Jan 03 2024

Malware using google exploit maintain access

Category: Information Security,Malware,Password Securitydisc7 @ 7:38 am

Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MultiLogin Exploit

Dec 29 2023

New Medusa Stealer Attacking Users To Steal Login Credentials

Category: Cyber Attack,Password Securitydisc7 @ 9:24 am
New Medusa Stealer Attacking Users to Steal Login Credentials

While the world celebrated Christmas, the cybercrime underworld feasted on a different kind of treat: the release of Meduza 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims. 

Cybersecurity researchers at Resecurity uncovered the details of New Medusa Stealer malware.

Resecurity is a cybersecurity company specializing in endpoint protection, risk management, and cyber threat intelligence.

Translation:
Attention! The New Year’s Update
Before the New Year 2024, the Meduza team decided to please customers with an update. Under the Christmas tree, you can find great gifts such as significant improvements in user interface (panel), modal windows on loading, and expansion of data collection objects

A Feast Of Features

Meduza 2.2 boasts a veritable buffet of enhancements, including:

  • Expanded Software Coverage: The stealer now targets over 100 browsers, 100 cryptocurrency wallets, and a slew of other applications like Telegram, Discord, and password managers. This broader reach increases its potential for victimization.
  • Enhanced Credential Extraction: Meduza 2.2 digs deeper, grabbing data from browser local storage dumps, Windows Credential Manager, and Windows Vault, unlocking a treasure trove of sensitive information.
  • Google Token Grabber: This new feature snags Google Account tokens, allowing attackers to manipulate cookies and gain access to compromised accounts.
  • Improved Crypto Focus: Support for new browser-based cryptocurrency wallets like OKX and Enrypt, along with Google Account token extraction, makes Meduza a potent tool for financial fraud.
  • Boosted Evasion: The stealer boasts an optimized crypting stub and improved AV evasion techniques, making it harder to detect and remove.

These advancements position Meduza as a serious competitor to established players like Azorult and Redline Stealer

Its flexible configuration, wide application coverage, and competitive pricing ($199 per month) make it an attractive option for cybercriminals of all skill levels.

A Recipe For Trouble

The consequences of Meduza’s widespread adoption are grim.

  • Account Takeovers (ATOs): Stolen credentials can be used to hijack email accounts, social media profiles, bank accounts, and other online services.
  • Online Banking Theft: Financial data gleaned from infected machines can be used to drain bank accounts and initiate fraudulent transactions.
  • Identity Theft: Sensitive information like names, addresses, and Social Security numbers can be exploited for identity theft and financial fraud.

To combat this growing threat, individuals and organizations must:

  • Practice strong password hygiene: Use unique, complex passwords for all accounts and enable two-factor authentication where available.
  • Beware of phishing scams: Don’t click on suspicious links or download attachments from unknown sources.
  • Keep software up to date: Regularly update operating systems, applications, and security software to patch vulnerabilities.
  • Invest in robust security solutions: Implement comprehensive security solutions that can detect and block malware like Meduza.

Login Credentials: Username/Password Journal

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Medusa Stealer

Aug 07 2023

How an 8-Character Password Could be Cracked in Just a Few Minutes

Category: Password Securitydisc7 @ 9:14 am
How an 8-Character Password Could be Cracked in Just a Few Minutes

Advances in graphics processing technology and AI have slashed the time needed to crack a password using brute force techniques, says Hive Systems.We may be compensated by vendors who appear on this page through methods such as affiliate links or sponsored partnerships. This may influence how and where their products appear on our site, but vendors cannot pay to influence the content of our reviews. For more info, visit our Terms of Use page.

Security experts keep advising us to create strong and complex passwords to protect our online accounts and data from savvy cybercriminals. And “complex” typically means using lowercase and uppercase characters, numbers, and even special symbols. But, complexity by itself can still open your password to cracking if it doesn’t contain enough characters, according to research by security firm Hive Systems.

Jump to:

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: password security

May 16 2023

HACK KEEPASS – EXTRACT KEEPASS MASTER PASSWORD FROM MEMORY USING THIS TOOL

Category: Password Securitydisc7 @ 8:10 am
Hack KeePass – Extract KeePass master password from Memory using this tool

KeePass is a piece of software that is both open-source and free to use. It is a trusted companion for users of Windows, Linux, and Mac OS X, as well as users of mobile devices. However, a newly found security hole has brought attention to the program, demonstrating that not even the most secure of systems are immune to the possibility of having security problems.

