LinkedIn – Jupiter Broadcasting (https://www.jupiterbroadcasting.com): Open Source Entertainment, on Demand. Tue, 14 Jun 2016 01:00:54 +0000

LockedIn | TTT 248
https://original.jupiterbroadcasting.net/100456/lockedin-ttt-248/
Mon, 13 Jun 2016 17:00:54 +0000

The post LockedIn | TTT 248 first appeared on Jupiter Broadcasting.


Microsoft to acquire LinkedIn & we bet we know why! Apple has a big day & we cover some of the highlights. The best TV set top box in our estimation, some Plex love & a Kickstarter of the week for the connected family.


Show Notes:

Links

Kickstarter of the Week: Octopus, the first icon-based watch & scheduler for kids! by Joy — Kickstarter

Zuckerpunched | TTT 247
https://original.jupiterbroadcasting.net/100236/zuckerpunched-ttt-247/
Mon, 06 Jun 2016 18:33:24 +0000

The post Zuckerpunched | TTT 247 first appeared on Jupiter Broadcasting.


LinkedIn password dump strikes Mark Zuckerberg & Google Two Factor authenticator users & others. We round it all up. Plus some of the new security features coming to Android N, the era of backpack PC’s is here & what the heck is going on with Nest?

Plus our Kickstarter of the week & more!


Show Notes:

Links

Kickstarter of the week

$10 Cat Videos | Tech Talk Today 156
https://original.jupiterbroadcasting.net/80212/10-cat-videos-tech-talk-today-156/
Thu, 09 Apr 2015 10:06:55 +0000

The post $10 Cat Videos | Tech Talk Today 156 first appeared on Jupiter Broadcasting.


YouTube is preparing a monthly subscription service with no ads & other perks. But is the Internet ready to pay for YouTube content? Our panel is skeptical.

LinkedIn buys Lynda & their plans leave us a bit creeped out. Plus why Samsung is teetering on the edge of something huge.


Show Notes:

Welcome to the LinkedIn Family, lynda.com! | Official LinkedIn Blog

So, I couldn’t be more thrilled to welcome the talented lynda.com team to the LinkedIn family today. Together, I believe we can make it even easier for professionals around the world to accelerate their careers and realize their potential through the learning and development of new skills. Today’s announcement that LinkedIn intends to acquire lynda.com allows us to take a meaningful step forward in building the Economic Graph, which you can read more about from our CEO Jeff Weiner’s post here.

YouTube’s paid subscription offering takes shape — and it’s almost here | The Verge

It will offer ad-free videos as well as the ability to store videos offline on their mobile devices, for a price expected to be around $10 a month. It will also let creators put their videos behind a paywall so that only subscribers to the premium version can view them, sources said. (Bloomberg published a letter sent to creators today.)


The offering may also include lower-priced subscriptions for specific categories, such as music and children’s programming. (YouTube Music Key, which serves as a model for the all-access subscription, has been in invite-only beta since November. At the time, Google said Music Key would cost $7.99 a month when it comes out of beta.)

Samsung Facing Supply Shortages for Curved-Screen Galaxy S6 Edge – WSJ

“We’re working hard to resolve the difficulty in supply,” he said at a media event in Seoul ahead of the flagship phone’s global launch on Friday. He added that the supply issue could persist “for a while.”

Hidden backdoor API to root privileges in Apple OS X |

The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.

Feedback TTT 154 “Bitcoin Recession”

I perked up when listening to “Bitcoin Recession” because I expected some thoughtful Bitcoin discussion. But instead all I heard was Popey pooping on Bitcoin for 10 minutes. I know Popey doesn’t like Bitcoin and won’t give it a chance. So can we get someone else from the mumble room to comment who isn’t openly, unabashedly against it? Can we please have a discussion about Bitcoin for once that doesn’t involve pooping on it?

Linuxbrew

  • Can install software to a home directory and so does not require sudo
  • Install software not packaged by the native distribution
  • Install up-to-date versions of software when the native distribution is old
  • Use the same package manager to manage both your Mac and Linux machines

I Know Your Password | TechSNAP 61
https://original.jupiterbroadcasting.net/20312/i-know-your-password-techsnap-61/
Thu, 07 Jun 2012 17:50:30 +0000

The post I Know Your Password | TechSNAP 61 first appeared on Jupiter Broadcasting.


It’s a simple thing but everyone keeps messing it up: bad password storage practices. Many popular sites had their password databases leaked online this week, and we’ve got the details!

Plus how the Flame malware impersonated Windows Update, and another batch of audience questions!

All that and more, on this week’s TechSNAP.


Show Notes:

Flame Took Advantage of Windows Update

  • Iran has sustained 185 Flame virus infections, followed by 95 in Israel and the Palestinian Territories, 32 in Sudan and 29 in Syria
  • A Flame module called Gadget possesses man-in-the-middle functionality which enabled it to pass crafted update packages to other computers on the same network
  • One specific package was called WuSetupV.exe and was signed with a certificate issued by the “Microsoft Enforced Licensing Registration Authority CA”, a sub-CA of Microsoft’s root authority
  • The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language
  • Most victims were running 32-bit editions of Windows 7, with a sizeable 45 per cent running XP. Flame does not work on the 64-bit edition of Windows 7
  • The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft
  • Microsoft still uses MD5 fingerprints on its certificates. According to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (see TechSNAP 37), MD5 was deprecated for Root and Subordinate CAs in Dec 2010, and SHA256 or better is required for all certificates issued after Dec 31, 2013. SHA1 is only allowed until more browsers support SHA256 or better
  • Microsoft has already confirmed that Flame developers were able to issue valid Microsoft certificates
  • Flame’s operators used a number of fake identities to register their domains. According to Kaspersky, server locations included Germany, the Netherlands, the UK, Switzerland, Hong Kong and Turkey
  • Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet
  • Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009
  • Researchers say the compilation dates of modules in Flame appear to have been manipulated by the attackers, perhaps in an attempt to thwart researchers from determining when they were created

“Whoever created it was careful to mess up the compilation dates in every single module,” Gostev said. “The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”

  • Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May

Links


LinkedIn leaks 6.4 million password hashes

  • A list of 6.4 million SHA-1 hashes, purported to be passwords from the popular business social networking site Linkedin.com, was posted on a Russian password cracking forum
  • The list is deduplicated, meaning each hash is listed only once, so more than 6.4 million passwords were compromised
  • The list that I managed to download had a lot of the hashes prefixed with 5 or 6 0s, apparently marking them as already having been brute forced
  • An analysis of a number of permutations of the word linkedin, shows that almost every obfuscation was present on the list
  • Research has shown that the name of the site is one of the most common passwords, so this suggests that the list is actually from LinkedIn
  • A number of users at hackernews found their obscure/random passwords on the list of hashes, further suggesting that the list is legitimate
  • Using plain SHA-1 hashes to store passwords is extremely insecure; a cryptographic hashing algorithm with a salt should be used
  • I managed to download a 10GB rainbow table of SHA1 hashes, and check every 1–7 character mixed case alpha numeric password using my nVidia GTX 560 Ti, in only 220 seconds
  • A rainbow table for longer passwords is impractical due to the amount of storage required
  • Salted hashes cannot be attacked by rainbow tables because the salt basically extends the length of the password, and because crypt() based hashing algorithms run the hash multiple times
  • MD5-crypt uses an 8 character salt and loops 100 times, SHA256/SHA512-crypt uses a 16 character salt and by default loops 5000 times (adjustable between 1000 and 100 million), and Bcrypt uses a 22 character salt and 16 loops (adjustable as powers of two between 4 and 31)
  • Consider the following key spaces, and assume you had access to the cracking power of the ENTIRE bitcoin mining network (10 Terahashes per second) (Disclaimer: these numbers are probably wrong, just an example for reference)
    • 8 character password, mixed case alphanumeric: (26+26+10)^8 = 218,340,105,584,896 = 21.8 seconds to try every possible password
    • 8 character password, all 7-bit ASCII characters: 127^8 = 67,675,234,241,018,881 = 6767 seconds to try every possible password (less than 2 hours)
    • 8–12 character password, alphabetical only: 26^8 + 26^9 + 26^10 + 26^11 + 26^12 = 99,246,106,575,066,880 = 9924 seconds (less than 3 hours)
    • 8 character mixed case alphanumeric password, with 8 character salt, 100 rounds = 62^16 * 100 = 4,767,240,170,682,353,345,026,333,081,600 = 15,116,819,414 years
  • Official LinkedIn Response
  • LinkedIn claims that they now salt passwords, so if you change your password, it will be updated and stored more securely
  • LinkedIn would be able to update to the stronger hashing algorithm without requiring users to change their password, by computing the new hash the next time each user logs in
  • LastPass – LinkedIn Password Checker
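
The login-time upgrade described in the list above, as an added example that is not LinkedIn's code or part of the original show notes. It assumes PBKDF2-HMAC-SHA256 as the salted, iterated replacement; the storage format, function names, and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune per hardware


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1, the weak scheme the leaked list used."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"", iters: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a hypothetical storage format."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return f"pbkdf2${iters}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the scheme named in the stored record and compare."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        candidate = legacy_hash(password)
    elif scheme == "pbkdf2":
        iters, salt_hex, _ = rest.split("$")
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iters))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login(db: dict, user: str, password: str) -> bool:
    """Authenticate, then upgrade the record while the plaintext is in hand."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith(f"pbkdf2${ITERATIONS}$"):
        db[user] = strong_hash(password)  # legacy or under-iterated record
    return True


if __name__ == "__main__":
    # Constructed sample accounts, both still on the legacy scheme.
    db = {"alice": legacy_hash("linkedin1"), "bob": legacy_hash("linkedin1")}
    print(db["alice"] == db["bob"])  # same password gives the same unsalted hash
    print(login(db, "alice", "linkedin1"), db["alice"].split("$")[0])
```

Accounts that never log in again keep their legacy record, so this upgrade only covers active users.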

Cloudflare hacked via its voicemail

  • Cloudflare is a cloud based WAF (Web Application Firewall) and Global Load Balancer
  • An attacker found four separate security vulnerabilities and chained them together in order to take over the account of a single Cloudflare user
  • The attacker was basically in control of the entire Cloudflare infrastructure for approximately 30 minutes
  • The attacker first exploited weak security at AT&T to redirect voicemail from the Cloudflare CEO to a mailbox set up by the attacker
  • The attacker next took over the CEO’s personal Gmail account by tricking Google’s password reset system into leaving the PIN in the voicemail box by means of a specially crafted voicemail greeting
  • A flaw (since fixed) in Google’s Enterprise Apps system allowed the attacker to bypass the two-factor authentication system when resetting the password for the CEO’s corporate Gmail, having the password sent to the CEO’s personal Gmail compromised earlier.
  • An internal policy at Cloudflare had all password reset emails BCCed to administrators (ironically, this was done for debugging and to watch for suspicious password reset requests)
  • Once the attacker had compromised a Google Enterprise Apps admin account, he reset the passwords for the other admins, and initiated a Cloudflare password reset for the targeted customer
  • A copy of the password reset was sent to the administrator email, which the attacker now controlled, giving them access to the target user’s Cloudflare account
  • The attacker redirected all traffic to the target site to Twitter
  • Official Incident Report w/ Updates
  • Official Followup

MD5-Crypt no longer considered secure

  • Poul-Henning Kamp (also known as PHK), who wrote the MD5-crypt implementation used in most all devices since 1995, says that it should no longer be considered secure
  • Commercial off-the-shelf video cards can crack MD5 hashes at rates in excess of 1 million hashes per second
  • PHK says he will not write a new password hashing algorithm, because he is not a cryptographer
  • His recommendation is to actually mix a number of algorithms, rather than using just a single algorithm
  • He also recommends that each site implement their own variation of the algorithm, to ensure against ‘class breaks’
  • FreeBSD 9 already supports Bcrypt, and SHA256/512 based password hashing
  • Arch Linux and a few others use SHA256 by default now

Feedback:

Round up:
