A pair of researchers at Crowe Horwath will demonstrate Cracklord, a platform for distributing password cracking workload over CPUs and GPUs on multiple devices in order to efficiently break hashed passwords. It can undo hashed passwords faster than an individual machine could.
The platform has two parts, Resources, which gains access to the hardware, and Queue, which is an interface for submitting cracking jobs to Cracklord. Resources uses a range of common hash-cracking tools including Hashcat, John the Ripper and rcrack. "CrackLord is a way to load balance the resources, such as GPUs and CPUs, from multiple hardware systems into a single queuing service," say the researchers, Lucas Morris and Michael McAtee.
Fernando Arnaboldi, a senior security researcher and consultant at IOActive, says he's found a flaw in XSLT v.1 that allows seeing part of text documents something XSLT v. 1 is not supposed to show before it displays an error. That partial document could reveal valuable information such as passwords, he says.
XSLT is not very good at keeping track of very large or very small numbers, he says, so small amounts of, say, Bitcoins could be removed unnoticed from an account and moved to another.
He will also show how he exploits a major Web browser to open certain files when read from any Web server a user has logged into. The problem stems from the implementation of same-origin policies that lets scripts from one Web page to access data in another if both pages have the same origin. He has told the browser manufacturer under responsible disclosure to give it the chance to fix the problem.
He says he will release a paper including code to repeat all the attacks he outlines so others can check whether their implementations are vulnerable and take steps to secure them.
Sign up for Computerworld eNewsletters.