
Bitcrypt broken - pedro84
http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt-broken
======
jewel
This is one reason why I tell people to have both offsite backups (in case of
fire, theft, etc.) and _offline_ backups. There are a lot of us that are just
one SSH worm away from having all of our files destroyed.

I've been thinking about ways to create an offline-equivalent backup, so that
it can be automated. One way would be to have a computer that is only
connected via serial cable, which only accepts new files to be backed up. (No
ability to delete via the serial cable.)

~~~
mjn
A pretty low-tech system I saw in use in the '90s, without having to go all
the way to serial cables, was just FTP with delete/overwrite disabled, to a
machine with no other network services running. You dump a snapshot and FTP it
to the backup host over your local ethernet. The FTP server accepts new files,
but doesn't allow deletions or modifications of previously uploaded files
(lots of FTP servers have this option, in order to be able to create a public
"anonymous upload" folder without people overwriting each others' uploads). If
you ever need to retrieve the backups, you physically log in on the backup
machine and do something from there.

This does rely on the FTP implementation being solid (vsftpd seems like a
reasonable choice).
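
The write-once FTP drop box described above, as an added example (this is not the thread's or the vsftpd project's configuration): a vsftpd.conf that accepts uploads but refuses deletes, renames and overwrites, and makes uploaded files unreadable over FTP so retrieval requires a local login. The `/srv/backup-drop` path, its `incoming` subdirectory and the `backup` account are assumptions; only the option names are vsftpd's own.

```ini
# vsftpd.conf for a write-once backup drop box (added example; paths and the
# 'backup' account are assumed, option names are vsftpd's).
# Layout assumed: /srv/backup-drop owned by root, not writable by anyone;
# /srv/backup-drop/incoming owned by the 'ftp' user, mode 0700.
listen=YES
anonymous_enable=YES
# No password logins over the network at all; retrieval is done at the console.
local_enable=NO
anon_root=/srv/backup-drop

# Allow STOR and MKD so a client can push a snapshot into a new directory...
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

# ...but no DELE, no RNFR/RNTO, no RMD. With this set to NO, vsftpd also opens
# anonymous uploads exclusively, so an existing file cannot be overwritten.
anon_other_write_enable=NO

# Uploaded files are created 0600 (umask 077) and handed to an account the FTP
# daemon never runs as, so they cannot be read back or clobbered via FTP.
anon_umask=077
anon_world_readable_only=YES
chown_uploads=YES
chown_username=backup

# Transfer log: an unexpected burst of uploads is the first sign of trouble.
xferlog_enable=YES
xferlog_std_format=YES
```

The trade-off is the one mjn names: the machine is reachable over the LAN, so its safety rests on vsftpd's own robustness and on the host running nothing else.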

~~~
jewel
That is a good idea. I have considered having a network service like that, but
I'm a little too paranoid. I want something that will survive heretofore
unseen events, like a 0-day remote root exploit in the Linux kernel networking
stack.

If such a remote root exploit exists, and the person that discovers it decides
to write something like the Code Red worm from 2001, and also decides to have
the worm erase all block devices, I'd currently lose every file I have and all
of my backups, even though they are geographically dispersed. It's possible
that even services like S3 and Dropbox would be wiped in such an event.

Once again, I realize I'm unusually paranoid in this regard, but I really
don't want to lose my stuff.

~~~
tachion
Not everything is running on Linux you know, and therefore not everything is
prone to the 0 day remote Linux kernel exploit. Get yourself other backup
layers on other operating systems, like Tarsnap, that runs FreeBSD, and you
should get another level of security.

------
pedro84
Ransomware crypto fail:

    The number has 128 digits, which could indicate a (big)
    mistake from the malware author, who wanted to generate
    a 128 bytes key.
    Finally, we simply deal with RSA-464 encryption, which
    can easily be broken on a standard PC in a matter of hours.
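
To make the digits-versus-bytes slip in the quoted analysis concrete, here is an added example (not code from the thread, the Cassidian write-up or the malware): a toy RSA key generator that sizes its primes first in decimal digits and then in bytes, and reports how many bits of modulus each interpretation actually yields. The Miller-Rabin routine and the sizes are constructed for illustration only.

```python
"""Added example, not code from the thread or from the Cassidian write-up it
links: how RSA modulus size collapses when prime size is specified in decimal
digits rather than bytes, the mix-up the quoted analysis attributes to the
BitCrypt author. The key generation here is a textbook toy (Miller-Rabin plus
trial division) constructed for illustration; it does not reproduce the
malware's code."""
import secrets

# Odd primes below 1000 for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (error < 4**-rounds)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime_with_digits(digits):
    """Prime with exactly `digits` decimal digits: sizing by digits, the mistake."""
    lo, hi = 10 ** (digits - 1), 10 ** digits
    while True:
        cand = (lo + secrets.randbelow(hi - lo)) | 1
        if is_probable_prime(cand):
            return cand


def random_prime_with_bytes(nbytes):
    """Prime of exactly `nbytes` bytes (top bit set): the conventional sizing."""
    bits = 8 * nbytes
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def modulus_report(p, q):
    """Size of the RSA modulus n = p*q in the two units that got confused."""
    n = p * q
    return {"digits": len(str(n)), "bits": n.bit_length()}


def compare_sizings(size=64):
    """Build one modulus per interpretation of `size` and report both."""
    by_digits = modulus_report(random_prime_with_digits(size),
                               random_prime_with_digits(size))
    by_bytes = modulus_report(random_prime_with_bytes(size),
                              random_prime_with_bytes(size))
    return {"digits_interpretation": by_digits,
            "bytes_interpretation": by_bytes}


if __name__ == "__main__":
    # Two 64-digit primes give a ~128-digit modulus of only ~425 bits, a size
    # general-purpose factoring tools handle on commodity hardware; two
    # 64-byte primes give a 1024-bit modulus of ~309 digits.
    for label, report in compare_sizings(64).items():
        print(f"{label}: {report['digits']} digits, {report['bits']} bits")
```

The point for anyone reviewing key-generation code: check the unit of every size parameter at the call site, and assert on `n.bit_length()` of the resulting modulus rather than on the length of its printed form.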

~~~
ChuckMcM
Another reason why you shouldn't do your own crypto, leave it to the experts.
:-)

~~~
marcosdumay
Looks like the virus writer did leave it to the experts. But then, he entered
the wrong number at a function call.

~~~
ChuckMcM
Is that like "Hey I got the 'Professional' model of this camera because I want
my pictures to be professional." :-)

------
CharlesMerriam2
Every article on security ends with:

* Update your anti-virus software
* Apply all software updates
* Pick a hard password

Rarely do these matter: ransomware, Target, etc., are exploits unrelated to
these defenses. Why do we push them so hard? Does anyone feel safer and more
righteous from advocating this security theatre?

~~~
itchitawa
Indeed. Or even "don't click on suspicious emails or visit suspicious
websites" which are actually always harmless. How about simply "don't run a
program you don't trust" and we wouldn't need virus scanners at all.

~~~
TrainedMonkey
That would exclude me from using the dominant majority of the software I use
daily.

~~~
itchitawa
Or at least cause you to consider the risk of loss compared to the value of
using the software while not panicking when you receive a spam email with a
suspicious looking xls file attached.

------
nwh
Malware aside, it's annoying that people still think Bitcoin payments come
"from" an address. It's not something you can rely on or expect in Bitcoin,
and certainly shouldn't be used to identify payments by a client. A unique
address per payment requested is the proper, expected method.

~~~
BlackDeath3
>Malware aside, it's annoying that people still think Bitcoin payments come
"from" an address.

Do you mind clarifying?

~~~
nwh
Sure. You essentially can't rely on a particular wallet sending from an
address they know about, or even from an address they can control.

The classic example is of a service using a shared wallet like Coinbase does.
Coinbase maintains control of the keys of every piece of Bitcoin their clients
own, and they have an external database that contains a record of how much
Bitcoin they are holding on behalf of their clients. This allows them to keep
the vast majority of the funds offline where they are invulnerable to attack.
This system means that the "from" address is likely never correlated to the
sender, and they have no control of where they send "from". Relying on a
client to provide this information usually ends in disaster, as does sending
refunds to an address you were sent "from".

Even for the reference client Bitcoin-QT addresses are disposable and almost
never linked. Change from one transaction is sent to an entirely new address,
which is done invisibly from the user's perspective. There's more information
about that on the wiki; change addresses in themselves are quite confusing.

[https://en.bitcoin.it/wiki/Change](https://en.bitcoin.it/wiki/Change)

------
Tegran
Malware author probably uses a multitude of wallets, but the one shown in that
screenshot has received a few actual payments:

[https://blockchain.info/address/1HKCHx1RFhNHuF3NxLviHdrjNFzJ...](https://blockchain.info/address/1HKCHx1RFhNHuF3NxLviHdrjNFzJbCTvrC)

~~~
wbillingsley
It always seems a little odd to me that bitcoin is associated with criminal
enterprise. Surely with the transaction record public, it's rather easier for
the police to "follow the money" than with cash etc?

~~~
aroch
You can "follow the money" electronically, but unlike bank transfers there's
no physical connection. Going from imaginary point 1 to imaginary point 2
doesn't really tell you anything.

~~~
dllthomas
But some transactions are ultimately linked to the physical world, and that
gives a window through which more can be pinned down over time. Operating from
_just_ the blockchain doesn't tell you very much, but combined with other
things it's a lot more informative than cash movements. You're never leaking
_less_ than you think.

~~~
ifross
Bitcoin mixers can make it almost impossible for people to follow bitcoin
transactions, providing that the number of coins in the mixer far exceeds the
amount you are trying to mix.

~~~
dllthomas
Again, you're never leaking _less_ information than you think. I also expect
that using bitcoin mixers will be prosecutable under AML laws in the medium
term, if they aren't already.

------
dreamfactory2
Isn't this the kind of thing the NSA should be spending their time and our
money on?

~~~
Groxx
Is it a risk to national security?

~~~
einhverfr
Once they are hit, they will think so....

------
goldenkey
Could it be the author made it crackable because he wanted to be able to help
anyone recover their files if there was some mishap? Just a thought.

~~~
eric_h
It seems unlikely to me that the author wanted to help anyone.

------
wyager
>So, things were clear: the cybercriminal wants 0.4 Bitcoin, which made about
260 Euros at the time of infection, but only 89 Euros at the time of writing
(Once again this shows how unreliable the Bitcoin money is, but that is
something else).

Sigh. The author is using the MtGox price. Mtgox is one of the smaller Bitcoin
exchanges these days. Due to their legendary incompetence, they got hacked a
while back and disabled Bitcoin withdrawals. As a result, their "Bitcoin"
trading price fluctuated from 1/2 to 1/6th that of other exchanges. The
current market value of Bitcoin on _all_ other exchanges is actually 400+
euros right now.

~~~
Guvante
To be fair to the author, not six months ago MTGox was the place to look for
the price of Bitcoins.

------
dewiz
Is it just me, or a random new aes pwd for each file makes perfect sense?
Otherwise once you brute force one file you could decrypt all the other ones.

~~~
Strom
Brute forcing properly implemented AES isn't possible.

~~~
dewiz
I don't understand what you're saying. Brute force is always possible.
Succeeding is only a matter of time. Suppose you find the password for one of
those files, then you would be able to decrypt all your ransom data. When it
comes to recovering your data, you might be ready to have a brute force
running for long long long time 😊

~~~
spiffytech
Technically, if the universe went on forever, yes, you could brute force AES.
However, with a well-chosen key (i.e., 256 random bits, and not merely a
weaker password that was expanded into a 256-bit key), the odds are pretty
decent that all life in the universe will end before you guess the key.

A listener to Security Now wrote in to episode 340 with this for perspective:

    I took 256-bit encryption and assumed that the only way to crack it was, as we
    currently believe, a brute-force attack against the 256-bit key. ... So let's
    say the tricksy government has a secret algorithm that somehow allows them to
    weaken the strength to one trillionth of the original. That's a good number,
    one trillionth. And let's say they had a computer that can try 100 trillion
    guesses per second. And let's say this computer was one cubic millimeter in
    size, and let's say they build a cracking complex the size of the entire Earth
    made out of these one cubic millimeter crypto cracking computers. If I did my
    math right, it would still take 34 trillion years to crack.

I've double-checked the math, that's how long it takes to exhaust the 256-bit
keyspace, even in an unreasonably-generous scenario. You could halve that time
to get the average time it takes to find any given 256-bit key, since you
won't, on average, have to search the entire key space.

We trust AES 256 because, as long as the algorithm is sound, it is actually
impossible to brute-force in any useful time frame, for even insane
definitions of "useful". Even in some scenarios where the algorithm _isn't_
sound, as above, it's still impossible.

The author of BitCrypt didn't use AES 256, however. They used AES 192, which
is drastically weaker. According to the same calculations, it would take
0.00067 _days_ to brute-force an AES 192 key. With a planet-sized cracking
machine, impossibly fast computers, and a substantially weakened algorithm.

However, it gets better - the author of BitKeeper didn't actually choose a
256-bit key, they chose a 16-character password that was expanded into a key,
and _that's_ what we can crack to decrypt an individual BitCrypt file. In our
hypothetical (yet unrealistic) scenario, this can be done in under a second.

So: brute-forcing well-implemented AES (good key, good key length) is
impossible, no matter how you slice it. Brute forcing AES with a questionable
key length is still impossible with anything remotely resembling the
technology we'll see in our lifetimes.

Brute-forcing a file encrypted by low-quality malware is absolutely possible,
as the article shows :)
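
The planet-sized-cracker estimate above, carried through as an added example (not code from the thread or the Security Now listener): the cracker parameters are the ones in the quoted text, and the function reproduces the 34 trillion years for a 256-bit key and the 0.00067 days for a 192-bit key. The Earth's volume (about 1.083e21 cubic metres) and the 95-character printable-ASCII alphabet used for the 16-character password are assumptions made here.

```python
"""Added example, not code from the thread: the planet-sized-cracker estimate
quoted from Security Now, turned into a function so the inputs can be varied.
The cracker parameters are the ones in the quoted text; the Earth's volume
(~1.083e21 m^3) and the 95-character printable-ASCII alphabet for the 16-char
password are assumptions made here."""

EARTH_VOLUME_MM3 = 1.083e21 * 1e9      # cubic metres -> cubic millimetres (assumed)
SECONDS_PER_DAY = 86400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def brute_force_seconds(keyspace, *, weakening=1e12,
                        guesses_per_sec_per_unit=1e14,
                        units=EARTH_VOLUME_MM3, average_case=False):
    """Seconds to search `keyspace` guesses with the quoted cracking complex.

    weakening: factor by which a hypothetical attack shrinks the search
               (the quote's "one trillionth").
    guesses_per_sec_per_unit: speed of one 1 mm^3 cracking computer.
    units: number of such computers (an Earth's worth by default).
    average_case: halve the work, since on average the key is found midway.
    """
    effective = keyspace / weakening
    if average_case:
        effective /= 2
    return effective / (guesses_per_sec_per_unit * units)


def key_keyspace(bits):
    """Number of keys for a uniformly random `bits`-bit key."""
    return 2.0 ** bits


def password_keyspace(length, alphabet_size=95):
    """Number of passwords of `length` characters over an alphabet
    (95 = printable ASCII, an assumption; BitCrypt's alphabet is not given)."""
    return float(alphabet_size) ** length


def to_years(seconds):
    return seconds / SECONDS_PER_YEAR


def to_days(seconds):
    return seconds / SECONDS_PER_DAY


if __name__ == "__main__":
    # Exhaustive search, i.e. the worst case the quoted listener computed.
    aes256 = to_years(brute_force_seconds(key_keyspace(256)))
    aes192 = to_days(brute_force_seconds(key_keyspace(192)))
    pw16 = brute_force_seconds(password_keyspace(16))
    print(f"AES-256 exhaustive search: {aes256:.3g} years")
    print(f"AES-192 exhaustive search: {aes192:.3g} days")
    print(f"16-char password (95 symbols): {pw16:.3g} seconds")
```

The useful lesson is in the gap between the three figures rather than in any one of them: the difference between 256 and 192 bits is a factor of 2^64 in work, and a 16-character password expanded into a key has roughly 2^105 possibilities, so whatever the key length says on the label, a password-derived key is only as strong as the password behind it.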

------
mml
nb: crashplan will encrypt & back up your stuff locally & remotely (in
multiple locations) and keep a version history, which pretty much nips this
sort of crap in the bud.

(not affiliated with those guys, just a happy user)

------
rackoons44
That's why you have online and offline backups.

------
whogothacked
an Amazing tech system ...

------
gwern
> So, things were clear: the cybercriminal wants 0.4 Bitcoin, which made about
> 260 Euros at the time of infection, but only 89 Euros at the time of writing
> (Once again this shows how unreliable the Bitcoin money is, but that is
> something else).

Fail.

~~~
ZoFreX
Could you expand your comment a little beyond "Fail." to explain to those of
us who aren't totally clued up on BitCoin what is wrong with that statement?

~~~
retroafroman
The cash value of Bitcoin declined since last fall, meaning the hacker is
making less 'real' money now, if they try to trade the Bitcoin for cash. By
hardcoding the asking amount of 0.4 Bitcoin, they are susceptible to the many
ups and downs of the Bitcoin/$ ratio.

~~~
gwern
That's pretty bad, yes, but I was more irked by the author using a blatantly
wrong and meaningless price.

