Archive | 2013

Researchers Crack 4096-bit RSA Encryption With a Microphone

Your website & network are Hackable


So this is a pretty interesting acoustic based cryptanalysis side-channel attack which can crack 4096-bit RSA encryption. It’s been a while since we’ve seen anything hardware based, and RSA 4096 is pretty strong encryption, I wonder how they figured this one out.

Acoustic Cryptanalysis

It makes sense though when you think about it, although I wouldn’t have thought about it – I wasn’t even aware that processors made any audible noise when processing (even if the noise can only be picked up by a fairly high quality mic).

Security researchers have successfully broken one of the most secure encryption algorithms, 4096-bit RSA, by listening – yes, with a microphone — to a computer as it decrypts some encrypted data. The attack is fairly simple and can be carried out with rudimentary hardware. The repercussions for the average computer user are minimal, but if you’re a secret agent, power user, or some other kind of encryption-using miscreant, you may want to reach for the Rammstein when decrypting your data.

This acoustic cryptanalysis, carried out by Daniel Genkin, Adi Shamir (who co-invented RSA), and Eran Tromer, uses what’s known as a side channel attack. A side channel is an attack vector that is non-direct and unconventional, and thus hasn’t been properly secured. For example, your pass code prevents me from directly attacking your phone — but if I could work out your pass code by looking at the greasy smudges on your screen, that would be a side channel attack. In this case, the security researchers listen to the high-pitched (10 to 150 KHz) sounds produced by your computer as it decrypts data.

Interesting that one of the researchers involved in this is also a co-inventor of RSA, but that’s also a good thing – showing they are constantly trying to find ways to improve it, break it etc.

Perhaps all new encryption software will come with a feature to play some kind of white noise/music to disrupt any snooping of the high frequency CPU sounds.


Without going into too much detail, the researchers focused on a very specific encryption implementation: The GnuPG (an open/free version of PGP) 1.x implementation of the RSA cryptosystem. With some very clever cryptanalysis, the researchers were able to listen for telltale signs that the CPU was decrypting some data, and then listening to the following stream of sounds to divine the decryption key. The same attack would not work on different cryptosystems or different encryption software — they’d have to start back at the beginning and work out all of the tell-tale sounds from scratch.

The researchers successfully extracted decryption keys over a distance of four meters (13 feet) with a high-quality parabolic microphone. Perhaps more intriguingly, though, they also managed to pull of this attack with a smartphone placed 30 centimeters (12 inches) away from the target laptop. The researchers performed the attack on different laptops and desktops, with varying levels of success. For what it’s worth, the same kind of electrical data can also be divined from many other sources — the power socket on the wall, the remote end of an Ethernet cable, or merely by touching the computer (while measuring your body’s potential relative to the room’s ground potential).

Thankfully it’s a very academic type of attack and doesn’t have much of a real world implication on the majority of folks, the method could be constructed for other algorithms I assume – using the same technique.

But really, how many people sit around in public places decrypting sensitive documents? I don’t think there’s many.

Source: ExtremeTech


Posted in: Cryptography, Exploits/Vulnerabilities, Hardware Hacking

Tags: , , , , , , , , ,

Posted in: Cryptography, Exploits/Vulnerabilities, Hardware Hacking | Add a Comment
Recent in Cryptography:
- PEiD – Detect PE Packers, Cryptors & Compilers
- DROWN Attack on TLS – Everything You Need To Know
- Dell Backdoor Root Cert – What You Need To Know

Related Posts:

Most Read in Cryptography:
- The World’s Fastest MD5 Cracker – BarsWF - 47,736 views
- Hackers Crack London Tube Oyster Card - 44,949 views
- WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key) - 33,086 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


THC-Hydra 7.5 Released – Fast Parallel Network Logon Cracker

Find your website's Achilles' Heel


Hydra is a parallelized network logon cracker which supports numerous protocols to attack, new modules are easy to add, beside that, it is flexible and very fast.

THC-Hydra

Features

  • IPv6 Support
  • Graphic User Interface
  • Internationalized support (RFC 4013)
  • HTTP proxy support
  • SOCKS proxy support

The tool supports the following protocols –

And is faster in most tests than ncrack or medusa.

