The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

GPU cracks 6 character password in 4 seconds An nVidia GeForce GT220 graphics card, which costs about £30, is capable of cracking strong passwords in a matter of hours. Security experts were able to crack a  6 character password in 4 seconds, a 7 character password in less than 5 minutes, and 8 character password in four hours. " People have worked out that the processing power of graphics cards, due to the architecture of the chips, is more powerful than a normal processor for doing certain tasks ," said Neil Lathwood, IT director at UKFast.

Facebook content restrictions bypass Vulnerability Blackhat Academy claims to have found a way to bypass content restrictions on links, as posted on their site and posts put on a user's public wall. Even Security Analysts claim that Facebook was notified of these vulnerabilities on July 31st, 2011. To date (October 4, 2011), Facebook has yet to do anything about this. Facebook has only recently purchased Websense to attempt to push this vulnerability under the rug, however the exploit still works.To access Facebook's FQL API, Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. FQL does not allow the use of JOINS, however it is not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious Facebook application or directly on the FQL development api page for information gathering. : <?php # User agent checking methods $fb_string = '/facebookexternal/i';         ...

Exploit Pack - An open source security framework Exploit Pack is an open source security framework developed by Juan Sacco. It combines the benefits of a Java GUI, Python as Engine and well-known exploits on the wild. It has an IDE to make the task of developing new exploits easier, instant search features and XML-based modules. A GPL license for the entire project helps to ensure the code will remain free. It also features a ranking system for contributors, tutorials for everyone who wants to learn how to create new exploits and a community to call for help. Why use Exploit Pack? It has a module editor that allows you to create your own custom exploits. There is an instant search feature built-in on the GUI for easier access to modules. Modules use XML DOM, so they are really easy to modify. It uses Python as its Engine because the language is more widely used on security related programming. A tutorial is also provided. If you want to earn money, they will pay you for eac...

Derbycon 2011 Videos Talks The idea behind DerbyCon was developed by Dave Kennedy (ReL1K), Martin Bos (PureHate), and Adrian Crenshaw (Irongeek). Their motivation stemmed from a desire to see more of the old-style talks and events of the conventions of the past. DerbyCon was hosted by some specialized two-day training courses from 30th Sep-2nd Oct 2011 in Louisville, Kentucky. DerbyCon isn't just another security conference. They have taken the best elements from all of the conferences. DerbyCon is a place you can call home, where you can meet each other, party, and learn. Their goal is to create a fun environment where the security community can come together to share ideas and concepts. Whether you know Linux, how to program, are established in security, or a hobbyist, the ideal of DerbyCon is to promote learning and strengthen the community. Day 1 Adrian, Dave, Martin: Welcome to DerbyCon 2011 – Intro to the con and events KEYNOTE ~ HD MOORE – Acoustic Intrusions Johnny Long...

Hash Code Cracker V 1.2 Released ~ Password Cracking from BreakTheSecurity BreakTheSecurity is proud to release the Hash Code Cracker Version 1.2. Our latest release supports Online Cracking function. Description: This password cracker is developed for PenTesters and Ethical hackers. Please Use this software for legal purposes(Testing the Password Strength). Features: This software will crack the MD5, SHA1,NTLM(Windows Password) hash codes. No need to install. Supports All platforms(windows XP/7,Linux,..). V1.2 Changelog : Included Online cracking Support Minimum Requirements: Java Runtime Environment: JRE 1.6 should be installed.(you can get it from oracle.com) How to Run the Application? Download the .zip file and extract. Extract the zip file. Open the Terminal or command prompt. Navigate to the path of Extracted zip file (i mean HashCodeCracker Folder) in Terminal/CMD. Type this command "java -jar HashCodeCracker.jar". Now the applica...

Linux - Means Freedom [The Hacker News Magazine] October 2011 Issue Released Dear Readers,                          We here at The Hacker News were very humbled to be given the opportunity to celebrate 10 millions hits to the website. Wow! We are so very grateful for your support and as I told you last month, I don't think Hacking is going anywhere and neither are we!! Your feedback is very important to us. Feel free to send us your thoughts and desires for Hacking news. If you want to write an editorial, let us know. We'd love to include it next month. For now, we will see you in our daily and best wishes for a great month. Content of October Edition: Linux - Means Freedom How to make my Linux Secure ? Hackathon Insider Threads Vs Hackers Linux : How to Series by Alok Srivastav Window 8 - Touch the Future The Security Model of Window 8 Server Microsoft Security Development Cycle September Cybe...

