Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

4/13/2018

PWNED?

Filed under: Fun,News and Current Events,The Day Job — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:30 am for you boring, normal people.
The moon is Waning Crescent

Have my super secret accounts been compromised?

Probably. I know, that’s not really what anyone wants to hear, but it’s also pretty truthful at this point. I mean, if you pay any attention to the news these days, then you’ve heard about all the recent data breaches. Most recently, there’s the Saks Fifth Avenue and Lord & Taylor data breaches, but before that there was Equifax, Under Armour, Uber and more. And, I know for myself, just having a Yahoo-related email account has made me susceptible to having my information compromised multiple times over the years.
But, what if you’re not sure? Or, what if you think you may have had an account that was part of a breach and want to know for sure? Then, head over to Have I Been Pwned and put in your email address. If you’ve been part of any of the big breaches in the past couple years, this site will tell you.
Also, if you’re not sure about that “secure” password you’re about to start using, then you can put that in at this site, too, and if it’s a well-known, well-hacked password, you’ll know before you use it. (That’s important to know because the well-known passwords are easier to pull out of even an encrypted password database.) If you don’t see it at first, just check the top menu for “Passwords” and you’ll get straight to it.

In this day and age, none of us can afford to be lax with our personal data and our data security. So, it may not be my normal “fun” link for Friday, but it’s definitely worth taking a minute to check your on-line safety.

This post originally appeared on Use Your Words.

12/29/2017

A Personal Security Plan

Filed under: Fun,News and Current Events,The Day Job — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:30 am for you boring, normal people.
The moon is Waxing Gibbous

It’s never too late, or too early, to get more secure on-line.

Those of you who know me, know that I spend most of my days toiling in the corporate data mines and as a result, I’ve spent an inordinate amount of time thinking about computer security. I also tend to be tech support for my friends and family, which covers a surprising amount of ground and technical situations. It seems like, lately, the biggest concern has been security. Either people are worried about having credit card information stolen or getting a virus or having some other password violated. Unfortunately, not enough of them are worried about backing up their systems, and, if I’m being totally honest with you, dear readers, I should worry about that more myself.
But, at the end of the day, I’m often left feeling like I can’t possibly give everyone the good advice that they need to stay safe with their technology and the internet. I tend to approach things from a corporate point of view, and even run my own network at home a little bit like a smaller version of the networks I’m responsible for at my “day job”. But, that approach doesn’t work for most people and I don’t have time to do a lot of customizing for their individual concerns.

Now, though, I’ve found a site that can help; Security Planner. It’s a free, interactive guide to let regular people get expert-reviewed advice to help them address their concerns about staying safe on their phones, tablets and computers. You just answer some simple questions about what worries you regarding technology and what can go horribly wrong, and they give you a simple action plan to help you get and feel safer. And, if you’re a more advanced user, or more intensely paranoid, they can help point you toward expert advice that, with a little more research and work on your part, can help you, too.
Best of all, it’s free.
Right now, the site is only in English, but they hope to expand to Spanish and French eventually, too.

So, do me, and whoever else you might go to for tech support, a favor; make a security plan for the coming year now.

This post originally appeared on Use Your Words.

4/15/2016

Security In A Box

Filed under: Geek Work,Red Herrings,The Dark Side,The Tools — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:00 am for you boring, normal people.
The moon is Waxing Gibbous

First of all, you should know I’m talking about computer security, not home security.

Secondly, know that “in a box” really means something more like “all in one place”.
I’m suggesting this site this week because security is on my mind.  Not only in a corporate sense, but in a personal sense.  In a professional setting, I’ve brushed up against something that could conceivably heighten scrutiny of my own personal foot-print on the internet.  And, I’ve had a particular address from a particular Eastern European country banging against one of my WordPress installations pretty hard this past week.  All of which added up to me checking my collected links for a security themed site I could share with you all.
The site is called Security In A Box and it’s a collection of tips, advice and links to programs meant to help keep you safe on the internet.  Their advice covers everything from creating good passwords to staying safe on social media.  And, they have group-specific suggestions for special interest groups who might have an additional level of scrutiny, either by other special interest groups or governments.  It’s quite a good site for everyone, of course, but of special interest to anyone who might find themselves at the sharp end of one of the many sharpened sticks running loose on the internet without keepers.

