Category Archives: security

securely wiping your hard drive without dban


Well, if DBAN doesn’t cut it for some reason, there’s always a more native Linux way to do this.

Step one is getting a Linux live CD, DVD or USB stick and booting from that. I used the Debian Live CD myself, which boots into character mode, so you don’t end up with the X server failing to detect your video settings.

Once you’re in a shell, you can use the shred command to wipe your HD’s data by overwriting it a number of times with random data. I found that out by reading a post by a lad named Jason on the topic, which was a nice help. I only had to add “sudo” in front of the command to actually give it write access to the disk on Debian.

First figure out what partition/drive you want to wipe by running:

cat /proc/partitions

Then, in my case, I had to run this to wipe sda:

sudo shred -fvz -n 6 /dev/sda

The -fvz basically means: [f]orce write permissions, [v]erbose output so you can see the wiping progress, and write [z]eros on the last run to hide the wiping. -n 6 tells it to do 6 passes of random data.

Using DBAN is still the easier way to get this done, but if that’s causing you trouble you can use this as a backup wiping measure.
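To make the -n and -z options concrete, here is an added Python example (not from the original post, and not how shred itself is implemented) that does the same thing to a single file: a number of random-data passes followed by a zero pass, with an fsync after each pass. It runs against a constructed temporary file, so it is safe to execute; pointing it at a real device would be as destructive as the shred command above. One caveat worth knowing: overwriting in place only destroys the data if the device really rewrites the same blocks, so this (and shred) is unreliable on SSDs with wear levelling and on journaling or snapshotting file systems, as the shred man page itself warns.

```python
import os
import tempfile
from typing import Callable, Tuple

CHUNK = 64 * 1024  # write in 64 KiB chunks so a large file never sits in RAM at once


def _fill(f, size: int, source: Callable[[int], bytes]) -> None:
    """One overwrite pass: rewrite `size` bytes from offset 0 using `source(n)`
    for the data, then fsync so the pass reaches the device before the next one."""
    f.seek(0)
    left = size
    while left > 0:
        n = min(CHUNK, left)
        f.write(source(n))
        left -= n
    f.flush()
    os.fsync(f.fileno())


def wipe_file(path: str, passes: int = 6, zero_final: bool = True) -> Tuple[int, int]:
    """Overwrite `path` in place the way `shred -z -n 6` does: `passes` passes of
    random bytes, then one pass of zeros if `zero_final` is set.
    Returns (passes_written, file_size)."""
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            _fill(f, size, os.urandom)
            done += 1
        if zero_final:
            _fill(f, size, lambda n: b"\x00" * n)
            done += 1
    return done, size


def demo() -> dict:
    """Constructed sample: a temporary file holding fake secret data, wiped with
    6 random passes plus a final zero pass, then read back and inspected."""
    secret = b"constructed secret data " * 4000  # 96 000 bytes, spans two chunks
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    passes, size = wipe_file(path, passes=6, zero_final=True)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return {
        "passes": passes,
        "size": size,
        "secret_gone": secret[:24] not in after,
        "zeroed": after == b"\x00" * len(secret),
    }


if __name__ == "__main__":
    print(demo())
```

The final zero pass is what makes a wiped file look like any other empty region instead of a block of conspicuous random bytes, which is the point of shred’s -z.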

Photo by Hugo Chinaglia, cc-licensed.

things I learned from hacking my own wifi access point


I read this article recently on how this guy hacked his neighbour’s WIFI access point relatively easily. After that I wondered how easy it would be to crack my own WIFI network, because my password wasn’t all that complex. In fact, it even has some dictionary words in it. So I got myself a copy of BackTrack 5, got up to speed on hacking tools like airodump-ng, aircrack-ng, John the Ripper (love that name) and started cracking.

Here’s what I learned:

  • Getting enough data from a WPA encrypted WIFI access point to start cracking on, far away from the crime scene, takes only a few minutes if you know what you’re doing.
  • To get access to your WIFI network interface you need to run BackTrack on the bare metal. Running it as a virtualized guest OS in VMWare doesn’t expose your WIFI interface as a WIFI interface. Booting the OS from a USB disk did the trick for me.
  • Don’t save files in /tmp/ on Ubuntu if you plan to reboot. They will get wiped when you reboot. *facepalm*
  • John the Ripper and aircrack-ng exist for Windows as well. Running the native versions seriously increases your attempts per second (800 vs 2700 on my machine) compared to running them in a virtual machine. I know this is obvious because you’re running on the native OS, but I just assumed those tools were Linux only at first. Silly me.
  • John the Ripper has its brute force limit set to 8 characters at compile time. That means it’s a bit harder to get hacked if you have a 9 character password, because the attacker has to recompile or use the external modes. I ended up using the external modes.
  • Brute forcing a WPA packet for a 9 character password takes ages. Literally! It ran for hours and didn’t even get close to finishing. At 2700 attempts per second, a 9 character password combining numbers and upper- & lower-case characters would take about 872 years to try all possible combinations. That is, if you use 100 laptops like mine (Intel i7 2GHz) simultaneously. Ouch.
  • There’s a bunch of word lists out there containing commonly used passwords. If your password is in one of those lists, chances are it will be found in no time (2700 passwords per second, remember). So it’s a good thing to make that password as random as possible.
    The free lists you find online are supposedly of lesser quality. If you’re willing to shell out a few bucks, however, you can get bigger, higher quality lists. Still, this shows that having a good randomized password is pretty important.

Conclusion

My WIFI password is harder to crack than I thought. Yet I’m going to change it to something more random, because even though those dictionary words are not in the current frequently used password lists right now, they could end up in there in the near future. For all I know it’s already in some password list I didn’t see.

Photo by g. tavmen, cc-licensed

how to figure out if a site is a scam


I was looking into getting some ebooks so I googled around a bit and something came up that was offering a nice deal. In fact, it was so nice that a little warning indicator popped up in my brain. It was looking a bit too good to be true, you know, the typical signs of a scam: if it’s too good to be true, it usually is.

Then I read the conditions and apparently you had to pay upfront before you could buy a book. Hmm. More warnings popped up.

So how do you determine if a site is a scam? Well, googling the name might help and turn up some warnings. But it didn’t in my case. That search did, however, turn up one thing by chance. A site that calculates the ranking of this ebook scam site gave me links to similar sites. When I opened one of them, it turned out it had the same layout. In fact, it was a clone of the original site, hosted on a different domain.

Scam?

So how many more domains like that are there? I tried a few Google tricks and finally struck gold by copying a line of text from the site’s privacy policy and surrounding it with quotes to have The Google search for that exact piece of text. If that line is unique enough, it should only turn up a single website. Or websites that copied the same text. Or complete clones of the website, as in this case.

The result? Google turned up a huge list of sites hosting the exact same content under a ton of different domains, sometimes with a different layout theme or logo. But plain copies nonetheless.

Scam!
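The exact-phrase trick works because copied boilerplate survives a change of theme and logo. As an added example (not from the post), the Python below automates both the verbatim search and a looser version of it that still catches clones whose text was lightly reshuffled: pages are stripped of markup, cut into overlapping 8-word windows, and compared by Jaccard similarity. The three pages and their .example domains are constructed; one is the "original" store, one is a clone with a different theme, and one is an unrelated site that merely also has a privacy policy.

```python
import re
from typing import Dict, List, Set

# Constructed sample pages. The privacy policy is the "unique enough" text the
# post searches for; the clone uses a different theme and logo but the same copy.
POLICY = ("We collect your email address and payment details when you register. "
          "Your personal data is stored on our secure servers and is never shared "
          "with third parties except as required by law. You may request deletion "
          "of your account at any time by contacting support.")

SAMPLE_PAGES: Dict[str, str] = {
    "cheap-ebooks.example": (
        "<html><head><title>Cheap eBooks Store</title></head><body>"
        "<div class=\"nav\">Home Catalogue Checkout</div><h1>Cheap eBooks Store</h1>"
        "<p>Prepay now and download any book for one dollar!</p>"
        "<h2>Privacy policy</h2><p>" + POLICY + "</p></body></html>"),
    "book-bargain.example": (
        "<html><body><div id=\"header\"><img src=\"logo2.png\" alt=\"Book Bargain Hub\"/></div>"
        "<ul><li>Start</li><li>Titles</li></ul>"
        "<p>Prepay now and download any book for one dollar!</p>"
        "<div class=\"legal\">" + POLICY + "</div>"
        "<footer>Copyright Book Bargain Hub</footer></body></html>"),
    "town-library.example": (
        "<html><body><h1>Town Library</h1><p>Opening hours Monday to Friday nine to five. "
        "Membership is free for residents. Our privacy policy: we only keep your name "
        "and library card number and never sell data.</p></body></html>"),
}


def clean_text(html: str) -> str:
    """Drop scripts, styles and tags, collapse whitespace and lower-case, so that
    theme and markup differences between sites do not matter."""
    text = re.sub(r"<script.*?</script>|<style.*?</style>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def shingles(text: str, k: int = 8) -> Set[str]:
    """All k-word windows of the text; a copied paragraph shares most of these."""
    words = text.split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def exact_phrase_hits(phrase: str, pages: Dict[str, str]) -> List[str]:
    """The post's manual trick: which pages contain the quoted sentence verbatim."""
    needle = clean_text(phrase)
    return sorted(d for d, html in pages.items() if needle in clean_text(html))


def find_clones(reference: str, pages: Dict[str, str], threshold: float = 0.3) -> Dict[str, float]:
    """Pages whose shingle set overlaps the reference page's by at least `threshold`,
    with their similarity score; catches clones that edited a few sentences."""
    ref = shingles(clean_text(pages[reference]))
    scores = {d: jaccard(ref, shingles(clean_text(h))) for d, h in pages.items() if d != reference}
    return {d: round(s, 2) for d, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    print(exact_phrase_hits("Your personal data is stored on our secure servers", SAMPLE_PAGES))
    print(find_clones("cheap-ebooks.example", SAMPLE_PAGES))
```

The threshold is a judgment call: two honest shops that bought the same privacy-policy template will also overlap on that paragraph, so a high score is a reason to look closer, not proof on its own.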

Picture by Alex Abian, cc-licensed.

how not to get your accounts hacked online


“Easier said than done” is one of those expressions that applies nicely to managing your online account passwords.
The rules are, as said, rather simple:

1. Use a complex password.
2. Do not reuse your password for multiple sites or services.

A password like “pqu9ijLrFcDvmiphXRGo” is super secure, but it’s pretty damn hard to remember too. Let alone using a different complex password on every site you use.

But unfortunately, it’s pretty damn necessary if you look at the recent Dropbox account “hack” for example, which was possible because a password was reused from another hacked site.
LinkedIn, Gamigo, eHarmony, Last.fm, Sony, WordPress, and just this week Blizzard. They all got hacked at some point and all of them asked their users to change their password asap.

If you were on any of these sites and you have reused your password elsewhere… well, you should change those too.
When all your passwords follow a recognizable pattern, well… hackers can figure that out too. Even if only the hashed value of your password was dumped online, on pastebin for example, any password can be found given enough computing time.
If you are using dictionary words in your password, you’d be surprised how little time it actually takes. Oh, and those smart tricks like replacing some letters with numbers? Modern cracking tools like John the Ripper know those as well.

How do we go about those 2 golden rules then? Well, how about letting the computer do the remembering for us? They’re good at that kind of stuff!

Here’s how you can do that:

1. Use KeePass Password Safe to store & manage all your passwords (download here).
2. Have it generate a unique & random password for every site/account you sign up for.
3. Create a good, complex, yet easy to remember master password to protect the KeePass database.
4. Synchronize the KeePass DB with all your devices using something like DropBox’s cloud storage.

Now you don’t have to remember any of those passwords, except that one very important one. Thanks to the sync you can reach your KeePass database from all your machines & devices (Windows, Mac, Linux & Android at least, in Dropbox’s case).

There are a few exceptions where I picked my own password instead of an auto-generated one. Again it’s something easy to remember, yet hard to guess or crack. I do that for my Google account for example, so I can use that from anywhere without needing access to my KeePass DB. Just to be on the safe side that one has two-step verification on it as well.
Few accounts deserve this exceptional privilege however, so I use it sparingly.

Be safe!

Photo by grittycitygirl, cc-licensed.

how to create a password that takes thousands of years to crack


I see a lot of guides about this online, but a lot of them use tricks that don’t really add any extra protection when choosing a good complex password.

You make a password hard to crack by combining upper & lower case letters, numbers and a few special characters to increase the password’s strength. Replacing letters with numbers is a common trick, so cracking tools use it too. Using a few dictionary words renders long passwords, but doesn’t make them that much safer due to dictionary attacks. Pass phrases are often too long, as some online services still enforce ridiculously short password lengths.

The best idea that I’ve run into so far is described as follows on Wikipedia:

mnemonic passwords: Some users develop mnemonic phrases and use them to generate high-entropy (more or less random) passwords which are nevertheless relatively easy for the user to remember. For instance, the first letter of each word in a memorable phrase. Silly ones are possibly more memorable. Another way to make random-appearing passwords more memorable is to use random words (see diceware) or syllables instead of randomly chosen letters.

There are a few variations on this one, but if you pick yourself an easy to remember phrase and:

  • use every first letter of each word.
  • use every first letter of each syllable of each word.
  • drop the vowels in each word.

you come up with something that looks quite randomly picked, yet is easy to remember. Depending on the chosen method, your phrase can be a long one, or shorter, to ensure a nice and lengthy strong password.

For example:

  • Ymwahayfsoe: Your mother was a hamster and your father smelt of elderberries.
  • Imgntimipttkl: Imagination is more important than knowledge. (*)
  • llyrbsrblts: All your base are belong to us.

If you play with that a little by adding some numbers, capitalizing here and there and inserting a few special characters, you have something that ends up being pretty safe. #Ymwahayfso3 for example has 73 bits of entropy, which should take about 344 thousand years to crack if you try all combinations on a desktop PC. Take that humongous timespan with a grain of salt though. Proper hackers might use multiple machines with multiple GPUs to crack passwords, shortening that time-frame considerably.

(*) Since English isn’t my native tongue that might not be 100% correct, but you get the idea right?
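The three password posts above (the KeePass list, the brute-force arithmetic from the WIFI post, and the mnemonic rules here) all come down to a handful of small computations, so here they are in one added Python example that is not part of the original posts. It applies the first-letter and drop-the-vowels rules to a phrase, generates a KeePass-style random password with the OS CSPRNG, checks a candidate against a wordlist after undoing the usual letter-to-digit swaps (the check a cracking tool’s mangling rules effectively perform), and estimates the brute-force keyspace and the years needed to exhaust it at a given guess rate. The miniature wordlist, the leet mapping and the character classes are assumptions of the example, and the time estimate is a worst case for pure brute force, not for a dictionary attack.

```python
import math
import secrets
import string

# Character classes for the keyspace estimate. Assumption: printable ASCII
# classes; adjust if the service you are estimating for allows fewer symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Constructed miniature "common passwords" list standing in for the real ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon", "iloveyou"}

# Undo the usual letter-to-digit substitutions before the wordlist lookup
# (0->o, 1->i, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s); a single mapping,
# so ambiguous swaps such as 1->l are not covered.
DELEET = str.maketrans("0134578@$", "oieastbas")


def mnemonic_first_letters(phrase: str) -> str:
    """First letter of each word of the phrase."""
    words = (w.strip(string.punctuation) for w in phrase.split())
    return "".join(w[0] for w in words if w)


def mnemonic_drop_vowels(phrase: str) -> str:
    """Keep only the consonants of every word in the phrase."""
    return "".join(c for c in phrase if c.isalpha() and c.lower() not in "aeiou")


def random_password(length: int = 20) -> str:
    """What a password manager's generator does: uniform random choice from a
    fixed alphabet (the 62 alphanumerics here) using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def in_wordlist(password: str, wordlist=COMMON_PASSWORDS) -> bool:
    """True if the password, lower-cased and with digit substitutions undone,
    is in the wordlist; such a password falls in seconds whatever its length."""
    candidate = password.lower()
    return candidate in wordlist or candidate.translate(DELEET) in wordlist


def keyspace_bits(password: str) -> float:
    """Brute-force keyspace in bits: length * log2(alphabet), where the alphabet
    is the union of the character classes the password actually uses."""
    if not password:
        return 0.0
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float, machines: int = 1) -> float:
    """Worst-case time to try every combination of a `bits`-bit keyspace at the
    given rate on `machines` machines working in parallel."""
    seconds = 2.0 ** bits / (guesses_per_second * machines)
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = "Your mother was a hamster and your father smelt of elderberries."
    pw = mnemonic_first_letters(phrase)
    print(pw, mnemonic_drop_vowels(phrase))
    print(in_wordlist("P@ssw0rd"), in_wordlist(pw))
    bits = keyspace_bits("aB3aB3aB3")
    print(round(bits, 1), "bits;", round(years_to_exhaust(bits, 2700, 100)), "years on 100 machines")
    print(random_password(), round(keyspace_bits(random_password()), 1), "bits")
```

Two things the numbers make obvious: every extra character multiplies the brute-force time by the alphabet size (62 here), while being in a wordlist makes the length irrelevant, which is why the random_password output and a mnemonic password are both fine and “P@ssw0rd” is not.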

Photo by marc falardeau, cc-licensed

break out of the search bubble


Did you know that when you search on the popular search engines these days you’re actually doing that from inside a “search bubble”? Google, Bing and Yahoo all do it, to give you more tailored and “relevant to your interest” results.

Let’s take Google for example, since most people are using that one anyway. They are tracking your searches and clicks, whether you’re logged in or not. They do this to compose a profile on you so that they can give you more specific search results the next time you look for something. They try to determine your sex, age and location (just like on IRC) to feed you the search results you are probably looking for. They are filtering the information based on a profile they’ve created on you.

The damn thing is that this actually works quite well. As a software developer I search a lot for technical, programming related topics. Google knows this and will give me those before any other possible hits. But what are you missing? What links are not included in your personal bubble just because Mr Google finds them irrelevant for you?

So how do you bust out of this bubble? You could use a browser’s privacy mode, but as long as you’re still using Google to search, or Chrome, you can’t be sure.

Another way is to use a different search engine. I know! A different search engine. It’s been ages since that happened right?

Enter DuckDuckGo. Besides the funny name and the mascot (A duck! Who would have guessed!), this one doesn’t put you in a bubble, doesn’t track your info and uses SSL by default.
Give it a try, and you’ll see that your results are quite different from Google’s. I have to be honest here and say that in some cases the Google results are “better”. But that’s the bubble at work.

DuckDuckGo also has a ton of specific search goodies like a built-in calculator and conversion engine, some specific tech goodies (whois queries, md5 hashes etc) and the !bang searches which allow you to search sites and topics directly.

As you can see, there’s plenty of reasons to try this new duck on the block out and burst out of your search bubble. The goodies alone make it worth checking out imo.

how to get hacked on an open wifi network


This has been circulating on twitter but is important enough to have it echo here as well. A lot of websites, like Facebook, twitter etc, are not using a secure way to transfer their login info. In fact, once you’ve logged in using a secure HTTPS connection, they simply use a browser cookie to “remember” who you are for all following requests to the site.
The problem with this approach is that this cookie is sent over the wire with each request. If that request is done over a plain, unprotected HTTP connection, the cookie can be sniffed off the network you are using.

If this network happens to be an open WIFI hotspot in a public place, that means anybody with the right tools can hack your twitter, facebook or whatever account. Finding the right tools has become extremely simple now that there is a Firefox plugin called Firesheep that does exactly that. Check out the screenshots to see how easy it is, and this follow-up post for more technical details.

So now that you know this is possible, make sure the websites you’re using always use an HTTPS connection (all the time) when you’re on an open WIFI hotspot, or simply don’t log in to websites that don’t offer full HTTPS protection.
Check the security tips listed in the follow-up post linked above for more protection tips (for Firefox).
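What the server side can do about this is mark the session cookie Secure, so the browser never attaches it to a plain HTTP request in the first place (and HttpOnly plus SameSite while you’re at it). The Python below is an added example, not from the post and not from Firesheep, that parses a Set-Cookie header, lists the protections a session cookie is missing, and models the browser rule that decides whether a cookie is sent on an http:// request. The two header values and the social.example host are constructed; host and path matching are left out to keep the rule readable.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample headers: the kind of cookie the post describes, and a hardened one.
WEAK_HEADER = "sessionid=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

# Attributes a session cookie should carry; their absence is what a sniffer exploits.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie value into {"name", "value", <attribute>: <value>}.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return the protections the cookie is missing, in a fixed order."""
    cookie = parse_set_cookie(header)
    missing = [attr for attr in REQUIRED if attr not in cookie]
    if cookie.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("samesite")
    return missing


def browser_would_send(header: str, request_url: str) -> bool:
    """Simplified browser rule: a cookie flagged Secure is only attached to https://
    requests; a cookie without the flag goes out on any scheme, which is exactly
    what lets it be sniffed on an open hotspot."""
    cookie = parse_set_cookie(header)
    scheme = urlsplit(request_url).scheme
    return scheme == "https" or "secure" not in cookie


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, "missing:", audit_session_cookie(header),
              "| sent over http:", browser_would_send(header, "http://social.example/feed"))
```

Secure addresses the cookie being sent in the clear, HttpOnly keeps page scripts from reading it, and SameSite limits cross-site requests from carrying it; only the first one is about the open-WIFI problem, but a cookie missing any of them deserves a second look.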

Photo by Krstnn Hrmnsn, cc-licensed.