
Privacy Concerns


Juris


Hi all, I've been debating asking this here for a while but have held off till now. I'm not going to start a political debate and won't respond to anyone who tries but I'm a little concerned over certain tensions I think we're all aware of in the world right now and whether this can affect our privacy and data on the ED forum regards authorities and some upcoming legislative changes which may be coming in the RF for sites and users both Russian and foreign.

 

1) Am I right in thinking the forum is hosted in Russia and if so will our user data be open to the authorities and if so what would be needed for them to acquire it.

2) Can our data, account, usernames, passwords, posts be completely deleted permanently including all archives by us if we choose to or request it from the mods and can we revoke our agreement to the T&C's including those involving the sharing of the above with DCS affiliates. Basically a complete wipe & leave the forums.

 

I'm trying to be as delicate with this post as possible but it has become a concern for me with everything going on. I've chosen to ask it in open forum as possibly others may have similar concerns and would like to know themselves. Cheers guys.

MSI Gaming 9 ACK, Intel 4790k 4.4ghz, AMD 295x2 GPU, 32gb Corsair Dominator Platinum 2133mhz, DCS on Samsung 840pro SSD. Windows 10 Pro 64-bit.

Link to comment

If you have posts on the forum that you do not want someone to have access to, why did you post them on a public forum?

ASUS ROG Maximus VIII Hero, i7-6700K, Noctua NH-D14 Cooler, Crucial 32GB DDR4 2133, Samsung 950 Pro NVMe 256GB, Samsung EVO 250GB & 500GB SSD, 2TB Caviar Black, Zotac GTX 1080 AMP! Extreme 8GB, Corsair HX1000i, Phillips BDM4065UC 40" 4k monitor, VX2258 TouchScreen, TIR 5 w/ProClip, TM Warthog, VKB Gladiator Pro, Saitek X56, et. al., MFG Crosswind Pedals #1199, VolairSim Pit, Rift CV1 :thumbup:

Link to comment

Just wondering what you are worried about, buddy? The Russians are welcome to all my stuff, to be honest I'd be more concerned over what Facebook has than what Eagle Dynamics has. I'm working for an American Fortune 500 global security company and we are merrily doing business with the Russians right now.

 

Also, website trawlers download forums quite often so the public facing parts are no sooner on here as they are on archives around the world.

 

Nevertheless, I'm sure the forum admin in Russia can answer the deletion of data question. Personally I would have thought that guarantees are too hard to come by and not going to fulfill what you are asking, but I'm still interested on what you would hope to accomplish or concerned what you think you might lose?

___________________________________________________________________________

SIMPLE SCENERY SAVING * SIMPLE GROUP SAVING * SIMPLE STATIC SAVING *

Link to comment

I think it's safe to say that once something is posted to the internet it's never going to disappear.

 

Kind of like posting something on a public bulletin board. You don't know who actually saw it, copied it, re-posted it, etc.

 

The first rule of computer security is that there is no security. If you can access it, anyone can (with some extra work).

 

The real concern is what has been posted and what someone can do with that information.


MapleFlagMissions - Read Our Blog for Updates

Link to comment

If you have posts on the forum that you do not want someone to have access to, why did you post them on a public forum?

 

Times change and objectives of governments change. We are on a forum dealing with military simulation so we all know that things change. I don't think someone can simply not post anything on any open social space worldwide in the paranoid fear something somewhere might change at some point in time. Would be a very silent world if we all did that.

 

Just wondering what you are worried about, buddy? The Russians are welcome to all my stuff, to be honest I'd be more concerned over what Facebook has than what Eagle Dynamics has. I'm working for an American Fortune 500 global security company and we are merrily doing business with the Russians right now.

 

Also, website trawlers download forums quite often so the public facing parts are no sooner on here as they are on archives around the world.

 

Nevertheless, I'm sure the forum admin in Russia can answer the deletion of data question. Personally I would have thought that guarantees are too hard to come by and not going to fulfill what you are asking, but I'm still interested on what you would hope to accomplish or concerned what you think you might lose?

 

Facebook is a very different thing, yet interlinked in terms of privacy so I understand your point. Believe me if people aren't worried about their privacy on FB they're quite stupid tbh. However I'm questioning here as regards the Russian aspect as it's a Russian forum and the laws are different as are recourse methods so I am looking for those details.

 

While the public trawlers grab everything public it's more my concern regards the private data held. You wouldn't mind someone having access to your review of a product on Amazon but I think you'd be more concerned who has access to the CC details you used to buy it (that's not an aspersion on ED but externals).

 

Like I said this isn't a political debate, I just want to fly an awesome simulation, but changes in the real world can affect us as we've seen so I'd like to know where we stand on these issues in the Russian context here on ED (when in Rome ya know) & if we can go and have that private data such as CC details and passwords deleted and not accessed by those who I hadn't agreed to access them originally but may change with time.

 

When you agree to T&C's anywhere you can only do that based on the laws/regime in place at the time which rules the T&C. If the laws/regime change the acceptance should be capable of withdrawal if you would no longer have accepted them under the new laws/regime. (see FB Max Schrems data deletion case in the EU).

MSI Gaming 9 ACK, Intel 4790k 4.4ghz, AMD 295x2 GPU, 32gb Corsair Dominator Platinum 2133mhz, DCS on Samsung 840pro SSD. Windows 10 Pro 64-bit.

Link to comment

Pay with Paypal. Problem solved.

ASUS ROG Maximus VIII Hero, i7-6700K, Noctua NH-D14 Cooler, Crucial 32GB DDR4 2133, Samsung 950 Pro NVMe 256GB, Samsung EVO 250GB & 500GB SSD, 2TB Caviar Black, Zotac GTX 1080 AMP! Extreme 8GB, Corsair HX1000i, Phillips BDM4065UC 40" 4k monitor, VX2258 TouchScreen, TIR 5 w/ProClip, TM Warthog, VKB Gladiator Pro, Saitek X56, et. al., MFG Crosswind Pedals #1199, VolairSim Pit, Rift CV1 :thumbup:

Link to comment

Pay with Paypal. Problem solved.

 

Sorry but that does not address the issue of pre-existing data, CC details, passwords etc. It would only apply to new signups buying for the 1st time but doesn't relate to the forum itself directly.

 

Question still stands. Any mods care to chime in? Cheers.

MSI Gaming 9 ACK, Intel 4790k 4.4ghz, AMD 295x2 GPU, 32gb Corsair Dominator Platinum 2133mhz, DCS on Samsung 840pro SSD. Windows 10 Pro 64-bit.

Link to comment

  • 2 weeks later...

As for the forum, a simple whois and trace informs that the forum is hosted in France, by OVH.

Source

For the website http://www.digitalcombatsimulator.com, the IP 87.98.182.202 is also hosted in France. The signal starts from France, goes to Switzerland, USA, Armenia and then home (I'm in Belgium). Well, quite a good travel!

See for yourself

 

Edit: My concern about security is that I would like to see the forum login in https (SSL/TLS) instead of in clear like it is now.

Someone listening to the traffic can very easily grab our passwords and access our account. And if you have the same password for the forum and for the website, a hacker can easily access all our licences.

Hopefully, the payment means need to be completed at each order and are not (do not seem to be) stored on the server.

 

Edit2: I find it quite 'weird' that the sites are hosted in France instead of Russia, because of the Russian laws concerning website hosting.

Copy-Paste of an article I found:

"Passed by the Duma on July 4, 2014. This legislation still awaits the Senate’s approval and Putin’s signature. The law, if passed, will require all websites that store user data about Russian citizens to house that data on servers located inside Russia. According to the legislation’s logic, websites will be barred from storing Russian users’ personal data anywhere outside of Russia (though the law’s actual text is somewhat vague on this point, perhaps because of jurisdictional limitations on what Russia can mandate outside its borders). The law applies to a wide variety of websites, ranging from e-booking services to Facebook, affecting any website or online service operating on the concept of “users.”"

Source


Edited by Cedaway

DCS Wish: Turbulences affecting surrounding aircraft...


Gigabyte GA-Z170-HD3P - Intel Core i5 6600K - 16Gb RAM DDR4-2133 - Gigabyte GeForce GTX 1080 G1 Gaming - 8 Go - 2 x SSD Crucial MX300 - 750 Go RAID0 - Screens: HP OMEN 32'' 2560x1440 + Oculus Rift CV1 - Win 10 - 64bits - TM WARTHOG #889 - Saitek Pro Rudder.

Link to comment

  • 1 month later...
Sorry but that does not address the issue of pre-existing data, CC details, passwords etc. It would only apply to new signups buying for the 1st time but doesn't relate to the forum itself directly.

 

Question still stands. Any mods care to chime in? Cheers.

 

Your data is as safe as everywhere else. If someone hacks it, it might be gone. That's how the whole internet thing works.

 

Now we all know what you are aiming for here... As in most countries if you get into a dispute with the government there might be special laws that let em exit your data. (Refer to country laws)


Edited by ericoh
Link to comment

Sorry but that does not address the issue of pre-existing data, CC details, passwords etc. It would only apply to new signups buying for the 1st time but doesn't relate to the forum itself directly.

 

Question still stands. Any mods care to chime in? Cheers.

 

Payments are handled through SagePay, which is a British company.

Good, fast, cheap. Choose any two.

Come let's eat grandpa!

Use punctuation, save lives!

Link to comment

2) Can our data, account, usernames, passwords, posts be completely deleted permanently including all archives by us if we choose to or request it from the mods and can we revoke our agreement to the T&C's including those involving the sharing of the above with DCS affiliates. Basically a complete wipe & leave the forums.

 

Upon simple user request, in general, no. IANAL and there may be special cases where this might be required of us but in general we do not do this.

 

Also, this forum can be queried by google, so good luck on getting anything you write here "off the internet".

Good, fast, cheap. Choose any two.

Come let's eat grandpa!

Use punctuation, save lives!

Link to comment

Sorry but that does not address the issue of pre-existing data, CC details, passwords etc. It would only apply to new signups buying for the 1st time but doesn't relate to the forum itself directly.

 

Question still stands. Any mods care to chime in? Cheers.

 

I'm curious as to why you'd think the Russian government would take an interest in you, or anyone else on here?

 

If they wanted that info, they'd get it one way or another.

 

If you're using the same password for ED accounts, then you are asking for trouble. Even if the forum did get hacked, at worst, you'd see a lot more spam in your junk folder, unless you've put everything bar your inside leg measurements in your profile.

Link to comment

1. Change your password regularly - a no brainer.

 

2. Your bank will always be responsible for any losses incurred through fraudulent use of your card or account details. They are the ones who set up and run all the systems used for online payments. If you haven't given anyone your details in a manner inconsistent with proper use of the card, then you are never responsible for any losses through fraud.

Link to comment

TFC, a British company, is the publisher.

 

Payments handled through PayPal are obviously not done in Russia.

Payments by CC are done with SagePay, a major card handler in the British Isles (I am presently located in Dublin, Ireland, and a majority of card terminals I use when paying my groceries are SagePay).

 

Do not worry about your CC details. Neither Eagle Dynamics, nor TFC, and definitely no-one in Russia, technically ever has them.

 

Passwords are stored as salted hashes. We do not have your password. We would require a couple hundred thousand years on the most powerful supercomputers to get your password. ;) (How that works is a bit complicated, but basically handled through encryption where your computer encrypts it as you type it - and it is sent in encrypted form - and this is then compared with the database entry of the encrypted data. If it matches, all is good. But the "hash" saved in the database cannot be used backwards without an amount of computation power that I doubt even NSA has available - without spending years and years with the most sophisticated stuff on the planet.)

 

Basically, even if a government where the servers in question are located (France, Germany, UK) wanted your data, and even if we wanted to give it to them, we couldn't.


Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Intel i7 2600K @ 4.4GHz, ASUS Sabertooth P67, 8GB Corsair Vengeance @ 1600MHz, ASUS GTX 560Ti DirectCU II 1GB, Samsung 830series 512GB SSD, Corsair AX850w, two BENQ screens and TM HOTAS Warthog

DCS: A-10C Warthog FAQ | DCS: P-51D FAQ | Remember to read the Forum Rules |

|
| Life of a Game Tester
Link to comment

1) Am I right in thinking the forum is hosted in Russia and if so will our user data be open to the authorities and if so what would be needed for them to acquire it.

 

To me it looks like the forum is hosted in Germany, though I suspect this might simply be a load balancing technique with the actual backend located somewhere else.

 

$ host forums.eagle.ru
forums.eagle.ru has address 46.4.91.3

$ whois 46.4.91.3
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '46.4.91.0 - 46.4.91.31'

% Abuse contact for '46.4.91.0 - 46.4.91.31' is 'abuse@hetzner.de'

inetnum:        46.4.91.0 - 46.4.91.31
netname:        HETZNER-RZ14
descr:          Hetzner Online AG
descr:          Datacenter 14
country:        DE
admin-c:        HOAC1-RIPE
tech-c:         HOAC1-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
mnt-lower:      HOS-GUN
mnt-routes:     HOS-GUN
source:         RIPE # Filtered
[...]

 

I don't know what kind of legal permission Russian authorities would need to access this type of data, but generally speaking we should assume that everything we post and do on the Internet is already in the hands of services associated with one or several countries.

 

I don't see how this particular forum would be of special interest to Russian authorities, though.

 

2) Can our data, account, usernames, passwords, posts be completely deleted permanently including all archives by us if we choose to or request it from the mods and can we revoke our agreement to the T&C's including those involving the sharing of the above with DCS affiliates. Basically a complete wipe & leave the forums.

 

I didn't check the T&C, but from my point of view it would be weird for users to have their posts deleted. That would be detrimental towards the archival function of the forum. Imagine some of the more knowledgeable users deleted all their posts, then all kinds of links would point to an empty space. I for one would not want to see users disappear as if they'd never existed.

 

However, you could delete or edit all your posts yourself (unless they're locked or deleted). AFAIK the forum does keep a history of everything, so this wouldn't help against the scenario where authorities get access to the server, but at least you'd get a much lower profile for all kinds of search engines.

 

Finally, with everything we've learned during the past year, I wouldn't consider the Russian authorities as the worst enemy of privacy. In that regard, I just watched "Citizenfour" the other day and can highly recommend it.

Link to comment

Passwords are stored as salted hashes. We do not have your password. We would require a couple hundred thousand years on the most powerful supercomputers to get your password. ;) (How that works is a bit complicated, but basically handled through encryption where your computer encrypts it as you type it - and it is sent in encrypted form - and this is then compared with the database entry of the encrypted data. If it matches, all is good. But the "hash" saved in the database cannot be used backwards without an amount of computation power that I doubt even NSA has available - without spending years and years with the most sophisticated stuff on the planet.)

 

When you consider all the other systems that have been famously compromised in the past couple of years, what you have explained above is pretty impressive. :thumbup:

Link to comment

Lots of systems get compromised, some famous ones will get other types of data (and there's always the risk of a programming error somewhere, no matter the vendor in question). But as far as CC stuff goes, the risk is the same as everywhere: those do get out, because sometimes people manage to hack the banks themselves - even VISA has been "hacked". SagePay could get hacked. Paypal can get hacked. Your bank can get hacked.

 

But most compromised payment/account info comes from attacks (usually done through worms, botnets, etcetera) that pick the data up from YOUR computer. (Sometimes through you being less than careful about what you do, sometimes through vulnerabilities in programs you use - like browsers, browser plugins, etc. An example that has happened was a series of "attacks" on advertisement vendors, where malware was implanted into advertisements they served - meaning that every site that used their service would be attempting attacks on every user accessing those sites - and if said users had a given vulnerability in their system (unpatched Flash, for example), malware would get onto their computer and next time they enter their CC data when purchasing on Steam, Ebay, Amazon, whatever... Boom.)

 

So I'm not saying that your data is 100% secure. I'm saying it's as secure as any other "reputable" vendor on the internet. Which does not mean "nothing bad will ever happen to you", same way no police force can say you'll never get mugged, or happen to use your card in an ATM terminal that has been manipulated, etc.


Edited by EtherealN


Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Intel i7 2600K @ 4.4GHz, ASUS Sabertooth P67, 8GB Corsair Vengeance @ 1600MHz, ASUS GTX 560Ti DirectCU II 1GB, Samsung 830series 512GB SSD, Corsair AX850w, two BENQ screens and TM HOTAS Warthog

DCS: A-10C Warthog FAQ | DCS: P-51D FAQ | Remember to read the Forum Rules |

|
| Life of a Game Tester
Link to comment

Example regarding that: if you have a vulnerability, and get attacked through some automated means like the advert server "hacks", they wouldn't need to reverse-compute your password from the hash. They'd get it in clear text as you type on your keyboard.

 

Basically, keep your security systems up-to-date, and when Windows (or OSX) says it has an update, APPLY IT. It is a nuisance, but do it. You still won't be 100% secure (again compare with muggers, tampered ATM's, etc), but most likely you'll be fine, just like most people will be fine on the street.

 

But regarding potential political fallout (again, obviously, no discussion of the politics themselves!), your exposure is the same as when shopping with Amazon or Steam, pretty much.

 

I know a lot of people, especially in the US, can sometimes get a bit of a question mark in their head about "who is these SagePay people?" This really is a key point: they are not very present in the US market, but they are HUGE on the British Isles. They are a mainstream payment broker who does a big business as a big player in normal grocery-store terminals etcetera.


Daniel "EtherealN" Agorander | Даниэль "эфирныйн" Агорандер

Intel i7 2600K @ 4.4GHz, ASUS Sabertooth P67, 8GB Corsair Vengeance @ 1600MHz, ASUS GTX 560Ti DirectCU II 1GB, Samsung 830series 512GB SSD, Corsair AX850w, two BENQ screens and TM HOTAS Warthog

DCS: A-10C Warthog FAQ | DCS: P-51D FAQ | Remember to read the Forum Rules |

|
| Life of a Game Tester
Link to comment

When you consider all the other systems that have been famously compromised in the past couple of years, what you have explained above is pretty impressive. :thumbup:

 

If you're referring to the safety of passwords, it makes sense really.

 

The easy way would be to store a password in plaintext in the database. Then when a user tries to log in, the combination of username and password that was entered into the login-form is compared to the data stored in the database. If it's a match, the user is logged in and the application can do all kinds of stuff, like display a personal account or whatever.

 

The downside is that anyone with access to the database (application developers, system administrators, hackers, federal authorities) could know the user's secret password.

 

That's why by today's standards, a different approach is chosen. While the username is still stored in plaintext, the password isn't stored in plaintext. Instead a so called hash is generated from the password.

 

The important thing about hashing algorithms is that for a given input, they must always produce the same output. But it should be impossible to re-create the input from the output.

 

An example:

Plaintext: This is secret
SHA1 hash: bba397523dc13f0ca90079585b6ff3d4b5b15106

 

Another thing about hash algorithms is that they typically produce same-length output regardless of how long the input is. So if you took the text of the entire Lord of the Rings trilogy, the SHA1 hash would still be exactly as long as in the example above.

 

With this, when a user tries to log in, the application doesn't compare two passwords, it compares two hashes. If the hashes are identical, there is a very high probability that the passwords are identical.

 

(One attack scenario is to find so called "collisions", other strings that generate the same hash. But that's a bit too far away from the topic at hand.)

 

Now there's one more thing we need so that we're on the safe side. Identical passwords would generate identical hashes. So even if an attacker with database access didn't know the passwords, he could still see if different users have the same password.

 

Even worse, such an attacker could then grab lists of passwords that are available on the Internet, generate hashes for all of them and see if some of the password hashes in the database appear in his own list of hashes. If so, he would then have a password that generates the same hash and could successfully log in.

Such lists of password hashes are called "rainbow tables" and they, too, are available on the Internet.

 

So, in order to make life miserable for the attacker again, each password-hash is generated from the password plus something random that is then stored with the user data. This random thing is called a "salt", and there's nothing wrong with the salt being just another SHA1 hash.

 

Now my password + salt looks something like this:

Password + salt: This is secret+0a9c44ceb8a78dc9b23417084c941044b9670134
SHA1 hash of password + salt: beeca2eb40ef6ddd01edbf32d700415f683629ce

 

Now the database would contain this information about me:

User: Yurgon
Password: beeca2eb40ef6ddd01edbf32d700415f683629ce
Salt: 0a9c44ceb8a78dc9b23417084c941044b9670134

 

The rest is of course simple: When I try to log in, the application gets the salt associated with my username, uses the password I entered, combines it with the salt and then creates a hash of these two. If this hash is identical to the hash stored in the database, chances are that I entered the right password.

 

Now there are more things an application designer could do in order to make life even harder for an attacker, but for starters, the above method is pretty much state of the art.

 

If I understand EtherealN correctly, he's simply stating that the ED site and the ED forum use this technique. In addition, both sites have the password hashed before the browser sends it so that an attacker listening to the Internet traffic somewhere between the user and the forum would only see the hashed password, not the password itself, giving more security even though the forum does not yet offer traffic encryption via HTTPS.

 

TL;DR

 

As far as I can tell, ED uses state of the art techniques to store and transmit passwords so that this data is next to useless for an attacker. It would be waaay easier for an attacker to go after our client computers and grab this kind of data while it is typed on the keyboard than to reverse passwords by analyzing their hashes.

 

Edit: An important thing is that the above only works if the hash algorithm isn't seriously flawed. If it's seriously flawed, it might become possible to deduce the input from the output. Most hash algorithms in use today are indeed flawed, but not so badly as to be completely compromised. Just bear in mind that SHA1 is just one of many hash algorithms and is not considered secure any more. As far as I know, a new, secure and non-flawed hash algorithm is still under development.

 

Plus: Corrected a typo in the sample password.


Edited by Yurgon
Link to comment
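
An added example, not part of the original thread and not Eagle Dynamics' code: it contrasts the unsalted SHA1 storage described in the post above with a per-account random salt, and covers the repeated hashing rounds discussed later in the thread by using PBKDF2-HMAC-SHA256 from Python's standard library in place of a hand-rolled SHA1 loop. The function names, iteration count, user names and passwords are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as far as login latency allows
SALT_BYTES = 16

def unsalted_sha1(password: str) -> str:
    """The weak scheme: the same password gives the same hash for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build what a user table would store: salt, work factor and hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for each account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def users_sharing_a_hash(stored: dict) -> list:
    """Group user names whose stored hash is identical."""
    by_hash = {}
    for user, stored_hash in stored.items():
        by_hash.setdefault(stored_hash, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)

def precomputed_matches(stored: dict, table: dict) -> dict:
    """Look each stored hash up in a hash -> password table built in advance."""
    return {user: table[h] for user, h in stored.items() if h in table}

# Constructed sample data: two users happen to pick the same common password.
SAMPLE_USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}
WORDLIST = ["123456", "password", "letmein"]

def demo() -> dict:
    table = {unsalted_sha1(word): word for word in WORDLIST}
    weak_db = {user: unsalted_sha1(pw) for user, pw in SAMPLE_USERS.items()}
    records = {user: make_record(pw) for user, pw in SAMPLE_USERS.items()}
    strong_db = {user: rec["hash"] for user, rec in records.items()}
    return {
        # Unsalted: identical passwords are visible and the table applies.
        "weak_shared": users_sharing_a_hash(weak_db),
        "weak_matches": precomputed_matches(weak_db, table),
        # Salted and stretched: every hash is unique, the table is useless.
        "strong_shared": users_sharing_a_hash(strong_db),
        "strong_matches": precomputed_matches(strong_db, table),
        "login_ok": verify("letmein", records["alice"]),
        "login_bad": verify("letmein", records["carol"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salt and iteration count are stored next to the hash in the clear; the protection comes from the per-account uniqueness and the cost per guess, not from keeping either value secret.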

Nice write up, Yurgon! :thumbup:

 

Maybe this goes too far into the details, but maybe you can answer me a question:

If an attacker had access to the database and knew that

 

User: Yurgon

Password: beeca2eb40ef6ddd01edbf32d700415f683629ce

Salt: 0a9c44ceb8a78dc9b23417084c941044b9670134

and is also aware that "state of the art" is that

 

SHA1 hash of password + salt

Wouldn't he still be able to use those rainbow tables? The only factor preventing him from doing so is that he might not know the exact algorithm of how salt and password are combined, right? And this would be "security by obscurity", which is usually not accepted as appropriate by experts, as far as I know.

 

Atm I can only think about one way to circumvent this: by using an additional salt that is not stored directly in the user database so that it remains unknown by the attacker. But then, if the hacker has access to a complete database dump, even this might not be sufficient.

 

So my question is, what additional techniques are used here?

Link to comment

From what I've learned playing around in the old backtrack Linux..

If you come across a hashed password that has 12 or more characters, especially a mix of numbers, letters, lower, upper and symbols then it'll take people an awful long time to break it...

 

As for rainbow / lookup tables - in my limited experience, the public ones available aren't very good. I've had a heap of passwords before now and they couldn't match one.

 

If they really want in then they're gonna need a few of these and they don't come cheap..

 

http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

 

 

DISCLAIMER: I am not a hacker, I just got curious about Backtrack and the tools so I gave it a go. It seems anyone can do it with some help from youtube but the problem is once you start getting passwords that are over 8 - 10 chars long. Then it takes mega time to try and guess or brute it.

 

 

Edited to add: This is what lets most people down... Weak passwords or passwords people can figure out easily.

 

http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/

 

Hackers prey on people using dumb passwords or passwords they can guess from the info they gather about you such as DOB or other memorable info that might be public knowledge.

 

When using backtrack you would be surprised at how many people I discovered use stupid passwords like those in the links above..

 

Anyhoo, I don't want to get too deep into discussions of hacking because that's just getting us off topic. Needless to say, make your passwords long and complicated and chances are they'll never be cracked or guessed.

 

 

Oh and one final thing which I just have to mention... If you run websites, don't be a fool like one guy I discovered when experimenting around with backtrack tools...

This guy had spent ages setting up a dating site and had gathered thousands of members only to leave a PDF on his web server which the web developer provided with EVERY master account user and password.

His FTP, web admin, Cpanel.. the whole lot was there for all to find.... Be smart and be safe!


Edited by Tumbleweed

My Hangar: P-51D Mustang - KA-50 Blackshark - A-10C Warthog - F-86F Sabre - FC3 - Combined Arms - UH-1H

My Flying Adventures: www.dcs-pilot.com :pilotfly:

Link to comment

Maybe this goes too far into the details, but maybe you can answer me a question:

If an attacker had access to the database and knew that

 

User: Yurgon

Password: beeca2eb40ef6ddd01edbf32d700415f683629ce

Salt: 0a9c44ceb8a78dc9b23417084c941044b9670134

and is also aware that "state of the art" is that

 

SHA1 hash of password + salt

Wouldn't he still be able to use those rainbow tables? The only factor preventing him from doing so is that he might not know the exact algorithm of how salt and password are combined, right? And this would be "security by obscurity", which is usually not accepted as appropriate by experts, as far as I know.

 

Atm I can only think about one way to circumvent this: by using an additional salt that is not stored directly in the user database so that it remains unknown by the attacker. But then, if the hacker has access to a complete database dump, even this might not be sufficient.

 

So my question is, what additional techniques are used here?

 

Good question! :)

 

Individual Salts

 

The thing about rainbow tables is that computing them takes a lot of time/resources and storing them takes a lot of space. If there was no salt, it would be worth computing hashes for all kinds of known words, numbers, passwords and combinations thereof.

 

But if every single account has a unique salt (this part is of course incredibly important: every account must have a different salt!), an attacker would have to perform the computation for every account. That means there probably won't be pre-computed rainbow tables available on the net, which means the attacker has to do it himself.

 

I'm no subject matter expert, but I guess even with a huge botnet it would take a lot of time, and botnets don't solve the problem of storage (unless a rather sophisticated botmaster used them for distributed storage; I'm not sure whether such a thing is already in use, although I shouldn't be too surprised if it is, really).

 

In essence, a salt unique to each user doesn't make it impossible to find a collision, it just makes it pretty expensive in terms of time, computing power, resources and possibly also electric power if the attacker has to actually pay the power bill.

 

I did mention additional techniques, though.

 

Computing a hash of salt+hash: Going several rounds

 

So far I took the salt and the password and generated a hash.

 

Now, let's say I take the salt and the previously generated hash and generate a hash of them.

 

Then I keep on creating a hash of the salt and the previous hash a thousand times. The result of these 1,000 rounds is the password I store in the database.

 

On my side (application developer), I know I have to compute a thousand rounds of hashes every time a user tries to log in. This is certainly going to cost me in terms of required CPU time. If my server can't handle it, I get a bigger one or start heading towards cloud or load-balancing solutions.

 

But if an attacker wanted to see if one in a number of possible passwords results in the hash he already knows, he would have to calculate a thousand rounds of hashes for each password. With this simple idea, I can make him spend at least a thousand times as long in order to compute his collision. In addition, I can try to pick a hash algorithm that is notoriously slow in the first place, further raising the bar.

 

This way, I can make it much less appealing for any attacker to try to crack passwords this way, and it only costs me a few lines of code and a couple of CPU cycles. That's pretty clever IMO (unfortunately, I didn't come up with it; I hope the guy who did made a fortune though, because it's simple and brilliant). :)

 

The best thing about it is: the whole thing works even if the attacker knows exactly how the computation is done, so there's absolutely no security by obscurity involved. :smartass:

 

Edited to add: This is what lets most people down... Weak passwords or passwords people can figure out easily.

 

That would be my guess as well.

 

Coming back to "why to use a salt": It makes cracking and pre-computing of passwords so expensive that it's usually not worth the effort, given that lots of users do use weak passwords so that attacking the login-mechanisms with lots of known weak passwords makes a lot more sense.

 

The recent leaks of rather private celebrity photos were attributed to some login form that had no flood prevention so the attacker was able to flood it until he scored a hit.

 

On the opposite side, I recently witnessed a hoster that blocked an IP address for more than 12 hours after just 3 failed login attempts. I'd say that's a rather extreme measure, though. :)

 

This guy had spent ages setting up a dating site and had gathered thousands of members only to leave a PDF on his web server which the web developer provided with EVERY master account user and password.

His FTP, web admin, Cpanel.. the whole lot was there for all to find.... Be smart and be safe!

 

Haha, yeah, this kind of stupid sh** happens way too often. I think I haven't f***ed anything up on such an epic scale, but I do sometimes wonder how I could miss totally obvious stuff in my PHP code or leave SQL dumps in places they shouldn't be. :music_whistling:

 

Regarding good passwords, this one's always a great help. :)

 

http://xkcd.com/936/

Link to comment
Share on other sites
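The per-account salt and multi-round hashing described in the post above, as an added Python example that is not part of the original thread and not the forum software's own code. The function names, salt sizes and the PBKDF2 iteration count are assumptions; `hashlib.pbkdf2_hmac` is the standard-library construction built on the same idea.

```python
import hashlib
import hmac
import os

ROUNDS = 1000  # round count from the post; shown for illustration only


def stretch(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Post's scheme: SHA-1 of salt+password, then SHA-1 of salt+previous hash, repeated."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest


def new_record(password: str) -> dict:
    """What the user table would hold: a fresh random salt plus the stretched hash."""
    salt = os.urandom(20)  # unique per account, never reused (size is an assumption)
    return {"salt": salt, "hash": stretch(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(stretch(password, record["salt"]), record["hash"])


def new_record_pbkdf2(password: str, iterations: int = 100_000) -> dict:
    """Same idea via the standard library's PBKDF2 (iteration count is an example value)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Re-derive the key with the stored salt and iteration count, then compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    pw = "example-passphrase"  # constructed sample input
    alice, bob = new_record(pw), new_record(pw)
    print("same password, same stored hash?", alice["hash"] == bob["hash"])
    print("login ok:", verify(pw, alice), "| wrong password:", verify("guess", alice))
    print("pbkdf2 ok:", verify_pbkdf2(pw, new_record_pbkdf2(pw)))
```

Because each record carries its own random salt, two accounts with the same password store different hashes, so a table computed for one salt is useless against any other account.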

Regarding good passwords, this one's always a great help. :)

 

http://xkcd.com/936/

 

 

Now I have to wonder how many people are using that password thinking it's the hardest to crack.... :megalol:



Win 10 64 Pro, MSI Z390 I7-9700K @5ghz Kraken Z63, 32Gb Corsair Dominator, MSI RTX-2070, 1TB NVME 2TB SSD's, TM Warthog, Pro Rudders, OpenTrack w/ IR Clip

Link to comment
Share on other sites

Now I have to wonder how many people are using that password thinking it's the hardest to crack.... :megalol:

 

I heard a story first hand where attendants to a company meeting were handed papers that read something like "Write down (Your name)" and we'll print a poster for you with your name on it.

 

And then the requests came in where it read (Your name). Apparently, people didn't realize they were supposed to replace (Your name) with their actual name. :doh:

 

So, if I was a password cracker, I would definitely include "correct horse battery staple" in the list of known passwords to check against. :D
