[opensuse] Ubuntu Forum hacked
The Ubuntu Forum was hacked a couple of days ago- http://ubuntuforums.org/announce.html which led to a discussion about how secure Linux actually is. A question arises in my mind is: how vulnerable are our mailing lists/forum(s) seeing as how openSUSE MLs are also using vBulletin (an earlier version than the Ubuntu one, BTW). More discussion led to this URL- http://www.ubuntu.com/usn/ With regards to this last URL, how does openSUSE fair? I just looked at the archive for opensuse-security mail list (and subscribed to it) but for the month of July only see some fixes to what appear to be apps from 'third parties'. Is openSUSE 'watertight'? :-) BC -- Using openSUSE 12.3, KDE 4.11.0 & kernel 3.10.1-3 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel Corsair "Vengeance" RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX550Ti 1GB DDR5 GPU -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 23/07/13 15:46, Basil Chupin wrote:
The Ubuntu Forum was hacked a couple of days ago-
http://ubuntuforums.org/announce.html
which led to a discussion about how secure Linux actually is.
A question arises in my mind is: how vulnerable are our mailing lists/forum(s) seeing as how openSUSE MLs are also using vBulletin (an earlier version than the Ubuntu one, BTW). More discussion led to this URL-
With regards to this last URL, how does openSUSE fair? I just looked at the archive for opensuse-security mail list (and subscribed to it) but for the month of July only see some fixes to what appear to be apps from 'third parties'.
Is openSUSE 'watertight'? :-)
BC
Correction to the above: I meant to write "as how openSUSE forum(s) are also using vBulletin....". Sorry about that. BC -- Using openSUSE 12.3, KDE 4.11.0 & kernel 3.10.1-3 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel Corsair "Vengeance" RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX550Ti 1GB DDR5 GPU -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----Original Message----- From: Basil Chupin <blchupin@iinet.net.au> To: opensuse@opensuse.org Subject: Re: [opensuse] Ubuntu Forum hacked Date: Tue, 23 Jul 2013 15:50:04 +1000 On 23/07/13 15:46, Basil Chupin wrote:
The Ubuntu Forum was hacked a couple of days ago-
http://ubuntuforums.org/announce.html
which led to a discussion about how secure Linux actually is.
A question arises in my mind is: how vulnerable are our mailing lists/forum(s) seeing as how openSUSE MLs are also using vBulletin (an earlier version than the Ubuntu one, BTW). More discussion led to this URL-
With regards to this last URL, how does openSUSE fair? I just looked at the archive for opensuse-security mail list (and subscribed to it) but for the month of July only see some fixes to what appear to be apps from 'third parties'.
Is openSUSE 'watertight'? :-)
BC
Correction to the above: I meant to write "as how openSUSE forum(s) are also using vBulletin....". Sorry about that. -----Original Message----- Hi Basil, Don't think a lot of people _here_ can tell you about the (security-)backgrounds of the openSUSE-forums... With linux/bsd in general, the weakest link remains PEBKAC: If you don't apply, or even disable, security measures, or don't keep your system up-2-date, you deliberately increases the always remaining risc. Regarding sles/opensuse, openbsd specifically, they have a better reputation regarding security. Having said that, i am aware that certain packages (mainly web CMS's) have a history of also increasing the risk of being defaced ;-) If you publically use powerful tools (ploone, joomla, typo, java, etc ) you have to follow their security announcements constantly, or it will be used against you.... hw -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, 23 Jul 2013 09:39:28 +0200, Hans Witvliet wrote:
Don't think a lot of people _here_ can tell you about the (security-)backgrounds of the openSUSE-forums...