This security flaw, which has been given the identifier CVE-2023-32784, makes it possible for the user’s master password to be dumped from memory even when the user’s workspace is closed or the program is no longer active. The master password is the main key that may be used to unlock the user’s database of passwords. A hostile actor could be able to extract the plain text master password from a memory dump. KeePass 2.x versions previous to 2.54 include this vulnerability. This vulnerability is widespread in KeePass 2.x versions. It’s possible that this is a dump of the KeePass process, but it might also be a swap file, a hibernation file, or even a RAM dump of the whole system. The fact that the initial character of the password cannot be reconstructed is the only minor solace in this situation.

A researcher by the name of vdohney built a proof-of-concept tool and gave it the suitable moniker “KeePass Master Password Dumper” in order to draw attention to this issue. This program provides a clear demonstration of how the master password might be retrieved from KeePass’s memory with the exception of the first character. This can be done without needing code to be executed on the machine that is being targeted, and it can be done even if the workspace is locked or if KeePass is no longer operating.

When entering passwords, KeePass 2.X makes use of a text box that was built specifically for it called SecureTextBoxEx. This text box is utilized not just for the insertion of the master password, but also in other locations in KeePass, such as password edit boxes (which means that the attack may also be used to retrieve the contents of other password edit boxes).

Security Researcher Creates Tool to Extract Passwords from KeePass Databases

The vulnerability that is being exploited here is the fact that a leftover string is formed in memory for each character that is entered. Because of the way that.NET operates, once an instance of it has been created, it is very difficult to delete it. For instance, when the word “Password” is entered, it will leave behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept program looks through the dump to find these patterns and suggests a possible character to use for each location in the password.

The reliability of this attack is susceptible to change based on the manner in which the password was written as well as the number of passwords that were input within a single session. However, it appears that the way.NET CLR creates these strings implies that they are likely to be well ordered in memory. This is true even if there are numerous passwords used for a single session or if there are errors in the passwords. Therefore, if three distinct passwords were entered, you have a good chance of getting three options for each character place in that sequence. This enables you to recover all three passwords if they were entered.

New Linux for Cyber forensics and Investigators – CSI Linux

Should You Be Concerned About This?
It is dependent on the threat model you choose. This discovery does not significantly worsen your condition if your machine is already infected with malware that is operating in the background with the rights of your user. On the other hand, in contrast to KeeTheft and KeeFarce, there is no need for any kind of process injection or other code execution for the malware to be stealthy and dodge the antivirus software. This may make it simpler for the malware.

It might be a problem if you have a reasonable suspicion that someone could get access to your computer and undertake forensic examination. Even if KeePass is completely shut down or secured, it is still possible for the master password to be rediscovered. This is the worst-case situation.

If you have a clean machine and utilize full disk encryption with a strong password, you should be OK. Because to this discovery, it will be impossible for anybody to steal your credentials remotely over the internet.

Tags: HACK KEEPASS, MASTER PASSWORD

May 04 2023

World Password Day: 2 + 2 = 4

Category: Password SecurityDISC @ 8:46 am

World Password Day: 2 + 2 = 4

World Password Day is always hard to write tips for, because the primary advice you’ll hear has been the same for many years.

That’s because the “passwordless future” that we’ve all been promised is still some time away, even if some services already support it.

Simply put, we’re stuck with the old, while at the same time preparing for the new.

That’s why we’ve come up with four tips for 2023, but split them into two halves.

Thus the headline: 2 + 2 = 4.

We’ve got two Timeless Tips that you already know (but might still be putting off), plus two Tips To Think About Today.

TIMELESS TIP 1. PASSWORD MANAGEMENT

Use a password manager if you can.

Password managers help you choose a completely different password for every site. They can come up with 20 random characters as easily as you can remember your cat’s name. And they make it hard to put the right password into the wrong site, because they can’t be tricked by what a site looks like. They always check the URL of the website instead.

