The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: hacking passwords

Worst Day for eBAY, Multiple Flaws leave Millions of Users vulnerable to Hackers

Worst Day for eBAY, Multiple Flaws leave Millions of Users vulnerable to Hackers

May 23, 2014Mohit Kumar
It's not been more than 36 hours since eBay revealed it was hacked and we just come to know about three more critical vulnerabilities in eBay website that could allow an attacker to compromise users' account once again, even if you have already reset your account password after the last announcement. Yesterday eBay admitted to the massive data breach that affected 145 million registered users worldwide after its database was compromised. eBay urged its 145 million users to change their passwords after the cyber attack, but are passwords enough? eBay Data breach happened mainly because of their vulnerable infrastructure, not weak passwords. I think eBay's morning just going to be bad to worse as today, three Security researchers came forward with three more different types of critical flaws in eBay website that leave its 145 million users vulnerable to hackers. HACKER UPLOADED SHELL ON eBAY SERVER (UNPATCHED) A critical security flaw in the eBay website for i
Securing Passwords with Bcrypt Hashing Function

Securing Passwords with Bcrypt Hashing Function

April 10, 2014Anonymous
Passwords are the first line of defense against cyber criminals. It is the most vital secret of every activity we do over the internet and also a final check to get into any of your user account, whether it is your bank account, email account, shopping cart account or any other account you have. We all know storing passwords in clear text in your database is ridiculous. Many desktop applications and almost every web service including, blogs, forums eventually need to store a collection of user data and the passwords, that has to be stored using a hashing algorithm. Cryptographic hash algorithms MD5, SHA1, SHA256, SHA512, SHA-3 are general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. Hashing is the greatest way for protecting passwords and considered to be pretty safe for ensuring the integrity of data or password. The benefit of hashing is that if someone steals the database with hashed passwords, they o
Vulnerable Texas Transportation Site 'TxTag' leaves 1.2 Million Credit Cards at Risk

Vulnerable Texas Transportation Site 'TxTag' leaves 1.2 Million Credit Cards at Risk

April 05, 2014Swati Khandelwal
Do you know, Why another major company is getting hacked every week? Because of poor policies, Laziness to Incident Response and lack in will-power to put efforts on applying important patches. Some companies are not taking their security more seriously, and best suitable example for this is  TxTag,  an electronic toll collection systems in Texas operated by Texas Department of Transportation (TxDOT) . 1.2 MILLION CREDIT CARD ARE AT RISK Security researcher, David Longenecker   claimed a serious flaw at  TxTag website that exposes the active Credit Card Details and Personal Information of 1.2 Million Drivers including active TxTags (vehicle stickers with microchips, which are scanned by electronic readers on toll roads), Names, phone numbers, full residence addresses, email addresses, along with their complete Credit card numbers and Expiration date. According to David, the account names could be easily predictable by anyone, which is typically an 8-digit number that beg
Worst Data Breach in German History, 18 Million Email Passwords Compromised

Worst Data Breach in German History, 18 Million Email Passwords Compromised

April 05, 2014Swati Khandelwal
Germany has confirmed its biggest Data theft in the country's history with usernames and passwords of some 18 million email accounts stolen and compromised by hackers. The Story broke by the German press, Der Spiegel on Thursday, when German Authorities revealed another mass hacking of private data belonged to German citizens and major Internet companies both in Germany and abroad. 16 MILLION AND NOW 18 MILLION Authorities in the northwestern city of Verden unearthed a treasure of personal information, a list of about 18 million stolen email addresses and passwords, and seized it just after only two months from the previous major data breach, when researchers came across 16 million compromised email accounts of German users while conducting research on a botnet, a network of computers infected with malware.  The accounts were compromised by hackers in the mid of January, and Der Spiegel suggests that the same group of hackers is responsible for both thefts and t
5-year-old Boy discovers Microsoft Xbox Password Bypass vulnerability

