URGENT! LL security exploit

Well, to Tuach's credit, I just got paid, so I take that back.

I could care less about my password getting changed - I want to know, and know NOW, exactly what data was exposed, which elements were encrypted, and how they were encrypted. I have 0% faith that this information is secure even in its encrypted form, absent that information.

If LL hasn't responded to my several forms of information request by tomorrow, regardless of whether it's a weekend or not, I will be calling their local law enforcement to file a report on this for the permanent record. I will also be cancelling my credit card tomorrow morning when I go to the bank.

It is unacceptable that this was known for 2 days and no notice was provided to the residents to allow for timely credit card cancellations, etc.

Bad form LL, extremely bad form.

Now that we got our little contest out of the way, I thought I'd mention this strikes me as odd. You can't really do that unless you add a new version that'll only be used for new accounts. That wouldn't be that much of an improvement on an active site.

There are only three ways you could do that:

1. Having the unencrypted passwords somewhere, but that's insecure.
   
2. Forcing everybody to reset their password, but given this thread that'd be just too funny.
   
3. Cracking the passwords by bruteforce to switch them to the new algorithm. This would work, I guess, assuming people use easily breakable passwords.
   

So I'm feeling curious, how do you update it?

Stopped in after dinner and saw this.



That is correct.



I'm impressed, if only that you have a dictionary that small with "concentricity" in it.

I should have chosen "zoophilia." Would have been a much better fit for this forum anyway.

Of course it wasn't 20 minutes, was it? It was about two hours, counting setup time. And that's starting with full source, in a function that I had to get to run in the slowest scripting language on Earth. So much for "low-hanging fruit."

If I had changed even one detail, or not posted the source, you wouldn't have known where to begin. Which is sort of my whole point.

(Linden, please don't disappoint me by letting your password storage mechanism be as pathetic and trivial to overcome as my example.)

But, in all fairness, Dale has elegantly demonstrated the weakness of MD5-hashed password algorithms. Let this be a reminder to all, including me, not to place too much faith in your password hash algorithm when you have a determined adversary.



Paid, with my compliments.

This is so obvious. I can only wonder if it took that long to figure out what happened and that an announcement two days ago would have only amounted to "Something happened; stay tuned.".

That's easy.

This is for an SSL-secured web site with users who hate Javascript, so I don't have the luxury of doing client side manipulation, so the "test password" function (which is not on the web server itself) gets the unencrypted password when you log in. Just like most web sites.

That function can "version" the stored hash to determine which format it's in. If it's in an obsolete format, but it correctly matches that format, the new-format hash is created and overwrites it.

It's simple, transparent, and highly modular. It also means that at any given time, there are at least two complex and different password formats in the database.

It's not perfect, because people who never log in don't get their passwords updated, but that's a small population and I can harass them by email with dire threats.

That was in my dictionary as well. It'd have got there in about an hour.



I didn't start working on it immediately, and I had to write a script for it. I also had to download a word list. I also didn't hurry much. And I did several test runs before starting this one. I also set my server to try 1675569 passwords with up to 40000 iterations, which would have taken 40 hours, in case my quick searches wouldn't work. And of course, I also posted on the forum while doing all this

The actual attacker would have made preparations beforehand, such as downloading word lists, and getting as many password crackers with easily modified functions. The actual attacker would have much faster code as well, and if they planned this well, would also have more computers available. With a well written C program, a 10x improvement over what I got would be quite possible.

Based on all that, I'd say that a 10x or more speed improvement vs mine, and starting to get passwords in 15 minutes would have been quite possible.

The LL database, if I had it, would have been much, much easier to crack. I'd just first crack my own password. Once I had that, it'd confirm the method is good. Then I'd go on to try the absurdly easy stuff like "password" against the whole database, which would yield hundreds of accounts in minutes, while hand picking some accounts (such as Anshe's) for more exhaustive treatment.

BTW, I have some experience in this area, as I cracked about 90% of my school's passwords (including the admin's) in about an hour as a demonstration (got permissions beforehand).



This is what's called "security by obscurity" and it simply doesn't work. The algorithm is very easily exposed. All it takes is some kind of dumb permissions problem on the webserver to give out the source. A very easy mistake is to keep backup versions of the scripts on the server, which are returned as text instead of getting executed. Then what? Once it's known, LL would have the option of ignoring it, or resetting all the passwords, and we'd be in this situation once more.



