Monday, September 26, 2011

Microsoft's "Coordinated Vulnerability Disclosure"

Microsoft has been finding vulns in other people's products since forever. That's because for those of us "skilled in the art", it's impossible not to. Remember: when software crashes for you, you simply restart it. When it crashes for us, we trap it in a debugger, and use tools like !exploitable in order to see if it's exploitable.

Until now, Microsoft's response to such bugs as been ad-hoc. I'll bet that they've simply ignored the majority of such bugs. It takes a fair amount of work to take a bug that's "probably exploitable" to prove that it's "reproducibly exploitable". Security engineers should do it to keep in practice, but it's costly.

But now Microsoft has created an official disclosure policy for their engineers. Now, when they find a bug in somebody else's product, their engineers know what policy to follow.


Microsoft should be praised for not using the word "responsible" disclosure. The words "vulnerability disclosure" describe a fact, "responsible" describes an opinion. In a room of 10 cybersecurity experts, you'll get 15 opinions one what is "responsible" for disclosing a vulnerability. (And few would agree with my opinion that no disclosure is irresponsible, and that each of the different ways a bug is disclosed has a different set of tradeoffs).

The Golden Rule

Microsoft's policy of how they disclose bugs to others mirrors their policy of how they would like others to disclose bugs in Microsoft's products. This is the "coordinated" bit in their disclosure -- where "coordinated" gives the upper hand to the affected vendor rather than the vuln discoverer.

Most controversial is the idea "under no circumstances will Microsoft release details of an unpatched vulnerability unless evidence of public attacks exists". This gives the vendor the ("irresponsible") ability to bury bugs by never patching them. Microsoft has buried bugs on occasion by doing this.

In contrast, Mozilla and Chrome have policies that say if they fail to patch a bug within a certain timeframe, then it's OK for the discover to disclose it. Knowing how vendor's react, I prefer this policy.

I'm looking a fight

Here's what I want to see: Microsoft report a bug to Mozilla or Chrome that they bury. Which policy wins? Does Microsoft follow their policy and never publicly disclose the bug? Or do they switch and follow the Chrome/Mozilla policy and report anyway?

Password cracking, mining, and GPUs

People imagine that sophisticated hacking requires sophisticated computers. The truth is that almost everything a hacker does can be done with a cheap notebook computer, or even a mobile phone.

The major exception is password cracking, and related crypto tasks like bitcoin mining and certificate forgery. In these cases, a minor investment in hardware can be warranted.

In particular, those who need to crack passwords (pen-testers, sysadmins, hackers) should buy a gaming graphics card in order to speed up cracking. Or, when buying notebooks for pen-testing, they should choose those with graphics processors.

What’s a GPU

Computers, as we know them, used to contain a single processor, called the central processing unit or CPU".

Now they contain a second processor, called the graphics processing unit or GPU. As the name implies, GPUs are intended for graphics, which means games and video.

But GPUs aren’t just for graphics; they are good for any highly repetitive task. Typical GPU applications include video transcoding, statistical modeling, physics simulations, medical imaging, financial modeling, and cryptography. Password cracking is just one form of cryptography.

It’s important to keep in mind that graphics processors are no more powerful than central processors. Trying to run non-repetitive tasks on the graphics processor results in a speed decrease. Foolish hackers regularly attempt this, and are regularly disappointed. Instead, graphics processors are optimized for calculations that are highly repetitive, whereas normal processors are optimized for the major of code that isn’t very repetitive.

These days, most computers come with a GPU. The iPhone has an ARM CPU and a PowerVR GPU. The latest Intel "Sandy Bridge" CPUs come with a custom Intel GPU built into the chip. AMD processors (formerly called "Athlon") have a version of the Radeon GPU on the chip. Except for AMD’s built-in GPUs, these aren’t programmable by the user, and therefore, can’t be used for anything other than graphics (although Intel keeps promising to make their GPU more programmable). Even AMD’s built-in GPU is slow relative to add-on GPUs.

Instead, when this paper mentions GPUs, it refers to the gaming cards with the fastest GPUs. Such cards can easily accelerate password cracking by 20 times. Using such cards, people are putting 8 GPUs in a system, accelerating password cracking by 160 times. That means a password that would otherwise take 6 months to crack can now be cracked in a day -- assuming you are willing to spend $3000 on graphics cards.

Radeons are better than GeForce

There are only two manufacturers of high-end gaming cards: nVidia with their GeForce cards, and AMD with with their Radeon cards. Both sell a wide range of cards, from the very cheap (but slow) to the very expensive (but fast). Prices typically range from around $100 for the cheaper ones, to $800 for the most expensive, with the best price-performance ratio around the $250 mark (two $250 cards will likely be faster than a single $700 card).

For gaming, Radeons and GeForces have roughly the same performance, with the fastest GeForce cards being the slight favorite. For super computer applications, like weather modeling or physics simulations, the GeForce cards are the clear favorite. However, for crypto, it’s the Radeon cards that come out on top. For equivalently priced cards, a Radeon card will be over twice as fast as a GeForce card when cracking passwords.

There are a few reasons for this. Radeons have more theoretical power, but suffer from a "VLIW" instruction set that makes it hard to realize that power in practice. Password cracking is VLIW friendly, though, and can tap into that power. In addition, Radeons have specific integer instructions like "bitalign" (aka. "rotate") and "BFI_INT" ("bitselect") that speed up popular crypto operations.

Thus, a cheap model of the Radeon like the HD 5770 costing $109 will outperform an expensive GeForce model like the GTX 590 costing $749. The most expensive Radeon model, the HD 6990 costing $739, will be over three times as fast at cracking passwords.

