Hacker hits Symantec and accesses passwords


 
 

 1 month ago '15        #1


Putin~Work 3608 heat pts3608
 

 
Security firm Symantec was attacked by a hacker back in February, but the company did not reveal details of the incident.

The attack has been brought to light by Guardian Australia which has seen some of the data extracted by hackers. This comprises not only passwords, but what is thought to be a list of Symantec clients -- including government agencies. But Symantec is downplaying the data breach, dismissing it as a "minor incident".

Symantec says that it did not go public about the incident because it came to the conclusion that the hacker only attacked a data lab that was not connected to its corporate network. The company says that "no sensitive personal data was hosted in or extracted from this demo lab, nor were Symantec’s corporate network, email accounts, products or solutions compromised".

Guardian Australia reports that the attack was carried out by the same hackers said to be responsible for medical data that was available for sale on the dark web.

In the February incident, the hacker was able to access what appeared to be a list of clients using Symantec's CloudSOC services, account managers and account numbers. The security firm says that the data was "not used for production purposes" and was made of "dummy e-mails and a small number of low-level and non-sensitive files for demonstration purposes".

Included in the list of clients are police, government agencies, banks and large companies, but Symantec says: "This is an old list of some of the largest public and private entities in Australia -- it was in the environment for testing purposes. These entities are not necessarily Symantec customers, nor do we necessarily host services for them".

In a statement the company also said:

Consistent with our internal policies and guidance, which align with national and international data protection laws, no sensitive personal data or information has been disclosed that would trigger any regulatory obligations, but Symantec will continue to take appropriate remediation efforts if the situation changes.
visit this link https://betanews.com/2019 .. symantec-hack/
+4   



 

 1 month ago '10        #2
jhust4ever 34 heat pts34
I've never trusted a password manager.
+7   

 1 month ago '18        #3
GustavoB88 2 heat pts
The iron knee
+4   

 1 month ago '16        #4
00010111 131 heat pts131
 jhust4ever said
I've never trusted a password manager.
Where do you store your passwords?
+2   

 1 month ago '12        #5
daman729 27 heat pts27
This is the downside of using password managers, cloud services, etc. People actually think their data is more secure being stored on the cloud and these other backup services lol. If anything, it can actually make you more vulnerable.
+7   

 4 weeks ago '16        #6
00010111 131 heat pts131
 daman729 said
This is the downside of using password managers, cloud services, etc. People actually think their data is more secure being stored on the cloud and these other backup services lol. If anything, it can actually make you more vulnerable.
There are several password managers that are stored/encrypted locally. Hosting your valuable data 'in the cloud' will always leave you vulnerable.

I'm curious about dude who says that he doesn't use password managers though.

 4 weeks ago '10        #7
jhust4ever 34 heat pts34
 00010111 said
Where do you store your passwords?
Encrypted text files
+1   

 4 weeks ago '16        #8
00010111 131 heat pts131
 jhust4ever said
Encrypted text files
So a password protected file.

How is that different from a locally stored password manager?

 4 weeks ago '07        #9
ericsupreme 
 daman729 said
This is the downside of using password managers, cloud services, etc. People actually think their data is more secure being stored on the cloud and these other backup services lol. If anything, it can actually make you more vulnerable.
that's why dlt's like blockchain etc will change the game

 3 weeks ago '04        #10
eazyvaboy 72 heat pts72
 00010111 said
Where do you store your passwords?
I don't use password managers either. They are not secure.

I store my sentence hints in an encrypted text file.

This is not what I actually use but this is an example:

Say for everything, you are going to add:

" I like" to the beginning and

"A lot" to the end

This will be the standard prefix and suffix of all of your password adding upper/lower/special characters and numbers.

!L1k3 password A!0t

Your password hint in my encrypted file will be first team upper. This means first team in NBA/NFL/NHL (city) in alphabetical order in upper case. You pick the sport. Only you would know. This would mean:

1st team upper = !Lik3ATLANTAA!0t

2nd team lower = !Lik3bostonA!0t

So in my encrypted file, you would only see things like

Bank password = 4th team lower

ECampus password = 6th team upper

This takes away the inherent vulnerability of password complexity forgetfulness and passwords are not vulnerable to brute force attacks. Plus if you get my encrypted password file, you would not be getting anything of use.

+7   

 3 weeks ago '17        #11
Wavie Crockett 2 heat pts
 eazyvaboy said
I don't use password managers either. They are not secure.

I store my sentence hints in an encrypted text file.

This is not what I actually use but this is an example:

Say for everything, you are going to add:

" I like" to the beginning and

"A lot" to the end

This will be the standard prefix and suffix of all of your password adding upper/lower/special characters and numbers.

!L1k3 password A!0t

Your password hint in my encrypted file will be first team upper. This means first team in NBA/NFL/NHL (city) in alphabetical order in upper case. You pick the sport. Only you would know. This would mean:

1st team upper = !Lik3ATLANTAA!0t

2nd team lower = !Lik3bostonA!0t

So in my encrypted file, you would only see things like

Bank password = 4th team lower

ECampus password = 6th team upper

This takes away the inherent vulnerability of password complexity forgetfulness and passwords are not vulnerable to brute force attacks. Plus if you get my encrypted password file, you would not be getting anything of use.

+2   

 3 weeks ago '06        #12
~ KiLLa KaZi ~ 
 eazyvaboy said
I don't use password managers either. They are not secure.

I store my sentence hints in an encrypted text file.

This is not what I actually use but this is an example:

Say for everything, you are going to add:

" I like" to the beginning and

"A lot" to the end

This will be the standard prefix and suffix of all of your password adding upper/lower/special characters and numbers.

!L1k3 password A!0t

Your password hint in my encrypted file will be first team upper. This means first team in NBA/NFL/NHL (city) in alphabetical order in upper case. You pick the sport. Only you would know. This would mean:

1st team upper = !Lik3ATLANTAA!0t

2nd team lower = !Lik3bostonA!0t

So in my encrypted file, you would only see things like

Bank password = 4th team lower

ECampus password = 6th team upper

This takes away the inherent vulnerability of password complexity forgetfulness and passwords are not vulnerable to brute force attacks. Plus if you get my encrypted password file, you would not be getting anything of use.

Good sh*t but if the site gets hacked and uses some fu*ked up hashing algo then you could still be sh*t outta luck .. there's millions of rules you can apply when decrypting db's and passfiles ..

!Lik3bostonA!0t

Rules:

! = prepend "!"

Lik3 = l33tspeak --> e = 3

boston = boston

A!0t = l33tspeak --> l = ! o = 0

having words/phrases like "ilikebostonalot" in a dict file can easily turn into !Lik3bostonA!0t when you have special rules to apply

whenever *possible try to use ":" since most of the time when we decrypt the files they will be in "username:hashedpwd" format .. if you use a : it will throw it off for some but experienced decrypters can spot it .. if you can use spaces then that can be good too (but a lot of sites don't allow it)

the real issue is most ppl are lazy and use the same password for every site .. and a lot of sites still store their sh*t in plaintext so even if you have a super complex password it won't do you any good ESPECIALLY if you use the same password on another site

ppl think their sh*t is safe because it has special characters but little do they know some sites stores the sh*t in plaintext so no decryption is even needed smh


[pic - click to view]



[pic - click to view]



the best part about these "complex" passes is that I can generate NEW rules to apply to other hashed passwords and the decryption success rate shoots up like a muthaphucka
+4   

 3 weeks ago '04        #13
TBX 32 heat pts32
Some peeps with experience in here eh, good discussion

I do encrypted file on an encrypted cold storage drive, doesn't come near a network

But really your sh*t is only as safe as whoever is hosting it
+2   

 3 weeks ago '09        #14
messy marv stan 5404 heat pts5404
i never write down passwords or use any password manager
+1   

 3 weeks ago '04        #15
eazyvaboy 72 heat pts72
 ~ KiLLa KaZi ~ said
Good sh*t but if the site gets hacked and uses some fu*ked up hashing algo then you could still be sh*t outta luck .. there's millions of rules you can apply when decrypting db's and passfiles ..

!Lik3bostonA!0t

Rules:

! = prepend "!"

Lik3 = l33tspeak --> e = 3

boston = boston

A!0t = l33tspeak --> l = ! o = 0

having words/phrases like "ilikebostonalot" in a dict file can easily turn into !Lik3bostonA!0t when you have special rules to apply

whenever *possible try to use ":" since most of the time when we decrypt the files they will be in "username:hashedpwd" format .. if you use a : it will throw it off for some but experienced decrypters can spot it .. if you can use spaces then that can be good too (but a lot of sites don't allow it)

the real issue is most ppl are lazy and use the same password for every site .. and a lot of sites still store their sh*t in plaintext so even if you have a super complex password it won't do you any good ESPECIALLY if you use the same password on another site

ppl think their sh*t is safe because it has special characters but little do they know some sites stores the sh*t in plaintext so no decryption is even needed smh


[pic - click to view]



[pic - click to view]



the best part about these "complex" passes is that I can generate NEW rules to apply to other hashed passwords and the decryption success rate shoots up like a muthaphucka
I feel what you are saying. I appreciate the response and I respect your knowledge but I will have to respectfully disagree. If we are talking about Web applications, it is very unfeasible that this is susceptible to a dictionary attack for two reasons:

Before we even get into that keep in mind that you can't use the term decryption when talking about hashing and secure cryptographic hashes because they are two different things. Hashing is not encryption. Encryption allows you to decrypt if you have the key or decryption mechanism. This is a two-way function. Hashing is a one-way function meaning that once you use a secure hash (not lanman or MD5 but like with current secure SHAs such as SHA256/SHA512), it is close to mathematically impossible that you cannot get the original value from the hashed value. This is the property of pre-image resistant. You would have to rainbow table or use a reverse hash lookup table (hashing version of dictionary file) with the known hash algorithm to pass a known file pass the hash to see if they match the value stored in the password database and even with that... More below on that.

I have worked for a few large companies and I have never seen one that stores the password in cleartext in today's day and age. That wouldn't pass ISO 27001 or NIST 800-53. But for this example, let's assume that they do.

First when you say, whenever *possible try to use ":" since most of the time when we decrypt the files they will be in "username:hashedpwd" format. This is absolutely incorrect from what I have seen. The picture you have is not how enterprise Web applications like Facebook, Yahoo, IG, banks, etc. store their passwords. Maybe 10-15 years ago but software developers and security practitioners are way past this. Username is a different column (or sometimes even different database) using ID as primary key linking it to the respective password. So you have to inner join the FK in the database if you can put the ID with the username. Let me know if you haven't seen this and I can post a picture of this for you.

Second, a dictionary attack means that there is a file that already has these passwords presaved so ilikebostonalot would at least have to be in the dictionary file before the prepend could occur. Now when you start talking about prepend, you are talking unmasking my prefix of the root pass. But if you look at my example, I have a prefix and a suffix so you would have to prepend AND append. !Lik3 as well as A!0t

So you would need a hybrid dictionary attack with the ability to append/prepend a brute-force mask. If you are doing this, this using 76 billion cycles per second (76,000,000,000 c/s) on a password 15 characters long (like my example) with just letters and numbers and no special characters this is a few days per password. When you add special characters in, this increases to years.

That is not even taking into account hashed passwords like SHA512, or salting which is industry standard. Salting along with peppering for military and industry trade secrets.

Finally, you are also giving an example of what is called an "offline attack". This is not something that occurs over the Web. This happens when someone can get ahold of the entire password file or download this from the DB and run this attack against it. Online, this can be accomplished through an SQL injection query of an unprotected database or a privilege escalation (amongst other things) but this is not as feasible to do this over a secure Web layer because security functions such as request throttling and other stuff will slow this down. Not saying these can't be broken but that is not the way it's done for Web applications.


Last edited by eazyvaboy; 06-29-2019 at 04:15 PM..
+4   
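
The search-space arithmetic behind the estimates in the posts above, as an added example that is not part of the thread. It uses the 76 billion guesses per second quoted in the post; the slow-hash rate, the wordlist sizes and the league and team counts are assumptions chosen only to show orders of magnitude.

```python
import math

FAST_HASH_RATE = 76_000_000_000  # guesses/s: the figure quoted in the post above
SLOW_HASH_RATE = 10_000          # guesses/s: assumed rate against a tuned slow KDF

UNITS = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("seconds", 1))


def blind_space(length: int, alphabet: int) -> int:
    """Candidates for a brute force that knows nothing about the structure."""
    return alphabet ** length


def pattern_space(phrases: int, roots: int, variants: int) -> int:
    """Candidates when the guesser models 'phrase + root word + mangling'."""
    return phrases * roots * variants


def sibling_space(leagues: int, teams: int, cases: int) -> int:
    """Candidates for another site's password once one password built with
    the same fixed prefix and suffix is known (for example from a site that
    stored it in plaintext): only the team and the case still vary."""
    return leagues * teams * cases


def duration(space: int, rate: int) -> str:
    """Worst-case time to try every candidate, in the largest fitting unit."""
    seconds = space / rate
    for unit, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return "under a second"


def compare() -> dict:
    """Bits of search space and exhaustion time for each guessing model."""
    models = {
        "blind, 15 chars, letters+digits": blind_space(15, 62),
        "blind, 15 chars, printable ASCII": blind_space(15, 95),
        # Assumed sizes: 1M phrase templates, 100k root words, 10k variants.
        "pattern-aware (assumed list sizes)": pattern_space(10**6, 10**5, 10**4),
        # Assumed: 3 leagues, about 30 teams each, upper or lower case.
        "sibling password after one leak": sibling_space(3, 30, 2),
    }
    return {
        name: {
            "bits": round(math.log2(space), 1),
            "fast_hash": duration(space, FAST_HASH_RATE),
            "slow_hash": duration(space, SLOW_HASH_RATE),
        }
        for name, space in models.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:36} {row['bits']:>5} bits  "
              f"fast: {row['fast_hash']:>26}  slow: {row['slow_hash']}")
```

Length and character classes only count at face value against a blind search; what the password is built from, and how expensive the site's hash is per guess, dominate the other rows.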

 3 weeks ago '06        #16
~ KiLLa KaZi ~ 
 eazyvaboy said
I feel what you are saying. I appreciate the response and I respect your knowledge but I will have to respectfully disagree. If we are talking about Web applications, it is very unfeasible that this is susceptible to a dictionary attack for two reasons:

Before we even get into that keep in mind that you can't use the term decryption when talking about hashing and secure cryptographic hashes because they are two different things. Hashing is not encryption. Encryption allows you to decrypt if you have the key or decryption mechanism. This is a two-way function. Hashing is a one-way function meaning that once you use a secure hash (not lanman or MD5 but like with current secure SHAs such as SHA256/SHA512), it is close to mathematically impossible that you cannot get the original value from the hashed value. This is the property of pre-image resistant. You would have to rainbow table or use a reverse hash lookup table (hashing version of dictionary file) with the known hash algorithm to pass a known file pass the hash to see if they match the value stored in the password database and even with that... More below on that.

I have worked for a few large companies and I have never seen one that stores the password in cleartext in today's day and age. That wouldn't pass ISO 27001 or NIST 800-53. But for this example, let's assume that they do.

First when you say, whenever *possible try to use ":" since most of the time when we decrypt the files they will be in "username:hashedpwd" format. This is absolutely incorrect from what I have seen. The picture you have is not how enterprise Web applications like Facebook, Yahoo, IG, banks, etc. store their passwords. Maybe 10-15 years ago but software developers and security practitioners are way past this. Username is a different column (or sometimes even different database) using ID as primary key linking it to the respective password. So you have to inner join the FK in the database if you can put the ID with the username. Let me know if you haven't seen this and I can post a picture of this for you.

Second, a dictionary attack means that there is a file that already has these passwords presaved so ilikebostonalot would at least have to be in the dictionary file before the prepend could occur. Now when you start talking about prepend, you are talking unmasking my prefix of the root pass. But if you look at my example, I have a prefix and a suffix so you would have to prepend AND append. !Lik3 as well as A!0t

So you would need a hybrid dictionary attack with the ability to append/prepend a brute-force mask. If you are doing this, this using 76 billion cycles per second (76,000,000,000 c/s) on a password 15 characters long (like my example) with just letters and numbers and no special characters this is a few days per password. When you add special characters in, this increases to years.

That is not even taking into account hashed passwords like SHA512, or salting which is industry standard. Salting along with peppering for military and industry trade secrets.

Finally, you are also giving an example of what is called an "offline attack". This is not something that occurs over the Web. This happens when someone can get ahold of the entire password file or download this from the DB and run this attack against it. Online, this can be accomplished through an SQL injection query of an unprotected database or a privilege escalation (amongst other things) but this is not as feasible to do this over a secure Web layer because security functions such as request throttling and other stuff will slow this down. Not saying these can't be broken but that is not the way it's done for Web applications.
Preciate the reply

Do you know any exploiters/hackers/crackers and deal with them daily? Trust when I say a lot of sites are still storing their stuff in plaintext (you'd be surprised honestly) .. All day everyday all I see is sites being hacked/dumped -- databases/passfiles being leeched and posted so we can crack em .. my GPU's never get a break .. When you are cracking hashes the files can be formatted a number of ways .. you can crack em by using only the hash itself " b4ad7dd6e021aec6e17f7af7615dac19:jCB:W}~[4nxZ`OtPRVVdpZ?;"axg(I ".. or they can be in username:hashedpwd format like " eazyvaboy:b4ad7dd6e021aec6e17f7af7615dac19:jCB:W}~[4nxZ`OtPRVVdpZ?;"axg(I " .. that is how they will be formatted AFTER we extract the columns we want from the sql file (can use SQLRiP for that) .. you can use any delimiter u want but most of the time it'll be ":" .. that's why I said if you use a ":" in your password it will throw hashcat off because it will see "2 delimiters"

Yea, that's what I said .. if a dict file already has "ilikebostonalot" in it then all you have to do is create a rule/multi-rule to replace certain characters/uppercase/lower etc .. you'd have to be familiar with Hashcat to understand how it works tho .. even if I didn't have "ilikebostonalot" in a dict I could still have "ilikealot" in there and make a rule that will insert all types of random names/countries/sports teams/cities into that after the "ilike" part .. ex. "ilikeatlantaalot" then have another rule that will turn that into "l33tsp34k" .. rules can basically cut out the hybrid attack methods (you can still have good success rate with Hybrid but I rarely use it)

That's why I said IF they used a "fu*ked up hashing algo" (meaning something stupid like SHA1-256/MD5 .. basically any fast algo) then you'd be fu*ked .. something like bcrypt you can forget about it .. even SHA512 can be a lil tough if you have a lot of hashes to crack

and yea of course its an offline attack .. find a way in .. lay low .. shell that sh*t .. lay low again .. then leech the db/pf whenever you're ready .. load up 8 1080 TI's and go to work :)

There are soo many sites that are hacked/shelled (maybe even this one ;)) right now and they don't even know it .. and even when they find out they usually won't say anything for months .. damage is done by then :)

good talk tho, bruh .. knowledge is power
+3   

 3 weeks ago '04        #17
eazyvaboy 72 heat pts72
 ~ KiLLa KaZi ~ said
Preciate the reply

Do you know any exploiters/hackers/crackers and deal with them daily? Trust when I say a lot of sites are still storing their stuff in plaintext (you'd be surprised honestly) .. All day everyday all I see is sites being hacked/dumped -- databases/passfiles being leeched and posted so we can crack em .. my GPU's never get a break .. When you are cracking hashes the files can be formatted a number of ways .. you can crack em by using only the hash itself " b4ad7dd6e021aec6e17f7af7615dac19:jCB:W}~[4nxZ`OtPRVVdpZ?;"axg(I ".. or they can be in username:hashedpwd format like " eazyvaboy:b4ad7dd6e021aec6e17f7af7615dac19:jCB:W}~[4nxZ`OtPRVVdpZ?;"axg(I " .. that is how they will be formatted AFTER we extract the columns we want from the sql file (can use SQLRiP for that) .. you can use any delimiter u want but most of the time it'll be ":" .. that's why I said if you use a ":" in your password it will throw hashcat off because it will see "2 delimiters"

Yea, that's what I said .. if a dict file already has "ilikebostonalot" in it then all you have to do is create a rule/multi-rule to replace certain characters/uppercase/lower etc .. you'd have to be familiar with Hashcat to understand how it works tho .. even if I didn't have "ilikebostonalot" in a dict I could still have "ilikealot" in there and make a rule that will insert all types of random names/countries/sports teams/cities into that after the "ilike" part .. ex. "ilikeatlantaalot" then have another rule that will turn that into "l33tsp34k" .. rules can basically cut out the hybrid attack methods (you can still have good success rate with Hybrid but I rarely use it)

That's why I said IF they used a "fu*ked up hashing algo" (meaning something stupid like SHA1-256/MD5 .. basically any fast algo) then you'd be fu*ked .. something like bcrypt you can forget about it .. even SHA512 can be a lil tough if you have a lot of hashes to crack

and yea of course its an offline attack .. find a way in .. lay low .. shell that sh*t .. lay low again .. then leech the db/pf whenever you're ready .. load up 8 1080 TI's and go to work :)

There are soo many sites that are hacked/shelled (maybe even this one ;)) right now and they don't even know it .. and even when they find out they usually won't say anything for months .. damage is done by then :)

good talk tho, bruh .. knowledge is power
Thanks for the reply. I appreciate your knowledge. I will take your word for it that plenty of sites are still storing their stuff in plaintext but I can't imagine any Fortune 1000 or below are doing it. Finding a site using an NTLM or an MD5 hash is like finding a priceless artifact in a pawnshop. I've consulted for a ton of companies and I haven't come across one yet. I'm sure there are some rinky dink and low risk low reward places still doing it but I don't know anyone that knows anyone that knows anyone that has come across this on a company with stuff to lose. The most high risk I would see having this would be local and state governments because they have important information but not enough budget to hire the correct expertise. And remember, the sports teams analogy was just a very generic example to explain how to make a strong password out of a sentence. Generally, someone would use something else but even with this, this still requires a lot of assumptions to work.

- You can get password file offline
- It has a weak hash algorithm
- You have to actually know the hash algorithm with hashcat because you have to specify the hash algorithm you will try to attack the password file with along with choosing the attack mode and rules (Yes, I am familiar with hashcat and the more rules/multirules you choose, the longer it will take). You are doing these rules typically on a file. Unless you have a high-value target with specific info, you are not going to know which particular one to drill down into.
- It is in your dictionary file.

And with hashcat, if you are going to do a rule based attack and you would do whichever compatible function/rule upper, lower, inverse, capitalize, with whatever rejects and to the Nth on the entire file but with 15 and special characters, I think I will be good.

Appreciate the conversation.
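
The storage side of the fast-hash versus slow-hash point made in the posts above, as an added example that is not part of the thread. It uses PBKDF2 from Python's standard library as the slow, salted hash (standing in for bcrypt, which is not in the standard library); the iteration count, the pepper value and the record format are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000                 # assumed work factor; tune to your hardware
PEPPER = b"constructed-demo-pepper"  # constructed value; a real pepper is a
                                     # secret kept outside the password database


def fast_unsalted(password: str) -> str:
    """The weak pattern: one fast hash, no salt. Equal passwords give equal
    digests, and each guess costs an attacker almost nothing."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"",
                  iterations: int = ITERATIONS) -> str:
    """Salted, peppered, deliberately slow hash in a self-describing record."""
    salt = salt or os.urandom(16)    # fresh random salt for every new record
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        scheme, iterations, salt_hex, _ = record.split("$")
        expected = hash_password(password, bytes.fromhex(salt_hex),
                                 int(iterations))
    except ValueError:               # malformed record
        return False
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(expected, record)


def seconds_per_hash(fn, password: str, repeats: int) -> float:
    """Average wall-clock cost of one call to fn(password)."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn(password)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    pw = "!Lik3bostonA!0t"           # the example password from the thread
    print("md5, user A:", fast_unsalted(pw))
    print("md5, user B:", fast_unsalted(pw), "(identical digest)")
    print("kdf, user A:", hash_password(pw))
    print("kdf, user B:", hash_password(pw), "(different salt and digest)")
    fast = seconds_per_hash(fast_unsalted, pw, 1000)
    slow = seconds_per_hash(hash_password, pw, 1)
    print(f"cost per guess: md5 {fast:.2e} s, kdf {slow:.2e} s, "
          f"ratio about {slow / fast:,.0f}x")
```

The per-record salt means two users with the same password get unrelated records and precomputed tables do not apply; the iteration count multiplies the cost of every guess against a dumped table.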


 1 week ago '06        #18
kgb 
good info in here. i don't trust pw managers.

 1 week ago '08        #19
cohs 10 heat pts10
Worked for a startup that was saving passwords plaintext. You’re doomed out there.
