He sold cracked passwords for a living – now he’s serving 4 years in prison
Credit to Author: Paul Ducklin | Date: Fri, 13 May 2022 15:31:56 +0000
What does the word Glib mean to you?
Does it make you think of a popular programming library from the GNOME project?
Do you see it as a typo for glibc, a low-level C runtime library used in many Linux distros?
Do you picture someone with the gift of the gab trying to sell you a product of a type you don’t need with a quality you wouldn’t accept anyway?
In this article, it turns out to be the first name (in Latin script, anyway) of a convicted cybercriminal called Glib Oleksandr Ivanov-Tolpintsev.
Originally from Ukraine, Tolpintsev, who is now 28, was arrested in Poland late in 2020.
He was extradited to the US the following year, first appearing in a Florida court on 07 September 2021, charged with “trafficking in unauthorized access devices, and trafficking in computer passwords.”
In plain English, Tolpintsev was accused of operating what’s known as a botnet (short for robot network), which refers to a collection of other people’s computers that a cybercriminal can control remotely at will.
A botnet acts as a network of zombie computers ready to download instructions and carry them out without the permission, or even the knowledge, of their legitimate owners.
Tolpintsev was also accused of using that botnet to crack passwords that he then sold on the dark web.
The trouble with zombies
Zombie networks can typically be ordered around by their so-called botherder in many different ways.
Co-opted computers can be controlled individually, so each can be set to a different task; groups of zombies can each be assigned one of a set of tasks; or all the zombies can be harnessed simultaneously.
(Don’t forget that the tasks that crooks can and do launch on infected computers include spying on their owners to log keystrokes, take screenshots and identify interesting files, followed by uploading any and all interesting information collected during the data gathering phase.)
When all the bots in a botnet co-operate on the same task, the botherder ends up with what is essentially a massively distributed “cloud supercomputer” that can split up one time-consuming project, such as trying to crack a million different passwords, into hundreds, thousands or even millions of subtasks.
Password cracking is a computer science problem that is sometimes referred to in the jargon as embarrassingly parallel, because the algorithmic process involved in cracking the password hash 499a5cb2 7ca65c36 d239ebce 7af641e5 is entirely independent of cracking, say, 800e8536 0c6997fa 909bb9f5 d0fabe46.
In contrast, in applications such as modelling river flows or making weather forecasts, each computer or node in the network needs to share intermediate results with its neighbours, and they with theirs, and so on, to model the highly dynamic nature of fluids and gases.
This makes the processor interconnections in most supercomputer applications at least as important as the raw computing power of each processor node in the system.
But password cracking in its simplest form can trivially be sliced up into as many sub-tasks as you have processor cores available.
Each processing node needs to communicate with the botherder just twice – once at the start to receive its part of the password list to work on, and once at the end to send back a list of any successful cracks.
Quite literally, the problem scales linearly, so that if it would take you 100 years to crack 1,000,000 passwords on your own computer, then it would take only one year using 100 computers; just over a month with 1000; and under an hour if you had 1,000,000 computers at your disposal.
How big is your botnet?
The US Department of Justice (DOJ) doesn’t say how big Tolpintsev’s botnet was, but does say that he ran a dark web password forum known simply as The Marketplace, and claimed to add about 2000 newly-cracked usernames and passwords to his “sales stock” every week.
If we assume that many, if not most, of Tolpintsev’s illegally-acquired passwords were cracked from password databases stolen from various cloud services, then it’s reasonable to assume that many of the new passwords added to his online catalogue each week came from a randomly chosen pool of users.
In other words, we’re assuming that those 2000 new passwords probably weren’t the logins of 2000 users who all happened to work for the same organisation.
Instead, he probably gave potential password purchasers the chance to buy access to accounts associated with large numbers of different companies. (A cybercriminal doesn’t need a password for every user in your network to break in – one password on its own might be enough for a beachhead inside your business.)
We’re also guessing that Tolpintsev had sources beyond his botnet, because the DOJ’s press release claims that he had a total of 700,000 compromised accounts for sale, including 8000 in the US state of Florida alone, which is presumably why Florida was chosen for his trial.
The DOJ says that the servers for which Tolpintsev claimed to have access credentials…
…spanned the globe and industries, including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.
Tolpintsev pleaded guilty in February 2022.
He’s now been sentenced to four years in prison, and ordered to pay up $82,648 that the DOJ could show he’d “earned” by selling on the passwords he’d cracked.
What to do?
Tolpintsev’s ill-gotten gains, at just over $80,000, may sound modest compared to the multi-million dollar ransoms demanded by some ransomware criminals.
But the figure of $82,648 is just what the DOJ was able to show he’d earned from his online password sales, and ransomware criminals were probably amongst his customers anyway.
So, don’t forget the following:
- Pick proper passwords. For accounts that require a conventional username and password, choose wisely, or get a password manager to do it for you. Most password crackers use password lists that put the most likely and the easiest-to-type passwords at the top. These list generators use a variety of password construction rules in an effort to generate human-like “random” choices such as jemima-1985 (name and year of birth) ahead of passwords that a computer might have selected, such as dexndb-8793. Stolen password hashes that were stored with a slow-to-test algorithm such as PBKDF2 or bcrypt can slow an attacker down to trying just a few passwords a second, even with a large botnet of cracking computers. But if your password is one of the first few that gets tried, you’ll be one of the first few to get compromised.
- Use 2FA if you can. 2FA, short for two-factor authentication, usually requires you to provide a one-time code when you log in, as well as your password. The code is typically generated by an app on your phone, or sent in a text message, and is different every time. Other forms of 2FA include biometric, for example requiring you to scan a fingerprint, or cryptographic, such as requiring you to sign a random message with a private cryptographic key (a key that might be securely stored in a USB device or a smartcard, itself protected by a PIN). 2FA doesn’t eliminate the risk of crooks breaking into your network, but it makes individual cracked or stolen passwords much less useful on their own.
- Never re-use passwords. A good password manager will not only generate wacky, random passwords for you, it will prevent you from using the same password twice. Remember that the crooks don’t have to crack your Windows password or your FileVault password if it’s the same as (or similar to) the password you used on your local sports club website that just got hacked-and-cracked.
- Never ignore malware, even on computers you don’t care about yourself. This story is a clear reminder that, when it comes to malware, an injury to one really is an injury to all. As Glib Oleksandr Ivanov-Tolpintsev showed, not all cybercriminals will use zombie malware on your computer directly against you – instead, they use your infected computer to help them attack other people.
When it comes to cybersecurity, you can’t sit around on the sidelines taking a shrug-your-shoulders-and-see-what-happens approach.
As we’ve said before many times, if you aren’t part of the solution, then you are part of the problem.
Don’t be that person!