How an epic blunder by Adobe could strengthen hand of password crackers | Ars Technica

Via Dan Goodin on Ars Technica, 2013-11-01

Four weeks ago, Adobe disclosed a sustained hack on its corporate network that threatened to spawn a wave of meaner malware attacks by giving criminals access to the raw source code for the company’s widely used Acrobat and ColdFusion applications. Now, researchers are warning the same breach could significantly strengthen the password crackers’ collective hand by revealing a staggering 130 million passcodes used over the years by Adobe customers, many of them from the FBI, large corporations, and other sensitive organizations.

That’s because Adobe engineers used reversible encryption to scramble the passwords contained in a 9.3-gigabyte file that’s now available online. Surprisingly, they flouted almost universally recognized best practices that call for stored passwords to be protected by bcrypt or another one-way cryptographic hashing algorithm.  …

That’s not at all the way the passwords for the 130 million active and inactive Adobe accounts are protected. They were scrambled using standard symmetric encryption. If crackers are able to figure out the key or keys that encrypt the data, they will have instant access to every single plaintext user password in the list.

How an epic blunder by Adobe could strengthen hand of password crackers | Ars Technica

Even stranger than the passwords being decryptable by Adobe, and now others who can use a variety of exploits against those encryptions, is that the attacked system was a backup designated for decommissioning.   And that presumably idle data, sitting around vulnerable to insider exploits, was not encrypted in total, regardless of the individual records having encryptions of passwords.

Advertisements
Posted in nfoWorks, Privacy and Security, trust | Leave a comment

Sometimes, worrying about man-in-the-middle attacks is not just paranoia

I have a friend who is seriously concerned about man-in-the-middle attacks on his communications.  He uses digital signatures on all of his e-mails. I generally reciprocate, and I will again once Outlook 2013 on Windows 8 stops crashing when I try to sign outgoing e-mails.  (The workaround is to run Outlook 2013 as Administrator.  I do not routinely do that, ever, especially since I can no longer force all e-mail viewing as plaintext by default and the junk mail filter is not working.)

Unfortunately, man-in-the-middle attacks are alive and well and are not merely used to interfere/eavesdrop-on e-mail as much as to redirect nearly all of our Internet connection-setups through a malicious DNS server in a way where

  • we won’t notice
  • a counterfeit destination service can be substituted for one that is important to us and for which secure, private access is critical
  • and while it may lead to identity theft, it can also be used for selective, un-noticed surveillance of traffic to particular destinations.

If you operate your computer and access the internet from behind a residential router (whether Wi-Fi or a wired LAN that some of us have), even if it is only for one or two computers/Kindles/smartphones), there is an active Man-in-the-Middle exploit that uses a poisoned web page to take control of your router just enough to change the DNS server that is used to resolve non-numeric internet addresses – all of those http://www.example.com thingies.  That puts a rogue DNS server quietly in the middle of almost all of your web accesses and those of your desktop/laptop/tablet/smart-phone applications when connected to the Internet via your home Wi-Fi or wired connection. 

Jakob Lell has published a splendid analysis of the current attack and how it works. 

Without suffering through the details, there are some simple and valuable mitigations:

  1. Whenever you use your browser to directly access the administrative interface of the router that bridges your devices to the Internet, have no other tabs open in your browser and always close your browser when done.  Also, do not let your browser retain the administrative password to your router.
  2. Change the administrative password to your router.  Never use the default password (often none) that the router is set with at the factory.
  3. If you know how, check that the DNS addresses that your router will use are those specified by your Internet Service Provider and none others.
  4. Finally, if you or your family IT expert knows how to do it properly, have your router set to issue IP addresses to your computer(s) that are not in the 192.168.1.y family but are ones reserved for local use and are not routed on the public Internet.  It is best to avoid setting the router for addresses of itself and your connected devices in any 192.168.x.y series altogether.

Are we having fun yet?

Posted in Computers and Internet, nfoWorks, Privacy and Security, trust | Leave a comment

Blocked on Blogging

Recently, I completed a number of arrangements to have more attention on a few projects that I consider the most important work for my continued vocation. 

That includes attention to my web sites, where I’ll be investing renewed attention, and my blogs, which need revitalization.

Although I have begun, I notice I’m not blogging about it.

That’s especially true at nfoCentrale Status

I know what the problem is in that case.  Although that blog tracks my activities and captures techniques to be reapplied elsewhere, the blog is not great as a reference.  The categories are out of hand and the archives are difficult to browse.  Then I let the setup fall into neglect, so now it is even more work to revitalize.

