You can install the industry’s strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock-down the server room, but how do you protect a company from the threat of social engineering attacks?
For any of you that are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today or it might already have happened.
In a recent disclosure posted by renowned hacker and developer DarkCoderSc (Jean-Pierre LESUEUR) explained that how one can easily Socially Engineer Microsoft Skype Support team to get access to any skype account.
From a social engineering perspective, employees are the weak link in the chain of security measures in place. He simply used the weakness of Skype password recovery system itself.
One simply need to request a new password to Skype support and asking to change the password. After the initial step one needs to proof the real ownership of the account requested. You must give 5 contacts accounts to the support desk.
“That’s easy because you just have to add 5 fake temporary accounts to the target account and its done. Another option is to simply ask the target what people he know on Skype. That option wasn’t that hard because I have over 1000 contacts.” he suggests the trick.
Within few seconds attacker can become owner of any victim account by proving very basic information to support team.
“Also Microsoft’s Support Team should make a serious effort to communicate better to their customers. At the moment they do not seem to care that much about their customers.“
In a blog post last Friday, Twitter’s Director of Information Security Bob Lord, said the company had discovered a major attack and shut it down almost immediately, but the attackers may have had access to user names, email addresses, session tokens and passwords for approximately 250,000 users.
Lord said that Twitter detected unusual access patterns that led to it identifying unauthorised access attempts to Twitter user data.
“We discovered one live attack and were able to shut it down in process moments later. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least ten (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites.
Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords. We also echo the advisory from the US Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers”.
The attack follows hacks into a number of major media outlets, including The Washington Post, The New York Times, and The Wall Street Journal. Unnamed sources quoted by the newspapers say they suspect Chinese hackers, possibly associated with the Chinese government, to be involved.
Twitter have not mention that how hackers were able to infiltrate Twitter’s systems, but Twitter’s blog post alluded that hackers had broken in through a zero-day vulnerability in Oracle’s Java software.
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Currently it supports the following modules:
- ftp_login : Brute-force FTP
- ssh_login : Brute-force SSH
- telnet_login : Brute-force Telnet
- smtp_login : Brute-force SMTP
- smtp_vrfy : Enumerate valid users using the SMTP VRFY command
- smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
- http_fuzz : Brute-force HTTP/HTTPS
- pop_passd : Brute-force poppassd (not POP3)
- ldap_login : Brute-force LDAP
- smb_login : Brute-force SMB
- mssql_login : Brute-force MSSQL
- oracle_login : Brute-force Oracle
- mysql_login : Brute-force MySQL
- pgsql_login : Brute-force PostgreSQL
- vnc_login : Brute-force VNC
- dns_forward : Forward lookup subdomains
- dns_reverse : Reverse lookup subnets
- snmp_login : Brute-force SNMPv1/2 and SNMPv3
- unzip_pass : Brute-force the password of encrypted ZIP files
- keystore_pass : Brute-force the password of Java keystore files
Project Home: http://code.google.com/p/patator/
A hacker who calls himself Hannibal has posted thousands of alleged login email addresses and passwords of Arab Facebook users.
Emails and passwords for the social network Facebook have been published on Pastebin. Hannibal claims he has more than 30 million credentials of Arab users that he will publish regularly.
The hacker backs Israel and said, “State of Israel, not to worry, you’re in the hands of the world’s best hacker that I am. I will continue to support the government of Israel will continue to attack the Arab countries.”
In addition to the Facebook details he claims that he has possession of 10 million bank accounts and four million credit card details, which he warns he will publish if Iran continues to threaten Israel.
The most recent post said, “Unfortunately today I received an email from Mohammad Reza Rahimi [an Iranian politician] who threatens that would raise most of his men to find me and kill me. I assure you Mr. Fool, you can keep looking as you want, you will not find me even if you have a staff of 1,000 people who search for and carry out search for information about me.”
A spokesman for Facebook said, “This does not represent a hack of Facebook or anyone’s Facebook profiles. We have spent time investigating the information and have determined less than a third of the credentials were valid and almost half weren’t associated with Facebook accounts.”
“Additionally, we have built robust internal systems that validate every single login to our site, regardless if the password is correct or not, to check for malicious activity. By analysing every single login to the site we have added a layer of security that protects our users from threats both known and unknown. Beyond our engineering teams that build tools to block malicious activity, we also have a dedicated enforcement team that seeks to identify those responsible for threats and works with our legal team to ensure appropriate consequences follow.”
BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.
It works way better than it ever should.
$ ruby bozocrack.rb my_md5_hashes.txt
The input file has no specified format. BozoCrack automatically picks up strings that look like MD5 hashes. A single line shouldn’t contain more than one hash.
Example with output:
$ ruby bozocrack.rb example.txt
Loaded 5 unique hashes
To show just how bad an idea it is to use plain MD5 as a password hashing mechanism. Honestly, if the passwords can be cracked with this software, there are no excuses.
BozoCrack was written by Juuso Salonen