TIMELESS TIP 2. GO TWO-FACTOR

Use 2FA when you can.

2FA is short for two-factor authentication, where a password alone is not enough. 2FA often relies on one-time codes, typically six digits long, that you have to put in as well as your same-every-time password. So it’s a minor inconvenience for you, but it makes things harder for the crooks, because they can’t jump straight in with just a stolen password.

TIP FOR TODAY 1. LESS IS MORE

Get rid of accounts you aren’t using.

Lots of sites force you to create a permanent account even if you only want to use them once. That leaves them holding personal data that they don’t need, but that they could leak at any time. (If sites can’t or won’t close your account and delete your data when asked, consider reporting them to the regulator in your country.)

TIP FOR TODAY 2. REVISIT RECOVERY

Revisit your account recovery settings.

You may have old accounts with recovery settings such as phone numbers or email addresses that are no longer valid, or that you no longer use. That means you can’t recover the account if ever you need to, but someone else might be able to. Fix the recovery settings if you can, or consider closing your account (see previous tip).

And with that, Happy World Password Day, everybody 🌻

Password Keeper Book: My Personal Keeper – The Ultimate Password Organizer With Alphabetical Tabs: Never Forget a Password Again with Our Secure Password Keeper Book

  InfoSec tools | InfoSec services | InfoSec books

Tags: The Vault, world password day

Dec 08 2022

Don’t Sell Your Laptop Without Following These Steps

Category: data security,Information Security,Password SecurityDISC @ 9:13 am
Don’t Sell Your Laptop Without Following These Steps

Before selling or trading in your laptop, it is important to prepare the device for its new owner as this will help ensure all of your personal data remains safe.

In an age when every day, a new version of a laptop with better features, sleek design, and improved performance hits the market, it is no wonder that you also wish to buy a new laptop to achieve excellence in performance and enjoy new features.

You have money, you can buy a new laptop, great! But what about your previous laptop? If you are thinking of selling it, then…stop.

If you think selling a laptop is all about saving your data, finding a seller, and selling it, then you need to think again. It goes beyond this! It is not all about getting a fair price, but also saving your personal information and private data from reaching a stranger – that might cost you a lot if that stranger is fraudulent or malicious.

Before selling or trading in your laptop, it is important to prepare the device for its new owner. This can be done by taking several simple precautions that will help ensure all of your personal data remains safe.

1 Save Your Important Data

It goes without saying that your first step should be keeping a backup of your essential data, including personal and work-related files and folders, containing documents, presentations, emails, plans, strategies, or anything else that you have prepared with so much hard work.

If you don’t want to see your data slipping from your fingers, then this should be your number one step.

You can save your data on a data drive or upload it to a reliable cloud service. Or send them to your own email address (well, this is my favorite way of saving my data!). Do whatever suits you, but saving data is a must before selling your laptop.

However, this can only work if you have a few GB of data. In case you have terabytes of data then owning a workstation from companies like Western Digital (WD) is a good way to go.

2 Delete Passwords Permanently

Nobody wants the passwords of important accounts to get leaked. Full stop! But have you ever thought about how to save your passwords before giving your laptop? What — did you just say you can do it by signing off from all your accounts and deleting history and cookies? Ah, I wish it was really that easy, but it is not. 

Where technology has brought so much ease into our lives, there it has also become a trouble in many ways — like this one. Unfortunately, some software can extract passwords even if you log out from your accounts.

That is where you should act smartly if you don’t want someone to sneak into your Facebook and start sending weird messages through your accounts to your friends. It could trigger so many controversies – eh. So, cut iron with iron.

You can also use apps such as password generators. One such example is the IPVanish password generator which lets users delete passwords permanently from their browsers. If you wish to do that manually, follow these easy steps:

For Chrome browser: First, open Chrome and click on the three-dot menu icon located in the top right corner. Then select “Settings” and click on “Passwords” under Autofill. Here you will find a list of all the websites that have saved credentials, along with their usernames and passwords.

Select an entry to see the details, then click on the three-dot menu icon next to it and select “Remove.” You’ll be asked to confirm by clicking “remove” again; once confirmed all login information for that website will be deleted from your computer. (Read more on Google.)

