[IS&T Security-FYI] Newsletter, May 2, 2008

Mike Halsall mhalsall at MIT.EDU
Fri May 2 17:43:33 EDT 2008


In this issue:
1. Passwords With A Twist
2. Security Evangelists


---------------------------------
Passwords With A Twist
---------------------------------

Raise your hand if you use the same password on multiple websites.

Okay...   Now raise your hand if you use the same password on a
low-security (CNN, joes-flowers.com) website AND use that same password
on a high-security website (PayPal, eBay).  It definitely happens;
probably too much.

Attackers love to quietly break into sites that don't have a big (if
any) security infrastructure, swiftly snag a list of all the usernames
and their corresponding passwords and then turn around and try them at
high-security e-commerce sites.  They don't need many to hit - just a
few - for it to pay off.

Any professional application developer knows that when you set your
password in their application, they will not store it in plain text.
They use what's called a hash function to compute a representation of
your password and store only that representation.  These hash
functions are one way (there is no practical way to compute a password
back from its hash) and collision resistant (finding two different
passwords that produce the same hash is infeasible).  This is exactly
why you can't call the helpdesk and say, "I've forgotten my Kerberos
password.  Can you tell me what it is?"  They simply can't.  The only
thing that's stored is the hash.  When you type your password, it gets
churned through the algorithm and turned into a hash.  That hash is
then compared with the hash in the database and, if they match, you're
logged in.  One way does not mean unguessable, though: an attacker who
steals the table of hashes can run the same algorithm over millions of
likely passwords and look for matches.  That is why the hash should be
salted (mixed with a random value chosen per user) and deliberately
slow to compute, and why a short or common password is still a short
or common password after it has been hashed.  And not everyone who
asks you to set a password is a professional; they may not know about
hash functions, or that they shouldn't be storing your password in
plain text.
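The following is an added example, not code from the newsletter or from any
site it mentions.  It shows the server side of what the paragraph describes:
a password is hashed at registration, only the hash is kept, and a login is
checked by hashing the typed password again.  It then plays the attacker
with a stolen table of hashes to show why an unsalted fast hash is weak and
a salted, slow one (PBKDF2 here, with a made-up iteration count and a
constructed list of "common" guesses) holds up better.

```python
"""Added example: storing and checking passwords as hashes, and what an
attacker can do with a stolen hash table.  All data below is constructed."""
import hashlib
import hmac
import os

# --- the naive scheme: one fast, unsalted hash per password ---------------
def store_unsalted(password: str) -> str:
    """Return hex(SHA-256(password)); this string is all the server keeps."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_unsalted(password: str, stored: str) -> bool:
    """Hash the typed password and compare in constant time."""
    return hmac.compare_digest(store_unsalted(password), stored)

# --- the better scheme: per-user random salt plus a slow key derivation ---
ITERATIONS = 100_000  # illustrative; tune so one check costs tens of ms

def store_salted(password: str, salt: bytes = None) -> str:
    """Return 'iterations$salthex$hashhex'; the server keeps only this."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def check_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

# --- the attacker's view of a stolen hash table ---------------------------
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "flowers1"]

def crack_unsalted(stolen: dict) -> dict:
    """Without salt, one precomputed guess->hash table cracks every user
    at once: hashing the guesses is done a single time, then it is lookups."""
    table = {store_unsalted(g): g for g in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stolen.items() if h in table}

def crack_salted(stolen: dict) -> tuple:
    """With per-user salt no shared table exists: every guess must be
    re-derived for every user, at ITERATIONS rounds each.  Returns
    (cracked_users, number_of_kdf_calls) so the cost is visible."""
    cracked, calls = {}, 0
    for user, stored in stolen.items():
        for guess in COMMON_PASSWORDS:
            calls += 1
            if check_salted(guess, stored):
                cracked[user] = guess
                break
    return cracked, calls
```

Note that salting does not rescue a user whose password is on the guess
list; it only removes the attacker's ability to crack everyone with one
precomputed table, and the slow derivation makes each remaining guess
expensive.  A strong password is still the user's half of the bargain.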

So, back to our problem of multiple passwords and varying degrees of
website trust.  First solution: don't use the same password at
joes-flowers.com and PayPal.  If you have done that, go ahead and change
the password at your high-security site right now.  I'll wait...

Another solution: a little Firefox extension called PwdHash.  Now, to be
clear, I'm not advocating running out and installing this extension
(I've been using it for a few months now) just because I mentioned it;
it's not for everyone and doesn't always work as expected (due to
websites having varying requirements for passwords, their complexity and
what characters they allow).  However, it illustrates a good way of
thinking of the problem.  PwdHash takes your password and combines it
with the domain name of the site you're setting a password on.  That
combination is then hashed and that's what's sitting on Joe's server at
joes-flowers.com.  When you want to log in to joes-flowers again, you
type your password into the Firefox extension, it sees what domain
you're giving your password to, computes the hash and submits that,
which matches what joes-flowers.com has for you.  If an attacker breaks
into Joe's server and gets your "password", they've just gotten a
representation, the hash, of your password that's unique to
joes-flowers.com and will not work at PayPal, because the value PayPal
expects was computed with a different domain name.

The technique isn't foolproof, and there are some kinks: sites disagree
about password length and allowed characters, and if Joe stores your
derived password in plain text, whoever steals it can still try to
guess your master password offline by running the same derivation over
candidate passwords, so the master password has to be a strong one.
Overall, though, this is a pretty good way of thinking about passwords.
What authenticates you should be unique to that service and, even
better, should only be a representation of your password, not some word
sitting in plain text on Joe's server (sorry Joe).
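Here is an added example of the idea, written for this page and not taken
from PwdHash (whose exact encoding differs): one master password, keyed into
an HMAC over the site's domain, yields a different site password for every
domain, so what Joe's server holds is useless at PayPal.  The last function
shows the caveat above from the attacker's side.  Domain names, the master
password and the guess list are all constructed for the illustration.

```python
"""Added example: per-site passwords derived from one master password,
in the spirit of PwdHash.  Not PwdHash's own algorithm; all data is
constructed."""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # what most sites accept

def derive(master: str, domain: str, length: int = 12) -> str:
    """HMAC-SHA256 keyed with the master password over the site's domain,
    mapped onto letters and digits and cut to the site's length limit.
    The modulo mapping is slightly biased (256 is not a multiple of 62);
    that is acceptable for an illustration, not for a production design."""
    # Normalise so www.joes-flowers.com and JOES-FLOWERS.COM agree; a real
    # tool would key on the registrable domain, not the whole host name.
    domain = domain.lower()
    if domain.startswith("www."):
        domain = domain[4:]
    tag = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in tag)[:length]

def login_succeeds(submitted: str, master: str, domain: str) -> bool:
    """What a site effectively checks: does the submitted value equal the
    password derived for this domain?  A value stolen from another domain
    fails here because it was derived under a different domain name."""
    return hmac.compare_digest(submitted, derive(master, domain))

def offline_guess(stolen: str, domain: str, candidates) -> str:
    """The kink: if Joe kept the derived password in plain text, an attacker
    holding it can test master-password guesses offline by re-running the
    derivation.  Returns the master password if a guess matches, else None."""
    for guess in candidates:
        if hmac.compare_digest(derive(guess, domain), stolen):
            return guess
    return None
```

Because the derivation is deterministic, nothing per site has to be stored
on the client; the cost is that a site which changes its password rules, or
forces a reset, needs some out-of-band way to vary the output, which is one
of the kinks the text alludes to.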


---------------------------------
Security Evangelists
---------------------------------

Between incident handling, incident response, security research, keeping
up with trends and latest exploits, listening for outbreaks in the wild,
developing tools, bolstering intrusion (and extrusion) detection,
malware analysis and... I'm sure I'm forgetting something... one of the
most important things a security professional can do is _educate people_.

We can have all of the safeguards in the world in place, but without
strong user education the rate of compromises would just keep climbing.
While some of the security landscape is peppered with fascinating
technical feats and interesting tricks, almost all of the time the way
an attacker gets in is by exploiting a person.  Security is as much a
social challenge as it is a technical challenge.

We see this social challenge all the time - a few weeks ago Security FYI
had a blurb about people giving away their passwords for chocolate.
Chocolate!?!  I wonder if they'd have given their password away for $1
cash money.  Probably not; perceived value is an odd thing.  But it
doesn't stop there - I remember reading a few years ago that someone
scattered a slew of USB memory keys in a parking lot.  A very high
percentage of the people who found them brought the keys into the
_bank_ where they worked and, of course, plugged them right into their
workstations.  By very high percentage I mean 100%.  Into a bank.

So, I thank all of you reading this for taking an interest in being
educated in the ways of security.  The technical security stuff we do is
fascinating but, in the end, some aspects of it can be rather easily
toppled by people...  but you're probably not going to be one of them.


-- 
Mike Halsall
Information & Network Security Analyst
IT Security Support, IS&T
MIT
(617) 253-0243

PGP Fingerprint: A8F6 D77D 3AFF 0050 700C 4E3E C674 E4B8 9E62 D0E6
