RSA’s Distributed Credential Protection: Yeah They Are Overselling it a Bit.

RSA recently announced their new Distributed Credential Protection (DCP) product which they proudly tout as a “revolutionary” way to secure user credentials. But looking closer (especially at that $160,000 per license price tag), I’m not so sure this product will do much to protect anyone’s credentials.

But let me say this first, the technology itself is absolutely brilliant. Without getting into the details of threshold cryptography (there’s an excellent article by Peter S. Gemmell on page 7 of this PDF), what it does is allow you to split up a secret into any number of parts but you only need a specified number of parts to reproduce the data.

“…let me say this first, the technology itself is absolutely brilliant”

It’s kind of like how you see nuclear missile launches in movies: two people have to insert and turn their keys at the same time to initiate the launch. But threshold cryptography is even more advanced, it would be like handing out 5 keys but you only need any 2 of them to fire the missile. What makes the technology so cool is that it gives you redundancy, integrity, and secrecy but no single piece is useful for obtaining the secret. This technology has many uses in cryptography (it would be perfect for Bitcoin) but I think that RSA’s claim that it will revolutionize password protection is greatly overstated.

The problem is that yes, you are splitting up credentials into multiple parts but all of those parts are components of the same system. It would be like handing both missile launch keys to the same person. Yes, someone would have to steal both keys, but if they can steal one from you couldn’t they just steal the other?

Now one of the claims RSA makes is that if you suspect that an attacker has compromised one of the databases, you can immediately randomize and rescramble the pieces so when they grab the second database the data is useless. So yeah if you happen to catch an attack right after an attacker grabs the first bundle of data but before they grab the second bundle, and you are able to immediately identify all points of intrusion and lock out the attacker so they can’t go back in and re-grab the first bundle, then yes this will work. What are the chances of that happening? Slim to none.

Splitting the databases into two locations is not particularly helpful because both must be accessible to the web server, which is usually the point of entry in these types of attacks, and therefore if an attacker can access one database they can likely access them both. Again, it’s like handing both keys to the same person.

The thing is that RSA’s DCP product is addressing the wrong problem with the wrong solution. The reason most companies get their data leaked is because they have poorly secured their public-facing servers and applications and that they don’t follow best practices for storing user credentials. Both of these problems already have solutions and any organization would be better off spending their money on some code audits and pen-testing.

The fact is that if you have problems with hackers getting into your databases, I think you will still have problems even after shelling out $160,000 for DCP. If you don’t have that problem because you have proper security controls and practices already in place, chances are you don’t even need DCP.

To be fair I have to mention that I have not seen or reviewed this implementation in depth so I could in fact be completely wrong with my criticisms. Perhaps this system could be deployed in such a way that it is much more resilient than I am supposing. And certainly RSA acknowledges that this product is just one layer in a multi-layered defense-in-depth strategy. But I still come back to the fact that you are giving both keys to the same person.

What I would like to see is this technology implemented in a much smarter manner. For example, distributing credentials across multiple distinct trust authorities. For example, it would be a great way to overcome many of the weaknesses and distribution issues we see with SSL certificates. Having multiple holders of a secret not only better protects the secrets but upholds integrity in the case a small number of authorities are compromised. This technology could be helpful for preventing insider attacks and would be useful if you have your servers at third-party data centers that you may not completely trust. There are also some legal advantages with having databases distributed across multiple jurisdictions. And hey, if this technology prevented just one attack, in the absence of other attacks it would probably be worth the expense.

There are many other areas that could greatly benefit from threshold cryptography, but splitting credential storage within an organization is probably not one of them. The concept of a black box authentication appliance (although this is vm-based) is a great direction to be going, considering how many organizations simply don’t implement credential storage correctly, but they seem to be overselling (and overpricing) what this product really can accomplish.

 

 

6 New Password Rules

Considering the increasing attention passwords have been getting lately, I thought it was about time we sit down and establish some new rules to define exactly what is a password. After all, so much of our personal lives, finances, and identities rely on these obscure jumbling of letters, numbers, and punctuation.

1. Password, 1234, letmein, and anything else that you see on this common passwords cloud are not passwords.

Recently I took my son over to a friend’s house and when we got there we found he lived in a gated community that required a PIN to enter. My son was about to call his friend when I told him, “I got this.” I reached over and entered 1234 and the gate promptly swung open. Yeah my son was very impressed at my hacker skills, but the fact is that 1234, 12345, or even 12345678 are not strong enough to be considered passwords.

 

2. If you google your password and get more than 10,000 results, it is not a password.

It’s really simple, if your password shows up that many times in Google, your password is not a password it is a dictionary or common wordlist word.

3. If your password is 8 characters or less, it is not a password.

An 8-character password just isn’t strong enough these days to be considered a password. Most 8-character passwords consist of a dictionary word or name with a couple numbers added to the end. These are incredibly easy to crack and will not stand up to a brute force attack no matter what type of encryption used. If your password is 8 characters long, you might have a PIN, but it certainly is not a password, which is probably why banks seem to love limiting password length to 8 characters. I recently explained just how much of a difference there is between an 8-character password and a 10-character password, but maybe this would illustrate it better:

8 Character Password

This is the equivalent of an 8-character password

6 Character Password

This is the equivalent of a 6-character password

 

 

 

 

 

 

 

 

 

 

4. If you use it on multiple sites, it is no longer a password.

Considering the huge number of passwords hacked and dumped on the internet every single day, I would hope that most of us have learned that you simply cannot reuse the same passwords on multiple sites. You are better off never even considering using the same passwords everywhere because it is easy to fall into that habit.

Just to illustrate why this is such a big deal, there are people such as me who collect passwords. Here is a list of all the passwords I have for the username bonehead. Now if I know that there is a user named bonehead on a web site, I can try all of these passwords and chances are surprisingly good that one of these passwords is correct. Why is this such an effective technique? Because everyone reuses their passwords on multiple sites.

5. If a password is older than 3 years, it has expired and is no longer a password

I know some of you get really attached to your passwords, but it is time to start using a password manager and changing those very old Hotmail and PayPal passwords.  You wouldn’t eat 3-year old food, so don’t use a 3-year-old password.

6. If you tell someone your password, it is no longer a password

Certainly sometimes it is necessary to share an account, but there is no excuse for telling someone your personal passwords, and this includes writing them down and sticking them on your monitor. If you have trouble doing this, one trick is to set your password as some phrase that reveals some highly personal or embarrassing fact you would never tell anyone–problem solved!

So come on people, we really can make passwords that really are passwords. Passwords don’t need to be totally random and they don’t always have to have numbers, capitals, and punctuation, but they do need to be long, unique, and secret!

 

 

 

 

Despite the Hyperbole, Flame is Kind of Lame

We have all been hearing quite a bit of hyperbole concerning the sophistication of the Flame malware.  It’s hard to find any headline about the malware that doesn’t involve the adjectives massive, sophisticated, elaborate, impressive, or scarey. But is Flame as revolutionary as everyone claims? To me it looks amateurish.

Part of the curiosity that surrounds Flame is that it doesn’t fit the profile that antivirus companies are used to analyzing–which is part of the reason it has gone undetected for so long. Instead of a tiny piece of code that stealthily accomplishes a single task, Flame is a bloated and unencrypted general purpose spying toolkit. Yes the authors apparently had access to some an exclusive and possibly large knowledge base, but overall there’s really nothing new about turning on a microphone, exploiting old vulnerabilities, and subverting Windows features such as Autorun.

It’s just not that impressive as far as features go. In fact, 10 years ago it really wouldn’t have been that impressive.

What sticks out to me is that despite its breadth and apparent sophistication, one thing it doesn’t look like is something written by an experienced hacker. This thing makes hardly any attempt to conceal itself or prevent reverse engineering of it’s code. This means that once discovered the whole thing is completely useless. Even worse, it also means that any hacker or enemy can likely reverse engineer it enough to use it right back at the authors.

And then there’s stuff like a hard-coded password, an easily-discoverable network of command & control servers, and the use of CRC’s to ensure data integrity. Then there’s the query string it sends back to the command & control servers:

UNIQUE_NUMBER=xxxxxxxxxx&PASSWORD=LifeStyle2&ACTION=x&FILE_NAME=x&FILE_SIZE=xxxxx&CRC=xxxxxxxxx

Seriously, does that look like something a hacker would write? No, that is something written by a 40-something US programmer who lives in the suburbs (who also happens to use some variant of the password LifeStyle2 on every account he owns).

