Showing posts with label security. Show all posts
Showing posts with label security. Show all posts
A password hash generated using algorithms like MD5, BSD, SHA1 or other default hashing algorithm is said be a weak hash, since there are known attacks. Its important to using a hashing algorithm like SHA-2 ( SHA-224, SHA-256, SHA-384, SHA-512 ) since till date there are no known attacks. On a UNIX based operating system , passwords are hashed and stored in either /etc/passwd or /etc/shadow file. If the /etc/shadow file is missing on the system, it can be generated by running the command pwconv, which will move the password hashes from /etc/passwd to /etc/shadow and then place character 'x' as a placeholder in passwd file - indicating that the password hash is stored in shadow file.

Linux/Unix systems must employ password hashes using the SHA-2 family of algorithms or FIPS 140-2 approved successors. Use of unapproved algorithms may result in weak password hashes, which are more vulnerable to compromise. Check /etc/passwd and /etc/shadow file for password hashes. Typically /etc/passwd file looks like:

The hash will always begin with a 3 letter identifier - indicating the hashing algorithm. Format of password hash will be "$id$salt$hashed", where $id is the algorithm used. Below table should help :

Alogrithm usedHashed value starts with
BSDi_
MD5$1$
Blowfish$2$, $2a$, $2x$ or $2y$
NT Hash$3$
SHA1$4$
SHA2 (256 or 384 bits)$5$
SHA2 (512 bits)$6$

Typically /etc/shadow file looks like :
 So the easiest way to find out weak password hashes is by analyzing the first 3 characters of the password placeholder field as shown above. You can use a simple shell script to detect this. Before doing this you need to know about some special characters which are never present in a password hash string. Below are the important character sequences:

"NP" or "!" or null - No password, the account has no password.
"LK" or "*" or "*LK*" - the account is Locked, user will be unable to log-in
"!!" - the password has expired

Our shell script should skip such password hashes and only report those which are actual hashes using weak hashing algorithms. Read the files /etc/passwd and /etc/shadow line by line and use the below code to analyze the hash.

#!/bin/sh
algoname="SHA-2"
while read line
do
    checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
    if [ -n "$checkline" ]
    then
           algo=`echo $checkline | cut -c 1-3`
           # 'x' means password hash is stored in /etc/shadow file
           if [ $algo = 'x' ]
           then
                  continue
           fi
           if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
           then
                  accname=`echo $line | cut -d':' -f1`
                  echo "User $accname is not using $algoname hashing algorithm."
           fi
    fi
done </etc/passwd


while read line
do
    checkline=`echo $line | cut -d':' -f2 | grep -v "NP" | grep -v "LK" | grep "^[0-9a-zA-Z./\$][^\*]"`
    if [ -n "$checkline" ]
    then
           algo=`echo $checkline | cut -c 1-3`
           if [ ! $algo = '$5$' ] && [ ! $algo = '$6$' ]
           then
                  accname=`echo $line | cut -d':' -f1`
                  echo "User $accname is not using $algoname hashing algorithm."
           fi
    fi
done </etc/shadow

No output from the above script means, all users on the system are using SHA-2 based password hashing algorithm. You can modify the parameters in RED to detect other algorithms also.

Quickly find out the weak password hashes on a unix box

Feb 3, 2013
Cryptographic hashes are used for passwords on UNIX operating systems. These cryptographic algorithms need to be strong enough so that they are not compromised.  With the current rate of growth in computer's processing power, time to crack a password is reducing. Use of such algorithms may result in weak password hashes which are more vulnerable to compromise. Most Linux operating systems use MD5 algorithm for cryptographic hashing, which has been severely compromised. Obviously this does not mean MD5 is insecure for password hashing but in order to reduce the chances of  vulnerabilities a more secure and robust algorithm which has no known weaknesses ( like SHA-256  or SHA-512) is recommended.

 So the question is, can we increase the security with the existing hashing algorithms like MD5 ? The answer is yes ... There is something known as "rounds" - a parameter associated with almost every password hashing algorithm.

For example, rounds=85000 means, your computer must compute 85000 hashes every time you log in. This will impose a restriction that an attacker has to compute 85000 hashes for each password he is trying to compromise against the hash in your /etc/shadow. Therefore the attacker will be delayed by a factor of 85000. Most modern computers will take less that 1 second to compute 85000 hashes. If you do not specify the rounds option, the system will use the default value for the algorithm used.
MD5 - default 4096 rounds , SHA256 or SHA512 - default 5000 rounds. Technically the rounds can be shown as :

key = hash(password)
for 1 to 85000 do
key = hash(key)

How to specify rounds option for password hashing ?