To my knowledge, I'm probably the only one outside TAG who understands the configuration pretty well (I used to manage the NNTP servers - alongside the guys who managed the web forums - before the openSUSE forums were created, and the configuration is more or less the same as it was at the time I did) :) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 23/07/13 17:39, Hans Witvliet wrote:
-----Original Message----- From: Basil Chupin <blchupin@iinet.net.au> To: opensuse@opensuse.org Subject: Re: [opensuse] Ubuntu Forum hacked Date: Tue, 23 Jul 2013 15:50:04 +1000
On 23/07/13 15:46, Basil Chupin wrote:
The Ubuntu Forum was hacked a couple of days ago-
http://ubuntuforums.org/announce.html
which led to a discussion about how secure Linux actually is.
A question arises in my mind is: how vulnerable are our mailing lists/forum(s) seeing as how openSUSE MLs are also using vBulletin (an earlier version than the Ubuntu one, BTW). More discussion led to this URL-
With regards to this last URL, how does openSUSE fair? I just looked at the archive for opensuse-security mail list (and subscribed to it) but for the month of July only see some fixes to what appear to be apps from 'third parties'.
Is openSUSE 'watertight'? :-)
BC
Correction to the above: I meant to write "as how openSUSE forum(s) are also using vBulletin....". Sorry about that.
-----Original Message----- Hi Basil, Don't think a lot of people _here_ can tell you about the (security-)backgrounds of the openSUSE-forums...
With linux/bsd in general, the weakest link remains PEBKAC: If you don't apply, or even disable, security measures, or don't keep your system up-2-date, you deliberately increases the always remaining risc.
Regarding sles/opensuse, openbsd specifically, they have a better reputation regarding security.
Having said that, i am aware that certain packages (mainly web CMS's) have a history of also increasing the risk of being defaced ;-) If you publically use powerful tools (ploone, joomla, typo, java, etc ) you have to follow their security announcements constantly, or it will be used against you....
hw Right, and thanks for the info. I am glad that openSUSE has a better reputation re security.
BC -- Using openSUSE 12.3, KDE 4.11.0 & kernel 3.10.3-1 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel Corsair "Vengeance" RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX550Ti 1GB DDR5 GPU -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Basil Chupin said the following on 07/29/2013 09:34 AM:
Right, and thanks for the info. I am glad that openSUSE has a better reputation re security.
Sadly it doesn't seem to work out that way :-( I had lunch last week (does Sushi count as lunch?) with a Ubuntu user who mentioned this. I thought he was Linux-savvy since he's been using Linux for a long while and keeps coming up with ideas about things to do with it. But he seemed unable to differentiate between (a) a Ubuntu specific list as opposed to something like this one, and (b) the security of a list as opposed to the security of Linux and Linux based network enabled applications in general. While I expect this confusion on the part of journalists and the mass media as part of the headline-driven shock-horror style of reporting that seems to be the norm this day, I was very surprised to find this view on the part of someone I thought better able to differentiate the use-cases. But wtf, he was an executive type not a programmer type. So what can we expect of the Moe Sixpack who buys his consumer electronics at Wal-Mart, best Buy or Costco? -- We know not where our dreams will take us, but we can probably see quite clearly where we'll go without them. - Marilyn Grey -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2013-07-23 a las 15:50 +1000, Basil Chupin escribió:
Correction to the above: I meant to write "as how openSUSE forum(s) are also using vBulletin....". Sorry about that.
openSUSE forums use a different password backend than ubuntu's. It uses Novell's identification system as used for bugzilla, wiki, etc. - -- Cheers Carlos E. R. (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) iF4EAREIAAYFAlHuT5sACgkQja8UbcUWM1yAEgD/cFSvS1DCe3oN2z22t15tfiFE g08VbYE3Z/9LK9bpqhsA/iAcxVwT2C42tPXhVXFB3+ht2+SEd2hABziUiuF3SWdS =BPAO -----END PGP SIGNATURE-----
On Tue, 23 Jul 2013 15:46:56 +1000, Basil Chupin wrote:
The Ubuntu Forum was hacked a couple of days ago-
http://ubuntuforums.org/announce.html
which led to a discussion about how secure Linux actually is.
