Over the weekend, Gawker Media was hacked, providing an encrypted password list (among other things) to the hackers. A group calling themselves Gnosis has taken credit for the hack and released a package full of server information, notes on the hack, Gawker Media site source code and, worst of all, everyone’s passwords.
Judging by the statement made by the hackers, it looks like someone at Gawker pissed them off. I was actually planning another post about web security before this happened, but that will wait for another day as it has to do with different perils of having online accounts.
Here’s the email Gawker Media sent out today:
This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.
We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.
This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.
We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.
Gawker Media
How Does This Affect You?
If you’ve never commented on a web property in the Gawker Media network, you may not have anything to worry about. If you have, on the other hand, your password on that site has been compromised and you should think about where else you used that password and change it on all of those sites. In the quoted text above, Gawker points us to a post on Lifehacker full of answers. Of course, to minimize the effects of future hacks on Gawker or any other site, it’s best to have a strong password (see below) and to use different passwords for different sites. As an example, you wouldn’t want to use the same password on Gawker that you use for online banking.
Is Your Password Strong Enough?
Surprisingly many people have passwords that are easy to crack or simply guessable. Without a doubt, the absolute worst password you can use for any account is the word “password”. Regardless, of the nearly 1.3 million accounts compromised, 1,959 used “password” as their password. Even if a hacker never guesses it, the simplest brute force attack can crack this password in no time. So how do you know if your password is strong enough?
I built a quick and easy password strength test site to help you test your password. This may be helpful, but you can also get by with some quick password tips. To understand them, you should know a little about how a brute force attack works. Typically a script runs that tries one password after another until one works. A simple script might first try every word in a dictionary file. This is just a file full of known real words like “gamer”, “puppy”, or maybe “password”. Failing that, it would start going through every character combination, from aaa, aab, aac, for example, through to larger guesses like 9999999. A more thorough attack might add characters like $%!, etc., but this takes far longer, and having to check upper case as well as lower case takes a lot longer too. From this it follows that you can make your password stronger by making it longer and including numbers, mixed case, and special characters. By this logic, “Chr1Stm@s!!%” is a far more secure password than “christmas”.
Even if you were not affected directly by this, take this as a reminder to audit your password habits and make changes if needed. A little effort now can save you a lot of future headache.
There are many reasons a PDF might be locked. The author may want to prevent unauthorized editing, or in the case of a magazine, the publisher may want to prevent readers from printing the online version. I honestly rarely have a need for this kind of thing, but it does come up, so when Eltima Software asked if I wanted to review a copy of their software, Recover PDF Password, I agreed. They also offered up a couple more free licenses to my readers, so read to the end to find out how to get a free license or cash.
How it works
Like many password crackers, Recover PDF Password uses a “brute force” method to guess at a password. By this, I mean that it tries every combination, one after another, until one matches. One thing I liked was that I could choose to exclude some of the more complete searching options like special characters ($%^&*, etc.), numbers, or upper case letters, to name a few. This speeds up the search incredibly, at the risk of missing the correct password completely if it contains one of the excluded characters. To give you an idea of the speed difference, imagine you’re lucky enough to know that the password is six characters in length. To search with just the lower case alphabet, the software has to try up to 308,915,776 possible character combinations (26 * 26 * 26 * 26 * 26 * 26), if my math is right. If you add in 26 upper case alpha + 10 numeric + 28 special characters, you get 90 characters total, and 90 * 90 * 90 * 90 * 90 * 90 makes 5.31441e+11 (531,441,000,000) possible combinations to try. That’s about 1,720 times more than lowercase alpha characters alone. Having the option to pick and choose is a big plus. Remember, too, that this is if you’re lucky enough to know the password length and it’s only six characters. The problem with cracking passwords is the time it takes, and this program does in hours what it would take you a lifetime to do on your own.
What I think is missing is the ability for the software to try dictionary words first. A good password will be a combination of upper and lower case alpha characters, special characters, and numeric digits, but let’s face it… too often, the password is merely “password” and a large portion of the rest are dictionary words. Using the method above, it might take 19 billion or so tries, give or take a billion, to conclude that the password is “password”. Trying all the 8-character words from a dictionary file would take somewhere in the tens of thousands of guesses. This is a feature I’d really like to see in any password cracking tool, as it should be used as a first pass, just in case.
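The search-order and keyspace arithmetic from the two passages above (the brute-force description in the Gawker post and the 26^6 versus 90^6 comparison here) can be put into code. The following is an added example written for this page; it is not code from the post and not part of Eltima’s Recover PDF Password. It takes the 28-character count for specials from the post’s arithmetic, uses a small constructed word list in place of a real dictionary file, and assumes a guess rate of about 23,000 guesses per second, which is back-computed from the post’s 8-character lowercase test (26^8 candidates estimated at roughly 100-108 days). It runs a dictionary pass first, as the post requests, and only then reports the worst-case brute-force cost.

```python
import string

# Character classes as the post describes them. The post counts 28 "special"
# characters; that figure is taken from its arithmetic rather than derived here.
LOWER = frozenset(string.ascii_lowercase)
UPPER = frozenset(string.ascii_uppercase)
DIGITS = frozenset(string.digits)
ALNUM = LOWER | UPPER | DIGITS
SPECIAL_COUNT = 28

# A tiny constructed word list standing in for a real dictionary file.
DICTIONARY = ["gamer", "puppy", "password", "christmas", "letmein"]

# Assumed guess rate, back-computed from the post's test: 26**8 lowercase
# candidates estimated at roughly 100-108 days is about 23,000 guesses per
# second. It describes one tool on one machine and is an assumption here.
ASSUMED_GUESSES_PER_SECOND = 23_000


def charset_size(password):
    """Smallest alphabet a brute-forcer must enumerate to reach this password."""
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(c not in ALNUM for c in password):
        size += SPECIAL_COUNT
    return size


def keyspace(alphabet_size, length):
    """Candidates of exactly `length` characters: the post's 26**6 and 90**6."""
    return alphabet_size ** length


def worst_case_guesses(password):
    """Guesses needed to exhaust every length up to len(password) over its alphabet."""
    n = charset_size(password)
    return sum(keyspace(n, length) for length in range(1, len(password) + 1))


def dictionary_pass(password):
    """1-based guess number at which a dictionary pass hits, or None if it misses."""
    for guess_no, word in enumerate(DICTIONARY, start=1):
        if word == password:
            return guess_no
    return None


def strength_report(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Dictionary first, then brute force: the order the post argues a cracker should use."""
    hit = dictionary_pass(password)
    worst = worst_case_guesses(password)
    return {
        "dictionary_hit": hit,
        "alphabet": charset_size(password),
        "worst_case_guesses": worst,
        "worst_case_days": worst / guesses_per_second / 86_400,
    }


if __name__ == "__main__":
    print(keyspace(26, 6), keyspace(90, 6), round(keyspace(90, 6) / keyspace(26, 6)))
    for pw in ("password", "christmas", "Chr1Stm@s!!%"):
        print(pw, strength_report(pw))
```

Running it confirms the post’s figures (308,915,776 and 531,441,000,000, a ratio of about 1,720) and shows the point of the dictionary pass: “password” falls on the third guess, while “christmas” is still a nine-character lowercase search and “Chr1Stm@s!!%” pushes the alphabet to 90 and the length to 12.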
My tests
First, I downloaded Recover PDF Password. The download took about a half hour, but I tried again (twice) later, and it came down in around 14 seconds both times. Then, I grabbed a random (locked) PDF from the web. I first tried with all the options on and was getting nowhere after a day. I decided to start over, telling it to try anything with lowercase characters and numbers from three to four characters in length. That went pretty quickly, eliminating all possibilities. Next, I moved on to 5-6 characters, which took a lot longer, as expected, due to the exponential growth in combinations to try. The program eliminated all 5-character combinations and then, about a third of the way through the alphabet, it recovered a 6-character password for me. The total search took 19 hours, 50 minutes, 28 seconds, and used about 50% CPU and 25MB of RAM pretty consistently.
After thinking about my wish that a dictionary file be used for the first pass, I decided to try a PDF with a password of “password” just for kicks. I grabbed one from Adobe’s site and set Recover PDF Password loose on it, trying only lowercase alpha characters and only with a length of 8. After about five minutes, it was estimating 100-108 days remaining.
Conclusions
First of all, it does what it says, so that’s good. At the $39.95 price for a personal license, it’s also within reach of anyone needing to recover a password on a PDF without breaking the bank. The downside is that a good password will take a very long time to crack, but that’s going to be true for any program, I guess. I’d love to see a dictionary file used, but it won’t make a difference for a secure password. The software is solid and complete, with useful options to help save time, and it’s worth the purchase as long as you can let it run in the background for a while.
UPDATE: Eltima Software tells me that they are now working on implementing the request for use of a dictionary file. That’s great news.
Get a free license
Want to try it out yourself or just have it handy for when you really need it? Eltima Software gave me two licenses to give away to readers. All you have to do to try for one is tweet with “http://Lnk.gd/ej” and “@joetech” and you’ve earned an entry. If someone re-tweets your tweet, you get another entry for every RT. Just to spice things up a little, I’ll throw in $20 (via PayPal) to a third winner. I’ll draw three twitter users at random from those who have entered. To collect, I have to be able to send you a direct message, so make sure to follow @joetech in case you win.
Yesterday, I wrote about getting paid to hack. Part of what I talked about was computer forensics. Earlier in the day, I was presented with an opportunity to practice my own IT security skills. Below, I’ll explain what happened to my client, how an employee of mine and I found the source of the problem and what we did to fix it.
Discovering a problem
A client called, complaining that the content management system we built for them was not working properly, so one of the developers took a look at the code and immediately alerted me to a problem. When he looked at the code, he discovered two extra lines at the end. The lines were similar to the following and existed at the bottom of every index.php file in the site:
My first thought was that someone hacked in and changed the files. What about the rest of the server? This is where you get that sick feeling in your stomach and hope it’s not as bad as it could be. I emailed my wife and told her I’d be unavailable via phone/email/etc. for the next few hours.
Finding the cause
Tracking down the source of a hack or code injection like this can often be tricky. How tricky it is depends on your individual skill set, past experiences, and the complexity of the problem itself. This one turned out to be easy, partially because I’ve done this before and know many of the places to look, but mostly because it wasn’t really a hack. Not locally, anyway. One of my developers and I sat down in my office and I started looking at the hacked files. Using the following command (from the client’s web root), I displayed a list of all files that were modified that day:
ls -laR |grep "Apr 24"
What it returned was a list of the index files I was already aware of. Good. I then ran the same command on other sites to be sure this was isolated and it was. Next, I checked “last” to see who’s been logging into my server:
last |grep [client username redacted] |grep Apr
The last command shows all the recent logins from SSH, FTP, etc. Immediately, I noted a large number of FTP connections for the client site I was investigating, which looked suspicious. I headed to my FTP log files and grepped my “secure” log files for “Incorrect”:
grep Incorrect /var/log/secure*
Your system may use something other than “Incorrect” to indicate a bad login and your “secure” log file location may vary. This grep showed only a few bad attempts, which is fairly normal and not what I expected to see if the account had been brute-forced. I moved on to the FTP log file to see what transfers were made. You’ll need to find your own FTP log location if you don’t know where it is already.
grep "Apr 24" xferlog*
I did this mostly to confirm that I was on the right track, but it uncovered even more oddness. Here’s a bit of what I saw:
Fri Apr 24 11:17:32 2009 0 [ip redacted] 4289 /var/www/vhosts/[domain redacted]/httpdocs/index.php a _ o r [username redacted] ftp 0 * c
Fri Apr 24 11:17:38 2009 2 [ip redacted] 4402 /var/www/vhosts/[domain redacted]/httpdocs/index.php a _ i r [username redacted] ftp 0 * c
Fri Apr 24 11:17:51 2009 0 [ip redacted] 2836 /var/www/vhosts/[domain redacted]/httpdocs/admin/index.php a _ o r [username redacted] ftp 0 * c
Fri Apr 24 11:17:56 2009 0 [ip redacted] 2949 /var/www/vhosts/[domain redacted]/httpdocs/admin/index.php a _ i r [username redacted] ftp 0 * c
For each index file that had the iframe HTML added to the end, there was a download and then an upload five or six seconds later. The speed indicated that it was a script, and the fact that it was all done via FTP with valid credentials indicated that if there was a compromised computer somewhere, it was remote and my server itself was safe.
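The download-then-upload pattern above can be picked out of an xferlog automatically rather than by eye. The following is an added example written for this page, not tooling from the post: it parses standard xferlog records (date, transfer time, remote host, size, path, transfer type, special action, direction, access mode, user, service, auth method, auth id, completion status) and flags any upload of a path the same user downloaded within a short window. The sample log is constructed: it keeps the timestamps and byte counts from the four lines in the post, substitutes placeholder host, domain and user names for the post’s “[… redacted]” markers so each line tokenizes cleanly, and adds one ordinary upload that should not be flagged.

```python
import re
from datetime import datetime

# Constructed sample xferlog: the four transfers from the post (same timestamps and
# byte counts) plus one ordinary upload, with placeholder host, domain and user names
# in place of the post's "[... redacted]" markers. 203.0.113.5 is a documentation address.
SAMPLE_XFERLOG = """\
Fri Apr 24 11:17:32 2009 0 203.0.113.5 4289 /var/www/vhosts/example.com/httpdocs/index.php a _ o r clientuser ftp 0 * c
Fri Apr 24 11:17:38 2009 2 203.0.113.5 4402 /var/www/vhosts/example.com/httpdocs/index.php a _ i r clientuser ftp 0 * c
Fri Apr 24 11:17:51 2009 0 203.0.113.5 2836 /var/www/vhosts/example.com/httpdocs/admin/index.php a _ o r clientuser ftp 0 * c
Fri Apr 24 11:17:56 2009 0 203.0.113.5 2949 /var/www/vhosts/example.com/httpdocs/admin/index.php a _ i r clientuser ftp 0 * c
Thu Apr 23 09:02:10 2009 4 203.0.113.5 183204 /var/www/vhosts/example.com/httpdocs/docs/report.pdf b _ i r clientuser ftp 0 * c
"""

# One xferlog record: five date tokens, then transfer seconds, remote host, size,
# path, transfer type (a/b), special action (C/U/T/_), direction (o=download,
# i=upload, d=delete), access mode (a/g/r), user, service, auth method, auth id,
# completion status (c/i). Paths containing spaces are taken lazily up to the
# trailing fixed fields.
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>.+?) "
    r"(?P<type>[ab]) (?P<action>[CUT_]) (?P<dir>[oid]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<auth_id>\S+) (?P<status>[ci])$"
)


def parse_xferlog(text):
    """Turn xferlog text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def find_download_upload_pairs(records, window_seconds=60):
    """Flag each upload of a path that the same user downloaded shortly before."""
    last_download = {}
    pairs = []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["user"], rec["path"])
        if rec["dir"] == "o":
            last_download[key] = rec
        elif rec["dir"] == "i" and key in last_download:
            down = last_download[key]
            delta = (rec["time"] - down["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                pairs.append({
                    "path": rec["path"],
                    "user": rec["user"],
                    "host": rec["host"],
                    "downloaded_at": down["time"],
                    "uploaded_at": rec["time"],
                    "delta_seconds": int(delta),
                    "size_delta": rec["size"] - down["size"],
                })
    return pairs


if __name__ == "__main__":
    for p in find_download_upload_pairs(parse_xferlog(SAMPLE_XFERLOG)):
        print(f"{p['path']}: re-uploaded {p['delta_seconds']}s after download, "
              f"{p['size_delta']:+d} bytes, from {p['host']}")
```

On the post’s own byte counts both flagged files grew by exactly 113 bytes, which is consistent with the same tail being appended to each; the size delta is worth reporting alongside the timing for that reason. The window of 60 seconds is a choice for this example, and the report.pdf upload is not flagged because nothing downloaded it first.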
Cleaning it all up
In this case, cleanup was easy. First, I backed up all the log files for further review just in case I need them. Then I changed the client’s FTP password. Finally, I pulled the latest (clean) versions of the affected index.php files from our subversion repository and uploaded them back to the site.
Preventing future occurrences
I wanted to find out exactly how someone who should clearly not have the client’s FTP credentials wound up with them. My theory was that the client’s computer had been compromised. I headed to arin.net and used their handy IP whois tool to see who the one prominent IP address from the log files belonged to. It turned out to be a COX IP registered to Atlanta, GA. We called the client and asked them if they had anyone there. They did not. The FTP logs also showed recent uploads of documents that related to the client and looked to be legitimate, so we asked who uploaded them and conferenced him in. A couple of questions quickly revealed that not only did the IP belong to their local office computers, but the computers there had been “acting funny, randomly rebooting, etc.” for the last day or so. We sent their computer guy out to take care of the problem, which turned out to be a trojan.
Conclusions
First of all, this was a very easy problem to diagnose and fix. I’ve been on the bad end of some serious hacks and this was by no means a bad one. For the client, however, the day proved much more frustrating. The expense incurred from having the IT guy come out, and the thought that it could have been much worse (like their site replaced with something untoward), should be a lesson to be very careful about what you download, what you click, and the sites you visit. The best policy is to only open or run things from sites and people you trust, and even then, use caution.
This guest post was written by Blair Mathis from LaptopLogic.com – your premier source for the latest laptop software news and best laptop accessories.
Computer passwords are like locks on doors – they keep honest people honest. If someone wishes to gain access to your laptop or computer, a simple login password will not stop them. Most computer users do not realize how simple it is to access the login password for a computer, and end up leaving vulnerable data on their computer, unencrypted and easy to access.
Are you curious how easy it is for someone to gain access to your computer? If so, read on to see the technique one might use to figure out your computer password.
Windows
Windows is still the most popular operating system, and the method used to discover the login password is the easiest. The program used is called Ophcrack, and it is free. Ophcrack is based on Slackware, and uses rainbow tables to solve passwords up to 14 characters in length. The time required to solve a password? Generally 10 seconds. The expertise needed? None.
Simply download the Ophcrack ISO and burn it to a CD (or load it onto a USB drive via UNetbootin). Insert the CD into a machine you would like to gain access to, then press and hold the power button until the computer shuts down. Turn the computer back on and enter BIOS at startup. Change the boot sequence to CD before HDD, then save and exit.
The computer will restart and Ophcrack will be loaded. Sit back and watch as it does all the work for you. Write down the password it gives you, remove the disc, restart the computer, and log in as if it were your own machine.
Mac
The second most popular operating system, OS X, is no safer when it comes to password cracking than Windows.
The easiest method would be to use Ophcrack on this, also, as it works with Mac and Linux in addition to Windows. However, there are other methods that can be used, as demonstrated below.
If the Mac runs OS X 10.4, then you only need the installation CD. Insert it into the computer, reboot. When it starts up, select UTILITIES > RESET PASSWORD. Choose a new password and then use that to log in.
If the Mac runs OS X 10.5, restart the computer and press COMMAND + S. When at the prompt, type:
That’s it. Now that the password is reset, you can login.
Linux
Finally, there is Linux, an operating system quickly gaining mainstream popularity, but not so common that you’re likely to come across it. Though Mac and Linux are both based on Unix, it is easier to change the password in Linux than it is in OS X.
To change the password, turn on the computer and press the ESC key when GRUB appears. Scroll down and highlight ‘Recovery Mode’ and press the ‘B’ key; this will cause you to enter ‘Single User Mode’.
You’re now at the prompt, and logged in as ‘root’ by default. Type ‘passwd’ and then choose a new password. This will change the root password to whatever you enter. If you’re interested in only gaining access to a single account on the system, however, then type ‘passwd username’ replacing ‘username’ with the login name for the account you would like to alter the password for.
Conclusion
There you have it – that is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. The moral of the story? Encrypt your data to keep it safe. Don’t rely on a password alone, but use actual encryption, such as Blowfish or AES-128. There are a number of programs that can do this – TrueCrypt for Windows, the native encryption found on Ubuntu, creating an encrypted disk image on a Mac, etc.