Moontanman Posted September 22, 2008 Report Share Posted September 22, 2008 symbols being letters? numbers? special characters (like +_)(&* ...etc?) pirated means not updated, which means that you are probably already owned, just dont know about it, or you are not owned, but owning you is very simple. And aol has tried putting spyware in a multitude of their products :) such is life... aahahahahahahahahahahahahahahaahahahahaahhaahahahahahahahaahhaahahahahahahahaha:)hahahahahahahaahahhaahahahahahahahahahahahahahahahahahahahahaheheyou won't even know you did it ;) read a little about XSS ;) (i even had a blog post on it) comodo is the best in windows world, right now.... just thought i'd tell you Ok, tell me how I could fall for a phishing scam and not know it? My password is letters and numbers, Do you have a link for that fire wall? Quote Link to comment Share on other sites More sharing options...
pgrmdave Posted September 22, 2008 Report Share Posted September 22, 2008 comodo firewall - Google Search I use ZoneAlarm, another free firewall (though to be fair, Alex probably knows much more about security than I do). How do they compare, Alex? zonealarm firewall - Google Search Quote Link to comment Share on other sites More sharing options...
alexander Posted September 22, 2008 Report Share Posted September 22, 2008 Comodo Free Firewall Software Download direct link I like the fact that Comodo, aside from just monitoring incoming and outgoing ports, also monitors access to some more sensitive areas of the machine, and that it monitors processes trying to call other processes. Comodo can be a pain in the butt to run, but it makes up in the level of security that it provides for your system... My password is letters and numbersat 8 characters a brute-force attack would probably take a couple of weeks, though it is much easier to just steal your authentication cookie :) Ok, tell me how I could fall for a phishing scam and not know it?read a little about it on my blog, here: SecurityEnthusiast, enthusiastic about important things in life Blog Archive XSS, Even The Common Sense Won’t Help (direct link to the page) then do a little research. Also search back through comp-sci, i mentioned XSS volnurabilities, and discussed threats of thereof before... Quote Link to comment Share on other sites More sharing options...
CraigD Posted September 23, 2008 Report Share Posted September 23, 2008 My password is letters and numbersat 8 characters a brute-force attack would probably take a couple of weeks, though it is much easier to just steal your authentication cookie :PYou should check your math on that estimate, alexander! A mixed-case alphanumeric password has 26+26+10=62 possible characters. [math]62^8 =218340105584896[/math], and [math]\frac{\log 0.5}{\log 62^8 -\log 62^8 -1} \dot= 151342179161560[/math]. There are 1209600 seconds in a 2 weeks, so to have a 0.5 probability of brute-forcing a 8 character mixed-case alphanumeric password in couple weeks, you’d have to randomly try about 125 million times a second. To have a 100% chance, you’d need to exhaustively (never repeating a guess) try about 180 million/sec, or 90 million/sec to have a 50% chance exhaustively. This assumes that yahoo or whatever service provider allows upwards of trillions of failed sign on attempts before locking the user account. I’m unaware of any regulation requiring the likes of yahoo not to, but strongly suspect they have s failed attempt lockout policy of some kind. HIPAA compliance (used by healthcare providers) requires at least a lockout after at most 6 failed attempts, while SOX (used by damn near any large business these days that wants good credit) sets it at 10. Even if the lockout is as short as 5 min after 10 failed attempts, this pushes the time to reach 0.5 probability of success for an exhaustive brute-force attack to 218340105584896 /2 *30 /86400 /365.25 =~ 104 million years, 208 million years for assured success. Assuming all the characters from SP (32d) to ~ (126d) are permitted, there are 95 possible characters in a mixed-case alphanumeric+punctuation password, increasing all of the above try and time requirements by a factor of [math]\left(\frac{95}{62}\right)^8 \dot= 30[/math]. Quote Link to comment Share on other sites More sharing options...
pgrmdave Posted September 23, 2008 Report Share Posted September 23, 2008 I had been wondering about those numbers...thanks Craig. Quote Link to comment Share on other sites More sharing options...
