Tag Archive: Security



Anyone who knows me probably knows this is one of my biggest pet peeves. I see this happening every day, but from a large site like LinkedIn... shame on you. As all of you probably know by now, a post was made to a Russian site of more than 6.5 million SHA-1 password hashes from LinkedIn, with the posters attempting to crack them.

Now for all of you who have worked with protecting sensitive data, I am sure you understand the problem with just hashing a password with SHA-1 and no salt. SHA-1 is a hash, not encryption: it is fast, deterministic and has no key, so once an attacker knows which algorithm was used (and a 40-hex-character digest gives that away on sight) the rest is fairly easy. Every account that chose the same password has the same hash, so one precomputed dictionary or rainbow table cracks all of them at once. The simpler passwords are uncovered in minutes, and the harder ones, once the dump is broadcast to the cracking community, do not take long either.

A salt is a random value, generated separately for each user, that is combined with the password before hashing and then stored next to the resulting hash. The salt is not a secret; its job is to make every stored hash unique, even for two users who picked the same password. That kills precomputation: an attacker can no longer hash a dictionary once and compare each result against every account in the dump, but has to re-hash each candidate word under each account's salt, so the cost of cracking scales with the number of accounts as well as the size of the dictionary. With a bare SHA-1 hash the attacker hashes each dictionary word once, checks it against every hash in the dump in a single lookup, and if nothing matches simply moves on to the next word. Salting alone does not make an individual guess any slower, though, so the salt belongs together with a deliberately slow, iterated password hash such as bcrypt, scrypt or PBKDF2. That combination turns millions of guesses per second into thousands and puts a real budget of hardware, storage and time between the attacker and the passwords.

So as you can see, the time and expense of cracking properly salted and stretched passwords can be astronomical, and that alone is a deterrent to an attacker who gets hold of your data. With all the leaks and thefts these days, you would think that a site like LinkedIn would have been more mindful of the world we live in and not assumed that the password obscurity they were using was "Good Enough". If in fact the attackers also have the usernames tied to these hashes, the truth is that most people reuse their usernames and passwords, so whoever grabs your credentials from one site can try the same combination on every other site you visit. Thinking that the LinkedIn breach affects only LinkedIn is naive. Don't fool yourselves: change that password everywhere you use it.

My recommendation to you is to change your passwords, and try not to reuse one password across many sites. If you have to reuse them, at least come up with a methodology that tells you which password you use where, so that a breach at one site does not hand over the rest. This will make it more difficult for someone to reuse a leaked password to gain access to more of your personal information.


Welcome everyone. I hope the information on this blog intrigues and informs everyone out there trying to stay on top of our fast-moving field of computing. One of the things I have been trying to stay on top of is the latest from the hacker community. Good admins cannot be complacent and think their networks are secure and out of harm's way. Hackers today are some of the most intelligent and innovative thinkers out there, and they will find a way into anyone's network if they want to. Our job is to be up on the latest exploits so that we can readily identify a breach if and when it happens; by doing this you mitigate your risk and exposure.

One of the trends I have talked about before is social engineering: the art of convincing someone to do something that gives an attacker access to their PC or network. Now, growing up I always thought hackers were socially inept people who stayed in their mothers' basements, punching out code and playing video games. I have been proven wrong; today one of the easiest ways into a system is through the person who owns it. By preying on the ignorance of the owner of the PC or network, hackers can gain access and have a field day at your expense.

We all would like to think we are smarter than just opening a door and letting a stranger in, but the fact is a lot of us do just that. Obviously we would not let in someone who simply calls or emails and asks for access, but what if that call or email looked official, or put enough of a scare into you that you reacted quickly without thinking? That is what social engineering is about. Have you ever received an email that looked like it came from your bank, saying that your account will be closed unless you click on the link and verify your information? Many of us have, and many have been scared enough to click the link and hand over everything needed to get into their bank account. That is scary in and of itself. I have read these emails before, stepped back and laughed, thinking "who would fall for this?". Well believe me, many people do.

The latest campaign is happening in Colombia, where people are receiving emails claiming to come from the transportation authority. The email states that the recipient has committed traffic infractions and provides links to click on, building up enough fear to push the person into the otherwise irrational decision of clicking those links to "view" the details of the infraction. In reality the links lead to attached files which, once opened, install themselves on the PC, connect back to a botnet and feed information to the attacker. See the diary on this from the Internet Storm Center (ISC), a leader in web security: https://secure.dshield.org/diary.html?storyid=13309

Gone are the days when the standard attack was brute force or breaking into a system from the outside. Why do all that hard work when you can just get the person to open the door and let you in? That is certainly the easier route much of the time, especially when people do not know about these scams. Please protect yourselves: ask questions, get involved in the communities out there and educate yourselves. The information is free and extremely valuable, and it could save you and your information.


Microsoft has released an advisory stating that an internal source found vulnerabilities in 23 different areas of Microsoft applications, which have now been patched.

I thought I would post this to give everyone a heads-up, as this appears to be a significant find. Kudos to their staff for being diligent in securing their application portfolio. This is not an easy thing to stay on top of, let alone while enhancing that portfolio in the process. This being a rare occurrence, thank you Microsoft for getting this right.

Below is the link to the article with the full story. Check it out!

http://www.zdnet.com/blog/security/microsoft-patches-23-windows-flaws-warns-of-risk-of-code-execution-attacks/12001?tag=nl.e589


A good friend of mine today showed me that you can teach an old dog new tricks. When you have been in the game a while you would like to think that you know just about all there is to know about a programming language. Then someone comes along and shows you something amazing. How did I not know this? You can do one of two things: deflect and act like you knew it all along, or accept the fact that someone out there might have a good, useful idea and admit you don't know everything. I digress; the point is to remind all of you that no matter how long you have been in the game, be open to learning something from someone, it is OK. Trust me, they won't think you are an idiot for not knowing; they may think better of you for admitting you don't know everything.

So on to the point. What I learned today was that using CFHTTP, which is the equivalent of opening your browser and going to a URL, you can invoke a CFC method as long as the cffunction has access="remote".

EX:

<!--- The "method" form field names the remote cffunction to run; every other
      form field is matched by name to one of that function's cfargument tags --->
<cfhttp url="http://192.168.0.0/test/test.cfc?wsdl" method="post">
   <cfhttpparam name="method" value="methodname" type="formfield">
   <cfhttpparam name="methodarg" value="#arg1#" type="formfield">
</cfhttp>

I am looking at this example amazed, and understanding the security implications it has. Essentially anyone can open a web browser (or any HTTP client) and pass the method name and arguments to a CFC under your web root, and ColdFusion will execute that method for a completely unknown user. Nothing about access="remote" checks who is calling: the function runs with whatever it was given, whether the request came from your own application or from a stranger on the internet.

ColdFusion has made it so easy for developers to implement code and make remote calls that it opened a can of worms that could lead to serious issues. These days many hackers have the patience to find the holes in our systems, and it is our job to make sure they are not the ones who test our code and find the exploits. That means closing the gaps. Be thorough, not complacent, in making sure your application is balanced from top to bottom between being secure and being easy to use. This proves to be a very valuable lesson. Be very careful with allowing remote access to your CFCs. Treat every remote method as a public URL: if you need to allow remote access, authenticate and authorize the caller inside the function itself (for example with isUserLoggedIn() or isUserInRole()), validate and type-check every argument before acting on it, and keep the access of anything used only internally at private or package.
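The following is an added example (my code, not from the original post) of the kind of audit I would run over a ColdFusion code base after reading this: a small Python script that pulls every access="remote" function out of a CFC, lists the arguments an anonymous client could supply, shows the plain URL by which ColdFusion would invoke it, and flags methods whose body shows no authentication call. The CFC text is constructed for the demonstration; it contains the unprotected methodname function from the example above and a hardened safeMethod that calls isUserLoggedIn() and validates its argument before doing anything. The authentication check is a textual heuristic (it looks for isUserLoggedIn, isUserInRole or cflogin in the function body), so what it produces is a review list, not a proof of safety.

```python
import re

# Constructed sample CFC for the demonstration (not code from the original post):
# one remote method with no checks at all, one private helper, and one remote
# method that authenticates the caller and validates its argument first.
SAMPLE_CFC = """
<cfcomponent>
    <cffunction name="methodname" access="remote" returntype="string">
        <cfargument name="methodarg" type="string" required="true">
        <cfreturn "ran with #arguments.methodarg#">
    </cffunction>

    <cffunction name="internalHelper" access="private" returntype="string">
        <cfreturn "not reachable over HTTP">
    </cffunction>

    <cffunction name="safeMethod" access="remote" returntype="string">
        <cfargument name="id" type="numeric" required="true">
        <cfif NOT isUserLoggedIn()>
            <cfthrow type="Security" message="Authentication required">
        </cfif>
        <cfif NOT isValid("integer", arguments.id)>
            <cfthrow type="Validation" message="id must be an integer">
        </cfif>
        <cfreturn "ok">
    </cffunction>
</cfcomponent>
"""

# Tag-based CFML only; script-style components would need a different parser.
FUNC_RE = re.compile(r"<cffunction\b(?P<attrs>[^>]*)>(?P<body>.*?)</cffunction>",
                     re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
ARG_RE = re.compile(r"<cfargument\b([^>]*)>", re.IGNORECASE)

# Heuristic markers that a function checks who is calling before it acts.
AUTH_MARKERS = ("isuserloggedin(", "isuserinrole(", "cflogin")


def _attrs(text):
    """Parse name="value" pairs from a tag's attribute string (keys lower-cased)."""
    return {k.lower(): v for k, v in ATTR_RE.findall(text)}


def audit_cfc(source, cfc_url):
    """Return one finding per access="remote" function in the CFC source."""
    findings = []
    for match in FUNC_RE.finditer(source):
        attrs = _attrs(match.group("attrs"))
        if attrs.get("access", "public").lower() != "remote":
            continue  # not reachable over HTTP, nothing for an outsider to call
        body = match.group("body")
        args = [_attrs(a).get("name") for a in ARG_RE.findall(body)]
        lowered = body.lower()
        # The direct-invocation URL ColdFusion honours: ?method=<name>&<arg>=<value>
        query = "&".join([f"method={attrs['name']}"] + [f"{a}=..." for a in args])
        findings.append({
            "function": attrs["name"],
            "arguments": args,
            "auth_check_seen": any(m in lowered for m in AUTH_MARKERS),
            "anonymous_url": f"{cfc_url}?{query}",
        })
    return findings


def unprotected(findings):
    """Names of remote functions with no authentication marker in their body."""
    return [f["function"] for f in findings if not f["auth_check_seen"]]


if __name__ == "__main__":
    results = audit_cfc(SAMPLE_CFC, "http://192.168.0.0/test/test.cfc")
    for f in results:
        status = "OK (auth check seen)" if f["auth_check_seen"] else "REVIEW: no auth check"
        print(f"{f['function']:<14} {status}\n    {f['anonymous_url']}")
    print("needs review:", unprotected(results))
```

Pointed at a real tree, the same audit_cfc() call per .cfc file gives you an inventory of every method an anonymous user can reach and the exact URL to try it with; anything in the "needs review" list either gets its access tightened or gets the authentication and validation shown in safeMethod.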

I would like to open up the lines and ask for comments on this. Let me know your experiences with this.
