
Apache.org services attacked

The Apache Infrastructure Team has reported a direct, targeted attack against the server hosting their issue-tracking software. "If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised. JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords. Bugzilla uses a SHA-256, including a random salt. The risk for most users is low to moderate, since pre-built password dictionaries are not effective, but we recommend users should still remove these passwords from use. In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them."
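To make the notice's salted-versus-unsalted distinction concrete, here is an added example (not code from Apache, Atlassian or LWN) that models both storage schemes it describes: unsalted SHA-512 as attributed to JIRA and Confluence, and SHA-256 over a per-account random salt as attributed to Bugzilla. The two-user sample and the 16-byte salt length are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two accounts that happen to share a dictionary password.
USERS = {"alice": "correcthorse", "bob": "correcthorse"}


def unsalted_sha512(password: str) -> str:
    """Storage scheme the notice attributes to JIRA/Confluence: SHA-512, no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Storage scheme the notice attributes to Bugzilla: SHA-256 over a
    per-account random salt plus the password. Returns (salt_hex, hash_hex)."""
    if salt is None:
        salt = os.urandom(16)  # assumption: 16-byte salt, generated per account
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, expected_hex: str) -> bool:
    """Recompute with the stored salt; constant-time comparison of the hex strings."""
    _, actual = salted_sha256(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected_hex)


def hashes_collide(stored: list) -> bool:
    """True if any two stored hashes in the table are identical."""
    return len(set(stored)) < len(stored)


def unsalted_table(users: dict) -> list:
    """Password table as an unsalted deployment would store it."""
    return [unsalted_sha512(p) for p in users.values()]


def salted_table(users: dict) -> list:
    """Password table as a salted deployment would store it (hashes only)."""
    return [salted_sha256(p)[1] for p in users.values()]
```

With no salt, every account sharing a password stores the same hash, which is why one pre-built dictionary table serves against the whole dump; a per-account salt makes each hash unique and forces per-account work. A deliberately slow KDF (PBKDF2, bcrypt, scrypt) is stronger still than a single salted SHA-256 pass.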

Apache.org services attacked

Posted Apr 13, 2010 20:10 UTC (Tue) by endecotp (guest, #36428) [Link]

Well worth reading the linked article for the What Happened, What Worked and What Didn't Work info.

Apache.org services attacked

Posted Apr 14, 2010 6:52 UTC (Wed) by bleakgadfly (guest, #64985) [Link]

Indeed! It's quite fascinating reading how the intruders attacked their system step by step.

1955 wants its unsalted password storage back

Posted Apr 14, 2010 2:06 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

"JIRA and Confluence both use a SHA-512 hash, but without a random salt."

Unless these two services do something extraordinary it seems as though their security design already renders them not fit for purpose.

And when I tried to follow up on JIRA and find out more about how they ended up with no salt (making their password database an unnecessarily tempting target)... I found their own news story explaining that they'd left available a database containing the plaintext passwords of their users.

So, this is data that shouldn't even exist, and not only does it exist, but it's kept in a database years after it is no longer used. And not only is it in this database, but the database is connected to the Internet and becomes compromised.

But JIRA sent out email telling everyone about this (with all the affected passwords still valid) so that's OK then...

Free (as in price) doesn't make it secure

Posted Apr 14, 2010 17:01 UTC (Wed) by clugstj (subscriber, #4020) [Link]

The Atlassian products are proprietary software, with all the disadvantages that come with that. Just because they give them away for some users doesn't make them:
a) secure
b) the best tools for the job

Free (as in price) doesn't make it secure

Posted Apr 15, 2010 6:48 UTC (Thu) by Cato (subscriber, #7643) [Link]

Business users who want an open source wiki could do worse than Foswiki: http://foswiki.org/Home/WebHome - it has a pretty good security process, nice features, many plugins, etc.

Apache.org services attacked

Posted Apr 14, 2010 4:37 UTC (Wed) by motk (subscriber, #51120) [Link]

Indeed. This is quite disappointing of Atlassian; given that they sell an SSA solution it's quite embarrassing. I'm going to be expecting some good answers here, and a solid forward plan.

Passwords for web authentication

Posted Apr 14, 2010 9:00 UTC (Wed) by epa (subscriber, #39769) [Link]

Inevitably people will reuse passwords from one service to another. (I know I do, and I am not the most stupid user who exists.) This episode illustrates why password authentication is a bad idea. Why isn't there a way to use a public/private keypair to authenticate yourself to a site?

Passwords for web authentication

Posted Apr 14, 2010 9:11 UTC (Wed) by johill (subscriber, #25196) [Link]

You can use SSL client certificates to authenticate to a site.

Passwords for web authentication

Posted Apr 14, 2010 9:36 UTC (Wed) by __alex (subscriber, #38036) [Link]

Have you actually tried this in practice? It's not a total disaster but it's not exactly fit for public consumption.

Passwords for web authentication

Posted Apr 14, 2010 10:02 UTC (Wed) by epa (subscriber, #39769) [Link]

An alternative would be to have the browser generate a unique password for each site based on part of its URI plus a secret supplied by the user. Then you don't have to remember a separate password for every site, just one. The browser keychain is similar, but of course if that is lost then so are all the passwords; here one secret generates all of them.
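The derivation sketched above, as an added example that is not part of the original post: a master secret is first stretched with PBKDF2, then a per-site password is derived by HMAC-SHA256 over the site's scheme and host. Binding to the host rather than the full URI, the 20-character output length, the fixed context string used as PBKDF2 salt and the iteration count are all assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the part the password is bound to: scheme + host.
    Assumption: binding to the host means every page on a site yields the
    same password, while a look-alike host yields an unrelated one."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    return "%s://%s" % (parts.scheme, parts.hostname.lower())


def master_key(master_secret: str, iterations: int = 200_000) -> bytes:
    """Stretch the one secret the user remembers with PBKDF2-HMAC-SHA256.
    The salt is a fixed, public context string (assumption): there is no
    per-user random salt available when the secret is the only stored input,
    so the iteration count is what slows down offline guessing of the secret."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                               b"site-password-derivation-v1", iterations)


def derive_site_password(master_secret: str, url: str, length: int = 20) -> str:
    """HMAC-SHA256(master_key, site_key), base64url-encoded and truncated so it
    is printable. Same secret + same host -> same password; a different host or
    a different secret -> an unrelated password."""
    mac = hmac.new(master_key(master_secret), site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]
```

Because HMAC output does not reveal its key, a password leaked from one site does not expose the master secret or the passwords for other sites, but the master secret itself still has to be strong, since it is the single point of failure the post accepts in exchange for remembering only one thing.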

Passwords for web authentication

Posted Apr 14, 2010 11:00 UTC (Wed) by michel (subscriber, #10186) [Link]

passwordmaker perhaps?

Passwords for web authentication

Posted Apr 14, 2010 16:17 UTC (Wed) by epa (subscriber, #39769) [Link]

Yes, like passwordmaker, but built in to the browser.

Passwords for web authentication

Posted Apr 14, 2010 18:26 UTC (Wed) by JohnLenz (subscriber, #42089) [Link]

There is a firefox plugin, so for all intents and purposes it is built into the browser. https://addons.mozilla.org/en-US/firefox/addon/469

Passwords for web authentication

Posted Apr 15, 2010 16:04 UTC (Thu) by epa (subscriber, #39769) [Link]

Brilliant. I'll start using it. Now all we need is for it to be widely adopted and perhaps a little bit easier to use. (Instead of 'choose password' and 'confirm password' form entries, sites could just have a checkbox 'let my browser's password manager do its thing'.)

Passwords for web authentication

Posted Apr 14, 2010 10:30 UTC (Wed) by drag (subscriber, #31333) [Link]

> Why isn't there a way to use a public/private keypair to authenticate yourself to a site?

Probably the easiest and most effective thing would be to just have built-in support for auto-generating passwords and saving them in Gnome-keyring or similar mechanism.

This is basically what I do manually. I generate passwords using 'pwgen' in the terminal and copy-n-paste them into the browser. I either use a firefox extension to plug them into Gnome-keyring or just use Epiphany (which uses the keyring by default). I save a copy of passwords I care about to an eCryptfs-protected file (by way of nautilus + cryptkeeper applet).

It would be nice to have a fully automated way of doing this. There may be an extension already that I am not aware of.

The trouble is that many websites have really f-ing lousy password policies. Like 6-12 characters only, no special characters or only spaces and underlines and crap like that.

_ESPECIALLY_ banks or other institutions have the worst policies ever. Even going so far as to look for swear-words and crap like that pops up. Morons.

Using this method I will frequently have passwords that are 30-40 characters long. Length and complexity is really irrelevant, except for the lame password policies for many sites, since I don't have to memorize them. Of course, like everybody else, I use 'throwaway' simple passwords for stuff I don't care about. Bad habits die hard.

--------------------

I think that in this specific case using something like Http-digest instead of cookie-based authentication would have closed a few holes.

One of the attacks used was to inject an XSS attack using a tinyurl link. This was used to steal session cookies from administrators. I think that http-digest would have prevented that particular approach from working, but I am not sure.

http-digest over SSL/TLS is kinda the default approach I take. I know that there are flaws to that approach, but I struggle to understand them. I can't really think of anything better, except TLS client certificate checking, but that is such a huge pain I don't even want to deal with it.
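The cookie theft the post describes is what the HttpOnly cookie attribute (not raised in the thread; it stops page script from reading a cookie) and the Secure attribute are for. As an added example, not code from the original post or from any of the products discussed, here is a small audit of Set-Cookie headers that flags session cookies missing either attribute. The sample headers are constructed, and the rule for recognising a session cookie by name is an assumption.

```python
import re
from typing import List, Set, Tuple

# Constructed sample responses: the first is a bare session cookie, the second
# the hardened form, the third a harmless preference cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/",
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

# Assumption: session cookies are recognised by name (JSESSIONID, PHPSESSID,
# anything containing "sess", or a bare "sid").
SESSION_NAME = re.compile(r"sess|^sid$", re.IGNORECASE)


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lowercase attribute names) from one Set-Cookie line.
    Accepts the line with or without the 'Set-Cookie:' prefix."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Findings for one header; empty when the cookie is not a session cookie
    or already carries both HttpOnly and Secure."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if not SESSION_NAME.search(name):
        return findings
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, readable by injected script" % name)
    if "secure" not in attrs:
        findings.append("%s: missing Secure, may be sent over plain HTTP" % name)
    return findings


def audit_headers(headers: List[str]) -> List[str]:
    """Flatten findings over a list of Set-Cookie headers."""
    return [f for h in headers for f in audit_set_cookie(h)]
```

HttpOnly does not stop XSS itself; it only removes the cookie from what injected script can read, which is exactly the step the described attack relied on.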

Passwords for web authentication

Posted Apr 14, 2010 11:37 UTC (Wed) by danpb (subscriber, #4831) [Link]

> http-digest over SSL/TLS is kinda the default approach I take. I know that
> there are flaws to that approach, but I struggle to understand them.

This IETF draft gives a good overview of the flaws/problems in Digest-MD5, but I'm unclear on whether the security problems identified there would be mitigated by your layering over SSL.

http://tools.ietf.org/search/draft-ietf-sasl-digest-to-hi...

Passwords for web authentication

Posted Apr 14, 2010 13:23 UTC (Wed) by NAR (subscriber, #1313) [Link]

> Probably the easiest and most effective thing would be to just have built-in support for auto-generating passwords and saving them in Gnome-keyring or similar mechanism.

This might even work as long as you use a single browser on a single user account on a single computer. When three browsers on two operating systems on two computers are used, things begin to get complicated. Maybe it would be nice if Firefox, Internet Explorer, Opera, Safari, Chrome, etc. could sync their passwords to some USB flash device regardless of underlying operating systems and could use each other's passwords.

Passwords for web authentication

Posted Apr 14, 2010 16:49 UTC (Wed) by drag (subscriber, #31333) [Link]

It should be possible to sync in that manner. It should be possible to do it securely using a online service or over the network, also, as long as the keychain mechanism you use is encrypted prior to transmission.

Passwords for web authentication

Posted Apr 14, 2010 17:48 UTC (Wed) by sorpigal (subscriber, #36106) [Link]

You'd think in these modern "OMG cloud services!" times trivial things like this, which have been needed for years, would exist. It's not a question of being difficult so much as it is a question of getting people to agree on how to do it. I suppose I could write a Firefox extension which knows how to sync passwords in a particular way (in fact, I'm sure such things exist) but it's pretty useless if it only works in Firefox and for web site passwords.

Passwords for web authentication

Posted Apr 14, 2010 20:27 UTC (Wed) by drag (subscriber, #31333) [Link]

It seems to me that modern 'cloud services' are more about getting hands on users' data than about providing anything really simple and useful.

Passwords for web authentication

Posted Apr 15, 2010 22:54 UTC (Thu) by efexis (guest, #26355) [Link]

That's the thing about buzz words... they're just words!

Passwords for web authentication

Posted Apr 14, 2010 18:28 UTC (Wed) by guillaume.girard (subscriber, #27245) [Link]

You might be interested in PasswordSafe then: http://www.schneier.com/passsafe.html. There is a Python variant called loxodo that can read and write the same database file, and run on Linux. The file is encrypted and can be synced around as you want.

Passwords for web authentication

Posted Apr 15, 2010 2:16 UTC (Thu) by jello (subscriber, #6083) [Link]

Well, there's Weave (https://mozillalabs.com/weave/) which works for Firefox. It encrypts everything before transmitting it to the remote server. The Chrome extension API apparently doesn't currently support doing weave-like stuff with anything other than bookmarks, but that could change as it matures.

Passwords for web authentication

Posted Apr 15, 2010 6:56 UTC (Thu) by Cato (subscriber, #7643) [Link]

There are many clients and web services that do this - one that looks quite good, though still closed source, is LastPass - review here: http://www.pcmag.com/article2/0,2817,2343562,00.asp and Linux client here: https://lastpass.com/misc_download.php

This is a cloud-based service with optional clients for Linux, Windows, Mac, Android, iPhone, etc, and has some nice features like generating good passwords, auto logoff on idle, etc. They sell some premium services but the basic service is free.

Passwords for web authentication

Posted Apr 15, 2010 5:56 UTC (Thu) by skitching (subscriber, #36856) [Link]

Another option is OpenID (http://en.wikipedia.org/wiki/OpenID).

Only one id-provider needs to be trusted with the real credentials - and that id-provider can be *you* if you have a suitable server available.

AIUI, you open an account, you provide url "https://foo.example/~myid" which says that you trust site "https://foo.example" to authenticate you for access to the account.

I've used my Ubuntu Launchpad OpenID to log into various other sites, and it works well. Of course if Launchpad's database gets stolen I have a problem.

Passwords for web authentication

Posted Apr 15, 2010 8:21 UTC (Thu) by madhatter (subscriber, #4665) [Link]

For my money, this is a particularly good idea since openID leaves back-end security decisions in the hands of the end-user.

You can run your own openID server if you feel you need to, or delegate to a remote provider who acknowledges some kind of better-than-straight-password authentication engine such as the yubikey (see, e.g., http://www.teaparty.net/technotes/yubikey.html#103 ).

Passwords for web authentication

Posted Apr 15, 2010 12:32 UTC (Thu) by michel (subscriber, #10186) [Link]

As someone living in the US, I find that URL and its homepage really hilarious. The content seems to run so counter to the conservative tea party 'movement' here...

teaparty.net

Posted Apr 15, 2010 19:44 UTC (Thu) by madhatter (subscriber, #4665) [Link]

I'm afraid the teaparty in question is more Alice in Wonderland than Boston, but I'm glad it made you laugh.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds