Security Web Digest: Windows Passwords Insecure

Researchers discover memory-intensive, but fast cracking method
Microsoft's chief security strategist warns that vulnerabilities aren't going away
Authentica upgrades document security system
Aladdin Knowledge Systems r


Swiss researchers released a paper this week outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds. The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the technique means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code. "Microsoft's manner for encoding passwords has certain weaknesses that make such techniques particularly effective," said Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL).
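To make the time-memory trade-off concrete, here is an added toy sketch in Python of a precomputed chain table of the kind the paper describes; it is not code from the paper or from this digest, and the hash function, alphabet, chain length and the salted variant are constructed for illustration. The table is computed once and then reused against any unsalted hash, which is the precondition such tables rely on; the same table recovers nothing once a per-user salt is mixed in.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3                     # constructed toy key space: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 50                 # t: hash-and-reduce steps per chain

def H(pw, salt=""):
    """Stand-in password hash; unsalted unless a salt is supplied."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

def R(h, pos):
    """Position-dependent reduction: map a hash value back into the password space."""
    n, chars = (int(h[:12], 16) + pos) % SPACE, []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def walk(start, steps):
    """Password reached after `steps` hash-and-reduce steps from `start`."""
    for pos in range(steps):
        start = R(H(start), pos)
    return start

def build_table(starts):
    """Precompute once; store only endpoint -> starts (the memory side of the trade-off)."""
    table = {}
    for s in starts:
        table.setdefault(walk(s, CHAIN_LEN), []).append(s)   # merged chains share an endpoint
    return table

def lookup(table, target):
    """Recover the password for an unsalted `target` hash from the stored endpoints."""
    for k in range(CHAIN_LEN - 1, -1, -1):    # assume target sits at chain position k
        pw = R(target, k)
        for pos in range(k + 1, CHAIN_LEN):
            pw = R(H(pw), pos)
        for start in table.get(pw, ()):       # endpoint hit: regenerate that chain up to k
            cand = walk(start, k)
            if H(cand) == target:             # rejects false alarms from merged chains
                return cand
    return None

def demo():
    """Unsalted hash cracks from the table; a per-user salt makes the same table useless."""
    starts = [a + b + "a" for a in ALPHABET[:10] for b in ALPHABET[:10]]   # 100 chain starts
    table = build_table(starts)
    secret = walk(starts[3], 7)               # a password the table is known to cover
    return lookup(table, H(secret)), lookup(table, H(secret, salt="user1:")), secret
```

Calling demo() returns the recovered password for the unsalted hash, None for the salted one, and the secret itself for comparison.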

Microsoft Corp.'s chief security strategist, Scott Charney, on Thursday told members of the U.S. House Armed Services Committee that a robust security response capability and effective risk management are critical because software vulnerabilities will continue to be unavoidable regardless of the type of operating system used. His appearance comes nearly a month after the Department of Homeland Security signed an exclusive enterprise contract with Microsoft covering server and desktop software for approximately 140,000 users. News of the deal led some experts to warn that the new homeland security agency had made itself a "hostage" of flawed Microsoft security practices. Others, including Rep. Mac Thornberry (R-Texas), expressed concern about the government's reliance on a single vendor for the majority of its software infrastructure -- a situation some have warned could make it easier for hackers and criminals to cause damage to networks and data.

Authentica Inc. this week introduced PageRecall 3.1, the latest version of its secure document program that ensures that the content is always secure no matter where it is distributed or stored, the company said in a statement. "Rights management technology is the only solution that can enable content sharing, but at the same time protect against unauthorized access and use of information once it is delivered," said Victor DeMarines, director of marketing at Authentica. PageRecall 3.1 adds new functionality, including a way to prevent screen capture applications from working.

Aladdin Knowledge Systems this week announced the launch of Privilege 6.1, the latest version of its electronic software distribution (ESD) platform that offers publishers reduced development costs and the flexibility to effectively and efficiently manage all aspects of software marketing and sales online, the company said in a statement. "Whether you are selling software B2B or B2C, on-line or off-line, our new technology provides strategic options for securing, marketing, and controlling the purchase of software," said Yanki Margalit, CEO of Aladdin Knowledge Systems. "Privilege 6.1 gives software publishers the flexibility to sell everything from high-end accounting applications to the latest first-person shooter games through the channels of their choice. They can even safely leverage peer-to-peer networks with our technology." Privilege enables secure distribution without constraining license flexibility, which allows publishers to explore new license/marketing models such as "Try-Before-You-Buy," the company said.

Online Voting

Researchers at Johns Hopkins University and Rice University said they had uncovered bugs in a Diebold Inc. voting system that could allow voters and poll workers to cast multiple ballots, switch others' votes, or shut down an election early. "It's unfortunate to find flaws in a system as potentially important as this one," said Tadayoshi Kohno, a graduate student at the Johns Hopkins Information Security Institute. The researchers found the software on a Diebold Internet site in January and said they believe it was at the heart of an electronic touch-screen voting system used last year in Maryland, Georgia, Kansas and California.