Changelog for 7.5

  • Added module for Asterisk Call Manager
  • Added support for Android where some functions are not available
  • hydra main:
    • – reduced the screen output if run without -h, full screen with -h
    • – fix for ipv6 and port parsing with service://[ipv6address]:port/OPTIONS
    • – fixed -o output (thanks to www417)
    • – warning if HYDRA_PROXY is defined but the module does not use it
    • – fixed an issue with large input files and long entries
  • hydra library:
    • – SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems
    • – removed support for old OPENSSL libraries
  • HTTP Form module:
    • – login and password values are now encoded if special characters are present
    • – ^USER^ and ^PASS^ are now also supported in H= header values
    • – if you the colon as a value in your option string, you can now escape it with \: – but do not encode a \ with \\
  • Mysql module: protocol 10 is now supported
  • SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be defined as an option “TLS” if required. This increases performance.
  • Cisco module: fixed a small bug (thanks to Vitaly McLain)
  • Postgres module: libraries on Cygwin are buggy at the moment, module is therefore disabled on Cygwin

You can download THC-Hydra 7.5 here:

hydra-7.5.tar.gz

Or read more here.


Posted in: Network Hacking, Password Cracking

Tags: , , , , , , ,

Posted in: Network Hacking, Password Cracking | Add a Comment
Recent in Network Hacking:
- DMitry – Deepmagic Information Gathering Tool
- Automater – IP & URL OSINT Tool For Analysis
- Criminal Rings Hijacking Unused IPv4 Address Spaces

Related Posts:

Most Read in Network Hacking:
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,435,226 views
- Wep0ff – Wireless WEP Key Cracker Tool - 514,400 views
- THC-Hydra – The Fast and Flexible Network Login Hacking Tool - 327,678 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Linux.Darlloz Worm Targets x86 Linux PCs & Embedded Devices

Your website & network are Hackable


So this is not a particularly technical source article, but it looks fairly interesting and I haven’t heard of this Linux.Darlloz worm before, so it might be new to some of you too.

Seems like it’s going after old php-cgi installs, which are very common on embedded systems (routers/pos systems/stbs etc). The vulnerability being used is actually pretty old and was patched back in May 2012.

It’s not really likely to cause a serious risk to servers, which tend not to run php-cgi any more – and it would be more common for them to be updated.

A new worm is targeting x86 computers running Linux and PHP, and variants may also pose a threat to devices such as home routers and set-top boxes based on other chip architectures.

According to security researchers from Symantec, the malware spreads by exploiting a vulnerability in php-cgi, a component that allows PHP to run in the Common Gateway Interface (CGI) configuration. The vulnerability is tracked as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012.

The new worm, which was named Linux.Darlloz, is based on proof-of-concept code released in late October, the Symantec researchers said Wednesday in a blog post.

“Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability,” the Symantec researchers explained. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.

The only variant seen to be spreading so far targets x86 systems, because the malicious binary downloaded from the attacker’s server is in ELF (Executable and Linkable Format) format for Intel architectures.

I’m not exactly sure what the end game for this worm is, perhaps it’s just into spreading and doesn’t do anything particularly malicious. But in this day and age, that seems pretty unlikely. Infected hosts are more likely to be turned into botnet zombies for a DDoS network.

It seems like it has infection vectors for non x86 architectures, but no actual infections on non PC devices have been confirmed – so the code might not even work properly.


However, the Symantec researchers claim the attacker also hosts variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL.

These architectures are used in embedded devices like home routers, IP cameras, set-top boxes, and many others.

“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux,” the Symantec researchers said. “However, we have not confirmed attacks against non-PC devices yet.”

The firmware of many embedded devices is based on some type of Linux and includes a web server with PHP for the web-based administration interface. These kinds of devices might be easier to compromise than Linux PCs or servers because they don’t receive updates very often.

Patching vulnerabilities in embedded devices has never been an easy task. Many vendors don’t issue regular updates and when they do, users are often not properly informed about the security issues fixed in those updates.

In addition, installing an update on embedded devices requires more work and technical knowledge than updating regular software installed on a computer. Users have to know where the updates are published, download them manually and then upload them to their devices through a Web-based administration interface.

It’s an interesting enough story though, something to keep an eye out for, but honestly I don’t think it’s going to spread very far – and it won’t do much damage. Only old and neglected machines will be vulnerable to the exploit.

But well, as we know – there are far too many such machines plugged into the Internet.

