InfoSec News

The Web is an insecure place and getting more insecure all the time. The latest threat, the Firesheep add-in for Firefox, is particularly dangerous because it is exceedingly simple to use. Someone with absolutely no hacking experience can grab your private login information to sites such as Facebook and Amazon, and then log in as you and do anything they want, as if they were you. The free Firefox add-in HTTPS Everywhere helps protect against that threat and other privacy invaders by effectively encrypting information when you visit certain Web sites.
This week was a busy one in IT news, with the European Parliament giving the OK to the controversial Anti-Counterfeiting Trade Agreement, SAP being slapped with a US$1.3 billion penalty because employees of its now-defunct TomorrowNow subsidiary stole corporate materials from Oracle, and Attachmate's plan to buy Novell for a whopping $2.2 billion. And those were just the biggest of the headlines -- there was plenty more as well.

Posted by InfoSec News on Nov 26

By Adrian Lane
Contributing Writer
Nov 23, 2010

[Excerpted from "Database Security: Oracle Offers New Tools To Counter
Threats," a new report posted this week on Dark Reading's Database
Security Tech Center.]

It’s not easy to secure any relational database, let alone...

Posted by InfoSec News on Nov 26

By Brian Prince

A Scottish man was sentenced today to 18 months in prison for spamming
out e-mails laced with malware and stealing data.

A 33-year-old Scottish man was sentenced today to 18 months in prison in
the U.K. for spamming out malware-infected e-mails and stealing data.

The sentencing today of Matthew Anderson of Drummuir,...
WordPress Register Plus 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities
Apple cut prices for selected models of the MacBook Air, MacBook Pro and iMac up to 8% in a repeat of last year's "Black Friday" sale, although some authorized resellers again beat Apple's discounts.

Posted by InfoSec News on Nov 26

By Elizabeth Montalbano
November 23, 2010

The Department of Homeland Security (DHS) has launched a new
cybersecurity center aimed at communicating more efficiently with state
and local governments about potential cybersecurity threats to critical
U.S. infrastructure.

The Multi-State Information Sharing and Analysis Center (MS-ISAC)...

Posted by InfoSec News on Nov 26

By Jaikumar Vijayan
November 23, 2010

Two former students at the University of Central Missouri (UCM) have
been indicted by a federal grand jury on charges of breaking into
university databases and of stealing and attempting to sell personal
data on about 90,000 UCM students, faculty, staff and alumni. Price for
the data:...

Posted by InfoSec News on Nov 26

By John Leyden
The Register
23rd November 2010

Security researchers have demonstrated how it might be possible to place
backdoor rootkit software on a network card.

Guillaume Delugre, a reverse engineer at French security firm Sogeti
ESEC, was able to develop proof-of-concept code after studying the
firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards.

He used publicly...
MRCGIGUY FreeTicket 'contact.php' Multiple SQL Injection Vulnerabilities
Linux Kernel Unix Sockets Local Denial of Service Vulnerability
Re: [Full-disclosure] Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(
[] URL XSS in Easy Banner Free
[] SQL injection Auth Bypass in Easy Banner Free
Re: NoScript ( < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)
Microsoft Outlook File Attachment Denial Of Service Vulnerability
In 1950 Bell Labs researcher, Richard W Hamming, made a discovery that would lay an important foundation for the entire modern computing and communications industries. He had invented a code for correcting errors in communication and the Hamming code was born. CIO Blast from the Past takes a journey through 60 years of information theory and discovers how the Hamming code legacy lives on today.
More than a third of American consumers planning to purchase a laptop in the next 90 days will buy from Apple, a market research company said this week.
Three men found guilty of being accessories to crimes against copyright law for their part in running The Pirate Bay have lost their appeal, while a fourth man still awaits trial.
(Warning, Long)
The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many cases the first and last line of defence. It is quite important to get it right.
Most of us know that when we turn on password complexity in Windows it is no guarantee that the user will select a decent password. After all Passw0rd is an 8 character password that will pass complexity checking in Windows and not many of us would argue that it is a decent password. Another element needs to be in place to get decent passwords, user awareness. When you analyse the passwords you can identify whether reasonable passwords are being used and hence determine whether user awareness training has worked, a refresher is needed or all is good. When cracking passwords you will also be able to determine patterns used by users, admin staff, service accounts, resource accounts, helpdesk etc. All useful information in determining the security posture.
I'll take you through the process that I've been using over the last year or so to examine passwords and get an idea of the security posture or issues within an organisation. Following that I'll take you through some sample outputs and what they show.
In a nutshell what we'll be doing is the following:

