Password 101: how to suck at security

Password 101: how to suck at security.

(Totally not a satire post…. Totally…)

1. Always Use a simple password.
2. Always write it down.
3. Always Use the same password for everything.
4. Never change your password. Continue reading

Privacy, is it dead?

So, it’s been a couple of weeks since the NSA “PRISM” was leaked. Outrage followed, but seems to have died down. Which got me thinking, most people I know are their own worst enemies when it comes to their own privacy and important information.

How many of you have Facebook? Most people do. Now, let me be clear, I don’t use Facebook and haven’t for a long time, but my wife does.

Everyone has started to post play by play updates so EVERYONE can know what they are doing. The problem is then, how can you get mad the government collected the data? You posted it in the internet equivalent of screaming in the downtown square, then getting mad someone wrote down what you yelled.

Don’t get me wrong, what the NSA is doing, is wrong; however most people are not taking even the slightest steps to guard their privacy. This makes it very hard moving forward, because it gives us another “lesser of two evils” scenario: Do we give up, and let the government monitor everything we do? Or do we punish those who even stumble on publicly published information that is sensitive in nature for “hacking”

What I think really needs to happen is that people need to start taking privacy seriously. I can’t count how often I have gotten after my family for posting information that could be used against them, and without fail, they ALWAYS seem surprised that what they posted wasn’t private.

Read the end user license agreements for all of the software, and websites you use, they always list what they do with information that travels through their services. Is unfair to get mad at companies and government for spying when you click “I accept” without reading the terms of service.

For this problem to change, it’s going to take a shift in our mentality, not just more useless legislation to supposedly limit the government, even though they already ignore the laws currently on the books, how is another law going to fix things?

Simple solution: Stop being stupid!

My View on this NSA thing

I have tried to keep my blog as non-political as possible, but with the news that has recently come to light regarding the NSA with both Verizon call data, and the PRISM program that snarfs up all our internet communications; I find myself very hard pressed to ignore the issue, but I will do my best to simply represent my objections to the issue, without getting too political.

Basically, the stories that have come to light indicate that the government, with the consent and direction of the Obama administration (and Bush previously) have been issuing secret programs and warrants to collect all of your communication data. With Verizon wireless, it appears that they are using the call metadata, not your actual call contents but rather your phone number, call time, call length, who you called, and other details but no name. They are getting that information from all Verizon customers, and put it through data-mining to find out who might need to be “watched” more closely.

This presents a very large concern to me. As someone who values both freedom, and privacy, this action bothers me to my core. The government isn’t waiting till they suspect someone of actually communicating with terrorists before looking into their activities; they are looking at everyone, looking for possible bad guys. the problem with the later, is that even if you have done NOTHING wrong, you’re being watched. The government is just WAITING for you to screw up, so they can get more information on you.

It doesn’t just end there however. The NSA is also using a program called PRISM to gobble up all of the internet communications and activities of all Americans online. They are claiming they have agreements with major companies who give them this data. They named, Microsoft, Google, Apple, Facebook and many many more (Some of the companies are denying any knowledge of such a program, or that they do not simply give information to the government or law enforcement, which is completely beside the point) The information they are gathering, consists of email information, VOIP call data, chat history, web habits (like what sites you visit or “like” or “favorite”), shopping information. Essentially they are getting access to all you do, and can study it.

It is important to remember, that in the pursuit to fight “terror” we have systematically given up so many of our civil liberties and freedom for the false promise of “safety” that it simply proves, that which Benjamin Franklin said “Those who would trade liberty for security deserve neither”. This is exactly true. We as a country cannot allow this level of intrusion into our personal lives to continue.

There are important way to fight this, most importantly is voting. Our government is failing us as citizens, and we’re sitting by watching it happen. WAKE THE FUCK UP! it is important to hold EVERY elected official accountable for their actions (how they vote on anything) by literally tossing them out of office. Yes, I said FIRE THEM! Enough with this “we’re just protecting you” bullshit, and GET OFF MY LAWN!

Encryption and android, putting on your digital armor.

How much personal information do you keep on your mobile device? Your phone, or tablet, the devices that follow you everywhere you go, chances are you probably keep a whole lot more than you think you do.

If you lost your phone, I bet it likely you’d feel naked, exposed and vulnerable. All your contacts, search history, GPS history, email, and a wealth of personal and private information would be available to anyone who happened to come across it. Most people only use the slide to unlock that leaves all your data open for any person with nefarious, dastardly intentions to steal or use against you.

