donderdag 27 maart 2014

More XP trouble than you imagined

After april 8th 2014 Microsoft will no longer support Windows XP. Microsoft will publish no new security pathches for vulnerabilities and Security Essentials will only provide new malware signatures for a short while. Windows XP will be orphaned. By Microsoft. But many consumers and companies still use XP systems. They will be at risk. Because XP will not be orphaned by criminals. Vulnerabilities in newer Windows versions will be patched, but since all Windows versions since NT are related, chances are that a vulnerability in a more recent version is a vulnerability in XP too. While it will be fixed in Vista, 7 and 8 and will no longer be a vulnerability in those systems, such a vulnerability will still exist in XP and will be exploited by criminals. From april 8th this will be bad luck for XP users. At least for consumers. Most consumers will run a fully patched XP system, since Microsoft advises you to. So, for consumers to move to a more recent operating system is the only way to stay secure. But so far consumer pc's are not a big problem.

But there is an even bigger risk and it is not even a new risk: Enterprises and other organisations running XP systems. Those organisations have a serious problem. If they still run XP, then they have a change management problem. Commercial support for XP ended long time ago, meaning that they gambled that they would not need any support.

And we may have a big problem with that. In professional surroundings most workstations are managed centrally, from an update server. Patches are not downloaded directly from the Microsoft servers, but these organisation distribute patches in releases after they tested the patches. And such a process may take a while. Many companies roll-out new releases once in a while, two or three month intervals are common. Changing more frequent is often seen as a risk, because these (unsupported) systems better not be touched. Never change a winning team...

Will these systems be at risk after april 8th? Sure. Are they at risk now? You bet. If a company is still running XP at this moment, chances are that older patches have not been applied either. Stay away from organisations running XP, the problem is bigger than you imagined.

woensdag 26 maart 2014

Complex passwords? As easy as 1-2-3

A few posts back I promised you an new and easy method for composing complex passwords that are, nevertheless easy to remember.

First some background to password complexity.

Why do we need complex passwords in the first place?
We don't.

There are two real reasons, we are told, why need complex passwords.
The first one is that a complex password is more difficult to remember, thereby reducing chances of password leakage. But at the same time creating the Post-It note problem of people writing down the password.

The second is that a complex password takes more time to attack using brute force password cracking techniques, but it doesn’t in itself prevent the use of dictionary based password cracking techniques. A dictionary based attack compares the hashed password in a password file to a words in a dictionary that are hashed using the same hashing algorithm. If the hash of a word in a dictionary is the same as the hash in a password file, then the corresponding word is the password. A clever cracking tool subsequently tries several permutations of the word, by replacing lower case letters by upper case letters or numbers or symbols, 'P@ssw0rd' will be discovered just as quick as 'password'. That way using leetspeak doesn't make password more secure that regular speak. If a word is not in the dictionary, another technique is required: just trying out all combinations to see is a hash resembles a hashed password of the target account. And in all simplicity that means that the longer the password, the more time it costs to crack it.

This leads to 2 simple conclusions.

  • First: if a cracker uses an English language dictionary, he will not find my Dutch language word, meaning that will have to resort to a brute force attack...
  • Second: for a brute force attack the password '1234567890' is just as complex to crack as '6Gr*7jgkhi'. It will probably be found faster because clever cracking tools will know this too and will use this kind of 'semi-dictionary' cracking words too, but in a sense: if a word is not in a dictionary, brute force requires a lot more time if the password is longer.

Proof of this principle:
The old Windows OS uses the lanman hashing algorithm. A password was broken in 2 7-byte segments, that were hashed separately. The hash of a 7 character password was enlarged to a 14 character password by adding a 7 character long Null string hash. If not more than 7 characters were used, the second hash was always the same. So, although the hashed password was 14 characters long, when the password was not longer that 7 characters, cracking the first 7 characters was enough to guess most passwords. If an 8th character was used, brute forcing the complete 14 character password was required.
In effect, this is the reason why many password policies prescribe the use of minimal 8 characters.

This results in a few simple rules:
Use long words that are not in a (regular) dictionary... German speaking people have an advantage here...

Use non-words that are long enough to make brute forcing a lengthy operation but that are easy to remember.

My advise:

Use your telephone number, but use leetspeak backward.

Example: phone number 01 234 567 89 consisting of only numbers.
Just exchange a few numbers to letters/characters in such a way that you feel comfortable with. A '0' can be an O (oh), or Z (for zero) or N (for Nul), in lower case or upper case, your choice.
So, this simple example may result in NE2D4vzZ8n or zOt3f5sse9. You just need to remember the order of hashing, but you don't need to remember the password, just remember the phone number used.

The entered password may look familiar if you know the algorithm used, but to a password cracking tool these passwords look all very different (all MD5 hash examples):
0123456789 > 84D89877F0D4041EFB6BF91A16F0248F2FD573E6AF05C19F96BEDB9F882F7882
NE2D4vzZ8n > 4DB3EA7E7894603A00091C8AABA25556B0366CF4C7045CF5B862477B44357040
zOt3f5sse9 > 4A384192BB6933877D9B7E29993DE7AF1EBC191DE6C30289F13F084EFD332B1B

Compare that with:
password > 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

If a cracker can get at your hashed password, the cracker has no way of knowing how you defined your password. Make it as easy as you can.

We don't need complex passwords. And in a future post I will expand on this some more.