PSA: Don’t upload your important passwords to GitHub

A GitHub search showing private keys in public places.

It's akin to warning someone not to brush her teeth with a brick or to dry her hair with a blow torch, but based on numerous links circulating on Twitter Thursday morning, it bears saying: don't post sensitive account credentials to GitHub, or any other code repository.

On Thursday morning, the microblogging site was awash with messages linking to passwords and private cryptographic keys that are publicly accessible. Searches like this, this, and this turned up dozens of accounts that appeared to be exposing credentials that should never be made public. (Just minutes before Ars published this post, the searches stopped working, most likely because GitHub admins were trying to save users from their own carelessness. Many of the same GitHub accounts could still be located using Google, however.) Assuming the keys and passwords are still in use on live accounts, their exposure undoes whatever security their owners set out to establish when they generated them in the first place.

Ars won't be calling out individual accounts, although one GitHub offender appeared to reveal a password for an account on Chromium.org, the repository that stores the source code for Google's open-source browser. An eagle-eyed security researcher reported finding "an ssh password to a production server of a major, MAJOR website in China." Another tweet showed what appeared to be a sensitive GitHub authentication token used by a prominent front end developer for Bitly. In the wrong hands, a valid token could help miscreants redirect millions of people to malicious sites.
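The searches described above are what an attacker runs after the push; the cheaper control is to scan content before it leaves your machine. What follows is an added example for this page, not the searches Ars used and not GitHub's own tooling: a small scanner that flags private-key headers, quoted values assigned to password-like names, and base64-looking runs whose per-character entropy is too high for ordinary text. The regexes, the 4.0-bit threshold and the sample files are all assumptions and should be tuned for a real code base.

```python
"""Scan text for credentials before it is pushed to a public repository.

Added example for this article, not the searches Ars used and not GitHub's
own scanning. The patterns and thresholds below are assumptions about common
credential shapes; tune them for your code base.
"""
import math
import re

# Rules are checked in this order; the first hit on a line is reported.
RULES = [
    ("PRIVATE_KEY",
     re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("ASSIGNED_SECRET",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_?key)\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]
# Base64-looking runs of 20+ characters are judged by entropy rather than by regex.
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, above ordinary English words


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the name of the first rule that fires on line, or None."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    for run in TOKEN_RUN.findall(line):
        if shannon_entropy(run) > ENTROPY_THRESHOLD:
            return "HIGH_ENTROPY"
    return None


def scan_files(files):
    """files: {path: text}. Returns [(path, line_number, rule)] for every hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            rule = scan_line(line)
            if rule:
                findings.append((path, lineno, rule))
    return findings


# Constructed sample content standing in for one commit's worth of files;
# none of these values are real credentials.
SAMPLE_FILES = {
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "config/settings.py": (
        "DB_PASSWORD = 'hunter2'\n"
        "LOG_PREFIX = \"applicationserverlogline\"\n"
    ),
    # No quotes and no password-like name: only the entropy rule catches this one.
    "scripts/deploy.sh": "export DEPLOY_KEY=Xk9vQ2mR7tLp4Wn8ZbHyC3sD\n",
    # Mentions a password without containing one: must not be flagged.
    "README.md": "Run `make deploy` and enter your password when prompted.\n",
}

if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run against the constructed files it reports the key header, the quoted database password and the unquoted deploy key, and stays quiet on the README sentence and on the long but low-entropy log prefix. Wiring `scan_files` into a pre-commit hook over `git diff --cached` output is the usual deployment; the entropy rule is the one that needs tuning, since short example-style keys and long English words sit close to the threshold.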


Secret backdoors found in firewall, VPN gear from Barracuda Networks

A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned.

The SSH, or secure shell, backdoor is hardcoded into "multiple Barracuda Networks products" and can be used to gain shell access to vulnerable appliances, according to an advisory published Thursday by SEC Consult Vulnerability Lab.

"This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog," the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with a "very weak" password (update: an earlier version of this post said no password was required) to log in and gain access to the device's MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of those addresses belong to entities other than Barracuda.


Sony fined $395,000 for 2011 hack of its PlayStation Network

A UK government body has fined Sony £250,000 (about $394,570) for the devastating 2011 hack of its PlayStation Network, which resulted in one of the largest online breaches ever.

The Information Commissioner's Office announced the fine on Thursday, a little less than two years after Sony officials first disclosed the criminal intrusion into the online game platform. The breach exposed names, addresses, e-mail addresses, dates of birth, and cryptographically hashed passwords associated with some 77 million accounts. It also put credit card data at risk. The hack resulted in Sony shutting down the network for more than three weeks as engineers contained the damage and rebuilt the network.

"There’s no disguising that this is a business that should have known better," David Smith, deputy commissioner and director of data protection, said in the statement. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."


Grammar badness makes cracking harder the long password

Comparison of the size of password search space when treating the password as a sequence of characters or words, or as words generated by grammatical structure.

When it comes to long phrases used to defeat recent advances in password cracking, bigger isn't necessarily better, particularly when the phrases adhere to grammatical rules.

A team of Ph.D. and grad students at Carnegie Mellon University and the Massachusetts Institute of Technology have developed an algorithm that targets passcodes with a minimum number of 16 characters and built it into the freely available John the Ripper cracking program. The result: it was much more efficient at cracking passphrases such as "abiggerbetter password" or "thecommunistfairy" because they followed commonly used grammatical rules—in this case, ordering parts of speech in the sequence "determiner, adjective, noun." When tested against 1,434 passwords containing 16 or more characters, the grammar-aware cracker surpassed other state-of-the-art password crackers when the passcodes had grammatical structures, with 10 percent of the dataset cracked exclusively by the team’s algorithm.

The approach is significant because it comes as security experts are revising password policies to combat the growing sophistication of modern cracking techniques which make the average password weaker than ever before. A key strategy in making passwords more resilient is to use phrases that result in longer passcodes. Still, passphrases must remain memorable to the end user, so people often pick phrases or sentences. It turns out that grammatical structures dramatically narrow the possible combinations and sequences of words crackers must guess. One surprising outcome of the research is that the passphrase "Th3r3 can only b3 #1!" (with spaces removed) is one order of magnitude weaker than "Hammered asinine requirements" even though it contains more words. Better still is "My passw0rd is $uper str0ng!" because it requires significantly more tries to correctly guess.
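The comparison in the figure caption above (characters versus words versus grammar) can be made concrete with a toy lexicon. The following is an added example for this page, not the CMU/MIT team's algorithm and not the John the Ripper module they built; the lexicon is constructed and tiny, and it generalizes the article's "determiner, adjective, noun" case to any part-of-speech template. It counts the candidates each model must try and shows how many guesses a cracker needs to reach "thecommunistfairy" under each, and that a phrase whose words are in an ungrammatical order is never produced by the template at all, which is the flip side of the 10 percent the grammar-aware cracker found exclusively.

```python
"""How a grammar template shrinks the passphrase search space.

Added example for this article; it is not the CMU/MIT team's algorithm or the
John the Ripper module, and the lexicon below is a constructed toy.
"""
import math
from itertools import product

# Constructed part-of-speech lexicon (assumption: tiny, for illustration only).
LEXICON = {
    "DT": ["the", "a", "my", "this"],
    "JJ": ["bigger", "better", "communist", "strong", "asinine"],
    "NN": ["password", "fairy", "requirement", "hammer", "key"],
}
ALL_WORDS = sorted({w for words in LEXICON.values() for w in words})


def char_search_space(length, alphabet_size=26):
    """Guesses to exhaust `length` lowercase letters with no structure assumed."""
    return alphabet_size ** length


def word_sequence_space(n_words):
    """Guesses to exhaust every n-word sequence drawn from the whole lexicon."""
    return len(ALL_WORDS) ** n_words


def grammar_space(template):
    """Guesses to exhaust one part-of-speech template such as ('DT', 'JJ', 'NN')."""
    return math.prod(len(LEXICON[tag]) for tag in template)


def grammar_candidates(template):
    """Yield concatenated passphrases that fit the template, in guess order."""
    for words in product(*(LEXICON[tag] for tag in template)):
        yield "".join(words)


def word_candidates(n_words):
    """Yield every n-word concatenation, ignoring grammar."""
    for words in product(ALL_WORDS, repeat=n_words):
        yield "".join(words)


def guesses_until_hit(target, candidates):
    """Number of guesses a cracker makes before target appears, or None if never."""
    for n, candidate in enumerate(candidates, 1):
        if candidate == target:
            return n
    return None


def bits(space):
    """Search space expressed as bits of entropy."""
    return math.log2(space)


if __name__ == "__main__":
    template = ("DT", "JJ", "NN")
    target = "thecommunistfairy"
    print("characters:", round(bits(char_search_space(len(target))), 1), "bits")
    print("3 words   :", round(bits(word_sequence_space(3)), 1), "bits")
    print("DT JJ NN  :", round(bits(grammar_space(template)), 1), "bits")
    print("guesses, grammar-aware:", guesses_until_hit(target, grammar_candidates(template)))
    print("guesses, word-level   :", guesses_until_hit(target, word_candidates(3)))
    # A phrase that does not follow the template is never produced by it.
    print("ungrammatical order   :", guesses_until_hit("fairythecommunist", grammar_candidates(template)))
```

With this lexicon the three-word model has 14^3 candidates and the template only 4 x 5 x 5, so the grammar-aware cracker reaches the target in 12 guesses where the word-level cracker needs 2,414 and a character-level search of a 17-letter string would face 26^17. The same arithmetic explains the article's comparison of "Th3r3 can only b3 #1!" and "Hammered asinine requirements": what matters is how many templates and how many words per slot a cracker must consider, not the raw word count.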
