
iPhone iOS 4.3.5 vulnerability

December 12th, 2011 by admin in Apple, News, Privilege Escalation

iPhone iOS 4.3.5 vulnerability (pin/password bypass to make calls) from Sigtrap.

  1. Turn on the phone.
  2. Slide to unlock.
  3. Press Emergency Call.
  4. Enter a very long phone number.
  5. Press and hold down the Power button.
  6. Wait for one second.
  7. Press the Call button.
  8. The phone will show the “Slide to power off” screen.
  9. Release the Power button.
  10. Press Cancel.
  11. Double press the Home button.
  12. Press the Phone icon.
  13. Make calls.

How secure is your password?

November 28th, 2011 by admin in cracking, Life, News, Password Info


Just head over to the service’s website and enter a password in the form. You do not have to enter a password that you actively use; you can enter a comparable one instead to find out how long it would take to crack with a brute-force attack, or a combined dictionary and brute-force attack.

http://www.howsecureismypassword.net/
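A rough sketch of the kind of estimate such a checker produces, as an added example that is not code from the site or from this post. The guess rate is an assumed figure, and the small dictionary is constructed from the common passwords named elsewhere on this page.

```python
import string

# Assumed attacker speed in guesses per second (illustrative, not measured).
GUESSES_PER_SECOND = 1e9

# Constructed mini-dictionary: common passwords named elsewhere on this page.
COMMON = ("123456", "password", "trustno1", "thx1138", "dragon",
          "superman", "princess", "starwars", "nintendo")

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password):
    """Alphabet size a brute-force search must cover for this password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four ASCII classes (space, non-ASCII) count once each.
    extra = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extra)


def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    """Worst-case seconds for a dictionary pass followed by brute force."""
    if password.lower() in COMMON:
        # Dictionary words are tried first, so list position bounds the work.
        return (COMMON.index(password.lower()) + 1) / rate
    # Otherwise every string of the same length over that alphabet is tried.
    keyspace = charset_size(password) ** len(password)
    return (len(COMMON) + keyspace) / rate


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.6f} seconds"


if __name__ == "__main__":
    for sample in ("123456", "trustno1", "abcdefgh", "Tr0ub4dor&3x!"):
        print(f"{sample!r}: {human(seconds_to_crack(sample))}")
```

The dictionary branch is why a long but common password still falls immediately: its length never enters the calculation.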

OS X Lion bugs allow changing local user passwords and viewing shadow files

September 20th, 2011 by admin in Apple, cracking, News, Privilege Escalation, Uncategorized

http://www.flickr.com/photos/rubendomfer/5974823525/

The latest version of OS X Lion allows any user to easily change the password of any local account, due to permissions oversights on Apple’s part. The news comes less than a month after another Lion vulnerability that let users bypass LDAP without a password gained notoriety.

Originally reported by Defence in Depth blogger Patrick Dunstan, the root of the newly discovered problem in Mac OS X 10.7 is tied to the user-specific shadow files used in modern OS X platforms. These files are essentially hash databases and contain, among other things, the user’s encrypted passwords. Ideally, they should be accessible only via high-privilege accounts.

According to Dunstan, Apple dropped the ball in terms of how Lion handles privilege. “Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Dunstan wrote. “This is accomplished by extracting the data straight from Directory Services.” Any user can accomplish this trick by simply invoking the directory services listing using the /Search/ path — for example, $ dscl localhost -read /Search/Users/bob (where “bob” is the username). This causes OS X Lion to spew out the contents of Bob’s shadow hash file, including data that can be used to crack Bob’s password with a simple script, such as a Python script written by Dunstan.

Source: Info World

Should I Change My Password

September 5th, 2011 by admin in Life, News

Recently, hackers broke into the databases of various public and private organizations (Sony, MySpace, Gawker, PBS, etc.) and released millions of user accounts along with the associated emails and passwords. Since there are a number of different databases, it is not really viable to check them on your own to see if your account was also leaked.

Should I Change My Password is a useful website that was created to help you easily check if your account was among those released to the public by hackers. The site uses databases released by hackers to check and match your email against the records in those databases. Simply enter your email and click “Check it!”.

If your email is found among the records, you should immediately change your password to protect your account.

 

Features:

  • Checks if your password was compromised in recent hacker attacks (in 2011).
  • Uses a number of databases released by hackers to the public.
  • Your emails and passwords are not stored in their database.
  • List of compromised databases posted on the website. See “Sources” at the bottom.
  • Free, no registration needed. Simply enter your email address to search the records.

Check out ShouldIChangeMyPassword @ www.shouldichangemypassword.com (via Lifehacker)

LastPass resets passwords following possible hack

May 5th, 2011 by admin in News

Password management system LastPass has reset users’ master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies – one affecting a database server – on LastPass’s network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn’t impact you – the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute-forcing. To counter that potential threat, we’re going to force everyone to change their master passwords. Additionally, we’re going to want an indication that you’re you, by either ensuring that you’re coming from an IP block you’ve used before or by validating your email address…

We realise this may be an overreaction and we apologise for the disruption this will cause, but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later.

LastPass’s decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Software, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn’t sure how hackers might have entered its network – if indeed that’s what happened – an assault based on an initial break-in via its Voice over IP system is the company’s best initial guess as to what might have gone wrong.

This week’s security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses – though not the passwords – of enrolled users. The two incidents are not thought to be related.

 

Source: theregister.co.uk

Sony: PSN Personal Info Was Stolen

April 29th, 2011 by admin in News

UPDATE: We received a small chunk of the compromised passwords, check to see if your name is on this list

Sony has some bad news for PSN users, confirming that PSN personal information is “believed” to be in the hands of an “unauthorized person.” Users who use the same password for multiple accounts should make immediate changes to all of their online accounts.

Sony has confirmed that the PSN outage caused by what it called an “external intrusion” a few days ago has resulted in the theft of the personal information of the roughly 70 million active PSN accounts. A post today on the PlayStation Blog by Senior Director of Corporate Communications and Social Media Patrick Seybold said that as early as April 17 account information may have been stolen.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network,” Seybold wrote.

There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk, though Sony says there is “no evidence” that theft of credit card information occurred.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained (emphasis added).

In response to the intrusion, Seybold wrote that Sony turned off the PSN, contacted an outside security firm for assistance, and quickly stepped up efforts to strengthen PSN infrastructure.

Change your passwords, keep careful note of charges to your accounts, and keep an extra eye out for things out of place with your personal accounts. Stay tuned to gamrFeed for further updates.

Source: PlayStation Blog

eXcon and BSidesCT Security conference

April 27th, 2011 by admin in News

Tickets are on sale now for the eXcon and BSidesCT security conference.
June 11th, 2011, located in Meriden, CT.
It’s only 2 hrs from either Boston or NYC.
http://exconference.com
If you want to attend or speak at the conference, hit their email up on the site!!!

Naked Password

March 2nd, 2011 by admin in News, Password Info


Naked Password is a jQuery plugin that encourages your users to enter stronger passwords. Pixelated model Sally tastefully removes items of clothing as the password grows stronger.

http://www.nakedpassword.com

The Top 50 Gawker Media Passwords

December 14th, 2010 by admin in News

Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: “123456.” So is the runner-up: “password.”

On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords.

At least two popular passwords are science-fiction references: “trustno1” was Special Agent Mulder’s password on “The X-Files,” and “thx1138” is a George Lucas film that envisioned a dystopian future. Other popular passwords are just plain-old geeky: “dragon,” “superman,” “princess,” “starwars” and “nintendo.”

Gawker Media Hacked

December 12th, 2010 by admin in News, Uncategorized

A database dump of about a million or so commenter and staff passwords has been released as a 500MB torrent file, currently residing on the popular torrent tracker ThePirateBay.

Inside the torrent file lies a file entitled Readme.txt. This file is potentially the most sensitive of them all, for it holds the usernames and passwords used by the entire Gawker staff, focusing particularly on Gawker’s founder Nick Denton.

The usernames and passwords for Denton’s Google Apps, Twitter and Campfire accounts are all listed; Denton uses the same password for them all.

FTP passwords for some gaming sites were stolen as well.

Though all of the passwords were encrypted, simple ones may be vulnerable to a brute-force attack. You should change your Gawker password, and your password on any other sites where you’ve used the same one.
