Category Archives: Hacking

Are you using strong and unique passwords? You should!

Filed under Hacking
Tagged as ,

I have been following several stories of recent targeted attacks against a few high profile security professionals. Two that I was made aware of were pdp from GNUCITIZEN and Alan Shimel from StillSecure, After All These Years. pdp had his Gmail account compromised and his entire mailbox mirrored all over BitTorrent. Alan’s, was far worse with his mailbox compromised, personal info released and his blog domain hijacked. Both pdp and Alan have returned to blogging after the attacks and I commend them for making such a quick come back.

While these types of attacks are not new…it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet on how these attacks happened but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have…do you have the same one for everything? If you are a blogger or manage a web site think about the last time you changed the password you use for your domain registration (yeah..that was a long time ago right?)! Add to the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great…but you can still get lazy. We all have the lazy bug…especially with online forums and web sites. One idea that I learned to help combat this was to have a “throw away” password that you can easily remember (yet still somewhat complex) for things on the web that you wouldn’t care if they were compromised. Everything else…use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point…LinkedIn has a limitation of 16 (I found this out the hard way). Sure, it’s a pain in the ass to use a password manager but in the end…it’s well worth the extra work.

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OS’s (and a Blackberry)…KeyPass is the only one that I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add to the fact that it’s free…it’s tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it’s a good time to change those passwords to something complex and unique. Don’t forget to use a password manager to help you out!

San Francisco’s network held hostage by network admin

Filed under Hacking

This is just a classic case of one administrator who managed to get all the “keys to the kingdom”. From the San Francisco Chronicle:

“Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city’s new FiberWAN (Wide Area Network), where records such as officials’ e-mails, city payroll files, confidential law enforcement documents and jail inmates’ bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.”

As part of his plan he also:

“…engineered a tracing system to monitor what other administrators were saying and doing related to his personnel case, law enforcement officials said. “

As of right now all other administrators are locked out of the system and he has the only password! I also saw on CNN today that he still won’t give up the password when a judge asked him in court today. Awesome…so how does this happen? While exact details still are not clear…lack of proper controls, proper monitoring of privileged users, oversight, separation of duties…are just a few things that comes to mind.

This should be a reminder for the corporate world that all privileged users (network administrators in this case) should be held to a higher standard then other users on the network. Thus, need more oversight and monitoring. Hopefully the city can get the password cracked or the guy eventually gives it up.

What does a hacker…hear?

Filed under Hacking

What does a hacker hear?

Good post on Bloginfosec last week that talks about all the interesting security related sounds that go on in pretty much any environment just by listening.

If you saw Johnny Long’s “No Tech Hacking” presentation then you will probably remember the line “What does a hacker see?” as Johnny pointed out items in pictures that wouldn’t be a big deal to the average person but to a hacker this information becomes extremely valuable.

Russell Handorf who wrote the article on Bloginfosec also put together a pretty cool quiz that you can take online to see if you can recognize some typical and not so typical sounds from various computing devices. I would be interested in hearing more about cell phone defaults…for example, does your phone have a default sound for Bluetooth sync? Like Russell mentioned in his article, it is pretty easy to use a tool like hcidump or the soon to be released BTfind which will help identify and enumerate found Bluetooth devices.

Next time you are at a conference, on the bus, train or at your local coffee shop pay attention and listen…you might be amazed at what you hear.