Server Puppeteering | TechSNAP 71

Rumor has it the PlayStation Network has been hacked again, but we’ve got the real story. Blizzard suffered a nasty database breach, and it might be much worse than they are letting on.

Plus: automating your server deployments and configurations has never been easier; find out what Allan uses to get the job done!

All that and a lot more, in this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 


Show Notes:

Attacker claims to have broken into Sony PSN again, Sony denies claim

  • Attackers have pasted 3,000 password hashes and email addresses from an alleged list of 10 million
  • The official PlayStation twitter account has denied the claim
  • Most of the password hashes appear to be phpBB’s modified version of the Openwall phpass hashing scheme, although some appear to be raw SHA-1 hashes
  • That specific hashing scheme suggests the passwords are not from PSN but from a forum database
  • However, if Sony uses a single sign-on system across its sites, these passwords may be the same ones used on PSN
  • Others have suggested it is just data from the previous attack last year
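
A first triage step for a paste like this is to sort the hashes by format and confirm a suspected format by verifying it against a known password. The following is an added example (not code from the show, from Sony, or from Openwall or phpBB) that re-implements the portable phpass algorithm from Openwall’s published description and classifies a constructed dump; the email addresses and dump lines are made up for the example, and the only real value in it is Openwall’s own published test vector.

```python
"""Triage a leaked credential dump by hash format, and verify phpass/phpBB hashes.

Added example; not code from the TechSNAP notes, from Sony, or from Openwall
or phpBB. The phpass portable algorithm is ported from Openwall's published
PHP; the dump lines below are constructed for this example.
"""
import hashlib
import hmac
import os
import re
from collections import Counter

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Signatures of the formats discussed in the show notes: phpBB's "$H$" variant of
# phpass, the stock "$P$" portable hash, and bare hex digests (SHA-1 and MD5).
HASH_PATTERNS = [
    ("phpass (phpBB $H$)", re.compile(r"^\$H\$[./0-9A-Za-z]{31}$")),
    ("phpass (portable $P$)", re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")),
    ("raw SHA-1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("raw MD5", re.compile(r"^[0-9a-fA-F]{32}$")),
]


def classify(hash_str: str) -> str:
    for name, pattern in HASH_PATTERNS:
        if pattern.match(hash_str):
            return name
    return "unknown"


def triage(dump: str) -> dict:
    """Count hash formats in an "email:hash" dump; blank and '#' lines are skipped."""
    counts = Counter()
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, hash_str = line.partition(":")
        counts[classify(hash_str)] += 1
    return dict(counts)


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base-64 variant (not RFC 4648), ported from the PHP loop."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass: md5(salt+pw), then 2**count_log2 rounds of md5(prev+pw).
    `setting` is the first 12 chars of a hash: "$P$"/"$H$", count char, 8-char salt."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])   # ValueError if the char is not in ITOA64
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 out of range")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_new(password: str, count_log2: int = 11, prefix: str = "$H$") -> str:
    """Hash with a fresh 6-byte random salt (8 chars once encoded)."""
    return phpass_hash(password, prefix + ITOA64[count_log2] + _encode64(os.urandom(6), 6))


def phpass_check(password: str, stored: str) -> bool:
    try:
        return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)
    except ValueError:
        return False


# Constructed dump: Openwall's published test vector (password "test12345") with
# phpBB's "$H$" prefix, plus bare SHA-1 and MD5 digests of the string "password".
SAMPLE_DUMP = """\
# email:hash
forum-user@example.com:$H$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0
other-user@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
third-user@example.com:5f4dcc3b5aa765d61d8327deb882cf99
"""

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
    print(phpass_check("test12345", "$H$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"))
```

phpBB only changes the prefix ($H$ instead of $P$); the salt and round count drive the digest, so one routine verifies both. The cost asymmetry is the practical point: a phpass hash costs 2^count_log2 MD5 calls per guess (2,048 at the default count character ‘9’), while a raw SHA-1 entry costs one, so in a mixed dump like this the raw SHA-1 rows fall first.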

Blizzard admits Battle.net was compromised

  • This week the security team at Blizzard discovered unauthorized access to their internal servers
  • Information that is known to have been accessed includes:
    • Email addresses
    • Answers to security questions
    • Cryptographic verifiers for account passwords
    • Information relating to Mobile and Dial-In Authenticators
  • Blizzard does not believe at this time that any payment information (credit card numbers, billing addresses, real names) was taken
  • Battle.net uses the Secure Remote Password protocol (SRP), which is designed to let remote users authenticate in such a way that a network eavesdropper cannot recover the user’s password or mount an offline dictionary attack against the exchange
  • The need for such a protocol has largely been obviated by SSL/TLS, which provides stronger protection against eavesdroppers and also prevents attacks that alter messages or spoof the identity of the endpoint
  • This might have made sense when Battle.net was originally introduced, when SSL was considered too costly in terms of performance
  • As far as a compromised database is concerned, a standard password hashing algorithm with a work factor, even just md5crypt (bcrypt would obviously be better), would likely have been more secure: SRP protects the password on the wire, not the verifier at rest. Maybe they will transition to something better now
  • One blogger who took the time to read the official SRP paper written by the protocol’s author has gone so far as to request a retraction or clarification from Blizzard President Mike Morhaime. Jeremy Spilman, founder of a company called TapLink, wrote in a blog post titled “SRP Won’t Protect Blizzard’s Stolen Passwords”:

    “Blizzard is incorrect in claiming that SRP ‘is designed to make it extremely difficult to extract the actual password’ after the verifier database is stolen”
  • However, a Battle.net 2.0 emulator suggests that at least some of Blizzard’s hashed passwords were generated with an SRP implementation that uses a 1024-bit modulus, rather than the 256-bit modulus described in the paper. That tweak makes password cracking take about 64 times longer than it would with the smaller modulus.
  • Ars Technica: Why hacked Blizzard passwords aren’t as hard to crack as company says
  • Additional Coverage: PCMag
  • Additional Coverage: Gamespot
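
To make the dispute above concrete, here is an added example (not code from the show, from Blizzard, or from the SRP paper) of what an SRP verifier is and what an attacker holding a stolen (username, salt, verifier) row can do with it. It uses the RFC 5054 1024-bit group and RFC 5054’s x = H(s | H(I ":" P)) derivation as a stand-in, since Battle.net’s actual parameters are not known here; the credential and wordlist are constructed.

```python
"""SRP-6a verifier derivation, and an offline guess against a stolen verifier.

Added example; not code from the TechSNAP notes, from Blizzard, or from the
SRP paper. RFC 5054's 1024-bit group and x derivation stand in for whatever
Battle.net actually uses, which is not known here.
"""
import hashlib
import os
import random

# RFC 5054 Appendix A, 1024-bit group, generator 2. Transcribed here;
# is_safe_prime(N) below lets you confirm the transcription before reuse.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I ":" P)) per RFC 5054; only the client ever computes this."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_verifier(username: str, password: str, salt: bytes = b""):
    """What the server stores per user: (salt, v = g^x mod N), never the password."""
    salt = salt or os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)


def crack_verifier(username: str, salt: bytes, v: int, wordlist):
    """The attacker with a stolen (I, s, v) row: two SHA-1 calls plus one modular
    exponentiation per guess, and no tunable work factor to slow that down."""
    for guess in wordlist:
        if pow(g, private_x(username, guess, salt), N) == v:
            return guess
    return None


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with a fixed seed so results are the same run to run."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(1)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(n: int) -> bool:
    """SRP needs N = 2q + 1 with q prime; check both halves of that."""
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)


if __name__ == "__main__":
    salt, v = make_verifier("alice", "hunter2")          # constructed credential
    stolen_row = ("alice", salt, v)                       # what a breach exposes
    print("group is a safe prime:", is_safe_prime(N))
    print("recovered:", crack_verifier(*stolen_row, ["123456", "password", "hunter2"]))
```

On the wire the verifier never exposes the password, which is what SRP was built for. Once the table is stolen, though, every guess costs two SHA-1 calls and one modular exponentiation with nothing to tune, so protection at rest comes only from the modulus size and the password’s own strength, not from a deliberately slow hash; that is the gap the Spilman post is pointing at, and why a larger modulus helps only by a constant factor.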

Feedback:

  • Raymii created a Security Question Answers Generator page!
    • Violates rule #3 for a security question: the answers are not ‘memorable’
    • Randomly generated answers are technically not stable or definitive either
    • Relies on you remembering or storing the answer, in case you fail to remember or store your password… (the secret answers should not be stored at all, or should be stored as securely as the original password itself, since they can be used in place of, or to reset, the password)
    • Cool site, decent random password generator à la XKCD
  • White Spiral from the chatroom wrote in with a number of suggestions for security questions
    • Your questions are not very applicable to average users (none of my ex-girlfriends had bad breath)
    • Questions related to sex pose numerous problems, including offending customers or causing an unpleasant work environment for support employees who must ask these questions over the phone
    • User-generated questions require more database resources, but likely solve the problem of applicability
    • Most users are likely worse at coming up with their own questions than the site would be
  • Jim emails in and suggests: why not use pictures of people you know! The first question might be their name and the second the location where the picture was taken.
    • You can’t use this type of security question over the phone
    • There may be privacy issues with storing pictures of third parties on behalf of the customer (what if the database gets hacked, and now pictures of me uploaded by someone else are leaked?)
    • I may not be able to remember the location the picture was taken in a few years
  • Peter suggests committing a lot of crimes, and confessing one to each company that requires a security answer

  • Q: I did bad; do I have to give up my internet license?

  • Q: Configuration management automation?
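
The storage point raised in the security-question discussion above, as an added example (not code from the show or from any listener’s site): treat security answers exactly like passwords, normalize them so legitimate variants still match years later, and require every question on file to pass before allowing a reset. The normalization rules, the PBKDF2-HMAC-SHA256 choice and the iteration count are choices made for this example; bcrypt, scrypt or Argon2 are better where available.

```python
"""Store security-question answers the way passwords are stored: normalized,
salted and stretched, never in the clear.

Added example; not code from the TechSNAP notes or from any listener's site.
Normalization rules, PBKDF2 parameters and record format are choices made here.
"""
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 200_000        # tune so one check costs roughly 100 ms on your hardware
MIN_NORMALIZED_LENGTH = 3   # "NY" or "Al" is not worth hashing; reject at enrolment


def normalize_answer(answer: str) -> str:
    """Fold case and drop accents, punctuation and whitespace, so a user who
    typed "St. Mary's" years ago is not locked out by "st marys" today."""
    decomposed = unicodedata.normalize("NFKD", answer).casefold()
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only)


def is_acceptable_answer(answer: str) -> bool:
    return len(normalize_answer(answer)) >= MIN_NORMALIZED_LENGTH


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return "pbkdf2-sha256$iterations$salt_hex$dk_hex"; raise on weak answers."""
    if not is_acceptable_answer(answer):
        raise ValueError("answer too short after normalization")
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Constant-time compare against a stored record; unknown formats fail closed."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


def reset_allowed(given: dict, stored: dict) -> bool:
    """A reset must clear every question on file. Every answer is checked even
    after one fails, so response time does not reveal which question was wrong."""
    if not stored:
        return False
    results = [verify_answer(given.get(question, ""), record)
               for question, record in stored.items()]
    return all(results)


if __name__ == "__main__":
    # Constructed enrolment: what the database holds is only the records.
    on_file = {"first school": hash_answer("St. Mary's"),
               "first pet": hash_answer("Zoë")}
    print(reset_allowed({"first school": "st marys", "first pet": "zoe"}, on_file))
    print(reset_allowed({"first school": "st marys", "first pet": "rex"}, on_file))
```

With this layout a dumped table yields salted, stretched records that cost as much to guess as the password table does, and an answer can no longer be read out of the database and used in place of the password, which was the concern with storing the generated answers in the clear.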

Question for a future episode:

Sr. SysAdmins and Techs, what would you like your Jr. co-workers to know or learn more about before joining the work force?

Round-Up: