Archive for the ‘Password’ Category
Coming up on this week’s TechSNAP…
Have you ever been curious how hackers pull off massive security breaches? This week we’ve got the details on a breach that exposed the private data of 35 million customers.
Plus MySQL.com spreads custom malware tailored just for your system, and the details are amazing!
On top of all that, we’ll share our insights on setting up the ultimate network file server!
Direct Download Links:
Subscribe via RSS and iTunes:
- Between July 18th and 25th, SK Telecom’s systems were compromised, and the records of all 35 million of their customers were exposed. The records included a wealth of information, including username, password, national ID number, name, address, mobile phone number and email address.
- The attack was classified as an Advanced Persistent Threat. The attackers compromised 60 computers at SK Telecom in total, biding their time until they could compromise the database. Data was exchanged between the compromised computers at SK Telecom and a server at a Taiwanese publishing company that had been compromised by the attackers at an earlier date.
- The attack was very sophisticated, specifically targeted, and also seems to indicate a degree of knowledge about the target. The well organized attackers managed to compromise the software update server of another company (ESTsoft) whose software (ALTools) was used by SK Telecom, then piggybacked a trojan into the secure systems that way. Only computers from SK Telecom received the malicious update.
- The attackers sent the compromised data through a number of waypoints before receiving it, masking the trail and the identities of the attackers. A similar pattern was seen with the RSA APT attack: the attackers uploaded the stolen data to a compromised web server, and once they had removed the data from there, destroyed the server and broke the trail back to themselves.
- Proper code signing (or GPG signing) of the updates could have prevented this
- Original BBC Article about the attack
- The Mac OS X Directory Services command line utility (dscl) allows users to search for data about other users on the machine. This is the intended function.
- The problem is that the search results for the current user also include sensitive information, such as the user’s password hash. You are authorized to view this information, because you are the current user.
- However, any application running as that user could also obtain that information and send it back to an attacker.
- Using the hash, an attacker could perform an offline brute force attack against the password. These attacks have become more common and less time consuming with the advent of better parallel computing, cloud computing and high performance GPGPUs.
- My bitcoin mining rig could easily be converted to a password hash cracking rig, especially now that the current value of bitcoin is sagging. If there were a big enough market for cracking hashed passwords, there are now a huge number of highly specialized machines devoted to bitcoin that could be easily switched over.
- The tool also allows the current user to overwrite their own password hash with a new one, without the need to provide the current plain text password. This means that rather than spend time cracking the password, the attacker could just change the current user’s password, and then take over the account that way.
- These attacks would require some kind of exploit that allowed the attacker to perform the required actions; however, we have seen a number of Flash, Java and general browser exploits that could allow this.
- The current recommended workaround is to chmod the dscl command so that it can only be used by root
- Additional Article
- The MySQL.com front page was compromised and had malicious code injected into it.
- The code (usually an iframe) caused a Java exploit to be executed against the visitor. The exploit required no interaction or confirmation from the user. This type of attack is known as a ‘drive by infection’, because the user does not have to take any action to become infected.
- Two different trojans were detected being sent to users, Troj/WndRed-C and Troj/Agent-TNV
- Because of the nature of the iframe attack and the redirect chain, the attackers could have easily varied the payload, or selected different payloads based on the platform the user was visiting the site from.
- There are reports of Russian hackers offering to sell admin access to mysql.com for $3000
- Detailed Analysis with malicious source code, video of the infection process
- Article about previous compromise
- When the previous compromise was reported, it was also reported that MySQL.com was subject to an XSS (Cross Site Scripting) attack, where content from another site could be injected into the MySQL site, subverting the browser’s usual ‘Same Origin’ policy. This vulnerability, if not repaired, could have been the source of this latest attack.
Continuing our Home Server Segment – This week we are covering file servers.
Some possible solutions:
- Roll Your Own (UNIX)
- Linux or FreeBSD Based
- Install Samba for SMB Server (allow windows and other OS machines to see your shared files)
- Set up FTP (unencrypted unless you use FTPS (FTP over SSL); high speed; doesn’t play well with NAT; not recommended)
- Configure SSH (provides SCP and SFTP) (encrypted, slightly higher cpu usage, recommended for Internet access)
- Install rsync (originally designed to keep mirrors of source code and websites up to date, allows you to transfer only the differences between files, rather than the entire file) (although it is recommended you do rsync over SSH not via the native protocol)
- Configure NFS (default UNIX file sharing system)
- Build your own iSCSI targets (allows you to mount a remote disk as if it were local; popular in virtualization as it removes a layer of abstraction; required for virtual machines that can be transferred from one host to another)
- Roll Your Own (Windows)
- Windows provides built in support for SMB
- Install FileZilla Server for FTP/FTPS (Alternative: Cyberduck)
- There are some NFS alternatives for Windows, but they are not free
- There is an rsync client for Windows, or you could use Cygwin; the same goes for SSH. Similar tools include robocopy and SyncToy
- FreeNAS (FreeBSD based). Provides: SMB, NFS, FTP, SFTP/SCP, iSCSI (and more)
- Supports ZFS
- Chris’ Previous Coverage of FreeNAS:
- FreeNAS, IN DEPTH
- FreeNAS Vs. HP MediaSmart WHS
- FreeNAS vs Drobo
- To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework
- The NSA Wants Its Own Smartphone
- New Mac OS X Trojan Imuler Hides Inside Malicious PDF
- IBM Seeks Patent On Retailer-Rigged Driving Routes
- Anonymous Goes After the Pepper Spray Cop’s Personal Info
How many times have your credentials been leaked online? Think you’re safe? Chris thought he was. In today’s episode he’ll find out how many times his information has been leaked online, and we tell you how to check for yourself.
Plus we’ll cover how to build your own layered spam defense, and why you probably want to leave that USB thumb drive on the ground!
- Groupon’s Indian subsidiary Sosasta.com accidentally published an SQL dump of its users table, including email addresses and passwords. The file was indexed and cached by Google, so even once it was taken down, it was still visible.
- This raises the question as to why the passwords were ever stored in plain text, instead of as salted hashes
- Does the North American version of Groupon also store user passwords in plain text?
- The leaked data was found by a security researcher using the Google search query “filetype:sql” “password” “gmail”
- Once Sosasta was notified of the issue, they started sending out emails to their customers recommending that they change their password. This is definitely the wrong approach: the passwords were leaked in plain text. All accounts should have had their passwords forcibly reset and a password reset email sent to the customer. Otherwise, customers may have their account compromised before they can change their password, and customers who no longer use the service will have their personal information exposed.
- A “highly sophisticated cyber attack” was used to compromise the database of the forums for Bioware’s Neverwinter Nights.
- Stolen data included username, password, email, and birth date
- How many users were affected was not specified
- EA says no credit card information was in the stolen database
- Sega was also compromised: 1.29 million customers had their data exposed via the European unit’s “Sega Pass” website.
- Again, username, password, email and birth date were exposed, but it appears that no financial information was leaked.
TechSNAP reminds you: use a different password for every service. We know it’s hard, but cleaning up behind an identity thief is worse.
- 60% of government or contractor employees who found a USB stick or CD on the ground outside their office plugged the device into their computer.
- 90% of the employees installed the software if it had an official looking logo on it.
- This is reminiscent of the Stuxnet worm, which targeted isolated computers that were not on the Internet. It is believed that they were infected via a hardware device containing the payload.
- 15% of iPhones could be unlocked in fewer than 10 tries using the most common PIN codes
- The most common first digit of a PIN is 1
- The most common second digit is 2
- The values 1980 through 2000 make up a huge portion of the top 100 PIN codes, meaning if you know or can guess a user’s date of birth, you can increase your chance of cracking their code
- Other popular codes include repeating digits or patterns, such as 2222 or 1212, or lines drawn on the input screen, such as 2580, 0852 or 1241
- Another popular value is 5683, which didn’t seem to fit any pattern until you realize that it spells ‘love’ with standard phone letter substitution.
- This means that if you know the user’s birthday and relationship status, you can increase your chance of cracking their PIN code just by applying a little statistical analysis. If you can shoulder surf them, and further reduce the pool of possible codes, you can almost guarantee success.
- Users tend to reuse passwords: if you guess their phone password, there is a good chance that it is also their ATM PIN. Either way, the exact same techniques can be applied to ATM, voicemail and other PIN codes.
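The flip side of these statistics is a PIN policy check. The following is an added example (not from the show or its sources) that flags a four-digit PIN falling into the pattern classes listed above; the keypad layout, the small word list and the 1900–2030 birth-year window are our own assumptions.

```python
"""Flag four-digit PINs that fall into the common-pattern classes described above."""

# Coordinates of a standard phone/ATM keypad (row, column); 0 sits under the 8.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}

# Standard phone letter groups, used for "5683 spells love"-style PINs.
LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl", "6": "mno",
           "7": "pqrs", "8": "tuv", "9": "wxyz"}
DIGIT_FOR = {ch: d for d, chars in LETTERS.items() for ch in chars}

# Constructed word list for the example; a real deployment would use a larger one.
COMMON_WORDS = ("love", "hate", "baby", "cool", "home", "pass")
WORD_PINS = {"".join(DIGIT_FOR[c] for c in w): w for w in COMMON_WORDS}

# Assumed birth-year window; the notes single out 1980-2000 as dominant.
YEAR_RANGE = range(1900, 2031)


def _steps(pin):
    """Row/column offset between each pair of consecutive keys."""
    pts = [KEYPAD[d] for d in pin]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]


def weak_pin_reasons(pin: str) -> list:
    """Return every pattern class the PIN matches; an empty list means none matched."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")              # 2222
    elif pin[:2] * 2 == pin:
        reasons.append("repeating pair")              # 1212
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if diffs in ({1}, {-1}):
        reasons.append("digit sequence")              # 1234, 4321
    steps = _steps(pin)
    if len(set(steps)) == 1 and steps[0] != (0, 0):
        reasons.append("keypad line")                 # 2580, 0852
    if all(max(abs(dr), abs(dc)) == 1 for dr, dc in steps):
        reasons.append("keypad walk")                 # 1241: adjacent keys traced
    if int(pin) in YEAR_RANGE:
        reasons.append("birth year")                  # 1980-2000 and neighbours
    if pin in WORD_PINS:
        reasons.append("keypad word")                 # 5683 -> love
    return reasons


def is_weak_pin(pin: str) -> bool:
    return bool(weak_pin_reasons(pin))


if __name__ == "__main__":
    for p in ("2222", "1212", "2580", "0852", "1241", "1987", "5683", "8306"):
        print(p, weak_pin_reasons(p) or "no known pattern")
```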
Bonus props this week to:
Q: (Bob) How did Chris and Allan meet?
A: Chris and Allan first met in April 2009 when Jupiter Broadcasting moved their IRC chat to GeekShed.net. In January 2010 Allan won a closed beta invite to Star Trek Online during a STOked trivia contest on IRC. During the ramp up to open beta, JupiterColony.com was receiving so much traffic that it was suspended by the web host, and was moved to ScaleEngine.com. Later on, Allan guest hosted a few episodes of the Linux Action Show while Bryan was away, and they went so well that Chris and Allan decided to start their own show.
Q: (Leon) How do you handle spam filtering on your servers?
A: For my web hosting customers, we use 4 main mail servers (running Exim with mail-time SpamAssassin). The four mail servers ensure that incoming mail is always received, even if one or more of our servers is down at any time. These servers automatically run the incoming mail through the SpamAssassin scoring system, and if the spam score exceeds a specific threshold, then the mail is automatically rejected at SMTP time (so no bounce message is generated; an error is returned to the original sending server, which prevents misdirected bounces from spammers using forged from addresses). If the spam score is borderline, we do ‘grey listing’, temporarily rejecting the spam so it will be retried in a little while; this gives the DNS blacklists we use time to catch up, and most spammers never bother with retries. If the spam score is low enough then the mail is accepted. Once mail has arrived at one of our edge servers, it is then queued and sent on to our mailbox server, where it is sorted and delivered to the actual mailboxes of our users. SpamAssassin is run on the mail again, and user-specific settings determine what happens to the mail. Spam can be flagged (subject prefix, messages added as attachments to protect Outlook from preview attacks) or directed to a spam folder.
Netflix shares insight on its cloud infrastructure
Netflix transitions to high availability storage systems
Researchers say Massive Botnet is Indestructible
DropBox CEO: Lone hacker downloaded data from ‘fewer than a hundred’ accounts
Spamming Becoming Financially Infeasible
LinuxCoin – Bitcoin Live Linux CD – LOVES IT!
Article: Buying lunch with bitcoin – Submitted by Angela
Chris’ early bitcoin farm
Chris’ cheap and low power miner hardware.
Article: Bitcoin Comes Out Swinging off the Ropes
We’ve got the details of an FBI raid that knocked several popular sites off-line.
The WordPress plugin repository was compromised, and backdoors were added to a few popular plugins, and we’ll share the details.
Plus Dropbox’s shockingly bad security issue this week, and we’ll cover why you always want a little salt with your passwords!
All that and more, on this week’s TechSNAP!
- At 1am on Tuesday the FBI raided the Virginia, USA data center of Swiss web hosting company DigitalOne.
- DigitalOne’s website was still offline late Wednesday
- DigitalOne does not have any staff on-site, and relies on remote hands from the data center operator, CoreSite. DigitalOne was not aware of what the problem was until hours later, when the data center contacted them and passed along the name of the agent in charge and a phone number for DigitalOne to contact the FBI.
- When requested, DigitalOne had given the FBI information on the IP address they inquired about and told them the exact location of the server. However, the FBI seized 3 entire racks of servers rather than only the server they were after.
- There are rumours that this raid was related to an investigation into LulzSec
- A number of services like Pinboard and Instapaper were affected.
- WordPress.org is not sure exactly what happened
- Plug-in repository compromised
- Malicious code was found in commits to popular plugins like W3 Total Cache, AddThis and WPTouch
- WordPress took the prophylactic step of forcing all users to reset their passwords to prevent any further compromised code from being pushed out.
- Adobe issued a second ‘out of band’ security update for Flash player in only 9 days due to another exploit
- Reportedly, one of the 0-day exploits was being used to steal users’ gmail passwords
- The vulnerability was listed as critical, as it might allow an attacker to take complete control of a system
- The nightmare scenario is that a trusted page is compromised and Flash malware is inserted into it
- Make sure you update to the latest version of Adobe Flash
- A flaw at Dropbox allowed users to log in to an account with any password and access it
- This means anyone who knew your email address could have accessed your account and files. They could have authorized additional devices so that they could continue to access your files even once this flaw was fixed.
- Dropbox claims less than 1% of users logged in during that time (seems low)
- Official Notice from Dropbox
- If Dropbox used proper encryption with one key per user, files could not be accessed without the correct password. However, this security measure would take away a lot of the ‘easiness’ of Dropbox that people are so fond of.
- The major bitcoin currency exchange MtGox had its database compromised and was taken offline when a large number of fraudulent trades were made, swinging the market.
- The compromised account sold all of its coins, forcing the market price down, then bought them all back, and tried to cash out
- Accounts that had not been used recently had not had their passwords upgraded from the original unsalted MD5 hash to the standard FreeBSD crypt() MD5 salted hash.
- MtGox managed to get hold of someone at Google, and Google forced all MtGox users with Gmail accounts to reset their passwords
- Once MtGox is back up, they plan to switch to SHA-512 salted hashes.
- MtGox claims that the computer of a 3rd party auditor who had read-only access to the database was compromised, and then insecurely hashed passwords were cracked and those accounts were then used by the attackers.
Q: (Keith) Can you explain salted hashing and two factor authentication in more detail?
A: Some websites, especially older forums and bespoke software, will store your password as a plain md5 or sha1 hash. These can easily be broken by a rainbow table, and can also be brute forced rather quickly using GPUs. To protect passwords against rainbow tables, modern password hashing algorithms use a ‘salt’. A salt is just some random characters added to the password to make it better. In the FreeBSD crypt() MD5, the default is 8 base64 characters. This means that the rainbow table would have to include those extra 8 possible characters to be able to crack the password. Also, the salt is different for each account, so that means a separate rainbow table would be required for each user, and that two users with the same password won’t have the same hash. What many people don’t realize when they try to implement their own password hashing using regular md5 is that the FreeBSD crypt() md5 does 100 rounds of hashing, not just one. This was sufficiently slow when it was designed, but is much less so now. That is why other algorithms, like SHA-512 and Blowfish, have become more popular. On top of having larger salts (16 and 22 characters respectively), they use an adjustable number of rounds of the hashing algorithm. This allows the administrator to decide on a performance/security trade-off that best fits their needs.
Lecture notes by Allan on how Password Hashing Works
To answer the other part of your question, multi-factor authentication means using more than one way to confirm the user is who they claim to be. Two-factor authentication just means using 2 of the 3 factors to confirm the user’s identity, rather than just one. The three types are:
- Something you know (username/password, secret question, pin #)
- Something you have (ID card, security token, RFID, Cell phone)
- Something you are (Fingerprint, Retina Scan, Signature, Voice sample)
So, the typical ATM card system is two-factor authentication: something you have (bank card) and something you know (PIN). However, the PIN is not a very strong authenticator. As we’ve seen in recent weeks, even a security token can be compromised, and some forms of attack, like the ZeuS trojan, just wait until you authenticate to perform their attack.
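To make the salted-hash answer above and the MtGox hash-upgrade story concrete, here is an added example (not code from the show, FreeBSD or MtGox) that puts a bare MD5 scheme beside a per-user-salted, adjustable-round scheme and upgrades legacy hashes at login. PBKDF2-HMAC-SHA512 from the Python standard library stands in for crypt()-style iterated hashing, and the `$alg$rounds$salt$hash` storage layout is our own assumption, not the crypt() format.

```python
"""Unsalted MD5 vs. salted, iterated hashing, with upgrade-on-login (added example)."""
import hashlib
import hmac
import secrets


def unsalted_md5(password: str) -> str:
    """Legacy scheme: one round of MD5, no salt. Identical passwords collide
    across users, and one precomputed table reverses every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes = None, rounds: int = 100_000) -> str:
    """Per-user random salt plus an adjustable work factor (rounds).
    Storage layout '$pbkdf2-sha512$rounds$salt$hash' is this example's own."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh 16-byte salt per account
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${salt.hex()}${dk.hex()}"


def parse(stored: str):
    _, alg, rounds, salt_hex, dk_hex = stored.split("$")
    return alg, int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    _, rounds, salt, dk = parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, dk)


def needs_rehash(stored: str, min_rounds: int) -> bool:
    """True for legacy bare-MD5 entries or salted entries below the current work factor."""
    if not stored.startswith("$"):
        return True                             # 32 hex chars from the old MD5 scheme
    _, rounds, _, _ = parse(stored)
    return rounds < min_rounds


def login(stored: str, password: str, min_rounds: int = 100_000):
    """Check the password and, on success, upgrade weak or legacy hashes while the
    plaintext is available: the step dormant accounts never reach, as in the notes."""
    if stored.startswith("$"):
        ok = verify(password, stored)
    else:
        ok = hmac.compare_digest(unsalted_md5(password), stored)
    if ok and needs_rehash(stored, min_rounds):
        stored = salted_hash(password, rounds=min_rounds)
    return ok, stored


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password under the old scheme.
    alice, bob = unsalted_md5("hunter2"), unsalted_md5("hunter2")
    print("unsalted hashes collide:", alice == bob)
    ok, upgraded = login(alice, "hunter2")
    print("login ok:", ok, "| upgraded to salted:", upgraded.startswith("$pbkdf2"))
    print("same password, different salted hash:", upgraded != salted_hash("hunter2"))
```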
LulzSec’s Primary tool? Havij v1.14 Advanced SQL Injection
FAKE: LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census
LulzSec Ring Leader Arrested
LulzSec-Exposed (counter hacking group) claims authorities are closing in
LulzSec teams up with Anonymous for Operation AntiSec