Passwords & Security#Finse2011<br />Per Thorsheim<br />CISA, CISM, CISSP-ISSAP<br />securitynirvana.blogspot.com<br />
Disclaimer<br />My presentation, as well as anything I say, do, show, demonstrate, give away or try to sell you is my pers...
About me<br />Valid certifications:<br />Certified Information Systems Auditor<br />Certified Information Security Manager...
Passwords^11, June 7-8, Bergen<br />Prof. Frank Stajano (Cambridge)<br />Prof. KirsiHelkala (Gjøvik)<br />Simon Josefsson(...
Examples<br />
Sony Playstation Network<br />70+ million accountscompromised<br />#PSNunavailable for 3 weeks<br />Playstation store unav...
#PSNPassword Reset<br />Playstation<br />Online (web)<br />
PS3 Policy #1 Revealed<br />Playstation<br />Online (web)<br />
PS3 Policy #2 Revealed<br />Playstation<br />Online (web)<br />
Web Password Reset CAPTCHA<br />Playstation<br />Online (web)<br />
#PSNPartial CC Data Stored<br />Playstation<br />Online (web)<br />
PS3 vs Web – Policy Comparison<br />Playstation<br />Online (web)<br />
#PSNPassword Reset<br />Playstation<br />Online (web)<br />
#PSN – There’s more!<br />
Sony BGM Greece<br />
Bergen Bompengeselskap AS<br />
Login (https)<br />
I Forgot My Password!<br />
Which Language Sir?<br />
E-mail received:<br />
Or: License Number + Tag ID…<br />
Breaking in – online attacks<br />
Todo List<br />Weneed:<br />Usernames and/or usernamealgorithm at targetcorp<br />Windows domain (if applicable)<br />Acco...
Online Password Attacks<br />Ncrack<br />THC Hydra<br />Medusa<br />http://www.thc.org/thc-hydra/network_password_cracker_...
Possible targets found:<br />Potential targets:<br />Webmail.ntnu.no<br />Webmail.inbox.com<br />Webmail.nr.no<br />Webmai...
Offline Password Attacks<br />
Got Hash?<br />SQL Injection Attacks:<br />SQL injection is a code injection technique that exploits a security vulnerabil...
Hashkiller.com<br />
Cracking Passwords<br />
Offline password cracking<br />A widenumberoftools& techniquesavailable:<br />Rainbowtables<br />Dictionary attacks<br />V...
RainbowTables (wikipedia)<br />A rainbow table is a precomputed table for reversing cryptographic hash functions, usually ...
RainbowTablesavailable:<br />Freerainbowtables.com (99.9% hitrate)<br />LM/NTLM, MD5, SHA-1, HALFLMCHALL<br />CPU/GPU gene...
lm_lm-frt-cp437-850#1-7_20000<br />Windows LM passwordslength 1-14<br />566Gb (1400+ files) tableset;charsetcoverage:<br />
ntlm_mixalpha-numeric#1-8_40000<br />Windows NTLM Mixalpha_numeric_1-8<br />453Gb, covers A-Z,a-z,0-9<br />
Hybrid Rainbowtables<br />ntlm_hybrid2(alpha#1-1,loweralpha#5-5,loweralpha-numeric#2-2,numeric#1-3) <br />is currently bei...
Hybrid attacks<br />John the Ripper (JtR)<br />www.openwall.com/john/<br />Hashcat family (lite, plus, ocl)<br />Hashcat.n...
Bruteforce<br />Bruteforcing is increasingly hard to do;<br />Graphics Processing Units (GPUs) to therescue!<br />
PasswordStatistics<br />Time to show some cool/interesting/boring numbers!<br />
Password Resets<br />
Storing passwords<br />«I’musing MD5, so I’m safe.»<br />Response from web applicationdeveloperafter I talkedabout storing...
Thomas Ptacek<br />Enough With The RainbowTables: WhatYouNeed To KnowAboutSecurePasswordSchemes<br />http://chargen.matasa...
Lastpass.com<br />Source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html<br />
Chris Lyon<br />“SHA-512 w/ per User Salts is Not Enough”<br />http://cslyon.net/2011/05/10/sha-512-w-per-user-salts-is-no...
BypassingPassword Security<br />
BypassingPassword Security<br />Microsoft Windows Pass-the-Hashattacks<br />Microsoft Windows Pass-the-Ticketattacks<br />...
