Entries For: November 2007
November 26, 2007
Oracle Employees Really Do Read This Blog
From the Integrigy servers statistics, I have known that we get hundreds of visits a day from the Oracle proxy and cache servers. Many days collectively the Oracle domains (.com, .uk, etc.) are number one. The vast majority of the hits are on blog, RSS feeds, and our whitepapers. But I have not known how Oracle actually uses this information internally. Well, now I know someone is at least reading our comments and recommendations.
Last month, I posted about an issue we encountered during a number of recent Oracle Applications 11.5.10.2 assessments regarding the system profile option SIGNON_PASSWORD_HARD_TO_GUESS being incorrectly set. This issue turned out to be related to the 11.5.10.2 maintenance pack instructions (Metalink Note ID 316365.1). My comment was "Unfortunately, there is no step in Section 3 to make sure you set the profile option back to Yes." Well, two weeks later Oracle has updated the instructions in Section 3 Step 2 to remind customers to reset the profile option.
November 01, 2007
Connect It and The Hackers Will Come
When clients deploy an unpublished supplier or customer application to the Internet for the first time, they are always amazed at the sheer number of random attacks. Granted, many of these are looking for PHP pages or some other long-ago patched vulnerability. The question that always arises is "How did they find the server so quickly?" Well, the hackers are simply scanning blocks of addresses on a continual basis.
The IPv4 address space is over 4 billion addresses (255*255*255*255), but in reality only a small portion of it is actually meaningful. A very nice graphic representation is here and the original comic version is available here.
Hashing Credit Card Numbers: Revisited
This past March, I published a white paper looking at how some applications hash credit card numbers and how vulnerable these hashes are to brute forcing. I developed a proof of concept to roughly estimate the timings (about 2 million hashes per second). Looking ahead, I estimated with additional optimization, multi-threading, and faster processors probably 50 million hashes per second is achievable.
Well, I was probably off by a factor of at least 5 on my future estimate. Elcomsoft announced this week that it has filed a patent for a technique to use the "massively parallel processing" capabilities of the GPU on a video card to brute force passwords. Others have also been doing research in this area.
A better estimate is at least 200 million hashes per second for a single pass of SHA-1 or MD5, and I wouldn't be surprised if someone could achieve 500 million hashes per second in the near future. This would allow someone to brute force all possible unsalted SHA-1 hashes in just 10 days rather than 3 years. Adding intelligence with regard to brands and common issuing bank prefixes, most of the brute force times are reduced to minutes or seconds. Storing plain-text digits (prefix and/or last 4) makes brute forcing a trivial exercise.
When hashing credit card numbers, the hashing must be carefully designed to protect against brute forcing by using strong cryptographic hash functions, large salt values, and multiple iterations.
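To make the cost model above concrete, here is an added example (my own code, not from the white paper or the proof of concept it describes) that puts the unsalted single-pass SHA-1 scheme next to a salted, iterated PBKDF2-HMAC-SHA256 token, and adds a small calculator for how many Luhn-valid card numbers remain to be tried once some digits are stored in the clear. The sample card number is the well-known test PAN 4111111111111111, not a real account; the hash rate and iteration count are constructed inputs, not measurements.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a standard test PAN, not a real account number.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def weak_hash(pan: str) -> str:
    """Unsalted, single-pass SHA-1 of the PAN: the scheme the post shows
    can be brute forced because identical PANs give identical hashes and
    every hash falls to one precomputed search of the keyspace."""
    return hashlib.sha1(pan.encode()).hexdigest()


def strong_hash(pan: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, iterated token (PBKDF2-HMAC-SHA256). A fresh 16-byte random
    salt per record defeats precomputation and forces one search per
    record; the iteration count multiplies the attacker's per-guess cost.
    Returns (salt, digest); both must be stored to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, iterations)
    return salt, digest


def verify(pan: str, salt: bytes, digest: bytes,
           iterations: int = 200_000) -> bool:
    """Recompute the token and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def candidate_space(pan_length: int = 16, known_prefix_digits: int = 0,
                    known_suffix_digits: int = 0) -> int:
    """Number of Luhn-valid PANs left to try when prefix and/or last digits
    are stored in clear text. One of the free digits is fixed by the Luhn
    check digit, so the space is 10 ** (free_digits - 1)."""
    free = pan_length - known_prefix_digits - known_suffix_digits
    if free <= 0:
        return 1
    return 10 ** (free - 1)


def brute_force_seconds(space: int, hashes_per_second: float,
                        iterations: int = 1) -> float:
    """Worst-case time to exhaust a keyspace at a given single-hash rate;
    an iterated scheme costs `iterations` hashes per guess."""
    return space * iterations / hashes_per_second


if __name__ == "__main__":
    # Assumed attacker rate: the 200 million single hashes/second from the post.
    rate = 200e6
    print("weak  :", weak_hash(SAMPLE_PAN))
    salt, tok = strong_hash(SAMPLE_PAN)
    print("strong:", salt.hex(), tok.hex(), verify(SAMPLE_PAN, salt, tok))
    for prefix, suffix in ((0, 0), (1, 0), (6, 0), (6, 4)):
        space = candidate_space(16, prefix, suffix)
        print(f"prefix={prefix} suffix={suffix} space=10^{len(str(space)) - 1}"
              f" single-pass={brute_force_seconds(space, rate):.1f}s"
              f" iterated={brute_force_seconds(space, rate, 200_000):.1f}s")
```

The calculator makes the post's last point visible: with a 6-digit issuer prefix and the last 4 digits stored in the clear, only 10^5 Luhn-valid candidates remain, and even 200,000 iterations only stretch that search from well under a second to a couple of minutes per record. Salt and iterations raise the attacker's cost; they do not repair a keyspace that was shrunk by storing clear-text digits beside the hash.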