Unless you live under a rock, you’ve likely seen a recent top news headline with the words “security breach” somewhere in it. This is not the type of press companies want to be recognized for, and it is even worse for the millions of customers who are left out in the cold when their private information is exposed without authorization.
High-profile security breaches are becoming more common every year as cyber criminals grow more sophisticated at finding new security vulnerabilities to exploit in order to reach protected data. These hackers aren’t planning to ease up on businesses anytime soon, either. With that in mind, the best course of action for organizations is to rapidly test, identify and fix the areas where they are most vulnerable.
Security penetration testing to better manage vulnerable data
IBM recognized this need two years ago when it launched IBM X-Force Red, a team of security professionals and ethical hackers whose goal is to help businesses discover vulnerabilities in their computer networks, hardware and software applications before cybercriminals find those same vulnerable areas. The security testing expertise that IBM X-Force Red brings to the table spans multiple industries including healthcare, financial services, retail, manufacturing, government and the public sector.
Although there are unique security vulnerabilities in each industry, password security issues remain among the top areas of concern for every enterprise, no matter the industry. It only takes one weak password for a cybercriminal to breach an entire business. The need for greater password security has given rise to an entire segment of “password auditing” solutions that test for password weaknesses within an enterprise, particularly among website applications.
Password auditing, or password cracking, is the act of running candidate plaintext passwords through the same hashing algorithm the system uses, then comparing the resulting hashes against the stored ones. When a match occurs, the hash is considered cracked, and once the hash is cracked, so is the password. This assumes nothing was added to the password before hashing; such an added value, referred to as a password “salt”, is there to slow hackers down.
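To make the mechanism concrete, here is a small self-contained audit in Python. It is an added example and not code from the article, from IBM X-Force Red or from the Hashcat project; the account names, passwords, weak-password list and the use of plain SHA-256 are all constructed for the demo. It hashes each candidate from a short list of known-weak passwords and compares the results with a stored credential table, once for an unsalted store and once for a store with a random salt per user, and reports which accounts would fail the audit and how many hash computations each variant needed.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data for this demo: a handful of accounts and a short
# list of widely reused weak passwords that an audit would check first.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "Cr9!vZ#q2Lm8wT",  # not in the weak list; should survive the audit
}
WEAK_PASSWORDS: List[str] = ["123456", "password", "letmein", "password123", "qwerty"]


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256, used here only to keep the demo self-contained."""
    return hashlib.sha256(data).hexdigest()


def build_unsalted_store(accounts: Dict[str, str]) -> Dict[str, str]:
    """Legacy scheme: hash of the bare password, identical for equal passwords."""
    return {user: sha256_hex(pw.encode()) for user, pw in accounts.items()}


def build_salted_store(accounts: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Salted scheme: a random 16-byte salt per user, stored beside hash(salt || password)."""
    store: Dict[str, Tuple[str, str]] = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt.hex(), sha256_hex(salt + pw.encode()))
    return store


def audit_unsalted(store: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Hash every candidate once and look up all accounts in that single table.

    Returns (user -> recovered password or None, number of hashes computed).
    """
    table = {sha256_hex(w.encode()): w for w in wordlist}
    hashes_computed = len(wordlist)
    return {user: table.get(h) for user, h in store.items()}, hashes_computed


def audit_salted(store: Dict[str, Tuple[str, str]], wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """With per-user salts no shared table exists: each account is tried separately.

    Returns (user -> recovered password or None, number of hashes computed).
    """
    results: Dict[str, Optional[str]] = {}
    hashes_computed = 0
    for user, (salt_hex, stored) in store.items():
        salt = bytes.fromhex(salt_hex)
        results[user] = None
        for candidate in wordlist:
            hashes_computed += 1
            if sha256_hex(salt + candidate.encode()) == stored:
                results[user] = candidate
                break
    return results, hashes_computed


def weak_accounts(results: Dict[str, Optional[str]]) -> List[str]:
    """Accounts whose password appeared in the weak list, for the audit report."""
    return sorted(user for user, pw in results.items() if pw is not None)


def run_audit() -> Dict[str, object]:
    """Run both audits on the constructed sample data and summarize the outcome."""
    unsalted_hits, unsalted_cost = audit_unsalted(build_unsalted_store(SAMPLE_ACCOUNTS), WEAK_PASSWORDS)
    salted_hits, salted_cost = audit_salted(build_salted_store(SAMPLE_ACCOUNTS), WEAK_PASSWORDS)
    return {
        "weak_accounts": weak_accounts(unsalted_hits),
        "unsalted_hashes": unsalted_cost,
        "salted_hashes": salted_cost,
        "same_findings": unsalted_hits == salted_hits,
    }


if __name__ == "__main__":
    summary = run_audit()
    print("accounts using a known-weak password:", ", ".join(summary["weak_accounts"]))
    print(f"hashes computed: unsalted={summary['unsalted_hashes']} salted={summary['salted_hashes']}")
```

Both variants flag the same two accounts, which is the point an auditor cares about; the salt does not hide a weak password, it only removes the shortcut of hashing each candidate once for the whole table, so the cost grows with the number of accounts. A production audit or verifier would use a deliberately slow password hash such as bcrypt or Argon2 rather than plain SHA-256, which raises that per-guess cost further.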
Hacking anything to secure everything
In the world of password auditing, there is little that the IBM X-Force Red team doesn’t know. The team put this on full display recently at the Black Hat Security Conference in Las Vegas, Nevada. However, as the team prepared for the security event, members realized that, to rapidly test all aspects of an organization’s password security vulnerabilities, they would need a strong compute foundation to run their tests at scale.
Dustin Heywood, also known as EvilMog, from the IBM X-Force Red team and a member of Team Hashcat — a group of password security researchers and the contest team for the open source Hashcat project — led both teams, first in a demo of their “Cracken” password cracking application, then in the Black Hat “Crack me if you can” password cracking contest. He decided to turn to IBM Cloud infrastructure as a service (IaaS) for high-performance computing and scalability. In preparation for both the demo and the contest, Heywood and his team provisioned and tested a complex, 32-server virtual server environment with 64 NVIDIA Tesla P100 graphical processing units (GPUs), all in under a day. In the words of one Hashcat team member, “it was a little like bringing a nuke to a gunfight.”
Big results
The IBM Cloud environment provided a fivefold increase over the existing IBM X-Force Red 16-server GPU-based infrastructure to fuel the “Cracken” password cracking application and demonstrate real-time, eight-character password cracking in an average of two to three minutes, a feat that would normally take the X-Force Red GPU-based infrastructure alone about eight to 12 hours per password to accomplish.
The IBM X-Force Red team didn’t stop there. With the DEF CON 26 conference coming hot on the heels of Black Hat, EvilMog used the same combined IBM Cloud and Cracken infrastructure to tackle the “Crack Me If You Can” contest, which is essentially the World Series of password cracking contests. Over a two-day period, Team Hashcat cracked more passwords than any other team.
The team’s performance shows that the IBM Cloud is an ideal environment to consider for quickly running complex, compute-intensive applications.