Friday, November 8, 2013

Adobe user database leak

While the media has been abuzz about the Adobe data leak, the figure itself is staggering: 153.9 million user ids.

To be exact, the number is 153,989,523 email addresses! That’s right, it is ~154 million user ids!

Think of what a spammer could do with such data. Nothing much can be done about the exposed emails, but it is advised to change the password of the Adobe id to something more secure that is not reused on any other site.

If one has been using the same password (which most do! :( ) across multiple sites, it is strongly advised to change it as soon as possible, because it is only a matter of time before Adobe’s encryption keys are cracked. For a security researcher the dump would be a treat to analyze, but even without the encryption key, the password hints combined with a list of the most commonly used passwords (the same awful list we have been told for ages to avoid) go a long way, which again exposes the quirks of security.

Humans are inevitably the weakest, weakest link in the security chain. Whatever the system, be it cryptography, perimeter security, application security, host security and what not, if one uses a crappy, easy-to-type password, it is a matter of nanoseconds before everything gets compromised. We (collectively) for some reason cannot or do not want to follow the advice not to use common passwords. Be it laziness or a misjudgement of the importance of the target system, we tend to follow the same pattern even for secure, protected, highly sensitive systems, because once a habit is formed it becomes routine and the human mind gets accustomed to it!

After all we are humans. With different ethnicity, language, culture and relationships, but united in the cause of using crappy passwords! When will we learn? I strongly believe the day will never come. Believe me, over my entire security career, which has spanned two decades, I have seen the same passwords even used by various device manufacturers and application makers for the default root-level / admin-level accounts, hoping we humans will change them after we start using the product (which we don’t).

The internet is strewn with articles, suggestions, algorithms and advice on choosing a strong password, and yet we fail again and again and forever!

Will the world change, and by when? Answer is: in 123456 years probably!

Sunday, October 13, 2013

Do not trust Chinese routers, especially D-LINK – As they contain backdoor!

A group of researchers found a backdoor in a set of D-LINK routers. Well, not news, but expected and good to have uncovered. Does it call for a deeper inspection of other brands of routers? Better off with open firmware like DD-WRT, OpenWRT or TOMATO! At least you know what you are loading onto the device.

The discovered backdoor bypasses the authentication step and lands you directly in the admin interface!

Pretty nifty, isn’t it? That’s what a backdoor is for.

Method to access: Just change the User Agent string of your browser to “xmlset_roodkcableoj28840ybtide” which is actually a reverse of “editby04882joelbackdoor_teslmx”.

Nice huh?

“edit by 04882 joel backdoor _teslmx”

One of the very few backdoors which actually spells out “backdoor”! :)

How to change the User Agent? It is very simple for non-IE browsers. Check the configuration settings for the agent string by typing about:config in the address bar.

If there is such an option, you can change it and restart the browser for the new string to take effect. To check that it has changed, use Netcat: start a listener on the local interface with “nc -vvns 127.0.0.1 -Lp 888” at the DOS prompt, then browse to “http://localhost:888” and you will see the raw request in the command prompt window. Check the User Agent header value there to confirm it has been changed according to the above setting.

Otherwise look for a plug-in which can change the User Agent string of the browser to whatever text you want!

More info about the backdoor and affected devices from http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
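Since the backdoor is triggered purely by the User-Agent header, the defender-side counterpart of the check above is to look for that string in whatever logs sit in front of the device. The following is an added example, not code from the post or from the linked write-up; it assumes the requests are recorded in the standard Apache/nginx “combined” log format by a proxy or web server in front of the router, and the log lines are constructed for the demonstration.

```python
import re

# The User-Agent string described in the post; reversed it reads
# "editby04882joelbackdoor_teslmx".
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = _COMBINED.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_ua(user_agent):
    """True when the User-Agent equals, or embeds, the backdoor string."""
    return BACKDOOR_UA in user_agent


def find_backdoor_requests(lines):
    """Return (client, time, request) for every log line carrying the backdoor User-Agent."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line: skip it rather than abort the whole scan
        if is_backdoor_ua(rec["ua"]):
            hits.append((rec["client"], rec["time"], rec["request"]))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"',
    '198.51.100.7 - - [13/Oct/2013:10:01:05 +0000] "GET /admin.html HTTP/1.1" 200 2048 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    'garbage line that does not parse',
    '203.0.113.9 - - [13/Oct/2013:10:02:11 +0000] "GET /login.html HTTP/1.1" 401 128 "-" '
    '"curl/7.32.0"',
]

if __name__ == "__main__":
    for client, when, req in find_backdoor_requests(SAMPLE_LOG):
        print(f"ALERT: backdoor User-Agent from {client} at {when}: {req}")
```

The match is a plain substring test, so a client that pads the string with other tokens is still caught; a real deployment would feed the function from a log tail or an IDS rule rather than a fixed list.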

More and more of such news is actually taking away the trust in device manufacturers, whether they are Chinese or not!

Well, likewise Intel, who have an embedded SIM enabled on the processor for remote access, software manufacturers having hidden backdoors, etc.

It is nice to see some researchers burning the midnight oil to uncover snake oil products (what else to call ’em?) and legitimate products with such nonsensical backdoors. But when it comes to hardware it is pretty much out of reach for anyone to have a look at it and understand what it does when a specially crafted instruction / packet or command is sent. It is actually scary to think what lies between the multi-layered PCBs and components and what they are capable of. One could still argue that as laymen we might not have to worry about such things because of the little information value we hold, but think about a top secret facility, a government, or someone holding high-value research data; it is pretty scary to decide what to trust. Ultimately, mate, anything electrical / electronic should not be trusted. No matter if it is a connected or disconnected device, powered on or in the off state. Just don’t trust it!

I may be paranoid, but it goes with the saying of you know who:

“A computer switched off, unplugged, buried under ground in an unknown location on earth cannot remain safe! Then how our devices can be???”

And I don’t want to open another can of worms with the recent PRISM happenings, as some things are better left undiscussed. Beware!! This is not being promiscuous!! It is just like that! Many more to go before the EOW!

Tuesday, February 12, 2013

Password creation – Tips and Myths

Not all use complex passwords. We humans tend to use simple (read very simple) words for passwords (such as “password”) for most non-critical logins; this gets deep into our system of using passwords and becomes a habit (which is pretty hard to break). This causes lots of unwanted issues when a third-party system (which obviously we trust) leaks the passwords or the hashes (of any type; strength is not a problem). Some advocates state that hashing should be used with a salt, but that does not really improve security if the database gets compromised and the salt values are known to the attacker.

Most of the common password cracking aka brute-forcing tools have an option to specify the salt to check. It really does not improve security at all if the user uses “password” as the password. The top passwords list is tried first to crack the obvious accounts within seconds, and a larger dictionary is employed for the rest. With the advent of CUDA / OpenCL the time to brute-force has dropped by leaps and bounds. I have written a password cracker in CUDA which can crack some hashes like NTLM at a whopping hashes per second. Though it is used only for private use, I am sure more such tools like HashCat / oclHashCat, which are available freely, can be employed by anyone who has decent hardware, or it can be rented from the cloud.
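The salt argument above is easy to see in a few lines. The following is an added example, not the author’s cracker or any real tool; it uses salted SHA-256 as a stand-in for whatever scheme a leaked database might use (an assumption), a constructed six-entry “top passwords” list, and constructed user records. It models the defensive audit a site owner would run over its own records, and shows the two sides of a per-user salt: an account with “password” still falls to a tiny list in a handful of hash computations, but the attacker has to redo that work once per user rather than once per wordlist entry.

```python
import hashlib
import secrets

# Constructed "top passwords" list, the kind of list the post refers to.
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]


def hash_password(password, salt):
    """Salted SHA-256 stand-in for a stored password hash (assumed scheme)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(username, password):
    """Store a password the way a salted database would: random per-user salt + hash."""
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def audit_salted(records, wordlist=TOP_PASSWORDS):
    """Defensive audit over salted records.

    Returns ({user: matched_word}, hash_computations). Each record needs its own
    pass over the wordlist because the salt differs per user.
    """
    hits, work = {}, 0
    for rec in records:
        for word in wordlist:
            work += 1
            if hash_password(word, rec["salt"]) == rec["hash"]:
                hits[rec["user"]] = word
                break
    return hits, work


def audit_unsalted(records, wordlist=TOP_PASSWORDS):
    """Same audit when no salt is used: one hash per word covers every record at once."""
    precomputed = {hash_password(word, b""): word for word in wordlist}
    work = len(wordlist)
    hits = {}
    for rec in records:
        if rec["hash"] in precomputed:
            hits[rec["user"]] = precomputed[rec["hash"]]
    return hits, work


# Constructed records: two weak passwords, one unrelated-words passphrase.
SALTED_RECORDS = [
    make_record("alice", "password"),
    make_record("bob", "Walking.the.dog.at.5am"),
    make_record("carol", "123456"),
]
UNSALTED_RECORDS = [
    {"user": r["user"], "salt": b"", "hash": hash_password(p, b"")}
    for r, p in zip(SALTED_RECORDS, ["password", "Walking.the.dog.at.5am", "123456"])
]

if __name__ == "__main__":
    for name, fn, recs in [("salted", audit_salted, SALTED_RECORDS),
                           ("unsalted", audit_unsalted, UNSALTED_RECORDS)]:
        hits, work = fn(recs)
        print(f"{name}: weak accounts {hits} found with {work} hash computations")
```

With three users the difference in work is negligible, which is the post’s point: a salt does nothing for a password that is on the list. Scale the record count to millions and the salt is what prevents a single precomputed table from unlocking every account at once, so it is still worth having; it just cannot rescue a weak password.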

What really secures the password? Okay. Do not say the answer is the Google Ring! I will not use it! Instead the following might be of some help. Though I might not be the expert (disclaimer!!!), I have been following what I am going to preach.

Not all passwords with special characters are safe if they are shorter than 14 characters. Come on, a 14-character key space is not strong enough even if it employs special characters. Believe me, there are only a few special characters which most people use! :D. Armed with a little background in frequency analysis, the key space gets drastically reduced, lowering the security of the so-called complex password.

A simple method of using longer, totally unrelated (but meaningful to you) sentences makes a very good password. And it exceeds the common character limitation which you will find in a normal complex password. Multiply that by the number of sites for which you have to use a unique password, and only a tool like LastPass can offer some help! Even a sentence like “Attendingevening.school” can be a good password which is not forgotten, can be typed easily and offers pretty decent security. Also, typing such passwords on a mobile device is very easy! Believe me!

Also always check out the password’s strength using some online tool like PasswordMeter!

Placing a random dot between words makes a lot of sense and improves the security. Really, you don’t have to worry about the bla bla bla password policies and will still conform to most of the commonly used ones (unless you are in a super special sterile environment!). I hope it makes a difference!

Be sure to check out the password infographic from ZoneAlarm! A pretty interesting read too on what not to use!
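The length-versus-complexity argument in the three paragraphs above can be put into numbers. This is an added example, not from the post or from PasswordMeter; it estimates the character-level key space of a password in bits, once for the full character classes present and once for a “reduced” alphabet that counts only the handful of special characters people actually use (the frequency-analysis point), and converts both into time-to-exhaust at a hypothetical guessing rate. The rate of 10^10 guesses per second and the eight-character “common specials” set are assumptions chosen for illustration, not figures from the post.

```python
import math
import string

# Hypothetical GPU-class guessing rate for a fast unsalted hash (assumption).
ASSUMED_GUESSES_PER_SECOND = 1e10
# The handful of specials most people reach for (assumption, for the reduced estimate).
COMMON_SPECIALS = "!@#$%^&*"

_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable specials
]


def charset_size(password, reduced=False):
    """Size of the alphabet made of every character class the password uses.

    With reduced=True the punctuation class is shrunk to COMMON_SPECIALS,
    modelling an attacker who only tries the specials people really use.
    """
    size = 0
    for chars, n in _CLASSES:
        if any(c in chars for c in password):
            if reduced and chars == _CLASSES[3][0]:
                n = len(COMMON_SPECIALS)
            size += n
    return size


def keyspace_bits(length, alphabet_size):
    """log2 of the number of strings of that length over that alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every string in a key space of 2**bits at the given rate."""
    return (2.0 ** bits) / rate / (365 * 24 * 3600)


def estimate(password):
    """Full and reduced-alphabet key-space estimates for one password."""
    full = charset_size(password)
    reduced = charset_size(password, reduced=True)
    bits_full = keyspace_bits(len(password), full)
    bits_reduced = keyspace_bits(len(password), reduced)
    return {
        "length": len(password),
        "alphabet_full": full,
        "alphabet_reduced": reduced,
        "bits_full": bits_full,
        "bits_reduced": bits_reduced,
        "years_full": years_to_exhaust(bits_full),
        "years_reduced": years_to_exhaust(bits_reduced),
    }


if __name__ == "__main__":
    # Constructed candidates: a 14-character "complex" password versus the post's phrase.
    for pw in ["P@ssw0rd!Xy12#", "Attendingevening.school"]:
        e = estimate(pw)
        print(f"{pw!r}: {e['length']} chars, alphabet {e['alphabet_full']} "
              f"(reduced {e['alphabet_reduced']}), {e['bits_full']:.1f} bits "
              f"(reduced {e['bits_reduced']:.1f}), ~{e['years_reduced']:.2e} years "
              f"at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

These character-level figures are an upper bound on what a brute-force attacker faces. A guesser that works at the word level does better against phrases built from common words in a predictable order, which is exactly why the post insists on unrelated words and a dot in an unexpected place: the length buys the raw bits, the unrelatedness keeps a dictionary-based guesser from shortcutting them.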