March 24, 2017 at 7:24 am
.. I applaud them for including "Security breached" in the subject as well as immediately changing everyone's passwords so old ones wouldn't work. ..
It's obvious that IT took the remediation lead on this one. Candor and quick resolution are not what I'd expect from executive management or legal.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
March 24, 2017 at 7:29 am
jay-h - Thursday, March 23, 2017 6:25 AMIn many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.
If the application allows millions (or even hundreds) of failed login attempts without resulting in a lockout or operational alert, then that itself a security flaw.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
March 24, 2017 at 7:36 am
Eric M Russell - Friday, March 24, 2017 7:29 AMjay-h - Thursday, March 23, 2017 6:25 AMIn many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.If the application allows millions (or even hundreds) of failed login attempts without resulting in a lockout or operational alert, then that itself a security flaw.
App lockouts are completely irrelevant if the data has been breeched and the hashed password list is sitting in someone's hands.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
March 24, 2017 at 7:45 am
Eric M Russell - Friday, March 24, 2017 7:29 AMjay-h - Thursday, March 23, 2017 6:25 AMIn many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.If the application allows millions (or even hundreds) of failed login attempts without resulting in a lockout or operational alert, then that itself a security flaw.
There was an interesting variant of this concept recently. Programs that tried to guess the 'security code' on credit cards were configured to attempt to use the same card on a multitude of sites at the same time. In a good number of cases, they got a hit before the card processor's software was able to identify and block the card.
...
-- FORTRAN manual for Xerox Computers --
March 24, 2017 at 8:13 am
GilaMonster - Friday, March 24, 2017 7:36 AMEric M Russell - Friday, March 24, 2017 7:29 AMjay-h - Thursday, March 23, 2017 6:25 AMIn many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.If the application allows millions (or even hundreds) of failed login attempts without resulting in a lockout or operational alert, then that itself a security flaw.
App lockouts are completely irrelevant if the data has been breeched and the hashed password list is sitting in someone's hands.
How is a hashed password useful to the hacker? The application login form shouldn't successfully authenticate using the password hash; it should rely upon the entry of the original clear text password and then create a hash from that which is then compared a hash on record. I guess it is possible to brute force a clear text code that matches a specific hash code, but that would require the hacker to know what exact hashing algorithm and salt the application is using.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
March 24, 2017 at 8:24 am
Eric M Russell - Friday, March 24, 2017 8:13 AMGilaMonster - Friday, March 24, 2017 7:36 AMEric M Russell - Friday, March 24, 2017 7:29 AMjay-h - Thursday, March 23, 2017 6:25 AMIn many cases like this, the attacker is not particularly interested in any specific password. Get the list, then hammer it with several million common passwords. Probably only a percentage will break, but that's enough to make the hack worthwhile.If the application allows millions (or even hundreds) of failed login attempts without resulting in a lockout or operational alert, then that itself a security flaw.
App lockouts are completely irrelevant if the data has been breeched and the hashed password list is sitting in someone's hands.
How is a hashed password useful to the hacker?
By recomputing the hashes and seeing which what matches the hash. Which, with a good dictionary (of which we have, due to all these password breeches), and a decent consumer-grade graphics card, can be done at the rate of a couple billion a second (for md5), a few million a second (for the SHA family), or slower for good algorithms like bcrypt.
See the first link I posted in this thread if you want the gritty details of how to actually do it.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
Viewing 6 posts - 16 through 20 (of 20 total)
You must be logged in to reply to this topic. Login to reply