After April 8th 2014 Microsoft will no longer support Windows XP. Microsoft will publish no new security patches for vulnerabilities, and Security Essentials will only provide new malware signatures for a short while. Windows XP will be orphaned. By Microsoft. But many consumers and companies still use XP systems, and they will be at risk, because XP will not be orphaned by criminals. Vulnerabilities in newer Windows versions will still be patched, but since all Windows versions since NT share code, chances are that a vulnerability found in a more recent version is a vulnerability in XP too. Once it is fixed in Vista, 7 and 8 it is no longer a vulnerability in those systems, but it will still exist in XP and it will be exploited by criminals: the patch for the newer versions tells an attacker exactly where to look. From April 8th this will be bad luck for XP users. At least for consumers. Most consumers run a fully patched XP system, since Microsoft advises them to, so for consumers moving to a more recent operating system is the only way to stay secure. But so far consumer PCs are not the biggest problem.
But there is an even bigger risk, and it is not even a new one: enterprises and other organisations running XP systems. Those organisations have a serious problem. If they still run XP, they have a change management problem. Commercial support for XP ended a long time ago, meaning that they gambled that they would not need any support.
And we may have a big problem with that. In professional environments most workstations are managed centrally, from an update server. Patches are not downloaded directly from the Microsoft servers; these organisations distribute patches in releases after they have tested them, and such a process may take a while. Many companies roll out new releases only once in a while; two or three month intervals are common. Changing more frequently is often seen as a risk, because these (unsupported) systems had better not be touched. Never change a winning team...
Will these systems be at risk after April 8th? Sure. Are they at risk now? You bet. If a company is still running XP at this moment, chances are that older patches have not been applied either. Stay away from organisations running XP; the problem is bigger than you imagined.
Thursday 27 March 2014
Wednesday 26 March 2014
Complex passwords? As easy as 1-2-3
A few posts back I promised you a new and easy method for composing complex passwords that are, nevertheless, easy to remember. First some background on password complexity.

Why do we need complex passwords in the first place? We don't.

There are two real reasons, we are told, why we need complex passwords. The first one is that a complex password is more difficult to remember, thereby reducing the chances of password leakage, but at the same time creating the Post-It note problem of people writing the password down.

The second is that a complex password takes more time to attack using brute force cracking techniques, but complexity in itself does not prevent dictionary based cracking. A dictionary based attack compares the hashed password in a password file to the words in a dictionary, hashed with the same hashing algorithm. If the hash of a dictionary word is the same as the hash in the password file, then that word is the password. A clever cracking tool subsequently tries several permutations of each word, replacing lower case letters by upper case letters, numbers or symbols, so 'P@ssw0rd' is discovered just as quickly as 'password'. Leetspeak therefore does not make a password more secure than regular spelling. If a word is not in the dictionary, another technique is required: simply trying all combinations to see whether a hash equals the hashed password of the target account. And in all simplicity that means that the longer the password, the more time it costs to crack it.

This leads to 2 simple conclusions.
- First: if a cracker uses an English language dictionary, he will not find my Dutch language word, meaning that he will have to resort to a brute force attack...
- Second: for a brute force attack the cost is set by the length of the password and by the character set the cracker has to cover. '1234567890' is as long as '6Gr*7jgkhi', but it lies in the digits-only keyspace (10^10 candidates for ten characters), which a clever cracking tool exhausts first, long before it starts on the full printable character set (95^10 candidates), so it will be found much faster. The sense of it still holds: if a word is not in a dictionary, brute force requires a lot more time if the password is longer.

An illustration of this principle: the old Windows OS used the LanMan (LM) hashing algorithm. The password was converted to upper case, padded with null bytes to 14 characters and split into two 7-byte halves, which were hashed separately. If no more than 7 characters were used, the second half consisted only of padding and its hash was always the same constant, so although the stored hash covered 14 characters, cracking the first 7 characters was enough to recover most passwords. If an 8th character was used, the second half had to be cracked as well, but since each half is attacked on its own, the work at most doubles rather than growing with every extra character. In effect, this is the reason why many password policies prescribe the use of at least 8 characters.

This results in a few simple rules:
- Use long words that are not in a (regular) dictionary... German speaking people have an advantage here...
- Use non-words that are long enough to make brute forcing a lengthy operation but that are easy to remember.

My advice: use your telephone number, but use leetspeak backward.

Example: phone number 01 234 567 89, consisting of only numbers. Just exchange a few numbers for letters/characters in whatever way you feel comfortable with. A '0' can be an O (oh), or Z (for zero) or N (for nul), in lower case or upper case, your choice. So, this simple example may result in NE2D4vzZ8n or zOt3f5sse9. You just need to remember the order of substitution, but you don't need to remember the password, just the phone number used.

The entered password may look familiar if you know the algorithm used, but to a password cracking tool these passwords all look very different (all SHA-256 hash examples):

0123456789
> 84D89877F0D4041EFB6BF91A16F0248F2FD573E6AF05C19F96BEDB9F882F7882
NE2D4vzZ8n
> 4DB3EA7E7894603A00091C8AABA25556B0366CF4C7045CF5B862477B44357040
zOt3f5sse9
> 4A384192BB6933877D9B7E29993DE7AF1EBC191DE6C30289F13F084EFD332B1B

Compare that with:

password
> 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

If a cracker can get at your hashed password, the cracker has no way of knowing how you defined your password, as long as both the substitution scheme and the phone number stay private. Make it as easy as you can.
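As an added worked example (not code from the original post), the following Python script does what the passages above describe: a dictionary attack that mangles each word with the same leetspeak substitutions that turn 'password' into 'P@ssw0rd', the brute-force arithmetic behind the length argument, and, as the caveat a cracker would exploit, an enumeration of the phone-number scheme once the attacker knows both the scheme and the number. The LEET table, the DIGIT_CHOICES table, the wordlist and the guess rate are constructed assumptions; hashes are SHA-256 to match the digests shown above.

```python
"""Constructed example: leetspeak dictionary attack, brute-force keyspace
arithmetic, and enumeration of the phone-number scheme. SHA-256 throughout."""
import hashlib
import itertools
import math

# Substitutions a cracking tool tries on each letter of a dictionary word
# (a constructed subset; real rule sets are far larger).
LEET = {"a": "aA@4", "e": "eE3", "i": "iI1!", "o": "oO0", "s": "sS$5", "t": "tT7"}

# Per-digit choices of the post's scheme: the digit itself and the initial of
# the Dutch or English number word, lower or upper case (constructed table).
DIGIT_CHOICES = {
    "0": "0nNzZoO", "1": "1eEoO", "2": "2tT", "3": "3dDtT", "4": "4vVfF",
    "5": "5vVfF", "6": "6zZsS", "7": "7zZsS", "8": "8aAeE", "9": "9nN",
}

# Constructed wordlist standing in for an English dictionary.
WORDLIST = ["welcome", "letmein", "password", "monkey"]

PRINTABLE_ASCII = 95  # size of the full printable character set


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str):
    """Yield every case/leetspeak variant of a word; the plain word comes first."""
    choices = []
    for ch in word:
        alts = LEET.get(ch.lower()) or "".join(dict.fromkeys(ch.lower() + ch.upper()))
        choices.append(alts)
    for combo in itertools.product(*choices):
        yield "".join(combo)


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Return the password if some mangled wordlist entry hashes to target_hash."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force_keyspace(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive search of exactly `length` characters must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second


def scheme_keyspace(phone: str) -> int:
    """Candidates left once the attacker knows the phone number and the
    substitution table: a product of per-digit choices, not 95 ** length."""
    return math.prod(len(DIGIT_CHOICES[d]) for d in phone if d.isdigit())


def crack_phone_scheme(target_hash: str, phone: str):
    """Enumerate every password the scheme can derive from `phone`."""
    digits = [d for d in phone if d.isdigit()]
    for combo in itertools.product(*(DIGIT_CHOICES[d] for d in digits)):
        candidate = "".join(combo)
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("P@ssw0rd")))    # found via mangling
    print(dictionary_attack(sha256_hex("zOt3f5sse9")))  # None: not a word
    rate = 1e9  # assumed guesses per second for a fast GPU rig
    digits_only = brute_force_keyspace(10, 10)
    printable = brute_force_keyspace(10, PRINTABLE_ASCII)
    print(f"{seconds_to_exhaust(digits_only, rate):.0f} s for ten digits")
    print(f"{seconds_to_exhaust(printable, rate) / 3.15e7:.0f} years for ten printable chars")
    print(scheme_keyspace("01 234 567 89"))  # a few million, if the scheme is known
    print(crack_phone_scheme(sha256_hex("NE2D4vzZ8n"), "01 234 567 89"))
```

The first two calls show the point of the post: the mangled dictionary word falls, the non-word survives, and a ten-digit number is exhausted in seconds where ten printable characters take centuries at the same rate. The last two calls show the caveat: with the phone number and the substitution table in hand, the search shrinks to a few million candidates, so the scheme is only as secret as the number and the table.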
We don't need complex passwords. And in a future post I will expand on this some more.