Red Hat Enterprise Linux (RHEL)
/etc/pam.d/passwd
password required pam_unix.so sha512 shadow nullok rounds=85000

Oracle Solaris
/etc/security/crypt.conf
md5 crypt_sunmd5.so.1 rounds=85000

Suse Linux Enterprise Server (SLES)
/etc/default/passwd
CRYPT=SHA512
SHA512_CRYPT_FILES=85000

IBM AIX
/etc/security/pwdalg.cfg
sblowfish:
lpa_module = /usr/lib/security/sblowfish
lpa_options = cost_num=10

Note : In above case, if Blowfish algorithm used, number of rounds is to entered as 2^cost_num. So if you want 1024 ( 2^10 ) rounds , you should specify the setting as BLOWFISH_CRYPT_FILES=10. The valid value of cost_num is an integer between 4 and 31, inclusive.  While playing around with this setting, I entered value of cost_num as 31 , and when I tried to change password for root, the process was in progress for more than 4 hours .... I had to finally terminate it. Number of rounds for 2^31 = 2147483648 ( two billion one hundred forty-seven million four hundred eighty-three thousand six hundred forty-eight ). So the password hash will be generated after 2147483648 rounds, which requires more than 6 hours ... Next time the user tries to login to the system, he needs to wait for more than 6 hours for the hash to be computed and then match it with the one stored in /etc/shadow or /etc/passwd file .

Once the password hashing settings are changed, the existing passwords are not automatically re-hashed. In order to enforce this and close the vulnerability gap, you need to force the users to change the password.

Force users to change password on next login:
passwd -f <user-name>

Once the password is changed, the updated hash in the /etc/shadow or /etc/passwd file will look something like :
piyush:$6$rounds=85000$JG2mong9$dh/SPT6z07CkWWNorukiJtFeM/dd.H8YmFrodChTpa2zIgajkTVgCfnAusmYMBakFXKCusNr8wF8Ugk8ewmv3.:15 

The entire process of increasing rounds is known as "Key stretching" - which helps in making a weak password more secure to brute-force attacks, by increasing the time needed to test each key.

How to increase password hashing security on linux

Feb 1, 2013
"Warranty void if this seal is broken", that's a common line on any newly purchased electronic device. So if you open the device, its detected. Similar concept applies to world of "Passwords" on a computer. The characters of the plain text password are mixed in using different algorithms to create a hash which is kind of a signature for a stream of data. Another way to explain this according to wikipedia is, "A hash function is an algorithm that transforms (hashes) an arbitrary set of data elements into a single fixed length value (the hash)". So if the original password is "whoami8996" its hash value (using md5sum command on UNIX) is something like "5265638efece6f38bbdc858a5c396fb0", but if I change even one character from the password , its hash will change. These hashing algorithms are designed in such a way that no two different strings will have the same hash value. On Linux/UNIX operating systems you can look at a user's password hash in the /etc/passwd or /etc/shadow file.

This is how a user's account looks like in /etc/passwd file:

piyush:$1$Lq1yUo3c$GF7n.Lwjc0YVhHaYvnawQ1:500:500:piyush:/home/piyush:/bin/bash

Every field is separated by a colon " : " and the second field is the hash value of the user's password. Note: An x character instead of the hash indicates that encrypted password is stored in /etc/shadow file. One good thing about the hash is, its of same length for passwords of different lengths ( using the same algorithm to create a hashed value) . In above case MD5 algorithm is used to create the hash. How did I know that ??? Lets try to analyze the hash- $1$Lq1yUo3c$GF7n.Lwjc0YVhHaYvnawQ1.

Every hash has a unique identifier string, like $1$ at the start of the hash in above case indicates that the hash was created using MD5 algorithm. Below table provides the list of algorithms and their identifier strings :

Alogrithm usedHashed value starts with
BSDi_
MD5$1$
Blowfish$2$, $2a$, $2x$ or $2y$
NT Hash$3$
SHA1$4$
SHA2 (256 or 384 bits)$5$
SHA2 (512 bits)$6$

In the above table, algorithms are listed in the order starting with weakest (prone to attack or more vulnerable to compromise) to strongest ( no known attacks or require very long time to attack/compromise using methods like brute force ). Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password. So how do you update the hashing algorithm used ?

Detect hashing algorithm used :
#authconfig --test | grep hashing
Sample output: password hashing algorithm is md5
Another way to detect:
egrep "password .* pam_unix.so" /etc/pam.d/system-auth-ac | egrep "sha256" | egrep -v "^[ ]*#"
The above command needs to be altered according the linux distribution used. Below are some files to look for:
/etc/pam.d/common-password (Debian)
/etc/default/password OR /etc/default/passwd (SUSE/Novell)
/etc/pam.d/system-auth-ac (Red Hat Enterprise Linux - RHEL)
/etc/security/policy.conf (Oracle Solaris)
/etc/security/login.cfg (IBM AIX)
Update the hashing algorithm (RHEL only, for others try editing the files above):
#authconfig --passalgo=sha512 --update
The above update will be applicable only for those users who will change their passwords post the setting update. Existing users who have not changed their password, will still continue to use the previously set hashing algorithm. However we can enforce the users to change their passwords on next login by setting the password expiry age to 0 days for a required user.
Force user to change password:
#chage -d 0 user-name
OR
#passwd -f user-name

Update password hashing algorithm for Linux / Unix

Jan 11, 2013
Blocking USB ports should only disable the usage of mass storage devices like external hard disk drives,pendrives, flash memory, memory card readers,bluetooth devices,usb data cards and any such device in which information can be stored. Devices like usb mouse, keyboards should still work with the usb ports. These devices are differentiated as Human Interface Devices or HID.
Why to disable usb ports :
We need to disable USB ports to prevent unauthorized/confidential data transfers.