Thus, the consequence is that if you want to crack WiFi WPA2 passwords, Windows NTLM password, Unix salted MD5 hashes, or Bitcoin hashes, then you should probably invested in one of these GPUs. Even a cheap $100 card can increase speed over your desktop processor by 20 times. Ideally, you should buy a Radeon card for this rather than a GeForce card.

Moore’s Law

The above discussion applies to June 2011. Next year, CPUs and GPUs will be twice as fast.

But it’s the relative performance that matters. Next year’s $250 graphics card will likely outperform next year’s CPU by 20 times. Unless AMD or nVidia makes radical changes to their chip architectures, the next generation of the Radeon will still likely outperform the next generation of GeForce cards.

Therefore, when you finally get around to buying that graphics card for password cracking, you’ll have to look on the web for password cracking benchmarks to see which card is currently giving the best price/performance ratio.

Notebook GPUs

The above discussion have been for desktop computers that consume a lot of electricity. Pen-testers often don’t have that luxury -- they often only have a notebook (running something like BackTrack Linux). In that case, they want to buy a "mobile" version of the Radeon or GeForce chips. They can’t buy such chips as addons, but instead, have to choose a noteboook that has their desired chip.

According to recent benchmarks, mobile Radeons are still faster than GeForces, but it’s highly variable. Notebook GPUs have an enormous range, as batttery life is traded for gaming speed. Thus, one notebook with a powerhungry GeForce may be a better choice than another notebook with a battery conserving Radeon. You’ll have to look at benchmarks, or theoretical numbers (based on clock speeds and core counts) to figure out which is best for your needs.

Also note that there are three classes of laptops: the normal laptops, the low end netbooks, and the high-end gaming laptops. Historically, only the high-end gaming laptops contained graphics processors, but now graphics processors are appearing throughout a wider range.

High-end gaming laptops are the best choice for password cracking power. The biggest ones have graphics processors that rival desktop cards. You can buy an Alienware M18x with a Radeon mobile GPU that is faster than all but the fastest desktop GPU. It’s also 18-inches across, weighs 8 pounds, lasts only a few minutes on battery, and costs $2400.

GPUs are becoming more popular in average notebook computers. Asus makes some nice, average sized laptops with GeForce GPUs for a good price. Of particular note are the current MacBook Pros (15 inch or 17 inch) which come with a good Radeon GPU. The GPU is far slower than desktop GPUs, but of course, they don’t drain the battery, and don’t jack up the price. My MacBook Air has a GeForce GT320M that triples password cracking speed over the built-in processor (benchmarks below).

Curiously, GPUs are becoming popular for cheap "netbook" computers. That’s because the low-power central processors do not handle video well. Therefore, manufacturers are including low-power GPUs for video. Some Intel netbooks have Intel graphics, which can’t (yet) be programmed for password cracking. Some contain nVidia’s ION graphics, which is hardly faster at cracking passwords than the Atom CPU. The best choice these days are the new AMD netbooks with the C-30, C-50, and E-350 processors that are a combination of x86 CPU with a Radeon GPU on the same lower-power chip. A $280 Asus EEE PC 1015B or an $430 HP dm1z are the best netbooks for pen-testers at the moment.

What about FirePro, Quadro, and Tesla?

Both AMD and nVideo make more expensive cards for high-end customers. These are actually the identical chips in the gaming cards, but sold for 10 times the price. They would be a foolish choice for password cracking.

There is a reason for the higher price. The companies put features into the chips for high-end customers, then disable those features for gamers. Thus, if you are a graphics artist using software to draw the next 3D movie, the version with the high-end features enabled are probably worth the price. But these features mean nothing to password cracking. Indeed, the high-end chips are slightly worse at password cracking: because high-end customers care about reliability, they run the chips at speeds slight slower (and cooler) than for gamers.

The more expensive version of the Radeon card is called "FirePro". The more expensive version of the GeForce card is called "Quadro".

But, there is a third high-end version of the GeForce card called "Tesla". This is just like the "Quadro" card (all high-end features) enabled -- but it’s missing a the output port. You can’t connect a monitor to it. It’s purpose is just for GPU processing, like geological simulations to help find oil, or financial models to figure out the best stock price. Because they are missing the "display" portion, they use slightly less electrical power. People building supercomputers out of GPUs tend to choose the Tesla cards. If you rent "cloud computing" time using GPUs, they will probably be Tesla cards. I find this all a bit foolish -- GeForce or Radeon cards would be far more cost effective.

GPUs vs. FPGA vs. ASIC

Rather than doing password cracking in software, it should be possible to do it faster, cheaper, and with less electrical power using hardware like FPGAs or ASICs.

While this works in theory, it doesn’t work so well in practice. CPUs and GPUs are so cheap because their manufacturers sell them in enormous quantity. You could design your own chip that is 100 times faster than a cheap GPU, but it would cost you 200 times as much, per chip.

Some people do great things with hardware, such as Pico Computing, but most of the time, it’s just easier writing software for a mainstream chip, then let Moore’s Law make the chips go faster every year.

Building the ideal password cracking rig

Let’s say that you want to build the fastest computer (for cracking) for the cheapest price. Such a system will be driven by the cost of the graphics cards.

A relatively cheap, and simple, solution would be to buy three or four Radeon HD 6990 (as of June 2011) cards and stick them into a homebuilt computer. You’ll need a bigger power supply, a motherboard that supports four PCIe slots (spaced correctly for cards that are two-slots wide), and a slightly bigger case, but all of these are relatively common. Other than that, you only need a standard CPU, memory, and boot drive -- the cheaper the better (the less you spend on these, the more you can spend on more graphics cards).

This solution is probably best for pen-testers. Our time costs money. It doesn’t take long to assemble.

But for hobbiests who enjoy messing around with hardware, the economics are a bit different. They might want to get fancy, for example, building a custom case using PCIe extender cables or even a PCIe splitter to fit 32 cards in a system. You only need PCIe 1x speed for password cracking, not the full PCIe 16x speed that’s used for gaming.

Regardless of the system you build, you probably need to worry about cooling. Such systems are going to produce a lot of heat. Moreover, you need to worry about where your cool air comes from, and where the hot air is going. It’s going to be an annoyance whether you are in a data center, in a lab, or installing it at home.

All this cooling will cause of a lot noise (unless you are in a data center). Hobbiests buy expensive components that cut down on the noise, like water cooling systems. I stick my computer in a closet that happens to have an air conditioning duct. In labs or at home, you may find yourself playing with ducts to get the cooling right and the noise reduced.

Windows, using commercial software like that from Elcomsoft, takes the least effort to setup and run, but Linux using free software gives you more control over what’s going on. For example, some people (such as Bitcoin miners) have reported that Windows can’t recognize more than 4 cards, whereas Linux has no problem. There is also the issue of systems only being able to use cards connected to monitors -- which requires either a monitor be plugged into each card, or a "dummy plug" be used to make the card think there is a monitor installed.

But, the thing to keep in mind is decreasing marginal returns. Buying a $250 Radeon card will increase cracking speeds by 20 times. Buying a second $250 Radeon card will only double the previous card’s speed. A single desktop with four Radeon HD 6990s for $3000 will increase cracking speed by 160 times. Buy a second such system, for another $3000, will only double your cracking speed after that.


Hobbiests spend a lot of time trying to overclock their systems. If they work hard enough at it, they can get an extra 20% performance increase.

The trick for password cracking is to increase the speed of the GPU, but at the same time, decrease the speed of memory. Unlike graphics, GPU cracking doesn’t use the memory. By lowering the memory speed, you lower power consumption, and lower the amount of heat generated. That power/heat can then be used to increase the speed of the GPU calculations.

Radeons come with an overclocking application on Windows, but it doesn’t allow you to change much. This utility will only let you overclock by 10%, but won’t let you underclock the memory.

A graphics card vendor named MSI has its own Radeon overclocking utility "Afterburner" that you can use for all Radeon cards, not just those sold by MSI: This will allow you do overclock the chip more, as well as underclock the memory.

If you are overclocking the card, it may cause your system to crash. If that happens, you may need to increase the voltage sent to the card.

If overclocking, and if you have increased voltage, your card will produce a lot more heat. You’ll probably have to adjust the fan speed to compensate, to lower temperatures back down to reasonable levels. You probably do not want to run your card above 80 degrees Celsius. On the other hand, fans aren’t designed to run at high speed for extended periods -- the more you jack up fan speed, the more likely it is for the fan to fail. If your card is running below 68 degrees Celsius, you might want to consider lowering the fan speed.

Overclocking, higher voltage, and higher temperatures will decrease the lifetime of the graphic chip before it fails. You probably don’t care: two years from now, when your overclocking madness causes the chip to fail, you’ll be upgrading to the latest GPU anyway.

The economics of cracking

Putting a single $250 Radeon card in your desktop for password cracking makes sense. Building multiple cracking rigs for massive number crunching probably doesn’t. The reason is that password cracking is an exponential effort.

Consider passwords chosen from an alphabet of UPPER and lower case, numbers, and $ymbols. That’s roughly 100 different characters. That means every letter we add to a password increases the difficulty of cracking by 100 times.

Let’s say you can crack all 8 character passwords within a day. It would then take you 100 days to crack a 9 character password and 27 years to crack a 10 character password. We can graph this effort on the following picture:

As you can see, it's a bit nonsensical. Below 9 characters, it's nearly zero effort to crack passwords. Above 9 characters, the line shoots almost straight upwards. Only around 9 characters do we see a line that isn't nearly-zero or nearly-infinite.

That means there are three classes of passwords: those we can crack easily with a desktop computer (8 characters or fewer), those we cannot crack at all (10 characters or more), and those we can crack more of if we purchase more expensive computers (9 character passwords).

There is decreasing marginal returns to buying GPUs. Buying a single card increases cracking speed by 20 times. Buying a second GPU willy only additionally increase speed by 2 times.

Buying a $3000 rig can increase cracking speed by 160 times. Buying a second $3000 rig will only increase cracking speed by an additional 2 times. All people have to do is add another character to the length of their password, increasing it’s complexity by 100 times, and defeating your investment.

On the other hand, there is the fact that your competitors have the same idea in mind. Let’s say that you go in and pen-test a company that hired a different pentesting firm last year. That other firm found passwords and cracked all the weak ones. You find the same password list. If you crack fewer passwords, you look like a poorer pentester than the previous firm. If you can crack a few more, you look like a better pentester.

The same is true of hackers. You can assume the target company has already fixed all it’s weak passwords -- but where "weakness" is defined as "crackable by one GPU". If you come in with two GPUs, you’ll find a few more passwords.

This is of particular interest to Bitcoin miners, where it’s essentially a race against other miners to find the latest hash. Whereas twice the computing power does not equal twice the number of passwords cracked, twice the power does mean twice the earning power for Bitcoins.

Bitcoin mining benchmarks

Password cracking and Bitcoin mining are essentially the same thing. You can therefore leverage their work in figuring out what hardware you want for cracking.

A good reference is the list of hardware at

I’ve selected a few of the numbers from the link above, as well as benchmarked my own computers.

