Security Now 304
Topic: Your questions, Steve's answers
Recorded: 8 June 2011
- 1 Security Now 304: Q&A 119
- 1.1 World IPv6 Day! -- TODAY!
- 1.2 Security Updates
- 1.3 Security News
- 1.4 Attacks & Breaches
- 1.5 Questions & Answers
- 1.5.1 Question [ 01 ] - Shaul in Israel (@shaulliv), a 3rd year geography student at BGU and an avid Ubuntu user... writes: @SGgrc just watched last #securitynow, in the next show can you please talk about how the new quantum computer will affect cryptography and passwords?
- 1.5.2 Question [ 02 ] - Daniel J. Summers (@DanJSum) in Albuquerque, New Mexico: @SGgrc Your “hash on the client” comment got me thinking; is there a good way to have a "secret" salt on the client? Would secret matter?
- 1.5.3 Question [ 03 ] - Sergey Romanov in Minneapolis suggests: Using ALL 255 ASCII characters in passwords (try Alt+137) !!!!!!
- 1.5.4 Question [ 04 ] - Jerod Lycett in Duncannon, PA asks: Please keep Perfect Passwords, it is still useful even not as passwords!
- 1.5.5 Question [ 05 ] - Dave Andersen in Grass Valley, CA says: USB prophylactic achieved!
- 1.5.6 Question [ 06 ] - Lynne in Maine has thoughts about “best passwords ever”
- 1.5.7 Question [ 07 ] - Javi Harris in Iowa wonders How to get started as a kid?
- 1.5.8 Question [ 08 ] - Thomas Kingston in Longmont, Colorado loved last week's haystacks episode:
- 1.5.9 Question [ 09 ] - Brian Drake in Gallatin, Tennessee wonders about Password Haystacks:
- 1.5.10 Question [ 10 ] - Jonathan Simon is concerned about long but low entropy passwords
- 1.5.11 Question [ 11 ] - Curtis in Sayreville, NJ needs a Secure Hard Drive Eraser
- 1.5.12 Question [ 12 ] - Mark Hull in Charlotte, NC brings us the Double Header TIPS of the Week!
- 2 Sponsors
- 3 Production Information
Security Now 304: Q&A 119
World IPv6 Day! -- TODAY!
No fancy Google Logo? :(
Adobe Flash Updated: Fixes the recent 0-day Flash flaw. Adobe released an out-of-band fix for a zero-day vulnerability in its Flash Player. The cross-site scripting (XSS) flaw affects Flash Player versions 10.3.181.16 and earlier on Windows, Mac, Linux and Solaris, and versions 10.3.185.22 and earlier for Android. A fix was previously pushed out to address the Flash flaw in Google's Chrome browser.
RSA to replace 40 MILLION tokens: "Open Letter to RSA SecurID Customers" http://www.rsa.com/node.aspx?id=3891 Art Coviello said in an interview: "RSA is offering to provide security monitoring or replace SecurID tokens for virtually every customer we have." In a letter to customers Monday, RSA Security openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin using data stolen from RSA. http://steve.grc.com (March 17th) In addition to Lockheed-Martin and L3 Communications, Fox News reported that Northrop Grumman had also been attacked with stolen RSA credentials.
Microsoft's Safety Scanner: Downloaded 420,000, found and removed malware from 20,000 machines. 7 of the top 10 threats found were Java-based exploits. SANS' editor Eugene Schultz: "I believe Microsoft's reported infection rate is too low. Users who do not have a clue concerning how to secure their systems almost certainly have high infection rates. These users are not aware of Microsoft's Safety Scanner, let alone of how to download and run this tool, but more sophisticated and security-aware users are. Microsoft's statistics thus in all likelihood apply almost entirely to the latter group."
"Certificate Patrol" Firefox add-on: Certificate exchanged. Mostly harmless (docs.google.com) *.google.com Old certificate issued 28 days ago. New certificate issued 13 days ago.
Attacks & Breaches
Endless Sony Breaches @SimonZerafa: http://hassonybeenhackedthisweek.com/ Attack #13: Monday June 6th - Sony's European website for professional broadcasting equipment. The attacker of the website said that he just used standard SQL injection techniques in order to access the database where he got information of usernames, plain text passwords, mobile numbers, and emails for around 120 users in another attack Sony had previously experienced. The person to blame seems to be a Lebanese hacker known by the name Idahc, and he is the same one behind the attacks on the Canadian Sony Ericsson site that took place in May 2011. “I was bored and I play the game of the year: ‘hacker vs. Sony’”, he said.
PBS site breached: SANS: PBS said hackers broke into the network's website and posted a phony story falsely claiming deceased rapper Tupac Shakur was alive and well and living in New Zealand. The group LulzSec may have attacked PBS because of a Wikileaks story.
From the Twitterverse @andronicus (Andrew Skretvedt) So, I'm staring at 26 USD/BTC! If you're still holding 50, how does it feel to have $1300 of value? (I spent mine back at 35 cents!)
@muoncapture (Michael Boleman in Mobile Alabama) Tried the MS Sweeper root kit detector/removal tool mentioned on last SN episode. Doesn't work on a TrueCrypted HD. :(
@xino (Joe, in Wisconsin) What was the max range of the portable dog killer? Portable Dog Killer, Mark II:
Questions & Answers
Question [ 01 ] - Shaul in Israel (@shaulliv), a 3rd year geography student at BGU and an avid Ubuntu user... writes: @SGgrc just watched last #securitynow, in the next show can you please talk about how the new quantum computer will affect cryptography and passwords?
Question [ 02 ] - Daniel J. Summers (@DanJSum) in Albuquerque, New Mexico: @SGgrc Your “hash on the client” comment got me thinking; is there a good way to have a "secret" salt on the client? Would secret matter?
Question [ 03 ] - Sergey Romanov in Minneapolis suggests: Using ALL 255 ASCII characters in passwords (try Alt+137) !!!!!!
Steve, I think I already know the solution for stronger passwords that you are going to talk about next week! And I agree, this will change many passwords of Security Now listeners! I've been listening to SN for more than a year now, and just as you are, I like Assembly language that I used to practice my programming skills with many years ago on my 8088 processor (MK-88 with 256k RAM (Belarus version of IBM PC)). Since then, with invention of virtual memory addressing in 386 and advancement of scripting languages, I've lost interest in programming as a profession.
So let me put it in one sentence:
Use the whole range of 255 ASCII characters when creating your passwords!
For example, in Windows based PCs do so by pressing [(hold ALT) + (1)+(3)+(7) = ë ].
This way instead of entropy limited only to the number of characters available on the keyboard, which is only about 26+26+10+32 (typeable characters)=94, one can use all 8 possible bits of 255 ASCII character range and thus achieve maximum entropy per character entered.
Try to guess "}Éà○↓"#7î" instead of "sdfe3rh". First one seems to be harder. Don't you agree? Using this password scheme represents a small difficulty for smart phones and Linux because ASCII characters are not simply typed using such operating systems; but I'm sure apps are written to do it.
Steve, if I guessed right your "ground breaking" solution or if you find my idea interesting, can I have a copy of a SpinRite signed by author?
Question [ 04 ] - Jerod Lycett in Duncannon, PA asks: Please keep Perfect Passwords, it is still useful even not as passwords!
There is a use for Perfect Passwords which you may have overlooked, but which I use it for: salt. If you use SHA512 10000 times, it still won't prevent a determined hacker, the important thing is of course an unguessable salt. If you use a known clear text, such as turtle, as a password, and then gain access to the hashes, you would simply have to figure out how many times they hash, and what the salt is. If the number of times they hash is known (companies like to brag about how many times they hash), then all you have to do is run an attack to find out the salt. I use Perfect Passwords to generate the salt for everything I do. Even if you plan on removing it, please leave the salt generator up for everyone.
Question [ 05 ] - Dave Andersen in Grass Valley, CA says: USB prophylactic achieved!
This is in response to the listener who was concerned about using a USB flash drive after it was connected to an infected computer.
This got me wondering if there are any USB flash drives with write-protect switches. It turns out, there are; though not in great proliferation! I found this site which seems to be trying to collect a list of them:
Seems like a great tool for the purpose of having a maintainable toolkit which is protected from infections, and fits in your pocket (unlike a CD/DVD).
Question [ 06 ] - Lynne in Maine has thoughts about “best passwords ever”
First the pleasantries: I've been listening to SN for several years and have been gradually ratcheting up my security with your suggestions (LastPass, NoScript, Certificate Patrol, to name a few). I really appreciate your going into the nuts and bolts of how things work so I can make informed decisions about security.
I just finished listening to episode 302 and the password revelation which you would be sharing with us next week. I'm now very curious if it's at all like what I've been doing for years. I'm a network engineer for a major cable ISP and am responsible for coming up with the enable passwords for routers, switches, etc. Here's what I do:
- come up with an 8-12 word phrase I can easily remember
- take the first letters of the words of that phrase
- make various substitutions such as zero for the letter "o", "3" for "e", $ for S, etc.
- mix up the capitalization
- add punctuation
This has the advantage of being memorable (though some of my co-workers may disagree), but I dare any brute-force attack to succeed in anything like a reasonable amount of time.
Just curious if this will be anything like what you came up with. Anxiously awaiting episode 303.
Question [ 07 ] - Javi Harris in Iowa wonders How to get started as a kid?
Hey guys. let me start with this. when i first started listening i had no clue what any of this "security" was. i almost gave up, but itunes insisted that i had subscribed to your podcast. so with a great deal of patience i have slowly started to really understand all of the topics you cover!
what really got me interested is how easy it is to be safe and even easier it is to be unsafe. i didn't realize that a simple change of your password could make a huge change.
all of this crazy hashing and salting passwords still sometimes makes me dizzy but i think i have the overall concept. i will be forever a listener and i hope to learn a lot more.
Oh, before my question, did i mention i was 16? now to my question:
what can we as teens do to make our computers more secure. we don't have a bunch of money or the resources most adults do. do you have anything i could start looking into to learn more about security? as the future to computer security i think it would be nice to know what we can do. well i'll let you guys get back to saving the world. but before i do. one last thought. (i realize i've been going on for a while) Maybe you could have a little segment of the show where you teach something new to beginner security experts or something along those lines. just an idea. thank you so much for having an amazing show and keep on getting the word out to people. i've changed my perspective of internet security and i hope many more kids like me can too. see you guys!!!
Question [ 08 ] - Thomas Kingston in Longmont, Colorado loved last week's haystacks episode:
I've been listening to Security Now! since episode 1 (crazy isn't it) and I must say episode 303, Password Haystacks, is by far my favorite. While I agree 100% that password length + a combination of all four character types (lower & upper case, number, & special character) in a padded style is far superior in password strength than sheer entropy, there appears to be a few examples within your Brute Force Password "Search Space" Calculator that don't match up with this logic.
Case in point - many websites will give you a limit on the number of characters your password can be. In an example of a website that allows 32 characters, filling in 32 a's (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) in your calculator yields an offline attack scenario of 6.29 trillion trillion centuries. Is that correct?
Seems unreasonable to me so I figured it best to pass along the finding as people may be "encouraged" to use something like this after seeing the calculators results. Anyhow, great job as always and I really appreciate all that you and Leo do.
Question [ 09 ] - Brian Drake in Gallatin, Tennessee wonders about Password Haystacks:
As someone who has been using "leetspeak" to create passwords for a couple of years now, I was happy to learn by using your "Haystack" tool that this yields passwords which would take 1.66 hundred centuries to crack. The problem that I have run into using this method, however, is that a disturbing number of websites simply will NOT allow you to use anything other than numbers and letters for your password and many of those same sites have a restriction on how long your password can be. This kind of makes it difficult to use your method (and in some cases, there's no choice in using a different company if you discover that they only allow you to have weak passwords, my university only allows weak passwords for some reason).
Do you have any suggestions as to what one can do in those cases or how we can get organizations to adjust their password requirements? (And while we're at it, would it be too much trouble to get people to put the password requirements beside every box where you have to enter them in? It's a pain to punch in a password and have the system reject it for some unspecified reason, so you keep trying until you realize that it doesn't like the "special characters" you've been typing in.)
Question [ 10 ] - Jonathan Simon is concerned about long but low entropy passwords
How robust are long but low entropy passwords against new bruteforce attacks that re-order the guessing so that it is not in alphanumeric order but rather in low-entropy to high-entropy order? That is, if the algorithm tries passwords that would, for example, be compressible to smaller passwords (or that contain dictionary words) earlier than true high entropy (in the Shannon sense) passwords? Thanks, Jonathan
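The gap that Questions 8 and 10 point at, as an added example (not part of the show notes and not the code of the calculator they mention): the brute-force search space of a password next to the guess count of an enumerator that tries repeated units first. The 10^11 guesses-per-second rate, the repeat-first model and every function name are assumptions made for illustration.

```python
import string

# Class sizes follow the page's count: 26 + 26 + 10 + 32 = 94 typeable characters.
CLASSES = [set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation)]
EXTENDED = 255 - 94   # rest of Question 3's 8-bit range (assumed class size)
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password):
    """Using any character of a class puts the whole class in the alphabet."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if any(all(ch not in c for c in CLASSES) for ch in password):
        size += EXTENDED
    return size


def search_space(password):
    """Number of strings of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def centuries(guesses, guesses_per_second=10**11):
    """Time to exhaust `guesses`; the rate is an assumed parameter."""
    return guesses / guesses_per_second / SECONDS_PER_CENTURY


def shortest_period(password):
    """Length of the smallest unit whose repetition spells the password."""
    n = len(password)
    for p in range(1, n + 1):
        if all(password[i] == password[i % p] for i in range(n)):
            return p
    return n


def repeat_first_guesses(password):
    """Guesses for a hypothetical enumerator that tries every unit up to the
    password's period, repeated out to each length up to len(password),
    and otherwise falls back to plain brute force."""
    a, n, p = alphabet_size(password), len(password), shortest_period(password)
    repeated = n * sum(a ** k for k in range(1, p + 1))
    return min(repeated, search_space(password))


if __name__ == "__main__":
    for pw in ("a" * 32, "abcabcab", "sdfe3rh"):   # sample inputs
        print(pw, search_space(pw), repeat_first_guesses(pw))
```

For thirty-two a's the brute-force count works out to roughly 6.3 × 10^24 centuries at the assumed rate, while the repeat-first model needs 832 guesses. The model only recognises whole-string repetition, so padding mixed with other characters is outside what it measures.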
Question [ 11 ] - Curtis in Sayreville, NJ needs a Secure Hard Drive Eraser
Hey Steve. I have a few hard drives that I need to erase. I mean erase erase. I've heard that there are programs out there that will write over the existing data and do a set amount of passes. What program, if any, do you use or recommend for this? Thanks for an awesome podcast!
Question [ 12 ] - Mark Hull in Charlotte, NC brings us the Double Header TIPS of the Week!
I have been a listener since the beginning, I just wanted to comment on the easy way to remember the PIE (Pre-Internet Encryption) acronym. When sending things to the cloud or sky it is easy to remember "PIE in the sky"!
Also, when doing troubleshooting on machines that might be infected, I use a USB to SD adapter ... with the SD's "Lock" set to read-only position. This allows me to put my tools on the card from my PC when unlocked and then use the tools without fear of being compromised.
I also would recommend a copy of any standalone virus fighting utilities like Clamwin portable on the SD card.
Thanks for all the good work and great information, you guys are great entertainment driving into work.