Welcome to AppFail

Posted on 2009-06-25

Security Post

WebCT, the popular Learning Management System used at many post-secondary institutions, fails at implementing password hashing. Version 4.1 of WebCT, which is still in use at a number of schools, hashes passwords with the traditional crypt() DES algorithm, which uses only the first eight characters of the password, and only 7 bits of each of those. The downside is that no matter how strong your password is, a brute force, dictionary, or other attack against it need only consider passwords of up to 8 characters drawn from a limited character set.

A recent Core 2 processor at 2.5 GHz can crack salted DES crypt() passwords at a rate of 2 to 2.5 million per second, per core. Slashing through the keyspace at 10 million per second with a single desktop computer (four such cores) exhausts the entire lowercase alphanumeric keyspace of 1 to 8 characters in only 3.5 days. A dual-socket, quad-core 3.0 GHz Xeon server can test on the order of 25 million combinations per second, so the entire mixed-case alphanumeric keyspace is exhausted in about 100 days; divide that between four such servers and you're only talking about a month. Using the power of cloud computing, 20 EC2 High-CPU Extra Large instances (the default instance quota) could crack that same keyspace in just over 4 days, at a total cost of about $1650, roughly the price of a single 2.93 GHz Xeon X5570 CPU.

How to tell when you're being "Protected" by DES
Set a reasonably long password, then log out, and when you log back in type only the first 8 characters of your password. If the login succeeds, beware: you are being "protected" by DES, and that nosy neighbor in the computer lab only needs to see the first part of your password to compromise your account. WebCT contains sensitive information such as grades, but also in-progress and submitted assignments, which if stolen could lead to a charge of Academic Dishonesty (plagiarism) and result in lost credits or expulsion.
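The keyspace figures above, and the "first 8 characters still log in" check, can both be reproduced offline. The following is an added example written for this page; it is not code from the post and has nothing to do with WebCT itself. The `keyspace`/`crack_days` helpers just do the geometric sum behind the numbers in the post, and `des_crypt_truncates` asks the local libc crypt() (via Python's `crypt` module, which is deprecated and absent from Python 3.13) whether the traditional DES hash of a long password equals the hash of its first 8 characters. The salt "ab" and the sample password are arbitrary choices made here; the 36- and 62-character alphabet sizes are assumed from the post's "lowercase alphanumeric" and "alphanumeric" wording.

```python
"""Added example (not from the AppFail post): size the DES crypt() keyspace
and check whether a crypt() hash depends only on the first 8 characters."""
import warnings

LOWER_ALNUM = 36   # a-z, 0-9            (assumed reading of "lowercase alphanumeric")
MIXED_ALNUM = 62   # a-z, A-Z, 0-9       (assumed reading of "alphanumeric")
DES_MAX_LEN = 8    # traditional crypt() ignores everything past character 8


def keyspace(alphabet_size: int, max_len: int = DES_MAX_LEN) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet.

    Because DES crypt() truncates to 8 characters, max_len=8 is the ceiling
    on attacker effort regardless of how long the real password is.
    """
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack_days(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Wall-clock days to try every candidate in the keyspace at a given rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second / 86400


def des_crypt_truncates(password: str, salt: str = "ab"):
    """Return True if DES crypt() hashes `password` and password[:8] identically,
    False if the hashes differ, or None if no usable DES crypt() is available
    (Python >= 3.13 has no crypt module; some libc builds disable DES and
    return NULL or a "*0"-style failure string)."""
    if len(password) <= DES_MAX_LEN:
        raise ValueError("need more than 8 characters to observe truncation")
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt  # deprecated since 3.11, removed in 3.13
        full = crypt.crypt(password, salt)          # 2-char salt selects DES
        short = crypt.crypt(password[:DES_MAX_LEN], salt)
    except Exception:
        return None
    if not full or not short or full.startswith("*") or short.startswith("*"):
        return None  # libc refused to do DES; no conclusion either way
    return full == short


if __name__ == "__main__":
    print(f"lowercase alnum, 1-8 chars: {keyspace(LOWER_ALNUM):,} candidates, "
          f"{crack_days(LOWER_ALNUM, 8, 10e6):.1f} days at 10M/s")
    print(f"mixed-case alnum, 1-8 chars: {keyspace(MIXED_ALNUM):,} candidates, "
          f"{crack_days(MIXED_ALNUM, 8, 25e6):.0f} days at 25M/s "
          f"({crack_days(MIXED_ALNUM, 8, 25e6) / 4:.0f} days across 4 servers)")
    # Sample password constructed for this example only.
    verdict = des_crypt_truncates("correcthorsebatterystaple")
    print("DES crypt() truncates:", "unknown (no DES crypt here)" if verdict is None else verdict)
```

Running it on a glibc system prints about 2.9 trillion candidates (3.4 days) for the lowercase case and about 222 trillion (103 days, or 26 days across four servers) for mixed case, matching the post's estimates, and reports that the two hashes are identical. If the last line says "unknown", your Python or libc simply has no DES crypt() to test against; the keyspace arithmetic still stands.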

By: Allan Jude

Posted on 2009-06-24

Infrastructure Post

Infrastructure is all the various bits that hold a website up, like the piers of a bridge, or the legs of a chair. For your average blog or forum the most common failure is overloading the database, which happens when unoptimized queries lock tables for too long, or when a single database just cannot handle the volume of queries that are coming in. When any one part of that infrastructure fails, the entire site comes crashing down. In this brief article Security Analyst Allan Jude examines some of the common pitfalls of infrastructure design.

Posted on 2009-06-24

Security Post

The most common cause of security fails is improper implementation: people who do not fully understand the concepts involved attempting complicated cryptography. We'll be profiling a number of different security fails that we know about, and we would love it if you could point out any that you happen to know about or find. FreeBSD Security Officer and all-round security guru Colin Percival offers his advice on what the Cryptographic Right Answers are.

By: Allan Jude

Blog Post

AppFail.com profiles some of the biggest and most spectacular failures of (Web) Applications, Infrastructure, Design and Security on the internet. A wise man learns by the mistakes of others, a fool by his own.

Apps Post

Welcome to AppFail.com

We will test your apps, websites and security and see how badly they fail. If you have a site that is on Digg and you go down when a link is posted... you need us.

Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare - Any man can make a mistake; only a fool keeps making the same one.