A question arises in my mind is: how vulnerable are our mailing lists/forum(s) seeing as how openSUSE MLs are also using vBulletin (an earlier version than the Ubuntu one, BTW). More discussion led to this URL-
With regards to this last URL, how does openSUSE fair? I just looked at the archive for opensuse-security mail list (and subscribed to it) but for the month of July only see some fixes to what appear to be apps from 'third parties'.
Is openSUSE 'watertight'? :-)
Because we integrate with NetIQ Access Manager, user passwords aren't stored in the vBulletin database. I know the systems used on the back- end, and while I wouldn't describe any system as 100% hack-proof, this one would require some pretty specialized knowledge and access to the identity servers (which are not in the same network). eDirectory is on the back-end, and even if one were to grab the database, it's not a traditional database and the structure is *very* unusual (gives it very high performance for millions - or billions - of identities), so one would have to have knowledge of the internals of the engine. So our passwords are extremely secure. *This* is the advantage of the authentication system we have in place. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 7/23/2013 9:05 AM, Jim Henderson wrote:
eDirectory is on the back-end, and even if one were to grab the database, it's not a traditional database and the structure is *very* unusual (gives it very high performance for millions - or billions - of identities), so one would have to have knowledge of the internals of the engine.
So security by obscurity then? In reality, you get nothing on me from hacking OpenSuse's mail servers that you couldn't get from the headers of every email, except a password that is unique to OpenSuse. Its not like anything of value is store here. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, 23 Jul 2013 10:57:52 -0700, John Andersen wrote:
On 7/23/2013 9:05 AM, Jim Henderson wrote:
eDirectory is on the back-end, and even if one were to grab the database, it's not a traditional database and the structure is *very* unusual (gives it very high performance for millions - or billions - of identities), so one would have to have knowledge of the internals of the engine.
So security by obscurity then?
No, having looked at the engine myself pretty closely, the engine itself also uses very secure algorithms. I wasn't intending to imply that obscurity was the only thing that was there. The data stored in the database (particularly the passwords) are stored using either a well-known strong one-way hash (I forget which one offhand or I'd say), or strong symmetrical encryption algorithms. Far stronger than anything the default vBulletin authentication scheme uses. At a very high level, the structure is *kinda* like XML, but binary (there is a derivative called "XFLAIM" that's more like XML). It's a directory service, and back in the mists of ancient time, when NDS (eDirectory's predecessor) was created, the engineers understood that databases and directories are two different types of data uses, and they designed and leveraged a system that was optimized for directory operations. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
The burning question I have, are they *hosted* on a Windows Server ? -- Duaine Hechler Piano, Player Piano, Pump Organ - Tuning, Servicing & Rebuilding (314) 838-5587 / dahechler@att.net / www.hechlerpianoandorgan.com Home & Business user of Linux - 13 years -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, 23 Jul 2013 13:32:29 -0500, Duaine Hechler wrote:
The burning question I have, are they *hosted* on a Windows Server ?
No, they're hosted on SLES. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, Jul 23, 2013 at 2:20 PM, Jim Henderson <hendersj@gmail.com> wrote:
The data stored in the database (particularly the passwords) are stored using either a well-known strong one-way hash (I forget which one offhand or I'd say), or strong symmetrical encryption algorithms.
