Friday, March 30, 2012

Utah County Researcher Cracks Stratfor Passwords

In an earlier blog post, I talked about the hack against Stratfor, whose user password hashes, credit card hashes, and e-mail were leaked to the public.  One might ask what happens to those databases once they are leaked? Kevin Young, a fellow Utah County Security Researcher and friend, decided to make a research project out of the leak. 

He grabbed a copy of the hash and credit card database, set up a password cracking farm, and started cracking.  Here are some excerpts from the conversation we had:

Kevin: I've gone round and round stratfor a couple of times now.

Kevin: I had about 150k of the 860k then quit to focus on the CC hashes. I got most all of the CC hashes.

Blake: What percent of the CC hashes would you say you have?

Kevin: 90%+

Kevin: Then, I restarted about 2 months ago -- I could get an exact date if you need it -- to completely start over again on the 860k list. I wanted a better methodology and recordkeeping. That's when I figured this was publish-able research.

Blake: So you did in fact restart your cracking against the password hash database?

Kevin: Yes

Blake: After restarting, how many have you cracked?

Kevin: 208,807.  Now...that excludes a LOT of duplicates.

I went on to ask Kevin what the most complex password was.  He gave me almost a dozen complex passwords, including pass phrases.  Frankly, I was shocked.  I knew he had been doing research and writing custom password cracking rules, but it was staggering to see what he was getting in return.  Per Kevin's request, I will not post actual passwords, as they are in fact passwords for REAL individuals out there; however, I asked permission to slightly modify passwords while still keeping the structure, and he agreed.  Here are some examples of cracked passwords:

Go Gators!

You can follow Kevin and his research on Twitter (@IT3700) or on his blog:

Disclaimer: I received permission from Kevin Young to post this and quote him.  He has reviewed the content and signed off on it.

Wednesday, March 28, 2012

How many paragraphs would you write?

If you aren't already familiar with this case, the geopolitical analysis group Stratfor was hacked towards the end of last year and subsequently lost:

  • 5 Million E-mails
  • 800,000 user password hashes
  • 76,000 credit card hashes
Note: For the novice among us, a hash does not mean the data was stored in plain text, but it's pretty close.
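To show why a stored hash can be "pretty close" to plain text, and why Kevin's cracked count "excludes a LOT of duplicates", here is an added example that is not part of this post. It assumes, purely for illustration, that the site stored fast unsalted MD5 (the post does not say what Stratfor used) and contrasts it with a per-user salt and a slow KDF; all user records are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; not real leaked data.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "Go Gators!",
    "carol": "password1",
    "dave": "correct horse battery staple",
    "erin": "password1",
}

def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical digests,
    so one cracked digest unlocks every account that shares it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF: identical
    passwords give different digests and each guess costs real work."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()

def verify(password: str, salt: bytes, stored: str, iterations: int = 100_000) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(salted_pbkdf2(password, salt, iterations), stored)

def duplicate_groups(digests) -> int:
    """Number of distinct digests that appear more than once in the store."""
    counts = Counter(digests)
    return sum(1 for c in counts.values() if c > 1)

def unsalted_duplicates(users=SAMPLE_USERS) -> int:
    # Three users share "password1" -> one visible duplicate group.
    return duplicate_groups(unsalted_md5(p) for p in users.values())

def salted_duplicates(users=SAMPLE_USERS) -> int:
    # Same passwords, but a fresh 16-byte salt per user hides the sharing.
    return duplicate_groups(salted_pbkdf2(p, os.urandom(16), 1000) for p in users.values())
```

The iteration count is lowered to 1000 in the duplicate check only to keep the demonstration fast; a production setting should be far higher.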

The CEO of Stratfor posted a 19-paragraph response on his website talking about the attack and what occurred afterwards.  Essentially, his response was an attempt to repair some of the damage that had been done to the company's user base and to take responsibility for the compromise of its security.

George Friedman, CEO of Stratfor, states:

"In early December I received a call from Fred Burton, Stratfor's vice president of intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen."

"We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files. This was a failure on our part. As the founder and CEO of Stratfor, I take responsibility for this failure, which has created hardship for customers and friends, and I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn't grow with it."

See Reference:

Put yourself in this situation as an IT Manager, Director, COO, CIO, or CEO.  How many paragraphs would you write to the public if your site had been compromised?

Monday, March 26, 2012

E-mail Forms - Attacker's View

E-mail forms on a web page can be really tricky.  Most sites use them as a "Contact Us" page where a user can submit feedback to the company.  In some cases, sites go one step further and allow you to send a message to another person.  An example of this would be a site that lets you send a gift (card) where the sender can include a message to the recipient.  If not secured properly, though, these forms can be abused.

Think about the following scenarios:

1) Let's say you aren't encoding the text sent from your "Contact Us" page.  An attacker could put in attack code (like JavaScript or a hidden iframe), and an unsuspecting employee could view that message and have that code run.  Now you have a compromised user/machine inside your organization, and the attacker can move further into your company.

2) In a form where the user can specify the recipient and message, an attacker could use your form to send their own content.  This attack vector is even better!  They can specify the addressee, the content, and maybe even the "from" address.  Now they can use you to send out their spam for them, and you take the fall.

Both of these scenarios can be mitigated by:

  • Educate employees to be suspicious of submitted content and to validate it before viewing or opening it.
  • Encode text from comment boxes so that a mail client doesn't try to interpret it as code.
  • Require visitors to purchase an item before allowing them to send a message to another user along with a gift purchase.  They may still try to send a malicious message, but you are now able to track who the user is, including their payment information.
  • If you still want to allow users to send messages from your site, at the very least require some type of valid login.  Don't make this publicly accessible.  People will abuse it!
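The mitigations above, as an added example that is not part of this post: a contact-form handler that encodes the message and pins both sender and recipient, and a gift-message handler that only accepts mail from a logged-in user with a paid order. The addresses, the session/order store and the header names are constructed for the example.

```python
import html
import re
from email.message import EmailMessage

# Constructed configuration for the example.
SITE_FROM = "gifts@example.com"          # fixed sender; never taken from the form
INTERNAL_INBOX = "support@example.com"   # fixed recipient for the contact form
# Constructed order store: user -> set of paid order ids.
PAID_ORDERS = {"user42": {"order-1001"}}

# Rejects whitespace, so CR/LF header injection cannot ride in on an address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def sanitize_body(text: str, limit: int = 2000) -> str:
    """Drop control characters, cap the length, and HTML-escape so that a
    mail client renders <script> or <iframe> as literal text."""
    text = text.replace("\r", "").replace("\0", "")[:limit]
    return html.escape(text, quote=True)

def build_contact_mail(name: str, reply_to: str, body: str) -> EmailMessage:
    """Contact Us: From and To are fixed; only Reply-To and the body come
    from the visitor, and both are validated/encoded."""
    if not EMAIL_RE.match(reply_to):
        raise ValueError("invalid reply address")
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = INTERNAL_INBOX
    msg["Reply-To"] = reply_to
    msg["Subject"] = "Contact form submission"
    msg.set_content(f"From: {html.escape(name)}\n\n{sanitize_body(body)}")
    return msg

def build_gift_mail(user: str, order_id: str, recipient: str, body: str) -> EmailMessage:
    """Gift message: only a logged-in user holding a paid order may address a
    third party, and the order id is recorded so abuse is traceable."""
    if order_id not in PAID_ORDERS.get(user, set()):
        raise PermissionError("no paid order for this user")
    if not EMAIL_RE.match(recipient):
        raise ValueError("invalid recipient")
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = recipient
    msg["Subject"] = "You have received a gift"
    msg["X-Gift-Order"] = order_id   # audit trail back to the paying customer
    msg.set_content(f"{html.escape(user)} sent you a gift with this message:\n\n{sanitize_body(body)}")
    return msg
```

Sending is left to whatever mailer the site uses; the point is that nothing the visitor types ever becomes a header, and the body is always text, never markup.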

Friday, March 23, 2012

Website Owners Don't Know They Were Hacked

An article by Emil Protalinski of ZDNet discusses a recent survey of approximately 600 website owners and administrators whose sites had been compromised.

Here is a summary of the findings:
- 90% didn't notice any strange activity, despite the fact their sites were being abused to send spam, host phishing pages, or distribute malware
- 63% of site owners don't even know how they were hacked
- 26% had not yet figured out how to resolve the problem at the time they completed the survey 
- 20% of those attacks were due to out of date software
- Approximately 50% only discovered the attack when they attempted to visit their own site and received a browser or search engine warning

The article also has a nice flow chart of how/why attacks occur.  Here is a link to the full article.

This is why you have someone test your site and tell you where you are vulnerable, instead of a hacker doing it maliciously.

While a Web Penetration Test does not guarantee your site is 100% safe, it certainly closes holes and makes you aware of where you are potentially vulnerable.

Another piece of advice: Always monitor and keep backups of your logs!!

Wednesday, March 14, 2012


Well the day has finally come.....
I have decided to open a blog.  Who would've thought??

First, let me introduce myself.  My name is Blake, and I have been in the tech industry for over 10 years.  I have been in the Security Industry for 3 of those years and have thoroughly enjoyed it.  I specialize in Forensics, Network Assessments, and Web Penetration Testing.

The purpose of this blog is, in part, a small first step toward my goal of becoming an Independent Security Consultant/Web Penetration Tester.  I have always loved finding out how things work as well as breaking them....

I want to be able to provide affordable consulting services to Small Businesses that cannot afford dedicated Security Professionals or to hire large firms to conduct assessments.

Small Businesses are just as much of a target as Large Enterprises; in fact, they are a much easier target because they feel they can hide in the shadows.  Just look through your log files to realize how untrue that is.

I reached out to multiple contacts I had within Web Firms for Small Companies and boy did I get really supportive feedback!!  The Web Firms were just as concerned as the Small Businesses.  I even provided some services for free to kick start this process, and it has been a great experience.

If you are interested in my services,  please contact me, and I'd be happy to discuss your needs.