Password Dictionaries

February 6, 2011

Password cracking tools like John the Ripper work by generating candidate passwords and then matching them against the system being tested. The candidates come from a “dictionary”: a list of words assumed to be likely passwords, which the tool uses as seeds to generate the permutations a user might have selected.

But what’s better than permutations a user might have selected? How about password lists from breaches, so that we can see what users ACTUALLY use?

According to the site, these passwords will crack roughly 5% of user accounts on a given system. If you’re using one of them, change it now.

123456
12345
123456789
password
iloveyou
princess
1234567
12345678
abc123
nicole
daniel
babygirl
monkey
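
The same dictionary-plus-permutation idea can be turned around to reject weak passwords when a user sets one. The following is an added example, not part of the original post: it seeds a deny-list with the thirteen passwords listed above, and the substitution table and function names are assumptions chosen for illustration.

```python
import re

# Seed dictionary: the thirteen passwords listed in the post above.
COMMON = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
}

# Assumption (not from the post): a few character substitutions users commonly apply.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def strip_affixes(word):
    """Drop digits and punctuation added to the front or back of a word."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", word)


def base_forms(candidate):
    """Return the forms a candidate reduces to once common decorations are undone."""
    lowered = candidate.lower()
    forms = {lowered, strip_affixes(lowered)}
    forms |= {f.translate(LEET) for f in forms}  # undo substitutions such as p@ssw0rd
    forms.discard("")  # an all-digit candidate strips to nothing
    return forms


def build_seeds(words):
    """Dictionary words plus their bare stems, e.g. abc123 also yields abc."""
    seeds = {w.lower() for w in words}
    seeds |= {strip_affixes(w) for w in seeds}
    seeds.discard("")
    return seeds


SEEDS = build_seeds(COMMON)


def is_guessable(candidate, seeds=SEEDS):
    """True if the candidate is a dictionary word or a simple permutation of one."""
    return bool(base_forms(candidate) & seeds)


if __name__ == "__main__":
    # Constructed sample candidates for illustration.
    for pw in ["Monkey2011!", "P@ssw0rd1", "n1c0le", "correct horse battery staple"]:
        print(f"{pw!r}: {'reject' if is_guessable(pw) else 'accept'}")
```

A thirteen-word list only illustrates the mechanism; a production check would load a full breached-password list in place of `COMMON`.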

Adobe Reader Patches

February 5, 2011

It looks like this will be a busy patch week – in addition to the usual Patch Tuesday fun from Microsoft, Adobe has announced a set of patches for their Reader product on all supported operating systems. As malicious PDF files are one of the most common exploit launching techniques these days, it would be prudent to begin planning your patching operations.


Hack Chrome, Win $20k

February 4, 2011

The annual Pwn2Own contest is next month in Vancouver, and there’s an additional prize this year. As always, the latest copies of Firefox, Safari, and IE will be available as targets – hackers who manage to exploit the browser in a significant way will win a cash prize and the laptop that the browser was running on at the time. For the first time, though, Google’s Chrome is available as a target, and they’ve staked an additional $20,000 as prize money for anyone able to break their product.

Let the games begin. It seems like every year, someone manages to trot out a zero-day exploit and win the contest on at least one platform; it will be interesting to see how Chrome fares against dedicated competition like this.


Tandberg Default Root Account

February 3, 2011

Cisco has announced that Tandberg E, EX, and C series Personal Video Endpoints running pre-TC4.0.0 software shipped with a default root account with no password.

Well, that’s not great.

Workaround and mitigation details at the link.


Android Data Leak

February 2, 2011

A new exploit has been discovered for a once-patched vulnerability in Android 2.3. A security hole in the default web browser allows a malicious web page to harvest the contents of the handset’s SD card, which could contain sensitive information.

Google is aware of the issue; their current workarounds are to disable JavaScript, use a different web browser, or remove the SD card.


Huawei Cipher Weakness

January 28, 2011

According to this post on Bugtraq earlier this week, the Huawei HG520 and HG530 home WAPs have a weak generation scheme for the default encryption key – it can be generated from the device’s MAC address. And since the MAC address is available to anyone on the network, that means that the encryption key can be generated by anyone who is passively eavesdropping on traffic.

Just another example of why you should never, ever, use the vendor’s default password for anything. Even if it’s “secure” and “unique”. There has to be some way to generate it reliably during manufacturing, and that algorithm is rarely secure enough to rely upon.