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is. If people don't know, a rainbow attack is: Take every possible 3-letter password and encrypt it, then save the encrypted version in a database. Then if you can steal a password database full of encrypted passwords, just do a simple database lookup to find the equivalent 3-letter password. All 3-letter passwords cracked in one fell swoop. Repeat for 4-letter, 5-letter, etc. Rainbow tables can be found pre-built for lots of encryption technologies with 8, 9, 10 or more chars, so no matter how strong the encryption is, short passwords are susceptible to rainbow table attacks. Another problem is the millions of passwords stolen from companies like linked-in. Assume you are a bad guy and you have a database of 20 million unencrypted passwords that have been used by real people. When you build your rainbow tables you might decide: I'll build a table of every possible 7 char or shorter password and also every 8+ char password in my database of 20 million real passwords. I repeat, strong encryption solutions don't prevent rainbow table based attacks UNLESS you use long passwords that nobody else has ever used and been stolen (or decrypted). The decrypted issue is important, because let's assume you use the password "Iloveobamamorethanlife", that's a 22 char password which should be safe, but if someone else used the same password on a system with a weak password, then if it got hacked and the passwords cracked, then it might be in the bad guys database of 20 million known real passwords. Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, 23 Jul 2013 23:14:32 -0400, Greg Freemyer wrote:
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is.
It is if you salt the password, which eDirectory has done for years. Rainbow tables are rendered completely useless by salting the password with an effective algorithm. There are a number of ways to apply salt to a cryptographic function. You could design, for example, a three-way hash that uses the username, password, and (say) the length of the username to generate a hash. I know some older systems do something similar to this to make the hashes less predictable. Others incorporate some sort of time element in (though I've not looked closely at how that actually works). But longer passwords certainly are better for defending against brute force attacks. There /are/ multiple ways to attack a cryptographic system - brute force, dictionary attacks, rainbow tables, and direct attacks on the cryptographic algorithms used are just a few. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2013-07-24 a las 04:48 -0000, Jim Henderson escribió:
On Tue, 23 Jul 2013 23:14:32 -0400, Greg Freemyer wrote:
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is.
It is if you salt the password, which eDirectory has done for years.
Mmmm... very interesting. :-) - -- Cheers Carlos E. R. (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) iF4EAREIAAYFAlHvrJ0ACgkQja8UbcUWM1wRewD/YJ0xvw9POGpgiGikB4fiuzio 5770f6sFDA/bCv5qEZ8A/0Yrz4TbeGSyZorm1fQIUoc2lbZwq0OnUtQYu/Rp8jGZ =wZ29 -----END PGP SIGNATURE-----
Jim Henderson wrote:
But longer passwords certainly are better for defending against brute force attacks. There/are/ multiple ways to attack a cryptographic system - brute force, dictionary attacks, rainbow tables, and direct attacks on the cryptographic algorithms used are just a few.
I get my WiFi passwords from www.grc.com. The keys I get are 64 random character alpha-numeric strings. Years ago, I used to us "ps aux|grep md5sum". -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, Jul 24, 2013 at 12:48 AM, Jim Henderson <hendersj@gmail.com> wrote:
On Tue, 23 Jul 2013 23:14:32 -0400, Greg Freemyer wrote:
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is.
It is if you salt the password, which eDirectory has done for years.
Rainbow tables are rendered completely useless by salting the password with an effective algorithm.
Jim, I should know the answer to this, but if that is true why can so many systems be attacked via rainbow tables? My multiple choice answers (guesses): - They didn't setup a salt value at all - Often in mass produced software like MS Windows, a single salt value is used for the entire install base, so the bad guys can build a rainbow table on one box, but use it millions of places. - Other Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 24 Jul 2013 09:07:49 -0400, Greg Freemyer wrote:
On Wed, Jul 24, 2013 at 12:48 AM, Jim Henderson <hendersj@gmail.com> wrote:
On Tue, 23 Jul 2013 23:14:32 -0400, Greg Freemyer wrote:
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is.
It is if you salt the password, which eDirectory has done for years.
Rainbow tables are rendered completely useless by salting the password with an effective algorithm.
Jim,
I should know the answer to this, but if that is true why can so many systems be attacked via rainbow tables?
My multiple choice answers (guesses):
- They didn't setup a salt value at all
- Often in mass produced software like MS Windows, a single salt value is used for the entire install base, so the bad guys can build a rainbow table on one box, but use it millions of places.