extract the userids and corresponding password hashes from AD
split all the different history passwords into separate files and get the total number of users for the files
for each file run a dictionary crack

count how many passwords were cracked
Record the result in a spreadsheet

For each file run a hybrid attack (dictionary plus numbers)

count how many passwords were cracked
Record the result in a spreadsheet

for each file run a brute force crack for a set amount of time (I use one hour).

count how many passwords were cracked
Record the result in a spreadsheet

Create the graph
Examine the results

Tools used: fgdump, pwdump, john the ripper, grep, favourite spreadsheet application.
Extract Userids and password hashes
Firstly the userids and passwords will need to be extracted from the Active Directory (AD). Feel free to use your favourite tool. I find fgdump does it for me and should it fail, pwdump will get the password hashes. As long as the output is in pwdump format it doesn't matter what you use, as long as you are comfortable using it in your environment and of course you have permission.
If uncomfortable using hacking tools on a production machine (I understand), select a non critical AD server. Alternatively what I've done in the past is to set up a new AD server on a VM. Allowed the account information to replicate. Then removed the new AD server from the network and ran the extract against that now non networked AD server.
As long as you end up with something similar to the following you should be OK






Chip :9985:1F53A128E5EF1E9F4A3B108F3FA6CB6D:F78444DB59D2398C368E67ECFB890BB4:::


Both fgdump and pwdump have help available so you should be OK to sort that out yourself. fgdump doesn't really provide you with much feedback as it is running, so you may want to keep an eye on the task itself (it hangs on occasion for me). Your AV may also have a bit of a problem with the either of these two programs. fgdump has an option to shut down the AV, you'll want to switch that option off. As always read instructions before you leap and do this only with permission.

Split all the different history passwords into separate files and get the total number of users for the file
We'll clean out the machine accounts first

grep -v '$' abcomp.pwdump abc-users
abc-users should now contain only user accounts.

Split each iteration of the password history into different files

grep -i history_0 abc-users abc-hist-0
Rinse lather and repeat for each of the histories (typically you will have at least 8, it depends on the site)

For the current password you remove all references to history so use -v

grep -iv history_ abc-users abc-hist-c

Count the totals

grep -c : abc-hist-?
using the ? will get all the files in one go

Results may look similar to the following:










The c version and the 0 version will have more users than the others. This will be because in every site there will be users whose passwords rarely, if ever change, e.g. service accounts or users with non expiring passwords. These are represented in the last two or three iterations depending on how many times their password has been changed. You can remove them, but usually their influence does not change the percentages much.

To record the results open you favourite spreadsheet/graphing tool. Create the columns: total, Dictionary, Dictionary %, Hybrid, Brute Force and % Brute Force. You will want to work with percentages in the graph in order to make fair comparisons. For the rows you can use anything, I usually go with: current, previous, -1, -2, -3, etc. to indicate previous passwords used.

Under total column put the results of the grep -c command
Now that we have the totals we can move on to the password cracking.

Dictionary crack
First of all rename the john.pot file to something else. This effectively blanks out passwords that you may have cracked on a previous exercise. The idea is to start afresh.

