Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

4/13/2018

PWNED?

Filed under: Fun,News and Current Events,The Day Job — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:30 am for you boring, normal people.
The moon is Waning Crescent

Have my super secret accounts been compromised?

Probably. I know, that’s not really what anyone wants to hear, but it’s also pretty truthful at this point. I mean, if you pay any attention to the news these days, then you’ve heard about all the recent data breaches. Most recently, there’s the Saks Fifth Avenue and Lord & Taylor data breaches, but before that there was Equifax, Under Armour, Uber and more. And, I know for myself, just having a Yahoo-related email account has made me susceptible to having my information compromised multiple times over the years.
But, what if you’re not sure? Or, what if you think you may have had an account that was part of a breach and want to know for sure? Then, head over to Have I Been Pwned and put in your email address. If you’ve been part of any of the big breaches in the past couple years, this site will tell you.
Also, if you’re not sure about that “secure” password you’re about to start using, then you can put that in at this site, too, and if it’s a well-known, well-hacked password, you’ll know before you use it. (That’s important to know because the well-known passwords are easier to pull out of even an encrypted password database.) If you don’t see it at first, just check the top menu for “Passwords” and you’ll get straight to it.

In this day and age, none of us can afford to be lax with our personal data and our data security. So, it may not be my normal “fun” link for Friday, but it’s definitely worth taking a minute to check your on-line safety.

This post originally appeared on Use Your Words.

4/15/2016

Security In A Box

Filed under: Geek Work,Red Herrings,The Dark Side,The Tools — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:00 am for you boring, normal people.
The moon is Waxing Gibbous

First of all, you should know I’m talking about computer security, not home security.

Secondly, know that “in a box” really means something more like “all in one place”.
I’m suggesting this site this week because security is on my mind.  Not only in a corporate sense, but in a personal sense.  In a professional setting, I’ve brushed up against something that could conceivably heighten scrutiny of my own personal foot-print on the internet.  And, I’ve had a particular address from a particular Eastern European country banging against one of my WordPress installations pretty hard this past week.  All of which added up to me checking my collected links for a security themed site I could share with you all.
The site is called Security In A Box and it’s a collection of tips, advice and links to programs meant to help keep you safe on the internet.  Their advice covers everything from creating good passwords to staying safe on social media.  And, they have group-specific suggestions for special interest groups who might have an additional level of scrutiny, either by other special interest groups or governments.  It’s quite a good site for everyone, of course, but of special interest to anyone who might find themselves at the sharp end of one of the many sharpened sticks running loose on the internet without keepers.

So, stay safe this weekend and enjoy the lovely weather while it lasts!

6/1/2012

Resume Generator

Filed under: Fun,Fun Work — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:50 am for you boring, normal people.
The moon is Waxing Gibbous

Sadly, not mine.

So, regular readers know how much I love coding up little random generators, right?  Well, this is the same thing, only it’s not random and I didn’t make it.
I’ve changed jobs a lot.  I mean, it’s unusual that I stay at the same gig more than three years.  So, I’ve made a lot of resumes, sometimes even customizing them to the particular job I may be applying to at any given moment.  Well, now, you don’t have to do that kind of work yourself.  Now, you can use Resunate, the Smart Online Resume Builder!
You just load up your current resume, then add in the job you want to apply for and let this website tell you where your resume matches, or doesn’t match, the job description.  Then, as if that weren’t enough, they actually let you create a new resume based on the changes, automagically!

Wow, I can’t tell you how much I wished I’d had that when I was job hopping so much in the nineties and early noughts.  This would have saved me so much hassle!  Well, in any case, you have it now.  And, what the heck, it’s Friday and you’ll be dreaming of another job today anyway, so you might as well go use it to update your resume!
Have a great weekend, y’all!

10/17/2011

Your Password Is Too Weak!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,The Dark Side — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:19 am for you boring, normal people.
The moon is Waning Gibbous

No, seriously, it is.

If it makes you feel any better, most people’s passwords are too weak.
I suppose you think it doesn’t matter how “strong” your Gmail (or Hotmail or whatever free email you use) password is, right?  Well, you’d be wrong.  I recently read an account about how one person’s Gmail account was hacked and used to spam and try to get her friends to send the hacker money, all posed as her.  Of course, that was after deleting more than 4 Gigabytes of stored messages and photos.  You can read that account, as told by her husband, over at the Atlantic, in an article titled “Hacked!”  It’s worth reading, especially if you’re not in the IT business.  And, frankly, even for a fellow professional computer geek, it might be eye-opening to see how hacked email accounts are being used these days.  I have to admit, I was a little surprised that the attacker in question actually used the account personally to try and con money out of the victim’s friends and family.

I was not, however, all that shocked to see how many accounts are compromised on a regular basis.  Think the thousands.  Daily.
Right, so thousands of email accounts on which people depend are hijacked, used and abused on a daily basis.  If it hasn’t happened to you, it’s probably only a matter of time.  So, how do they do it?  Shared, easily guessable passwords.
Yes, it’s that easy.
Stop for a minute and think about how many passwords you use on a regular basis.  How many are the same?  How many accounts do you have for things like bank accounts and credit cards and medical records that use the same password as your email?  And how many of those accounts use that same email address as the username?
Getting the picture?

So, what do you do?
First, stop reusing passwords.
Second, make more secure passwords.  And, don’t think that the old way of replacing “L” with the numeral one or the letter “O” with the numeral zero and that kind of thing will work, either.  The hackers are on to that.  It’s better to use words that are not in the dictionary.  So, yes, made up words.  Or, even better, phrases, which is what I’ve recommended for some time.  Having a hard time coming up with one?  Try using one generated randomly for you at passphra.se, a random passphrase generator which was inspired by an XKCD comic.  The comic explains the reasoning behind the passphrase idea and the generator.  Also, XKCD is pretty funny and if you’re geeky like me at all, it’s well worth checking out.
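To make the point about look-alike substitutions and random phrases concrete, here is an added example (not code from this blog or from passphra.se). The word lists are tiny constructed samples, and the 2048-word list size used for the entropy figure is an assumption.

```python
import math
import secrets

# Constructed sample: stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "football", "hello", "letmein", "welcome"}

# Constructed sample: a real passphrase generator draws from thousands of words.
WORDLIST = ["correct", "horse", "battery", "staple", "copper", "window",
            "tiger", "orbit", "maple", "lantern", "harbor", "velvet",
            "pickle", "quartz", "ribbon", "saddle"]

# Look-alike swaps, including the two named above (L -> 1, O -> 0).
# "1" is ambiguous (it can stand for "l" or "i"), so both readings are tried.
_BASE = {"0": "o", "3": "e", "@": "a", "$": "s", "5": "s", "7": "t"}
_TABLES = [str.maketrans({**_BASE, "1": ch}) for ch in ("l", "i")]


def is_disguised_common_word(candidate: str) -> bool:
    """True if undoing the usual character swaps yields a listed word."""
    lowered = candidate.lower()
    return any(lowered.translate(t) in COMMON_WORDS for t in _TABLES)


def random_passphrase(n_words: int = 4, wordlist=WORDLIST) -> str:
    """Pick words with a cryptographic RNG, not random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Each uniformly chosen word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "l3tm31n", "he110"):
        print(pw, "-> rejected" if is_disguised_common_word(pw) else "-> ok")
    print(random_passphrase())
    print(passphrase_entropy_bits(4, 2048), "bits for 4 words from 2048")
```

The check rejects a password whenever a handful of fixed swaps turns it back into a listed word, which is why the substitution trick adds so little. The strength of the phrase comes from the number of words and the size of the list, not from the words being obscure.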

In today’s world, we’re way too interconnected and digital and reliant on those systems to have relaxed security.  It doesn’t matter if you’re a geek or not.  Please, think about your passwords and how easily they might be compromised.  Then think about what that might mean to your life, digital and otherwise.
Now, if you’ll excuse me, I have to go change some passwords…


Advice from your Uncle Jim:
"Character may be manifested in the great moments, but it is made in the small ones."
   --Phillips Brooks

1/4/2011

Change Your Passwords!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:35 pm for you boring, normal people.
The moon is a New Moon

Yeah, yeah, happy New Year to you, too, now, go change your passwords.

No, seriously, change your passwords.  Think about how long it’s been since you either set up that account or changed the password on it.  Now, consider that there have been some significant security breaches in the past year, including the issues at Gawker and their family of popular websites, and think about how many places you’ve used that same password.  It’s your favorite one, right?  The one you use for all your accounts, because it’s so, so easy to remember?  Guess what, it’s also probably easy to crack and is probably in a database on some hacker/cracker website right now matched up with the e-mail address you used, too.  How long will it be, do you suppose, before someone gets into all your accounts?

Right.
So, go change your passwords.
Not sure how to pick a good one?  Well, if you trust the U.S. Government for security, you can go to their Computer Emergency Readiness Team (aka US-CERT) for advice on choosing a secure password.  If you’re like me, though, you categorically do NOT trust a government agency for your personal security, in which case I recommend that you check out premier security expert Bruce Schneier’s advice for picking a secure password.

I’ll offer two bits of advice on the topic.
First, if any system lets you, choose a password that includes numbers and special characters, not just letters.  The example I always use is “@2brutus”.  And, yes, that means I will NEVER again use that as a password. *sigh*  I like to substitute numbers for letters which resemble them, like the number one instead of the letter L or the letter I.  In the example, I’ve taken a whole word out, “et”, and substituted the “at” symbol, or “@”.
Secondly, try to use something that is not a single word, but a phrase.  Again, in the example, I took my bastardization of “et tu brute”, which I remembered as “et tu brutus” and mashed it up a bit.  I have known people who use short sentences, however.  One guy I worked with occasionally used lines from Lewis Carroll’s Jabberwocky, which adds the extra security of words that will most likely never be found in any standard dictionary of any language.

So, trust me on this, if you haven’t done it, start the new year right and change your passwords.


Advice from your Uncle Jim:
Knowing that something is the right thing doesn't always make it easy to do, but that's not an excuse.

9/26/2010

Windows Password Recovery Tools

Filed under: Fun,Fun Work,Geek Work,GUI Center,MicroSoft,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 1:44 pm for you boring, normal people.
The moon is Waning Gibbous

Remember, these are “administrator utilities” not “hacker tools”.

In my business, it pays to make the distinction.
When people call me for help outside the office, the calls usually fall into a couple categories; a virus, a slow computer, a lost password and “how do I do X?”  Sadly, I’ve been doing a lot of virus and spyware removal, but, also, lately, I’ve had a couple of “lost password” calls.  I actually love getting those, for a couple reasons.
First, lost passwords are surprisingly easy to recover if you have physical access to the machine.  It’s funny to me how few people get that.
Secondly, I find recovering passwords fun.  In a way, it was one of the first things that drew me into the business.  I was one of those guys who got hooked by the security bug not by War Games, but by Sneakers.  Yeah, I know, most guys my age especially will tell you it was War Games that really got them hooked.  What can I tell you?  I’ve always been kind of a late bloomer.  And, my dirty, little secret is that after seeing Sneakers, I wanted to be Marty Bishop.  Seriously.

Anyway, my recent experience with Windows password recovery requests gave me an opportunity to refresh my tools.  After Googling a bit, I found a handy About.com page titled “Top 6 Free Windows Password Recovery Tools”.  I downloaded several, most of which were based on bootable CDs of one kind or another.  I like those kinds of toolkits because they don’t require even limited access to the operating system, just the ability to reboot the machine from the CD toolkit.
In the end, I tried two; 0phcrack and the Offline NT Password & Registry Editor.

Now, I’m not positive, but I’m pretty sure that 0phcrack is the free, opensource fork of l0phtcrack.  Now, for an old-timer like me, l0phtcrack was THE password cracker to have, back in the day.  Created by a group of well-known hackers, some of whom famously testified before Congress, it was not free.  At least, theoretically.  If you knew where to look, you could get copies.  And, yes, I  them.  But, this version IS free and seems like it had some improvements.
For one thing, the old version had a slightly clumsy text-based interface.  This version has a much nicer interface that seems to use X-Windows.  It’s also far more intuitive to use.  It ran pretty fast, really, though, sadly, didn’t seem to be able to crack the non-dictionary word used as a password on the Windows 7 box I was using it against.

On the other hand, the Offline NT Password & Registry Editor has been around for several years, and had several updates, though it retains the text-based interface.  I don’t remember when I used this the first time, but, so far, it hasn’t let me down in a pinch.  This time was no different.  So, yes, even though it has “NT” in the name, I’ve used it on everything from Windows 2000 through Windows 7 without a hitch.  Of course, your results may vary.  The bonus of this product is also its most potentially dangerous drawback; it directly edits the registry and password files.  This is dangerous, in a way, because if something goes wrong, this could, theoretically, lock you out of your machine permanently.  In practice, this has never actually happened to me.
One advantage of this utility is that you can change or simply remove the password for any active user on the system.  Also, you can use it to promote an active user to being an administrator equivalent.  Now, by “active user” what the developers mean is any account that is not disabled.  Though, I think there may be the option to activate a deactivated account.  I’m not positive, though, because I’ve never had to look for it or try to use it.  And, yes, this worked like a charm to simply blank the password on the Windows 7 machine that had apparently forgotten its own password.

So, there you have it.  Two tools to recover lost Windows passwords.
Oh, and, just a quick disclaimer here.  I’m not responsible for any damage you might accidentally do to your machines with these utilities.  Nor am I advocating using them to break into your ex-spouse’s computer to read their adulterous e-mail to their lover.
I’m just sayin’….

9/30/2008

Review: Little Brother

Filed under: Deep Thoughts,Fun,Life, the Universe, and Everything,Linux,News and Current Events,Review,Things to Read — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:18 am for you boring, normal people.
The moon is a New Moon

I finished Little Brother by Cory Doctorow this weekend.

I cannot recommend this book enough. It is so, so worth braving the Young Adult section of the bookstore or library to get and definitely worth getting for your own young adults. Don’t be put off by the fact that it’s geared toward a younger audience, because there’s actually a bit more sex in it than most science-fiction I’ve read this year! Seriously!
Little Brother, in short, is about the Department of Homeland Security. Not quite the way it is now, but where it might be going if we’re not careful. The story is about a somewhat precocious teen named Marcus who’s a bit of a geek. He plays live-action role-playing games and works with computers and subverts his school’s security measures to get out of class to play alternate reality games. But, he and several of his friends get caught up in a bad situation while doing this one day. In the story, terrorists blow up the Bay Bridge in San Francisco while Marcus and his friends are skipping school. And, the DHS sweeps them up with other questionable people and interrogates them.
Frankly, the interrogation techniques are probably what you’ve read about already. Simple humiliation by not being allowed to use bathroom facilities, sleep deprivation, isolation, aggressive and extended questioning sessions, you know, the usual. The kinds of things that are used all the time to get information out of alleged terrorists. Only Marcus isn’t a terrorist and he hasn’t even been charged with a crime. The DHS is only questioning him because he seems a little suspicious and out of the ordinary. You know, the usual. The usual nightmare that anyone in the wrong place at the wrong time just being a regular, normal citizen might go through because we’re handing over our freedoms with the idea that we might gain security in exchange.

Well, they release Marcus and two of his three friends. Marcus got the worst of the questioning, but all of them are worried about their missing friend. Only Marcus, he’s gotten angry at how he was treated. Much the way I imagine many otherwise innocent people have gotten angry at how they’ve been treated or “questioned”. So, Marcus decides he’s going to get back at the DHS. And, thanks to his talents as a young computer hacker, he does.

I won’t ruin the story by telling you all that happens, but it is a gripping read, not lessened by the fact that it’s something which could happen right here in our country. In fact, some people feel it is happening. One of the many things I liked about this book was how accurate the computer security was. Doctorow really researched this well and even called in contacts like the infamous Bruce Schneier to help get it right. As a matter of fact, they get it so right that I’d recommend this book to anyone interested in getting the basics of computer security. They explain public key cryptography, protocol tunneling, and several other key concepts in modern computer security that, frankly, are somewhat hard to explain.
If you’re worried about the future of your country, or just the future of your children, I encourage you to read this book. If you want to encourage the next generation to be politically aware and have a good understanding of the issues, buy this book for them.

I may not always agree with Cory Doctorow’s political agenda, but Little Brother is a great book and will provide many topics of discussion for interested classes and families.
Read this book!


Any links to sites selling any reviewed item, including but not limited to Amazon, may be affiliate links which will pay me some tiny bit of money if used to purchase the item, but this site does no paid reviews and all opinions are my own.