Archive for the ‘password hashing’ Category
Reality rained on Amazon’s Cloud recently as aspects of their EC2 hosting service suffered major outages. We look at the many issues facing cloud computing.
Plus we dig into the iPhone location tracking story, and brainstorm a few possible solutions to a potentially necessary evil.
Then we’ll look at How HBGary wrote backdoors for the government, and exactly how the recent RSA security hack actually happened, and why it’s still a major issue!
iTunes & RSS Feeds:
Topic: iPhone GPS History and new IP geolocation techniques
- Why does this data need to be stored for more than an hour?
- Who else can read this data?
- Why does this data follow you between devices?
- Can this data be used against you in court?
Topic: Hashed Passwords and why they are important
A new data retention law in France proposed to force all websites to keep the name, address, telephone number and plain text password for it’s users. This would include e-commerce sites, webmail providers, and online video hosts. This would effectively outlaw the practice of hashing passwords. Using cryptographic hashes is standard practise for a reason, it is secure.
Allan on hashing and passwords:
All modern secure websites use ‘hashing’ to store passwords, an irreversible one-way ‘encryption’ (not actually encryption, but you get the idea). This means that the website does not actually know what your password is, it just uses the same algorithm on the password you attempt to login with, if the hash matches the one in the database, you have entered the correct password. Hashing algorithms are deterministic, meaning the same input always generates the same output. This is both a critical part of the system, as well as a potential vulnerability. If two users have the same password, they will have the same hash. To combat this, and to make techniques such as rainbow tables more difficult, secure hashing algorithms use a salt, some amount of randomness added to the password to make it more unique, and harder to brute force, this bit of randomness is stored as part of the hash, because the plain text of the randomness is needed to compare the attempted password.
- Data retention is evil. The government does not have the right to force other people to collect data on you.
- the onus is on ISPs and in this case Individual websites to pay for warehousing all of this data in case the french government or law enforcement ask for it.
- Secure password hashing is imperative to security. The main reason some of the major security compromises of the past few years, such as gawker, thepiratebay, and more were not far worse, was due to the hashing of the passwords in the stolen databases.
- If, for example, the database for a web forum is hacked, if it does not use any security, then all of the passwords are in plain text and ripe for the picking. If regular hashes are used (MD5, SHA1, SHA256/512) then brute force or a rainbow table can be used to retrieve the plain text passwords, this can require a lot of time and resources depending on the strength of the passwords that were used. If secure salted hashing algorithms are used, (MD5, SHA256/512, Blowfish) then only brute force is an option, and the algorithms beyond MD5 are adjustable, allowing for a trade off between performance and security, as well as allowing the algorithms to scale as computers get faster and brute force becomes less improbable.
- The law is being opposed by Google, Facebook, eBay, Dailymotion and many other major online brands.
Topic: Today Reality rained on Amazon’s Cloud
You need to consider using more than 1 provider if you want to achieve high availability in the cloud. This is where portability is important, being able to easily move in and out of different cloud providers. Many cloud systems attempt to lock you in, using non-standard systems that are highly specialized to their own service.
- Brought down a huge list of sites, including reddit, fourshare, quora, hootsuite, and about.me
- Latency on EBS volumes, which are the data store backing EC2 instances
- Internet connectivity issues on EC2 instances (unreachable at times)
- Effected multiple ‘availability zones’ across the US-EAST-1 region (degraded high availiabilty)
- Increased error rates on API calls
- Extreme delays launching and stopping EC2 instances (billing implications, you are billed for each hour or partial hour that an instance is running)
- Cause: “A networking event early this morning triggered a large amount of re-mirroring of EBS volumes in US-EAST-1. This re-mirroring created a shortage of capacity in one of the US-EAST-1 Availability Zones”
- Issues have been ongoing for more than 12 hours
- Amazon has no direct support for users, outside some extremely large consumers who pay extra for professional services
- Does amazon have an SLA?
- Effecting other services such a Relational Database Service
- Last issue was March 17th when a router suffered a partial failure and nearby routes did not detect the issue and kick in to failover
Amazon servers take down Reddit, Foursquare, and more
Amazon’s Cloud Crashed Overnight, And Brought Several Other Companies Down Too
Amazon Outage Shows Limits of Failover ‘Zones’
HBGary’s engineering team working with defence contractor General Dynamics (5th largest defense contractor in the world, used to make the F-16) was tasked with creating malware and/or root kits that could surreptitiously infect a computer via USB, Firewire, PCMCIA, or Wifi. The end goal being that an operative could infect a computer from near by, or with only brief physical access to the machine. Like is a spy movie, just walk up to the laptop, plug in the usb, wait a few seconds, remove it, walk away, instantly owned. This was ‘Task B’. Later, ‘Task C’ involved exploiting the preview pain in MS Outlook with a specially crafted email.
HBGary claimed to have unreported 0-day exploits for:
- VMWare ESX/ESXi
- Windows 2k3
- Solaris 10
Topic: RSA Servers hacked, SecurID suffers reduced security
RSA confirmed on Friday that the attack that compromised the company’s high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.
- Malware payload sent to groups of employees at RSA
- At least one employee retrieved the email from their spam folder and opened it
- The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)
- Used the Poison Ivy remote administration tool
- Collected the data on an RSA staging server using stolen credentials and privilege escalation
- Attacker then transfered the data (password protected rar files) via FTP to an external compromised dedicated server at a hosting provider. Then the files were removed from the staging server and the compromised external server
It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files (making it sound as if files are encrypted separately to each users key), but in another says that they’re only ‘prohibited’ from doing so. (because dropbox uses a single key that they control for all encryption, making it mostly worthless)