LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘hacked’ Category

Stuffed War Stories | TechSNAP 33


Microsoft’s flawed code signing infrastructure puts your machine at risk; find out how.

A batch of great audience submitted questions, and we share a few IT war stories!

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

 


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

   
Subscribe via RSS and iTunes:

   

Show Notes:

AT&T customer data targeted in attack

  • The attackers used automated scripts to attempt to determine if phone numbers were linked to AT&T online accounts
  • Attempts were made against approximately 1 million of AT&T’s 100 million customers
  • The attackers appeared to already have a database of usernames and passwords, and were attempting to use brute force to link those credentials to phone numbers, in order to gain access to the accounts
  • AT&T appears to lack any type of Intrusion Detection System, or automated defences that block an IP address after many failed login attempts. The millions of attempts were likely not launched from a single IP address, but the activity still should have been blocked well before 1 million accounts had attempts made against them
  • AT&T does not believe attackers were able to gain access to any accounts, but they are still investigating

South Korea blocks young games after midnight

  • The so-called Cinderella law blocks users under the age of 16 from accessing online games after midnight
  • The articles are unclear about exactly how this is accomplished, but it appears to be enforced by the online gaming sites themselves, and teens using accounts created with their parents’ identities are not blocked
  • In South Korea, most websites require you to enter your national ID card number. Comments on sites cannot be left anonymously (previously covered on TechSNAP 23 )
  • Is this a sign of the level of censorship we can look forward to in the future?

RSA 512-bit SSL certificates abused in the wild

  • SSL certificates signed by a few authorities (which have since had their trust revoked) have had their private keys factored
  • Once you possess the private key for an SSL certificate, you can use it to impersonate that site, and to exercise any other capabilities that the certificate has
  • It was originally thought that the private keys were merely stolen by malware, but it seems that factoring RSA 512 has become somewhat trivial, taking only a matter of days or weeks with a reasonable cluster of modern machines. With malware authors having access to large botnets, or cloud computing platforms like Amazon EC2, these certificates can no longer be considered safe
  • A number of other vulnerable certificates were identified, many coming from DigiNotar, the certificate authority that was compromised by attackers and has since had its trust revoked and gone out of business.
  • Almost all SSL certificate authorities require at least a 2048-bit RSA key for new certificates
  • A normal HTTPS SSL certificate only has the ability to sign outbound messages, encipher symmetric keys, and to verify its identity as a TLS client or server.
  • The problem with the certificates issued by the Digisign Server ID CA is that they lacked the basic key usage definitions and constraints. This allowed the certificates to be used for any purpose, including signing software. The certificates also lacked a properly defined CRL (Certificate Revocation List), so they could not be revoked.
  • The factored certificates were used to code-sign malware to remove or lessen the warnings Windows gives when the code is executed
  • The compromised certificates have been used as far back as March 2010, and Microsoft did not act until recently, revoking trust in the CA. Microsoft will still accept 512-bit certificates without proper usage definitions or constraints.
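The constraints this item describes can be checked mechanically. The evaluator below is an added example, not code from the show: it takes a certificate’s already-parsed fields (in practice filled in by an X.509 parser; the field names, thresholds and the two sample certificates are assumptions) and contrasts a strict policy, where a missing keyUsage or extendedKeyUsage extension means “not permitted”, with the permissive reading where absence means “any purpose”.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


# Field names are assumptions for this example; a real X.509 parser would
# fill them from the certificate's extensions.
@dataclass(frozen=True)
class CertSummary:
    subject: str
    key_bits: int                              # RSA modulus size in bits
    key_usage: Optional[FrozenSet[str]]        # None = keyUsage extension absent
    ext_key_usage: Optional[FrozenSet[str]]    # None = extendedKeyUsage absent
    crl_distribution_points: Tuple[str, ...]   # () = no CRL, so never revocable


# Constructed samples modelled on the two kinds of certificate the item contrasts:
# a normal HTTPS server cert, and a 512-bit cert with no usage constraints at all.
NORMAL_HTTPS_CERT = CertSummary(
    subject="CN=www.example.com",
    key_bits=2048,
    key_usage=frozenset({"digitalSignature", "keyEncipherment"}),
    ext_key_usage=frozenset({"serverAuth", "clientAuth"}),
    crl_distribution_points=("http://crl.example.com/ca.crl",),
)
UNCONSTRAINED_512_CERT = CertSummary(
    subject="CN=weak.example.net",
    key_bits=512,
    key_usage=None,
    ext_key_usage=None,
    crl_distribution_points=(),
)


def evaluate(cert: CertSummary, purpose: str, strict: bool = True,
             min_bits: int = 2048) -> List[str]:
    """Return the reasons `cert` must NOT be trusted for `purpose`
    (e.g. "codeSigning" or "serverAuth"); an empty list means acceptable.

    strict=True : a missing keyUsage / extendedKeyUsage extension is a failure.
    strict=False: a missing extension is read as "any purpose allowed", the
                  permissive behaviour that let unconstrained certs sign code.
    """
    problems = []
    if cert.key_bits < min_bits:
        problems.append(f"RSA key is {cert.key_bits} bits, below the {min_bits}-bit minimum")
    if cert.key_usage is None:
        if strict:
            problems.append("keyUsage extension absent")
    elif "digitalSignature" not in cert.key_usage:
        problems.append("keyUsage does not permit digitalSignature")
    if cert.ext_key_usage is None:
        if strict:
            problems.append("extendedKeyUsage extension absent")
    elif purpose not in cert.ext_key_usage:
        problems.append(f"extendedKeyUsage does not include {purpose}")
    if not cert.crl_distribution_points:
        problems.append("no CRL distribution point, so the certificate cannot be revoked")
    return problems


if __name__ == "__main__":
    for cert in (NORMAL_HTTPS_CERT, UNCONSTRAINED_512_CERT):
        for strict in (True, False):
            print(cert.subject, "strict" if strict else "permissive",
                  evaluate(cert, "codeSigning", strict=strict))
```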

Feedback:

Q: Do you guys trust Internet aggregator services?
A: It depends on the level of security they employ. Most of these sites are not very forthcoming with details on how they secure your data, or even how they work. A better solution would be something like OAuth, which lets you grant only certain permissions to each specific site and easily revoke a site’s access to your accounts.

Q: SSH on Port 2222?
A: Using a different port does reduce the number of attacks from automated bots, but it will not stop anyone targeting you specifically. The solution is always to use a protection system such as DenyHosts, SSHGuard or Fail2Ban. Also, if it makes sense in your setup, disable password authentication entirely and only use SSH keys. Note: you should still use DenyHosts to prevent an aggressive botnet from bogging down your SSH server so that legitimate users cannot log in. This used to happen to one of my servers that had 250 IP addresses; the bots would attack each IP at the same time, creating 1000 SSH connections at once.
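The per-IP blocking the AT&T item above says was missing and the DenyHosts/Fail2Ban rule recommended here are the same check: count failed logins per source inside a time window. The added example below (not code from the show or its hosts) runs that rule over constructed sshd log lines and also raises a separate alert for the distributed pattern the AT&T item describes, where many sources each stay under the per-IP limit; the thresholds, window and log lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format; the year is assumed to be 2011).
SAMPLE_LOG = """\
Nov 17 21:50:01 edge sshd[4021]: Failed password for root from 203.0.113.5 port 40212 ssh2
Nov 17 21:50:02 edge sshd[4022]: Failed password for invalid user admin from 203.0.113.5 port 40213 ssh2
Nov 17 21:50:03 edge sshd[4023]: Failed password for root from 203.0.113.5 port 40214 ssh2
Nov 17 21:50:04 edge sshd[4024]: Failed password for invalid user oracle from 203.0.113.5 port 40215 ssh2
Nov 17 21:50:05 edge sshd[4025]: Failed password for root from 203.0.113.5 port 40216 ssh2
Nov 17 21:50:06 edge sshd[4026]: Accepted publickey for allan from 198.51.100.7 port 50001 ssh2
Nov 17 21:50:07 edge sshd[4027]: Failed password for invalid user test from 198.51.100.20 port 1111 ssh2
Nov 17 21:50:07 edge sshd[4028]: Failed password for invalid user test from 198.51.100.21 port 1112 ssh2
Nov 17 21:50:08 edge sshd[4029]: Failed password for invalid user test from 198.51.100.22 port 1113 ssh2
Nov 17 21:50:08 edge sshd[4030]: Failed password for invalid user test from 198.51.100.23 port 1114 ssh2
Nov 17 21:50:09 edge sshd[4031]: Failed password for invalid user test from 198.51.100.24 port 1115 ssh2
Nov 17 21:50:09 edge sshd[4032]: Failed password for invalid user test from 198.51.100.25 port 1116 ssh2
Nov 17 21:50:10 edge sshd[4033]: Failed password for invalid user test from 198.51.100.26 port 1117 ssh2
Nov 17 21:50:10 edge sshd[4034]: Failed password for invalid user test from 198.51.100.27 port 1118 ssh2
Nov 17 21:55:00 edge sshd[4035]: Failed password for allan from 198.51.100.7 port 50002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2011):
    """Return [(timestamp, source_ip, username)] for every failed password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect(events, window=timedelta(minutes=10), per_ip_limit=5, global_limit=8):
    """Apply two rules over a sliding time window and return (ips_to_block, distributed).

    ips_to_block: sources with >= per_ip_limit failures inside one window
                  (the rule DenyHosts, SSHGuard and Fail2Ban implement).
    distributed:  True when failures from sources that are NOT yet blocked reach
                  global_limit inside one window, i.e. many hosts each staying
                  under the per-IP limit. Per-IP blocking never fires on this
                  pattern, so it needs its own alert.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps of its recent failures
    recent = deque()              # (timestamp, ip) for all recent failures
    ips_to_block = set()
    distributed = False
    for ts, ip, _user in sorted(events):
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_limit:
            ips_to_block.add(ip)
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        unblocked = sum(1 for _, src in recent if src not in ips_to_block)
        if unblocked >= global_limit:
            distributed = True
    return ips_to_block, distributed


if __name__ == "__main__":
    block, spread = detect(parse_failures(SAMPLE_LOG))
    print("block:", sorted(block), "| distributed attack:", spread)
```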

Q: Why not just one boot loader to rule them all?

Q: How do I get started in Tech Support?

War Story

Administering a Windows Server with your eyes closed

When ScaleEngine first started, we were in a much smaller local data center. One of the disadvantages of this data center was that they did not provide KVM carts; in order to work on a server, you had to remove it from the rack and take it over to a little desk in the corner with a monitor and keyboard, but no network connection. At our new data center, we have KVM carts we can take over to our rack to work on servers without disconnecting them. If we need to disassemble a server, they provide a nice large quiet work area with ample power, ethernet drops and free coffee.

I had just built two new Windows 2008 R2 servers for one of our clients and installed them in the rack. I got them up and running, and they were serving their websites fine. However, I was not able to connect via Remote Desktop. How had I forgotten to enable Remote Desktop…

I really did not feel like waiting for the server to shut down (Windows servers take an extremely long time to shut down, partly because they overwrite the entire swap file for security reasons), then removing the server from the rack again, waiting for it to boot up, changing the settings, shutting down, etc.

So, I grabbed our spare USB keyboard and connected it to the server in the rack, balancing the keyboard on my left hand while typing with only my right, with no monitor. I waited 30 seconds for Windows to detect the keyboard, and then pressed Control+Alt+Delete to open the login prompt. I heard the drive start ticking as it loaded the desktop, so I gave it a few minutes. Once I was logged in, Windows+R opened the run prompt, and I started cmd.exe. Then I issued the following commands, which I had arduously looked up on my old cell phone’s very limited browser.

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
netsh firewall add portopening TCP 3389 RDesktop enable any

I issued each command twice, in case I had made a typo, even though I was typing as carefully and slowly as I could, doing it with one hand on an unsteady keyboard. Then, to test it, I used PocketPuTTY on my cell phone to SSH into one of my servers and used netcat to see if port 3389 was open. It was. So I repeated the same procedure on the second Windows server and again verified it via my cell phone before packing up and leaving the data center.

And that is how I administered a pair of Windows servers with my eyes closed.

Round Up:

STOP SOPA! | TechSNAP 32


The Internet is facing its greatest challenge yet; we explain why the fight against online piracy has taken a turn towards Internet censorship.

PLUS – Steam and NASA were hacked this week, find out how bad the fallout is, and why Private Browsing mode might not be that private!

All that and more, on this week’s episode of TechSNAP!

Thanks to:
GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

  

New special offer: techsnap11 gets you $1.99 per month Economy Hosting for 3 months! Expires Dec 31st 2011.



Show Notes:

Romanian hacker accused of breaking into NASA

  • Authorities of the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) have arrested a 26 year old who is accused of breaking into multiple servers at NASA
  • The authorities claim that the attacker destroyed protected data and restricted access to it, resulting in a loss of over $500,000
  • Charges against Robert Butyka include:
      • obtaining unauthorized access and causing severe disruptions to a computer system
      • modifying, damaging and restricting access to data without authorization
      • possession of hacking programs
  • “Through criminal activity, the accused severely affected the operation of computer servers by introducing, modifying and damaging electronic data and restricting access to it,” DIICOT said in a statement.
  • He is to be tried in Romania, as there has been no extradition request.

Valve: Hackers Accessed Steam Users’ Encrypted Passwords, Credit Cards

  • Attackers managed to gain access to the user database
  • The database contained: username, email address, hashed and salted password, game purchase history, billing address, and encrypted credit card data.
  • Valve had not yet determined if the database had been copied or viewed
  • Valve originally believed that only the user forums had been compromised, but during the investigation it was determined that the compromise extended to all user data
  • Valve reports that they have not noticed an increase in login attempts and have not received any reports of misused credit cards. This suggests that the data was either not taken, or is sufficiently protected to delay its use.
  • If the database was taken, I would expect to see a spear phishing attack, using the name, username and email address of the users to ask them to ‘reset’ their steam password.
  • All forum accounts will require a password reset; however, Valve is not forcing a password reset on all Steam accounts.

Private Browsing may not be as private as advertised

  • Private Browsing mode stops the browser from recording history, and isolates your cookies, not sending cookies from regular browsing mode, and removing the new cookies when you leave private mode.
  • Research has found that many plugins do not respect private mode, especially Adobe Flash, which has its own separate cookie system. This means a site that you visited in private mode could read those cookies even in regular mode, and vice versa. Flash has since been fixed; make sure you upgrade.
  • Chrome and Internet Explorer have taken to automatically disabling plugins in private mode

Feedback:

  • Roger Writes… 3 Questions for you guys…
  • Allan does use Windows, for gaming and for doing the podcast
  • For a list of the advantages of ZFS, you should watch the ZFS episode of TechSNAP. For the other file systems, really you can only compare them against another file system. UFS has advantages over ext2/3, specifically with its ability to store millions of files in a single directory.
  • For checking your email over 3G/4G, you should still use SSL in your phone’s mail client.
  • Arturo writes… Degree or Certs?

Round Up:

SOPA Box:

Written by chris

November 17th, 2011 at 9:50 pm

Ultimate Home Router | TechSNAP 23


Exploits are in the wild that can take down critical infrastructure equipment, and some highly trusted sites were attacked this week and used against their own visitors.

Plus – We’ll tell you how to build the ultimate home router, that can do more than many Enterprise grade systems, with the press of a few buttons – and for FREE!

All that and more, on this week’s TechSNAP!


Show Notes:

Italian hacker publishes 10+ 0-day SCADA exploits with proof of concept code

  • SCADA (Supervisory Control and Data Acquisition) systems are industrial control systems
  • The Stuxnet worm targeted the specific SCADA system used by the Iranian centrifuges
  • These exploits could cause serious disruption if the systems are not properly protected from external access
  • SCADA systems are used to control numerous important industrial systems including water and sewage treatment, dams and power plants, as well as manufacturing automation systems.
  • In January 2000, the remote compromise of a SCADA system was responsible for pumping sewage into a nearby park and contaminating an open surface-water drainage ditch.
  • News Article

Official uTorrent website compromised, users download spyware

  • On or before Tuesday September 13th, the Official uTorrent.com website was compromised, and on the 13th, the attackers replaced the download files with spyware.
  • Users who downloaded uTorrent on the 13th instead received a scareware fake anti-virus package called ‘Security Shield’
  • The scareware told them they were infected with malware and demanded payment to remove it
  • Any users who downloaded uTorrent between 12.20 and 14.10 BST likely received the malware instead of uTorrent.
  • In this case the attack was fairly obvious, but a similar hack against popular software distribution points could have resulted in the stealth infection of thousands of systems via the auto-update feature built in to most modern applications.
  • This is always the nightmare security situation, when legitimate trusted sites are compromised and start to distribute harmful content.

Funny Virus Pic – Google+


BIOS rootkit found in the wild

  • The virus can infect almost any computer with an Award BIOS (very popular, used in almost all motherboards that I own).
  • The virus dumps a copy of the BIOS, and then adds an ISA ROM that will rewrite the MBR (Master Boot Record) on the hard drive at each bootup.
  • The MBR virus then rootkits winlogon.exe to take over control of the system
  • The rootkit then prevents modification of the MBR, making it harder to remove the virus
  • Even if the MBR is repaired, it is reinfected at the next boot by the BIOS portion of the virus
  • The rootkit also downloads a trojan and allows the system to be remotely controlled.
  • This attack is related to the attack we discussed in a previous episode of TechSNAP where a researcher was able to infect the battery in a MacBook with a virus. If the virus was similar to this one, it would add an additional layer of complexity, if the BIOS could be reinfected from the battery.
  • Details from Symantec

TWiT.tv compromised, malicious iframe injected, loads Java malware

  • The popular TWiT.tv page was compromised and a snippet of malicious code was added, an iframe that directed users’ browsers to a page that attempted to use Java and PDF exploits.
  • Google’s safe browsing started blocking the site. Firefox and Google Chrome users will be presented with a warning before visiting the site.

War Story:

  • At approximately 4:00 PM facility local time on Sunday, September 11, 2011, the Seattle 1 data center experienced an unexpected service interruption. It was determined that the cause of the issue was a malfunction in one of the edge routers servicing the facility.
  • The device was rebooted to correct the issue and we proceeded to work with the device manufacturer’s TAC (Technical Assistance Center) to determine the cause of the issue and the proper resolution to avert any future problems.
  • At 6:20 PM facility local time, the same issue occurred again, and the device was again rebooted.
  • To prevent any future unexpected service interruptions, it was decided that the best course of action would be to replace the device with the standby device available at the facility.
  • At approximately 7:00 PM facility local time, we began the process of replacing the faulting device with a new one. The old device was removed and the new device was put in its place.
  • Once powered on, the replacement device alerted us to a number of errors within the switch fabric modules that were preventing inter-line-card communication from working properly.
  • We again contacted the device manufacturer’s TAC, and at approximately 8:30 PM we decided with the TAC that the best option was to replace the switch fabrics in the replacement device with the switch fabrics from the old device.
  • Once this was completed the device was restarted but produced the same errors.
  • The issue was then escalated to tier 2 support at the device manufacturer’s TAC.
  • We concluded that the issue was likely a problem somewhere within the replacement device’s chassis, and proceeded to replace the chassis with the one from the old device.
  • Upon doing so, we began getting a different set of errors, this time with the management module’s communication to the line cards.
  • At approximately 4:30 AM facility local time, the matter was escalated to tier 3 support at the device manufacturer’s TAC. At this time, we also dispatched our head network technician to the facility from Phoenix with a spare device which is stored at our office in the event of issues such as this one.
  • At approximately 6:30 AM facility local time, the TAC tier 3 technician concluded that the likely cause of the issue was an electrical problem either within the switch fabric modules or the replacement device chassis which resulted in improper current being sent to various parts of the device and damaging several of the sensitive electronic components in the line card, forwarding engines and switch fabrics. Because the electrical subsystem within the device had potentially caused damage to all of the switch fabric modules that we had available at the facility, we were advised that we should power down both devices and not use either of them any further until a full diagnostic of the electrical sub-system could be completed by the manufacturer.
  • At approximately 12:00 PM our head network technician arrived at the Seattle airport, and by 1:00 PM was at the facility with the replacement device from our Phoenix office.
  • At approximately 2:00 PM our head network technician completed the installation of the replacement device from our Phoenix office and service was fully restored.
  • Total time offline: 19 hours 8 minutes.

Feedback:

  • A few questions about home servers
    Q: crshbndct I’ve built a spare computer out of some spare parts and I want to use it as a home server. I’d like to use it as a router, a DNS server, a caching server, and maybe also throttle the usage of my servers. What should I use?
    A: Chris and I both love pfSense; it is a FreeBSD based router appliance. You can basically turn any computer with 2 network cards into a router/firewall, with DHCP, DNS/DDNS, VPN (IPSec, PPTP, OpenVPN), VLANs, Captive Portal, Traffic Shaping and Graphing. It has a web interface similar to, but more expansive than, what most people are already used to from a normal off the shelf home router.

Next Week: RAID types, what they are and some use cases for each.

Round-Up:

Bitcoin-Blaster:


Bitcoin Value: 34,196,260 USD

Written by chris

September 15th, 2011 at 9:16 pm

Leaky Authentication | TechSNAP 12


How many times have your credentials been leaked online? Think you’re safe? Chris thought he was. In today’s episode he’ll find out how many times his information has been leaked online, and we tell you how to check for yourself.

Plus we’ll cover how to build your own layered spam defense, and why you probably want to leave that USB thumb drive on the ground!

Sneak peek: Next week we’re going to be talking about the future of Cyber Warfare in our special episode #13. Please send us any stories, suggestions or questions you have so we can include them for next week.



Show Notes:

Thanks to the TechSNAP Redditors!

 


Topic: Groupon India leaks SQL database, plain text passwords

  • Groupon’s Indian subsidiary Sosasta.com accidentally published an SQL dump of its users table, including email addresses and passwords. The file was indexed and cached by Google, so even once it was taken down, it was still visible.
  • This raises the question as to why the passwords were ever stored in plain text, instead of as salted hashes
  • Does the North American version of Groupon also store user passwords in plain text?
  • The leaked data was found by a security researcher using a Google search query for “filetype:sql” “password” and “gmail”
  • Once Sosasta was notified of the issue, they started sending out emails to their customers recommending that they change their password. This is definitely the wrong approach: the passwords were leaked in plain text. All accounts should have had their passwords forcibly reset and a password reset email sent to the customer. Otherwise, customers may have their account compromised before they can change their password, and customers who no longer use the service will have their personal information exposed.

shouldichangemypassword.com – Check your address

Submitted by: refuse2speak


Topic: EA Forums hacked, Sega Database Compromised

  • A “highly sophisticated cyber attack” was used to compromise the database of the forums for Bioware’s Neverwinter Nights.
  • Stolen data included username, password, email, and birth date
  • How many users were affected was not specified
  • EA says no credit card information was in the stolen database
  • Sega was also compromised; 1.29 million customers had their data exposed via the European unit’s “Sega Pass” website.
  • Again, username, password, email and birth date were exposed, but it appears that no financial information was leaked.

TechSNAP reminds you: use a different password for every service. We know it’s hard, but cleaning up behind an identity thief is worse.

Submitted by: Raventiger


Topic: US Government Study shows alarming attack vector

  • 60% of Government or Contractor employees who found a USB stick or CD on the ground outside their office plugged the device in to their computer.
  • 90% of the employees installed the software if it had an official looking logo on it.
  • This is reminiscent of the StuxNet worm, which targeted isolated computers that were not on the Internet. It is believed that they were infected via a hardware device containing the payload.

Topic: Research reveals that pin numbers are predictable

  • 15% of iPhones could be unlocked in fewer than 10 tries using the most common pin codes
  • The most common first character in a pin number is 1
  • The most common second character is 2
  • The values 1980 through 2000 make up a huge portion of the top 100 pin codes, meaning if you know or can guess a user’s date of birth, you can increase your chance of cracking their code
  • Other popular codes include repeating digits or patterns, such as 2222 or 1212, or lines drawn on the input screen, such as 2580, 0852 or 1241
  • Another popular value is 5683, which didn’t seem to fit any pattern until you realize that it spells ‘love’ with standard phone letter substitution.
  • This means that if you know the user’s birthday and relationship status, you can increase your chance of cracking their pin code just by applying a little statistical analysis. If you can shoulder surf them, and further reduce the pool of possible codes, you can almost guarantee success.
  • Users tend to reuse passwords; if you guess their phone pin, there is a good chance that it is also their ATM pin. Either way, the exact same techniques can be applied to ATM, voicemail and other pin codes.

Feedback:

Q: (Bob) How did Chris and Allan meet
A: Chris and Allan first met in April 2009 when Jupiter Broadcasting moved their IRC chat to GeekShed.net. In January 2010 Allan won a closed beta invite to Star Trek Online during a STOked trivia contest on IRC. During the ramp up to open beta, JupiterColony.com was receiving so much traffic that it was suspended by the web host, and was moved to ScaleEngine.com. Later on, Allan guest hosted a few episodes of the Linux Action Show while Bryan was away, and they went so well that Chris and Allan decided to start their own show.

Q: (Leon) How do you handle spam filtering on your servers?
A: For my web hosting customers, we use 4 main mail servers (running Exim with mail-time SpamAssassin). The four mail servers ensure that incoming mail is always received, even if one or more of our servers is down at any time. These servers automatically run the incoming mail through the SpamAssassin scoring system, and if the spam score exceeds a specific threshold, then the mail is automatically rejected at SMTP time (so no bounce message is generated; an error is returned to the original sending server, which prevents misdirected bounces from spammers using forged from addresses). If the spam score is borderline, we do ‘grey listing’, temporarily rejecting the spam so it will be retried in a little while; this gives the DNS blacklists we use time to catch up, and most spammers never bother with retries. If the spam score is low enough, then the mail is accepted. Once mail has arrived at one of our edge servers, it is then queued and sent on to our mailbox server, where it is sorted and delivered to the actual mailboxes of our users. SpamAssassin is run on the mail again, and user-specific settings determine what happens to the mail. Spam can be flagged (subject prefix, messages added as attachments to protect Outlook from preview attacks) or directed to a spam folder.
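The edge-server decision the answer describes (reject at SMTP time, greylist the borderline, accept the rest, and let a retry be re-scored once the blacklists have caught up), as an added example that is not code from the show or its hosts. The score thresholds, greylist delay, expiry and sample addresses are assumptions; real thresholds are tuned per site.

```python
from datetime import datetime, timedelta

# Constructed reference time used by the usage below and by tests.
T0 = datetime(2011, 7, 1, 1, 0, 0)


def at(minutes=0, hours=0):
    """Timestamp `minutes`/`hours` after T0."""
    return T0 + timedelta(minutes=minutes, hours=hours)


class EdgeMailPolicy:
    """SMTP-time decision for one delivery attempt at an edge mail server.

    Thresholds, greylist delay and expiry are assumptions for this example,
    not the values used on the show's servers.
    """

    def __init__(self, reject_score=10.0, greylist_score=5.0,
                 delay=timedelta(minutes=5), expiry=timedelta(hours=24)):
        self.reject_score = reject_score
        self.greylist_score = greylist_score
        self.delay = delay
        self.expiry = expiry
        # (client_ip, mail_from, rcpt_to) -> time of the first attempt we deferred
        self.first_seen = {}

    def decide(self, client_ip, mail_from, rcpt_to, spam_score, now,
               dnsbl_listed=False):
        """Return the SMTP reply for this attempt.

        550: permanent rejection at SMTP time. The sending server gets the
             error and we never generate a bounce, so a forged From address
             cannot make us backscatter onto a third party.
        451: temporary rejection (greylisting). Real MTAs retry after a few
             minutes, most spam engines never do, and a retry is scored again
             with whatever the DNS blacklists have learned in the meantime.
        250: accepted and queued for the mailbox server.
        """
        self._expire(now)
        if dnsbl_listed or spam_score >= self.reject_score:
            return "550 5.7.1 Message rejected as spam"
        if spam_score >= self.greylist_score:
            key = (client_ip, mail_from, rcpt_to)
            first = self.first_seen.setdefault(key, now)
            if now - first < self.delay:
                return "451 4.7.1 Greylisted, please retry later"
        return "250 2.0.0 Accepted, queued for delivery"

    def _expire(self, now):
        """Forget greylist entries older than `expiry` so the table stays bounded."""
        stale = [k for k, t in self.first_seen.items() if now - t > self.expiry]
        for k in stale:
            del self.first_seen[k]


if __name__ == "__main__":
    policy = EdgeMailPolicy()
    args = ("198.51.100.4", "sender@example.org", "user@example.net", 6.0)
    print(policy.decide(*args, at()))            # borderline: greylisted
    print(policy.decide(*args, at(minutes=1)))   # too soon: still greylisted
    print(policy.decide(*args, at(minutes=6)))   # real MTA retry: accepted
```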

Send us your questions and feedback!


Roundup:
Netflix shares insight on its cloud infrastructure
Netflix transitions to high availability storage systems
Researchers say Massive Botnet is Indestructible
DropBox CEO: Lone hacker downloaded data from ‘fewer than a hundred’ accounts
Spamming Becoming Financially Infeasible

Bitcoin BLASTER:
LinuxCoin – Bitcoin Live Linux CD – LOVES IT!
Article: Buying lunch with bitcoin – Submitted by Angela
Chris’ early bitcoin farm
Chris’ cheap and low power miner hardware.
Article: Bitcoin Comes Out Swinging off the Ropes
MtGox Apologizes

 

Written by chris

July 1st, 2011 at 1:18 am

Perfect Passwords | TechSNAP 11


We’ve got the details of an FBI raid that knocked several popular sites off-line.

The WordPress plugin repository was compromised, and backdoors were added to a few popular plugins, and we’ll share the details.

Plus Dropbox’s shockingly bad security issue this week, and we’ll cover why you always want a little salt with your passwords!

All that and more, on this week’s TechSNAP!



Show Notes:

TechSNAP has a new Sub-Reddit, submit links and questions for the show, and vote away!


Topic: FBI raids data center and takes 3 entire racks

  • At 1am on Tuesday the FBI raided the Virginia, USA data center of Swiss web hosting company DigitalOne.
  • DigitalOne’s website was still offline late Wednesday
  • DigitalOne does not have any staff on-site, and relies on remote hands from the data center operator, CoreSite. DigitalOne was not aware of what the problem was until hours later, when the data center contacted them and passed along the name of the agent in charge and a phone number for DigitalOne to contact the FBI.
  • When requested, DigitalOne had given the FBI information on the IP address they inquired about and told them the exact location of the server. However, the FBI seized 3 entire racks of servers rather than only the server they were after.
  • There are rumours that this raid was related to an investigation in to LulzSec
  • A number of services like Pinboard and Instapaper were affected.

Topic: WordPress.org gets hacked, plug-ins compromised

  • WordPress.org is not sure exactly what happened
  • Plug-in repository compromised
  • Malicious code was found in commits to popular plugins like W3 Total Cache, AddThis and WPTouch
  • WordPress took the prophylactic step of forcing all users to reset their passwords to prevent any further compromised code from being pushed out.

Topic: Adobe patches two 0-day exploits in 9 days

  • Adobe issued a second ‘out of band’ security update for Flash player in only 9 days due to another exploit
  • Reportedly, one of the 0-day exploits was being used to steal users’ gmail passwords
  • The vulnerability was listed as critical, as it might allow an attacker to take complete control of a system
  • Nightmare scenario is a trusted page is compromised and flash malware is inserted
  • Make sure you update to the latest version of Adobe Flash

Topic: Dropbox goes passwordless, for 4 hours

  • A flaw at Dropbox allowed users to log in with any password and access the account
  • This means anyone who knew your email address could have accessed your account and files. They could have authorized additional devices so they can continue to access your files even once this flaw was fixed.
  • Dropbox claims less than 1% of users logged in during that time (seems low)
  • Official Notice from Dropbox
  • If Dropbox used proper encryption with one key per user, files could not be accessed without the correct password. However, this security measure would take away a lot of the ‘easiness’ of Dropbox that people are so fond of.

Topic: Bitcoin currency exchange compromised

  • The major bitcoin currency exchange MtGox had its database compromised and was taken offline when a large number of fraudulent trades were made, swinging the market.
  • The compromised account sold all of its coins, forcing the market price down, then bought them all back, and tried to cash out
  • Accounts that had not been used recently, had not had their passwords upgraded from the original unsalted md5 hash to the standard FreeBSD crypt() md5 salted hash.
  • MtGox managed to get hold of someone at Google, and all users with Gmail accounts at MtGox were forced to reset their passwords
  • Once MtGox is back up, they plan to switch to SHA-512 salted hashes.
  • MtGox claims that the computer of a 3rd party auditor who had read-only access to the database was compromised, and then insecurely hashed passwords were cracked and those accounts were then used by the attackers.

Q: (Keith) Can you explain salted hashing and two factor authentication in more detail?
A: Some websites, especially older forums and bespoke software, will store your password as a plain md5 or sha1 hash. These can easily be broken by a rainbow table, and can also be brute forced rather quickly using GPUs. To protect passwords against rainbow tables, modern password hashing algorithms use a ‘salt’. A salt is just some random characters added to the password before it is hashed. In the FreeBSD crypt() MD5, the default is 8 base64 characters. This means that the rainbow table would have to include those extra 8 possible characters to be able to crack the password. Also, the salt is different for each account, so a separate rainbow table would be required for each user, and two users with the same password won’t have the same hash. What many people don’t realize when they try to implement their own password hashing using regular md5 is that the FreeBSD crypt() md5 does 100 rounds of hashing, not just one. This was sufficiently slow when it was designed, but is much less so now. That is why other algorithms, like SHA-512 and Blowfish, have become more popular. On top of having larger salts (16 and 22 characters respectively), they use an adjustable number of rounds of the hashing algorithm. This allows the administrator to decide on a performance/security trade-off that best fits their needs.
Lecture notes by Allan on how Password Hashing Works
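The answer’s points in working form, as an added example that is not from the show or from Allan’s lecture notes: identical unsalted hashes for identical passwords, a per-account salt drawn from the crypt-style base64 alphabet, an adjustable round count, and (from the MtGox item above) spotting accounts still stored under an older, weaker scheme. PBKDF2-HMAC-SHA512 from the Python standard library stands in for the crypt() variants; the stored-string format is an assumption.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salt alphabet used by crypt(3)-style hashes (the "base64 characters" in the answer).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def unsalted_md5(password: str) -> str:
    """What older forums store: the same password always gives the same hash,
    so one precomputed (rainbow) table cracks every account that uses it."""
    return hashlib.md5(password.encode()).hexdigest()


def make_salt(length: int = 16) -> str:
    """Random per-account salt; 8 chars is the FreeBSD crypt() MD5 default
    mentioned in the answer, 16 the SHA-512 default."""
    return "".join(SALT_ALPHABET[b % 64] for b in os.urandom(length))


def hash_password(password: str, salt: Optional[str] = None,
                  rounds: int = 100_000) -> str:
    """Salted, iterated hash stored as '$pbkdf2-sha512$rounds=N$salt$digest'.

    PBKDF2-HMAC-SHA512 is swapped in for crypt() here (assumption); like the
    SHA-512 and Blowfish crypt variants, the round count is the cost knob an
    administrator raises as hardware gets faster.
    """
    if salt is None:
        salt = make_salt()
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2-sha512$rounds={rounds}${salt}${base64.b64encode(digest).decode()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and round count recorded in the stored string."""
    _, scheme, rounds_field, salt, digest_b64 = stored.split("$")
    if scheme != "pbkdf2-sha512":
        raise ValueError("unknown hash scheme")
    rounds = int(rounds_field.split("=", 1)[1])
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(base64.b64encode(digest).decode(), digest_b64)


def needs_upgrade(stored: str, min_rounds: int) -> bool:
    """Flag accounts still on an older scheme or too few rounds (the MtGox
    failure mode) so they can be rehashed at the next successful login."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha512":
        return True    # e.g. a bare unsalted md5 hex string
    return int(parts[2].split("=", 1)[1]) < min_rounds


if __name__ == "__main__":
    # Two users with the same password: identical unsalted, different salted.
    print(unsalted_md5("password"), unsalted_md5("password"))
    a, b = hash_password("password", rounds=1000), hash_password("password", rounds=1000)
    print(a, b, verify_password("password", a), verify_password("password", b), sep="\n")
```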

To answer the other part of your question, multi-factor authentication means using more than one way to confirm the user is who they claim to be. Two-factor authentication just means using 2 of the 3 factors to confirm the user’s identity, rather than just one. The three types are:

  • Something you know (username/password, secret question, pin #)
  • Something you have (ID card, security token, RFID, Cell phone)
  • Something you are (Fingerprint, Retina Scan, Signature, Voice sample)

So, the typical ATM card system is two-factor authentication: something you have (bank card) and something you know (PIN); however, the PIN is not a very strong authenticator. As we’ve seen in recent weeks, even a security token can be compromised, and some forms of attack, like the ZeuS trojan, just wait until you authenticate to perform their attack.


Bitcoin Blaster:

AMD Announces new Fusion System Architecture – How will this affect bitcoin mining?
Symantec finds virus that steals your bitcoins

Lulz Roundup:

LulzSec’s Primary tool? Havij v1.14 Advanced SQL Injection
FAKE: LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census
LulzSec Ring Leader Arrested
LulzSec-Exposed (counter hacking group) claims authorities are closing in
LulzSec teams up with Anonymous for Operation AntiSec

Lightning Round:

Mozilla End-of-Life’s Firefox 4 – No more security updates
Google builds plugin to detect unsafe DOM operations like XSS


Download & Comment: