## Wednesday, September 13, 2017

### 733bi/fo@@h732=|\$dGGGHHH&+~52: "Think Like a Hacker - A Sysadmin's Guide to Cybersecurity" by Michael J. Melone

“Thinking like a hacker means studying the tooling that hackers use, attending hacker conferences such as DEFCON [and C-Days in Portugal], and practicing hacking and exploitation in a lab environment.”

In “Think like a Hacker: A Sysadmin’s Guide to Cybersecurity” by Michael J. Melone

What happens in real life passwords-wise? (I know what I’m talking about; back in the day I was in the trenches doing this for a living…)

Unless the hacker guesses the formula. And this is where the billions of attempts come in. If an employee or hacker steals the list of hashes and usernames, they will use it to guess the formula. The bigger the list, the more chance that a password is repeated in it; if the hacker spots two hashes that are the same (or, with modern functions, hashes that are related with a regularity that clever math can reveal), that might mean that the passwords used to generate them are the same, and if that password is 12345678 then it is very likely Mr. Hacker will guess the formula required, and at that point off we go to the races. If the hacker has the database on his own computer (and one can rent very big, very fast computers now for very little \$\$\$), many billions of guesses, tries and tests on the hash function can be done every second.

Good web sites do three things. Firstly, they "salt" their passwords with a random string, kept separately, like "733bi/fo@@h732=|\$dGGGHHH&+~52-", which is added to every password before hashing. Secondly, they use strong hash functions (not weak ones such as SHA-1). The final thing, which is easy to do, is to stop users from using any password in the top 5000 password lists, stop them using any dictionary word, and insist that the password contains numbers, capitals, lowercase letters and symbols.
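As an added example (not from the book or this post), the contrast described above in Python: an unsalted SHA-1 digest that repeats whenever two users pick the same password, a PBKDF2-HMAC-SHA256 digest with a random per-user salt stored beside it (the usual practice, rather than the single shared string quoted above), and a check for the three password rules. The word lists and the iteration count are constructed placeholders, not values from the text.

```python
import hashlib
import hmac
import os
import string

# Constructed mini versions of the two word lists the text mentions; real
# deployments use the published "top N passwords" lists and a full dictionary.
COMMON_PASSWORDS = {"12345678", "password", "qwerty123", "letmein"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a value from the text


def hash_unsalted(password):
    """Plain SHA-1, no salt: identical passwords give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password, salt=b""):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.

    The salt is stored next to the digest; it need not be secret, it only
    guarantees that two users with the same password get different hashes.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password):
    """Return the rules a candidate password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if lowered in DICTIONARY_WORDS:
        problems.append("dictionary word")
    classes = {
        "digit": any(c.isdigit() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(f"missing {name}" for name, ok in classes.items() if not ok)
    return problems
```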

A password manager is a good way to remember all these different passwords. Some of them will generate a random password of a specific length for you when you set up a new account, and they are available as apps on smartphones. However, choose a secure password to access it, ensure it is securely encrypted using something like AES, and be careful where it is stored: remember that the "Cloud" is just another computer hosted somewhere in the world, and there is no guarantee that cloud storage is secure. If you back up to these services, then encrypt the backups (companies like Apple offer this with just a check box and password field as an option in your backup settings).

I am extremely careful with LinkedIn these days. I once found all my information available online (legitimately) because they had changed their privacy options and data was open by default to certain LinkedIn partners, who took it upon themselves to publish my CV publicly (thanks for the spam to the email accounts I used at that time, guys!). They seem to have a very relaxed approach to privacy, and people's profiles often appear in straight Google searches; CVs by their nature tend to include a lot of personal information, and certainly a lot of contact info.

Most hacking attempts do not even use passwords; they exploit failings in the site's own code. Meanwhile, the 'password complexity' argument is based on being able to submit thousands of passwords a second to the same account. Any system which allows that is a dumb piece of design. The sensible answer is that you should not use a guessable password. The rest is basically a 'straw man' designed to shift attention away from the real security failings of the software industry.

Passwords are recognised as being extremely fallible, and there is a big discussion going on as to how to replace them. Biometrics are equally insecure, and you can't change them if they are compromised. As for flaws in code allowing exploits, these will always exist: even the best programmers make mistakes, and the sophistication of cracking tools is improving all the time. I view this as being a bit like home security: you can add all the window locks, security deadbolts and alarms that you like, and it is never a guarantee that someone can't break in; in the case of on-line data where government-funded agencies are involved, all bets are off.

Personally, I try not to put anything important on the internet; my plans for world domination and my Mum's recipe for bread pudding I memorise and keep in my head. They can't hack that... yet! :)