One thing is clear, Flame wasn’t built for destruction or financial theft. This is a spying toolkit plain and simple. The list of targets and the fact that it seems to be interested in AutoCad documents quickly points back to one likely suspect country.

One thing is also clear, this wasn’t written by a hacker. I would guess that some well-funded US agency paid some private consulting firm (which employs a bunch of 40-something suburbanites) millions of dollars to write up the ultimate hacker’s toolkit and Flame is what they got instead.

Nonetheless, the fact that it probably wasn’t written by an experienced hacker is what allowed it to go so long being undetected. Ironically it’s lack of evasion techniques let it evade detection.

 

93% of the Top 10,000 in the LinkedIn List

I would like to welcome LinkedIn to the not-so-exclusive club of major web sites that have experienced major password leaks. Like any other major leak it is hard to visit any forum or tech blog without seeing some mention of it. And like any other leak my inbox is starting to fill up with press requests for comments.

But what is interesting here is that there’s nothing interesting here. It’s the same thing we have seen so many times in the past and surely will continue to see.

One thing that highlights this, brought up to me by blogger Johnvey Hwang, is that 93% of the passwords in my Top 10,000 passwords list appear in the LinkedIn hashes dump. Here it is in his words:

I was curious as to what percentage of the most common passwords were present in this dump, as a proxy for gauging the password choices for a supposedly more professional population. A quick search led me to security guy Mark Burnett, who maintains a list of the top 10,000 most used passwords across the internet. He admits to some skew caused by a significant amount of sourcing from adult websites, but I don’t think it really matters.

The fact that such a large number of the LinkedIn passwords appear on the top 10,000 list certainly does help validate my data but more importantly it shows that despite all we have learned, very little has ever changed.

Here are some other interesting facts Johnvey discovered about the list:

  • 7,142 of the most common passwords were present
  • 546 of the most common passwords were not present
  • 2,312 of the most common passwords were too short for LinkedIn’s 6 character minimum

I think that 93% is an amazing number, yet again, the biggest story here is that nothing really has changed.

 

Sidenote:

I personally have three LinkedIn accounts that I maintain. None of those three passwords appear on the list. Apparently the list is not complete, but the question now is what criteria put those particular passwords on the list.

This is Why You Test Your Regular Expressions

Regular expresssions are an extremely powerful strategy for filtering and sanitizing, but they can also be very complex. And although any programmer knows that when you have complexity you must test your code, I am surprised how often programmers fail to test their regular expressions. Every regular expression should be fully tested for both positive and negative matches. Even regex experts can easily make crucial mistakes.

Here is a good case in point: once I was reviewing the code for an application and noticed that the programmer had hard-coded an IP address restriction to only allow admin access from localhost. The regular expression he wrote to match the IP address was this:

/127.*/

Now while on the surface it was good forethought to even consider restricting access to localhost, the fatal flaw here is the .* part because with a regular expression, the period matches anything and the asterisk matches zero or more appearances of that character. So in other words, .* will also match nothing.

That, combined with the fact that there are no anchors in the regex, means that an IP address ending with .127 will also match. At the time I ran across this code, I managed a class C network and therefore changed my IP address to x.x.x.127 and was able to successfully connect to the remote admin page.

In this case, the proper regular expression should have been something like this:

^127\.

Or, if you wanted to be extremely specific you could use this:

/^127.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b$/m

My Password is 4.hub.route.edu.

Password security has always been a hot issue but events in the last few years have made it an even more pressing issue to a greater number of people. When I hear receptionists in a doctor’s office sharing strategies for creating secure passwords I know this is now beyond the realm of network administrators and security professionals.

But one thing I have noticed is that many people don’t truly understand why one password can be so much stronger than another so I thought I would walk through the process of cracking a password. In this case, I decided to use as an example the very password that (until I wrote this) I use for the admin account on this blog.

So like I said in the title, my password is 4.hub.route.edu.

That isn’t the best password I have come up with but it is still fairly strong. It is 15 characters long, contains a number, letters, and some periods. It took me just a couple logins to actually memorize that password. The word components are fast to type because we are trained to type in whole words. And there are four parts, each one ending with a period. The repetition of the period helps the memory process.

Chances are that no one would be able to go to my admin page (which itself is protected by a different password) and just guess that, no matter how much they knew about me and no matter how many of my other passwords they knew because I have never used that password anywhere else. As of writing this article, I can do a Google search for “4.hub.route.edu” and there will be no results.

