Thread: FYI: Steam accounts were hacked (around 10th November)

  1. #1
    Quote Originally Posted by paul_nicholls View Post
    LOL! Wow! I certainly started a big 'discussion'!
    Steam is actually a popular topic and the security concerns everybody, so something interesting can come up out of these discussions.

    In my own case I'm lucky not to use Steam, but what would happen if GMail/Hotmail/Yahoo accounts were stolen to the same degree?

  2. #2
    Nobody has really given any counter argument to the math I have provided. I gave different probability scenarios that should give some kind of hints. It's true that:
    - If you prove that brute-forcing through all password combinations takes 1000000 years, how likely is it that someone can optimize the algorithm by 99.9999% so that the calculation is done in reasonable time?
    - You don't have to brute-force the full range of random words, just up till the first match. You may be lucky sooner or later.
    - If no salt is involved, you can use many optimizations like premade lists that guess by ignoring unlikely words like aaa*, bbg* and so forth. There can be a lot more optimizations I don't know about.
    - If hackers get to know the salt algorithm they wouldn't need to go through all 128-256 lengths, but the usual 8-10 char lengths that are unsalted passwords.

    This wasn't Steam talk now. There is nothing to discuss about it as long as we have no details on how their systems work. In general, if hackers get access to passwords it's the fault of other things. Low security systems. Most hacked sites that get news popularity probably had their passwords stored as plaintext. A properly encrypted system is truly unbreakable; there are just too many web hosters that make errors in one thing or another. It is tough to protect against all possible attacks, but that is a different topic.

    It is that you make encryption sound as breakable as a cookie that makes me defend it so heavily. To give another simple example, if I keep a 256-bit XOR key for a text to myself, how would you be able to crack the text? Nobody could, in a million years.
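    The salt point in post #2 (premade lists only help when no salt is involved), as an added Python example that is not code from anyone in this thread: the same common-password list cracks an unsalted SHA-256 store by a single table lookup, but finds nothing in a store that uses a random per-user salt with PBKDF2. The password list and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of a "premade list": common passwords an attacker would try first.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "steam123"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """The attacker's lookup table, built once: digest -> plaintext (only works without salt)."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: per-user salt plus an iteration count (assumed value) that makes each guess costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str) -> tuple:
    """What a site should keep: (random per-user salt, salted digest), never the password itself."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, record: tuple) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def table_lookup(stored_digest: str, table: dict):
    """Attacker's view of a stolen digest: instant hit on an unsalted store, None on a salted one."""
    return table.get(stored_digest)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print(table_lookup(unsalted_hash("letmein"), table))   # prints 'letmein'
    record = store_password("letmein")
    print(table_lookup(record[1], table))                  # prints None
    print(verify_password("letmein", record))              # prints True
```

Two users with the same password get different salted digests, so even a table built for one stolen record does not transfer to the next one.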

  3. #3
    <edit>
    After some thinking I've got your point that you are only defending the encryption method itself. There are also some flaws in the reasoning you provide with which I do not agree, but maybe this is for another discussion.

    To sum up, my point is that although in a perfect scenario it is infeasible to break 256-bit encryption on a purely theoretical level, the specific case of stolen Steam account information has a high chance (e.g. bigger than 50%) of being revealed to a third party, even though it *might* have used 256-bit encryption to secure its data.
    Last edited by LP; 22-11-2011 at 05:43 AM.

  4. #4
    All I wanted is to point out that having encrypted data does not guarantee its security. Nowadays computers and especially computer clouds offer huge computational power which makes data encryption which has been considered perfectly safe a few years ago not so safe anymore. If we are honest, no data encryption is perfectly safe.

    But now I'll point out another thing that might result in an even bigger discussion.

    What if hackers don't have to do any data decryption after all?
    Various articles about the Steam hack only say that data from the user accounts database was stolen, but no article which I read says how that was done. If hackers managed to copy database data as in copying the database file(s) then they will definitely need to decrypt the data before using it. But what if they managed to copy database data by interfacing to the database itself, fooling it that they are some Steam web application? This way they might have managed to retrieve already decrypted data, as usually data encryption is done by the database engine itself.

    If we take into account that the Steam system isn't run just on one server it means that the database itself had to be globally available. This means that the hacker had the ability to impersonate one of those servers and access the database this way. Of course they needed to have proper database login credentials to gain access to the database data, but since it isn't very likely that database credentials are being periodically changed they had lots of time in trying it out (trying a few hundred passwords one day, a few hundred the next day, and so on). All that they had to do is keep the number of login trials (guessing of passwords) low enough for not triggering any alarms and that is all.

  5. #5
    Quote Originally Posted by SilverWarior View Post
    Nowadays computers and especially computer clouds offer huge computational power which makes data encryption which has been considered perfectly safe a few years ago not so safe anymore. If we are honest, no data encryption is perfectly safe.
    And I don't agree with that. Not all encryptions are perfectly safe, but some are. You may have also noticed an increasing number of sites which demand the password to contain at least 1 number and a capital letter, to improve even the bad ones.

    Quote Originally Posted by SilverWarior View Post
    If we take into account that the Steam system isn't run just on one server it means that the database itself had to be globally available. This means that the hacker had the ability to impersonate one of those servers and access the database this way. Of course they needed to have proper database login credentials to gain access to the database data, but since it isn't very likely that database credentials are being periodically changed they had lots of time in trying it out (trying a few hundred passwords one day, a few hundred the next day, and so on). All that they had to do is keep the number of login trials (guessing of passwords) low enough for not triggering any alarms and that is all.
    From end to start, password guessing is in my opinion history already, unless the system is built really badly. Admins will most likely get big red alarms after 5 wrong password attempts already, and ban the IP. They can shut it down if they see the attacks continuing on numerous IPs. Well, it doesn't even require admins; systems can usually prevent repeated attempts automatically.

    If I was admin to such a cloud server network, I'd use the same IP whitelist for each server. As we know, the hackers were able to crack into something other than the normal Steam login because otherwise they wouldn't access all users at once. So, if each server only allows connections from other servers that are in the whitelist, wouldn't that solve everything? Admins themselves only need a localhost connection to the server they are at. Allowing remote connection to a big amount of data can be a root of problems. Even most server software (FileZilla FTP, Apache etc.) only lets admins log in from the local network, by default.

  6. #6
    Quote Originally Posted by User137 View Post
    And I don't agree with that. Not all encryptions are perfectly safe, but some are. You may have also noticed an increasing number of sites which demand the password to contain at least 1 number and a capital letter, to improve even the bad ones.
    There is no encryption that is perfectly safe.
    As for various sites requesting the use of numbers in passwords, it is only to prevent password breaking by using a dictionary attack, which is a lot faster than a brute force attack because it is guessing the password with the help of prechosen words. As for using capital letters, it only prolongs a brute force attack, that's all.

  7. #7
    Quote Originally Posted by User137 View Post
    From end to start, password guessing is in my opinion history already, unless the system is built really badly.
    ...or, unless, that system is being used by users who are humans.

    Quote Originally Posted by User137 View Post
    Admins will most likely get big red alarms after 5 wrong password attempts already, and ban the IP.
    Sure, and prevent all legitimate users from the entire subnet from accessing the server. Banning IPs is a very bad idea as some ISPs serving thousands of users may have only one public IP. By doing so you've just helped a successful DOS attack, which denied access to many legitimate users.

    Quote Originally Posted by User137 View Post
    They can shut it down if they see the attacks continuing on numerous IPs.
    ...and simplify DOS attacks against this server even further: just access this server from multiple IPs and it will automatically shut down, how cool is that!

    Quote Originally Posted by User137 View Post
    If I was admin to such a cloud server network, I'd use the same IP whitelist for each server.
    I would consider such a server system highly insecure because if you rely on an IP address whitelist, you are immediately a candidate for IP spoofing.

  8. #8
    First off, I'm not making things up. I have built web services and seen many configuration options. You seem to be tackling minor details now on things you could have thought of solutions to yourself too.

    Quote Originally Posted by Lifepower View Post
    ...or, unless, that system is being used by users who are humans.
    What does bots' password guessing have to do with humans?

    Quote Originally Posted by Lifepower View Post
    Sure, and prevent all legitimate users from the entire subnet from accessing the server. Banning IPs is a very bad idea as some ISPs serving thousands of users may have only one public IP. By doing so you've just helped a successful DOS attack, which denied access to many legitimate users.
    Ban the IP for 10 hours or ban the user, those are minor details. ISPs' dynamic IPs usually change at a frequency of once per 24 hours, but it may vary a lot. I used to have the same IP for many weeks. Giving 1 user an "access denied" for preventing 1 hacker would be a perfectly acceptable trade any day. The user can request his password to his email if it's lost; no system will let you attempt it more than 10 times, normally just 5.

    Quote Originally Posted by Lifepower View Post
    ...and simplify DOS attacks against this server even further: just access this server from multiple IPs and it will automatically shut down, how cool is that!
    It doesn't have to be an automatic shutdown. Or don't pull the plug and let the system get hacked with the whole user database stolen, yay! I'd rather stop the system, call the police and see what they can do about the ongoing attack. Double-check security settings, maybe change admin passwords and if all is ok, restart.

    Quote Originally Posted by Lifepower View Post
    I would consider such a server system highly insecure because if you rely on an IP address whitelist, you are immediately a candidate for IP spoofing.
    I would consider it an additional layer of security that makes the hackers' job even harder than if there was no whitelist. Coming at the cost of less admin access though, but still worth it.
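    The thread goes back and forth between post #4's "a few hundred guesses a day, below the alarm threshold" scenario, post #5/#8's "alarm after 5 wrong attempts, ban the IP" answer, and post #7's objection that IP bans hit everyone behind a shared ISP address. As an added Python example (not code from anyone in this thread), here is a small detector that keys on the account rather than the source IP and combines a short-window burst rule with a long-window count rule, so the low-and-slow pattern is caught too; the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example, not values from any real system.
BURST_N, BURST_WINDOW = 5, timedelta(minutes=15)   # the "5 wrong attempts" rule from the thread
SLOW_N, SLOW_WINDOW = 50, timedelta(days=7)        # catches "a few hundred a day" spread over days


def constructed_events():
    """Constructed sample auth events (not real data): (timestamp, failed, account, source_ip)."""
    base = datetime(2011, 11, 10, 0, 0)
    events = []
    for day in range(3):                   # alice: 30 failures a day, 48 min apart, rotating sources
        for k in range(30):
            events.append((base + timedelta(days=day, minutes=48 * k), True, "alice", f"198.51.100.{k % 20}"))
    for k in range(6):                     # bob: 6 failures in under two minutes from one source
        events.append((base + timedelta(seconds=20 * k), True, "bob", "203.0.113.7"))
    events += [(base, True, "carol", "192.0.2.9"), (base + timedelta(minutes=1), True, "carol", "192.0.2.9"),
               (base + timedelta(minutes=2), False, "carol", "192.0.2.9")]   # carol: two typos, then success
    return events


def detect(events, burst_n=BURST_N, burst_window=BURST_WINDOW, slow_n=SLOW_N, slow_window=SLOW_WINDOW):
    """Per-account detection: a burst rule and a long-window count rule. Keyed by account,
    not by source IP, so a shared ISP address is never the unit that gets locked out."""
    failures = defaultdict(list)
    for ts, failed, account, ip in sorted(events):
        if failed:
            failures[account].append((ts, ip))
    alerts = {}
    for account, attempts in failures.items():
        times = [t for t, _ in attempts]            # already in time order
        rules = set()
        for i in range(len(times)):
            if i + burst_n - 1 < len(times) and times[i + burst_n - 1] - times[i] <= burst_window:
                rules.add("burst")
            if sum(1 for t in times if times[i] <= t <= times[i] + slow_window) >= slow_n:
                rules.add("low_and_slow")
        if rules:
            alerts[account] = {"rules": sorted(rules), "failures": len(attempts),
                               "sources": len({ip for _, ip in attempts})}
    return alerts


if __name__ == "__main__":
    for account, info in detect(constructed_events()).items():
        print(account, info)
```

The "sources" count in each alert is what distinguishes post #4's distributed guessing (many addresses, one account) from a single misbehaving client, which is the signal a per-IP ban alone never sees.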

  9. #9
    Quote Originally Posted by SilverWarior View Post
    Various articles about the Steam hack only say that data from the user accounts database was stolen, but no article which I read says how that was done.
    This is actually very speculative. From what we can tell, they could just as well have put a gun in the sysop's face in an armed assault on the datacenter, downloaded the necessary data in raw unencrypted format and been gone. Who knows...