So, stay safe this weekend and enjoy the lovely weather while it lasts!

6/27/2014

An Easy Way to Share Your WIFI Password

Filed under: Fun,Fun Work,Geek Work,Red Herrings — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:43 am for you boring, normal people.
The moon is a New Moon

I’m going to take a slight departure from my normal free stuff on Friday posts.

Don’t worry, this is still free, but it’s not just a “click here and look at this thing” kind of post.  This week, you’ll need to actually do a couple of things to get the full benefit of this post.  Basically, it’s a little Summer DIY project for the mildly geeky and social.

Have you ever been to someone’s home and had to ask for their WIFI…

3/25/2014

Keyless Entry Tools!

Filed under: Fun Work,Life Goals,Never trust a Network Admin with a screwdriver,Review,The Dark Side,Things to Read — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:21 am for you boring, normal people.
The moon is Waning Crescent

Keyless entry tools may be a bit of a misnomer, but, technically, that’s what I’m talking about in this very special Tools for Tuesday post.

Actually, since I missed posting a tool last week, I’m going to mention several tools in this week’s post.  The difference is that these tools are all related.  Of course, all these things are related to lock picking, sometimes referred to as “lock sport” or “steel-bolt hacking”.
We’ve all seen this on TV or in the movies.  The hero, or anti-hero, needs to get into a room for some reason, only to be confronted with a locked door.  A locked door that would stop the average person, but not the hero of the story we’re watching.  Instead of being stymied by this apparently insurmountable obstacle, our hero, or heroine, simply pulls out a set of lock picks with which they proceed to fiddle about, often by the light of a flashlight held in their mouth, until the formerly locked door is suddenly, almost magically, opened.  Who among us has not wanted to be able to do the same thing?  How many times have we found ourselves on the wrong side of a locked door, wishing we had a set of lock picks with which to quietly gain entry to whatever is on the other side of said door?  And, perhaps more commonly, how often have we simply forgotten our keys, to home or office, and wanted to avoid the inconvenience of going to fetch them or find someone who could let us in?

Well, I have long wanted to be able to do all those things at one time or another.
In August of 2012, while attending DEF*CON 20, I finally got my initiation into the world of lock picking.  Or, as I more often prefer to euphemistically refer to it; keyless entry.  I spent several good hours at the Lockpick Village put on by TOOOL, The Open Organization of Lockpickers.  It was there that several very patient people taught me the basics of lock picking.  There were other opportunities to learn things like bumping and impressioning, as well as learning how to bypass locks other than the standard door lock or keyed padlock.  I haven’t had the time, or opportunity to explore those non-picking tools too much yet, but several of the tools in the photo above came from TOOOL.  TOOOL sells a fine starter’s set of lock picks and tension bars, which I bought at DEF*CON and can be purchased via their Equipment page.  You can see the two picks I use most often, and a tension tool on the right, resting on top of the TOOOL leather case.
I like these picks and tension tools because they’re light, but sturdy and relatively economical.  They also have nice sized grips which feel comfortable in my meat-hook-like hands.  It’s important that I feel like the tools I’m using to open a lock aren’t constantly in danger of breaking off in said lock, further complicating my opening of it.  These tools do that quite well, and look good while doing it.

The other thing in that photo which came from TOOOL is the progressive training locks, as they call them, though they’re really just specially prepared tumblers.  They’re in the large-ish grey thing near the middle of the photo, which I refer to as a lock picking vice, perhaps incorrectly, and which I’ll describe in a minute.  Actually, to be specific, the three training locks in the vice are the first three of a complete set of ten.  They start with a single pin in the tumbler and go all the way up to six pins in a tumbler, for the first, “normal” training locks.  The last four are a special spool-shaped pin, which is harder to pick, and go from one pin up to four pins in the “security” training lock set.  To get the entire set of ten ran me $120 before tax and shipping, but they are totally worth it.  In theory, I could have gotten ten of my own locks, stripped them down to just the bare necessities and pinned them out myself, but I can guarantee that they would not look as neat as these.  And, that’s assuming that I could find a source for the spool-shaped security pins for those last four.
I just got these recently, and I think it was just in time because my skills were getting pretty rusty!  I hadn’t touched my picks in a couple of months and found myself completely unable to pick a simple padlock that used to take me a couple of quick seconds to open.  It was mortifying!  I should note, these training locks are a little looser and easier to pick than a real-world lock, but that’s intentional.  The idea being, of course, that you need to get the feel for it before graduating to a real lock.  Incidentally, a standard padlock usually has four pins.  The average American door lock, like we normally use on houses, has five pins.  And, I’m told, that normal European door locks, like would be used on most residential doors, use six pins.  So, that’s why the training locks are pinned the way they are.  They make a logical progression of difficulty with real-world application.

When I found the Tri-Pik, as I call it, I was actually looking for something else, but I was thrilled.  The “Deluxe Adjustable Tri-Pik LOCK PICKING Holding Fixture”, as it is called on the website where I found it, is pretty fantastic.  In fact, I’d just about call it essential to my reintroduction to lock picking.
The basic idea is this; a real lock would be surface mounted in, say, a door, and would leave me both hands free to manipulate the tension tool and pick, and this tool lets you simulate that.  Without this, I would be holding the training lock in one hand, keeping tension on the cylinder via the tension bar with that same hand, while manipulating the pins with the pick in the other hand.  A fine way to learn, but not very realistic.  The Tri-Pik fixes that.  It is so named because it’s designed to let me mount up to three training locks in it at once, locking them in place via a hand-tightened set screw from below.  It’s quite a good system.  Simple, but effective, and reasonably priced at $35 plus tax and shipping.  I cannot recommend the Tri-Pik enough to someone learning how to pick locks.  It’s really, really fantastic.

Oddly enough, I found the Tri-Pik while looking for the fourth tool I’m mentioning today; the Southard Jackknife Lockpick Set.  I had seen this at DEF*CON, but I was a little hesitant to buy one, since I was flying back to Houston afterwards and didn’t want to have it mistaken for a knife and taken from me by a TSA agent.  But, now that I’m back, and it turns out the NSA has been watching all of us all along anyway, I decided to go ahead and get one of these little beauties.  Eventually, I’ll add this into my “every day carry”, so I’ll always be able to open doors, but first, I need to practice with it a bit.  Obviously, the idea is to fold it all up like a pocket knife and carry it with you, but the genius, in my opinion, is how they handle the tension tool.  It fits over the top of the folded-away picks, with one end sliding into a tight, narrow opening in the center of the main body of the tool set, using tension to keep it all together.  It works quite well and provides the amateur locksmith with a complete set of tools including; the tension tool, a long hook pick, a diamond-shaped pick, a half circle pick, a “snake rake”, an alternative rake and a diamond-shaped broken key extractor.  Add to that a really nice mechanism to hold the picks in both a closed and “ready to use” position and you’ve got a great, portable toolset here for just under $40, before tax and shipping.  A fantastic deal in my opinion.

The last “tool” is really a book.  Namely, the very good lockpicking primer, The Visual Guide to Lockpicking.  I have to admit, even though I had this book long before I learned how to pick locks at DEF*CON, I found it just a little too intimidating and confusing to use before I had some hands-on experience.  Now that I do, however, I can see just how good a resource this is.  It covers the majority of mechanical locks that a self-taught locksmith might encounter and have to deal with, including tubular locks and locks with pins on both the top and bottom of the cylinder, which are both challenges I have yet to master.  While no substitute for a good teacher, this book really is a great place to start if you can’t get direct instruction and has fantastic illustrations explaining the entire process.  It’s well worth the $15 or so that Amazon.com is asking.  (And, yes, if you buy a copy from that link, I get a credit.  Thanks!)

Incidentally, if you can’t quite figure the connection between “network geek” and “lockpicking”, the answer is far simpler than you might imagine.  In the early days of computers, the best of the best were pretty much all at M.I.T., where it is widely believed the term “hacker” originated, and, to get access to computer labs, and a place to crash while programs ran on the big, old iron that were computer systems back then, the hard-core computer geeks all became locksmiths so that they could get the tools to pick locks and never be on the wrong side of a locked door.  Or, at least, that’s what I read in Hackers: Heroes of the Computer Revolution by Steven Levy back when I was just getting started in IT.
So, yeah, that’s a mess of tools for Tuesday this week and a peek into the crazy way my mind works.  I hope it makes up for missing last week!