./john --format=NT --wordlist=password.lst abc-hist-? (using the ? will process all abc-hist-x files)

With john you can crack lanman as well as NT hash formats (plus others). I use --format=NT when I have to compare a number of sites and lanman hashes are unavailable for one or more of these. Using Lanman gives you more obvious results, when using NT hashes the differences are a little bit more subtle between a good and bad site. Another reason to use LanMan is because the whole password needs to be cracked before it will show as a valid guess. For sites where Lanman is disabled the --format=NT option will still give you results. I also use the default password.lst file which is fairly small. If your password is guessed it is truly lame. You can refer to your own words dictionary and tie it into the test.

Check the results
For each of the abc-hist-x files run the john command to show the results

./john --format=NT --show abc-hist-c

The results for each command will along these lines







22 password hashes cracked, 480 left
Record the xx password hashes cracked number in the spreadsheet under the dictionary column

Hybrid crack

./john --format=NT --wordlist=password.lst --rules abc-hist-?

Checking the results is exactly the same as above for the dictionary crack

./john --format=NT --show abc-hist-c

Record the results in the hybrid column

Brute force

./john --format=NT abc-hist-?

Leave this running for an hour or what ever time frame you decide. Just make sure that the next time you use the same period otherwise you are comparing apples with peanuts.
Repeat the checks using ./john --format=NT --show abc-hist-c
Record the results in the brute force column

Whilst the brute force is happening it will start scrolling passwords past the screen. Check these out and see if you can spot patterns in how the service desk resets passwords and how users are selecting passwords. If many users rotate their password through, then it is certainly time for education. e.g.

cassie33 (ssmith_history_7)

cassie34 (ssmith_history_6)

cassie35 (ssmith_history_5)

cassie38 (ssmith_history_2)

cassie37 (ssmith_history_3)

cassie36 (ssmith_history_4)

cassie39 (ssmith_history_1)

If you hit enter whilst the crack is going on it will tell you where it is up to and how long it has been running.
Once done hit ctrl-c to quit the crack and use./john --format=NT --show abc-hist-cto display the results. Record these in the column for brute force

And we are done, work out the percentages for each in the % column and get the chart drawn. You'll get something along the lines of the figures below.

Figure 1 - No password complexity

Figure 2 - Password complexity, good education initially, but needs a refresher

When using NT hashes the results will be less obvious than when using lanman hashes but the graphs are still telling. In figure 1 there is no password complexity in place. The dictionary line is above 0%. With the hybrid test it shows in the graph that users are using dictionary words and adding numbers. The brute force password test gets results for over 20% of passwords within one hour again indicating that password selection is not great. There is however a dip at the previous password point, which is when some education was done. The next graph is expected to look more like the first few data points in figure 2.
In figure 2 password complexity is enabled and users are educated. Something started going wrong a few password changes ago which may indicate some awareness training is needed to get the line back to where it started near the 0% line for all three tests.
The test is relatively simple to do, you have all the information above, and it gives a nice graph that can be shown to management (with explanation) showing that your hard work with respect to passwords is paying off. You'll also be able to identify issues with password selection for password resets, service accounts, privileged accounts etc. It provides you with additional information that you can use to help improve the security posture. The above takes about 90 minutes to do from start to finish and can largely be automated.
If you have some nice metrics that you create to measure effectiveness of controls in place in your organisation, let us know. Might be as simple as measuring the number of viruses sent out of an organisation by email (hopefully 0) to measuring the number of attacks dropped by the firewall, etc.
Mark H - Shearwater

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
I predicted more than two years ago that dual-screen laptops would dominate the category within five years. Halfway to the deadline, Acer this week unveiled a workable and exciting two-screen laptop.

Survey reveals Mainframe is alive and well
CENTREVILLE, USA: InfoSec, Inc. has released the results of its 2010 State of the Mainframe survey, which was conducted in July of 2010. ...

A reliable Taiwanese newspaper says Apple's next generation iPad will be out in the first quarter of 2011, complete with video calling, two cameras, new display and touch technology, and a USB port to connect easily to other devices.

Internet Storm Center Infocon Status