Next Page >>
million
...
> $ time ~/john/john-1.7.9-jumbo-5/run/unique -v -mem=25 1gu < 1g
> Total lines read 1000000000 Unique lines written 697066573
Here's some further analysis of the 1 billion sample used as a training
set along with a separate 1 million sample used as a test set:
Applying the 697 million unique passwords (from the 1 billion sample
above) as a wordlist (6 GB file size) to crack another 1 million of
pwgen'ed passwords cracks 418168 of them (41.8%). For a uniform
distribution (which is not the case), this would correspond to total
On Thu, Jan 19, 2012 at 09:21:17AM +0100, valentino.angeletti@enel.com wrote:
> may ask you what software (and how it works brute force ecc) you used?
John the Ripper, indeed - generating a custom .chr file (which is based
on trigraph frequencies) from a sample of 1 million of pwgen'ed
passwords and then using this file to crack another (non-overlapping)
sample of pwgen'ed passwords. My initial notification to oss-security
and Bugtraq included these links, which describe this in more detail:
http://www.openwall.com/lists/john-users/2010/11/17/7
Millions of PDF invisibly embedded with your internal disk paths
----------------------------------------------------------------
I found an interesting privacy issue while analyzing PDF files. This bug
occurs when you are using Internet Explorer to print locally saved web pages
as PDF and affects all IE versions including IE8. It does not matter which
PDF generation software you are using like Adobe Acrobat Professional,
CutePDF, PrimoPDF, etc as long as you are invoking it from inside the IE
print function. In Windows, even when your default browser is not IE and if
you right click a file to select the PRINT from the context menu, then by
-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com]
Sent: Monday, November 23, 2009 7:46 AM
To: bugtraq@securityfocus.com
Subject: Millions of PDF invisibly embedded with your internal disk paths
Millions of PDF invisibly embedded with your internal disk paths
----------------------------------------------------------------
I found an interesting privacy issue while analyzing PDF files. This bug
>
> -----Original Message-----
> From: Larry Seltzer
> Sent: Tuesday, July 01, 2008 3:26 PM
> To: 'Stefan Frei'; bugtraq@securityfocus.com
> Subject: RE: New Paper: More than 600 million users surf at high risk
>
> A reply from Robert Hensing at Microsoft
> (http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-w
> eb-browser-study-full-of-fail.aspx) says that your study did not include
> minor version information for Internet Explorer, probably because such
-----Original Message-----
From: Larry Seltzer
Sent: Tuesday, July 01, 2008 3:26 PM
To: 'Stefan Frei'; bugtraq@securityfocus.com
Subject: RE: New Paper: More than 600 million users surf at high risk
A reply from Robert Hensing at Microsoft
(http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-w
eb-browser-study-full-of-fail.aspx) says that your study did not include
minor version information for Internet Explorer, probably because such
The "keyspace searched" column above shows percentage of the full
{62 different, length 8} keyspace. I'd also include percentages of the
smaller keyspace that corresponds to the pronounceable passwords only,
but its size is non-trivial to calculate, so I did not bother...
Additionally, there are over 2 thousand duplicates in just 1 million of
generated passwords. Sounds like too many dupes. Not what a user would
expect, I think.
More info on the attack:
- Likely : All Firefox versions supporting the KEYGEN tag.
I. Background
~~~~~~~~~~~~~
Firefox is a popular Internet browser from the Mozilla Corporation. In 2007 the
Mozilla Corporation had a revenue of over 75 million dollars [1], out of
which 68 million where made with a search advertising deal, in other words with
the search box in Firefox that defaults to Google.
I envy the spirit of everyone that works on Firefox code in their spare time,
for free.
be interconnected in a single stack to create a virtual switch that provides 2.11 Tbps of capacity and up to
384 10/100/1000 Ethernet ports as well as 16 10GE uplink ports. All C-Series products include a comprehensive
lifetime warranty that includes services for which many competitors charge additional fees. Included benefits,
such as advanced hardware return, firmware feature upgrades (which most vendors cover at most for 90 days)
and telephone support (which most don’t include or severely limit) combine to significantly decrease operational costs
for organizations – equaling savings of up to $1 million in service contract fees over the life of a customer’s network.