Tonight I’m going to discuss one option that android offers to help protect you from just that scenario. Since the release of Honeycomb, it has been possible to fully encrypt your device. Once you choose to encrypt your device, you cannot undo it without a factory reset, meaning to remove the encryption, you will have to destroy all the data on your mobile device, so please, proceed with caution.

If like to take a moment to discuss encryption, and what it actually does, because many people are lead to a false sense of security thinking since their device is encrypted that their data is completely protected, and unreadable to anyone else. This is a false statement, and there is no such thing as a security silver bullet. There will ALWAYS be a way around your security, but leaving your door open just screams “rob me blind, I don’t even shut my door”. Digital security is often the same. If you leave your phone laying unattended with no protection, even a person who means no harm might be tempted to look at its contents.

An encrypted phone or tablet, will lock your data with a PIN or password. Without the password, the data on the device looks like garbage. It looks like garbage that is, when it’s locked. While you’re using it, your data is readable. So if you leave a delay timer to prevent the phone from locking, you are leaving the door open for a small amount of time.

I suggest setting the power button to automatically lock, and also to avoid any delay in screen lock after the screen powers off. This will help to ensure that while you are not using your device, nobody else is either.

If encryption sounds like something you are interested in, I will be more than happy to wall you through the setup.

Before you can start full device encryption you will need to take the following steps:
1) set either a PIN or password in the “security” section of the settings menu
2) plug in the device

image

Once you have taken the previous two steps, click on the “encryption” section and click the button to start the encryption process. The encryption took almost a full hour on my nexus 7, so I would expect at least that, unless you only have a very small amount of internal storage.

Once you have encrypted your device, you will need your PIN or password for the following situations; powering on, rebooting, or waking the device from sleep, booting into recovery. To be honest, you will type it so often, it becomes second nature to you.

I encrypted my tablet a few weeks ago, and I have not noticed any performance difference, or had any negative experiences due to the device being encrypted. You can still use lock screen widgets, I use my tablet for alarms, and you don’t need to type a password to silence or shut off the alarm, only to gain access to the device.

image

As usual, if you have questions or comments feel free to contact me on Twitter (@DarkLordZim) or via email (DarkLordZim@gmail.com)

Wireless hacking on android

With the power of the tablets coming out now, and the open platform that Linux provides, there is a great opportunity for hacking from an easily hidden, Trojan style device with lots of power to allow us to do many different wireless attacks.

Possible attacks:
1. ARP spoofing
2. Ssl stripping
3. Session hijacking
4. Vuln scanning
5. Port and service scams

These are just a few features available in a tool called

Dsploit

. Using the application you can select all kinds of attack vectors, you can capture packets in a pcap dump for reading in Whitehall later.

It works well in a small networks and labs, but my next task is to blow up a public network and see what I’m able to find. If the located information is enough, I will approach face to face with data, and options on how to fix their problems.

Other WiFi tools in my toolbox include, droidsheep, ding (network scanner), connectbot, and sshdroid.

I will be writing a follow up on how to use the tools, and talk about the other tools.

Always, ALWAYS be mindful of what you share online.

With your privacy under attack by so many organizations, and governments; it is important to remember that anything you share can come back to haunt you. Facebook recently changed its privacy policies to include a statement that anything you post (be it pictures, posts, stories, poems, status updates, etc…) is owned by Facebook, and can be used as they please because all users are capital entities.

I also just read about an iPhone/iPad app called “snapchat” that purports to automatically delete pictures sent after a max of 10 seconds since it was received. This is done in an effort to protect teens from “accidently” sharing photos of themselves that could cause trouble for them (think the Amanda Todd incident) however, there is nothing stopping anyone from taking a screenshot of the picture or even doing a few other ways of capturing the content before it is auto deleted.

It is important to stay educated when sharing anything online, as once it has been released in a digital format, there will ALWAYS be a trace of it somewhere on the internet. The only way to truly protect your pictures, or information is to keep it off the web to begin with.

If you are worried about maintaining your copyright for your works that you post online, make sure you carefully read ALL the privacy and content notices under the end user license agreements for any company or website that you use. In a best case scenario you would be using your own private server, and private storage that would allow you to maintain ownership of all your intellectual property.

Privacy and intellectual property is a huge concern in today’s world. Governments, and companies will seek to profit and use your information for their gain, and most times with little concern for how it impacts you.