Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

WinAmp Security

March 1st, 2011 by pik1

A few months back, I registered on the WinAmp forums because I was experiencing some bugs with the music player. Just a few days ago, I found the following email in my inbox:

“Hello,

My name is Geno Yoham and I am the General Manager of Winamp. First, thank you for your support of Winamp. The Winamp Team is dedicated to providing you with the best possible media player experience so it gives us great pain to notify you that we have recently experienced a security breach of our user forums database.

We have confirmed that your email address was exposed as a result of this attack. We have not confirmed but must assume that other Winamp Forums user account detail, including your forums username, date of birth, time zone preference and encrypted password (not your clear text or unencrypted password) was exposed. The Winamp Forums are now secure, but because we value your privacy we would like to notify you of the incident and encourage you to immediately change your password as a precautionary measure. If you have used your Winamp forums password across other web sites, please change the password on those web sites as well.

We apologize for any inconvenience this has caused and want to assure you that we are taking steps to ensure that your information remains secure as a part of our ongoing commitment to protecting your privacy.

If you have any questions, please contact: support@winamp.com. We have also set up an FAQ at forums.winamp.com for answers to common questions you may have related to this incident.

Geno Yoham

Winamp”

Well, great. I remember registering on the forums with the same password I use for a good number of other sites on the net, and I used my primary email address for the forums – and I’m sure many others did the same. Now a hacker has a full list of emails and associated encrypted passwords. By simply hashing generated passwords and seeing if they match any user’s encrypted password, the attacker could identify passwords, linked to emails, as well as the date of birth, and can gain access to many different email accounts and who knows what else. Discovering passwords is a lot easier when you have a list of thousands of potential accounts to crack, and I’m sure many used the same password to log in to their email account. And even if they use a different password for their email, many sites, like Facebook, use an email address as the username to log in, which can lead to even more problems.

I guess this is just a reminder of how insecure the internet is and how vulnerable your information is online. Although it would be best to use different passwords for every registration on the internet, it may be too cumbersome. Fortunately, there are a good number of programs that can take care of the problem for you. A great (and free) tool is RoboForm (http://www.roboform.com/), which acts as a secure password manager. It automatically generates strong passwords when you register for a website and remembers them so you don’t have to. It even securely backs up your passwords and can sync with your phone, other browsers, etc. As for your email, it would be good to have a dedicated spam email address, or you can use temporary email accounts like Mailinator.

HW3 due date update

February 20th, 2011 by dwallach

It’s due Thursday night. The schedule was right. The homework page itself was mistaken. Sorry for any confusion.

Lessons learned the hard way: HBGary Federal’s Security Shortcomings

February 16th, 2011 by dso

Security companies are not invincible, and they can fall prey to security attacks like any other company or individual. They have humans that work there, and as such, these humans do not always follow good security practices. If you are in this class and you are not following the events that have unfolded with respect to HBGary Federal and Anonymous, you should be. The events that have unfolded brought to light a number of interesting perspectives and details that don’t often show themselves to the public.

One of the interesting items that came out of this event was the anatomy of their attack. The initial attack that got Anonymous into HBGary Federal’s network is not unusual. In fact, this is a pretty standard MO that I have had to use during the course of a pen-test for organizations in the past. Find one vulnerability, gain access, mine as much pertinent information as possible, dump users and hashes, crack the passwords, and then identify other hosts and assets in the network. Then re-use the information I have on those hosts. In general, it takes only a few short steps to own the network.

The first vulnerability they found was SQL injection in a public-facing web application. The silly part is that the development of the application was outsourced, and there was no validation of the security of the application. This vulnerability was not the nail in the coffin though. The next major vulnerabilities were weak passwords and password reuse. Aaron Barr used a weak 6-letter password that was cracked using rainbow tables, and the nail in the coffin was his privileged (e.g. administrator) access to the e-mail appliance. This gave them access to the email of all the users on the appliance through password resets. There were some other elements too, such as an unpatched server and social engineering, but the overall damage resulted from poor oversight and security evaluation of outsourced work and then a poor choice of passwords by executives in the company.

I hope that all of you take time to read over and review the following article, because it serves as a very educational episode.

Anonymous speaks: the inside story of the HBGary hack
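The post above names SQL injection in an outsourced web application as the first step in. As an added example (not code from the post, the article, or any HBGary system), here is a login lookup written the vulnerable way beside its parameterized form, run against a small in-memory SQLite table constructed for the demo; the schema, the accounts and the probe string are all assumptions:

```python
"""Added example, not code from the post or from any HBGary system: the same
user lookup written two ways against an in-memory SQLite table built here."""
import sqlite3

# Constructed sample rows; the schema and accounts are assumptions for the demo.
SAMPLE_USERS = [
    ("alice", "hash-of-alice", "admin"),
    ("bob", "hash-of-bob", "user"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    """User input is pasted into the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """The same lookup with a bound parameter; SQLite treats the value as data only."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A constructed probe of the kind a code reviewer or scanner would submit to
# see whether input can change the query's structure.
PROBE = "x' OR '1'='1"

def compare(username=PROBE):
    """Return what each form of the query yields for the same input."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare())
```

The vulnerable form returns every row for the probe because the closing quote ends the string literal and the rest becomes a tautology; the parameterized form returns nothing, since no account is literally named `x' OR '1'='1`. The string-formatting pattern in `lookup_vulnerable` is exactly what a security review of outsourced code should be looking for.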
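Both the WinAmp post above (hashing candidate passwords and comparing against a leaked table) and this post (a short password cracked with rainbow tables) turn on how passwords were stored. The following added example, which is not code from either post, contrasts an unsalted fast hash with per-user salted PBKDF2 and runs a small audit over a constructed leak to show why one precomputed guess table covers every account in the first scheme but not the second. The accounts, passwords, guess list and iteration count are all constructed for the demo:

```python
"""Added example (not from either post): a leaked credential table stored with
an unsalted fast hash beside the same accounts under per-user salted PBKDF2,
plus an audit that counts the work a fixed guess list needs against each."""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # deliberately low so the demo runs quickly; use far more in production
GUESSES = ["password", "winamp1", "letmein"]   # constructed guess list

# ---- the two storage schemes -------------------------------------------

def hash_unsalted(password):
    """Weak scheme: a fast, unsalted digest. Equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Stronger scheme: random per-user salt and a slow KDF. Returns (salt, key)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key

def verify_salted(password, record, iterations=ITERATIONS):
    """Constant-time check of a login attempt against a stored (salt, key)."""
    salt, key = record
    return hmac.compare_digest(hash_salted(password, salt, iterations)[1], key)

# ---- audit: how far does the fixed guess list get against each table? ---

def audit_unsalted(table):
    """table: {account: md5hex}. Each guess is hashed once; the resulting table
    is then looked up for every account, so work is len(GUESSES) no matter how
    many accounts leaked. Returns (hits, hash computations)."""
    precomputed = {hash_unsalted(g): g for g in GUESSES}
    hits = {acct: precomputed[h] for acct, h in table.items() if h in precomputed}
    return hits, len(GUESSES)

def audit_salted(table, iterations=ITERATIONS):
    """table: {account: (salt, key)}. The salt differs per account, so every
    guess must be re-derived for every account: work is len(table) * len(GUESSES)
    slow KDF calls, and nothing computed for one account helps with another."""
    hits, work = {}, 0
    for acct, record in table.items():
        for g in GUESSES:
            work += 1
            if verify_salted(g, record, iterations):
                hits[acct] = g
    return hits, work

# ---- constructed leak: alice and carol reused the same weak password ----
ACCOUNTS = {"alice": "password", "bob": "Tq7#vL!x9pZ2", "carol": "password"}

def build_tables():
    """Store the constructed accounts under both schemes."""
    unsalted = {a: hash_unsalted(p) for a, p in ACCOUNTS.items()}
    salted = {a: hash_salted(p) for a, p in ACCOUNTS.items()}
    return unsalted, salted

if __name__ == "__main__":
    u, s = build_tables()
    print("unsalted:", audit_unsalted(u))
    print("salted:  ", audit_salted(s))
```

Two things to notice in the output: under the unsalted scheme alice and carol have identical hashes, so password reuse is visible before a single guess is tried, and three hash computations cover all three accounts. Under the salted scheme their stored keys differ, the same three guesses cost nine slow KDF calls, and the cost keeps scaling with the number of accounts, which is the property that makes a precomputed table useless.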

Security Topics: Social Engineering – Practical Applications

February 15th, 2011 by alball

Currently in the course we are dabbling in social engineering. This topic is usually the least technical but the hardest to execute successfully due to the amount of homework the attacker has to perform on the target before execution. It is more of a combination of Psychology, Sociology, and a little of “The Art of War” mixed together with some dumpster diving. Now there are degrees of success after execution, though most of the time this attack is used for intelligence gathering to defeat a physical/technical defense. Currently this attack has proven to have significant gains.

Proof of how much you can get by this type of attack is the current attack that has affected one company. To keep search engines off this blog and to keep this discussion educational, the players will be Actor, Corp X, and Attacker Y.

The story starts with an Actor for Corp X doing research using social sites into Attacker Y. One day a news outlet interviews Actor. During this interview Actor decides to state that he has the leaders for Attacker Y and later on down the road he will be turning over the people to a three-letter agency. Attacker Y finds out and is not too happy, so they get access to Actor’s personal web site through social engineering an e-mail to reset the password to the system and open up a port. This did break the policy for the company where the web site was being hosted. To gain access to Actor’s company website, it looks as though there was an XSS issue. This allowed Attacker Y to gain access into the company while using Actor’s password from his personal web site.

Right now the biggest takeaway that needs to be taught to anyone that has an account across multiple computer systems is password reuse. This was first thought to be a small problem, but after this massive data breach, it is proven to be a bigger problem.

The other issue from this will be how the law of the land will handle Attacker Y and Actor for their actions. This is a good conversation for debate and learning. Though this is not finished.

Now to read up on the story:
The beginning
Act 1
Act 2
The biography
The Conversation
The list of pawns

Hacking the internet. All of it

February 14th, 2011 by cja3

Researchers at the University of Minnesota have come up with a botnet attack that could theoretically take down a large portion of the internet. It is a scalable distributed denial of service attack that exploits the way routers send out BGP (Border Gateway Protocol) updates. It basically involves using the botnet to send out a ton of BGP updates saying that a given router is dead, causing the other routers connected to it to have to recalculate the route for packets. As more and more routers are affected, the amount of computation each router has to do would skyrocket, causing each router to have more updates than it could handle. Apparently the attack is unlikely because the malicious people with the technical knowledge to do it would be motivated by profit and have little interest in a DoS attack. Here’s the link to the article: link

Paper Recommendation and ShmooCon Announcement

January 27th, 2011 by dso

Hey everyone,

If you have not started Lab 2 already you are going to be in a world of pain, so get started. Apart from that, Dan recommended a paper for us (us as in grad students, not you) to read. I am actually enjoying what I am reading, and I think it is pertinent to what we discussed in class today. If you have time and you are interested in current web security research, take a look at this paper:

D. Akhawe, A. Barth, P. E. Lam, J. C. Mitchell, and D. Song. “Towards a Formal Foundation of Web Security.” In Proc. of the 23rd IEEE Computer Security Foundations Symposium (CSF 2010).

Also, the streaming links for ShmooCon are posted. If you are interested, the conference is happening over the weekend, and you can watch from the comfort of your own home.

If you have any questions, feel free to email the TAs. Have a good weekend.

~dso

Homework 1 is Posted

January 18th, 2011 by dso

Homework 1 is posted. Due 1/25/2011.

If you have free time, you should listen to Dan Bernstein talk about securing the Internet: 27C3 Talk by Dan Bernstein: High-speed high-security cryptography: encrypting and authenticating the whole Internet. The talk was very interesting. He talks about DNSSEC, why it is broken, how to break it, and why it is not feasible. He then goes on to introduce his research and explains how encrypting almost all communication between a server and a client is feasible. I enjoyed the talk. Also, ShmooCon is happening next weekend (Jan 28-30), and they have talks streaming live. There was someone in class who asked who got paid to break stuff. This is a good opportunity to find out who, why, and how. The Shmoo Group has not posted the live video details, but I imagine they will show up here when they are made public: ShmooNews.

Cheers.

Oops… please re-register for the class

January 18th, 2011 by dwallach

I accidentally had the file where the output from the survey form goes marked as read-only. Unsurprisingly, I have no information on any of you. Please fill out the form one more time. Thanks.

Please register for Comp327

January 10th, 2011 by dwallach

Just fill out this convenient form. Once we have this, we’ll set up your accounts on the blog and the campus Subversion server, which we’ll use for you to submit your work.

Welcome to the Comp327 Blog

January 5th, 2011 by dwallach

Attention Comp327 students: make sure you subscribe to this blog. This is where you’ll find class announcements, assignments, and everything else.