Network Benchmarking | TechSNAP 66

Network Benchmarking  | TechSNAP 66

Our tools to benchmark and monitor your network.

Plus: Formspring leaks your password, Microsoft finally kills off old certificates and how to steal a BMW in a few seconds!

All that and more, in this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Formspring detects intrusion – 420,000 hashed passwords leaked

  • Formspring was alerted when password hashes were posted on a hacking forum
  • After determining that the hashes were in fact from their site, administrators shut the service down
  • The attackers managed to compromise a development server at FormSpring, and then was able to access the production database, and gain access to customer information
  • Formspring used SHA256 hashes with a random salt
  • While this is better than a plain SHA256 without a salt, it is still not very strong
  • SHA hashes are designed to be calculated very quickly, because that is what you want in a hashing algorithm
  • Cryptographic hashing algorithms, like SHA256crypt on the other hand, is ‘adaptive’, it use a variable number of ‘rounds’ of the hashing algorithm to slow the process down, to make cracking the passwords more expensive. SHA256crypt defaults to 5000 rounds (hash of the hash of the hash…), and this value can be adjusted over time, to keep pace with faster CPUs and GPUs
  • So while the random salts make the Formspring passwords immune to rainbow tables (thus making even the more trivial passwords require brute forcing, unlike the LinkedIn passwords), they can still be cracked with tools such as John the Ripper, and the cracking can be accelerated with GPUs
  • Formspring came to this same realization and as part of the mandatory password reset for all users, new passwords will be stored using the adaptive cryptographic hashing algorithm bcrypt
  • There have been no reports of any accounts being compromised, although the news has triggered a wave of trend-jacking phishing attacks, malicious emails to users directing them to the wrong place to reset their formspring password

Microsoft revokes 28 of its own certificates because they are insecure

  • In the wake of the Flame malware, which used a forged Microsoft certificate for code signing and to impersonate Windows Update, Microsoft has revoked other certificates that may be susceptible
  • In order to prevent this from happening again, Microsoft is revoking trust in all certificates that do not meet their current security standards
  • We assume this means revoking certificates with insufficient key strength and certificates generated with MD5 hashes
  • Microsoft also released its Certificate Updater application, which was released previously as an optional update to help mitigate the Flame malware, but with this update is not marked as ‘Critical’, which will see it be installed on the majority of updated Windows machines

One of Stuxnet’s spreading mechanisms hits kill switch

  • Three years after Stuxnet was originally seeded, one of the main spreading mechanisms has shut itself off
  • Spreading of the malware via Windows .lnk files spread via USB sticks has stopped after reaching the cutoff date specified in the Stuxnet source code
  • The three known variants of Stuxnet were seeded on 2009–06–23, 2009–06–28 and 2009–07–07
  • This is not the first time Stuxnet has expired some of its capabilities, spread via the MS10–061 exploit stopped on 2011–06–01, and the MS08–067 exploit checks for dates before January 2030

Court case reveals inner workings of IPP International IP Tracker, a BitTorrent tracking software

Web exploit figures out what OS victim is using, customizes payload

  • The exploit uses ‘TrustedSec’s Social Engineering Toolkit’ to generate a signed .jar file that is embedded in compromised websites via the applet tag
  • If the user allows the .jar file to run, it detects the OS of the machine, and performs a different action
  • The Social Engineering Toolkit is open source software
  • In this case, the attackers used the toolkit as a basis for their malware downloader, it downloads and runs a different exploit depending on the OS of the victim
  • This exploit targets Windows, Mac and Linux users, with a custom malware payload for each
  • All three exploits appear to be targeted at giving the attacker a shell on the machine, so they can perform whatever actions they wish
  • Additional Link


Round Up:

Question? Comments? Contact us here!