For Firefox: First, launch the Firefox browser on your device. Then, click the ‘Menu’ icon (three lines in the upper right corner) and select ‘Options’ or ‘Preferences’. In this menu, you will see a section for ‘Logins & Passwords. You can then scroll through all of your saved logins and passwords until you find the one that needs to be deleted.

For Safari Browser: To begin, open up the Safari browser on your computer and click the ‘Safari’ menu at the top left corner. In that menu option, select ‘Preferences’ and then navigate to the ‘Passwords’ tab. (Read more on Mozilla.)

Here you will see a list of all of your stored passwords that have been saved by Safari. To delete one or more of these passwords, simply check off each box next to each entry that you wish to remove and hit delete in the bottom right corner. (Read more on Apple.)

3 Format the Drive

Have you saved your important data? Great! Now, what about data that is still on your laptop? Obviously, you can’t leave it like this for others to see your private information and confidential data. No, just deleting data files and clearing Recycle Bin or Shift + Delete might not work. It can still keep the issue of data leakage and privacy breaches there. 

In this condition, most people go for drive formatting that cleans up your laptop and makes it data free. However, this method works if your files are overwritten and you are using a solid-state drive (SSD) with TRIM enabled.

With HDD or TRIM disabled, you would have to overwrite the hard drive if you don’t want cheap software to recover your data – yes, even after formatting. It is very easy to recover a permanently deleted file through even cheap software. So, be safe than sorry!

4 Prepare Your Laptop for Selling

Once you are done saving your information, next, it is time to prepare your laptop for sale at a good price. The price of your gadget also depends on its model, functionalities, current market price, and a lot more. However, improving the outer condition, and speed, upgrading Windows, and enhancing the memory storage can enhance the price of your laptop. 

So, work on the following things to get good bucks:

  • First, install the latest Windows to make your buyer happy. You can vow anyone with the latest functionalities already installed on the laptop, so that person wouldn’t have to go through all the trouble. It is a good chance to impress a buyer.
  • Second, work on the speed of the laptop. Half of the work is already done when you delete files and data. So, reset the laptop to speed it up.
  • Clean up your laptop, please. Don’t take your laptop to a buyer with all the lint or dust trapped between keys and scratches on the screen. You can remove lint or dust with a brush and change the screen cover. This simple work can make a lot of difference.
  • Lastly, visit a laptop expert and ask for a thorough inspection so that you can rectify if there are any internal faulty parts.

Don't Sell Your Laptop Without Following These Steps

PROFESSIONAL HARD DRIVE ERASER 32/64Bit Professional Edition – Wipe your Hard Drive Securely for for ALL operating systems

Tags: data erase, data security

Jul 29 2022

Strong Authentication – Robust Identity and Access Management Is a Strategic Choice

Category: Authentication,Password SecurityDISC @ 8:26 am
Strong Authentication – Robust Identity and Access Management Is a Strategic Choice

Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed.

Usernames and passwords are insufficient and vulnerable means of authentication on their own; therefore, it is essential to employ strong authentication techniques like multi-factor authentication (MFA) to confirm users’ identities before granting secure access to resources,” Sarah Lefavrais, Product Marketing Manager, Thales states in her recent article. It’s true. Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed to improve security without hindering user convenience.

What is Strong Authentication?

Tech Target states that strong authentication is “any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.” It is commonly referred to as a way to confirm a user’s identity when passwords are not enough. As Tech Target continues, the European Bank and many that adopt its guidelines state that strong authentication must include “at least two mutually-independent factors” so that the compromise of one will not lead to the compromise of the other. These factors are:

  • Knowledge – Something the user knows
  • Possession – Something the user has
  • Inherence – Something the user is

As Lefavrais states, employing more than one of these measures is needed to ensure only legitimate users can access applications and services,  and when applications contain sensitive data such as confidential, personally identifiable information that needs to be protected. 

In IAM strategy, strong authentication methods like MFA and Modern Authentication are quickly replacing traditional methods like passwords, especially as the new gold standard for how IT and security teams enforce access controls, and gain visibility into access events – especially as workloads move to the cloud, VMs and across remote and hybrid environments.