alexander Posted September 23, 2008 Report Share Posted September 23, 2008 first of all, most bruit force tools work using threads, thats one, second is that it tries more common passwords first, then after completing dictionary attack, it starts the regular bruit force, i said a couple of weeks, because the way that it generates passwords, it is likely that within a couple of weeks, your password should be cracked. I have cracked my test environment passwords in anywhere from 2 hours, to over 3 weeks... And yes, threads are your friends in that case, the more threads your hardware can support, the faster the crack... (you are forgetting it's not a hardware lock) This assumes that yahoo or whatever service provider allows upwards of trillions of failed sign on attempts before locking the user account.After spoofs and email take overs and resets, brute force is the next leading cause of myspace account take overs... besides, as i said someone is likely to use other means of getting your information, by installing a key logger, or by monitoring your local traffic, i mean there are probably over a hundred ways to take over an email account, most of which would wield faster results. And AOL is probably not the only place he uses that password, thus, it may be much simpler to get his password from else-where and then simply use it to get access to email... Quote Link to comment Share on other sites More sharing options...
alexander Posted September 23, 2008 Report Share Posted September 23, 2008 Many web-based giants have not implemented a lockout policy... and as i said, chances are that password is not just being used for email, thus there may be much easier places to get the password... Quote Link to comment Share on other sites More sharing options...
pgrmdave Posted September 23, 2008 Report Share Posted September 23, 2008 Well, I did just try to log into my yahoo account many times with the wrong password, and never got locked out. Quote Link to comment Share on other sites More sharing options...
CraigD Posted September 23, 2008 Report Share Posted September 23, 2008 first of all, most bruit force tools work using threads …To make the roughly 100 million tries/second typically necessary to brute force an 8 character alphanumeric password almost certainly would require not at least multiple treads on a single collection of CPUs, more likely multiple collections of CPUs. Even if you can manage this – not very hard if you have the hardware, which is not very hard to have – there’s a real issue of network bandwidth limitations. A TCP/IP packet has at least 56 bytes + payload, typically 512. A typical http signon dialog (eg: aol.com’s one, without getting the unnecessary graphics) is about 15 KB. So, even if a collection of hosts will accept unlimited sign on attempts at unlimited speed, the bandwidth requirement is a minimum of between about 75 and 410 Mbit/s, typically 12000 MBits/s, which is equivalent to 49, 264, and 7740 T1 lines. A T1 line costs about $400/month these days, which put the cost of our brute force attack (to the source and target host owner, of course, not necessarily the hacker) between US$18,000 and $3 million. What I’m getting at here is that brute force attacks over a network requiring on the order of a trillion attempts are not easy or affordable, regardless of how you code them.… second is that it tries more common passwords first, then after completing dictionary attack, it starts the regular bruit force, i said a couple of weeks, because the way that it generates passwords, it is likely that within a couple of weeks, your password should be cracked.As alexander notes, a sensible cracking approach begins with a dictionary attack. However, based on the numbers above, I don’t see the sense in trying a brute force attack if the dictionary attack fails. In short, faced with a truly random password, even one of fairly modest keyspace size, brute force over a present-day network isn’t sensible, or possibly even doable.I have cracked my test environment passwords in anywhere from 2 hours, to over 3 weeks... And yes, threads are your friends in that case, the more threads your hardware can support, the faster the crack... (you are forgetting it's not a hardware lock)If you can manage to run a cracking attack locally – on the target server – a brute force attack for modest keyspace passwords is practical. If you can get onto the target server and access some user account database, however, it’s questionable why you’d need to do this. After spoofs and email take overs and resets, brute force is the next leading cause of myspace account take overs...For the reasons above, my guess is that the “brute force” in this claim is actually a dictionary attack. Not many myspace users, I’d guess, bother with long, random passwords – for the most part, the damage of having your myspace account hacked is not very great. I’m curious, alexander, about the source of your myspace account takeovers and the security policies of web giants. :confused: Where are you getting all this stuff? I’m pretty sure not from a simple google of a phrase like “AOL lockout policy” besides, as i said someone is likely to use other means of getting your information, by installing a key logger, or by monitoring your local traffic, i mean there are probably over a hundred ways to take over an email account, most of which would wield faster results. My point, exactly! Unless it’s tiny (eg: 3 alpha, keyspace size [math]26^3 = 140608[/math]), brute forcing a password is one of the least practical intrusion methods I can imagine. Countermeasures to it are trivial – for example, a 0.01 second pacing (not letting it happen any faster than 0.01 s) on password validation, while unnoticeable to a human user, effectively kills any attack that needs to perform millions of trys/second. As secure shell-type protocols (eg: sftp, ssh) become more ubiquitous (it’s reasonable, these days, to refuse to do business with any site that doesn’t show a little locked lock in you browser when you’re signing on), network traffic monitoring becomes less effective for data (including password) theft. Keystroke loggers – including the low-tech approach of shoulder surfing, with or without telescope ;) – are potentially unbeatable. There are little hardware versions of the little devils that can be snuck onto your keyboard cord, and how many people perform a thorough inspection of all their cords before using a machine? However, to get a keystroke logger, software, hardware, or human, on a box, you’ve got to get to the box, virally or physically, so we’ve at least some hope that we’re not likely to be overrun by them. :) Quote Link to comment Share on other sites More sharing options...
