“security” via n8xja in Google Reader 2012-12-09 19:00:11

Welcome to Radeon City, population: 8. It’s one of five servers that make up a high-performance password-cracking cluster.
Jeremi Gosney

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It’s an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft’s LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

“security” via n8xja in Google Reader 2012-11-07 17:40:42

A figure from the patent that has been asserted against Intel, Google, and hundreds of other companies providing SSL and TLS on their websites.
Google

An unknown company’s four-year campaign to sue hundreds of companies for offering encryption on their websites shows no signs of abating, with Intel, Yelp, and MovieTickets.com being targeted in the past month, court records show.

The patent infringement complaints, which have also named Google, Apple, eBay, and Expedia, claim that Marshall, Texas-based TQP Development is entitled to royalties for the companies’ use of the secure sockets layer and transport layer security protocols. Together, SSL and TLS form the basis for virtually all encryption used to authenticate websites and to encrypt data traveling between them and end users. The lawsuits assert US Patent No. 5,412,730, which is titled “Encrypted data transmission system employing means for randomly altering the encryption keys.”

Court records indicate that TQP has sued hundreds of companies since 2008. At least 100 of those organizations have been named in the past 12 months, indicating that the campaign is only gaining steam. A variety of the cases, including one against Apple, were later dismissed after the parties reached confidential settlements. A separate case, filed against TD Ameritrade, was dismissed on August 28, two weeks before a jury trial was scheduled to begin.


“security” via n8xja in Google Reader 2012-11-02 18:40:51

Developers of Mozilla’s Firefox browser are experimenting with a new security feature that connects to a specified set of websites only when presented with a cryptographic certificate validating the connection is secure.

A beta version of the open-source browser contains a list of sites known to deploy the HTTP Strict Transport Security mechanism that requires a browser to use the secure sockets layer or transport layer security protocols when communicating. HSTS is designed to provide an additional layer of security by mandating the channel is encrypted and the server has been authenticated using strong cryptography.

But there’s a chicken-and-egg problem with HSTS. “Man-in-the-middle” attackers, who are positioned in between a browser and website, have the ability to prevent browsers from receiving the server code that enforces the additional protection. That makes it possible for HSTS to be circumvented by the very types of people the measure is designed to thwart.
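The first-visit gap described above, and how a built-in list closes it, as an added Python sketch that is not code from Firefox or from the article. The `Browser` class, the `PRELOADED` set and the host names are constructed for illustration; the header name and its `max-age` and `includeSubDomains` directives are the standard HSTS ones.

```python
import re

PRELOADED = {"bank.example"}  # constructed stand-in for a browser's built-in list


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # malformed max-age: ignore the whole header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class Browser:
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)
        self.learned = {}  # host -> (expiry, include_subdomains)

    def note_response(self, host, scheme, headers, now):
        """Learn a policy, but only from a response that arrived over HTTPS."""
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if scheme != "https" or policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.learned.pop(host.lower(), None)  # max-age=0 withdraws the policy
        else:
            self.learned[host.lower()] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            expiry, include_sub = self.learned.get(name, (0, False))
            # Assumption: preloaded entries also cover their subdomains.
            if name in self.preloaded or (now < expiry and (i == 0 or include_sub)):
                return True
        return False


def first_visit():
    """First-ever visit where the HTTPS response never reaches the browser."""
    plain, preloading = Browser(), Browser(PRELOADED)
    return plain.must_use_https("bank.example", 0), preloading.must_use_https("bank.example", 0)
```

`first_visit()` returns `(False, True)`: a browser that has learned nothing still allows plaintext HTTP on first contact, while the one with the built-in entry upgrades before any request leaves.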


“security” via n8xja in Google Reader 2012-11-01 15:00:39

A publicly viewable server status on one site exposes user passwords to the world.
Dan Goodin

More than 2,000 websites—some operated by Fortune 500 companies, game sites, and retail outlets—are exposing system status information that can be used by attackers to compromise Web servers or customer accounts, a recent research project found.

Sites such as staples.com, cisco.com, and axtel.mx run the popular Apache webserver application with a feature known as server-status enabled, according to Daniel Cid, CTO of Web security firm Sucuri. He scanned more than 10 million websites and found 2,072 that left the status page wide open.

The pages display the number of processes running on a Web server, the status of various Web requests, and other data that can be invaluable to site administrators. But the same data—which can also include the full URL a visitor is requesting—can also be helpful to attackers who want to compromise the customers or users visiting the site. Site admins have long been admonished to keep those pages from being visible to the outside world unless they have a good reason for doing otherwise and have thought through the decision carefully.
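One way for an administrator to check their own configuration for this exposure, as an added Python example that is not from the article or from Sucuri. It flags `<Location>` blocks that enable the `server-status` handler without restricting access in that block; the sample configuration and its paths are constructed, and the check is a heuristic that errs toward flagging.

```python
import re

# Constructed sample configuration (not taken from any real site).
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
</Location>
<Location /status-24>
    SetHandler server-status
    Require local
</Location>
<Location /status-22>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""


def _restricted(body):
    """Heuristic: does this block narrow access on its own?"""
    requires = [d for d in body if d.startswith("require ")]
    if requires:  # Apache 2.4: sibling Require lines are ORed together
        return "require all granted" not in requires
    # Apache 2.2: expect "Deny from all" with only specific Allow lines
    return "deny from all" in body and "allow from all" not in body


def audit_server_status(conf_text):
    """Return <Location> paths that serve server-status without restriction."""
    exposed, path, body = [], None, []
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue
        opening = re.match(r'<Location\s+"?([^\s">]+)"?\s*>$', line, re.I)
        if opening:
            path, body = opening.group(1), []
        elif line.lower() == "</location>" and path is not None:
            if "sethandler server-status" in body and not _restricted(body):
                exposed.append(path)
            path = None
        elif path is not None:
            body.append(line.lower())
    return exposed


if __name__ == "__main__":
    print(audit_server_status(SAMPLE_CONF))
```

A block that relies on restrictions inherited from elsewhere in the configuration is still reported, so treat each hit as a prompt to confirm who can actually reach the page.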


“security” via n8xja in Google Reader 2012-10-31 14:43:43

A list of the 10 network operators with the highest number of open DNS resolvers, as measured by CloudFlare. Over the past three weeks, third-party attackers have been abusing them around the clock in an attempt to knock a website offline.
CloudFlare

A company that helps secure websites has compiled a list of some of the Internet’s biggest network nuisances—operators that run open servers that can be abused to significantly aggravate the crippling effects of distributed denial-of-service attacks on innocent bystanders.

As Ars recently reported, DDoS attacks have grown increasingly powerful in recent years, thanks in large part to relatively new tools and methods. But one technique that is playing a key role in many recent attacks isn’t new at all. Known as DNS amplification, it relies on open domain name system servers to multiply the amount of junk data attackers can direct at a targeted website. By sending a modest-sized domain name query to an open DNS server and instructing it to send the result to an unfortunate target, attackers can direct a torrent of data at the victim site that is 50 times bigger than the original request.

Engineers at San Francisco-based CloudFlare have been shielding one customer from the effects of a DDoS attack that has flooded it with 20 gigabits-per-second of data around the clock for three weeks. While attacks of 100Gbps aren’t unheard of, that’s still a massive attack even large botnets are generally unable to wage.


“security” via n8xja in Google Reader 2012-10-18 11:19:39

Picture Passwords allow users to log in to Windows 8 accounts without entering a passcode.
Microsoft

New features designed to make it easier to log into Windows 8 accounts allow encrypted passwords to be converted into plaintext in some cases, security researchers said.

The features, which allow people to sign in with a picture-based password and four-digit personal identification number, are intended to provide a less-cumbersome alternative to entering a password each time users want to access their account. Once people have set up a password for an account, they can use pictures or PINs to log in from then on.

But the added convenience comes at a cost. According to security experts who have tested the features in developer pre-releases of the upcoming Microsoft operating system, the features cause Windows 8 to store passwords using encryption that can be reversed. Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives. The latest version of Windows Password Recovery, a password-cracking package sold by Russia-based Passcape Software, claims to do just that.


Secret account in mission-critical router opens power plants to tampering

A Magnum 6K Managed Ethernet Switch sold by GarrettCom.

GarrettCom

The branch of the US Department of Homeland Security that oversees critical infrastructure has warned power utilities, railroad operators, a…