The IAM Security BoundaryStrong authentication is a critical component of modern-day identity and access management. It not only provides additional layers of security around entry points, but allows for customizable levels of authentication, authorization, and access control throughout your environment, giving users only the permissions (and sign-in requirements) they need. To illustrate that point, we’ll investigate two of the primary methods, MFA and Modern Authentication, further in-depth.

Multi-factor Authentication (MFA) is widely seen as the strongest mode of authentication. MFA allows you to:

  • Protect against the compromise made possible by weak passwords. With MFA, a password alone is insufficient to grant access, so credential stuffing and brute force attacks are rendered useless.
  • Reduce identity theft from phishing and other social engineering schemes. Even if you do click on that email and enter a few credentials, if your bank, work VPN, or other access point requires MFA (especially with tokenization, biometrics, or location-based entry), chances are those credentials won’t be enough, and hackers will move on to easier targets.
  • Stay within compliance boundaries like the OMB Memorandum for Zero Trust Cybersecurity and the European Union Agency for Cybersecurity (ENISA) and CERT-EU guidelines, as noted by Lefavrais. These require MFA use throughout subordinate enterprises.

A few MFA methods used in strong authentication include:

  • FIDO security keys
  • Certificate-based smart cards and certificate-based USB tokens
  • Mobile phone and software-based authentication
  • One Time Password (OTP) authenticators
  • Pattern-based (or grid) authenticators
  • Hybrid tokens

Modern Authentication relies on technologies, such as FIDO and Webauthn, contextual authentication and modern federation protocols, which ensure proper user identity and access controls in cloud environments.  That means you can implement more effective access security for cloud apps, alongside the existing access controls that are already in place for on-premises and legacy applications. Flexible policy-based access enable a friendly experience while maintaining a high level of security for roles or resources requiring it.

What to Look for in a Strong Authentication Service

When choosing a strong authentication service, be it on-premises or in the cloud, features to consider are:

  1. Policy-based access with ability to implement conditional access. In order to optimize the end user experience while maintain the best access security for a particular user and application, look for a solution that can enforce a range of authentication methods through policies and risk scoring.
  2. Resistant to phishing. Phishing accounts for roughly a quarter of all data breaches, according to Verizon’s 2021 DBIR. Strong authentication solutions with FIDO2 can both authenticate securely and prevent attacks.
  3. User experience. Do the methods involved create security fatigue, or is it simple to secure multiple-use authentication journeys?
  4. Adaptability and customizability. Can you assign different access controls based on role or asset? What about context, environment, or use case?

Ultimately, you need to ensure your strong authentication provider supports your industry’s identity and access regulations and integrates smoothly with your current identity environment, deploying flexibly and maintaining equilibrium as you transition over. To maintain a risk-based authentication posture, IAM solutions must continue evolving alongside increased digitization demands.  When a single lock and key no longer suffice to safeguard the VMs, remote environments, and cloud-based assets of today, we must adopt the access management and strong authentication methods that can.

About the Author: Katrina Thompson is an ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.

Strong Authentication

Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Tags: Identity and Access Management

May 14 2022

He sold cracked passwords for a living – now he’s serving 4 years in prison

Category: Dark Web,Hacking,Password SecurityDISC @ 12:07 pm
He sold cracked passwords for a living – now he’s serving 4 years in prison

In this article, it turns out to be the first name (in Latin script, anyway) of a convicted cybercriminal called Glib Oleksandr Ivanov-Tolpintsev.

Originally from Ukraine, Tolpintsev, who is now 28, was arrested in Poland late in 2020.

He was extradited to the US the following year, first appearing in a Florida court on 07 September 2021, charged with “trafficking in unauthorized access devices, and trafficking in computer passwords.”

In plain English, Tolpintsev was accused of operating what’s known as a botnet (short for robot network), which refers to a collection of other people’s computers that a cybercriminal can control remotely at will.

A botnet acts as a network of zombie computers ready to download instructions and carry them out without the permission, or even the knowledge, of their legitimate owners.

Tolpintsev was also accused of using that botnet to crack passwords that he then sold on the dark web.

What to do?

Tolpintsev’s ill-gotten gains, at just over $80,000, may sound modest compared to the multi-million dollar ransoms demanded by some ransomware criminals.

But the figure of $82,648 is just what the DOJ was able to show he’d earned from his online password sales, and ransomware criminals were probably amongst his customers anyway.

