Archive for December 2006

Password Cracking

I’ve written in the past about how I use SAMINSIDE and Rainbow Tables to audit passwords. I also wrote about how I disabled LANMAN hash storage, with the result that the LANMAN Rainbow Tables attack would no longer work.
In the interim I’ve been using brute force attacks looking for 8 character passwords that consist entirely of lower alphas. I’ve also tried brute force attacks that tack numbers onto the end and make the first letter upper case.
This week, I found an NTLM Rainbow Table for lowercase alphabetical passwords of length 1 through 8. While we now require stronger passwords than this, I thought it was worth trying out. The pre-calculated table attack has been running for a couple of days. I’m pretty sure that the brute force attack for lower alphas of length 8 did not take this long.
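As an added example (my own code, not SAMINSIDE or any tool from the post), here is the defender's side of the same audit: a checker that flags passwords falling into the classes the post cracks (1–8 lowercase alphas, and the capital-first / trailing-digit variants) and reports the size of each class so you can see why a rainbow table covers it so cheaply. The sample passwords are constructed, not real credentials.

```python
import re
import string

# Constructed sample list (not real credentials) of the kind of values an
# auditor might find when reviewing a directory.
SAMPLE_PASSWORDS = ["sunshine", "Sunshine1", "winter07",
                    "p@ssW0rd!x", "abcdefghi", "Qz7#mT2$Lp"]

MAX_ALPHA = 8       # the post's tables/brute force cover alpha length 1..8
MAX_DIGITS = 2      # assumption: "tack numbers on the end" means 0-2 digits

# Letters, optionally capitalised first, followed by optional trailing digits.
VARIANT_RE = re.compile(r"([A-Za-z][a-z]*)(\d*)")


def classify(password):
    """Return the narrowest weak class from the post that covers the password."""
    if 1 <= len(password) <= MAX_ALPHA and password.isalpha() and password.islower():
        return "lower8"            # covered by the NTLM lowercase rainbow table
    m = VARIANT_RE.fullmatch(password)
    if m and len(m.group(1)) <= MAX_ALPHA and len(m.group(2)) <= MAX_DIGITS:
        return "lower8_variants"   # capital first letter and/or trailing digits
    return "outside"               # not reachable by either attack described


def keyspace(cls):
    """Number of candidate passwords an attacker must precompute or try."""
    alpha = sum(26 ** k for k in range(1, MAX_ALPHA + 1))   # 1..8 lowercase
    if cls == "lower8":
        return alpha
    if cls == "lower8_variants":
        # first letter upper or lower (x2), then 0, 1 or 2 trailing digits
        digit_choices = sum(10 ** d for d in range(MAX_DIGITS + 1))
        return 2 * alpha * digit_choices
    raise ValueError("no keyspace estimate for class %r" % cls)


def audit(passwords):
    """Count how many passwords fall into each class (the policy report)."""
    counts = {"lower8": 0, "lower8_variants": 0, "outside": 0}
    for p in passwords:
        counts[classify(p)] += 1
    return counts


if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print("%-12s %s" % (p, classify(p)))
    print(audit(SAMPLE_PASSWORDS))
    print("lower8 keyspace:", keyspace("lower8"))
```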

F-Secure: postcard.exe spam run

F-Secure blogged this morning about a large scale spam run underway sending messages with the attachment postcard.exe and the subject “Happy New Year!”
I saw that at my site last night. Actually, I probably wouldn’t have even noticed all those detections, but I re-enabled the filters on my BlackBerry so it doesn’t get filled up with all the phishing detection notifications.

And so this is Christmas

“And there were in the same country shepherds, abiding in the field, keeping watch over their flock by night. And, lo, the angel of the Lord came upon them, and the glory of the Lord shone round about them! And they were sore afraid … And the angel said unto them, “Fear not! For, behold, I bring you tidings of great joy, which shall be to all my people. For unto you is born this day in the city of David a Saviour, which is Christ, the Lord.”
“And this shall be a sign unto you: Ye shall find the babe wrapped in swaddling clothes, lying in a manger.” And suddenly, there was with the angel a multitude of the Heavenly Host praising God, and saying, “Glory to God in the Highest, and on Earth peace, and good will toward men.”
“That’s what Christmas is all about, Charlie Brown.” – Linus Van Pelt

Drudge, “Crisis of Confidence in Vista”

Matt Drudge should stick to what he does best: linking to other people reporting news and repeating rumors that reputable newspapers can’t publish without confirmation.
Where is the source for the information he posted today?

MSFT facing early crisis of confidence in quality of VISTA; security researchers, hackers find potentially serious flaws in system… Developing…

It is rather typical for anti-Microsoft people to talk down new Microsoft releases while at the same time claiming that Microsoft has promised they will be bug free. Can we settle this now? Windows Vista will have better security than XP, just as XP had better security than 2000 and 2000 was better than NT4. Does better mean bulletproof? There is no such animal.
What security flaws are in the news that would lead to this supposed “crisis of confidence”?
Is it the Windows Client/Server Runtime Server Subsystem (CSRSS) privilege escalation vulnerability? Reported here. A privilege escalation vulnerability means that a logged-on user can gain higher rights than those already assigned. This is bad, but it’s not like a WMF vulnerability or a Blaster vulnerability. The way most people currently use a computer, where everyone runs as admin, this attack would not even be needed.
The metric for evaluating Vista isn’t when the first vulnerability is publicly announced. Vista will be evaluated based on the number of patches it doesn’t need that XP SP2 does. It will be evaluated on the number of patches in the first year, not the first month. It will be evaluated based on the severity of the patches.
Let’s look at history: the other products developed under the security lifecycle have done great. Matt Drudge, don’t hype vulnerabilities that you don’t understand.
Update: Drudge now has a link to a New York Times article.

DoD Goes Plaintext

Federal Computer Week reports:

Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages and has banned the use of Outlook Web Access e-mail applications, according to a spokesman for the Joint Task Force for Global Network Operations.

According to the article, they are converting all email to plaintext only. I wonder how they are accomplishing that?
While I agree that putting OWA directly on the Internet is foolish, I think there are secure ways of doing it. Further, providing users easy access to OWA encourages them to use an arguably more secure method of access than a thick VPN client, which offers full access to the internal network.
Soon the security folks will have us back to using smoke signals and carrier pigeons. Think about the man-in-the-middle attacks possible then.

Holy Cow, Sunbelt Doesn’t Pile on MS

It’s posts like this that keep Sunbelt in the list of blogs I read regularly. In the post they explain why a recent security writer’s claim that “IE7 is still the spyware writer’s dream” is actually hype.
The vulnerability is that if the bad guy has write access to your computer, he can get a DLL run by IE7 because they are not requiring FQDNs to load a DLL. While this might make it tougher to clean your computer, the bad guy must already have infected your computer to have write access. This is not like the WMF exploit or all the bad ActiveX controls that were in previous IE versions.

eEye: Big Yellow Worm Alert

eEye has sent out an email alert about a new worm they are calling Big Yellow attacking systems running versions of Symantec Antivirus and Symantec Client Security.
This is the same vulnerability that was patched by Symantec in June 2006. There were previous reports of exploitation on EDU networks back in November, but according to eEye it is starting to gain some traction.
Check if you’re running a vulnerable version of SAV 10 or 10.1 here. And as always practice defense in depth by running a personal firewall, particularly when not on a private network.

Wired: “Myspace users not so dumb”

Bruce Schneier writes in Wired that “MySpace users are not so dumb”. In an analysis of 32k MySpace passwords collected through phishing, it was found that the passwords were better than those in studies of passwords used in a corporate environment.
Age is one reason for the difference in password quality. MySpace users skew younger. Corporations are still filled with people who don’t want to have a voicemail password at all, much less a four digit PIN.
81% of the passwords are alphanumeric, but 28% were merely a dictionary word with the addition of one number (most often “1”).
The bottom line, though, is that these passwords were obtained through phishing. So while the users may be educated about selecting a good password, the security awareness job isn’t done.

Student arrested in grade change hack

I saw this linked from Drudge.
A High School Class President, who also holds the student seat on the Broward County (FL) School Board, has been charged with two counts of computer crime with intent to defraud, a second-degree felony.
As part of his School Board job, he was given a laptop in order to access job-related email. He found that the I.T. specialist had a sheet of username/password combinations on his desk. The student used the purloined passwords to access the county’s system for tracking grades and modify grades for several students.
The obvious lesson: don’t leave passwords on a sheet of paper on your office desk.

Don’t Practice Good Security? Here’s what can happen

Even today end users think security doesn’t affect them. “I’ve got nothing to hide,” they say. So they choose convenience over security. They don’t use any form of encryption on their wireless networks, and they disable the security software on their computer.
Here’s a story of a woman in Denver who learned a lesson about that after a visit from the police.

http://www.thedenverchannel.com/news/10486347/detail.html