Lulzsec released information about their latest hack today. This time their victim was specialforces.com. As part of this attack they dumped the information of over 18,000 users which included usernames, email addresses and one or more passwords for each user.

After doing a quick clean up, sort and unique on the dirty password list I was able to extract just under 34,000 passwords from the list. The results below are taken directly from Pipal and have not been modified in any way.

Note: It’s likely there will be some incorrectly specified passwords in this list. I did give it a quick skim to remove the obvious, but I wasn’t going to run over each of the 33,881 entries to confirm.

Not surprisingly, special forces terminology appeared seven times (8 if you include Mike) out of the top 10 base words.

What did surprise me is how many people seem to use their sign up year as the last 4 digits of their password.

The password ‘!@#123QWEqwe’ also caught my attention. Obviously it looks pretty good but to me it’s the secure equivalent of ‘qwerty123456′. I’d be keeping an eye out for this one in any future analysis.

Update: Based on a comment by Robert Winkle below, I have added the stats for the non-uniqued password list as well. My original plan was to use the list as part of my private password list hence the need for uniquing, but as Robert correctly pointed out, the results are much more telling and interesting when based off the original list.

The line-up for Black Hat is looking damn impressive and I’m really looking forward to attending these briefings and learning from some of the masters of the industry.

Unfortunately the Defcon schedule hasn’t been released yet, but damn sure I’ll be impressed by the quality of the talent.

I’ll be tweeting about the event from my iphone as often as I can, so follow me @damiangrace to get live updates… and hey, there might even be some unsavoury pics if my phone/account gets hacked… ***

Let me know if you’re also attending and maybe we can catch up.

Additional Important Notes:

1) Yes I’m aware that using electrical devices at these conferences is crazy…

2) yes I’m crazy…

3) Yes I’ll be wearing my tin foil hat *thumbs up*

*** or I party too hard! 

Hacker attacks Victorian servers

http://www.zdnet.com.au/hacker-attacks-victorian-servers-339301026.htm

China spies suspected of hacking Julia Gillard’s emails

http://www.news.com.au/technology/federal-ministers-emails-suspected-of-being-hacked/story-e6frfrnr-1226029713668

So anyone connected to the internet is fair game, so the question becomes: How do I stop my company from being the next headline?

Glad you asked…

Enter SANS 504: Hacker Techniques, Exploits and Incident Handling course

SANS, one of the best known names in the IT security training arena, has a course dedicated to teaching IT staff how to understand what hacker are up and put in place measures to keep the company systems safe. SANS 504: Hacker Techniques, Exploits and Incident Handling course gives hands-on experience in understanding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan.

This course is being offered as a ten week Mentor lead course here in Sydney, this allow the attendees to gain the maximum study benefits while still having personal lives. It starts on the Thursday, June 2, 2011 and running each Thursday until August 4, 2011.

Learn and work through the SANS courseware with Chris Mohan, one of the few SANS’ GSE holders in the world and a handler at the Internet Storm Center, to help make the courseware relevant and of immediate use to you.

With the Australian dollar nearing an all-time high and using the code Mentor10 for an addition 10% off the course, SANS Security training has never been more cost effective and affordable!

Register here: http://www.sans.org/mentor/details.php?nid=24644

And just in case your company doesn’t think taking IT security is important, show your boss even the Australia’s spy agency ASIO gets cyber wing to protect the country. If the country needs protecting don’t you think your company does to?

http://news.smh.com.au/breaking-news-technology/australias-spy-agency-asio-gets-cyber-wing-20110311-1br4g.html

I think overall I was probably lucky to pass. I don’t do much reverse engineering as part of my daily duties so my experience in this area is basically nill. With that background I really should have been studying from July right up to the last possible moment to take the exam.

Anyway, I passed! Now only two more exams to do before xmas.

Help them help you by filling out the questionnaire. The need 5000 responses and at the time of writing have only received 231 so get cracking!

http://nmap.org/survey/

This time it was the SANS GIAC Web Application Penetration Tester (GWAPT) certification. I managed to scrape through with a 97.33% which I am pretty happy about

hmm, I just realised this is the first time in about 8 months I haven’t had a certification hanging over my head… hmm… all of a sudden I feel all alone… confused… lost… bored…

OK, now I have to find something else to do…

Suggestions anyone?

*  Bring a system compromised during testing with Metasploit into the IMPACT environment and deploy an IMPACT Pro Agent. The Agent is a patented, syscall proxy payload that allows users to:

1. Launch IMPACT Pro’s full range of automated penetration testing capabilities from the compromised system.
2. Leverage IMPACT’s broad selection of commercial-grade exploits, plus multiple pre- and post-exploitation capabilities for in-depth, comprehensive attack replication.
3. Pivot penetration tests to other systems, mimicking an attacker’s attempts at identifying and exploiting paths of weakness to backend systems and data.