0.2ARM Cortex-A8CPU in my iPhone
0.6ARM Cortex-A9 dualCPU in my iPad
1.1Intel Atom N270My pen-testing netbook CPU
1.8nVidia IONA common netbook GPU for Atom CPUs
2.5Core 2 Duo 2.13 GHzMy MacBook Air CPU
6.1nVidia GT 320MMy MacBook Air GPU
6.2AMD C-30Asus $280 netbook with GPU/CPU combo
11.0AMD E-350HP dm1z $450 netbook with GPU/CPU combo
17.0Radeon HD 6490M2011 MacBook Pro
19.2Core i7 980xMy desktop, 6-core 3.3 GHz, hyperthreaded, top-of-the-line CPU
21.0PS3Playstation 3 using the Cell GPU
100.0Tesla M2050Amazon EC2 cloud computer w/ Tesla card
300.0Radeon HD 5830$109 card popular with miners -- if you can find one
314.0Radeon HD 6950$240 @Newegg and probably what you should buy
358.0Radeon HD 6970My desktop's graphics card, cost $330
800.0Radeon HD 6990Fastest single card, overclocked, roughly $740, with two GPUs

  • SSE

    SSE is the name for GPU-like instructions that are part of the CPU. They operate on 4 numbers at a time, and therefore, are 4 times faster than normal instructions for repetitive tasks.

    Modern processors, like the Intel Atom, Core2, and Core i3/i5/i7, as well as AMD Athlon/Phenom/etc. processors, all can execute two SSE integer instructions per clock cycle. That means pretty much that you just need to look at MHz in order to figure out which processor will crack passwords faster.

    This also applies to Intel’s energy efficient Atom processor. While the Atom is notorious for being slower on most tasks, it’s just as fast, per-core and per-MHz, as the other processors. Thus, a 1.6 GHz Atom will perform the same as a 1.6 GHz Core2 or 1.6 GHz AMD processor at password cracking -- but at about half the power. In addition, the GeForce-based ION graphics chip designed to go with the Atom hardly accelerates password cracking.

  • MacBook Air

    Whereas I use netbooks for pen-testing, I use a MacBook Air for everything else (programming, writing blogposts). I’m not a fan of Apple’s operating system, I usually run Windows or Linux on it.

    My MacBook is faster at password cracking than the older netbooks, but is quite a bit behind the latest Radeon-based netbooks. My next pen-testing netbook is likely going to be the HP dm1z.

  • HP dm1z

    At $429, this is expensive for a "netbook", but it has 4 features that make it stand out.

    1. It has the GPU/CPU combo from AMD. Not only is its CPU faster (dual core), but its GPU is a lot faster.
    2. It comes with 3-gigs of RAM, expandable to 8-gigs. Most "netbooks" come with 1-gig, expandable to 2-gigs.
    3. It comes with Gigabit Ethernet, whereas other "netbooks" come with only 100-mbps Ethernet.
    4. HP claims 9.5 hour battery life, which is at the top end of the range for "netbooks".

    Thus, while I’m tempted by its cheaper cousin the $279 Asus, I’ve ordered the dm1z to take to DefCon. I’ll be blogging successes/failures with it in a few days.

  • MacBook Pro

    The 15-inch MacBook Pro is probably going to be the notebook of choice for a lot of hackers, and probably has the best password cracking speed of anything short of a specialized gaming notebook.

    Currently, there are some quirks with Mac OS X bitcoin mining software, compared to Windows or Linux. It should be getting as much as twice the benchmarks posted above.

  • Radeon HD 6950

    If you do password cracking, you should get one, maybe two, of these cards and stick them in your existing desktop computer. They give the greatest bang-for-the-buck right now. An older Radeon HD 5830 are probably better bang-for-the-buck at half the price, but all the Bitcoin miners have snapped them up, so you can’t find any.

    The 6950 is slight slower than the 6970, but at 66% of the price. The fastest single card, the 6990, combines two 6950 GPU chips on a single card but at three times the price.

    Six months from now (Juned 2011) the situation will have changed, but in all probability, a $250 will still provide the best bang for the buck.

  • Tesla

    As the benchmarks show, the Tesla card is 10 times the price, but 1/3 the performance, of a Radeon HD 6950 card. That’s 30x price-performance difference.

    The economics don’t get any better using a Tesla in Amazon’s EC2 instances. You can currently make money mining bitcoins using Radeon cards, but you’d lose a lot of money trying to mine bitcoins on Amazon.

Password cracking vs. power consumption

The section above focused on capital costs, comparing graphics cards by their price performance. If you only run them occasionally to crack passwords, this is the most meaningful comparison. However, if you run them 24-hours a day, 365 days a year, then you’ll me more concerned by how much electricity they use.

A high performance graphics cards uses around 200-watts, but itself (not counting the rest of the computer). The average price for electricity in the United States is 11-cents per kilowatt-hour. Therefore, running that card for a year will cost $192.72. Of course, you need a system to stick that into. You might consider something like a computer based on an Intel Atom processor that only consumes 10-watts by itself. Modern processors, like a low-powered Nehalem, is also good at running at lower power. But, most desktops run at around 100-watts of power while doing password cracking.

Usually, the card that wins on price/performance also wins at electrical power usage. The Radeon HD 6950 mentioned above turns out to be at the top in terms of passwords cracked per watt.

But there are other things to consider. Some states, notably California, punish people who use too much electricity. In some cities, using more than 400 kilowatt-hours per month kicks you up to the next bracket, where electricity could cost 20-cents, 30-cents, or even more per kilowatt-hour. You may find it cheaper buying a generator than buying electricity from the grid.

Or, being that it’s California, you can get a heavily subsidized solar power generating unit for pretty cheap. You can hook it up to power your computer while the sun shines, and either turn off your computer at night or run it from the grid. Some places are now have “smart grids” that monitor electricity on a minute-by-minute basis rather than a monthly basis, and will charge you different amounts depending on the time of day. The price for electricity can be half during the night than during the peak hours during the day. You might configure your computer to run cracking software only at night, and to go to sleep during the day. 

