Showing posts with label Cracking. Show all posts

9 Popular Password Manager Apps Found Leaking Your Secrets

Is anything safe? It's 2017, and the likely answer is NO.

Making sure your passwords are secure is one of the first lines of defense – for your computer, email, and information – against hacking attempts, and password managers are what many security experts recommend for keeping all your passwords secure in one place.
A password manager is software that creates complex passwords, stores and organizes all your passwords for your computers, websites, applications and networks, and remembers them on your behalf.

But what if your password manager itself is vulnerable?

Well, this is not just imagination: a new report has revealed that some of the most popular password managers are affected by critical vulnerabilities that can expose user credentials.

The report, published on Tuesday by a team of security experts from the Fraunhofer Institute for Secure Information Technology in Germany, revealed that nine of the most popular Android password managers available on Google Play are affected by one or more security vulnerabilities.

Popular Android Password Manager Apps Affected By One Or More Flaws
The team examined LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords – each of which has between 100,000 and 50 Million installs.

"The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials," 

In each application, the researchers discovered one or more security vulnerabilities – a total of 26 issues – all of which were reported to the application makers and were fixed before the group's report went public.

Hack Windows using winAUTOPWN 3.4 – Completing 4 years of Windows hacking

winAUTOPWN has been an old favourite for automating Windows hacking and vulnerability testing. The project is the brainchild of Azim Poonawala of [C4]Closed Circuit Corporate Clandestine and saw its first release in 2009. Fast forward 4 years, and it has matured into a good exploitation framework with a plethora of options. As the author states about it:

Autohack your targets - even if you have consumed and holding a bottle of 'ABSOLUT' in one hand and absolute ease (winAUTOPWN) in the other.

In layman's terms, winAUTOPWN is a unique exploit framework which helps in gaining shell access and pwning (aka exploiting vulnerabilities) to conduct Remote Command Execution, Remote File/Shell Upload, Remote File Inclusion and other web-application attacks. As a cherry on top, it can also help in conducting multiple types of Denial of Service attacks on targets. Furthermore, it can also be used to test the effectiveness of IDS/IPS

Another Hack Allows Access to Locked iPhones


A glitch in Apple's iOS 6.1 operating system makes it possible to access an iPhone's sensitive data, including contacts and photos, without entering the correct passcode, or personal identification number (PIN).
The security flaw, the second PIN bypass that security researchers have found this month, takes a bit of tricky button-pushing in a specific order. But once done successfully, it allows an intruder to download the phone's data over USB to a computer that would have otherwise been locked out.

Awesome Facebook chat codes


Within a few years Facebook has evolved a lot and become a hobby for people around the globe. You meet new people, share your ideas, see your favorite product pages and play social games on Facebook. You can also chat with your friends on Facebook. To enhance the chat experience, Facebook introduced chat codes, which let you include pictures according to your mood in your chat box while chatting with someone. That's really cool, isn't it? So here we have awesome Facebook chat codes which enable you to include different kinds of pictures in your Facebook chats. Enjoy your chat!

Hackers Use Stolen Passwords to Jimmy Into Dropbox

The habit of using the same username and password combination for multiple sites has come around to bite Dropbox and its users. Network intruders who came into the possession of name/password combos from other sites, tried them out on Dropbox and were able to break into many users' accounts -- including the account of a Dropbox employee, which led to a deluge of spam.

Dropbox says reused passwords are to blame for a wave of spam that's hitting subscribers to the service.

The company found that usernames and passwords recently stolen from other websites were used to sign in to some Dropbox accounts. One of these accounts belonged to a Dropbox employee, and it contained a project document with some users' email addresses.

This improper access led to the spamming of many users, Dropbox said.

The company has taken various steps to improve security, including the coming introduction of two-factor authentication.

"The downside of not having more rigorous access controls in place around sensitive data is that they can be compromised," Todd Thiemann, senior director of product marketing at Vormetric, told TechNewsWorld. "Dropbox appears to have learned that the hard way."


Bless My Soul, What's Wrong With Me?

Some Dropbox customers began complaining about being spammed back in mid-July.

The company called in external investigators to look into the matter, and on Tuesday it said the situation was most likely attributable to usernames and passwords employed by its subscribers across multiple sites.

It has contacted customers whose accounts had been hijacked and helped them protect their accounts.

"Given [Dropbox's] poor track record when it comes to security, I was floored" by the company's statement about contacting users whose accounts had been hijacked, said Rob Sobers, technical marketing manager at Varonis.

"They are assuming they know exactly which accounts were compromised," Sobers told TechNewsWorld. "What about the accounts whose passwords might have been stolen but haven't been breached yet?"

All Shook Up

"What other customer information is stored in Dropbox folders -- credit card data? Passwords?" Varonis's Sobers asked. "Which employees have access to customer data? Of the employees that have access to customer data, how many of them reuse their passwords?"

As for the project document stolen from a Dropbox employee whose account was hijacked, "A Dropbox employee should have clearly defined policies surrounding password strength and reuse for anything they do with customer data, regardless of where it's stored," Randy Abrams, a research director at NSS Labs, told TechNewsWorld.

