illmob.org

iOS 6.1 Lockscreen Bypass

February 14th, 2013 by admin in Apple, News, Privilege Escalation

The flaw is relatively easy to exploit: it lets you bypass the security code and use the full Phone app. From there you have access to the address book and, by trying to change a contact’s picture, to the pictures app.

Apple promised to fix the iOS 6.1 Exchange bug in a forthcoming software update, so perhaps they’ll fix this annoying glitch as well.

Steps to follow:
First part:
- Go to emergency call, push down the power button and tap cancel.
- Dial 112 and tap green and immediately red.
- Go to lock screen.
Ok… ready for second part:
- Go to passcode screen.
- Keep pushing down the power button… 1… 2… 3… seconds and before showing the slider “turn off”… tap the emergency call button and… voilà!
- Then without releasing the power button press the home button and ready…

Comprehensive list of password dumping tools for Windows

February 5th, 2013 by admin in cracking, News, Password Info, Privilege Escalation

Bernardo Damele compiled a list of password dumping tools in a Google spreadsheet:

https://docs.google.com/spreadsheet/ccc?key=0Ak-eXPencMnydGhwR1VvamhlNEljVHlJdVkxZ2RIaWc#gid=0

iPhone iOS 4.3.5 vulnerability

December 12th, 2011 by admin in Apple, News, Privilege Escalation

iPhone iOS 4.3.5 vulnerability (pin/password bypass to make calls) from Sigtrap.

  1. Turn on the phone.
  2. Slide to unlock.
  3. Press Emergency Call.
  4. Enter a very long phone number.
  5. Press and hold down the Power button.
  6. Wait for one second.
  7. Press the Call button.
  8. The phone will show the “Slide to power off” screen.
  9. Release the Power button.
  10. Press Cancel.
  11. Double press the Home button.
  12. Press the Phone icon.
  13. Make calls.

How secure is your password?

November 28th, 2011 by admin in cracking, Life, News, Password Info


Just head over to the service’s website and enter a password in the form. You do not necessarily have to enter a password that you actively use. You can instead enter a comparable password to find out how long it would take to crack it with a brute-force attack, or maybe a combined dictionary and brute-force attack.

http://www.howsecureismypassword.net/

OS X Lion bugs allow changing local user passwords and viewing shadow files

September 20th, 2011 by admin in Apple, cracking, News, Privilege Escalation, Uncategorized

http://www.flickr.com/photos/rubendomfer/5974823525/

The latest version of OS X Lion allows any user to easily change the password of any local account, due to permissions oversights on Apple’s part. The news comes less than a month after another Lion vulnerability that let users bypass LDAP without a password gained notoriety.

Originally reported by Defence in Depth blogger Patrick Dunstan, the root of the newly discovered problem in Mac OS X 10.7 is tied to the user-specific shadow files used in modern OS X platforms. These files are essentially hash databases and contain, among other things, the user’s encrypted passwords. Ideally, they should be accessible only via high-privilege accounts.

According to Dunstan, Apple dropped the ball in terms of how Lion handles privilege. “Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Dunstan wrote. “This is accomplished by extracting the data straight from Directory Services.” Any user can accomplish this trick by simply invoking the directory services listing using the /Search/ path — for example, $ dscl localhost -read /Search/Users/bob (where “bob” is the username). This causes Lion OS X to spew out the contents of Bob’s shadow hash file, including data that can be used to crack Bob’s password with a simple script, such as a Python script written by Dunstan.

Source: Info World
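
A defender-side check for the exposure described above, as an added example that is not from the original post or from Dunstan's script: it parses `dscl ... -read` output captured as a non-root user and reports whether password hash material is visible. The sample outputs are constructed, and the attribute name `dsAttrTypeNative:ShadowHashData` and the `SALTED-SHA512` marker are assumptions about how Lion-era records present the data.

```python
import re

# Constructed sample of `dscl localhost -read /Search/Users/bob` output as seen
# by a non-root user on an affected system. The hex words are filler built for
# this example ("bplist00" header, "SALTED-SHA512" key, zero bytes), not a hash.
SAMPLE_EXPOSED = """\
dsAttrTypeNative:ShadowHashData:
 62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044
 00000000 00000000
NFSHomeDirectory: /Users/bob
RecordName: bob
"""
# Constructed sample of the same read where the hash attribute is withheld.
SAMPLE_CLEAN = "NFSHomeDirectory: /Users/bob\nRecordName: bob\n"

HASH_ATTR = "dsAttrTypeNative:ShadowHashData"  # assumed attribute name


def parse_dscl(text):
    """Parse `dscl -read` output into {attribute: value string}."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace():  # indented line continues the previous attribute
            if key is not None:
                attrs[key] = (attrs[key] + " " + line.strip()).strip()
            continue
        m = re.match(r"^(\S+?):(?:\s+(.*))?$", line)
        key = m.group(1) if m else None
        if m:
            attrs[key] = m.group(2) or ""
    return attrs


def audit(text):
    """Return a list of findings; empty means no hash data was exposed."""
    raw = parse_dscl(text).get(HASH_ATTR)
    if raw is None:
        return []
    findings = [f"{HASH_ATTR} is readable by the calling user"]
    try:
        blob = bytes.fromhex("".join(raw.split()))
    except ValueError:
        return findings + ["value is not hex; inspect manually"]
    if blob.startswith(b"bplist00"):
        findings.append("value is a binary plist")
    if b"SALTED-SHA512" in blob:
        findings.append("plist carries a SALTED-SHA512 entry")
    return findings
```

Run `audit()` over output collected from an unprivileged account on each host; any non-empty result means that account can read another user's hash data.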

Should I Change My Password

September 5th, 2011 by admin in Life, News

Recently, hackers hacked into the databases of various public and private organizations (Sony, MySpace, Gawker, PBS, etc) and released millions of user accounts along with associated emails and passwords. Since there are a number of different databases, it is not really viable to check them on your own and see if your account was also leaked.

Should I Change My Password is a useful website that was created to help you easily check if your account was among those released to the public by hackers. The site uses databases released by hackers to check and match your email against the records in those databases. Simply enter your email and click “Check it!”.

If your email is found among the records, you should immediately change your password to protect your account.

 

Features:

  • Checks if your password was compromised in recent hacker attacks (in 2011).
  • Uses a number of databases released by hackers to the public.
  • Your emails and passwords are not stored in their database.
  • List of compromised databases posted on the website. See “Sources” at the bottom.
  • Free, no registration needed. Simply enter your email address to search the records.

Check out ShouldIChangeMyPassword @ www.shouldichangemypassword.com (via Lifehacker)

LastPass resets passwords following possible hack

May 5th, 2011 by admin in News

Password management system LastPass has reset users’ master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies – one affecting a database server – on LastPass’s network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn’t impact you – the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute-forcing. To counter that potential threat, we’re going to force everyone to change their master passwords. Additionally, we’re going to want an indication that you’re you, by either ensuring that you’re coming from an IP block you’ve used before or by validating your email address…

We realise this may be an overreaction and we apologise for the disruption this will cause, but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later.

LastPass’s decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Software, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn’t sure how hackers might have entered its network – if indeed that’s what happened – an assault based on an initial break-in via its Voice over IP system is the company’s best initial guess as to what might have gone wrong.

This week’s security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses – though not the passwords – of enrolled users. The two incidents are not thought to be related.

 

Source: theregister.co.uk

Sony: PSN Personal Info Was Stolen

April 29th, 2011 by admin in News

UPDATE: We received a small chunk of the compromised passwords, check to see if your name is on this list

Sony has some bad news for PSN users, confirming that PSN personal information is “believed” to be in the hands of an “unauthorized person.” Users who use the same password for multiple accounts should make immediate changes to all of their online accounts.

Sony has confirmed that the PSN outage caused by what it called an “external intrusion” a few days ago has resulted in the theft of the personal information of the roughly 70 million active PSN accounts. A post today on the PlayStation Blog by Senior Director of Corporate Communications and Social Media Patrick Seybold said that as early as April 17 account information may have been stolen.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network,” Seybold wrote.

There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk, though Sony says there is “no evidence” that theft of credit card information occurred.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained (emphasis added).

In response to the intrusion, Seybold wrote that Sony turned off the PSN, contacted an outside security firm for assistance, and quickly stepped up efforts to strengthen PSN infrastructure.

Change your passwords, keep careful note of charges to your accounts, and keep an extra eye out for things out of place with your personal accounts. Stay tuned to gamrFeed for further updates.

Source: PlayStation Blog

eXcon and BSidesCT Security conference

April 27th, 2011 by admin in News

Tickets are on sale now for the eXcon and BSidesCT security conference.
June 11th, 2011, located in Meriden, CT
It’s only 2 hours from either Boston or NYC.
http://exconference.com
If you want to attend or speak at the conference, hit their email up on the site!!!

Naked Password

March 2nd, 2011 by admin in News, Password Info


Naked Password is a jQuery plugin meant to encourage your users to enter stronger passwords. Pixelated model Sally tastefully removes items of clothing as the password grows stronger.

http://www.nakedpassword.com
