by Ross Sivertsen | Nov 29, 2007 | Blog, Information Security
I didn’t quite get to finish my post yesterday, so I took a few moments to do a bit of homework; here’s what I found. I decided to do a real-world test and attempt to look up a few commonly occurring passwords I’ve seen here in my organization, so I took ten proper names and words and used them as reference material (I won’t list all of them here, but here are three as examples):
– 72a97fb793d496318518aebc7e9298b2 -> the "serial" number for "cowboys" (I’m a Dallas Cowboys fan).
– dfeaf10390e560aea745ccba53e044ed -> "cisco"
– 9924a057edc46fa6c7ac87a7b1771d4f -> "altoids"
I generated the hash values, entered each of the values into Google search, and the all-knowing Google returned the password for each. In fact, out of the 10 "serial" numbers I entered, I found *7* passwords, including at least 2 I wasn’t expecting to find because of their uniqueness! I don’t mind saying that this was a little frightening. Now here’s a tip that will help at least minimize the probability of finding the passwords in Google.
All of the words I used were proper names or words right out of the dictionary (randomly selected). When I added a random number or character, e.g. I added 20071001 to cowboys to come up with cowboys20071001 (that hash value is 2810ea90c3101fadbaba8748f5b34902, btw), I didn’t find the password. In fact, when I added random numbers or characters to any of the passwords, I didn’t find *ANY* of them.
Adding randomness to a password before it is hashed is a technique called "salting," and it is used to strengthen stored password hashes. Properly done, salting is the system’s job, not the user’s: the host generates a random value (the salt) for each account, mixes it with the password before hashing, and stores the salt alongside the resulting hash. Because every account gets a different salt, the same password produces a different hash on every system, and a precomputed table of common-word hashes (or a Google search for the hash) is useless against it. The catch is that you, as a user, cannot verify that a given system salts passwords before hashing them; the 32-character "serial" numbers above are unsalted digests of the bare word, which is exactly why they turn up in a search. Adding your own unpredictable characters to a password is not salting in the strict sense, but it does make the password one nobody else is likely to have hashed and published, and while it is not a panacea it goes a long way toward eliminating the lookup-table attack described in yesterday’s post. One caveat: a suffix like a date is unpredictable to a search engine but not to an offline cracker that routinely tries word-plus-date variants, so the characters you add should be genuinely random, not a pattern.
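As an added example (this is not code from the original post), here is the experiment and the defense side by side in Python. A precomputed MD5 lookup table built from a constructed word list stands in for the web pages a search engine has indexed, and a per-account random salt fed through PBKDF2 shows what a system that salts before hashing actually does. The word list and the candidate passwords are constructed for the example, and every digest is computed here rather than copied from the post.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the "commonly occurring passwords" in the post.
WORDLIST = ["cowboys", "cisco", "altoids", "password", "letmein", "dallas"]

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for the demo


def md5_hex(text: str) -> str:
    """Unsalted MD5 of the bare text: the 32-hex-character "serial number" in the post."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """digest -> plaintext. Computed once, then reused for every hash looked up later,
    which is what a search index amounts to for every hash someone has published."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest: str):
    """The 'paste it into Google' step. Returns the password, or None on a miss."""
    return table.get(digest.strip().lower())


def salted_hash(password: str, salt: Optional[bytes] = None):
    """System-side salting done properly: a fresh random salt per account, mixed into
    the password *before* hashing, through a slow KDF so each guess costs real work.
    Returns (salt, derived_key); the system stores both next to the account."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_salted(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = salted_hash(password, salt)
    return hmac.compare_digest(key, stored_key)


def demo():
    """Run the lookup against a bare word, a bare word with a suffix, and a salted hash."""
    table = build_lookup_table(WORDLIST)
    hits = {w: lookup(table, md5_hex(w)) for w in ["cowboys", "cisco", "cowboys20071001"]}
    # Same password on two accounts: different salts, different stored hashes,
    # so neither digest can appear in anyone's precomputed table.
    salt_a, key_a = salted_hash("cowboys")
    salt_b, key_b = salted_hash("cowboys")
    return hits, key_a != key_b, verify_salted("cowboys", salt_a, key_a)


if __name__ == "__main__":
    hits, salts_differ, verified = demo()
    for word, found in hits.items():
        print(f"{md5_hex(word)}  {word!r:>20} -> {'FOUND ' + found if found else 'not in table'}")
    print("two salted hashes of the same password differ:", salts_differ)
    print("verification with the stored salt succeeds:", verified)
```

The table lookup is case-normalized on the digest only; the plaintext itself is matched exactly, which is why a capitalized variant of a listed word is a miss. The salted path is what to look for in a system you control: a random salt per account, stored with the hash, and a deliberately slow KDF in place of a bare MD5.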
— Excuse me, my password tastes a bit bland, would you please pass the salt? —
by Ross Sivertsen | Nov 28, 2007 | Blog, Information Security
Link: Light Blue Touchpaper » Blog Archive » Google as a password cracker.
Just when you think it’s safe to go back into the water… here’s a post I ran across via Slashdot about using Google as a password cracker.
The Slashdot writer posts "A security researcher at Cambridge, trying to figure out the password
used by somebody who had hacked his website, ran a dictionary through
the encryption hash function. No dice. Then he pasted the hacker’s
encrypted password into Google, and Shazzam — the all-knowing Google
delivered his answer. Conclusion? Use no password any other human being
is ever likely to use for any purpose, I think."
So let me take a couple of minutes to talk about why this is important, and maybe decrypt (no pun intended) the geek speak.
Ok, so we use passwords to authenticate to systems of all sorts, right? You have ATM PINs, passwords for your email, passwords for your online banking. So how do you know whether those passwords are secure, and not stored somewhere that someone can get the keys to your kingdom? Well, traditionally it is done like this: the passwords themselves aren’t stored on a typical system; only the "fingerprint" of the password is.
The way this works is through something called a one-way hash function. This is basically a mathematical formula that produces a fixed-length "serial number" (the digest) from whatever text it is given, such that two different texts will, for all practical purposes, never produce the same number:
(My Password as Text) -> (Magical Mathematical Hash Formula) -> (Unique Serial Number)
This is important because there is no practical way to recover the password text from the number the formula produces. For a 128-bit digest such as MD5 there are 2^128 possible outputs, and the only known way to go backwards is to try inputs until one happens to match, which is far more work than anyone can do. That’s why it’s called a one-way hash function: as a practical matter, it can’t be reversed. (MD5’s collision resistance was broken in 2004, but collisions don’t help an attacker recover a password; that is a different property.) The one-way property says nothing, however, about how hard it is to *guess* the input, and that is where the trouble starts.
Okey dokey, so what does this mean in terms of this article? Well, we know the formula itself is secure, so the only way to "guess" your password is to pick candidates, hash each one, and compare the result to the stored serial number. In a "dictionary" attack I, as the attacker, assume you’re using a weak password: a word in the dictionary, your child’s name, the name of your favorite football team, anything that can be easily guessed. I run through every word in my list, and every common variation of each word, until I get a hit and the system I’m attacking "unlocks." A "brute-force" attack is the same idea without the list: try every possible combination of characters, which is only feasible when the password is short.
Going through this process of guessing passwords can take a VERY LONG time (obviously), and it has to be repeated for every hash. But what if I had a database of the most commonly occurring "serial" numbers, cross-referenced to the passwords that produce them? Then I don’t have to reverse-engineer the password from the serial number, AND I don’t have to guess passwords until I "unlock" the system. I just look up the "serial" number in the database and voilà! I have the password. This is a precomputed lookup table: the hashing work is done once, ahead of time, and shared across every hash anyone ever looks up, and it works only because the hashes were computed without a salt.
"Wow," you might say, "that’s got to be a REALLY big database to contain the serial numbers and passwords for EVERY combination of common words, names, and phrases." That’s absolutely true, and who would have a collaborative database THAT large? Enter Google. Google is essentially the "Encyclopedia Galactica" of the ENTIRE Internet web space. If it’s on the web, it’s in Google’s index, including the websites of hackers who publish exactly this kind of information. The thing that makes Google such a powerful tool for you (presumably the good guys) is the very thing that makes it a powerful tool for the hackers (presumably the bad guys).
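As an added example (not code from the original post or from the linked article), here is the guessing side in Python: a dictionary attack with the cheap mangling rules a cracking tool applies (capitalization, a trailing digit, a trailing year or YYYYMMDD date), next to a plain brute-force search, both run against unsalted MD5 digests computed inline from constructed plaintexts. It goes a little beyond the text in one respect: it shows that a date tacked onto a dictionary word falls in a few tens of thousands of guesses, which is why such a suffix beats a Google search but not an offline cracker.

```python
import hashlib
import itertools
import string
from datetime import date, timedelta

# Constructed word list: the "dictionary" an attacker starts from.
WORDLIST = ["cisco", "altoids", "dallas", "cowboys"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, the same kind of digest the post pasted into Google."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def mangle(word: str, years=range(2000, 2011)):
    """Yield the word and its cheap, common variants: three capitalizations, each with a
    trailing digit, a trailing year, and every YYYYMMDD date in the chosen years.
    These are the standard "rules" of a cracking tool; a date suffix is unpredictable
    to a search engine, but not to this loop."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in string.digits:
            yield base + d
        for y in years:
            yield base + str(y)
            day = date(y, 1, 1)
            while day.year == y:
                yield base + day.strftime("%Y%m%d")
                day += timedelta(days=1)


def dictionary_attack(target_digest: str, words, max_guesses=None):
    """Hash mangled candidates until one matches the target.
    Returns (plaintext, guesses) on a hit or (None, guesses) when the list is exhausted
    or the optional guess budget runs out."""
    target = target_digest.strip().lower()
    guesses = 0
    for word in words:
        for candidate in mangle(word):
            guesses += 1
            if md5_hex(candidate) == target:
                return candidate, guesses
            if max_guesses is not None and guesses >= max_guesses:
                return None, guesses
    return None, guesses


def brute_force(target_digest: str, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaustive search over every string of the alphabet up to max_len characters.
    Cost grows as len(alphabet) ** length, which is why it only works on short passwords."""
    target = target_digest.strip().lower()
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(chars)
            if md5_hex(candidate) == target:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed targets: the post's word-plus-date idea, and a short random-looking string.
    for plaintext in ("cowboys20071001", "Cisco2007", "x7Qp#9"):
        found, n = dictionary_attack(md5_hex(plaintext), WORDLIST)
        print(f"dictionary: {plaintext!r:>18} -> {found!r} after {n} guesses")
    for plaintext in ("zz", "abc"):
        found, n = brute_force(md5_hex(plaintext), max_len=3)
        print(f"brute force: {plaintext!r:>17} -> {found!r} after {n} guesses")
```

The four-word list expands to 48,480 candidates under these rules and runs in well under a second; real tools such as John the Ripper apply far richer rule sets at hardware speed. The lesson is the size of the space an attacker has to search, not the cleverness of any single suffix: a word plus a predictable pattern is still inside the space a cracker enumerates, while a long string with no dictionary root is not.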
This is an interesting point, because the Google index is neutral; it really is. It isn’t "good" or "bad," it’s amoral. And it’s for THAT very reason that YOUR password security is YOUR responsibility! Just like the Flickr photos of your drunken adventure from college, if your online banking password at Citibank is a common word, Google probably has its serial number already.
So how do we combat this? Well, there are a couple of things we can do:
First, use reasonably complicated passwords. I won’t go into details here because I don’t want to give anybody any ideas, but the goal is a password nobody else has ever used; mixing letters, numbers and symbols helps only if the result isn’t a predictable pattern, since a dictionary word followed by a single digit is among the first things a cracking tool tries.
Second, use long passwords; length adds more guessing work than any other single change. If the system allows 10 characters, use 10; if it allows 50, use 50.
Third, change your passwords regularly, and immediately if a system holding one may have been compromised.
Finally, use different passwords for different systems. This doesn’t eliminate the problem, but if one password is compromised it limits the damage to that one system.
I know all of this sounds like a lot of work, but cyber-theft and identity theft are real threats, and you’re really just protecting yourself. Can we eliminate the threat? No, not really, but with some amount of work and a little diligence, you can minimize the risk.
"The price of freedom is eternal vigilance." (popularly attributed to Thomas Jefferson, though the attribution is unverified)
by Ross Sivertsen | Oct 31, 2007 | Blog, Information Security
Link: Home Depot and Iron Mountain report missing data.
Ok, I was looking into Iron Mountain’s Live Vault online backup service when I ran across this story from searchsecurity.com.
Apparently, in the first of two separate incidents, home improvement Goliath Home Depot lost information, including social security numbers, on some 10,000 employees when a notebook computer was stolen from the car of a company manager.
Then, in a separate incident, data protection megalith Iron Mountain lost a decade’s worth of data from the state of Louisiana, including the social security numbers of almost every state college applicant for the last decade.
In both incidents, lax security practices were to blame, including the lack of encryption of the lost data. This brings us to the whole point of this post: with the capacity of media (tapes, disks, USB drives, etc.) becoming almost cavernous, transporting multiple gigabytes of personal information for entire organizations becomes trivial. I personally have a USB drive on my key chain with a capacity of 16GB.
This large-capacity media presents an enormous risk of information theft for people and organizations. Encrypting data at rest on such media is critically important. We can no longer rely on information being secure within the organizational perimeter; the simple loss of a laptop, a USB drive or a set of backup tapes creates an opportunity for identity theft and loss of confidentiality.
This isn’t about garrisoning the organization either; a full PKI is difficult for most organizations to manage. Pareto was right, and the 80/20 rule goes a long way toward mitigating risk. Solutions for removable media include simple open source applications like TrueCrypt (a great open source tool) that provide 256-bit AES encryption; it can be used to create encrypted virtual disks on laptop drives and USB drives. (TrueCrypt development was abandoned in 2014; VeraCrypt is its maintained successor, and most operating systems now ship their own disk encryption.) One caveat with any encrypted container: it only protects the data while the volume is locked, so the passphrase must not be one a dictionary attack would find, and the volume must be dismounted before the device leaves your hands.
For other types of removable media, tapes and so forth, most backup tools (ArcServe, etc.) provide a means of encrypting tapes.
You can find more information on commercial and open source encryption software in this Wikipedia article.
by Ross Sivertsen | Oct 25, 2007 | Blog, Information Security
Link: Storm worm strikes back at security pros – Network World.
Ok, you saw me post an article earlier that compute cycles on the Storm Worm botnet appear to be for sale. Now it appears that the Storm Worm network is fighting back against attempts to do reconnaissance on its internal architecture.
In an article posted today on both Slashdot and Network World, the worm can “figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them,” notes Network World senior editor and story author Tim Greene.
When I read the story the first time through, I got a cold chill down my spine. It’s not that things like this haven’t happened before, but honestly, this is the first time I’ve seen something as widespread as a malicious botnet retaliating against users. Flashes of Skynet from the Terminator movies and Colossus: The Forbin Project immediately came to mind.
This has more to do with what’s next. Is it possible that we are too clever for our own good? I hate fear mongering, I really do. But when we look around at the amount of state-sponsored terrorism in the world (and yes, don’t be naïve, we do it too), building technological infrastructures such as what we’ve been reading about here is positively chilling.
by Ross Sivertsen | Oct 16, 2007 | Blog, Information Security
Link: Slashdot | Storm Worm Botnet Partitions May Be Up For Sale.
Holy BOTNET, Batman!
Having JUST posted a message about the NVD from US-CERT, I’m trying to get back to work and read this feed from Slashdot. It seems that Joe Stewart, an information security research specialist with SecureWorks, has seen evidence that the massive Storm Worm botnet is being broken up and the resulting compute cycles are up for sale to the highest bidder. Not just for pimple-faced teens anymore, this represents one of the first instances of mercenary computing I’ve seen. The Storm Worm network has been described as the world’s most powerful supercomputer in this ZDNet article: (Storm Worm botnet could be world’s most powerful supercomputer).
So what does this mean? It means that this isn’t about hacking anymore; cyber-terrorism is a real threat to government and commercial enterprise.
by Ross Sivertsen | Oct 16, 2007 | Blog, Information Security
I’ve been following this for some time. This is an important resource for keeping up on information relating to the vulnerabilities of a variety of technological systems.
We have a predisposition to believe that Windows is the only real attack vector in our information infrastructure, but the reality is that, though it is a huge target, other systems sport vulnerabilities waiting to be exploited.
To that end you’ll see on the right hand side of the page a new list of recently published vulnerabilities from the National Vulnerability Database, which is maintained by NIST and sponsored by DHS. (The NVD catalogs vulnerabilities, not working exploits; an entry there means a weakness has been disclosed, not necessarily that an attack is circulating.)
This is a difficult position, because I hate fear mongering and hate being the one to shout "the sky is falling!" But if you saw the piece from Wired Science on PBS on October 3rd, you’ll see there is some merit to being concerned. "Forewarned is forearmed," as the saying goes.