Industrial electricity costs less than residential. A lot of cities have “hacker collectives” where people get together and rent industrial space, for typical non-criminal hacker activities like building robots or taking apart iPhones. They can supply the cheaper industrial rates for electricity for your password cracking or bitcoin mining needs.

Or your can move to a cheaper state. Here is a good reference for electricity prices by state.

What you crack

I thought I’d list the common things that hackers find themselves needing to crack. It’s not really relevant to GPUs, but I thought I’d mention it for completeness.

Bitcoin mining: A fixed number of new bitcoins are generated per day, and it’s a race to find the matching hash before anybody else does. The winner gets the bitcoins. It uses SHA256, which is exactly like SHA256 passwords. There is a lot of free bitmining software on the Bitcoin forums.

WPA passwords: Home users, and many businesses, use WPA, which is protected by only a simple password. In order to make it more difficult, the WPA standard requires a minimum of 8 characters, and rather than protect it by hashing the password once, it re-hashes it 4000 times -- making the computational difficulty to be around a 10-character password. Ten letters in a password is probably beyond the ability for "brute-force" cracking, which tries all combinations, unless you make certain assumptions, such as assuming the person used only lower-case and numbers (which is a valid assumption for most passwords). Most cracking is therefore done using a dictionary of known passwords, followed by "mutations" (such as adding a 4-digit number onto the end). Because the password is "salted" with the SSID, you can’t use rainbow tables to get the hash. There is lot of good software for doing this. I’ve used the free software "pyrit" and the commercial package from "Elcomsoft" in the past. The graph above of relative WPA cracking speeds is for the Elcomsoft package using last year's cards.

NTLM challenge-response: Windows passwords aren’t "salted", which means it’s easier to Rainbow crack them than to crack them. However, you often see "challenge-response" exchanges on the wire. This requires cracking in order to break. You see these with Windows-specific protocols like SMB and MS-RPC. In addition, you’ll see these as an optional authentication on other protocols, such as LEAP authentication for WiFi, or NTLMv2 inside e-mail and HTTP headers.

Salted passwords on a hacked server: When a hackers (or pen-tester) breaks into a server, they will grab the password file or database. Stupid sysadmins either have the passwords in cleartext (no cracking needed) or in simple MD5 hashes (cracked with Raindbow tables). Smart sysadmins "salt" the passwords, which requires cracking. Software: oclHashcat

Documents: PDF, ZIP, RAR, and Word/Excel files are often encrypted. Such files might contain secrets useful for a hacker. Reportedly, Wikileaks had to decrypt an encrypted ZIP file containing the famous "Collateral Murder" video from Iraq. Cracking password-protected documents is the most common feature of commercial software, since home users and businesses need it when they forget their password. There are lots of companies that sell GPU accelerated software for this, such as Elcomsoft.


Buying a $250 GPU that increases password cracking speed 20 times is a no-brainer. Buying a notebook computer based on GPU is probably a wise idea for pen-testers.

But passwords are a little strange. They grow exponentially in complexity, which means you get decreasing marginal returns from buying more hardware. Thus, while buy a graphics card (or maybe two) is cost effective, massive investments in hardware are unlikely to crack that many additional passwords.

Of course, if you are Bitcoin mining, then the more GPUs the better. Even after recent wild fluxuations in bitcoin prices, it’s still profitable at the moment.

Chronic Threats: SQL injection

What is the reason for the recent rash of hacking? Why was LulzSec able to take on high-profile victims like Sony, the FBI, and the CIA?

The answer is this: hackers aren't necessarily smart; the problem is that the victims are stupid. Hackers like LulzSec exploited "obvious" problems in the victim websites. But for all their obviousness, we (as an industry) still don't know how to fix them.

For example, take the most common problem, called "SQL injection". This problem is caused by the fact that websites treat input as "code" rather than "data". This is demonstrated by his recent vulnerability at CNN (which I got from a Tweet by Dave Aitel, it's still working last I checked). CNN set up a website that allows people to query information about colleges. A typical page looks like the following:

What we see in this picture is the webpage that is accessed with the URL Data for all the colleges are stored in a database. Each college is given a unique numeric identifier. In this case, the college_id of 7966 represents Oklahoma State University in CNN's database. The web-application takes this number from the URL and uses it to query the database, then formats the results in a web page.

The problem with CNN's website is that it doesn't treat 7966 as just data, but also as code. Hackers can replace that number with code, and CNN's database will run it. The easiest way to test this is to enter in faulty code, which generates an error message. The way that most of us do that is simply put a quote ' character at the end of the field. This allows us to test that this flaw exists, that the website will run our code, without actually running code on the database. An example is below:

As you see, simply putting a quote ' character at the end causes the website to produce an error message as it tries to run the code. The website of the Chinese hacker who discovered this vulnerability has an even better example that runs harmless code that grabs the version number. It's URL containing code looks like:||+utl_inaddr.get_host_name((select+banner+from+v$version+where+rownum=1))--

The thing about this vulnerability is that any teenager can exploit it. You would think that a guy with 10 years experience creating websites would know more about this problem than a teenage hacker, but the reverse is true. Most people who create websites don't really understand how they truly work, nor do they care. They care about the end result, about what the user sees, about pretty pictures. They rarely care about the boring technical details. Website designers are shockingly ignorant about the cybersecurity implications of their work. Conversely, teenagers are shockingly ignorant about how to create websites -- they only know how to break them.

