Password 101: how to suck at security

Password 101: how to suck at security.

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password. Continue reading

Advertisements

Arguing over jester? Read this first. Then grow up, and shut up!

There is one thing lately that has been bothering me enough to write this post. The fighting over something so silly as the jester. Yes, it’s a bloody battle on Twitter, and both sides are wrong. It’s time to just quit fighting… Seriously, cut it the fuck out!

Those who support jester, stop feeding the trolls. Jester is a big boy, he’s demonstrated it many times that he can handle himself. Yet most of you jump into a fight when anyone tried to incite jester. It’s like you feel personally attacked just because you believe he’s doing good which makes anyone who disagrees evil that needs to be shut up. Just stop it!

You jester haters go too far too! Most trolls are just looking to start a fight because they feel he’s some kind of poser and anyone who defends him would obviously be a drooling moron, so why feed into that steotype? Just ignore trolls silence is your best weapon.

Where do I stand when it comes to “J”? I don’t give a fuck about it, there are many more important things that matter to me to worry about a guy who makes habits of hitting hornets nests with a sledge hammer. Any blowback he gets, he brings on himself. He’s shown he can handle the trolls, and normally he won’t even respond to them, because they are just trying to view smoke up his ass. When they do need a response, he handles it mostly respectfully, warning, strong warning, and if needed, a slap.

For fuck sake people, stop fighting over stupid shit that doesn’t even affect your daily life. Focus your rage on changing the real world, focus on things you yourself can change. Trolls aren’t going to change jester’s religious followers by bullying them, and supporters aren’t going to stop tells by fueling their rage in fighting.

There, I’m done with that topic, you should be too.

Grow the fuck up! You are all acting like spoiled highschool brats!

Why hackers should oppose government

I suppose I could sum up an entire article with “because they lie”. However I don’t think that would cover the complexity of the issue at hand. Hackers, by both profession and mentality, question authority and push the status quo. By no means, do I mean “Hacker” as the black hat sitting in mommy’s basement in a poorly lit room purposely stealing credit card and identity information; by hacker, I am talking about someone who tinkers and tries to improve the way things are currently done.

The government, any government, is by it’s nature the opposite of the hacker mentality. We try to empower individuals to be self-reliant and build their own life where nobody can tell them how to live. Government tries to consolidate the power into a central entity that distributes resources to fit its goals, even if those under its authority disagree.

Right now, I see too much support for government from others. It’s starting to feel like everyone has forgotten that America was formed by revolutionaries fighting against oppression. Simply because we didn’t want to be told what we could do, and who we could do it with. Yes, laws have a place, but too many laws are bad because it becomes more possible to break the law.

That is what brings me to hackers. Right now, network security is a very dangerous field, and doing things 100% legally makes it hard to find the security holes. If you stumble upon big security problems but didn’t have a contract set up first, you risk possible jail time for disclosing it to the business, even when done discreetly as to not alert everyone and cause panic. Being a security good Samaritan is strongly discouraged because of government.

Think about it this way. Pretend you’re a kid and the government is your parent. when you were a kid, and your parents had a really stupid rule, or the rule was no longer needed, what did you do? You probably talked to your parents to change the rule, and they likely said “no”. For me, I had to break the rule in a way as to show i could act responsibly and the ONLY thing they could punish me for was breaking a rule that was silly. Sometimes, I would get punished. Sometimes, they would finally get the point. But the point is, for change to happen, rules need to be challenged and broken. This is at the very core of who a hacker is: we question EVERYTHING.

I don’t care if you’re a Republican, Democrat, anarchist, or communist, you should still oppose government intervention into our lives, and everyone’s lives. Do you really think that making a new law is going to stop criminals who are ALREADY breaking the law? No, you’re going to create new criminals. At the very least, current laws need to be enforced in full, so EVERYONE feels the pain of these oppressive laws. If you wouldn’t apply a law to EVERYONE, you shouldn’t have the law in the first place.

Hackers should unite against government power, fight against stupid laws intended to single out people, and fight for the little guy, because guess what, hackers? We’re the little guy. We are the antihero. We walk the thin line between good and bad. We need to push authority. We serve a vital role for change.

Stop wasting it!

I was thinking, after I hit “publish”; When I speak of a hacker, I speak of someone who questions things, someone who needs to know “why”, someone who strives for better than “okay”… I speak of myself, my friends, my family, hopefully, I am speaking to YOU as well.

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” was leaked. Outrage followed, but seems to have died down. Which got me thinking, most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play by play updates so EVERYONE can know what they are doing. The problem is then, how can you get mad the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then getting mad someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing, is wrong; however most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: Do we give up, and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software, and websites you use, they always list what they do with information that travels through their services. Is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government, even though they already ignore the laws currently on the books, how is another law going to fix things?

Simple solution: Stop being stupid!

My View on this NSA thing

I have tried to keep my blog as non-political as possible, but with the news that has recently come to light regarding the NSA with both Verizon call data, and the PRISM program that snarfs up all our internet communications; I find myself very hard pressed to ignore the issue, but I will do my best to simply represent my objections to the issue, without getting too political.

