- From: Mikko Rantalainen <mira@cc.jyu.fi>
- Date: Tue, 29 Apr 2003 14:49:07 +0300
- To: www-html@w3.org
- CC: Joris Huizer <joris_huizer@yahoo.com>, joris_huizer@yahoo.com
[This is getting offtopic. This post contains mostly generic
security information.]
Joris Huizer / 2003-04-29 10:43:
> --- Kevin Hanna <kevin@hanna.net> wrote:
>> If a cracker were to get their grubby hands on your encrypted
>> passwords, it could easily take less than a minute to crack
>> them using a dictionary attack. If the dictionary attack
>> didn't work it could still take less than a day and likely not
>> more than 2 days.
>> Operating systems have a default location for storing the
>> passwords (and other relevant information). Browsers tell the
>> web server which operating system is being used. So figuring
>> out EXACTLY what file(s) to grab requires no guess work. If
>> somebody with super user privileges were to open a page that
>> exploited that safety, they could easily have most of the
>> passwords to that system in less than a couple of days.
>>
> As far as I know, there are encryption methods of
> which no decryption is known ("easy" encryption but
> impossible decryption) - and this type of encryption
> is (? should be ?) used by all operating systems.
You've just described a hashing algorithm. These are sometimes
called one-way encryption. The idea is to throw away so much
information that it's impossible to return to the original content.
The problem is that the attacker isn't interested in the original
password (he cannot compute that from the hash) but in *any* password
that the system accepts for the given user. If there's only one
possible password for that hash value the attacker gets the original
password, otherwise he just uses one that is equivalent from the
system's point of view.
> Unfortunately, in some OS's (at least, on many Windows
> versions) there's little difference between a standard
> user and the administrator - are you seriously
> suggesting all secret info of companies on the
> internet is at risk as any cracker could break in
> within a few days ??
Any system where the administrator (or root) uses applications that
shouldn't be trusted (like pretty much everything that talks to the
net) is at risk of getting cracked. If you're running the application
with higher rights than it requires and it has a flaw that allows it
to leak files from the computer, you're hosed.
> Anyway, maybe some old OS's are badly secured - but
> they are insecure anyway - not only when a html page
> could send their info
No. It doesn't matter how secure the OS is. All it takes is one dumb
administrator surfing with a browser with a security hole. Because the
administrator has access to files that contain all the passwords (or
the hashes - it's pretty much the same thing from the attacker's
point of view) the browser he's using has the same access.
Say the administrator is running the latest version of Windows 2000
Server with MSIE with the latest patches applied. If MSIE has
JavaScript turned on (the default) the attacker can read local files
from the hard drive <URL:http://www.pivx.com/larholm/unpatched/>. It
doesn't matter even a little bit that the system has a so-called
"encrypted file system" because the administrator has access to the
file once he's logged in. So does the flawed browser. All the attacker
needs is "C:\WinNT\System32\config\SAM".
Note that I just described how an attacker could receive the file even
though MSIE doesn't have (known) security flaws in the file input
implementation. There are other ways to leak information, too.
See also:
http://www.firewall.com/dcforum/SECURITY/90.html
http://aspin.asu.edu/ISACA/whitepapers/oct98.html
In the case of Windows 95, 98 and ME I think the correct file is
"C:\Windows\user.dat", though 95, 98 and ME have such minimal security
that one seldom needs passwords. For Linux, all you need is
"/etc/shadow".
According to my experience, Windows admins run programs as
"Administrator" way too often and if, for example, their browser has
a security flaw the system is practically toast. Linux and UNIX
admins in general have some clue about security and run as root only
for the programs that truly require it.
Yep, I'm running my copy of W2K as a normal user and run only
selected programs as "Administrator". It's truly a pain in the ass
because even Microsoft doesn't have a clue how software should work
when the user doesn't have full access, and I need to run as
administrator much more often than I'd think is necessary. All
practical solutions for this require that I have the administrator
password in cleartext in some file accessible to me -- and that's
because MS decided that the only way to authenticate another user
via the "run as" service is a username/password combo. UNIX systems
have setuid executables and sudo plus a much better security model for
devices like CD-RW drives (one doesn't need to be root to use those,
write access to the device is enough).
--
Mikko
Received on Tuesday, 29 April 2003 07:49:04 UTC
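An added illustration of the hashing point made in the thread (this is my own example code, not anything posted by the participants): the login check needs only the stored digest, so it accepts any candidate that hashes to it, and a fast unsalted hash makes every account that shares a password recognisable from the hash file alone, whereas a per-user salt and a slow KDF remove that and force separate work per account. The function names (`store_fast`, `store_salted`, `accepts`, `shared_digest_groups`), the PBKDF2 iteration count and the sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example, not from the mailing-list thread.
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for this example


def store_fast(password):
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal digests
    on every account and on every system using the same function."""
    return {"salt": b"", "digest": hashlib.sha256(password.encode()).digest()}


def store_salted(password, salt=None):
    """Stronger scheme: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def digest_for(record, candidate):
    """Recompute a candidate's digest under the record's own scheme."""
    if record["salt"] == b"":
        return hashlib.sha256(candidate.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                               record["salt"], ITERATIONS)


def accepts(record, candidate):
    """The login check: the original password is never needed, only some
    candidate whose digest matches what is stored (constant-time compare)."""
    return hmac.compare_digest(record["digest"], digest_for(record, candidate))


def shared_digest_groups(records):
    """Defender's audit over a stolen-style hash file: accounts whose digests
    collide share a password. With unsalted hashes this is visible without a
    single guess; with salted records equal passwords still differ."""
    by_digest = {}
    for user, rec in records.items():
        by_digest.setdefault(rec["digest"], []).append(user)
    return sorted(sorted(u) for u in by_digest.values() if len(u) > 1)


if __name__ == "__main__":
    fast = {"alice": store_fast("hunter2"), "bob": store_fast("hunter2"),
            "carol": store_fast("correct horse")}
    print("unsalted, shared:", shared_digest_groups(fast))   # [['alice', 'bob']]
    salted = {"alice": store_salted("hunter2"), "bob": store_salted("hunter2")}
    print("salted, shared:", shared_digest_groups(salted))   # []
```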