Firewall Fun | TechSNAP 421

Wes Payne — Fri, 24 Jan 2020 00:15:00 +0000

Show Notes: techsnap.systems/421

The post Firewall Fun | TechSNAP 421 first appeared on Jupiter Broadcasting.

I Know Your Password | TechSNAP 61

chris — Thu, 07 Jun 2012 17:50:30 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

It’s a simple thing but everyone keeps messing it up, bad password storage practices many popular sites had their password databases leaked online this week, we’ve got the details!

Plus how the Flame malware impersonated Windows Update, and another batch of audience questions!

All that and more, on this week’s TechSNAP.

All that and so much more, in this week’s episode of, TechSNAP.

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer:

$1.99/mo economy hosting for 3 months – special offer!
Code: 199tech
Expires: June 30, 2012

Direct Download:

RSS Feeds:

Support the Show:

Purchase anything at Amazon.com
Purchase anything at Think Geek using this link
Purchase anything at Newegg using this link
Contribute directly on our donation page or check out our advertising options and reach millions of amazing people!
Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

Fill out my Wufoo form!

Flame Took Advantage of Windows Update

Iran has sustained 185 Flame virus infections, followed by 95 in Israel and the Palestinian Territories, 32 in Sudan and 29 in Syria
A Flame module called Gadget possesses man-in-the-middle functionality which enabled it pass crafted update packages to other computers on the same network
One specific package was called WuSetupV.exe and was signed with a certificate issued by the “Microsoft Enforced Licensing Registration Authority CA”, a sub-CA of Microsoft’s root authority
The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language
Most victims were running 32-bit editions of Windows 7, with a sizeable 45 per cent running XP. Flame does not work on the 64-bit edition of Windows 7
The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft
Microsoft still uses MD5 fingerprints on its certificates, according to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates | TechSNAP 37 MD5 was Deprecated for Root and Subordinate CAs in Dec 2010, SHA256 or better is required for all certificates issued after Dec 31, 2013. SHA1 is only allowed until more browsers support SHA256 or better
Microsoft has already confirmed that Flame developers were able to issue valid Microsoft certificates
Flame’s operators used a number of fake identities to register their domains. According to Kaspersky, server locations included Germany, the Netherlands, the UK, Switzerland, Hong Kong and Turkey
Although the Flame toolkit does not appear to have been written by the same programmers who wrote Stuxnet and DuQu, it does share a few interesting things with Stuxnet
Stuxnet is believed to have been written through a partnership between Israel and the United States, and was first launched in June 2009
Researchers say the compilation date of modules in Flame appear to have been manipulated by the attackers, perhaps in an attempt to thwart researchers from determining when they were created

“Whoever created it was careful to mess up the compilation dates in every single module,” Gostev said. “The modules appear to have been compiled in 1994 and 1995, but they’re using code that was only released in 2010.”
+ Iran’s Computer Emergency Response Team announced on Monday that it had developed a detector to uncover what it calls the “Flamer” malware on infected machines and delivered it to select organizations at the beginning of May

