Tag Archive for hack

LinkedIn Compromise of Passwords is Real

Multiple sources in the security field have reported today that LinkedIn was hacked and the list of password hashes posted on a forum.  I can also add myself to @ErrataRob findings confirming that my password was on that list.

At this time files posted on the forum have been taken down and LinkedIn has now confirmed that “some” of the user passwords are real.

Here is a small excerpt from the dump:

000000a9e52942d6121a0f715579d6f0db7f010b
000000a9f9cbef14ad6ff3dc215a4bbd5ecc9b14
000000a98e4982e25513643a071cb69b4c675938
000000a900fe3ba92a09e66f865763f0f25f81b9
000000a99de50e4f92d9d08deeb002aa0a21aa7a
000000a97cab1b45b83a18b044a6ca2811deb538
000000a9c381d625e055755dc4dc8841c7786233
000000a9f0aa2ca70847911bcc972f52d222430b

These passwords are encoded using a cryptographic hash function called SHA-1. A hash function is a one-way mathematical function that takes an arbitrary block of data and returns a fixed-size bit string.

In order to retrieve the password from this SHA-1 string, hackers use an attack known as a Rainbow Tables attack, which consists of calculating the hashes for the passwords; so once you get the hash to do a reverse lookup of the hash you have previously calculated and get the password. These tables of passwords and their hashes are widely available on the Internet including http://www.onlinehashcrack.com/

If your password is simple, its pretty likely that your hash is already stored on a rainbow table.

So I calculated my SHA-1 hash by using the following command on my laptop.

echo -n ‘mypassword’ | openssl sha1

This command  calculates the one-way SHA1 hash for my password.

I then stripped the first 6 characters from the hash and looked it up in the combo_not.txt file that contained the compromised list of passwords.

YCombinator has a post that explains what the meaning of the initial “0”s mean within the hashes and the reason why I deleted the first 6 characters.

So the LinkedIn hack is real and you need to change your password NOW. If you happen to use that password for other websites, change those too and do not use that password again.

How could have LinkedIn prevents this:

Not only were the access controls that LinkedIn had in place prove to be insufficient, but they apparently had no detective controls to alert them that the breach occurred judging by their public responses and the silly statements that no evidence of breach had been found.

Furthermore LinkedIn could have made the password information useless if a technique called ‘salting‘ had been used on the stored hashes. This is common of web applications as many store users passwords as a hash in the database.

It would help LinkedIn’s reputation to be as forthcoming as they can with what they know as they know it.

UPDATE: Link to mirror forum here.

Conficker Gets Ready To Strike

Without a doubt the whole security professional community have their eyes on the Conficker.C variant which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and others from taking control of the network of worm infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download doubling its current rate.

Interestingly enough one of my most popular posts is on the removal of the Conficker worm from a network environment here and over the last couple of days visitors have exploded exponentially.

In my two other posts in which I talk about the Microsoft flaw and the Social Engineering components of the worm, I take a rather passive approach to the problem which is based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more pro-active approach would be to look for infected machines without waiting for the symptons to appear by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

[ad]

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
http://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
http://blog.sekiur.com/2009/01/worm-uses-social-engineering/

Reblog this post [with Zemanta]

Safeguard Against Random Password Hacks

Partial map of the Internet based on the Janua...
Image via Wikipedia

A great tool I ran across to protect your server from random password attacks which I have been receiving recently from China.

Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful attempts to access the server and then it updates the IPtables rules to reject those IP addresses for a period of time which is defined by you. It can also be configured to notify you if once these events occur.

Its no high-end Intrusion Prevention System, but it does the job.

Fail2ban comes preconfigured to detect and block attacks to ports 22 (ssh), 25 (SMTP) and 80 (http). Instructions on installing on CentOS are detailed below as well as adding functionality for ProFTPD.

I love package management as opposed to compiling because its clean and easy to maintain, so we will need to subscribe to repositories to install Fail2ban.

* Update the system

yum update

* Install DAG’s GPG key

rpm –import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Verify the package you have downloaded

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the package and trust Dag then it should be safe.

