Page 1: PANIC Project - BRUCon 2012 Presentation

PANIC Project: One Year Later

Page 2: PANIC Project - BRUCon 2012 Presentation
Page 3: PANIC Project - BRUCon 2012 Presentation

Disclaimer

● Views and opinions shared here are our own and not those of our employers, past, present, or (obviously) future.

Page 4: PANIC Project - BRUCon 2012 Presentation

Who We Are

● biosshadow - Fearless leader
● Benson - Resident code monkey
● Matt - Security guy

Page 5: PANIC Project - BRUCon 2012 Presentation

We would like to Thank

● Travis McCrea - Designer of our website
● Justin Elze - sysadmin and ideas
● Ashleigh Baumgardner - stats advice
● Mike Kelly of Spiderlabs - access to leaks
● Anyone who provided data and cracked passwords for us.

Page 6: PANIC Project - BRUCon 2012 Presentation

How this project started

Brucon 2011

Page 7: PANIC Project - BRUCon 2012 Presentation

The Beginning

● May 2011 - Idea born as a blog post
● September 2011 - "announced" at Brucon 2011 Lightning Talks as a multi-part project

Page 8: PANIC Project - BRUCon 2012 Presentation

Limitations

● Inherent sample bias
● Incorrectly entered data
● Hoax leaks
● Unable to share data

Page 9: PANIC Project - BRUCon 2012 Presentation

But...

● It's still quite useful
● Unique as a leak clearinghouse
● We can work around some of the issues (more on this later)

Page 10: PANIC Project - BRUCon 2012 Presentation

The Project in 4 Bullet Points

● Automate Collection of Leaks via Pastebin and Twitter

● Clean and remove all data that is not emails or passwords

● Enter the data in a centralized database

● Run analytics on the database to find interesting patterns

Page 11: PANIC Project - BRUCon 2012 Presentation

The process

● Collecting leaks
● Cleaning the passwords
● Importing the data
● Run analysis
● Find patterns
● ???
● Profit?

Page 12: PANIC Project - BRUCon 2012 Presentation

Collecting Passwords

● Data collected via Twitter API and scraping Pastebin

● Plan to add the top 5 leak pastebins
● And eventually as many as we can find

Page 13: PANIC Project - BRUCon 2012 Presentation

Cleaning The Data

● Leaks contain information that is private and/or unneeded by the project (address, full names, and phone numbers)

● We remove all data besides passwords, hashes, and emails

Page 14: PANIC Project - BRUCon 2012 Presentation

Automation is key

● There is a LOT of data to go through
● Script ALL the things!
● Profit ???
● The problem is non-standard dumps
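The cleaning step on the two slides above (strip everything but email, password or hash; cope with dumps that do not share one layout) is the part that has to be scripted to get through the volume. The following is an added Ruby example written for this page, not code from the PANIC project; the dump lines are constructed, the delimiter set and the "last remaining field is the password" rule are assumptions, and only MD5-shaped hashes are recognised.

```ruby
require 'csv'

# Constructed sample of the line shapes a pasted dump can mix together (hypothetical
# data): email:password, email:hash, pipe- or comma-separated rows carrying extra
# private fields (names, phone numbers, addresses), and noise lines with no credential.
SAMPLE_DUMP = <<~DUMP
alice@example.com:hunter2
bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99
Jane Doe|jane@example.org|555-0100|letmein
"Bob Roe","roe@example.net","123 Main St","qwerty"
-- dumped by someone, enjoy --
orphan@example.com
DUMP

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/
MD5_RE   = /\A[0-9a-f]{32}\z/i   # only MD5 shown; extend for other hash lengths

# Split on whichever delimiter the dump happens to use (colon, pipe, comma, tab)
# and drop surrounding quotes. Assumption: passwords in the sample contain none of
# these characters; a colon inside a password would need a format-specific parser.
def fields_of(line)
  line.split(/[:|,\t]/).map { |f| f.strip.delete('"') }.reject(&:empty?)
end

# Reduce one line to {email, kind, secret} or nil. The email is found by pattern,
# a hash by pattern, and otherwise the last remaining field is taken as the
# password (an assumption that holds for the dump layouts in the sample).
# Names, phone numbers and addresses never make it into the result.
def clean_line(line)
  f = fields_of(line)
  email = f.find { |x| x.match?(EMAIL_RE) }
  return nil unless email
  rest = f - [email]
  hash = rest.find { |x| x.match?(MD5_RE) }
  secret = hash || rest.last
  return nil unless secret
  { email: email, kind: hash ? :hash : :password, secret: secret }
end

# Lines that yield no credential (banners, bare emails) are dropped.
def clean_dump(text)
  text.each_line.map { |l| clean_line(l.chomp) }.compact
end

# The "handcrafted CSV" shape that a Rake import task could then read.
def to_csv(rows)
  CSV.generate do |csv|
    csv << %w[email kind secret]
    rows.each { |r| csv << [r[:email], r[:kind].to_s, r[:secret]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts to_csv(clean_dump(SAMPLE_DUMP))
end
```

The banner line and the bare email are rejected rather than guessed at, which is the safer failure mode: a row that is silently mis-parsed ends up polluting the statistics, while a dropped row only costs coverage.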

Page 15: PANIC Project - BRUCon 2012 Presentation

Importing Data

● Handcrafted CSV files
● Rake task to introduce them to the Rails env
● Calculate leak-specific stats

Page 16: PANIC Project - BRUCon 2012 Presentation

Run Analysis and Find patterns

● Analysis run en masse and leak by leak
● We let the data tell the story

Page 17: PANIC Project - BRUCon 2012 Presentation

Tools for finding leaks

● PasteLert http://bit.ly/PS9uYh

● PastEnum http://bit.ly/e95kmE

● PasteMon http://bit.ly/x4DS0H

● PasteGrep http://bit.ly/PmUtNk

● Pine Siskin http://bit.ly/QElc8f

Page 18: PANIC Project - BRUCon 2012 Presentation

???

● Automate bruteforcing
○ Dedicated server or EC2
○ GPU goodness with oclhashcat

● Add more leak sources
● An interactive dataset viewer
● More data, faster

Page 19: PANIC Project - BRUCon 2012 Presentation

??? contd.

● IRCbot to find links dropped by Anonymous and other similar groups

● Reports - quarterly, for anyone to use to help their company or clients

Page 20: PANIC Project - BRUCon 2012 Presentation

Profit?

● No plans to monetize anything
● All donations, monetary or otherwise, go into the project

Page 21: PANIC Project - BRUCon 2012 Presentation

Data

● Most interesting attribute is "strength"
● How hard is it to crack?
○ Length
○ Presence in dictionary
○ Complexity of character set

Page 22: PANIC Project - BRUCon 2012 Presentation

Calculating Strength

● First crack at it: complexity ^ length
● Strength value is unmanageably large
● log(complexity ^ length)
○ Still monotonically increasing with strength
○ Log lets you graph it nicely
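The two slides above (the three inputs to "strength" and the move from complexity ^ length to its logarithm) are easier to judge with numbers in hand. This is an added Ruby example written for this page, not the PANIC project's own code: the per-class alphabet sizes, the toy dictionary, and the rule that a dictionary hit scores zero are all assumptions, since the deck names the inputs but not the constants.

```ruby
# Character-class sizes. Assumption: the deck only says "complexity of character
# set"; these are the conventional alphabet sizes for each class.
CHAR_CLASSES = {
  /[a-z]/        => 26,
  /[A-Z]/        => 26,
  /[0-9]/        => 10,
  /[^a-zA-Z0-9]/ => 33   # printable ASCII punctuation and space
}.freeze

# Constructed stand-in for a cracking wordlist (a real one has millions of entries).
DICTIONARY = %w[password monkey princess sunshine iloveyou welcome qwerty letmein].freeze

# Size of the alphabet the password draws from.
def complexity(pw)
  CHAR_CLASSES.sum { |re, size| pw.match?(re) ? size : 0 }
end

# First cut from the slides: complexity ** length. Ruby's arbitrary-precision
# integers mean it never overflows, but the values are useless for a DB column
# or a chart axis (a 20-character mixed password scores a 40-digit number).
def raw_strength(pw)
  complexity(pw) ** pw.length
end

# Second cut: log(complexity ** length) == length * log(complexity).
# Same ordering as the raw value, so "stronger" still means "larger", but in a
# range you can plot and store.
def log_strength(pw)
  return 0.0 if pw.empty?
  pw.length * Math.log(complexity(pw))
end

# Dictionary presence trumps keyspace math: a wordlist attack finds such a
# password in one guess no matter how its characters score. Assumed rule.
def effective_strength(pw)
  DICTIONARY.include?(pw.downcase) ? 0.0 : log_strength(pw)
end

if __FILE__ == $PROGRAM_NAME
  %w[123456 password abc123 Tr0ub4dor&3].each do |pw|
    printf("%-14s complexity=%3d raw=%-25s log=%6.2f effective=%6.2f\n",
           pw, complexity(pw), raw_strength(pw), log_strength(pw), effective_strength(pw))
  end
end
```

Because log is monotonic, every comparison that held for the raw value still holds for the logged one: a longer password beats a shorter one of the same character set, and a richer character set beats a poorer one at the same length. The dictionary override is what keeps "password" (8 lowercase letters, a respectable-looking 26.07 on the log scale) from being scored as anything but weak.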

Page 23: PANIC Project - BRUCon 2012 Presentation

Top Twenty!

● 123456789
● 12345678
● 123456
● password
● 11111111
● 01234567890123123123 (several entries run together in the source)
● abc123
● qwerty
● 88888888
● welcome
● 12345
● 111111
● monkey
● princess
● lifehack
● iloveyou
● sunshine
● n/a

Pages 24-29: PANIC Project - BRUCon 2012 Presentation (slides without extracted text)

How to help/contact us

Jacob @biosshadow / [email protected]

Benson @bensonk42 / [email protected]

Matt @undeadsecurity / [email protected]

Page 31: PANIC Project - BRUCon 2012 Presentation

How You can Help the Project

● Requests
○ Features
○ Analytics

● Notify us of leaks, big and small
● Help with our code - GitHub pull requests are welcome

Page 32: PANIC Project - BRUCon 2012 Presentation

Thanks!

Final Questions?