Show Notes:

Check out Michael Dominick’s Code Journal App

Moxie Marlinspike release new analysis and tool for cracking MS-CHAP-V2

• MS-CHAP-V2 (Microsoft Challenge Handshake Authentication Protocol version 2) is responsible for authenticating the remote user and defining the encryption for the entire VPN session
• The new tool allows the cracking of those encrypted VPN and WiFi sessions, and can also allow the attacker to gain access to those networks using your credentials disclosed by a decrypted session
• MS-CHAP-V2 was introduced in Windows NT 4.0 SP4, and via updates for Windows 95 and 98
• Due to the way MS-CHAP-V2 works, and the fact that it uses NTHash and DES, it is far less secure than it was designed to be
• For example, the riseup.net VPN service gives users a 21 character password out of a 96 character keyspace, resulting in a possible key size of approximately 138 bit
• However the MD4 hash limits the key space to only 128 bits
• Furthermore, because DES only uses a 7 byte key, the keyspace is only 2^56 + 2^56 + 2^56 = 2^57.59
• However because the MD4 output only provides 16 bytes, when split into 3 blocks of 7, this leaves the last 5 bytes of the 3rd DES key as 0s, reducing the key space to only 2^56 + 2^56 + 2^16, and because each of the three DES blocks are separate, they can be cracked concurrently, basically reducing the key space to a single DES of 56 bits (just comparing against three different cipher texts for each attempt)
• The chapcrack tool will analyze a packet capture of a VPN or WiFi handshake, and generate a token that includes the DES ciphertext and MD4 hash of the user’s password
• This token is then fed into Merlinspike’s cloudcrack.com service and the DES encryption is cracked using the Pico Computing FPGA (each FPGA is 40 cores at 450mhz, and the system runs 48 FPGAs). In a worse case scenario, a DES key would take approximately 23 hours to crack (meaning half of all keys would be cracked in under 12 hours). The EFF’s Deepcrack machine built in 1998, cost $250,000 and took an average of 4.5 days to crack a single DES key
• Marlinspike recommends that all users and providers immediately stop using PPTP and consider all traffic via PPTP unencrypted and unprotected (including the password you use to login to the VPN service)
• Enterprise networks using WPA2 with MS-CHAP-V2 should immediately switch to something else (although IPSEC-PSK should also be avoided due to its vulnerability to dictionary attacks)
• Marlinspike recommends using a VPN based on certificates (such as OpenVPN or IPSEC in Certificate mode)
• GitHub Repository
• ThreatPost coverage
• Previous Analysis:
  • Bruce Schneier: Cryptanalysis of Microsoft’s PPTP Authentication Extensions (MS-CHAPv2)
  • Jochen Eisinger: Exploiting known security holes in Microsoft’s PPTP Authentication Extensions (MS-CHAPv2)

Elections Ontario confused compression with encryption after losing info on 2.4 million voters

• The information included:
• full name
• gender
• birth date
• address
• any elector information updates provided during the last writ period
• The information may also have included whether or not the person voted in the October 2011 General Election
• USB sticks were used to carry data back and forth between the main office and the satellite office
• Staff members using the USB sticks did not understand what encryption was
• Some were apparently under the impression that putting the files in a .zip was the same as encrypting them
• After the data breach, new USB sticks were purchased that had an encryption capability, but it was never configured or used (were the staff under the impression that the encryption just magically worked?)
• Original Data Breach Report

Microsoft Azure cloud suffer European outage

• At 11:00 UTC on 2012–07–26 the Microsoft Azure cloud for the western Europe sub-region experienced an unexplained outage for more than 2.5 hours
• Microsoft updated the Azure dashboard with the news of the outage, and then again 2 hours later saying they were still investigating, then finally at 13:33 UTC they posted that the issue has been resolved
• No explanation for the outage has been given, saying only “We apologize for any inconvenience this outage may have caused our customers. The duration of the service interruption was approximately 2.5 hours and was resolved at 6:33 AM PDT. Customers who have questions regarding this incident are encouraged to contact Customer Service and Support.”
• The previous widespread outage was on February 29th, when the Azure cloud suffered from a Leap Day Bug
• The Azure cloud western Europe sub-region is powered by a data center in Amsterdam, while the Northern Europe sub-region is hosted in Dublin

Feedback:

• Traci asks: How do you pick a dedicated server provider?
  • How diverse is their network/transit?
  • Do they operate their own AS (Autonomous System)? Or are they just a reseller?
  • Location?
  • Do they post pricing for buying additional bandwidth (if they don’t, this is usually a bad sign)
  • Do they only sell ‘unmetered’ packages? (this is also bad, usually means they are overselling)
  • Do they offer an SLA? Hardware SLA covers how quickly they promise to replace failed components such as PSU and HDD. Power and Network SLA cover remedies for outages
  • Do they use quality server hardware, or repurposed desktops? (less expensive hardware can be attractive, but should be avoided for more critical tasks). Allan prefers, and finds that most providers use SuperMicro hardware. Dell/HP/Fujitsu are also popular but more expensive
  • Do they offer Out-of-Band Management (such as IPMI)?
  • Do they offer FreeBSD? (if they have IPMI or KVM w/ Virtual Media, I can install FreeBSD myself)

• What’s involved in administering a dedicated server?

• Q; I would like to know more about TarSnap. I hear it talked about and I hear it is good.

• Time Warner Hijacking my DNS?

• Raspberry PI Router Success

• Bitcoin update

• Do we trust hushmail?

• Enigmail :: Add-ons for Thunderbird

Round-Up:

• Cybersecurity Act fails to pass in the Senate
• Ubisoft assassinates Uplay flaw, denies DRM rootkit
• Dropbox confirms it got hacked, will offer two-factor authentication
  • Security update & new features – The Dropbox Blog
• Startup claims 80% of facebook ad clicks it paid for were from bots
• HP offering $20 per month credit to their Open-Stack based cloud

The post Most VPNs Insecure | TechSNAP 69 first appeared on Jupiter Broadcasting.