A little Alliteration is good for writing effect every now and then; why not apply this to passwords? I don’t mean to write out an alliterative phrase and turn it into a password or passphrase (though you could, I guess); what I mean is to use a pattern that makes it easy for you to remember the password, but still results in a very strong, un-guessable one. Here’s an example of a very strong password: 19[-[Phrase]-]60.
This one is very weak: %6*Some*Phrase*6%. Can you see why? Too many repetitions of characters. Change it slightly, %6!Some*Phrase!6%, and it becomes very strong.
The trick is to come up with a pattern that means something to you. By no means should you use the patterns I suggest—use something that will be easy for you to remember.
I’ll leave it to you to analyze the two examples and let you come up with your own. Remember, the bad guys read these blogs, too.
The Sydney Morning Herald reports, “Hackers break into police computer as sting backfires:”
An Australian Federal Police boast, on the ABC’s Four Corners program, about officers breaking up an underground hacker forum, has backfired after hackers broke into a federal police computer system.
Well, if you read the article, you’ll see that they use the term “broke into” rather loosely. It wasn’t much of a break-in as one of the hackers wrote on a forum post:
The hacker wrote ‘I couldn’t stop laughing’ on seeing that the federal police’s server was running Windows, which is known among hacker communities for being insecure. Police had also ‘left the MYSQL password blank’.
No password! Absolutely ridiculous. These are the police, people responsible for security on many levels, and they don’t even put a password on their database? Unbelievable.
People, come on; there’s only one thing worse than having a weak, easily guessable password and that’s having no password at all. I can see why the hacker was in stitches; stupidity is often funny, especially when exhibited by people who should know better.
Let me repeat Golden Rule of Computer Security #1: The best security measures are completely useless if you invite attackers into your PCs or networks.
No better invitation than an open door, is there?
Linux proponents often gloat over the seeming lack of security vulnerabilities in the Linux kernel when compared to Microsoft Windows; Windows proponents counter saying that Linux is just enjoying “security through obscurity.” Seems the Windows people may be justified to some degree as reports of a Linux vulnerability puts most versions of the Linux kernel built in the last eight years at risk of complete takeover.
According to The Register, “The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn’t always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine.” This means that it’s trivial for an attacker to put code in the first page and that code will get executed with kernel privileges. You can read a full rundown of the vulnerability at the CR0 Blog.
All Linux kernel 2.4 and 2.6 versions since May 2001 are affected. The vulnerability has been patched, but “this is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. In mid July, a researcher alerted Linux developers to a separate "NULL pointer dereference" bug that put newer versions at risk of complete compromise,” according to The Register.
There’s no question that Microsoft has ongoing security issues; it’s no surprise that Linux is beginning to show the same. The only difference lies in the attack surface; Microsoft is still the biggest target. As Linux continues to gain market share, however, we’ll be seeing more researchers focusing their attention on the Open Source OS; as they do, they’ll find more and more vulnerabilities there, too.
There’s a technology called “secure coding” that still hasn’t been fully developed, much less implemented on a grand scale; until programmers fully get this concept, we’re saddled with insecure OS’s and applications.
There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.
Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.
Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa, 12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.
Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.
If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.
A botnet that uses Twitter for command and control? You bet. Jose Nazario over at Arbor Networks apparently found one: “Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run.” The bots connect to the Twitter account using an RSS feed, allowing them to receive the tweets in real time without having their own accounts on Twitter. Pretty slick.
The tweets themselves are base64 encoded and when Nazario translated one of them, it was clear the encoded tweet was sending links to the bot.
Oddly enough, there’s no mention of this at http://status.twitter.com, but the account in question (well, one of them, at least—there are probably more), https://twitter.com/upd4t3, has been suspended, so it appears that Twitter security folks are on the ball.
It’s that day of the month again and this time Microsoft has patched 19 security holes, 15 of which have a “critical” rating. The good news is that none of the vulnerabilities affect Windows 7. As usual, a bunch of the flaws stem from ActiveX controls, probably the worst thing Microsoft’s developers ever came up with (with the possible exception of Microsoft Bob).
At least one of the vulnerabilities, MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908), is currently being actively exploited on the Internet; exploit code for MS09-043 – Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) has been posted publicly.
Get those patches installed ASAP!
Speculation abounds over who was responsible for the DDoS attacks that affected Twitter–and to a lesser degree, Facebook and LiveJournal–this past Thursday.
Various sources, including CNN and CNet, suggest that a Georgian blogger with accounts under the name “Cyxymu” (a town in the Republic of Georgia) on the services was targeted. The date of the attack coincides with the one year anniversary of the Russia-Georgia conflict.
Other sources, including The Register suggest that a JoeJob was the main source of the attack. Joejobs are spam messages designed to induce someone to click on a link in the hopes that enough people will do so, thereby harming the site being linked to.
Still others blame a conventional DDoS attack using botnets, but Arbor Networks‘ analysis actually shows a drop in traffic volume hitting Twitter during the alleged DDoS attack, leaving doubt that this method was used.
I’ve also seen reports blaming hackers angry at Twitter for becoming more popular than IRC, a vigilante trying to point up the danger of botnets, and cyber-terrorists.
Seems no one really knows for sure at this point.
