
Breaking an 18th C cipher reveals hidden history of Freemasonry and freethought


Noah Shachtman's long Wired feature, "They Cracked This 250-Year-Old Code, and Found a Secret Society Inside," tells the intriguing story of the cracking of the "Copiale" cipher, a strange text left behind by a mid-18th-century secret society called the Oculists. The Oculists had formerly been remembered as a society concerned with performing and perfecting eye surgeries, but the Copiale cipher revealed them to have been either spies within Freemasonry, or Freemasons who'd formed another secret society to record and safeguard Masonic rituals in the face of persecution from the Catholic church. I was particularly intrigued by the parallels Shachtman draws between members of secret societies and contemporary online secret groups, both using cryptography to guard their freethought from intolerant state snooping.

Hundreds of thousands of Europeans belonged to secret societies in the 18th century, Önnerfors explained to Megyesi; in Sweden alone, there were more than a hundred orders. Though they were clandestine, they were often remarkably inclusive. Many welcomed noblemen and merchants alike—a rare egalitarian practice in an era of strict social hierarchies. That made the orders dangerous to the state. They also frequently didn’t care about their adherents’ Christian denomination, making these orders—especially the biggest of them, Freemasonry—an implicit threat to the authority of the Catholic Church. In 1738 Pope Clement XII forbade all Catholics from joining a Masonic lodge. Others implied that the male-only groups might be hotbeds of sodomy. Not long after, rumors started that members of these orders actually worshipped the devil.

These societies were the incubators of democracy, modern science, and ecumenical religion. They elected their own leaders and drew up constitutions to govern their operations. It wasn’t an accident that Voltaire, George Washington, and Ben Franklin were all active members. And just like today’s networked radicals, much of their power was wrapped up in their ability to stay anonymous and keep their communications secret.

After reading the Oculists’ cipher, Önnerfors suggested that it described one of the more extreme groups. Forget the implicit threats to the state or church. In part of the Copiale, there’s explicit talk about slaying the tyrannical “three-headed monster” who “deprive[s] man of his natural freedom.” There’s even a call for a “general revolt.” Remember, Önnerfors told the code-breakers, this book was written in the 1740s—30 years before the Declaration of Independence. “To someone at the time,” he added, “this would be like reading a manifesto from a terrorist organization.”

They Cracked This 250-Year-Old Code, and Found a Secret Society Inside

What do we do about untrustworthy Certificate Authorities?


OpenSSL maintainer and Google cryptographer Ben Laurie and I collaborated on an article for Nature magazine on technical systems for finding untrustworthy Certificate Authorities. We focused on Certificate Transparency, the solution that will shortly be integrated into Chrome, and also discussed Sovereign Keys, a related proposal from the Electronic Frontier Foundation. Both make clever use of cryptographic hashes, arranged in Merkle trees, to produce "untrusted, provable logs."
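As an added illustration of what "untrusted, provable logs" means in practice (my example code, not code from the Nature article, from Chrome or from any Certificate Transparency log), here is a small Python model of the RFC 6962 Merkle tree hash and inclusion-proof check that Certificate Transparency relies on; the five log entries are constructed placeholders, not real certificates.

```python
import hashlib
import hmac

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 prefixes leaves with 0x00 and interior nodes with 0x01, so a
    # leaf value can never be mistaken for an interior node (second-preimage defence).
    return _sha256(b"\x00" + entry)

def _node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)

def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 split rule)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries: list) -> bytes:
    """Merkle Tree Head of an append-only log; any changed entry changes the head."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return _node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_proof(entries: list, index: int) -> list:
    """Audit path for entries[index]: sibling hashes ordered from leaf to root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [tree_hash(entries[:k])]

def _root_from_path(leaf: bytes, index: int, size: int, path: list):
    # Walk the same splits as tree_hash, consuming the path from the top down.
    if size == 1:
        return leaf if not path else None   # leftover proof elements: malformed
    if not path:
        return None                          # proof too short
    k = _split_point(size)
    sibling = path[-1]
    if index < k:
        sub = _root_from_path(leaf, index, k, path[:-1])
        return None if sub is None else _node_hash(sub, sibling)
    sub = _root_from_path(leaf, index - k, size - k, path[:-1])
    return None if sub is None else _node_hash(sibling, sub)

def verify_inclusion(entry: bytes, index: int, tree_size: int, path: list, root: bytes) -> bool:
    """True only if `entry` sits at `index` of a log of `tree_size` whose head is `root`."""
    if not 0 <= index < tree_size:
        return False
    computed = _root_from_path(leaf_hash(entry), index, tree_size, path)
    return computed is not None and hmac.compare_digest(computed, root)

# Constructed sample log: placeholder "certificates", not real CT entries.
SAMPLE_LOG = [b"cert:example.org", b"cert:mail.example.org", b"cert:shop.example.org",
              b"cert:login.example.org", b"cert:api.example.org"]

if __name__ == "__main__":
    root, path = tree_hash(SAMPLE_LOG), inclusion_proof(SAMPLE_LOG, 3)
    print("entry 3 included:", verify_inclusion(SAMPLE_LOG[3], 3, len(SAMPLE_LOG), path, root))
    print("forged entry:", verify_inclusion(b"cert:evil.example.org", 3, len(SAMPLE_LOG), path, root))
```

A client that remembers a signed tree head only needs the short audit path, not the whole log, to check that a certificate it was shown is really recorded, which is what lets the log operator be untrusted.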

In 2011, a fake Adobe Flash updater was discovered on the Internet. To any user it looked authentic. The software’s cryptographic certificates, which securely verify the authenticity and integrity of Internet connections, bore an authorized signature. Internet users who thought they were applying a legitimate patch unwittingly turned their computers into spies. An unknown master had access to all of their data. The keys used to sign the certificates had been stolen from a ‘certificate authority’ (CA), a trusted body (in this case, the Malaysian Agricultural Research and Development Institute) whose encrypted signature on a website or piece of software tells a browser program that the destination is bona fide. Until the breach was found and the certificate revoked, the keys could be used to impersonate virtually any site on the Internet.

Secure the Internet (PDF)

EFF delivers easy full-disk encryption for Ubuntu

Douglas sez,

18 months ago Boing Boing posted about EFF's effort to get Ubuntu to make full disk encryption (FDE) easy upon install. EFF has delivered.

I'm sure many of us have had and continue to have the experience of trying to nudge someone (or ourselves) over from OS X or Windows to GNU/Linux and LUKS full disk encryption, but the process got roadblocked at some point because using the alternate installer to config the partitions and all for FDE was just too much of a hassle for parties involved. Now in Ubuntu 12.10, FDE is just a tickbox in the default installer. How cool is that?

This means it's a good time to donate to EFF. And if you're using Ubuntu 12.10, don't forget to fix the privacy problems for which EFF provides a tutorial (thanks again!).

(Thanks, Doug!)

Crypto 101: free Stanford course online

Stanford's Dan Boneh is offering a free Cryptography course through Coursera. It has a 5-7 hour/week workload, and runs for six weeks. It's just started.

Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.

Cryptography I

CryptoParty: like a Tupperware party for learning crypto

CryptoParty is a global movement for people who want to teach their neighbors how to use cryptography to protect themselves from snoopers, especially broad government surveillance. It was kicked off by @Asher_Wolf in response to the broad, sweeping Australian Internet surveillance bill, and involves throwing parties where folks who know how to use disk encryption, email encryption, and similar projects teach their neighbors to use it too.

There's a crowdsourced book -- "The CryptoParty Handbook," 400+ pages written in less than 24 hours by activists all over the world -- and other instructional materials to help you get started.

What is CryptoParty? Interested parties with computers, devices, and the desire to learn to use the most basic crypto programs and the fundamental concepts of their operation! CryptoParties are free to attend, public, and are commercially non-aligned.

CryptoParty (via Techdirt)

Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere $20


Moxie Marlinspike and David Hulton's Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate presentation from Defcon is now a reality. If you want to crack a MS-CHAPv2 PPTP authentication handshake (like the one I use when I connect to IPREDator, the secure proxy I favor), they'll exhaust all of the DES keyspace for you for a mere $20, usually in less than a day.

Basically, MS-CHAPv2-based VPNs should now be considered insecure and not fit for purpose. Plus Moxie and David can brute force all of DES for $20. Yowza.

A Week Of Discounted Cracking

For this week (9/23/2012), we will be offering deeply discounted MS-CHAPv2 cracking jobs by reducing the price from $200 to $20. This means that any PPTP VPN connection or intercepted MS-CHAPv2 WPA Enterprise wireless credentials can be cracked and decrypted with a 100% success rate for only $20.

The one major caveat is that an influx of additional jobs might increase the pending queue depth and cause MS-CHAPv2 jobs to take slightly longer than usual, but we'll see how it goes.

Cheaper MS-CHAPv2 Cracking (via Hacker News)

Wikipedia will encrypt to fight UK spying

Jimmy Wales says that he'll configure Wikipedia to encrypt all user traffic to undermine the UK government's "Snooper's Charter," which will institute bulk, warrantless Internet spying on the whole nation. (via /.)

Password cracking goes into hyperdrive

Dan Goodin's Ars piece on the state of password security is a must-read overview of the way that the password cracking landscape has changed in surprising ways. It's not just that computers have gotten faster -- it's the confluence of several factors, including: more sites that require passwords, which encourages password re-use; sites that use weak password hashing, unsalted hashing, or no hashing at all; and titanic dumps of real-world passwords that provide insight into how users choose their passwords. Put them all together and you get a situation like the LinkedIn dump, where 90 percent of the encrypted passwords were extracted in short order -- and where many of those passwords could be used to take over other user accounts, thanks to password re-use.

The RockYou dump was a watershed moment, but it turned out to be only the start of what's become a much larger cracking phenomenon. By putting 14 million of the most common passwords into the public domain, it allowed people attacking cryptographically protected password leaks to almost instantaneously crack the weakest passwords. That made it possible to devote more resources to cracking the stronger ones.

Within days of the Gawker breach, for instance, a large percentage of the password hashes had been converted to plaintext, a feat that gave crackers an even larger corpus of real-world passwords to inform future attacks. That collective body of passwords has only snowballed since then, and it grows ever larger with each passing breach. Just six days after the leak of 6.5 million LinkedIn password hashes in June, more than 90 percent of them were cracked. In the past year alone, Redman said, more than 100 million passwords have been published online, either in plaintext or in ciphertext that can be readily cracked.

"Now, it's like once a quarter you get another RockYou," Redman said.

In the RockYou aftermath, everything changed. Gone were word lists compiled from Webster's and other dictionaries that were then modified in hopes of mimicking the words people actually used to access their e-mail and other online services. In their place went a single collection of letters, numbers, and symbols—including everything from pet names to cartoon characters—that would seed future password attacks.

"So it's no longer this theoretical word list of Klingon planets and stuff like that," Redman said of the RockYou list. "It's literally 'dragon' and 'princess' and stuff like that, and [the list] may crack 60 percent of a newly compromised website. Now you have 60 percent of the work done and you haven't done any thinking at all. You've just used your previous knowledge."

I wrote a novella about where all this stuff ends up, called Knights of the Rainbow Table, for Intel's Tomorrow Project. I don't believe sf writers predict the future, but I sure feel like that one predicted the present.

Why passwords have never been weaker—and crackers have never been stronger

How do we make web stuff that's secure enough for human rights workers?

Patrick Ball sez, "Lots of people in the world depend on electronic security. That means it has to be seriously strong, and I have been worrying that lots of folks -- esp media folks -- are eager for easy-to-use shortcuts, even if those shortcuts aren't actually secure. CryptoCat is one such shortcut, as was Hushmail, and I believe neither are adequate for the hard case of protecting human rights information. There are solid security solutions, though we have a long way to go to improve user interfaces and overall user experience."

With any host-based system that delivers the encryption engine to you each time you log in, and in which your keys reside on the server, you are never secure against the host (there’s new research on this called “host-proof hosting,” but it’s a long way from being ready to use in real applications). That means that if the host attacks you, or they fail to protect themselves, your encrypted data will be available to them. Remember that the host might attack you because someone evil has taken control of the host. If you are the hypothetical dissident in the Middle East, your government might contract a hacker to break into the CryptoCat server, Hushmail, or other host-based server, and thereby get access to all your data. Or they could bribe an employee at a host-based service. Again: in host-based security, all your security rests on your personal trust for the people at the host, and their ability to protect the server. There’s no real security in a technical sense.

This means that Hushmail is no more secure than any other email service, like Gmail. In fact, Gmail might be more secure than Hushmail, if we think that Gmail has better personnel screening and more skillful engineers protecting their servers against malicious attacks than Hushmail does (many experts do believe this). By the same logic, CryptoCat is no more secure than Yahoo chat.

At Benetech, we’ve been working with human rights data for over twenty years, and providing secure software for ten. Martus has been downloaded by users in more than 100 countries. We’ve learned that, unfortunately, security is hard, and people who tell you that it’s easy or that there are shortcuts are probably fooling you — and maybe themselves. Our best efforts have all come from building security into the applications we already want to use, like Martus, which has security built into a database. For both email and chat, there are real security solutions (GPG and Pidgin/OTR). They’re a little harder to use, but their security is real.

When It Comes to Human Rights, There Are No Online Security Shortcuts (Thanks, Patrick!)

Crack the crypto in Agrippa, win every William Gibson book ever published

Quinn DuPont writes in with "A cracking challenge to cryptanalyse a William Gibson poem ('Agrippa', written in 1992). The winner will receive a copy of every William Gibson book published. Project is academic (non-commercial)."

Gibson's poem is a beautiful work, and it came on a floppy disk that erased itself after displaying the poem's text a single time. Of course, it was cracked almost immediately (cf. all DRM, ever), but that wasn't really the point. The challenge site includes a System 7 emulator, an image of the floppy, some of the source code for the app (which was apparently written in Lisp?!), and more.

Based on the pioneering work of Alan Liu and his team at The Agrippa Files, working in collaboration with Matthew Kirschenbaum at the Maryland Institute for Technology in the Humanities and the Digital Forensics Lab, a bit-for-bit copy of this application has been recovered, along with numerous archival documents.

The first person to successfully crack the code will win a copy of every William Gibson book ever published (except Agrippa). Every runner-up will have their name (if provided) posted on this website. To win you must submit a technical description of your cryptanalysis below, under Creative Commons usage rights (the results of which will be used to further research on Agrippa). The technical description should explain what kind of encryption is used (if any), how it functions, and how it was reversed or cracked (and what the key is, if there is one). Should there be no encryption at all (a possibility), or should the application merely “scramble” or “destroy” the data, this must be technically demonstrated or proved. Since the plain text is known, the cryptanalysis is purely for fun and academic curiosity, and thus the description should provide technical details.

Cracking the Agrippa Code (Thanks, Quinn!)

HOWTO think like Alan Turing

In early celebration of the Turing centenary this week, Ars Technica's Matthew Lasar has a lovely list of seven of Alan Turing's habits of thought, including this one: Be Playful.

There was something about Turing that made his friends and family want to compose rhymes. His proud father openly admitted that he hadn't the vaguest idea what his son's mathematical inquiries were about, but it was all good anyway. "I don't know what the 'ell 'e meant / But that is what 'e said 'e meant," John wrote to Alan, who took delight in reading the couplet to friends.

His fellow students sang songs about him at the dinner table: "The maths brain lies often awake in his bed / Doing logs to ten places and trig in his head."

His gym class colleagues even sang his praises as a linesman: "Turing's fond of the football field / For geometric problems the touch-lines yield."

Turing's favorite physical activity, however, was running, especially the long-distance variety. "He would amaze his colleagues by running to scientific meetings," Hodges writes, "beating the travelers by public transport." He even came close to a shot at the 1948 Olympic Games, a bid cut short by an injury.

The highly productive habits of Alan Turing

(Image: Alan Turing in 1927, Sherborne school archives)

HOWTO securely hash passwords

In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt -- you must use a slow password hash that takes a lot of work, so that making rainbow tables is impractical.

Ptacek: The difference between a cryptographic hash and a password storage hash is that a cryptographic hash is designed to be very, very fast. And it has to be because it’s designed to be used in things like IPsec. On a packet-by-packet basis, every time a packet hits an Ethernet card, these are things that have to run fast enough to add no discernible latencies to traffic going through Internet routers and things like that. And so the core design goal for cryptographic hashes is to make them lightning fast.

Well, that’s the opposite of what you want with a password hash. You want a password hash to be very slow. The reason for that is a normal user logs in once or twice a day if that — maybe they mistype their password, and have to log in twice or whatever. But in most cases, there are very few interactions the normal user has with a web site with a password hash. Very little of the overhead in running a Web application comes from your password hashing. But if you think about what an attacker has to do, they have a file full of hashes, and they have to try zillions of password combinations against every one of those hashes. For them, if you make a password hash take longer, that’s murder on them.

So, if you use a modern password hash — even if you are hardware accelerated, even if you designed your own circuits to do password hashing, there are modern, secure password hashes that would take hundreds or thousands of years to test passwords on.

The problem is that you really need to make this design decision from the start -- it's hard to retrofit once you've got millions of users.
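As an added example serving both the password-cracking piece above and Ptacek's advice here (my code, not anything from the Krebs interview, Ars Technica or a particular product), this Python contrasts the fast unsalted hash that made the LinkedIn and RockYou dumps so easy to crack with a slow, per-user-salted PBKDF2 hash whose work factor can be raised later without a big migration. The sample passwords and the 600,000 iteration count are constructed choices for illustration.

```python
import base64
import hashlib
import hmac
import os

# Work factor: the legitimate user pays it once per login, the attacker pays it
# for every guess against every hash. Raise it as hardware gets faster.
ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """The anti-pattern: fast, unsalted SHA-256. Same password -> same hash for every
    site and user, so one precomputed table (or one RockYou-style word list) cracks all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Slow, salted hash (PBKDF2-HMAC-SHA256 from the standard library). The record is
    self-describing so each user's work factor can be upgraded independently."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user: no shared rainbow tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record never verifies
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)

def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """Tells the login handler to re-hash after a successful login when the stored
    record uses a weaker scheme or a lower work factor than the current policy."""
    try:
        scheme, iterations, _salt, _dk = stored.split("$")
        return scheme != "pbkdf2-sha256" or int(iterations) < min_iterations
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed sample: two users who both chose the password "dragon".
    print(weak_hash("dragon") == weak_hash("dragon"))   # identical: a leak exposes reuse
    a, b = hash_password("dragon"), hash_password("dragon")
    print(a == b, verify_password("dragon", a), verify_password("princess", a))
```

Retrofitting, as the post notes, is the hard part; `needs_rehash` is the usual hook for it, because the plaintext is only available at the moment the user logs in.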

How Companies Can Beef Up Password Security

HOWTO make a papercraft Enigma machine


Franklin Heath, a UK security consultancy, offers plans for printing and assembling your own papercraft Enigma machine, approximately like the ones that Alan Turing, the Polish cryptographers and co broke at Bletchley Park. Now all we need are papercraft bombes, a papercraft Colossus, and several thousand papercraft young women to work on code intercepts through the night...

The instructions note: "Using low-tack 'removable' sticky tape can make it easier to swap round and reuse the rotors if you want to do that, but it's not essential."

If you seriously want to explore paper computing, a good followup project is the legendary CARDIAC computer.

Enigma/Paper Enigma

Security researcher: I found secret reprogramming backdoors in Chinese microprocessors

Sergei Skorobogatov, a postdoc in the Security Group at the Computer Laboratory of the University of Cambridge, has written up claims that reprogrammable microchips from China contained secret back-doors that can be used to covertly insert code:

Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.

Key features of our technology:

* scans silicon/hardware for backdoors, Trojans and unexpected behaviour
* low cost
* very fast result turnaround time
* high portability
* adaptable - scale up to include many types of chip

Further funding is needed for us to progress to testing further silicon chips and to develop better search algorithms which would allow us to detect possible spy systems or vulnerabilities in a greater range of systems.

Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China), or indeed if the specifications themselves contain a deliberately inserted potential threat.

This block of text is undated, though it appears on a page whose last-modified date is reported as 14-05-2012. I couldn't find any further information on which chips were affected or the methodology used to discover the backdoors.

Hardware Assurance and its importance to National Security (via MeFi)

Alan Turing's obituaries

David Stutz has posted a small collection of obituaries for Alan Turing after he was hounded to suicide as a punishment for being gay. Here's my favorite:

“For those who knew him here [at Sherborne] the memory is of an even-tempered, lovable character with an impish sense of humour and a modesty proof against all achievement. You would not take him for a Wrangler, the youngest Fellow of King’s and the youngest F.R.S. [Fellow of the Royal Society], or as a Marathon runner, or that behind a negligé appearance he was intensely practical. Rather you recollected him as one who buttered his porridge, brewed scientific concoctions in his study, suspended a weighted string from the staircase wall and set it swinging before Chapel to demonstrate the rotation of the Earth by its change of direction by noon, produced proofs of the postulates of Euclid, or brought bottles of imprisoned flies to study their “decadence” by inbreeding. On holidays in Cornwall or Sark he was a lively companion even to the extent of mixed bathing at midnight. During the war he was engaged in breaking down enemy codes, and had under him a regiment of girls, supervised to his amusement by a dragon of a female. His work was hush-hush, not to be divulged even to his mother. For it he was awarded the O.B.E. He also adopted a young Jewish refugee and saw him through his education. Besides long distance running, his hobbies were gardening and chess; and occasionally realistic water-colour painting.

In all his preoccupation with logic, mathematics, and science he never lost the common touch; in a short life he accomplished much, and to the roll of great names in the history of his particular studies added his own.” — The Sherbornian, Summer Term 1954

obituary quotations