Tag Archives: password

Over 300 million passwords (hashed)

Troy Hunt has released 306 million SHA1-hashed passwords for everyone to study: "Introducing 306 Million Freely Downloadable Pwned Passwords". He cites the recommendation in NIST's new draft on passwords, namely blocking passwords that are already known to have been leaked: The file can be downloaded from "I been pwned? Pwned Passwords".


Hilarious md5crypt passwords...

The author wrote a post about having seen, some time ago, a string of md5crypt password hashes beginning with $1$ in WHOIS records XDDD: "I mean, why not tell everyone our password hashes?". Now the fields are filtered but this is a reasonably recent change. Prior to July 2015 the hashed passwords were shown to anyone who …


Password reset + Social Engineering

Saw the PRMitM (Password Reset Man-in-the-Middle) attack in "The password reset MitM attack"; the original paper is available at "The Password Reset MitM Attack". The basic version of the attack, explained with a figure: It also lists the status of the major sites: And the SMS text each of them sends; you can see that not every one of them puts the product name in the message: This technique is really interesting... XD


Recovering the PIN from a phone's sensors

Combining side-channel information with statistical methods reaches 74% accuracy: "Phone Hack Uses Sensors To Steal PINs". The data can be pulled out through JavaScript in the browser and then used to guess your phone's PIN: Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the …


Using SessionGopher to pull all kinds of passwords and keys off a machine

A colleague mentioned fireeye/SessionGopher on Slack, a tool that can extract all sorts of sensitive information from a machine: SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. The approach is to scan …


Guessing the PIN from residual heat on a phone screen

Analysing the residual heat on a phone screen to infer the likely PIN: "Heat traces left by fingers can reveal your smartphone PIN". Within 30 seconds of the PIN being entered the accuracy is still high (80%): The report further revealed that if the thermal image is collected within 15 seconds of a PIN being entered, the technique is accurate …


The next version of Chrome (56) will mark HTTP sites that ask for card numbers or passwords as "Not Secure"

As planned in the earlier post "Google Chrome 56 will mark HTTP sites as 'Not secure'", Google Chrome 56 (that is, the next version) will mark sites that ask for card numbers or passwords as "Not Secure": "Chrome 56 Beta: “Not Secure” warning, Web Bluetooth, and CSS position: sticky". Comparing the September screenshot with a recent one, the label changed from "Not secure" to "Not Secure"... This is the one from September: And this is the recent one: Perhaps labelling it this way makes users more alert?


Turning the CSC (the three digits on the back of the card) into an OTP (a one-time code)

Turning the last three digits on the back of a credit card (the Card security code) into a dynamic code. There are normally only three digits, but for online purchases this should help quite a bit; the downside is that you can no longer get away with not taking the card out at all...: "This high-tech card is being rolled out by French banks to eliminate fraud". The product is called MotionCode and will start in France first: Today both Société Générale and Groupe BPCE, two of France’s largest banking groups, are preparing to roll out these cards across …


Yahoo!'s leak this time is probably the largest ever...

The leak Yahoo! has disclosed this time is probably the largest to date: "An Important Message About Yahoo User Security". Yahoo!'s current assessment is that the data was taken by a government entity in 2014: A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by …
