Posts Tagged Password Security

Password Cracking Arrives in the Cloud

David Campbell, a security consultant, carried out a study on password safety. The research is based on an evaluation of the cost of cracking passwords with a paid service, the Amazon EC2 web service.

The security expert found that to crack a 12-character password made up of lowercase letters between “a” and “z”, hackers would need to pay about 1.5 million dollars. An 11-character password costs 60 thousand dollars, and a 10-character one can be had for just 2300 dollars.

Mixing numbers and letters in the password will enhance the protection, but not as much as needed. For example, the cost to crack a 10-character alphanumeric password is less than 60 thousand dollars, while for 11 characters a hacker would have to spend 2.1 million. Adding special characters (!@#$%) makes the price jump to more than 106 thousand for 8 characters.

Cloud computing has significantly reduced the costs of purchasing and maintaining expensive equipment, but it's time to invest a part of the IT budget in a solid encryption solution such as two-factor authentication or a password management solution, to eliminate the threats of password guessing and man-in-the-middle attacks.
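The figures quoted in this post can be turned into a sizing rule for a password policy. The following is an added example, not code from the original post or from Campbell's study: it calibrates on the post's 2300-dollar figure for 10 lowercase letters and assumes that cost grows linearly with the number of candidates, that "alphanumeric" means 36 symbols and that adding special characters means the 95 printable ASCII characters; all function names are illustrative.

```python
# Added example; alphabet sizes and linear scaling are assumptions.
ANCHOR_COST_USD = 2300          # from the post: 10 lowercase letters
ANCHOR_KEYSPACE = 26 ** 10      # candidates covered by that anchor price

ALPHABETS = {
    "lowercase": 26,      # a-z, as stated in the post
    "alphanumeric": 36,   # assumed: a-z plus 0-9
    "printable": 95,      # assumed: every printable ASCII character
}

def exhaustive_cost_usd(alphabet_size, length):
    """Estimated cost of trying every password of exactly this length."""
    return ANCHOR_COST_USD * alphabet_size ** length / ANCHOR_KEYSPACE

def min_length_for_budget(alphabet_size, budget_usd):
    """Shortest length whose exhaustive search costs more than the budget."""
    length = 1
    while exhaustive_cost_usd(alphabet_size, length) <= budget_usd:
        length += 1
    return length

def policy_table(budget_usd, lengths=(8, 10, 11, 12)):
    """Rows of (alphabet, cost per length, minimum length for the budget)."""
    rows = []
    for name, size in ALPHABETS.items():
        costs = {n: round(exhaustive_cost_usd(size, n)) for n in lengths}
        rows.append((name, costs, min_length_for_budget(size, budget_usd)))
    return rows

if __name__ == "__main__":
    for name, costs, min_len in policy_table(budget_usd=1_000_000):
        priced = ", ".join(f"{n} chars: ${c:,}" for n, c in costs.items())
        print(f"{name:13s} {priced} | needs >= {min_len} chars")
```

Under these assumptions the estimates land close to the figures quoted above. They describe exhaustive search only, so a password taken from a dictionary falls far sooner than its length suggests.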


Computers could get owned by a USB device

USB Switchblade is a tool that can help you to be a king on the enemies’ land. Hak5 USB Switchblade is the second name for this tool, but this does not change anything.

The project consists of several software packages that do a great job for password grabbing and pentesting:

Dump SAM is made for dumping the Windows Security Account Manager.

IE/Firefox Password Grabber does a good job of grabbing browser passwords.

VNC-Service is a hidden installer that helps to add users and monitor the network activity on the victim machine.

On the official sites there are several techniques for using this tool:

1. Max Damage Technique: just plug your U3 drive into any computer with XP/2000/2003 (requires Administrator account) and wait about 20-45 seconds. Eject the U3 drive, go to “Run” in the Start menu, type in “X:\Documents\logfiles” (X = flash drive letter) and press Enter. Open the text file with the computer name you got into and you will find what you are looking for.

2. Amish Technique: here you start by downloading the Amish Payload 1.0. Extract the payload to the root of your flash drive, plug your flash drive into any computer, go to “My Computer” and double-click (autorun) the USB drive, or select the “Open Files On Folder” option when it is inserted into a target computer. Wait about 20-45 seconds, eject the flash drive and go to “Run” in the Start menu. Type in “X:\Dump” (X = flash drive letter) and press Enter. Open the text file with the computer name you got into and that’s it.

3. Gandalf’s Technique: the advantage of this technique is that you can use it on a USB drive, an iPod or a local computer, it doesn’t matter. You just need to run start.vbs and then you can find the passwords and logs at $backup/%computername%.7z.

This raises a very important issue in corporate security: disabling the USB ports is vital for the information system, but companies also need to pay attention to educating users about the potential security risks posed by USB flash drives. On the other hand, it can sometimes be very useful :-) .


Vulnerability Puts eBay Developers Program Accounts at Risk

eBay security specialists asked developer program members to change their passwords. This is due to a newly discovered vulnerability that can allow an attacker to intercept important account details.

Kumar Kandaswamy, eBay Developers Program manager, reported in the published guidance that the company has found a way in which an outsider can access users’ account information in the eBay Developers Program, so as a preventive measure it is highly recommended to change all user passwords.

The vulnerability does not allow attackers to grab financial information such as credit card or bank account information or Social Security numbers.

But in 2007 a hacker called Vladuz managed to bypass all the protection measures and obtain unauthorized eBay access that is intended just for employees; as a result the hacker was arrested in Romania.

The eBay Developers Program helps users work with its API and develop online applications for web resources. Now when you click join and want to select a new password, there are strict safety standards for creating the password: “Your password must be 8 characters or longer, and contain at least 1 upper case letter (A-Z), 1 lower case letter (a-z), 1 number (0-9), and 1 special character (!@#$%*+-_.?). For example, Cool_devel0per.” That’s good for users’ security :-) .
