
MongoDB, Automatic Updates, Passwords, MS-CHAPv2, Sonera IPTV (fail)

posted Aug 26, 2012, 11:36 AM by Sami Lehtinen   [ updated Aug 26, 2012, 11:37 AM ]
  • Studied MongoDB Master-detail transactions documents. The sample topic was also quite nice: purchase orders, stock information, sales data, etc. Yeah, that's the stuff I handle in our POS & ERP databases all the time.
  • Automatic updates can be a security issue, especially now that Windows 8 reports installed applications to Microsoft by default. Sample references: the uTorrent case and the Stuxnet malware. Many programs do not properly check updates, so if the network path to the update server, or the update server itself, is compromised, it can easily lead to a situation where auto-update installs malware. This has already happened to uTorrent, and Stuxnet used something similar, except as a much more complex and advanced attack. In the worst case an exe file is downloaded over HTTP/FTP from a host identified only by DNS and then run automatically without any validity checking.
  • Password hints? What, why, sigh! Just like password recovery confirmation questions. In this article they say that it's easy to recover Windows password hints, so what? If the password is strong, there could be another recovery key, but it naturally should be much stronger than the password itself. Usually I don't use any password hints, and password questions also contain at least 20 random characters, because, as said earlier, password recovery should be much harder than guessing a password. Otherwise it's simply bad for security. So in that article they tell that they can recover your password hint. Well, isn't that quite obvious, because it's data that is supposed to be shown without the password? Of course the password hint could be encrypted using your password (lulz). So if someone used the attack mentioned in that posting against my account, they would find that my hint is: "None of your **** business" and the password recovery key is something like: £TKDåRd4hi59%Tp3s$Q$öYVBoä☻tg7ÅJwT[y3F7B I wish you very, very good luck when guessing or brute forcing it. The amount of entropy in the password recovery key is more than 256 bits, which would mean that reversing SHA-256 or cracking AES-256 should be a pretty trivial task for you too. This also means that this password recovery key is much stronger than a 2048-bit RSA key. Actually, to have the corresponding security level with RSA keys, a 15,360-bit key should be used. A 3072-bit RSA key only corresponds to 128 bits of entropy. This also means that RSA keys need to be ridiculously long compared to ECC keys. An ECC key with only 512 bits is as secure as an RSA key with 15,360 bits. I'm going to update my GPG keys to ECC format as soon as a version supporting it is officially released.
  • Sonera KotiTV (home TV) IPTV service is just what I hate about bad services. No time shift, no automatic recording, no automatic record-everything mode, doesn't allow recording high definition or pay-TV channels, only 5x forward / backward speed + skipping in 60 second leaps, no other speed alternatives. Also the TV show search (using a web browser) was super slow: it took 28 seconds to search for a documentary. That's ridiculous! It shouldn't be true, it has to be some kind of joke, right? Is this candid camera? Uh, no. Unfortunately it's all too real. If Google search had similar performance, it would take at least a century for web search results to be ready. Because I ordered this service by phone, I can cancel it without fees within 14 days. I'm still considering that, because they simply fail too hard. It shouldn't be impossible to deliver a really perfect IPTV service, but no, this one simply sucks. They also advertise a catch-up service, which would allow you to view past programs, but it only works for Disney channels. With current tech, I would prefer to have all possible channels recorded for, let's say, three months. If I have specifically selected to save something beyond that expiry time, that should be possible too. But the current service sucks. It's also kind of sluggish when browsing the EPG etc. I just wonder if a fiber connection (FTTH) isn't fast enough to provide EPG data.
  • MS-CHAPv2, and therefore PPTP, is seriously broken, because it partitions passwords and uses independent DES operations. It's funny to notice how everything is extremely safe and then, after a while, it's seriously broken, even though nothing has changed. So we should be very cautious about current "safe" algorithms.
  • Played with hashcat. The good thing with this? My 20-character-long random passwords with extended (Unicode) characters are still absolutely safe. It's just users with stupid or "clever" passwords who are in the danger zone. Anyway, even those passwords will contain only about 120 bits of entropy. Which means that if you want to store content with AES-256 using a secure random string (I don't say password on purpose!), it should be about 40 characters long. Yep, 20 chars is way too short for proper symmetric encryption.
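
The validity check that the automatic-updates item above says many updaters skip, as an added Go example that is not part of the original post: the client accepts an installer only if its manifest is signed by a pinned Ed25519 key, is newer than the installed build, and carries the installer's SHA-256. The `Manifest` layout, the `signedBytes` format and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is a hypothetical update descriptor (layout assumed for this example).
type Manifest struct {
	Version int    // monotonically increasing build number
	SHA256  string // lowercase hex digest of the installer
}

// signedBytes is the exact byte string the vendor signs (assumed format).
func signedBytes(m Manifest) []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.SHA256))
}

// VerifyUpdate returns nil only for a signed, newer manifest whose digest matches payload.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte, installed int) error {
	if !ed25519.Verify(pinned, signedBytes(m), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if m.Version <= installed {
		return fmt.Errorf("version not newer than installed")
	}
	if got := sha256.Sum256(payload); hex.EncodeToString(got[:]) != m.SHA256 {
		return fmt.Errorf("payload digest mismatch")
	}
	return nil
}

// runSamples uses constructed data; a throwaway key pair stands in for the vendor's.
func runSamples() [4]error {
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("installer bytes, build 7")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: 7, SHA256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, signedBytes(m))
	return [4]error{
		VerifyUpdate(pub, m, sig, payload, 6),                     // accepted
		VerifyUpdate(pub, m, sig, []byte("tampered"), 6),          // binary swapped in transit
		VerifyUpdate(pub, m, sig, payload, 7),                     // old manifest replayed
		VerifyUpdate(pub, Manifest{8, m.SHA256}, sig, payload, 6), // manifest edited in transit
	}
}

func main() { fmt.Println(runSamples()) }
```

Because the public key is pinned in the client, a compromised DNS answer, network path or download mirror can change what is delivered but not what passes the check.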
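
The partitioning mentioned in the MS-CHAPv2 item above, as an added Go example that is not part of the original post: per RFC 2759 the 16-byte NT password hash is zero-padded to 21 bytes, cut into three 7-byte DES keys, and each key encrypts the same 8-byte challenge on its own. The helper names and the two input hashes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// desKey spreads 56 key bits over 8 bytes, leaving each low (parity) bit zero.
func desKey(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	out := make([]byte, 8)
	for i := range out {
		out[i] = byte(v>>uint(49-7*i)&0x7f) << 1
	}
	return out
}

// ChallengeResponse follows RFC 2759: the 16-byte NT hash is zero-padded to 21
// bytes, cut into three 7-byte DES keys, and each key encrypts the same challenge.
func ChallengeResponse(ntHash [16]byte, challenge [8]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // key is always 8 bytes
		c.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// thirdsShared reports which 8-byte response blocks two hashes have in common.
func thirdsShared(a, b [16]byte, ch [8]byte) [3]bool {
	ra, rb := ChallengeResponse(a, ch), ChallengeResponse(b, ch)
	var same [3]bool
	for i := range same {
		same[i] = bytes.Equal(ra[8*i:8*i+8], rb[8*i:8*i+8])
	}
	return same
}

func main() {
	// Constructed inputs: two unrelated "hashes" that agree only in bytes 14-15.
	a := [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 0xAA, 0xBB}
	b := [16]byte{9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 0xAA, 0xBB}
	fmt.Println(thirdsShared(a, b, [8]byte{0, 1, 2, 3, 4, 5, 6, 7})) // [false false true]
}
```

The three blocks never mix, so the last one depends on only two bytes of the hash, and the strength of the whole response is bounded by single DES no matter how long the password is.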