Archive for the 'Computer Security' Category

The Kaminsky Bug

Monday, December 22nd, 2008

Chad’s News previously mentioned the DNS security hole now known as the Kaminsky Bug. The linked article has more information about the discovery and revelation of the bug.

Link: http://www.wired.com/…
(via Slashdot)

There is No Such Thing as Wireless Security

Saturday, November 1st, 2008

Chad’s News has previously discussed the use of graphics cards to solve problems that can be broken into pieces and processed in parallel. Elcomsoft has jumped on this wagon and added GPU processing to its Distributed Password Recovery software, specifically for the WPA and WPA2 wireless formats (among others). According to this article, using two high-end graphics cards will decrease the computation time by a factor of 100. The linked article doesn’t give actual times for breaking encryption, but it does imply that brute force attacks can be successful—the web site says, “Recover the most complex passwords and strong encryption keys in realistic timeframes.”

Home users probably do not need to worry about people hacking into their wireless networks with this tool, because it should take significant resources to successfully break the encryption. I see it being used for things like industrial espionage, government spying, homeland security, crime forensics, etc.

The core lesson of this article is that it’s getting easier for a determined attacker to discover passwords and encryption keys. So beware.

Link: http://www.elcomsoft.com/…
(via Engadget)

Update: Ars Technica has specific information on the actual amount of time required to crack a password. For eight-character, lowercase, non-dictionary words, we’re looking at about a week.

Spoofing a MAC Address

Thursday, September 25th, 2008

These days, nearly every network adapter has an associated number called a MAC address. This number is (almost always) unique and is defined in the network card hardware—making it permanent and unchangeable. Thus one aspect of wireless network security is to only allow access to devices with specific MAC addresses. And while this is a good practice, it will not keep out a determined hacker. Despite what I wrote above, MAC addresses can be easily spoofed at the operating system level. The linked article explains how to do it in Windows. This is another reason why there is no such thing as total network security without encryption (and even then, it has to be the right type of encryption).

Link: http://www.online-tech-tips.com/…
(via Lifehacker)

How Sarah Palin’s Email Was Hacked

Saturday, September 20th, 2008

Vice-presidential candidate Sarah Palin’s Yahoo! email account was taken over by a hacker. Authorities believe the hacker was able to find enough information about Mrs. Palin in the public domain that he could ask for a password reset and answer the “secret questions.” Unfortunately for him, however, he wasn’t as good at covering his tracks as he was at hacking.

Link #1: http://news.bbc.co.uk/…
(via Kim Komando)

Link #2: http://www.computerworld.com/…
(via Kim Komando)

Another Huge Internet Security Hole

Thursday, September 4th, 2008

The linked article just reinforces the fact that there is no privacy on the internet. Should you want to transfer sensitive information over an internet connection, make sure it’s encrypted. (Although if you live in the UK, that may not be sufficient. Even here in the USA, with the Fifth Amendment, the government is trying to force a criminal defendant to disclose his encryption passphrase.)

Link: http://blog.wired.com/…
(via Slashdot)

DNS Cache Poisoning Exploit is “in the Wild”

Sunday, August 10th, 2008

In an update to this Chad’s News post, the exploit is now “in the wild”. There is a “DNS Checker” test to determine whether or not your DNS servers are vulnerable. If so, complain loudly and frequently to your ISP. Since fixing this vulnerability also requires a client-side update (e.g., on your personal PC, Mac, etc.), it would also be a good idea to make sure you’ve installed the appropriate update.

Link: http://arstechnica.com/…

Update #1: According to this article, Apple has not created patches for its operating systems. The article also briefly explains how the exploit works. I don’t think the lack of patches for OS X is that big of a deal—there can’t be that many people/companies that use Macs as DNS servers.

Update #2: Apple has released patches.

Update #3: Turns out that even with the patches, this problem can still be exploited. This is bad, because if your ISP’s DNS servers are hacked, there is nothing you can do about it and you most likely won’t even know it’s happened.

An Important Windows Update (or Not)

Wednesday, July 9th, 2008

Earlier this year a security researcher found a previously unknown and far-reaching security hole in the Domain Name System (DNS). As far as I can tell, it’s not a bug in a specific DNS implementation but rather an issue with the actual DNS specification. It’s a form of DNS cache poisoning, which is pretty much impossible for the end user to detect or guard against and which we’ve discussed previously here at Chad’s News. Yesterday, a large coalition of vendors released a simultaneous patch for all of their products. Details about the vulnerability are sparse, as the security experts are waiting a month before giving out the specifics. What I found surprising was that both the DNS servers (usually hosted by ISPs) and the DNS clients (e.g., end-user PCs) require patches.

It’s recommended that everyone apply the appropriate updates. For Windows users, this means doing a Windows Update. But be careful. The Microsoft DNS patch conflicts with the ZoneAlarm firewall and will block all internet access if you have both installed at the same time. The exploit does not yet exist in the wild, so it will probably be okay to delay the updates for a few days while Microsoft and ZoneAlarm get their act together.

Link: http://securosis.com/…
(via Slashdot)

The Top 10 Most Common Passwords

Sunday, June 29th, 2008

The linked article lists the top 10 most common passwords. I remember that, some time ago, there was a virus that used a dictionary attack, with only a few hundred common passwords. Despite the limited number, it was surprisingly successful.

Link: http://www.mentalfloss.com/…

A New Strain of Ransomware

Sunday, June 15th, 2008

Ransomware is malicious software that encrypts your computer files, say via a virus, and then demands you pay money to get them unencrypted. There’s a new strain of a virus that’s doing this, and it’s in the wild. Fortunately the encryption key is only 1024 bits, which means it’s susceptible to a brute-force algorithm (see a related Chad’s News article).

Link: http://blog.washingtonpost.com/…
(via digg)

Web Servers Stolen, Not Hacked

Saturday, May 10th, 2008

We spend so much time and energy dealing with hackers attempting to take over our computers that it’s easy to forget about the physical theft of server hardware. As the linked article asks, “How secure is your data center?”

Link: http://hardware.slashdot.org/…

Are CAPTCHAs On The Way Out?

Thursday, April 24th, 2008

You’ve seen CAPTCHAs, even if you’re not familiar with the word. They’re those pictures with distorted words that you have to enter when registering or posting on some sites. It’s supposed to ensure that it’s a real, live human performing the input, instead of some sort of ‘bot. Well, the ‘bots are getting good at reading CAPTCHAs—so good that they can average one valid guess per minute on Windows Live Hotmail. This makes CAPTCHAs fairly useless, and I expect to see them get phased out for something better (whatever that may be). Chad’s News uses an arithmetic entry for anonymous comment submission, but even this has not stopped some spammers.

Link: http://arstechnica.com/…

Adobe Flash Player Update

Saturday, April 12th, 2008

Adobe has posted a fairly important update to its Flash player. You can download it from this link. (I’m not totally sure about this, but it appears that Firefox users on Microsoft Windows may need to install it twice: once under Firefox and once under Internet Explorer.)

Link: http://www.computerworld.com/…