Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

New Threat Actor 'Void Arachne' Targets Chinese Users with Malicious VPN Installers

The Hacker News - 19 June 2024 - 12:23
Chinese-speaking users are the target of a never-before-seen threat activity cluster codenamed Void Arachne that employs malicious Windows Installer (MSI) files for virtual private networks (VPNs) to deliver a command-and-control (C&C) framework called Winos 4.0. "The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as
Category: Hacking & Security

Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

The Hacker News - 19 June 2024 - 12:08
A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft. The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,
Category: Hacking & Security

Top 10 Windows productivity tips

Computerworld.com [Hacking News] - 19 June 2024 - 12:00

Each week, I ask Windows Intelligence readers to share their favorite Windows PC tips with me. There are some I see submitted over and over — the top productivity tips many of my most enthusiastic readers think everyone should know.

Now, I want to share them with you, bringing them into one place for an easily skimmable guide filled with tweaks and upgrades you can put straight to work.

There are more PC tips where these came from! Sign up for my free Windows Intelligence newsletter to get free Windows Field Guides and three new things to try every Friday.

Windows productivity tip #1: Clipboard history

Windows has a built-in clipboard history. Just press Windows+V to find it. If you haven’t activated it, you can turn it on in one click from there.

You can copy multiple things and access both text and images you’ve recently copied within it. Or, if you find yourself pasting the same things again and again, you can “pin” items to your clipboard history for easy future access.

The clipboard history tool can help you perform other advanced tasks, too: You can sync your clipboard between PCs with your Microsoft account, for example, or paste items as plain text.

To configure the clipboard history, head to Settings > System > Clipboard. It’s available on both Windows 10 and Windows 11.

The clipboard history is stored entirely on your PC — unless you choose to sync it in Settings.

Chris Hoffman, IDG

Windows productivity tip #2: The power user menu

The “power user menu” was added during the Windows 8 days, when Microsoft removed the Start menu. It’s still useful today, offering a quick way to access a variety of useful system options and administrative tools. Whether you want to shut down your PC, launch File Explorer, or open a Terminal window, you can do it from the power user menu.

To open it, right-click your Start button on the taskbar or press Windows+X on your keyboard. You can then select an item in the menu with one more click.

Windows productivity tip #3: Plain-text pasting

Copy-pasting text on a PC can be a pain. You often end up copying formatting — fonts, colors, links, and other junk — when you just want plain old text.

You can paste just the plain text in nearly any application — if you use the right shortcut. Just press Ctrl+Shift+V instead of Ctrl+V to paste. This works in most applications, including web browsers like Google Chrome. (It now even works in Microsoft Word by default, too.)

Windows productivity tip #4: A website as an app

If you frequently use web apps, you might want to install them as applications, giving them their own separate windows, shortcuts, and taskbar icons for convenient access.

To do this in Google Chrome, visit the website you want to turn into an “app” — like Gmail, for example. Then, click the menu button on Chrome’s toolbar and select Save and Share > Create shortcut. Name it whatever you like, check “Open as window,” and you’re done.

If the website offers a Progressive Web App (PWA), you will see an “Install” button in the menu. You can use that instead.

This works in Google Chrome, Microsoft Edge, and other Chromium-based browsers. (Firefox, unfortunately, doesn’t support the option.)

This is the closest thing you can get to a Windows desktop app for Gmail.

Chris Hoffman, IDG

Windows productivity tip #5: Ctrl key shortcuts

There’s a good chance you already know some basic text-editing keyboard shortcuts. For example, you can hold Shift and use the left and right arrow keys to select text. But the Ctrl key makes all those keyboard shortcuts work with entire words and not individual characters.

Here’s how the Ctrl key upgrades other keyboard shortcuts while working with text in nearly any application, from your web browser and email client to Microsoft Word:

  • Ctrl+Backspace: Backspace entire words to the left of the cursor at once — not just individual letters.
  • Ctrl+Delete: Delete entire words to the right of the cursor at once — not just individual letters.
  • Ctrl+Left arrow or Ctrl+Right arrow: Move the cursor to the previous word or the next word.
  • Ctrl+Shift+Left arrow or Ctrl+Shift+Right arrow: Select entire words at once.

Windows productivity tip #6: Window snapping

The Snap feature is an incredibly useful way to quickly arrange multiple windows on your screen. In addition to clicking a window title bar and dragging it to the left or right edge of your screen, you can also use shortcuts such as Windows+Left arrow and Windows+Right arrow to snap windows to one side of your screen or the other.

On Windows 11, you have access to Snap Layouts for even more options — press Windows+Z to open Snap Layouts. (Here’s my ultimate guide to the Windows Snap feature to learn all the tricks you need.)

Snap is an extremely useful tool for multitasking on Windows.

Chris Hoffman, IDG

Windows productivity tip #7: A Task Manager time-saver

The Windows Task Manager is a critical tool for all PC users. You might want to open it to see what applications are using resources, close an application that’s frozen, or just manage the startup applications that launch when you sign into your PC.

There’s no need to press Ctrl+Alt+Delete and click “Task Manager” to open it. Just press Ctrl+Shift+Esc, and the Task Manager will appear immediately. You can also right-click an empty spot on your taskbar and select “Task Manager” to launch it on either Windows 11 or Windows 10.

Windows productivity tip #8: Easy emoji insertions

Like it or not, emoji are part of modern communication. You can insert them anywhere on your PC — type them in emails, place them in Word documents, or even use them in file names.

To open the emoji picker on Windows, press Windows+. or Windows+; (that’s the Windows key along with a period or a semicolon).

You can then start typing to search for an emoji or browse through them. This works on Windows 10 and 11. You’ll also find other things you can insert in this pane — like special characters, for example.

With this shortcut, inserting emoji is just as easy on Windows as it is on your phone.

Chris Hoffman, IDG

Windows productivity tip #9: Pinned app shortcuts

The Windows key opens the Start menu, Windows+Tab launches Task View, and Windows+C opens Copilot. But you can activate the favorite apps you have pinned to your taskbar using the keyboard, too.

Just press Windows+1, Windows+2, or the Windows key along with any other number — 1 through 0. For example, if you press Windows+1, Windows will activate the first application shortcut from the left on your PC’s taskbar.

(Since 0 appears to the right of 9 on the number row on your keyboard, the 0 key will activate the 10th shortcut from the left.)

Windows productivity tip #10: Instant key transformation

Want to put your keyboard to better use? You can turn a key into any other key. For example, many people transform their Caps Lock key into something else. Here’s one idea: If your keyboard doesn’t have a convenient Play/Pause key, you could “remap” the Caps Lock key into a Play/Pause key.

There are a variety of ways to remap a key; my favorite is the Keyboard Manager included with Microsoft’s free PowerToys package.

To use it, install Microsoft PowerToys on your PC. Launch PowerToys from your Start menu or system tray, select “Keyboard Manager,” and use the “Remap a key” tool here to make a key function as another key. Microsoft has even more in-depth documentation on using the Keyboard Manager tool.

With a few clicks, you can transform a key on your keyboard into another key.

Chris Hoffman, IDG

Microsoft’s PowerToys package is packed with useful tools, too — Keyboard Manager is just scratching the surface of what you can do with it. For example, it has a convenient Always on Top tool for making any window “always on top” of all other windows. That can be a big productivity boost in the right situation.

Want more PC tips like these? Sign up for my Windows Intelligence newsletter today — you’ll get three things to try in your inbox each Friday. Plus, get free copies of Paul Thurrott’s Windows 11 and Windows 10 Field Guides as a special welcome bonus.

Category: Hacking & Security

An important choice hidden in inconspicuous paragraphs. The EU is deciding how much privacy we sacrifice to the fight against crime

Zive.cz - security - 19 June 2024 - 10:45
The European Parliament elections that have just taken place are often pejoratively called "second-class elections", but in reality MEPs and the representatives of the governments of the individual member states decide on legislation that affects our lives more than most of our own Czech laws do. Or into them in ...
Category: Hacking & Security

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

The Hacker News - 19 June 2024 - 09:36
Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances. Both shortcomings impact all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024. The flaws
Category: Hacking & Security

AR/VR headset sales decline is temporary: IDC

Computerworld.com [Hacking News] - 18 June 2024 - 23:18

Shipments of augmented reality and virtual reality (AR/VR) headsets dropped 67.4% year over year in the first quarter of 2024 as a result of an evolution in the market, new data from International Data Corp. (IDC) reveals.

“The decline in shipments was expected as the market transitions to include new categories such as Mixed Reality (MR) and Extended Reality (ER),” IDC noted Tuesday. “Despite the decline, the average selling price (ASP) rose to over $1,000 as Apple entered the market and incumbents such as Meta focused on premium headsets such as the Quest 3.”

The future of such products in the enterprise is in flux, with Microsoft pulling back and laying off workers from its HoloLens division last year, while Apple is clearly targeting the enterprise market with its Apple Vision Pro.

However, IDC’s projections for shipments and selling prices may be thrown off by news that broke later the same day: Apple is reportedly abandoning plans to build a Vision Pro 2, concentrating instead on developing a lower-specced, lower-cost model for release in late 2025.

The research firm said that it recently revised its taxonomy of headsets to incorporate two new categories: “Mixed Reality which occludes the user’s vision but provides a view of the real world with outward facing cameras, and Extended Reality, which employs a see-through display but mirrors content from another device or offers a simplistic heads-up display.”

Headset market in flux

Meta again led the market in the first quarter in terms of share, while Apple’s recent entry into the market enabled it to capture the second position. ByteDance, Xreal, and HTC rounded out the top five, IDC said.

When online pre-sales of Apple’s Vision Pro AR/VR headsets began on Jan. 19 they sold out quickly, but as Computerworld noted soon after, stable delivery dates could indicate limited demand for the $3,500 device.

Fast forward to April, and Apple said that it had cut Vision Pro production due to low demand, according to Ming-Chi Kuo, an Apple analyst at TF International Securities.

Jitesh Ubrani, research manager for worldwide mobile device trackers at IDC, said that with mixed reality on the rise, “expect strictly virtual reality headsets to fade in the coming years as brands and developers devise new hardware and experiences to help users eventually transition to augmented reality further down the line. Meanwhile, extended reality displays are set to garner consumer attention as they offer a big screen experience today while incorporating AI and heads-up displays in the near future.”

Meanwhile, Ramon T. Llamas, research director with IDC’s augmented and virtual reality team, said that although ASPs for the overall market crested above the $1,000 mark, this is not representative of all products.

“ASPs for augmented reality (AR) headsets have almost always been above this price point, but ASPs for VR, MR, and ER headsets have typically been lower,” he said. “Apple’s Vision Pro drove ASPs higher for MR headsets, but the addition of lower-cost devices from Meta and HTC have kept those ASPs from going much higher. Meanwhile, there were many devices for VR and ER priced below $500.”

Return to growth

Looking ahead, Llamas said that IDC is anticipating ASP erosion across all products: “Because the overall market is still in its early stages with more expensive first- and second-generation devices, prices will be high even as early adopters buy them. In order to reach scale in the mass market, vendors will need to reduce prices on later and upcoming devices.”

IDC is forecasting that “headset shipments will return to growth later this year with volume growing 7.5% over 2023. Newer headsets and lower price points will help with the turnaround expected later this year. Beyond that, headset shipment volume is expected to see a compound annual growth rate (CAGR) of 43.9% from 2024–2028.”

Updated on June 19, 2024, to add report that Apple is abandoning development of the Vision Pro 2.

Category: Hacking & Security

Embracing Anonymity and Privacy: Tails 6.4 Release Insights

LinuxSecurity.com - 18 June 2024 - 22:59
As digital privacy and security evolve, anonymity cannot be overemphasized. Tails is a live operating system designed with privacy and anonymity as its focus. It boots on almost any computer from a USB stick or DVD and provides state-of-the-art cryptographic tools for protecting files, emails and instant messaging conversations, without leaving a trace on the machine it runs on.

Tails (an acronym for The Amnesic Incognito Live System) leverages the Tor network to protect online privacy and evade censorship. Each Tails session acts as a clean slate: when the system shuts down, no data carries over to the next session unless it was saved in the encrypted Persistent Storage.

New Features in Tails 6.4

Tails 6.4 brings several notable updates that will appeal to Linux administrators and privacy-minded users alike.

Cryptographic Strength Reinforced with a Random Seed

One of the key enhancements in Tails 6.4 is the inclusion of a random seed on the USB flash drive. This seed strengthens the cryptography used across the system, such as Tor, HTTPS connections and the Persistent Storage feature. Because the seed is kept outside Persistent Storage, all users benefit from the stronger cryptographic protections regardless of how their system is configured.

Tails 6.4 Switches to HTTPS over Onion Services for APT Repositories

Departing from past versions, Tails 6.4 has moved away from onion services for the Debian and Tails APT repositories in favor of HTTPS addresses, to improve the reliability of the Additional Software feature and streamline software management for users.

Software Updates and Bug Fixes

One compelling reason to adopt Tails 6.4 is its current software stack and the list of fixed problems. Tails 6.4 ships an updated Tor Browser (13.0.16) and Tor client (0.4.8.12), giving users the latest developments in secure browsing; email has also been improved with an upgraded Thunderbird (115.12.0).

Numerous bugs have been addressed. Fixes include problems unlocking Persistent Storage, connecting to mobile broadband networks on particular hardware, and re-enabling Thunderbird's PDF reader, which had previously been disabled for security reasons. User experience refinements such as more informative error messages in Tails Cloner and smoother interaction with the Unlock VeraCrypt Volumes utility show the developers' attentiveness to user feedback.

Upgrading and New Installations

For existing users, upgrading to Tails 6.4 should be straightforward: automatic upgrades are available from version 6.0 onward. Newcomers, or those who prefer a manual upgrade, can follow the detailed installation instructions provided by the Tails project for the various platforms.

Why Linux Administrators Should Take Note

Linux administrators who prioritize security and seek to safeguard their systems against surveillance and censorship will find Tails 6.4 indispensable. With its enhanced cryptographic measures, its commitment to keeping core components like the Tor Browser and client up to date, and its quick bug resolution, Tails provides an environment designed specifically for security.

Administrators will appreciate Tor's operational transparency: all network traffic is automatically routed through it, eliminating risks related to network surveillance. Furthermore, the Persistent Storage feature keeps essential files, configurations and software across sessions without compromising the security posture.

Alternatives to Tails for Privacy and Security

Tails stands out for its anonymity and security features, but it is not alone in this respect. Linux distributions such as Whonix and Qubes OS provide similar functionality. Whonix isolates the user's internet connection within a separate virtual machine that routes all traffic via Tor. Qubes takes an alternative approach, compartmentalizing the various parts of the OS into isolated VMs to prevent malware from crossing boundaries. Open Source choices ftw!

Learn More about Tails and Privacy

Tails 6.4 is evidence of the project's ongoing dedication to privacy, security and user experience. With every update, Tails equips the global community with tools designed to increase online anonymity while guarding against surveillance. Linux administrators who place great value on security will find this release compelling enough to upgrade existing systems or bring this OS into their operations in an increasingly monitored digital world.
Category: Hacking & Security

Apple’s cautious AI strategy is absolutely right

Computerworld.com [Hacking News] - 18 June 2024 - 20:45

(Editor’s note: This column originally appeared on Computerworld Sweden on June 14, 2024.)

Just as everyone expected, and almost demanded, Apple finally started talking about artificial intelligence — in its own way, of course. The big keynote at WWDC on Monday might not have been the AI event many had thought was coming. For example, the deal with OpenAI, under which ChatGPT will be used as an extension of Apple devices’ own AI capabilities, was dealt with in a matter of minutes.

Apple appears to be approaching AI with caution. Cautious, you might call it, but I actually think this strategy is the right one, and it aligns with what I called for earlier: AI that integrates seamlessly and easily into solutions we already know and use.

Apple Intelligence (of course Apple’s AI has been trademarked) is not a special app, or a special assistant or a “Copilot.” These are small, clever features, built on small, specialized models, sprinkled throughout the software. In Siri, in the photo app, as a writing aid, and so on, all in a seemingly non-intrusive way — an extra function, or help, that is there, if you want it.

The latter is important because it bothers me enormously when AI is shoved down my throat. Just because an AI feature exists doesn’t mean I want to use it. No one but I knows which tasks I’m better at than AI, and that obviously varies from person to person.

For example, I am very good at writing and processing text. I definitely don’t want any AI getting in there (I even turn off the spell check in Word). On the other hand, sitting with transcriptions and translations is boring as hell, so I’m happy to take help there.

I’m a decent hobby photographer and don’t need an AI to make my photos “better” unsolicited. However, it can be fun or effective to take AI help to remove some ugly detail, play with the depth of field, or expose subjects.

I’m also a frequent user of chat, both privately and at work, but I think it feels a bit dirty to click on the suggested answers in Microsoft Teams chat (“Great”, “That sounds good.”) because it feels quite disrespectful to the person I’m communicating with.

Above all, I am seriously uninterested in Google’s new “AI Overviews,” which have now been rolled out, starting in the US. The AI function in Google’s search engine takes the liberty of using AI to try to guess what you are looking for — and answer it.

I’m extremely good at Googling; it’s a skill I’ve developed over many years. And when I do research with the help of Google, it’s not one answer I’m looking for, but a balanced assessment that I make based on the information I google, thank you very much. Even if Google’s AI in the future gives “correct” answers instead of suggesting to glue the cheese on pizza, that’s just not what I want to use a search engine for.

So that’s why I think Apple is right here. It is through these kinds of simple, friendly and optional functions that do not require advanced “prompt engineering” that the masses will be introduced to and actually use AI tools. Because even though it might sound like it sometimes, most people don’t use Chat GPT at all.

Now Apple has the luxury, if you call it that, of not having to position itself as an “AI company” as a number of other tech giants want to do, although there has been pressure from investors to start delivering in this area. Apple sells mobile phones (and other hardware, but mainly phones). Therefore, it can be worthwhile to focus more on data protection and privacy, and on introducing features at a pace and in a way that makes mobile phone buyers see value in their presence.

Moreover, Apple isn’t charging extra for it, as most others do. Of course, Apple Intelligence is so far only available on the iPhone 15 Pro and Pro Max (and Mac computers with M-chip). And, presumably, that sprinkling of AI isn’t so sparkling yet as to warrant an immediate upgrade for most people.

But even if this particular iteration of Apple Intelligence will not become everyone’s everyday AI — any more than the first iPhone became everyone’s smartphone — I believe this is the way development will go. AI is fundamentally a commodity, a general-purpose technology.

It’s a feature, not a product.

This column is taken from CS Veckobrev, a personal newsletter with reading tips, link tips and analysis sent directly from Computerworld Sweden‘s editor-in-chief, Marcus Jerräng. Do you also want the newsletter on Fridays? Sign up for a free subscription here.

Category: Hacking & Security

Analysis of user password strength

Kaspersky Securelist - 18 June 2024 - 13:30

The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of same-case English letters and digits, or 36 combinable characters, within just 17 seconds.

Our study of resistance to brute-force attacks found that a large percentage of passwords (59%) can be cracked in under one hour.

How passwords are typically stored

To be able to authenticate users, websites need a way to store login-password pairs and use these to verify data entered by the user. In most cases, passwords are stored as hashes, rather than plaintext, so that attackers cannot use them in the event of a leak. To prevent the password from being guessed with the help of rainbow tables, a salt is added before hashing.

Although hashes are inherently irreversible, an attacker with access to a leaked database can try to guess the passwords. They would have an unlimited number of attempts, as the database itself has no protection against brute-forcing whatsoever. Ready-made password-guessing tools, such as hashcat, can be found online.

Methodology

Our study looked at 193 million passwords found freely accessible on various dark web sites. Kaspersky does not collect or store user passwords. More details are available here and here.

We estimated the time it takes to guess a password from a hash using brute force and various advanced algorithms, such as dictionary attacks and/or enumeration of common character combinations. By dictionary we mean here a list of character combinations frequently used in passwords; these include, but are not limited to, real English words.

Brute force attacks

The brute-force method is still one of the simplest and most straightforward: the computer tries every possible password option until one works. This is not a one-size-fits-all approach: enumeration ignores dictionary passwords, and it is noticeably worse at guessing longer passwords than shorter ones.

We analyzed the brute-forcing speed as applied to the database under review. For clarity, we have divided the passwords in the sample into patterns according to the types of characters they contain.

  • a: the password contains only lowercase or only uppercase letters.
  • aA: the password contains both lowercase and uppercase letters.
  • 0: the password contains digits.
  • !: the password contains special characters.

The time it takes to crack a password using the brute-force method depends on the length and the number of character types. The results in the table are calculated for the RTX 4090 GPU and the MD5 hashing algorithm with a salt. The speed of enumeration in this configuration is 164 billion hashes per second. The percentages in the table are rounded.

Columns 3 to 8 give the share of brute-forceable passwords of each pattern by crack time, %; the last three columns give the maximum password length in characters by crack time.

Pattern | Share of passwords of this type in the dataset, % | < 60 s | 60 s to 60 min | 60 min to 24 h | 24 h to 30 d | 30 d to 365 d | > 365 d | Max. length, 24 h to 30 d | Max. length, 30 d to 365 d | Max. length, > 365 d
aA0! | 28 | 0.2 | 0.4 | 5 | 0 | 9 | 85 | — | 9 | 10
a0 | 26 | 28 | 13 | 15 | 11 | 10 | 24 | 11 | 12 | 13
aA0 | 24 | 3 | 16 | 11 | 0 | 15 | 55 | — | 10 | 11
a0! | 7 | 2 | 9 | 0 | 14 | 15 | 59 | 9 | 10 | 11
0 | 6 | 94 | 4 | 2 | 0 | 0 | 0 | — | — | —
a | 6 | 45 | 13 | 10 | 9 | 6 | 17 | 12 | 13 | 14
aA | 2 | 15 | 22 | 11 | 14 | 0 | 38 | 10 | — | 11
a! | 1 | 6 | 9 | 11 | 0 | 11 | 62 | — | 10 | 11
aA! | 0.7 | 3 | 2 | 12 | 10 | 0 | 73 | 9 | — | 10
0! | 0.5 | 10 | 27 | 0 | 18 | 13 | 32 | 10 | 11 | 12
! | 0.006 | 50 | 9 | 10 | 5 | 6 | 19 | 11 | 12 | 13

The most popular type of password (28%) includes lowercase and uppercase letters, special characters and digits. Most of these passwords in the sample under review are difficult to brute-force. About 5% can be guessed within a day, but 85% of passwords of this type take more than a year to work out. The crack time depends on the length: a password of nine characters can be guessed within a year, while one of 10 characters takes more than a year.

The passwords least resistant to brute-force attacks are those consisting of only letters, only digits or only special characters. These made up 14% of the sample. Most of them can be cracked in less than a day. Strong letter-only passwords start at 11 characters. There were no strong digit-only passwords in the sample.
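
As an added worked example (not code from the Kaspersky article), the Python below reproduces the "maximum password length by crack time" columns of the table above from nothing more than the alphabet size behind each pattern and the stated 164 billion salted-MD5 hashes per second, and derives a password's pattern label from the character classes the article defines. It assumes a 33-symbol special-character set (ASCII punctuation plus space), which the article does not specify, and it reports theoretical keyspace lengths only: for digits-only passwords it returns lengths where the table shows a dash, because the sample simply contained none that long.

```python
# Added example (not from the Kaspersky article): brute-force crack-time
# buckets and maximum crackable length per password pattern.

HASHES_PER_SECOND = 164e9  # RTX 4090, MD5 with salt (figure given in the article)

# Alphabet contributed by each pattern letter. The 33-symbol special set
# (ASCII punctuation plus space) is an assumption; the article does not say
# which characters it counts as special.
CLASS_SIZES = {"a": 26, "A": 26, "0": 10, "!": 33}

# The article's six crack-time buckets as (label, exclusive upper bound in seconds).
DAY = 86400
BUCKETS = [
    ("< 60 s", 60),
    ("60 s to 60 min", 3600),
    ("60 min to 24 h", DAY),
    ("24 h to 30 d", 30 * DAY),
    ("30 d to 365 d", 365 * DAY),
    ("> 365 d", float("inf")),
]
OVER_A_YEAR = BUCKETS[-1][0]


def alphabet_size(pattern: str) -> int:
    """Characters the brute-forcer must enumerate for a pattern such as
    "a0" (single-case letters plus digits, 36) or "aA0!" (everything, 95)."""
    return sum(CLASS_SIZES[c] for c in pattern)


def crack_seconds(pattern: str, length: int) -> float:
    """Worst-case time to try every candidate of this pattern and length
    (the full keyspace, which is what the table's length columns reflect)."""
    return alphabet_size(pattern) ** length / HASHES_PER_SECOND


def bucket(seconds: float) -> str:
    """Map a crack time onto the article's time buckets."""
    for label, upper in BUCKETS:
        if seconds < upper:
            return label
    return OVER_A_YEAR


def length_by_bucket(pattern: str, max_len: int = 64) -> dict:
    """For each bounded bucket, the longest length whose brute-force time still
    falls inside it, or None when no length lands there (the table's dash:
    aA0! skips "24 h to 30 d" because 95**8 takes 11 h and 95**9 already 44 d).
    For "> 365 d" it is the shortest length that takes over a year, which is
    what the table's last column holds (13 for a0: 36**12 takes 334 days)."""
    result = {label: None for label, _ in BUCKETS}
    for n in range(1, max_len + 1):
        label = bucket(crack_seconds(pattern, n))
        result[label] = n
        if label == OVER_A_YEAR:
            break
    return result


def table_row(pattern: str) -> tuple:
    """The three length columns of the article's table for one pattern."""
    lens = length_by_bucket(pattern)
    return (lens["24 h to 30 d"], lens["30 d to 365 d"], lens[OVER_A_YEAR])


def classify(password: str) -> str:
    """Derive the article's pattern label from the character types present:
    'a' single-case letters, 'aA' both cases, '0' digits, '!' other symbols."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    other = any(not c.isalnum() for c in password)
    label = ("aA" if lower and upper else "a") if (lower or upper) else ""
    return label + ("0" if digit else "") + ("!" if other else "")


if __name__ == "__main__":
    for pat in ("aA0!", "a0", "aA0", "a", "aA", "0"):
        print(f"{pat:5} alphabet={alphabet_size(pat):3}  lengths={table_row(pat)}")
    # Constructed sample passwords, not taken from the dataset.
    for pw in ("Passw0rd!", "hunter2", "12345"):
        print(pw, "->", classify(pw), bucket(crack_seconds(classify(pw), len(pw))))
```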

Smart brute-force attacks

As mentioned above, brute force is a suboptimal password-guessing algorithm. Passwords often consist of certain character combinations: words, names, dates, sequences (“12345” or “qwerty”). If you make your brute-force algorithm consider this, you can speed up the process:

  • bruteforce_corr is an optimized version of the brute-force method. Using a large sample, you measure how often each password pattern occurs, then allocate to each pattern a share of computational time equal to its real-life frequency. Thus, if there are three patterns, the first used in 50% of cases and the second and third in 25% each, then out of every minute the computer spends 30 seconds enumerating pattern one and 15 seconds each on patterns two and three.
  • zxcvbn is an advanced algorithm for gauging password strength. It identifies the pattern the password follows, such as “word, three digits” or “special character, dictionary word, digit sequence”, then calculates the number of guesses needed to enumerate each element of the pattern: a dictionary word costs as many guesses as the dictionary has entries, while a random part has to be brute-forced. Multiplying the cost of the components gives the total complexity of cracking the password. The limitation is that enumeration only works if the pattern is known or assumed in advance. However, the popularity of patterns can be measured on leaked samples, and then, as with bruteforce_corr, each pattern is given a share of computational time proportional to its frequency. We designate this variant “zxcvbn_corr”.
  • unogram is the simplest language-model algorithm. Rather than requiring a password pattern, it relies on the frequency of each character, measured on a sample of passwords, and enumerates the most popular characters first. To estimate the crack time, it is enough to multiply the probabilities of the characters that make up the password.
  • 3gram_seq, ngram_seq are algorithms that estimate the probability of the next character from the n-1 preceding ones. The algorithm starts by enumerating one character and then sequentially adds the next, trying the longest and most frequent n-grams first. In the study, we used n-grams of 1 to 10 characters that occur more than 50 times in the password database. 3gram_seq is limited to n-grams of up to three characters.
  • 3gram_opt_corr, ngram_opt_corr are optimized versions of the n-gram algorithms. The previous algorithm generated the password from the beginning, one character at a time. In some cases enumeration is faster if it starts from the end, from the middle, or from several positions at once. The *_opt_* algorithms try these variants for a specific password and select the best one. However, this requires a password pattern that tells us where to start generating from. Averaged over the different patterns, these algorithms are generally slower, but they can give a significant advantage on specific passwords.

Also, for each password, we calculated a best value: the best crack time among all the algorithms used. This is a hypothetical ideal case. To implement it, you will need to “guess” an appropriate algorithm or simultaneously run each of the aforementioned algorithms on a GPU of its own.
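As an added worked example (not code from the original article), the crack-time estimates the algorithms above rely on, in Python: the keyspace a plain brute-forcer must cover, the bruteforce_corr time split, a zxcvbn-style product over pattern components, and the unogram estimate, all mapped onto the time brackets used in the results. The hash rate RATE, the sample passwords and the pattern keyspaces are constructed assumptions, and the 1/P(password) rank estimate for unogram is the approximation the text describes, not the study's own code; the n-gram variants extend the same idea with context-dependent character probabilities and are not reproduced here.

```python
"""Crack-time estimation for the guessing strategies described above.

Added example, not code from the original article. RATE, the pattern
statistics and the password sample are constructed for illustration; real
figures have to be benchmarked (e.g. with hashcat) and measured on a leak.
"""
import string
from collections import Counter

RATE = 1e11  # assumed guesses per second; a constructed figure, not a benchmark

CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase,
           "0": string.digits, "!": string.punctuation}


def charset_size(password: str) -> int:
    """Alphabet a plain brute-forcer must cover: the union of the classes the password uses."""
    used = {name for name, cls in CLASSES.items() if any(c in cls for c in password)}
    if not used:
        raise ValueError("password uses characters outside the supported classes")
    return sum(len(CLASSES[name]) for name in used)


def bruteforce_guesses(password: str) -> int:
    """Worst case for plain brute force: every string up to this length over the charset."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def bruteforce_corr_seconds(keyspace: dict[str, int], freq: dict[str, float]) -> dict[str, float]:
    """bruteforce_corr: pattern p gets the share freq[p] of the GPU, so exhausting its
    keyspace takes keyspace[p] / (RATE * freq[p]) seconds (the 30 s / 15 s / 15 s split)."""
    return {p: keyspace[p] / (RATE * freq[p]) for p in keyspace}


def pattern_guesses(components: list[tuple]) -> int:
    """zxcvbn-style estimate: the password is a sequence of components, each with its own
    cost; ("dict", size) costs the dictionary size, ("random", n, k) costs n**k for a
    k-character random segment over an n-character alphabet. Total cost is the product."""
    total = 1
    for comp in components:
        if comp[0] == "dict":
            total *= comp[1]
        elif comp[0] == "random":
            total *= comp[1] ** comp[2]
        else:
            raise ValueError(f"unknown component {comp[0]!r}")
    return total


def unogram_model(sample: list[str]) -> dict[str, float]:
    """unogram: character frequencies measured on a password sample."""
    counts = Counter(ch for pw in sample for ch in pw)
    total = sum(counts.values())
    return {ch: n / total for ch, n in counts.items()}


def unogram_guesses(password: str, model: dict[str, float], unseen: float = 1e-6) -> float:
    """Most-probable-first enumeration reaches a password after roughly 1 / P(password)
    guesses, P being the product of its characters' frequencies. Characters never seen
    in the sample get a small floor probability, which is why rare characters make a
    unogram attack slower than plain brute force."""
    p = 1.0
    for ch in password:
        p *= model.get(ch, unseen)
    return 1.0 / p


def seconds(guesses: float) -> float:
    return guesses / RATE


def bracket(secs: float) -> str:
    """The time brackets used in the results table."""
    if secs < 60:
        return "< 60 s"
    if secs < 3600:
        return "60 s to 60 min"
    if secs < 86400:
        return "60 min to 24 h"
    if secs < 30 * 86400:
        return "24 h to 30 d"
    if secs < 365 * 86400:
        return "30 d to 365 d"
    return "> 365 d"


if __name__ == "__main__":
    # Constructed sample: a few leak-style passwords, heavy on lowercase letters and digits.
    sample = ["kevin2010", "password1", "qwerty12345", "love4ever", "daniel99", "ahmed123"]
    model = unogram_model(sample)
    for pw in ["kevin2010", "Kz9#vQ2!"]:
        print(f"{pw:10} brute force: {bracket(seconds(bruteforce_guesses(pw))):15} "
              f"unogram: {bracket(seconds(unogram_guesses(pw, model)))}")
    # The 50 % / 25 % / 25 % split from the text, with constructed keyspaces.
    print(bruteforce_corr_seconds({"p1": 3_000_000_000_000, "p2": 2_000_000_000_000,
                                   "p3": 2_000_000_000_000},
                                  {"p1": 0.5, "p2": 0.25, "p3": 0.25}))
```

Running the demo shows the two faces of a frequency-ordered attack: a password built from characters common in the sample is reached long before brute force would reach it, while one built from characters the sample never contained is pushed to the end of the queue.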

Below are the results of gauging password strength by running the algorithms on an RTX 4090 GPU for MD5 with a salt.

Crack time       Share of passwords cracked within the given time (%), by algorithm
                 ngram_seq  3gram_seq  unogram  ngram_opt_corr  3gram_opt_corr  zxcvbn_corr  bruteforce_corr  Best
< 60 s              41         29         12          23              10             27              10         45
60 s to 60 min      14         16         12          15              12             15              10         14
60 min to 24 h       9         11         12          11              12              9               6          8
24 h to 30 d         7          9         11          10              11              9               9          6
30 d to 365 d        4          5          7           6               8              6              10          4
> 365 d             25         30         47          35              47             35              54         23

The bottom line is, when using the most efficient algorithm, 45% of passwords in the sample under review can be guessed within one minute, 59% within one hour, and 73% within a month. Only 23% of passwords take more than one year to crack.

Importantly, guessing all the passwords in a database takes almost as much time as guessing a single one. Each candidate is hashed once, and the resulting hash is looked up among all the stored hashes; if it is found, that password is marked as cracked and removed from the set of targets, and enumeration simply continues for the rest. This holds when the hashes are unsalted or share one salt: with a unique salt per user, every candidate has to be hashed separately for each salt, and the attacker pays the per-password cost again.
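The multi-target check described here, as an added example that is not the article's own code: each candidate is hashed once per distinct salt, and the digest is looked up in a dictionary of all still-uncracked target hashes under that salt. The user records, salts and candidate list are constructed; MD5 is used only because the benchmark above was run against salted MD5, not because it is an acceptable password hash. Running the same attack against an unsalted and a per-user-salted copy of the data shows how many hash computations the "whole database for the price of one" effect really saves.

```python
"""Checking every candidate against the whole leaked database at once.

Added example, not code from the original article. USERS, the salts and
CANDIDATES are constructed; MD5 mirrors the benchmark above and is not a
recommendation.
"""
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_db(users: dict[str, str], per_user_salt: bool) -> dict[str, tuple[bytes, str]]:
    """Constructed 'leak': username -> (salt, md5(salt + password)). With
    per_user_salt=False every record shares the empty salt, i.e. the hashes are
    effectively unsalted."""
    db = {}
    for i, (user, pw) in enumerate(users.items()):
        salt = f"salt{i}".encode() if per_user_salt else b""
        db[user] = (salt, md5_hex(salt + pw.encode()))
    return db


def crack(db: dict[str, tuple[bytes, str]], candidates: list[str]) -> tuple[dict[str, str], int]:
    """Hash each candidate once per distinct salt and look the digest up among all
    uncracked targets sharing that salt. Returns (user -> password, hashes computed)."""
    # salt -> {digest: [users]}; a digest is removed as soon as it is cracked
    targets: dict[bytes, dict[str, list[str]]] = {}
    for user, (salt, digest) in db.items():
        targets.setdefault(salt, {}).setdefault(digest, []).append(user)
    cracked: dict[str, str] = {}
    hashes = 0
    for cand in candidates:
        for salt, by_digest in targets.items():
            if not by_digest:  # everything under this salt is already cracked
                continue
            hashes += 1
            users = by_digest.pop(md5_hex(salt + cand.encode()), None)
            if users:
                for user in users:
                    cracked[user] = cand
    return cracked, hashes


# Constructed data: three accounts and a short candidate list.
USERS = {"alice": "password", "bob": "qwerty12345", "carol": "Tr0ub4dor&3"}
CANDIDATES = ["123456", "password", "qwerty12345", "letmein"]


def demo(per_user_salt: bool) -> tuple[dict[str, str], int]:
    return crack(build_db(USERS, per_user_salt), CANDIDATES)


if __name__ == "__main__":
    for salted in (False, True):
        found, n = demo(salted)
        print(f"per-user salt={salted}: {n} hashes computed, cracked {found}")
```

With a shared salt the four candidates cost four hash computations for the whole database; with a unique salt per user the same four candidates cost nine, and the gap grows linearly with the number of accounts.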

The use of dictionary words reduces password strength

To find which password patterns are most resistant to hacking, we calculated the best value for an expanded set of criteria. For this purpose, we created a dictionary of frequently used combinations of four or more characters, and added these to the password pattern list.

  • dict: the password contains one or more dictionary words.
  • dict_only: the password contains only dictionary words.
Notation: a = lowercase letters, A = uppercase letters, 0 = digits, ! = special characters (so aA0! is a password using all four character types); the dict_ prefix and dict_only mark the dictionary criteria defined above.

Password    Share of    Share cracked with a dictionary attack, by crack time (% of pattern)      Maximum password length (characters), by crack time
pattern     passwords   < 60 s  60 s to  60 min   24 h to  30 d to  > 365 d                     24 h to  30 d to  > 365 d
            (%)                 60 min   to 24 h  30 d     365 d                                30 d     365 d
dict_a0     17          63      15       8        5        3        7                            10       11       12
aA0!        14          5       6        5        5        3        76                           6        7        8
dict_aA0    14          51      17       10       7        4        11                           9        10       11
dict_aA0!   14          34      18       12       10       6        20                           7        8        8
a0          10          59      22       6        6        1.8      6                            10       11       12
aA0         10          19      13       13       6        7        42                           9        10       11
0           6           92      5        1.5      1.3      0        0                            15       —        —
dict_a0!    5           44      16       10       8        5        17                           9        9        10
dict_a      4           69      12       6        4        2        6                            11       12       13
a0!         2           31      19       13       9        5        23                           9        9        10
a           1.2         76      7        6        3        3        6                            11       12       13
dict_aA     1.2         56      15       8        6        3        11                           9        10       10
dict_a!     0.8         38      16       10       8        5        23                           8        9        10
aA          0.7         26      10       28       7        2        27                           9        10       10
dict_aA!    0.5         31      17       11       10       6        26                           8        9        9
0!          0.4         53      15       8        7        5        13                           9        10       11
dict_only   0.2         99.99   0.01     0.0002   0.0002   0        0                            18       —        —
dict_0      0.2         89      6        2        2        0        0                            15       —        —
aA!         0.2         11      8        10       16       3        52                           8        9        9
a!          0.1         35      16       10       9        5        25                           8        9        10
dict_0!     0.06        52      13       7        6        4        17                           9        10       11
!           0.006       50      10       6        8        4        20                           8        9        10

The majority (57%) of the passwords reviewed contained a dictionary word, which significantly reduced their strength. Half of these can be cracked in less than a minute, and 67% within one hour. Only 12% of dictionary passwords are strong enough and take more than a year to guess. Even when using all recommended character types (uppercase and lowercase letters, digits and special characters), only 20% of these passwords proved resistant to brute-forcing.

It is possible to distinguish several groups among the most popular dictionary sequences found in passwords.

  • Names: “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel”;
  • Popular words: “forever”, “love”, “google”, “hacker”, “gamer”;
  • Standard passwords: “password”, “qwerty12345”, “admin”, “12345”, “team”.

Non-dictionary passwords comprised 43% of the sample. Some were weak, such as those consisting of same-case letters and digits (10%) or digits only (6%). However, adding all recommended character types (the aA0! pattern) makes 76% of these passwords strong enough.
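Labelling a password with the pattern notation used in the table above, as an added example that is not the study's code: the character classes present give the a/A/0/! part, a substring match against a dictionary of words of four or more characters gives the dict_ prefix, and a full segmentation into dictionary words gives dict_only. The mini-dictionary is constructed from the popular sequences listed in the text (the study's real dictionary is far larger), and reversing the common substitutions mentioned in the takeaways (e to 3, a to @, and so on) before matching is an assumption about how such a check is usually done, not a description of the study's method.

```python
"""Pattern labels (dict_aA0!, a0, dict_only, ...) for a password.

Added example, not code from the original article. DICTIONARY is a constructed
mini-dictionary; UNLEET is an assumed set of common substitutions.
"""
import string

MIN_WORD = 4  # the study counted combinations of four or more characters

# Constructed mini-dictionary: the names, popular words and standard passwords from the text.
DICTIONARY = {
    "ahmed", "nguyen", "kumar", "kevin", "daniel",
    "forever", "love", "google", "hacker", "gamer",
    "password", "qwerty", "12345", "admin", "team",
}

# Common leet substitutions, reversed: what an attacker's rule set would try.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def normal_forms(password: str) -> list[str]:
    """The lowercased password and its de-leeted form (deduplicated, order kept)."""
    low = password.lower()
    return list(dict.fromkeys([low, low.translate(UNLEET)]))


def dictionary_words(password: str) -> list[str]:
    """Dictionary words (>= MIN_WORD chars) that occur as substrings of either normal form."""
    found = set()
    for form in normal_forms(password):
        for w in DICTIONARY:
            if len(w) >= MIN_WORD and w in form:
                found.add(w)
    return sorted(found)


def only_dictionary(password: str) -> bool:
    """True if some normal form can be split entirely into dictionary words (dict_only)."""
    for s in normal_forms(password):
        ok = [True] + [False] * len(s)  # ok[i]: prefix s[:i] is a concatenation of words
        for i in range(1, len(s) + 1):
            ok[i] = any(ok[j] and s[j:i] in DICTIONARY for j in range(i))
        if ok[len(s)]:
            return True
    return False


def classify(password: str) -> str:
    """Pattern label: 'dict_only', or the character classes used (a lowercase, A uppercase,
    0 digits, ! anything else) with a 'dict_' prefix when a dictionary word is present."""
    if not password:
        raise ValueError("empty password")
    if only_dictionary(password):
        return "dict_only"
    label = ""
    if any(c in string.ascii_lowercase for c in password):
        label += "a"
    if any(c in string.ascii_uppercase for c in password):
        label += "A"
    if any(c in string.digits for c in password):
        label += "0"
    if any(c not in string.ascii_letters + string.digits for c in password):
        label += "!"
    return "dict_" + label if dictionary_words(password) else label


if __name__ == "__main__":
    for pw in ["kevin2010", "P@ssw0rd1", "qwerty12345", "Kz9#vQ2x", "iLoveKevin"]:
        print(f"{pw:12} -> {classify(pw):10} words: {dictionary_words(pw)}")
```

The point of the de-leeting step is visible on P@ssw0rd1: it satisfies every composition rule (aA0!) yet lands in the dict_aA0! row of the table, the weakest of the four-class patterns, because the substitutions do not hide the dictionary word from an attacker.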

Takeaways

Modern GPUs are capable of cracking user passwords at a tremendous speed. The simplest brute-force algorithm can crack any password up to eight characters long within less than a day. Smart hacking algorithms can quickly guess even long passwords. These use dictionaries, consider character substitution (“e” to “3”, “1” to “!” or “a” to “@”) and popular combinations (“qwerty”, “12345”, “asdfg”).

This study lets us draw the following conclusions about password strength:

  • Many user passwords are not strong enough: 59% can be guessed within one hour.
  • Using meaningful words, names and standard character combinations significantly reduces the time it takes to guess the password.
  • The least secure password is one that consists entirely of digits or words.

To protect your accounts from hacking:

  • Remember that the best password is a random, computer-generated one. Many password managers are capable of generating passwords.
  • Use mnemonic, rather than meaningful, phrases.
  • Check your password for resistance to hacking. You can do this with the help of Password Checker, Kaspersky Password Manager or the zxcvbn algorithm.
  • Make sure your passwords are not contained in any leaked databases by checking haveibeenpwned. Use security solutions that alert users about password leaks.
  • Avoid using the same password for multiple websites. If your passwords are unique, cracking one of them would cause less damage.

Tor – Identifying malicious exit relays

VNSECURITY - 18 August 2014 - 13:00
1. Introduction. This article is a brief description of and commentary on the paper "Spoiled Onions: Exposing Malicious Tor Exit Relays"[1]. A Tor exit relay is the last node on a packet's path through the Tor network; from there the packet travels on to the address ...
Category: Hacking & Security

Fetching lyrics from nhaccuatui.com

VNSECURITY - 18 August 2014 - 13:00
Nhaccuatui has just upgraded its web music player, which can now display time-synced lyrics quite well. This article walks through the steps for fetching those lyrics and provides a tool that does it with a single press of Enter ;) (*). Fetching ...
Category: Hacking & Security

[defcon 2014 quals] polyglot

VNSECURITY - 18 August 2014 - 13:00
The challenge read 0x1000 bytes from the socket and executed them under the following rules (all shellcodes and code are at the end of this writeup):
[code]
- all general purpose registers are 0
- stack is at 0x42000000
- pc    is at 0x41000000
[/code]
All binaries:
x86    : polyglot_9d64fa98df6ee55e1a5baf0a170d3367
armel  : polyglot_6a3875ce36a55889427542903cd43893
armeb  : polyglot_c0e7a26d7ce539efbecc970c154de844
PowerPC: polyglot_5b78585342a3c116aebb5a9b45e88836
Our shellcode ...
Category: Hacking & Security

Analysis of the Btalk app on Android – Part one: the user authentication mechanism

VNSECURITY - 18 August 2014 - 13:00
Note: the analysis in this article is based on Btalk version 1.0.6 downloaded from the Play Store. BKAV was notified by email in advance of the issues raised in this article. (pdah - cb_ - k9) Registration and activation mechanism. The process of ...
Category: Hacking & Security

Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028)

VNSECURITY - 18 August 2014 - 13:00
In a previous post, we analyzed and exploited a stack-based buffer overflow vulnerability in the chunked-encoding parsing of nginx 1.3.9 - 1.4.0. We mentioned that there was another attack vector which was more practical and more reliable. I talked about this attack vector at SECUINSIDE 2013 in July (btw, a great conference and ...
Category: Hacking & Security

[Secuinside CTF 2013] movie talk

VNSECURITY - 18 August 2014 - 13:00
The challenge itself is very interesting, as it has a typical use-after-free problem. It runs on Ubuntu 13.04 with NX + ASLR. When we run the challenge it greets us with this message:
[code]
######################################
#                                    #
#   Welcome to the movie talk show   #
#                                    #
######################################
1. movie addition
2. movie deletion
3. my movie list
4. quit
:
[/code]
movie addition is very straight ...
Category: Hacking & Security

[Secuinside CTF 2013] Reader Writeup

VNSECURITY - 18 August 2014 - 13:00
Description: http://war.secuinside.com/files/reader ip : 59.9.131.155 port : 8282 (SSH) account : guest / guest We have obtained a program designed for giving orders to criminals. Our investigators haven't yet analyzed the file format this program reads. Please help us analyze the file format this program uses, find a vulnerability, and take a shell. From the description we can ...
Category: Hacking & Security