- Other
I don't know for certain, but I know not all crypto systems use salt values. It does increase the complexity of the algorithm, so I'd guess it's a trade-off of different features. I can tell you that for something like BitLocker (which is full disk encryption that comes with certain releases of Windows Vista, and all editions of Windows 7/8), they do use salt in the encryption algorithm. I was recently working on a project for a client where that was germane to the work I was doing. To my knowledge, Windows doesn't use a single salt value across all installations (that would kinda defeat the purpose, and while I know that liking Windows isn't a popular thing in Linux communities, perpetrating false information about Windows also isn't a goo thing to do, either. We can compare on the merits without making stuff up. ;) ) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Jim Henderson wrote:
To my knowledge, Windows doesn't use a single salt value across all installations (that would kinda defeat the purpose, and while I know that liking Windows isn't a popular thing in Linux communities, perpetrating false information about Windows also isn't a goo thing to do, either. We can compare on the merits without making stuff up.;) )
Like this? http://www.koreaherald.com/view.php?ud=20130719000708 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 24 Jul 2013 10:09:54 -0400, James Knott wrote:
Jim Henderson wrote:
To my knowledge, Windows doesn't use a single salt value across all installations (that would kinda defeat the purpose, and while I know that liking Windows isn't a popular thing in Linux communities, perpetrating false information about Windows also isn't a goo thing to do, either. We can compare on the merits without making stuff up.;) )
Like this? http://www.koreaherald.com/view.php?ud=20130719000708
Yeah, something like that. :) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, Jul 24, 2013 at 9:53 AM, Jim Henderson <hendersj@gmail.com> wrote:
On Wed, 24 Jul 2013 09:07:49 -0400, Greg Freemyer wrote:
On Wed, Jul 24, 2013 at 12:48 AM, Jim Henderson <hendersj@gmail.com> wrote:
On Tue, 23 Jul 2013 23:14:32 -0400, Greg Freemyer wrote:
If people use a relatively short password, a rainbow attack is not significantly slowed down by strong encryption, no matter how strong it is.
It is if you salt the password, which eDirectory has done for years.
Rainbow tables are rendered completely useless by salting the password with an effective algorithm.
Jim,
I should know the answer to this, but if that is true why can so many systems be attacked via rainbow tables?
My multiple choice answers (guesses):
- They didn't setup a salt value at all
- Often in mass produced software like MS Windows, a single salt value is used for the entire install base, so the bad guys can build a rainbow table on one box, but use it millions of places.
- Other
I don't know for certain, but I know not all crypto systems use salt values. It does increase the complexity of the algorithm, so I'd guess it's a trade-off of different features.
I can tell you that for something like BitLocker (which is full disk encryption that comes with certain releases of Windows Vista, and all editions of Windows 7/8), they do use salt in the encryption algorithm. I was recently working on a project for a client where that was germane to the work I was doing.
To my knowledge, Windows doesn't use a single salt value across all installations (that would kinda defeat the purpose, and while I know that liking Windows isn't a popular thing in Linux communities, perpetrating false information about Windows also isn't a goo thing to do, either. We can compare on the merits without making stuff up. ;) )
Jim
I can say with confidence that at least one form of Windows XP authentication is attackable via rainbow tables (LM - Lan Manager). That version actually breaks the maximum length 14 char password into 2 7-char pieces and keeps the 2 hashed tokens in the SAM (Security Access Manager) database. Because of the way they break it up, cracking the LM authentication system just requires cracking the maximum complexity of 2 7-char passwords. Rainbow tables exist for that authentication system, so a good hacker can crack those passwords in short order once they get the SAM database. You can get the LM hash rainbow tables for free from ophcrack: http://ophcrack.sourceforge.net/tables.php Notice the almost 100% success rate on that page for LM hashes (That's the Lan Manager authentication system hashes). They do restrict the character set of what is used to create the rainbow tables, so you can see they have a separate table for German characters. Then note that further down on the same page they have rainbow tables for Vista / Win7 systems (NT Hashes) Those don't have the 7-char segment issue, so successful rainbow table attack is lower. You can see they have free tables that will crack simple/low character count passwords. Then they sell more comprehensive rainbow tables for Vista / Win7 lower down on the page. Back to SALT. My question in part is why are there rainbow tables available for attacking Windows LM and NT based authentication systems if rainbow tables can be made useless by simply applying a SALT parameter. Is it that Microsoft uses a common SALT for all LM based systems and also uses a common SALT for all NT based authentication systems? fyi: I do have other places I can go ask this. I only asked it here because you implied rainbow table based attacks are easily overcome by using a SALT, whereas I know that rainbow table based attacks are heavily used by bad guys, so I felt an implied contradiction between what I knew and what you said. Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 24 Jul 2013 12:59:24 -0400, Greg Freemyer wrote:
I can say with confidence that at least one form of Windows XP authentication is attackable via rainbow tables (LM - Lan Manager).
