OK let me preface this by saying this: I absolutely hate password
hints and secret questions. Generally speaking anything you put in there
can be found by friending someone on facebook, a quick google or simply
guessing. They are the epitome of a bad idea, sure they have some use.
If you forget your password the hint if constructed correctly could
remind you and only you, however most people don't understand this.
If
it is a secret question an answer, where the question is predefined
such as mothers maiden name, it can take a few guesses (smith anyone),
or a quick google.com search and you will have it. Everything else is
trivial, and this was how Sarah Palin's yahoo email account was
humorously compromised back in 2008.
Forgetting all that, adobe gave us another insight as to why it is bad.
I
know a lot has been said about adobe, including the excellent (although
conservative number of users impacted) article by Brian Krebs here.
But there is something else that needs to be learnt from this breach.
Sure
your password hint could be terrible but maybe the web application logs
someones IP when they go to that for later alerting etc if a bad guy
does compromise the account. But what if the DB gets walked, and all
those juicy password hints or secret questions and answers are stored in
plain text... then you have a problem even if you correctly store you
passwords (which adobe didn't).
So lets say you do
correctly store your password as a per-user salted sha1+ hash, good, but
now you allow users to have a password hint like adobe. When someone
has their password hint as their password in another language then they
fail very quickly. For example (this is not a real entry, but made to
look like one from the adobe breach);
78114563-|--|-notreal@fakedomain.com-|-BsscHGd8aIjiwxG2CaWrHSw==-|-Gato x3|--
If we forgive the obviously non-hashed password in the 4th column, we see
in the last column the password hint is simply Gato x3, or you know
maybe Cat typed out three times. So even if this entry had an
irreversible hashed password, the hint would give it all away if the DB
where accessed.
Maybe they should instead store their hint as a reversible encrypted string
with an individual key for each user. This would mean the server when
the user wants to use their password hint would look up the key from the
internally accessible internal key server for the username and decrypt
the hint. It would mean if the db is walked via an SQL injection or
direct attack they aren't necessarily going to get the keys to decrypt
the password hint. For a secret question and answer, you should salt and
hash the answer and if you are using user defined questions you should
encrypt those too just to reduce what is leaked...
Using an encrypted password with the same decryption key for all users or using an unsalted hash means that the resulting password string whether it is BsscHGd8aIjiwxG2CaWrHSw== or 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 will be the same across all users meaning if you break one you break them all. The same goes for your "password hint" or "secret question and answer", should people take my advice and start encrypting them.
Of course all of this only works if you care about security. If you aren't
going to hash your passwords. Or worse store them in plain text as Cupid Media did, then you probably don't care about users password hints, and will probably store them in plain text.
Realistically no-one has any excuse now, google authenticator for two factor has been
open sourced, OpenID, SAML can be used to authenticate you to a central
store and then you are done, like UbuntuForums did, post their breach, move to UbuntuOne the openID provider. People like adobe should really switch to
one of these, to reduce their authentication load. The users should be forced at these central providers to
2-factor auth. If you forget your password at one of these central
providers then you have a convoluted way to retrieve it via out of band
identification, via either partnership with a bank or other multi-vendor approach, eg go into these news agencies and show 100 points of ID to get your password reset.
My point I am trying to make
is this, if it is used for authentication it should be encrypted,
preferably and sufficiently strong hash (SHA1 or greater) that is salted. Nothing but the username and row ID of
your authentication table should be plain text. It is only a matter of
time before these passwords in the 10gb adobe database are broken and
the key used to decrypt them is found, if it hasn't happened already.
Add these ~130million adobe accounts with the 42million from the Cupid Media and I think we should
declare this month, change password November, I know the few sites that used the same password as my account on adobe have now all been changed, have yours? If you use the same password everywhere, then now is the time to look at keepass or lastpass to store your single use passwords in a manner that allows for your protection. Heck even Google's Chrome and Firefox have built in password managers with cloud sync and encryption, so there really is no excuse.