Actually, most systems don't bother doing what you did (although it's a perfectly legitimate thing to do) and just store MD5(password + salt).



Well, see, this is exactly the thing, you seem to underestimate how determined people can be. LL is a big target. I wouldn't be surprised if there were a couple dozen people out there whose favourite passtime is to watch security lists, then try vulnerabilities against companies they decided to target.

This hypothetical person would first run a portscan against LL's servers and determine the software running and their versions. Then watch vulnerability lists for those products. When something matches, rush to a cybercafe and give it a try. If it works, they walk away with the data on a flash drive.

Somebody determined enough could dig up a lot of information on LL, and use it to their advantage. This kind of person could just spend years like that, taking any information they can get, until they finally get to the big stuff. Your secret algorithms would probably be obtained pretty fast under such a process.

Got to thank you for the technical challenge though, this was pretty fun

Can someone please clarify this for me (from an email sent by Linden):

8<---------------------

Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.

------------------------>8

How can you MD5 hash payment information? Wouldn't that make it useless to them too? Am I just reading that incorrectly because it is late?

Yes and the support emails i write about it come back with "we will deal with it on monday" and "try again" kinda stuff...

Yeah, I know, but it would have been a lot funnier.



Once again, go back 50 or so posts to where I already said that. It's just that in this particular case, security through obscurity probably worked.

And as you have so aptly pointed out, cracking passwords is just a matter of time if you have the algorithm. Security through obscurity is really all you've got in a case like this.



Any intelligent approach would apply another level of indirection.



True (and again something I already said dozens of posts ago). But most systems have a couple of hundred to a couple thousand users. I'd like to think that people in charge of 600,000+ passwords are a little better prepared.

After all, this is the same LL that came up with a ridculously complicated cloud-generation algorithm when they could've just said if (rand()>0.5) add_clouds(). So there's hope.

I wonder... Perhaps they seized this opportunity to change algorithms, and that was the reason behind the suddenly-after-two-days password reset.

What I think you've missed about my calling it rash is this: it doesn't appear rash because they did it, it appears rash because of how they did it. They had two whole days to prep to handle the easily-foreseeable problems, but they seem to have utterly airballed on that. That's why it seems to me more like a rash decision than a considered one. If you had read everything I'd written, you would have seen that I was the first and person profiling the enormous speed of MD5 and its lack of suitability for this purpose.

That's bad, bad news for the passwords.

It's utter nonsense for the payment information.



Hmm. Really? What do you think, Dale?



Yes, it would. This came from PR, not engineering.

I second that. I do NOT want to have to wait a whole fucking weekend to get this issue addressed. This is my fucking bank account on the line here.

I thought that was

GimmieYourTonguebigboy

I thourght it was "Douwannamakeout?"

Holy ****, will people like this get the tampon out of their fucking ****, stop sucking your mothers tit and stop being a little crying **** *** about every ******* thing that happens.


SHIT HAPPENS THEN YOU STEP IN IT. LIVE WITH IT.

I think it took them longer than two days. I reported that my SL account had been hacked on Sunday. Of course the only reporting that could be done was a message to Customer Support and Live Help as the individual was selling off my first land and deleting my inventory. I left numerous messages to Customer Support on Tuesday because it was impossible to talk to an actual person. After about 5 attempts I did speak with someone, but all communications with Customer Service left me feeling more and more like the perpetrator rather than the victim. I know of two other accts that were hacked. When all was said and done and my locked acct was returned to me, I had an account that had $40L in it, the hacker had sold my first land, transferred over $5000 Lindens to an account that I could see on my acct transaction log and they had deleted all my inventory and left me a prim "salt for your wounds". Linden's response? We're sorry. Oh, did I mention that since the account was locked Linden didn't even let me have the $500 weekly stipend for the premium account for that week.

Yeah, I can see lawyers getting involved in this. I can see a class action suit. Good luck

Holy crap

Oh this is really clever.

Just trying to change the password for one of my alts, get the email, click the link, answer the secret question... and what pops up on the screen?

"You are about to be redirected to a connection that is not secure. The information you are sending to the current site may be retransmitted to a nonsecure site. Do you want to continue?"

This just gets worse.

Lewis

At least we still have the forums.

(No, really.)

Ah, not so. True security is when the attacker knows everything but the password, and still has no other alternative but to try to crack it by brute force. For example, the algorithm for PGP/GPG signing and encryption has been public for years, but hasn't yet been broken.