I have a solution for that.  It takes effort.  I will capture the important how-to techniques in web subfolders (what I call folios) so that there is an easy way to catalog and maintain the procedures and important clippings in an useful-to-me organization that I can always have access to.  That access is on the site and on my mirror of the site and in my source-code control system and system backups.  These provide mutual backups.  (My commitment to have the site and the blog serve static pages is part of that assurance.)

Besides nfoCentrale Status and Spanner Wingnut, the only functioning blog for non-development purposes is Orcmid’s Live Hideout on WordPress.  That blog is a stop-gap, created when Windows Live blogs were discontinued, strictly as an interim location until I manage to revive the intended permanent locations for those posts.  That has been delayed for a very long time.

There’s more coming.  It will be interleaved with other activities.  The ant is moving the mountain, one grain of sand at a time.  The ant is very determined.

Posted in Blog Development, Golden Geek, nfoWorks | Leave a comment

Improving Hashes Doesn’t Improve Passwords

Yesterday, an effort to produce a new Password Hashing Algorithm was announced.  Dennis Fisher describes the initiative in his 2013-02-15 Kaspersky threatpost article, “Cryptographers Aim to Find New Password Hashing Algorithm.”  Here’s my comment.

First, the article suggests that the NIST competition to choose a new cryptographic hash algorithm to be standardized as SHA-3 has not concluded.  NIST selected KECCAK as the basis for SHA-3 last year.   KECCAK has many applications and it will be a while before the its application in an SHA-3 will be standardized (in an anticipated FIPS 180-5).  See the 2013-02-06 presentation, “Keccak and the SHA-3 standardization.”

There’s also a remark concerning the ability to attack PBKDF2 easily.  PBKDF2 is an iterative, salted key-transformation procedure that can be based on a chosen PRF for the transformation.  It is typical for PBKDF2  to conduct a large number of HMAC-SHA1 iterations.  Other MACs can be used.  The idea is to raise the work factor to make brute force attack on the password infeasible.  The problem with PBKDF2-derived hashes as a password authentication approach is not the ease of attack but the imposition of that work factor on server-side authentication procedures.

So long as the password-based authentication procedure is required to be efficient and economical, the problem is not the hash.  The problem  is the password choice and the poor security that allows the hash to become known.   Once the hash is disclosed, adversaries have the same efficiency advantage, and all the time and resources they need, to discover the password.    Improving the hash does little to mitigate this serious problem.   New password protocols are required.

I’ve gathered my considerations on what is required to confine the consequences of hash disclosure.  The particular framework for minimizing password discovery is not important, it is the considerations that I believe apply to any such effort: “AuthzN Password-Independent Keys.”

Posted in nfoWorks, trust | Leave a comment

All Your SD-Card Belong to Us

2013-01-09: Household visitor, Bella the Cat

After attending a Geek Dinner last night, I wanted to import the photos from my SD Card into my Windows photo folders for editing and posting to Flickr.  Naturally, there were some cat pictures accumulated on my camera also.

Unfortunately, Windows 7 claimed that the SD Card needed to be formatted.

I didn’t do that.  I put the SD Card back in my Nikon D80 and the 15 pictures were there.

And Windows 7 still declared that the SD Card needed to be formatted.

I fired up Quadro, my Windows XP SP3 Tablet Computer, and used its SD Card slot.  No problem.  There I used Windows Live Photo Gallery to extract the photos from the SD Card, transfer them to my photo collection on Windows Home Server, and delete the images from the SD Card.  It was all fine.

Just for laughs, I put the emptied SD Card in the slot on my Windows 7 desktop system.  It was all fine and Windows Live Photo Gallery opened up automatically and offered to import any pictures from the SD Card. 

Now, the only other thing that I had done before that last step was to upgrade Skype 6.0 to Skype 6.1, the one being promoted as the integrated replacement for Windows Messenger (previously removed, though).

Any sufficiently-advanced technology, when broken, is indistinguishable from infection by poltergeists.

Posted in Computers and Internet, In My World, Orcmid's Lair, Photography | Leave a comment

The Great Social Security Scare-Off: Why?

This arrived in my postal mail a few days ago:

Today, 36 percent of the federal budget is consumed by Social Security and Medicare, a growing cost shouldered by the shrinking population of younger Americans.”

There were other numbers being bandied about.  I bet readers of this, having heard repeated statements about the cost of “entitlements” and the proportion of older Americans accept this without challenge.

What I find most discouraging about the above statement, completely lacking in any description of its basis and terminology, is that it is made by AARP Bulletin editor Jim Toedtman in his “The Magic of the Fountain of Youth” opinion piece.  There is no such “budget.”

