The top 25 Worst Passwords of 2012

One thing I like to do when a new password list is dumped from a hacker attack is to analyze them for patterns with a program like Pipal. Every year Splashdata takes a look at all of the passwords dumped over the year and provides a list of the worst passwords that exist. These passwords are short, simple or easily guessable.

So without further delay, here are the top 25 passwords NOT to use on your system according to Splashdata:

#    Password      Change from 2011
1    password      Unchanged
2    123456        Unchanged
3    12345678      Unchanged
4    abc123        Up 1
5    qwerty        Down 1
6    monkey        Unchanged
7    letmein       Up 1
8    dragon        Up 2
9    111111        Up 3
10   baseball      Up 1
11   iloveyou      Up 2
12   trustno1      Down 3
13   1234567       Down 6
14   sunshine      Up 1
15   master        Down 1
16   123123        Up 4
17   welcome       New
18   shadow        Up 1
19   ashley        Down 3
20   football      Up 5
21   jesus         New
22   michael       Up 2
23   ninja         New
24   mustang       New
25   password1     New

New this year is the third column, which shows how each password's rank changed from last year's list. As you can see, people are still using many of the same easy-to-guess passwords year after year.

We have analyzed several password dumps with Pipal over the last few years, and whether it is a small dump of 20,000 passwords or a large one of over 400,000, the top ten are usually the same.

I can see why “password”, “123456” and “abc123” are always at the top of the list, but what in the world is people’s fascination with the password “monkey”? It has shown up in the top ten of every dump we have analyzed.

Needless to say, if you use any of these 25 passwords, change them now. Long, complex passwords mixing upper and lower case letters, numbers and special characters are always the best way to go. Length matters most: every character added to a password that already uses several character classes multiplies the brute-force search space, so at 10 or more characters the time it takes to crack one increases immensely.

On Windows systems, use passwords of 15 or more characters. Older systems, and newer ones left configured for backward compatibility, store an LM hash of any password of 14 characters or fewer alongside the stronger NT hash. LM uppercases the password, pads it to 14 characters and splits it into two independent 7-character halves, each used as a DES key, so the effective search space is tiny: if the hashes can be obtained, precomputed rainbow tables recover such a password in a very short time (as few as 5 seconds!). A password of 15 or more characters cannot be stored as an LM hash at all, and disabling LM hash storage (the “Network security: Do not store LAN Manager hash value on next password change” policy, or the equivalent NoLMHash registry setting) removes the weakness for every password length.
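The kind of pattern analysis the post describes, plus the LM-length check from the paragraph above, as an added example written for this page: it is not code from Pipal or from the original post. The dump it analyzes is a constructed sample, not real leaked data, and the LM_MAX_LEN constant and the function names are this example's own.

```python
"""Pipal-style pattern analysis of a password dump (added example).

Reports the statistics Pipal is used for in the post (top passwords,
length distribution, character classes) and adds two checks: which
entries appear on SplashData's 2012 worst-25 list, and which are short
enough (14 characters or fewer) to be stored as a crackable LM hash on
legacy Windows systems.
"""
from collections import Counter
import re

# SplashData's 2012 worst-25 list, as reproduced in the post.
WORST_2012 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang",
    "password1",
}

# Constructed sample dump (not real leaked data): one password per line.
SAMPLE_DUMP = """\
password
123456
monkey
password
Tr0ub4dor&3
correct horse battery staple
monkey
letmein
abc123
Summer2012!
123456
password
P@ssw0rd
"""

# LM hashes are only stored for passwords of 14 characters or fewer
# (assumed constant name; the limit itself is part of the LM design).
LM_MAX_LEN = 14


def char_class(pw: str) -> str:
    """Return the character classes a password uses, e.g. 'lower+digit'."""
    classes = []
    if re.search(r"[a-z]", pw):
        classes.append("lower")
    if re.search(r"[A-Z]", pw):
        classes.append("upper")
    if re.search(r"[0-9]", pw):
        classes.append("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        classes.append("special")
    return "+".join(classes) if classes else "empty"


def analyze(dump: str, top_n: int = 5) -> dict:
    """Compute Pipal-style statistics over a newline-separated dump."""
    pws = [line for line in dump.splitlines() if line]
    counts = Counter(pws)
    total = len(pws)
    lengths = Counter(len(p) for p in pws)
    classes = Counter(char_class(p) for p in pws)
    on_worst_list = sum(c for p, c in counts.items() if p.lower() in WORST_2012)
    lm_storable = sum(c for p, c in counts.items() if len(p) <= LM_MAX_LEN)
    return {
        "total": total,
        "unique": len(counts),
        "top": counts.most_common(top_n),
        "lengths": dict(sorted(lengths.items())),
        "classes": dict(classes),
        "worst_list_pct": round(100.0 * on_worst_list / total, 1),
        "lm_storable_pct": round(100.0 * lm_storable / total, 1),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_DUMP)
    print(f"{report['total']} passwords, {report['unique']} unique")
    print("Top passwords:")
    for pw, n in report["top"]:
        print(f"  {n:>3}  {pw}")
    print("Length distribution:", report["lengths"])
    print("Character classes:", report["classes"])
    print(f"On SplashData 2012 worst-25 list: {report['worst_list_pct']}%")
    print(f"14 chars or fewer (LM-hashable on legacy Windows): {report['lm_storable_pct']}%")
```

Point it at a real dump by replacing SAMPLE_DUMP with the file contents; the worst-list percentage is the quickest way to see how much of a user base falls to a dictionary of a few dozen guesses, and the LM percentage shows how much would fall to rainbow tables if LM storage is still enabled.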

New EMP Missile Knocks out Computers and Electronics with Precision

Ask any sci-fi geek what the greatest threat to computers is and they will not respond with “cyberwar” or anything else with the word “cyber” in it. They will say EMP. Electromagnetic pulse weapons kill any electronics within their area of effect, and the problem is that the area can be enormous: the EMP from a high-altitude nuclear detonation could knock out systems across a whole country.

But what if you had the ability to target individual buildings? And what if you could deliver that weapon in a missile?

Well, now, you can!

Last week, Boeing, Raytheon and the US Air Force Research Laboratory successfully tested the first high-power microwave missile. The Counter-electronics High Power Microwave Advanced Missile Project, or CHAMP for short, successfully targeted and knocked out the electronics in a two-story building:

“CHAMP approached its first target and fired a burst of High Power Microwaves at a two story building built on the test range. Inside rows of personal computers and electrical systems were turned on to gauge the effects of the powerful radio waves.”

“Seconds later the PC monitors went dark and cheers erupted in the conference room. CHAMP had successfully knocked out the computer and electrical systems in the target building. Even the television cameras set up to record the test were knocked off line without collateral damage.”

This missile is a huge leap in EMP-based weapons. The ability to target individual sites (seven were targeted in the test) with no collateral damage is exactly what the counterinsurgency-style wars the US is fighting today call for.

“This technology marks a new era in modern-day warfare. In the near future, this technology may be used to render an enemy’s electronic and data systems useless even before the first troops or aircraft arrive,” said Boeing program manager Keith Coleman. “Today we turned science fiction into science fact.”

The US already fields weapons that can knock out electrical power. These weapons (like the BLU-114/B) work by dispersing conductive carbon-fiber filaments over switchyards and transmission lines; the filaments short out high-voltage transformers and switchgear, taking the grid offline. Weapons of this kind were used by the US to take out Serbia’s power in 1999 and Iraq’s power during Desert Storm.

But what if the target facilities have backup generators? Or you wanted to target individual buildings instead of entire cities? Or the target had electronics that needed to be destroyed outright? In these cases CHAMP would be an exceptional choice, and using the two kinds of weapon together could be even more devastating to enemy forces.

This missile will most likely replace cyber warfare in many cases. As the “Shamoon” coder found out, code does not always behave the way you want it to, and one of the greatest fears in cyber war is that the code will be captured, modified and used against its creator.

CHAMP has no such drawback: it knocks out not only the computers but any electronics in the target area.

Science Fiction has indeed become Science Fact!

The Military’s Declassified “Mach 4” UFO – from 1950!

Recently declassified material from the United States Air Force shows something right out of science fiction. In the 1950s the US was working on a UFO!

Yes, you read that right, a UFO!

Okay, not really a UFO, but it sure looks like one. Meet Project 1794, otherwise known as the “Avrocar”.

Project 1794 was a vertical take-off and landing (VTOL) vehicle developed by Avro Aircraft Ltd. in Canada. The original design had a theoretical top speed of Mach 3.5 to 4 and an operational ceiling of up to 100,000 feet.

“The Avrocar intended to exploit the Coandă effect to provide lift and thrust from a single “turborotor” blowing exhaust out the rim of the disk-shaped aircraft to provide anticipated VTOL-like performance. In the air, it would have resembled a flying saucer.” – From Wikipedia

The project never really “took off” and switched hands from the USAF to the US Army before it was finally abandoned.

Check out these pictures, some included in the recently declassified document titled “Project 1794, Final Development Summary Report” on the National Archives website and some from the public domain:


Though an interesting idea, it never came anywhere near the success of the A-12 and SR-71 Blackbird projects of the 1960s. Those planes did indeed reach Mach 3+, had a maximum ceiling of 85,000 feet (95,000 for the A-12) and, for a creation of the ’60s, looked WAY ahead of their time.

If nothing else, the release of the classified material will give the UFO conspiracy theorists and alien hunters something to talk about.

Social Engineering Toolkit v4.1.1 “Gangnam Style” Released

David Kennedy and the TrustedSec crew have recently released yet another update to the very impressive Social Engineering Toolkit.

From the release notes for SET v4.1.1, codenamed “Gangnam Style”:

“This version has a number of new enhancements including the ability to natively use Apache with the multiattack combining the Java Applet Attack and the Credential Harvester. Traditionally speaking, the credential harvester attack could only be used by the native SET HTTP server. We recently developed a php hook that gets copied over to the web root along with the standard Java Applet attack. If the Java Applet fails, the backup for credential harvester can be used. In addition, a number of stability updates were given to the standard Credential Harvester attack.

The harvester now supports multi-threading for faster response times when hitting the website. All-in-all this release adds a ton of new functionality and features. In addition to these changes, the Metasploit Meterpreter ALLPORTS payload is now supported through the PyInjector and ShellCode Injection techniques for the Java Applet. Lastly, we’ve added a new Java Applet that has been redesigned and heavily obfuscated. Enjoy!”

SET is one of our favorite computer security tools here at CyberArms. I cannot think of an easier-to-use tool for checking how well your network and users stand up to social engineering attacks.

We are grateful that David Kennedy and his team spend so much time tweaking and updating it.

Nice job guys!