Scorpion Software Blog

Password cracking is not new. Brute force cracking of passwords has existed for some time, and its one of the primary causes of password insecurity this day and age. But do you know just how easy it really is? Or just what can be used to accelerate the process?

You might not realize this, but your video card is an amazingly powerful computer. The graphics processing unit (GPU) is purposed to do extremely difficult mathematical calculations really fast. Combine it with distributed cracking software like what is published by ElcomSoft and you can reduce the time it takes by a factor of 50. NVIDIA GPU acceleration make it extremely effective in hacking static passwords in no time flat. Let me give you some examples (with thanks to Elcomsoft for the graphing data)

You can crack millions of passwords a second to recover MD5, NTLM and LM hashes without the need for expensive specialty hardware.

Leveraging the GPU acceleration pushes that past 2.8 BILLION hack attempts at the NTLM hashes for Windows passwords every second.

Even those password protected Office 2007 documents are not safe.

Thats 17,500 passwords A SECOND. When you think of your video card, you think of rendering your favorite first person shooter 3D environment. Not shooting holes through your office documents.

Of course, wireless passwords aren't that much safer.

The preshared keys in WPA can be cycled through at over 52,400 passwords a second. That's over 3 million attempts at the password to your wiress access points every minute. No wonder static passwords are such a weak form of authentication in the industry. Gives an entirely new meaning to a Quake LAN party... when you can turn those gaming machines into a distributed cracking platform to go through TRILLIONS of passwords in no time flat.

And you STILL want to leave all your corporate assets protected with static passwords alone? Are you kidding me?

We sometimes get asked why we don't support SMS based tokens in AuthAnvil. For those that don't know, the idea behind an SMS based token is that a server sends a text message to a cell phone with the next passcode to use to log into a system. There are several reasons why we don't support this, but it boils down to two specific areas of concern... security and reliability.

SMS spoofing is rampant in the industry. It is trivial to trap and trace SMS messages, allowing an attacker to play a man-in-the-middle attack without having to attack the underlying site that is using the system. Further more, you are trusting the security of the cell phone provider, which isn't always the best thing to do. For those that remember my talk on social engineering attacks and identity theft during my lecture at the Microsoft Conference Center a couple of years ago, you will recall me making a call on stage and changing the complete account settings for a popular US cell carrier of an attendee to my own phone (with his permission of course). The point is that most cell providers are just to easy to hack into. If you need more evidence of this, you can look at Ben's post on how easy it is to breach Sprint's systems. 

When the accounts themselves aren't that easy to attack, the criminal element have other options. With the roll out of SMS messages to many European banks, we are now seeing the criminal element attack these financial institutions through flaws in Nokia based phones that have an inherent flaw in their design. This Monday PC World reported that fraud investigators in the Netherlands had found criminals were paying top dollar (umm... guess that would be euro) for discontinued Nokia 1100 cell phones. Why? Because they can be tampered with to allow an attacker to intercept one time passwords (OTP) sent from the bank to specific numbers. You can see where we are going with this. And it will be interesting to see how the banks and vendors of SMS based tokens deal with this in the coming months.

Security aside, the other reason we don't use SMS tokens is reliability. What good is a token if you can't get the OTP when you are out of the network area? This is frequent when in the dungeons of a data center or server room. When on the road in another country, to use an SMS based system you have to pay for roaming services. You ever see how much that costs?? Or what about when you need to log into a system such as your laptop while on an airplane, where you must turn off your cell phone. That's just not practical. And what about load delay? It is said that on some cell carrier networks, SMS messages just cannot be guaranteed for delivery. With so much text messaging going on these days, sometimes it can take up to 30 seconds (and sometimes longer) for messages to arrive. These frequent delays and lost messages just don't make it easy to accept SMS as a viable option for our clients.

So there you have it. That is why we don't use SMS tokens. We focus on easy to use hardware and software tokens that work out of band, with the OTP being generated and shown on an LCD or phone screen. So even if your cell phone isn't connected to a network or is in 'airplane mode', you can still generate the credential you need to log in. 

It surprises me to this day that many of our customers don't use AuthAnvil to its full potential. Many people think its only used to protect Remote Web Workplace for their Small Business Server, or that it is only for their VPN. It can definitely be used in that way, but sometimes its good to know that it can actually do more for you. You invested in the architecture... why not use it???

