multi-factor – Jupiter Broadcasting

Restores are Everything | TechSNAP 168

chris — Thu, 26 Jun 2014 14:45:11 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A company known for backup shuts down after their AWS account gets hacked, the Hedge fund thats under attack, how far you can get with a little cab data…

Your questions, our answers, and much, much more!

Thanks to:

Direct Download:

RSS Feeds:

— Show Notes: —

Company shuts down after their AWS account compromised, all customer data deleted

Code Spaces, a source code hosting and backup service has ceased doing business
On June 17th the company came under a DDoS attack, which is apparently business as normal for them
Later, they found messages in their Amazon Web Services portal, urging them to contact a hotmail address
When contacted, the attacker demanded a large ransom
When Code Spaces attempted to change their passwords in the AWS control panel, additional administrator accounts added by the attacker were used to delete all EC2 virtual machines, S3 stores and EBS volumes in the account before all accessed could be revoked
The most embarrassing part of the situation is the text on the original Code Spaces website:
“Backing up data is one thing, but it is meaningless without a recovery plan, not only that [but also] a recovery plan—and one that is well-practiced and proven to work time and time again,” “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
It is not clear what the Code Spaces backup strategy was, but it seemed to involve the same Amazon account
In general, the idea with an “offsite” backup is to separate it from a failure of the primary. If you keep the backups for your database beside the database server and your office burns down, what good are the backups
What if Amazon suffered a catastrophic data loss? or what if your account is compromised?
The backups should have at least been in a different Amazon account that was very strictly controlled, or better yet, stored in some other service
It is still unclear how the account was compromised, but it seems likely that Code Spaces was not making use of the Amazon’s Multi-Factor Authentication service, which offers either a mobile phone app, or two different types of hardware authenticators (key fob and credit-card style)

Poorly anonymized NYC Taxi data, de-anonymized

Under an Open Data initiative, the New York City Taxi & Limousine Commission released the anonymized GPS logs of all taxi trips in 2013 (173 million trips)
Chris Whong got a hold of this data and did some interesting stuff with it
When he was done with it, he posted the data for everyone
Developer Vijay Pandurangan took a look at the data and noticed that the medallion and hack numbers appeared to simply be MD5 hashes
In particular, the driver with ID# CFCD208495D565EF66E7DFF9F98764DA appeared to have an impossibly large number of trips
Turns out, that is the MD5 hash of “0”, cases where the data was unavailable
Realizing that the data was only anonymized using MD5, and knowing the structure of a drivers license # (5-7 characters, with specific characters being numbers or letters), he was able to brute force all 24 million combinations in only 2 minutes using a single CPU
Once this was done, he had the original un-anonymized data
Using other websites, it is possible to link the medallion and hack numbers to the owners names
Original Post
Additional Coverage – Ars Technica
To prevent this, there are a number of approaches, the fastest but weakest is a ‘secret key’. Instead of md5(hack#) just do md5(SUPERLONGSECRETKEYhack#), as long as the attacker doesn’t know the secret key, and it is long enough to make guessing it impractical, the data would remain anonymized
Another option is to use the md5 hash of the encrypted form of the value. However this eventually just relies on a secret key as well. However, if the data never needs to be anonymized, a very strong key can be used, and that key can then be destroyed, making decryption impossible.

Hackers attack hedge fund for monetary gain

BAE systems, a British defense contractor that also specializes in cyber security, was called in to investigate after computers at a hedge fund were hacked
The attackers somehow infiltrated the HFT (High Frequency Trading) system, and injected delays of several hundred microseconds into the order entry system
This causes the Hedge Fund to miss out on profits it could have made on the trades
It is suspected, that the attackers capitalized on this to make those profits themselves
“Hedge funds “really have inadequate cybersecurity as a whole” and the attacks threaten to undermine the systems used globally for high-speed trading, said Tom Kellerman, chief cyber security officer for Trend Micro Inc. ”

Feedback:

Round Up:

The post Restores are Everything | TechSNAP 168 first appeared on Jupiter Broadcasting.

Perfect Passwords | TechSNAP 11

chris — Thu, 23 Jun 2011 23:38:50 +0000

We’ve got the details of an FBI raid that knocked several popular sites off-line.

The WordPress plugin repository was compromised, and backdoors were added to a few popular plugins, and we’ll share the details.

Plus Dropbox’s shockingly bad security issue this week, and we’ll cover why you always want a little salt with your passwords!

All that and more, on this week’s TechSNAP!

Direct Download Links:

Subscribe via RSS and iTunes:

[ad#shownotes]

Show Notes:

TechSNAP has a new Sub-Reddit, submit links and questions for the show, and vote away!

