2012年9月3日 星期一

駭客世界因科技而高強 - 雲端服務最大威脅 ( Hacker using GPU technology will make the world wide cloud service in dangerous position )

SUN VALLEY, ID - JULY 12:  Mark Zuckerberg,(R)...
SUN VALLEY, ID - JULY 12: Mark Zuckerberg,(R) chief executive officer and founder of Facebook Inc., and Andrew Houston, founder and chief executive of Dropbox, wait in a parked car for the traffic to clear out at the Sun Valley Lodge during the Allen & Company Sun Valley Conference on July 12, 2012, in Sun Valley, Idaho. The conference has been hosted annually by the investment firm Allen & Company each July since 1983. The conference is typically attended by many of the world's most powerful media executives. (Image credit: Getty Images via @daylife)
Dropbox: Yes, we were hacked ( Dropbox:是的,我們被駭客攻擊了 )

Dropbox reports that the recent spam attacks that impacted some European customers occurred when hackers used passwords obtained from outside sites to access some Dropbox accounts. The company promised a new two-factor authentication option and offered other tips. ( Dropbox的報告說,在最近的受垃圾郵件攻擊的影響,歐洲的一些客戶發生,駭客從外部網站訪問一些Dropbox的帳戶使用的密碼。本公司承諾將提供一個新的雙因子身份驗證選項及其他的提示。)

Maybe this will put an end to all that “Dropbox of the Enterprise” talk by cloud storage providers.( 也許這將杜絕所有的“Dropbox的雲存儲供應商的企業”講座,由。)

On Monday night, Dropbox acknowledged that spam mailings afflicting users starting a few weeks ago happened when hackers used passwords obtained from third-party sites to access “a small number” Dropbox user accounts. The company called in outside experts to help its security pros and here’s what they discovered, according to the Dropbox blog.( 在週一晚上,Dropbox的承認,垃圾郵件困擾用戶在幾個星期前開始發生時, 駭客使用從第三方網站訪問“少量多次”的Dropbox的用戶帳戶的密碼。一家名為外部專家,以幫助其安全性的優點,在這裡他們發現,根據Dropbox的博客。)

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.( 我們的調查發現,新近被盜的用戶名和密碼,從其他網站使用的Dropbox的帳戶登錄到一個小數目。我們已經聯繫到了這些用戶,並幫助他們保護他們的帳戶。)

Cloud content sharing as trend
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.( 也被用來竊取密碼訪問僱員的Dropbox帳戶包含一個項目文件,用戶的電子郵件地址。我們認為這是不正確的訪問導致的垃圾郵件。很抱歉,關於這一點,並提出了額外的控制,以幫助確保它不會再次發生。)

It also said it would start offering a two-factor authentication option in a few weeks and is providing a new web page to let Dropbox account holders check out accesses to their account. ( 它也表示,將在幾週內開始提供雙因素身份驗證“選項,並提供了一個新的網頁,,讓Dropbox帳戶持有人檢查訪問他們的帳戶。)

The company also recommended that users select unique (and new) passwords for all their accounts to help bolster security.( 該公司還建議用戶選擇唯一的(新)他們所有的帳戶,以幫助加強安全的密碼。)

The situation is reminiscent of the LinkedIn security issue in June, as TechCrunch pointed out. ( 目前的情況是讓人聯想到六月份的LinkedIn的安全問題,TechCrunch的指出。)

This is just the latest proof that cloud-deployed services are not immune from security — and other — snafus that impact any technology. But it’s a rude wakeup call to consumers who love the easy-to-use offerings and employ them without a ton of thought. The whole “Dropbox of the enterprise” meme started when dozens of companies touting IT-friendly cloud storage all glommed onto Dropbox’s huge popularity in the consumer market to position themselves. Dropbox claims 50 million users but is also flying into a headwind as Apple iCloud, Microsoft SkyDrive, Google Drive and other consumer-friendly options gain traction. ( 這僅僅是雲部署服務的最新證明,也不能倖免,從安全性 - 其他 - 影響技術的混戰。但它是一個粗魯的警醒消費者誰愛易於使用的產品,聘請他們沒有一噸重的思想。整個“保管箱的企業”米姆開始時,glommed到數十家公司吹捧IT友好的雲存儲Dropbox的巨大消費市場的普及,給自己定位。 Dropbox的索賠50萬用戶,但也飛入了逆風,谷歌,微軟的SkyDrive蘋果iCloud驅動器和其他消費的選項獲得牽引力。)

