reseize logo;

Who is what? What is where? Where am I? Are you there?

You have hit the other collection, a newslog designed for the curious.

Friday, November 23, 2007

Crack Passwords with Google

A clever bloke into security research at the University of Cambridge computer lab wrote in his bog last Friday that he's discovered Google works as a password MD5 hash cracker.
Someone had hacked into his bogsite a few weeks ago and created a user account. After he quickly disabled the rogue account, Steven J. Murdoch did some forensics work -- he's doing academic security research, remember -- and thought to figure out the attacker's password. Since his bogsite uses Wordpress, which stores passwords as unsalted MD5 hashes in its user database, he tried a dictionary attack. That didn't find any match, even with numbers added to the ends of words. He then used a Russian dictionary, because shell code that had been installed by the attacker had Russian in the comments. No word matchup there, either. Murdoch writes that he could have found or written a better password cracker. He could have varied the case of letters, added symbols to the mix, or used common substitutions of numbers for letters, but he didn't want to spend more time. Instead, he turned to Google.
He plugged the raw MD5 hash of the attacker's password into a Google search and, voila, Google found him some matches. One was a geneology page for people with the surname of "Anthony" and another was a real estate advertisement placed by a guy named "Anthony". Murdoch writes, "And indeed, the MD5 hash of 'Anthony' was the database entry for the attacker. I had discovered his password." In both cases, the target hash was embedded within a URL. It seems MD5 hashes are often used to index webpages, with the input to the MD5 algorithm being the webpage's name.
He concludes, "Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best -- storing large databases and searching them. I doubt, however, that they envisaged this use though." So don't go typing your passwords into pages that get posted on the worldwide interwibble.
This was seized 4 u at The Inquirer
tags: ,,,,


Monday, November 19, 2007

PayPal To Offer Virtual Credit Card Payment Product

Paypal will launch a new virtual credit card payment product Tuesday.
The new service "PayPal Secure Card" generates a one use unique Mastercard number that Paypal users can utilize to make payments on sites that don't take Paypal. According to Reuters, the software package with PayPal Secure Card automatically recognizes an e-commerce checkout page and fills out the payment information for the user.
It's a great idea; not only does this open up Paypal accounts to shopping on sites that don't take Paypal, it also provides credit card access to folks who don't have a credit card (or similar credit style debit card), either by choice or because they are unable to obtain one. On the security front it also provides an alternative to using your actual credit card online, a secure way of using your credit card (if linked to your Paypal account) without the risk of your real details being disclosed.
This was seized 4 u at Techcrunch
tags: ,,,,