Source: PC World


Posted in: Linux Hacking, Malware

Tags: , , , , , , , ,

Posted in: Linux Hacking, Malware | Add a Comment
Recent in Linux Hacking:
- Cyborg Hawk Linux – Penetration Testing Linux Distro
- The Linux glibc Exploit – What You Need To Know
- LaZagne – Password Recovery Tool For Windows & Linux

Related Posts:

Most Read in Linux Hacking:
- Kon-Boot – Reset Windows & Linux Passwords - 140,157 views
- Russix – LiveCD Linux Distro for Wireless Penetration Testing & WEP Cracking - 126,755 views
- BackTrack v2.0 – Hackers LiveCD Finally Released - 101,242 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Sandboxie – Sandbox Your Browser / Software / Programs In Windows

Find your website's Achilles' Heel


Sandboxie enables you to easily sandbox your browser and other programs, it runs your applications in an isolated abstraction area called a sandbox. Under the supervision of Sandboxie, an application operates normally and at full speed, but can’t effect permanent changes to your computer. Instead, the changes are effected only in the sandbox.

Sandboxie - Sandbox Your Programs

For those too lazy to set up a full on vm image for testing stuff, this is a pretty good alternative.

Benefits of the Isolated Sandbox

  • Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
  • Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don’t leak into Windows.
  • Secure E-mail: Viruses and other malicious software that might be hiding in your email can’t break out of the sandbox and can’t infect your real system.
  • Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.

Registration is optional but there is a nag screen after 30 days (typical shareware style).

You can download Sandboxie here:

SandboxieInstall.exe

Or read more here.


Posted in: Countermeasures, Malware, Security Software

Tags: , , , , , , ,

Posted in: Countermeasures, Malware, Security Software | Add a Comment
Recent in Countermeasures:
- Cuckoo Sandbox – Automated Malware Analysis System
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response
- MISP – Malware Information Sharing Platform

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,153 views
- Password Hasher Firefox Extension - 117,804 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,731 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Stuxnet 2 Under Development By Spy Agencies?

Find your website's Achilles' Heel


It’s been a fair while since we’ve heard a mention of Stuxnet, so the potential for Stuxnet 2 is quite interesting. Of course at this point, it’s pretty much all just rumours – but still I’d be very surprised if such a thing wasn’t already in the works.

Apparently in this case, it’s the Saudi and Israeli governments working together so develop something more powerful than Stuxnet, for the same end – to disrupt Iran’s nuclear program and facilities.

Hold the front page: Saudi Arabian and Israeli spy agencies are developing a worm more powerful than Stuxnet to sabotage Iran’s nuclear program again, after meeting in Vienna last week.

Sound a little far-fetched? Well, stranger things have happened but this particular yarn comes from Iran’s FARS news agency, thought to have strong ties to the country’s Revolutionary Guard, so a healthy dose of scepticism is probably advised.

Citing “an informed source close to the Saudi secret service”, the agency claims that the November 24 meeting was held to “increase the two sides’ cooperation in intelligence and sabotage operations against Iran’s nuclear program”.

“One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet to spy on and destroy the software structure of Iran’s nuclear program,” the source told FARS, adding that the $1m plan was welcomed by the Saudis.

It’ll be interesting to see in the coming months if anything actually turns up, and well even if it does – will Iran ever let us hear about it? For those not familiar with the original:

Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by United States and Israel agencies to attack Iran’s nuclear facilities. Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. – Wikipedia


The two sides had apparently set off on this hardline course after being frustrated by a warming of relations between the US and Iran and a deal struck between the Islamic Republic and the US, UK, Russia, China, France and Germany.

This November 24 deal, branded a “historic mistake” by Israel, will see Iran agree to halt some of its nuclear activities in return for around £4bn in sanctions relief.

The yarn certainly plays to the paranoia and FUD so often present in coverage of the Middle East, but it’s unlikely that Israel would want to anger its allies in Washington by jeopardising the recent rapprochement with Iran.

Unless, that is, the idea is to have the malware all ready to go in case there’s a sudden breakdown in talks.

A final thought: FARS lifted almost word-for-word an entire Onion story last year claiming most rural US voters would rather hang out with former Iranian president Mahmoud Ahmadinejad than Barack Obama.

The agency’s editorial judgement was called into question again this year after it posted a story claiming an Iranian boffin had invented a time machine.

