
Why Complex Passwords are Crucial to Maintaining Security

Kordel

This past week I found myself conducting an Audit on some IT resources for a client. I was asked to attempt password recovery on some essential equipment, as well as to audit the security setup of the same equipment to determine the level of resistance to different Network threats.

The project, in addition to being enjoyable, was also highly enlightening. I find that whenever I “dig a little deeper” into a Security topic, I always uncover very interesting (and sometimes terrifying) tidbits about the security, or lack of security, of the different systems and measures that most of us take for granted on a daily basis.

Exhibit A: Client X
Client X required password recovery (for reasons that are not relevant) on a piece of equipment that was extremely crucial to daily operations. What I discovered during this process was terrifying, and speaks in detail to the dangers of slack security measures on the part of IT Professionals!

In processing this recovery (which was successful, by the way), I discovered that the carelessness of the personnel responsible for original configuration of this equipment allowed this critical piece of equipment to be unlocked in a matter of only a few hours (without previous experience on this type of equipment on my part). A seasoned “Hacker” or Security Expert could no doubt have performed the same procedure in under an hour.

The key weaknesses that contributed to the ease of entry included:

  • Lack of Access Control Lists or Access Restrictions
  • No mechanism to prevent or limit access to “Recovery” modes
  • Lack of attention to critical security flaws inherent in the equipment

And, most importantly,

  • Simple administrative account passwords (i.e. a single real-word password, without numbers, case change or symbols of any kind)

That’s a problem.

Before I proceed, let me establish a few things:

  • In the defense of the parties responsible for this equipment, some amount of Physical Access (though VERY BRIEF) is required to carry out the exact method that I utilized to breach this equipment. HOWEVER, a skilled attacker could “probably” exploit other protocol, design or environmental weaknesses to bypass the need for physical access.
  • Eberly Systems maintains a VERY STRICT standard in regards to Security Auditing and Unauthorized Access of any kind – we will NEVER, under ANY CIRCUMSTANCES perform an Unauthorized attack or access attempt on any device or network.

Now to the good stuff…

Bypassing established security measures is sometimes as simple as finding a “loophole” in equipment or protocols that allows you to bypass usernames and passwords on a given piece of equipment. Other types of attacks require the procurement of “Password Hashes”.

Password hashes are one-way transformations of passwords (loosely, “encrypted” passwords) that are stored on equipment, and they are what allow your password to be verified when you enter it into any login screen on your computer. Hashes are produced by specialized cryptographic algorithms (such as MD5, SHA-1, DES, etc.) that turn your original password into an unreadable, fixed-length value. In some cases, passwords are processed through multiple algorithms, or through the same algorithm hundreds (or even thousands) of times. The resulting “Hash” cannot be “unscrambled” – the only way to confirm a password’s accuracy is to repeat the process: you enter a password, the system runs it through the same hashing process (using whatever algorithm and procedure it has established), and the resulting hash is compared against the stored original. If it’s a match, access is granted. If it does not match, access is denied.

While this is very secure (again, hashes cannot be “unscrambled”), it is possible to “crack” a hash if you can obtain it. Utilizing special software, potential passwords are run through the same algorithm(s) that your target system utilizes, but at very high speeds – hundreds, thousands, or more per second – and each result is compared against the stolen hash until one matches.

The two types of Password Cracking attacks are “Dictionary” and “Brute Force”. Dictionary attacks utilize a pre-built “Dictionary List”, or list of common words in a given language. They will process this list at whatever speed the attacking system is capable of (based on Processor speed and other factors), until a match is found. More advanced Dictionary attacks allow the Dictionary words to be “mangled”, changing the case of some or all letters, adding numbers or symbols before or after the word, and other such things.

Brute Force attacks tend to be much lengthier. They involve specifying a “set” of characters (such as the letters a-z, A-Z, numbers 0-9, or Keyboard Symbols) and, starting at “a”, running through every possible combination of letters, numbers, cases, etc. Brute Force attacks on complex passwords are not viable on most systems – with today’s sophisticated hash algorithms and a good password, a standard computer would take hundreds (or thousands) of years to go through EVERY possible combination of symbols and find a matching Hash output. Obviously, by the time the system completed this process, the password would probably have been changed or become irrelevant.

However, if you have a simple password (let’s say, “password”) and an attacker gains access to your stored “Hash”, then, utilizing a standard Dictionary file of the English language on a modern Desktop PC, he could (theoretically) uncover your password (i.e. match the hash value) in as little as a half hour (depending on his Dictionary file, program of choice, and other factors). Scary, huh?

If you were to make even a few changes – for example, capitalize the “a” and add a symbol (let’s choose “#”) at the end – your attacker’s dictionary attack would fail, and he would have to resort to either a Brute Force attack (which, for such a password and no further information, WOULD take quite a few years) OR a much more sophisticated Mangled Dictionary attack, which could still take a year or more.

If you go even further, and, ditching your original password, create a new “random” password (let’s make one up, say “R5&lk#fw”), the attacker would be 100% unable to crack the hash with a Dictionary attack, and would HAVE to resort to a brute force attack. On a modern Desktop computer, such an attack would likely take Thousands of years (which makes it “impossible” to crack for all intents and purposes).

Hmm… suddenly, it makes a bit more sense when your IT department or favorite Email Provider makes you change your password and add a few extra Symbols or numbers, doesn’t it?

The wrench in all of this is that some Hackers have a lot more “horsepower” behind them than a simple Desktop computer. If you are targeted by a Government or Organized Hacking Group, your Hash may become the target of the combined power of hundreds, thousands (or more) of Computers (CPUs) – which means that the time to crack your password could go from 1000 years (using round numbers for example), to:

  • 10 years on 100 Processors
  • 1 year on 1000 Processors
  • 1 month on 12,000 Processors

As you can see, you DON’T want to run crossways of someone with the money or resources to leverage a Server Farm against your Password hash.
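As an added example (not code from the original post), here is a small Python model of the verification and cracking process described above: an iterated SHA-1 scheme standing in for the “same algorithm thousands of times”, a dictionary attack with and without mangling rules, and the brute-force keyspace arithmetic that the per-processor figures above divide. The wordlist, the hashing scheme and the mangling rules are constructed assumptions, not any real system’s.

```python
import hashlib
import string

# Constructed mini wordlist standing in for a real dictionary file (assumption).
WORDLIST = ["monkey", "dragon", "letmein", "password", "sunshine", "baseball"]
ITERATIONS = 1000      # the "same algorithm thousands of times" the post describes
SYMBOLS = "!@#$%^&*"   # small symbol set for the mangling rules (assumption)

def password_hash(password: str) -> str:
    """Hypothetical scheme: SHA-1 applied ITERATIONS times; one-way, so the only check is to recompute."""
    digest = password.encode()
    for _ in range(ITERATIONS):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()

def verify(password: str, stored_hash: str) -> bool:
    """What the login screen does: rehash the entry and compare with the stored hash."""
    return password_hash(password) == stored_hash

def mangle(word: str):
    """Yield the variants a 'mangled dictionary' attack tries: case changes plus one digit or symbol appended."""
    cases = {word, word.upper(), word.capitalize()}
    for i in range(len(word)):                       # uppercase one letter at a time
        cases.add(word[:i] + word[i].upper() + word[i + 1:])
    for base in cases:
        for suffix in [""] + list(string.digits) + list(SYMBOLS):
            yield base + suffix

def crack(stored_hash: str, wordlist, use_mangling: bool = False):
    """Dictionary attack: the guess whose hash matches, or None once the list is exhausted."""
    for word in wordlist:
        for guess in (mangle(word) if use_mangling else [word]):
            if verify(guess, stored_hash):
                return guess
    return None

def keyspace(password: str) -> int:
    """Brute-force search space: (sum of the character-class sizes present) ** length."""
    size = 0
    size += 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += len(string.punctuation) if any(c in string.punctuation for c in password) else 0
    return size ** len(password)

def years_to_exhaust(password: str, guesses_per_second: float, processors: int = 1) -> float:
    """Worst-case time to try every combination; adding processors divides the time."""
    return keyspace(password) / (guesses_per_second * processors) / (365 * 24 * 3600)
```

With this wordlist, “password” falls to the plain dictionary pass, “pAssword#” survives it but not the mangling rules, and “R5&lk#fw” survives both, leaving only the keyspace-sized brute-force search.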

Now that you are thoroughly terrified, go change your passwords – and let me leave you with one last tidbit from a recent attack against “Gawker Media”, in which their entire database of User accounts and hashes was obtained and cracked by an organized hacking ring. The following data is provided thanks to DuoSecurity.com.

“As with any password dump, one of the most interesting outcomes is the most popular/common passwords chosen by users.  The top 25 most common passwords from our cracking results were:

   2516 123456
   2188 password
   1205 12345678
    696 qwerty
    498 abc123
    459 12345
    441 monkey
    413 111111
    385 consumer
    376 letmein
    351 1234
    318 dragon
    307 trustno1
    303 baseball
    302 gizmodo
    300 whatever
    297 superman
    276 1234567
    266 sunshine
    266 iloveyou
    262 f***you
    256 starwars
    255 shadow
    241 princess
    234 cheese

The vast majority (99.45%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols.”

How many of my readers will be changing their passwords in the next week because of this information? I’m curious – let me know!