The problem with this threat is that it's chronic. Everybody in the cybersecurity community understands this problem, but nobody knows how to fix it. Sure, we know how to fix this specific bug -- just change one line of code, and the problem goes away. The thing we don't understand is how to prevent a similar bug from appearing yet again. We have tools, like scanners that look for such bugs on websites, code analyzers to point out such bugs in the web-app code, and web-app firewalls to block some attacks, but none of these tools are wholly effective.

Take a bow everybody, the security industry really failed this time

I haven’t said anything about Lulzsec publicly yet and I don’t really have a good reason for the lack of comment. I have been watching their activities with great amusement. On Saturday I saw they released a large list of routers IP addresses and the username and passwords. The passwords looked like they were set to default values. This actually made me laugh out loud and I had two thoughts. First and foremost how was this allowed to happen if you are doing regular security checks? The second thought is who will take the blame for this from the offending company?

First off I've heard a lot of people say that Lulzsec did security a favor by really showing the need for security. I disagree completely. I think Lulzsec has show how ineffective the security community and marketplace really is. These were not mom and pop targets that got hit but instead were several mega corporations that spend more money on security than most people will make in a lifetime. The spending did not stop the compromise and posting of their sensitive data so what good is it?

Putting your security in the hands of tools will fail you every time.

A tool is a device that helps you accomplish a goal not a magic device that will accomplish the goal by itself. A hammer does not build a house for a carpenter nor will a vuln scanner make a network secure.

How did all those routers go with easy to guess user names and passwords and nobody in the company noticed? I have no inside knowledge but I can take an educated guess: the belief that security tools will work and that security policies will be followed. I am sure somebody somewhere is explaining to their boss that the security policy was followed to the letter and vulnerability scans were completed regularly and these were not detected. As a pentester I run into tests all the time that are suppose to be a “gloves off no limits test” and the first thing I am handed is a list of systems off limits, So although the networks may have been scanned maybe the routers were excluded because they were considered “mission critical” with no attack surface so they were excluded from vulnerability testing.

Tools like vuln scanners, IPSes, and WAFs will fail you when you need them most. I spend most of my time looking at how to get attacks by security tools and it is pretty easy. I try to explain that to clients but often times tools are easier to find than good people so they go with tools.

If you exclude anything from vulnerability testing you will fail.

I know that there are some systems that really are important and it will be an operating problem if they go down. Ask your self this: if that is true why aren’t these systems the targets of more testing so you can find the cause of your faults and not a hacker group. Anybody that thinks that Lulzsec or any other hacker will respect your no scan list you are crazy.

As a former network admin I know that complex networks are actually a hodgepodge of cross fingers and jerry rigging to get to work. Once these Frankenstein networks are working nobody wants to touch them in fear of breaking something that make take into the wee hours of the night to fix. This is no excuse for keeping some systems off limits for testing.

The second thought is who to blame. In reality I think everyone in security is to blame. I include myself in this. We don’t really prepare customers for real world risks and often focus of things that sell like compliancy. Having worked for and with a lot of security product companies I have observed the compromise of a security products ability to protect in the name of customer requests more times than I can count. We in security cater more to check writers than we do actual security. Normally the check writers don’t want security, they want a check box filled that will have the minimal impact on operations.

Security is the first business I have seen where the customer is not always right.

I will admit I have changed testing strategies to appease customers. The wide eyed “you are gonna do what?!?!” response to a testing planned has made me worried about losing a client so although I will ruffle my feathers and puff out my chest on the importance of the testing but in most cases I will acquiesce to please the clients. This is my fault and I should not do it.

Setting client expectations…for real.

I have not seen a company that is actually secure. It doesn’t matter if the threat if simple password guessing or holding a Glock 21 to the head of your network admin I can get access. Often times security testing is used to verify security to a certain point, a point of tradeoffs for the company between cost security and feasibility of attack. While the Glock approach may not be as feasible as other attacks it will work every time. At this point you should not be judging the feasibility of the attack but instead the determination of the attacker. As a company as if you really have something work stealing and if so what lengths would somebody go to steal it?

This might not be the best example but it is the first anecdote I thought of while writing this post:
I once did a pentest for a company that had a WEP encrypted wifi network. They network manager wanted to spend his budget on other things than security so it was never upgraded. The reason: we have guys with guns at the gates so no one can really get within range of out network to attack it. In my plan to executives I mentioned two possibilities to carry out the “no holds barred” testing. One idea was skydiving into the facility with my computer; the other was just having a helicopter circle close by. The executives immediately said no for various reasons. They were later forced to admit that either idea would work. Now if I had been a real attacker I would not have cleared my plans with the first and been able to compromise their network and do dirty deeds ranging from theft of IP to maintaining access for a cohort off site. I failed my client because I let their fear of success take over testing.

I am not alone in this failure. If you show me a person that says they have never dialed back testing to please a client I can show you a person reading a prepared statement from their marketing department. Make no mistake that often the hurdles thrown up in front of security are people worrying you will succeed or at least make their life more difficult. And the fear of success or just being annoyed will often motivate clients to veto an attack vector they know will work. If this were to cause a fix I would be happy but often if there is nothing in the report the client won’t fix anything.

Because of failures like these the security community does not prepare clients for real attacks by determined attackers like Lulzsec. The clients of the security industry are systematically compromised and exposed for all to see like a cadaver during an autopsy.

In the end while I see some sales guys rubbing their hands together in glee over the thought that Lulsec will drive security spending up I am absolutely convinced that the last thing this problem needs is more money.

Until there is a mindset change by executives of these companies no amount of security spending will keep them safe…and that’s our failure as an industry.

Undersea Cable Map

Here is an awesome site for viewing the map of undersea cables:

Undersea cables are interesting. In Richard Clarke's cyberthriller Breakpoint, hackers start their attacks by taking out undersea cables. Whether by bombing the landing sites, cutting the cables, or cyberattacking their routers, attacking these cables is near the top of everyone's list of cyberggedon scenarios.