So, don’t forget the following:

  • Pick proper passwords. For accounts that require a conventional username and password, choose wisely, or get a password manager to do it for you. Most password crackers use password lists that put the most likely and the easiest-to-type passwords at the top. These list generators use a variety of password construction rules in an effort to generate human-like “random” choices such as jemima-1985 (name and year of birth) ahead of passwords that a computer might have selected, such as dexndb-8793. Stolen password hashes that were stored with a slow-to-test algorithm such as PBKDF2 or bcrypt can slow an attacker down to trying just a few passwords a second, even with a large botnet of cracking computers. But if your password is one of the first few that gets tried, you’ll be one of the first few to get compromised.
  • Use 2FA if you can. 2FA, short for two-factor authentication, usually requires you to provide a one-time code when you login, as well as your password. The code is typically generated by an app on your phone, or sent in a text message, and is different every time. Other forms of 2FA include biometric, for example requiring you to scan a fingerprint, or cryptographic, such as requiring you to sign a random message with a private cryptographic key (a key that might be securely stored in a USB device or a smartcard, itself protected by a PIN). 2FA doen’t eliminate the risk of crooks breaking into your network, but it makes individual cracked or stolen passwords much less useful on their own.
  • Never re-use passwords. A good password manager will not only generated wacky, random passwords for you, it will prevent you from using the same password twice. Remember that the crooks don’t have to crack your Windows password or your FileVault password if it’s the same as (or similar to) the password you used on your local sports club website that just got hacked-and-cracked.
  • Never ignore malware, even on computers you don’t care about yourself. This story is a clear reminder that, when it comes to malware, an injury to one really is an injury to all. As Glib Oleksandr Ivanov-Tolpintsev showed, not all cybercriminals will use zombie malware on your computer directly against you – instead, they use your infected computer to help them attack other people.

The Darkest Web

The Darkest Web (Allison Barton Book 2) by [Kristin Wright]

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: cracked passwords, dark web, The Darkest Web

Nov 26 2021

Password Security for online protection

Category: Password SecurityDISC @ 4:50 pm

The Hack-Proof Password System: Protect Yourself Online With a Memory Expert’s In-Depth Guide to Remembering Passwords

Nov 20 2021

Study reveals top 200 most common passwords

Category: Password SecurityDISC @ 9:34 am
Study reveals top 200 most common passwords

Nordpass has published its annual report, titled “Top 200 most common passwords,” on the use of passwords. The report shows that we are still using weak passwords.

The list of passwords was compiled with the support of independent researchers specializing in data breach analysis., the study is based on the analysis of a 4TB database containing passwords across 50 countries.

Most used passwords are still 123456, 123456789, 12345, qwerty, and “password”. Businesses fail to enforce strong passwords, and rarely request employees to enable multi-factor authentication (MFA). 

The report revealed that the most common passwords in 2021 were:

  1. 123456 (103,170,552 hits)
  2. 123456789 (46,027,530 hits)
  3. 12345 (32,955,431 hits)
  4. qwerty (22,317,280 hits)
  5. password (20,958,297 hits)
  6. 12345678 (14,745,771 hits)
  7. 111111 (13,354,149 hits)
  8. 123123 (10,244,398 hits)
  9. 1234567890 (9,646,621 hits)
  10. 1234567 (9,396,813 hits)

Below is the map showing password leaks per capita:

top used passwords

Do you ever have trouble remembering your usernames and passwords when you visit a website? Access Denied password notebook is a safe and accessible place where you can save all of your important internet addresses, usernames, and passwords. To help you find what you’re searching for fast, the pages are structured into easy-to-follow parts.

The Quick and Easy Way to Manage Your Personal Usernames and Passwords!

Tags: most common passwords

Sep 27 2021

Proper password security falling short despite increase in online presence

Category: Information Security,Password SecurityDISC @ 9:32 am
Proper password security falling short despite increase in online presence

While 92 percent of people know that using the same password or a variation is a risk, 65 percent still re-use passwords across accounts, drastically increasing the risks to their sensitive information, a LastPass report revealed.

proper password security

While consumers have a solid understanding of proper password security and the actions necessary to minimize risk, they still pick and choose which information they apply that knowledge to, according to the report.