On Thursday morning, I decided to check my Twitter account and was greeted by a “Network Timeout” error. I tried several more times and finally gave up, thinking I’d just try later. I thought nothing more about it until I heard the news item on a local radio station that Twitter had been DDoS’d. This was confirmed at http://status.twitter.com:
We are defending against a denial-of-service attack, and will update status again shortly.
Update: the site is back up, but we are continuing to defend against and recover from this attack.
Update (9:46a): As we recover, users will experience some longer load times and slowness. This includes timeouts to API clients. We’re working to get back to 100% as quickly as we can.
Update (4:14p): Site latency has continued to improve, however some web requests continue to fail. This means that some people may be unable to post or follow from the website.
As of late yesterday morning communication with the API and SMS was still down.
As usual, there always seems to be some humor in these situations. Here’s a comment by John Pescatore of SANS Institute from the SANS News Bites:
[Editor’s Note (Pescatore): Wow, 2 hours without tweets! That’s like a
car drive to the shore without anyone in the back seat saying "Are we
there yet? I see a rock. Is that a seagull? I like saltwater taffy.
Shaquille Oneal is really tall. Are we there yet?" the entire trip.]
This is simply idiocy—or gross negligence—of the highest degree. In the last week, more than a dozen US Representatives’ websites were defaced by hackers who posted digital graffiti on the home pages. The graffiti read, “H4ck3d by 3n_byt3 @ Indonesia H4ck3rs” (see screen shot). There was not other damage to the sites.
The method used to break in? Password guessing. The hackers compromised the site administration passwords at Web design and hosting firm GovTrends of Alexandria, VA which provides Web hosting for about 100 House sites. Not all were affected.
According to GovTrends founder Ab Emam, passwords assigned to member offices were never changed. Now, it’s typical for a Web hosting company to assign default admin passwords, but those passwords should be strong. In this case, they weren’t. “Most of these passwords could be guessed, they were obvious,” Emam said. “That’s been changed, and each of these sites is now required to have strong passwords.”
Really? Should have been required all along. There’s simply no excuse for this. I have written numerous articles over the years about how to generate strong, un-guessable passwords and I’m not the only one: a Google search brings up 61,800 results for that term. Will they ever learn?
(In all fairness, I have to report that there is some question as to whether password guessing was actually the cause of the breach. This article by Brian Krebs has been updated to suggest that SQL injection may have been the method.)
No matter; there’s no excuse for that, either.
I’ve heard this phrase bandied about in Linux forums and in the occasional blog post, but it’s something I never considered relative to the security of Windows boxes. There’s an awful lot of research on the subject and it boils down to this: The larger the attack surface, the more insecure the system. Makes sense, but just what is an attack surface? Thanks to a research paper, Measuring a System’s Attack Surface, Pratusya Manadhata and Jeannette M. Wing, CMU Technical Report CMU-CS-04-102, January 2004, we have a concise definition:
A system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.
This means that any applet, any built-in feature, any module, any application, probably contains multiple attack vectors. Moreover, certain applications like Internet Explorer are attack vectors in and of themselves. When I started to look into this, I found that some folks over at the Microsoft Developer Network had put together a discussion along with a handy list of Windows attack vectors:
- Open sockets
- Open RPC endpoints
- Open named pipes
- Services running by default
- Services running as SYSTEM
- Active Web handlers (ASP files, HTR files, and so on)
- Active ISAPI Filters
- Dynamic Web pages (ASP and such)
- Executable virtual directories
- Enabled Accounts
- Enabled Accounts in admin group
- Null Sessions to pipes and shares
- Guest account enabled
- Weak ACLs in the file system
- Weak ACLs in Registry
- Weak ACLs on shares
Bear in mind that any of these can be subject to multiple vulnerabilities and many of them have been connected with specific vulnerabilities. However, the attack vector itself does not necessarily indicate a system vulnerability, per se. Think of these as things an attacker would try to compromise; for example, attempting to logon to a system as Guest. If the Guest account is enabled, that’s a vulnerability; if the Guest account is disabled, it’s merely a vector for attack.
So, how can we use this information in our workaday world? First, realize that the OS itself is the basis of all of the above items. Next, realize that any program, web application, widget, gadget, what have you, is going to utilize one or more of them. Finally, get the concept of “default unnecessary.” Windows comes with many built-in (read default) features, services and applications—many of them completely unnecessary in the enterprise.
We shrink the desktop attack surface by building our desktop image in three stages:
- We clean up the OS by removing ALL unnecessary features, tools, and applications. A good place to start is all the stuff in the Accessories folder. And who ever uses Microsoft Backup, or Character Map, or Tour Windows XP? You get the idea.
- Given a stripped-down image, we next install ONLY those applications and tools that are absolutely necessary for the user to perform her job. Ideally, we avoid mainstream applications and utilities as much as possible and go with those that are not as widely used (security through obscurity) and therefore not as subject to attack. For example, if PDF isn’t used in the enterprise for purposes other than reading manuals, why use Adobe Reader? Foxit Reader or any of the Open Source apps will work.
- Finally, disable all services and uninstall all protocols that aren’t required by the OS or necessary applications. The first things that come to mind here are UPnP and the SSDP Discovery Service and the Net.tcp Port Sharing service.
That will give us a clean desktop setup with a significantly lower attack surface; come to think of it, you should probably go check the servers, too.
If I’ve missed anything, let me know.