Celebrating 5th Birthday of Wikileaks  (Born : 4th Oct 2006) The wikileaks.org domain name was registered on 4 October 2006. The website was unveiled, and published its first document, in December 2006. The site claims to have been " founded by Chinese dissidents, journalists, mathematicians and start-up company technologists, from the US, Taiwan, Europe, Australia and South Africa ". The creators of WikiLeaks have not been formally identified. It has been represented in public since January 2007 by Julian Assange and others. Assange describes himself as a member of WikiLeaks' advisory board. News reports in The Australian have called Assange the " founder of WikiLeaks ". According to Wired magazine, a volunteer said that Assange described himself in a private conversation as "the heart and soul of this organisation, its founder, philosopher, spokesperson, original coder, organizer, financier, and all the rest". 2006–08 WikiLeaks posted its fi...

Contest Winners Announcement : Wireless Penetration Testing Guide book We ran a competition for the book " Backtrack 5 Wireless Penetration Testing " last week. Today, Vivek Ramachandran, the author of the book and Founder of SecurityTube.net is announcing the winners in the video below. We will be contacting the winners via email soon. Two Best Comments Selected by Author are : Scott Herbert : For me it's the "man-in-the middle" and other cutting edge wireless attacks that make it a book worth getting (even if I don't win). neutronkaos : What interests me most about this book is that it is dedicated to wireless hacking. In an age where almost everybody is rocking a wireless AP, this book could do alot in offense and defense. I have been a Backtrack fan since Backtrack 3 and I have seen several of Mr. Ramachandran's primers on security tube. I am currently deployed to Afghanistan and I am working towards a degree in Network Security. I would love to have this boo...

Apache killer exploit modified for better Results " 4L4N4 K!LL3R " or Killapache  DDOS tool exploit, previously coded by kingscope 's , re-edited and coded by " S4(uR4 " , which kills apache and still many websites are vulnerable. S4(uR4 rewrite this exploit on php/curl (web based) with agressive mode. Exploit Consist of 2 part : 1) Test Part (for test u need use static content of site, maybe images, text, html, doc file, etc) 2) Xploiting Part Difference B/w Old and New Modified Exploit: 40c40 < $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n"; --- > $p = "HEAD ".($ARGV[2] ? $ARGV[2] : "/")."HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n"; 56c56 < $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n"; ---...

DarkComet-RAT v4.2 fwb (Firewall bypass) This version is firewall bypass it will inject to web browsers and bypass firewall rules. Targets are in this order : Firefox, Opera, Chrome, Safari, Internet Explorer and Explorer if all fails (normally never) then it runs normally. Notice now you can use remote computers as SOCKS5 proxies changelog: - Now server module doesn't melt each times - SOCKS5 Server added – Multithread. - Camera streaming is now more stable - Camera capture interval added - Camera disable streatch enabled/disabled added - File Manager doesn't crash on transfer anymore - Sound capture more stable and a bit faster - New process manager GUI and more user friendly - Process Dump added to the new process manager - Screen capture totally recoded, faster in Vista and Seven than before - Screen capture control more stable - No more black screen in screen capture on resize (avoid using 16bit colors in some systems) Most performant is 8Bit. - New password ...

Thailand Prime Minister Twitter, Facebook accounts Hacked Prime Minister Yingluck Shinawatra's personal Twitter account was hacked yesterday in what officials said was possibly part of a conspiracy to embarrass the government. The false tweets accused her of cronyism and various failures. The final post read: " If she can't even protect her own Twitter account, how can she protect the country? " Authorities vowed to prosecute the guilty parties. Information and Communication Technology Minister Anudith Nakornthap said an investigation found the hacker used a prepaid phone card and an iPhone to access the accounts. He denied a report that an arrest was imminent, but said details from the investigation would be announced today.Ms. Yingluck won a clear victory in July, but is accused by her critics of being a puppet of her brother, former Premier Thaksin Shinawatra who was thrown out of office in a 2006 military coup. " This country is a business. We work for...

Proof of Concept : PuttyHijack - Hijack SSH/PuTTY Sessions PuttyHijack is a POC tool that injects a dll into the Putty process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers. The injected DLL installs hooks and creates a socket in guest operating system for a callback connection that is then used for input/output redirection. PuttyHijack does not kill the current connection, and will cleanly uninject if the socket or process is stopped. Leaves no race for further analysis. How to run/install PuttyHijack Start a nc listener on some fully controlled machine. Run PuttyHijack specify the listener ip and port on victime machine (Some socail engg skill may be helpfull) Watch the echoing of everything including passwords (grab it for further analysis) Help commands of PuttyHijack !disco – disconnect the real putty from the display !reco – ...

HTC Android Vulnerability - Exposes Phone numbers, Gps, SMS, Emails etc If you are running a HTC Android smartphone with the latest updates applied, chances are your personal data is freely accessible to any app you have given network access to in the form of full Internet permissions.This vulnerability isn't a backdoor or some inherent flaw in Android, it is instead HTC failing to lock down its data sharing policies used in the Tell HTC software users have to allow or disallow on their phone. The problem being, not only is your data vulnerable when Tell HTC is turned on, it's just as vulnerable when it is turned off. In brief, any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on: the list of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations phone numbers from the phon...