Cruisers Forum
 


Old 27-08-2019, 21:00   #31
Registered User

Join Date: Jul 2019
Location: Los Angeles, CA
Posts: 6
Re: CF Passwords Hacked?

Make sure you are never using the same password in two places
2fast2nick is offline  
Old 27-08-2019, 21:43   #32
Registered User

Join Date: Feb 2017
Location: Med
Boat: Dufour 455 GL
Posts: 218
Re: CF Passwords Hacked?

Quote:
Originally Posted by chowdan View Post
I'm not saying that this site is doing that, but they have the ability to do some very malicious things.
Exactly. By the time a TCP session is established with their servers, and the client indulges in a bit of light HTTP(S), they could fingerprint quite a bit about the OS, patch level, browser type, location, referrer... without even trying hard.

If the password is anything other than completely random, which is extremely rare for a human-generated password, they can gain insights into the syntax used by this person, which has obvious predictive value for optimisation of a brute-force engine.

It really is like a large-scale social engineering experiment.
LongRange is offline  
Old 27-08-2019, 21:51   #33
Registered User

Join Date: Jul 2019
Location: Los Angeles, CA
Posts: 6
Re: CF Passwords Hacked?

Quote:
Originally Posted by IslandHopper View Post
Funny that, I do see the red triangle but only when posting; normal browsing through CF it's just the circled 'i' with "not secure"....

[Screenshot: Posting]

[Screenshot: Browsing]
They should be forcing all traffic to HTTPS and not allowing anything over HTTP.
2fast2nick is offline  
Old 27-08-2019, 22:18   #34
Registered User

Join Date: May 2013
Location: Oregon to Alaska
Boat: Wheeler Shipyard 83' ex USCG
Posts: 3,570
Re: CF Passwords Hacked?

If you want to see who's selling your email, use the + after your name plus whatever site you're giving your email to. Ex: johngotti+cruisers@gmail.com
When you get a new email sold by that site, +cruisers will be after your name.
Lepke is offline  
Old 27-08-2019, 23:43   #35
Registered User
 

Cruisers Forum Supporter

Join Date: Nov 2013
Location: Port Moresby,Papua New Guinea
Boat: FP Belize Maestro 43 and OPBs
Posts: 12,891
Re: CF Passwords Hacked?

Quote:
Originally Posted by Lepke View Post
If you want to see who's selling your email, use the + after your name plus whatever site you're giving your email to. Ex: johngotti+cruisers@gmail.com
When you get a new email sold by that site +cruisers will be after your name.

That works with gmail, but it's not an RFC standard and won't work with the majority of mail servers. (Same as gmail ignores dots (periods) in the username part of an address - they're about the only ones who do).


In fact, some mail servers won't accept emails with a + in the originator's address.
StuM is offline  
Old 28-08-2019, 01:43   #36
Registered User

Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?

Quote:
Originally Posted by LongRange View Post
Exactly. By the time a TCP session is established with their servers, and the client indulges in a bit of light HTTP(S), they could fingerprint quite a bit about the OS, patch level, browser type, location, referrer... without even trying hard.

Just from a TCP connection starting, they can't fingerprint anything about you. At the point you establish an HTTP connection, then yes, but then again CF has the same information.



Quote:

If the password is anything other than completely random, which is extremely rare for a human-generated password, they can gain insights into the syntax used by this person, which has obvious predictive value for optimisation of a brute-force engine.

It really is like a large-scale social engineering experiment.

Sorry, but no. Someone would have to enter more than one password, most likely something on the order of 100+ for any relevant information to be obtained as to the syntax used by anyone. See also spam filters. It takes a while to train any type of Bayesian or Markov chain to be able to predict anything with a reasonable percentage of success.



The person running HaveIBeenPwned is a very well known and respected member of the IT security community, and wouldn't do anything malicious with any of the data - it would kill his career, and would get him sued in less time than it took to write this reply.
benvanstaveren is offline  
Old 28-08-2019, 01:45   #37
Registered User

Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?

Quote:
Originally Posted by Lepke View Post
If you want to see who's selling your email, use the + after your name plus whatever site you're giving your email to. Ex: johngotti+cruisers@gmail.com
When you get a new email sold by that site +cruisers will be after your name.

A lot of places won't accept that format because they consider it invalid (even though it's perfectly fine and standardized).



For better results, find yourself a cheap email provider that lets you use your own domain name where anything sent to any address on that domain goes to the same mailbox - then filter appropriately. (For example for CF my email is cruisersforum@mypersonaldomain.example)
benvanstaveren is offline  
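As an added illustration of the two approaches in this and the preceding posts (the +tag trick and the catch-all domain), here is a small Python parser that is not from the thread: it checks that a plus-address is valid RFC 5322 syntax, collapses the address to the mailbox that really receives it (stripping the tag, and dots only for Gmail-style providers), and attributes incoming spam back to the label the address was handed out under. The dot-insensitive domain list and the sample recipients are constructed for the example.

```python
from __future__ import annotations

import re

# RFC 5322 "atext": the characters allowed in an unquoted local part.  '+' is in
# the set, so "johngotti+cruisers@gmail.com" is syntactically valid; sites that
# reject it are applying their own stricter (and wrong) validation.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = rf"{ATEXT}(?:\.{ATEXT})*"
ADDR_RE = re.compile(
    rf"^(?P<local>{DOT_ATOM})@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$"
)

# Providers that ignore dots in the local part.  Gmail is the well-known case;
# treating any other domain this way is an assumption you must verify.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def is_syntactically_valid(addr: str) -> bool:
    """Loose RFC 5322 dot-atom check (no quoted local parts, no IP literals)."""
    return ADDR_RE.match(addr) is not None


def split_subaddress(addr: str, sep: str = "+") -> tuple[str, str | None, str]:
    """Return (user, tag, domain); tag is None when no separator is present."""
    m = ADDR_RE.match(addr)
    if m is None:
        raise ValueError(f"not a valid address: {addr!r}")
    local, domain = m.group("local"), m.group("domain").lower()
    if sep in local:
        user, tag = local.split(sep, 1)
        return user, tag, domain
    return local, None, domain


def canonical_mailbox(addr: str) -> str:
    """Collapse the address to the mailbox that actually receives it: drop the
    +tag (assuming the provider supports sub-addressing) and, for dot-insensitive
    providers only, the dots."""
    user, _tag, domain = split_subaddress(addr)
    if domain in DOT_INSENSITIVE_DOMAINS:
        user = user.replace(".", "")
    return f"{user.lower()}@{domain}"


def site_for_recipient(addr: str, catchall_domains: set[str]) -> str | None:
    """Which site was this address handed to?  On a catch-all domain the whole
    local part is the label (cruisersforum@mypersonaldomain.example); elsewhere
    it is the +tag."""
    user, tag, domain = split_subaddress(addr)
    if domain in catchall_domains:
        return user if tag is None else f"{user}+{tag}"
    return tag


def attribute_spam(recipients: list[str], catchall_domains: set[str]) -> dict[str, int]:
    """Count unsolicited mail per handed-out label, i.e. who leaked or sold it."""
    counts: dict[str, int] = {}
    for rcpt in recipients:
        label = site_for_recipient(rcpt, catchall_domains)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: the To: addresses of a week of unsolicited mail.
SAMPLE_RECIPIENTS = [
    "johngotti+cruisers@gmail.com",
    "john.gotti+cruisers@gmail.com",
    "johngotti+bankxyz@gmail.com",
    "cruisersforum@mypersonaldomain.example",
]
```

Running `attribute_spam(SAMPLE_RECIPIENTS, {"mypersonaldomain.example"})` returns `{"cruisers": 2, "bankxyz": 1, "cruisersforum": 1}`; the second Gmail address still lands on "cruisers" because the label, not the dotted spelling, is what identifies the leak.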
Old 28-08-2019, 02:24   #38
Registered User

Join Date: Feb 2017
Location: Med
Boat: Dufour 455 GL
Posts: 218
Re: CF Passwords Hacked?

Quote:
Originally Posted by benvanstaveren View Post
Just from a TCP connection starting they can't fingerprint anything about you.
Incorrect. Even a single TCP SYN allows passive deduction of the likely OS, and even its vintage and patch level, thus providing useful information about what attack vectors are most viable.

TTL, advertised window size, MSS, RFC 1323 options (SACK, timestamping), NOPs, padding size and values... the combination of those attributes can frequently be used to identify the sender OS with significant accuracy.

There are plenty of commoditised tools for that kind of fingerprinting, making it available even to those who do not really understand the concepts.

And that's all before you send them so much as a measly SYN-ACK in response.


Quote:
Originally Posted by benvanstaveren View Post
At the point you establish a HTTP connection, then yes, but then again CF then has the same information.
HTTP is a stateless protocol. The "connection" is provided by TCP.

By the time a HTTP(S) request/response sequence is complete, they know your browser's advertised user-agent, the referrer, ... Even the client's customised security settings can sometimes be inferred.


Quote:
Originally Posted by benvanstaveren View Post
Sorry, but no. Someone would have to enter more than one password, most likely something on the order of 100+ for any relevant information to be obtained as to the syntax used by anyone. See also spam filters. It takes a while to train any type of Bayesian or Markov chain to be able to predict anything with a reasonable percentage of success.
Very incorrect. It is typical - and even encouraged by some authorities - to come up with passwords which follow a particular private logic that the user can use as a memory aid. "London2018summer!" lends itself to guessing that "{HolidayLocation}{Year}{Season}!" is a syntax worth prioritising in a brute-force attack.

Quote:
Originally Posted by benvanstaveren View Post
The person running HaveIBeenPwned is a very well known and respected member of the IT security community, and wouldn't do anything malicious with any of the data - it would kill his career, and would get him sued in less time than it took to write this reply
I'm very happy for him, but personally I wouldn't touch his site with a barge pole. Desensitising non-technical people to the practice of providing their usernames and passwords - if asked (!) - is certainly bad security karma. In many well-run organisations it would be a firing offence for a security professional to design a system along those lines.

Unless its purpose is not what it seems.
LongRange is offline  
Old 28-08-2019, 03:46   #39
Registered User

Join Date: Jul 2019
Posts: 36
Re: CF Passwords Hacked?

Quote:
Originally Posted by LongRange View Post
Incorrect. Even a single TCP SYN allows passive deduction of the likely OS, and even its vintage and patch level, thus providing useful information about what attack vectors are most viable.

TTL, advertised window size, MSS, RFC 1323 options (SACK, timestamping), NOPs, padding size and values... the combination of those attributes can frequently be used to identify the sender OS with significant accuracy.

Correct - but then again, the level of work required to get this is more than the average Joe Q. Scriptkiddie would bother with; as far as the SYN fingerprinting goes at least.



Quote:

There are plenty of commoditised tools for that kind of fingerprinting, making it available even to those who do not really understand the concepts.

And that's all before you send them so much as a measly SYN-ACK in response.

Also correct - however... (yes I'm going to be like that) - in the give-or-take 20-odd years in IT and half of that doing security-related hoo-hah, the average spammer/scriptkiddie doesn't go that far because the effort far outweighs the reward.


Quote:
HTTP is a stateless protocol. The "connection" is provided by TCP.

Aware of that. You said HTTP connection in your previous answer, I think, so I just went with that to avoid seeming like an anal retentive ******* (which, admittedly, I am, so I'm sorry if I'm offending anyone at the moment).



Quote:

By the time a HTTP(S) request/response sequence is complete, they know your browser's advertised user-agent, the referrer, ... Even the client's customised security settings can sometimes be inferred.

Entirely correct, however, that information is available to any webserver - so even CF has this information, and like it or not, advertisers will go even further with canvas fingerprinting and so on to track you - yet you never hear anyone talk about that.



Quote:

Very incorrect. It is typical - and even encouraged by some authorities - to come up with passwords which follow a particular private logic that the user can use as a memory aid. "London2018summer!" lends itself to guessing that "{HolidayLocation}{Year}{Season}!" is a syntax worth prioritising in a brute-force attack.

Yes and no - you would still need to have some form of filter/classifier that understands that "London2018summer" is in fact a holiday location/year/season - you can't infer that in any other way except to slap together all known destinations, years, and seasons - at which point, all you have is a dictionary - and a dictionary is useless for brute-force attempts because most services will rate limit you or outright block you after too many failed attempts.


If you get a hold of dumps in the wild that contain weakly salted/encrypted passwords, you'd still need to have a go at it with John the Ripper to get anything out of it - and admittedly, if by that point you have a dictionary that will pick up on the password style suggested above, that's a single style - how many are there?



I mean, I'm a big advocate of either passphrases ("This is my super secret 5th password that I don't use anywhere else") or running a good old pwgen 64 to get something that's got enough entropy to keep most people busy for too long.


Quote:
I'm very happy for him, but personally I wouldn't touch his site with a barge pole. Desensitising non-technical people to the practice of providing their usernames and passwords - if asked (!) - is certainly bad security karma. In many well-run organisations it would be a firing offence for a security professional to design a system along those lines.

Unless its purpose is not what it seems

You are never asked to provide username and password at the same time - you can enter your email address to see if it's been found in dumps that were made public, or you can enter a password (any password) to see if that has also been found in dumps - regardless of whether it's yours or someone else's - if it's been found in some form or other, it will tell you that that password is "known" in the wild, and thus most likely will be part of someone's dictionary.



As far as it goes, I'm all for being paranoid, but at the same time you can't advocate IT security yet at the same time tell people to disregard using a tool that can save their collective bacon. I find that hard to reconcile.



Anyway! Let's agree to disagree on the usefulness/trustworthiness of HIBP, before we derail the thread entirely - always willing to talk shop in PM or a more suitable topic though.
benvanstaveren is offline  
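Added example bridging the two positions above on password "syntax" (it is not code from either poster): a tokenizer that turns "London2018summer!" into the template {place}{year}{season}{symbol}, expands that template from small constructed dictionaries, and compares the candidate count with the hashcat-style mask a structure-blind brute force would have to run. The dictionaries are constructed and tiny, and the classifier is the naive longest-match kind, which is exactly the limitation the reply raises: an unknown word such as "Fluffy" stays a literal because there is no dictionary to expand it from.

```python
from __future__ import annotations

import itertools

# Constructed mini-dictionaries.  A real attacker uses gazetteers and wordlists
# thousands of entries long; the structure, not the size, is the point here.
PLACES = ["london", "paris", "rome", "lisbon", "athens", "dublin"]
SEASONS = ["spring", "summer", "autumn", "winter", "fall"]
YEARS = [str(y) for y in range(1990, 2026)]
SYMBOLS = list("!@#$%&*?")
WORD_CLASSES = {"place": PLACES, "season": SEASONS}
MASK_SIZES = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}   # hashcat charset sizes


def tokenize(pw: str) -> list[tuple[str, str]]:
    """Split a password into (class, literal) tokens: longest dictionary match
    first, then year / digit runs, then unknown letter runs, then symbols."""
    tokens: list[tuple[str, str]] = []
    low, i = pw.lower(), 0
    while i < len(pw):
        hit = None
        for cls, words in WORD_CLASSES.items():
            for w in sorted(words, key=len, reverse=True):
                if low.startswith(w, i):
                    hit = (cls, pw[i:i + len(w)])
                    break
            if hit:
                break
        if hit:
            tokens.append(hit)
            i += len(hit[1])
        elif pw[i].isdigit() or pw[i].isalpha():
            j = i
            same_kind = str.isdigit if pw[i].isdigit() else str.isalpha
            while j < len(pw) and same_kind(pw[j]):
                j += 1
            run = pw[i:j]
            cls = ("year" if run in YEARS else "digits") if run.isdigit() else "word"
            tokens.append((cls, run))
            i = j
        else:
            tokens.append(("symbol", pw[i]))
            i += 1
    return tokens


def template(tokens: list[tuple[str, str]]) -> str:
    return "".join("{" + cls + "}" for cls, _ in tokens)


def naive_mask(pw: str) -> str:
    """The hashcat mask a structure-blind attacker would have to run."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in pw)


def pool(cls: str, literal: str) -> list[str]:
    """Candidate values for one token; dictionary words get lower and Capitalised forms."""
    if cls in WORD_CLASSES:
        return [v for w in WORD_CLASSES[cls] for v in (w, w.capitalize())]
    if cls == "year":
        return YEARS
    if cls == "digits":
        return [f"{n:0{len(literal)}d}" for n in range(10 ** len(literal))]
    if cls == "symbol":
        return SYMBOLS
    return [literal]        # unknown word: no dictionary to expand from, keep what was seen


def template_keyspace(tokens: list[tuple[str, str]]) -> int:
    n = 1
    for cls, lit in tokens:
        n *= len(pool(cls, lit))
    return n


def mask_keyspace(mask: str) -> int:
    n = 1
    for i in range(0, len(mask), 2):
        n *= MASK_SIZES[mask[i:i + 2]]
    return n


def expand(tokens: list[tuple[str, str]]):
    """Generate every candidate the inferred template covers."""
    for combo in itertools.product(*(pool(c, l) for c, l in tokens)):
        yield "".join(combo)


def analyse(pw: str) -> dict:
    toks, mask = tokenize(pw), naive_mask(pw)
    return {
        "tokens": toks,
        "template": template(toks),
        "template_keyspace": template_keyspace(toks),
        "mask": mask,
        "mask_keyspace": mask_keyspace(mask),
        "regenerated": pw in set(expand(toks)),
    }
```

For "London2018summer!" the template covers 34,560 candidates against roughly 3 x 10^22 for the 17-character mask, and the original password is among the 34,560. That is the asymmetry the first post is pointing at; the second post's objection holds in the sense that the template is only as good as the dictionaries and the classifier, and that online guessing is rate-limited either way, so the template matters most against an offline hash dump.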
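Added example of the password check as HIBP's Pwned Passwords range API actually performs it (this code is mine, not the service's): only the first five hex digits of the SHA-1 leave your machine, the server returns every suffix in that bucket, and the comparison happens locally, so the site never sees the password and cannot pair it with a username. The bucket contents below are constructed, apart from the genuine SHA-1 remainder of "password"; the network fetcher is included for completeness but is not exercised offline.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint; not contacted here


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Only the 5-hex-digit prefix (20 bits) is sent; the 35-digit remainder
    is compared locally against whatever the server returns for that bucket."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """The range response is one '<35-hex-suffix>:<count>' per line."""
    out: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str, timeout: float = 10.0) -> str:
    """Network fetch of one bucket (assumed usage; not exercised offline)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the 5BAA6 bucket.  The first suffix is the genuine
# SHA-1 remainder of "password"; the count and the other entries are made up.
CONSTRUCTED_BUCKETS = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E4C9B93F3F0682250B6CF8331B7EE68000:2",
        "0" * 31 + "FFFF:17",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_live: anything outside 5BAA6 is empty."""
    return CONSTRUCTED_BUCKETS.get(prefix, "")
```

`breach_count("password", fetch_range_offline)` returns the constructed count for "password", while a passphrase whose suffix is not in the returned bucket returns 0. Swap in `fetch_range_live` to query the real service; with 16^5 buckets the prefix narrows a guess to roughly one in a million hashes, which is the k-anonymity property the design relies on.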
Old 28-08-2019, 04:53   #40
Registered User

Join Date: Feb 2017
Location: Sea of Cortez
Boat: Passport 41
Posts: 213
Re: CF Passwords Hacked?

The problem is not the login page. It's the normal pages. The cookies are sent to the server, in clear text, along an insecure path on the internet. The cookies contain your password in an insecure hash. The cookie is literally called "cfpassword". It looks like an MD4 or MD5 hash. The same is true for your session cookies. Anyone in the middle could easily hijack your session and impersonate you.

kev_rm is offline  
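Added example that is not part of the thread, covering this post and #33's point about forcing HTTPS: a small auditor that parses a captured request and response, flags credential-looking cookies sent in clear, checks the response for an HTTPS redirect, HSTS and the Secure/HttpOnly cookie attributes, and shows why an unsalted MD5 of the password in a cookie is no protection even if the attacker never bothers to crack it. The capture, the host name and the cookie value are constructed for the demo; whether the real cfpassword cookie is built that way is not something this code establishes.

```python
from __future__ import annotations

import hashlib
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")            # MD4/MD5-sized digest
CRED_NAME = re.compile(r"pass|pwd|sess|auth|token|login", re.I)


def parse_http_message(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a captured request or response into (start line, headers);
    header names are lower-cased and may repeat (Set-Cookie)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_cookie_header(value: str) -> dict[str, str]:
    cookies: dict[str, str] = {}
    for part in value.split(";"):
        k, sep, v = part.strip().partition("=")
        if sep:
            cookies[k] = v
    return cookies


def audit_request(raw: str, over_tls: bool) -> list[dict]:
    """Flag credential-looking cookies.  On plaintext every one of them is
    readable by an on-path observer, and each is replayable as-is."""
    _start, headers = parse_http_message(raw)
    findings = []
    for cookie_hdr in headers.get("cookie", []):
        for name, value in parse_cookie_header(cookie_hdr).items():
            if not CRED_NAME.search(name):
                continue
            findings.append({
                "cookie": name,
                "shape": "32-hex (MD4/MD5-sized)" if HEX32.match(value) else "opaque",
                "exposed_on_wire": not over_tls,
                "replayable": True,   # a static credential cookie works in any client that presents it
            })
    return findings


def audit_response(raw: str) -> dict:
    """Does the server force HTTPS and protect the cookies it sets?"""
    start, headers = parse_http_message(raw)
    status = int(start.split(" ")[1])
    location = headers.get("location", [""])[0]
    cookie_flags = {}
    for sc in headers.get("set-cookie", []):
        name = sc.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in sc.split(";")[1:]}
        cookie_flags[name] = {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return {
        "redirects_to_https": status in (301, 302, 307, 308) and location.lower().startswith("https://"),
        "hsts": "strict-transport-security" in headers,
        "cookies": cookie_flags,
    }


def crack_md5_cookie(value: str, wordlist: list[str]) -> str | None:
    """If the cookie really is an unsalted MD5 of the password, a wordlist
    recovers it at CPU speed; nothing about the cookie slows this down."""
    target = value.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


# Constructed capture: a forum page request over plain HTTP.  The cfpassword
# value is md5("Sailing2019!") computed here for the demo.
DEMO_PASSWORD = "Sailing2019!"
CAPTURED_REQUEST = (
    "GET /forums/showthread.php?t=1 HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    f"Cookie: cfpassword={hashlib.md5(DEMO_PASSWORD.encode()).hexdigest()}; "
    "cfsessionhash=0123456789abcdef0123456789abcdef; lastvisit=1566960000\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: cfpassword=deadbeefdeadbeefdeadbeefdeadbeef; path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.example/forums/showthread.php?t=1\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: cfsessionhash=0123456789abcdef0123456789abcdef; path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
```

`audit_request(CAPTURED_REQUEST, over_tls=False)` flags both cfpassword and cfsessionhash as exposed; `audit_response(WEAK_RESPONSE)` reports no redirect, no HSTS and a cookie without Secure or HttpOnly, while the hardened response passes all three. The cracking step is the smaller problem: the hijack kev_rm describes only needs the cookie copied into another client, which is why the fix is TLS everywhere plus Secure cookies, not a better hash.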
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2024, vBulletin Solutions, Inc.