Data Breaches and Password Hashes WITH the New IPv6 RA Flood Attack

Baythreat, 2012

Topic background

I will explain what happened at CCSF to convince our ex-CTO that we had been breached, and how this incident was spectacularly mishandled to create pointless fear and scandal.

Then I will show stolen data from several companies and compare their password storage systems, which are representative of modern Website security techniques.

The techniques used include:

Plaintext storage
Unsalted MD5
Unsalted SHA-1
Salted hashes

All these techniques are obsolete and provide almost no protection. The correct technique is to use interated hashing to slow attacks, with 5000 or more rounds, such as implemented in bcrypt and PBKDF2.

Unfortunately, almost no one is using those techniques. Instead, almost every website you use is foolishly endangering users for no good reason.

Synopsis

What are your obligations to protect data, and when have you been breached? These are not simple questions to answer--a falsely reported data breach at CCSF caused an international scandal in Jan. 2012.

After explaining what a data breach is, I will present an analysis of a recent major attack that breached dozens of companies. I will explain the hashing techniques they used and what they should have used instead.

Are you protecting your passwords properly? Very few companies are.

The New IPv6 RA Flood Attack

I'll explain and demonstrate the new attack in thc-ipv6-2.0 that kills Windows 8 and Mac OS X, and freezes Win 7 & Server 2008 R2, even with the "IPv6 Readiness Update".

Last revised 12-2-12