An actual improvement of security would have been like this: Take the password, and apply various safety checks to it, such as length, presence of digits, presence of dictionary words. If it's bad, don't allow it. This of course will make a lot of people unhappy, but it works.


I agree with that. If they got this by SQL injection there's a quite trivial defence: Simply move the password checking algorithm to the database. Make a check_password function that returns true or false. Then the application itself doesn't need permission to read the password tables, and can only call the function to check.

In that case, a simple SQL injection would have failed to yield anything useful.



Well, IMO, it's just a proper security procedure. Maybe they didn't know two days ago. I can only speculate here. But what's quite clear is that once you've determined you've been breached the proper course of action is to take the affected system down immediately, even if that annoys lots of people.

What do you suggest they should have done instead? IMO, the proper course of action would have been doing exactly this, but two days ago.

Well, doesn't matter all that much for the passwords anymore, as they've been reset anyway. But it does seem to confirm my suspicions that getting something out of there in a couple of minutes would have been quite possible.

Got to agree about the payment data stuff though.



A MD5 hash is secure (well, not anymore really, it's been broken pretty badly) because it can't be reversed. But you don't have to figure out how to reverse it for a password, all you have to do is to try to encode the most logical choices and see if you find anything.

In case anybody wants to see what it takes to do a trivial brute force password cracker, here's the one I wrote for the contest. It takes passwords from stdin, and the arguments are the maximum iterations count and the number of passwords (for progress estimation).

#!/usr/bin/perl -w
use strict;
use Digest::MD5 qw(md5 md5_hex md5_base64);
use Time::HiRes qw(gettimeofday tv_interval);
my $max_rounds = $ARGV[0];
my $rows = $ARGV[1];

my $hash;
my $i;
my $count = 0;
my $result = "beacface99bd0dc785fc0347348d6c29";

my $t0 = [gettimeofday()];
my $elapsed = 0;
my $speed;
my $percent;
my $eta;

while(my $line = <STDIN>) {
        chomp $line;
        $line = lc($line);
        $hash = $line;
        for($i=0;$i<$max_rounds;$i++) {
                $hash = md5_hex("${hash}:12345");

                if ( $hash eq $result ) {
                        print "FOUND! $line, ". ($i+1) ." iterations\n";
                        exit(0);
                }
        }

        $count++;
        if ( $count % 1000 == 0 ) {
                $elapsed = tv_interval ( $t0 );
                $speed = (1000/$elapsed);
                $percent = ($count/$rows) * 100;
                $eta = (($rows - $count) / $speed) / (60*60);
                print "Elapsed: $elapsed, ${speed}/s, ${percent}\% complete, ETA $eta hours.\n";
                print("Processed $count passwords, current $line\n");
                $t0 = [gettimeofday()];
        }
}

print("Exited without success");

Hi everyone - sorry for the silence yesterday. As you can imagine we were pretty busy.

I want to reassure you all that we have no evidence the attacker hacked anyone's accounts. We combed the logs and think we safely reassure you that no one lost any L$ or inventory as a result of the breach. The password resetting is a precaution only.

For those of you having problems with answering your security question or with forgotten or obsolete email addresses, we've updated the web form to give you more options for resetting your password over the weekend. For details, just check out the Linden blog at http://blog.secondlife.com.

If you still run into trouble, we will have Lindens answering the phones on Monday to help you out. More details on that to come.

Here's another one in python I wrote last night. I didn't find the word until I added "concentricity" to the dictionary though.

from sys import stdin
import md5

fh = open("dict")
for line in fh.readlines():
  m = md5.new(line[:-1] + ":12345")
  counter = 1
  hexdig = m.hexdigest()
  while counter < 5000:
    n = md5.new(hexdig + ":12345")
    hexdig = n.hexdigest()   
    counter = counter + 1
    if hexdig == "beacface99bd0dc785fc0347348d6c29":
        print line+str(counter)

For the info, and thank you to all of the staff that stayed up all night to handle this problem, i really am very pleased. Its nice to know that you all cared enough to do this, and caring is the optimum word here. Thank you too for keeping us informed in the forums, yes we over hash everything to death here, and were not nice at times, but its our way of handling things..yes were all addicted to SL, but would you want us to be otherwise ? Would love for yall to consider keeping the forums open, it has been a wealth of information during this time.

BTW your link to the blogs, brings up a DNS error page for me, as i run my cursor over it, i can see the 1st line or so of it, but clicking on the link no works.