Sign in to follow this  
Followers 0
howyadoin

Nice backboor vulnerability to access many web accounts

14 posts in this topic

You recall how Sarah Palin got her account hacked? FYI - The person did by way of finding the answers to her security questions and simply entered these on the login form, had her password emailed to him and viola- he was in.

I know everyone here is probably aware of this hack.

I'm bringing it up because it makes for interesting discussion.

I'll start with this : I can't believe that nearly every account on the internet offers this "security feature" (which may I add, is an oxy moron!!! :D ). And funnier yet it's required on some places as part of the sign up process. I'm also amazed at how many people actually use this "feature". Haha, it makes me laugh to know that this easy backdoor exists and is sooo common place, making it a field day for anyone who wants to hack their targets account(s). It blows my mind away in amazement actually :o . I can't believe it - they all try so hard to "secure" their accounts but have this there????? In fact, this technique provides people the poor mans way of carding- instead of buying skimming equipment, you can do it free via this method (though the security question feature is not used by some banks)- true you won't get access to as many accounts, but when you're on a budget, you'll take what you can get. But all the other types of internet accounts.. many have this but shouldn't.

Someone needs to bitchslap all of them intellectually with the truth that it offers no security in many cases and the "why" in why this is so (that is, when they're the talkative type who talks about themselves and their life on the internet- wait a minute, if they even leave things in their trash with like say their dogs name, what high school they attended etc you can simply pick their trash and get these this way- uh oh for them... little do they know, I can look up their posts and pick their trash and piece together the answers to their security questions cause they've spilled the beans in their posts and their trash without knowing it!). At least I'm smarter than them, if I'm ever required to select a dumb security question and answer, do you all think I actually answer the truth to any of those questions??? I'm not that ignorant... I make up random shit and make that my answer and it's never the same answer twice... I also never post these answers anywhere on the internet nor can they be found in my trash (lest it's picked for info).

Frankly, since this is a nasty backdoor way into someones account(s), it should be discontinued by everyone, but it won't be any time soon - they're slow learners.

Amazing ignorance out there to leave this hole open.. :o:o:o:huh:

P.S. That's why I've been thinking everyone out there is not shredding enough- it should even include anything that reveals anything at all about you and your life, right down to the name of your damn dog. Sorry people out there, you're a damn easy hack still though you ignorantly think your trash is "safe"... haha, NOT. No wonder since I came into this hobby in the 80's, I've been shredding everything- even a simple paper with my dogs name written on it (btw, I may have a dog or not, I'm not saying.. haha)- I've always known better than to leave anything readable thrown away... I don't care if it's only a note to call my grandma and discuss what to have for dinner- and this isn't paranoia gone overboard, it's just that someone can collect notes like this and others I think are ok to toss and piece them all together and have quite a good picture of personal life, my dogs/pets name, the road on where I grew up on, my high school (and thus that schools mascot name can be had easily), my first roommates name, and so on. Most of know, I presume, to hack someone many times you have to do just what I said, follow and research your target for a period of time, gather the bits and pieces of info together to form a picture of your target and then...slam, they get hit. So, therefore, this is not paranoia, but being aware of commonly used hacking techniques (just saying this in case anyone came back with a "Boy, are you paranoid." remark).

0

Share this post


Link to post
Share on other sites

So you invent answers that are either nonsensical or completely false. No amount of research will ever determine the answer to the security question.

0

Share this post


Link to post
Share on other sites

Recognizing that sometimes it would be nice not to be locked out of an account that only has the security question as the secondary form of authentication, in the past I've done things like using the md5 or sha1 hash of the actual answer, trusting myself to remember the process if somehow I lose the password, and at least adding an additional layer someone would have to guess (the fact that it is long makes it so that it can't be bruteforced or wordlisted).

The one that always cracks me up is the "last 4 digits" option. Supposing that the person answered this one honestly there are only 10000 possible combinations. Without a system that limits the number of guesses, this might as well say "The password is: god".

0

Share this post


Link to post
Share on other sites
So you invent answers that are either nonsensical or completely false. No amount of research will ever determine the answer to the security question.

Correct.

And, the only place I store passwords to accounts is on a paper which is filed in a not so obvious place in a file box-and the file box as I call it isn't a file box at all, but something not normally used to file stuff (also for security reasons, to not apepar obvious). The file box does not have anything dumb like an index tab separator which reads "passwords" or "accounts" etc. In fact, I store many PC related things in this box and none of it has index tab separators with obvious names (for security, so if someone comes looking, it'll appear to be an innocent file box of nothing computer/accounts related). But it's easy for me to recall the name of where the password/accounts paper is, thus haven't had one instance of forgetting or losing anything yet. Plus, if it comes down to it and I lost the entire file box (only could happen while moving to another residence, and if I were that unorganized and careless), I'd rather lose it and have to make new accounts all over than get a massive hacker attack and its consequences- this the lessor of 2 evils.