5-year-old Boy discovers Microsoft Xbox Password Bypass vulnerability

April 04, 2014Mohit Kumar
A 5-year-old San Diego boy managed to hack one of the most popular gaming systems in the world, Xbox and has now been acknowledged as a security researcher by Microsoft. Kristoffer Von Hassel uncovered a vulnerability in Xbox Live's password system, that would allow someone to log into a Xbox player's account without their password. Kristoffer's parents noticed he was logging into his father's Xbox Live account simply by tapping the space bar. YES, BACKDOOR ENTRY WITH JUST SPACE-BAR His father noticed that Kristoffer logged in as his Xbox Live account to play video games that he wasn't meant to be playing and asked how he had done it.  Kristoffer revealed that by typing in the wrong password and then by pressing the spacebar, he bypassed the password verification through a backdoor, and it was pretty simple! HIS FEELING, "was like yeah!" 5-year-old gamer actually hacked the authentication system of a multi-billion dollar company,
Tesla Cars Can Be Hacked to Locate and Unlock Remotely

Tesla Cars Can Be Hacked to Locate and Unlock Remotely

March 31, 2014Swati Khandelwal
Smart Phones, Smart TVs, Smart Refrigerators, even Smart Cars! When it comes to Smart devices, we simply provide them the master control of various tasks to make our life easy and more comfortable, unaware about its worst impact. At the starting of last month we reported that by using a $20 toolkit called CAN Hacking Tool (CHT) , hackers can hack your Smart Cars, giving entire control of your car to an attacker from windows and headlights to its steering and brakes. Now a new research carried out on the  Tesla Smart car  has proved that the hackers are able to remotely locate or unlock the Tesla Motors Inc. electric vehicles, just by cracking a six-character password using traditional hacking techniques. At the Black Hat Asia security conference in Singapore on Friday, Nitesh Dhanjani , a corporate security consultant and Tesla owner, said a recent study conducted by him on the Tesla Model S sedan pointed out several design flaws in its security system, and there wasn&
Edward Snowden obtained classified NSA documents by stealing Coworker’s Password

Edward Snowden obtained classified NSA documents by stealing Coworker's Password

February 13, 2014Swati Khandelwal
We are quite aware of the leaks that the Whistleblower Edward Snowden carried out against the US National Security Agency (NSA) and after reading every related update, watching every document that he provided to various news websites, you all are left with a question in mind that,  How he could carry out this whole operation without any helping hand? Yes, you are right! The former NSA contractor Edward Snowden allegedly managed to access thousands of the classified documents by stealing one of his coworker's passwords, according to an unclassified NSA memorandum obtained by the NBC News . Three Members, one NSA's civilian employee, an active duty member of the U.S. Military and a contractor were found involved in the actions that may have aided Snowden's operation; from which NSA 's civilian employee has been stripped of his security clearance and has resigned. Other two has been obstructed from accessing National Security Agency (NSA) facilities, th
'123456' giving tough competition to 'password' in Worst 25 Passwords of 2013

'123456' giving tough competition to 'password' in Worst 25 Passwords of 2013

January 21, 2014Swati Khandelwal
123456, password, 12345678, qwerty… or abc123 , How many of you have your password one of these??? I think quite a many of you. Even after countless warnings and advices given to the users by many security researchers, people are continuously using a weak strength of password chains. After observing many cyber attacks in 2013, we have seen many incidents where an attacker can predict or brute-force your passwords very easily. From 2012, the only change till now is that the string " password " has shifted to the second place in a list of the most commonly used passphrases and string " 123456 " has taken the first place recently, according to an annual " Worst Passwords " report released by SplashData , a password management software company They announced the annual list of 25 most common passwords i.e. Obviously the worst password that found on the Internet. The Most common lists of the passwords this year are " qwerty ," " abc123 ," &qu
Hacking Wireless DSL routers via Administrative password Reset Vulnerability

