Correcthorsebatterystaple dwsg 07 09-13
1. Credera is a full-service management and technology consulting firm. Our clients range from Fortune 1,000 companies to emerging industry leaders. We provide expert, objective advice to help solve complex business and technology challenges.
Dallas Office: 15303 Dallas Parkway, Suite 300, Addison, TX 75001 (Phone 972.692.0010, Fax 972.692.0019)
Denver Office: 5445 DTC Parkway, Suite 1040, Greenwood Village, CO 80111 (Phone 303.623.1344, Fax 303.484.4577)
Houston Office: 800 Town & Country Blvd, Suite 300, Houston, TX 77024 (Phone 713.496.0711, Fax 713.401.9650)
Austin Office: 9020 N Capital of Texas Hwy, Suite 345, Austin, TX 78759 (Phone 512.327.1112, Fax 512.233.0844)
2. Discussion document – Strictly Confidential & Proprietary
correcthorsebatterystaple:
hacking passwords by example
Dallas, TX
July 9, 2013
Dallas Web Security Group
Dustin Talk
3. Agenda …
P@ssw0rdZ
• Expectations and Objectives
• What makes a good password?
• Demo: Cracking a user list of ~1.5 million users
– What a leak looks like
– Using rainbow tables (or google)
– Using the leaked information from others
– Using common passwords
– Lists created by experts
– Lists created by l33t h4x0r
– Brute Force on the GPU
– Hybrid Attacks & Key Sequences
• What can be done?
• Q&A
7/19/2013
Dallas Web Security Group
3
4. Dustin Talk (not Anonymous)
Dustin Talk
Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and a Master's degree in Computer Science from Texas A&M University. Dustin has several years' experience in custom web application development with a focus on security, emerging technologies, and Spring/JPA frameworks. During his tenure with Credera, he has led and worked on various teams building applications in Java, including supply chain optimization, large-scale eCommerce implementations utilizing Broadleaf Commerce, and eCommerce conversion efforts.
Past Presentations:
• Addressing Top Security Threats in Web Applications
• OWASP Top 10 - Live Exploits by Example
• Stripe’s Capture The Flag #2
• OAuth 1.0 / 2.0
• OpenID
Introductions…
5. The Organizational Goal is to equip you with knowledge that you may incorporate in your job, your next project, or just to have fun (not lulz)
Participant Expectations
• Provide Education to Seed Investigation
• Learn how to secure yourself and those around you
Expectations and Objectives …
6. How strong are your passwords? Let’s ask Microsoft…
Microsoft has provided a free tool to ensure that your password is strong:
https://www.microsoft.com/security/pc-security/password-checker.aspx
How would these rate:
• password12345678790
• Luvnme4aChange@$
Let’s see if they are strong using some simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/
What makes a good password? …
*Figure and statistics from June 2012 WhiteHat Security Statistics Report
7. Perhaps we should ask someone else? Intel…
Intel has provided a free tool to ensure that your password is strong:
https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html
How would these rate:
• AdMos185auj;
• Wt4e-79P-B13^qS
Let’s see if they are strong using some simple tools:
• Online MD5 creator: http://md5-hash-online.waraxe.us/
• Elite Google Password Decoder: http://www.google.com/
What makes a good password? …
9. Simple tips for a better password
Creating a stronger password
• The more random the better*
• The longer the better*
• A mix of numbers, letters (upper and lower), symbols
• NO words! or anything L!K3 a word (the h4x0r knows)
• No personal info (pin code, home address, etc.)
• No keyboard tricks (!@#,123,QWE)
Use some helpful tools:
• https://lastpass.com/passwordhelp.php?a=1
• https://lastpass.com/generatepassword.php
What makes a good password? …
11. What can be done? …
Attend More Meetings…
What To Do Now
• Don’t use hashes to secure users: http://hashcat.net/wiki/doku.php?id=oclhashcat_plus
• Don’t rely on salts to protect you
• Use bcrypt (an adaptive hashing algo): http://en.wikipedia.org/wiki/Bcrypt
What to Do Now For Fun
• Download John the Ripper
• Download oclHashcat-plus (and get a decent GPU)
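An added example (not from the deck) of the storage advice above: an unsalted MD5 of one of the slides' sample passwords is recovered from a precomputed lookup table built over a constructed common-password list, while a salted, adaptive hash of the same password is not, and each verification costs measurably more. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here, which needs a third-party package; the per-user salt and tunable work factor are the same idea.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a leaked common-password list; the two entries
# from the Microsoft slide are included so the lookup below finds them.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "password12345678790", "Luvnme4aChange@$"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: the storage scheme the slides warn against."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precomputed hash -> password table. For unsalted hashes this is what a
    rainbow table (or a web search for the hex digest) gives an attacker."""
    return {md5_hex(p): p for p in candidates}


def recover_unsalted(stored_hex: str, table):
    """Returns the password if the stored digest is in the table, else None."""
    return table.get(stored_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, adaptive hash (PBKDF2 as a bcrypt stand-in).
    Stored form: 'iterations$salt_hex$digest_hex', so the work factor can be
    raised later without breaking verification of older records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(hash_fn, candidates) -> float:
    """Throughput of one hash function over a candidate list. The adaptive hash
    should be orders of magnitude slower per guess than MD5; that gap is what
    bcrypt's cost parameter lets a defender tune upward over time."""
    start = time.perf_counter()
    for p in candidates:
        hash_fn(p)
    return len(candidates) / (time.perf_counter() - start)
```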
Reference Materials
• http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
• http://hashcat.net/oclhashcat-plus/
• http://www.openwall.com/john/