Topic: FBI raids data center and takes 3 entire racks

At 1am on Tuesday the FBI raided the Virginia, USA data center of Swiss web hosting company DigitalOne.
DigitalOne’s website was still offline late Wednesday
DigitalOne does not have any staff on-site, and relies on remote hands from the data center operator, CoreSite. DigitalOne was not aware of what the problem was until hours later when the data center contracted them and passed along the name of the agent in charge and a phone number for DigitalOne to contact the FBI.
When requested DigitalOne had given the FBI information on the IP address they inquired about and told them the exact location of the server. However the FBI seized 3 entire racks of servers rather than only the server they were after.
There are rumours that this raid was related to an investigation in to LulzSec
A number of services like Pinboard and Instapaper were effected.

Topic: WordPress.org gets hacked, plug-ins compromised

WordPress.org is not sure exactly what happened
Plug-in repository compromised
Malacious code was found in commits to popular plugins like W3 Total Cache, AddThis and WPTouch
WordPress took the prophylactic step of forcing all users to reset their passwords to prevent any further compromised code from being pushed out.

Topic: Adobe patches two 0-day exploits in 9 days

Adobe issued a second ‘out of band’ security update for Flash player in only 9 days due to another exploit
Reportedly, one of the 0-day exploits was being used to steal users’ gmail passwords
The vulnerability was listed as critical, as it might allow an attack to take complete control of a system
Nightmare scenario is a trusted page is compromised and flash malware is inserted
Make sure you update to the latest version of Adobe Flash

Topic: Dropbox goes passwordless, for 4 hours

A flaw at dropbox allowed users to login with any password, and access the account
This means anyone who knew your email address could have accessed your account and files. They could have authorized additional devices so they can continue to access your files even once this flaw was fixed.
Dropbox claims less than 1% of users logged in during that time (seems low)
Official Notice from Dropbox
If dropbox used proper encryption with one key per user, files could not be accessed without the correct password. However this security measure would take away a lot of the ‘easiness’ of dropbox that people are so fond of.

Topic: Bitcoin currency exchange compromised

The major bitcoin currency exchange MtGox had it’s database compromised and was taken offline when a large number of fraudulent trades were made, swinging the market.
The compromised account sold all of it’s coins, forcing the market price down, then bought them all back, and tried to cash out
Accounts that had not been used recently, had not had their passwords upgraded from the original unsalted md5 hash to the standard FreeBSD crypt() md5 salted hash.
MtGox managed to get a hold of someone at google and google forced all users with gmail accounts at MtGox were forced to reset their passwords
Once MtGox is back up, they plan to switch to SHA-512 salted hashes.
MtGox claims that the computer of a 3rd party auditor who had read-only access to the database was compromised, and then insecurely hashed passwords were cracked and those accounts were then used by the attackers.

Q: (Keith) Can you explain salted hashing and two factor authentication in more detail?
A: Some websites, especially older forums and bespoke software, will store your password as a plain md5 or sha1 hash. These can easily be broken by a rainbow table, and can also be brute forced rather quickly using GPUs. To protect passwords against rainbow tables, modern password hashing algorithms use a ‘salt’. A salt is just some random characters added to the password to make it better. In the FreeBSD crypt() MD5, the default is 8 base64 characters. This means that the rainbow table would have to include those extra 8 possible characters to be able to crack the password. Also, the salt is different for each account, so that means a separate rainbow table would be required for each user, and that two users with the same password won’t have the same hash. What many people don’t realize when they try to implement their own password hashing using regular md5, is that the FreeBSD crypt() md5 does 100 rounds of hashing, not just one. This was sufficiently slow when ti was design, but is much less so now. That is why other algorithms, like SHA-512 and Blowfish have become more popular. On top of having larger salts (16 and 22 characters respectively), they use an adjustable number of rounds of the hashing algorithm. This allows the administrator to decide on a performance/security trade off that best fits their needs.
Lecture notes by Allan on how Password Hashing Works

To answer the other part of your question, multi-factor authentication means using more than one way to confirm the user is who they claim to be. Two-factor authentication just means using 2 of the 3 factors to confirm the users identity, rather than just one. The three types are:

Something you know (username/password, secret question, pin #)
Something you have (ID card, security token, RFID, Cell phone)
Something you are (Fingerprint, Retina Scan, Signature, Voice sample)

So, the typical ATM card system, is who factor authentication, something you have (bank card) and something you know (pin number), however, the pin number is not a very strong authenticator. As we’ve seen in recent weeks, even a security token can be compromised, and some forms of attack like the ZeuS trojan, just wait until you authenticate to perform their attack.