Not Sharing The Secret | TechSNAP 156

Not Sharing The Secret | TechSNAP 156

Researchers develop a new way to protect your passwords after they’ve been stolen, the little credit card scam making big money…

Then it’s a great batch of your questions, a rockin round up, and much much more!

On this week’s TechSNAP.

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Researchers are NYU develop PolyPassHash, hard to crack password store

  • PolyPassHash is designed to make it significantly harder to crack users’ passwords in the event the password database is leaked
  • The system uses SSSS (Shamir’s Secret Sharing Scheme ) which is a system for dividing a secret key (in this case used to encrypt the password database) into many pieces, and requiring only a specific number of those pieces to be combined to return the key
  • In the wikipedia example, the secret key is divided into 6 parts and the algorithm defined such that 3 of the parts must be combined in order to return the secret
  • The SSSS algorithm is extensible, it allows the number of pieces that the secret is divided into to grow as long as the threshold (the number of pieces required to decrypt) is key fixed
  • The SSSS algorithm is also flexible, allowing for some people (say the system administrator) to have more than 1 share
  • In the Python reference implementation the threshold is set to 10
  • This means that 10 pieces of the secret are required in order to decrypt the password file
  • Each regular user’s password is 1 share of the secret, so when that user provides the correct password, 1 share is available
  • In the reference implementation, there are 3 administrator users, each of who’s password is 5 shares of the secret, meaning the correct passwords for any 2 of the administrators will be able to decrypt the password database
  • Currently PolyPassHash uses just the SHA256 of the users’ password and a random salt, rather than using sha256crypt() which does more than 1 SHA256 round on the password, and uses different mixes of the password and salt
  • The drawback with PolyPassHash is that after a reboot, it is not possible for anyone to login until a sufficient number of users have entered the correct password to return the required number (the threshold) of shares to decrypt the password hashes
  • There is a proposed solution to this, involving shortening the SSSS key such that some of the hash (the last few bytes) are not encrypted, and using that to authenticate the first few users until sufficient users have successfully logged in to decrypt the password database
  • This compromises the security of the passwords because part of the plain hash is leaked, and it also means that an incorrect password could allow a user to login after a reboot before the threshold has been met
  • PolyPassHash also has support for thresholdless accounts (accounts that do not have any shares), in order to protect larger systems (like Facebook or Gmail) where an attack may have compromised enough accounts to have sufficient shares to decrypt the entire database. In this case, only administrator (or maybe power user) accounts would have shares
  • PolyPassHash also has support for other authentication systems, including things like biometrics, ssh keys, and smart cards, but also external systems like OAuth or OpenID (thresholdless accounts)
  • In the case of SSH keys, instead of a password, the share of the SSSS is encrypted with the public key, and the user uses their SSH private key to decrypt the share
  • New users cannot be added until the threshold has been reached, since the secret is required to generate a new share of the secret
  • Research Paper

Who is behind sub-$15 credit card scam

  • A service called ‘BLS Web Learn’ has been identified as being behind a scam that charged numerous credit and debit cards small fees of less than $15
  • The scam centers around small charges that appear on your credit card bill, usually for small random amounts such as $9.84, $10.37, or $12.96
  • The line item includes a toll free number (as most charges do), and you are encouraged by your bank to call this number and try to identify the charge and resolve any issues with the seller directly, rather than filing a chargeback
  • In this case, since the card holder never ordered anything or authorized the charge, the service refunds the small amount
  • They make their money off all of the people who don’t notice the small charge
  • Unlike many scams, because they maintain the assertion that they are a legitimate business, and refund the charge when a cardholder complains, they do not rack up a large number of chargebacks, and their account with the credit card processor is not red flagged or shut down
  • Krebs have investigated a similar case before, which appeared to be based in Malta
  • The name of the ‘online learning’ company, and the credit card processor are different, but the scam seems very much the same
  • The payment processor, BlueSnap, lists its offices in Massachusetts, California, Israel, Malta and London. Interestingly, the payment network used by the previous scam, Credorax, also lists offices in Massachusetts, Israel, London and Malta



Question? Comments? Contact us here!