Tag Archives: password

重設密碼 + Social Engineering

在「The password reset MitM attack」這邊看到 PRMitM (Password Reset Man-in-the-Middle) 這樣的攻擊,原始論文在「The Password Reset MitM Attack」這邊可以取得。 用圖說明基本版的攻擊方式: 另外列出了各大站台的狀態: 以及各家簡訊的文字,可以發現不是每一家都有把產品的名稱寫上去: 這方法好有趣啊... XD

Posted in Computer, Murmuring, Network, Security, Service, WWW | Tagged , , , , , , , , , , , | 1 Comment

利用手機的 sensor 取得 PIN 碼

把 side-channel information 配合上統計方法就可以達到 74% 的正確率:「Phone Hack Uses Sensors To Steal PINs」。 透過 browser 的 javascript 就可以拉出這些資料,然後利用這些資料去猜你的手機 PIN 碼: Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the … Continue reading

Posted in Browser, Computer, Firefox, GoogleChrome, Hardware, Murmuring, Network, Programming, Safari, Security, Software, WWW | Tagged , , , , , , , , , , , , , , , , , | Leave a comment

用 SessionGopher 拉出機器上各種密碼與 Key

同事在 Slack 上提到 fireeye/SessionGopher 這個工具,可以從機器上拉出各種敏感資訊: SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. 方法是掃 … Continue reading

Posted in Computer, Murmuring, OS, Security, Software, Windows | Tagged , , , , , , , , , , , , , , , , | Leave a comment

透過手機螢幕上的餘熱猜測 PIN 碼

利用手機螢幕上的餘熱分析可能的 PIN 碼:「Heat traces left by fingers can reveal your smartphone PIN」,在輸入完 PIN 碼的 30 秒內的準確度都還是很高 (80%): The report further revealed that if the thermal image is collected within 15 seconds of a PIN being entered, the technique is accurate … Continue reading

Posted in Computer, Hardware, Murmuring, Security, Telephone | Tagged , , , , , , , , , , | Leave a comment

下一個版本的 Chrome (56) 將會對要求卡號或是密碼的 HTTP 站台標示「Not Secure」

如同之前在「Google Chrome 56 將會對 HTTP 網站標示「Not secure」」提到的規劃,Google Chrome 56 (也就是下一個版本) 將會對要求卡號或是密碼的站台標示「Not Secure」:「Chrome 56 Beta: “Not Secure” warning, Web Bluetooth, and CSS position: sticky」。 比較九月的 screenshot 與最近的 screenshot,從「Not secure」變成「Not Secure」了... 這是九月的: 而這是最近的: 可能是這樣標示會讓使用者更有警覺?

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Software, WWW | Tagged , , , , , , , , , , | Leave a comment

把 CSC (卡片背面的三碼) 變成 OTP (動態密碼)

把信用卡背面的後三碼 (Card security code) 變成動態密碼,雖然一般只會有三碼,但對於網路消費應該會有不少幫助,不過這樣就不能完全不拿出卡片了...:「This high-tech card is being rolled out by French banks to eliminate fraud」。 產品叫做 MotionCode,會先從法國開始: Today both Société Générale and Groupe BPCE, two of France’s largest banking groups, are preparing to roll out these cards across … Continue reading

Posted in Computer, Financial, Hardware, Murmuring, Network, Security, WWW | Tagged , , , , , , , , , , , | 1 Comment

Yahoo! 這次應該是史上最大的一次 leak...

Yahoo! 這次爆出來的 leak 應該是目前史上最大的一次:「An Important Message About Yahoo User Security」。 目前 Yahoo! 的研判是 2014 年時由政府單位搬出去的: A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by … Continue reading

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , | Leave a comment

Dropbox 儲存密碼的方式

記得 Dropbox 前陣子才強迫所有使用者重設密碼:「The Dropbox hack is real」,官方的報告在這:「Resetting passwords to keep your files safe」,當時洩漏出來的資訊可以知道 2012 年的時候 Dropbox 用的是 SHA1: What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. … Continue reading

Posted in Cloud, Computer, Murmuring, Network, Programming, Security | Tagged , , , , , , , , , , , , | Leave a comment

常見密碼表

先前在「NIST 新的密碼規範」這邊提到了用字典檔避免使用者選擇弱密碼的問題: When processing requests to establish and change memorized secrets, verifiers SHOULD compare the prospective secrets against a dictionary of known commonly-used and/or compromised values. This list SHOULD include passwords from previous breach corpuses, as well as dictionary words … Continue reading

Posted in Computer, Murmuring, Network, Security | Tagged , , | Leave a comment