Password recovery timing
Time it takes a hacker’s computer to randomly guess your password:

Unless, of course, they're using a nice setup with GPU power.
MAPDAV is designed to use what is known about a user or users (e.g., username, first name, middle name, last name, etc.) on a Unix/Linux system from an /etc/passwd file and tries to come up with probable combinations that could be the user's password. An administrator could run the output through a cracker and see if their users' passwords are anything easy to guess.
For example, if we had a passwd file entry such as:
chrisa:x:107:102:Chris Anderson:/home/chrisa:/usr/bin/bash
We could have MAPDAV derive some possible passwords, such as chrisa, chrisanderson, andersonchris, canderson, ChrisAnderson, Anderson Chris, CHRIS, plus any other combinations you entered. It has quite a few other features you can use to modify the output to have arbitrary characters, be in reverse, and other useful things.
Out of a sample of 30192 users, MAPDAV 1.0p8 cracked 4.7% of the passwords on the default settings, 1.2% of which were NOT the same user/pass. This combined with a good conventional wordlist could give good crack results.
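The derivation described above can be turned around into a password-change check that rejects any password derivable from the account's own passwd record. The Python below is an added example, not MAPDAV's code; the function names and the exact combination rules are assumptions modelled on the combinations listed above.

```python
from itertools import permutations

# Sample record taken from the text above.
SAMPLE = "chrisa:x:107:102:Chris Anderson:/home/chrisa:/usr/bin/bash"

def parse_passwd_line(line):
    """Split one /etc/passwd record into (username, name parts from GECOS)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    # GECOS may hold comma-separated subfields; the first is the full name.
    full_name = fields[4].split(",")[0]
    return fields[0], full_name.split()

def derived_candidates(line):
    """Lowercase set of strings derivable from the account's own data."""
    username, names = parse_passwd_line(line)
    lowered = [n.lower() for n in names]
    out = {username.lower(), *lowered}
    for a, b in permutations(lowered, 2):
        out.add(a + b)        # chrisanderson, andersonchris
        out.add(a + " " + b)  # "anderson chris"
        out.add(a[0] + b)     # initial plus other part: canderson
    # Reversed spellings, which the text lists as one of the options.
    out |= {c[::-1] for c in out}
    out.discard("")
    return out

def is_derivable(password, line):
    """True if the password is a case variant of a derived candidate."""
    return password.lower() in derived_candidates(line)

if __name__ == "__main__":
    for pw in ("ChrisAnderson", "canderson", "asirhc", "x9$Lq-vT2m"):
        verdict = "reject" if is_derivable(pw, SAMPLE) else "accept"
        print(f"{pw!r}: {verdict}")
```

Comparing in lowercase covers case variants such as CHRIS and ChrisAnderson without enumerating them.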

The hackers uncovered the hack in order to run Linux on PS3 consoles, irrespective of the version of firmware the games console was running. They found it was possible to calculate the public private keys, giving users the ability to sign their own software and load it into the PS3. By knowing the private key used by Sony the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on a games console were firmware specific and involved messing around with USB sticks.
Read more: http://www.theinquirer.net/inquirer/news/1934470/hackers-mock-sony-ps3#ixzz19cCnto6t
http://fail0verflow.com/
Darth Null had a nice writeup on how to make crypt(3) rainbow tables. He had been told that the salt made it impossible to generate rainbow tables unless you went through the trouble of creating 4096 different tables (one for each salt); the reason cited was the presence of the two-character salt at the beginning of the hash. A couple of nights later he devised a solution that was able to read, write, and process crypt(3) hashes in their native form (as opposed to a flat hexadecimal dump of the hash). He wanted to submit it to ShmooCon but didn't get accepted, so rather than sit on the information, he decided to release it on his blog.
The whitepaper can be found here: http://bit.ly/ij8hQU
Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: “123456.” So is the runner-up: “password.”
On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords.

At least two popular passwords are science-fiction references: “trustno1” was Special Agent Mulder’s password on “The X-Files,” and “thx1138” is a George Lucas film that envisioned a dystopian future. Other popular passwords are just plain-old geeky: “dragon,” “superman,” “princess,” “starwars” and “nintendo.”
A database dump of about a million or so commenter and staff passwords has been released as a 500MB torrent file, currently residing on the popular torrent tracker ThePirateBay.
Inside the torrent file lies a file entitled Readme.txt. This file is potentially the most sensitive of them all, for it holds the usernames and passwords used by the entire Gawker staff, focusing particularly on Gawker’s founder Nick Denton.
The usernames and passwords to Denton’s Google Apps, Twitter and Campfire accounts are all listed; Denton uses the same password for them all.
Some gaming sites' FTP passwords were stolen too.

Though all of the passwords were encrypted, simple ones may be vulnerable to a brute-force attack. You should change your password on Gawker and on any other sites where you’ve used the same password.
Passware Kit decrypts hard disks encrypted with BitLocker or TrueCrypt in a matter of minutes if the target computer is running. Now Passware Kit is capable of this instant decryption even for powered-off computers by analyzing a hibernation file (hiberfil.sys).
The software instantly extracts BitLocker and TrueCrypt encryption keys from a hiberfil.sys file, which is created automatically when a system hibernates. This means that if the target computer with a mounted BitLocker or TrueCrypt hard disk has hibernated at least once, Passware Kit will instantly decrypt the hard disk even if the target computer is no longer running.
http://bit.ly/pw-55
JavaScript Distributed Computing System is online. Cracks MD5, SHA1, SHA256 and SHA512 hashes in pure JavaScript.
http://www.andlabs.org/tools/ravan.html
Most Apple applications store login passwords and other critical information so that the user is spared the hassle of entering the password every time. Often these applications use their own proprietary encryption mechanism to store the credentials. But on the Mac many applications use Keychain files for storing usernames, passwords and sometimes even other critical data. In such cases KeychainRecovery helps in recovering the lost master password of the Keychain file.
You can download it from securityxploded.com, the same site that brought you the Firefox Master password cracker.
A security hole in iPhone 4 software allows you to make a call after dialing a few pound signs and timing a few others, as found by a MacForums member.
When your iPhone is locked with a passcode, tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.
This is very similar to a security flaw on the iPhone that we blogged about in 2008, which allowed people to easily bypass the lock screen to access mail, contacts and bookmarks. Apple later acknowledged the bug and issued a software update patching the issue.
An Apple spokeswoman’s response regarding the security flaw:
“We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November.”