NTLM is a pretty old system, and certainly at least at one time, it was possible to use rainbow tables against it. I *think* there's a newer NTLM (NTLMv2 perhaps) that uses salt, but it's been a while since I looked into it. Keep in mind that Windows XP is also quite old - it's nearly out of support, but we're talking about pretty old technology here.
Back to SALT.
My question in part is why are there rainbow tables available for attacking Windows LM and NT based authentication systems if rainbow tables can be made useless by simply applying a SALT parameter. Is it that Microsoft uses a common SALT for all LM based systems and also uses a common SALT for all NT based authentication systems?
Using a common salt value would be the same as using no salt value. It wouldn't add anything to the strength of the algorithm. The point of adding salt to a crypto algorithm is to increase the size of a keyspace attack.
fyi: I do have other places I can go ask this. I only asked it here because you implied rainbow table based attacks are easily overcome by using a SALT, whereas I know that rainbow table based attacks are heavily used by bad guys, so I felt an implied contradiction between what I knew and what you said.
To clarify, what I mean is they're easily overcome by using an algorithm that uses a salt. If you have an entrenched mechanism (as with NTLM), modifying the underlying system components while providing backwards compatibility isn't really possible. that's how Lophtcrack (for example) attacked newer implementations - because the old NTLM mechanism was still in place. (That's called, IIRC, a "weakest (or 'weaker') sister" style attack). That's why you still see them around - they tend not to be used at all against systems that have no backwards compatibility requirements, because most modern crypto uses algorithms that are salted (unless there's no perceived need to, which is common also in things like forum software implementations - though honestly, I've not looked closely at the inbuilt authentication mechanism in vBulletin to know if they use a salted algorithm or not). Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, Jul 24, 2013 at 1:13 PM, Jim Henderson <hendersj@gmail.com> wrote:
On Wed, 24 Jul 2013 12:59:24 -0400, Greg Freemyer wrote:
I can say with confidence that at least one form of Windows XP authentication is attackable via rainbow tables (LM - Lan Manager).
NTLM is a pretty old system, and certainly at least at one time, it was possible to use rainbow tables against it. I *think* there's a newer NTLM (NTLMv2 perhaps) that uses salt, but it's been a while since I looked into it.
Keep in mind that Windows XP is also quite old - it's nearly out of support, but we're talking about pretty old technology here.
