It’s just human nature the more enthusiastic someone speaks about something the more it seems to stick around in your mind. This is how I would describe a recent talk on Password Cracking given by Robert Imhoff-Dousham at Defcon this year. I won’t recap his entire presentation which you can review for yourself but I will touch on a few key points which may affect many of the current policies and practices being used out in the real world today.
“Passwords must contain 8 characters and include upper case and numbers”
This ‘rule’ is often used by many websites, corporate domains, and networking devices. But as is the case with many information security standards by the time it is adopted by the masses it is already weakened or outdated. Another point of human nature is we usually take the path of least resistance, even more so when we are dealing with something uncomfortable. For most average people this could include working on computer systems. So let’s take a closer look at this rule and how that would apply.
Let’s see Password1…
While most users are hopefully wise enough not to use such an obvious word most would do the following. Use an uppercase letter as the first letter, it’s easier to remember that way since that’s the way we write. Use a number as the last character, because after all AOL only had the username “StickyBuns234” available for me.
So me as an attacker can simply modify my method of brute force to test for these specific rules, thus reducing your 8 character passwords to 6.
Well it’s brute so it would take you years to actually get this cracked right?
With the advancement of both the GPU and cloud computing markets this is no longer the case. Let’s take GPU brute forcing for example. If we take a newer 8 core GPU and use a rainbow cracking tool or a multihashing tool and pump up to 8000+ streams at the operation. Using a brute force calculator we can see that with 1 box w/4gpu’s we would require ~240 hours. Now if we spread this out across 4 boxes w/4gpu’s each we bring our time down to 2.5 days. Double the boxes and cut the time to crack in half again. Now these numbers are based on a true complex 8 character password. If users are using the flawed methods mentioned above they really have something closer to a 6 Character password depending on my table/dictionary files.
So depending on how valuable your password or passwords in general are to me. I may be able to scale a small server farm just to break user passwords (see the presentation for a cool shopping list showing a $50k 40GPU super cracking server that will eat your password up in less than 140 seconds).
Coincidentally adding just 1 or 2 characters to your required password policy can make this attack vector almost non existent again (well maybe not from the 40gpu super server).
Creating secure passwords can be as simple as coming up with a memorable phrase instead of just a word or two. Here is a great video on how to perform this task. Also remember NEVER use the same password on multiple sites, it makes it much easier to steal all your gold pieces..
One of the good things about long airport layovers are the chances you finally get to catch up on your reading. Which is what it finally took to crack open my last issue of Wired magazine. I must say I was quite amused to find an article outlining the love/hate relationship between AT&T and Apple. Since I have never been an Apple fan I usually just tune out most news related to them which may explain why many of the details in the article was new to me. The tale ends up being a good example of a “FAILationship” and the fact that it starred two of my favorite US corporations just made it that much more comical. Read the article Here
Meanwhile, no matter how frustrated AT&T got with Jobs, it had little choice but to stand by him. It would have been devastating to lose the iPhone after investing billions of dollars and endless reputational capital. And so the relationship carried on, dysfunctional and loveless though it was. Divorce, at least for the time being, was not an option.
Sometimes carrying around a laptop to conduct wireless recon can be a pain.
Today I will show how with your rooted Android & a couple free programs from the Android marketplace you can begin doing some real wireless recon.
Install:
To start search for and install the following 5 programs.
1) Droidwall
2) WiFi Analyzer
3) Shark for Root
4) Shark Reader
5) Network Discovery
Some other useful tools: ssh client, file manager w/SMB, RDP client, Wireless Tether,
Android Webserver, FTP client & server
Setup:
Once all programs are installed we setup our Droidwall like so
Continue doing this for Network Discovery and other programs
you wish to use during your recon fun.
Action:
We launch our WiFi Analyzer
Using the signal strength meter we find a good access point to visit.
Then we launch our Shark to eat up the packets out there.
Eventually we will end up with some data to read.
We can use Shark Reader now or a desktop later to read the data.
We can also use our Network Discovery tool to find devices
and services running on the target network.
Some more advanced techniques using some of the additional tools mentioned above could be to launch phishing attacks in areas requiring users to login thru a web based portal.
When looking for cool spots to capture some traffic try your networks, coffee shops, airports, campuses, hotels, etc…
Freshly back from a new round of security based conferences I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically how by using a frequency flooding technique on 2G networks its possible to do a MiTM type of ease drop on conversations & data. You can read more about it Here
As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.
Here is the quick and dirty way to do this in Android (tested on rooted phone)
DISCLAIMER: Forcing 3G mode will use more battery life
Also if your not on GSM don’t try this @ home…duh
Open Dialer and Enter: *#*#4636*#*#
After inputing the number you will be prompted with a “Testing” menu
Choose “Phone Information”
Scroll all the way down “Set preferred network type” and change this setting to WCDMA_only
That’s it!
I take no credit for the fix above as it was posted on the android dev forums.
Also this protects you from this exploit and any targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android based posts.
I must apologize for the lack of updates.
Between work and other projects my hacking research has suffered.
BUT! Rest assured the security pimp is still pimpin’
I’m just doing it in another fashion at the moment.
My first home studio album will be released next month..
Hopefully still with enough time to give my hacking skills a week or 2 to prep up for Blackhat & Defcon this year ..
Find out more about my musical project Here
With all the disease scare going on lately.
Just a reminder to clean out those Doritos chip lined keyboards every once in a while.
Keyboards Are Disgusting
Curtis & Kenneth Wiltshire were arrested & charged with identity theft using stolden data.
A former employee at the Federal Reserve Bank of New York and his brother were arrested Friday on suspicion of obtaining loans using stolen identities.
Having seen some pretty shabby excuses for IT analysts thru the years somehow I suspect this may just be the tip of the iceberg ..
RSA researcher Ari Juels sat down with SearchSecurity.com to discuss various topics. One of which was the constrained capabilities of RFID (like wireless bar codes), and how it affects the security posture needed to secure these devices.
But, in fact, it’s possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags — those are an optional security mechanism — and even the privacy feature on the tags, what’s called the “kill” function, a self-destruct feature that’s meant to protect consumer privacy. We’ve shown ways the tags can be commandeered for authentication.
Since it is Earth Day it is a good day to review a new website which helps show how green your neighborhood is (or is not). This new website UrbanEcoMap.com will have the ability to show the carbon levels in a given zip code. Currently the city of San Francisco is the only city supporting this project, but hopefully more cities will follow suit after this project goes live in 29 days.
Read More Here …
Or find out about more IT & Carbon Reduction projects Here …
My experiments writing, publishing and marketing on the web
Investigating the disappearance of the B:/ drive...
Information Security through my eyes
Hack The Planet
Tips and Tricks for Information Security
Ramblings of an IT Ops and Security Manager
Information security tips and tricks for both home and business users