Links

LinkedIn leaks 6.4 million password hashes

A list of 6.4 million SHA–1 hashes, proported to be passwords from the popular business social networking site Linkedin.com was posted on a Russian password cracking forum
The list is deduplicated, meaning each hash is listed only once, meaning more than 6.4 million passwords were compromised
The list that I managed to download had a lot of the hashes prefixed with 5 or 6 0s, apparently marking them as already having been brute forced
An analysis of a number of permutations of the word linkedin, shows that almost every obfuscation was present on the list
Research has shown that the name of the site is one of the most common passwords, so this suggests that the list is actually from LinkedIn
A number of users at hackernews found their obscure/random passwords on the list of hashes, further suggesting that the list is legitimate
Using plain SHA–1 hashes to store passwords is extremely insecure, a cryptographic hashing algorithm with a salt should be used
I managed to download a 10GB rainbow table of SHA1 hashes, and check every 1–7 character mixed case alpha numeric password using my nVidia GTX 560 Ti, in only 220 seconds
A rainbow table for longer passwords is impractical due to the amount of storage required
Salted hashes cannot be attacked by rainbow tables because the salt basically extends the length of the password, and because crypt() based hashing algorithms run the hash multiple times
MD5-crypt uses an 8 character salt and loops 100 times, SHA256/SHA512-crypt uses a 16 character salt and by default loops 5000 times (adjustable between 1000 and 100 million), and Bcrypt uses a 22 character salt and 16 loops (adjustable as powers of two between 4 and 31)
Consider the following key spaces, and assume you had access to the cracking power of the ENTIRE bitcoin mining network (10 Terahashes per second) (Disclaimer: these numbers are probably wrong, just an example for reference)
- 8 character password, mixed case alpha numberic: (26+26+10)^8 = 218,340,105,584,896 = 21.8 seconds to try every possible password
- 8 character password, all 7-bit ascii characters: 127^8 = 67,675,234,241,018,881 = 6767 seconds to try every possible password (less than 2 hours)
- 8–12 character password, alphabetical only: 26^8 + 26^9 + 26^10 + 26^11 + 26^12 = 99,246,106,575,066,880 = 9924 seconds (less than 3 hours)
- 8 character mixed case alpha numberic password, with 8 character salt, 100 rounds = 62^16 * 100 = 4,767,240,170,682,353,345,026,333,081,600 = 15,116,819,414 years
Official LinkedIn Response
LinkedIn claims that they now salt passwords, so if you change your password, it will be updated and stored more securely
LinkedIn would be able to update to the stronger hashing algorithm without requiring users to change their password, by computing the new hash the next time each user logs in
LastPass – LinkedIn Password Checker

Cloudflare hacked via its voicemail

Cloudflare is a cloud based WAF (Web Application Firewall) and Global Load Balancer
An Attacker found four separate security vulnerabilities and chained them together in order to take over the account of a single Cloudflare user
The attacker was basically in control of the entire cloudflair infrastructure approximately 30 minutes
The attacker first exploited weak security at AT&T to redirect voicemail from the Cloudflare CEO to a mailbox setup by the attacker
The attacker next took over the CEOs personal Gmail account by tricking Google’s password reset system in to leaving the pin number in the voicemail box by a specially crafted voicemail greeting
A flaw (since fixed) in Google’s Enterprise Apps system, allowed the attacker to by-pass the two-factor authentication system when resetting the password for the CEOs Corporate Gmail, having the password send to the CEOs Personal Gmail compromised earlier.
An internal policy at Cloudflare had all password reset emails BCCed to administrators (ironically, this was done for debugging and to watch for suspicious password reset requests)
Once the attacker had compromised a Google Enterprise Apps admin account, he reset the passwords for the other admins, and initiated a Cloudflare password reset for the targetted customer
A copy of the password reset was sent to the administrator email, which the attacker now controlled, giving them access to the target users Cloudflare account
The attacker redirected all traffic to the target site to twitter
Official Incident Report w/ Updates
Official Followup

MD5-Crypt no longer considered secure

Poul-Henning Kamp (also known as PHK), who wrote the MD5-crypt implementation used in most all devices since 1995, says that it should no longer be considered secure
Commercial off-the-shelf video cards can crack MD5 hashes are rates in excess of 1 million hashes per second
PHK says he will not write a new password hashing algorithm, because he is not a cryptographer
His recommendation is to actually mix a number of algorithms, rather than using just a single algorithm
He also recommends that each site implement their own variation of the algorithm, to ensure against ‘class breaks’
FreeBSD 9 already supports Bcrypt, and SHA256/512 based password hashing
Arch Linux and a few others uses SHA256 by default now

Feedback:

ProjectMorris writes in disapointed with LinkedIn
Matthias writes… SID Cloning is Not a Problem
David writes in with… Another idea on local passwords
Slight correction to Thursday’s great episode over Firefox password saving

Round up:

The post I Know Your Password | TechSNAP 61 first appeared on Jupiter Broadcasting.

Windows Update – Jupiter Broadcasting