Recently, a number of students have received strange e-mails coming from the unca.edu domain. You might have been notified that your e-mail account was hijacked, or maybe you’re having trouble logging in this week (like I am). OnePort is down for everyone, so it’s not just you. However, I thought this would be a perfect time to make everyone aware of the following…

As of this January, MD5, the most popular form of web security, has been cracked. What does this mean for you? Well, some sites, like paypal.com for example, show some sort of verification of proper security in the address bar. The certificate verified that the website you were at was actually what it said it was. This is pertinent if you are taken to a seemingly scammy webpage that asks you to update your information (called phishing). Usually you could look at the little padlock icon, green highlight, or whatever, click it, and see that you were in fact on a web page owned by PayPal (for example). With MD5 cracked, any savvy malicious jerk could (in theory) decrypt PayPal’s certificate and put it on their own webpage so that even the most secure of web browsers and operating systems will trust that thief.

The above scenario is unlikely, as PayPal’s administrator’s password is likely very complicated and impossible for a password guesser to guess. However, your own personal passwords are likely made to be more memorable, and therefore are more predictable. MD5 cracking has unfortunately come to the public forefront. The bottom line is simple: update your password to use uppercase, lowercase, numbers, symbols, non-dictionary words, and outright gibberish. If not for your UNCA e-mail account, at least for your more important accounts. Hopefully, OnePort’s downtime has nothing to do with all this mess.
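
The password advice above, as an added example (not from the original post): a Python self-audit that checks a candidate password for the four character classes and, simulating a site that stores only an unsalted MD5 digest, tests whether a dictionary guesser would land on it. The wordlist, the decorations in `variants` and the sample passwords are constructed for illustration.

```python
import hashlib
import string

# Constructed sample wordlist; a real audit would use a much larger one.
WORDLIST = ["password", "bulldog", "asheville", "letmein", "dragon"]

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def variants(word):
    """Yield the predictable decorations people add to a memorable word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "1!"):
            yield base + suffix

def guess_from_md5(digest, wordlist=WORDLIST):
    """Return the password if a wordlist guess hashes to digest, else None."""
    for word in wordlist:
        for candidate in variants(word):
            if md5_hex(candidate) == digest:
                return candidate
    return None

def audit(password, wordlist=WORDLIST):
    """List the ways a password falls short of the advice above."""
    problems = []
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "number": string.digits,
        "symbol": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append("no " + name)
    # Simulate a site that stores only the unsalted MD5 of the password.
    if guess_from_md5(md5_hex(password), wordlist) is not None:
        problems.append("MD5 digest matches a wordlist guess")
    return problems

if __name__ == "__main__":
    for pw in ("Bulldog123", "Asheville1!", "q7#Vz!pT4w&Lx"):
        print(pw, "->", audit(pw) or "no problems found")
```

The second sample contains all four character classes and is still matched, which is why the advice includes non-dictionary words and not only mixed characters.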
