(The Hosting News)
On December 17th, Mozilla received an email from a third party notifying the company of a file that contained user records that was posted to a public web server. The information in this file listed users email, addressses, first and last names, and MD5 password hashes.
The Company relied through an email stating “We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the thrid party who reported the issue, the file has been downloaded only by Mozilla staff.”
Since the the company has removed the passwords from their site and are asking users to reset their passwords for all content used through Mozilla. “We have identidied the process which allowed this file to be posted publicly and have taken steps to prevent this in the future.
We are also evaluation pther processes to ensure your information is safe and secure” the email also declared.
Chris Lyon, directore of infrastructure security at Mozilla, said on Decemeber 27th through a blog post, that the file included 44,000 inactive accounts using older, MD5 pasword hashes. The company erased the MD5 passwords, leaving the accounts inactive. Lyon also stressed that current users employ a more secure SHA-512 password hash with per-user salts and therefore are “not at risk.”
Chester Wisniewski, senior security advisor at Sophos Canada, addresses the problems with MD5 passwprd hashes” “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permit securty experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.” Chester commened Mozilla’s response to the incident but questions how the company accidentall published this information to begin with and why MD5 password hashes were still in the system.
“If you are a web site administrator or developer, are you still storing passwords using methods like Gawkwer(DES) or Mozilla(MD5)? We know they are broken, and it is important to migrate away from these algorithms in case you have a database accidentally make its way outside of your orginization,” Wisniewski summarized.
Source: Share this storyDigg this storyAdd to del.icio.usAdd to RedditPosted Wednesday, December 29th, 2010. Filed under Industry News. Trackbacks/Pings Trackback URL
Related ArticlesFirefox Announces Major Security Flaw UpdateDedicated Server Firm, SoftLayer, Provides IPv6 SupportHostDime Receives RIPE and LACNIC IP AllocationsNetriplex Announces Year-End Colocation SpecialView News by CategoryFeaturesIndustry NewsWeb Hosting EventsWeb Hosting Talk Newsletter
View the Original article
1. Click Subscription of Mr.Chris Farrell Membership $4.95 7 day Trial For Newbies/Dummies - Not Criminal IM Coach/Mentor.
2. Click DirecTV For US Satellite TV Subscription. Also Dish Network Call Now Toll Free : 877-287-3983 for an Obligation Free Chat.
3. Click 100DayLoans.com for cash advance payday loan 100 days repayment,SUBJEST to your State Laws Also Credit Reports and Scores
4. CLICK Coupon Codes & My Web Hosting Reviews/Recommendation
__
__
__
__
__
2. Click DirecTV For US Satellite TV Subscription. Also Dish Network Call Now Toll Free : 877-287-3983 for an Obligation Free Chat.
3. Click 100DayLoans.com for cash advance payday loan 100 days repayment,SUBJEST to your State Laws Also Credit Reports and Scores
4. CLICK Coupon Codes & My Web Hosting Reviews/Recommendation
______
