Passwords & Security #Finse2011 Per Thorsheim CISA, CISM, CISSP-ISSAP securitynirvana.blogspot.com

Upload: per-thorsheim

Post on 12-May-2015


DESCRIPTION

This is my presentation from Finse 2011, a 3.5 hour presentation on passwords. The audience is PhD students & professors, mostly within crypto, access control, biometrics and similar areas.

TRANSCRIPT

1. Passwords & Security #Finse2011
Per Thorsheim
CISA, CISM, CISSP-ISSAP
securitynirvana.blogspot.com

2. Disclaimer
My presentation, as well as anything I say, do, show, demonstrate, give away or try to sell you is my personal stuff & opinions.
My employer has chosen not to be a part of this in any way; as such, my employer cannot and will not be held liable. My opinions do not necessarily reflect those of my employer, our customers or partners.
Etc etc.
3.
4. About me
Valid certifications:
Certified Information Systems Auditor
Certified Information Security Manager
Certified Information Systems Security Professional
Information Systems Security Architecture Professional
ITIL v3 Foundations
Passwords^10 conference in December 2010
Videos: http://ftp.ii.uib.no/pub/passwords10/
5. Passwords^11, June 7-8, Bergen
Prof. Frank Stajano (Cambridge)
Prof. Kirsi Helkala (Gjøvik)
Simon Josefsson (Head of R&D, Yubico)
Bendik Mjaaland (Accenture)
John Arild M. Johansen (CSO, Buypass)
Erlend Dyrnes (CSO, Nextgentel)
Chris Lyon (Mozilla)
James Nobis (Freerainbowtables.com)
Dmitry Sklyarov (Elcomsoft)
6. Examples
7. Sony Playstation Network
70+ million accounts compromised
#PSN unavailable for 3 weeks
Playstation store unavailable for 4 weeks
New firmware: v3.61
All passwords must be changed
8. #PSN Password Reset
Playstation
Online (web)
9. PS3 Policy #1 Revealed
Playstation
Online (web)
10. PS3 Policy #2 Revealed
Playstation
Online (web)
11. Web Password Reset CAPTCHA
Playstation
Online (web)
12. #PSN Partial CC Data Stored
Playstation
Online (web)
13. PS3 vs Web Policy Comparison
Playstation
Online (web)
14. #PSN Password Reset
Playstation
Online (web)
15. #PSN There's more!
16. Sony BGM Greece
17. Bergen Bompengeselskap AS
18. Login (https)
19. I Forgot My Password!
20. Which Language Sir?
21. E-mail received:
22. Or: License Number + Tag ID
23. Breaking in: online attacks
24. Todo List
We need:
Usernames and/or username algorithm at target corp
Windows domain (if applicable)
Account lockout policy
FQDN to webmail service
Online password cracker
Some passwords (statistics are your friend!)
(Google is your friend)
And patience
25. Online Password Attacks
Ncrack
THC Hydra
Medusa
http://www.thc.org/thc-hydra/network_password_cracker_comparison.html
26. Possible targets found:
Potential targets:
Webmail.ntnu.no
Webmail.inbox.com
Webmail.nr.no
Webmail.uib.no
Webmail.unik.no
Webmail.uia.no
Webmail.uni.lu
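The defender's side of slides 23-26: the lockout policy on the todo list is what online guessing has to work around, and that shows up in the authentication log either as many failures against one account or as a few failures spread over many accounts. The following Python is an added example, not part of the presentation; the log format and the sample lines are constructed for it.

```python
import re
from collections import defaultdict

# Constructed sample webmail auth log (not from the slides); assumed format: <time> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
09:00:01 FAIL user=alice src=203.0.113.9
09:00:02 FAIL user=bob src=203.0.113.9
09:00:03 FAIL user=carol src=203.0.113.9
09:00:04 FAIL user=dave src=203.0.113.9
09:00:05 FAIL user=erin src=203.0.113.9
09:00:06 OK user=frank src=203.0.113.9
09:01:00 FAIL user=alice src=198.51.100.7
09:01:01 FAIL user=alice src=198.51.100.7
09:01:02 FAIL user=alice src=198.51.100.7
09:01:03 FAIL user=alice src=198.51.100.7
09:01:04 FAIL user=alice src=198.51.100.7
09:02:00 FAIL user=bob src=192.0.2.44
09:02:30 OK user=bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_events(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["result"], m["user"], m["src"]

def classify_sources(log_text, fail_threshold=5, spray_users=4):
    """Per source IP: 'spray' (failures spread over many usernames, each staying
    under the per-account lockout), 'bruteforce' (failures piled on one user), 'normal'."""
    failed_users = defaultdict(list)
    for result, user, src in parse_events(log_text):
        if result == "FAIL":
            failed_users[src].append(user)
    verdicts = {}
    for src, users in failed_users.items():
        if len(users) < fail_threshold:
            verdicts[src] = "normal"
        elif len(set(users)) >= spray_users:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "bruteforce"
    return verdicts

def successes_from_attackers(log_text):
    """Accounts that logged in OK from a flagged source: reset these first."""
    flagged = {s for s, v in classify_sources(log_text).items() if v != "normal"}
    return {(src, user) for result, user, src in parse_events(log_text)
            if result == "OK" and src in flagged}
```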
27. Offline Password Attacks
28. Got Hash?
SQL Injection Attacks:
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
Source: Wikipedia
29. Hashkiller.com
30. Cracking Passwords
31. Offline password cracking
A wide number of tools & techniques available:
Rainbow tables
Dictionary attacks
Various hybrid/logical attacks
Bruteforce
Time is on your side!
32. Rainbow Tables (wikipedia)
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ salt to make this attack infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman that used the inversion of hashes by looking up precomputed hash chains.
33. Rainbow Tables available:
Freerainbowtables.com (99.9% hit rate)
LM/NTLM, MD5, SHA-1, HALFLMCHALL
CPU/GPU generation, CPU cracking (for now)
Project-rainbowcrack.com
LM/NTLM, MD5, SHA-1 (CPU/GPU)
Cryptohaze.com
MD5, NTLM
(Full US charset, chain length 200k, GPU only!)
34. lm_lm-frt-cp437-850#1-7_20000
Windows LM passwords length 1-14
566Gb (1400+ files) table set; charset coverage:
35. ntlm_mixalpha-numeric#1-8_40000
Windows NTLM Mixalpha_numeric_1-8
453Gb, covers A-Z, a-z, 0-9
36. Hybrid Rainbow tables
ntlm_hybrid2(alpha#1-1,loweralpha#5-5,loweralpha-numeric#2-2,numeric#1-3)
is currently being finished by freerainbowtables.com
With more to come!
37. Hybrid attacks
John the Ripper (JtR)
www.openwall.com/john/
Hashcat family (lite, plus, ocl)
Hashcat.net
Cain & Abel
www.oxid.it

And many, many more!
38. Bruteforce
Bruteforcing is increasingly hard to do;
Graphics Processing Units (GPUs) to the rescue!
39. Password Statistics
Time to show some cool/interesting/boring numbers!
40. Password Resets
41. Storing passwords
"I'm using MD5, so I'm safe."
Response from a web application developer after I talked about storing passwords in cleartext being a bad idea.
42. Thomas Ptacek
Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
43. Lastpass.com
Source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html
44. Chris Lyon
SHA-512 w/ per User Salts is Not Enough
http://cslyon.net/2011/05/10/sha-512-w-per-user-salts-is-not-enough/
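Slides 32 and 41-44 make one argument: an unsalted fast hash falls to a precomputed table, a per-user salt kills the table but not the guessing rate, and only a slow, memory-hard KDF fixes the rate. The Python below is an added example, not from the presentation or any of the linked posts; the scrypt parameters and the sample wordlist are this example's assumptions.

```python
import hashlib
import hmac
import os

# The "I'm using MD5, so I'm safe" scheme from slide 41: one fast, unsalted digest.
def store_md5(password):
    return hashlib.md5(password.encode()).hexdigest()

def verify_md5(password, stored):
    return hmac.compare_digest(store_md5(password), stored)

def lookup_unsalted(stored_hashes, wordlist):
    """Why slide 32's precomputed tables work against store_md5: one digest per
    candidate word, built once, reverses every account that chose that word.
    Returns {stored_hash: word} for the hits."""
    table = {store_md5(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}

# Hardened form: per-user random salt plus a memory-hard KDF (scrypt). These
# parameters are an assumption of this example, not from the slides: n=2**14,
# r=8 costs 16 MiB and tens of milliseconds per guess, so each guess is slow
# AND a table built for one user's salt is useless against every other user.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def store_scrypt(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: parameters can be raised later while old
    # records still verify with the values stored beside them.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_scrypt(password, stored):
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two users with the same password get identical store_md5 output (one table hit reveals both) but different store_scrypt records, and there is no table-building equivalent of lookup_unsalted for the scrypt form.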
45. Bypassing Password Security
46. Bypassing Password Security
Microsoft Windows Pass-the-Hash attacks
Microsoft Windows Pass-the-Ticket attacks
Forensic toolkits
Passware bypassing Microsoft Bitlocker
Elcomsoft EPPB
Smartphone (in)security
47. Pass-the-Hash / Pass-the-Ticket
Windows Credentials Editor v1.2:
http://www.ampliasecurity.com/research.html
Scenario description:
Eve just started in Alice's company. Bob, the domain admin guy, gives you your brand new laptop, ready to use. You have local admin rights. Bob's login credentials are cached on your computer. Extract, send credentials (username + hash value), get access.
48. Passware Kit Forensic
vs Microsoft Bitlocker:
Live memory dump from target system using Firewire, utilizing Direct Memory Access. Search dump, get decryption keys, get access.
Remove disk from hibernated computer. Physical memory is written to disk, parts of it unencrypted. Search and find decryption keys, mount volume, get access.
Video demonstration:
http://ftp.ii.uib.no/pub/passwords10/Passware_at_Passwords10.mp4
49. Corporate Android Security
Android devices: no hardware encryption
Nitro software: software encryption
But only for Microsoft ActiveSync data
(Mail, Calendar, Contacts)
Samsung Galaxy S II
Hardware device encryption
90% of all MS ActiveSync policies supported
Not even Microsoft does that!
50. Corporate iOS Security
51.
52.
53. Corporate iOS Security
AES hardware device encryption is good, but..
iTunes configuration issues
Frequent updates (Quicktime + Safari + iTunes)
Backup password protection
Hardware device has password-protect flag
Without password protection:
Device-specific encryption key is used to protect keychain
Almost all other data available unencrypted in backup
54. Elcomsoft, Tuesday, May 24th:
http://www.prweb.com/releases/iPhone/forensics/prweb8470927.htm
55. Password Usability
56. NorSIS / nettvett.no (Norway)
57. Password Usability
Minimum/Maximum Length
Complexity requirements
Password History
Change Frequency
Lost Password (Password Reset)
Reauthentication (BankID)
Single Sign-On
58. Usability vs Security
Minimum/Maximum Length
Complexity requirements
Password History
Change Frequency
Lost Password (Password Reset)
Reauthentication (BankID)
Single Sign-On
Use passphrases / implement support for it!
Length = complexity
Pattern detection
Window of opportunity
VERY hard to do in real-life environments!
Dear mom
Good idea, but
59. Recommendations
60. My User Recommendation:
Use a normal sentence as your password.
Change it when you think it is necessary.
61. My Policy Recommendation:
Use a normal sentence as your password.
It must be changed every 13 months.
62. Technical Recommendation
Has to be a little more complex than the previous slides, but:
Do NOT tell your end-users or others about the actual rules implemented!
Provide useful feedback when passwords are rejected
Do 100% technical implementation of written policy
SSO: store password hashes at the strongest system
63. Dynamic Prevention of Common Passwords
Some websites have static lists of forbidden (common) passwords
Can be found & documented (Twitter)
Does not provide better security
Easily circumvented (blocking bad passwords is hard!)
64. Dynamic Prevention of Common Passwords
My suggestion:
A custom DLL for Windows. It receives a user's requested password. Check against rules (length, complexity, history etc).
If OK, then hash and store hash with counter = 1
DLL config has a threshold value
Any given password can only exist on X accounts at the same time
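The counter scheme of slides 63-64, with the feedback rule of slide 62, modelled in Python as an added example (not the speaker's DLL, and not Windows password-filter code). One assumption is added that the slides do not state: the counter is keyed by an HMAC under a secret held only by the filter, so a leaked counter table is not a bare unsalted hash list; the account's own login hash (salted, slow KDF) lives elsewhere.

```python
import hashlib
import hmac
from collections import Counter

class PasswordPrevalenceFilter:
    """Count how many accounts currently hold each password and refuse a
    password once that count reaches the configured threshold."""

    def __init__(self, secret, threshold=3, min_length=15):
        self.secret = secret            # assumption: filter-only HMAC key
        self.threshold = threshold      # slide 64's "X accounts at the same time"
        self.min_length = min_length
        self.counts = Counter()         # hmac key -> accounts holding that password
        self.current = {}               # account -> hmac key of its present password

    def _key(self, password):
        # Keyed, so the table cannot be reversed with a plain hash table.
        return hmac.new(self.secret, password.encode(), hashlib.sha256).hexdigest()

    def check_rules(self, password):
        # Static rules (length, complexity, history); only length is modelled here.
        return len(password) >= self.min_length

    def set_password(self, account, password):
        """Return (accepted, feedback). The feedback helps the user without
        disclosing the threshold or the live counts (slide 62)."""
        if not self.check_rules(password):
            return False, "too short: use a normal sentence"
        key = self._key(password)
        old = self.current.get(account)
        if key == old:
            return False, "password unchanged"
        if self.counts[key] >= self.threshold:
            return False, "too common: already in use by too many accounts"
        if old is not None:
            self.counts[old] -= 1       # the account gives up its previous password
        self.counts[key] += 1
        self.current[account] = key
        return True, "ok"
```

Because the count is decremented when an account moves on, a password that was blocked can become acceptable again later, which is what makes the list dynamic rather than a static blocklist.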
65. Thank you!
And do not forget: Passwords^11, June 7-8, UiB, Bergen.
2 days, only about passwords.