
PANIC Project: One Year Later

Jacob
September 27, 2012


Slides for Brucon 2012 Workshop. For more info see http://panic-project.com


Transcript

  1. Disclaimer • Views and Opinions shared here are our own and not our employers, past, present, or (obviously) future.
  2. Who We Are • biosshadow - Fearless leader • Benson - Resident code monkey • Matt - Security guy
  3. We would like to Thank • Travis McCrea - Designer of our website • Justin Elze - sysadmin and ideas • Ashleigh Baumgardner - stats advice • Mike Kelly of Spiderlabs - access to leaks • Anyone who provided data and cracked passwords for us.
  4. The Beginning • May 2011 - Idea born as a blog post • September 2011 - "announced" at Brucon 2011 Lightning Talks as multi-part project
  5. But... • It's still quite useful • Unique as a leak clearinghouse • We can work around some of the issues (more on this later)
  6. The Project in 4 Bullet Points • Automate Collection of Leaks via Pastebin and Twitter • Clean and remove all data that is not emails or passwords • Enter the data in a centralized database • Run analytics on the database to find interesting patterns
  7. The process • Collecting leaks • Cleaning the passwords • Importing the data • Run Analysis • Find patterns • ??? • Profit?
  8. Collecting Passwords • Data collected via Twitter API and scraping Pastebin • Plan to add the top 5 pastebin Sites • And eventually as many as we can find
  9. Tools for finding leaks • PasteLert http://bit.ly/PS9uYh • PastEnum http://bit.ly/e95kmE • PasteMon http://bit.ly/x4DS0H • PasteGrep http://bit.ly/PmUtNk • Pine Siskin http://bit.ly/QElc8f
  10. Cleaning The Data • Leaks contain information that is private and/or unneeded by the project (address, full names, and phone numbers) • We remove all data besides passwords, hashes, and emails
  11. Automation is key • There is a LOT of data to go through • Script ALL the things! • Profit ??? • The problem is non-standard dumps
  12. Importing Data • Handcrafted CSV files • Rake task to introduce them to rails env • Calculate leak-specific stats
  13. Run Analysis and Find patterns • Analysis run en masse and leak by leak • We let the data tell the story
  14. ??? • Automate bruteforcing o Dedicated server or EC2 o GPU goodness with oclhashcat • Add more leak sources • An interactive dataset viewer • More data, faster
  15. ??? contd. • IRCbot to find links dropped by Anonymous and other similar groups • Reports - quarterly for anyone to use to help their company or clients
  16. Profit? • No plans to monetize anything • All donations, monetary or otherwise, go into the project
  17. Data • Most interesting attribute is "strength" • How hard is it to crack? o Length o Presence in dictionary o Complexity of character set
  18. Calculating Strength • First crack at it: complexity ^ length • Strength value is unmanageably large • log(complexity ^ length) o Still monotonically increasing with strength o Log lets you graph it nicely
  19. Top Twenty! 123456789, 12345678, 123456, password, 11111111, 0, 1234567890, 123123123, abc123, qwerty, 88888888, welcome, 12345, 111111, monkey, princess, lifehack, iloveyou, sunshine, n/a
  20. How You can Help the Project • Requests o Features o Analytics • Notify us of public leaks, big and small • Help with our code - Github pull requests are welcome
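
The strength metric from slides 17 and 18, worked through in Ruby as an added example (this is not the PANIC project's code). The character-class sizes, the base-2 logarithm, the tiny dictionary and the function names are assumptions; the sample passwords come from slide 19 plus one constructed strong password.

```ruby
# Added example, not PANIC project code. Class sizes below are assumptions.
CHAR_CLASSES = {
  /[a-z]/        => 26,
  /[A-Z]/        => 26,
  /[0-9]/        => 10,
  /[^a-zA-Z0-9]/ => 33 # printable ASCII symbols incl. space; non-ASCII also lands here
}.freeze

# Constructed stand-in for a real cracking wordlist.
DICTIONARY = %w[password monkey welcome].freeze

# Constructed sample: entries from slide 19 plus one made-up strong password.
SAMPLE = %w[123456 password abc123 monkey 0 Correct-Horse-9].freeze

# Complexity = size of the character set the password draws from.
def complexity(password)
  CHAR_CLASSES.sum { |pattern, size| password.match?(pattern) ? size : 0 }
end

# "First crack at it": complexity ^ length. Grows into a huge integer fast.
def naive_strength(password)
  complexity(password)**password.length
end

# log2(complexity ^ length), computed as length * log2(complexity) so the
# huge intermediate value is never built. Same ordering as naive_strength.
def log_strength(password)
  c = complexity(password)
  return 0.0 if c.zero? # empty password

  password.length * Math.log2(c)
end

# Weakest first. Dictionary presence is reported next to the score, not folded
# into it, because the slides do not say how the two are combined.
def rank(passwords, dictionary = DICTIONARY)
  rows = passwords.map do |pw|
    { password: pw, strength: log_strength(pw).round(2),
      in_dictionary: dictionary.include?(pw.downcase) }
  end
  rows.sort_by { |row| row[:strength] }
end

if __FILE__ == $PROGRAM_NAME
  rank(SAMPLE).each { |r| puts format('%-16s %7.2f dict=%s', *r.values) }
  puts "naive value for the last one has #{naive_strength(SAMPLE.last).to_s.length} digits"
end
```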