
"Hacking Team used shockingly bad passwords", via ZDNet


15 replies to this topic

#1 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,551 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:39 AM

Posted 12 July 2015 - 06:01 PM

One of the biggest hacks of the year -- not just in scope and size, but impact -- is over. As reporters and interested parties sift through the debris of the attack that left Hacking Team crippled, a big question remains.

How was someone able to walk in and swipe what appears to be the company's entire cache of corporate data?

The company used weak passwords.


Hacking Team used shockingly bad passwords

Looks like all it took was one bad P4ssword to bring the company to a downfall.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.



#2 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 16 July 2015 - 10:03 PM

you'd think they would use encrypted values to protect their data....


they call me te java mayster


#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,738 posts
  • ONLINE
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:08:39 PM

Posted 16 July 2015 - 10:49 PM

qwerty is a perfectly good password and easy to remember.

 

Memo to self.

Change all passwords to 1234 abc, Now that's security.



#4 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 17 July 2015 - 03:32 AM

type qwerty in here NickAu... you won't get very far with the computer https://howsecureismypassword.net/


they call me te java mayster


#5 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,738 posts
  • ONLINE
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:08:39 PM

Posted 17 July 2015 - 03:50 AM

I use GRC Haystack

https://www.grc.com/haystack.htm?id=1

 

I just tried my BC login password

 

https://howsecureismypassword.net/

It would take a desktop PC about 5 quintillion years to crack your password

 

GRC haystack.

 

Search Space Depth (Alphabet): 26+10+33 = 69
Search Space Length (Characters): 21 characters
Exact Search Space Size (Count): 418,958,574,787,112,743,276,396,255,521,521,606,769
(count of all possible passwords with this alphabet size and up to this password's length)
Search Space Size (as a power of 10): 4.19 x 10^38
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario: (Assuming one thousand guesses per second) 1.33 hundred trillion trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second) 1.33 million trillion centuries
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second) 1.33 thousand trillion centuries

 



#6 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 17 July 2015 - 04:04 AM

lol it takes 70 sextillion years to crack mine (I'll be sitting here for a long time)


they call me te java mayster


#7 Aura

Aura

    Bleepin' Special Ops

  • Topic Starter

  • Malware Response Team
  • 19,551 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:39 AM

Posted 17 July 2015 - 05:19 AM

Since qwerty is one of the most popular passwords, I'm sure it's one of the first that is being tried by bruteforcers/crackers. So when it comes to take, I think that all the mathematics behind it becomes useless. It's like abc123 or password.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 17 July 2015 - 08:52 PM

I know!!!! Let's use the best password ever!!! 234bcd!!! they'll never guess that!


they call me te java mayster


#9 Aura

Aura

    Bleepin' Special Ops

  • Topic Starter

  • Malware Response Team
  • 19,551 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:39 AM

Posted 17 July 2015 - 08:54 PM

Pretty sure that most password crackers/bruteforcers start their attack with a compiled list of the worst and most popular passwords, it would make sense. So in that case, it doesn't matter how "strong" mathematically talking a password is, it'll be cracked in a mere amount of seconds.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
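The two estimates being compared in this thread, the GRC Haystack search-space arithmetic in post #5 and the point in posts #7 and #9 that a password on a "worst passwords" list falls to a wordlist long before any exhaustive search, can be put side by side in code. The following is an added example, not code from the original thread, from GRC or from any of the posters. The alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the three guess rates are the ones quoted in post #5; the `COMMON_PASSWORDS` set is a constructed stand-in for the multi-million-entry lists a real cracker starts with.

```python
# Search-space arithmetic in the GRC Haystack style, next to a wordlist check.
# Added example; the alphabet sizes and guess rates follow the figures quoted
# in post #5 of the thread, everything else is an assumption of this example.

GUESS_RATES = {
    "online (1,000/s)": 1_000,
    "offline fast (100 billion/s)": 100_000_000_000,
    "massive array (100 trillion/s)": 100_000_000_000_000,
}

# Constructed, deliberately tiny "worst passwords" list. A real cracker's
# wordlist has millions of entries; the effect on a common password is the same.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "abc123", "1234", "P4ssword", "234bcd"]

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search would have to cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable symbols, as counted by Haystack
    return size


def search_space(alphabet: int, length: int) -> int:
    """Count of all passwords from 1 up to `length` characters over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, length + 1))


def centuries_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Centuries needed to try every password in `space` at the given rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def assess(password: str) -> dict:
    """Theoretical exhaustive-search cost versus the position in a wordlist.

    `wordlist_guesses` is the number of guesses a list-first attack needs, or
    None when the password is not on the list; for a listed password that
    number, not the search space, is what decides how long it survives.
    """
    space = search_space(alphabet_size(password), len(password))
    position = COMMON_PASSWORDS.index(password) + 1 if password in COMMON_PASSWORDS else None
    return {
        "search_space": space,
        "wordlist_guesses": position,
        "centuries": {name: centuries_to_exhaust(space, rate) for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    for pw in ["qwerty", "P4ssword", "correct horse battery staple"]:
        result = assess(pw)
        print(pw, "search space:", result["search_space"], "wordlist guesses:", result["wordlist_guesses"])
```

Running `search_space(69, 21)` reproduces the exact count shown in post #5, and `assess("qwerty")` shows the contrast Aura describes: a six-character lowercase password has a search space of a few hundred million, which already looks small, but a list-first attack finds it on its third guess regardless.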


#10 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 17 July 2015 - 09:01 PM

especially if it tries 100000000000 passwords per second


they call me te java mayster


#11 Aura

Aura

    Bleepin' Special Ops

  • Topic Starter

  • Malware Response Team
  • 19,551 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:39 AM

Posted 17 July 2015 - 09:12 PM

You would require an insane amount of hardware for that. Depending on what kind of password needs to be cracked, the response time of the server, the method used, etc. it's way lower, but still pretty high. Oh, and depends on the hardware you have and the method used.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 17 July 2015 - 09:33 PM

yeah I guess so, and it would only be used on big companies like Microsoft, because why would you spend the money trying to crack your neighbor's password


they call me te java mayster


#13 Aura

Aura

    Bleepin' Special Ops

  • Topic Starter

  • Malware Response Team
  • 19,551 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:39 AM

Posted 17 July 2015 - 09:35 PM

Password cracking is more frequent than you would think. There's something called "wardriving" that can involve password cracking and yes, it's basically cracking your neighbor's password. I'm surprised that they didn't have more secure passwords, even if they were written on a piece of paper (assuming it would be a really long and complex password) it would have been more secure.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:08:09 PM

Posted 17 July 2015 - 09:43 PM

that, I would have to agree with


they call me te java mayster


#15 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:10:39 PM

Posted 19 July 2015 - 10:00 PM

Since qwerty is one of the most popular passwords, I'm sure it's one of the first that is being tried by bruteforcers/crackers. So when it comes to take, I think that all the mathematics behind it becomes useless. It's like abc123 or password.

CryptoParty. https://cryptoparty.org
Download the Handbook. https://www.cryptoparty.in/documentation/handbook and 9.1.1 Password length and complexity: To protect your passwords from being guessed, length and complexity are important.

Mathematical Complexity, or Complexity Theory. http://mathworld.wolfram.com/ComplexityTheory.html

You would require an insane amount of hardware for that. Depending on what kind of password needs to be cracked, the response time of the server, the method used, etc. it's way lower, but still pretty high. Oh, and depends on the hardware you have and the method used.

If the "Hacking Team used shockingly bad passwords" where was Hacking Team's intrusion detection system?

(1) allowing only 5-10 login attempts, before their intrusion detection system blocks the account and red flagged an intrusion attempt.

(2) managed to login and copy over 400 Gb of data without any internet traffic monitoring or red flags?
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
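Crazy Cat's first point, that an intrusion detection system should block an account after 5-10 failed logins and flag the attempt, is the kind of rule a defender can express as a few lines of detection logic. The following is an added example, not code from the original thread or from any product the thread mentions. The log format (`timestamp user FAIL|OK source`), the threshold of 5 failures, the 10-minute window and the sample log lines are all constructed for this example.

```python
# Account lockout and alerting replayed over a constructed authentication log.
# Added example; the log format, threshold and window are assumptions of this
# example, and the sample lines below are constructed, not from any real system.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # failures allowed before the account is blocked
LOCKOUT_WINDOW = timedelta(minutes=10)  # failures older than this no longer count

# Constructed sample log: "timestamp user result source".
# bob: five failures spread over 20 minutes, never five inside one window.
# alice: two typos, then a normal login.
# admin: five rapid failures, then a "successful" login from the same source.
SAMPLE_LOG = """\
2015-07-05T02:00:00 bob FAIL 198.51.100.4
2015-07-05T02:01:00 bob FAIL 198.51.100.4
2015-07-05T02:02:00 bob FAIL 198.51.100.4
2015-07-05T02:20:00 bob FAIL 198.51.100.4
2015-07-05T02:21:00 bob FAIL 198.51.100.4
2015-07-05T02:30:00 alice FAIL 192.0.2.10
2015-07-05T02:30:05 alice FAIL 192.0.2.10
2015-07-05T02:30:12 alice OK 192.0.2.10
2015-07-05T03:00:01 admin FAIL 203.0.113.7
2015-07-05T03:00:02 admin FAIL 203.0.113.7
2015-07-05T03:00:03 admin FAIL 203.0.113.7
2015-07-05T03:00:04 admin FAIL 203.0.113.7
2015-07-05T03:00:05 admin FAIL 203.0.113.7
2015-07-05T03:00:06 admin OK 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) (\S+)$")


def parse(line: str):
    """Return (timestamp, user, result, source) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, result, src = m.groups()
    return datetime.fromisoformat(ts), user, result, src


def evaluate(log_text: str):
    """Replay the log in order.

    Returns ({user: time the lock was applied}, [alert strings]). A lock is
    applied on the LOCKOUT_THRESHOLD-th failure inside LOCKOUT_WINDOW; any
    later activity on a locked account is itself alerted, because a successful
    login there means the lockout is not actually being enforced.
    """
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    locked = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result, src = rec
        if user in locked:
            alerts.append(f"{ts.isoformat()} {user}: {result} from {src} on locked account")
            continue
        if result == "FAIL":
            window = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW]
            window.append(ts)
            recent[user] = window
            if len(window) >= LOCKOUT_THRESHOLD:
                locked[user] = ts
                alerts.append(
                    f"{ts.isoformat()} {user}: {LOCKOUT_THRESHOLD} failures within "
                    f"{LOCKOUT_WINDOW} from {src}, account locked"
                )
        else:
            recent[user].clear()  # a real login resets the failure counter
    return locked, alerts


if __name__ == "__main__":
    locked_accounts, raised = evaluate(SAMPLE_LOG)
    for a in raised:
        print(a)
```

The sliding window is what keeps bob's slow, spread-out failures from locking him out while admin's burst trips the rule on the fifth attempt; the sixth admin line then produces a second alert, which is the signal Crazy Cat is asking about: a login succeeded on an account that should already have been blocked.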

 





