All right, good afternoon everyone, it's 3 p.m. and it's my pleasure to introduce Utku Sen. Thank you. Hello everyone, welcome to my... by the way, can you hear my voice in the back? It's okay? Great. Welcome to my talk, Generating Personalized Wordlists with Natural Language Processing by Analyzing Tweets. Let me introduce myself first. I'm Utku Sen. I usually do research and write tools on the offensive side of security. I'm currently working for Tier Security. You can find detailed information on my website, and you can follow me on Twitter if you're interested. In this presentation, I will start by talking about password guessing attacks. Then I will explain why reducing the wordlist size is crucial for password guessing. After that, we will see how we can generate wordlists based on a target's personal topics. Finally, I will demonstrate the Rhodiola tool, which does that job. Passwords have been our main security mechanism for digital accounts since the beginning of the Internet. Because of that, passwords are a main target for attackers. Of course, there are lots of different ways to obtain a target's password. For example, the attacker can prepare a phishing website to trick targets into entering their credentials into a rogue site. Or an attacker can conduct a password guessing attack through brute forcing. Password guessing attacks are usually described in two main categories: offline and online attacks. Offline password guessing attacks are usually conducted against captured hashes or encryption keys. For example, for hash cracking, the attacker calculates candidate password hashes and compares them with the target hash. Other than the password complexity, there are two variables which affect the success rate: hardware resources and the type of hashing algorithm. More hardware resources provide more speed, and therefore increase the chance of success. The other thing is, of course, the hashing algorithm.
For example, cracking an MD5 hash will be much faster than cracking a bcrypt one. An online password guessing attack is something different. In an online password guessing attack, the attacker sends username-password combinations to a service like HTTP, SSH, et cetera, and tries to identify the correct combination by checking the response from those services. There are lots of different variables which affect the chance of success: for example, our connection speed and the server bandwidth; also, the server can block our IP address or lock the target's account, et cetera. There are lots of countermeasures. Online attack speed has no positive correlation with hardware resources, so online attacks are much, much harder than offline attacks. Most web applications have password complexity rules where users have to use at least one number, an uppercase character and, of course, a special character. Therefore, reducing the brute force pool to an acceptable size is very important for attackers. Instead of brute forcing all combinations, we can actually make some smarter choices. For example, we can try the most common passwords first. If that doesn't work, we can make some smarter combinations. To reduce the combination pool, the Hashcat team created a technique called the mask attack. The main idea is that people choose their passwords with similar patterns; they are not pure gibberish. Therefore, we can define a pattern, which is called a mask, and brute force within its boundaries. Let's say our target password is Yulia1984. With the pure brute force approach, we need to brute force all nine characters with our whole character set. The formula is 62^9, which is a very, very big number. For the mask attack, since we define the pattern, we don't need to brute force everything. For example, the first character can only be an uppercase letter; there are 26 choices. The total number of combinations is way smaller than with the pure brute force technique: it's around 100 billion.
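The keyspace arithmetic above can be sketched in a few lines of Python. This is just for illustration; the function names are mine, and the mask syntax follows Hashcat's built-in charsets (?u = uppercase, ?l = lowercase, ?d = digit):

```python
# Keyspace comparison: pure brute force vs. a Hashcat-style mask,
# for a 9-character password like "Yulia1984".
# Full charset: 26 lowercase + 26 uppercase + 10 digits = 62 characters.

def brute_force_keyspace(length: int, charset_size: int = 62) -> int:
    """Every position can be any character from the full charset."""
    return charset_size ** length

def mask_keyspace(mask: str) -> int:
    """Hashcat-style mask: ?u = 26 uppercase, ?l = 26 lowercase, ?d = 10 digits."""
    sizes = {"u": 26, "l": 26, "d": 10}
    total = 1
    for token in mask.split("?")[1:]:
        total *= sizes[token]
    return total

print(brute_force_keyspace(9))              # 62^9  ~ 1.35e16
print(mask_keyspace("?u?l?l?l?l?d?d?d?d"))  # 26^5 * 10^4 ~ 1.19e11
```

The mask cuts the search space by roughly five orders of magnitude, which is exactly why mask attacks are practical for offline cracking.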
But of course, that's still too much for online attacks. We usually can't send 100 billion requests to a web application and check its responses. But pure brute force and mask attacks are not the only ways to guess passwords. There's also the science-fiction method based on smart guessing. For example, in Sherlock's "The Hounds of Baskerville" episode, Sherlock Holmes checks the personal belongings of the target and guesses the password in just one shot. So we can talk about the third method now. It seems very unrealistic, but in theory it's possible to find the password Yulia1984 in fewer than three shots. We just need some Sherlock Holmes skills. Let's assume that the target posted a tweet and we are a Sherlock Holmes candidate. We can make the following deductions: the target's daughter's name is Yulia, and the target loves her very much, since he or she tweets about her. And the target's favorite author is George Orwell, whose most popular book is 1984. Combine them together, and the answer is Yulia1984. Is it really that simple? We will come back to this later. According to research conducted at Carnegie Mellon University, most people choose words from their hobbies, sports, movies, et cetera for their passwords. This means that most user passwords contain meaningful words, and those words are related to the password owner. So, in theory, we can become a Sherlock Holmes of password guessing. We can actually show that people mostly use meaningful words in their passwords. When we analyze the leaked MySpace and Ashley Madison password lists and generate the most used masks, we can see that almost 95% of those passwords are formed by sequential alphabetic characters. So there is a high probability that these are meaningful words. Let's try to prove that they actually contain meaningful words. So what is a meaningful word? We can say that a letter sequence is a meaningful English word if it's listed in an English lexicon.
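The lexicon check just described can be sketched as follows. To keep the example self-contained, a tiny hand-made set stands in for the full WordNet lexicon (in the real analysis, the word list would come from NLTK's WordNet corpus); the function names are mine:

```python
# Sketch of the "meaningful word" check: a password counts as containing
# a meaningful word if its alphabetic core appears in a lexicon.
import re

# Illustrative stand-in for the WordNet lexicon (real one has ~150k entries).
LEXICON = {"dragon", "monkey", "shadow", "summer", "yulia"}

def alphabetic_core(password: str) -> str:
    """Strip digits and symbols, keep the longest run of letters."""
    runs = re.findall(r"[a-zA-Z]+", password)
    return max(runs, key=len).lower() if runs else ""

def is_meaningful(password: str, lexicon=LEXICON) -> bool:
    """True if the password's alphabetic core is a lexicon word."""
    return alphabetic_core(password) in lexicon

print(is_meaningful("Yulia1984"))  # True: "yulia" is in our toy lexicon
print(is_meaningful("x9$q2"))      # False: no meaningful core
```

Running this kind of check over the leaked lists is what produced the ~40% figure mentioned in the next section.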
For those who are not familiar with the NLP context, a lexicon is the complete set of meaningful units in a language. We used the WordNet lexicon for this job. Our analysis showed that almost 40% of the words in those lists are included in the WordNet lexicon; hence, they are meaningful English words. Next, we need to apply POS tagging, which means part-of-speech tagging, to these words to understand what kind of words they are. POS tagging is a process to find a word's class. There are eight different parts of speech in the English language; I learned them in English lessons. For those who are not familiar with them: there are nouns, like table and chair; there are verbs, like eating, going, et cetera. So we analyzed those words with the help of Python's NLTK library, and the results show that most of these words are singular nouns. Let's recap what kind of facts we have so far. First, our analysis shows that people use meaningful words in their passwords. Second, from the research conducted by various universities, we know that passwords are mostly based on personal topics. So Sherlock Holmes' method is legit in theory. But can it be done in practice? What Sherlock Holmes did was analyze the personal topics of the target. Then he combined them in his mind and came up with a candidate password. But how can we do it in real life? To achieve this, we need information about the target, and an algorithm which extracts good password candidates from that information. We need a data source, just like Sherlock Holmes had: a source where we can find the hobbies and other interest areas of the targets. And actually, we all know that kind of source. It's Twitter, of course. On Twitter, people mostly tend to write posts about their hobbies and other interest areas. Since there's a character limit for each tweet, users have to write in a more focused way.
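The POS-tagging step can be sketched like this. With NLTK and its tagger data installed, the tagging itself would be `nltk.pos_tag(tokens)`; here a small hand-made tag table stands in so the filtering logic runs on its own. The tags follow the Penn Treebank convention NLTK uses (NN = singular noun, NNP = proper noun):

```python
# Sketch of noun extraction via POS tags.
# Stand-in for nltk.pos_tag output, Penn Treebank tags:
TOY_TAGS = {
    "my": "PRP$", "daughter": "NN", "loves": "VBZ",
    "george": "NNP", "orwell": "NNP", "so": "RB", "much": "RB",
}

def extract_nouns(words, tags=TOY_TAGS):
    """Keep only singular nouns (NN) and proper nouns (NNP),
    since those are the classes passwords are mostly built from."""
    return [w for w in words if tags.get(w.lower()) in ("NN", "NNP")]

tweet = "My daughter loves George Orwell so much".split()
print(extract_nouns(tweet))  # ['daughter', 'George', 'Orwell']
```

Everything else (pronouns, verbs, adverbs) is discarded, which is the "removing unnecessary data" step described next.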
And this makes things easier for us, because we don't need to deal with large amounts of gibberish text. So let's use Twitter as a data source and try to build our personalized wordlist generation algorithm. First of all, we need to gather tweets from the target via Twitter's API. Then we need to get rid of unnecessary data. But how do we know if a word is necessary or unnecessary? Since we're trying to find personalized things, we can remove stop words, since everybody uses them. For example, we can remove things like I, my, she, et cetera from the tweets. Secondly, as you recall, our research showed that people mostly use nouns in their passwords, so we can remove the verbs. For example, we remove words like "suggest" from the tweets. As you may remember from the previous slides, the leaked passwords were mostly formed from nouns. So we apply POS tagging to the rest of the words to detect the most used nouns and proper nouns. For this tweet, the nouns are "daughter" and "author", and the proper nouns are "George Orwell" and "Yulia". Sometimes users combine two meaningful words in their passwords. But of course, they are not just two random words; they have a kind of semantic similarity. So we also need to combine similar words. We used WordNet's path similarity algorithm for detecting the semantic similarity of the words extracted from the tweets. The path similarity algorithm gives us a score between 0 and 1, and we combine two words if their score is greater than 0.12. In the example shown in the slide, we will combine "cat-tag" and "flamethrower" with each other. Researchers have also found that some of the most used semantic themes in passwords are locations and years. For this purpose, we send the extracted nouns to Wikipedia and parse related years and cities from the results. For this example tweet, we sent George Orwell to Wikipedia, and it returned words like London, 1984, et cetera. So the last step is combining all of our data.
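The word-combination step can be sketched as follows. The similarity scores here are a hand-made stand-in so the example is self-contained; in the real pipeline they would come from NLTK's WordNet interface (roughly `wordnet.synsets(a)[0].path_similarity(wordnet.synsets(b)[0])`), and the 0.12 threshold is the one mentioned above:

```python
# Sketch of combining semantically similar word pairs into candidates.
from itertools import combinations

# Stand-in for WordNet path_similarity scores (range 0..1).
TOY_SCORES = {
    frozenset({"cat", "dog"}): 0.20,     # related animals: above threshold
    frozenset({"cat", "rocket"}): 0.07,  # unrelated: below threshold
}

def combine_similar(words, scores, threshold=0.12):
    """Concatenate each pair of words, both ways, if their
    semantic-similarity score exceeds the threshold."""
    out = []
    for a, b in combinations(words, 2):
        if scores.get(frozenset({a, b}), 0.0) > threshold:
            out += [a + b, b + a]
    return out

print(combine_similar(["cat", "dog", "rocket"], TOY_SCORES))
# ['catdog', 'dogcat']
```

Pairs below the threshold are dropped, which keeps the combinatorial blow-up of concatenations under control.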
From the example tweet, we got the words "George Orwell"; we sent them to Wikipedia, and it returned the word 1984. Beyond that, we also had Yulia as a proper noun. So when we combine all of our data, we will have the correct password, Yulia1984, somewhere in the list. So instead of millions of combinations, we could crack this password in 20 steps or fewer, just like Sherlock Holmes did. To automate the whole process, I wrote a tool named Rhodiola. It's written in Python and is mostly based on the NLTK library. It follows the algorithm that I described in the previous section. Given a Twitter handle, it can automatically compile a personalized wordlist with elements such as nouns, proper nouns, and the cities and years related to them. Currently it only supports English, but I will finish the Turkish and German support soon. You can use Rhodiola in three different modes. In the base mode, Rhodiola takes a Twitter handle as an argument and generates a personalized wordlist without any fancy stuff. For example, when you give it Elon Musk's username, it will generate candidates like tesla, car, spacex, boringmachine2018, et cetera. In the regex mode, a user can generate additional strings from a provided regex. These generated strings will be appended as a prefix or suffix to the words. For this mode, Rhodiola takes a regex value as an argument; the regex value defines the string placement. With the regex shown in the slide, it will generate passwords like Teslaroot01, Teslaroot02, and so on. In the mask mode, the user can provide Hashcat-style mask values for the wordlist generation. In this example, we used a mask in which the first character is an uppercase letter, the second one is a lowercase letter, and the third one is an uppercase letter again. If you don't have a Twitter API key, or you want to use another data source, you can bring your own data. Rhodiola provides two different options. In the first one, you can provide a text file to Rhodiola which contains lots of harvested text.
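The suffix-expansion idea behind the regex mode can be sketched like this. This is not Rhodiola's actual implementation, just a minimal illustration; a real implementation might enumerate regex matches with a library such as exrex, while here a simple fixed-length digit suffix is expanded with itertools.product:

```python
# Sketch of regex-mode expansion: append every generated string
# to each base word from the personalized wordlist.
from itertools import product

def with_suffixes(words, charset="0123456789", length=2):
    """Append every fixed-length combination from charset to each word."""
    out = []
    for w in words:
        for combo in product(charset, repeat=length):
            out.append(w + "".join(combo))
    return out

candidates = with_suffixes(["Tesla"], length=2)
print(candidates[:3])   # ['Tesla00', 'Tesla01', 'Tesla02']
print(len(candidates))  # 100
```

Prefix placement works the same way with the concatenation order reversed; the mask mode is analogous but draws each position's characters from Hashcat-style charset classes instead of one fixed charset.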
In the second one, you can provide a URL list, and Rhodiola harvests text from these URLs automatically and builds the personalized wordlist right away. You can download the tool from our GitHub page and try it yourself. Okay, so demo time. For this demo, I will get a Twitter handle from a volunteer in the audience, pass it to Rhodiola, and we will check the results together. So, is there anyone who is actively using Twitter in English and willing to share their username with me? Yes, sir, but let me open up my terminal first. Okay, I'm all yours. A, B, A, V, E, E, K, yep. D, E, E, S, this one. Okay, let's see what we get. Now it's downloading tweets from that Twitter handle. It will probably download about 2,500, because that's Twitter's API limit. I hope I have an internet connection right now. Mm-hmm. Weird. All right, the DEF CON Wi-Fi is not working. Is anyone else using the DEF CON Wi-Fi right now? Is it not working? Sorry? The Wi-Fi? Yeah. Weird. Actually, it was working for like three days, and it just stopped in the middle of my presentation. Anyway, it can't stop me, you know; I will use my hotspot. Sorry? DEF CON open? No, that's the rogue Wi-Fi, right? All right. Come on. Yep, now we have working Wi-Fi. Come on, man. No internet? Yeah. Great. I hope we can find your password and that you have lots of tweets, sir. Sorry? Actually, it can't do that at the moment; it just downloads about 2,000 tweets. It will probably complete in a second. Yeah, good idea. It normally downloads faster, but because of my connection it's a little slow. Now, okay. Now it's analyzing the downloaded tweets, and we'll get the most used nouns and proper nouns; we will see them in a second. Okay. So, the most used nouns are... wow, Giants. Let's hope... let's go Giants. So, is there a sports team or something? Yeah. Yeah. United.
Manchester United. NFL. So, does this make sense to you? Yes. Great. Now... okay. Now it has sent those words to Wikipedia and parsed related locations and years from them; let's see what kind of passwords we have. So... actually, I don't know the reason right now, but it couldn't parse the related years it should have, probably because of my connection or something. So, sir, is your password listed in this wordlist? Could you please take a look again? No? All right. Of course, it would be a miracle to crack a DEF CON attendee's password with this method. All right, let's turn back to the slides. Anyway, I can stop the mirroring. So, as a conclusion: since people tend to use words from their hobbies, movies, sports, et cetera in their passwords, users should not use those words, because we can create fairly accurate wordlists from the available data. Beyond that, any actor that has much more data about a person will be able to create even more accurate wordlists for that target. So people should avoid using those kinds of items in their passwords, and should use a password manager with random passwords. That's all I have today. Thank you for coming and listening. Are there any questions? Yes, please, sir. What kind of lists? Yeah, of course. They are the leaked MySpace and Ashley Madison wordlists. When you analyze them with the PACK tool, which you can find on GitHub, you will see the same statistics. So, yeah, please. Yeah, currently you can't do that, but I will add it in the future. Since it's a kind of experimental project, I didn't want to limit, you know, the password length. Yeah, please. Yeah. To be honest, zero. Yeah, of course. I couldn't crack any; for example, my friends mostly use, you know, complex passwords, et cetera, and I couldn't crack any of their passwords.
But when you try it on, for example, your mother or, you know, some older person, some non-geek person, it may work. So, hmm, but I need to know the real identity of the target. I need to get their hobbies and so on, and cross-check against all of them. If only I knew the real identities behind the MySpace wordlists, your method would probably work. Actually, it could be done with the Ashley Madison wordlists; their real identities have probably already been revealed. Maybe I can check them, yeah. Please. Good idea, actually, I haven't thought about that. Yeah, good idea. So, as far as I can see, there are no more... yeah, there's a question. I mostly used Python's NLTK library. Sorry? I only know of Python support; it probably only has Python support. Does that answer your question? Only Python. Only English. Yeah, actually, I think it kind of supports French and Spanish, but they are not as strong as the English one. So if you are working on a different language, you need to find some local implementation for the NLP stuff. Actually, each language has its own resources. For example, for the Turkish language, I can download some items from university websites, but I didn't research other languages. There is no single place where you can download everything. Okay, so that's all. Thank you.