Microsoft making US vulnerable not there self.

The world is growing faster in IT industry and the biggest IT company such as Microsoft, Apple, Google are in top five in vulnerability list of top ten by CVE

Vendor Name Number of Products Number of Vulnerabilities #Vulnerabilities/#Products 1 Microsoft 400 4103 10 2 Apple 101 2938 29 3 Oracle 256 2814 11 4 IBM 720 2575 4 5 Cisco 1292 2338 2 6 SUN 204 1617 8 7 Mozilla 21 1525 73 8 Google 44 1396 32 9 Adobe 97 1384 14 10 Linux 14 1335 95

with a number of vulnerability if we see as user prospective the scenario let us vulnerable not the Microsoft. Because actually we using there Services.

As Microsoft Disclosed Some vulnerability on 13 oct it make me surprise that with all these vulnerability the attacker can control our system, see our personal data, can get Admin rights and so on.

 1. MSI5-106- CRITICAL (Remote Code Execution).

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


2. MS15-108-CRITICAL (Remote Code Execution).

"This security update resolves vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that uses the IE rendering engine to direct the user to the specially crafted website."

3. MS15-109-CRITICAL (Remote Code Execution).

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online."

And Some impotent patch


4. MS15-107 -Impotent (Information Disclosure).

5. MS15-110 -Impotent (Remote Code Execution).

6. MS15-111- Impotent (Elevation of Privilege).

Brute Force Facebook Passwords (99% Working!)

Note: This Article Is Not For Noobs! Learners Are Welcomed! This Article Is For Educational Purposes Only, Any Misuse Of Information Given Below Is Prohibited! InfosecHacker Admin will not be responsible for Malfunctions Made by you.

Hi Guys! I am back with a fresh tutorial here, and this time its on hacking facebook! The method I am going to use here will be brute forcing, Using World’s Best Passwords Dictionary, CrackStation,
So, First lets know something about Brute force attacks,
“A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.”

But, In our case I’ll be using a Python script and a Long Dictionary Of passwords. I have personally tried it on myself and it really works .
Here’s the list of what we need:

• A Kali Machine / Or Any Python Engine Will work!
• Facebook.py ( v1 or v2 <v1 Recommended Because Not Used v2 yet!>)
• And, A FaceBook id Of course :p
• CrackStation Word List! (Download Here)

Now, Lets Start The Work!

step 1. Install Python-mechanize using command mention below

[*] root@root:~#apt-get install python-mechanize

step 2.

Add facebook.py using the command below

[*] root@root~# chmod +x facebook.py

[*] root@root:~# python facebook.py

step 3.
Now enter |Email| or |Phone number| or |Profile ID number| or |Username| of the victim,                                                                 You can use graph.facebook.com for more information!

Step 4 .
Now Give The Path Of Your CrackStation Word list !

step 5.
Now it will try all passwords present in the word list, So relax and have a cup of coffee because it will take time depending on speed of your processor and password strength of your victim!

 

Hope this article was helpful Any feedback or Questions? Leave a Comment And I’ll be Happy To Help

Collision Attack: Widely Used SHA-1 Hash Algorithm Needs to Die Immediately.

SHA-1 – one of the Internet's widely adopted cryptographic hash function – is Just about to Die.

Yes, the cost and time required to break the SHA1 algorithm have fallen much faster than previously expected.

According to a team of researchers, SHA-1 is so weak that it may be broken and compromised by hackers in the next three months.

The SHA-1 algorithm was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like other hash functions, SHA-1 converts any input message to a long string of numbers and letters that serve as a cryptographic fingerprint for that message.

Like fingerprints, the resulting hashes are useful as long as they are unique. If two different message inputs generate the same hash (also known as a collision), it can open doors for real-world hackers to break into the security of banking transactions, software downloads, or any website communication.

Collision Attacks on SHA-1

Researchers from the Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Nanyang Technological University in Singapore have published a paper that showed that SHA-1 is vulnerable to the same collision attacks, which they dubbed – Freestart Collision.

Collision attacks appear when the same hash value (fingerprint) is produced for two different messages, which then can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1.

Breaking SHA1 Now Costs between $75,000 and $120,000

Back in 2012, the well-known security researcher, Bruce Schneier estimated that it would cost $700,000 to carry out a collision attack on SHA1 by 2015 and just $173,000 by 2018.

However, based on new research, such attacks could be performed this year for $75,000 to $120,000 – thanks to a new graphics-card technique known as "boomeranging" that finds SHA1 collisions.

"Our new GPU-based projections are now more accurate, and they are significant below Schneier’s estimations," the research paper reads. "More worrying, they are theoretically already within Schneier estimated resources of criminal syndicates as of today, almost 2 years earlier than previously expected and 1 year before SHA-1 being marked as unsafe."

Move to SHA-2 or SHA-3 Before it Gets TOO Late

The published findings are theoretical and will not cause any immediate danger, but we strongly encourage administrators to migrate from SHA-1 to the secure SHA-2 or SHA-3 hash algorithms as soon as possible.

Administrators should consider the impact SHA-1 would have to their organization and plan for:

·         Hardware compatible with SHA-2/SHA-3

·         Server software updates supporting SHA-2/SHA-3

·         Client software support for SHA-2/SHA-3

·         Custom application code support for SHA-2/SHA-3

SHA-2 is developed by the NSA, whereas SHA-3 is developed by a group of independent researchers.

Reference:  http://thehackernews.com/