A couple years ago, there was a series of cuts in the Middle East. Many suspected foul play, but as it turns out, such cuts are common, such as when ships drag their anchors along the bottom. That's why landing sites avoid shipping lanes. There is a cable cut somewhere in the world roughly every 3 days, and there are fleets of ships whose sole job it is to fix these cuts.

Even though they were accidental, they had a major effect on the Internet. Some countries in the Middle East were largely cut off from the Internet for a few weeks, and Britains found their VoIP to outsourced support centers in India to have enormous lag/latency, as packets had to be routed West through the United States, rather than East through the Suez Canal.

The NSA has their own nuclear powered submarine. Among the uses for such a thing is to sit off the coast of Russia and eavesdrop on radio waves. But of course, the other use could be to secretly tap these cables. But these cables are getting faster at an enormous rate. They continue to lay new cable, and they upgrade the equipment on the ends to increase they data rates they send through the cables. Older cables (i.e. 10 years old) would carry 200-gbps. New cables carry 6-tbps. A computer costing $2000 is able to monitor 10-gbps (assuming the right software), so the NSA would need just 20 computers to eavesdrop on  one of the old cables, but 600 of them for one of the newer cables.

I grew up in Oregon, a quiet state on the West Coast between Washington (home of Microsoft and Adobe) and California (home of Silicon Valley). Curiously, though, it's a major landing site for cables going to Asia. There are several reasons for this. One reason is that it's 700 miles shorter (calculating the distance NRT-PDX vs. NRT-LAX). Another is that Intel's main site is located in Hillsborough, Oregon, which has a created a small hi-tech mecca (Linus Torvalds lives in Oregon).

The biggest reason, though, is cheap power because of all the dams on the Columbia Riva. Whereas residential power rates are 12-cents per kilowatt/hour average in the U.S., Columbia River power is around 4-cents per kilowatt/hour -- possibly cheaper for the data centers built right next to the damns. In order to exploit this cheap power, the states of Oregon and Washington strung fiber optic cables up the river for data centers. Google, Amazon, and Facebook have built data centers there to capitalize on the cheap power and fast connection. (Google won't say what it pays for electrical power, but they displace aluminum smelters that became unprofitable when power went above 3-cents per kilowatt/hour).

I've create a picture of Oregon in the map below. I've marked Intel (Hillsboro), Google (The Dalles), Facebook (Prineville), and Amazon (Boardman). You can see the landing sites for cables on the left. Click on the image to enlarge.

Note that the landing sites are not near ports. That's because ship anchors are the leading cause of cable cuts, so they want to locate the landing sites as far from ships as possible.

Using ncrack to test for servers vuln to Morto worm

Looks like the Morto worm is floating around. I frequently run into just seeing 3389 open on pentests and if the local admin account is "administrator" you can beat up on it pretty good with ncrack.

hdm did a post on why/how you can find those pesky local admin accounts with weak password by using the smb_login module. post is here.

If you live where someone is gonna give you a hassle because SMB is not allowed out, you can always use ncrack to prove your point. I did a short post on it awhile back.

Anway, grab it from nmap svn, and compile, dont think the RDP plugin for it was enabled in the downloadable binaries (i didnt check...i use the svn).

The F-Secure blog has the list of passwords its using here.

Looks like this:

$ ncrack -vv -d7 --user administrator -P /home/user/morto.txt,CL=2

rdp:// (EID 1) Login failed: 'administrator' 'admin'

rdp:// (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.94

rdp:// (EID 2) Login failed: 'administrator' 'password'

rdp:// last: 0.00 current 0.50 parallelism 2


Discovered credentials on rdp:// 'administrator' 'admin123'

rdp:// last: 0.02 current 0.01 parallelism 2

rdp:// Increasing connection limit to: 2

rdp:// (EID 30) Attempts: total 30 completed 30 supported 1 --- rate 1.62

rdp:// (EID 31) Login failed: 'administrator' '1234567890'

rdp:// finished.

rdp:// (EID 31) Attempts: total 31 completed 31 supported 1 --- rate 1.81

nsock_loop returned 3

Discovered credentials for rdp on 3389/tcp: 3389/tcp rdp: 'administrator' 'admin123'

Ncrack done: 1 service scanned in 18.00 seconds.

Probes sent: 31 timed-out: 0 prematurely-closed: 0

Ncrack finished.

Validity of most-common-password lists

As this tweet asks: what's the validity of the various lists of the most common passwords people choose, such as this one

The answer is: it depends. If you dump the passwords at the average website, you'll see these as common passwords.

But they may not reflect passwords chosen for important sites, like corporations or banking. The less important a site, the poorer the passwords. People will choose poor passwords for something like Sony Playstation gaming than they would for their corporate account. This is especially true when your corporate account enforces rules for password complexity and reset.

Thus, just because the password "123456" is incredibly common doesn't mean that fact is useful to hackers trying to get valuable information.

Or, look at it another way. When we pen-testers break in, we usually want to get an "administrator" account rather than a "user" account, so that we can control the system. Administrators choose tougher passwords than users. Thus, just because users choose bad passwords doesn't mean we can crack administrator passwords.

There is another flaw in the statistics. Yes, "123456" might be the most common passwords on the Internet, but what percentage of passwords match that? Do 10% of users choose that password? 1%? 0.1%? Depending on the importance of a website, that number is going to be closer to 0.001% than 1%. In other words, just because you know the most common passwords doesn't mean you'll be likely to guess a persons password before the system locks you out.

