Turbo-charged cracking comes to long passwords

August 27, 2013 – 1:45 PM

For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It’s an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.

Until now, ocl-Hashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes, has limited guesses to 15 or fewer characters. (oclHashcat-lite and Hashcat have supported longer passwords, but these programs frequently take much longer to work.) Released over the weekend, ocl-Hashcat-plus version 0.15 can generally accommodate passwords with lengths of 55 characters. Depending on the hash that’s being targeted and the types of cracking techniques being used, the maximum can grow as high as 64 characters or as low as 24. The long sought-after improvement targets one of the last remaining defenses people employ to make their passwords resistant to cracking.

“This was by far one of the most requested features,” Jens Steube, the lead Hashcat developer who also goes by the handle Atom, wrote in the release notes for the new version. “We resisted adding this ‘feature’ as it would force us to remove several optimizations, resulting in a decrease in performance for most algorithms. The actual performance loss depends on several factors (GPU, attack mode, etc.), but typically averages around 15 percent.”

As leaked lists of real-world passwords proliferate, many people have turned to passwords and passphrases dozens of characters long in hopes of staying ahead of the latest cracking techniques. Crackers have responded by expanding the dictionaries they maintain to include phrases and word combinations found in the Bible, common literature, and in online discussions. For instance, independent password researcher Kevin Young recently decoded one particularly stubborn hash as the cryptographic representation of “thereisnofatebutwhatwemake.” Such cracks are known as “offline attacks” because they target the hashes leaked as a result of a database compromise, allowing the person who recovers the hashes to try an unlimited number of guesses until the correct plaintext passwords are found. Once the underlying credentials are revealed, a hacker can use them to compromise the online account they secure.

Yiannis Chrysanthou, a security researcher who recently completed his MSc thesis on modern password cracking, was able to crack the password “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1.” That’s the fictional occult phrase from the H.P. Lovecraft short story The Call of Cthulhu. It would have been impossible to use a brute-force attack or even a combined dictionary to crack a phrase of that length. But because the phrase was contained in this Wikipedia article, it wound up in a word list that allowed Chrysanthou to crack the phrase in a matter of minutes.
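The two cracks above make the same point: once a phrase exists in a public text, it is in somebody's word list, and the cracker needs only (list size × rule count) guesses no matter how many characters it has. The following is an added example, not code from the article or from Hashcat, of a registration-time check that applies that lesson from the defender's side. The phrase list, the rule count and the function names are constructed for this example; a real deployment would load a far larger corpus of harvested phrases.

```python
import math
import re
import unicodedata

# Constructed stand-in for the phrase lists the article describes: passages
# harvested from the Bible, literature and web pages. Three entries are enough
# to show the mechanism.
PUBLIC_PHRASES = [
    "there is no fate but what we make",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "in the beginning god created the heaven and the earth",
]

# Assumed number of mangling rules a cracker applies per base phrase
# (as-is, capitalised, ten digit suffixes). Constructed for the example.
RULE_COUNT = 12

PRINTABLE_ASCII = 95  # alphabet size used for the brute-force comparison


def normalize(text):
    """Collapse the cosmetic variation that cracker rules undo: case, spacing,
    punctuation, curly vs straight apostrophes, accents, and a trailing digit suffix.
    Both the stored phrases and the candidate go through the same function."""
    text = unicodedata.normalize("NFKD", text).lower()
    text = re.sub(r"[^a-z0-9]", "", text)
    return re.sub(r"\d+$", "", text)


PHRASE_INDEX = {normalize(p) for p in PUBLIC_PHRASES}


def bruteforce_bits(length, alphabet=PRINTABLE_ASCII):
    """Work an exhaustive search would face for a password of this length."""
    return length * math.log2(alphabet)


def passphrase_risk(candidate):
    """Contrast the nominal brute-force cost of a candidate with the cost an
    offline attacker actually pays when the phrase is in a public list."""
    listed = normalize(candidate) in PHRASE_INDEX
    nominal = bruteforce_bits(len(candidate))
    # A listed phrase falls within list size × rules guesses, regardless of length.
    effective = math.log2(len(PHRASE_INDEX) * RULE_COUNT) if listed else nominal
    return {
        "length": len(candidate),
        "bruteforce_bits": round(nominal, 1),
        "in_public_phrase_list": listed,
        "effective_bits": round(effective, 1),
    }


def accept_passphrase(candidate, min_length=16):
    """Registration-time policy: long enough, and not a known public phrase."""
    risk = passphrase_risk(candidate)
    return risk["length"] >= min_length and not risk["in_public_phrase_list"]


if __name__ == "__main__":
    for sample in (
        "Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1",  # from the article
        "thereisnofatebutwhatwemake",                            # from the article
        "fourteen tomato gliders argue softly",                  # constructed
    ):
        print(accept_passphrase(sample), passphrase_risk(sample))
```

The check deliberately normalizes before comparing: a cracker's rule set strips the same spaces, punctuation and trailing digits, so a policy that only compared the raw string would pass “fhtagn1” while rejecting “fhtagn”. The `effective_bits` figure is what to show a user who asks why a 50-character phrase was refused.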

Source:
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

Hackers Target Java 6 With Security Exploits

August 27, 2013 – 8:11 AM

Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks.

That alert came via F-Secure anti-malware analyst Timo Hirvonen, who reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code. The Java runtime environment (JRE) bug (CVE-2013-2463) was publicly revealed when Oracle released Java 7 update 25 in June 2013, which remains the most recent version of Java.

“PoC for CVE-2013-2463 was released last week, now it’s exploited in the wild,” tweeted Hirvonen. “No patch for JRE6 … Uninstall or upgrade to JRE7 update 25.” He added, “At least [the] Neutrino exploit kit seems to have added [an] exploit for [the vulnerability].”

The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that were exploiting Java vulnerabilities to install ransomware on victims’ PCs, freezing them until users paid a fine that was supposedly being levied by the FBI and other law enforcement agencies. According to security vendor AVG, Neutrino exploit kit attacks have spiked in the last few days.

Source:
http://www.informationweek.com/security/vulnerabilities/hackers-target-java-6-with-security-expl/240160443

Orbit Downloader hacked, turns users into DDoS bots

August 23, 2013 – 5:03 AM

Denial of service attack capabilities have been found in popular media program Orbit Downloader.

The Windows program integrates into web browsers; it had been downloaded more than 1.5 million times from the download site Softpedia and 18,000 times in the last month alone from rival Softonic. It was still available for download on both sites.

But Eset researchers led by Aryeh Goretsky said the program appeared to have been compromised since late 2008 – infecting users from December last year – with a script that turned user machines into zombie nodes for distributed denial of service (DDoS) attacks.

“Given the age and the popularity of Orbit Downloader means that the program might be generating gigabits or more of network traffic, making it an effective tool for DDoS attack,” Goretsky said in a post.

“Sometime between the release of version 4.1.1.14 and version 4.1.1.5, an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader.

Source:
http://www.scmagazine.com.au/News/354448,orbit-downloader-hacked-turns-users-into-ddos-bots.aspx

Court rules that IP cloaking to access blocked sites violates law

August 20, 2013 – 5:08 AM

Disguising an IP address or using a proxy server to visit Web sites you’ve been banished from is a violation of the Computer Fraud and Abuse Act, a federal judge has ruled.

U.S. District Court Judge Charles R. Breyer for the Northern District of California issued the ruling Friday in a copyright infringement lawsuit between Craigslist and data harvester 3Taps. The dispute began in July 2012 when Craigslist sent a cease-and-desist letter to apartment listing app PadMapper, claiming it was violating the site’s terms of service by scraping apartment rental information from the online classifieds site.

PadMapper complied and took the listings down before 3Taps provided a workaround. Craigslist soon filed a copyright claim against 3Taps and PadMapper, which displays and links listings, found on Craigslist and other services, on a Google map. 3Taps countersued, claiming that Craigslist was trying to create a monopoly by squeezing out competition in the growing market.

Craigslist blocked the Internet Protocol addresses associated with 3Taps, but the data harvester continued to scrape data off Craigslist by concealing its identity with different IP addresses and proxy servers. Craigslist argued that the 3Taps’ subterfuge violated the CFAA, which prohibits the intentional access of a computer without authorization that results in the capture of information from a protected computer.

Source:
http://news.cnet.com/8301-1023_3-57599275-93/court-rules-that-ip-cloaking-to-access-blocked-sites-violates-law/

Visualization of Information Security

August 19, 2013 – 7:33 PM

Here is the picture that I often reference when talking about information security.

[Image: security]