Computer Webinar: Detecting Advanced Threats and Malware

NitroSecurity is offering the following free webinar (info from site):

Detecting Advanced Threats and Malware with Content Aware SIEM

Date: Thursday, October 28, 2010
Time: 2:00 p.m. ET/11:00 a.m. PT

While many organizations have deployed a security information and event management (SIEM) solution to meet regulatory compliance requirements, high-performance SIEM solutions can do much more. By correlating events, logs, and network flows, SIEMs can uncover a range of diverse “low and slow” attacks.

With threats moving rapidly “up the stack,” content aware SIEMs can integrate database session and application layer data to detect dangerous botnets, hidden payloads and covert communications channels.

In this presentation we’ll cover technologies, techniques and best practices for effective threat detection and timely incident response using high performance SIEM systems.


Putting the Cyber in Cyber Warfare

Analyzing the security field for a while now, I have seen the naysayer comments about cyber warfare. In a real war, you can’t kill with Denial of Service attacks. Or, you can’t shut down the power grid through the internet.

Well, putting all the fluff aside, how would cyber attacks be used in war time?

Right now we just see a lot of cyber espionage, nation states stealing information from other nations. Not that this is a little thing that can just be ignored. According to Sun-Tzu in the Art of War, “Thus it is said that one who knows the enemy and knows himself will not be endangered in a hundred engagements.”

But what most people don’t realize is that in a military conflict, cyber warfare is just another tool in the tool chest. It will be folded in with other forms of electronic warfare.

On the Military channel a while back they interviewed a Commando Solo pilot. He mentioned that during Desert Storm, they completely owned Iraq’s communication, radar, SAM and advanced warning systems. They were able to hide American troop movement by removing them from their systems, and placing fake decoy units into the system.

Electronic warfare specialists coordinated with Special Forces ground troops to subvert every form of Iraqi communication. An Iraqi officer would pick up the phone and a Special Forces operator would answer.

It got so bad that Iraqis no longer trusted radio and phone communication to troops, so they started hand-writing commands and delivering them by vehicle. The US responded by simply blowing up the vehicles.

Systems do not have to be connected to the internet to be susceptible to cyber warfare. Many modern communication systems run on TCP/IP, the same protocol that the internet uses. When TCP/IP was created, security was not a big concern, so phone systems based on TCP/IP are just as susceptible to the same protocol level vulnerabilities as computer systems.

Also, systems not connected to the internet are still vulnerable to cyber warfare if someone walks into the facility and installs a virus or a back door on the system. Or, if a USB drive infected with the SCADA-attacking Stuxnet worm is plugged into a computer inside the isolated network…

The Russians combined cyber warfare tactics with physical warfare during the Russia-Georgia conflict.

When utilities and communication systems go down during a large natural disaster, chaos ensues. We are one of the most technologically advanced nations in the world, yet look how long it took to get aid to New Orleans during Katrina.

When communication systems and utilities go down during a military conflict the outcome is very deadly indeed.

Cracking 14 Character Complex Passwords in 5 Seconds

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.

But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives.

Apparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast?

One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode a complex password in under 5.3 seconds. So, how long would a long complex password hold up to the SSD based cracking technology?

Sounds like we need to put this to the test. Most hackers will crack passwords by decoding the password hash dumps from a compromised computer. So, I pulled several 14 character complex password hashes from a compromised Windows XP SP3 test machine, to see how they would stand up to Objectif’s free online XP hash cracker. The results were stunning.

Let’s start out with an easy one. Here is the Administrator password hash from the machine:


And putting this into Objectif’s tool we get this response:

Password: Empty password…
Time: 2 seconds

Administrator didn’t set a password, that’s not good…

Okay, that wasn’t 14 characters, let’s try a hard one.

How about this one:

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4

And the response:

Password: 72@Fee4S@mura!
Time: 5 Seconds

Wow! That took only 5 seconds, and that is a decent password.

Let’s try a few more:

Hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
Password: (689!!!<>”QTHp
Time: 8 Seconds

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9%^jS743:!
Time: 5 Seconds (Try typing that in every day!)

And Finally:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055
Password: T&p/E$v-O6,1@}
Time: Okay, this one really pushed it to the limits, it took a whole 11 seconds to crack!
(* Ran it through a second time later on and it got it in 3 seconds!)

Very impressive: it took only five to eleven seconds in this test to crack 14 character complex passwords. I was able to create a password that Objectif’s site couldn’t decode; it was using characters from the extended ASCII set. But, unfortunately, I could not log into the XP system using it either. 🙂

Want to see how a password would do without having to exploit a system and dump the password hashes? Objectif allows you to put a password in and it will convert it for you. Then you can place the hash into the cracker and see how it does.

Granted, these are Windows LM hashes and not the more secure Windows 7/Server 2008 NTLM-based hashes. But, I believe that with cracking speeds increasing, relying on passwords alone may no longer be a good security measure. Many companies and government facilities are moving away from using just passwords to two-factor authentication methods. Biometrics and smartcards are really becoming popular in secure facilities.
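As an added defensive example (not code from the original post), here is a small Python audit over pwdump-style hash lines: it flags accounts with no password and accounts whose LM hash is stored at all, and shows the two 7-character halves into which LM splits a password, which is why the 14 character passwords above fell so quickly. Usernames and RIDs are constructed; the svc_backup hashes are the first pair quoted above.

```python
import re

# LM and NT hashes of an empty password (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line layout: user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE)

def lm_halves(password):
    """Return the two 7-character pieces that LM hashes independently.
    LM upper-cases the password, truncates it to 14 characters, null-pads
    it and DES-encrypts each half on its own, so a 14-character password
    is attacked as two case-insensitive 7-character problems."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]

def audit_line(line):
    """Return (user, findings) for one pwdump line, or None if it does not parse."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    lm, nt = m["lm"].lower(), m["nt"].lower()
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm != EMPTY_LM:  # an LM hash is only stored when the password fits LM's rules
        findings.append("lm hash stored")
    return m["user"], findings

def audit_dump(dump):
    """Map each parseable user in a pwdump text to its list of findings."""
    results = {}
    for line in dump.splitlines():
        parsed = audit_line(line)
        if parsed:
            results[parsed[0]] = parsed[1]
    return results

# Constructed sample dump: usernames and RIDs are made up. The Administrator
# line carries the empty-password hashes, svc_backup carries the first LM:NT
# pair quoted in the post, and jdoe's NT hash is an arbitrary placeholder.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""
```

Any account that comes back with "lm hash stored" is one whose password can be attacked as two short halves, exactly the situation the test above exploits; disabling LM hash storage removes that field for new passwords.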

And if the rumors are true, it looks like Microsoft may include facial recognition authentication in the next version of Windows. Time to dust off the old Web Cam…

Curious how long Windows 7 NTLM can hold up to password hash attacks? Check out “NTLM Passwords: Can’t Crack it? Just Pass it!”

Or prefer just Pulling Passwords in Plain Text instead of having to crack them? Check out Mimikatz.

Chinese Hackers, Russian Cyber Crime and American Apathy

A couple years ago, I used to spend a lot of time on government related blogs just stunned to hear about America’s slow movement in securing critical infrastructure and government systems.

I feel that the American government, like a huge ship, takes a long time to turn. Signs look good that the ship is starting to turn though. At the government level at least.

The next huge hurdle is businesses and even home users…

We as a nation are facing very dedicated international hackers, including Chinese state sponsored hackers and Russian crime syndicates. I was watching a security video featuring David Kennedy (Social Engineering Toolkit creator, Former military intelligence) and he made some interesting comments about Chinese hackers.

He mentioned that China was known to just take software created by others and implement it as their own. Even the “Great Firewall of China” was found to have “borrowed” code in it. He then asked the audience how many security guys they had protecting their networks at their places of employment. One said 2, another said 15.

David mentioned something that really puts the whole Chinese hacker thing into perspective. You have 2 to 15 guys protecting your network; they have the manpower to task 1,000 hackers to penetrate your system if you have something they want. Who is going to win that battle?

Also, I have heard that many of the Russian hackers are out-of-work IT workers who could not find jobs. They have turned to hacking to make money. These guys are no joke; they are top tier programmers and system engineers using their skills to crack networks.

Unfortunately, many American businesses and home users don’t focus on securing their systems, or simply don’t care. Meeting corporate budgets so the CEO can get a big bonus or allowing peer to peer software so managers can download movies is of greater concern. Until something happens of course.

But apathy is not always the case. Many American business owners and home users have been misinformed. They think that if they have a firewall and anti-virus that they are safe. Some businesses do not even have policies about system usage or online safety. Yet, they are an integral link to American infrastructure.

Our government is waking up to online threats; now it is time for businesses and even home users to come alongside and provide a united front in protecting America’s digital borders.