CraigD Posted September 23, 2008 Report Share Posted September 23, 2008 Well, I did just try to log into my yahoo account many times with the wrong password, and never got locked out.Either that indicates that there is no number-of-failed-signon-attempts lockout for yahoo accounts, or the number is higher than you tried (eg: 200). I've no guess which is the case. There’s at least 1 good reason to set a number-of-failed-signon-attempts lockout number higher than a human can conveniently reach: to prevent malicious people knowing your ID from locking you out of your account by intentionally unsuccessfully attempting to log on with it. If you set the number to something that an attacker can’t manage within the lockout’s expiration time, even a determined attacker can’t keep even one person locked out of his account. For example, pacing logon attempts at 0.25 sec, number of failures at 1500, and the expiration time at 5 min, an attacker can’t deny you 75 second every 5 minutes in which you can log on. With such slow pacing, however, you likely needn’t have a number-of-failures lockout policy at all – in the above scenario, all the lockout does is make the effective attempt rate 0.45 tries/sec, rather than 0.25. A better approach is to trigger some human attention to large numbers of failed signon attempts, and for that human to go after the source IP address. Unless your attacker has a true anonymizer server between you and him (most of the publicly available ones, like the one rubico used, aren’t truly anonymous, keeping in-out IP address logs that an admin will turn over to a legitimate inquirer), the admin can track the attacker down, and, like, say nasty things to her/him (or, as is often appropriate, her/his parents). In the mid ‘90s, I spent a lot of design meeting time on this threat, eventually doing nothing about it. In the decades since then, with a population of about 10,000 users, and a everlasting lockout after 5 failed attempts, there’ve been no reports of anyone attempting the attack. At least within my enterprise, people are nicer than worst-case scenario consideration can lead you to expect. freeztar 1 Quote Link to comment Share on other sites More sharing options...
alexander Posted September 24, 2008 Report Share Posted September 24, 2008 My point, exactly! that's what i said in like my first reply... Point being that brute force, while being perhaps the slowest of the attacks, is still a widely used, with libraries of common passwords, etc, and then, but rarely, an actual brute force, though you see less of them, i still hear stories of bruting from my isp friends ;) I’m curious, alexander, about the source of your myspace account takeovers and the security policies of web giants. Where are you getting all this stuff? I’m pretty sure not from a simple google of a phrase like “AOL lockout policy”hehe :):) Craig, i'm not saying that brute is an easy way, i am not denying the fact that it may take a loong time, i have a friend who took 4 months to crack a pass on his own account with 2 machines... it depends where in the general place of passwords the pass falls. Besides, if i really needed a pass, personally, i'd use the other 100 methods of getting it, prior to trying brute... unless its a hash, like a wep key or wpa (1 or 2) :D regarding T1, my cable is about 8.5 times faster, and when fios finally gets here... the damage of having your myspace account hacked is not very great.problem is, people are lazy and use the same password everywhere... so once you have that password, you get email and other access as well, and that is something i try to educate people about... Quote Link to comment Share on other sites More sharing options...
pgrmdave Posted September 24, 2008 Report Share Posted September 24, 2008 Heh, joined a website once to get paid taking surveys (didn't pay much, but it was fun to take the surveys). After a month, I noticed that the URL for the surveys included my usernumber, so I decided to see what would happen if I changed the number. Lo and behold, I managed to be logged in as somebody else, with access to all their information (including some VERY personal information in previous surveys they'd taken). Over the course of three months (after removing all my information from the site) I alerted the owners about it. They still haven't fixed it. Quote Link to comment Share on other sites More sharing options...
alexander Posted September 24, 2008 Report Share Posted September 24, 2008 hehe, sounds about typical for such companies Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.