Banking on a Live CD

An investigative series I’ve been writing over the past three years about organized cyber crime gangs using malware to steal millions of dollars from small to mid-sized organizations has generated more than a few responses from business owners concerned about how best to protect themselves from this type of fraud. I said this nearly three years ago, and it remains true: the simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online. All of the malware used in the attacks I’ve written about is built for Windows.

That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems.

[Image caption: What the Puppy desktop looks like.]

The quickest way to temporarily convert your Windows PC into a Linux system is to use a Live CD. Here’s a step-by-step guide that should get you up and running in no time flat, with Puppy Linux, an extremely lightweight and fast version of Linux.

How Companies Can Beef Up Password Security

Separate password breaches last week at LinkedIn, eHarmony and Last.fm exposed millions of credentials, and once again raised the question of whether any company can get password security right.
To understand more about why companies keep making the same mistakes and what they might do differently to prevent future password debacles, I interviewed Thomas H. Ptacek, a security researcher with Matasano Security. Ptacek is just one of several extremely smart researchers I’ve been speaking with about this topic. Below are some snippets from a conversation we had last week.
BK: I was just reading an article by Eric Chabrow, which pointed out that LinkedIn — a multi-billion dollar company that holds personal information on some of the world’s most important executives — has neither a chief information officer nor a chief information security officer.

BK: Why doesn’t cryptographic hash mean much?

BK: Okay.

BK: I’ll bite: What’s the difference?

BK: So what’s the catch here?

On Security: The Nature of Cyberwar

Defence in Depth: Cracking OS X Lion Passwords

UPDATE [2011-10-15]: The issues described in this post have now been resolved by Apple. Users running OS X Lion 10.7.2 or security update 2011-006 are no longer affected by the vulnerabilities detailed below (CVE-2011-3435 and CVE-2011-3436). For further details on this security update please see Apple's advisory.

In 2009 I posted an article on Cracking Mac OS X passwords. Whilst this post has been quite popular, it was written for OS X 10.6 and prior. Since the release of Mac OS X Lion (10.7) in July, I have received numerous requests for an update.
In previous versions of OS X (10.6, 10.5, 10.4) the process to extract user password hashes has been the same: obtain the user's GeneratedUID and then use that ID to extract hashes from that user's shadow file (see my previous post for a more detailed description). When it comes to Lion, the general premise is the same (albeit with a few technical differences).

$ dscl localhost -read /Local/Default/Users/bob dsAttrTypeNative:ShadowHashData:

Defence in Depth: Cracking Mac OS X Passwords

In this post I will demonstrate how to both extract and crack Mac OS X passwords. The OS X variants that this tutorial is aimed at are 10.4 (Tiger), 10.5 (Leopard) and 10.6 (Snow Leopard).

Whilst Mac OS X is based on a Unix variant (BSD), there are several key differences between traditional Unix-based and Mac OS systems when it comes to password storage. Let's take a quick look at some of the differences. If you have ever poked around on an OS X system, you may have noticed the absence of the /etc/shadow file. Another key difference is the way in which the two systems store their hashes. Lastly, most Unix variants will use multiple rounds of the MD5 or DES cryptographic hash functions in order to encrypt system passwords.

In sum, OS X password storage has the following characteristics:

- Password hashes are stored in the /var/db/shadow/hash/<GUID> file
- Each user has their own shadow file
- Local OS X passwords are stored as SHA1 hashes

The command we use to extract our GUID is as follows:

# .