* Use IMPACT Pro’s automated Rapid Penetration Test (RPT) to exploit vulnerabilities, then launch Metasploit’s db-autopwn feature and subsequently upload the results back into IMPACT Pro. This allows users with less training and expertise to view Metasploit testing information within the IMPACT environment.

I for one am looking forward to playing with this

Press Release

Blog Announcement

This site will be blacked out between now and the 29th of January 2010.

If you would also like to support the cause, visit www.internetblackout.com.au to find out how to black out your site.

I found it so worthwhile I’ve decided to give it a review. So let’s start from the start and I’ll give you as much detail as I think I am legally allowed.

Getting Access

First of all the sign up process is not quite what I have experienced with other certifications. I psyched myself up, sat down with my bosses’ credit card and was all ready to spend some of his money… but no… The guys at offensive-security don’t want your money straight off. Instead they email you with an openVPN configuration attachment with the purpose confirming that you can actually connect to their labs before taking your (or your bosses ) hard earned money.

Now a point of note for those located behind an Ironport Mail Gateway: I waited days for the response email and heard nothing. I was actually starting to get a rather cranky at their (lack of) service. I mean, I had employer dollars to spend. I managed to get in contact with them and deduced that Ironport* have given the Offensive-Security mail server IP a reputation of -3 which is well under our drop by reputation thresholds. After rearranging with them to send all correspondence to my Gmail account we were away.

The Course

So with email working and the VPN confirmed operational we arranged payment for the course (which again was a problem due to the credit card not being in my name… but we won’t go into that) and I got my material and 60 days lab time. What you actually get for your $700USD is quite impressive.

• One PDF containing the course lessons.
• One set of SWF video files where Muts walks you through all but the last few of the course modules.
• 24/7 access to the Labs for 60 days via VPN which is full of vulnerable devices to attack; and,
• Hours of guaranteed pain, suffering, joy, frustration and exhilaration.

The combination of these materials creates a very comprehensive learning environment. Overall there are 16 modules of delightfully wicked goodness. The PDF covers each of them in fair detail but the videos are the real meat of the course. Each module covers a specific aspect of penetration testing. These range from the information gathering stage, all the way to keeping access and rootkits.

Muts, through the videos, keeps you company as you make your way through the course material. He pushes you to learn more and he provides links to more information in case you would like to expand your knowledge in any of the areas that can’t be covered in depth through a 5 minute presentation. I found him to be very articulate and the videos are of quite high quality.

The videos only cover from chapters 1 – 13 and then you are left with the PDF to guide you through the rest. This turns out ok however as the last 3 modules are more of a brief and require more external reading through the provided links rather than the total immersion that is the previous modules.

Most modules allow for hands on practice through the labs. This was of the most benefit to me as this is how I learn best. Often I find you can read something that sounds simple and easy but when it comes to actually putting it into practice things just don’t go according to plan. Hours were spent by me working through the exercises and trying to smooth out the lumps and bumps and believe me… there were plenty of lumps and bumps

Lastly once you have finished the modules you are free to (and actively encouraged to) attack the rest of the lab network with the exception of the other student machines. A list of final challenges is set upon you and the goal is simply to get root or admin access to each device. This is quite a lot of fun, and far from easy.

The Exam

The first thing I have to say about this exam is that it’s a really tough exam. You are given 24 hours to gain root or admin access on 5 devices. From what I have seen in the field, these devices are as close to the real deal as you can get.

It was a lot of fun when I wasn’t stressing to the hilt. The different ways to break into these devices was very good and bound to stretch your mind.

What else can I say about this exam… well not much. I’m not allowed to… sorry

After you successfully pass the exam you are given access to a forum just for OSCP’s where you are free to discuss all aspects of the exam and course. I found it interesting that students worked out multiple different ways to get into the same devices. This brings on my only real point of angst about this course. I was unable to crack one device, so as soon as I got access to the forums I jumped in to find out how to crack this nut. It turns out everyone before me (that posted) had done it using a particular exploit that works on a particular port (could I be any more obscure ). So moving back to my pain point… That port was not even open on that device during my exam!!! So, I still have no idea how to get into this device.

Conclusion

This is a brilliant course!

I have done many courses both from vendors and course providers such as SANS and the Offensive-Security. While a lot of the other courses have been great, the Pentesting with Backtrack (OSCP) has easily provided me with the most value. I walk away from this course actually feeling like I have achieved something solid. This is both due to the time it takes to work through the course at your own pace and the quality of the content.

This course is by no means for beginners into IT. It works through some very complex topics and concepts. It is recommended that you have at least some coding experience as well as an operational knowledge of Windows and Linux.

For $700USD I think it’s a must for anyone in the IT security industry to work towards and I expect to see the certification gain serious traction and the respect it deserves in the near future. I know I’d be looking for an OSCP if I was hiring.