Basically, the stories that have come to light indicate that the government, with the consent and direction of the Obama administration (and Bush previously) have been issuing secret programs and warrants to collect all of your communication data. With Verizon wireless, it appears that they are using the call metadata, not your actual call contents but rather your phone number, call time, call length, who you called, and other details but no name. They are getting that information from all Verizon customers, and put it through data-mining to find out who might need to be “watched” more closely.

This presents a very large concern to me. As someone who values both freedom, and privacy, this action bothers me to my core. The government isn’t waiting till they suspect someone of actually communicating with terrorists before looking into their activities; they are looking at everyone, looking for possible bad guys. the problem with the later, is that even if you have done NOTHING wrong, you’re being watched. The government is just WAITING for you to screw up, so they can get more information on you.

It doesn’t just end there however. The NSA is also using a program called PRISM to gobble up all of the internet communications and activities of all Americans online. They are claiming they have agreements with major companies who give them this data. They named, Microsoft, Google, Apple, Facebook and many many more (Some of the companies are denying any knowledge of such a program, or that they do not simply give information to the government or law enforcement, which is completely beside the point) The information they are gathering, consists of email information, VOIP call data, chat history, web habits (like what sites you visit or “like” or “favorite”), shopping information. Essentially they are getting access to all you do, and can study it.

It is important to remember, that in the pursuit to fight “terror” we have systematically given up so many of our civil liberties and freedom for the false promise of “safety” that it simply proves, that which Benjamin Franklin said “Those who would trade liberty for security deserve neither”. This is exactly true. We as a country cannot allow this level of intrusion into our personal lives to continue.

There are important way to fight this, most importantly is voting. Our government is failing us as citizens, and we’re sitting by watching it happen. WAKE THE FUCK UP! it is important to hold EVERY elected official accountable for their actions (how they vote on anything) by literally tossing them out of office. Yes, I said FIRE THEM! Enough with this “we’re just protecting you” bullshit, and GET OFF MY LAWN!

Do you know who’s using your WiFi? Or how to check?

This may sound like a stupid question, but in reality most people don’t. I work in IT support, the customers I support all work from home, or on the road. Many have no idea even what devices are connected to their network, let alone how to set encryption.

My goal for this post is to show you some easy ways to map your network, to ensure only devices you want are using your network. Rogue devices can negativity impact your network in a variety of ways. An attacker could steal your passwords or files, a poorly functioning device could cause internet speeds to drop to a crawl, or even disconnect your computers from the net.

That said, it is easy to monitor your network, and at a very minimum you should audit network usage twice a month (I do it almost daily, because it really only takes seconds to check).

The quickest way to get an idea of who or what is connected on your network is a ping scan, there is an app built specifically for network mapping and even some troubleshooting on android called ‘Fing’ it will report all live ip addresses, along with the manufacturer of the devices network card. Once you have the list of connected/live devices, Fing will let you troubleshoot each device. Some of the things I do with Fing are; port scanning, connecting to windows shared drives, ftp. here is a link to Fing in the play store.

image

Here is a shot of Fing in action

Some of us that are hyper focused on the security of our networks, even go so far as building lightweight intrusion detection systems, but I would not expect that an average person would take the time to learn how to set one up, or even pay the huge prices charged by others to do it. Simply scanning your network is a great step in protecting your digital privacy, if you notice connected devices that shouldn’t be there, you can adjust settings within your routers configuration to block the device.

I will write a follow-up post, with some windows, and Linux tools that are user friendly, and give similar function to Fing on android. I would also like to note that Fing is also available on iOS, but it has been awhile since I used it as I avoid my iPad like the plague.

If you have concerns or questions, feel free to hit me up on Twitter @DarkLordZim or email DarkLordZim@gmail.com

Disclosure: Small business and offering “free” WiFi – what NOT to do

In the interest of what I ran into last night, I will share what horrible networking practices this business I stumbled upon was employing. I was driving past a local tire shop, and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself “let’s just take a peek at what is accessible to why user”.

There was no authentication agreement once connected, no ‘rules of conduct’ if you will that even most coffee shop networks toss up at users. Lately I have been using my nexus 7 to see just how much mayhem I am able to cause, without looking suspicious with a laptop.

Once I connected to the network, I fired up Dsniff to analyze the network layout. There was a curious hostname, with a Netgear device signature, that I felt warranted a look. So I scanned the services, and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on a open public WiFi, I could only dream what treasures lay within its storage.

Using ES File Manager’s built in Samba services to connect, for fun I try using the default ‘Guest’ account, and tada, I’m presented with a share and the secret share data. In the root of the ‘My Documents’ folder, I find a fun file named ‘LOGINS.rtf’ and save it to my tablet for later review.

The business is closed, nobody inside, and yet TONS of information, just waiting to be plucked. If the NAS was so easy, I open chrome and browse to the router login page, yet again, default username/password. I have to verify root login so I adjust the filter settings on the router to block all requests for Google.com, Facebook.com, and twitter.com; and low and behold, it was successful.

I am sharing this, so that anyone running a small business will take serious caution to ensure that their sensitive data, is segregated from the public WiFi network. It can be done very simply, even with regular routers from best buy. Please do not think that offering ‘free’ wireless will be positive for your customers. Their data is valuable and if they are compromised because your system was poorly managed, that will reflect poorly on you.