* Download and Install the package

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys. At this point, you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install Fail2ban

yum install fail2ban

* Configure Fail2ban by editing and adding to /etc/fail2ban.conf

maxfailures = 3 (the default is 5)

ignoreip = 127.0.0.1 <the_server_IP> <network_you_want_excluded/24>

* Enable E-Mail Notification

[MAIL]
# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false]  Default:  false
#
enabled = true

to = <your_email_address>

* Add ProFTPD functionality

[proftpd]
enabled = true
logfile = /var/log/secure
fwstart = iptables -N fail2ban-proftpd
iptables -I INPUT -p tcp –dport ftp -j fail2ban-proftpd
iptables -A fail2ban-proftpd -j RETURN
fwend = iptables -D INPUT -p tcp –dport ftp -j fail2ban-proftpd
iptables -F fail2ban-proftpd
iptables -X fail2ban-proftpd
fwcheck = iptables -L INPUT | grep -q fail2ban-proftpd
fwban = iptables -I fail2ban-proftpd 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-proftpd -s <ip> -j DROP
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Maximum login attempts|no such user found|Failed password

* Set it to startup automatically with the system

chkconfig –levels 235 fail2ban on

* Start Fail2ban and walk away

/etc/init.d/fail2ban start

[ad]

Reblog this post [with Zemanta]

Step by Step In Dealing With Conficker

This will turn out to be a “trojan horse” literally if actions are not taken to prevent it from spreading within the corporate network.

Below are step by step instructions on mitigating the risk of the threat that “Conficker”/”Downandup” poses.

Symptoms

============

Symptoms to help you determine if you are infected

  • Account lockout policies are being tripped
  • Automatic Updates, Background Intelligent Transfer Service, Windows Defender and Error Reporting Server Services are disabled
  • Errors related to SVCHOST
  • Domain Controllers are slow to respond to client requests
  • Network congestion
  • Various security related websites are not accessible including Windows Update.

For further details see the Microsoft Malware Protection Center write up for Win32/Conficker.b. or the Sekiur writeup here.

Solution

=========

Ideally you want to not only automate the removal of the “Conficker”/”Downandup” worm from a large number of computers but also take steps to minimize the risk of them being infected again.

The following script will attempt to remove the “Conficker”/”Downandup” worm and prevent further infection by taking the following steps:

  1. Install patch KB958644 for MS08-067 if not installed
  2. Attempt to remove the “Conficker”/”Downandup” worm
  3. Enable Hidden Setting
  4. Delete all scheduled tasks
  5. Stop and disable services. (lanmanserver, schedule)
  6. Run MSRT – Malicious Software Removal Tool
  7. Install Autorun hotfix if not installed
  8. Install KB950582 for vulnerability MS08-038
  9. Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
  10. Remove Hidden Setting
  11. Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
  12. Restart
  13. Install patch KB958644 for MS08-067 and restart

You will need to download the following files and batch script and drop them into the NetLogon share.

  • Getver.exe – contained in ConfickerClean-v10.3.zip here ==>  and script to remove “Conficker”/”Downandup” locally here ==> .
  • SC.EXE – contained in ConfickerClean-v10.3.zip
  • REG.exe – contained in ConfickerClean-v10.3.zip
  • windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
  • windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
  • sleep.exe – contained in ConfickerClean-v10.3.zip
  • Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
  • Place all 3 updates in the Netlogon directory.
  • Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
    This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to autorun, same as the one listed above in KB953252.

Now you will proceed to create and push a Group Policy to the domain.

  1. Edit the <domain.com> values in the script.
  2. Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\\scriptsfolder (aka, Netlogon share).
  3. Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the script runs under the machine account.
  4. Link the GPO with the Startup Script to the OU and Groups where you want it to apply.

Note:

Its not recommend you use this on DC’s or critical servers, those should be cleaned manually so that the services disabled below do not need to be left disabled for an extended period of time.

FAQ:

Why disable the Server service?

This is due to Weak Passwords which the malware attempts to exploit. The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question mark or exclamation point.

Why disable the Task Scheduler service?

This is because the malware creates several AT jobs that run every hour to reinfect the system.

Why install MS08-067?

This is the main attack vector of the malware.

Why disable Autorun?

This is because the malware drops a binary file called Autorun.inf on all removable drives.

[ad]

Sources:

All credit to Microsoft Support Engineering