Speaking of getting attacked by hackers, which is why I'm so careful, this wouldn't be needed except for the fact I've seen and read some hackers attack their own :huh: ... go figure. So, I'm careful.

0

Share this post


Link to post
Share on other sites
The one that always cracks me up is the "last 4 digits" option. Supposing that the person answered this one honestly there are only 10000 possible combinations. Without a system that limits the number of guesses, this might as well say "The password is: god".

I agree.

0

Share this post


Link to post
Share on other sites

I used to write my passwords down on paper to, but now use keepass or keepassx,

The search function on it works great..

0

Share this post


Link to post
Share on other sites

Just use the regular answer, hashed with something like MD5. That will throw most people off.

Edited by tekio
0

Share this post


Link to post
Share on other sites

There are systems that still allow unlimited guesses? I must be living in a cave!

0

Share this post


Link to post
Share on other sites
So you invent answers that are either nonsensical or comply false. No amount of research will ever determine the answer to the security question.

ye, whata logic xD

0

Share this post


Link to post
Share on other sites
So you invent answers that are either nonsensical or comply false. No amount of research will ever determine the answer to the security question.

ye, whata logic xD

How did you also manage to get a spelling error in my quoted post? :huh:

edit: Unless you were evidencing that spelling shit rong is also a good method. Oh, ok, nice! :voteyes:

Edited by decoder
0

Share this post


Link to post
Share on other sites
I used to write my passwords down on paper to, but now use keepass or keepassx,

The search function on it works great..

I have keepass on a flash drive but keep forgetting to use it.. go figure. Your post reminded me, thanx. :)

Ugg.. now I have to add lots of passwords and usernames to my Keepass.. now look at what you started for me Swerve- all that work, it's your fault. Hahaha, jk. :lol: LOL.

:D

Just use the regular answer, hashed with something like MD5. That will throw most people off.

Hmmm... I'd add that to what I'm doing but don't know how or where to start. But, in light of what I just found here, Reverse MD5 hash lookup, I don't know if it's so great. :o

Well, than again... maybe I'll take that back. I just tried "reverse md5 hash lookup" on several pieces of text and kept getting this back as a response :

Results

The given MD5 hash reverses to:

[object HTMLCollection]

I'm wondering if that site keeps putting this up unintentionally. Isn't the point to give you the actual text it's hiding? Hmmm... perhaps the site has an bug going on... hmmm..........

Makes me wonder about other online tools like this... hmm....

Edit : Had to add new part about the apparent bug in the online reverse hash tool. And btw, there ARE other online encrypt/decrypt md5 tools, like this HERE and I tested this and this one WORKED. So much for MD5, uh oh....

Do you realize there's probably more tools to decrypt OTHER encrytpion... well, now that does it! I'm making a list of this shit and makes me wonder about the greatness of encryption I've heard about..arg. Oh, then again.. I tested it more and see if I encrypt using one sites tool and decrypt on another site, it can't be found there.. hmm...very funny.

Edited by totallyAunti
0

Share this post


Link to post
Share on other sites
Just use the regular answer, hashed with something like MD5. That will throw most people off.

Hmmm... I'd add that to what I'm doing but don't know how or where to start. But, in light of what I just found here, Reverse MD5 hash lookup, I don't know if it's so great. :o

Well, than again... maybe I'll take that back. I just tried "reverse md5 hash lookup" on several pieces of text and kept getting this back as a response :

Results

The given MD5 hash reverses to:

[object HTMLCollection]

I'm wondering if that site keeps putting this up unintentionally. Isn't the point to give you the actual text it's hiding? Hmmm... perhaps the site has an bug going on... hmmm..........

Makes me wonder about other online tools like this... hmm....

Edit : Had to add new part about the apparent bug in the online reverse hash tool. And btw, there ARE other online encrypt/decrypt md5 tools, like this HERE and I tested this and this one WORKED. So much for MD5, uh oh....

Do you realize there's probably more tools to decrypt OTHER encrytpion... well, now that does it! I'm making a list of this shit and makes me wonder about the greatness of encryption I've heard about..arg. Oh, then again.. I tested it more and see if I encrypt using one sites tool and decrypt on another site, it can't be found there.. hmm...very funny.

First - The point of MD5-ing your answer isn't to make it unknowable, it's to make it damn near impossible to guess. Sure if someone knew the answer for you, and knew what encryption scheme you used, they could reset your password, but they shouldn't and that's where the extra layer of security comes in to play.