Pass-the-Hash / Pass-the-Ticket<br />Windows Credentials Editor v1.2:<br />http://www.ampliasecurity.com/research.html<br ...
Passware Kit Forensic<br />vs Microsoft Bitlocker:<br />Live memory dump from target system usingFirewire, utilizingDirect...
CorporateAndroid Security<br />Android devices: no hardware encryption<br />Nitro software – softwareencryption<br />Buton...
CorporateiOS Security<br />
CorporateiOS Security<br />AES hardware deviceencryption is good, but..<br />iTunes configurationissues<br />Frequentupdat...
Elcomsoft, Tuesday, May 24th:<br />http://www.prweb.com/releases/iPhone/forensics/prweb8470927.htm<br />
PasswordUsability<br />
NorSIS / nettvett.no (Norway)<br />
PasswordUsability<br />Minimum/Maximum Length<br />Complexityrequirements<br />PasswordHistory<br />ChangeFrequency<br />L...
Usabilityvs Security<br />Minimum/Maximum Length<br />Complexityrequirements<br />PasswordHistory<br />ChangeFrequency<br ...
Recommendations<br />
My User Recommendation:<br />Use a normal sentence as yourpassword.<br />Change it whenyouthink it is necessary.<br />
My Policy Recommendation:<br />Use a normal sentence as yourpassword.<br />It must be changedevery 13 months.<br />
Technical Recommendation<br />Has to be a little more complexthentheprevious slides, but;<br />Do NOT tell your end-users ...
DynamicPreventionofCommonPasswords<br />Somewebsites have static lists of «forbidden» (common) passwords<br />Can be found...
DynamicPreventionofCommonPasswords<br />My suggestion:<br />A custom DLL for Windows. It receives a usersrequestedpassword...
Thankyou!<br />And do not forget: Passwords^11, June 7-8, UiB, Bergen. <br />2 days, onlyaboutpasswords.<br />
Upcoming SlideShare
Loading in...5
×

Passwords & security

1,577

Published on

This is my presentation from Finse 2011, a 3.5 hour presentation on passwords. The audience is PhD students & professors, mostly within crypto, access control, biometrics and similar areas.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,577
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
32
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Passwords & security"

  1. 1. Passwords & Security#Finse2011<br />Per Thorsheim<br />CISA, CISM, CISSP-ISSAP<br />securitynirvana.blogspot.com<br />
  2. 2. Disclaimer<br />My presentation, as well as anything I say, do, show, demonstrate, give away or try to sell you is my personal stuff & opinions.<br />My employer have chosen not to be a part of this in any way, as such my employer cannot and will not be held liable. My opinions does not necessarily reflect that of my employer, our customers or partners.<br />Etc etc.<br />
  3. 3.
  4. 4. About me<br />Valid certifications:<br />Certified Information Systems Auditor<br />Certified Information Security Manager<br />Certified Information Systems Security Professional<br />Information Systems Security Architecture Professional<br />ITIL v3 Foundations<br />Passwords^10 conference in December 2010<br />Videos: http://ftp.ii.uib.no/pub/passwords10/<br />
  5. 5. Passwords^11, June 7-8, Bergen<br />Prof. Frank Stajano (Cambridge)<br />Prof. KirsiHelkala (Gjøvik)<br />Simon Josefsson(Head of R&D, Yubico)<br />Bendik Mjaaland (Accenture)<br />John Arild M. Johansen (CSO, Buypass)<br />Erlend Dyrnes(CSO, Nextgentel)<br />Chris Lyon(Mozilla)<br />James Nobis(Freerainbowtables.com)<br />DmitrySklyarov(Elcomsoft)<br />
  6. 6. Examples<br />
  7. 7. Sony Playstation Network<br />70+ million accountscompromised<br />#PSNunavailable for 3 weeks<br />Playstation store unavailable for 4 weeks<br />New firmware: v3.61<br />All passwords must be changed<br />
  8. 8. #PSNPassword Reset<br />Playstation<br />Online (web)<br />
  9. 9. PS3 Policy #1 Revealed<br />Playstation<br />Online (web)<br />
  10. 10. PS3 Policy #2 Revealed<br />Playstation<br />Online (web)<br />
  11. 11. Web Password Reset CAPTCHA<br />Playstation<br />Online (web)<br />
