Play-by-play on the phpbb.com hack - slackerIII
http://erratasec.blogspot.com/2009/02/importance-of-being-canonical.html

======
tptacek
I'm surprised that Robert Graham, who is not ignorant of computer security,
has mired his password recommendations in the 1980s. These are the same weak
recommendations your Unix manuals would have given you 10 years ago.

What you should be doing is using bcrypt, tuned to take several hundred
milliseconds per crypt. /usr/share/dict/words --- a pitiful dictionary ---
with even the most basic set of permutations will take _weeks_ to test a
_single password_ under this regime. Bcrypt is free and available for every
major web platform. I didn't write it; the guys who did, David Mazieres and
Niels Provos, are much smarter than me.

Computer science has solved the brute force problem on passwords, and we
should stop dithering and adopt the solution.
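The work-factor tuning tptacek describes, as an added example that is not part of the thread: it uses the standard library's PBKDF2 (`hashlib.pbkdf2_hmac`) as a stand-in for bcrypt so it runs without extra packages, and the dictionary size, permutation count and MD5 guess rate are constructed figures, not measurements.

```python
import hashlib
import hmac
import os
import time

# Constructed figures (assumptions, not from the thread): a typical
# /usr/share/dict/words has ~100k entries, and the attacker tries
# 50 case/digit/suffix variants of each word.
DICTIONARY_SIZE = 100_000
PERMUTATIONS_PER_WORD = 50
TARGET_SECONDS = 0.3          # "several hundred milliseconds per crypt"
SECONDS_PER_DAY = 86_400

def calibrate_iterations(target_seconds=TARGET_SECONDS, probe_iterations=20_000):
    """Time a probe hash on this machine and scale the iteration count
    so one hash costs roughly target_seconds. Re-run on new hardware."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", os.urandom(16), probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe_iterations, int(probe_iterations * target_seconds / elapsed))

def hash_password(password, iterations, salt=None):
    """Salted, iterated hash; the work factor is stored so it can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def dictionary_attack_days(seconds_per_guess, words=DICTIONARY_SIZE,
                           perms=PERMUTATIONS_PER_WORD):
    """Days for one attacker core to try every word variant against ONE stored hash."""
    return words * perms * seconds_per_guess / SECONDS_PER_DAY

if __name__ == "__main__":
    iters = calibrate_iterations()
    stored = hash_password("blink182", iters)
    assert verify_password("blink182", stored) and not verify_password("Blink182", stored)
    # Compare the tuned hash with an unsalted MD5 at a constructed 1e-7 s per guess.
    print(f"iterations={iters}")
    print(f"tuned hash : {dictionary_attack_days(TARGET_SECONDS):.1f} days per password")
    print(f"raw MD5    : {dictionary_attack_days(1e-7) * SECONDS_PER_DAY:.2f} seconds per password")
```

The same 5 million guesses that take weeks against the tuned hash finish in well under a second against a fast unsalted digest, which is the whole argument for a configurable work factor.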

------
mixmax
_The second thing is to fix the password problem. They should force users to
create more complex passwords when they log in._

Seen from a security perspective this adds to the overall security of the
site, however most users simply find an easy password that fits the bill.
blink182, 123456qwerty, qwerty! - which is almost as easy to brute-force or
keep in a rainbow table as normal dictionaries.

You should be aware, however, that password requirements detract from the user
experience. When users pick a password for a new account they are at the most
crucial part of a website: The sign-up. This is where you can lose people that
were otherwise ready to sign up.

So it's a trade-off. If your site holds credit card numbers, or other vital
information, a certain minimum requirement for passwords is certainly in place,
but if your site is something like HN, where no valuable information is held,
you should probably just let users pick whatever password they like. Worst
case they will lose a few comments and some karma.

~~~
patio11
_Worst case they will lose a few comments and some karma._

I think the worst case is actually substantially worse -- call it an identity
escalation attack. I think a huge number of Internet users are vulnerable to
it:

a) Use any means you please to compromise the password on a low-security site,
such as HN.

b) Use the same login credentials at other low-security sites, such as
Facebook and Twitter. These compromises are valuable in their own right, but
what you are really looking for is the email address.

c) After you have their email address, compromise it using variations on the
same password you already know.

d) You can now read their email. Search for "statement", and identify which
bank they bank with. Go to bank and try logging in with their email and
password. That probably just worked. If not, click "lost password", supply
email address and their security question (you have their Facebook already or
can in seconds, how hard will it be to find their mother's maiden name or
middle school?), and enjoy.

e) For added fun, look for other high-value accounts whose security is
premised on the email user being authorized, such as brokerages (a tough
target due to strong institutional controls, like banks) and GoDaddy (a
successful compromise would cost me FAR more than what I have in my bank
account).

The worst part? You can automate large portions of this attack (given a list
of usernames and passwords, writing a script to try them at a dozen or a
hundred popular services is child's play) and outsource the rest right up
until the "compromise bank account" portion.

------
smoody
Thanks for posting the link. I found this particular tidbit especially useful:

"The first is to create 'canary' accounts. Create accounts that have e-mail
addresses, like "something-really-long-xyz-123@gmail.com". This account is not
going to get any spam e-mail. When it does get its first spam, you'll know
that it came from your database."

~~~
tptacek
The problem with this advice is that it is not particularly useful.

In the event that your canary account receives a spam message, you will have
gained one piece of data: that at some point in the months since you installed
the account, it is _likely_ that someone exploited a problem that exposed a
table column in your database.

Now what?

You don't know what the bug was. You don't know how far-reaching the damage
is. You don't know when the event occurred. There is, in fact, almost nothing
actionable about this information at all.

You might be telling yourself two things:

* That, upon learning of the possible breach, you will lock down the security of your code and your site. Of course, think for two more seconds and realize this is ass-backwards; if you can reasonably lock down your site, you might as well do it before you burn your whole database.

* That, upon learning of the breach, you can get all your users to change passwords. Which, of course, you will never do, because you will be taking an enormous reputational hit over circumstantial evidence, and for the purposes of seeding your database with a couple thousand new passwords for the same attacker to steal.

People like this "canary" and "honey token" stuff because it's fun. But it's
not valuable.

~~~
slackerIII
If I called you and said, "Hey, would you like me to tell you your site has
been cracked?", would you really say "no"? I would argue that the cost of
adding a canary is similar to the amount of time that phone call would take.

I'm guessing that after that call, you'd go through your logs and attempt to
find out how the site was cracked. Then, if you find some anomalous behavior,
you might be able to isolate the component that was being exploited and fix
it. Maybe you wouldn't find it, but maybe you would.

~~~
tptacek
What's your point? Sure. Set up a canary account. It won't hurt you. But the
only way it will help is if your monitoring regime is already so good that it
works with or without the canary.

------
slackerIII
The original (first person) story is here, but the erratasec post adds a lot:
<http://hackedphpbb.blogspot.com/2009/01/place-holder.html>

------
ieatpaste
I'm going to check milw0rm constantly now and try to avoid/update services.
The Google Chrome and VNC vulnerabilities look particularly bad.

~~~
slackerIII
They've got a Twitter account: <http://twitter.com/milw0rm>

------
pj
How much more productive would the world be if it didn't have to worry about
hackers breaking into our sites?