5

The NY Times recently published a story about how they were hacked during a four-month period. The hacks allegedly were carried out by part of the Chinese military.

One part of the story that confused me was the following:

From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.

While hashes make hackers’ break-ins more difficult, hashed passwords can easily be cracked using so-called rainbow tables — readily available databases of hash values for nearly every alphanumeric character combination, up to a certain length. Some hacker Web sites publish as many as 50 billion hash values.

I remember that when news about the LinkedIn passwords being stolen was announced last year that LinkedIn was criticized for not having salted their passwords, and they also said that they would salt passwords in the future to improve security.

If the NY Times had salted passwords then rainbow tables would not be useful for the hackers, correct? Does the fact that rainbow tables are mentioned in the story mean that the reporter was confused about how the hack would likely have occurred? Or does this mean that the NY Times was likely using unsalted passwords? If so, does this point to poor security on the part of the NY Times (I guess that wouldn't be too surprising given the extent of the hack)?

Basically my question is: does the fact that rainbow tables were mentioned in the story imply that the NY Times had poor security policies in place? Or are rainbow tables still useful for hacking organizations that have good security practices in place?

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949

3 Answers

4

This is mostly speculation, but I see a number of plausible scenarios:

  • The article is correct, and NY Times did not salt their passwords;

  • They salted them, but used a hashing algorithm that was not slow enough;

  • The attackers targeted a few specific passwords (probably by guessing and/or brute forcing them).

As for your last question, AFAIK the value of salting is to increase the amortized cost of breaking N passwords (i.e. without salting, breaking 1 password or all of them has the same cost; with salting, N passwords cost N times more than 1 password). A rainbow table could be created specifically to target a single account, but the cost of doing so is always greater than just brute forcing it (see @ThomasPornin's comment), so I doubt that's what happened. So I'm guessing you're right in your suspicion that "the reporter was confused about how the hack would likely have occurred".

mgibsonbr
  • 2,905
  • 2
  • 20
  • 35
  • 3
    You can amend your "generally greater" into "always greater". Building a table which can recover _X_ passwords has cost _1.7*X_, while brute force with the same set of _X_ passwords has average cost _X/2_ and worst cost _X_, always lower than the rainbow table cost. – Thomas Pornin Feb 01 '13 at 12:09
4

Although in that case the password hashing was probably unsalted (see @pgolen's answer: default hash functions on Windows do not use salts), you must remember that salts are only a deterrent. Salts prevent a large class of attack optimizations such as rainbow tables and parallel cracking. However, if a password is weak, then it is weak. With salts, the attacker must concentrate on each password individually. But if a password can be found in 1000 guesses, then 1000 guesses will suffice to crack it...

The other characteristic which is often sought for password hashing, along with salts, is configurable slowness: that's what the "iteration count" is about in PBKDF2 and bcrypt. Slowness increases the attack cost for the attacker even when concentrating on a single password. But if your password is "Password1", no bcrypt with many iterations and salts will save you.

Salts and slowness are not an ideal protection; that's just the best thing available. "Best" does not mean "good".

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
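The two answers above make three claims that are easy to check in code: an unsalted hash is covered by a table built once for every account, a per-user salt makes that table worthless so each account must be attacked on its own (mgibsonbr's amortized-cost point), and a slow, salted KDF still falls to a handful of guesses when the password is weak (Thomas Pornin's point). The following is an added example written for this page, not code from either answer; the wordlist, account names and iteration count are constructed, and PBKDF2-HMAC-SHA256 from Python's hashlib stands in for whatever KDF a real system would use.

```python
"""Added example: unsalted table lookup vs. salted, slow per-account guessing.

Everything here is constructed for illustration; the four-entry WORDLIST
stands in for the multi-billion-entry tables the article mentions.
"""
import hashlib
import os

WORDLIST = ["letmein", "Password1", "summer2012", "correct horse"]
ITERATIONS = 50_000  # the configurable "slowness" knob (PBKDF2 iteration count)


def fast_unsalted(pw: str) -> str:
    """One cheap SHA-256 over the password alone, the same for every user."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_table(words) -> dict:
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {fast_unsalted(w): w for w in words}


def slow_salted(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 with a per-user random salt; cost scales with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def guess_salted(stored: bytes, salt: bytes, words) -> tuple:
    """Dictionary guessing against ONE salted hash.

    Returns (password or None, number of KDF evaluations spent): with a salt
    the attacker must redo the KDF per guess, per account.
    """
    calls = 0
    for w in words:
        calls += 1
        if slow_salted(w, salt) == stored:
            return w, calls
    return None, calls


def hash_work(n_accounts: int, n_words: int, salted: bool) -> int:
    """Worst-case hash evaluations to try n_words against n_accounts.

    Unsalted: the table is built once (n_words hashes), lookups are free,
    so 1 account or all of them cost the same. Salted: every account needs
    its own n_words evaluations, so the cost grows linearly with accounts.
    """
    return n_accounts * n_words if salted else n_words


def demo() -> dict:
    table = build_table(WORDLIST)
    salt = os.urandom(16)                       # per-user random salt
    stored = slow_salted("Password1", salt)     # what the server keeps
    found, calls = guess_salted(stored, salt, WORDLIST)
    strong, strong_calls = guess_salted(slow_salted("xq9!Lm2#vT", salt), salt, WORDLIST)
    return {
        # unsalted: one table lookup, no hashing at all, recovers the password
        "unsalted_hit": table.get(fast_unsalted("Password1")),
        # salted: the same table never matches a salted digest
        "table_hit": table.get(stored.hex()),
        # ...but the weak password still falls after two KDF calls
        "salted_found": found,
        "kdf_calls": calls,
        # a password outside the wordlist survives the same budget
        "strong_found": strong,
        "strong_calls": strong_calls,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("1000 accounts, unsalted:", hash_work(1000, len(WORDLIST), salted=False))
    print("1000 accounts, salted:  ", hash_work(1000, len(WORDLIST), salted=True))
```

The `hash_work` figures are the whole of the amortization argument: with four candidate passwords and a thousand accounts, the unsalted attacker spends four hashes and then does lookups, while the salted attacker spends four thousand KDF runs, each of which is itself tens of thousands of times slower than a bare SHA-256. None of that changes the fact that "Password1" is the second guess.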
2

This article is most likely correct. It is mentioned that the attacker gained access to the domain controller (so Windows and Active Directory). Windows doesn't salt passwords. The best that the NY Times could do was to disable storing LM hashes, and I think it was done. Nevertheless NTLM hashes are quite easy to crack, even without rainbow tables.

pgolen
  • 529
  • 2
  • 5
  • That's interesting that Windows does not salt passwords, I had assumed they would. It seems like a poor security choice that should be fixed by now. – Gabriel Southern Feb 01 '13 at 17:23
  • @Gabriel: Well, password hashes in Windows could be better, but fixing it is not as easy as it might look. Main problem - backward compatibility. – pgolen Feb 01 '13 at 21:36
  • 1
    @Gabriel: But on the other hand, if an attacker is able to dump password hashes he or she most likely had already gained administrator rights. It is also important to note that an attacker doesn't need to crack the password hash; there is an interesting attack called "pass the hash" (http://en.wikipedia.org/wiki/Pass_the_hash). Check also this: http://blogs.technet.com/b/trustworthycomputing/archive/2012/12/11/mitigating-targeted-attacks-on-your-organization.aspx – pgolen Feb 01 '13 at 21:43
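pgolen's answer rests on one property of the NT hash that a domain controller stores: it is MD4 over the UTF-16LE encoding of the password with no salt, so two accounts with the same password have the same hash and a single precomputed table covers every account. The same property lets a defender audit a hash dump for shared and banned passwords without recovering anything else. The following is an added example written for this page, not code from the answer or from Microsoft; the pure-Python MD4 is included only so it runs where OpenSSL's legacy provider is absent, and the account dump and banned list are constructed.

```python
"""Added example: NT hash construction (MD4 of UTF-16LE, no salt) and a
defender-side audit for shared / banned passwords in a constructed dump."""
import struct

MASK32 = 0xFFFFFFFF


def _rot(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); included because hashlib's 'md4' is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rot(a + fn(b, c, d) + X[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c          # [abcd] -> [dabc] register rotation
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored by Windows: no salt, no iteration, just MD4(UTF-16LE)."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed banned list; a real audit would use a much larger one.
BANNED = ["", "password", "Password1", "Welcome1"]


def audit(dump: dict) -> dict:
    """dump maps account -> NT hash hex.

    Because the hash is unsalted, equal hashes mean equal passwords, and a
    banned password hashes to one known value for every account.
    """
    banned = {nt_hash(p): p for p in BANNED}
    by_hash: dict = {}
    for user, h in dump.items():
        by_hash.setdefault(h.lower(), []).append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    weak = {user: banned[h.lower()] for user, h in dump.items() if h.lower() in banned}
    return {"shared": shared, "weak": weak}


# Constructed dump: two accounts set the same banned password, one did not.
SAMPLE_DUMP = {
    "alice": nt_hash("password"),
    "bob": nt_hash("password"),
    "carol": nt_hash("xq9!Lm2#vT-long-unique"),
}


if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

The point for the question: with a salt, `alice` and `bob` would hold different hashes and the banned-list check would have to be repeated per account; without one, every check in `audit` is a dictionary lookup, which is exactly what makes a precomputed table worthwhile against a domain controller.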