SecuraBit before it Bytes

How Secure Are Your Passwords?

Courtesy of Bart Hopper:

By now, most people know that you should have a complex password of at least 8 characters that is composed of upper case, lower case, numbers, punctuation marks and, as Dilbert said, doodles, sign language and squirrel noises. Your password requirements are so secure that it would take a Beowulf cluster 10,000,000 years to crack. Your users know that if they write down their passwords on a Post-it note, they will be shot. Are your passwords secure?

The problem with a “good password” is that it is extremely difficult to remember. Passwords that are used daily can be easily remembered after a few days. Passwords that are used infrequently can be a point of vulnerability.

Unfortunately, password aging systems do not consider the frequency of use or the number of unsuccessful login attempts prior to a successful login. Sure, you can reset the error count before lockout after x number of minutes, but it treats all accounts equally. An attacker could come in "low and slow" by limiting password attempts to one every 3 minutes.

If your password aging rules dictate that all passwords must be changed every 30 days, the password that is only used every two weeks will expire at the same interval as the password that is used 5 times per day. A better method for password aging systems would be to consider the number of times a password is used and maintain a counter of unsuccessful logins before a successful login in addition to a maximum password lifetime. How would this be an improvement?
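One way to model the usage-aware aging policy described above, as an added illustration that is not from the post (the thresholds MAX_LIFETIME_DAYS, MIN_USES_PER_30_DAYS and MAX_FAILS_BEFORE_SUCCESS are assumed values, and the login history is constructed). The failure counter accumulates until a successful login, so spacing attempts 3 minutes apart does not reset it the way a lockout timer does:

```python
import datetime as dt
from dataclasses import dataclass, field

# Policy knobs (assumed values, not from the post): a password expires when it
# reaches its maximum lifetime, when it is used too rarely to be remembered,
# or when too many failed attempts precede a successful login.
MAX_LIFETIME_DAYS = 90
MIN_USES_PER_30_DAYS = 4
MAX_FAILS_BEFORE_SUCCESS = 5

@dataclass
class Account:
    name: str
    password_set: dt.datetime
    successes: list = field(default_factory=list)  # timestamps of good logins
    fails_before_success: int = 0                   # running counter, reset on success
    worst_fail_streak: int = 0                      # longest failure run before a success

def record_login(acct, when, ok):
    """Update the per-account counters from one login event."""
    if ok:
        acct.successes.append(when)
        acct.worst_fail_streak = max(acct.worst_fail_streak, acct.fails_before_success)
        acct.fails_before_success = 0
    else:
        acct.fails_before_success += 1

def expiry_reasons(acct, now):
    """Return the reasons the password should be changed (empty list = fine)."""
    reasons = []
    age = (now - acct.password_set).days
    if age >= MAX_LIFETIME_DAYS:
        reasons.append("max lifetime reached")
    recent = [t for t in acct.successes if (now - t).days < 30]
    if age >= 30 and len(recent) < MIN_USES_PER_30_DAYS:
        reasons.append("used too rarely to be remembered")
    if max(acct.worst_fail_streak, acct.fails_before_success) >= MAX_FAILS_BEFORE_SUCCESS:
        reasons.append("too many failed attempts before a successful login")
    return reasons

def demo():
    """Constructed history: a daily-use account and a rarely used one hit low and slow."""
    now = dt.datetime(2008, 8, 15)
    start = now - dt.timedelta(days=45)
    daily, rare = Account("daily", start), Account("rare", start)
    for d in range(45):
        record_login(daily, start + dt.timedelta(days=d), True)
    for m in range(6):  # six failures spaced 3 minutes apart, then a good login
        record_login(rare, start + dt.timedelta(days=14, minutes=3 * m), False)
    record_login(rare, start + dt.timedelta(days=14, minutes=18), True)
    record_login(rare, start + dt.timedelta(days=28), True)
    return {a.name: expiry_reasons(a, now) for a in (daily, rare)}
```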

If you have a complex password that is only used once every two weeks, you will probably need to write it down somewhere that is (hopefully) secure. If you don’t write it down, you may forget your password, requiring a password reset. Password resets are the unsung vulnerability in password management. Many organizations do not properly authenticate the person requesting a password reset, reset passwords to a default value, or send the new password to the user in an insecure method. Social engineering can often bypass the “authorized password requestor” list. Are your passwords really secure?

Latest tools from Defcon 16

Thanks to Mubix for his posting on ZDNet; below you will find a link that describes all of the latest tools that were presented at Defcon 16. Use them at your own discretion and make sure you have permission if using them on an enterprise network! As Mubix has no control over the ZDNet posting, you can visit his site and keep up to date on the latest happenings.

Latest tools from DC16!

And if Jay Beale is reading this, we want Middler to come out!

If you thought you were a 1337 h4×0r…

In case you don’t have a television, radio, or even the Internet (which would mean you wouldn’t be reading this): one of the greatest cyber crimes of all time has finally come to a halt, or so they think…

Eleven people in the US city of Boston have been charged with credit card fraud. The US authorities say the suspects stole the data from more than 40 million credit cards.

The hackers obtained the information by installing software in computers and databases of banks and major store chains. They also drove through residential districts with a laptop to hack into personal computers with wireless connections.

Prosecutors speak of the biggest credit card swindle in US history. The suspects, who have US, Estonian, Ukrainian, Belarusian and Chinese nationalities, allegedly embezzled tens of millions of dollars.

So while I’m sitting at DEFCON 16 enjoying a “free” bar tab, I wonder if I’ll see it show up on my own credit card, since I could quite possibly be funding one of these parties and not even know until it’s too late. Oh well, that’s what the fraud department is for, right…

Latest Snort signature to detect DNS vulnerability

As many of you already know, this DNS vulnerability has taken the community as a whole by storm. For you Snort guys out there, here is the latest DNS signature that may help you detect such activity. Props to alexkirk from the #snort channel for hooking us up!

Implement at your own risk! Simply cut and paste it; it looks pretty nasty below:

# sid and rev are placeholders added so the rule loads; the rule as posted had none. Use a sid from your local range.
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; byte_test:1,&,3,3; classtype:misc-attack; reference:cve,2008-0087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-020.mspx; reference:cve,2008-1447; reference:url,www.microsoft.com/technet/security/bulletin/MS08-037.mspx; threshold: type threshold, track by_src, count 1000, seconds 30; sid:1000001; rev:1;)

Hope this helps!
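To see what the signature actually keys on, here is an added walkthrough (not from the post or from Snort) of its two moving parts in Python: the byte_test on the low flags byte of the DNS header, and the per-source threshold of 1000 matches in 30 seconds. The DNS reply headers, source addresses and packet timing are constructed.

```python
import struct
from collections import defaultdict, deque

# Constructed DNS reply headers (12 bytes each): id, flags, qd, an, ns, ar.
# Flags 0x8183 = response, RD/RA set, RCODE 3 (NXDOMAIN).
# Flags 0x8180 = response, RD/RA set, RCODE 0 (NOERROR).
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
NOERROR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

def byte_test_matches(payload):
    """Mirror 'byte_test:1,&,3,3': read 1 byte at offset 3 of the UDP payload
    and AND it with 3. Offset 3 is the low byte of the DNS flags, whose low
    four bits are RCODE; NXDOMAIN (RCODE 3) sets both tested bits, NOERROR none."""
    if len(payload) < 4:
        return False
    return (payload[3] & 3) != 0

class SourceThreshold:
    """Mirror 'threshold: type threshold, track by_src, count N, seconds S':
    alert each time one source reaches N matching packets inside S seconds."""
    def __init__(self, count=1000, seconds=30):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)  # src -> timestamps of matching packets

    def observe(self, src, ts, payload):
        """Feed one UDP/53 packet from src at time ts; True when an alert fires."""
        if not byte_test_matches(payload):
            return False
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] >= self.seconds:
            window.popleft()        # drop hits older than the window
        if len(window) >= self.count:
            window.clear()          # start a fresh count after alerting
            return True
        return False

def simulate(count=1000, seconds=30):
    """Constructed traffic: one server answering NOERROR, one flooding NXDOMAINs."""
    t = SourceThreshold(count, seconds)
    alerts = []
    for i in range(1500):
        ts = i * 0.01               # 1500 replies from each source in 15 s
        if t.observe("198.51.100.7", ts, NOERROR_REPLY):
            alerts.append(("198.51.100.7", ts))
        if t.observe("203.0.113.9", ts, NXDOMAIN_REPLY):
            alerts.append(("203.0.113.9", ts))
    return alerts
```

Note that the mask only tests two RCODE bits, so other non-zero RCODEs such as SERVFAIL (2) also count toward the threshold; the volume threshold, not the mask, is what makes the rule specific.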

Rainbow Tables Online Repository

So unless you’ve been living under a rock for the past couple of years, you should be quite familiar with the term “rainbow tables” and know how unbelievably awesome these are. A fellow colleague and I were in a pinch the other day and had no way of cracking an md5 hashed password, as we simply didn’t have access to a set of rainbow tables, nor did we have time to wait for Ophcrack and JTR to brute force it. So we stumbled across a free site that has over 1.6 million known hashes available.

The site is called Hash Mash and it simply allows you to plug in the md5 and just hit decrypt, or create an md5 using the encrypt tab. Rainbow tables work unbelievably fast and have helped many people in my situation as well as the forensics field. However, be aware that if the password is encrypted then you will run into some issues that will require a higher level of understanding in order to break the encryption; for starters, you need to know the original encryption algorithm being used. Be sure to check this site out for all of your “ethical” cracking needs.

If you are in the position to download rainbow tables for offline use then you can visit the Shmoo Group and download them there too. Happy cracking [|:) <-my interpretation of a white hat.
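For the defender's side of the story, here is an added example (not from the post or from any of the sites named) of why a lookup service like the one above works on a bare md5 and why it stops working the moment a salt is involved. The wordlist is a constructed stand-in for a table of known hashes.

```python
import hashlib
import os

# Constructed mini wordlist standing in for the millions of known hashes on a
# lookup site; at scale a lookup table is just this dictionary.
WORDLIST = ["password", "letmein", "qwerty", "Summer2008", "securabit"]

def build_lookup(words):
    """Precompute md5(word) -> word: the core of any hash lookup service."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def reverse_md5(table, hexdigest):
    """What the site calls 'decrypt' is a dictionary lookup, not cryptanalysis."""
    return table.get(hexdigest.lower())

def salted_md5(password, salt):
    """md5(salt || password) as hex: the same password hashes differently per salt,
    so a table precomputed over bare words never contains it."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def demo():
    """Look up the same password once unsalted and once with a random salt."""
    table = build_lookup(WORDLIST)
    unsalted = hashlib.md5(b"letmein").hexdigest()
    salted = salted_md5("letmein", os.urandom(16))
    return reverse_md5(table, unsalted), reverse_md5(table, salted)
```

Storing passwords with a per-user salt and a slow password hash (bcrypt, scrypt, PBKDF2) is what turns a millisecond lookup back into a brute-force job.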

SecuraBit is powered by Wordpress | WordPress Theme Design | Logo design by Darren Kitchen | Proudly hosted by Divergent Networks