Below is our simple list of 5 random things you might not know about AuthAnvil:

1. You can use AuthAnvil in more places than you think. You probably already know that you can use AuthAnvil to protect your terminal services logon, log on to web sites running on IIS6 and IIS7 like Outlook Web Access and Sharepoint and even your RRAS connections. (Check out this demo if you haven't seen it) But did you know you can also use it to log into: 
   • Most routers and managed switches
   • Many brands of firewalls, including Microsoft's Threat Management Gateway.
   • Many forms of the Unix/Linux console
   • SSH
   • Apache websites
   • Most SSL VPN concentrators
   • etc, etc 
2. AuthAnvil was designed for small businesses who many only need a few tokens, but scales to work with hundreds or thousands of users. What makes AuthAnvil work so well is that it is simple. But building something that is simple isn't always easy. What makes AuthAnvil so successful is that we leverage the Microsoft solution stack to deliver the solutions you need, when you need them. You can start with a single standalone Small Business Server 2003 box running IIS6 for 5 users... and take it all the way through Microsoft's stack to clustered servers with redundancy and scalability. One of my favorite installs is a partner who deployed a failover cluster using Windows Server 2008 HA for their SQL Server infrastructure, and then a web farm of Windows Web Server 2008 front end IIS7 servers to host AuthAnvil web services with load balancing, redundancy and failover. To help with the scaling of user provisioning over the Internet they used ISA 2006 in an array configuration to offer the security and redundancy they needed now, and in the future. Talk about a sweet setup. And it just works. Just as well as if it was hosting a few users on that SBS box.
3. You can administer AuthAnvil using PowerShell. So many people are looking for IT efficiencies these days. It is one of the reasons Microsoft continues to invest heavily into using PowerShell for administration of many of their server products, from Exchange 2007 to System Center Virtual Machine Manager. And you can use it for AuthAnvil too. With the introduction of our administrative web services last year, AuthAnvil administrators can script everything from user provisioning to token management. All in an environment they are getting used to. Of course, if you like to code, you can also directly connect to the web services. They are delivered using SOAP/XML... which means its extremely easy to consume and use... especially in Visual Studio. 
4. You can get detailed compliance reporting using business intelligence tools like SQL Server Reporting Servers and Crystal Reports. All change management events within AuthAnvil are logged in SQL. Which means it 'just works' with SQL Server Reporting Services (SSRS). You can use the reporting capabilities of these systems to pull out reports that meet your business needs. We have some customers that actually use AuthAnvil as a way to audit when staff are accessing the office remotely, or when they access other networks that the company is responsible for. The results are clear reports on when and where staff are extending their workspace to  remote locations... be it in the office, across the country, or around the globe.
5. You can create trust relationships between different AuthAnvil servers to offer 'loose federation' between networks. Using our proxied delegation technology, it is possible to eliminate the need to have different tokens on different networks across the Internet. In this way, your users who are permitted to log into foreign domains can use their same token there as well. This eliminates the "boat anchor" keyring that people fear in most token based strong authentication solutions, where they end up with 4 or 5 different tokens for different unrelated systems. And the added benefit of this is that if a staff member leaves your organization and you disable their account in your own AuthAnvil server, they will NOT be allowed to log into your partner's networks. And if you no longer wish to offer that circle of trust to your partner, you can turn it off in an instant!  

As you can see, there is more to AuthAnvil than meets the eye. If you would like to learn more about anything I have mentioned above, let's talk.

Today during our round table webinar, discussion included a question about how to educate users about security. I had mentioned a good video to consider that was produced by the Commonwealth of Virginia, called the "Duhs of Security". Check it out in the YouTube video below.

So yesterday Symantec released their annual Global Internet Security Threat Report which found that criminals in the digital underground were buying complete user accounts and passwords for less than the price for a can of coke.

Guy Bunker, Chief Scientist at Symantec said:

"This recession proof 'Underground Economy' is reaching such a level of growth and maturity that there are signs of a price war developing, as online criminals find it increasingly easy to steal private details, and barter to sell them for bargain prices. As above ground the world economy spirals, the Underground Economy has never been healthier."

This is getting more difficult to defend against when the plethora of keystroke logger malware covertly captures passwords to critical systems like desktop login, email access and even intranet portals without your knowledge. It is why two-factor authentication systems like AuthAnvil are so valuable for businesses who have staff and partners accessing corporate resources from across town, across the city or across the globe. Combining login credentials with a physical authentication token raises the bar and gives a level of identity assurance to make sure criminals can't easily forge ahead. Even if they can capture a password, it's useless to them since an AuthAnvil credential can only ever be used once. 

And did you know you can deploy AuthAnvil in your own business for less than a can of coke a day? Want to find out more? Let's talk.