もっと詳しく

When a Cambridge University team wanted to break a hacker’s password, they turned to Google – with startling results. But there’s a lesson for you too..

There’s a certain amount of crowing associated with hacking the blog of a security team – which might be why a hacker, apparently Russian, broke into the blog of the Cambridge University security team at the Light Blue Touchpaper blog.

He did it via some weaknesses in their WordPress installation, upgrading himself from a plain “can post” user to an admnistrator of the blog using a zero-day (that is, previously unnoted) vulnerability, via SQL injection.

But the interesting part came later, when the team was clearing up. They could see the user, but what password had he used? All they had was the entry in the MySQL database for the password; but that had been loosely encoded (encrypted is too strong a word) using the MD5 hash.

You shouldn’t, in theory, be able to extract the original text from an MD5 hash. That would take millions, or at least thousands, of computers running all the time.

But Steven Murdoch began thinking. Who is there out there who has thousands of computers running all the time? Um, everyone. And some might be generating MD5 hashes and putting them on the web…

He took the hash – 20f1aeb7819d7858684c898d1e98c1bb – from the database and stuck it into Google. Lo and behold, it turned out to be “Anthony”.

So far, so trivial. Except this: if someone does the same trick on a site that you use, they might be able to get read access to the database. They’ll be able to see the username and email associated with the MD5 hash. And, on the assumption that you use that password repeatedly, such a hacker could trawl the web looking for places you log in.

So: want to check the security of your favourite password(s)? First, use the MD5 hashing page here (it’s a Javascript function; there’s nobody grabbing your password, I’d wager, though if you want to feel safe and have OSX, go to the terminal and type md5 -s mypassword – though use your password, not mypassword.

Second, paste that code into your favourite search engine. If it returns no results – well done! You’ve evaded that hack, for now.

So, how did you do? (I passed. Phew.)

Hints if you failed: change that password to one which includes both letters and numbers.

And no, we don’t know if the junior official at HMRC used MD5.

Source