[3415] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, December 10, 2012
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Dec 10 17:00:06 2012
From: Monique Yeaton <myeaton@mit.edu>
To: "ist-security-fyi@mit.edu" <ist-security-fyi@mit.edu>
Date: Mon, 10 Dec 2012 21:58:57 +0000
Message-ID: <3ACED3B2A8CEFB4598A845F07FD4A05F10DD0A0F@OC11EXPO24.exchange.mit.edu>
In this issue:
1. Microsoft Security Updates for December 2012
2. Passwords: Now Cracked Faster
------------------------------------------------------------------
1. Microsoft Security Updates for December 2012
------------------------------------------------------------------
This week, for Patch Tuesday, Microsoft is planning to release seven new security bulletins <http://technet.microsoft.com/en-us/security/bulletin/ms12-dec>. Five are critical, two are important. The fixes affect the following products:
* Microsoft Windows and Windows Server (all versions)
* Internet Explorer (IE6 through IE10)
* Microsoft Office (in particular Word)
* Microsoft Exchange Server
* Microsoft Office Web Apps
On Tuesday, the security updates will be available from the Windows Update tool, the Windows Server Update Services or the Download Center. MIT WAUS subscribers will receive the updates when they have been tested and released.
------------------------------------------------
2. Passwords: Now Cracked Faster
------------------------------------------------
At a conference in Oslo last week, a presentation described how a cluster of 25 AMD Radeon GPUs (read: very, very fast computers) using a combination of software (including a freely available password-cracking suite optimized for GPU computing) can make 348 billion guesses per second against NTLM hashed passwords (NTLM stands for NT LAN Manager, a suite of Microsoft security protocols that provides authentication, integrity and confidentiality to users). It makes 63 billion guesses against SHA-1 hashed passwords (SHA-1 is an algorithm used in cryptography).
In human speak: Passwords can now be cracked faster, giving password thieves even stronger tools to read your passwords.
The system described above operates against off-line password lists which are now available due to the large number of system breaches that led to password leaks.
What this means for users is that 8-character passwords are no longer sufficient and we should use longer passwords to help defeat brute force attacks and complex passwords to help defeat dictionary attacks. Of course, users should also not use the same password on multiple accounts. See these additional tips on passwords <http://ist.mit.edu/security/passwords>.
Read the story in the news <http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/>.
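An added worked example, not part of the original newsletter: how long the guess rates quoted above take to exhaust every password up to a given length, and the length a policy needs for brute force to take a century. It assumes the 95 printable ASCII characters, an exhaustive search, and that the SHA-1 figure is a per-second rate like the NTLM one; dictionary attacks on predictable passwords finish far sooner than these ceilings.

```python
# Added example: worst-case brute-force time at the guess rates quoted above.
# Assumptions (not from the newsletter): 95 printable ASCII characters, an
# exhaustive search of every password up to the given length, and the SHA-1
# figure being a per-second rate like the NTLM one.

RATES = {"NTLM": 348e9, "SHA-1": 63e9}   # guesses per second, from the text
PRINTABLE_ASCII = 95
YEAR = 365 * 86400                       # seconds


def keyspace(max_len, alphabet=PRINTABLE_ASCII):
    """Number of candidate passwords of length 1..max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def exhaust_seconds(max_len, rate, alphabet=PRINTABLE_ASCII):
    """Seconds to try every candidate up to max_len at `rate` guesses/s."""
    return keyspace(max_len, alphabet) / rate


def min_length(target_seconds, rate, alphabet=PRINTABLE_ASCII):
    """Shortest length whose full keyspace takes at least target_seconds."""
    length = 1
    while exhaust_seconds(length, rate, alphabet) < target_seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for algo, rate in RATES.items():
        for length in (8, 10, 12):
            took = human(exhaust_seconds(length, rate))
            print(f"{algo:5} length <= {length:2}: {took}")
        print(f"{algo:5} needs length {min_length(100 * YEAR, rate)} "
              "to hold out 100 years")
```

Each extra character multiplies the search time by 95, which is why moving from 8 to 11 or more characters changes the answer from hours to centuries at the same guess rate.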
===================================================================================
Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
===================================================================================
Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security