If it follows a similar infection vector to the original Stuxnet tho, we probably would hear of it due to the massive Windows infections that precede the attacks on the industrial systems.

And well the original ‘source’ of this news is rather suspicious to say the least, with them publishing satire as real news last year.

Source: The Register


Posted in: Legal Issues, Malware, Privacy

Tags: , , , , , , , , ,

Posted in: Legal Issues, Malware, Privacy | Add a Comment
Recent in Legal Issues:
- The Panama Papers Leak – What You Need To Know
- FBI Backed Off Apple In iPhone Cracking Case
- TalkTalk Hack – Breach WAS Serious & Disclosed Bank Details

Related Posts:

Most Read in Legal Issues:
- Class President Hacks School Grades - 80,705 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,636 views
- One Of The World’s Most Prolific Music Piracy Groups Busted - 43,628 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


ike-scan – Discover & Fingerprint IKE Hosts (IPsec VPN Servers)

Find your website's Achilles' Heel


ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.

ike-scan can perform the following functions:

  • Discovery Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
  • Fingerprinting Determine which IKE implementation the hosts are using, and in some cases determine the version of software that they are running. This is done in two ways: firstly by UDP backoff fingerprinting which involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; and secondly by Vendor ID fingerprinting which compares Vendor ID payloads from the VPN servers against known vendor id patterns.
  • Transform Enumeration Find which transform attributes are supported by the VPN server for IKE Phase-1 (e.g. encryption algorithm, hash algorithm etc.).
  • User Enumeration For some VPN systems, discover valid VPN usernames.
  • Pre-Shared Key Cracking Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses ike-scan to obtain the hash and other parameters, and psk-crack (which is part of the ike-scan package) to perform the cracking.

The retransmission backoff fingerprinting concept is discussed in more detail in the UDP backoff fingerprinting paper which should be included in the ike-scan kit as UDP Backoff Fingerprinting Paper.


The program sends IKE phase-1 (Main Mode or Aggressive Mode) requests to the specified hosts and displays any responses that are received. It handles retry and retransmission with backoff to cope with packet loss. It also limits the amount of bandwidth used by the outbound IKE packets.

IKE is the Internet Key Exchange protocol which is the key exchange and authentication mechanism used by IPsec. Just about all modern VPN systems implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange. Main Mode is one of the modes defined for phase-1 of the IKE exchange (the other defined mode is aggressive mode). RFC 2409 section 5 specifies that main mode must be implemented, therefore all IKE implementations can be expected to support main mode. Many also support Aggressive Mode.

Building and Installing

  • Run git clone https://github.com/royhills/ike-scan.git to obtain the project source code
  • Run cd ike-scan to enter source directory
  • Run autoreconf --install to generate a viable ./configure file
  • Run ./configure or ./configure --with-openssl to use the OpenSSL libraries
  • Run make to build the project
  • Run make check to verify that everything works as expected
  • Run make install to install (you’ll need root or sudo for this part)

You can download ike-scan here:

master.zip

Or read more here.


Posted in: Cryptography, Hacking Tools, Network Hacking

Tags: , , , , , , , , ,

Posted in: Cryptography, Hacking Tools, Network Hacking | Add a Comment
Recent in Cryptography:
- PEiD – Detect PE Packers, Cryptors & Compilers
- DROWN Attack on TLS – Everything You Need To Know
- Dell Backdoor Root Cert – What You Need To Know

Related Posts:

Most Read in Cryptography:
- The World’s Fastest MD5 Cracker – BarsWF - 47,736 views
- Hackers Crack London Tube Oyster Card - 44,949 views
- WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key) - 33,086 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


vBulletin.com Hacked – Forum User Emails & Encrypted Passwords Leaked

Your website & network are Hackable


vBulletin.com hacked is the latest news going around, there seems to have been a spate of these lately, with huge numbers of user accounts leaked. Thankfully this time, the passwords are actually hashed, but with what algorithm – we aren’t quite sure. Perhaps someone could figure it out with HashTag.

I do have some vBulletin forums as well, so I got the e-mail below:

“We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Apparently they are using some kind of salted hash, so the password hashes should be fairly robust. But with the speed of hash brute forcing, any weak passwords should be discovered fairly quickly.