Yahoo hacked: Google, Microsoft users at risk  ( 雅虎被駭客攻擊了,谷歌、微軟使用者有風險了 )

Boston: More than 400,000 Yahoo user names and passwords were stolen and published on the Web, putting other websites at risk as well, after hackers exploited a vulnerability in Yahoo's computer systems.
Some logins for Google, AOL and Microsoft services were among those compromised. The three companies said they required affected users to reset passwords for sites including Gmail, AOL, Hotmail, MSN and Live.com.

Yahoo issued a statement apologising for the breach, the latest setback for a company that has lost two chief executives in a year and is struggling to revive stalled revenue growth.

Chairman Alfred Amoroso acknowledged that Yahoo had experienced a "tumultuous" year at its annual shareholder meeting on Thursday morning. Interim CEO Ross Levinsohn told attendees he was optimistic about the company's progress.

The breach prompted criticism from security experts who said that a major Internet firm like Yahoo should do a better job at protecting user data.
"This points to some very lax security practices," said Rob D'Ovidio, associate professor of criminal justice at Drexel University.
As an example, he noted that the hackers were able to produce more than 400,000 cleartext passwords within a day. That indicates that Yahoo either did not encrypt them at all or used an encryption method that was easy to crack, he said.

The professional networking service LinkedIn recently came under similar criticism. Security experts chided the company for failing to use sophisticated encryption practices to secure its passwords, millions of which were released following a breach last month.

What happened?

Yahoo spokeswoman Dana Lengkeek said "an older file" had been stolen from Yahoo Contributor Network, an Internet publishing service that Yahoo purchased about two years ago. It helps writers, photographers and videographers to sell their work over the Web.

"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised," she said.

AOL said the Yahoo data published on the Web included valid passwords for 1,699 accounts. Microsoft and Google declined to provide similar numbers.Other firms whose customers were at risk include Comcast, Verizon Communications and AT&T, Rapid7 researcher Marcus Carey said. He estimated that tens of thousands of accounts of users of services other than Yahoo were affected by the breach.

AT&T and Verizon did not have any immediate comment. Officials with Comcast could not be reached.
AOL Senior Vice President David Temkin said spammers typically use credentials like the ones stolen from Yahoo to break into email accounts and use them to send out spam.

"In this case, I think we actually got ahead of it before the people who stole those accounts were able to use them," Temkin said.

The five most popular passwords in the group were "123456", "password", "welcome" and "ninja", according to an analysis by anti-virus software maker ESET.

How a cheap graphics card could crack your password in under a second ( 便宜的顯示卡可以在1秒破解你的密碼 )
GPU computing power increase much for Hacker

I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer.

In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet?
Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

Yes, you can force your users to have a 15-character password consisting of random numbers and letters, and throw in punctuation as well. This is great as an idea, but we know that most users think that a password like “Barry1943Manilow” where 1943 was the year he was born, is complex and hard to remember. Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet? Or stuck to the side of the screen? Because anything much less than this is going to be open to attack over the next few years.

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention. Nor has Microsoft, frankly, who should be having a whole raft of alternative, hardened solutions in place ready for its business customers to roll out.

What are the solutions? To be honest, I’m not sure. A combination of TPM, biometrics, passwords and maybe something else entirely new will be needed. But it’s clear that a complex password that users will actually accept for day-to-day authentication, and keep secret, might be history.

  • 雲端服務之產業最大威脅是新的高科技駭客,利用 GPU 在1秒破解你的密碼;
  • GPU  破解密碼技術如大量被始用,將增加許多雲端服務之風險;
  • 目前,雲端服務來至新的  GPU  破解密碼技術似乎沒有完全 100% 防制之法;
Enhanced by Zemanta