Patch Your Password | TechSNAP 84

Allan will build the case for abandoning the password, the Skype flaw that will shock you,

And we discuss picking the right server OS, when to RAID or not to RAID, and a BIG batch of your questions, and our answers.

All that and more on this week’s TechSNAP!


Show Notes:

  • Why a password isn’t good enough anymore

    • An article by Mat Honan, the Wired writer whose entire online existence was destroyed earlier this year
    • The attacker wanted to steal the Twitter handle @mat, and so started by requesting a password reset on Twitter
    • Twitter's reset pointed the attacker at Mat's Gmail account
    • Requesting a password reset on the Gmail account pointed the attacker at Mat's Apple account as the recovery address
    • The attacker called Apple and, using details about Mat gathered from Twitter, Facebook, Google and so on, talked support into resetting the password on Mat's Apple account
    • Using the Apple account, the attacker disabled and remotely wiped Mat's Apple devices (iPhone, iPad and MacBook)
    • With the Apple account under his control, the attacker reset the password on the Gmail account
    • And then the password on the Twitter account
    • Watch TechSNAP 70 for the full story
    • In this followup article we get an even closer look at what happened, and an in-depth analysis of other recent happenings
    • A lot of the problems discussed in the article are not weaknesses in passwords specifically, but in the people and systems that use them
    • Authentication Bypass – When an attacker finds a way into an account or service without needing the password at all. We have seen this with Dropbox, Oracle and others in past episodes of TechSNAP, and in the recent Skype case, where Skype failed to properly authenticate the requester before allowing a password reset; we cover that later in this episode.
    • Brute Force – Accounts for services like POP3, FTP, SSH and SIP are under constant attack, all day, every day. Attackers try to compromise these accounts for a variety of reasons: using the first password as a stepping stone to more sensitive accounts, using your machine to scan for yet more weak passwords, or using it as a source of spam. Common username and password combinations are tried against every public-facing server on the internet around the clock, so protecting those servers with a tool such as DenyHosts, Fail2Ban or SSHGuard, which watches the authentication logs and blocks an address after a handful of failures, is a must.
    • Database Compromise – Services such as Sony PSN, Gawker, LinkedIn, Yahoo, eHarmony, Last.fm and others had their databases compromised and their password lists dumped online. Often these passwords were hashed (MD5, SHA1, SHA256), but not always. Even a hashed password is little protection: it doesn't disclose your password immediately, but with rainbow tables (which work against unsalted hashes) and GPU-accelerated cracking, these hashes were quickly cracked and the plain-text passwords posted online. Hopefully more services will start using proper password hashing schemes (sha512crypt, bcrypt), which are salted and take tens of thousands of times more computation for each guess. Some of these, bcrypt in particular, have so far resisted GPU acceleration, gaining far less from a GPU than MD5 or SHA1 does.
    • Disclosure – People share their passwords. I don't know how many Facebook accounts have been 'hacked' by friends or exes because the owner willingly handed over the password, or handed over the password to something else, which was then combined with one of the other techniques described here to reach something they were never meant to have access to.
    • Eavesdropping – Someone could be listening on the wire (or in the air, in the case of wireless or mobile data connections) and see your password as it travels between your computer and the remote service. Most services now log in over SSL/TLS to prevent this, but older protocols such as FTP (still very popular for web hosting, where the password is often shared with the hosting control panel that can reset your email password) send it in the clear.
    • Exposure – This is when you accidentally give away your password. It happens on IRC at least once a week: someone tries to enter the command to identify, prefixes it with a space or something, and ends up displaying their password to the entire chat room. Users will also sometimes enter their password in the username field, or their credit card number in the 'name as it appears on the card' field, and that field is not treated with the same level of security.
    • Guessing and Inference – When people base their password on birthdays or pets' names, they become easy to guess. Compile a largish list of keywords about a person, including bands and songs they like, family and friends' names, important dates, sports teams and so on, run it through an app like John the Ripper, which generates variations of those words (l33t-speak transformations, appended numbers and symbols), and you are likely to get a fairly high success rate. In addition to guessing there is inference: if you know that Bob's password for Gmail is bobisgreat@gmail, you can probably guess that his password for Facebook is bobisgreat@facebook. If there is a pattern or 'system' to your passwords, then once someone compromises ONE of them, they have a much greater chance of compromising them all.
    • Key Logging – When an attacker, using hardware or software, records the keys you type, capturing your password as you enter it. Password managers like LastPass may seem to help with this, but they usually use an OS API to simulate typing the keys in order to stay compatible with all applications, so a key logger hooked at that level still sees them. Clipboard scanners can also often catch passwords.
    • Man-in-the-Middle – An attack that intercepts your traffic and impersonates the service you are trying to connect to, capturing your password even though the connection was encrypted. SSL/TLS was designed to prevent man-in-the-middle attacks by verifying the identity of the remote server, but with Certificate Authorities being compromised and issuing false certificates, and tools such as SSLStrip tricking you into not using SSL at all, it is still possible for your communications to be intercepted.
    • Phishing – Emails meant to look like they come from an official source, whether it be eBay, PayPal or your bank, prompt you to log in on a page that looks like the legitimate one but is not. Once you enter your details, the attackers have everything they need to compromise your real account. Combine this with the weak DKIM keys from a few weeks ago, a compromised Certificate Authority and a man-in-the-middle DNS attack, and you have no way of knowing that when you typed https://www.paypal.com into your browser you actually ended up on an attacker's site.
    • Replay Attack – When an attacker captures you authenticating in some secure manner and is able to resend that same information later to authenticate as you, without ever knowing your password.
    • Reuse – Using the same password on multiple sites means that when one of them is compromised, they all are. I keep telling you, use LastPass.
    • Secret Questions – So, when you set up that new account and it prompts you for some secret questions and answers, consider carefully what you put down. You're going to need to remember them later to regain access to the account (and some accounts ask them when they suspect you are logging in from a different computer), but if they are simple ones that someone could look up via Google or Facebook (remember, the attacker could be someone you know, so your Facebook privacy settings might not be enough), then they aren't good enough.
    • Social Engineering – In the case of the Mat Honan compromise, the weakest link turned out to be AppleCare support, who very much wanted to be helpful and let him recover his accounts. The only problem was that the caller was not Mat Honan but the attacker, who managed to guess and trick his way through the security questions and gain control of the Apple and Amazon accounts.
    • See some old blog posts by Allan for more reading at [GeekRoundTable](https://www.geekrt.com/read/88/Myths-of-Password-Security/) and AppFail
    • These issues are endemic across the entire internet, and it is important that you be aware of them and take steps to protect yourself as best you can
    • A comparison of two major password dumps has shown that half of all passwords were used on both sites; the problem of password reuse is growing rather than shrinking
    • Having a long and strong password is important, but you have to consider the other ways someone could compromise your account; the weakest link is the most likely avenue of attack
    • If you have the option, enable two-factor authentication; adding one more step makes the attacker's job that much harder. But remember, this doesn't make you immune: RSA and Blizzard authenticators have been compromised in the past when their seed values were stolen from the central databases.
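
To make the brute-force point concrete, here is an added example (not code from the show, and not from DenyHosts, Fail2Ban or SSHGuard) of the detection logic those tools implement: parse sshd "Failed password" lines out of a syslog-style auth log and ban a source once it has a configurable number of failures inside a sliding time window. The log lines are constructed for the example and use documentation address ranges; `maxretry` and `findtime` are named after Fail2Ban's settings but the code is independent of it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format; hosts and addresses are
# RFC 5737 documentation ranges, not real machines.
SAMPLE_AUTH_LOG = """\
Nov 14 10:00:01 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 14 10:00:03 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Nov 14 10:00:05 web1 sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Nov 14 10:00:06 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51052 ssh2
Nov 14 10:00:08 web1 sshd[4029]: Failed password for root from 203.0.113.7 port 51060 ssh2
Nov 14 10:00:09 web1 sshd[4031]: Accepted publickey for deploy from 198.51.100.4 port 40011 ssh2
Nov 14 10:00:12 web1 sshd[4033]: Failed password for deploy from 198.51.100.4 port 40020 ssh2
Nov 14 10:20:00 web1 sshd[4100]: Failed password for root from 192.0.2.9 port 33001 ssh2
Nov 14 10:35:02 web1 sshd[4101]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# One failed-password line; sshd adds "invalid user" when the name does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed-password line.
    Syslog timestamps carry no year, so they parse as 1900; only differences matter here."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_brute_forcers(log_text, maxretry=5, findtime=600):
    """Ban a source once it has `maxretry` failures inside a sliding `findtime`-second
    window (the knobs are named after Fail2Ban's; the logic is this example's own).
    Returns ({ip: time_banned}, {ip: set of usernames tried})."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    usernames = defaultdict(set)
    banned = {}
    for ts, user, ip in parse_failures(log_text):
        usernames[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned, usernames


if __name__ == "__main__":
    banned, tried = find_brute_forcers(SAMPLE_AUTH_LOG)
    for ip, when in banned.items():
        print(f"ban {ip} at {when:%H:%M:%S}; usernames tried: {sorted(tried[ip])}")
```

With the defaults the scanner at 203.0.113.7 is banned on its fifth failure; the single mistyped password from 198.51.100.4 and the two slow attempts from 192.0.2.9 (fifteen minutes apart, so never both inside a ten-minute window) are left alone. Tune `findtime` upward if you want to catch the slow, patient attacker too, and feed the banned list to your firewall rather than just printing it.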
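
The guessing/inference and hash-cost points above, worked through as an added example (not from the show, and not John the Ripper's or any named service's code): a small rule-based mangler turns personal keywords into candidates, which are then run against an unsalted MD5 hash and against a salted, iterated hash. PBKDF2-HMAC-SHA512 from the Python standard library stands in for sha512crypt/bcrypt because it needs no extra packages; it is not the same algorithm, but it shows the same property, a per-guess work factor the defender chooses. The keyword list, target password and suffix list are constructed for the example.

```python
import hashlib
import itertools
import os
import time

# Substitutions and suffixes of the kind John the Ripper's rules apply (constructed, small).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "2012", "1985"]


def mangle(keywords):
    """Yield candidate passwords built from personal keywords: case variants,
    l33t substitutions, two-word joins and common suffixes, without duplicates."""
    words = [w.lower() for w in keywords]
    bases = list(words) + [a + b for a, b in itertools.permutations(words, 2)]
    seen = set()
    for base in bases:
        for variant in (base, base.capitalize(), base.translate(LEET), base.capitalize().translate(LEET)):
            for suffix in SUFFIXES:
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def fast_hash(password):
    """Unsalted MD5, as found in many leaked databases: one cheap operation per guess,
    and equal passwords give equal hashes, which is what makes rainbow tables work."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt, rounds):
    """Salted, iterated hash. PBKDF2-HMAC-SHA512 stands in here for sha512crypt/bcrypt
    (assumption: same idea, a tunable work factor; not the same algorithm).
    The salt makes precomputed tables useless; `rounds` multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds).hex()


def crack(target, candidates, hashfn):
    """Try each candidate; return (password_or_None, guesses_made, seconds)."""
    start = time.perf_counter()
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hashfn(cand) == target:
            return cand, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def demo(rounds=50_000):
    """Crack one constructed password (dog called Rex, born 1985, written R3x1985)
    stored both ways. Returns ((pw, guesses, secs) for MD5, same for PBKDF2)."""
    keywords = ["rex", "liverpool", "1985"]
    secret = "R3x1985"
    salt = os.urandom(16)          # per-user random salt, stored next to the hash
    fast = crack(fast_hash(secret), mangle(keywords), fast_hash)
    slow = crack(slow_hash(secret, salt, rounds), mangle(keywords),
                 lambda p: slow_hash(p, salt, rounds))
    return fast, slow


if __name__ == "__main__":
    (pw1, n1, t1), (pw2, n2, t2) = demo()
    print(f"MD5:    cracked {pw1!r} after {n1} guesses in {t1:.4f}s")
    print(f"PBKDF2: cracked {pw2!r} after {n2} guesses in {t2:.2f}s (same guesses, far more work each)")
```

Both hashes fall to the same 24th guess, because the password really is derived from the keywords; what the slow hash buys is time per guess, and that multiplier is what turns a dump of millions of hashes from an afternoon's GPU job into something impractical. Run it once with `rounds=1_000` and once with the default to feel the difference.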

    Skype IDs hijackable by anyone who knows your email address

    • An attacker found a way to bypass the authentication in Skype's password reset system and take over any account for which the email address was known
    • The instructions:
    • Register a new Skype account using the email address of the victim
    • Log in to Skype with that new account
    • Initiate a password reset for the victim's account
    • Skype emails the victim a password reset token, but the token also pops up in the Skype client of every logged-in account registered with that email address, so the attacker gets the token too
    • Use the token to reset the password of the victim's account
    • Log in to the victim's account, remove their email address and add your own (one that no one knows), and you now own that account
    • Skype disabled the password reset system a few hours later, then fixed the issue and re-enabled it. Tokens are no longer displayed in logged-in Skype clients. This makes sense, and I question why it was ever the other way around, because if you are logged in, you are unlikely to have forgotten your password (unless it was saved, I guess).
    • Skype’s Reaction
    • NextWeb Coverage
    • NextWeb Followup
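
An added example (not Skype's code; a toy model of the behaviour described above) that runs the published procedure against a reset flow that pushes tokens into every logged-in client sharing the address, then against the same flow with that in-client delivery removed. Account names, addresses and the `deliver_tokens_in_client` switch are assumptions of the model.

```python
import secrets
from collections import defaultdict


class ResetFlowService:
    """Toy model of a service whose password-reset tokens are, in the flawed mode,
    shown in every logged-in client registered under the same email address.
    Assumption: mirrors the show notes' description, not Skype's implementation."""

    def __init__(self, deliver_tokens_in_client):
        self.deliver_tokens_in_client = deliver_tokens_in_client
        self.accounts = {}                        # username -> {"email", "password"}
        self.mailbox = defaultdict(list)          # address -> tokens actually emailed
        self.client_notices = defaultdict(list)   # username -> tokens shown in that client
        self.tokens = {}                          # token -> username it resets

    def register(self, username, email, password):
        # Precondition for the flaw: nobody checks that the registrant controls `email`.
        if username in self.accounts:
            return False
        self.accounts[username] = {"email": email, "password": password}
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(acct["password"], password)

    def request_reset(self, username):
        acct = self.accounts[username]
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        self.mailbox[acct["email"]].append(token)         # the legitimate channel
        if self.deliver_tokens_in_client:
            # The bug: every account carrying that address, attacker's included, sees it.
            for name, other in self.accounts.items():
                if other["email"] == acct["email"]:
                    self.client_notices[name].append(token)
        return token

    def reset_password(self, token, new_password):
        username = self.tokens.pop(token, None)            # single use
        if username is None:
            return False
        self.accounts[username]["password"] = new_password
        return True

    def change_email(self, username, new_email):
        self.accounts[username]["email"] = new_email


def hijack(service, victim_user, victim_email):
    """The published procedure, step by step. True if the attacker ends up owning the account."""
    service.register("attacker", victim_email, "attackerpw")   # 1. register with the victim's address
    if not service.login("attacker", "attackerpw"):             # 2. log in with that new account
        return False
    service.request_reset(victim_user)                          # 3. trigger a reset for the victim
    seen = service.client_notices["attacker"]                   # 4. did the token land in our client?
    if not seen:
        return False
    service.reset_password(seen[-1], "pwned")                   # 5. use it
    service.change_email(victim_user, "attacker-only@example.invalid")  # 6. lock the victim out
    return service.login(victim_user, "pwned")


def run_scenario(deliver_tokens_in_client):
    """Seed a victim account (constructed) and run the hijack; returns (owned, service)."""
    svc = ResetFlowService(deliver_tokens_in_client)
    svc.register("mat", "mat@example.com", "correct horse battery")
    return hijack(svc, "mat", "mat@example.com"), svc


if __name__ == "__main__":
    for mode in (True, False):
        owned, _ = run_scenario(mode)
        print(f"tokens shown in client: {mode} -> attacker owns account: {owned}")
```

With in-client delivery on, the attack completes exactly as described; with it off, the token only ever reaches the mailbox, the attacker's client sees nothing, and the victim's own reset still works. Note what the fix does not address: registration still never verified that the attacker controls the victim's address, so the attacker's account keeps carrying it, and that is harmless only as long as nothing else is ever delivered on the strength of an unverified email.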

    Feedback:

    Round Up:

Question? Comments? Contact us here!