Spending more time online, yet lacking proper password security

Strong cybersecurity habits are more important than ever this year, given the sheer volume of time individuals have spent online in the last 18 months and the corresponding spike in cyber-attacks. Yet the survey revealed that despite 71 percent of people working wholly or partly remote and 70 percent spending more time online for personal entertainment during the pandemic, people were still exhibiting poor password behavior.

Password Authentication for Web and Mobile Apps

Tags: password security

Jul 27 2021

Cracking Password Protected ZIP, RAR & PDF using Zydra

Category: Password SecurityDISC @ 11:00 am
Cracking Password Protected ZIP, RAR & PDF using Zydra

Having confidential documents on a system, like a pdf of financial data or a zip including personal images and videos, ensure they’re password-protected so nobody else can access them. Encrypting documents with a password provides security that although the device is under attack, the attackers would be unable to view files while on the system.

Even so, just like everything else, when files have a password, this can be brute-forced. And here we’re trying to understand about zydra, a file brute-forcing tool, and see how it works by brute-forcing a document and inspecting the details. You will only need a Kali Linux and some encrypted files to perform this tutorial. Zydra works in two modes: brute force and dictionary. And we will try the example on each way.

Table of Contents

Password Cracking Manual

Jul 21 2021

Windows “HiveNightmare” bug could leak passwords – here’s what to do!

Category: Password Security,Windows SecurityDISC @ 1:24 pm
Windows “HiveNightmare” bug could leak passwords – here’s what to do!

Windows “hives” contain registry data, some of it secret. The nightmare is that these files aren’t properly protected against snooping.

As if one Windows Nightmare dogging all our printers were not enough…

…here’s another bug, disclosed by Microsoft on 2021-07-20, that could expose critical secrets from the Windows registry.

Denoted CVE-2021-36934, this one has variously been nicknamed HiveNightmare and SeriousSAM.

The moniker HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files, known in Microsoft jargon as hives or hive files.

These hive files include a trio called SAMSECURITY and SYSTEM, which between them include secret data including passwords and security tokens that regular users aren’t supposed to be able to access.

They’re kept in a special, and supposedly secure, folder under the Windows directory called C:\Windows\System32\config, as you see here:

C:\Windows\System32\config> dir
[. . .]
Directory of C:\Windows\System32\config
[. . .]
21/07/2021  12:57           524,288 BBI
25/06/2021  06:21            28,672 BCD-Template
21/07/2021  14:45        32,768,000 COMPONENTS
21/07/2021  12:57           786,432 DEFAULT
21/07/2021  12:32         4,194,304 DRIVERS
[. . .]
21/07/2021  12:57            65,536 SAM       <--some system secrets included
21/07/2021  12:57            32,768 SECURITY  <--some system secrets included
21/07/2021  12:57        87,556,096 SOFTWARE
21/07/2021  12:57        11,272,192 SYSTEM    <--some system secrets included
[. . .]

The moniker SeriousSAM comes from the filename SAM, which is short for Security Account Manager, a name that sounds as serious as the file’s content’s are.

Tags: HiveNightmare

Jul 07 2021

Vulnerability in the Kaspersky Password Manager

Category: Password SecurityDISC @ 11:13 am
Vulnerability in the Kaspersky Password Manager

Stupid programming mistake, or intentional backdoor?

Tags: Kaspersky Password Manager

Jun 15 2021

RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

Category: Access Control,Password SecurityDISC @ 9:34 am
rockyou2021.txt sample password's list

What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches. 

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries:

rockyou2021.txt

The compilation itself has been dubbed ‘RockYou2021’ by the forum user, presumably in reference to the infamous RockYou data breach that occurred in 2009 and rockyou2021.txt filename containing all passwords, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text. 

With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever. Its 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in the RockYou2021 compilation that has been amassed by the person behind this collection over several years.

Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak. 

How to check if your password was leaked?

Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker or our leaked password checker.

Note: We take our readers’ privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, nothing is logged when you perform a leak check.