It is amazing how much belief has been captured on the road from “Social Security will not be there for you” to “Entitlements [Social Security] are killing the economy and drowning us in debt” or words to that effect.  No matter that Social Security and Medicare have nothing to do with the deficit, their urgent reduction/elimination is to be traded against increased revenues by taxation.

Members of Congress, including card-carrying liberals, also fall for this, lumping Social Security and Medicare disbursements as if they are part of a single overall budget.  It is apparently too difficult, or inconvenient, to emphasize that contributions to those funds, and their disbursements, are by different arrangements.   Such is the power of this cloak of fear and anger on the conventional wisdom.

It is time to find a heavy dose of Bill Clinton’s remedy: arithmetic.

A good place to start is your own (or any hypothetical) “tax receipt”.  The White House provides an on-line calculator determining the separate contributions to Social Security, Medicare, and Income Tax.  It is your income taxes that go into anything resembling revenues that are apportionment among government expenditures.  Social Security and Medicare deductions do not go into that pot.  Since the government is currently spending more than it receives, it is not clear how much of the apportionment is from debt, not revenues.

The available tax receipt is for 2011; 2012 should not be much different.  The only way that Medicare and Social Security can show up in those expenditures is if it is necessary for the government to cover a shortfall beyond what those programs have available for their disbursements.  That has not happened for Social Security.  It is unclear what the Medicare portion is in the 2011 “tax receipt.”

That does not mean there is no cause for concern.  I’ve read that 2012 is the first year that payments from the Social Security trust fund exceeded new contributions to the fund.  Social Security is not directly funded by annual receipts.  It is backed by a trust fund that is only now beginning to be reduced by the discrepancy between payments and new contributions.   The expiration of reduced payments on December 31 may improve matters for 2013.  But it is the case that the trust fund could be depleted sometime after 2030 if no remedies are put in place.  

There are various remedies for preserving the health of Social Security that do not involve surrender to the ideological desire to eliminate it.  One appraisal is in Samir S. Soneji’s New York Times  opinion piece.   Go past the scary title to the available numbers and the prospective remedies. 

Medicare is more complicated, because the rate of increase of medical-care costs is overwhelming the ability of the program to cope.   There is a separate trust fund that banks contributions against future need.  There are measures for short-term relief, including provisions in ObamaCare, but the rate of increase in costs is daunting.

For both of these programs, it is important to look at the long term and be clear-headed about the opportunities for preserving the promise of these important social programs.  Clarity starts with looking at the actual numbers and the factual state of affairs. 

Enhanced by Zemanta
Posted in Civil Society and Democracy, Orcmid's Lair | Leave a comment

RSS: Blogs as Publishing

Browser Pull-Down Menu Showing Feeds at a Site

I much prefer full-content blog feeds.  I want to be able to use my feed reader to see what the article is.  I can then delete it, flag it, or simply let it sit there until my attention comes back to where the feed sits in my blog collection.   I also know that I can use full-text searching in my feed collection when I am looking for something I remember having noticed in the past.

I treat blogs as feeds into a compilation of clipped blog articles that is at my fingertips and with organization at my whim.

It takes very special circumstances (such as a blog on security issues) to have me willingly subscribe to a feed that has only titles and, at best, short summaries.

Blog pages, especially aggregation blogs, often defeat my quest for a full-content feed of an individual contributor whose topics align with my interests.  The browser button that indicates a feed is available rarely provides the full-content feed that I am interested in, sometimes providing an empty feed.  I have to search the page for other feed sources.

What I failed to notice is that, at least since Internet Explorer 8, the feed-presence button is a pull-down, and there are feeds available for matters that I had never noticed before (such as Bing search-result pages).  

I have now found that (based on a very small sample), Atom feeds are more likely to provide full content than genuine RSS feeds, and when both are available, what is delivered can be different.  I don’t know if this is a quiet agreement or happenstance.  I certainly feel served, now that I know there may be more options than I thought.

It was particularly satisfying to discover this on encountering a blog that is about publishing and the world of digital publishing, including blogging.  I was finding it ironic that the blog itself lacked a full-content feed.  I’m delighted to learn that I simply didn’t know to seek further.

[I’ve promised myself to begin blogging regularly, perhaps daily.  I find this level is an aid to unlocking my writing.  Today though, I find I have been subscribing to blog feeds like crazy, not exactly a move in the right direction.  I’m not clear why that just happened.  It put me at 892 feeds being monitored with 3,892 unread articles.  I think I may be in need of an intervention.]

Enhanced by Zemanta
Posted in blogs, Orcmid's Lair, Professor von Clueless | Leave a comment