
They'll Let Anyone Graduate: My Password Cracking Dissertation

You've all heard me complain/stress out about writing my dissertation, so now that it's done of course I'm going to post it online. My Ph.D. dissertation, "Using Probabilistic Techniques to Aid in Password Cracking Attacks", is available for download from my tools page here. A lot of it is going to look fairly familiar if you've seen my talks or been reading this blog, which makes sense since my dissertation is a summary of what I've been up to for the last three years. Here's a quick breakdown of what's in it:

Chapter 1: Overview + background info
  The need for password cracking
  General terms and techniques
  Obtaining the datasets, and basic statistics about the datasets
  A quick survey of common password hashes and popular password cracking tools

Chapter 2: Brute Force Attacks
  95% of it I've talked about on this blog before
  The remaining 5%, which I really should post an entry on, is a comparison of a targeted brute force attack against a pure Ma...

State of the Blog: April Edition

*Comic courtesy of http://www.phdcomics.com/

Well, it looks like after three years of work, I did it. I'm still putting some last minute touches on my dissertation but once that's finalized I'll post a copy. The crazy thing is that after going through all of that, I'm actually more motivated to do research. So that leads us to this blog. Don't worry, it's not going away. In fact one of my prerequisites for any new job I get is that I need to be allowed to keep on updating here. As far as posts go, I'm going to be shifting away from brute force attacks and start talking about dictionary attacks instead. I know, I've maintained this blog for over a year and I'm only getting to that now... Let me explain:

1) I'm lazy
2) My main area of study has been designing new ways to represent how people create passwords using probabilistic context free grammars. At its heart this approach is an improvement to standard dictionary based attacks, though I...

Defcon Roundup Part II

Saturday: Started out at Hacker vs. Disasters, but I bailed on the first speaker and instead went to the talk by Joe Grand on hacking parking meters. It just further reinforced my belief that society functions because there are not many talented bad guys. Or I should say, the effort to hack these systems outweighs the cost of using them legitimately. Still, the ability to frame other people is scary. Also, you can buy ANYTHING on eBay. Then went back to Hacker vs. Disasters to see Renderman talk. Didn't learn much but had a great time. Favorite quote: "Most people will be absolutely useless in a disaster. Actually that's not true. They are mostly made of meat..." Of course I went to the Mythbusters talk. I was blown away by how good a speaker Adam Savage was, along with the great topic "Failure". Like everything else in his life, Adam's failures truly were epic, and I think they need to show a copy of that speech to every kid in Intermediate/High Scho...

Defcon 17 Roundup

It hardly seems like Defcon 17 was only a week ago. Right now it alternately feels like I just got back from it, or it happened a million years ago. Ok, I admit it. That link has nothing to do with this post, Defcon, or even the idea of "a million years ago", but I stumbled across it in my Google search for something more appropriate and I thought I should share. Librarian hackers: need I say more? As I was saying, Defcon 17 occurred at some point in the past. I won't detail the parties that went on, though there were a few. The exception I will mention is the Toxic BBQ which was held on Thursday. Having skipped it the last two years due to various reasons, most of which involved the words "108 degrees", "outside", "off-site", and "laziness", I was truly amazed at how fun this event was. It also was the one event where you could relax, drink a few beers, (making sure to drink plenty of water as well - let me reference that 10...

Cracking Web Hosting Talk

I'm working on completely redoing my tools page so hopefully I'll be able to start posting some new dictionaries, password cracking programs and scripts sometime this weekend. Enough site news, on to the post! I've talked previously about cracking password lists from phpbb.com and the finnish78k list. Now I would like to discuss another list that I've been working on. Back in March, a site called "Web Hosting Talk" was compromised via a flaw in their backup server. The attacker then distributed a list containing user information (usernames, e-mail addresses, and password hashes) to several file sharing sites. I wasn't able to obtain a copy of this list (and trust me, I tried), but I'm actually pretty happy about that as it means WHT was able to yank most copies of it offline quickly. What I wasn't happy about was the "advice" WHT gave their users regarding changing their passwords... "Passwords are hashed with salt. It would b...

In which a milestone is reached..

I think I've made as many posts this month as I have readers ;) I just want to remind the four or five of you that your input really matters to me. If there is something you want me to look into or you disagree with a post, please let me know.

Character Frequency Analysis Info

Sorry for the long delay between postings. Between the IEEE Security & Privacy conference and moving back up to D.C. for the summer my computer time has been limited. Well, enough whining from me. On to the data! With character frequency analysis, I normally divide it up into three sections: first letter analysis, last letter analysis and overall analysis (I probably should do middle as well, but I've found it closely mirrors overall analysis). There are a couple of reasons for this distinction:

1) They do vary quite a bit. People tend to capitalize the first letter much more often than any other letter. Also people tend to put numbers at the end of passwords. You get the idea.
2) While I like using Markov models (they track the conditional probability of letters appearing together; for example if you have a 'q' the next letter will almost always be a 'u'), they can be a pain sometimes to set up. In that case using letter frequency analysis greatly helps when...
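The three-way split described above (first, last, overall) and the Markov point about 'q' being followed by 'u', as an added example written for this page rather than code from the author's tools. The password list is constructed for illustration and is not leaked data; everything else is plain Python with no assumptions about the author's own scripts. It goes slightly beyond the post by bucketing characters into classes as well as counting literal characters, since the class distribution per position is what decides the ordering of a targeted brute-force keyspace.

```python
from collections import Counter, defaultdict

# Constructed sample list for illustration (not real leaked data).
SAMPLE_PASSWORDS = [
    "Password1", "password", "letmein", "Qwerty123", "iloveyou",
    "Summer2009", "dragon", "football1", "Monkey!", "abc123",
    "trustno1", "Hello2", "queen", "quest99", "baseball",
]


def char_class(c):
    """Bucket a character into the classes a brute-force keyspace cares about."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "special"


def position_frequencies(passwords):
    """Return (first, last, overall) Counters of character classes.

    First and last positions are tracked separately from the overall
    distribution because they differ most: capitals cluster at the front,
    digits and symbols at the end.
    """
    first, last, overall = Counter(), Counter(), Counter()
    for pw in passwords:
        if not pw:
            continue
        first[char_class(pw[0])] += 1
        last[char_class(pw[-1])] += 1
        overall.update(char_class(c) for c in pw)
    return first, last, overall


def top_chars(passwords, position="overall", n=5):
    """Most common literal characters at 'first', 'last' or 'overall'.

    This is what feeds a position-aware brute-force ordering: try the
    most likely characters for each slot first.
    """
    counts = Counter()
    for pw in passwords:
        if not pw:
            continue
        if position == "first":
            counts[pw[0]] += 1
        elif position == "last":
            counts[pw[-1]] += 1
        else:
            counts.update(pw)
    return counts.most_common(n)


def bigram_model(passwords):
    """First-order Markov model: P(next char | previous char), case-folded.

    Returns a function prob(prev, nxt). Unseen pairs get probability 0.0
    (no smoothing), which is fine for ranking guesses but means the model
    can never propose a transition absent from the training set.
    """
    counts = defaultdict(Counter)
    for pw in passwords:
        pw = pw.lower()
        for prev, nxt in zip(pw, pw[1:]):
            counts[prev][nxt] += 1

    def prob(prev, nxt):
        total = sum(counts[prev].values())
        return counts[prev][nxt] / total if total else 0.0

    return prob


if __name__ == "__main__":
    first, last, overall = position_frequencies(SAMPLE_PASSWORDS)
    for name, c in (("first", first), ("last", last), ("overall", overall)):
        total = sum(c.values())
        print(name, {k: round(v / total, 2) for k, v in c.items()})
    print("top last chars:", top_chars(SAMPLE_PASSWORDS, "last", 3))
    prob = bigram_model(SAMPLE_PASSWORDS)
    print("P(u|q) =", round(prob("q", "u"), 2), " P(w|q) =", round(prob("q", "w"), 2))
```

On the constructed list, a third of first characters are capitals while none of the last ones are, and the last position is dominated by digits; the bigram model gives P(u|q) = 2/3 because "Qwerty123" contributes a q->w transition, which is the kind of exception a raw letter-frequency table cannot express but a Markov model captures.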

Ok, some actual results...

First an explanation. For a little over a month I've been cracking passwords from two different lists. Phpbb.com: You may have heard of it from this posting on darkreading. Here is some background. The site got hacked via a 0-day attack (by that I mean there was no patch available) against their forum software. The hacker weaponized a proof of concept exploit posted on milw0rm and then used various other escalation attacks to gain full control over the site. I guess what I'm trying to say is the attacker wasn't your regular script kiddie. Here is where things get a little convoluted. Phpbb.com had close to 400,000 user accounts on it, but they were in the process of switching users over to a more secure password hash. The problem was, they were doing it in such a way that the user would have to log in again before their password hash was changed. So about 100,000 users were protected by the stronger hash, and the remaining 259,000 users only had their passwords protec...

Progress

I ended up writing my own password cracker, since John the Ripper does not do well with auditing large password lists. Looking through JtR's code was interesting because it's fairly shocking to find out that A) the guesses per second it displays in its status updates are only loosely related to reality, to put it nicely, and B) it doesn't use binary search to check to see if it cracked a password or not. I'll admit my password cracker currently is a quick and dirty implementation (aka I put it together this weekend), and there is a lot of room for improvement. Still, I'm finally able to make guesses fairly quickly, which has been a godsend. Seeing the newly cracked passwords flash across my screen is proof enough. In a couple of days I should have enough passwords cracked where I can post a detailed analysis of them. *Edit: I want to specify that this custom password cracker is different from the one I mentioned previously. That one only generates password guesses but...
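The two points the Progress post makes about auditing a large list (checking each guess against every hash cheaply, and reporting a guess rate that counts only guesses actually hashed), plus the unsalted hash that the older phpbb.com accounts were left with, as an added example. This is not the author's cracker and not JtR code; it is a minimal dictionary attack in Python written for this page. It assumes unsalted MD5 hashes (phpBB2's old scheme) in "username:hash" lines; the usernames, plaintexts and wordlist are constructed, and the hash lines are generated in the block from those plaintexts so that it runs offline and checks itself. Instead of a linear scan or even a binary search over a sorted list, the targets live in a dict keyed by hash, so each guess costs one hash plus one O(1) lookup however large the list is. With a salted hash none of this sharing works, since every (guess, salt) pair must be hashed separately.

```python
import hashlib
import time
from collections import defaultdict


def md5_hex(s):
    """Unsalted MD5, the phpBB2-era hash: one hash per guess, no per-user salt."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed sample: the hash lines are generated here from known plaintexts
# so the example runs offline and checks itself. A real run would read
# "username:hash" lines from the dump instead.
_SAMPLE_PLAINTEXTS = {
    "alice": "password",
    "bob": "Password1",
    "carol": "dragon2009",
    "dave": "password",       # same choice as alice -> identical unsalted hash
    "erin": "xK7#pq!92Lm",    # not reachable from the wordlist; stays uncracked
}
SAMPLE_HASH_LINES = [f"{u}:{md5_hex(p)}" for u, p in _SAMPLE_PLAINTEXTS.items()]

# Constructed toy wordlist.
WORDLIST = ["123456", "password", "dragon", "letmein", "qwerty"]


def load_hashes(lines):
    """Map hash -> [usernames]. Users sharing an unsalted hash cost one lookup."""
    targets = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, h = line.split(":", 1)
        targets[h.strip().lower()].append(user)
    return targets


def mangle(word):
    """Minimal dictionary rules: as-is, capitalised, common digit suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2009"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(targets, wordlist):
    """Run the wordlist through the rules; return (user -> plaintext, guesses).

    `remaining` is a dict keyed by hash, so each guess is one hash plus one
    O(1) lookup regardless of list size. The guess counter is incremented
    only for guesses actually hashed, so guesses / elapsed is an honest rate.
    """
    remaining = dict(targets)
    cracked = {}
    guesses = 0
    for word in wordlist:
        for guess in mangle(word):
            if not remaining:
                return cracked, guesses
            guesses += 1
            users = remaining.pop(md5_hex(guess), None)
            if users:
                for u in users:
                    cracked[u] = guess
    return cracked, guesses


if __name__ == "__main__":
    targets = load_hashes(SAMPLE_HASH_LINES)
    start = time.perf_counter()
    cracked, guesses = crack(targets, WORDLIST)
    elapsed = time.perf_counter() - start
    for user, pw in sorted(cracked.items()):
        print(f"{user}: {pw}")
    print(f"{len(cracked)}/{len(SAMPLE_HASH_LINES)} cracked, "
          f"{guesses} guesses in {elapsed:.4f}s")
```

Running it recovers four of the five accounts with 40 guesses; alice and dave fall together on the ninth guess because their identical unsalted hashes collapse to one dictionary entry, which is exactly the property a salted scheme takes away from the attacker.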