[IS&T Security-FYI] SFYI Newsletter, December 10, 2012

Monique Yeaton myeaton at MIT.EDU
Mon Dec 10 16:58:57 EST 2012


In this issue:


1. Microsoft Security Updates for December 2012

2. Passwords: Now Cracked Faster



------------------------------------------------------------------

1. Microsoft Security Updates for December 2012

------------------------------------------------------------------


This week, for Patch Tuesday, Microsoft is planning to release seven new security bulletins<http://technet.microsoft.com/en-us/security/bulletin/ms12-dec>. Five are critical and two are important. The fixes affect the following products:


  *   Microsoft Windows and Windows Server (all versions)
  *   Internet Explorer (IE6 through IE10)
  *   Microsoft Office (in particular Word)
  *   Microsoft Exchange Server
  *   Microsoft Office Web Apps


On Tuesday, the security updates will be available from the Windows Update tool, the Windows Server Update Services or the Download Center. MIT WAUS subscribers will receive the updates when they have been tested and released.



------------------------------------------------

2. Passwords: Now Cracked Faster

------------------------------------------------


At a conference in Oslo last week, a presentation described how a cluster of 25 AMD Radeon GPUs (read: very, very fast computers), running a combination of software that includes a freely available password-cracking suite optimized for GPU computing, can make 348 billion guesses per second against NTLM hashed passwords. (NTLM stands for NT LAN Manager, a suite of Microsoft security protocols that provides authentication, integrity and confidentiality to users.) It makes 63 billion guesses against SHA-1 hashed passwords. (SHA-1 is an algorithm used in cryptography.)


In human speak: Passwords can now be cracked faster, giving password thieves even stronger tools to read your passwords.


The system described above operates against offline password lists, which are now available because of the large number of system breaches that led to password leaks.


What this means for users is that 8-character passwords are no longer sufficient. We should use longer passwords to help defeat brute-force attacks and complex passwords to help defeat dictionary attacks. Of course, users should also not use the same password on multiple accounts. See these additional tips on passwords<http://ist.mit.edu/security/passwords>.


Read the story in the news<http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/>.
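
Added example, not part of the original newsletter: a short calculation of how long the cluster described above would need to try every possible password, which shows why 8 characters fall within hours and how much each extra character buys. It assumes the 63 billion SHA-1 figure is also a per-second rate; the alphabet sizes and the 100-year target are constructed for illustration.

```python
# Worst-case brute-force time at the guess rates quoted in the newsletter.
# Real passwords usually fall sooner to dictionary attacks; this is the upper bound.
RATES = {"NTLM": 348e9, "SHA-1": 63e9}  # guesses/second (SHA-1 per-second is an assumption)
ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}  # constructed
YEAR = 365.25 * 24 * 3600


def exhaust_seconds(length, alphabet_size, rate):
    """Seconds to try every password of 1..length characters."""
    keyspace = sum(alphabet_size ** n for n in range(1, length + 1))
    return keyspace / rate


def min_length(alphabet_size, rate, target_seconds):
    """Shortest maximum length whose full keyspace outlasts target_seconds."""
    length = 1
    while exhaust_seconds(length, alphabet_size, rate) < target_seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report():
    """One line per hash, alphabet and length, plus the length needed for 100 years."""
    lines = []
    for algo, rate in RATES.items():
        for name, size in ALPHABETS.items():
            for length in (8, 10, 12):
                took = human(exhaust_seconds(length, size, rate))
                lines.append(f"{algo:5} {name:15} up to {length:2} chars: {took}")
            need = min_length(size, rate, 100 * YEAR)
            lines.append(f"{algo:5} {name:15} length to outlast 100 years: {need}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The result for 8 printable characters against NTLM is consistent with the "6 hours" in the linked story's URL; the figures say nothing about passwords found in leaked lists or dictionaries, which no length calculation protects.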



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================



Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