(Copy of the Vendor Homepage: http://www.enterasys.com/products/security-enabled-infrastructure/securestack-cseries.aspx )
Abstract:
send to the user by email.
Unfortunately PunBB initialises the mersenne twister random number
generator on every request with a number between 0 and 1.000.000,
depending on the current microsecond. This means there are only
one million possible new passwords and new activation links. It
would be possible to bruteforce this limited area, but the amount
of time and traffic that would be required is huge.
Because of this a better one shot solution was developed that
allows to determine the new password and the new activation link
Botnet fighters have another tool in their arsenal, thanks to Microsoft.
/ COPIED FROM ARTICLE
The software vendor is giving law enforcers access to a special tool that
keeps tabs on botnets, using data compiled from the 450 million computer
users who have installed the Malicious Software Removal tool that ships
with Windows.
/ END COPY AND PASTE
--------------------------------------------------------------
Million Dollar Script 2.0.14 Remote File Disclosure Vulnerability.
--------------------------------------------------------------
download : http://www.milliondollarscript.com
author : p4imi0
contact : p4imi0@gmail.com
exploit : index.php?link=%2Fetc%2Fpasswd
google dork : inurl:"index.php?link=" "Million Dollar Script"
thanks to : str0ke, Cr[]w.
mt_srand((double) microtime() * 1000000);
$posthash = md5($mybb->user['uid'].mt_rand());
}
Code like this will seed the random number generator with only
one million different seed values. In addition to that the first
generated random number will be leaked to the user in form of the
post hash. Because the user knows his 'uid' it is easy to find the
seed used by just bruteforcing the one million possibilities.
A normal desktop PC is able to perform this attack in less than a
second.
-----Original Message-----
From: stefan.frei@gmail.com [mailto:stefan.frei@gmail.com] On Behalf Of
Stefan Frei
Sent: Tuesday, July 01, 2008 11:40 AM
To: bugtraq@securityfocus.com
Subject: New Paper: More than 600 million users surf at high risk
Hi List,
For the last 18 month we analyzed the daily USER-AGENT data collected by
Google's Web search and application servers around the world to study
mode rootkit that hides itself? Or why not do a million other things
since you've gotten them to first run code as admin? I mean, it's
really kind of silly to make TaskManager crash and tip your hand like
that, don't you think?
You see, (and this must be 1 million and 12 times said here) if you get
someone to run arbitrary code as administration, then, well, it doesn't
matter at all what comes after "then." Then, ANYTHING. If the admin
runs arbitrary code, nothing matters at all, period.
If that's the response you got from MSFT that makes you think they are
Introduction:
=============
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)
"Java is a programming language and computing platform released by Sun
Microsystems (now Oracle). It is the underlying technology that powers
state-of-the-art programs including utilities, games, and business
applications.
Java runs on more than 850 million personal computers worldwide, and
on billions of devices worldwide, including mobile and TV devices."
II. DESCRIPTION
---------------------
BT's plan is to sneak one of this boxes into every UK home. Not only
does the BT Home Hub support broadband but also VoIP (BT Broadband
Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision).
Additionally, BT will give users the option to use their BT Home Hub to
join FON, a community-shared Wi-Fi. An unofficial source has reported
us that there are 2+ million BT Home Hub users in the UK.
If you're thinking: "well I'm not based in the UK so this research
doesn't concern me", then think again! The BT Home Hub is just a
Thomson/Alcatel Speedtouch 7G router. Furthermore, the vulnerabilities
we found are most likely present in other Speedtouch models due to
* WHID 2009-16: Primary schools hit by smut hack
(http://whid.webasppsec.com/whid/2009/16/primary_schools_hit_by_smut_hack)
We also continue to follow older incidents and the following incidents where
significantly updated this week:
* WHID 2008-36: RBS WorldPay Data Breach Hits 1.5 Million
(http://whid.webasppsec.com/whid-2008-36) - scope of incident revealed.
