Adobe has released an update to flash player. This is an important update which addresses several security problems, one of which is being actively exploited. So if you have flash installed, you may want to head over to the flash player home page for an update. And here’s the Adobe security bulletin.
Author: carl
Passwords: salts, hashes
In the previous post we saw that network and web site accounts with reasonable security use hash functions to protect passwords.
But even using a hash function isn’t enough, because the bad guys have rainbow tables. A rainbow table is a list of common passwords (like Password123) and their hash values. So if a site suffers a data breach exposing account data, a simple hash function won’t be much of a barrier, because the criminal can compare the hash values (in the breach data) against a rainbow table and recover many of the weaker passwords.
To counter rainbow tables, sites typically salt users’ passwords: when someone creates a password, the site generates some random characters (the salt), appends that to the user’s password, runs the salted password through the hash function, and then stores the hash value and the salt. When the user tries to log in, the site takes the password they typed, appends the salt stored with the user’s account, sends that through the hash function, and compares the hash values.
Salting hashes sets the bar a lot higher, because the criminal would need to compute a new rainbow table for each password (because each password will have a different salt).
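The scheme described above, as an added Python example that is not part of the original post: a small constructed "rainbow table" (a few common passwords keyed by their plain hash) recovers a leaked unsalted hash, while the same password stored with a per-account random salt is not in the table and two accounts with the same password get different stored values. The hash function, the 16-byte salt length and the helper names are assumptions for the example, not details from the post.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a rainbow table: precomputed hashes of a few common
# passwords, keyed by hash so a leaked unsalted hash can be looked up directly.
COMMON_PASSWORDS = ["password", "Password123", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain one-way hash of the password: the scheme a rainbow table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


RAINBOW_TABLE = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_in_table(stored_hash: str) -> Optional[str]:
    """Return the password behind a leaked unsalted hash, or None if not in the table."""
    return RAINBOW_TABLE.get(stored_hash)


def make_salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Sign-up side: generate a random salt, hash(password + salt), store both."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account (assumed length)
    digest = hashlib.sha256(password.encode("utf-8") + salt).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def verify_salted(password: str, record: dict) -> bool:
    """Login side: re-hash the typed password with the stored salt and compare digests."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.sha256(password.encode("utf-8") + salt).hexdigest()
    # constant-time comparison so response timing does not leak how many bytes matched
    return hmac.compare_digest(digest, record["hash"])


def make_kdf_record(password: str, salt: Optional[bytes] = None,
                    iterations: int = 200_000) -> dict:
    """Same idea with a deliberately slow, salted key-derivation function (PBKDF2)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()
    return {"salt": salt.hex(), "hash": digest, "iterations": iterations}


def verify_kdf(password: str, record: dict) -> bool:
    """Login check for a PBKDF2 record; the iteration count is stored with the record."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 record["iterations"]).hex()
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    leaked = unsalted_hash("Password123")
    print("unsalted hash found in table:", lookup_in_table(leaked))
    alice = make_salted_record("Password123")
    bob = make_salted_record("Password123")
    print("same password, different stored hashes:", alice["hash"] != bob["hash"])
    print("salted hash found in table:", lookup_in_table(alice["hash"]))
    print("login with the right password:", verify_salted("Password123", alice))
```

The plain-SHA-256 pair follows the post's description literally; the PBKDF2 pair is the form a production system should use, because a password hash is meant to be slow (PBKDF2, bcrypt, scrypt or Argon2) so that guessing each salted hash individually is expensive as well as table-proof.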
This is why I get frustrated with fiction that makes it look easy to crack passwords. Any account worth hacking will likely be protected by some or all of the following safeguards:
- salted and hashed passwords
- a password policy enforcing complexity rules (e.g., your password has to be at least eight characters, has to include numbers and punctuation characters, and can’t look too much like a word)
- active response locking an account after too many failed attempts
- two-factor authentication (you log in with your username and password, but then the site won’t give you access until you enter a code it sends to your cell phone)
Active response in particular makes guessing passwords impractical. If your character is trying to break into a network or web site account, too many failed attempts are going to end up locking the target account. Your character is better off trying to steal the password with a phishing attack, social engineering, using a keylogger, exploiting a flaw in the “forgot my password” feature, or even a security camera pointed at the keyboard.
And an account protected by two-factor authentication is nearly unassailable, because your character would need the target’s password and their cell phone. Social engineering might be best here.
June 2016 Microsoft updates
Yesterday Microsoft released their June 2016 updates to address a long list of defects, several of which the vendor regards as critical.
Twitter passwords up for sale
The latest in a string of such things: someone is offering to sell 33 million Twitter passwords. Twitter claims that they weren’t breached, but they’re resetting the passwords of affected users anyway. So it might not hurt to reset your Twitter password.
Passwords: this isn’t a game show
Have you ever seen a movie where someone is running a computer program to crack a password (or a missile launch code), and it discovers one character at a time? It looks like a Wheel of Fortune contestant correctly guessing a letter or buying a vowel. This is a trope I think writers and screenwriters should avoid.
Passwords don’t work like Wheel of Fortune. If they did, it would mean that each individual character is stored separately, and it would take around the same (boringly brief) length of time to guess each one.
When you sign up for an account on a web site that has reasonable security, the site takes the password you provided and puts it through something called a one-way hash function. The hash function turns your password into a hash value: it transforms something like
Password123
into something like
b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1
or
Password124
into
ae5b6bf3a00dabe4bcb06918044f3032c6e7c80c
Hash functions (there are many of them–I used sha1sum for these examples) have several important features:
- The same input always produces the same hash value (sha1sum always hashes Password123 to b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1).
- It’s very difficult to find two passwords that have the same hash value, but it’s not impossible. (This means that a hash value does not uniquely determine a password.)
- You generally can’t work backwards from the hash value to recover the password (it’s different from encryption, which allows you to decrypt the encrypted value).
- A minor change in the password (changing 3 to 4 above) drastically affects the hash value.
So when you set your password, the site hashes your password and saves the hash value, not the original password. Next time you log in, it uses the same hash function to hash the password you just typed in and compares that hash value to the hash value stored next to your username. If the hash values match, then you typed the correct password, and the site gives you access. If they don’t match, you get the “invalid password” message.
That’s one of the many reasons that the Wheel of Fortune thing is so absurd. The site checking the password you just typed doesn’t even know the original password. It’s checking one hash value against another–the whole thing matches or the whole thing fails. So even if a criminal compromises the site through some security vulnerability and manages to download the username/password database, they get a bunch of stuff they can’t read.
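The properties listed above, as an added Python example that is not part of the original post: the same input always hashes the same way, a one-character change (Password123 to Password124) flips a large fraction of the digest bits, and a login check compares whole digests, so a guesser gets one yes/no per attempt and nothing per character. SHA-1 is used only because the post's examples use sha1sum; `PasswordStore`, `feedback_for_guesses` and the sample usernames are assumptions for the example. Note that `echo Password123 | sha1sum` hashes the string plus a trailing newline, so a digest computed that way will differ from the digest of the bare string computed here.

```python
import hashlib
import hmac

SHA1_BITS = 160  # SHA-1 produces a 160-bit (40 hex character) digest


def sha1_hex(text: str) -> str:
    """SHA-1 hex digest of the bare string, with no trailing newline."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_fraction(text_a: str, text_b: str) -> float:
    """Fraction of digest bits that change between two inputs (about 0.5 for a good hash)."""
    return differing_bits(sha1_hex(text_a), sha1_hex(text_b)) / SHA1_BITS


class PasswordStore:
    """Keeps only hash values; login is an all-or-nothing digest comparison."""

    def __init__(self) -> None:
        self._hashes = {}  # username -> hex digest (constructed in-memory store)

    def set_password(self, username: str, password: str) -> None:
        # the original password is never stored, only its hash value
        self._hashes[username] = sha1_hex(password)

    def check_password(self, username: str, password: str) -> bool:
        stored = self._hashes.get(username)
        if stored is None:
            return False
        # constant-time comparison of the two full digests
        return hmac.compare_digest(stored, sha1_hex(password))


def feedback_for_guesses(store: PasswordStore, username: str, guesses: list) -> list:
    """Everything a guesser learns from the site: one bool per guess, nothing per character."""
    return [store.check_password(username, g) for g in guesses]


if __name__ == "__main__":
    print("Password123 ->", sha1_hex("Password123"))
    print("Password124 ->", sha1_hex("Password124"))
    print("fraction of bits changed:", round(avalanche_fraction("Password123", "Password124"), 2))
    store = PasswordStore()
    store.set_password("alice", "Password123")
    # a guess with all but one character right looks exactly like a wrong guess
    print(feedback_for_guesses(store, "alice", ["Password12", "Password124", "Password123"]))
```

The `feedback_for_guesses` output is the whole point of the Wheel of Fortune comparison: a guess that is 10 of 11 characters correct produces the same `False` as a random string, so there is no signal to discover the password one character at a time.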
In the next post we’ll see that hashing passwords is better than storing passwords in clear text, but that it’s still not sufficient.
Tumblr password breach
And now Tumblr is saying that they’ve had a data breach potentially exposing the passwords of 65 million accounts. Like the LinkedIn and MySpace breaches, this appears to be a few years old, and Tumblr is forcing password resets on the accounts it thinks are affected. Still, it wouldn’t hurt to reset your Tumblr password.
MySpace password breach
There’s a story going around that someone is trying to sell a collection of SEVERAL HUNDRED MILLION MySpace passwords (and that it’s the same person who is selling 100+ million LinkedIn passwords). As with the LinkedIn case, this may be a data breach from months or even years ago.
Still, if you have a MySpace account, or if you’ve re-used a MySpace password elsewhere, this might be a good time to change your password.
LinkedIn account breach
A LinkedIn data breach has been in the news the last few days. Someone is trying to sell a set of 117 million LinkedIn accounts from a 2012 breach, a breach that now appears to be much larger than was originally reported.
If LinkedIn thinks that your account is affected, they’ll probably force you to reset your password. And even if they don’t, this might be a good time for you to do that anyway, especially if you think your password might be older than 2012.
17 May 2016 Apple updates: OS X, iOS, iTunes, etc.
Apple has released updates for many of its products. So visit the App Store on your Mac, and then update your mobile device(s).
2016 AccessU
I spent most of last week at the John Slatin AccessU conference, an annual digital accessibility conference held on the St. Edwards University campus in Austin. This post will be a somewhat haphazard collection of observations from the conference, but it may serve as sort of a followup to the web accessibility post from a couple of months ago.
There were several people at the conference with visual impairments. Two in particular stand out in my mind, as they were in several of the sessions I attended. One of them used a service animal (German Shepherd, I think), and the screen of his laptop was remarkably smudged (because, why would he care?). The other fellow used a collapsible cane, and he typically only opened his laptop far enough to get his hands on the keyboard. I’m not sure their laptop screens ever actually came on (which probably helped the battery life). The second fellow said he works part-time as an accessibility tester for Knowbility (the group that organizes the conference).
There was another fellow there who was sighted but had no arms (born that way, I presume). I didn’t see him use a computer, but I’ve seen pictures of other people who don’t have the use of their arms. They grasp a stick or pencil in their teeth and use that to type (that must take a lot of patience).
And there was a woman with diminished vision who gave a presentation demonstrating how she uses a computer. She uses a combination of a screen reader and a magnification tool. She uses the magnification tool to set the screen in reverse video mode for high contrast. Her demonstration was particularly interesting, because the computer she was using had trouble connecting to the wireless network, and then it wanted to run Windows updates. She got some help and rolled with it pretty well, but it was instructive to see what a barrier it was to be faced with poorly-presented error messages.
The third day of the conference I attended a mobile accessibility bootcamp presented by Paul J Adam, and that was really interesting. The presenter said that people with visual impairments favor iOS over Android, and it turns out that it’s by a pretty wide margin: in a July 2015 survey of over 2500 screenreader users, about 70% use an iOS device as their primary platform (compared to around 21% using Android).
As one of the exercises in the mobile accessibility bootcamp, I tried using a native app on my Android phone with the Talkback screen reader, and it was a real struggle. Some of that was my unfamiliarity with screen readers in general and Talkback in particular, but some of it was probably poor accessibility in the app (and that’s likely pretty common).
If you ever visit Austin, the St. Edwards campus is really nice (the Sorin Oak is particularly impressive), and Pinthouse Pizza has really good beer.