It’s been a while since I have posted and I wanted to give folks a quick update and explanation on why things haven’t progressed as quickly as I’d hoped. I’d like to try to not be a one hit wonder and continue to improve the security of our customers by sharing real world experiences and practical knowledge.
First off – there were some technical inaccuracies in my first post. Namely, NT 4.0 and lower operating systems seem to only support 14 character or less passwords (I use the term ‘NT based’ throughout my blog and it caused some confusion, I should have said Windows 2000 and later, we’re not really crazy about NT 4.0 anymore and secretly wish all customers would upgrade to WS2003. :)).
In addition I stated incorrectly that Windows 2000 and later operating systems support 128 character passwords when in fact this number is 127 (damn 0-based arrays).
In the weeks since I posted my first blog it hit Bugtraq, forwarded by a researcher from Security Friday (www.securityfriday.com) who does very interesting (and scary) analysis of our challenge / response protocols (NTLM, NTLMv2 etc.). His demonstration at Blackhat lends further support to the claim that ‘longer is better’ when it comes to passphrases and this was in fact the conclusion he came too after demonstrating how to sniff an NTLM based session setup and crack it in real time using a 16 node Beowolf cluster.
Over the weekend the boys at Sunbelt (who own the W2knews mailing list, one of my favorite lists) posted a link to my blog as well. They have a subscriber base of over half a million folks and I appreciate their honorable mention and as of tonight I’m up to 27,000 views and counting.
So where are we at? I have yet to blog about my ‘admin personas’ where I will give administrators the same treatment I give the miscreants and attempt to broadly categorize them into 3 categories (Default, Skilled and Advanced). I have yet to blog about malware and I have lots of stories to share here as well. When I do eventually blog about malware I’ll talk about malware trends that concern me . . . the two biggest threats to our customers, IMHO being that of the rootkit and the worm / bot. I’ll talk about the YYT_HAC rootkit, the current ‘state of the bot’ and a sophisticated reverse shell backdoor we stumbled across and how it works etc. All very scary stuff – it should be a must read for any IR team – it will probably make the team question their abilities to respond to this stuff . . . as well it should.
The reason I haven’t blogged recently is because I’ve been just been stupid busy . . . I had an unexpected trip out to Redmond and of course we released MS04-028 followed by 10 other bulletins this month . . . you all know what it’s like for YOU when we release security bulletins . . . my team supports the customers who have questions about or need help with the bulletins. Good times.