Forumware giant vBulletin.com has admitted that it’s been turned over by hackers who made off with customer user IDs and encrypted passwords.

vBulletin said it was resetting account passwords in response the the breach, which it blamed on a series of “sophisticated attacks”:

It’s unclear what form of “password encryption” vBulletin actually used. In particular it’s unknown if the forum followed industry best practice and stored passwords only in a hashed digest format together with a pinch of salt as a defence against rainbow table-style brute-force attempts to decode its (now leaked) user credential database.

In any case, users who inadvisedly choose the same password for vBulletin as elsewhere also need to change their password at the second location – this time to something different from anything they use elsewhere.

Another reminder not to reuse passwords, use weak passwords etc. It comes shortly after some large forums (like MacRumours) were hacked, forums using vBulletin – which leads some to believe there is a pretty nasty 0-day for vBulletin out there.

This has been supported by the fact that such an exploit is for sale on various exploit marketplaces by a group called Inj3ct0r Team. I’ve seen no reports so far though on the validity of the exploit for sale, and could it be what caused these compromises.


The disclosure of a breach at vBulletin comes a week after forum site MacRumors (which runs on vBulletin) was hacked, exposing the credentials of more than 860,000 users. In a statement acknowledging the compromise, MacRumours apologised for the breach and advised commentards to change up their passwords.

The attacks against MacRumors and vBulletin may be linked.

A hacking group called Inj3ct0r Team claimed responsibility for both the MacRumours and vBulletin attacks before offering to sell the vulnerability exploit used – supposedly targeting an unpatched security hole in multiple versions of vBulletin’s server software – for $700 a pop through various exploit marketplaces, The Hacker News reports.

The quality and provenance of the goods on sale remains unclear, but even the possibility that the sale could lead to widespread attacks against online forums has given some site admins the jitters. Hacking conference DEF CON, for one, has suspended its forums as a precaution, pending the availability of a suitable patch; a move it is making out of an abundance of caution and during its quiet season, months before its annual hacker jamboree in Las Vegas.

https://forum.defcon.org/ was also taken down for a while until the whole thing got sorted out. You can find the code for sale on the groups site here for $7000USD:

vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execute (0day)

Let’s see who pops next.

Source: The Register


Posted in: Exploits/Vulnerabilities, Web Hacking

Tags: , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- shadow – Firefox Heap Exploitation Tool (jemalloc)
- Intel Hidden Management Engine – x86 Security Risk?
- TeamViewer Hacked? It Certainly Looks Like It

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,010 views
- AJAX: Is your application secure enough? - 120,153 views
- eEye Launches 0-Day Exploit Tracker - 85,577 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


LANs.py ARP Spoofer – Multithreaded Asynchronous Packet Parsing/Injecting

Your website & network are Hackable


LANs.py is a multithreaded asynchronous packet parsing/injecting ARP spoofer & poisoner.

Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.

This script uses a python nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python’s scapy library does the work to parse and inject packets.

Requirements

  • Linux
  • Scapy
  • Python nfqueue-bindings 0.4.3+
  • aircrack-ng
  • Python twisted
  • BeEF (optional)
  • A wireless card capable of promiscuous mode if you choose not to use the -ip option

You can download LANs.py here:

LANs.py

Or read more here.


Posted in: Hacking Tools, Network Hacking

Tags: , , , , , , , ,

Posted in: Hacking Tools, Network Hacking | Add a Comment
Recent in Hacking Tools:
- DMitry – Deepmagic Information Gathering Tool
- Automater – IP & URL OSINT Tool For Analysis
- shadow – Firefox Heap Exploitation Tool (jemalloc)

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,981,786 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,435,226 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 681,050 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Cupid Media Hack Exposes 42 Million Passwords In Plain Text

Find your website's Achilles' Heel


42 Million Passwords – now that’s a big number, and the worst part – they aren’t even hashed. Nope, not at all – not even badly. Apparently the intrusion took place earlier this year, in January 2013 – but there was no public announcement.

The data was found on the same server where the hacked data from some other big heists was stored (Adobe/PR Newswire/NW3C etc). And to make it even worse, at least 10% of the users (which itself is over 4 million) use absolutely terrible passwords – passwords that would have been useless even if they were hashed.

Cupid Media Plain Text Passwords
Image Source: Cupid Media Hack Exposed 42M Passwords

Almost 2 million of the users had the password ‘123456‘ followed by 1.2 million with ‘111111‘ (I’m guessing they had a 6 char minimum password requirement).