What these lists do tell is the psychology behind what people choose as passwords. People choose easy patterns on the keyboard, like "123456" or "qazwsx". People choose their children's names or birthdates. People choose a swearwords. People choose sports teams. People choose words like "dragon" and "monkey". I have no idea why "monkey" is so popular, I just know that it is.

This information can be used in password crackers. Unlikely guessing a person's password on a website, which is one attempt every few seconds, cracking passwords can try billions of combinations per second. But even doing a billion tries per second, a hacker still can't guess an 8 character password in 100 years. Therefore, a hacker has to be smart. Knowing that "monkey" is popular, the hacker will try variations, like "m0nkey" or "monkey1234". Thus, if a hacker gets a database of encrypted passwords (aka. hashes), he or she will be able to guess 20% of those passwords, either by trying the most common passwords, or simple variations of those passwords.

This is also useful to people wanting to know how to choose passwords. Even if your password isn't in the list, it shows you how people choose passwords, and what not to do. For example, maybe your sports team isn't in the list, but when you see the many sports teams that are, you learn that maybe basing your password on a sports team isn't a good idea.


The better spammers get at solving CAPTCHAs, the harder it becomes for humans to prove that they are, in fact, humans. RECAPTCHA, in particular, has become annoying lately. I often fail the first attempt (or 100% of the attempts if going through TOR, for some reason). Here is a list of CAPTCHAs, see if you can solve them:

That's "pœna", not "poena".

It would be a mistake to think it was "Miftake"

Is it "1300.8", or "1300.8 or "1300."? 

What the heck is ISO-TSAP? \

This great blog post criticizes this grossly incompetent advisory by the US DHS CERT. Both mention “ISO-TSAP”? What is “ISO-TSAP"?

Just TCP, the same protocol that carries Internet traffic.

That’s what makes the DHS advisory incompetent, because it blames TCP’s lack of encryption for the problems in the Siemens industrial controllers. But a protocol like TCP isn’t supposed to encrypt data, it’s just supposed to carry traffic between two end-points. If you want encryption (like SSL), you are supposed to layer that on top of TCP.

So if ISO-TSAP is just TCP, why is it called by a different name?

That answer is a bit more political. The Internet as we know it wasn’t the Internet the government designed. Instead, they designed a competing Internet known as either “OSI” or “ISO”.

The government first created a blueprint, called the “OSI Model”. That model defines seven layers, where each layer is responsible for a specific task. Layer 1 defines how bits are sent onto the nearest wire. Layer 2 defines how packets are sent only as far as the next hop (to the other end of the wire). Layer 3 defines how packets go hop to hop across the world wide network to the destination computer. Layer 4 defines how the packets reach the destination application on that target computer, whether it be the web browser, iTunes, Skype, etc.

TCP fits in layer 4, but not precisely as OSI defines it. Mostly, it’s a terminology difference. For example, the OSI/ISO standard might say “disconnect” the connection, but TCP/IP might say “close” the connection. The ISO-TSAP standard is mostly just a translation between this terminology, showing how if somebody writes code that conforms with the OSI/ISO Layer 4 standard, how it will work when run over the TCP/IP standard.

There is one important difference. TCP/IP sends data as a “stream”. Yes, even though the underlying IP sends packets, the TCP on top reassembles this back into a stream of bytes, so that applications see no boundaries between packets.

But the OSI/ISO Layer 4 standard defines a boundary between packets. Therefore, the ISO-TSAP standard adds 4 bytes to each TCP packet to include a “length” field, so that applications can discover the original packet boundaries that are hidden by TCP. Therefore, if you were to ask about the precise protocol differences between ISO-TSAP and TCP, it would be the addition of the following header to each packet:
0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       |      vrsn     |    reserved   |          packet length        |

So this OSI stuff has been obsolete for over 20 years, why the heck is the Siemens controller still using it?

Well, that’s the problem with industrial-control/SCADA systems: they are 20 years out of date. It’s the way that industry works. They expect to install a piece of equipment and have it run unchanged for decades.

And that, not “lack of encryption in ISO-TSAP”, is the cause of the Siemens vulnerabilities. The system was created using cybersecurity concepts that are 20 years old, that haven’t caught up with the radical change in cybersecurity that we’ve seen in the last 10 years.

Indeed, the reported Siemens vulnerabilities are just the tip of the iceberg. If a system is using ISO-TSAP instead of raw TCP, it’s probably using all the other dumb stuff from ISO/OSI. The most egregious is something called ASN.1, which is a way of abstractly defining fields in packet. When you “concretely” define fields in packet, the lengths tend to be fixed. For example, you might have a username field that is precisely 16 bytes long. When you “abstractly” define fields, they can be any length. A programmer might make a “safe” assumption that a username couldn’t possibly longer than 1000 character, and might reserve a buffer in memory of that length. But, of course, a malicious hacker can exceed that, and provide a username 2000 bytes long, overflow that buffer, overwrite other parts of memory in such a way that allows the hacker to break into the system. Such “buffer-overflows” are significantly less common on today’s networks -- except in those places that are still behind the times using things like ASN.1.

I know of at least one vendor’s implementation of ICCP (Inter Control Center Communications Protocol) that also runs on ISO-TSAP and uses ASN.1 that if full of such buffer overflows.

It is this problem of being 20 years behind the times that it likely the cause of the grossly incompetent DHS advisory. It was probably written with input from the Siemens engineers who explained the problems, and the Siemens engineers are working with 20 year old concepts. The DHS employees probably did little of their own analysis, and certainly, they never talked to the guy who discovered the problems.


The grossly incompetent DHS advisory is just a reflection of the fact that the industrial-control/SCADA systems are grossly out of date. This is demonstrated by the fact that I have to roll back the clock to a time before many readers of this post were born (RFC 1006) in order to explain what the heck is going on.