Salting is not a new technique either. And XP may be old, but it also relatively common to be somewhere in a Windows network. You know, the one PC that has to run XP because the specialized app it runs doesn't support Win7, so a policy exception was granted for it. Or maybe it's embedded in a printer, but is joined to the domain for support purposes. Even Windows 2000 servers are common in larger Windows shops. Often sitting out in a test network or other area of disregarded servers. I don't believe with either of them (XP/2000) Microsoft supports a authentication system that is not easily attacked by rainbow table based attacks. If a network of 5,000 windows boxes has a few old XP / Windows 2000 machines on it, bad guys will target those boxes for exploitation. That grab the SAM file, then crack any local admin accounts and any locally cached domain accounts (via rainbow tables) then use those new credentials to move around the network. Cracked domain accounts are gret on their face and most orgs use the same local admin password on numerous machines, so a cracked local admin login/password off of a XP / Win2000 box may give you local admin access to systems with more sophisticated security. Greg Greg Freemyer Chief Technology Officer Intelligent Avatar Corporation (678) 653-4860 Greg.Freemyer@gmail.com http://www.linkedin.com/in/gregfreemyer CNN/TruTV Aired Forensic Imaging Demo - http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retriev... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 24 Jul 2013 13:44:11 -0400, Greg Freemyer wrote:
Salting is not a new technique either.
True, but it might also have been less common for performance reasons. Older hardware, slower performance - you know the story. :) Or as well, that salting was perceived to provide little additional value because hardware was so slow, and if you were doing 200 passwords a minute, you were doing *really* well. Now with GPU-based cracking systems, you can do millions of password tests an hour without breaking a sweat, so increasing the complexity of the algorithm and introducing that salt value becomes much more significant a barrier. It's always been about risk vs. performance. Slower systems = lower risk, and performance optimizations meant that eeking every last bit of performance out of an algorithm was important to overall system performance. Now that's not such a big deal. My smart phone has more processing power than my PC did 15 years ago.
And XP may be old, but it also relatively common to be somewhere in a Windows network. You know, the one PC that has to run XP because the specialized app it runs doesn't support Win7, so a policy exception was granted for it. Or maybe it's embedded in a printer, but is joined to the domain for support purposes.
Even Windows 2000 servers are common in larger Windows shops. Often sitting out in a test network or other area of disregarded servers.
I don't believe with either of them (XP/2000) Microsoft supports a authentication system that is not easily attacked by rainbow table based attacks.
If a network of 5,000 windows boxes has a few old XP / Windows 2000 machines on it, bad guys will target those boxes for exploitation.
That grab the SAM file, then crack any local admin accounts and any locally cached domain accounts (via rainbow tables) then use those new credentials to move around the network. Cracked domain accounts are gret on their face and most orgs use the same local admin password on numerous machines, so a cracked local admin login/password off of a XP / Win2000 box may give you local admin access to systems with more sophisticated security.
Sure, but that's neither here nor there when it comes to talking about how our forum authentication mechanism provides us greater protection than what the Ubuntu forums is. We're not really talking about the exploit ability of operating systems that were created over a decade ago, but rather how cryptographic techniques that are more common in newer implementations provide additional protection. :) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 07/24/2013 11:51 AM, Jim Henderson wrote:
On Wed, 24 Jul 2013 13:44:11 -0400, Greg Freemyer wrote:
Salting is not a new technique either. True, but it might also have been less common for performance reasons. Older hardware, slower performance - you know the story.:)
Or as well, that salting was perceived to provide little additional value because hardware was so slow, and if you were doing 200 passwords a minute, you were doing*really* well. Now with GPU-based cracking systems, you can do millions of password tests an hour without breaking a sweat, so increasing the complexity of the algorithm and introducing that salt value becomes much more significant a barrier.
It's always been about risk vs. performance. Slower systems = lower risk, and performance optimizations meant that eeking every last bit of performance out of an algorithm was important to overall system performance.
FWIW I remember SunOS 3.4 using salts in 1986 on Motorola 68010 CPU's. Was there ever a UNIX that didn't use salt? Regarding security on Windows, you have to remember that it started as a toy desktop-only operating system where security wasn't an issue. Microsoft's security posture generally lagged the environment in which their operating systems were being used. Also, whenever choices needed to be made between security and ease-of-use, security always lost. "Salt? Who needs no stinkin' salt!?" said the Borg... Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Lew Wolfgang said the following on 07/24/2013 03:16 PM:
FWIW I remember SunOS 3.4 using salts in 1986 on Motorola 68010 CPU's. Was there ever a UNIX that didn't use salt?
