Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking Securing systems

Yvan Cartwright, Web Security Ensuring optimum encryption Depending on how your server is configured you may have several encryption possibilities. Standard routines include: –Standard DES (2 character salt) –Extended DES(9 character salt starting with _) –MD5 (12 character salt starting with $1$) –Blowfish(16 character salt starting with $2$) Think of the salt as an indicator of password randomness. Bigger salt = harder to hack.

Yvan Cartwright, Web Security Using different routines in PHP How can we check using PHP which encryption routines are available? Simple. The server will set one or more of the following variables to 1 if it is available: –CRYPT_STD_DES –CRYPT_EXT_DES –CRYPT_MD5 –CRYPT_BLOWFISH

Yvan Cartwright, Web Security Generating encrypted passwords In order to encrypt a password we can use the crypt() function in PHP. Without specifying a salt, PHP will default to Standard DES. We can easily create our own PHP function that will generate a random salt of any desired length.

<?php function makeSalt($salt_length) {$salt = ""; for($char = 0; $char < $salt_length; $char++) {$salt = $salt. chr(rand(40,126)); } return $salt; } ?> By placing the code above on our page, we can simply call it and send it the length of salt we want it to create. The call to rand() gives us characters including numbers, letters and most special characters.

$user = $_POST['myusername']; $pass = $_POST['mypassword']; if (CRYPT_STD_DES == 1) { $salt = makeSalt(2); echo(" Standard DES salt: ". $salt); $standard_des_pass = crypt($pass, $salt); } if (CRYPT_EXT_DES == 1) { $salt = "_". makeSalt(8); echo(" Extended DES salt: ". $salt); $extended_des_pass = crypt($pass, $salt); }

if (CRYPT_MD5 == 1) { $salt = makeSalt(8); $salt = substr($user, 0, 8). substr($salt, -(8-strlen($user))); $salt = "$1$". $salt. "$"; echo(" MD5 salt: ". $salt); $user_salted_pass = crypt($pass, $salt); } if (CRYPT_BLOWFISH == 1) { $salt = makeSalt(12); $salt = substr($user, 0, 12). substr($salt, -(12- strlen($user))); $salt = "$2$". $salt. "$"; echo(" Blowfish salt: ". $salt); $user_salted_pass = crypt($pass, $salt); }

Yvan Cartwright, Web Security Good passwords A good rule of thumb is that the more characters an encryption routine generates, the harder it is to break. However, this rule is useless if the password –is too short (less than 8 characters) –is a word that can be found in a dictionary –does not contain any numbers or special characters

Yvan Cartwright, Web Security Encryption in action Password = rasmuslerdorf Standard DES: l.3StKT.4T8M Extended DES: _J9..rasmBYk8r9AiWNc MD5: $1$rasmusle$rISCgZzpwk3UhDidwXvin0 Blowfish: $2a$07$rasmuslerd nIdrcHdxcUxWomQX9j6kvERCFjTg7Ra So, how do we go about cracking these passwords? A good first approach is to do a dictionary hack...

Yvan Cartwright, Web Security Dictionary hacking The process of dictionary hacking is as follows: 1.Get the next word in the dictionary. 2.Encrypt it using the same salt as the next user. 3.Is the encrypted dictionary word the same as the user’s encrypted password? If yes then we’ve hacked their password! 4.If not and we have other users then goto 2. 5.Else if we have other dictionary words goto 1. 6.Else the password wasn’t one of the words in our dictionary. Creating a program that performs this task is easy...

Yvan Cartwright, Web Security Making it difficult for the hackers So, as far as hacking is concerned, provided that we don’t use a dictionary word as our password we’re safe yes? No... A non-dictionary password means that we have to do a brute-force approach. This means that we have to go through every possible combination of possible passwords until we find a match.

Yvan Cartwright, Web Security Brute-force hacking Brute-force hacking can take a long time! If the characters we can use to make a password consist of all letters and numbers (a total of 62 characters in total) then we can easily deduce how many ‘keys’ we have to check. 4 characters = 62 4 = keys 6 characters = 62 6 = keys 8 characters = 62 8 = keys

Yvan Cartwright, Web Security Brute-force hacking With the processing speeds of modern PCs, even this number of keys is crackable. Even if you make the passwords longer then it is possible using clusters of PCs spread across the globe and using the Internet to break the task down into more manageable chunks. However, using the same encryption strength as most modern browsers, it could take hundreds to thousands of years to break a decent password.

Yvan Cartwright, Web Security Uncrackable passwords For speed reasons, most hacking programs only use a subset of characters in their brute-force key generators. The following table contains a list of special characters that are not used. Using any of these characters in your own passwords should render them uncrackable! Note: in order to use these characters you need to press the ALT key followed by the combination given using the numeric keypad.

Yvan Cartwright, Web Security Feet of clay A security system is only as good as its weakest component. There are several steps that a systems administrator must go through to make a hackers job harder. Most of these are easy to accomplish although the specific details are not given here as this would be a module in its own right. Briefly, the steps are:

Yvan Cartwright, Web Security Securing systems Ensure that the operating system is up to date and contains the latest security patches before connecting to the network. Do not upgrade to a new operating system until it has been tested over the course of several months. Run a good anti-virus program and keep it up to date. Determine the role of any computer connected to the Internet and ensure that only those services required are permitted to run on it. Administrator passwords should be very strong.

Yvan Cartwright, Web Security Securing systems Only use the administrator account when necessary. Use different passwords for administrator or root and general user accounts. Force new users to change their passwords when they first login. Disable or delete old or unused accounts that belong to people who no longer need access. Disable Telnet and FTP. Use SSH instead. Drop any connection to a server if a login is failed 3 times (takes time to make a connection).

Yvan Cartwright, Web Security Securing systems Make sure to configure all installed software, disable all unused features and be sure to limit the availability of any features that are enabled. Install a software or hardware firewall to protect individual services. Restrict access to services to within the company’s IP addresses. Maintain good physical security. Do not run anonymous FTP on any server with sensitive or “not public” data. Make frequent backups of systems and data.