
Monday, 20 October 2014

Android Security Hardening Cheats Part-2

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS benchmark down to the most critical steps for your devices, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.


How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective device.
CIS - Reference number in The Center for Internet Security (CIS) benchmark, if applicable.
UT Note - The notes after each checklist provide additional details about the step for the university computing environment.
Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).

Supported devices

Supported devices include any that can run Android 4.0 and later. Some security settings and options may not be available on older devices.

Checklist

All items marked with a ! are mandatory to be considered compliant with the Minimum Standards governing the use of Category I data.
| Step | To Do | CIS | UT Note | Cat I | Cat II/III |
|------|-------|-----|---------|-------|------------|
| | Basic Security | | | | |
| 1 | Update operating system to the latest version | 1.1.1 | | ! | ! |
| 2 | Do not root the device | | | ! | |
| 3 | Do not install applications from third party app stores | 1.1.17 | | ! | |
| 4 | Enable device encryption | 1.1.15 | § | ! | |
| 5 | Disable 'developer options' | 1.1.16 | § | ! | ! |
| 6 | Use an application/service to provide remote wipe functionality | 3.2 | § | ! | |
| 7 | Enable Android Device Manager | | § | | |
| 8 | Erase all data before return, repair, or recycle | 1.1.11 | § | ! | ! |
| | Authentication Security | | | | |
| 9 | Set a PIN and automatically lock the device when it sleeps | 1.1.2 | § | ! | ! |
| 10 | Set an alphanumeric password | 1.1.3 | § | | |
| 11 | Set auto-lock timeout | 1.1.4 | § | ! | ! |
| 12 | Disable 'make passwords visible' | 1.1.14 | § | | |
| 13 | Erase data upon excessive passcode failures | | § | ! | |
| | Browser Security | | | | |
| 14 | Show security warnings for visited sites | 1.2.2 | § | ! | ! |
| 15 | Disable 'Form auto-fill' | 1.2.3 | § | | |
| 16 | Do not automatically remember passwords | 1.2.7 | § | | |
| 17 | Disable browser plug-ins | 1.2.6 | § | | |
| 18 | Turn on Do Not Track | | § | | |
| | Network Security | | | | |
| 19 | Turn off Bluetooth when not in use | 1.1.9 | § | | |
| 20 | Disable Network Notification | 1.1.6 | § | ! | |
| 21 | Forget Wi-Fi networks to prevent automatic rejoin | 1.1.5 | § | | |
| | Additional Security Settings (see footnote 1) | | | | |
| 22 | Turn off Location Services | 1.1.8 | § | | |
| 23 | Use a third party application to password protect applications with sensitive data | | § | | |
| 24 | Limit the number of text (SMS) and multimedia messages (MMS) saved | 1.1.18 - 1.1.19 | § | | |
| 25 | Disallow cookies in Chrome browser | 1.2.4 | § | | |
| 26 | Disable JavaScript in Chrome browser | 1.2.1 | § | | |
| 27 | Use TextSecure to encrypt SMS messages | | § | | |

Footnote

1 These security settings are proactive in nature, but are intended for devices where there exists a very high need for security, as they may negatively impact the user experience and interfere with the functionality and utility of many applications.

UT Note: Addendum

This list provides specific tasks related to the computing environment at The University of Texas at Austin.
Please be aware that the exact process for activating security features will vary from device to device and between versions of the operating system.  The instructions here are provided for reference only and will not be applicable to all handsets.  It is recommended that users follow the instructions contained in the operating manual for their device where possible.
1
Update operating system to the latest version
Android devices ship with various versions of the operating system, determined by both the selected carrier and handset manufacturer. New versions of the Android operating system frequently address security vulnerabilities in addition to providing bug fixes and adding new features. Not all devices will support the most recent version of Android and not all carriers will make upgrades available for all handsets, even ones that are capable of running the newer software. Upgrade to the latest available and supported version for your device.
For high security environments, plan on replacing devices every 2-3 years in order to stay current on operating system releases. Additionally, consider using only Nexus devices, which are supported by Google directly instead of a mobile carrier, in order to ensure that operating system updates are actually made available to you.
2
Do not root the device
Rooting an Android device often takes advantage of known vulnerabilities in the operating system to disable the security controls that prevent users and applications from performing actions such as executing privileged commands, interacting with the hardware at a low level, modifying and deleting necessary system files, and removing carrier and manufacturer installed applications. Once these security controls are bypassed, any application has the ability to break out of its sandbox and act maliciously (perhaps unintentionally). Installers for rooting Android devices typically add a Superuser application which is used to specify the applications that have the ability to elevate their privileges; however, this is another security control that must be managed and monitored by the end user. Unlike iOS devices, rooting is not required to sideload applications.
You should understand that by rooting your device, you are taking on increased responsibility for securing your device and protecting yourself from malicious software. Devices used with Category I data should not be rooted.
3
Do not install applications from third party app stores
Google manages applications distributed through the Google Play store and has the ability to remove malicious applications both from the store when discovered and directly from any devices that have installed the applications from the Google Play store. Installing applications from other sources is riskier since you have no way of knowing how the stores are managed and whether or not the applications available in it can be trusted to not be malicious in nature.
To disable application installation from unknown sources:
  1. Press the Menu button
  2. Tap System settings.
  3. Tap Security.
  4. Scroll to Device administration.
  5. Uncheck Unknown sources.
4
Enable device encryption
When enabled, Android uses your passcode or password to generate an encryption key that is then used to encrypt the device. This passcode/password is then required every time the device is powered on. This protects the data stored on the device from unauthorized access in the event that it is lost or stolen. The encryption process may take an extended amount of time, depending upon the amount of storage in the device. The device needs to remain plugged in and the encryption process should not be interrupted.
To encrypt a device:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Scroll to Encryption.
  6. Tap Encrypt [device].
  7. Tap Encrypt [device] again.
  8. Enter lock screen passcode or password when prompted.
  9. Tap Continue.
  10. Tap Encrypt [device].
5
Disable 'developer options'
Android provides a number of features that allow developers to interact with the device through the built-in USB power/data port to change its behavior, read and modify local storage, and issue commands. When enabled, it is possible to completely control a device through this interface. These features should be enabled only as needed and only for the duration required for testing.
To disable developer options:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to System.
  4. Tap Developer options.
  5. Uncheck USB debugging.
  6. Uncheck Stay awake.
  7. Uncheck Mock locations.
6
Use an application/service to provide remote wipe functionality
The intent with this is to ensure that if the device is lost, the data can be erased remotely.  There are a couple of ways to accomplish this with Android:
  • Austin Exchange Messaging Service provides this functionality to synchronized devices.  Device wipes can be requested by the Exchange server administrator or initiated by the account holder through Outlook Web Access under Options > Mobile Devices.
  • Google Play provides this functionality through the free Android Device Manager service.
  • Many third party applications provide this functionality. Some options include Norton Mobile Security, Wave Secure, Lookout, Security Shield, and Theft Aware. The exact feature set of each application varies; some do much more than just provide remote wipe functionality. At a minimum, users should look for the ability to lock the device remotely, wipe the device remotely, and wipe the device after too many failed unlock attempts when evaluating products for this requirement.
7
Enable Android Device Manager
Android Device Manager is a free service provided by Google that allows users to track and remotely lock or erase an Android device. A free Google account is required to use this service. If a device is lost or stolen, having this service enabled may allow the owner to find and recover the device with the assistance of the University Police Department (UTPD). Even if recovery of the device isn't possible, the ability to remotely erase may protect any sensitive data that was stored on it.
To enable Android Device Manager:
  1. Press the Menu button.
  2. Tap System settings.
  3. Tap Security.
  4. Scroll to Device administration.
  5. Tap Device administrators.
  6. Check Android Device Manager.
  7. Tap Activate.
8
Erase all data before return, repair, or recycle
In order to prevent an unauthorized person from being able to recover sensitive information from the device, the disk should be erased before it is out of your physical control. Note that for this method of erasing a device to be secure, meaning that the data is not forensically recoverable, encryption may need to be enabled on the device first (see control 4 above). This will vary based upon the specific device.
To erase a device:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Backup & reset.
  5. Tap Factory data reset.
  6. Check "Erase SD card" unless the SD card will be disposed of separately from the device.
  7. Tap Reset phone.
  8. Enter the passcode if requested.
  9. Tap Next.
  10. Tap Erase everything.
9
Set a PIN and automatically lock the device when it sleeps
Setting a PIN prevents casual unauthorized access to a device. A PIN (or a password) is more secure than a pattern as patterns can be trivially observed by people around you and there have been cases of using the fingerprint smudges on devices to derive lock-screen patterns. While setting a PIN you can also configure the device to immediately require that you enter the PIN after the device sleeps. This will prevent the device from being unlocked after sleeping from inactivity without entering the PIN first. Since a 4 digit PIN only has a maximum of 10,000 possible combinations, we recommend that users select a longer PIN.
To set a PIN:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Tap Screen lock.
  6. Tap PIN.
  7. Type in a PIN.
  8. Tap Continue.
  9. Enter the same PIN again.
  10. Tap OK.
  11. Tap Automatically lock.
  12. Tap Immediately.
  13. Check Power button instantly locks if not already checked.
10
Set an alphanumeric password
In addition to the PIN and pattern options for authentication, Android also supports the use of an alphanumeric password. For high security applications, it is recommended that a complex alphanumeric password be used instead of a PIN or pattern.
To enter an alphanumeric password:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Personal.
  4. Tap Security.
  5. Tap Screen lock.
  6. Tap Password.
  7. Type in a complex password.
  8. Tap Continue.
  9. Enter the same password again.
  10. Tap OK.
  11. Tap Automatically lock.
  12. Select Immediately.
  13. Check Power button instantly locks if not already checked.
11
Set auto-lock timeout
This option automatically locks the device after it has been inactive for the specified amount of time.
To enable:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Device.
  4. Tap Display.
  5. Tap Sleep.
  6. Tap 2 minutes.
  7. Press the Back button.
  8. Scroll to Personal.
  9. Tap Security.
  10. Confirm that Automatically lock is set to "2 minutes after sleep."
12
Disable 'make passwords visible'
This feature controls whether passwords are displayed as they are entered. Disabling this feature increases security by making it harder for people in close physical proximity to learn your passwords by observing you interact with your device.
To hide passwords as they are entered:
  1. Press the Menu button.
  2. Tap System settings.
  3. Tap Security.
  4. Uncheck Make passwords visible.
13
Erase data upon excessive passcode failures
Refer to control 6 above. Android does not natively provide this functionality, but there are a number of third party applications, some of which were mentioned earlier, which can. Since excessive passcode failures typically indicate the device is out of your physical control, having the device automatically erase may protect the confidentiality of information stored on the device.
14
Show security warnings for visited sites
This feature will warn you of common security problems, such as invalid or expired SSL certificates, affecting the web sites you visit. These warnings could indicate that communications between your computer and the site's server are not secure, meaning that data sent to the site could be intercepted. Caution should be exercised when using sites that generate security warnings with this feature.
To show security warnings for sites:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Check Show security warnings.
15
Disable 'Form auto-fill'
Data entered into web forms may be stored so that, upon subsequent visits to the page, the form can be auto-completed. While this may be convenient, it also may result in the storage of sensitive information, such as passwords and credit card numbers, locally on the device. Additionally, automatically filling in web forms could result in the unintentional disclosure of sensitive data to unauthorized people.
To disable the 'Form auto-fill' functionality:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Form data.
  6. Tap Clear form data.
  7. Tap OK on the confirmation dialog.
  8. Uncheck Remember form data.
  9. Press the Back button.
  10. Tap General.
  11. Uncheck Form auto-fill.
16
Do not automatically remember passwords
Refer to control 14 above. Passwords entered into forms are automatically stored so that they can be auto-filled upon subsequent visits to the site. This not only results in the local storage of user credentials entered via the web browser, but having the browser automatically fill forms using this data may result in the unintentional disclosure of the data to an unauthorized person.
To prevent the browser from remembering passwords:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Passwords.
  6. Tap Clear passwords and tap OK on the confirmation dialog.
  7. Uncheck Remember passwords.
17
Disable browser plug-ins
Chrome supports plug-ins that allow developers more control over sites or enable richer user experiences, such as Flash. Historically, the security of such plug-ins has been very poor and they have been and remain a very commonly exploited vector for infection by malware. Plug-ins should only be enabled for trusted sites and disabled when not in use.
To disable plug-ins in Chrome:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Advanced.
  5. Tap Enable plug-ins.
  6. Select Off.
18
Turn on Do Not Track
The Do Not Track option instructs Chrome to send a specific header in web requests that indicates your preference not to be tracked by the websites you visit. Many sites have opted to honor this preference, so there is some small privacy benefit from enabling it. It is important to note, however, that this feature is strictly voluntary and web sites are under no obligation to honor it. There are no guarantees that any specific web site will now, or in the future continue to, obey this header.
To turn on Do Not Track:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy.
  5. Tap Do Not Track.
  6. Select On.
19
Turn off Bluetooth when not in use
Disabling Bluetooth reduces the remote attack surface of devices and may also prevent you from unintentionally connecting to unknown Bluetooth services and devices. Bluetooth should be enabled only when it is actively being used.
To turn off Bluetooth:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Wireless & networks.
  4. Slide the Bluetooth switch to Off.
20
Disable Network Notification
By default, when no previously joined network is available, Android devices automatically present a list of detected wireless networks, reachable from an icon in the status bar, that users may attempt to connect to. The issue is that anyone can run a wireless hotspot, and joining a poorly configured or insecure network could allow a malicious user on that same network to intercept, capture, and alter any network traffic sent by a user. In fact, many attackers will intentionally run wireless networks in popular, crowded areas, like airports and coffee shops, hoping to lure unsuspecting users into connecting. If this feature is disabled, you must manually search for and select a wireless network to join. This may reduce the risk of inadvertently joining a similarly named yet untrusted network (e.g. “defualt” instead of “default”).
To disable network notifications:
  1. Press the Menu button.
  2. Tap System settings.
  3. Tap More... if present.
  4. Tap Wi-Fi settings.
  5. Tap the Menu icon and choose Advanced.
  6. Uncheck Network notification.
21
Forget Wi-Fi networks to prevent automatic rejoin
By default, an Android device will remember and automatically rejoin networks that it has previously associated with. The problem with this is that a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined. Additionally, if a previously joined network has a common SSID, such as “default” or “linksys”, it is very probable that the device will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.
To forget a remembered or connected Wi-Fi network:
  1. Press the Menu button.
  2. Tap System settings.
  3. Scroll to Wireless & networks.
  4. Tap More... if present.
  5. Tap Wi-Fi.
  6. In the Wi-Fi settings, locate the Wi-Fi network.
  7. Tap and hold down on the entry for the network you wish to forget.
  8. Tap Forget.
22
Turn off Location Services
Location Services allows installed applications and visited websites the ability to request your current location. Once access is granted to an application, the application may request the data again at any time with no further notification to users.
To turn off Location Services:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Scroll to Location.
  6. Uncheck "Enable location."
  7. Press the Home button.
  8. Press the Menu button.
  9. Tap System settings.
  10. Scroll to Personal.
  11. Tap Location services.
  12. Uncheck Google's location service.
  13. Uncheck GPS satellites.
23
Use a third party application to password protect applications with sensitive data
Some options for this include App Lock, App Protector Pro, and Protector. These applications allow for a separate password to be required to launch specific applications. This may be useful to secure applications that store sensitive data so they cannot be accessed even if the device is found unlocked. If supported by your device, however, encryption is a much stronger and more secure approach to protecting data (see control 4 above).
24
Limit the number of text (SMS) and multimedia messages (MMS) saved
For high security environments, limiting the number of SMS and MMS messages saved per conversation thread may reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.
To limit the number of messages saved:
  1. Tap the Message icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Check Delete old messages.
  5. Tap Text message limit.
  6. Scroll to 100.
  7. Tap Set.
  8. Tap Multimedia message limit.
  9. Scroll to 20 messages.
  10. Tap Set.
25
Disallow cookies in Chrome browser
While this setting does have the beneficial effect of disallowing third party tracking cookies, it is overall not recommended for most users as cookies are heavily utilized by typical modern web applications. Using this feature selectively, though, may provide a sort of limited privacy mode in Chrome.
To disable cookies:
  1. Tap the globe Browser icon.
  2. Press the Menu button.
  3. Tap Settings.
  4. Tap Privacy & security.
  5. Tap Clear all cookie data.
  6. Tap OK.
  7. Uncheck "Accept cookies."
26
Disable JavaScript in Chrome browser
Ideally JavaScript should only be available when browsing trusted websites. In high security environments, it may make sense to disable JavaScript as a method of hardening the browser against malicious web sites. This is not recommended for most users as JavaScript is heavily utilized by typical modern web applications.
To disable JavaScript:
  1. Tap the globe Browser icon.
  2. Press the menu button.
  3. Tap Settings.
  4. Tap Advanced.
  5. Uncheck JavaScript.
27
Use TextSecure to encrypt SMS messages
The application TextSecure available in the Google Play store can encrypt SMS and MMS messages in transit and at rest on the device. This helps secure your communications with others from interception and alteration. Also, just like limiting the number of messages saved (from control 24 above), this can reduce the likelihood and scope of information disclosure in the event the device is lost or compromised.

Sunday, 25 August 2013

External Security Assessment is important for all networks and applications

The most common solution to external network security assessments is scan, scan, scan…and then scan some more

One of the most common vulnerability assessment activities for all companies of all sizes is an external scan, typically targeting internet-facing websites. Because we service the vulnerability assessment and penetration testing needs of large enterprises, we know “you know” that scanning external-facing network resources is important, and an obvious high priority. But we also challenge you to understand that scanning alone is not enough, unless all you really want is a checkmark for an audit of one kind or another.

A complete job of assessing the hardness of your external network includes multiple steps. Here are four of the main steps that you should be familiar with:

  1. Anonymous information gathering to discover all Internet-facing assets a hacker could identify as potential entry-points into your network
  2. Scanning of your internet-available network access points and web servers for known vulnerabilities (non-credentialed)
  3. Verifying scan-result findings through in-depth manual pen testing attack techniques (both credentialed and non-credentialed)
  4. Providing deeply informed remediation guidance and advisory services for identified/verified vulnerabilities

Why is BriskInfoSec approached to discuss external vulnerability assessment work with large enterprises?

BriskInfoSec is approached by our large enterprise clients to assess the security of their external-facing network assets for many reasons, but chief among them are dissatisfaction with their own internal tools, their present provider, and/or their own internal team’s ability to effectively manage all of their external testing work efficiently over time in a consistent and professional manner. These kinds of situations frequently result in an assignment for someone in a company’s security staff to search out alternatives; which then open up an opportunity for BriskInfoSec to present our highly-disciplined, in-depth approach to assessing the security of their external-facing network assets as compared to their present approach.


What do these companies discover when comparing BriskInfoSec approach to external security testing with their own present approach?

Because BriskInfoSec is driven by an across-the-board corporate culture that’s passionate about delivering the highest-value findings and recommendations possible, we do more than the basic steps, we do all the steps on your behalf; and then even more than that. If you assign mid-to-low-level-importance projects to others, fine, we see that frequently. But if you have a set of high-value software assets or critical points-of-entry into your network, working with BriskInfoSec always begins with an education about scanning versus penetration testing:

  • Scanning and penetration testing are not the same thing, no matter how much the marketing folks working for the scanning tools manufacturers and scanning service providers make it sound that way
  • Scanning is never enough, it is only an initial step in the entire assessment process
  • Just the scanning step alone done effectively needs multiple scanning tools and multiple over-lapping scans run against the same resources in order to accomplish a thorough job of the scanning step
  • Scanning the same resources  with different tools (as just recommended) naturally returns different results in different data formats
  • Correlating and normalizing all this disparate scanning data requires special technology: like our proprietary CorrelatedVM™ platform that’s used by all of our pen testers and available (in part) to you through our CorrelatedVM Portal at no additional cost
  • Scanning identifies potential vulnerabilities, and the different scanners may recommend different remediation actions – but BriskInfoSec’s CorrelatedVM platform fixes that problem as it correlates and normalizes all the scanning data from multiple scanning products and multiple rounds of scanning into the best set of recommended remediation actions
  • Potential vulnerabilities identified by the initial scanning effort need to be verified by experts to eliminate false positives, and to thoroughly analyze the remainder, while also probing for any unidentified vulnerabilities the scanners could not find – this is work that only an expert pen testing company like BriskInfoSec can deliver 
In-depth pen testing to final reporting of findings and recommendations is what sets BriskInfoSec apart, and why we are given the critical responsibility of assessing the security of your most high-value/high-risk external-facing network assets.

The power of CorrelatedVM comes at no cost to you and provides real benefits that only BriskInfoSec can deliver

CorrelatedVM™, our proprietary vulnerability assessment and pen testing management platform, will be utilized for your external network penetration testing service when you hire BriskInfoSec. The CorrelatedVM platform and your complimentary access to its SaaS-based customer portal set our deep-dive pen test work and customer-facing deliverables light years apart from all other pen test services. This one-of-a-kind, powerful platform has been continually enhanced and used exclusively by BriskInfoSec’s elite team of pen test consultants on every pen test engagement for over a decade now.


Once you see our team in action with the CorrelatedVM platform, and what CorrelatedVM can offer your organization in the way of automating and disciplining your external vulnerability assessment efforts, you’ll realize how it solves presently unsolvable problems that will profoundly benefit all of your vulnerability management programs going forward.


Contact us to conduct external security testing against your applications and network at an affordable price: info@briskinfosec.com


Wednesday, 5 June 2013

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”









In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.
Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.
The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")
While Anderson's 47-percent success rate is impressive, it's minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn't disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.
The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. The most thorough of the three cracks was carried out by Jeremi Gosney, a password expert with Stricture Consulting Group. Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. (oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in this article used.) Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards. A third cracker who goes by the moniker radix deciphered 62 percent of the hashes using a computer with a single 7970 card—also in about one hour. And he probably would have cracked more had he not been peppered with questions throughout the exercise.
The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."
A screenshot showing a small sampling of cracked passwords.
As big as the word lists that all three crackers in this article wielded—close to 1 billion strong in the case of Gosney and Steube—none of them contained "Coneyisland9/," "momof3g8kids," or the more than 10,000 other plains that were revealed with just a few hours of effort. So how did they do it? The short answer boils down to two variables: the website's unfortunate and irresponsible use of MD5 and the use of non-randomized passwords by the account holders.

Life in the fast lane

"These are terrible passwords," radix, who declined to give his real name, told Ars just a few minutes into run one of his hour-long cracking session. "There's probably not a complexity requirement for them. The hashing alone being MD5 tells me that they really don't care about their passwords too much, so it's probably some pre-generated site."
Like SHA1, SHA3, and most other algorithms, MD5 was designed to convert plaintext into hashes, also known as "message digests," quickly and with a minimal amount of computation. That works in the favor of crackers. Armed with a single graphics processor, they can cycle through more than eight billion password combinations each second when attacking "fast" hashes. By contrast, algorithms specifically designed to protect passwords require significantly more time and computation. For instance, the SHA512crypt function included by default in Mac OS X and most Unix-based operating systems passes text through 5,000 hashing iterations. This hurdle would limit the same one-GPU cracking system to slightly less than 2,000 guesses per second. Examples of other similarly "slow" hashing algorithms include bcrypt, scrypt, and PBKDF2.
The other variable was the account holders' decision to use memorable words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy to remember are precisely the things that allowed them to be cracked. Their basic components—"mom," "kids," "oscar," "emmy," and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.
What's more, like the other two crackers profiled in this article, radix didn't know where the password list was taken from, eliminating one of the key techniques crackers use when deciphering leaked hashes. "If I knew the site, I would go there and find out what the requirements are," he said. The information would have allowed radix to craft custom rule sets targeted at the specific hashes he was trying to crack.

Anatomy of a crack

The longer answer to how these relatively stronger passwords were revealed requires comparing and contrasting the approaches of the three crackers. Because their equipment and the amount of time they devoted to the exercise differed, readers shouldn't assume one cracker's technique was superior to those of the others. That said, all three cracks resembled video games where each successive level is considerably harder than the last. The first stage of each attack typically cracked in excess of 50 percent of the hashes, with each stage that came later cracking smaller and smaller percentages. By the time they got to the latest rounds, they considered themselves lucky to get more than a few hundred plains.
True to that pattern, Gosney's first stage cracked 10,233 hashes, or 62 percent of the leaked list, in just 16 minutes. It started with a brute-force crack for all passwords containing one to six characters, meaning his computer tried every possible combination starting with "a" and ending with "//////." Because guesses have a maximum length of six and are drawn from a set of 95 characters—that's 26 lower-case letters, 26 upper-case letters, 10 digits, and 33 symbols—there are a manageable number of total guesses. The total is the sum 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95. It took him just two minutes and 32 seconds to complete the round, and it yielded the first 1,316 plains of the exercise.
Beyond a length of six, however, Gosney was highly selective about the types of brute-force attacks he tried. That's because of the exponentially increasing number of guesses each additional character creates. While it took only hours to brute-force all passwords from one to six characters, it would have taken Gosney days, weeks, or even years to brute-force longer passwords. Robert Graham, the CEO of Errata Security who has calculated the requirements, refers to this limitation as the "exponential wall of brute-force cracking."
Brute-force cracks work well against shorter passwords. The technique can take days or months for longer passcodes, even when using Amazon's cloud-based EC2 service.
Recognizing these limits, Gosney next brute-force cracked all passwords of length seven or eight that contained only lower-case letters. That significantly reduced the time required and still cracked 1,618 hashes. He tried all passwords of length seven or eight that contained only upper-case letters to reveal another 708 plains. Because their "keyspace" was the sum of 26^8 + 26^7, each of these steps was completed in 41 seconds. Next, he brute-forced all passwords made up solely of numbers from one to 12 digits long. It cracked 312 passcodes and took him three minutes and 21 seconds.
It was only then that Gosney turned to his word lists, which he has spent years fine tuning. Augmenting the lists with the "best64" rule set built into Hashcat, he was able to crack 6,228 hashes in just nine minutes and four seconds. To complete stage one, he ran all the plains he had just captured in the previous rounds through a different rule set known as "d3ad0ne" (named after its creator who is a recognized password expert). It took one second to complete and revealed 51 more plains.
"Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes," Gosney explained in an e-mail. He continued:
And because I can brute-force this really quickly, I have all of my wordlists filtered to only include words that are at least six chars long. This helps to save disk space and also speeds up wordlist-based attacks. Same thing with digits. I can just brute-force numerical passwords very quickly, so there are no digits in any of my wordlists. Then I go straight to my wordlists + best64.rule since those are the most probable patterns, and larger rule sets take much longer to run. Our goal is to find the most plains in the least amount of time, so we want to find as much low-hanging fruit as possible first.
Cracking the weakest passwords first is especially helpful when hashes contain cryptographic salt. Originally devised to thwart rainbow tables and other types of precomputed techniques, salting appends random characters to each password before it is hashed. Besides defeating rainbow tables, salting slows down brute-force and dictionary attacks because hashes must be cracked one at a time rather than all of them at once.
But the thing about salting is this: it slows down cracking only by a multiple of the number of unique salts in a given list. That means the benefit of salting diminishes with each cracked hash. By cracking the weakest passwords as quickly as possible first (an optimization offered by Hashcat) crackers can greatly diminish the minimal amount of protection salting might provide against cracking. Of course, none of this applies in this exercise since the leaked MD5 wasn't salted.
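A storage-side illustration of the two points made so far, fast versus slow hashes and what salt does and does not buy, added here as an example and not part of the original article. The account names, the record format, and the 200,000-iteration PBKDF2 work factor are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example; tune to your hardware


def md5_record(password):
    """Unsalted fast hash, the scheme the breached site in the article used."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_record(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _scheme, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def hash_ops_per_guess(records):
    """Hash computations needed to test ONE candidate against every record.

    Unsalted records share a single computation; salted records need one
    per unique salt, which is the only multiplier salting provides.
    """
    salts = {(r.split("$")[2] if r.startswith("pbkdf2_sha256$") else None)
             for r in records}
    return len(salts)


def seconds_per_hash(fn, rounds):
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def slowdown(password="Oscar+emmy2"):
    """How many times more expensive one KDF guess is than one MD5 guess here."""
    fast = seconds_per_hash(lambda: md5_record(password), 20_000)
    slow = seconds_per_hash(lambda: kdf_record(password, b"\x00" * 16), 3)
    return slow / fast


# Constructed accounts: two users picked the same password.
USERS = {"alice": "momof3g8kids", "bob": "momof3g8kids", "carol": "Oscar+emmy2"}

if __name__ == "__main__":
    md5_db = [md5_record(p) for p in USERS.values()]
    kdf_db = [kdf_record(p) for p in USERS.values()]
    print("identical MD5 records for alice and bob:", md5_db[0] == md5_db[1])
    print("hash ops per guess, unsalted MD5:", hash_ops_per_guess(md5_db))
    print("hash ops per guess, salted KDF: ", hash_ops_per_guess(kdf_db))
    print("per-guess slowdown of the KDF:   %.0fx" % slowdown())
```

The salt multiplier equals the number of accounts still uncracked, so it shrinks as weak passwords fall; the per-guess slowdown from the KDF applies to every guess regardless.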
With 10,233 hashes cracked in stage one, it was time for stage two, which consisted of a series of hybrid attacks. True to the video game analogy mentioned earlier, this second stage of attacks took considerably longer than the first one and recovered considerably fewer plains—to be exact, five hours and 12 minutes produced 2,702 passwords.
As the name implies, a hybrid attack marries a dictionary attack with a brute-force attack, a combination that greatly expands the reach of a well-honed word list while keeping the keyspace to a manageable length. The first round of this stage appended all possible two-character strings containing digits or symbols to the end of each word in his dictionary. It recovered 585 plains and took 11 minutes and 25 seconds to run. Round two appended all possible three-character strings containing digits or symbols. It cracked 527 hashes and required 58 minutes to complete. The third round, which appended all four-digit number strings, took 25 minutes and recovered 435 plains. Round four appended all possible strings containing three lower-case letters and digits and acquired 451 more passwords.
As fruitful as these attacks were, Gosney said they were handicapped by his use of a single graphics card for this exercise.
"For example, you'll notice that when I was doing hybrid attacks, I appended 2-3 digits/special but then only did digits with length 4," he explained. "This is because doing digits/special for length 4 would have taken a really long time with just one GPU, so I skipped it. Same with when I started appending lower alpha/digits, I only did length 3 because length 4 would have taken too long with just one GPU."
No doubt, Gosney could have attacked much larger keyspaces had he used the monster 25-GPU cluster he unveiled in December. Because the graphics cards in the five-server system scale almost linearly, it's able to harness almost all of their combined power. As a result, it can achieve 350 billion guesses per second when cracking password hashes generated by Microsoft's NTLM algorithm. And it could generate similar results when going up against MD5 and other fast hash functions.
The remaining hybrid attacks in stage two continued in the same vein. By the time it was completed, he had cracked a total of 12,935 hashes, or 78.6 percent of the list, and had spent a total of just 5 hours and 28 minutes doing it.
One of the things Gosney and other crackers have found is that passwords for a particular site are remarkably similar, despite being generated by users who have never met each other. After cracking such a large percentage of hashes from this unknown site, the next step was to analyze the plains and mimic the patterns when attempting to guess the remaining passwords. The result is a series of statistically generated brute-force attacks based on a mathematical system known as Markov chains. Hashcat makes it simple to implement this method. By looking at the list of passwords that already have been cracked, it performs probabilistically ordered, per-position brute-force attacks. Gosney thinks of it as an "intelligent brute-force" that uses statistics to drastically limit the keyspace.
Where a classic brute-force tries "aaa," "aab," "aac," and so on, a Markov attack makes highly educated guesses. It analyzes plains to determine where certain types of characters are likely to appear in a password. A Markov attack with a length of seven and a threshold of 65 tries all possible seven-character passwords with the 65 most likely characters for each position. It drops the keyspace of a classic brute-force from 95^7 to 65^7, a benefit that saves an attacker about four hours. And since passwords show surprising uniformity when it comes to the types of characters used in each position—in general, capital letters come at the beginning, lower-case letters come in the middle, and symbols and numbers come at the end—Markov attacks are able to crack almost as many passwords as a straight brute-force.
"This is where your attack plan deviates from the standard and becomes unique, because now you're doing site-specific attacks," Gosney said. "From there, if you start hitting upon any interesting patterns, you just start chasing those patterns down the rabbit hole. Once you've fully exploited one pattern you move on to the next."
In all, it took Gosney 14 hours and 59 minutes to complete this third stage, which besides Markov attacks included several other custom wordlists combined with rules. Providing further evidence of the law of diminishing returns that dictates password cracking, it yielded 1,699 more passwords. It's interesting to note that the increasing difficulty is experienced even within this last step itself. It took about three hours to cover the first 962 plains in this stage and 12 hours to get the remaining 737.
The other two password experts who cracked this list used many of the same techniques and methods, although not in the same sequence and with vastly different tools. The only wordlist used by radix, for example, came directly from the 2009 breach of online games service RockYou. Because the SQL-injection hack exposed more than 14 million unique passwords in plaintext, the list represents the largest corpus of real-world passwords ever to be made public. radix has a much bigger custom-compiled dictionary, but like a magician who doesn't want to reveal the secret behind a trick, he kept it under wraps during this exercise.

Killing hashes

As in Nate Anderson's foray into password cracking, radix was able to crack 4,900 of the passwords, nearly 30 percent of the haul, solely by using the RockYou list. He then took the same list, cut the last four characters off each of the words, and appended every possible four-digit number to the end. Hashcat told him it would take two hours to complete, which was longer than he wanted to spend. Even after terminating run two after 20 minutes, he had cracked 2,136 more passcodes. radix then tried brute-forcing all numbers, starting with a single digit, then two digits, then three digits, and so on (259 additional plains recovered).
He seemed to choose techniques for his additional runs almost at random. But in reality, it was a combination of experience, intuition, and possibly a little luck.
"It's all about analysis, gut feelings, and maybe a little magic," he said. "Identify a pattern, run a mask, put recovered passes in a new dict, run again with rules, identify a new pattern, etc. If you know the source of the hashes, you scrape the company website to make a list of words that pertain to that specific field of business and then manipulate it until you are happy with your results."
He then ran the 7,295 plains he recovered so far through PACK, short for the Password Analysis and Cracking Toolkit (developed by password expert Peter Kacherginsky), and noticed some distinct patterns. A third of them contained eight characters, 19 percent contained nine characters, and 16 percent contained six characters. PACK also reported that 69 percent of the plains were "stringdigit" meaning a string of letters or symbols that ended with numbers. He also noticed that 62 percent of the recovered passwords were classified as "loweralphanum," meaning they consisted solely of lower-case letters and numbers.
This information gave him fodder for his next series of attacks. In run 4, he ran a mask attack. This is similar to the hybrid attack mentioned earlier, and it brings much of the benefit of a brute-force attack while drastically reducing the time it takes to run it. The first one tried all possible combinations of lower-case letters and numbers, from one to six characters long (341 more plains recovered). The next step would have been to try all combinations of lower-case letters and numbers with a length of eight. But that would have required more time than radix was willing to spend. He then considered trying all passwords with a length of eight that contained only lower-case letters. Because the attack excludes upper case letters, the search space was manageable, 26^8 instead of 52^8. With radix's machine, that was the difference between spending a little more than one minute and six hours respectively. The lower threshold was still more time than he wanted to spend, so he skipped that step too.
So radix then shifted his strategy and used some of the rule sets built into Hashcat. One of them allows Hashcat to try a random combination of 5,120 rules, which can be anything from swapping each "e" with a "3," pulling the first character off each word, or adding a digit between each character. In just 38 seconds the technique recovered 1,940 more passwords.
"That's the thrill of it," he said. "It's kind of like hunting, but you're not killing animals. You're killing hashes. It's like the ultimate hide and seek." Then acknowledging the dark side of password cracking, he added: "If you're on the slightly less moral side of it, it has huge implications."
Steube also cracked the list of leaked hashes with aplomb. While the total number of words in his custom dictionaries is much larger, he prefers to work with a "dict" of just 111 million words and pull out the additional ammunition only when a specific job calls for it. The words are ordered from most to least commonly used. That way, a particular run will crack the majority of the hashes early on and then slowly taper off. "I wanted it to behave like that so I can stop when things get slower," he explained.
Early in the process, Steube couldn't help remarking when he noticed one of the plains he had recovered was "momof3g8kids."
"This was some logic that the user had," Steube observed. "But we didn't know about the logic. By doing hybrid attacks, I'm getting new ideas about how people build new [password] patterns. This is why I'm always watching outputs."
The specific type of hybrid attack that cracked that password is known as a combinator attack. It combines each word in a dictionary with every other word in the dictionary. Because these attacks are capable of generating a huge number of guesses—the square of the number of words in the dict—crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down. Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.
"The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."
What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."
The ease these three crackers had converting hashes into their underlying plaintext contrasts sharply with the assurances many websites issue when their password databases are breached. Last month, when daily coupons site LivingSocial disclosed a hack that exposed names, addresses, and password hashes for 50 million users, company executives downplayed the risk.
"Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one," CEO Tim O'Shaughnessy told customers.
In fact, there's almost nothing preventing crackers from deciphering the hashes. LivingSocial used the SHA1 algorithm, which as mentioned earlier is woefully inadequate for password hashing. O'Shaughnessy also mentioned that the hashes had been "salted," meaning a unique set of bits had been added to each user's plaintext password before it was hashed. It turns out that this measure did little to mitigate the potential threat. That's because salt is largely a protection against rainbow tables and other types of precomputed attacks, which almost no one ever uses in real-world cracks. The file sizes involved in rainbow attacks are so unwieldy that they fell out of vogue once GPU-based cracking became viable. (LivingSocial later said it's in the process of transitioning to the much more secure bcrypt function.)
Officials with Reputation.com, a service that helps people and companies manage negative search results, borrowed liberally from the same script when disclosing their own password breach a few days later. "Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access," a company e-mail told customers.
Both companies should have said that, with the hashes exposed, users should presume their passwords are already known to the attackers. After all, cracks against consumer websites typically recover 60 percent to 90 percent of passcodes. Company officials also should have warned customers who used the same password on other sites to change them immediately.
To be fair, since both sites salted their hashes, the cracking process would have taken longer to complete against large numbers of hashes. But salting does nothing to slow down the cracking of a single hash and does little to slow down attacks on small numbers of hashes. This means that certain targeted individuals who used the hacked sites—for example, bank executives, celebrities, or other people of particular interest to the attackers—weren't protected at all by salting.
The prowess of these three crackers also underscores the need for end users to come up with better password hygiene. Many Fortune 500 companies tightly control the types of passwords employees are allowed to use to access e-mail and company networks, and they go a long way to dampen crackers' success.
"On the corporate side, it's so different," radix said. "When I'm doing a password audit for a firm to make sure password policies are properly enforced, it's madness. You could go three days finding absolutely nothing."
Websites could go a long way to protect their customers if they enforced similar policies. In the coming days, Ars will publish a detailed primer on password managers. It will show how to use them to generate long, random passcodes that are unique to each site. Because these types of passwords can only be cracked by brute force, they are the hardest to recover. In the meantime, readers should take pains to make sure their passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern.
The ease these crackers had in recovering as many as 90 percent of the hashes they targeted from a real-world breach also exposes the inability many services experience when trying to measure the relative strength or weakness of various passwords. A recently launched site from chipmaker Intel asks users "How strong is your password?," and it estimated it would take six years to crack the passcode "BandGeek2014". That estimate is laughable given that it was one of the first ones to fall at the hands of all three real-world crackers.
As Ars explained recently, the problem with password strength meters found on many websites is they use the total number of combinations required in a brute-force crack to gauge a password's strength. What the meters fail to account for is that the patterns people employ to make their passwords memorable frequently lead to passcodes that are highly susceptible to much more efficient types of attacks.
"You can see here that we have cracked 82 percent [of the passwords] in one hour," Steube said. "That means we have 13,000 humans who did not choose a good password." When academics and some websites gauge susceptibility to cracking, "they always assume the best possible passwords, when it's exactly the opposite. They choose the worst."
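To make the strength-meter problem concrete, here is an added example (not from the original article or from any real meter) that scores a password two ways: by raw brute-force keyspace, and by the word-plus-digits structure described above. The mini word list, the assumed dictionary rank of 10,000, and the two case variants are constructed assumptions; the 95-character set and the eight-billion-guesses-per-second rate are the article's figures.

```python
import re

# Constructed mini word list; a real meter would load a large, frequency-ranked dictionary.
WORDS = {"band", "geek", "mom", "kids", "oscar", "emmy", "gone", "fishing",
         "coney", "island", "letmein", "password"}
DICT_SIZE = 10_000       # assumption: each word sits within the top 10,000 entries
CASE_VARIANTS = 2        # assumption: all lower-case or first letter capitalised
CHARSET = 95             # printable ASCII, as in the article
FAST_HASH_RATE = 8e9     # guesses/second, one GPU against a fast hash (article's figure)
SECONDS_PER_YEAR = 31_557_600


def tokenize(password):
    """Split into ('word' | 'digits' | 'char', text) tokens, longest word first."""
    tokens, i, lowered = [], 0, password.lower()
    while i < len(password):
        word_end = next((j for j in range(len(password), i, -1)
                         if lowered[i:j] in WORDS), None)
        digits = re.match(r"[0-9]+", password[i:])
        if word_end is not None:
            tokens.append(("word", password[i:word_end]))
            i = word_end
        elif digits:
            tokens.append(("digits", digits.group()))
            i += digits.end()
        else:
            tokens.append(("char", password[i]))
            i += 1
    return tokens


def naive_guesses(password):
    """What a keyspace-only meter counts: every string of this length."""
    return CHARSET ** len(password)


def pattern_guesses(password):
    """Guesses needed when each token is searched in its own, smaller space."""
    total = 1
    for kind, text in tokenize(password):
        if kind == "word":
            total *= DICT_SIZE * CASE_VARIANTS
        elif kind == "digits":
            total *= 10 ** len(text)
        else:
            total *= CHARSET
    return min(total, naive_guesses(password))


def seconds_to_exhaust(guesses, rate=FAST_HASH_RATE):
    return guesses / rate


def report(password):
    return {
        "tokens": tokenize(password),
        "naive_years": seconds_to_exhaust(naive_guesses(password)) / SECONDS_PER_YEAR,
        "pattern_seconds": seconds_to_exhaust(pattern_guesses(password)),
    }


if __name__ == "__main__":
    # The second sample is a constructed random-looking string for contrast.
    for sample in ("BandGeek2014", "x7$Kq!9vR#2m"):
        print(sample, report(sample))
```

Under these assumptions "BandGeek2014" falls from millions of years by keyspace to minutes by structure, while the random string of the same length loses almost nothing.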