I am doing a CTF for some peeps, thought I'd put this here to be searchable.. these are the real sums of these phrases;
2D579CD75056723657B8FA68FA6626C245CD362030159965EFBDF41DA2D67ADF:redherring
86DB5B1C2D9C1854FE5B80318FBC806C53EDD2C5DBABAFA42CC909A867AE3E21:RedHerring
BC1A7086C334A3C3E2AC638DF4C82A58DEBC6CF2DAF05C4B1D17E9896BC69908:red herring
Or check it here; https://passwordsgenerator.net/sha256-hash-generator/ or on your bash shell with echo -n redherring | sha256sum
Showing posts with label exfiltration. Show all posts
Showing posts with label exfiltration. Show all posts
Monday, 25 November 2013
Thursday, 19 January 2012
Easy data exfiltration
I had this thought last night as I was falling to sleep, and I realise it has probably already been talked about but I will explain how easy it is to do and how hard it is for existing detections to detect.
So my idea is basic data exfiltration via DNS lookups. Say you are sitting on an internal machine, you logged on as a local user through some exploit via boot disk or what not. You probably don't have internet access and you can't install a tunnelling tool, you don't want to set off the local HIDS of the machine by plugging in an unknown USB stick, so what do you do?
Well if you already have a DNS server running on a server you control, pre-setup for something like DNS tunnelling, or just legitimately resolving your own domains. Now your existing DNS server you need to turn on verbose logging for one of your subdomains, this is pretty easy to do on BIND or even in Windows's DNS server. Then simply encode from the local machine anyway you want, or if you can't encode it don't and just do an nslookup data.sub.mydomain.com, bear in mind the whole lookup can't be longer than 255 characters and the subdomain can be 63 characters tops, if you need to use some special characters then you will need to either encode in base32 or use some system in your head.
Mitigation: Do your client machines really need to resolve every site, surely they are going through a proxy or application aware firewall that can do the DNS lookups for them. The issue of course with this is most networks now use DNS to resolve internal services, and usually the DNS servers that service these requests are allowed to go to the internet in some way, and the proxies or firewalls refer back to these internal DNS servers as they would also point to resources the proxies need like authentication. The only suggestion then is to more finely split your DNS server infrastructure up. Specific internal DNS servers that are allowed to do lookups to both the internal DNS servers and the wider internet, but the only device internally that is allowed to these is the proxy server. Of course depending on the way your proxy server works it may not wait for the client to be authenticated before it does a lookup so the lookups could simply be proxied through the compromised machines web browser that is connected to the proxy.
So my idea is basic data exfiltration via DNS lookups. Say you are sitting on an internal machine, you logged on as a local user through some exploit via boot disk or what not. You probably don't have internet access and you can't install a tunnelling tool, you don't want to set off the local HIDS of the machine by plugging in an unknown USB stick, so what do you do?
Well if you already have a DNS server running on a server you control, pre-setup for something like DNS tunnelling, or just legitimately resolving your own domains. Now your existing DNS server you need to turn on verbose logging for one of your subdomains, this is pretty easy to do on BIND or even in Windows's DNS server. Then simply encode from the local machine anyway you want, or if you can't encode it don't and just do an nslookup data.sub.mydomain.com, bear in mind the whole lookup can't be longer than 255 characters and the subdomain can be 63 characters tops, if you need to use some special characters then you will need to either encode in base32 or use some system in your head.
Mitigation: Do your client machines really need to resolve every site, surely they are going through a proxy or application aware firewall that can do the DNS lookups for them. The issue of course with this is most networks now use DNS to resolve internal services, and usually the DNS servers that service these requests are allowed to go to the internet in some way, and the proxies or firewalls refer back to these internal DNS servers as they would also point to resources the proxies need like authentication. The only suggestion then is to more finely split your DNS server infrastructure up. Specific internal DNS servers that are allowed to do lookups to both the internal DNS servers and the wider internet, but the only device internally that is allowed to these is the proxy server. Of course depending on the way your proxy server works it may not wait for the client to be authenticated before it does a lookup so the lookups could simply be proxied through the compromised machines web browser that is connected to the proxy.
Subscribe to:
Posts (Atom)