Page 14 - Cyber Warnings August 2017

The estimates shown assume a sequential, pure brute-force attack. But that is not how an attacker is going to crack these passwords. Here’s the reality: on a Windows 10 desktop with one graphics card, using a publicly available wordlist, I cracked the first six of the passwords above (SHA-1 hashed, unsalted; no longer recommended, but still common practice nonetheless) in less than a minute total for all of them. The others, I’d guess, could be cracked in less than a day given the same wordlist and a rule-based attack. This is a perfect example of a defensive security strategy formed without an offensive perspective on security. Had the authors gone on the offensive, they’d have sought a more pragmatic approach than a raw brute-force attack, and concluded that the passwords above are not secure.

Go on the offensive with passwords: assess your organization’s current vulnerability by attempting to crack a global list of your password hashes. I imagine the results will be surprising, if not outright shocking. They will likely reveal both a training need and a justification for acquiring password manager licenses for all employees.
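The audit the two paragraphs above describe, as an added example that is not from the article: a self-check that runs a small wordlist plus a few common mutation rules against unsalted SHA-1 hashes and contrasts the number of candidates tried with the sequential brute-force keyspace. The wordlist, rules, usernames and passwords are constructed here; a real audit would use a public wordlist and far richer rules, as the author did.

```python
"""Audit unsalted SHA-1 password hashes with a wordlist and simple rules.

Sample data below is constructed for this example; nothing here comes from
the article's own password list or results.
"""
import hashlib

# Constructed mini wordlist; a real audit would use a public wordlist.
WORDLIST = ["password", "welcome", "summer", "football", "letmein"]

def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest, the (weak) scheme the article describes."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def candidates(word: str):
    """Yield rule-based mutations of one dictionary word: case changes,
    a few leet substitutions and common suffixes (a tiny rule set)."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    bases.update({leet, leet.capitalize()})
    for base in bases:
        yield base
        for suffix in ("1", "123", "!", "2017", "1!"):
            yield base + suffix

def audit(hashes: dict, wordlist) -> tuple:
    """Return ({user: recovered_password}, candidates_tried).

    `hashes` maps username -> SHA-1 hex; users sharing a hash are all reported.
    """
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    found, tried = {}, 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            for user in by_hash.get(sha1_hex(cand), []):
                found[user] = cand
    return found, tried

def brute_force_keyspace(length: int, alphabet_size: int = 95) -> int:
    """Size of the sequential brute-force keyspace (printable ASCII by default)."""
    return alphabet_size ** length

# Constructed "dump": three rule-derived weak passwords and one passphrase.
SAMPLE_HASHES = {
    "alice": sha1_hex("P@ssw0rd1"),
    "bob": sha1_hex("Summer2017"),
    "carol": sha1_hex("football123"),
    "dave": sha1_hex("correct horse battery staple"),
}
```

Comparing `tried` with `brute_force_keyspace(9)` shows why the brute-force estimate says nothing about how long a weak password actually survives.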

CONCLUSION

Offensive security is a very wide discipline, and the recommended steps in this article are just a start. But one thing is certain: if your organization doesn’t know how it specifically can be attacked, any defensive strategy is on weak footing, and potential attackers will be the first to discover your vulnerabilities. However, if your organization can become better attackers than the real threat actors, you can steal the offensive away from attackers. The best defense is, as they say, a good offense.


About The Author

Brad O’Hearne is a 25-year career software architect / developer, application security expert, and independent security researcher. He resides in Gilbert, AZ and enjoys cycling, soccer, reading, and spending time with his family.

He is available for consultation and can be contacted at [email protected].

Copyright © Cyber Defense Magazine, All rights reserved worldwide.