Certainly V7 UNIX at the end of the 70s used salting. Even the spate of 16-bit processors that came out in the mid to late 70s, the Z-8001/2, the 8086, the 68000, and few others, never mind the ones from the early 80s like the 16016 and 32032, with or without custom memory management and access control hardware, some of which I used and others I evaluated, following the new licensing conditions and of course "XENIX", all had salt since they were all V7 derived. (or at least all the ones I looked at.) Yes, by today's standards they were under powered. Some of them claimed to be as powerful as a PDP-11, if you pick the right PDP-11 and the right fragment of code ... but ... -- Good plans shape good decisions. That's why good planning helps to make elusive dreams come true. -- Lester R. Bittel The Nine Master Keys of Management -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 24 Jul 2013 12:16:58 -0700, Lew Wolfgang wrote:
FWIW I remember SunOS 3.4 using salts in 1986 on Motorola 68010 CPU's. Was there ever a UNIX that didn't use salt?
That's a good question; probably the very earliest versions didn't, but that's only a guess.
Regarding security on Windows, you have to remember that it started as a toy desktop-only operating system where security wasn't an issue. Microsoft's security posture generally lagged the environment in which their operating systems were being used. Also, whenever choices needed to be made between security and ease-of-use, security always lost. "Salt? Who needs no stinkin' salt!?" said the Borg...
Yep, history and backwards compatibility have created a lot of problems over the years. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----Original Message----- From: Greg Freemyer <greg.freemyer@gmail.com> Cc: opensuse@opensuse.org Subject: Re: [opensuse] Re: Ubuntu Forum hacked Date: Tue, 23 Jul 2013 23:14:32 -0400 <snip> I repeat, strong encryption solutions don't prevent rainbow table based attacks UNLESS you use long passwords that nobody else has ever used and been stolen (or decrypted). The decrypted issue is important, because let's assume you use the password "Iloveobamamorethanlife", that's a 22 char password which should be safe, but if someone else used the same password on a system with a weak password, then if it got hacked and the passwords cracked, then it might be in the bad guys database of 20 million known real passwords. <snip> -----Original Message----- OK Greg, It is only true for longer passwords. How about a 512 chars long randomly generated pwd? cryptographic cards are between 6 and 22 euro's That should even give our friends at the NSA a nice tea-break ;-) hw -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Content-ID: <alpine.LNX.2.00.1307232026240.5519@minas-tirith.valinor> El 2013-07-23 a las 10:57 -0700, John Andersen escribió:
In reality, you get nothing on me from hacking OpenSuse's mail servers that you couldn't get from the headers of every email, except a password that is unique to OpenSuse. Its not like anything of value is store here.
Same as for the ubuntu forum that was attacked :-) The Ubuntu people have warned users because they know that some/many people use the same passwords for more things, even bank accounts. So once they know who you are they will try the password they got on other interesting sites. - -- Cheers Carlos E. R. (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) iF4EAREIAAYFAlHuyuEACgkQja8UbcUWM1xGfwEAiYAppZuwB+ir1umJmvS1LgAo E20pHJdTth3D07fnLkwA/RZJSSkblWXXW4K0uCnAdwUwVxb6TCheZ85yR6e5d577 =ziCn -----END PGP SIGNATURE-----
Ooh...Ooh.....I know.....maybe it Microsoft's interference with teaching NSA to crack encrypted passwords !!!!!!!!!!! -- Duaine Hechler Piano, Player Piano, Pump Organ - Tuning, Servicing & Rebuilding (314) 838-5587 / dahechler@att.net / www.hechlerpianoandorgan.com Home & Business user of Linux - 13 years -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (10)
-
Anton Aylward -
Basil Chupin -
Carlos E. R. -
Duaine Hechler -
Greg Freemyer -
Hans Witvliet -
James Knott -
Jim Henderson -
John Andersen -
Lew Wolfgang