Archive for May, 2009

7 is still better than 8, but passphrases are best

I wrote up the below in response to a question on a newsgroup about the best password length. It’s an old topic, but still very relevant. See my original piece here: http://www.securityfocus.com/infocus/1319

For Windows minimum password length, the difference between 7 and 8 is computationally negligible these days. An eight-character password fills both halves of a LanMan hash (which is still created by default, both on servers and workstations). Enforcing an eight-character complex password means users will typically put the special character (*&^%$) as the last character. (And many users will only create the minimal-length password.) That leaves the first seven characters as alphanumeric, which can be cracked with a small character set in a password cracker. The eighth character is then the special character, which is the first and only character in the second LanMan half, so it will crack instantly in a password cracker. You've then compromised a complex password of 8 characters in a matter of minutes.

If the password minimum length is seven, most users will make theirs seven, which means the special character is within the first 7 (probably last, but that doesn't matter). To crack that LanMan half you'd need to run the cracker with the entire character set (not just alphanumeric) over the entire 7-character range, which will take a long time. By this reasoning, a seven-character complex password will usually be tougher to crack than an 8-12 character complex password.

If you insist upon using 8, then make sure to set the registry key on all desktops, servers, and domain controllers so that the LanMan hash is not created. Then run one of the freeware tools available to delete all existing LanMan hashes from the password history (as they can be used to help guess what the current password is).

Better yet, enforce a minimum of 15 characters. You should still run a tool to delete all the old password hashes just to be safe. With a 15-character password, Windows won't store an LM hash at all, so it will be much tougher to crack.
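To make the two-halves argument concrete, here is an added Python sketch; it is not code from the original post. It reproduces only the LanMan preprocessing the post relies on (uppercase, pad or truncate to 14 bytes, split into two 7-byte halves, and no LM hash at all above 14 characters) and sizes the brute-force keyspace of each half from the character classes that actually land in it. The DES step of the real LM hash is left out, so the numbers are keyspaces rather than crack times, and the sample passwords are constructed for the illustration.

```python
"""LM-hash exposure check for candidate password policies (added illustration)."""
import string

# LM uppercases the password before hashing, so a-z and A-Z collapse to 26 symbols.
LETTERS = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation + " ")   # 32 punctuation marks plus space = 33

def lm_halves(password):
    """Return the two 7-byte halves LM would hash, or None when no LM hash is stored.

    Windows does not store an LM hash for passwords longer than 14 characters
    (the post's 15+ recommendation). Shorter passwords are uppercased and
    null-padded to 14 bytes, then split into two independent 7-byte halves.
    """
    if len(password) > 14:
        return None
    padded = password.upper().encode("latin-1", "replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def half_keyspace(half):
    """Estimate the number of guesses needed to brute-force one LM half.

    Only the non-padding bytes count, and the alphabet is sized by which
    classes (letters, digits, specials) appear in that half. A half that is
    all padding hashes a constant and is recognised instantly.
    """
    chars = half.rstrip(b"\x00").decode("latin-1")
    if not chars:
        return 1
    alphabet = 0
    if any(c in LETTERS for c in chars):
        alphabet += len(LETTERS)
    if any(c in DIGITS for c in chars):
        alphabet += len(DIGITS)
    if any(c in SPECIAL for c in chars):
        alphabet += len(SPECIAL)
    return alphabet ** len(chars)

def lm_cracking_effort(password):
    """Summarise LM exposure: whether an LM hash exists and the keyspace per half."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_stored": False, "halves": ()}
    return {"lm_stored": True, "halves": tuple(half_keyspace(h) for h in halves)}

def main():
    # Constructed samples: the post's three cases side by side.
    samples = [
        "Secur1t!",                        # 8 chars, special character last
        "Sec!r1t",                         # 7 chars, special character inside the half
        "correct horse battery staple",    # 15+ chars: no LM hash stored
    ]
    for pw in samples:
        effort = lm_cracking_effort(pw)
        if not effort["lm_stored"]:
            print(f"{pw!r}: no LM hash stored")
        else:
            first, second = effort["halves"]
            print(f"{pw!r}: half 1 = {first:,} guesses, half 2 = {second:,} guesses")

if __name__ == "__main__":
    main()
```

The 8-character sample leaves its second half as a single special character (33 guesses), so the attacker effectively only has to brute-force a 7-character alphanumeric half; the 7-character sample forces the full 69-symbol alphabet over all seven positions, which is about a hundred times more work; and the passphrase produces no LM hash to attack. The registry setting the post refers to is the NoLMHash DWORD (value 1) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on Windows XP/Server 2003 and later, which Group Policy exposes as "Network security: Do not store LAN Manager hash value on next password change".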

I’ve done an experiment in the classroom on password length (before Steve Riley wrote an article on this – no offense Steve!). I ask each person on one side of the classroom to pick a password. They think up a password – one they would typically use at work. Don’t say it, just think of it. Then I ask people on the other side of the classroom to think of a passphrase. Don’t say it out loud, just think of it. I ask the first side of the room (password) to count the length of the password they thought of, and I ask the others (passphrase) to count the length of their passphrase. The first side of the room is usually sitting between 7 and 13 characters long. The second side of the classroom is anywhere from 20 to 60 characters long (rarely shorter than 15).

Asking users to think of passwords as ‘passphrases’ is a really good way to encourage long password length. It’s usually easier for a user to remember their passphrase, and it’s easy for them to change it next month (they can simply change a word or value in their phrase). A good passphrase usually includes one or more spaces in the phrase, and the space counts as the special character (how many people put spaces in their passwords? Not many…)

Therefore, if you want to go with a minimum less than 15, use 7, else do 15+ and educate folks about the coolness of the passphrase. Just don’t use 8. (See my article here – why 7 is better than 8: http://www.securityfocus.com/infocus/1319)


New Microsoft IIS Zero-Day Vulnerability

Today (May 19, 2009) Microsoft released a security advisory for Microsoft IIS Servers. This flaw can enable attackers to read sensitive files on the webserver by submitting a specially crafted URL to the IIS server.

This is only the third vulnerability we’ve seen in IIS since October of 2004 (the last issues were Feb 2008 and July 2006) – IIS has been pretty secure over the last few years (unlike the years 2000-2004, where we saw numerous bulletins, patches, and exploitations such as Code Red and Nimda).

This flaw appears to me to be much more serious for customers running IIS 5 (Windows 2000) because the vulnerable WebDAV services are running by default. IIS6 (Windows Server 2003) doesn’t enable WebDAV by default.

It is unclear what level of access may be granted to an attacker via this exploit, as it all depends on how the webserver has been configured and how file system security has been applied to the data on the webserver. In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the webserver, but would not allow them to write any files. If the attacker is unable to write any files to the webserver, it’s far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server. One note of caution – this flaw could enable attackers to read code pages on the webserver, where these pages might include usernames or passwords for applications or databases controlled by the webserver.

Shavlik recommends people running IIS5 or IIS6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day.


Microsoft releases patch for PowerPoint 0-day flaw

Microsoft patched all Windows versions of PowerPoint today, addressing both a 0-day flaw and 13 other privately reported security vulnerabilities. The 0-day vulnerability enabled attackers to take over client machines if a user opened a malformed PowerPoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged-on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on with a user-level account, then the evil code could only execute with user permissions and not admin permissions.)

Microsoft has NOT released a patch at this time for PowerPoint on Mac. They said they weren’t seeing this flaw being exploited against Macs and therefore didn’t want to hold up release of this patch for Windows machines while they finished the Mac patch. The patch for PowerPoint on Mac will be released at a later date.

The patches released today include versions of PowerPoint that weren’t flagged as vulnerable to the zero-day, because Microsoft also included fixes for 13 additional vulnerabilities that were privately reported. Some of these vulnerabilities impact the newer versions of PowerPoint that were not vulnerable to the 0-day. Included in today’s release are patches for the PowerPoint Viewer as well as the full version of PowerPoint.

Security patches for items like PowerPoint are considered ‘client-side’ patches because the flaw can only be exploited once a user has taken an action on their computer. Typical client-side actions might include opening a malicious document, reading an evil email, or viewing an evil web page. These types of attacks are usually constrained to systems where a user is interactively working on the desktop. Systems which don’t have a lot of user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client-side exploits only obtain the same level of access on the system as that of the currently logged-on user.

Server-side attacks, on the other hand, don’t require user interaction to exploit vulnerabilities. Both workstations and servers are susceptible to server-side attacks. Server-side vulnerabilities leverage flaws in ‘services’ that are running on machines, such as web services, file and print services, and networking services (such as TCP/IP or NetBIOS). Because these services are constantly running and are exposed on the network, no user interaction is required to reach them. This means the exploit can propagate from machine to machine very quickly. SQL Slammer, Nimda, Code Red, and Conficker are all examples of server-side exploitation. In many instances, server-side exploitation leads to administrative or ‘system’ level access on the target computer.

Viruses are a great example of client-side exploitation. Because they are client-side, viruses usually require user interaction in order to spread and are therefore slower to spread than a worm. Worms, on the other hand, are representative of server-side exploitation. Since a worm doesn’t require user intervention to spread, it can propagate to other systems very rapidly.

Based on these definitions, today’s PowerPoint release addresses a client-side vulnerability. Its attack vector is dependent upon a user performing an action. As a result, we won’t see rapid propagation of infected systems through this vector (though once a machine is infected, it could launch other attacks using worm-like server-side attack mechanisms such as Conficker does). Best to patch your client-side systems (where users interact with the desktop) for this issue first, then patch any servers where PowerPoint products may be installed.