But the real risk isn’t someone being able to keep trying to guess my password via the admin page, the real risk is someone finding a new 0-day exploit that allows them to dump the users table in my database and get the hash of my password (which happens to be $P$9YCJ/QwbFcgbo7OtfWGYYE8sVJBxtF/). If someone can get your hash, they can now try millions of password combinations without you ever knowing it.

Cracking a password hash is a lot like trying keys in a lock. A hash is a string of characters derived from your password that is calculated in such a way that it is nearly impossible to work backwards to discover the original password so it is relatively safe to store. When you log in to a system, it will run the password you enter through this same complex formula and the result should be the same.

So when I first created my password on this blog I entered 4.hub.route.edu. WordPress ran it through these formulas and came up with the hash $P$9YCJ/QwbFcgbo7OtfWGYYE8sVJBxtF/ which it saved it in the database. The next time I log in, I enter my 4.hub.route.edu password, WordPress runs the same formula on that password and it comes up with $P$9YCJ/QwbFcgbo7OtfWGYYE8sVJBxtF/ which matches the hash it has stored so it knows that I am using the correct password even though WordPress never stored my actual password. Now what is special about these formulas is that it is extremely rare that any two passwords will create the exact same hash (a concept known as collision).

So if someone is able to obtain my hash, they can’t directly get my password from that, but they can try millions or even billions of different passwords and run each one through the formula until they find one that produces that exact same hash. It is a lot like having a lock, you can’t easily create a key from it but you can try a bunch of keys until you find the one that works.

Now when it comes to passwords there are actually hundreds of trillions of possible passwords someone might choose. Even with a cluster of powerful computers it could take decades to try every possible password. Fortunately for hackers, most people aren’t that clever with their passwords. There are a number of strategies they use that can drastically reduce the number of passwords you need to test to crack a password. Below is that strategy

1. Hash Lookup

First, an attacker will check to see if someone else has cracked the password before, using either a local database or an online database such as onlinehashcrack.com or hash-database.net or one of the hundreds of other similar sites. In the past few years there have been many large sites that have been hacked and their passwords leaked. If you password was ever one of these, chances are it will appear in one of these databases. Likewise, if you select a common password that others may also be using, it also might be on this list.

In the case of WordPress, the hashes are created using PHPASS but for the sake of this example, let’s just assume they use MD5 hashes like many other systems use. The MD5 hash for my password 4.hub.route.edu is 7914881ba9b78fa307db6ef0db675e29. You can search any online databases for my hash and you will not find it listed anywhere (at least at the time of writing). If your password is one that you have never used before and others likely have not used, you should be safe (try googling one of your passwords, you may be surprised how many results you get).

If your password hash does not appear in one of these databases, there are also rainbow tables which are massive databases of precomputed hashes consisting of every possible password up to 8-10 characters in length, depending on the algorithm. If your password is less than eight characters long, your password surely will be cracked at this stage. However, you will not find 7914881ba9b78fa307db6ef0db675e29 in any of those databases so I am safe so far.

The lesson here is to never use a password less than ten characters long. Never use the same password on multiple systems. Don’t try to be clever with your password, that never works (NCC-1701 is a very common password).

2. The Word List

Since most passwords consist of dictionary words or something similar, checking every word in a dictionary or a specialized wordlist http://svn.isdpodcast.com/wordlists/ is a quick way to find a weak password. Most hackers will use lists of the most common passwords such as this because chances are very high that someone will be using one of those passwords. It normally doesn’t take more than a minute to go through even a gigantic list of words.

In my case, even a Google search for my password turns up nothing so even if you had the massive list of words that Google has indexed you still wouldn’t be able to crack my password.

Considering this, you can see why so many systems simply probihit any password that is a dictionary word.

3. Rules and Patterns

If a dictionary or wordlist check fails, the next step is to try some of the common (albeit innefective) tricks people use to make a password more complex. If you asked me what I thought was the most common password pattern I would say a proper noun (such as a name) followed by 2-3 numbers. So it would be smart for a hacker to take each word in a wordlist and add ever possible number from 1 through 999. If that doesn’t work, you could try reversing each word or doing simple substitutions like using the number 3 instead of the letter e. It really does not take much effort for a cracking program to try hundreds of different patterns.

