

Google reveals secret passwords?


November 21, 2007

According to various reports, Steven Murdoch, a Cambridge University researcher, has successfully used Google to reveal a secret password used by a potential hacker to compromise the university's security blog.

The Internet attacker allegedly created an account in WordPress when he attacked the "Light the Blue Touch Paper" blog, the online journal of the Computer Laboratory at Cambridge University. WordPress stores passwords as MD5 hashes without salting. Salting is a process that adds length and a lot of complexity to a typical password.

Curious to find out what this password might be, Murdoch then tried a dictionary attack in both English and Russian (the likely native language of the attacker). Rather than building a rainbow table that maps passwords to hashes for a more exhaustive range of possible inputs, Murdoch plugged the MD5 hash into Google, which revealed multiple sites featuring the word "Anthony", the attacker's password.

The approach was successful in discovering the password, since the hash was located in the URL itself!

Murdoch said "this makes a lot of sense (!) (...) I've even written some code which does pretty much the same thing. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions."

Overall, Google's variant on hacking illustrates a few critical security elements:

  • Google is indexing password hashes, as well as everything else.
  • Overall, MD5 hashes without "salting" are totally useless.
Murdoch's Internet posting on his findings has understandably created a lively thread on the "Light the Blue Touch Paper" blog.

One respondent created a utility that lets users find out if their passwords are safe.

Generally speaking, using difficult-to-guess passwords is fairly simple common sense that somehow often gets overlooked in many IT circles.

As one poster notes, searching for hashes of common default passwords such as "admin" throws up some "database dumps" and various other similar instances.
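The contrast between an unsalted MD5 and a salted, iterated hash, as an added example that is not code from the original article, from Murdoch or from WordPress. The lookup table is a constructed stand-in for a search index, the function names are hypothetical, and PBKDF2-HMAC-SHA256 with a random per-user salt is an assumed replacement scheme that the article does not name.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a public index keyed by MD5 digest (the role the
# search engine played in the article). The three sample words are illustrative.
PUBLIC_INDEX = {hashlib.md5(w.encode("utf-8")).hexdigest(): w
                for w in ("admin", "Anthony", "letmein")}

def unsalted_md5(password: str) -> str:
    """The storage scheme the article describes: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def exposed_by_index(stored: str) -> bool:
    """True if the stored value can be reversed by a plain lookup."""
    return stored in PUBLIC_INDEX

def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Assumed replacement: random 16-byte salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Salt and iteration count are stored beside the digest; neither is secret.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Same password, same digest for every user and every site: indexable.
    a, b = unsalted_md5("Anthony"), unsalted_md5("Anthony")
    print("unsalted identical:", a == b, "| in index:", exposed_by_index(a))
    # Same password, different stored value each time: nothing to look up.
    s1, s2 = hash_salted("Anthony"), hash_salted("Anthony")
    print("salted identical:", s1 == s2, "| in index:", exposed_by_index(s1))
    print("salted verifies:", verify_salted("Anthony", s1))
```
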


    Source: The Register

    Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer