Tuesday, March 31, 2009

New RIT Honeynet Website

We now have a new website dedicated to the RIT Honeynet Project.

http://honeynet.rit.edu

We will be posting the honeynet updates there, as well as data once we go live. Stay tuned for more updates!

Monday, March 30, 2009

Using MD5 with new PHPbb

MD5 is one of today’s biggest security weaknesses. So why would anyone ever want to use it or, worse, migrate away from a stronger scheme to it? The answer is the ever-looming problem of interoperability. Even though SPARSA is a security group, we face these challenges too: writing code so that Blowfish interfaces with all these programs might be more secure, but it would also be much more time-consuming.

As a result, we here at SPARSA are working to migrate all our username systems (Drupal, Linux, PHPbb3, Gallery2, etc.) to a single username and password. The problem we face is that we already have a significant presence established via PHPbb. As such, we want to use our PHPbb database and group structures to propagate all the databases and passwd files.

The easiest way to do this, and the way that currently allows for the most expansion, is to revert PHPbb3's use of the PHPass library and replace it with the MD5 that was featured in PHPbb2.
The PHPass library creates hashes based on a structure similar to MD5 but with pseudo-random salt values.

We decided against this course of action because PHPbb’s next incarnation will probably not accept MD5 at all, or will certainly discourage its use. Instead, we decided to make a new column in the PHPbb database explicitly for MD5 passwords. For security reasons, the naming of this database should be something that hides its true purpose, and an additional hash function should be placed over it, making it difficult for anyone who might break into your database to break your MD5 passwords.
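The difference between the salted PHPass-style hash and the plain MD5 column described above, as an added example rather than code from PHPbb or SPARSA: a Python sketch modelled on the PHPass "portable" scheme (salted, iterated MD5 with the `$H$` prefix). The cost value, column names and accounts are constructed assumptions.

```python
import hashlib, hmac, os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data):
    """PHPass-style base64: little-endian 6-bit groups over 3-byte chunks."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def portable_hash(password, setting):
    """Salted, iterated MD5; setting = '$H$' + cost char + 8-char salt."""
    count = 1 << ITOA64.index(setting[3])
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def new_hash(password, cost_log2=11):        # cost is an assumed value
    salt = _encode64(os.urandom(6))          # 6 random bytes -> 8 salt chars
    return portable_hash(password, "$H$" + ITOA64[cost_log2] + salt)

def verify(password, stored):
    return hmac.compare_digest(portable_hash(password, stored), stored)

def shadow_md5(password):
    """What the extra column holds: one unsalted MD5 round."""
    return hashlib.md5(password.encode()).hexdigest()

def shared_passwords(rows, column):
    """Group usernames whose value in `column` is identical."""
    groups = {}
    for user, cols in rows.items():
        groups.setdefault(cols[column], []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed accounts: alice and bob happen to choose the same password.
ROWS = {u: {"user_password": new_hash(p), "md5_column": shadow_md5(p)}
        for u, p in [("alice", "correct horse"), ("bob", "correct horse"),
                     ("carol", "tr0ub4dor")]}
```

With the salted column, equal passwords give unrelated values; in the MD5 column they collide, so that column on its own gives away what the salt was hiding.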

At this time it is less than feasible to reverse each hash and then re-encrypt it into MD5 for the other databases. Although that would be optimal, it is of course the exact opposite of the purpose of a hash, and the action is of questionable ethics. An additional concern is that we do not want any users to experience lockout time or have to reset their passwords.

This problem turns out to have a relatively easy fix, almost too easy, and one that would prove an interesting local attack against PHPbb, letting an attacker gain passwords even if they were encrypted with the most sophisticated encryption.

There is only one file that needs to be edited:

phpbb3/includes/auth/auth_db.php, where the successful login and the plain-text password are handled.

Add these lines right before

// Successful login... set user_login_attempts to zero...

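// The plaintext password has just been verified; hash it with unsalted MD5.
$password_new = md5( $password );

// Store the MD5 value in the extra column for the user who logged in.
$sql = "UPDATE " . USERS_TABLE . "
    SET column_name = '$password_new'
    WHERE user_id = " . $row['user_id'];
$db->sql_query($sql);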
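Because a few lines in the login path are enough to copy every password as users sign in, anyone reviewing authentication code wants to know whether the plaintext `$password` ever reaches a write. A rough taint check for that, as an added example (not PHPbb's or SPARSA's code); the sink list, the `check_hash` name and both PHP samples are constructed assumptions.

```python
import re

# Functions that persist or transmit data (assumed sink list, extend as needed).
SINKS = ("sql_query", "file_put_contents", "fwrite", "error_log", "mail")
ASSIGN = re.compile(r"(\$\w+)\s*(\.?=)(?![=>])(.*)", re.S)

def uses(var, text):
    """True if text references the PHP variable var (and not a longer name)."""
    return re.search(re.escape(var) + r"\b", text) is not None

def password_flows(php_source, secret="$password"):
    """Return (sink, variable) pairs where data derived from secret reaches a sink."""
    tainted, findings = {secret}, []
    for stmt in php_source.split(";"):          # crude statement split
        m = ASSIGN.search(stmt)
        if m:
            var, op, rhs = m.groups()
            if any(uses(v, rhs) for v in tainted):
                tainted.add(var)                # derived from the password
            elif op == "=" and var != secret:
                tainted.discard(var)            # overwritten with clean data
        for sink in SINKS:
            call = re.search(re.escape(sink) + r"\s*\((.*)", stmt, re.S)
            if call:
                findings += [(sink, v) for v in sorted(tainted)
                             if uses(v, call.group(1))]
    return findings

MARKER = "// Successful login... set user_login_attempts to zero..."

# Constructed sample shaped like a login routine; not copied from PHPbb.
CLEAN = """
if (check_hash($password, $row['user_password']))
{
    %s
    $sql = 'UPDATE ' . USERS_TABLE . ' SET user_login_attempts = 0 WHERE user_id = ' . $row['user_id'];
    $db->sql_query($sql);
}
""" % MARKER

# The change described in the post, inserted right before the marker comment.
HOOK = """$password_new = md5( $password );
    $sql = "UPDATE " . USERS_TABLE . " SET column_name = '$password_new' WHERE user_id = " . $row['user_id'];
    $db->sql_query($sql);
    """
PATCHED = CLEAN.replace(MARKER, HOOK + MARKER)

if __name__ == "__main__":
    print("clean  :", password_flows(CLEAN))
    print("patched:", password_flows(PATCHED))
```

The regex split is a review aid, not a PHP parser; comparing the deployed auth_db.php against the release copy remains the more dependable check.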


Thursday, January 29, 2009

ImagineRIT here we come!

As of January 23, 2009 SPARSA has officially submitted a proposal to ImagineRIT. ImagineRIT is RIT's innovation fair where clubs gather and display different projects to the public. This year SPARSA has proposed to build an automated security test system that will generate security reports for individuals at the event. This system uses off-the-shelf hardware and software, combined in an innovative way.

It starts off with a Prism-based card with HostAP drivers in a computer. The card will sniff the network for wireless probe packets, and once it receives a probe it will change the Access Point name to fit that request. Additionally, there will also be a wireless access point offered for users who have no preferred network saved and desire to have the tests performed. Upon connecting to the network, the user will be treated to a captive portal which will present them with terms allowing for network scanning. If the user rejects the terms they will be redirected to normal RIT internet; however, if they accept the terms they will be asked to create a password. The password will be a key to their report if they choose to visit the booth.

Once the user is in the network they will be given an IP address and be able to surf the internet freely. While they are surfing, our servers will scan their computers for common vulnerabilities. A report will then be generated and secured pending the arrival of the user at our booth. From that report, anonymous security statistics will be generated and displayed on a screen. When the user arrives they will be given access to a terminal on which they can enter their computer name and the password. They will be given a summary of their current security weaknesses and how to fix them, along with the option to print them for future use.

The project, although it involves developing only some code, will itself make the RIT campus safer and hopefully be an interesting insight into the world of security for those who would not normally be privy to it.

Saturday, January 17, 2009

RIT Honeynet Project

The RIT Honeynet Project has finally taken off. We were approved by the department heads a while back, and have been waiting for them to obtain the hardware for us. We now have an assortment of hardware to play with, including about 12 machines, a KVM, a switch and a hub. We also have a rack and cooling. This is currently set up in the projects lab but may shift depending on space concerns. When we have time, we will start configuring the honeynet systems and playing with Honeywall (https://projects.honeynet.org/honeywall/). Future updates about the honeynet project will be posted here once it has been configured.