The next day, the developer of MD5 declares: "Md5crypt Password scrambler is no longer considered safe". I laughed so hard.<br><br><a href="http://phk.freebsd.dk/sagas/md5crypt_eol.html?highlight=md5">phk.freebsd.dk/sagas/md5crypt_eol.html?highlight=md5</a><br>

<br><br><br><div class="gmail_quote">2012/6/7 Ivanildo Galvão <span dir="ltr"><<a href="mailto:ivanildo@itservices.com.br" target="_blank">ivanildo@itservices.com.br</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div link="blue" vlink="purple" lang="PT-BR"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It certainly lost points; this way the service ends up distrusted by all of its users.</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I have already changed my password and I am seriously thinking about going through and changing it on every social network and e-mail service.</span></p>


<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards,</span></p>


<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ivanildo Galvão</span></b></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Technology Consultant</span></b></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#c00000">MCP, MCT, MCSA, VSP, VTSP, ITIL V3</span></b></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US">Tel. (84) 3201 2146                 | Cel. (84) 9111 8873<u></u><u></u></span></p><p class="MsoNormal">

<span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="mailto:ivanildo@itservices.com.br" target="_blank"><span lang="EN-US">ivanildo@itservices.com.br</span></a></span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US">    | </span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://www.itservices.com.br/" target="_blank"><span lang="EN-US">www.itservices.com.br</span></a></span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> <span lang="EN-US"><u></u><u></u></span></span></p>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US">Twitter</span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#984806" lang="EN-US">:</span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US"> @ivanildogalvao <u></u><u></u></span></p>


<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#002060" lang="EN-US">APC, IBM, DELL, Fortinet, Citrix, Kerio, Microsoft</span></b><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US"><u></u><u></u></span></b></p>


<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:owasp-natal-bounces@lists.owasp.org" target="_blank">owasp-natal-bounces@lists.owasp.org</a> [mailto:<a href="mailto:owasp-natal-bounces@lists.owasp.org" target="_blank">owasp-natal-bounces@lists.owasp.org</a>] <b>On behalf of </b>Eduardo Coelho<br>

<b>Sent:</b> Wednesday, June 6, 2012 22:23<br><b>To:</b> Noilson Caio<br><b>Cc:</b> <a href="mailto:owasp-natal@lists.owasp.org" target="_blank">owasp-natal@lists.owasp.org</a><br><b>Subject:</b> Re: [Owasp-natal] LinkedIn hack confirmed</span></p>

<div><div class="h5"><p class="MsoNormal">It's serious.</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">It deserves a warning, especially for those who use the same password across several different services.</p>

<div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">LinkedIn lost a few points. Using a hash without a salt, dude? Seriously? =/</p></div><div><p class="MsoNormal"> </p></div><div>

<p class="MsoNormal"> </p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br clear="all">Sincerely,</p><div><p class="MsoNormal">Eduardo Coelho Lima</p></div><div>

<p class="MsoNormal">>> <a href="mailto:eduardocoelholima@gmail.com" target="_blank">eduardocoelholima@gmail.com</a><u></u><u></u></p></div><div><p class="MsoNormal"><a href="http://coelho.ithub.com.br" target="_blank">http://coelho.ithub.com.br</a><u></u><u></u></p>

</div><p class="MsoNormal" style="margin-bottom:12.0pt"><br><br><u></u><u></u></p><div><p class="MsoNormal">2012/6/6 Noilson Caio <<a href="mailto:caiogore@gmail.com" target="_blank">caiogore@gmail.com</a>><u></u><u></u></p>

<p class="MsoNormal" style="margin-bottom:12.0pt">that's right.<br><br><br></p><p>LinkedIn has <a href="http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/" title="An Update on LinkedIn Member Passwords Compromised" target="_blank">confirmed</a> that some of the password hashes that were <a href="http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/" target="_blank">posted online</a> do match users of its service. They have also stated that passwords that are reset will now be stored in salted hashed format. </p>

<p>What is a salt? It is a string that is added to your password before it is cryptographically hashed. What does this accomplish? It means that password lists cannot be pre-computed based on dictionary attacks or similar techniques.<u></u><u></u></p>

<p><img src="http://sophosnews.files.wordpress.com/2012/06/passwordsalts466.png?w=466&h=204" alt="Password hash with salt example" border="0" height="204" hspace="10" vspace="10" width="466"></p><p>This is an important factor in slowing down people trying to brute force passwords. It buys time, and unfortunately the hashes published from LinkedIn did not contain a salt.</p>

<p><img src="http://sophosnews.files.wordpress.com/2012/06/linkedin60pc1.png?w=250&h=250" alt="60% of LinkedIn passwords cracked" height="250" hspace="10" vspace="10" width="250" align="right">After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute forced. That means over 60% of the stolen hashes are now publicly known.</p>

<p>We also did some additional testing of commonly used passwords that should never be used. We started with the list of <a href="http://nakedsecurity.sophos.com/2009/01/16/passwords-conficker-worm/" title="Passwords used by the Conficker worm" target="_blank">passwords that the Conficker worm used</a> to spread through Windows networks.<u></u><u></u></p>

<p>All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren't found were 'mypc123' and 'ihavenopass'.<u></u><u></u></p><p>Other passwords that we found in the dump include 'linkedin', 'linkedinpassword', 'p455w0rd' and 'redsox'. We even found passwords that suggest people should know better like 'sophos', 'mcafee', 'symantec', 'kaspersky', 'microsoft' and 'f-secure'.<u></u><u></u></p>

<p>We will continue to keep Naked Security readers up to date with what is known as we learn more. </p><p>It is critical that LinkedIn investigate this to determine if email addresses and other information were also taken by the thieves, which could put the victims at additional risk from this attack.</p>

<p><i>Special thanks to Beth Jones and Richard Wang from SophosLabs for their hard work and assistance with this post.</i><u></u><u></u></p><p class="MsoNormal"><span style="color:#888888"><br><br><br><br><br><br clear="all">

<br><span>-- <u></u><u></u></span></span></p><div style="margin-left:30.0pt"><p class="MsoNormal"><span style="color:#888888">Noilson Caio Teixeira de Araújo<br>Linux Professional Institute Certification  2 - LPI000182893<br>

Novell Certified Linux Administrator (CLA) - 10111916<br>Novell Data Center Technical Specialist<br><br><a href="http://ncaio.ithub.com.br" target="_blank">http://ncaio.ithub.com.br</a><br><a href="http://br.linkedin.com/in/ncaio" target="_blank">http://br.linkedin.com/in/ncaio</a><br>

<a href="http://www.commandlinefu.com/commands/by/ncaio" target="_blank">http://www.commandlinefu.com/commands/by/ncaio</a><br><a href="http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php" target="_blank">http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php</a></span><u></u><u></u></p>

</div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:#888888"><br></span><br>_______________________________________________<br>Owasp-natal mailing list<br><a href="mailto:Owasp-natal@lists.owasp.org" target="_blank">Owasp-natal@lists.owasp.org</a><br>

<a href="https://lists.owasp.org/mailman/listinfo/owasp-natal" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-natal</a><u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div>

</div></div><br>
<br></blockquote></div><br>
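<p>An added example, not code from the Sophos post, from LinkedIn, or from any of the list participants, showing in Python what the quoted post means by "password lists cannot be pre-computed" once a salt is in use. The wordlist and the "leaked" hashes are constructed here for the example; SHA-1 is used as the unsalted scheme because that is what the LinkedIn dump contained (the quoted post only says "no salt"), and PBKDF2-HMAC-SHA256 with a per-user random salt is an assumed choice for the salted scheme, since the post says only "salted hashed format". With unsalted hashes the attacker hashes the wordlist once and reuses the table against every dump; with per-user salts the attacker must re-run the whole wordlist for each record, and two users with the same password no longer share a hash.</p>

```python
"""Added example: precomputed lookup against unsalted hashes vs. per-user salted hashes."""
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a cracking dictionary (the post mentions the
# Conficker list); it is not data from the LinkedIn dump.
WORDLIST = ["linkedin", "p455w0rd", "redsox", "sophos", "mypc123", "ihavenopass"]

# Iteration count chosen for the example (assumption, not a LinkedIn parameter).
PBKDF2_ITERATIONS = 50_000


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the same password always yields the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once.  The table is reusable against every
    unsalted dump ever leaked, which is exactly what a salt is meant to prevent."""
    return {unsalted_sha1(pw): pw for pw in wordlist}


def crack_unsalted(leaked_hashes, table):
    """Dictionary lookup: no hashing at crack time at all, just a dict hit per hash."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).  The salt defeats precomputation;
    the iteration count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """What a server should store per user: a fresh random salt plus the salted hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], salted_hash(candidate, record["salt"]))


def crack_salted(records: dict, wordlist):
    """Attacker's only option against per-user salts: re-run the wordlist for every
    record.  Returns (cracked, number_of_hash_computations) so the cost is visible."""
    cracked, work = {}, 0
    for user, rec in records.items():
        for pw in wordlist:
            work += 1
            if verify(rec, pw):
                cracked[user] = pw
                break
    return cracked, work


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)            # hashed once, reusable forever
    leaked = [unsalted_sha1("redsox"), unsalted_sha1("sophos")]   # constructed "dump"
    print("unsalted:", crack_unsalted(leaked, table))
    records = {"alice": make_record("redsox"), "bob": make_record("sophos")}
    print("salted:", crack_salted(records, WORDLIST))
```

<p>The salted scheme does not stop a determined attacker from guessing weak passwords such as 'redsox'; it removes the shared table and forces the full wordlist, times the iteration count, per account. Passwords that appear on wordlists still fall, which is why the post's advice about password reuse stands regardless of how the site stores them.</p>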