Second - How are they going to reverse the MD5 hash if they don't have the hash in the first place? If they had the hash, there would be no reason to reverse it.

Third - Yes, there are 'problems' with MD5 relating to collisions which make it possible to break it faster than it was previously thought, and while it is no longer as computationally secure as one would hope and we should begin moving away from it, that really isn't the point here.

Fourth - The online tools you found are just using lookup tables to find the precomputed plaintext:hash key pair. Prove me wrong, prove to me that these tools are really somehow instantly reversing MD5 - 8b760484d5383ebf8f347a262142e5c1 or SHA1 - 81f10f4eddaba5f5e6650ab17064d36e05a3a13c (same plaintext)

Edited by n3xg3n
0

Share this post


Link to post
Share on other sites
I used to write my passwords down on paper to, but now use keepass or keepassx,

The search function on it works great..

For you and everyone here...

Speaking of what keepass does which is encrypting your usernames and passwords, I have a free program that is an add-on for browsers and it encrypts all the text you type on web pages, whether it's a post you're typing in here or typing in usernames and passwords some place - it literally encrypts everything you type, even if you type in a search into Google. And you can see it happen in real time in a small window which you can position anyplace in your window. I like having it for security so I'd thought I'd share it with you all. Here it is :

KeyScrambler

Download.com's program description is :

Program price : Free

KeyScrambler Personal 2.4.1.1

OS supported : Windows 2003, Windows Vista, Windows Server 2008, Windows 2000, Windows 7, Windows XP

KeyScrambler Personal is a free plug-in for your Web browser that protects everything you type from keyloggers. It defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable. Unlike anti-virus and anti-spyware programs that depend on recognition to remove keyloggers that they know about, KeyScrambler will protect you from both known and unknown keyloggers. What's more, KeyScrambler provides protection without getting in your way. You don't have anything to learn about the program and you don't have to do anything differently, but with KeyScrambler your important personal information will be a whole lot safer.

-------------------------------

:P

0

Share this post


Link to post
Share on other sites
Just use the regular answer, hashed with something like MD5. That will throw most people off.

Hmmm... I'd add that to what I'm doing but don't know how or where to start. But, in light of what I just found here, Reverse MD5 hash lookup, I don't know if it's so great. :o

Well, than again... maybe I'll take that back. I just tried "reverse md5 hash lookup" on several pieces of text and kept getting this back as a response :

Results

The given MD5 hash reverses to:

[object HTMLCollection]

I'm wondering if that site keeps putting this up unintentionally. Isn't the point to give you the actual text it's hiding? Hmmm... perhaps the site has an bug going on... hmmm..........

Makes me wonder about other online tools like this... hmm....

Edit : Had to add new part about the apparent bug in the online reverse hash tool. And btw, there ARE other online encrypt/decrypt md5 tools, like this HERE and I tested this and this one WORKED. So much for MD5, uh oh....

Do you realize there's probably more tools to decrypt OTHER encrytpion... well, now that does it! I'm making a list of this shit and makes me wonder about the greatness of encryption I've heard about..arg. Oh, then again.. I tested it more and see if I encrypt using one sites tool and decrypt on another site, it can't be found there.. hmm...very funny.

First - The point of MD5-ing your answer isn't to make it unknowable, it's to make it damn near impossible to guess. Sure if someone knew the answer for you, and knew what encryption scheme you used, they could reset your password, but they shouldn't and that's where the extra layer of security comes in to play.

Second - How are they going to reverse the MD5 hash if they don't have the hash in the first place? If they had the hash, there would be no reason to reverse it.

Third - Yes, there are 'problems' with MD5 relating to collisions which make it possible to break it faster than it was previously thought, and while it is no longer as computationally secure as one would hope and we should begin moving away from it, that really isn't the point here.

Fourth - The online tools you found are just using lookup tables to find the precomputed plaintext:hash key pair. Prove me wrong, prove to me that these tools are really somehow instantly reversing MD5 - 8b760484d5383ebf8f347a262142e5c1 or SHA1 - 81f10f4eddaba5f5e6650ab17064d36e05a3a13c (same plaintext)

Apparently the hash would have to be in their database which is highly unlikely as I've now seen. Example, the MD5 you gave above produced this result on one site :

Results

Md5 Hash: 8b760484d5383ebf8f347a262142e5c1

A decryption for this hash wasn't found in our database

I can see why I questioned it's security as I had since I'm somewhat new to encryption and this is what had me incorrectly thinking the wrong thing when I came across the online tools. I've since changed my mind.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0