As usual, I was unable to attend Blackhat/Defcon yet again. But we did have an “official reporter” for CyberArms there this year. The only problem is a little tornado decided to crash into our home city and screwed things up. We were without power and internet for 4 days!
Well, heck with the tornado, here are at least some cool pics of the Defcon Badge Package:
So what does it take to reach cracking speeds topping 154 Billion hashes per second with multiple hashes?
How about the Cryptohaze Multiforcer network-enabled password cracker, 6 computers, and 20 video cards?
“It was done entirely with AMD hardware, and involved 9×6990, 4×6970, 4×5870, 2×5970, and 1×7990 – for a total of 31 GPU cores in 6 physical systems. We had another 11 cards with 15 GPU cores left over – we didn’t have systems to put them in (mostly nVidia).”
The crazy fast 154 billion hashes/second figure was reached while cracking a list of just 10 hashes. With 1000 target hashes the rates were still 139 billion/s for NTLM, 101 billion/s for MD5, and 30 billion/s for SHA1. Note that these are all unsalted, single-iteration hashes: every candidate password is hashed once and then looked up against the whole target list, which is why going from 10 to 1000 targets costs so little. Salted or iterated schemes do not get that multiplier.
The computers were set up in 4 separate physical locations, and the coordinating server, which only hands out work units and collects results, was a small Amazon EC2 m1.small node. The Multiforcer code allowed all these systems to work together, OVER THE INTERNET!
The tool was created for pentesters who need to crack passwords but cannot submit the hashes they obtain to online cracking services because of restrictions in their audit agreements.
Pretty cool stuff. For more information check out the Cryptohaze blog; downloads are available from Cryptohaze.com, or better yet, watch lead developer BitWeasil’s talk, “Cryptohaze Cloud Cracking”, from Defcon 20.
Richard Marcinko, founder of SEAL Team Six, believed in hard, realistic training. “The more thou sweat in training the less thou will bleed in combat.”, was one of his favorite sayings. He wanted his training exercises to mimic what happens in real life. It seems that a recent contest at Defcon may have been taken from a page of Marcinko’s training manual.
According to an article on The Register, a two-day social engineering contest was set up in which contestants called ten industry-leading companies and tried to trick them into giving up information about their internal networks. Contest organizer Chris Hadnagy, Operations Manager of Offensive Security (well known for creating BackTrack 4), said, “We assumed that if we can make a person open up their browser, tell us the version of their browser they had, and then visit a website, in essence if we were malicious, terrible hackers, we could have driven them to a site that had some kind of malicious file on it and that most likely the person would have downloaded it and accepted the malicious file.”
Companies including Cisco, Microsoft, Apple, Pepsi and Coca-Cola were called dozens of times, and the callers struck out only three times. Contestant Josh Michaels was very successful in obtaining information from BP. According to the article:
“With just two phone calls, entrant Josh Michaels managed to dupe a computer support employee at BP into spilling details that could have proved crucial in launching a network attack against the global oil company. The information included what model laptops BP used and the specific operating system, browser, anti-virus and virtual private network software the company used.”
Michaels even tricked the employee into visiting a social engineering site. “That was scary,” Michaels said as he hung up the phone. Scary indeed; humans will always be the weakest link in security.
How do you defend against these types of attacks? It is tough, because people naturally want to help someone in a bind. A written policy on what system information may be given out, posted where employees will actually see it, is the starting point. Keeping the documentation a caller claiming to be an employee would need on an internally accessible system helps too: a real employee can be pointed there, while an outsider cannot reach it. Often simply saying that you need to check on something and asking the suspicious caller for a number to call back will end the attempt; calling back on a number looked up in the company directory, rather than the one the caller supplies, makes that check much stronger.