* WHID 2008-01: Information stolen from geeks.com
(http://whid.webasppsec.com/whid-2008-01) - FTC settlement documents shed
light on the incident.
- New rt2rtc utility convert rainbow table from raw file format (.rt) to compact file format (.rtc)
- New rtc2rt utility convert rainbow table from compact file format (.rtc) to raw file format (.rt)
- The rcrack/rcrack_cuda program support both .rt and .rtc rainbow table file format
- Conversion from non-perfect to perfect rainbow table is supported by rt2rtc utility
The hash cracking performance of RainbowCrack software now exceeds 100000 million plaintexts per second.
Visit http://project-rainbowcrack.com/ for more information.
Zhu
July 22, 2009
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the
> first
> place rather than worrying about the power switch nonsense? This is
> the
> one million and fourth time: "If your 'vulnerability' begins with 'if
> I
> can get the user to run code' then whatever comes after the 'then'
> doesn't matter. Period."
>
> t
>
>
> --- On Tue, 7/1/08, Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:
>
>> From: Nick FitzGerald <nick@virus-l.demon.co.uk>
>> Subject: RE: New Paper: More than 600 million users surf at high risk
>> To: bugtraq@securityfocus.com
>> Date: Tuesday, July 1, 2008, 8:27 PM
>> Paul Schmehl to Larry Seltzer:
>>
>>> My completely non-scientific,
As promised in CONFidence [4], we're releasing the full details
including PoC scripts:
http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
In summary, there are currently about 3 million BT Home Hub routers in
the UK whose default WEP key AND admin password can be easily
predicted.
ABOUT GNUCITIZEN
not randomize it.
A typical POST size limit in Ruby frameworks is 2 MB, which takes about
6 hours of i7 CPU time to parse. Thus, an attacker with a single 850
bits/s line can keep one i7 core busy. The other way around, an attacker
with a Gigabit connection can keep about 1.000.000 (one million!) i7
cores busy.
== v8 ==
Google's Javascript implementation v8 uses a hash function which looks
Where: From remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. These people now have access to some of the best the
Web has to offer - including dazzling 3D games and entertainment,
interactive product demonstrations, and online learning applications."
Product Link:
> If Jim is going to get Nancy to run a program, and that's "not all that
> hard," then why not just have that program do what you want in the
> first
> place rather than worrying about the power switch nonsense? This is
> the
> one million and fourth time: "If your 'vulnerability' begins with 'if
> I
> can get the user to run code' then whatever comes after the 'then'
> doesn't matter. Period."
>
> t
Where: Remote
======================================================================
3) Vendor's Description of Software
"Over 450 million Internet-enabled desktops have installed Adobe
Shockwave Player. These people now have access to some of the best the
Web has to offer - including dazzling 3D games and entertainment,
interactive product demonstrations, and online learning applications."
Product Link:
five 9's SLA's, then the failure of one domain on that physical
hardware would impact the SLA's of all the other domains.
> That's why I don't view it as a DoS vulnerability.
How absolutely bizzare. Basically you spend half a million dollars on
Sun hardware, and it isn't required to do this better than VMWare? In
fact, it does it worse than VMWare. I am just stunned at your
acceptance of a serious problem.
> If you exploit this on your
On Wed, Sep 10, 2008 at 09:01:05PM +0200, Florian Weimer wrote:
>
> > How absolutely bizzare. Basically you spend half a million dollars on
> > Sun hardware, and it isn't required to do this better than VMWare?
>
> I think you've got it exactly backwards: you don't let non-trusted
> people run code on these machines because they are so expensive.
>
Right, and even if you are forced to allow root access to someone who
"Java is a programming language and computing platform released by
Sun Microsystems. It is the underlying technology that powers
state-of-the-art programs including utilities, games, and business
applications.
Java runs on more than 850 million personal computers worldwide,
and on billions of devices worldwide, including mobile and TV devices."
II. DESCRIPTION
---------------------
Next Page>>
|
