A computer capable of cracking strong passwords by brute force in minutes
December 8, 2012
Internet security researchers have built a new super computer capable of guessing very strong passwords by brute force in just a few minutes instead of days.
Jeremi Gosney demonstrated a new system running the HashCat password cracking software across a cluster of five powerful servers equipped with 25 AMD Radeon GPUs at the Passwords 12 conference in Oslo, Norway.
Gosney's new system means that even strong passwords protected by weak one-way hash algorithms, notably those used in Microsoft's LM and NTLM, are very vulnerable and should be discarded at once.
A 14-character Windows XP password hashed using LAN Manager can be recovered from its hash value in just six minutes. LM splits a 14-character password into two seven-character halves before hashing each one separately, which makes it far less secure than an eight-character password hashed whole with another algorithm.
Brute forcing an eight-character password would take 5.5 hours, Security Ledger reports. The attack can be run against leaked password hashes, not directly against a live login prompt.
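An added illustration (not code from the article or from Gosney) of why the LM split matters: it models LM's uppercase-pad-split preprocessing and counts the brute-force candidates for a 14-character LM password against an 8-character password hashed whole. The DES step that hashes each half is omitted, and the hash rate constant is an assumed figure.

```python
# Added illustration (not part of the article): models why a 14-character LM
# password falls faster than an 8-character password hashed as one unit.
# Only the LM preprocessing is shown; the DES step that turns each 7-byte half
# into a hash is omitted.
from typing import Tuple

LM_CHARSET = 69         # printable ASCII (95) minus the 26 lowercase letters LM folds to uppercase
FULL_CHARSET = 95       # full printable ASCII, as kept by NTLM and modern password hashes
RATE_PER_SECOND = 20e9  # assumed hash rate of the cluster (illustrative, not from the article)

def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Uppercase, pad with NULs to 14 bytes and split into two independent 7-byte halves."""
    if len(password) > 14:
        raise ValueError("LM hashes exist only for passwords of 14 characters or fewer")
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def lm_work(length: int) -> int:
    """Candidates to exhaust an LM hash: each half is cracked on its own, so the costs add."""
    first, second = min(length, 7), max(length - 7, 0)
    return LM_CHARSET ** first + LM_CHARSET ** second

def full_work(length: int) -> int:
    """Candidates to exhaust a hash of the whole password: every position multiplies the cost."""
    return FULL_CHARSET ** length

def seconds_to_exhaust(candidates: int, rate: float = RATE_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given hash rate."""
    return candidates / rate

if __name__ == "__main__":
    print(lm_halves("Passw0rd!"))
    for n in (8, 14):
        print(f"{n}-char LM: {lm_work(n):.2e} candidates, {seconds_to_exhaust(lm_work(n)):.0f} s")
    print(f"8-char whole-password hash: {full_work(8):.2e} candidates")
```

The comparison shows the asymmetry the article describes: two 7-character halves cost about 2 x 69^7 candidates, hundreds of times fewer than 95^8 for a single 8-character hash.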
Since data breaches are by no means rare, this is not much of a barrier to misuse, and it is something system admins urgently need to address.
Services such as WPA Cracker and Cloud Cracker, a cloud-based platform for penetration testers, have already shown that older encryption algorithms and shorter passwords are hopelessly insecure. Gosney's research further underscores that point.
This means that what were once considered safe passwords and safe encryption technology no longer are, and companies, governments and organizations all over the world now need to treat information security as an ongoing concern and stay on the lookout for breaches on their networks.
In other internet security news
Security researchers have discovered a whole new list of security vulnerabilities in industrial control software from many leading manufacturers, including Siemens, General Electric, Schneider Electric, ABB/Rockwell and a few others.
The unpatched security holes are all server-side and remotely exploitable by hackers, according to ReVuln, a new internet security research firm based in Malta.
SCADA systems are used to monitor and control industrial processes, infrastructure, and facility-based processes such as those of the Iranian nuclear plant attacked by the Stuxnet virus in July 2010.
No technical details were issued, so the claims of unpatched security flaws can't be independently verified at this time. Rather than reporting the flaws to vendors, ReVuln is offering to sell details of its discoveries to potential customers, a spokesman for the firm said.
"We sell our 0-day vulnerabilities to our 0-day feed customers. Vendors who want to improve their security can request one of our consulting services."
The most obvious customers for details on SCADA exploits, particularly in the wake of Stuxnet, are government agencies. ReVuln said it only accepts "trusted customers from reputable countries only".
Like others in the emerging field of exploit brokering, ReVuln avoids simply reporting security bugs to vendors as part of a vulnerability disclosure process. It also has little interest in bug-bounty programs of the type pioneered by the likes of Google and Mozilla, which are now gaining wider acceptance among IT vendors and others, such as PayPal.
"We don't work for free," a ReVuln spokesman explained. "We had several personal experiences in the past where vendors didn't even say thanks for reporting an issue, or they try to underpay your research with bug-bounty programs that are not worth reporting issues to them."
ReVuln's website states that the start-up specializes in "software and hardware assessment including vulnerability research for offensive and defensive security", which would appear to place the firm in the same category as exploit intelligence services firms such as Vupen Security.
Vupen, which bills itself as a "leading provider of defensive & offensive cyber security intelligence for government", recently claimed it was sitting on a nasty Windows 8 exploit which it declined to share with Microsoft.
ReVuln said that instead of comparing it with Vupen, it makes more sense to compare it to firms that buy vulnerabilities and report them to vendors.
"There are several other companies outsourcing vulnerability research and reporting issues to the vendors after selling weaponized exploits to their customers. Their business model works because most of the people selling vulnerabilities to such companies are not aware of the real market value of the information they are selling, so they accept to sell their work for a very little amount of money," the spokesman told us.
"On our side, we don't buy vulnerabilities and all our research is made by our internal team, moreover we do not disclose vulnerability information to vendors."
Last week, Russian developer Positive Technologies said that about 40 percent of SCADA software systems “available from the internet” were hackable. The claim came just weeks after the balloon went up about flaws in CoDeSys, a popular development environment for industrial control systems, used by a whole bunch of well-known SCADA software manufacturers.
Kaspersky Lab, the Russian security firm that has been applauded for its research into Stuxnet and other SCADA security issues, recently announced it was developing an operating system designed to make industrial control systems less vulnerable to the sort of attacks ReVuln boasts it has discovered.
The volume of SCADA vulnerabilities being uncovered makes ReVuln's claims, which would have been considered fanciful two years ago, more than credible, even though they remain unproven.
Last week, ReVuln said it had discovered a remote code execution vulnerability in the CryEngine 3 game engine and a server-side bug involving Call of Duty: Modern Warfare 3 that might lend itself to denial of service attacks against game servers.
ReVuln's paper on the Call of Duty bug explains the issue in some depth while a video of the game engine vulnerability is far less forthcoming, other than classifying the exploit as arising from a heap spray vulnerability.
"The security hole in CryENGINE 3 is an example of 0-day vulnerability affecting the server-side part of games using game engines," a ReVuln spokesman explained. "Basically by exploiting such a hole, it's possible to compromise remote servers, and get complete control over them. We also discovered a 0-day vulnerability in Call Of Duty: Modern Warfare 3, which can be exploited to take down all the online servers at once.
"Please note that we didn't provide any public exploit or proof-of-concept code," he added. The start-up said its security research covers many different fields, positioning its interest in looking at the security as far from a hobby or side-project.
"Games have a huge market, and there is interest from game companies in game security to improve their level of security," ReVuln explained.
In other internet security news
A new Linux malware and rootkit has been discovered late yesterday that security researchers say is designed to inject iFrames and viruses into specific websites and then push traffic to malicious sites that then propagate the malware even further.
News of the rootkit has circulated for the past few days after an anonymous user of the Full Disclosure mailing list posted about it online. Since then, researchers at Kaspersky Lab and CrowdStrike have looked into the malware and shared their findings.
Originally designed for 64-bit Linux systems, it specifically targets kernel version 2.6.32-5-amd64, which is the latest kernel used in the 64-bit Debian Squeeze release.
"The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit rootkits," says George Wicherski, senior security researcher at CrowdStrike. "It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail," he added.
According to CrowdStrike, the malware doesn't appear to be a modified version of any known malware, and appears to be the work of an intermediate-level programmer. It is believed that it could be the work of a Russian software contractor.
"The malware ensures its startup by adding an entry to the /etc/rc.local script: insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko," says Marta Janus of Kaspersky Lab. "After loading it into memory, the rootkit uses one of two methods to retrieve kernel symbols and write them to the /.kallsyms_tmp file:
"Then it extracts the memory addresses of several kernel functions and variables and stores them in the memory for later use," she says.
In order to hide files and the startup entry, the rootkit hooks a number of kernel functions, including: vfs_readdir, vfs_read, filldir64 and filldir.
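As an added defensive example (not code from the article, Kaspersky or CrowdStrike), the check below scans an /etc/rc.local script for the kind of kernel-module persistence described above and reports why each load looks suspicious. The sample rc.local content and the watch-list of generic module names are constructed for the example; the insmod line is the one quoted in the article.

```python
# Added example (not the article's or the researchers' code): flags kernel-module
# persistence of the kind described above in an /etc/rc.local script.
import re
from typing import Dict, List

# Loader commands rc.local has no routine reason to run: Debian declares boot-time
# modules in /etc/modules, so a load from here is itself worth a look.
LOADER_RE = re.compile(r"^\s*(?:/sbin/)?(?:insmod|modprobe)\s+(\S+)")
GENERIC_NAMES = {"module_init.ko", "module.ko", "kernel.ko"}  # constructed watch-list of bland names

def find_module_loads(rc_local: str, etc_modules: str = "") -> List[Dict]:
    """Return each module load found in rc.local with the reasons it looks suspicious.
    Read both files from rescue media or a trusted snapshot: the rootkit hooks vfs_readdir
    and filldir on a live host, so an infected kernel can hide the entry from you."""
    declared = {ln.strip() for ln in etc_modules.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")}
    findings = []
    for lineno, line in enumerate(rc_local.splitlines(), start=1):
        m = LOADER_RE.match(line)
        if not m:
            continue
        module = m.group(1)
        name = module.rsplit("/", 1)[-1]
        stem = name[:-3] if name.endswith(".ko") else name
        reasons = ["kernel module loaded from rc.local instead of /etc/modules"]
        if name in GENERIC_NAMES:
            reasons.append(f"generic module file name {name}")
        if stem not in declared:
            reasons.append("module not declared in /etc/modules")
        findings.append({"line": lineno, "module": module, "reasons": reasons})
    return findings

# Constructed sample: one ordinary line plus the insmod line quoted in the article.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
/usr/local/bin/site-monitor --start
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0
"""

if __name__ == "__main__":
    for f in find_module_loads(SAMPLE_RC_LOCAL):
        print(f"line {f['line']}: {f['module']}")
        for r in f["reasons"]:
            print("   -", r)
```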
"The TCP code will then later retrieve data from that buffer and encapsulate it in a TCP packet for transmission," he adds.
"Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely," he adds. "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely."
Janus further speculates in her analysis that the malware is still in the initial development stage, because of the presence of debugging information and because some of the functions do not yet seem to be fully working or implemented.
"So far, in most of the drive-by download scenarios we've seen, an automated injection mechanism is first implemented as a simple PHP script," Janus states. "In the case described above, we are dealing with something far more sophisticated: a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before," she said.
"This rootkit, though it's still in the initial development stage, reveals a new approach to the drive-by download scheme and we can certainly expect more such malware in the future," she added.
In other internet security news
BSD software developers say that hackers broke into two of the FreeBSD project's servers using a stolen SSH authentication key, with admin login credentials that appear to have belonged to one of the developers.
The lead project developer behind the open-source operating system has launched a full-fledged investigation into the security breach and has taken a few of the servers offline during his probe. However, early indications are that the damage might have been far worse than was initially thought.
None of the so-called base repositories - stores of core components such as the kernel, system libraries, compiler and daemons - were hit, however. Only servers hosting source code for third-party packages were exposed by the attack, which was detected on November 11 and announced on Saturday, November 17, following a preliminary investigation.
The intrusion itself may have happened as far back as September 19, according to the lead developer. On November 11, an intrusion was detected on two servers within the FreeBSD.org cluster. The affected machines were taken offline for analysis, and probably won't be reconnected until sometime next week.
Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precautionary measure. "We have found no evidence of any modifications that would put any end user at risk. However, we do urge all BSD users to read the report available on our site and decide on any required actions themselves. We will continue to update you as further information becomes known. We do not currently believe users have been affected given current forensic analysis," read a FreeBSD statement on their site.
"And no Trojanized packages have been uncovered, at least as yet. But FreeBSD users have been urged to carefully check third-party packages installed or updated between September 19 and November 11 nonetheless, as a precaution," it continued.
The FreeBSD.org team has promised to tighten up security, in particular by phasing out legacy services such as the distribution of FreeBSD source via CVSup, in favor of the more robust Subversion, freebsd-update, and portsnap distribution methods. The hack was "not due to any vulnerability or code exploit within FreeBSD", according to the BSD developers.
The whole incident raises some embarrassing and troubling questions, since it seems that the unknown attackers managed to steal both an SSH (remote administration) key file and passwords from a developer.
Analysis of the attack can be found in an informative blog post by Paul Ducklin of Sophos. Attacks on open-source repositories are far from unprecedented. Kernel.org was suspended for a month in July 2011 following a much more serious malware attack and a server compromise.
Then in August 2011 another breach on the MySQL.com website left visitors exposed to malware that could infiltrate said MySQL databases.
But perhaps the most similar attack to the FreeBSD hacking attempt occurred in 2009, with a breach against the Apache Software Foundation, also facilitated by the misuse of SSH keys.
In other internet security news
The U.S. Transportation Security Administration (TSA) has taken yet another bad dose of publicity with the recent discovery that its questionable security system allows passengers in its PreCheck program to choose their own security status, thus compromising other security features.
The TSA's PreCheck system allows some frequent fliers willing to pay $100 for a background check to skip some of the onerous security checks, like taking off shoes and unpacking laptops or toiletries. PreCheck customers are still subject to more intensive searches on a randomized basis, however.
Aviation blogger John Butler discovered that the barcode information used for the boarding passes of PreCheck fliers wasn't encrypted or otherwise protected, and could be read by a simple smartphone app. It contained the flier's name, flight details, and a number, either a 1 or a 3, with the latter confirming the passenger was cleared for lesser screening.
Ordinarily, it would be a relatively simple task to just scan the issued boarding pass, decode it, and then change the security setting if you are planning to bring something suspicious aboard, or even change the name on the ticket to match a fake ID.
But after placing the new information into a barcode, and a couple of minutes of cut and paste, the new boarding pass would work as normal, Butler explained, and that's where the whole issue lies.
"The really scary part in all of that is both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don't check against the real time information," he said. "So the TSA document checker will not pick up on the alterations."
This means that, as long as their boarding pass has a 3 on it, they can always use the PreCheck line. But the agency that appears to devote so much time to irradiating fliers, fondling vibrators, promoting the homosexual agenda, or just plain stealing fliers' belongings doesn't seem to have thought of that.
The TSA only deems it necessary to have barcode readers for checking the data itself against the presented ID, not the accuracy of the boarding pass itself. Simply encrypting the data would also work, so how come they didn't think of that?
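As an added example (not the TSA's actual barcode format, nor Butler's code), the snippet below shows the control the article finds missing: the boarding-pass fields carry a keyed MAC, so a document scanner holding the key rejects any edited field offline without a real-time lookup. Encryption alone hides the fields but does not by itself reveal that one was changed; an HMAC does. Field names, the key and the sample values are constructed.

```python
# Added example (not the TSA's format or code): a boarding-pass barcode payload
# whose fields carry an HMAC tag, so a scanner with the key can reject any edited
# field without contacting a backend.
import hashlib
import hmac
from typing import Dict, Optional

FIELDS = ("name", "flight", "date", "screening")  # screening "1" = standard, "3" = reduced, as in the article
SEP = "|"

def encode_pass(fields: Dict[str, str], key: bytes) -> str:
    """Serialize the fields and append an HMAC-SHA256 tag computed over all of them."""
    values = [fields[f] for f in FIELDS]
    if any(SEP in v for v in values):
        raise ValueError("field values must not contain the separator")
    body = SEP.join(values)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + SEP + tag

def verify_pass(payload: str, key: bytes) -> Optional[Dict[str, str]]:
    """Return the fields when the tag is valid, else None. Needs only the key, no live lookup."""
    parts = payload.split(SEP)
    if len(parts) != len(FIELDS) + 1:
        return None
    body, tag = SEP.join(parts[:-1]), parts[-1]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return dict(zip(FIELDS, parts[:-1]))

# Constructed demo values; a real deployment shares the key between issuer and scanners.
KEY = b"constructed-demo-key-not-for-production"
SAMPLE = {"name": "DOE/JANE", "flight": "XX123", "date": "2012-12-08", "screening": "1"}

if __name__ == "__main__":
    issued = encode_pass(SAMPLE, KEY)
    print("as issued:", verify_pass(issued, KEY))
    edited = issued.replace("|1|", "|3|", 1)       # the alteration the article describes
    print("edited   :", verify_pass(edited, KEY))  # None: the tag no longer matches
```

The tag proves only that the fields are unchanged since issue; matching the name against the presented ID and checking the reservation live remain separate controls.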
According to the TSA's vision statement, the agency strives to "continuously set the standard for excellence in transportation security through its people, processes, and technology." Really? Wow!
In other security news
According to a new study recently released, on average, hackers exploit security vulnerabilities in software for about ten to eleven months before the full details of the security issues surface to the public.
Researchers from Symantec say that these zero-day attacks, so called because they are launched well before security firms and industry vendors are even aware of the vulnerabilities per se, are more prevalent and more potent than previously believed.
Overall, zero-day exploits are often closely guarded secrets and the simple reason is that they can be very valuable to potential hackers. However, once the details of the exploited security flaws emerge in public, application developers and system admins alike can rapidly get to work to mitigate or halt the attacks dead in their tracks.
But in today's imperfect cyber world, this comes at a huge price: it also tips off the world that these security vulnerabilities exist in systems.
Case in point: Leyla Bilge and Tudor Dumitras, both of Symantec Research Labs, identified no less than eighteen zero-day attacks between January 2008 and December 2011, and eleven of them were previously undetected.
Source: Security Ledger.