Encrypting sensitive data in cloud services such as Dropbox is critical because, "as a rule of thumb, anything stored in the cloud that's not meant to be a Playboy Expose should be encrypted," Abrams continued.

Upping the Security Ante

Measures Dropbox is taking to improve security include two-factor authentication, new automated mechanisms to help identify suspicious activity, and a new page that lets users examine all active logins to their account.

The company may require users to change their passwords in some cases, for example where the passwords are commonly used or haven't been changed in a long time.

It is also recommending that users set a unique password for each website they use.

"Going forward, integrating password education with regularly mandated password changes would be a good thing," NSS Labs' Abrams said.

However, "the problem is that a policy of password-only security is outdated," Leonid Shtilman, CEO of Viewfinity, told TechNewsWorld. He advocates using biometric facial recognition technology.

Comments on Security Measures

Password reuse across multiple sites "is a universal problem ... and it's better for services such as Dropbox to offer multi-factor authentication, given the gravity of data that people store on these systems," Frank Artes, a research director at NSS Labs, told TechNewsWorld.

In the interim, it would be a best practice to force a full change of passwords and set a threshold on password strength, Artes suggested.

Computer security "is an evolving process, driven by the harsh reality of computer crime," David Perry, global director of education at Comodo, told TechNewsWorld. "I have no doubt that this kind of 'oops' moment will be very common over the next decade."

Dropbox did not respond to our request to comment.

MULTIPLE LOGIN IN YAHOO MESSENGER


 

Multiple login in Yahoo without using any software

You can log in with multiple IDs on the same Yahoo Messenger without any download or patch.

Follow these steps:

1. Go to Start -> Run. Type regedit, then press Enter.
2. Navigate to HKEY_CURRENT_USER -> Software -> yahoo -> pager -> Test
3. In the right pane, right-click and choose new Dword value.
4. Rename it as Plural.
5. Double-click it and assign a decimal value of 1.

It's done!
Now close the registry editor, restart Yahoo Messenger and try multiple login.


Hack orkut, facebook any account using cookie stealer


Cookies store all the necessary information about one's account; using this information you can hack anybody's account and change his password. If you get the cookies of the victim you can hack any account the victim is logged into, i.e. you can hack Google, Yahoo, Orkut, Facebook, Flickr etc.
What is a CookieLogger?
A CookieLogger is a script that is used to steal anybody's cookies and store them in a log file from where you can read the cookies of the victim.
Today I am going to show how to make your own Cookie Logger… Hope you will enjoy reading it…

Crack wifi passwords in less than 4 minutes


FUN FACTS:

- WEP stands for Wired Equivalent Privacy
- WEP is used to secure wireless networks from eavesdroppers
- WEP usually takes hours to crack

Cracking WEP has always been a long and tedious job, until recently, when two FBI agents demonstrated how it's possible to crack WEP in under 4 minutes (3 to be exact).

Here is how they did it:

Tutorial Get the serial number you need


Get the serial number you need ! (For Certain Things)

* Go to Google.

* In the search field type: "Product name" 94FBR

* Where, "Product Name" is the name of the item you want to find the serial number for.

* And voila - there you go - the serial number you needed.

HOW DOES THIS WORK?

Top 10 Tricks to exploit SQL Server Systems

Whether it is through manual poking and prodding or the use of security testing tools, malicious attackers employ a variety of tricks to break into SQL Server systems, both inside and outside your firewall. It stands to reason then, if the hackers are doing it, you need to carry out the same attacks to test the security strength of your systems. Here are 10 hacker tricks to gain access and violate systems running SQL Server.
1. Direct connections via the Internet

These connections can be used to attach to SQL Servers sitting naked without firewall protection for the entire world to see (and access). DShield's Port Report shows just how many systems are sitting out there waiting to be attacked. I don't understand the logic behind making a critical server like this directly accessible from the Internet, but I still find this flaw in my assessments, and we all remember the effect the SQL Slammer worm had on so many vulnerable SQL Server systems. Nevertheless, these direct attacks can lead to denial of service, buffer overflows and more.

John the Ripper – Password cracking at its best


If you are into password cracking then you probably know about it: John the Ripper is one of the most popular password testing and breaking programs available. JTR, as it's fondly called, combines multiple password cracking packages into one package, includes auto-detection of hashes and is a fast password cracker. It is currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS and supports 15 different platforms. Its primary purpose is to detect weak Unix passwords (no.. I'm kidding, its primary purpose is to break passwords :P). It can natively detect and crack various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. JTR has an active community and multiple third-party patches have been added to increase its functionality to include MD4-based password hashes and passwords stored in LDAP, MySQL and other unsupported hashes. JTR is the penultimate when it comes to password cracking in Windows (Cain and Abel is the ultimate :P), but for Linux and open source, it's the best you can get your hands on. Fire it up with a wordlist and you are good to go.
Here is a sample output of JTR in Debian environment (shamelessly taken from Wikipedia)
root@0[john-1.6.37]# cat wpass.txt
user:AZl.zWwxIh15Q
root@0[john-1.6.37]# john -w:password.lst wpass.txt
Loaded 1 password hash (Traditional DES [24/32 4K])
example         (user)

guesses: 1  time: 0:00:00:00 100%  c/s: 752  trying: 12345 - pookie
You can download JTR from here