Update
A compilation of the latest information about viruses and worms, security issues and patches to rectify the same
Encrypting Passwords
When it comes to choosing a password, you want one that is easy to remember
and yet difficult to crack. There is a way to create a complex password that
remains easy to remember: such passwords can be created using ciphering
techniques based on various algorithms. This task sounds difficult, and the
average computer user might be baffled by such terms. A simple way of achieving
it is to automate it, so that anybody can create a robust password.
There are some Web sites that do this job of encrypting a simple password and
making it difficult to crack. One particular site, www.passwordchart.com, makes
use of encryption technology: it takes a phrase that you key in and uses it to
generate a table, which in turn is used to convert a simple, easily remembered
text into a password. The resulting password is an alphanumeric string of
characters.
This sort of ciphering is basically a simple substitution cipher built on an
MD5 hash. First, an MD5 hash of the chart selection phrase is computed, and the
first four bytes of the hash are used as the seed for a Mersenne Twister
pseudo-random number generator. Next, the password chart is filled with
sequences of one to three random upper- and lower-case letters, and optionally
numbers and punctuation, by taking successive numbers generated by the Twister.
The sequence length is randomised to make reversing the substitution cipher
that much harder. Finally, the alphanumeric characters in the password are
converted using the chart. The result is a simple substitution cipher that can
help people maintain relatively secure passwords. The process can be worked out
on any computer, and it also works offline if the generated chart is printed
and preserved.
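The chart construction described above, as an added reconstruction in Python (not the site's own code): it assumes the seed is read big-endian from the first four MD5 bytes, that the chart is keyed on lowercase letters and digits, and that Python's random module stands in for the Mersenne Twister.

```python
import hashlib
import random
import string


def build_chart(phrase, use_digits=True, use_punct=False):
    """Derive a substitution chart from a phrase as the article describes.

    Assumed reconstruction, not passwordchart.com's code: the seed is the
    first four bytes of MD5(phrase) read big-endian; the PRNG is Python's
    Mersenne Twister; each of the 36 chart symbols (a-z, 0-9) maps to a run
    of one to three random characters drawn from the chosen alphabet.
    """
    seed = int.from_bytes(hashlib.md5(phrase.encode()).digest()[:4], "big")
    rng = random.Random(seed)  # Mersenne Twister, seeded deterministically

    alphabet = string.ascii_letters
    if use_digits:
        alphabet += string.digits
    if use_punct:
        alphabet += "!@#$%^&*"  # constructed punctuation set, an assumption

    chart = {}
    for symbol in string.ascii_lowercase + string.digits:
        run_length = rng.randint(1, 3)  # variable length hinders reversal
        chart[symbol] = "".join(rng.choice(alphabet) for _ in range(run_length))
    # Note for defenders: the chart is a pure function of the phrase, so the
    # phrase is the real secret; anyone holding it regenerates the chart.
    return chart


def encode_password(chart, simple_password):
    """Substitute each alphanumeric character of the memorable text.

    Input is lower-cased to match the chart keys (an assumption); characters
    outside the chart, such as punctuation, pass through unchanged.
    """
    return "".join(chart.get(ch, ch) for ch in simple_password.lower())


if __name__ == "__main__":
    chart = build_chart("my chart phrase")  # constructed sample phrase
    print(encode_password(chart, "cat9"))
```

Because the chart is deterministic, printing it once and using it offline reproduces exactly what the site would produce under these assumptions.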
Google Lemon
Google appears to be quite serious about security. Cross-site scripting (XSS)
and other sorts of injection attacks pose a threat to Google. In order to deal
with them, Google's security team is developing a black-box fuzzing tool
called Lemon to automatically find XSS problems in applications. Do not expect
to use this in-house security tool in the near future, as Google plans to keep
a tight lid on the effort.
Fuzzing, also known as fault injection testing, is a widely used technique in
security circles for trying to break applications and expose flaws.
According to the blog of a Google developer, the vulnerability testing tool
enumerates a Web application's URLs and their corresponding input parameters.
It then iteratively supplies each input with fault strings designed to expose
XSS and other vulnerabilities, and analyses the resulting responses for
evidence of such vulnerabilities.
Google Lemon can also detect other types of security issue, such as cookie
poisoning and response splitting attacks. Lemon is home-grown and is being
actively developed by Google to spot new attack vectors.
Google initially looked at commercially available fuzzers in the market but
later realised that its needs would be best served by developing its own
product. Lemon is highly customised for Google apps, and the company has no
plans to market it externally.
In the recent past, Google has seen a number of serious XSS flaws, including an
AdWords flaw in December and a Google Desktop flaw in February, both of which
were originally discovered by third parties and publicly disclosed.