Posts Tagged Authentication/Encryption

L0phtcrack 6: the old guard is back!

More than three years after Symantec stopped supporting and developing L0phtcrack, the tool that provided a titanic opportunity for password auditing and recovery, the same team returned yesterday with a new version, L0phtcrack 6.

Because the original authors reacquired the project rights from Symantec, they were able to continue developing the utility. Operating system security has changed a great deal in the last five years, so they improved some features, such as support for x64 processors and for the latest releases from Microsoft (Vista, XP and Windows 7), Ubuntu and others.

I used LC4 and LC5, and they worked perfectly to recover lost passwords that are less than 14 characters, so update your corporate password policy and make sure that you meet password security best practices.


Unlocking encryption myths

There’s no debate over the fact that data breaches are sharply on the rise. In mid-March the chief enterprise risk officer for Visa, Ellen Richey, said that common sense dictates that a challenging economy will produce increased data theft activity; sales of stolen data remain an exceptionally vibrant business despite the downturn. Richey added that ‘security and law enforcement experts have confirmed that cyber attacks on consumers and businesses have intensified in recent months.’

According to the Identity Theft Resource Centre’s 2008 breach report, which only tracks incidents involving personally identifiable data, there were 656 reported breaches at the end of 2008, an increase of 47 per cent over the 2007 total of 446. And we’re off to a rather distressing start in 2009, with 125 breaches reported in the first three months of the year, affecting 1,553,069 records, according to the Open Security Foundation (www.datalossdb.org).

What is more depressing is that the Identity Theft Resource Centre reports that only 2.4 per cent of the companies involved in reported breaches utilized encryption. The vast majority of the exposed data was open to attack, a sad fact that no doubt delighted data thieves and enabled them to profit from the purloined data.

According to information presented at the Visa Security Summit 2009, criminals are so pleased by the discovery of unencrypted data that they are now deliberately targeting small and midsize businesses, under the assumption that big business will have already done the right thing and encrypted data throughout its lifecycle.

You can find more on the British Computer Society’s website.


DNS Poisoning

Security researcher Dan Kaminsky, who works at security services firm IOActive, said this week at BlackHat that the time may have come for IT vendors and users to consider broad adoption of the more-permanent security protections offered by DNS Security Extensions (DNSSEC) technology.

The cache-poisoning flaw was publicly disclosed last July, several months after it was discovered by Kaminsky, who first notified IT vendors to give them time to develop a fix. When he finally detailed the vulnerability, Kaminsky said it existed at the DNS protocol level and was so ubiquitous that virtually every domain name server resolving IP addresses on the Internet was vulnerable to attack.

The flaw could be used by attackers to spoof DNS traffic, potentially enabling them to redirect Web traffic and e-mail messages to systems under their control. Other security researchers said that although the concept behind such attacks had been well understood for some time, Kaminsky demonstrated an extremely effective way in which the attacks could be carried out.

You can read more about it here.
