News coverage in Britain has been dominated by “hackgate” for several weeks now, the interest only subsiding as the horrific nature of what happened in Norway on Friday became clear.
In the middle of all this the website of News International's leading daily, the Sun, was taken over by the “LulzSec” crackers – who spent several hours boasting over Twitter about how they were battling the Sun’s admins.
Human security is the weakest form of security – we have all worked in places where management expect you to share passwords, after all. But it seems that one of the issues here was technical, according to the latest issue of New Scientist.
Various passwords at NI were hashed with the MD5 algorithm, which is thoroughly broken: something which is pretty worrying when a locate md5 command throws up 2928 references.
What makes it worse is that the breakage has apparently been known since 1996. (From what I can gather the issue is that the hashed code can have duplicates, i.e. two different inputs can give the same output – meaning it is possible to create an MD5 hash that matches the expected code but which does not indicate that the supplier of the MD5 hash is genuine.)
Update: (And with thanks to John Rentoul for spotting the spelling mistake). It has been said to me that “this explanation makes no sense whatsoever”. Well, I am merely commenting on what others have reported – click on some of the links below – to make the point that a clearly very broken hash algorithm is in very widespread use. But there are many ways to pick up a password file that admins may have exposed and not worried about because they think it’s encrypted and so unbreakable. Perhaps that happened here? Back in the ‘olden days’ before the web crushed all internet competitors, FTP sites were very common and littered with password files. Perhaps the Sun has an FTP site (this venerable protocol still has some uses after all)?
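As an added illustration (my own code, not from the original post or any of the reports it links to) of why unsalted MD5 is a poor choice for stored passwords: MD5 is fast, and used without a salt it gives every user who picked the same password the same digest, so a leaked file can be matched against precomputed tables in bulk; a salted, iterated KDF such as PBKDF2 removes both properties while still letting the site verify logins. The user names and passwords below are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample: two users who happened to choose the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}

def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the post says was in use. Note: the 1996/2004
    collision results are a separate weakness; for stored passwords the practical
    problem is that MD5 is fast and, unsalted, identical passwords look identical."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password: str, salt: bytes | None = None, rounds: int = 200_000) -> str:
    """Salted, iterated hash stored as 'pbkdf2$rounds$salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def duplicate_digests(records: dict[str, str]) -> dict[str, list[str]]:
    """Group users whose stored value is identical. With unsalted hashes this
    shows which accounts share a password; with salted records it is empty."""
    by_value: dict[str, list[str]] = {}
    for user, rec in records.items():
        by_value.setdefault(rec, []).append(user)
    return {v: users for v, users in by_value.items() if len(users) > 1}

def build_tables() -> tuple[dict[str, str], dict[str, str]]:
    """Store the same users both ways so the two schemes can be compared."""
    md5_table = {u: md5_hash(p) for u, p in USERS.items()}
    kdf_table = {u: pbkdf2_record(p) for u, p in USERS.items()}
    return md5_table, kdf_table

if __name__ == "__main__":
    md5_table, kdf_table = build_tables()
    print("users sharing an MD5 digest:", duplicate_digests(md5_table))
    print("users sharing a PBKDF2 record:", duplicate_digests(kdf_table))
    print("bob's login verifies:", pbkdf2_verify("letmein", kdf_table["bob"]))
```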
- LulzSec claims to have News International emails (guardian.co.uk)
- Murdoch’s Sun newspaper is hacked by LulzSec, which at first redirected folks to fake article saying he killed himself, then to LulzSec Twitter page (guardian.co.uk)
- Choosing a bad password, the Rebekah Wade way. (jgc.org)
- Lax security makes it easy to hack News International (newscientist.com)
- LulzSec vs Murdoch: the lessons, and what’s next? (stilgherrian.com)