Hacking Wireless DSL routers via Administrative password Reset Vulnerability

January 03, 2014Mohit Kumar
If you want to hack a Netgear and Linkys Wireless Routers , there is a quick backdoor entry available, that allow an attacker to reset the admin panel password to defaults. Eloi Vanderbeken , a hacker and reverse-engineer from France has discovered an administration password Reset vulnerability in many Netgear and Linkys Routers. In a blog post , Eloi said that During Christmas Holidays he forgot the admin interface password of his Linksys WAG200G router and in an effort to gain access back of its administration panel, he first scanned the Router and found a suspicious open TCP port i.e. 32764. To do further research on this port service, he downloaded a copy Linksys firmware and reverse-engineered it. He found was a secret backdoor interface that allowed him to send commands to the router from a command-line shell without being authenticated as the administrator. Then he blindly tested commands, but doing so flips the router's configuration back to factory settings with defau
Hacking Gmail accounts with password reset system vulnerability

Hacking Gmail accounts with password reset system vulnerability

November 22, 2013Wang Wei
Oren Hafif , a security researcher has discovered a critical vulnerability in the Password reset process of Google account that allows an attacker to hijack any account. He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by leveraging a number of flaws i.e. Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass. In a proof of concept video demonstration, the attacker sends his victim a fake " Confirm account ownership " email, claiming to come from Google. The link mention in the mail instructs the recipient to confirm the ownership of the account and urged user to change their password. The link from the email apparently points to a HTTPS  google.com URL, but it actually leads the victim to the attacker's website because of CSRF attack with a customized email address. The Google HTTPS page will will ask the victim to confirm the ownership by entering his last password and then will ask to res
iOS apps vulnerable to HTTP Request Hijacking attacks over WiFi

iOS apps vulnerable to HTTP Request Hijacking attacks over WiFi

October 30, 2013Anonymous
Security researchers Adi Sharabani and Yair Amit  have disclosed details about a widespread vulnerability in iOS apps , that could allow hackers to force the apps to send and receive data from the hackers' own servers rather than the legitimate ones they were coded to connect to. Speaking about the issue at RSA Conference Europe 2013 in Amsterdam, researchers have provided details  on this  vulnerability , which stems from a commonly used approach to URL caching. Demonstration shows that insecure public networks can also provide stealth access to our iOS apps to potential attackers using HTTP request hijacking methods. The researchers put together a short video demonstrating, in which they use what is called a 301 directive to redirect the traffic flow from an app to an app maker's server to the attacker's server. There are two limitations also, that the attacker needs to be physically near the victim for the initial poisoning to perform this attack and t
WiFi Hacking software AirCrack-NG updated after 3 years

WiFi Hacking software AirCrack-NG updated after 3 years

June 03, 2013Wang Wei
The Best WiFi hacking suite  AirCrack-NG updated to 1.2 Beta 1 after three years from the last release. Aircrack-ng is a set of tools for auditing wireless networks. New version added a few new tools and scripts (including distributed cracking tool). Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. Release Notes: Compilation fixes on all supported OSes. Makefile improvement and fixes. A lot of fixes and improvements on all tools and documentation. Fixed licensing issues. Fixed endianness and QoS issues. Download AirCrack-NG for Linux and For Windows
Cloud computing best for password hacking !

Cloud computing best for password hacking !

November 19, 2010Mohit Kumar
On-demand cloud computing is a wonderful tool for companies that need some computing capacity for a short time, but don't want to invest in fixed capital for long term. For the same reasons, cloud computing can be very useful to hackers.  A lot of hacking activities involve cracking passwords , keys or other forms of brute force that are computationally expensive but highly parallelizable. For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing on-demand for the purpose of brute force computation. Botnets are unreliable, heterogeneous and will take longer to "provision." But they cost nothing to use and can scale to enormous size. Researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud computing offering will be faster to provision, have predictable performance and can be billed to
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.