May 28 2013

random-numbers

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that “5f4dcc3b5aa765d61d8327deb882cf99” and “7c6a180b36896a0a8c02787eeafb0e4c” are the MD5 hashes for “password” and “password1” respectively. (For more details on password hashing, see the earlier Ars feature “Why passwords have never been weaker—and crackers have never been stronger.”)

While Anderson's 47-percent success rate is impressive, it's minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds.

MORE:  Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica.
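The guessing loop the excerpt describes, as an added example that is not code from the Ars article or its cracking experts: a small MD5 cracker that runs the three cheapest attack modes in order (a wordlist, the wordlist with an append-suffix rule, then a short hashcat-style mask) against an unsalted hash list. The target list, wordlist, suffixes and mask are constructed here so the script runs offline; the first two hashes are the ones quoted in the excerpt.

```python
import hashlib
import itertools
import string


def md5_hex(candidate: str) -> str:
    """Hash a guess exactly the way the breached site did: plain MD5, no salt."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


# Constructed target list.  The first two hashes are the ones quoted in the
# article; the rest are computed here from known plaintexts so the outcome
# can be checked.  The passphrase should survive every stage below.
TARGETS = {
    "5f4dcc3b5aa765d61d8327deb882cf99",          # "password"
    "7c6a180b36896a0a8c02787eeafb0e4c",          # "password1"
    md5_hex("dragon2013"),                       # wordlist word + year suffix
    md5_hex("ab12"),                             # two letters, two digits
    md5_hex("correct horse battery staple"),     # not reachable by these stages
}

# Constructed wordlist and rule suffixes (real runs use RockYou-sized lists).
WORDLIST = ["123456", "password", "letmein", "monkey", "dragon"]
SUFFIXES = ["1", "12", "123", "!", "2012", "2013"]

# hashcat-style mask charsets: ?l lowercase, ?u uppercase, ?d digit, ?s symbol
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,
}


def rule_candidates(words, suffixes):
    """Append-rule attack: every word followed by every suffix."""
    for word in words:
        for suffix in suffixes:
            yield word + suffix


def mask_candidates(mask: str):
    """Expand a mask such as '?l?l?d?d' into every string it describes."""
    tokens = mask.split("?")[1:]          # '?l?l?d?d' -> ['l', 'l', 'd', 'd']
    for combo in itertools.product(*(CHARSETS[t] for t in tokens)):
        yield "".join(combo)


def crack(targets, candidates):
    """Hash each candidate and look it up in the set of still-uncracked hashes.

    Returns {hash: plaintext} for every target some candidate matched.
    """
    remaining = set(targets)
    found = {}
    for cand in candidates:
        if not remaining:
            break
        digest = md5_hex(cand)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
    return found


def run(targets=TARGETS):
    """Run the stages cheapest-first and return everything recovered."""
    cracked = {}
    remaining = set(targets)
    stages = [
        ("wordlist", iter(WORDLIST)),
        ("wordlist + suffix rule", rule_candidates(WORDLIST, SUFFIXES)),
        ("mask ?l?l?d?d", mask_candidates("?l?l?d?d")),
    ]
    for name, candidates in stages:
        hits = crack(remaining, candidates)
        cracked.update(hits)
        remaining -= set(hits)
        print(f"{name:24s} recovered {len(hits)}, {len(remaining)} left")
    return cracked


if __name__ == "__main__":
    for digest, plain in run().items():
        print(f"{digest}  {plain}")
```

Each stage only hashes against the hashes the previous stages left behind, which is why cheap attacks run first; the mask stage alone tries all 67,600 strings its pattern describes, and a longer mask such as `?l?l?l?d?d?d` would multiply that by 260, which is why real crackers reach for GPUs rather than a Python loop.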

May 08 2013

random-numbers

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lighttpd, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users’ computers.”

Previously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet’s most popular Web server application.

MORE: Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too | Ars Technica.

Mar 05 2013

evernote

Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.

The scrutiny of Evernote’s security comes two days after Evernote officials disclosed a breach that exposed names, e-mail addresses, and password data for the service’s 50 million end users. Evernote blog posts published over the past few years show that the company protects passwords and sensitive user data with encryption algorithms and schemes that contain known weaknesses. That is prompting criticism that the company’s security team isn’t doing enough to protect its customers in the event that hackers are able to successfully compromise the servers or end-user phones.

The chief complaint involves Evernote’s use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. Use of MD5 to store passwords has long been frowned on by security experts because the algorithm is an extremely fast and computationally inexpensive way to convert plaintext such as “password” into a unique string of characters such as “5f4dcc3b5aa765d61d8327deb882cf99.” MD5 makes an attacker’s job of cracking the hashes much easier by allowing billions of guesses per second, even on computers of relatively modest means.

By comparison, the use of slow algorithms such as bcrypt, which Twitter uses to protect its passwords, adds considerable time and computing requirements to the task of converting the hashes into the underlying plaintext passwords. Even when hashes are generated using cryptographic salt to add randomness—as Evernote says it does—MD5 is still considered a poor choice.

READ MORE:  Critics: Substandard crypto needlessly puts Evernote accounts at risk | Ars Technica.
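The three storage choices the excerpt contrasts, as an added example that is not Evernote's code or the article's: unsalted MD5 falls to a precomputed table; salted MD5 makes the table miss, but because the salt is stored next to the hash and MD5 is fast, per-record guessing is still cheap; a deliberately slow KDF is what actually raises the cost per guess. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here (bcrypt is not in the standard library), and the salt-prepended layout, iteration count, wordlist and sample records are assumptions constructed for the demo, not Evernote's real scheme.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # demo value; pick per current NIST/OWASP guidance


def md5_unsalted(password: str) -> str:
    """The scheme the excerpt criticises: one fast MD5 over the password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(salt: bytes, password: str) -> str:
    """Assumed layout for the demo: salt bytes prepended to the UTF-8 password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_kdf(salt: bytes, password: str, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256, thousands of rounds per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def precomputed_table(words):
    """Attacker side: hash every word once, then look stolen hashes up in O(1)."""
    return {md5_unsalted(w): w for w in words}


def guess_salted(salt: bytes, stored: str, words, hasher=md5_salted):
    """Per-record guessing.  The salt forces recomputation for this record only,
    but each attempt costs a single hash, which is trivial when that hash is MD5."""
    for w in words:
        if hmac.compare_digest(hasher(salt, w), stored):
            return w
    return None


def make_record(password: str):
    """How the server should store a password: random salt plus slow KDF output."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": slow_kdf(salt, password)}


def verify(record, password: str) -> bool:
    candidate = slow_kdf(record["salt"], password, record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_guess(fn, n: int) -> float:
    start = time.perf_counter()
    for _ in range(n):
        fn()
    return (time.perf_counter() - start) / n


WORDS = ["123456", "password", "letmein", "qwerty", "monkey"]  # constructed wordlist


def demo():
    table = precomputed_table(WORDS)
    salt = b"\x9a\x1f\x00\x7e\x3c\xd2\x41\x88"  # constructed per-user salt

    # 1. Unsalted MD5: the stolen hash is a dictionary key; no work at all.
    stolen_unsalted = md5_unsalted("monkey")
    hit_unsalted = table.get(stolen_unsalted)

    # 2. Salted MD5: the same table misses ...
    stolen_salted = md5_salted(salt, "monkey")
    hit_table = table.get(stolen_salted)
    # ... but with the salt (stored beside the hash) the attacker recomputes,
    # and MD5 makes each recomputation nearly free.
    hit_salted = guess_salted(salt, stolen_salted, WORDS)

    # 3. Slow KDF: each guess now costs ITERATIONS HMAC rounds instead of one MD5.
    md5_cost = seconds_per_guess(lambda: md5_salted(salt, "monkey"), 2000)
    kdf_cost = seconds_per_guess(lambda: slow_kdf(salt, "monkey"), 3)
    print(f"salted MD5: {md5_cost * 1e6:.1f} us/guess, "
          f"PBKDF2({ITERATIONS}): {kdf_cost * 1e3:.1f} ms/guess, "
          f"slowdown x{kdf_cost / md5_cost:.0f}")

    record = make_record("monkey")
    return {
        "unsalted_table_hit": hit_unsalted,
        "salted_table_hit": hit_table,
        "salted_guess_hit": hit_salted,
        "kdf_slower": kdf_cost > md5_cost,
        "verify_ok": verify(record, "monkey"),
        "verify_wrong": verify(record, "monkey1"),
    }


if __name__ == "__main__":
    print(demo())
```

The printed slowdown factor is the whole argument: salting only removes the shared precomputation, while the iteration count is what turns "billions of guesses per second" into thousands, and it can be raised as hardware gets faster without changing the stored format.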

Feb 11 2013

random-numbers

The U.S. is under attack, a recently released national security document has claimed.

China is the top cyberthreat to the U.S., the National Intelligence Estimate (NIE) claims, according to the Washington Post, which obtained information related to the report from unidentified individuals. The NIE, which comes from all U.S. intelligence agencies, says that China has been intensifying attacks on U.S. businesses to identify data that will help the country gain economically, according to the Post.

Over the past five years, the Chinese have focused their efforts on businesses operating in finance, technology, and aerospace, among others, according to the Post.

MORE:  U.S. target of sustained cyber-espionage campaign | Security & Privacy – CNET News.

Nov 19 2012

Some simple housekeeping can make a world of difference to the likelihood of your site getting hacked. Kim Crawley has the tricks

WordPress is the most popular content management system (CMS) on the web. Developed with PHP, and powered by MySQL databases, WordPress is used by an astonishing 8.5 per cent of all websites. Web-delivered malware and website cracking are becoming increasingly common, and with such a large percentage of web content using WordPress as a CMS, any security vulnerabilities in WordPress’ coding or framework could affect millions of websites.

This article will explain how you can best protect your WordPress site from malware and cracking, without having deep security knowledge.

via 10 simple ways to secure your WordPress site | Feature | .net magazine.

Sep 12 2012

Don’t listen to the voices in your head, advises frontend developer Nick Jones. Here he explains how he got stuck creating his personal site and learned to trust his instincts instead

There’s this fallacy of a right way and a wrong way to design and code. If you spend enough time looking for it or reading about it, you’ll end up paralysed. It happened to me. But in early 2012, five years after the launch of the iPhone, I decided it was time to suck it up and create a modern website for myself. What follows are my doubts about making narrowdesign.com.

Responsive?

(INTERNAL DIALOGUE) You know nothing about ‘responsive web design’. You have no business making a responsive site for yourself or anyone else. It’s too new and untested. You aren’t capable of pulling it off. You’re not even a real programmer. In the event that you do pull it off, you’ll immediately wish you hadn’t. Something new will replace it by this time next year. You’ll look stupid for jumping on the bandwagon with every SEO expert and web guru who now drop its name. Remember what happened with microsites?

MORE:  I cannot design or code a responsive website | Opinion | .net magazine.

Sep 11 2012

In his statement, Wagner said that at “no time was any customer data at risk or were any of our systems compromised.” He also apologized to customers for the mishap and thanked them for their patience.

What exactly caused the outage, however, is still unclear, and Wagner didn’t offer much in the way of specifics:

We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again.

MORE:  Go Daddy: Sorry about the outage. And no, it wasn’t a hack | Security & Privacy – CNET News.

Aug 29 2012

Last week’s feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.

Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they’re like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found wasn’t encouraging.

First, the good news. WPA and WPA2 use an extremely robust password-storage regimen that significantly slows the speed of automated cracking programs. By using the PBKDF2 key derivation function along with 4,096 iterations of the SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps of June would require days or even weeks or months to complete against the WiFi encryption scheme.

What’s more, WPA and WPA2 passwords require a minimum of eight characters, eliminating the possibility that users will pick shorter passphrases that could be brute forced in more manageable timeframes. WPA and WPA2 also use a network’s SSID as salt, ensuring that hackers can’t effectively use precomputed tables to crack the code.

That’s not to say wireless password cracks can’t be accomplished with ease, as I learned firsthand.

MORE:  How I cracked my neighbor’s WiFi password without breaking a sweat | Ars Technica.
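The key derivation the excerpt describes, as an added example that is not code from the Ars article: the WPA/WPA2-PSK pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4,096 rounds, 256-bit output, passphrase 8 to 63 characters. The block checks the derivation against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), shows that a different SSID yields a different PMK, and runs a dictionary attack that derives one PMK per candidate. A real attack verifies each candidate PMK against a captured four-way handshake (PTK derivation and MIC check); that step is assumed and not shown, so `crack_pmk()` compares PMKs directly. The wordlist and the second SSID are constructed for the demo.

```python
import hashlib
import time

ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).

    The 8..63 character rule is the WPA passphrase constraint the excerpt mentions.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def crack_pmk(target_pmk: bytes, ssid: str, wordlist):
    """Dictionary attack: derive a PMK per candidate until one matches.

    Candidates WPA would never have accepted are skipped before paying the
    4,096 rounds.  Returns (passphrase or None, number of PMKs derived).
    """
    tried = 0
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue
        tried += 1
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate, tried
    return None, tried


def guesses_per_second(ssid: str, samples: int = 20) -> float:
    """Measure how many PMK derivations per second this CPU manages."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


# Constructed wordlist; "monkey" is too short to be a WPA passphrase.
WORDLIST = ["monkey", "12345678", "trustno1", "liverpool", "password", "iloveyou"]


def demo():
    # Same passphrase, different SSID: the SSID salt changes the PMK, so a
    # table precomputed for one network name is useless against another.
    pmk_ieee = derive_pmk("password", "IEEE")
    pmk_other = derive_pmk("password", "linksys")   # constructed second SSID

    found, tried = crack_pmk(pmk_ieee, "IEEE", WORDLIST)

    rate = guesses_per_second("IEEE")
    lowercase8 = 26 ** 8
    print(f"{rate:.0f} PMK/s on this CPU; exhausting 8 lowercase letters "
          f"would take about {lowercase8 / rate / 86400 / 365:.0f} years")
    return {
        "vector_ok": pmk_ieee == IEEE_VECTOR_PMK,
        "ssid_changes_pmk": pmk_ieee != pmk_other,
        "found": found,
        "tried": tried,
    }


if __name__ == "__main__":
    print(demo())
```

The printed estimate is what makes the excerpt's "not encouraging" conclusion concrete: at a few thousand PMKs per second per core, exhaustive search of even an all-lowercase 8-character space is out of reach, so practical attacks are dictionary and rule based, which is why the passphrase choice, not the KDF, decides the outcome.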

Oct 11 2011

Aaron Barr believed he had penetrated Anonymous. The loose hacker collective had been responsible for everything from anti-Scientology protests to pro-Wikileaks attacks on MasterCard and Visa, and the FBI was now after them. But matching their online identities to real-world names and locations proved daunting. Barr found a way to crack the code.

In a private e-mail to a colleague at his security firm HBGary Federal, which sells digital tools to the US government, the CEO bragged about his research project.

“They think I have nothing but a hierarchy based on IRC [Internet Relay Chat] aliases!” he wrote. “As 1337 as these guys are supposed to be they don’t get it. I have pwned them! :)”

But had he?

via How one man tracked down Anonymous—and paid a heavy price.

Sep 06 2011

A well known security firm warns that the number of compromised digital security certificates from DigiNotar, a Dutch certificate authority outfit owned by VASCO Data Security International, has doubled in size over the past week from 250 false SSL certificates to 531. False certificates have now been issued for Facebook, Google, Tor, Skype, Mossad, CIA, MI6, Twitter, and several other high profile sites.

“This is really bad news. As DigiNotar is a ‘root’ certificate, they can assign authority to intermediaries to sign and validate certificates on their behalf,” security firm Sophos explains. “It appears the attackers signed 186 certificates that could have been intermediate certificates. These certificates masqueraded as well-known certificate authorities like Thawte, Verisign, Comodo, and Equifax.”

According to Sophos, computer users of IE and Safari on Windows 7/Vista/2008/2008R2 and/or Chrome and Firefox on all platforms are immune from exploitation, so long as you’re rocking a fully patched browser and OS. Things aren’t as peachy for Apple users.

via Maximum PC | Hackers Issue Rogue SSL Certificates for CIA, MI6, and Mossad; Apple Stands Pat.