Yvan Cartwright, Y.J.F.Cartwright@staffs.ac.uk

Web Security: Introduction

• Correct encryption use
• Guide to passwords
• Dictionary hacking
• Brute-force hacking
• Securing systems

Web Security: Ensuring optimum encryption

• Depending on how your server is configured you may have several hashing routines available to crypt(). (These slides call this "encryption"; crypt() is in fact a one-way hash, and the stored value cannot be decrypted back into the password.)

• Standard routines include:
  – Standard DES (2-character salt)
  – Extended DES (9-character salt starting with _: the underscore, a 4-character iteration count and a 4-character salt)
  – MD5 (12-character salt starting with $1$)
  – Blowfish, also known as bcrypt (the old PHP manual describes a 16-character salt starting with $2$; current PHP expects $2y$ or $2a$, a two-digit cost parameter, $ and a 22-character salt)

• The salt is random data that is stored with the hash and is not secret. It ensures that two users with the same password get different hashes and that an attacker has to attack each hash separately instead of reusing precomputed tables. A bigger salt widens that separation, but it does not make an individual password any harder to guess: that depends on the password itself and on how slow the hashing routine is.

Web Security: Using different routines in PHP

• How can we check using PHP which hashing routines are available?

• Simple. PHP defines the following constants and sets each one to 1 if the routine is available:
  – CRYPT_STD_DES
  – CRYPT_EXT_DES
  – CRYPT_MD5
  – CRYPT_BLOWFISH

• Since PHP 5.3 PHP ships its own implementation of all four routines, so on a current install every one of these constants is 1.

Web Security: Generating encrypted passwords

• In order to hash a password we can use the crypt() function in PHP.

• In older PHP versions, calling crypt() without a salt made PHP generate one itself (a two-character Standard DES salt, or an MD5 salt on builds where MD5 crypt was available). Current PHP requires the salt argument, and for new code the recommended interface is password_hash() and password_verify(), which choose the algorithm, cost and random salt for you.

• We can easily create our own PHP function that will generate a random salt of any desired length.

<?php
// Build a random salt of $salt_length characters from the alphabet that
// crypt() accepts for salts: "./0-9A-Za-z".
function makeSalt($salt_length)
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = "";
    for ($char = 0; $char < $salt_length; $char++) {
        // random_int() is a CSPRNG; the original slide used rand(), which is
        // predictable and must not be used for anything security-related.
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}
?>

• By placing the code above on our page, we can simply call it and send it the length of salt we want it to create.

• The original slide drew characters with chr(rand(40,126)), which gives numbers, letters and most special characters. crypt() only accepts the 64 characters ./0-9A-Za-z in a salt, so the function above draws from that alphabet, and it uses random_int() rather than rand() so that the salt is unpredictable.

<?php
// Hash the submitted password with each routine this PHP build supports.
// Uses makeSalt() from the previous slide. The salt alphabet is ./0-9A-Za-z,
// so the username-derived salts below only work for usernames made of those
// characters.
$user = $_POST['myusername'];
$pass = $_POST['mypassword'];

if (CRYPT_STD_DES == 1) {
    $salt = makeSalt(2);
    echo "<br>Standard DES salt: " . htmlspecialchars($salt);
    $standard_des_pass = crypt($pass, $salt);
}

if (CRYPT_EXT_DES == 1) {
    $salt = "_" . makeSalt(8);   // "_", 4-character iteration count, 4-character salt
    echo "<br>Extended DES salt: " . htmlspecialchars($salt);
    $extended_des_pass = crypt($pass, $salt);
}

if (CRYPT_MD5 == 1) {
    // The slide's scheme: begin the 8-character salt with the username and fill
    // whatever is left with random characters. (A username is predictable, so a
    // plain makeSalt(8) is the stronger choice.) max() guards the case where the
    // username is 8 characters or longer, which the original arithmetic mishandled.
    $salt = substr($user, 0, 8) . substr(makeSalt(8), 0, max(0, 8 - strlen($user)));
    $salt = '$1$' . $salt . '$';
    echo "<br>MD5 salt: " . htmlspecialchars($salt);
    $md5_pass = crypt($pass, $salt);
}

if (CRYPT_BLOWFISH == 1) {
    // Current PHP expects "$2y$", a two-digit cost and a 22-character salt; the
    // "$2$" prefix and 12-character salt on the original slide are rejected.
    $salt = substr($user, 0, 22) . substr(makeSalt(22), 0, max(0, 22 - strlen($user)));
    $salt = '$2y$07$' . $salt;
    echo "<br>Blowfish salt: " . htmlspecialchars($salt);
    $blowfish_pass = crypt($pass, $salt);
}
?>

Web Security: Good passwords

• A good rule of thumb on this list is that the routines producing longer output are the harder ones to break. Strictly, it is not the output length that matters but how much work each guess costs the attacker: MD5-crypt iterates its hash 1000 times and Blowfish (bcrypt) has a tunable cost parameter, whereas a single DES computation is very cheap.

• However, this rule is useless if the password
  – is too short (less than 8 characters)
  – is a word that can be found in a dictionary
  – does not contain any numbers or special characters

Web Security: Encryption in action

• Password = rasmuslerdorf (the crypt() example from the PHP manual; the leading characters of each result are the salt that was passed in)
• Standard DES: rl.3StKT.4T8M
• Extended DES: _J9..rasmBYk8r9AiWNc
• MD5: $1$rasmusle$rISCgZzpwk3UhDidwXvin0
• Blowfish: $2a$07$rasmuslerd............nIdrcHdxcUxWomQX9j6kvERCFjTg7Ra

• So, how do we go about cracking these passwords?
• A good first approach is to do a dictionary hack...

Web Security: Dictionary hacking

• The process of dictionary hacking is as follows:

1. Get the next word in the dictionary.
2. Hash it using the same salt as the next user.
3. Is the hashed dictionary word the same as the user's stored password hash? If yes then we've hacked their password!
4. If not and we have other users then goto 2.
5. Else if we have other dictionary words goto 1.
6. Else the password wasn't one of the words in our dictionary.

• Creating a program that performs this task is easy...
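The six steps above turned into code, as an added example that is not from the original slides. The user table, passwords and word list are constructed for the demo and the hashes are computed in place, so it runs offline; the attack covers all three routines the slides discuss because a stored crypt() hash carries its own scheme and salt.

```php
<?php
// Added example (not part of the original slides): a dictionary attack against
// crypt() hashes. Users, passwords and the word list are constructed for the demo.

// Constructed "stolen" password table: one user per scheme from the slides.
// The MD5 salt is the one from the slides; password_hash() builds a proper
// bcrypt salt for us (cost 5 is deliberately low so the demo runs quickly).
$users = [
    'alice' => crypt('letmein', 'ab'),                                        // Standard DES
    'bob'   => crypt('dragon',  '$1$rasmusle$'),                              // MD5
    'carol' => password_hash('Tr0ub4dor&3', PASSWORD_BCRYPT, ['cost' => 5]), // Blowfish (bcrypt)
];

// Constructed word list. Real attacks use lists of millions of leaked passwords.
$dictionary = ['password', '123456', 'letmein', 'dragon', 'qwerty'];

// Steps 1-6 from the slide. Returns [username => cracked password].
function dictionaryAttack(array $users, array $dictionary): array
{
    $cracked = [];
    foreach ($dictionary as $word) {                       // step 1: next word
        foreach ($users as $name => $stored) {             // step 4: next user
            if (isset($cracked[$name])) {
                continue;                                  // already cracked
            }
            // Step 2: passing the stored hash as the salt makes crypt() use the
            // same scheme, cost and salt and ignore the trailing hash part.
            $candidate = crypt($word, $stored);
            // Step 3: constant-time comparison of the two hashes.
            if (hash_equals($stored, $candidate)) {
                $cracked[$name] = $word;
            }
        }
    }
    return $cracked;                                       // steps 5 and 6
}

print_r(dictionaryAttack($users, $dictionary));
```

Running it recovers alice's and bob's passwords, while carol survives because her password is not in the list. The crypt($input, $stored) and hash_equals() pair is also exactly how a login check against a stored crypt() hash is written: the attacker's inner loop and the application's verification are the same operation, and the only thing separating them is how many times per second each side can run it.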

Web Security: Making it difficult for the hackers

• So, as far as hacking is concerned, provided that we don't use a dictionary word as our password we're safe, yes? No...

• A non-dictionary password means that the attacker has to fall back to a brute-force approach. (In practice crackers first try simple variations of dictionary words, such as appended digits, a capitalised first letter or letter-for-symbol substitutions, before resorting to brute force.)

• This means going through every possible combination of characters until a candidate hashes to the stored value.

Web Security: Brute-force hacking

• Brute-force hacking can take a long time!
• If the characters we can use to make a password consist of all letters and numbers (a total of 62 characters) then we can easily deduce how many 'keys' we have to check.

• 4 characters = 62^4 = 14,776,336 keys
• 6 characters = 62^6 = 56,800,235,584 keys
• 8 characters = 62^8 = 218,340,105,584,896 keys

• These counts are for passwords of exactly that length; an attacker who does not know the length also has to cover every shorter length, which adds 62^1 + ... + 62^(n-1) further keys.

Web Security: Brute-force hacking

• With the processing speeds of modern PCs, even this number of keys is crackable, at least for fast routines such as DES and plain MD5, where a single machine with a graphics card tries billions of candidates per second.

• Even if you make the passwords longer, it is possible to use clusters of PCs spread across the globe, using the Internet to break the task down into more manageable chunks.

• For comparison, the 128-bit keys most modern browsers use for SSL/TLS give 2^128 possibilities, and a brute-force search of that space would take far longer than thousands of years. A password only approaches that strength if it is long and random; short of that, a slow routine such as Blowfish (bcrypt) with a high cost makes every guess expensive enough that even a decent 8-character password takes years rather than hours to exhaust.
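The estimate on the previous two slides carried out in code, as an added example that is not from the original slides. It enumerates the 62-character alphabet against two constructed targets, one hashed with Standard DES and one with Blowfish (bcrypt), and uses the measured rate to extrapolate to the 62^8 case. The target passwords, the DES salt and the bcrypt cost are chosen for the demo.

```php
<?php
// Added example (not part of the original slides): exhaustive search over the
// 62-character alphabet from the slide, with the measured hash rate used to
// estimate the 62^8 case. The targets are constructed so the script runs offline.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Size of the keyspace for passwords of exactly $length characters (62^length).
function keyspace(int $length): float
{
    return pow(strlen(ALPHABET), $length);
}

// Try every string of exactly $length characters in odometer order.
// Returns [password, tries] on a hit, or [null, tries] if the keyspace is exhausted.
function bruteForce(string $stored, int $length): array
{
    $n = strlen(ALPHABET);
    $digits = array_fill(0, $length, 0);   // one index per position, all 'a'
    $tries = 0;
    while (true) {
        $candidate = '';
        foreach ($digits as $d) {
            $candidate .= ALPHABET[$d];
        }
        $tries++;
        // The stored hash carries its own scheme, cost and salt, so crypt()
        // hashes the candidate exactly as the real password was hashed.
        if (hash_equals($stored, crypt($candidate, $stored))) {
            return [$candidate, $tries];
        }
        // Advance the rightmost position, carrying leftwards like an odometer.
        $pos = $length - 1;
        while ($pos >= 0 && ++$digits[$pos] === $n) {
            $digits[$pos] = 0;
            $pos--;
        }
        if ($pos < 0) {
            return [null, $tries];         // wrapped around: keyspace exhausted
        }
    }
}

// Cracks one target, measures the rate and extrapolates to 8-character passwords.
function report(string $label, string $stored, int $length): void
{
    $start = microtime(true);
    [$found, $tries] = bruteForce($stored, $length);
    $elapsed = microtime(true) - $start;
    $rate = $tries / max($elapsed, 1e-6);
    $years = keyspace(8) / $rate / (365 * 24 * 3600);
    printf("%-14s found %-8s after %6d tries, %9.0f hashes/s, 62^8 at this rate: %.3g years\n",
        $label, $found ?? 'nothing', $tries, $rate, $years);
}

// Constructed targets. The bcrypt target is shorter and uses the minimum cost
// PHP allows (4); at a realistic cost the demo would take hours.
report('Standard DES', crypt('zZ9', 'ab'), 3);
report('bcrypt cost 4', password_hash('Q7', PASSWORD_BCRYPT, ['cost' => 4]), 2);
```

The DES target is found after roughly 99,000 candidates and the bcrypt target after roughly 2,700, so the two rates are comparable; the bcrypt figure is orders of magnitude lower, and every increase of the cost parameter by one halves it again. That ratio, not the hash output length, is what puts the 62^8 estimate out of reach for a well-chosen routine.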

Web Security: Uncrackable passwords

• For speed reasons, many hacking programs only use a subset of characters in their brute-force key generators.

• The following table contains a list of special characters that are not used.

• Using any of these characters in your own passwords takes them outside that subset, so a cracker limited to it would never generate them. This is not the same as uncrackable: a tool configured with the full 8-bit or Unicode character set, or one that applies mangling rules to leaked password lists, will still find a short password. Treat such characters as one more way to enlarge the search space, not as a substitute for length and randomness.

• Note: in order to use these characters you need to press the ALT key followed by the combination given using the numeric keypad.

[Page 15: the table of special characters was not captured in this transcript.]

Web Security: Feet of clay

• A security system is only as good as its weakest component.

• There are several steps that a systems administrator must go through to make a hacker's job harder.

• Most of these are easy to accomplish, although the specific details are not given here as this would be a module in its own right. Briefly, the steps are:

Web Security: Securing systems

• Ensure that the operating system is up to date and contains the latest security patches before connecting it to the network.

• Do not upgrade to a new operating system until it has been tested over the course of several months.

• Run a good anti-virus program and keep it up to date.
• Determine the role of any computer connected to the Internet and ensure that only those services required are permitted to run on it.

• Administrator passwords should be very strong.

Web Security: Securing systems

• Only use the administrator account when necessary.
• Use different passwords for administrator or root and general user accounts.
• Force new users to change their passwords when they first log in.
• Disable or delete old or unused accounts that belong to people who no longer need access.
• Disable Telnet and FTP, which send passwords in clear text. Use SSH instead.
• Drop any connection to a server if a login has failed 3 times (making a new connection takes time, which slows down online guessing).

Web Security: Securing systems

• Make sure to configure all installed software, disable all unused features and be sure to limit the availability of any features that are enabled.

• Install a software or hardware firewall to protect individual services.

• Restrict access to services to within the company's IP addresses.

• Maintain good physical security.
• Do not run anonymous FTP on any server with sensitive or "not public" data.
• Make frequent backups of systems and data.