and that you have an Internet security suite installed.

The IP Grabbers that I was able to retrieve from the social engineering attack can be seen here.

Users should avoid links to unknown websites and avoid shortened links like goo.gl and bit.ly – even if a friend or family member sent them to you 🙂

The Irony of Password Security Requirements

Occasionally, organisations like to choose stupid password requirements for signing up to services. This is fairly annoying if you are someone like me who uses totally random passwords from a password generator. Many websites and organisations set arbitrary rules for passwords, and many of those rules are either stupid and/or misleading. So I am going to discuss some of them and why they are stupid.

Limiting the number of characters you can use

Ok, so this idea isn’t actually that bad if websites choose a large limit (such as 100 or 256), but when organisations limit you to 8/10/12 characters and claim it is for “security reasons”, I don’t think they know what they are doing.


By limiting the number of characters to such a low number, they increase the risk of accounts being breached by brute force attacks, since the number of combinations the attacker has to try is much lower. It also lowers the number of entries needed in a rainbow table to crack password hashes if the website gets hacked. This is an even bigger issue than you might think, since many people today still use the same passwords across various websites and services, and/or still use the same passwords from several years ago, which then allows an attacker to reuse the cracked credentials on other services.

Limiting the type of characters you can use

Once again, this idea isn’t bad unless they unnecessarily ban the use of standard keyboard symbols like [ ] { } @ ‘ # ~ ! ” £ $ € ^ & * ( ) – _ = + | < > ? / , . : ;

Banning the use of non-standard characters like Unicode control characters is generally accepted, but when organisations ban the use of any of the standard symbols in passwords, it may suggest that they have a SQL injection risk or are not doing any kind of input sanitisation. Once again, this lowers the security of their users, as they will use passwords that are easy to guess like ‘password1’ or ‘qwerty123’. It also makes people more likely to use dictionary words in their passwords, which significantly lowers the number of combinations an attacker needs to try in order to gain access to an account.

Limiting the types of combinations you can use

Many websites say on the sign-up page “The password must start with a letter and end with a number”. This just makes users choose predictable passwords like “mydog123456” or “football14”. I’m not even going to explain why this is bad, because anyone with any common sense should know why this practice is bad.
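To make the three complaints above concrete, here is an added example (my own illustration, not code from the original post) in Python: a policy of the kind criticised (12-character maximum, letters and digits only, letter-first/digit-last) beside a sane one (long minimum, high maximum, any printable character, a denylist of known-bad passwords), a keyspace calculation showing what the short limit costs, and a salted PBKDF2 hash to show why no character needs to be banned for “injection” reasons once the password is only ever handled as bytes. The policy parameters, the tiny denylist and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import math
import os
import string
import unicodedata

# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password1", "qwerty123", "mydog123456", "football14", "letmein", "123456"}


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a password of `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


class Policy:
    """A password policy; alphabet=None means every non-control character is allowed."""

    def __init__(self, min_length, max_length, alphabet=None,
                 letter_first_digit_last=False, reject_common=False):
        self.min_length = min_length
        self.max_length = max_length
        self.alphabet = alphabet
        self.letter_first_digit_last = letter_first_digit_last
        self.reject_common = reject_common


# The kind of policy the post complains about: short limit, letters/digits only, fixed shape.
WEAK_POLICY = Policy(min_length=6, max_length=12,
                     alphabet=set(string.ascii_letters + string.digits),
                     letter_first_digit_last=True)

# A sane policy: long minimum, high maximum (bounds hashing cost), no character bans, denylist.
GOOD_POLICY = Policy(min_length=12, max_length=256, reject_common=True)


def check_password(password, policy):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long")
    if policy.alphabet is not None:
        disallowed = sorted({c for c in password if c not in policy.alphabet})
        if disallowed:
            problems.append("disallowed characters: " + "".join(disallowed))
    # Control characters (Unicode category C*) are the only class worth rejecting outright.
    if any(unicodedata.category(c).startswith("C") for c in password):
        problems.append("control characters")
    if policy.letter_first_digit_last and not (password[:1].isalpha() and password[-1:].isdigit()):
        problems.append("must start with a letter and end with a digit")
    if policy.reject_common and password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. The password is treated only as UTF-8 bytes and never
    pasted into a query, so symbols and non-ASCII characters are harmless here."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(f"8 letters/digits: {keyspace_bits(62, 8):.1f} bits; "
          f"16 printable ASCII: {keyspace_bits(95, 16):.1f} bits")
    for pw in ("football14", "aW%CNVs^E{jlLOG%", "pässwörd € with spaces"):
        print(repr(pw), "weak:", check_password(pw, WEAK_POLICY),
              "good:", check_password(pw, GOOD_POLICY))
    stored = hash_password("aW%CNVs^E{jlLOG%")
    print(verify_password("aW%CNVs^E{jlLOG%", stored), verify_password("wrong", stored))
```

Run it and the weak policy accepts “football14” while rejecting the 16-character random password from earlier in this post on three counts; the sane policy does the reverse. The 256-character cap is the one limit worth keeping, since it bounds the cost of the password hash rather than the attacker’s search space.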

“Using your e-mail address as your password is sufficient security”

OK, this one is stupid, but some organisations genuinely believe that you don’t need a password at all. They say that the e-mail address is just fine! Unfortunately this creates a situation where anyone can log in to your account. In the case of Strawberrynet, anyone could log in to your account using just your e-mail address and see your home address, phone number, date of birth and other personal information.

Not allowing users to use rude words in their passwords

I’m just going to link this article about Virgin Media.

Summary

This blog post was meant to show why many of the popular password requirements used by companies are quite bad, why they are misleading to users, and why they actually lower the security of those users.