A hack on niche online dating service Cupid Media earlier this year has exposed names, e-mail addresses and—most notably—plain-text passwords for 42 million accounts, according to a published report.

The cache of personal information was found on the same servers that housed tens of millions of records stolen in separate hacks on sites including Adobe, PR Newswire, and the National White Collar Crime Center, KrebsonSecurity journalist Brian Krebs reported Tuesday night. An official with Southport, Australia-based Cupid Media told Krebs that user credentials appeared to be connected to “suspicious activity” that was detected in January. Officials believed they had notified all affected users, but they are in the process of double-checking that all affected accounts have had their passwords reset in light of Krebs’s discovery.

The compromise of 42 million passwords makes the episode one of the bigger passcode breaches on record. Adding to the magnitude is the revelation the data was in plaintext, instead of a cryptographically hashed format that requires an investment of time, skill, and computing power to crack.

Standing at 42 million passwords, it is indeed one of the biggest breaches ever – and whoever got hold of this had to put no time, effort or computing power into brute forcing hashes. They just opened the DB dump and had 42 million e-mail addresses and passwords.

With many people re-using their passwords across multiple sites, this is indeed like striking the lottery for hackers.

Back in 2011 when Canadian Dating Site PlentyofFish.com was Hacked, they exposed 30 million user accounts – so they weren’t far behind. Notice any similarities? Yah both dating sites…and both storing passwords in plain text.


Making matters worse, many of the Cupid Media users are precisely the kinds of people who might be receptive to content frequently advertised in spam messages, including male enhancement products, services for singles, and diet pills.

The Cupid Media user records reviewed by Krebs contain the usual assortment of weak passwords. More than 1.9 million accounts were protected by 123456. Another 1.2 million used 111111. Users who used the same e-mail address and password to secure accounts on other sites are vulnerable to hijacking. Word of the Cupid Media compromise follows recent reports of password leaks from a host other sites or companies, including Adobe (150 million reversibly encrypted passwords), MacRumors forums (860,000), and web software developer vBulletin (number not disclosed).

Ars has long advised readers to use a password manager that stores a long, randomly generated password that’s unique for every important site. That way, when breaches hit a particular site, users are left scrambling to change credentials for other accounts that used the same password.

You can read more here too:

Cupid Media Hack Exposed 42M Passwords
42 million passwords exposed following massive dating website hack

Once again, another good reason to use PassPack/LastPass/KeePass etc. It once again reinforces the fact that reusing passwords is a terrible idea, especially when sites like this still exist in 2013 that store your password in plain text.

Source: Ars Technica


Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

Tags: , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- shadow – Firefox Heap Exploitation Tool (jemalloc)
- Intel Hidden Management Engine – x86 Security Risk?
- TeamViewer Hacked? It Certainly Looks Like It

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,010 views
- AJAX: Is your application secure enough? - 120,153 views
- eEye Launches 0-Day Exploit Tracker - 85,577 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


HashTag – Password Hash Type Identification (Identify Hashes)

Your website & network are Hackable


HashTag.py is a Python script written to parse and identify the password hash type used.

HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes (use the command line switch -hc to output the hashcat modes). It is also able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.

One of the biggest aspects of this tool is the identification of password hashes. The main attributes used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. ‘$1$’). A lot of password hash strings can’t be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases the author made an exhaustive list of possible types and has the tool output reflect that.

HashTag

It has three main arguments:

  • Identifying a single hash type (-sh)
  • Parsing and identifying multiple hashes from a file (-f)
  • Traversing subdirectories to locate files which contain hashes and parse/identify them (-d)

Usage:

You can download HashTag here:

HashTag.py

Or read more here.


Posted in: Cryptography, Password Cracking

Tags: , , , , , , , , ,

Posted in: Cryptography, Password Cracking | Add a Comment
Recent in Cryptography:
- PEiD – Detect PE Packers, Cryptors & Compilers
- DROWN Attack on TLS – Everything You Need To Know
- Dell Backdoor Root Cert – What You Need To Know

Related Posts:

Most Read in Cryptography:
- The World’s Fastest MD5 Cracker – BarsWF - 47,736 views
- Hackers Crack London Tube Oyster Card - 44,949 views
- WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key) - 33,086 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95