Password 101: how to suck at security

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password.

Why hackers should oppose government

I suppose I could sum up an entire article with “because they lie”. However, I don’t think that would cover the complexity of the issue at hand. Hackers, by both profession and mentality, question authority and push the status quo. By “hacker” I do not mean the black hat sitting in mommy’s basement in a poorly lit room stealing credit card and identity information; I mean someone who tinkers and tries to improve the way things are currently done.

The government, any government, is by its nature the opposite of the hacker mentality. We try to empower individuals to be self-reliant and build their own lives where nobody can tell them how to live. Government tries to consolidate power into a central entity that distributes resources to fit its own goals, even when those under its authority disagree.

Right now, I see too much support for government from others. It’s starting to feel like everyone has forgotten that America was formed by revolutionaries fighting against oppression, simply because we didn’t want to be told what we could do and who we could do it with. Yes, laws have a place, but too many laws are bad, because the more laws there are, the easier it becomes to break one.

That is what brings me to hackers. Right now, network security is a very dangerous field, and doing things 100% legally makes it hard to find the security holes. If you stumble upon a big security problem but didn’t have a contract set up first, you risk possible jail time for disclosing it to the business, even when you do so discreetly so as not to alert everyone and cause panic. Being a security good Samaritan is strongly discouraged because of government.

Think about it this way. Pretend you’re a kid and the government is your parent. When you were a kid and your parents had a really stupid rule, or the rule was no longer needed, what did you do? You probably talked to your parents about changing the rule, and they likely said “no”. For me, I had to break the rule in a way that showed I could act responsibly, so that the ONLY thing they could punish me for was breaking a rule that was silly. Sometimes I would get punished. Sometimes they would finally get the point. But the point is, for change to happen, rules need to be challenged and broken. This is at the very core of who a hacker is: we question EVERYTHING.

I don’t care if you’re a Republican, Democrat, anarchist, or communist; you should still oppose government intervention into our lives, and everyone’s lives. Do you really think that making a new law is going to stop criminals who are ALREADY breaking the law? No, you’re going to create new criminals. At the very least, current laws need to be enforced in full, so EVERYONE feels the pain of these oppressive laws. If you wouldn’t apply a law to EVERYONE, you shouldn’t have the law in the first place.

Hackers should unite against government power, fight against stupid laws intended to single out people, and fight for the little guy, because guess what, hackers? We’re the little guy. We are the antihero. We walk the thin line between good and bad. We need to push back on authority. We serve a vital role in change.

Stop wasting it!

I was thinking, after I hit “publish”: when I speak of a hacker, I speak of someone who questions things, someone who needs to know “why”, someone who strives for better than “okay”. I speak of myself, my friends, my family, and hopefully I am speaking to YOU as well.

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA’s PRISM program was leaked. Outrage followed, but it seems to have died down. Which got me thinking: most people I know are their own worst enemies when it comes to their privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear: I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play-by-play updates so EVERYONE can know what they are doing. The problem then is, how can you get mad that the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then got mad that someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing is wrong; however, most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: do we give up and let the government monitor everything we do? Or do we punish, for “hacking”, those who merely stumble on publicly posted information that is sensitive in nature?

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements and terms of service for all of the software and websites you use; they list what they do with the information that travels through their services. It is unfair to get mad at companies and the government for spying when you clicked “I accept” without reading the terms.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation that supposedly limits the government. They already ignore the laws currently on the books, so how is another law going to fix things?

Simple solution: Stop being stupid!

My View on this NSA thing

I have tried to keep my blog as non-political as possible, but with the news that has recently come to light regarding the NSA, both the Verizon call data and the PRISM program that snarfs up our internet communications, I find it very hard to ignore the issue. I will do my best to simply state my objections without getting too political.

Basically, the stories that have come to light indicate that the government, with the consent and direction of the Obama administration (and Bush previously), has been running secret programs and issuing secret warrants to collect all of your communication data. With Verizon, it appears they are collecting call metadata: not your actual call contents, but rather your phone number, call time, call length, who you called, and other details, but no name. They are getting that information for all Verizon customers and running it through data mining to find out who might need to be “watched” more closely.

This presents a very large concern to me. As someone who values both freedom and privacy, this action bothers me to my core. The government isn’t waiting until it suspects someone of actually communicating with terrorists before looking into their activities; it is looking at everyone, looking for possible bad guys. The problem with the latter is that even if you have done NOTHING wrong, you’re being watched. The government is just WAITING for you to screw up, so it can get more information on you.

It doesn’t end there, however. The NSA is also using a program called PRISM to gobble up the internet communications and activities of Americans online. They claim to have agreements with major companies who give them this data; Microsoft, Google, Apple, Facebook and many more were named. (Some of the companies deny any knowledge of such a program, or say that they do not simply hand information to the government or law enforcement, which is completely beside the point.) The information being gathered consists of email, VOIP call data, chat history, web habits (like what sites you visit, “like” or “favorite”), and shopping information. Essentially they are getting access to all you do, and can study it.

It is important to remember that in the pursuit of the fight against “terror” we have systematically given up so many of our civil liberties and freedoms for the false promise of “safety”. It simply proves what Benjamin Franklin said: “Those who would trade liberty for security deserve neither”. This is exactly true. We as a country cannot allow this level of intrusion into our personal lives to continue.

There are important ways to fight this; the most important is voting. Our government is failing us as citizens, and we’re sitting by watching it happen. WAKE THE FUCK UP! It is important to hold EVERY elected official accountable for their actions (how they vote on anything) by literally tossing them out of office. Yes, I said FIRE THEM! Enough with this “we’re just protecting you” bullshit, and GET OFF MY LAWN!

Encryption and Android: putting on your digital armor.

How much personal information do you keep on your mobile device? Your phone or tablet, the device that follows you everywhere you go: chances are you keep a whole lot more on it than you think you do.

If you lost your phone, I bet you’d feel naked, exposed and vulnerable. All your contacts, search history, GPS history, email, and a wealth of personal and private information would be available to anyone who happened to come across it. Most people only use slide-to-unlock, which leaves all your data open to any person with nefarious, dastardly intentions to steal or use against you.

Tonight I’m going to discuss one option that Android offers to help protect you from just that scenario. Since the release of Honeycomb (Android 3.0), it has been possible to fully encrypt your device. Once you choose to encrypt your device, you cannot undo it without a factory reset; removing the encryption means destroying all the data on your mobile device, so please proceed with caution.

I’d like to take a moment to discuss encryption and what it actually does, because many people are led into a false sense of security, thinking that since their device is encrypted their data is completely protected and unreadable to anyone else. That is a false statement, and there is no such thing as a security silver bullet. There will ALWAYS be a way around your security, but leaving your door open just screams “rob me blind, I don’t even shut my door”. Digital security is often the same. If you leave your phone lying unattended with no protection, even a person who means no harm might be tempted to look at its contents.

An encrypted phone or tablet locks your data with a PIN or password. Without the password, the data on the device looks like garbage. It looks like garbage, that is, while the device is powered off or sitting at the boot-time password prompt: the storage is only decrypted once you enter the password at boot, and from then on it stays readable for as long as the device is running. While you’re using it, your data is readable, and the lock screen is the only thing standing between a finder and that data. So if you set a delay before the screen locks, you are leaving the door open for that amount of time.

I suggest setting the power button to lock the device immediately, and avoiding any delay between the screen powering off and the screen lock engaging. This helps ensure that while you are not using your device, nobody else is either.

If encryption sounds like something you are interested in, I will be more than happy to walk you through the setup.

Before you can start full device encryption you will need to take the following steps:
1) set either a PIN or password in the “Security” section of the Settings menu
2) charge the battery and plug in the device (Android will not start encrypting otherwise, and interrupting the process part way through can leave the data unrecoverable)


Once you have taken those two steps, open the “Encrypt” entry in the Security section and confirm to start the encryption process. Encryption took almost a full hour on my Nexus 7, so expect at least that unless your device has only a very small amount of internal storage.

Once you have encrypted your device, you will need your PIN or password in the following situations: powering on, rebooting, waking the device from sleep, and booting into recovery. To be honest, you will type it so often that it becomes second nature.

I encrypted my tablet a few weeks ago, and I have not noticed any performance difference or had any negative experiences due to the device being encrypted. You can still use lock screen widgets: I use my tablet for alarms, and you don’t need to type a password to silence or shut off the alarm, only to gain access to the device.
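As an added example (not part of the original post), here is a small POSIX shell script you can run from a computer with adb to confirm that a device is actually encrypted and that the screen locks the moment it goes off. It reads ro.crypto.state from getprop output and takes the lock_screen_lock_after_timeout secure setting (milliseconds the device stays unlocked after screen-off) as a second argument. The property dump in the script is constructed sample data standing in for a real adb session, so it runs offline; the live adb commands are shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: verify Android full-device
# encryption and an immediate screen lock over adb.
#   ro.crypto.state                 -> "encrypted" once full-device encryption is on
#   lock_screen_lock_after_timeout  -> (secure setting) ms the device stays
#                                      unlocked after screen-off; 0 = lock at once
# Assumption for live use: adb installed and USB debugging enabled on the device.

# Extract one property value from `getprop` output ("[key]: [value]" lines).
prop_value() {
    key=$1
    props=$2
    printf '%s\n' "$props" | tr -d '\r' |
        sed -n "s/^\[$key\]: \[\(.*\)\]$/\1/p"
}

# check_device PROPS LOCK_AFTER_MS
# Returns 0 when the device reports encrypted storage and locks immediately,
# 1 otherwise, printing a warning for each failed check.
check_device() {
    props=$1
    lock_after_ms=$2
    status=0
    state=$(prop_value ro.crypto.state "$props")
    if [ "$state" != "encrypted" ]; then
        echo "WARN: ro.crypto.state is '${state:-unset}', expected 'encrypted'"
        status=1
    fi
    if [ "$lock_after_ms" != "0" ]; then
        echo "WARN: screen stays unlocked for ${lock_after_ms} ms after screen-off"
        status=1
    fi
    return $status
}

# Constructed sample getprop output (assumption: stands in for `adb shell getprop`).
SAMPLE_PROPS='[ro.build.version.release]: [4.3]
[ro.crypto.state]: [encrypted]
[ro.product.model]: [Nexus 7]'

# Live use, with the device connected:
#   check_device "$(adb shell getprop)" \
#       "$(adb shell settings get secure lock_screen_lock_after_timeout | tr -d '\r')"
check_device "$SAMPLE_PROPS" 0 && echo "OK: storage encrypted and screen locks immediately"
```

The point of checking the timeout as well as the encryption flag is the one made above: once the device has booted, encryption is no longer what protects the data, the lock screen is, so a five-second grace period is five seconds of open door.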


As usual, if you have questions or comments feel free to contact me on Twitter (@DarkLordZim) or via email (DarkLordZim@gmail.com)

Do you know who’s using your WiFi? Or how to check?

This may sound like a stupid question, but in reality most people don’t. I work in IT support, and the customers I support all work from home or on the road. Many have no idea what devices are connected to their network, let alone how to set up encryption.

My goal for this post is to show you some easy ways to map your network, to ensure only the devices you want are using it. Rogue devices can negatively impact your network in a variety of ways: an attacker on your network could steal your passwords or files, and a poorly functioning device could cause internet speeds to drop to a crawl or even knock your computers off the net.

That said, it is easy to monitor your network, and at a very minimum you should audit network usage twice a month (I do it almost daily, because it really only takes seconds to check).

The quickest way to get an idea of who or what is connected to your network is a ping scan. There is an Android app built specifically for network mapping and some troubleshooting called Fing; it reports every live IP address along with the manufacturer of each device’s network card (looked up from the MAC address). Once you have the list of live devices, Fing lets you troubleshoot each one. Some of the things I do with Fing are port scanning, connecting to Windows shared drives, and FTP. Fing is available in the Play Store.

(Screenshot: Fing in action.)

Some of us who are hyper-focused on the security of our networks even go so far as building lightweight intrusion detection systems, but I would not expect the average person to take the time to learn how to set one up, or to pay the huge prices others charge to do it. Simply scanning your network is a great step in protecting your digital privacy. If you notice connected devices that shouldn’t be there, you can adjust settings in your router’s configuration to block the device; bear in mind that MAC filtering only keeps out a device that doesn’t bother to spoof its address, so if a stranger is on your wireless network the reliable fix is to change the Wi-Fi passphrase (and make sure the network is using WPA2, not WEP or open).
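As an added example (not part of the original post, and not the follow-up the author promised), here is a POSIX shell script that does on a Linux box what the Fing scan does on the tablet: after a ping sweep fills the neighbour (ARP) table, it lists every live device whose MAC address is not on an allowlist of devices you own. The allowlist MACs and the neighbour table in the script are constructed sample data so it runs offline; the live commands appear in the comments and assume a 192.168.1.0/24 home network and iproute2’s `ip neigh`.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal audit of who is on
# your network, in the spirit of what Fing shows. It takes the neighbour
# (ARP) table as populated by a ping sweep and prints every live device
# whose MAC address is not on your allowlist.
# Assumptions: a Linux host with iproute2 (`ip neigh`), and a 192.168.1.0/24
# home network for the live sweep.

# Allowlist of devices you own: constructed sample MACs (assumption).
KNOWN_MACS='aa:bb:cc:00:00:01 router
aa:bb:cc:00:00:02 laptop
aa:bb:cc:00:00:03 nexus7'

# Turn `ip neigh show` output into "ip mac" pairs. Only entries with a
# resolved hardware address (lladdr) answered; FAILED/INCOMPLETE ones are skipped.
neigh_pairs() {
    tr -d '\r' | awk '$4 == "lladdr" { print $1, tolower($5) }'
}

# unknown_devices NEIGH_TABLE
# Prints "ip mac" for each live device not listed in KNOWN_MACS.
unknown_devices() {
    printf '%s\n' "$1" | neigh_pairs | while read -r ip mac; do
        if ! printf '%s\n' "$KNOWN_MACS" | grep -qi "^$mac "; then
            echo "$ip $mac"
        fi
    done
}

# audit_neighbours NEIGH_TABLE
# Returns 0 if every live device is allowlisted, 1 if strangers are present.
audit_neighbours() {
    strangers=$(unknown_devices "$1")
    if [ -n "$strangers" ]; then
        echo "UNKNOWN devices on the network (ip mac):"
        echo "$strangers"
        return 1
    fi
    echo "All live devices are on the allowlist."
    return 0
}

# Constructed sample neighbour table (assumption: stands in for `ip neigh show`).
SAMPLE_NEIGH='192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr AA:BB:CC:00:00:02 STALE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.9 dev wlan0 FAILED'

# Live use: sweep the subnet so every powered-on device lands in the
# neighbour table, then audit it.
#   for i in $(seq 1 254); do ping -c 1 -W 1 "192.168.1.$i" >/dev/null 2>&1 & done; wait
#   audit_neighbours "$(ip neigh show)"
audit_neighbours "$SAMPLE_NEIGH" || echo "Compare the list above with your router's client table."
```

An allowlist of MACs is good enough to spot the neighbour’s laptop or a forgotten smart TV, which is what the twice-a-month audit is for; it is not an intrusion detection system, since anyone who can spoof a MAC can also spoof their way onto the list.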

I will write a follow-up post with some Windows and Linux tools that are user friendly and give similar functionality to Fing on Android. I would also like to note that Fing is also available on iOS, but it has been a while since I used it, as I avoid my iPad like the plague.

If you have concerns or questions, feel free to hit me up on Twitter @DarkLordZim or email DarkLordZim@gmail.com

Disclosure: small business and offering “free” WiFi – what NOT to do

In the interest of what I ran into last night, I will share the horrible networking practices this business I stumbled upon was employing. I was driving past a local tire shop and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself, “let’s just take a peek at what is accessible to any user”.

There was no authentication agreement once connected, no ‘rules of conduct’ if you will, which even most coffee shop networks toss up at users. Lately I have been using my Nexus 7 to see just how much mayhem I am able to cause without looking suspicious with a laptop.

Once I connected to the network, I fired up dsniff to analyze the network layout. There was a curious hostname with a Netgear device signature that I felt warranted a look. So I scanned its services and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on an open public WiFi; I could only dream what treasures lay within its storage.

Using ES File Manager’s built-in Samba client to connect, for fun I try the default ‘Guest’ account, and ta-da, I’m presented with a share and the secret share data. In the root of the ‘My Documents’ folder, I find a fun file named ‘LOGINS.rtf’ and save it to my tablet for later review.

The business is closed, nobody inside, and yet TONS of information just waiting to be plucked. If the NAS was so easy, why not the router? I open Chrome and browse to the router login page, and yet again: default username and password. I have to verify the login really is root, so I adjust the filter settings on the router to block all requests for Google.com, Facebook.com, and twitter.com, and lo and behold, it was successful.

I am sharing this so that anyone running a small business will take serious caution to ensure that their sensitive data is segregated from the public WiFi network. It can be done very simply, even with regular consumer routers from Best Buy: most offer a separate guest network that is isolated from the LAN, and at a minimum the router’s admin password and any guest access on a NAS must be changed from the defaults. Please do not assume that offering ‘free’ wireless will automatically be a positive for your customers. Their data is valuable, and if they are compromised because your system was poorly managed, that will reflect poorly on you.