Mechanism to block USB ports on Windows :

Modify the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\" with value "start" and data = 4

How to enable/disable usb ports :

start = 3 means enable usb ports
start = 4 means disable usb ports

How to disable USB sticks and limit access to USB storage devices :

* Go to Start > Run
* Write regedit in Run box and press Enter
* Now select HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > USBSTOR
* Now double click on Start in the right panel and change its value from 3 to 4





Once this value is modified reboot the computer or restart the explorer.exe process from task manager (this will reload the latest value from registry).

Now try to connect a pendrive/mass storage device. Windows will not read it and thus we have successfully blocked the usb ports.

How Employers Disable USB Ports & How Employees Enable them again :

Lets validate if this was successful by doing another test. Consider that the registry value has been changed to 4 (disable USB storage devices) .
Now , shutdown the machine , connect the pendrive to the usb port and boot the machine.  (Note the pendrive connected has never been connected to this machine .... )
Once the login screen appears , don't login but wait for a minute or so.
The new device is detected by the USB port and is now accessible once you login.

This happens because , if no user is logged onto the machine yet , windows uses the OS Kernel or the SYSTEM user in background to install the new device.
This a hidden user on any windows machine and has a higher authority than the administrator.

Check the value of USBSTOR registry key mentioned above. Value of start has been reset back to 3.
Lets investigate more on how to make a fail-proof solution to block usb ports.

How can I prevent users from connecting to a USB storage device?

Here's a Secure Solution :


1. Change the registry value of USBSTOR from 3 (enable usb ports) to 4 (disable usb ports)
2. Deny full control to the SYSTEM user to access/reset this registry key.




Now try to break this ... let me know if you can break this solution ...

Well now the question arising are : "programmatically setting usb stick ACL ?" or "regedit usb pen drive disable hide"
If you want to do this programmatically , first step is very easy ... we can run regedit in silent mode on remote machines.For step 2 we need to use the subinacl.exe - a tool by Microsoft to set/unsetaccess control lists (ACL) remotely/locally.

CACLS command can be used to display or modify Access Control Lists (ACLs) for files and folders. We can also use cacls to block USB ports.

Run following commands on command prompt :

cacls "C:\Windows\inf\usbstor.inf" /E /D Users Administrators "Power Users" SYSTEM
cacls "C:\Windows\inf\usbstor.pnf" /E /D Users Administrators "Power Users" SYSTEM

How to Block USB Ports on Windows Endpoints

Mar 1, 2012
A cutting-edge cloud-based endpoint anti-malware solution integrated with Tivoli Endpoint Manager (TEM).IBM announced a major update to Tivoli Endpoint Manager for Core Protection (TEM-CP), an integrated anti-malware and firewall product for Windows and Mac computers.Note that TEM for Core Protection is the updated name for what was formerly referred to as the BigFix Core Protection Module (CPM).

IBM Tivoli Endpoint Manager for Core Protection

May 30, 2011
Steganography is the practice of hiding confidential or sensitive information within something that appears to be nothing out of the usual.Steganography is often confused with cryptography because the two are similar in the way that they both are used to protect important information.

If a someone views the object that the information is hidden inside of  , he or she will have no clue that there is any hidden information in it. As a result the person will not try to decrypt the information/object .That is the beauty of Steganography.

Steganography in depth

May 10, 2011
The art of detecting hidden messages in digital media like images , audio or video is known as Steganalysis.The goal of Steganalysis is to identify / detect suspected files and determine any secret or confidential information is hidden in them and if possible recover the information.

Steganography Detection Hardware Appliance

May 9, 2011
A steganography software tool implements digital steganography process, allowing users to insert and extract hidden data into images , audio , video and documents.

Tools for Steganography

May 7, 2011

Steganography is the art and science of hiding information by embedding messages within media like images.The main purpose of digital steganography is often to create a message that defies detection.

There are number of file formats in which data is redundant or some data is of little importance.Digital steganography exploits this fact and the hidden message does not cause noticeable changes to the file.It is used in graphics files, HTML, sound files, video, and text files, for example, but image files are favored and referred to as stego-images.

The Art of Hiding Information in the Digital World

May 6, 2011

Source : Verizon Wireless Security

Perimeter for Mobile Data Security - Essential Elements

Apr 16, 2011

Source : Verizon Wireless Security

Perimeter for Mobile Data Security - Essential Elements

+

Copyright 2016 Cubic Race Published By cubicrace.com