Archive for IT / Computers

Cheap GPUs Are Rendering Strong Passwords Useless

Source: http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack?

Think again!

Jon Honeyball writing for PC Pro has a sobering piece on how the modern GPU can be leveraged as a powerful tool against passwords once considered safe from bruteforce attack.

Take a cheap GPU (like the Radeon HD 5770) and the free GPU-powered password busting tool called ‘ighashgpu’ and you have yourself a lean, mean password busting machine. How lean and mean? Very:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a password consisting of seven characters, mixed-case/symbols random password like ‘F6&B is’ (note the space), that’s gotta be tough for a bruteforce attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

What’s the solution? Well, Honeyball doesn’t know, and neither do I to be perfectly honest. What I do know is that this is a warning, and one that we need to take seriously. Unless we’re willing to move onto 15-16 characters, mixed-case/symbols random password (which will end up on Post-It Notes), passwords will soon only offer protection against honest people.

[UPDATE: Take a look at this - whitepixel 2 running with 4 x HD 5970 cards (8 x GPUs) capable of 33.1 billion MD5 password hashes/sec.

Via: SimonZerafa of PC-Technical]


Department of Homeland Security Seizes More Domains

Source: http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names

Many readers have sent in an update to yesterday’s story about the Department of Homeland Security’s seizure of torrent-finder.com, a domain they believe to be involved in online piracy. As it turns out, this was just one of dozens of websites that were targeted by Immigration and Customs Enforcement.

“In announcing that operation, John T. Morton, the assistant secretary of ICE, and representatives of the Motion Picture Association of America called it a long-term effort against online piracy, and said that suspected criminals would be pursued anywhere in the world. ‘American business is under assault from counterfeiters and pirates every day, seven days a week,’ Mr. Morton said. ‘Criminals are stealing American ideas and products and distributing them over the Internet.’”

The TorrentFreak article we discussed yesterday has been updated with a list of the blocked sites.


US Government Seizes Torrent Search Engine Domain

Source: http://yro.slashdot.org/story/10/11/26/1450257/US-Government-Seizes-Torrent-Search-Engine-Domain

Voulnet writes with this excerpt from TorrentFreak:

“This morning, visitors to the Torrent-Finder.com site are greeted with an ominous graphic which indicates that ICE has seized the site’s domain. ‘My domain has been seized without any previous complaint or notice from any court!’ the exasperated owner of Torrent-Finder told TorrentFreak this morning. ‘I firstly had DNS downtime. While I was contacting GoDaddy, I noticed the DNS had changed. GoDaddy had no idea what was going on and until now they do not understand the situation and they say it was totally from ICANN,’ he explained. Aside from the fact that domains are being seized seemingly at will, there is a very serious problem with the action against Torrent-Finder. Not only does the site not host or even link to any torrents whatsoever, it actually only returns searches through embedded iframes which display other sites that are not under the control of the Torrent-Finder owner.”


Do you really need antivirus software?

Source: http://www.zdnet.com/blog/bott/do-you-really-need-antivirus-software/2685

Do you need antivirus software on your PC?
If you’re not sure of the answer to that question, then the short answer is yes. The longer answer is that security software is only one piece of what should be a simple, straightforward, and systematic approach to your PC’s health. I’ll outline my recommendations in this post. If you’re visiting the family over the holidays, you might want to take my list along with you.

But first, let me rant a bit. It’s no secret that I dislike the security software industry. In one of my very first posts here, nearly four years ago, I called it a “protection racket” and said, “I can already see the beginnings of an ‘arms war’ among security software companies, with ads and whisper campaigns based on fear.” Back in 2005, I wrote a post arguing, “The security software industry wants you to be afraid.”

I have deeply mixed feelings about antivirus software, especially when it’s part of a big security suite that tries to protect you from every imaginable form of online threat. The companies that sell you that software have an interest in keeping you afraid, and so they publish countless studies proving how dangerous the online world is.

They also have a vested interest in proving that you haven’t wasted your subscription dollars on their product, so they need to occasionally (or continually) pop up messages and alerts and reminders to show you exactly which threats they’ve blocked. Even when those “threats” are trivial or nonexistent.

Just how dangerous is it out there? Here’s what you need to know:

  • No computing environment is immune. Every platform can be exploited by an attacker. This month’s Mac OS X v10.6.5 and Security Update 2010-007 included well over 100 fixes to critical security vulnerabilities, many of which could lead to arbitrary code execution. These are exactly the same types of vulnerabilities that Windows malware writers take advantage of. Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven’t bothered with them. If you use OS X on a Mac, I don’t think you need to install security software, but that recommendation could change someday if Apple’s platform continues to grow in popularity and attracts enough attention from bad guys.
  • Good behavior alone is not enough to protect you from attacks. Visiting porn sites and downloading pirated software puts you at a much higher risk of infection, but even legitimate web sites can be compromised, and seemingly innocent results in a search engine can lead to hostile sites.
  • Antivirus software is one layer among several. Depending on the type of threat, it can be very helpful, even if you consider yourself an expert PC user. But it is not a magic bullet, and it is no replacement for a well-rounded approach to security.
  • No antivirus software is perfect. It is literally impossible for any security product to identify every possible threat, especially when malware writers are constantly updating their products to avoid detection. Most of the leading antivirus programs can identify and block the overwhelming majority of threats you’re likely to encounter online. The fact that they can’t reach 100% protection is why security software is only one part of a layered security strategy.
  • Many types of malware are installed voluntarily. Among the most common threats are Trojans, which spread via social engineering. The job of a malware writer is to convince you to run his innocent-sounding program, which secretly does something other than its stated purpose. It might claim to be a new video playback plugin (like the one I saw last week) but actually turns out to be a program that hides on your PC and steals passwords or sends spam. Social engineering explains how an entire class of malicious fake antivirus programs made it onto the top 10 malware list for the first half of this year.
  • Malware writers make their living exploiting unpatched systems. One of the top 10 threats found and removed from Windows PCs in the first half of this year was Win32/Conficker. The vulnerability that Conficker exploits was blocked by a Microsoft patch released in October 2008. In fact, that’s true of most of the top PC malware variants found in the wild. Four of the entries on the top 10 list for 2010 are based on vulnerabilities that were identified and patched in 2007 or 2008, and none of the others could have been installed without explicit user interaction on a fully updated copy of Windows.
  • It’s not just Windows that needs patching. Some of the most effective malware vectors these days are coming through vulnerabilities in products like Adobe Flash and Reader, in the Java runtime, and in Microsoft Office. In most cases, the vulnerabilities were patched quickly by the software maker, but if you didn’t apply that update, you remain vulnerable. Ironically, most of these exploited programs are cross-platform; in theory, malware authors can add code to their PDF or Java exploits that target Macs or Linux PCs. So far, they haven’t done that.
  • Attacks via zero-day exploits are rare. Zero-day exploits get a lot of publicity, but they rarely have a widespread impact. The worst variants of these attacks are the ones aimed at specific companies, like the targeted wave of attacks against Adobe, Google, and other high-profile companies in early 2010. And even those only succeeded because they exploited unpatched systems using an outdated browser.

HardForum Discussion: http://hardforum.com/showthread.php?t=1563906

Since the last time I had an anti-virus discussion on HardForum (at least six months ago, if not more), it is evident from the overall replies in the thread that either (1) a lot of people have realized that anti-virus software is really not as beneficial and core-critical as they originally thought, or (2) a lot of the people who participated in the last discussion and were strongly for anti-virus software are not participating in this one. I think this is good, though, because it shows that at least some people are thinking and evaluating situations for themselves.

So what would be the “right” way?

I absolutely couldn’t tell you, because I am not God. However, I think there is a better-than-the-norm way of securing oneself; I would not recommend it to amateurs or computer-illiterate folks because they are simply not tech-savvy enough (for that crowd I would recommend “the norm”: simply having an anti-virus program installed and running).

  1. One of the most important things is intelligence and maturity. Without it, not even the most secure Linux distribution will save you
  2. Secure your network and browsing experience
  3. Every month, or two months, or three months, or six months (at the most, and depending on how paranoid you are) you want to do a checkup just to make sure you are clean

That is how I roll (and successfully for the past 5-7 or so years since I gave up anti-virus software).


Scheduling Defragment on NT AUTHORITY\SYSTEM

I would write a script for this, but I don’t know enough to do it. If the task is scheduled under <ComputerName>\Administrator, it has to be updated every time the computer’s name is changed (specifically the user account Windows should use to run the task; the username field does not update itself when the computer name changes). Running the task as SYSTEM means no password is stored with it or potentially exposed (the chances of that happening are probably small anyway), and the task runs much like a Windows service.

Additionally, this will keep your machine or workstations defragmented (assuming you leave them on all night or let it run an all-nighter once a week). Using Diskeeper’s own network-based disk fragmentation analyzer, I have found that Microsoft’s built-in defragmenter works just as well as Diskeeper. The only advantage to Diskeeper would be that it defragments on the go, essentially eliminating fragmentation in the first place.

Open cmd and type the following:

net start "Task Scheduler"

(Change 00:00 to the current time plus one minute, in 24-hour format.)
at 00:00 /interactive C:\WINDOWS\system32\cmd.exe

(Wait for a new cmd.exe to pop up. The Task Scheduler service launched it, so it is running as SYSTEM. Type the following in that new cmd.exe:)
schtasks /Create /RU "SYSTEM" /SC DAILY /TN "Defragment" /TR "C:\WINDOWS\system32\defrag.exe C:" /ST 00:00:00

Go to Start –> Control Panel –> Scheduled Tasks.

Right click on “Defragment” and select Properties.

Go to the Settings tab and uncheck “Delete the task if it is not scheduled to run again.”

Change “Stop the task if it runs for” to 6 hours.

Check “Don’t start the task if the computer is running on batteries” and “Stop the task if battery mode begins.”

Click on Apply and then OK.

Close the two cmd instances.

There is also a way to create the task on other workstations over the network using PsExec. Note that the -p value is passed in clear text on the command line, so it is visible to anyone who can see the process list on the machine you run it from and may be kept in the command history; if you omit -p, PsExec prompts for the password instead of echoing it.

psexec \\NameOfRemoteComputer -u NetworkName\Administrator -p NetworkAdminPasswordHere -s schtasks /Create /RU "SYSTEM" /SC DAILY /ST 00:00:00 /TN Defragment /TR "C:\WINDOWS\system32\defrag.exe C:"
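The same task, created with PowerShell instead of the at/schtasks/GUI sequence above. This is an added example, not part of the original post, and it targets the ScheduledTasks module that ships with Windows 8 / Server 2012 and later rather than the XP-era tools the post uses; it assumes the task name “Defragment”, drive C:, a daily 00:00 trigger, and an elevated PowerShell session.

```powershell
# Added example (not from the original post): register the "Defragment" task
# as NT AUTHORITY\SYSTEM with the settings the GUI steps above set by hand.
# Assumptions: task name "Defragment", drive C:, daily at 00:00, run from an
# elevated PowerShell session on Windows 8 / Server 2012 or later.

$TaskName = 'Defragment'

$Action  = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\defrag.exe" -Argument 'C:'
$Trigger = New-ScheduledTaskTrigger -Daily -At '00:00'

# SYSTEM is a service account: no password is stored with the task, and
# renaming the computer does not invalidate the principal.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# ExecutionTimeLimit = "Stop the task if it runs for 6 hours".
# "Don't start on batteries" and "Stop if battery mode begins" are the
# module's defaults; they are only turned off by -AllowStartIfOnBatteries
# and -DontStopIfGoingOnBatteries, so neither switch is passed here.
# "Delete the task if it is not scheduled to run again" is off unless
# -DeleteExpiredTaskAfter is given.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify who the task runs as and that the settings match the checklist.
$task = Get-ScheduledTask -TaskName $TaskName
[pscustomobject]@{
    TaskName                   = $task.TaskName
    RunAs                      = $task.Principal.UserId
    ExecutionTimeLimit         = $task.Settings.ExecutionTimeLimit        # expected PT6H
    DisallowStartIfOnBatteries = $task.Settings.DisallowStartIfOnBatteries
    StopIfGoingOnBatteries     = $task.Settings.StopIfGoingOnBatteries
    DeleteExpiredTaskAfter     = $task.Settings.DeleteExpiredTaskAfter    # empty = never deleted
}
```

Two notes on the original procedure. schtasks documents "System" as a valid /RU value from any Administrator prompt, so the at /interactive step is only needed if you actually want a shell running as SYSTEM, not to create the task. For deployment to other workstations, Register-ScheduledTask accepts -CimSession, and Invoke-Command over WinRM can run the block above remotely, which avoids putting the domain administrator password on a PsExec command line.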


Assembling a Lenovo G530 4446-24U Laptop

In this post I go through the steps for assembling a Lenovo G530 4446-24U laptop. This article is very image heavy. However, if you are looking for instructions on disassembling this laptop, you can find them at IBM Lenovo’s website here.


Church Presentation Software

Here is a list of software I found (I haven’t actually tried any of them, although I have heard and seen a couple of them in action before):

Logos Software is currently developing an online-based church presentation service called Proclaim ($???).

Audiovisual Presenter (freeware), though not quite like any of the programs in the above list, is a little similar: it helps organize the multiple PowerPoints and videos that will be used in a service. This program might be useful for those that use PowerPoint to project content during service.


How I’d Hack Your Weak Passwords

Source: http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length    All Characters                 Only Lowercase
3 characters       0.86 seconds                   0.02 seconds
4 characters       1.36 minutes                   0.046 seconds
5 characters       2.15 hours                     11.9 seconds
6 characters       8.51 days                      5.15 minutes
7 characters       2.21 years                     2.23 hours
8 characters       2.10 centuries                 2.42 days
9 characters       20 millennia                   2.07 months
10 characters      1,899 millennia                4.48 years
11 characters      180,365 millennia              1.16 centuries
12 characters      17,184,705 millennia           3.03 millennia
13 characters      1,627,797,068 millennia        78.7 millennia
14 characters      154,640,721,434 millennia      2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Demonstration video. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.
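Both password posts on this page (the GPU post at the top and the table in this one) are keyspace-divided-by-guess-rate arithmetic, so a small calculator makes the numbers reproducible. This is an added example, not code from either post and not ighashgpu or any of the crackers listed above. It takes the guess rates the GPU post quotes for NTLM (9.8 million/s on the CPU, 3.3 billion/s on the HD 5770) and the 33.1 billion MD5/s from the whitepixel update; the roughly 1 million/s figure for the 2007 table is an assumption derived from its first row (26^3 guesses in 0.02 s), not a rate the page states. The times it prints are worst case, i.e. the whole keyspace; the GPU post’s figures are measured time-to-hit on one password, which is why they come out somewhat lower.

```python
"""Brute-force time calculator (added example; not code from the posts above).

Computes the worst-case time to exhaust the keyspace a password falls in at a
given guess rate. Rates: the NTLM CPU/GPU figures and the whitepixel MD5 figure
quoted on the page; the ~1M/s rate is an assumption derived from the 2007 table.
"""
import string

# Character classes the way the posts (and a cracker's mask attack) scope them.
CLASSES = {
    "lower": string.ascii_lowercase,        # 26
    "upper": string.ascii_uppercase,        # 26
    "digit": string.digits,                 # 10
    "symbol": string.punctuation + " ",     # 32 printable symbols plus space = 33
}

RATES = {                                   # guesses per second
    "2007 table, ~1M/s (derived)": 1.0e6,
    "CPU, NTLM, 9.8M/s": 9.8e6,
    "HD 5770, NTLM, 3.3G/s": 3.3e9,
    "whitepixel 2, MD5, 33.1G/s": 33.1e9,
}


def alphabet_size(password: str) -> int:
    """Size of the union of every class that contributes a character to
    `password`: the alphabet an attacker needs once the classes are known."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no character from a known class")
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over `alphabet`."""
    return alphabet ** length


def seconds_to_exhaust(password: str, rate: float) -> float:
    """Worst-case seconds to try every candidate of this length and alphabet."""
    return keyspace(alphabet_size(password), len(password)) / rate


def human(seconds: float) -> str:
    """Render seconds in the largest fitting unit, as the 2007 table does."""
    year = 365.25 * 86400
    units = [("millennia", 1000 * year), ("centuries", 100 * year), ("years", year),
             ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3f} seconds"


def report(passwords):
    """(password, alphabet, length, {rate name: human time}) for each input."""
    rows = []
    for pw in passwords:
        n, length = alphabet_size(pw), len(pw)
        times = {name: human(keyspace(n, length) / rate) for name, rate in RATES.items()}
        rows.append((pw, n, length, times))
    return rows


if __name__ == "__main__":
    # The four passwords from the GPU post, plus a constructed 16-character one
    # of the kind the post says would be needed (not from the page).
    samples = ["fjR8n", "pYDbL6", "fh0GH5h", "F6&B is", "q7$Lp2!vX9mB4#zR"]
    for pw, n, length, times in report(samples):
        print(f"{pw!r}: alphabet {n}, length {length}")
        for name, t in times.items():
            print(f"    {name:<30} {t}")
```

The interesting comparison is not CPU against GPU but length against alphabet: each extra character multiplies the work by the alphabet size, while adding a new class only adds to it, which is why the 16-character sample survives the 33.1 billion/s rate by many millennia and the 7-character symbol password does not survive an afternoon.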


DreamHost’s Unlimited Policy

Source: http://www.dreamhost.com/unlimited.html


Mastering Photoshop With Paths