Source: RockYou2021

Tags: Password breach, Rockyou2021

Jun 04 2021

How to hack into 5500 accounts… just using “credential stuffing”

Category: Information Security,Password SecurityDISC @ 2:41 pm
How to hack into 5500 accounts… just using “credential stuffing”

We all ought to know by now that passwords that are easy to guess will get guessed.

We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.

We tried the 10 all-digit sequences 112123 and so on up to 1234567890, and eight of them were in the top 20.

Then we tried other obvious digit combos such as 000000111111 and 123123 (we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456 came out well ahead of 12345 and 1234).

The others were equally easy: qwertypasswordabc123password1iloveyou and qwertyuiop, the last being a useful reminder that length alone counts for very little.

Strong enough for everything?

What to do?

  • Don’t re-use passwords. And don’t try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
  • Consider a password manager. Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the password gets compromised. Remember that you don’t have to put all your passwords into the manager app if you don’t want to: it’s OK to have a special way of dealing with your most important accounts, especially if you don’t use them often.
  • Turn on 2FA if you can. Two-factor authentication doesn’t guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
  • Report payment anomalies. Obviously, you need to look for outgoing payments that shouldn’t have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didn’t expect, no matter how small the amount. The sooner you report any errors, even if you didn’t lose any money, the sooner you help both yourself and everyone else.

Jun 02 2021

“Have I Been Pwned” breach site partners with… the FBI!

Category: Password SecurityDISC @ 12:06 am
“Have I Been Pwned” breach site partners with… the FBI!

If your password gets stolen as part of a data breach, you’ll probably be told. But what if your password gets pwned some other way?

n case you’ve never heard of it, Have I Been Pwned, or HIBP as it is widely known, is an online service run out of Queensland in Australia by a data breach researcher called Troy Hunt.

The idea behind HIBP is straightforward: to give you a quick way of checking your own online accounts against data breaches that are already known to be public.

Of course, you’d hope that a company that suffered a data breach would let you know itself, so you wouldn’t need a third party website like HIBP to find out.

But there are numerous problems with relying on the combined goodwill and ability of a company that’s just suffered a breach, not least that the scale of the breach might not be obvious at first, if the company even realises at all.

And even if the company does do its best to identify the victims of the breach, it may not have up-to-date contact data for you; its warning emails might get lost in transit; or it might not be sure which users were affected.

May 07 2021

Your Passwords Are Useless!

Category: Password SecurityDISC @ 2:53 pm

FIDO: The YubiKey 5 NFC is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, Mac OS or Linux. Secure your login and protect your Gmail, Facebook, Dropbox, Outlook, LastPass, Dashlane, 1Password, accounts and more.

May 06 2021

15% of Brits use their pet’s name as a password

Category: Password SecurityDISC @ 9:49 am
15% of Brits use their pet’s name as a password

It’s world password day! Cast your mind back to last month when it was revealed 15% of people use their pets name as their password… Make sure yours is as strong as can be!

Tags: world password day

Mar 19 2021

The benefits and challenges of passwordless authentication

Category: Password SecurityDISC @ 1:38 pm
The benefits and challenges of passwordless authentication

Passwordless authentication swaps traditional passwords for a system that identifies users by more secure methods such as “possession factor” or “inherent factor.” By switching to a passwordless approach, companies provide their employees with the same effortless and secure authentication methods that users experience on their smartphones (e.g., FaceID or fingerprint scanner). Sometimes this is confused with 2-factor authentication, because the second factor of 2FA is typically passwordless, but passwordless access is different.

There are different ways to implement passwordless authentication:

  • Via a user’s email, which is considered to be a secure method to transmit a token that can be used by a person to confirm their identity
  • Through the user’s smartphone, which is protected with a passcode and biometry. There are authenticator applications that may generate one-time passwords or receive push notifications asking the user to confirm the login
  • Through a hardware token to be connected via USB, NFC, or BLE. Some hardware tokens can also generate one-time passwords and even have a keyboard to provide the ability to input data (e.g., an authentication challenge code).

Passwordless authentication is a relatively new method so it can be challenging to choose the type of implementation relevant to your needs. Below we compare the advantages and disadvantages of using email, a mobile authenticator, and hardware token.

implement passwordless

The benefits and challenges of passwordless authentication

Advantages and Disadvantages of Password Authentication

Tags: passwordless

Next Page »