
General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    12,293
    Location:
    Melbourne
    whereas practical experience as a ransomware operator might just get you a security job if you changed the colour of your hat.

    possibly not at one of your former victims, though.
     
    Last edited: Jul 4, 2021
  2. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    16,082
    Location:
    Canberra
    maybe leave that bit off your resume.
     
  3. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,410
    Location:
    Briz Vegas
    BuzzPuppy likes this.
  4. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,815
    Location:
    Brisbane
    Geez they're still having string format issues?
     
  5. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,168
    Location:
    NSW
    https://www.theregister.com/2021/07/06/kaspersky_password_manager/

    OUCH:

    Nonetheless, the lack of randomness meant that for any given password character set, the possible passwords created over time are limited enough they can be brute-forced in a few minutes. And if the creation time of an account is known – something commonly displayed in online forums, according to Donjon – that range of possibilities becomes much smaller and reduces the time required for bruteforce attacks to a matter of seconds.

    "The consequences are obviously bad: every password could be bruteforced," the Donjon team wrote. "For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes."

    11 years of passwords can be cracked in MINUTES!!! That's a shitshow of a bug, Kaspersky.
     
  6. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    16,082
    Location:
    Canberra
    #russian hackers
     
  7. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,410
    Location:
    Briz Vegas
    If you allow 315619200 password attempts to a singular account endpoint to happen in a single day, then you deserve to be compromised. 11 years ago Krapersky was probably correct in believing that was good enough, but processor power moved forward 5 generations.
     
    richard0296 likes this.
  8. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,815
    Location:
    Brisbane
    I can't say I agree there, if they delivered a product that has predictable password generation that's not good at any point in time.
     
  9. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,410
    Location:
    Briz Vegas
    Krapersky probably had non-technical product managers making a call they didn't understand, pretty common back then, and an everyday occurrence these days.
     
  10. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,815
    Location:
    Brisbane
    No doubt, but doesn't change my perspective, which was that you thought 11 years ago they were correct in thinking that what they used was an appropriate model, a stance I don't agree with.
     
  11. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,410
    Location:
    Briz Vegas
    Nope my point was the number of attempts to crack was probably acceptable risk, then as compute power increased the product remained static to the number and thus the number is easily circumvented with brute force today! Password hashing has to continue to evolve because compute continually improves, like people still believing MD5 is acceptable for anything today!

    PS - Still using 256bit SSH keys? ;)
     
  12. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,815
    Location:
    Brisbane
    Are you confusing cracking and brute forcing here? They're two different things: brute forcing being guessing via repeated attempts and cracking being an offline attack against a hashed value.

    A known and predictable PRNG means that you can not only brute force (so guess) what would at a glance seem to be an effectively impossible to brute force password, but you can also crack any offline hashes too fairly easily. A 12 length full charset password even now is exceedingly unlikely to be broken if truly random with any offline attempt at cracking. Obviously random <> Password123!

    I mean consider a SHA512 with a huge number of rounds, my box you get maybe 2000kH/s, very practical if you have a known wordlist! Effectively impossible otherwise for anything that's not in known wordlists.
     
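The two posts above (bcann's 315619200-second figure and millsy's 2000 kH/s hash rate) can be put into numbers. The block below is an added example, not code from the thread or from Kaspersky: the seconds-seeded generator is a constructed model of the flaw the Donjon writeup describes, the 94-symbol charset is an assumption, and the hardened version simply uses Python's `secrets` module, which draws from the OS CSPRNG.

```python
import math
import random
import secrets
import string

# Assumption: a "full charset" means the 94 printable ASCII symbols below.
CHARSET = string.ascii_letters + string.digits + string.punctuation

SECONDS_2010_TO_2021 = 315_619_200   # figure quoted by Donjon via The Register
HASH_RATE = 2_000 * 1_000            # 2000 kH/s: millsy's figure for slow SHA-512 hashing
SECONDS_PER_YEAR = 31_557_600        # 365.25 days


def weak_password(creation_time_s: int, length: int = 12) -> str:
    """Constructed model of a generator seeded only by wall-clock seconds.
    Every character is a pure function of creation_time_s, so the set of
    passwords it can ever produce is bounded by the number of seconds in
    the period, not by charset ** length."""
    rng = random.Random(creation_time_s)          # non-crypto PRNG, one 32-bit-ish seed
    return "".join(rng.choice(CHARSET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Hardened form: each symbol comes from the OS CSPRNG via `secrets`,
    so the effective search space really is len(CHARSET) ** length."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def keyspace_size(length: int) -> int:
    """Candidates an attacker must cover when the generator is genuinely random."""
    return len(CHARSET) ** length


def effective_bits(candidates: int) -> float:
    """Entropy actually delivered when only `candidates` outputs are possible."""
    return math.log2(candidates)


def nominal_bits(length: int) -> float:
    """Entropy a length-N password over CHARSET appears to have."""
    return length * math.log2(len(CHARSET))


def seconds_to_exhaust(candidates: int, rate: int = HASH_RATE) -> float:
    """Wall-clock time to try every candidate at `rate` hashes per second."""
    return candidates / rate


def years_to_exhaust(candidates: int, rate: int = HASH_RATE) -> float:
    return seconds_to_exhaust(candidates, rate) / SECONDS_PER_YEAR


if __name__ == "__main__":
    t = 1_625_600_000  # constructed creation timestamp (a day in July 2021)
    print("same seed, same password:", weak_password(t) == weak_password(t))
    print(f"12-char nominal entropy : {nominal_bits(12):.1f} bits")
    print(f"seconds-seeded, 2010-2021: {effective_bits(SECONDS_2010_TO_2021):.1f} bits, "
          f"{seconds_to_exhaust(SECONDS_2010_TO_2021):.0f} s at {HASH_RATE} H/s")
    print(f"creation time known to 1h: {effective_bits(3600):.1f} bits")
    print(f"truly random 12-char     : {years_to_exhaust(keyspace_size(12)):.2e} years")
```

The gap is the whole story: a 12-character password over this charset looks like roughly 78 bits, but a generator whose only input is a seconds timestamp delivers about 28 bits across the entire 2010 to 2021 window, and under 12 bits once the account creation hour is known. At millsy's 2000 kH/s the former is a billion-year job and the latter is a coffee break, which is why the offline "cracking" case is just as broken as the online "brute force" case when the PRNG is predictable.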
  13. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    10,271
    Location:
    Sydney
    how do they know what RNG and combination was used? you can't know this without source code.
    Code:
    seed = systemTimeSeconds;                 // wall-clock seconds is the only input
    init rand(seed);                          // plain (non-crypto) PRNG, seeded once
    for(int i = 0;i<len;i++)
    {
        p[i] = (int) (32+ rand.next() * ??); // << this combination section also needs to be known
    }
    
    it's pretty hard to make a real random without some proprietary mix in the source code. unless you use system crypto libs.

    anyway even a shitty programmer would at least consider milliseconds, not seconds. so that's even more weird that they are 1000x even more shitty.
     
    Last edited: Jul 7, 2021
  14. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,410
    Location:
    Briz Vegas
    https://donjon.ledger.com/kaspersky-password-manager/
    The Krapersky PM issue is it's predictable.
    The problem with this generator is that it is not a CSPRNG. Knowing a few of its outputs (624 in that case) allows to retrieve its full state, and to predict all the values it will generate, plus all the values it has already generated (see Berlekamp-Massey or Reeds-Sloane algorithms).

    So the brute force attack would be using a known dictionary of passwords, per client.
     
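The "624 outputs" figure above is the state size of MT19937 (the Mersenne Twister), and the state-recovery claim is easy to check against Python's `random` module, which uses that generator. The block below is an added example, not code from the thread or from the Donjon writeup; it inverts the generator's output tempering, rebuilds the 624-word state from 624 observed 32-bit outputs, and shows the clone predicting what the original emits next. That is the whole reason a password manager must use a CSPRNG (`secrets` or `os.urandom` in Python), whose outputs do not reveal its state.

```python
import random

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 keeps 624 32-bit words of state; one output per word per block


def temper(y: int) -> int:
    """MT19937's output transform: state word -> published 32-bit output."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift_xor(y: int, shift: int) -> int:
    """Invert y ^= y >> shift. Each pass fixes another `shift` bits from the top."""
    x = y
    for _ in range(32):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_shift_xor_mask(y: int, shift: int, mask: int) -> int:
    """Invert y ^= (y << shift) & mask. Each pass fixes another `shift` bits from the bottom."""
    x = y
    for _ in range(32):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Reverse temper(): published output -> the state word it was computed from.
    The tempering steps are undone in reverse order."""
    y = _undo_right_shift_xor(y, 18)
    y = _undo_left_shift_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_shift_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def clone_from_outputs(outputs) -> random.Random:
    """Build a random.Random whose internal state equals that of the generator
    which produced `outputs` (exactly 624 consecutive getrandbits(32) values)."""
    if len(outputs) != N:
        raise ValueError(f"need exactly {N} consecutive 32-bit outputs, got {len(outputs)}")
    state_words = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Python's state tuple is (version 3, (624 words + index), gauss_next).
    # index == N means "this block is consumed, twist before the next output",
    # which is exactly where the original generator stands after 624 outputs.
    clone.setstate((3, state_words + (N,), None))
    return clone


def demo(seed: int = 20210707, lookahead: int = 5) -> bool:
    """Seed a generator (constructed seed), watch 624 outputs, then check that
    the clone predicts the next `lookahead` outputs exactly."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_from_outputs(observed)
    predicted = [clone.getrandbits(32) for _ in range(lookahead)]
    actual = [victim.getrandbits(32) for _ in range(lookahead)]
    return predicted == actual


if __name__ == "__main__":
    print("clone predicts the victim's next outputs:", demo())
```

Note what this does not need: the seed, the system time, or the source code. Once enough raw outputs are visible (and a generated password is a raw output passed through a charset mapping), a non-cryptographic generator gives up its entire past and future, which is the property that separates a PRNG from a CSPRNG.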
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    46,357
    Location:
    Brisbane
    I get the joke here, however it reminded me that I stumbled across this wonderful article a couple of weeks back (and since have seen it reposted today which triggered my memory):

    https://doublepulsar.com/the-hard-t...tle-with-new-rules-and-it-hasn-t-a93ad3030a54

    The native Americans have a saying: "Pray to God, but swim away from the rocks". This article ends on the same punchline - we need to stop just blaming Russia for ransomware, and everyone needs to be less shit at basic IT hygiene.

    And as someone else said to me yesterday, a better name for "Ransomware gangs" is "technical debt collectors". That, my friends, is a perfect summary.
     
    Last edited: Jul 7, 2021
    wazza, 2SHY, bcann and 1 other person like this.
  16. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,410
    Location:
    Briz Vegas
    Software never goes to plan.
    linus.jpg
     
  17. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    16,082
    Location:
    Canberra
    the problem hasn't existed for 10+ years, that was just an example use case in the article, it was a problem deployed in a 2019 update.

    but in any case usage of a non-cryptographically secure PRNG is a critical design flaw at best, or an outright backdoor at worst (hence my #russian hackers comment). Wouldn't be the first time a state based actor deliberately put in flawed security into products/standards.

    NSA has done it* for a PRNG too https://en.wikipedia.org/wiki/Dual_EC_DRBG


    *not confirmed as a back door, but it's a big fat unknown, that's been deliberately chosen and it's unclear why those particular values must be used, when any values can be securely used.
     
  18. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    46,357
    Location:
    Brisbane
    Printnightmare patches are out. Chris from accounts will be relieved they can continue printing emails to throw in the recycling immediately, again.

    https://isc.sans.edu/diary/rss/27610
     
  19. Gunna (OP)

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,945
    Location:
    Brisbane
  20. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,168
    Location:
    NSW
