Secure Development Tip of the Week

Subscribe by Email

Your email:

Application and Cyber Security Blog:

a Security Innovation Blog covering software engineering, cybersecurity, and application risk management

Current Articles | RSS Feed RSS Feed

Antisec hacking into Booz Allen Web site

  
  
  
  

AntiSecCan the hackers inflict more damage now that they have the password hashes?

Antisec hacker movement, which targets the websites of governments and their agencies worldwide, hacked into the Booz Allen Hamilton web site, and posted a 130 MB file of data stolen from Booz Allen's servers on the Pirate Bay BitTorrent website. Antisec publicly sneered at Booz Allen's security and said it had stolen about 90,000 military emails as well as a great deal of passwords. The passwords are protected by the MD5 cryptographic hash function, though that protection can be cracked.

There are two stories here that need to be disentangled: 

1)      AntiSec got on to an unprotected server and got hold of information

2)      Some of that information was the MD5 hashes of passwords

The issue is not so much that MD5 allowed the original attack, but that now that AntiSec have the password hashes, it has been suggested that they may be able to obtain the actual passwords and use them to get on the network before Booz Allen can get all the passwords changed.  This actually isn’t likely to happen. MD5 is weak but not that kind of weak.

One property you want from a hash function is collision resistance – it’s very hard to find two inputs that give the same hash value. For MD5 it should take 64 bits of effort to find a collision. In fact, because of that weakness, it only takes about 20 bits of effort to do it. This lets an attacker potentially get a fake certificate from a Certificate Authority (CA) that uses MD5. The attacker generates two cert requests with the same MD5 hash, one innocuous (mydomain.com) and one malicious (google.com). They then request a certificate for the innocuous request, and the signature on that one is also a signature on the malicious one (because they have the same hash), so now they’ve got a cert for google.com. This is a significant weakness in MD5, and it’s why it’s not recommended any more. However, that’s not the attack AntiSec can mount.

Another property you want from a hash function is preimage resistance – it’s very hard to find an input that hashes to an already selected value. In the case of the Booz Allen hack, this is the attack AntiSec would like to mount: they have the hashes of each of the passwords and they don’t need to find the actual password, they just need to find something that gives the same hash. Perhaps oddly, although MD5 is very weak against collisions, it’s still pretty strong against preimage. It should take 128 bits of effort to find a preimage for MD5 (because it has 128 bits of output); in fact, the best known attack takes… 120 bits of effort. This is much better than good enough.

So the weakness of MD5, though significant in other contexts, isn’t an important part of the story here.

MD5 is widely used to protect passwords in FreeBSD-based Unix systems and others, so it’s not like Booz Allen made a uniquely bad choice here. They probably didn’t even make a choice at all. Maybe people should investigate moving towards SHA-based password hashes but there are more pressing security needs out there.

Comments

Hackers attacking MD5 passwords aren't going to use theoretical or cryptographic attacks; with MD5, brute force is the king. 
 
Yes, this is fair.
Posted @ Thursday, July 21, 2011 6:10 AM by William Whyte
I disagree that the obtaining of MD5 passwords is insignificant. While you're correct that MD5 is weak by today's standards, but still relatively strong against the attacks that you detail, those aren't the attacks that would be mounted.  
 
You know that the MD5 hashes are of passwords. So you're not trying to find a preimage that is arbitrary binary data, but one that's a password. With enough passwords, a simple dictionary attack will probably crack at least one password in the list. Even if Booz Allen had a relatively decent password policy, MD5's real weakness when it comes to hashing passwords is its speed. MD5 was made to be fast as a general-purpose hashing algorithm. With today's computer time costs, it's relatively cheap to buy server time capable of brute forcing tons of MD5 hash attempts for incredibly cheap.  
 
Hackers attacking MD5 passwords aren't going to use theoretical or cryptographic attacks; with MD5, brute force is the king. 
 
Posted @ Thursday, July 21, 2011 10:34 AM by Tom Samstag
Nice write-up thanks. I think to be honest brute force is not required ... all that's needed in this case is a rainbow table attack; the reason is that the passwords were not salted at all - the devs that setup the database didn't have a clue. Some further reading here on this type of password cracking method and how to defeat it: <a href="http://www.internetsecuritydb.com/p/password-storage-101.html>Password Storage 101
Posted @ Friday, July 22, 2011 9:07 AM by Damian
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics

Follow Us