Posts

Password Presentation - P@ssw0rds

In my last post I provided a template business case that InfoSec people could use to justify increasing the minimum password length while also reducing the frequency of enforced password changes. The reasoning being that if users are not forced to regularly change their passwords then they will be more inclined to select complex passwords that are difficult for an attacker to guess or crack (but still easy for them to remember). This is a sound business case but, to really make the point, wouldn’t it be great to also provide empirical evidence that with the default password policy users are actually using weak passwords!? With some technical knowledge, password hashes can be dumped from a domain controller and subjected to a cracking attack. Chances are, that in domain with a default password policy, many users’ plaintext passwords will be revealed within a reasonable amount of time. Metrics can then be derived, such as the percentage of passwords that were successfully cracked

The Business Case for Increasing Minimum Password Lengths

I love getting root. I also love looking for other people getting root. What I don’t love doing is telling how they can stop other people from getting that sweet sweet root. I know I’m not alone but unfortunately this is what gets many InfoSec folks paid. InfoSec folks have to explain to lay people how to make things more secure in a way that is easy to understand. For many this doesn’t come easily. Your root can be the sweetest root, but if you can’t explain to others why and how it needs to be fixed then you’ve arguably failed as an InfoSec professional.  I’ve recently been in this situation. I’ve needed to justify to senior leadership increasing the minimum password length for Active Directory domain from the default 8 characters to 14. This was a tough sell because users don’t like long passwords. They’re considered harder to remember and a pain to have to enter every time they want to log in. To make this seemingly bitter pill easier to swallow, I also recommended that the maxi

CAPTCHA, if you can

“ S hould the United Kingdom remain a member of the European Union?” or “A ddylai'r Deyrnas Unedig ddal i fod yn aelod o'r Undeb Ewropeaidd?”, in Wales. This was the question asked of UK citizens on the 23rd of July, 2016. Those who wished to leave the European Union (EU) were in the majority, with a 52 - 48 split. With such a slim majority, many who wished to remain in the EU found ways to express their displeasure. One of the ways they did this was to sign an online petition calling for the UK Government “to implement a rule that if the remain or leave vote is less than 60% based a turnout less than 75% there should be another referendum.” Despite the poor wording [1] , the petition managed to attract nearly 4,000,000 signatures within only four days - the largest amount ever received. Reports surfaced that the large number of signatures may have been the result of fraud , and shortly thereafter approximately 77,000 were removed . How did this happen, and what could ha

MWR Hackfu Challenge 2013

Image
This year I entered the MWR Challenge 2013 and won a place at Hackfu! Unfortunately, I was unable to attend due to a scheduling conflict, but I did still get a free T-shirt. I had a blast completing the challenge, and thought I'd share my solution. There is a great narrative that accompanies these challenges, but I'll not mention that here so as to not give away any spoilers! Challenge 1 You're given a zip file that contains an image file and a text file explaining how the image file can be mounted. The mounted image file contains a TrueCrypt volume and a text file stating that the password to this volume is very secure - unlike the password for the previous (now deleted) TrueCrypt volume, which was "password1". Using Autopsy, a GUI for TSK (The Sleuth Kit), it was possible to recover deleted files on the image. A file called old-zip was recovered. This zip file contained a TrueCrypt volume called truecrypt-volume-old. This volume can then be mounted

BSides London 2013 Challenge 5

Image
Another BSides London 2013 challenge! I didn't enter as I had already managed to get my hands on a ticket at the time this one was released. I did, with the help of some colleagues, complete the challenge to fill some spare time I had at the weekend. There was no back story associated with this challenge. You were simply provided with a PDF document , and told to follow the clues until you came across a secret code, a subject line and an email address to which these could be sent . I should also add that although this post shows the most direct route to the final answer, we did find ourselves following a few red herrings and banging our heads against a few proverbial brick walls. Stage 1: The text of the PDF document give clues as to how to complete this stage. Within the seemingly random text is this string: guvfgrkgvfwhfgnqvfgenpgvbasebzgurernypunyyratr When decoded using ROT13 this becomes: th istextisjustadistractionfromtherealchallenge There is also thi

BSides London 2013 Challenge 3

Image
Determined to win a ticket to Security BSides London 2013 and undeterred by my previous failure , I completed the third challenge posted by MWR Labs. I wasn't successful, but I learnt a little about hacking Android apps and decided to share my answer so that others might learn something too. The premise of this challenge is that you are hired by BigCorp to assist in acquiring evidence to prove that an employee is guilty of attacking their IT systems. They have discovered that the employee is using an Android app called Evil Planner, and they want you to find any vulnerabilities that might allow them to access and decrypt any incriminating information stored within the app. Ultimately, the IT wizards at BigCorp will use any vulnerabilities to compromise the employee's device to install a piece of custom malware to extract and decrypt data stored within the Evil Planner app. Below is my submission: The .apk file containing the app was downloaded from the MWR website  and