Add to del.icio.us     Digg this

November 21, 2007

According to various reports, Steven Murdoch, a Cambridge University researcher has successfully utilized Google to reveal a secret password used by a potential hacker to compromise the university's security blog.

The Internet attacker allegedly created an account in Wordpress when he attacked the "Light the Blue Touch Paper" blog, the online journal of the Computer Laboratory at Cambridge University. Wordpress stores passwords as MD5 hashes without salting, a process that adds length and a lot of complexity to a typical password.

Curious to find out what this password might be, Murdoch then tried a dictionary attack in both English and Russian (the likely native language of the attacker). Rather than building a rainbow table that maps passwords to hashes for a more exhaustive range of possible inputs, Murdoch plugged the MD5 into Google which revealed multiple sites featuring the word "Anthony", the attacker's password.

The approach was successful in discovering the password, since the hash was located in the URL itself!

Murdoch said "this makes a lot of sense (!) (...) I've even written some code which does pretty much the same thing. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions."

Overall, Google's variant on hacking illustrates a few critical security elements:

Google is indexing password hashes, as well as everything else.

Overall, MD5 hashes without "salting" are totally useless.

Murdoch's Internet posting on his findings has understandably created a lively thread on the "Light the Blue Touch Paper" blog.

One respondent created a certain utility that lets users find out if their passwords are safe.

Generally speaking, utilizing difficult to guess passwords are fairly simple common sense that somehow often gets overlooked and in many IT circles.

As one poster notes, searching for hashes of common default passwords such as "admin" throws up some "database dumps" and various other similar instances.

Add to del.icio.us     Digg this

Source: The Register

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.