Using Cloud Computing To Crack Passwords – Amazon’s EC2

Now this is interesting: a proper mathematical calculation of the cost of using cloud computing to crack passwords. Now that Amazon has opened up EC2 (Elastic Compute Cloud), the cost of massively parallel processing power has come right down.

And guess what, someone thought of using it to crack passwords. It seems the cut-off would be a 12-character password, as even with all lower-case characters it would cost USD 1.5 million to crack.

It gets exponentially cheaper as you remove each character (the keyspace is the alphabet size raised to the power of the password length), so a 10-character password would only cost you just over USD 2,000!

Forget what you’ve learned about password security. A simple pass code with nothing more than lower-case letters may be all you need – provided you use 12 characters.

That’s the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud computing services offered by Amazon.

Based on hourly fees Amazon charges for its EC2 web service, it would cost more than $1.5m to brute force a 12-character password containing nothing more than lower-case letters a through z. But user beware, an 11-character code costs less than $60,000 to crack, and a 10-letter phrase costs less than $2,300.

Adding upper-case letters and numbers to a password offers some additional security, but not as much as you might think. Such a phrase using 10 characters would cost less than $60,000 to attack, while an 11-character code would cost roughly $2.1m. Even passwords that contain an additional 32 characters such as !@#$% are relatively cheap to crack if they are short enough. An eight-character password would cost a little more than $106,000.

I’d say adding upper case letters and numbers makes quite a difference, a 10 character password jumps from just over USD2000 to crack all the way up to USD60,000. That’s a factor of 30!

I’d say a 10 character password containing uppercase, lowercase, numbers and special characters should be well into the millions and keep you fairly safe.
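The arithmetic behind those figures, as an added worked example (my code, not Campbell’s calculation): the keyspace is the alphabet size raised to the password length, so instance-hours and dollars both multiply by the alphabet size for every extra character. The guess rate and hourly price in the block are placeholder assumptions, and the last function goes one step beyond the article by turning an attacker’s budget into a minimum password length:

```python
# Added example (not Campbell's calculation): a brute-force cost model of the
# kind the article describes. The per-instance guess rate and hourly price are
# placeholder assumptions; the structural point, that each extra character
# multiplies the cost by the alphabet size, holds whatever the real rate is.

ALPHABETS = {
    "lower": 26,                  # a-z
    "lower+upper+digits": 62,     # a-z, A-Z, 0-9
    "all printable": 94,          # plus 32 symbols such as !@#$%
}

GUESSES_PER_SEC = 1_000_000       # assumed guesses per second per rented instance
USD_PER_INSTANCE_HOUR = 0.10      # assumed hourly price of one instance


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords: alphabet size to the power of the length."""
    return alphabet_size ** length


def cost_usd(alphabet_size: int, length: int, worst_case: bool = True,
             rate: float = GUESSES_PER_SEC, price: float = USD_PER_INSTANCE_HOUR) -> float:
    """Rental cost to exhaust the keyspace (worst case) or half of it (average case)."""
    guesses = keyspace(alphabet_size, length)
    if not worst_case:
        guesses /= 2
    instance_hours = guesses / (rate * 3600)
    return instance_hours * price


def cost_ratio_per_extra_char(alphabet_size: int, length: int) -> float:
    """Factor by which the cost grows when one more character is added."""
    return cost_usd(alphabet_size, length + 1) / cost_usd(alphabet_size, length)


def min_length_for_budget(alphabet_size: int, budget_usd: float) -> int:
    """Shortest length whose worst-case cracking cost exceeds the attacker's budget."""
    length = 1
    while cost_usd(alphabet_size, length) <= budget_usd:
        length += 1
    return length


if __name__ == "__main__":
    print(f"{'alphabet':<20}{'len':>4}{'keyspace':>12}{'worst-case USD':>18}")
    for name, size in ALPHABETS.items():
        for n in (8, 10, 11, 12):
            print(f"{name:<20}{n:>4}{keyspace(size, n):>12.2e}{cost_usd(size, n):>18,.0f}")
    # Lower-case-only length needed before cracking costs more than USD 1.5m
    print("lower-case length for a USD 1.5m budget:", min_length_for_budget(26, 1_500_000))
```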

I did write some guidelines and tips on creating a secure password a while back; you can check them out here – Good Password Guidelines – How to Make a Strong/Secure Password.

The analysis, which Campbell posted here, builds off of research fellow security consultant Haroon Meer of SensePost presented earlier this year at the Black Hat conference. In it, he showed how EC2 could provide criminals using stolen credit cards with the equivalent of a super computer to crack encryption keys and passwords.

And that, in turn, will require new ways of thinking on the part of white hats.

“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”

Although Amazon takes pains to ration resources it makes available to single customers, Meer showed it was possible to get around such limitations using a single credit card. Presumably, it would be even easier to bypass those controls using hundreds or thousands of stolen credit cards, something that is trivial for criminals to get a hold of. Campbell’s assumptions are based on simple arithmetic.

It’s interesting research nevertheless; I’d say Cloud Computing is only going to get more powerful and cheaper to rent, so character based passwords may become completely defunct at some point in the future.

The computing power is not at the point where you have to worry about your 1024-bit RSA encryption quite yet, but it may well be in the near future, as it’s already advised to use a 2048-bit key length!

Combining this platform with the abundance of stolen credit card details the blackhats have could be quite devastating.

Source: The Register


RATS – Rough Auditing Tool for Security

RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.

The RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, describes each problem, and may suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.
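To show what “rough auditing” means in practice, here is an added toy auditor (my code, not RATS itself): it flags a handful of risky C calls with a severity and a remedy, tracks the access()-then-open() pattern behind a TOCTOU race, and applies the kind of basic filtering described above so that copying a constant string literal is not reported. The call table and the sample C source are constructed for the example.

```python
import re

# Added example (a toy in the spirit of RATS, not RATS itself). The call table
# below is an illustration, not RATS's own database.
RISKY_CALLS = {  # name -> (severity, why it is risky, safer alternative)
    "gets":    ("High",   "no bound on input length", "fgets"),
    "strcpy":  ("High",   "unbounded copy into destination", "strlcpy or snprintf"),
    "strcat":  ("High",   "unbounded append", "strlcat"),
    "sprintf": ("High",   "unbounded formatted write", "snprintf"),
    "system":  ("Medium", "shell command built from data", "execve with a fixed argv"),
}
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(([^;()]*)\)")
LITERAL_RE = re.compile(r'^\s*"[^"]*"\s*$')            # argument is a plain string literal
ACCESS_RE = re.compile(r"\baccess\s*\(\s*([A-Za-z_]\w*)")
OPEN_RE = re.compile(r"\b(?:open|fopen)\s*\(\s*([A-Za-z_]\w*)")


def audit(source):
    """Return (line_no, severity, message) findings for a chunk of C source."""
    findings = []
    checked = {}  # path variable -> line where access() checked it
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore line comments
        for m in CALL_RE.finditer(code):
            name, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
            severity, why, alt = RISKY_CALLS[name]
            # Basic filtering: copying or running a constant string literal is an
            # obvious non-problem, so skip it rather than cry wolf.
            if name in ("strcpy", "strcat") and len(args) == 2 and LITERAL_RE.match(args[1]):
                continue
            if name == "system" and len(args) == 1 and LITERAL_RE.match(args[0]):
                continue
            findings.append((no, severity, f"{name}(): {why}; consider {alt}"))
        a = ACCESS_RE.search(code)
        if a:
            checked[a.group(1)] = no
        o = OPEN_RE.search(code)
        if o and o.group(1) in checked:  # check on one line, use on a later one
            findings.append((no, "Medium",
                             f"TOCTOU: {o.group(1)} checked with access() on line "
                             f"{checked[o.group(1)]} and opened here; the file can change in between"))
    return findings


# Constructed sample input; not from any real project.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
    char buf[64];
    char *path = argv[2];
    strcpy(buf, "hello");            // constant source: dropped by the filter
    strcpy(buf, argv[1]);            // flagged: unbounded copy
    if (access(path, W_OK) == 0) {   // check...
        FILE *f = fopen(path, "w");  // ...then use: TOCTOU window
        fclose(f);
    }
    gets(buf);                       // flagged: unbounded read
    return 0;
}
"""

if __name__ == "__main__":
    for no, severity, msg in audit(SAMPLE_C):
        print(f"line {no:>3} [{severity:<6}] {msg}")
```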

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify the --with-expat-lib and --with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz
Windows Binary: rats-2.3-win32.zip

Or read more here.


Illegal File Sharers To Be Cut Off By 2011

It was 2008 when the UK government originally proposed disconnecting pirates from the Internet, then a few months later Australia followed suit.

The latest is that it’s really going to be legislated and will come into force by April 2010 under the Digital Economy Bill.

I’ve noticed this trend picking up lately; a few companies are adopting this strategy or at least discussing it. First hit, a warning; second hit, suspension; then finally the third hit is permanent disconnection and possible blacklisting.

Illegal file-sharers could be booted off the internet by summer 2011, says Lord Mandelson. The Business Secretary, who has been charged with ironing out the UK’s plans to tackle internet piracy, revealed that disconnecting repeat offenders will be a last resort.

Mandelson told the government’s Digital Creative Industries Conference that the “consequence-free” days of illegal file-sharing are over, and that a “legislate and enforce” strategy had been identified as the best way to tackle the problem. “Three strikes is a reasonable way of describing our approach,” he said.

The legislation, which will see those caught illegally downloading sent warning letters, will be officially set out in the Digital Economy Bill that is expected next month and will come into force in April 2010. “Technical measures will be a last resort and I have no expectation of mass suspensions resulting.”

I don’t see what the big deal is really, just use encrypted protocols or sign up to a VPN package and use another country that’s not so big on stamping down on piracy.

A lot of people use VPNs here in the US or UK simply because BitTorrent traffic is throttled; it’s a small price to pay.

The same measures could be used to avoid any ISP snooping and get your downloads in peace. The whole Torrent scene has become a bit of a mess lately and it’s a hotbed of bogus files and tracked downloads.

Even with something like PeerGuardian you aren’t totally safe.

Repeat offenders will be issued with a second letter. If this fails to stop them illegally downloading, they will be put on a “serious infringers list”, with ISPs expected to “exercise technical measures”.

Mandelson also said that Ofcom will monitor the success of the warning letters in the first year and if illegal file-sharing has not reduced by 70 percent then suspending net connections will be brought into force.

“The threat for persistent individuals is, and has to be, real, or no effective deterrent to breaking the law will be in place,” he added.

Mandelson also said a “proper route of appeal” would be available for those suspended from the web. Once notified of possible suspension, offenders will be given 20 working days to appeal to an independent body, although Ofcom has yet to appoint the body. Mandelson said the suspension would not come into force until the appeal has been heard.

It’s interesting as well that they aren’t going hardcore right off the bat, they are still giving people a chance. If piracy reduces by 70% after the initial measures are put in place no-one will get disconnected.

Does that mean 30% of people can still download copyright content without any repercussions?

I’ll be watching the implementation anyway to see what kind of effect it has, I’d like to see the figures before and after 12 months and of course the metrics for measurement.

Source: Network World


KrbGuess – Guess/Enumerate Kerberos User Accounts

KrbGuess is a small and simple tool which can be used during security testing to guess valid usernames against a Kerberos environment. It does this by studying the response from a TGT request to the KDC server. The tool works against Microsoft Active Directory, MIT and Heimdal Kerberos implementations. In addition, it will detect if an account lacks pre-authentication.

The tool is supplied with a file containing a list of usernames and requests a TGT for each user and then waits for the response. If the KDC responds with a valid TGT or with an error message stating that pre-authentication is required, a valid username has been discovered. Several guesses can be run in parallel (currently only against a single KDC) in order to improve performance.

Be careful not to run with too many threads and low timeouts as it will bring the KDC to its knees during the time of the test. The default values have been tuned against a virtual machine, and currently eat somewhere around 80% CPU which gives me roughly 700 guesses per second. In most cases the network throughput won’t be the performance bottleneck. So far I’m seeing that 2-3MBit of queries is generating a sustained 100% CPU load against both Heimdal on Ubuntu and Windows 2003.

The tool is written in Java and does not rely on any Kerberos libraries to perform the guessing. In order to successfully run the tool against a system it needs at least the realm, dictionary and server parameters to be set, e.g.:

    java -jar krbguess.jar -s 192.168.56.11 -r HEMMA \
        -o report.txt -d ./dic.txt
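Seen from the KDC side, the three replies the tool keys on (TGT issued, pre-authentication required, principal unknown) also make this kind of guessing easy to spot: a single source that trips a run of unknown-principal errors for many different names in a short window is enumerating. The added example below (my code, not part of KrbGuess) runs that detection over constructed log lines and, for an alerting source, lists which names it confirmed and which of those were handed a TGT without pre-authentication. The line format and the three reply tokens are assumptions chosen for the example, not any real KDC’s exact log wording.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not part of KrbGuess). The line format and reply tokens are
# assumptions for this example, not the exact wording of any real KDC's log.
SAMPLE_LOG = """\
2009-10-29T10:00:00 AS_REQ 10.0.0.5: PREAUTH_REQUIRED: alice@EXAMPLE.COM
2009-10-29T10:00:01 AS_REQ 192.168.56.20: PRINCIPAL_UNKNOWN: aaron@EXAMPLE.COM
2009-10-29T10:00:01 AS_REQ 192.168.56.20: PRINCIPAL_UNKNOWN: abby@EXAMPLE.COM
2009-10-29T10:00:02 AS_REQ 192.168.56.20: PREAUTH_REQUIRED: admin@EXAMPLE.COM
2009-10-29T10:00:02 AS_REQ 192.168.56.20: PRINCIPAL_UNKNOWN: adrian@EXAMPLE.COM
2009-10-29T10:00:03 AS_REQ 192.168.56.20: PRINCIPAL_UNKNOWN: alan@EXAMPLE.COM
2009-10-29T10:00:03 AS_REQ 192.168.56.20: TGT_ISSUED_NO_PREAUTH: svc-backup@EXAMPLE.COM
2009-10-29T10:00:04 AS_REQ 192.168.56.20: PRINCIPAL_UNKNOWN: albert@EXAMPLE.COM
2009-10-29T10:00:05 AS_REQ 192.168.56.20: PRINCIPAL_UNKNOWN: alex@EXAMPLE.COM
2009-10-29T10:05:00 AS_REQ 10.0.0.5: PRINCIPAL_UNKNOWN: alcie@EXAMPLE.COM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AS_REQ (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<reply>[A-Z_]+): (?P<client>[^@\s]+@\S+)$"
)

# What each KDC reply tells a guesser about the name it tried (the post's logic).
REPLY_MEANING = {
    "PRINCIPAL_UNKNOWN": "unknown",
    "PREAUTH_REQUIRED": "valid",
    "TGT_ISSUED_NO_PREAUTH": "valid, pre-authentication not required",
}


def parse(log_text):
    """Return (timestamp, source_ip, reply, client_principal) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["reply"], m["client"]))
    return events


def detect_enumeration(events, window_s=60, min_unknown=5):
    """Map source IP -> peak number of distinct unknown principals tried within one window.
    Only sources reaching min_unknown are returned; a lone typo from a real user never is."""
    unknown_by_src = defaultdict(list)
    for ts, src, reply, client in events:
        if reply == "PRINCIPAL_UNKNOWN":
            unknown_by_src[src].append((ts, client))
    alerts = {}
    for src, hits in unknown_by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1  # slide the window forward
            distinct = {client for _, client in hits[start:end + 1]}
            if len(distinct) >= min_unknown:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def confirmed_names(events, src):
    """Principals the guesser at src learned are valid, and what it learned about pre-auth.
    Useful for scoping: any 'not required' entry is also a pre-auth hardening gap."""
    return sorted((client, REPLY_MEANING[reply]) for _, s, reply, client in events
                  if s == src and REPLY_MEANING.get(reply, "unknown") != "unknown")


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for src, n in detect_enumeration(evts).items():
        print(f"ALERT {src}: {n} distinct unknown principals in one window")
        for name, meaning in confirmed_names(evts, src):
            print(f"  learned: {name} ({meaning})")
```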

You can download KrbGuess here:

krbguess-0.21-bin.tar.gz

Or read more here.


Facebook E-mail Spam Conceals Malware Attack

Facebook has had its fair share of problems; being such a large community, it is of course a ripe target for spammers, scammers and malware distributors.

The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It has also been observed that the trojan connects to additional servers to install more malware.

The ultimate goal as usual is to make the victims part of a botnet.

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users.

The malware is being blasted out by spammers in e-mails claiming to come from “The Facebook Team.” Inside the e-mails is a message that the recipient’s Facebook password has been changed. In order to get the new one, recipients are told to open the accompanying attachment containing the malware.

Researchers at Websense told eWEEK Oct. 27 that they have observed more than 350,000 of the messages. On the company’s blog, researchers explained that the malware connects to two servers to download additional malicious files. Among them is Pushdo, also known as Cutwail.

This spam campaign seems to be generating some fairly high levels of traffic meaning whoever is behind it is pretty serious and committed to this vector for disseminating malware.

Social engineering isn’t a new method for propagating malware; as always, the weakest link is never the technological barrier but the stupidity/greed/gullibility of humans.

You can ALWAYS hack the wetware.

“One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails,” according to M86 Security.

MX Logic noted that Bredolab bypasses firewalls by injecting its own code into the legitimate processes svchost.exe and explorer.exe. It also contains anti-sandbox code to thwart researchers, and creates the following files: %AppData%\wiaservg.log, %Windir%\temp\wpv861256600826.exe and %Programs%\Startup\isqsys32.exe. Bredolab also creates the processes isqsys32.exe and svchost.exe.

Sophos is detecting the malware as Troj/BredoZp-M or Mal/Bredo-A.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software,” Graham Cluley, senior technology consultant at Sophos, advised in a blog post.

It looks like a pretty advanced piece of malware code which evades firewall measures and even tries to thwart analysis by AV companies.

Anti-sandbox code and process injection, these bad guys are getting smart.

That does not bode well for the average citizen.

Source: eWeek


Yokoso! – Web Infrastructure Fingerprinting & Delivery Tool

Yokoso! is a project focused on creating fingerprinting code that is deliverable through some form of client attack. This can be used during penetration tests that combine network and web applications. One of the most common questions we hear is “so what can you do with XSS?” and we hope that Yokoso! answers that question.

We will be creating JavaScript and Flash objects that are able to be delivered via XSS attacks. These code payloads will contain the fingerprinting information used to map out a network and the devices and software it contains.

In basic terms Yokoso! is a collection of infrastructure fingerprints. These fingerprints are useful during penetration tests to determine both what infrastructure is in use and to determine who are the admins of that infrastructure. It is built using the URIs of the web administration interfaces.

You can download Yokoso! v0.1 here:

yokoso.0.1.tar.gz

Or read more here.


Web Application Security Consortium (WASC) 2008 Statistics Published

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry-wide effort to pool together sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by the Mitre CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project tries to be the equivalent for custom web applications.

Goals

  1. Identify the prevalence and probability of different vulnerability classes.
  2. Compare testing methodologies against what types of vulnerabilities they are likely to identify.

The statistics were compiled from web application security assessment projects carried out by the following companies in 2008 (in alphabetical order):

  • Blueinfy
  • Cenzic with Hailstorm
  • DNS with WebInspect
  • Encription Limited
  • HP Application Security Center with WebInspect
  • Positive Technologies with MaxPatrol
  • Veracode with Veracode Security Review
  • WhiteHat Security with WhiteHat Sentinel

The statistics include data on 12,186 sites with 97,554 detected vulnerabilities. The report contains web application vulnerability statistics collected during penetration testing, security audits and other activities carried out by companies that were members of WASC in 2008.

You can find the full study here:

Web Application Security Statistics


Nikto 2.1.0 Released – Web Server Security Scanning Tool

It’s been almost 2 years since the last update on Nikto, which was version 2.

For those that don’t know, Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Changes

This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

  • Rewrite to the plugin engine allowing more control of the plugin structure and making it easier to add plugins
  • Rewrite to the reporting engine allowing reporting plugins to cover more and also ensuring that output is written if Nikto is quit before finishing
  • Large overhaul of documentation to document built-in methods and variables
  • Addition of caching to reduce amount of calls made to the web servers, as well as a facility to disable smart 404 guessing.
  • Addition of simple guessing for whether a system is an embedded device and to report what it is
  • Plugin to use OWASP’s dictionary lists to attempt to brute force directories on the remote web server (as mutate 6)
  • Plugin to attempt to brute force domains (as mutate 5)
  • Allow username guessing (mutate 3 and 4) to use a dictionary file as well as brute forcing
  • Support for NTLM authentication
  • Lots of bug fixes and new security checks

You can download Nikto 2.1.0 here:

nikto-current.tar.gz

Plugins and DB can be found here.

Or read more here.


Retarded E-mails – Credit Cards, Coins, Bombs & More!

Ah it’s that time of the year again when all the back to skoolers have some mad l33t knowledge and wanna h4×0r the planet or something.

Hmmm website hacking, sounds simple eh?

thriller wrote:
hai i would like to know website hacking how?……… sedn to my mail

Ok I’m following, up to the exploding part? Not quite sure about that one.

kesarjahs wrote:
hi 2 all, i just want to ask if you have program for hacking of yahoomail /gmail account? If you don’t mind can you send it to my gmail account coz i want to hack and try to explode. I’m looking forward to the end such a long time.

sincerely,
Kesar Jahs

Ok this one is really bizarre, what kind of question does he expect actually?

Jason Davis wrote:
What is this site. I’m a lil lost
J

WTF, does this look like Security Focus? Oh right copy and paste, at least have the decency to change the e-mail you lazy fuck.

Rudra wrote:
Hello,
I’m the senior product manager and a founder employee of Wank Security – the industry’s leading on demand penetration testing company. Previously I’ve written articles in Hakin9, infosec magazine and CISSP training materials for renowned authors. I would also like to contribute to Security focus on a wide variety of topics including penetration testing. Please let me know if you are accepting articles at this point. Offline, I’ve been working on a article on security threats for online gaming. I can contribute this one if it fits your requirement to start with.

Hope to hear from you soon!

Thanks!
Rudra

Ah back to the normal cheating spouse/erase my debt thing going on.

Aliana wrote:
Quick background – I would like to start a new life, my x husband ran my credit to the ground. I am a 28 year old mother and am seeking someone who can help me erase my debt. If you know of anyone please pass on my email address, if not I am sorry to have wasted your time. Thank you!

What’s the bet this guy is Indian, all their e-mails start with ‘Sir’. BTW if you find the magic undetectable hacking tool Fadi, I want a copy too – thanks.

Fadi wrote:
Dear Sir,
i m looking for undetectable hacking tool to purchase is there any so please tell mei didn’t found any yet :( please sir i shall be highly thankfull to u .

I’m not exactly sure what kind of site people think this is, but since when did we do identity searches? She didn’t even mention what country she’s in or how I’m supposed to locate this mysterious person.

Nia wrote:
Do u need the permission of the individual to be able to give me their location?
And how much will it cost for one search?

Website: Hotmail

Credit cards? I have plenty, you can have them all if you want..I keep buying stuff I don’t really need.

noname wrote:
I want to buy credit card what to do to buy?

mig22 or mig33? Make up your mind..

ahmad wrote:
dear friend,
i just wanted to request you something. there is a software used for chating via mobile. its name is mig22. i want to request you to find some way or make some software for that , for hacking or cracking mig33 password. i will be very thankful to you.
waiting for your reply

Oh wow, poor you Louis. I swear people seem to think every ‘hacker’ runs some kind of hack on demand password recovery scheme.

Louis wrote:
Hi,

My ex stole my email accounts and changed all the details so I cant access them or recover them, can you please help me get the passwords so I can recover the email accounts?

Thanks in advance,

Louis

This one sounds like a 419er.

collins masango wrote:
i would need a good creditcard dealer to be suppling me with numbers,this for long time deal,preferably russian,german,canadian,uk or american

This one is a little bit scary..and disjointed, coins and bombs? What a combination.

Alana wrote:
I looking for imfo on atm and coin machines and how to crack into them and on bombs

Keep an eye on the retards here:

http://www.darknet.org.uk/category/retards/


Origami – Parse, Analyze & Forge PDF Documents

origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.

Features

  • Create PDF documents from scratch.
  • Parse existing documents, modify them and recompile them.
  • Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and deobfuscating names and strings.
  • High-level operations, such as encryption/decryption, signature, file attachments…
  • A GTK interface to quickly browse into the document contents.

Full Scripts

Some scripts are provided to help in performing common actions on PDF files. You can contribute more by sending your own scripts to origami(at)security-labs.org.

  • detectjs.rb: search for all JavaScript objects.
  • embed.rb: add an attachment to a PDF file.
  • create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
  • moebius.rb: transform a PDF to a moebius strip.
  • encrypt.rb: encrypt a PDF file.

You can download Origami here:

origami-1.0.0-beta1.tar.gz

Or read more here.