For example, a dictionary word may be “password” so a rules-based attack my try PASSWORD, dRowssap, P@SSW0RD, p@ssW0rd, dr0Wss@p, passwordpassword, @ssW0rdp, dp@ssW0r, p@9sW0rd, 1p@ssW0rd, p@$$W0rd, ppp@ssW0rd, 1p@ssW0rd, and thousands of other variants of the word. Depending on the number of rules and the size of the wordlist, this step may take only five to ten minutes and will crack a great number of passwords.

If an attacker has sufficient processing power, another effective strategy is to try two dictionary words together with various delimiters between them (such as dashes or periods). If you had a wordlist of 100,000 words and tried every combination of two words that means you would have ten billion possible combinations. Trying different delimiters between the words would make it a little bit harder but not much.

You probably wouldn’t want to try three-word combinations because that would take you up to a quadillion (1,000,000,000,000,000) possible combinations which would not be an effective strategy. In the case of my password there is a number and three other words that would likely appear in a dictionary but testing for four-word combinations would mean there are 100 quintillion (100,000,000,000,000,000,000) possible passwords, so the odds are my password would still be pretty safe.

The lesson here is that a strong password is not a matter of being clever, it is a matter of beating the numbers. Passwords should always contain three or more words or other sequences.

4. Brute Force

If a password hash doesn’t show up in a database or hasn’t been cracked before, does not show up in a list of common passwords or dictionary words (even after trying hundreds of common variants), the only method left is to simply brute-force the password. This means trying every possible combination of letters until you find the password. It would be like trying to crack a simple bicycle lock, you would start with 000 and try 001, 002, 003, and so on until you got to 999.

In the case of passwords you would need to try every combination of lowercase letters, uppercase letters, numbers, and punctuation symbols. In other words, imagine a bicycle lock where each dial contains abcdefghijklmnopqrstuvwxyz ABCEDFGHIJKLMNOPQRSTUVWXYZ0123456789`~!@#$%^&*()_-+={[}]|:;"'.?/ and there are eight or more dials. This is why so many systems require that you use a variety of characters because using different types of characters is like making each dial larger. And making your password longer is like adding more dials.

 

 

Now brute-force attacks are much smarter nowadays using techniques such as mask-based attacks. These types of attacks basically use knowledge about passwords to make the brute-force process much smarter. For example, if you look at this chart http://xato.net/img/UpperCaseLettersLarge.jpg you will see that uppercase letters are very likely to show up in position 1 but are extremely rare after position 8. Knowing this, it would be more effective to not even bother looking for uppercase letters after the first few characters. Now if you look at the distribution of all character sets in this graph http://xato.net/img/CharacterDistributionByPositionLarge.jpg you can see that much can be done to optimize the brute-force process. Nevertheless, these rules become less and less effective the longer and more complex your password gets.

The big secret here is if you can force a hacker to have to use a brute-force attack and you have a password that is at least 15 characters long, chances are that you have won. Eventually computing power will catch up so that even 15 characters might be enough but the good thing is that these numbers grow exponentially so a 16-character password is almost 100 times stronger than a 15-character password and a 17-character is more than 9,000 times stronger!

So What Makes a Password Strong?

Your password must be something very unique and one that you have never used before. In fact it should be so unique that if you did a Google search for it, there would never be any results. You can’t just take a word and dress it up a bit, you need 3-4 words or other sequences to make a password strong. And finally it has to be long. It helps to throw in some numbers and pumctuation but most importantly it has to be long.

Review of Kevin Mitnick’s Ghost in the Wires

Continue reading “Review of Kevin Mitnick’s Ghost in the Wires” »

Playboy Tells Kevin Mitnick’s Story

Coming next month in Playboy Magazine: Chasing Mitnick. According to the magazine, “For two years hacker
par excellence Kevin Mitnick eluded the FBI. Now that he has served his sentence, Playboy lands the exclusive story of the man The New York Times called cyberspace’s most wanted.”

Now anyone that reads any article about Kevin knows that this piece will either be greatly exaggerated in his favor or greatly exaggerated not in his favor, but either way greatly exaggerated. And if there’s an opportunity to comment on the article, there will be hundreds of trolls eager to do their usual Kevin-bashing or Kevin-is-so-boring-now or I-hacked-Kevin-Mitnick comments. Continue reading “Playboy Tells Kevin Mitnick’s Story” »