Wednesday, December 15, 2010

The ugly truth of web security

Over the last few weeks, as we are all aware, a lot of interesting things have happened in the cyber world. Wikileaks, 4chan, Gnosis, LOIC and DDoS are some of today's keywords. A couple of days ago a reputed web media company called Gawker Media was hacked by a gang known as Gnosis. They did not stop at hacking the site: they dumped 1.3 million records from the Gawker database, including usernames and passwords, the planned future changes to the Gawker site and its source code, and uploaded it all as a torrent file (I did find that torrent file and downloaded the content :D ). So, if you use an account to comment on sites like Gizmodo or Lifehacker, your account has most probably been hacked! And the worst case is that if you use the same password for every site on the web, you are in huge trouble.

Things i noticed in hacked files

When I went through the downloaded files I noticed there were thousands of people using "password" or "password1" (without the quotation marks) as their password; other common passwords were "qwerty" and "qwerty12". It was not only ordinary Gawker users: people in administrative positions also had very weak passwords. So, as users, people should be more careful when choosing a proper password.

Things web developers should learn

Here the hackers exploited a vulnerability in the CMS and took control of everything. There were a lot of things that the Gawker Media web development team did wrong.
They saved the password, not a salted hash!!!! You must NOT do that; instead you should store a salted hash.
Why didn't they use a mechanism like OpenID or Facebook Connect? Then the attackers could not have obtained the users' passwords.
And the other main thing, as the attackers mentioned in a readme file:

Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!

YA DONT SAY!! :D?

Because of this we were only able to recover the first 8 characters of someone's password! If the password is 8 characters long there's a good chance that it might be longer than 8 characters! But still, there's 1000s of people using 1 - 8 character passwords for us to have some fun with!

So when designing a web site, beware of the algorithms you use to hash passwords; as in this case, an outdated encryption algorithm can cause a hell of a lot of trouble.
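To make the readme's point concrete, here is an added example (not code from the post or from Gawker): a stand-in for the truncating scheme, modelled as a hash over only the first 8 bytes rather than real DES, next to a salted PBKDF2 hash over the whole password, plus a denylist check built from the passwords this post says were common in the dump. The salt length, iteration count and 8-character limit are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed from the passwords this post says were common in the dump.
COMMON_PASSWORDS = {"password", "password1", "qwerty", "qwerty12"}

# The readme's complaint: DES crypt(3) only looks at the first 8 characters.
LEGACY_SIGNIFICANT_CHARS = 8
PBKDF2_ITERATIONS = 100_000  # assumed value for the demo


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model of the truncating scheme: a stand-in (SHA-256 over the first
    8 bytes), not DES itself, but it reproduces the property the readme
    describes: anything past character 8 is never looked at."""
    truncated = password.encode("utf-8")[:LEGACY_SIGNIFICANT_CHARS]
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash over the whole password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def verify(hash_fn, password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check does not leak via timing."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def is_weak(password: str) -> bool:
    """Reject short passwords and the dictionary choices the dump was full of."""
    return len(password) < 8 or password.lower() in COMMON_PASSWORDS


def truncation_accepted(hash_fn, full: str, prefix: str) -> bool:
    """True if a prefix of the real password logs in under hash_fn."""
    salt = os.urandom(16)
    return verify(hash_fn, prefix, salt, hash_fn(full, salt))


if __name__ == "__main__":
    full, prefix = "abcdefgh1234", "abcdefgh"   # the readme's own example
    print("legacy accepts 8-char prefix:", truncation_accepted(legacy_hash, full, prefix))
    print("PBKDF2 accepts 8-char prefix:", truncation_accepted(modern_hash, full, prefix))
    for p in ("password1", "qwerty12", "correct horse battery"):
        print(f"{p!r} weak: {is_weak(p)}")
```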

After this attack thousands of articles were posted on new security models, and I will discuss some of them later. But as final words, I think that as users we have the responsibility to protect our own privacy; as the Google CEO once said, if you want your privacy, don't post anything on the web. When choosing a password or security question, users should think not twice but thrice.....

cheers !
Kesh