An exclusive gaming industry community targeted
to, and designed for Professionals, Businesses
and Students in the sectors and industries
of Gaming, New Media and the Web, all closely
related with it's Business and Industry.
A Rich content driven service including articles,
contributed discussion, news, reviews, networking, downloads,
and debate.
We strive to cater for cultural influencers,
technology decision makers, early adopters and business leaders in the gaming industry.
A medium to share your or contribute your ideas,
experiences, questions and point of view or network
with other colleagues here at iVirtua Community.
A Cambridge University researcher successfully used Google tounearth a password used by an attacker to compromise its security blog.
The attacker created an account in Wordpress when he attacked the Light the Blue Touch Paperblog, the online journal of the Computer Laboratory at CambridgeUniversity. Wordpress stores passwords as MD5 hashes without salting, aprocess that adds length and complexity to password hashes.
Curious to know what this password might be, Cambridge researcherSteven Murdoch tried a dictionary attack in both English and Russian(the likely native language of the attacker).
Rather than building a rainbow table that maps passwords to hashesfor a more exhaustive range of possible inputs, Murdoch plugged the MD5into Google which revealed multiple sites featuring the word "Anthony",the attacker's password. The approach hit on a result because the hashwas in the URL.
Quote:
"This makes a lot of sense - I've even written code which does thesame. When I needed to store a file, indexed by a key, a simple optionis to make the filename the key's MD5 hash. This avoids the need toescape any potentially dangerous user input and is very resistant toaccidental collisions,"
Murdoch notes.
The new variant on Google hacking illustrates a couple of importantpoints: that Google is indexing password hashes, albeit inadvertently,as well as everything else; and that MD5 hashes without salting arenext to useless.
Murdoch's posting on his findings has sparked a lively thread on the Light the Blue Touch Paper blog. One respondent created a utility that lets users find out if their passwords are safe.
Using hard to guess passwords is simple common sense that somehowoften gets overlooked. As one poster notes, searching for hashes ofcommon default passwords such as "admin" throws up database dumps andthe likes.