  12. 12. #PSNPartial CC Data Stored<br />Playstation<br />Online (web)<br />
  13. 13. PS3 vs Web – Policy Comparison<br />Playstation<br />Online (web)<br />
  14. 14. #PSNPassword Reset<br />Playstation<br />Online (web)<br />
  15. 15. #PSN – There’s more!<br />
  16. 16. Sony BGM Greece<br />
  17. 17. Bergen Bompengeselskap AS<br />
  18. 18. Login (https)<br />
  19. 19. I Forgot My Password!<br />
  20. 20. Which Language Sir?<br />
  21. 21. E-mail received:<br />
  22. 22. Or: License Number + Tag ID…<br />
  23. 23. Breaking in – online attacks<br />
  24. 24. Todo List<br />Weneed:<br />Usernames and/or usernamealgorithm at targetcorp<br />Windows domain (if applicable)<br />Account lockout policy<br />FQDN to webmail service<br />Online passwordcracker<br />Somepasswords(statisticsareyourfriend!)<br />(Google is yourfriend…)<br />And patience… <br />
  25. 25. Online Password Attacks<br />Ncrack<br />THC Hydra<br />Medusa<br />http://www.thc.org/thc-hydra/network_password_cracker_comparison.html<br />
  26. 26. Possible targets found:<br />Potential targets:<br />Webmail.ntnu.no<br />Webmail.inbox.com<br />Webmail.nr.no<br />Webmail.uib.no<br />Webmail.unik.no<br />Webmail.uia.no<br />Webmail.uni.lu<br />
  27. 27. Offline Password Attacks<br />
  28. 28. Got Hash?<br />SQL Injection Attacks:<br />SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.<br />Source: Wikipedia <br />
  29. 29. Hashkiller.com<br />
  30. 30. Cracking Passwords<br />
  31. 31. Offline password cracking<br />A widenumberoftools& techniquesavailable:<br />Rainbowtables<br />Dictionary attacks<br />Various hybrid/logicalattacks<br />Bruteforce<br />Time is on your side!<br />
  32. 32. RainbowTables (wikipedia)<br />A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ salt to make this attack infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman that used the inversion of hashes by looking up precomputed hash chains.<br />
  33. 33. RainbowTablesavailable:<br />Freerainbowtables.com (99.9% hitrate)<br />LM/NTLM, MD5, SHA-1, HALFLMCHALL<br />CPU/GPU generation, CPU cracking (for now)<br />Project-rainbowcrack.com<br />LM/NTLM, MD5, SHA-1 (CPU/GPU)<br />Cryptohaze.com<br />MD5, NTLM <br />(Full US charset, chainlength 200k, GPU only!)<br />
  34. 34. lm_lm-frt-cp437-850#1-7_20000<br />Windows LM passwordslength 1-14<br />566Gb (1400+ files) tableset;charsetcoverage:<br />
  35. 35. ntlm_mixalpha-numeric#1-8_40000<br />Windows NTLM Mixalpha_numeric_1-8<br />453Gb, covers A-Z,a-z,0-9<br />
  36. 36. Hybrid Rainbowtables<br />ntlm_hybrid2(alpha#1-1,loweralpha#5-5,loweralpha-numeric#2-2,numeric#1-3) <br />is currently being finished by freerainbowtables.com<br />With more to come!<br />
  37. 37. Hybrid attacks<br />John the Ripper (JtR)<br />www.openwall.com/john/<br />Hashcat family (lite, plus, ocl)<br />Hashcat.net<br />Cain & Abel<br />www.oxid.it<br />…<br />And many, many more!<br />
  38. 38. Bruteforce<br />Bruteforcing is increasingly hard to do;<br />Graphics Processing Units (GPUs) to therescue!<br />
  39. 39. PasswordStatistics<br />Time to show some cool/interesting/boring numbers!<br />
  40. 40. Password Resets<br />
  41. 41. Storing passwords<br />«I’musing MD5, so I’m safe.»<br />Response from web applicationdeveloperafter I talkedabout storing passwords in cleartextbeing a bad idea.<br />
  42. 42. Thomas Ptacek<br />Enough With The RainbowTables: WhatYouNeed To KnowAboutSecurePasswordSchemes<br />http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html<br />
  43. 43. Lastpass.com<br />Source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html<br />
  44. 44. Chris Lyon<br />“SHA-512 w/ per User Salts is Not Enough”<br />http://cslyon.net/2011/05/10/sha-512-w-per-user-salts-is-not-enough/<br />
  45. 45. BypassingPassword Security<br />
  46. 46. BypassingPassword Security<br />Microsoft Windows Pass-the-Hashattacks<br />Microsoft Windows Pass-the-Ticketattacks<br />Forensictoolkits<br />Passware – «bypassing» Microsoft Bitlocker<br />ElcomsoftEPPB<br />Smartphone (in)security<br />
  47. 47. Pass-the-Hash / Pass-the-Ticket<br />Windows Credentials Editor v1.2:<br />http://www.ampliasecurity.com/research.html<br />Scenario description:<br />Eve just started in Alices company. Bob, thedomainadminguy, givesyouyour brand newlaptop, ready to use. You have localadminrights. Bob’slogincredentialsarecached on your computer. Extract, send credentials (username + hashvalue), getaccess.<br />
  48. 48. Passware Kit Forensic<br />vs Microsoft Bitlocker:<br />Live memory dump from target system usingFirewire, utilizingDirect Memory Access. Search dump, getdecryption keys, getaccess<br />Remove disk from hibernated computer. Physicalmemory is written to disk, parts of it unencrypted. Searchand finddecryption keys, mount volume, getaccess.<br />Video demonstration: <br />http://ftp.ii.uib.no/pub/passwords10/Passware_at_Passwords10.mp4<br />
  49. 49. CorporateAndroid Security<br />Android devices: no hardware encryption<br />Nitro software – softwareencryption<br />Butonly for Microsoft Activesync data<br />(Mail, Calendar, Contacts)<br />Samsung Galaxy S II<br />Hardware deviceencryption<br />90% of all MS Activesyncpoliciessupported<br />Not even Microsoft doesthat!<br />
  50. 50. CorporateiOS Security<br />
  51. 51.
  52. 52.
  53. 53. CorporateiOS Security<br />AES hardware deviceencryption is good, but..<br />iTunes configurationissues<br />Frequentupdates(Quicktime + Safari + iTunes)<br />Backuppasswordprotection<br />Hardware Device has «passwordprotect» flag<br />Withoutpasswordprotection:<br />Device-specificencryption key is used to protectkeychain<br />Almost all other data availableunencrypted in backup<br />
  54. 54. Elcomsoft, Tuesday, May 24th:<br />http://www.prweb.com/releases/iPhone/forensics/prweb8470927.htm<br />
  55. 55. PasswordUsability<br />
  56. 56. NorSIS / nettvett.no (Norway)<br />
  57. 57. PasswordUsability<br />Minimum/Maximum Length<br />Complexityrequirements<br />PasswordHistory<br />ChangeFrequency<br />Lost Password (Password Reset)<br />Reauthentication (BankID)<br />Single Sign-On<br />
  58. 58. Usabilityvs Security<br />Minimum/Maximum Length<br />Complexityrequirements<br />PasswordHistory<br />ChangeFrequency<br />Lost Password (Password Reset)<br />Reauthentication (BankID)<br />Single Sign-On<br />Usepassphrases / implement support for it!<br />Length = complexity<br />Patterndetection<br />«Windowofopportunity»<br />VERY hard to do in real-life environments!<br />«Dearmom…»<br />Goodidea, but…<br />
  59. 59. Recommendations<br />
  60. 60. My User Recommendation:<br />Use a normal sentence as yourpassword.<br />Change it whenyouthink it is necessary.<br />
  61. 61. My Policy Recommendation:<br />Use a normal sentence as yourpassword.<br />It must be changedevery 13 months.<br />
  62. 62. Technical Recommendation<br />Has to be a little more complexthentheprevious slides, but;<br />Do NOT tell your end-users or othersabouttheactualrulesimplemented!<br />Provideuseful feedback whenpasswordsarerejected<br />Do 100% technicalimplementationofwritten policy<br />SSO: store passwordhashes at thestrongest system<br />
  63. 63. DynamicPreventionofCommonPasswords<br />Somewebsites have static lists of «forbidden» (common) passwords<br />Can be found & documented (Twitter…)<br />Does not providebettersecurity<br />Easilycircumvented (blocking bad passwords is hard!)<br />
  64. 64. DynamicPreventionofCommonPasswords<br />My suggestion:<br />A custom DLL for Windows. It receives a usersrequestedpassword. Checkagainstrules (length, complexity, historyetc).<br />If OK, thenhash and store hashwithcounter= 1<br />DLL config has a thresholdvalue<br />Any given passwordcanonlyexist on X accounts at the same time<br />
  65. 65. Thankyou!<br />And do not forget: Passwords^11, June 7-8, UiB, Bergen. <br />2 days, onlyaboutpasswords.<br />
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×