Well we finally had enough time away from the lab to get around to the Kontest for the free Kon Boot license. The contest will be to write an article for our site on a password tool of your choice, it has to be a tool we haven’t covered already (but not an obscure tool that is only useful to a handful of people and no Nirsoft tools :p ). It can be a recovery tool, cracker, exploit etc… it doesnt have to be a long article, just as long as your covering the basics of how to use the tool and maybe some examples. The contest will end next Monday so get those articles in to . 10 lucky winners will receive the licenses shortly afterwards

A hacker named Kirllos seems to have sold close to 700,000 accounts, and has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices. Kirllos’ Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account — Kirllos wants as little as $0.025 per Facebook account.

If you look at the source code — on the sign up page — and do a simple search for ‘twttr.BANNED_PASSWORDS’ you can find all 370 passwords that you can’t use. Hit more to see the passwords.
(more…)

Seems like Myspace addon on site rockyou.com fell victim to sql injection flaw and exposed more than 32 millions of passwords in plaintext.
http://igigi.baywords.com/rockyou-com-exposed-more-than-32-millions-of-passwords-in-plaintext/

A backdoor vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the web, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.
David Chen, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s config file.

That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network , given that the routers also expose their web interfaces to the internet.

Src: chenosaurus.com

A new study, which is being published in the Proceedings of the Human Factors and Ergonomics Society, details just how long we’ve been aware of the password problem. It cites a study of Unix passwords from 1979, which showed that about 30 percent of the passwords were four characters or less, and about 15 percent being words that appear in the dictionary. Fast forward to 2006, when a separate survey of 34,000 MySpace passwords revealed that the most common were “password1″, “abc123″, “myspace1″, and “password”.

src: arstechnica.com

A new post appeared on the Wordpress discussion list today revealing more details about the process. Everyone is apparently able to reset a Wordpress password if the email address of the Wordpress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password. The email address of the account holder has to be supplied in the form. Wordpress usually will send a confirmation email first asking the email account owner if the password should be reset. The vulnerability manipulates the query to skip this step.

It is not possible to exploit this vulnerability further which means attackers cannot get access to the user account. It can however be theoretically be used to reset the password regularly to lock the user or admin out of the Wordpress blog.

A temporary fix for the remote admin password reset vulnerability was posted. Wordpress administrators need to change one line of code in the wp-login.php file of the Wordpress installation to protect their blog from the attack. There is no official release fixing this problem, apply this changeset to your wp-login.php.

change line 190 in wp-login.php to

if ( empty( $key ) )

With

    if ( empty( $key ) || is_array( $key ) )

It is advised to apply the temporary fix as soon as possible to Wordpress installations.

Newer Version Has Been Released! CLICK HERE!

Based off of the idea of Bryce Whitty’s “Computer Repair Utility Kit” from Technibble.com. The downfalls of Bryce’s idea was that he had the complete package with all the tools offered for download on his site, which of course sucked up bandwidth, and some authors of the applications, while freeware, wanted the only download of their software to be at their own sites.

To bypass these problems Tech Tools uses Ketarin, which is an application downloader that checks to see if an application has been updated and downloads it if so.

So I’ve compiled a list of apps that that were part of the original tool, and either
subtracted or added them due to their portability. i.e. if the program had an installer i didnt include it, I used mostly standlone executables for this first package.

You use Ketarin to first download all your tools and it will automatically extract them to their categorized folders.Once Downloaded you can then open Pstart.exe ,its menu is already configured to show the downloaded tools. You would then use Ketarin weekly to auto-update all these tech tools so you would always have a fresh copy of the program on your USB.

Version 2.0 update: added more tools and fixed some categories

If you have any questions,bugs, or ideas to include in the next version please visit the topic in our forums
*** THE NIRSOFT TOOLS THAT GET DOWNLOADED FOR PASSWORD RECOVERY GET MISTAKENLY IDENTIFIED AS VIRUS/HACKTOOLS THEY ARE NOT VIRUSES!!!***
I’m trying to keep it up to date every few months to make sure the weblinks to some apps are fixed.

DID you change your computer password?

This simple act can save money and protect your personal information, the Broadband Minister, Stephen Conroy, said yesterday as he launched the first “National Change Your Password Day”.

Senator Conroy, who revealed his own computer had this week been bombarded with more than 50 fake emails pretending to be from his bank, said people should change their passwords at least twice a year.

He recommended passwords always include letters and numbers and warned people to be vigilant. “Stop and think before you click on links or attachments,” he said.

“No one wants to lose their bank details to criminals or fall victim to an online scam and that’s why it’s important that people understand simple steps, such as getting a better, stronger password, can help them stay smart online and protect their personal information.”

He said this would build confidence in the digital economy, especially as more people increasingly use computers for personal, social networking and business purposes.

“Don’t just choose a password with your birthday or the name of your favourite football team. Get security software and update it regularly,” he said.

Meanwhile, the Auditor-General said he would have a full inquiry into the Government’s first failed broadband tender. The Opposition spokesman, Nick Minchin, has urged the audit into the process after Telstra was excluded on a technicality and the Government said none of the other bids was good enough.

The Government made the surprise announcement to instead set up its own $43 billion company to build the broadband network.

Via: smh.com.au

Software makers elmcomsoft were denied use of their PGP cracking wallpaper on their exhibit by Reed Exhibitions supposedly from complaints by PGP

Via: blog.crackpassword.com