Tag Archives: passwords

[ISN] CarolinaCon-12 – March 2016 – FINAL ANNOUNCEMENT

Forwarded from: Vic Vandal

CarolinaCon-12 will be held on March 4th-6th, 2016 in Raleigh NC. For the cheap price of $40 YOU could get a full weekend of talks, hacks, contests, and parties. Regarding the price increase to $40, it was forced due to ever-rising venue costs. But we promise to provide more value via great talks, great side events, kickass new attendee badges, cool giveaways, etc.

We’ve selected as many presentations as we can fit into the lineup. Here they are, in no particular order:

– Mo Money Mo Problems: The Cashout – Benjamin Brown
– Breaking Android apps for fun and profit – Bill Sempf
– Gettin’ Vishy with it – Owen / Snide – @LinuxBlog
– Buffer Overflows for x86, x86_64 and ARM – John F. Davis (Math 400)
– Surprise! Everything can kill you. – fort
– Advanced Reconnaissance Framework – Solray
– Introducing PS>Attack, a portable PowerShell attack toolkit – Jared Haight
– Reverse Engineer iOS apps because reasons – twinlol
– FLOSS every day – automatically extracting obfuscated strings from malware – Moritz Raabe and William Ballenthin
– John the Ripper sits in the next cubicle: Cracking passwords in a Corporate environment – Steve Passino
– Dynamic Analysis with Windows Performance Toolkit – DeBuG (John deGruyter)
– Deploying a Shadow Threat Intel Capability: Understanding YOUR Adversaries without Expensive Security Tools – grecs
– AR Hacking: How to turn One Gun Into Five Guns – Deviant Ollam
– Reporting for Hackers – Jon Molesa @th3mojo
– Never Go Full Spectrum – Cyber Randy
– I Am The Liquor – Jim Lahey

CarolinaCon-12 Contests/Challenges/Events:

– Capture The Flag
– Crypto Challenge
– Lockpicking Village
– Hardware Hack-Shop
– Hacker Trivia
– Unofficial CC Shootout

LODGING: If you’re traveling and wish to stay at the Con hotel here is the direct link to the CarolinaCon discount group rate: www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CCC-20160303/index.jhtml

NOTE: The website defaults to March 3rd-6th instead of March 4th-6th and the group rate is no longer available on March 3rd. So make sure that you change the reservation dates to get the group rate.

ATTENTION: The discount group rate on Hilton hotel rooms expires THIS weekend on JANUARY 31st 2016, so act quickly if you plan on staying at the hotel for all of the weekend fun and you want the group rate.

CarolinaCon formal proceedings/talks will run:

– 7pm to 11pm on Friday
– 10am to 9pm on Saturday
– 10am to 4pm on Sunday

For presentation abstracts, speaker bios, the final schedule, side event information, and all the other exciting details (as they develop and as our webmaster gets to them) stay tuned to: www.carolinacon.org

ADVERTISERS / VENDORS / SPONSORS: There are no advertisers, vendors, or sponsors allowed at CarolinaCon... ever. Please don’t waste your time or ours in asking.

CarolinaCon has been Rated “M” for Mature.

Peace,
Vic





[ISN] This 11-year-old is selling cryptographically secure passwords for $2 each

arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryptographically-secure-passwords-for-2-each/
By Cyrus Farivar
Ars Technica
Oct 25, 2015

We now live in a world where a New York City sixth grader is making money selling strong passwords.

Earlier this month, Mira Modi, 11, began a small business at dicewarepasswords.com, where she generates six-word Diceware passphrases by hand.

Diceware is a well-known decades-old system for coming up with passwords. It involves rolling actual six-sided dice as a way to generate truly random numbers that are matched to a long list of English words. Those words are then combined into a nonsensical string (“ample banal bias delta gist latex”) that exhibits true randomness and is therefore difficult to crack. The trick, though, is that these passphrases prove relatively easy for humans to memorize.

“This whole concept of making your own passwords and being super secure and stuff, I don’t think my friends understand that, but I think it’s cool,” Modi told Ars by phone.

Modi is no ordinary sixth-grader, either. She’s the daughter of Julia Angwin, a veteran privacy-minded journalist at ProPublica and author of Dragnet Nation.

[…]
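The Diceware procedure the article describes (five dice rolls select one word from a list of 6^5 = 7776 entries; six such words make the passphrase) is shown below as an added example. It is not code from the article, from Ars Technica, or from dicewarepasswords.com. The word list here is a constructed stand-in built from the roll numbers themselves so the example runs offline; with a real Diceware list the lookup is identical. The `secrets` module stands in for physical dice, and the entropy figure illustrates why a six-word passphrase is hard to guess even though every word is an ordinary dictionary word.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 entries, one per five-dice roll 11111..66666.
LIST_SIZE = 6 ** 5


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '31415' (digits 1-6) to a list index 0..7775.

    The roll is read as a base-6 number whose digits are 1..6 instead of 0..5.
    """
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    idx = 0
    for d in roll:
        idx = idx * 6 + (int(d) - 1)
    return idx


def index_to_roll(idx: int) -> str:
    """Inverse of roll_to_index: list index 0..7775 back to its five-digit roll."""
    if not 0 <= idx < LIST_SIZE:
        raise ValueError(f"index out of range: {idx}")
    digits = []
    for _ in range(5):
        digits.append(str(idx % 6 + 1))
        idx //= 6
    return "".join(reversed(digits))


def roll_dice(count: int = 5) -> str:
    """Simulate `count` fair six-sided dice with a CSPRNG (secrets, not random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


# Constructed stand-in word list: entry i is labelled with its own roll so the
# lookup can be checked by eye. Substitute a real Diceware list in practice.
STANDIN_WORDS = [f"w{index_to_roll(i)}" for i in range(LIST_SIZE)]


def make_passphrase(wordlist, n_words: int = 6, roller=roll_dice):
    """Roll five dice per word, look each roll up in the list, join with spaces.

    `roller` is injectable so the procedure can be reproduced from recorded rolls.
    Returns (passphrase, rolls).
    """
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7776 entries")
    rolls = [roller() for _ in range(n_words)]
    words = [wordlist[roll_to_index(r)] for r in rolls]
    return " ".join(words), rolls


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Guessing entropy of an n-word passphrase: n * log2(list_size) bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    phrase, rolls = make_passphrase(STANDIN_WORDS)
    print("rolls     :", " ".join(rolls))
    print("passphrase:", phrase)
    print(f"entropy   : {entropy_bits(6):.1f} bits")
```

Each word contributes log2(7776), roughly 12.9 bits, so six words give about 77.5 bits, which is the figure usually quoted for a six-word Diceware passphrase. The strength depends entirely on the rolls being unpredictable; the point of physical dice (or a CSPRNG here) is that no deterministic generator seeded from the clock can stand in for them.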



[ISN] OPM to Fully Do Away with Passwords for Network Access

www.nextgov.com/cybersecurity/2015/10/opm-fully-do-away-passwords-network-access-2-years/122768/
By Aliya Sternstein
Nextgov.com
October 13, 2015

Following one of the most devastating government data breaches ever revealed, the Office of Personnel Management is on track to replace password logins with two-step identification for accessing agency networks in two years, according to new goals set by the Obama administration.

Suspected Chinese espionage artists allegedly used a contractor’s passcode to break into records on 21.5 million current and prospective national security employees, along with their relatives.

While mandated to control network access with digital smart cards since 2004, only 1 percent of OPM computer users needed something more than a password to sign on as of September 2014, according to the White House. Meanwhile, hackers gnawed at OPM’s networks from 2013 until the agency discovered the breach in April.

[…]



[ISN] Faked NatWest, Halifax bank sites score REAL security certs

www.theregister.co.uk/2015/10/13/faked_natwest_halifax_bank_sites_score_real_security_certs/
By Simon Sharwood
The Register
13 Oct 2015

UK Banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs).

Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare’s certification partner GlobalSign and GoDaddy – have handed out certs to sites like natwestnwolb.co.uk. That site’s a faked attempt at luring traffic away from UK bank NatWest’s real online banking operation at www.nwolb.com.

Another UK bank, Halifax, is flattered by the existence of fake site halifaxonline-uk.com. Someone’s trying to take a bit out of Apple at itunes-security.net, PayPal has to cope with emergencypaypal.net and phishers even think someone’s likely to have such fat fingers that they end up at btintranert.com.

While some of the sites above are chucklesome to a degree, Netcraft notes that “Consumers have been trained to ‘look for the padlock’ in their browser before submitting sensitive information to websites, such as passwords and credit card numbers.” The padlock will appear when sites have a valid certificate, so the errors made by certification authorities lend a little more authenticity to fake phishing sites, no matter how ridiculous their URLs. That authenticity will help those sites to fool punters into inadvertently handing over their internet banking credentials and other personal details, which won’t end well.

Netcraft’s Graham Edgecombe notes that CAs have a code of conduct that requires them to be especially careful when handing out certificates to high-risk sites like those that purport to have anything to do with online banking. Edgecombe stops short of accusing CAs of ignoring those checks, but points out that free trial certificates with short expiry times are phishers’ favourites.

[…]



[ISN] LogMeIn buying password manager LastPass

www.csoonline.com/article/2991479/application-security/logmein-buying-password-manager-lastpass.html
By Peter Sayer
IDG News Service
Oct 12, 2015

Identity and access management specialist LogMeIn has agreed to buy Marvasol, the company behind online password store LastPass.

The companies expect to close the deal, valuing Marvasol at between US$110 million and $125 million, in a matter of weeks.

LogMeIn is firmly in the enterprise market, while Marvasol has been steadily extending the LastPass secure password storage tool in that direction, with password sharing and group access functions.

LastPass stores an encrypted version of its customers’ passwords in the cloud, allowing them to unlock and access them with a single password from almost any Internet-connected device through either secure browser plugins or a web interface. The company offers apps for Android and iOS, as well as plugins for Internet Explorer, Chrome, Firefox and Safari. Using the service on a single device category is free; multiple categories requires a subscription.

[…]



[ISN] FBI issues alert for IoT device security

http://www.healthcareitnews.com/news/fbi-issues-alert-iot-device-security
By Erin McCann
Managing Editor
Healthcare IT News
September 16, 2015

When the Federal Bureau of Investigation issues an alert to healthcare organizations and others warning of the serious cyber risks the Internet of Things presents, it’s probably best to pay attention.

For healthcare security folks, this means paying closer attention to the myriad IoT devices within their organizations. And they’re not necessarily all the devices you might think of. They also include things such as HVAC remotes, Wi-Fi cameras, insulin dispensers, thermostats and any type of wearable and other medical devices.

These devices, FBI officials said, are notorious for having serious security deficiencies. This, combined with patching vulnerabilities, makes these IoT devices an attractive target for cybercriminals.

So what are the most pressing IoT risks, according to the FBI? The first is exploiting the Universal Plug and Play protocol to gain access to these devices. The next involves taking advantage of those default passwords to transmit malicious and spam emails or swipe personal and financial data. There’s also the risk of cybercriminals overloading these devices, effectively rendering them inoperable, which could have serious consequences in the realm of healthcare.

[…]



[ISN] 3l33t haxxors don’t need no botnet, they just pinch passwords

http://www.theregister.co.uk/2015/09/08/dell_secureworks_malwareless/
By Darren Pauli
The Register
8 Sep 2015

Half of all breaches Dell’s SecureWorks outfit has responded to over the last year have been a result of attackers using legitimate admin tools and stolen credentials.

Dell’s threat research unit says the “living off the land” hack tactic makes security controls that seek malware and hacking infrastructure redundant, especially when command and control infrastructure are not used or run only briefly.

Researchers cited three recent investigations where companies had been popped using administrator credentials.

In one case, attackers stole the network credentials of a manufacturing company staffer which were then used to log into the corporate Citrix platform and tap internal corporate resources. Those crims also used the unnamed client’s Altiris software distribution platform to pivot laterally through the company’s network and yank intellectual property.

[…]



[ISN] Ashley Madison password crack could spell trouble across the Internet

http://arstechnica.com/security/2015/09/ashley-madison-password-crack-could-spell-trouble-across-the-internet/
By Dan Goodin
Ars Technica
Sep 10, 2015

Now that a hobbyist team has uncovered programming errors that make more than 15 million of the Ashley Madison account passwords orders of magnitude faster to crack, it will be only a matter of time before a large percentage of them are available to hackers everywhere. And given how rampant password reuse is, the tsunami-sized torrent is sure to affect accounts all over the Internet.

As Ars chronicled in a 2012 feature headlined Why passwords have never been weaker—and crackers have never been stronger, it’s not unusual for Twitter, Amazon, and online services to monitor large leaks and require password changes for affected users. As we reported:

[…]

