
ZF05 gives us one more reason to use unique passwords

Some big names in the security conference circuit have fallen victim to security breaches. Learn from their mistakes.

You may have heard, from articles such as Real Black Hats Hack Security Experts on Eve of Conference, that the security on Dan Kaminsky's and Kevin Mitnick's professional Websites was cracked. As the Wired article put it:

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky's site.

Kevin Mitnick is notable as the most wanted computer criminal in US history at the time of his arrest in 1995. Since getting out of the hoosegow, he has become a computer security consultant and author, capitalizing on his ill-earned fame.

Dan Kaminsky is a security researcher and the penetration testing Director for IOActive. He is most recently notable for his extremely well marketed work on DNS cache poisoning, and his talk on the subject at the Black Hat Briefings conference last year. He also showed evidence that the infamous Sony rootkit had infected more than 568 thousand computers.

The compromise of the security of these two big names in security circles is only the tip of the iceberg, however. In a text file left behind as a calling card of sorts, the perpetrator of these compromises and many more shares opinions, facts, and previously secure data harvested from a number of servers, complete with mockery of the bone-headed security gaffes that allowed some of these security cracks. The document, mirrored at sucuri.net, takes the form of a newsletter titled Zero For 0wned 5, the fifth in an irregularly "published" series -- abbreviated ZF05.

After the intro, ZF05 shares information about compromises of quite a few Websites, opines about the state of the security industry in general, hands out "Pwnie Awards" as a sort of booby prize for people who are particularly reviled in the eyes of the ZF05 author(s), and even has some choice words for the "Anti-sec" perpetrator.

Amongst all these bits of interesting news (all of it bad for someone), what most caught my eye was the cracking of PerlMonks user password security -- mostly because it's the only site listed as compromised in the ZF05 newsletter where I have an account, though I haven't really frequented the site in a while. It turns out that user passwords are stored in a database in plain text, rather than hashed. In the words of ZF05:

There is a really simple reason we owned PerlMonks: we couldn't resist more than 50,000 unencrypted programmer passwords. That's right, unhashed. Just sitting in the database. From which they save convenient backups for us.

Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let's just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I'm sure you can figure it out yourselves.

This isn't a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.

The key take-away from this, of course, is that you should never reuse a password between sites. Get yourself a good password manager application; you should only really have to memorize a handful of strong passwords, and store the rest in your password manager.
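The site-side half of the lesson is what PerlMonks apparently did not do: store a salted, slow hash of each password instead of the password itself, so that a stolen database backup does not hand the attacker 50,000 reusable logins. The following is an added example written for this page, not PerlMonks' code (which is Perl) and not anything from ZF05; it uses only the Python standard library, and the record format, the work factor ITERATIONS, the function names and the two-row sample user table are all assumptions chosen for illustration.

```python
"""Salted, iterated password hashing versus plaintext storage (added example)."""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Assumed value; tune upward as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # per-user random salt defeats precomputed (rainbow) tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record (for instance a leftover plaintext value)
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when a record was hashed with a weaker work factor than the current ITERATIONS.

    Call this after a successful login and re-hash with the user's (now known)
    password, so old records get upgraded over time.
    """
    try:
        algo, iterations, _salt_hex, _digest_hex = record.split("$")
    except ValueError:
        return True
    return algo != "pbkdf2_sha256" or int(iterations) < ITERATIONS


# Constructed sample user table, stored the way ZF05 says PerlMonks stored it: plaintext.
# A dump of this table is a ready-made credential list for every other site these users reuse on.
PLAINTEXT_TABLE = {
    "monk_a": "hunter2",
    "monk_b": "Tr0ub4dor&3",
}


def hashed_table(table: dict) -> dict:
    """Convert a plaintext user table to hashed records; the passwords no longer exist in the store."""
    return {user: hash_password(pw) for user, pw in table.items()}


if __name__ == "__main__":
    stolen_backup = hashed_table(PLAINTEXT_TABLE)
    print(stolen_backup["monk_a"])  # salt and digest only, never "hunter2"
    print(verify_password(stolen_backup["monk_a"], "hunter2"))  # True
    print(verify_password(stolen_backup["monk_a"], "hunter3"))  # False
    print(needs_rehash(hash_password("hunter2", iterations=50_000)))  # True
```

Two details matter beyond "hash it": the salt is random per record, so identical passwords produce different records and an attacker cannot crack the whole dump with one precomputed table, and the comparison uses `hmac.compare_digest` rather than `==`, so the verifier does not leak digest bytes through timing. Hashing does not rescue a user who reused a weak password (a slow hash only buys time against brute force), which is why the client-side advice above still stands.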

Other lessons can be gleaned from the ZF05 commentary, too, of course, and much of it can make for an entertaining read.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

10 comments
ps.techrep

Wrong, what ZF05 does is give users one more reason to question the need for extensive personal information during the registration process on most public sites, and the requirement by too many sites that passwords be non-complex. It's ludicrous that half the banking sites in the country don't establish a basic https session before allowing a user to enter an account name. It's criminally negligent that they insist on customers using simple alphanumeric passwords and user names. Where the current "systems" (if you can call the total absence of any form of uniform standards for site security, user names and passwords a system) fall down is that no matter what users do, websites, not users, are still the most vulnerable point of attack. Users could use unique account names and passwords for each site, but sites can't be trusted to maintain security of the linked email addresses and other personal information. A conscientious user would have to use a throwaway email account and random specious personal information to compensate for poor site security, something that would preclude using web access for transactions that truly need security such as banking. It would be trivial to generate a site-by-site complex password and user name based on the site name with an algorithm that used a user-generated question and answer plus a complex 6-digit personal code, but no matter what users do, they can't compensate for bad security management by the organizations with which they do business.

apotheon

When you share passwords across sites, all it takes is bad security at one site for your login data at several sites to be compromised.

pandu

I feel you. I always feel a shudder on my spine whenever I realize that a site won't accept a long complex password. Always makes me think twice, even thrice.

Neon Samurai

Why, oh why, oh why does TR not provide https for the login prompt? These days an SSL cert is not enough of an expense to justify its absence if a website is taking username and password input; heck, any form input should be through https. But for the love of Baud.. can anyone ask the site admin staff and return a reason that we still have cleartext login prompting on TR?

Neon Samurai

first time I've seen someone pull a good zinger back off that one.. cheers

Sterling chip Camden

Please, no religion here. All good abaudists talk about bps now instead.

Neon Samurai

I consider my forum website logins pretty low security. If someone pops my account the worst they can do is post under my name and see what minimal unpublished information I am required to provide. I still itch a little every time I see that red coloured password field though. For a technology website that has such a focus on providing security related information, it should be a little embarrassing for the site admins. (I know.. if some of the writers were involved on the admin side, it would be a non-issue.. such is the biz)

apotheon

1. Never use a password at TR anywhere else. It's transmitted in clear text.
2. Never log in directly from an untrusted network. At minimum, use an encrypted proxy to connect via a trusted network.
3. Never entrust anything really important to your TR account, because (again) your password at TR is transmitted in clear text.