11/7/2013

Security Screwed

Filed under: Geek Work,Never trust a Network Admin with a screwdriver,Pressgram — Posted by the Network Geek during the Hour of the Snake which is just before lunchtime or 11:16 am for you boring, normal people.
The moon is Waxing Crescent

A new screwdriver set, with a complete set of long-shaft bits, and a special set of “tamper resistant” bits for work. Purchased because the original in-house installers of a projector are all claiming ignorance now that we have to replace it.
Luckily, Harbor Freight Tools had a sale and this whole set was less than $20!

The screws in question, incidentally, are the “hex” or “Allen wrench” style with a post in the center.  Kind of deceptive and frustratingly hard to identify when you don’t know their name!

Published via Pressgram

7/27/2012

Steal a BMW in 3 Minutes

Filed under: Criticism, Marginalia, and Notes,Fun,Geek Work,News and Current Events — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:27 am for you boring, normal people.
The moon is Waxing Gibbous

No, I’m not advocating that you actually do this!

But, in Europe, it’s already been done.
Apparently, the special key that costs you $160 for your super-secure BMW isn’t really all that much of a deterrent after all.  According to a story that ran recently on ExtremeTech, hacker-thieves have found a way to bypass the BMW security system and, in a separate step, decode the information needed to actually start the car without having the special, expensive key.  It seems that the on-board diagnostic port on the cars gives them complete, unsecured access to the data in the car’s computer, which allows them to get the codes they need to program up a new key and drive away in your very high-end car.  Interestingly enough, they’re able to do this because BMW is required by law to keep the codes and on-board diagnostic information unencrypted to allow competing firms to service the vehicles and not get locked out by BMW to form a monopoly.
Although the article focuses on BMWs, likely this is happening to other cars that use a similar technology and for the same reasons.  It’s just that right now, the expensive, high-end BMWs are what the thieves are stealing, and in fact they’ve always been popular targets for thieves due to their general popularity, so they’re getting all the attention.

Frankly, when I first heard about these “special” keys and ignition systems, I wondered how long it would be before they were subverted.  I just generally distrust systems like that, which operate over easily accessible networks.  Too many points of failure.  Anyway, check out the video in the link.  It’s pretty scary how quickly they can accomplish their goal of stealing the car.
But, what an amazing, real-world test of that security system!

So, how is this “fun” for a Fun Friday link?
Okay, it’s not really, but it seemed appropriate to share while I was out at DEF*CON in Las Vegas.  But, all you criminal types, don’t get any ideas!  My house is being watched and I’ll be back by the time that most of you read this!

2/29/2012

On-Line Dating Security

Filed under: Advice from your Uncle Jim,Bavarian Death Cake of Love,Geek Work,News and Current Events — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 12:39 pm for you boring, normal people.
The moon is a First Quarter Moon

I’m pretty sure I was propositioned by a prostitute on Match.com this morning.

I could be wrong, of course, but when a 27-year-old woman whose profile says she’s “almost divorced” and looking for people in the age range between 35 and 37 sends an email to a 43-year-old man (i.e. me) asking if he’s interested in a “one-nighter”, it seems suspicious to me.  Maybe I’m just cynical.
She started off sending me a short note that was a little vague, but at least sounded like she might have possibly read my profile.  Well, except for the part where I was 43.  But, most people I bump into out in the world aren’t very detail oriented, so I gave her the benefit of the doubt and suggested that I might be a little old for her.  I went on to explain that I wasn’t comfortable dating someone who hadn’t started school yet when I would have graduated from college.  What I didn’t say was that it would make me feel like a pervert to be dating someone potentially young enough to be my daughter, but, that’s what I was trying to get at, in a polite way.  Then I wished her good luck in her search and went on my merry way.
This morning, I got a note back asking if I was interested in a “one-nighter”.  And, then she gave me an e-mail address at Hotmail.com.  That raised two, giant red flags for me.  First of all, while I am a wizard in the sack, there’s nothing about my Match.com profile that would indicate that to the casual observer.  And, frankly, while many women find me absolutely adorable, I think that’s more based on my personality and sense of humor than my rugged good looks.  It’s been years since I was pretty.
So, sure, maybe she’s just a messed up kid trying to work out her “daddy issues” and not a hooker, but I suspect that she’s looking for an entirely different kind of “daddy”.  Either way, I don’t need that particular flavor of drama at this point in my life.  Seriously.

But, oddly enough, earlier in the week, I was reading a security blog at TechRepublic by Michael Kassner.  The entry was titled “Online Dating Services Risking More Than a Broken Heart” and was all about the potential security issues related to on-line dating.  Now, I work in the industry and I maintain pretty decent security, even at home, but I know not everyone is quite as paranoid as I am.  And, that’s just within the IT industry!  I cannot imagine the wild and wooly dangers faced by people foolish enough, or desperate enough, to contact someone who seems too good to be true through their own, personal e-mail address!  Not to mention how much data you put up on a profile that may be active indefinitely on a dating site.
So, go read his article and think about what you put out there, where you put it and who might be reading it.

Oh, and one last bit of dating advice from your Uncle Jim, if she seems too good to be true, she probably is!


Advice from your Uncle Jim:
"People may doubt what you say, but they believe what you do."

1/4/2011

Change Your Passwords!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:35 pm for you boring, normal people.
The moon is a New Moon

Yeah, yeah, happy New Year to you, too, now, go change your passwords.

No, seriously, change your passwords.  Think about how long it’s been since you either set up that account or changed the password on it.  Now, consider that there have been some significant security breaches in the past year, including the issues at Gawker and their family of popular websites, and think about how many places you’ve used that same password.  It’s your favorite one, right?  The one you use for all your accounts, because it’s so, so easy to remember?  Guess what, it’s also probably easy to crack and is probably in a database on some hacker/cracker website right now matched up with the e-mail address you used, too.  How long will it be, do you suppose, before someone gets into all your accounts?

Right.
So, go change your passwords.
Not sure how to pick a good one?  Well, if you trust the U.S. Government for security, you can go to their Computer Emergency Readiness Team (aka US-CERT) for advice on choosing a secure password.  If you’re like me, though, you categorically do NOT trust a government agency for your personal security, in which case I recommend that you check out premier security expert Bruce Schneier’s advice for picking a secure password.

I’ll offer two bits of advice on the topic.
First, if any system lets you, choose a password that includes numbers and special characters, not just letters.  The example I always use is “@2brutus”.  And, yes, that means I will NEVER again use that as a password. *sigh*  I like to substitute numbers for letters which resemble them, like the number one instead of the letter L or the letter I.  In the example, I’ve taken a whole word out, “et”, and substituted the “at” symbol, or “@”.
Secondly, try to use something that is not a single word, but a phrase.  Again, in the example, I took my bastardization of “et tu brute”, which I remembered as “et tu brutus” and mashed it up a bit.  I have known people who use short sentences, however.  One guy I worked with occasionally used lines from Lewis Carroll’s Jabberwocky, which adds the extra security of words that will most likely never be found in any standard dictionary of any language.

So, trust me on this, if you haven’t done it, start the new year right and change your passwords.


Advice from your Uncle Jim:
"There's more than one way to do it"
   --Unofficial PERL Coder's Motto

10/22/2010

Mossberg Just In Case

Filed under: Fun,Red Herrings — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:10 am for you boring, normal people.
The moon is a Full Moon

Speaking of survivalism and the coming zombie apocalypse…

Okay, so last week I was sharing links about survival rations to keep you going through some “worst case” scenarios.  Well, this week, I think I have found the ultimate in fear marketing for the survival market.  Seriously.  The Mossberg “Just-In-Case” line.
You get, in an air-tight tube complete with carry strap, a Mossberg 500 12-gauge shotgun with pistol grip in a resealable water-proof bag, and either a “survival kit in a tin” or, for the marine models, a multitool with serrated, lock-back knife.  I assume you have to buy your own ammo, but, still, that’s pretty much the last thing every long-term survival kit needs, right?  Stock up on those rations, then fend off the zombies with the shotgun.  That should pretty much cover it.

No, this is not a joke.
Yes, a friend told me about this, so their word-of-mouth campaign is working.

Any links to sites selling any reviewed item, including but not limited to Amazon, may be affiliate links which will pay me some tiny bit of money if used to purchase the item, but this site does no paid reviews and all opinions are my own.