
Our tools to benchmark and monitor your network.
Plus: Formspring leaks your password, Microsoft finally kills off old certificates and how to steal a BMW in a few seconds!
All that and more, in this week’s TechSNAP!
Thanks to:
Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!
Limited time offers:
$1.99/mo economy hosting for 3 months – special offer!
Code: 199tech
Expires: June 30, 2012
$3.99 .US domain!
Code: 399us4
Show Notes:
Formspring detects intrusion – 420,000 hashed passwords leaked
- Formspring was alerted when password hashes were posted on a hacking forum
- After determining that the hashes were in fact from their site, administrators shut the service down
- The attackers managed to compromise a development server at Formspring, and from there were able to access the production database and gain access to customer information
- Formspring used SHA256 hashes with a random salt
- While this is better than a plain SHA256 without a salt, it is still not very strong
- SHA hashes are designed to be calculated very quickly, because speed is exactly what you want in a general-purpose hashing algorithm
- Adaptive password-hashing algorithms such as SHA256crypt, on the other hand, use a variable number of ‘rounds’ of the underlying hash to slow the process down and make cracking the passwords more expensive. SHA256crypt defaults to 5000 rounds (the hash of the hash of the hash…), and this value can be raised over time to keep pace with faster CPUs and GPUs
- So while the random salts make the Formspring passwords immune to rainbow tables (thus making even the more trivial passwords require brute forcing, unlike the LinkedIn passwords), they can still be cracked with tools such as John the Ripper, and the cracking can be accelerated with GPUs
- Formspring came to this same realization and as part of the mandatory password reset for all users, new passwords will be stored using the adaptive cryptographic hashing algorithm bcrypt
- There have been no reports of any accounts being compromised, although the news has triggered a wave of trend-jacking phishing attacks: malicious emails directing users to the wrong place to reset their Formspring password
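To make the difference between Formspring's original scheme and an adaptive one concrete, here is an added example (not Formspring's code, and not the real sha256crypt or bcrypt construction): a single salted SHA-256 beside a simplified many-round stretch in the spirit of SHA256crypt, a hypothetical `$stretch$` storage format that keeps the round count next to the hash so it can be raised later, and a timing helper that shows how the round count sets the cost of each guess an attacker must make.

```python
"""Added example (not Formspring's code): a single salted SHA-256 versus a
simplified adaptive hash with a tunable round count."""
import hashlib
import hmac
import os
import time
from typing import Optional


def salted_sha256(password: str, salt: bytes) -> bytes:
    """One pass of SHA-256 over salt||password, the scheme Formspring was using.
    The salt defeats rainbow tables but adds no extra work per guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def stretched_sha256(password: str, salt: bytes, rounds: int = 5000) -> bytes:
    """Simplified key stretching in the spirit of sha256crypt (NOT the real
    sha256crypt construction): the hash of the hash of the hash..., with the
    salt and password mixed back in every round. Cost grows linearly with rounds."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    pw = password.encode("utf-8")
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt + pw).digest()
    return digest


def make_record(password: str, rounds: int = 5000, salt: Optional[bytes] = None) -> str:
    """Store the round count and salt beside the hash (hypothetical '$stretch$'
    format) so the rounds can be raised over time as hardware gets faster."""
    salt = salt if salt is not None else os.urandom(16)
    digest = stretched_sha256(password, salt, rounds)
    return f"$stretch${rounds}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    _, scheme, rounds, salt_hex, digest_hex = record.split("$")
    if scheme != "stretch":
        raise ValueError("unknown scheme")
    expected = stretched_sha256(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def seconds_per_hash(rounds: int, samples: int = 5) -> float:
    """Measure the cost of one guess on this machine for a given round count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        stretched_sha256(f"guess{i}", salt, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    rec = make_record("correct horse battery staple", rounds=5000)
    print(rec)
    print("right password:", verify(rec, "correct horse battery staple"))
    print("wrong password:", verify(rec, "password123"))
    # rounds=1 is the single salted SHA-256; 5000 is the sha256crypt default.
    for r in (1, 5000, 50000):
        t = seconds_per_hash(r)
        print(f"rounds={r:>6}: {t * 1e6:10.1f} us/hash -> ~{1 / t:,.0f} guesses/s on one core")
```

With `rounds=1` the function is exactly the single salted SHA-256, which is why the timing loop starts there: the ratio between that line and the 5000-round line is the factor by which every brute-force guess becomes more expensive, and raising the stored round count on the next password change is all that is needed to keep that factor up as CPUs and GPUs get faster. A real deployment should use a vetted library implementation of bcrypt, scrypt or PBKDF2 rather than a hand-rolled loop like this one.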
Microsoft revokes 28 of its own certificates because they are insecure
- In the wake of the Flame malware, which used a forged Microsoft certificate for code signing and to impersonate Windows Update, Microsoft has revoked other certificates that may be susceptible
- In order to prevent this from happening again, Microsoft is revoking trust in all certificates that do not meet their current security standards
- We assume this means revoking certificates with insufficient key strength and certificates generated with MD5 hashes
- Microsoft also re-released its Certificate Updater application, which previously shipped as an optional update to help mitigate the Flame malware; with this update it is now marked as ‘Critical’, which will see it installed on the majority of updated Windows machines
One of Stuxnet’s spreading mechanisms hits kill switch
- Three years after Stuxnet was originally seeded, one of the main spreading mechanisms has shut itself off
- Spreading of the malware via Windows .lnk files on USB sticks has stopped, because the cutoff date specified in the Stuxnet source code has been reached
- The three known variants of Stuxnet were seeded on 2009-06-23, 2009-06-28 and 2009-07-07
- This is not the first time Stuxnet has expired some of its capabilities: spreading via the MS10-061 exploit stopped on 2011-06-01, and the MS08-067 exploit checks for dates before January 2030
Court case reveals inner workings of IPP International IP Tracker, a BitTorrent tracking software
- Defendant’s motion to dismiss
- Declaration of forensic investigator
- Functional description of ‘International IPTracker’
Web exploit figures out what OS victim is using, customizes payload
- The exploit uses ‘TrustedSec’s Social Engineering Toolkit’ to generate a signed .jar file that is embedded in compromised websites via the applet tag
- If the user allows the .jar file to run, it detects the OS of the machine and performs a different action for each
- The Social Engineering Toolkit is open source software
- In this case, the attackers used the toolkit as a basis for their malware downloader, it downloads and runs a different exploit depending on the OS of the victim
- This exploit targets Windows, Mac and Linux users, with a custom malware payload for each
- All three exploits appear to be targeted at giving the attacker a shell on the machine, so they can perform whatever actions they wish
- Additional Link
Feedback:
- Félim loves his new pfSense rig
- What is the best way to measure a firewall’s throughput?
- That depends on what you want to measure (bytes/sec, packets/sec, dropped packets, etc.)
- It is important to be able to tell what is ‘normal’, so some type of historical information is very useful
- Live throughput: nload
- Live Source/Destination: iftop
- Traffic patterns / by interface: routers2 / mrtg / rrdtool
- Bandwidth Benchmarking: iperf
- Other tools: ntop rtg darkstat
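The tools listed above all boil down to sampling interface counters twice and dividing by the interval. As an added example (not code from nload, iftop, mrtg or any other tool named here), this script parses two Linux `/proc/net/dev` snapshots, computes bytes/sec, packets/sec and drops/sec per interface, and flags interfaces whose drop rate is above whatever baseline you have established as ‘normal’. The two snapshots are constructed sample data; `sample_live` is a hypothetical helper that only works on a Linux host with `/proc/net/dev` (a pfSense box would read `netstat -ibn` instead).

```python
"""Added example (not one of the tools named above): per-interface rates from
two /proc/net/dev snapshots, plus a simple drop-rate baseline check."""
import time
from typing import Dict, List

# Two constructed /proc/net/dev snapshots taken 10 s apart (sample data, not captured).
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     100       2    0    0    0     0          0         0      100       2    0    0    0     0       0          0
  eth0: 1000000    2000    0    5    0     0          0         0   500000    1500    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     100       2    0    0    0     0          0         0      100       2    0    0    0     0       0          0
  eth0: 13500000   12000    0   15    0     0          0         0  3000000    6500    0    2    0     0       0          0
"""
INTERVAL_S = 10.0

# Column positions in /proc/net/dev: 8 receive counters, then 8 transmit counters.
COLUMNS = {"rx_bytes": 0, "rx_packets": 1, "rx_drop": 3,
           "tx_bytes": 8, "tx_packets": 9, "tx_drop": 11}


def parse_proc_net_dev(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {counter: value}} for every interface line."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                       # the two header lines have no colon
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        values = [int(f) for f in fields]
        stats[name.strip()] = {k: values[i] for k, i in COLUMNS.items()}
    return stats


def counter_rates(before: Dict[str, Dict[str, int]],
                  after: Dict[str, Dict[str, int]],
                  interval: float) -> Dict[str, Dict[str, float]]:
    """Per-second deltas between two snapshots. A negative delta means a
    32-bit counter wrapped, so add 2**32 before dividing."""
    rates: Dict[str, Dict[str, float]] = {}
    for iface, now in after.items():
        if iface not in before:
            continue                       # interface appeared between samples
        per_sec = {}
        for k, v in now.items():
            delta = v - before[iface][k]
            if delta < 0:
                delta += 2 ** 32
            per_sec[k] = delta / interval
        rates[iface] = per_sec
    return rates


def mbit_per_s(bytes_per_s: float) -> float:
    """Convert a byte rate to megabits per second (what iperf and mrtg report)."""
    return bytes_per_s * 8 / 1e6


def dropping_interfaces(rates: Dict[str, Dict[str, float]], max_drops_per_s: float) -> List[str]:
    """Interfaces whose rx or tx drop rate exceeds the site's 'normal' baseline."""
    return sorted(i for i, r in rates.items()
                  if r["rx_drop"] > max_drops_per_s or r["tx_drop"] > max_drops_per_s)


def sample_live(interval: float = 1.0) -> Dict[str, Dict[str, float]]:
    """Hypothetical helper: take two real snapshots on a Linux host."""
    with open("/proc/net/dev") as f:
        first = parse_proc_net_dev(f.read())
    time.sleep(interval)
    with open("/proc/net/dev") as f:
        second = parse_proc_net_dev(f.read())
    return counter_rates(first, second, interval)


if __name__ == "__main__":
    r = counter_rates(parse_proc_net_dev(SNAPSHOT_T0), parse_proc_net_dev(SNAPSHOT_T1), INTERVAL_S)
    for iface, v in r.items():
        print(f"{iface:>5}: rx {mbit_per_s(v['rx_bytes']):6.2f} Mbit/s {v['rx_packets']:7.0f} pps"
              f" | tx {mbit_per_s(v['tx_bytes']):6.2f} Mbit/s {v['tx_packets']:7.0f} pps"
              f" | drops/s rx {v['rx_drop']:.1f} tx {v['tx_drop']:.1f}")
    print("above drop baseline (0.5/s):", dropping_interfaces(r, 0.5))
```

Appending each run's rates to a file with a timestamp gives the historical record the answer above calls for; once a week or two of samples exist, the drop threshold passed to `dropping_interfaces` can be set from what the firewall actually does under normal load rather than guessed.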
Round Up:
- BSDCan 2012 Highlight: Optimizing ZFS for Block Storage
- Android Forums hacked: 1 million user credentials stolen
- Dutch ISP finds 140,000 customers using default password ‘welkom01’
- SOPA IS BACK: Lamar Smith trying to quietly revive SOPA and cram it down the world’s throats
- New worm targets AutoCAD users, steals blueprints and designs
- Keyless BMW cars prove to be very easy to steal
- Icelandic court rules Credit Card processor must reopen wikileaks account
- Introducing BitTorrent Torque
- Microsoft Security Advisory (2719662): Vulnerabilities in Gadgets Could Allow Remote Code Execution
- Microsoft sponsored Android “security” report flawed: it’s a Yahoo app problem
- Hackers expose 453,000 credentials allegedly taken from Yahoo service