Salted Hash: Live from Black Hat USA (Day 3)

Thursday is the day of the week that Hacker Summer Camp takes on some changes. The corporate side of things starts to wind down, and the Black Hat attendees are likely heading to one of two places – DEF CON or home. Salted Hash will remain for DEF CON, so expect more updates over the next few days.

Setting Black Hat and DEF CON aside for a moment, this update will address something unique that took place earlier this week; namely BSides Las Vegas.

For the last five years, BSides Las Vegas has been the third option when it came to the hacker confab in the desert.

It was founded as a way to host the talks rejected by Black Hat and DEF CON in 2009. Back then, it was called an un-conference. However, it isn’t fair to call it an un-conference anymore; it’s a global event, and one that’s worth looking into.

This week at BSides Las Vegas, there was a talk on career strategies for InfoSec hopefuls and existing worker bees; a talk on the value of threat intelligence feeds (and how to measure their actual intelligence); talks on various tools and methodologies, a talk on properly tuning an IDS and getting actual intelligence from it, and much more.

If you missed BSides Las Vegas this year, don’t worry. It’s free, and it will return next summer. Plus, most of it was recorded, so you will have a chance to catch the talks when their released over the coming weeks (sometimes sooner).

Another unique thing offered at BSides Las Vegas is a rookie track (called the Proving Ground) that features speakers giving their first “full” presentation. The Proving Ground is actually a great place to see the hacking community at its best. Getting over the jitters of your fist talk isn’t easy, and BSides is one of the most welcoming communities around.

This year BSides Las Vegas also hosted PasswordsCon, which bills itself as a “hacker conference that’s all about passwords, PIN codes, and digital authentication.”

I wasn’t able to make it to PasswordsCon, but I did manage to get some password-related information from Trustwave. Hopefully the PasswordsCon talks were recorded, and if so, they’ll be available soon. If Trustwave’s data is anything to go by, conferences like this are sure to become the norm.

From Trustwave:

“Weak or default passwords contributed to one third of compromises investigated by Trustwave. Annihilate weak passwords: Implement and enforce strong authentication policies. Deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user’s mobile phone.

“IT administrators can do their part to hinder password-cracking attacks by using unique, random salts when hashing stored passwords whereby a piece of unique, random piece of data is combined with each password before the hash is calculated. Secure password storage combined with well-educated users and a properly designed policy for user password choice can play a vital role in helping prevent a breach.”

Sticking to the numbers, the company says that in 2013 and 2014, of the 626,718 stored passwords that were collected during penetration testing engagements, more than half of them were recovered in just a few minutes. Moreover, 576,533 of them were cracked within 31-days (92 percent).

As the quote mentions, 31 percent of the 691 intrusions that Trustwave investigated in 2013 were directly related to weak or default passwords. In fact, the company concluded that there is a serious misconception when it comes to password complexity and strength.

“Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure,” the company explained in an overview of their password analysis.

“The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.”

When it comes to the fail list, Password1 remained the top password cracked, followed by Hello123, password, Welcome1, banco@1, and training.

It’s hard to be shocked. Password1 and password – just to pick two – have been the most commonly cracked passwords for nearly a decade now. This is why I once wrote that passwords are always going to be a problem, no matter how you look at it.

Then again, some of these weak passwords might be useful after all, if you follow the research from Microsoft and researchers at Carleton University, in Ottawa, Canada.