Information Security News
The Vietnamese software dream (part 2)
CMCSoft, FPT IS, Hanel, Misa and Tinh Van are the Vietnamese names best known in the international market, while BKAV, CMC InfoSec, FPT IS, Lạc Việt, VTC Mobile and AVSoft Corp. have become known for utility software. Developing the software industry is the ...
We received a sample of a Word document exploiting CVE-2012-0158, which I took a look at. The file itself is pretty small (325 KB) and, based on VirusTotal's report for its MD5 hash, 30/47 scan engines detected it and confirmed it exploits CVE-2012-0158. I used the malwr sandbox to get a better look at how this Word document behaves while running on a Windows system. The one thing I noticed is that Yara was positive for a check of whether the file is running in a virtual machine.
Guy Bruneau, IPSS Inc., gbruneau at isc dot sans dot edu. (c) SANS Internet Storm Center, http://isc.sans.edu. Creative Commons Attribution-Noncommercial 3.0 United States License.
Seminar will boost business security
This is Nottingham
The event, run by Talk*INFOSEC, is at Antenna Media, Beck Street, Nottingham, from 4pm to 6.45pm. It will give an insight into how to keep businesses secure, including online. Topics covered will include storing company data, such as client information ...
Give three password crackers a list of 16,000 cryptographically hashed passwords and ask them to come up with the plaintext phrases they correspond to. That's what Ars did this week in Dan Goodin's Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331." Turns out, with just a little skill and some good hardware, three prominent password crackers were able to recover up to 90 percent of the list using common techniques.
The hashes that Ars provided the security experts were produced with the MD5 cryptographic hash function, something that puzzled our readers a bit, as MD5 is a fast general-purpose hash rather than a deliberately slow, salted password-hashing function like bcrypt. flunk wrote, "These articles are interesting but this particular test isn't very relevant. MD5 wasn't considered a secure way to hash passwords 10 years ago, let alone now. Why wasn't this done with bcrypt and salting? That's much more realistic. Giving them a list of passwords that is encrypted in a way that would be considered massively incompetent in today's IT world isn't really a useful test."
To this, author Dan Goodin replied that plenty of Web services employ weak security practices: "This exercise was entirely relevant given the huge number of websites that use MD5, SHA1 and other fast functions to hash passwords. Only when MD5 is no longer used will exercises like this be irrelevant." Goodin later went on to cite the recent compromises of "LinkedIn, eHarmony and LivingSocial," which were all using "fast hashing" techniques similar to MD5.
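The exchange above turns on two properties of the hashes Ars handed out: MD5 is fast, and the list was unsalted. The following example, added here and not taken from the Ars article or from the crackers it describes, runs a small wordlist-plus-rules attack against a constructed set of unsalted MD5 hashes and then shows what the same accounts cost an attacker under a salted, slow scheme. bcrypt itself needs a third-party module, so PBKDF2-HMAC-SHA256 from the standard library stands in for it; the accounts, passwords, wordlist and mangling rules are all made up for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed "breach" (not real data): accounts whose passwords were stored
# as bare MD5, the fast unsalted scheme the Ars test used.  The hashes are
# derived from the plaintexts here so the example is self-contained; a real
# attacker sees only the hash column.
PLAINTEXTS = {
    "alice": "password",
    "bob": "password",                        # same as alice -> identical hash
    "carol": "Summer13",
    "dave": "dragon1",
    "erin": "Letmein2013",
    "frank": "correct horse battery staple",  # not reachable from the wordlist
}
LEAKED_MD5: Dict[str, str] = {
    user: hashlib.md5(pw.encode()).hexdigest() for user, pw in PLAINTEXTS.items()
}

# Constructed wordlist plus the mangling rules crackers layer on top of it:
# capitalisation and appended digits or years.
WORDLIST = ["password", "letmein", "summer", "dragon", "monkey", "welcome"]
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "2012", "2013"]


def candidates(wordlist: Iterable[str] = WORDLIST) -> Iterable[str]:
    """Yield each base word, as-is and capitalised, with every suffix."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack_unsalted(leak: Dict[str, str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes: each guess is hashed once and
    looked up against every account at the same time, so the cost does not
    grow with the number of victims and shared passwords fall together."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in leak.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    for guess in candidates():
        digest = hashlib.md5(guess.encode()).hexdigest()
        for user in by_hash.get(digest, ()):
            recovered[user] = guess
    return recovered


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Standard-library stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a
    per-user salt and a tunable work factor (the same defence in kind)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(plaintexts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """How the same accounts look under a salted, slow scheme: (salt, digest)."""
    stored: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        stored[user] = (salt, slow_salted_hash(pw, salt))
    return stored


def verify_salted(stored: Dict[str, Tuple[bytes, bytes]], user: str, attempt: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, digest = stored[user]
    return hmac.compare_digest(digest, slow_salted_hash(attempt, salt))


def attack_cost_seconds(hash_one: Callable[[str], object], n_guesses: int,
                        n_accounts: int, per_user_salt: bool, sample: int = 10) -> float:
    """Time a few guesses and extrapolate the full run.  Without salts a guess
    is hashed once for all accounts; with per-user salts it is redone for each."""
    start = time.perf_counter()
    for i in range(sample):
        hash_one(f"guess{i}")
    per_guess = (time.perf_counter() - start) / sample
    return per_guess * n_guesses * (n_accounts if per_user_salt else 1)


def compare_schemes() -> Dict[str, float]:
    """Estimated seconds to run the whole candidate list against all accounts."""
    n_guesses = sum(1 for _ in candidates())
    n_accounts = len(LEAKED_MD5)
    fixed_salt = b"\x00" * 16  # any salt will do; only per-guess cost is measured
    return {
        "md5_unsalted": attack_cost_seconds(
            lambda g: hashlib.md5(g.encode()).hexdigest(), n_guesses, n_accounts, False),
        "pbkdf2_salted": attack_cost_seconds(
            lambda g: slow_salted_hash(g, fixed_salt), n_guesses, n_accounts, True),
    }


if __name__ == "__main__":
    found = crack_unsalted(LEAKED_MD5)
    print(f"cracked {len(found)}/{len(LEAKED_MD5)}: {found}")
    for scheme, seconds in compare_schemes().items():
        print(f"{scheme}: ~{seconds:.2f} s for the full wordlist run")
```

Five of the six constructed accounts fall to 1,248 guesses, and alice and bob fall together because their identical passwords produced identical unsalted hashes. Under the salted scheme each account gets its own salt, so every guess has to be re-hashed per account, and each of those hashes costs tens of milliseconds instead of under a microsecond; that product is the gap the readers were pointing at when they asked why bcrypt was not used.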