Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

4/13/2018

PWNED?

Filed under: Fun,News and Current Events,The Day Job — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:30 am for you boring, normal people.
The moon is Waning Gibbous

Have my super secret accounts been compromised?

Probably. I know, that’s not really what anyone wants to hear, but it’s also pretty truthful at this point. I mean, if you pay any attention to the news these days, then you’ve heard about all the recent data breaches. Most recently, there’s the Saks Fifth Avenue and Lord & Taylor data breaches, but before that there was Equifax, Under Armour, Uber and more. And, I know for myself, just having a Yahoo-related email account has made me susceptible to having my information compromised multiple times over the years.
But, what if you’re not sure? Or, what if you think you may have had an account that was part of a breach and want to know for sure? Then, head over to Have I Been Pwned and put in your email address. If you’ve been part of any of the big breaches in the past couple years, this site will tell you.
Also, if you’re not sure about that “secure” password you’re about to start using, then you can put that in at this site, too, and if it’s a well-known, well-hacked password, you’ll know before you use it. (That’s important to know because the well-known passwords are easier to pull out of even an encrypted password database.) If you don’t see it at first, just check the top menu for “Passwords” and you’ll get straight to it.

In this day and age, none of us can afford to be lax with our personal data and our data security. So, it may not be my normal “fun” link for Friday, but it’s definitely worth taking a minute to check your on-line safety.

This post originally appeared on Use Your Words.

4/15/2016

Security In A Box

Filed under: Geek Work,Red Herrings,The Dark Side,The Tools — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:00 am for you boring, normal people.
The moon is Waning Gibbous

First of all, you should know I’m talking about computer security, not home security.

Secondly, know that “in a box” really means something more like “all in one place”.
I’m suggesting this site this week because security is on my mind.  Not only in a corporate sense, but in a personal sense.  In a professional setting, I’ve brushed up against something that could conceivably heighten scrutiny of my own personal foot-print on the internet.  And, I’ve had a particular address from a particular Eastern European country banging against on of my WordPress installations pretty hard this past week.  All of which added up to me checking my collected links for a security themed site I could share with you all.
The site is called Security In A Box and it’s a collection of tips, advice and links to programs meant to help keep you safe on the internet.  Their advice covers everything from creating good passwords to staying safe on social media.  And, they have group-specific suggestions for special interest groups who might have an additional level of scrutiny, either by other special interest groups or governments.  It’s quite a good site for everyone, of course, but of special interest to anyone who might find themselves at the sharp end of one of the many sharpened sticks running loose on the internet without keepers.

So, stay safe this weekend and enjoy the lovely weather while it lasts!

1/4/2011

Change Your Passwords!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:35 pm for you boring, normal people.
The moon is Waning Gibbous

Yeah, yeah, happy New Year to you you, too, now, go change your passwords.

No, seriously, change your passwords.  Think about how long it’s been since  you either setup that account or changed the password on it.  Now, consider that there have been some significant security breaches in the past year, including the issues at Gawker and their family of popular websites, and think about how many places you’ve used that same password.  It’s your favorite one, right?  The one you use for all your accounts, because it’s so, so easy to remember?  Guess what, it’s also probably easy to crack and is probably in a database on some hacker/cracker website right now matched up with the e-mail address you used, too.  How long will it be, do you suppose, before someone gets into all your accounts?

Right.
So, go change your passwords.
Not sure how to pick a good one?  Well, if you trust the U.S. Government for security, you can go to their Computer Emergency Readiness Team (aka US-CERT) for advice on choosing a secure password.  If you’re like me, though, you categorically do NOT trust a government agency for your personal security, in which case I recommend that you check out premier security expert Bruce Schneier’s advice for picking a secure password.

I’ll offer two bits of advice on the topic.
First, if any system lets you, choose a password that includes numbers and special characters, not just letters.  The example I always use is “@2brutus”  And, yes, that means I will NEVER again use that as a password. *sigh*  I like to substitute numbers for letters which resemble them, like the number one instead of the letter L or the letter I.  In the example, I’ve taken a  whole word out “et” and substituted the “at” symbol, or “@”.
Secondly, try to use something that is not a single word, but a phrase.  Again, in the example, I took my bastardization of “et tu brute”, which I remembered as “et tu brutus” and mashed it up a bit.  I have known people who use short sentences, however.  One guy I worked with occasionally used lines from Lewis Carroll’s [amazon_link id=”0810911507″ target=”_blank” ]Jaberwocky[/amazon_link], which adds the extra security of words that will most likely never be found in any standard dictionary of any language.

So, trust me on this, if you haven’t done it, start the new year right and change your passwords.


Advice from your Uncle Jim:
"A bone to the dog is not charity. Charity is bone to the dog, when you are just as hungry as the dog."
   --Jack London

9/26/2010

Windows Password Recovery Tools

Filed under: Fun,Fun Work,Geek Work,GUI Center,MicroSoft,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 1:44 pm for you boring, normal people.
The moon is Waning Gibbous

Remember, these are “administrator utilities” not “hacker tools”.

In my business, it pays to make the distinction.
When people call me for help outside the office, the calls usually fall into a couple categories; a virus, a slow computer, a lost password and “how do I do X?”  Sadly, I’ve been doing a lot of virus and spyware removal, but, also, lately, I’ve had a couple of “lost password” calls.  I actually love getting those, for a couple reasons.
First, lost passwords are surprisingly easy to recover if you have physical access to the machine.  It’s funny to me how few people get that.
Secondly, I find recovering passwords fun.  In a way, it was one of the first things that drew me into the business.  I was one of those guys who got hooked by the security bug not by War Games, but by Sneakers.  Yeah, I know, most guys my age especially will tell you it was War Games that really got them hooked.  What can I tell you?  I’ve always been kind of a late bloomer.  And, my dirty, little secret is that after seeing Sneakers, I wanted to be Marty Bishop.  Seriously.

Anyway, my recent experience with Windows password recovery requests gave me an opportunity to refresh my tools.  After Googling a bit, I found a handy About.com page titled “Top 6 Free Windows Password Recovery Tools“.  I downloaded several, most of which were based on bootable CDs of one kind or another.  I like those kinds of toolkits because they don’t require even limited access to operating system, just the ability to reboot the machine from the CD toolkit.
In the end, I tried two; 0phcrack and the Offline NT Password & Registry Editor.

Now, I’m not positive, but I’m pretty sure that 0phcrack is the free, opensource fork of l0phtcrack.  Now, for an old-timer like me, l0phtcrack was THE password cracker to have, back in the day.  Created by a group of well-known hackers, some of whom famously testified before Congress, it was not free.  At least, theoretically.  If you knew where to look, you could get copies.  And, yes, I  them.  But, this version IS free and seems like it had some improvements.
For one thing, the old version had a slightly clumsy text-based interface.  This version has a much nicer interface that seems to use X-Windows.  It’s also far more intuitive to use.  It ran pretty fast, really, though, sadly, didn’t seem to be able to crack the non-dictionary word used as a password on the Windows 7 box I was using it against.

On the other hand, the Offline NT Password & Registry Editor has been around for several years, and had several updates, though it retains the text-based interface.  I don’t remember when I used this the first time, but, so far, it hasn’t let me down in a pinch.  This time was no different.  So, yes, even though it has “NT” in the name, I’ve used it on everything from Windows 2000 through Windows 7 without a hitch.  Of course, your results may vary.  The bonus of this product is also it’s most potentially dangerous drawback; it directly edits the registry and password files.  This is dangerous, in a way, because if something goes wrong, this could, theoretically, lock you out of your machine permanently.  In practice, this has never actually happened to me.
One advantage of this utility is that you can change or simply remove the password for any active user on the system.  Also, you can use it to promote an active user to being an administrator equivalent.  Now, by “active user” what the developers mean is any account that is not disabled.  Though, I think there may be the option to activate a deactivated account.  I’m not positive, though, because I’ve never had to look for it or try to use it.  And, yes, this worked like a charm to simply blank the password on the Windows 7 machine that had apparently forgotten its own password.

So, there you have it.  Two tools to recover lost Windows passwords.
Oh, and, just a quick disclaimer here.  I’m not responsible for any damage you might accidentally do to your machines with these utilities.  Nor am I advocating using them to break into your ex-spouse’s computer to read their adulterous e-mail to their lover.
I’m just sayin’….

3/31/2009

Conficker Worm

Filed under: Advice from your Uncle Jim,Career Archive,Deep Thoughts,Geek Work,MicroSoft,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Monkey which is in the late afternoon or 5:01 pm for you boring, normal people.
The moon is Waning Gibbous

Are you worried about this?

So, this whole “the Internet is going to melt and your computer is going to explode on April 1” thing has really reached a fever pitch. Are you worried? Should you be? Look, I know that 60 Minutes did a thing about it, but, honestly, I think it’s mostly been blown out of proportion. For one thing, it takes advantage of an old, well-known flaw in Windows that was patched back in October, which was months before this worm got out into the wild. So, if you’ve been doing your updates like you should, chances are that you’ll be fine. And, if you haven’t, well, thanks to a couple of security researchers, there are some tools to take care of the problem.

So, if you haven’t done it yet, update your antivirus programs. And, then do your Windows updates. The rest should pretty well take care of itself.
Oh, also? Don’t open e-mail from strange people, especially if the name on the e-mail sounds a little off. Don’t go to shady or sleazy websites, either. Those warez sites all are just as likely to have infected programs as they are “legitimately” pirated ones. So, just don’t use them.

As usual, the press are making a really big deal about this, but most people probably won’t be effected. Just do your updates like you’re supposed to and don’t break the law, no matter how you feel about copyright and software prices.

So, uh, stay calm and carry on.


Advice from your Uncle Jim:
"You see things and you say 'Why?'. I dream things that never were and say 'Why not?'"
   --George Bernard Shaw

9/19/2008

Hacking is Sexy

Filed under: Fun,Fun Work,Geek Work,News and Current Events,Red Herrings,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:44 am for you boring, normal people.
The moon is Waning Gibbous

Stop laughing.

Okay, so this is totally no joke. Marketing people now use sex to sell absolutely everything. Even hacking. Yes, over at SexyHacking.com they have hot chicks dispensing computer security information and techniques. Really. And, apparently, they were supposed to be at Blackhat, one of the big security conferences in Vegas, this year, too.  Not sure if they actually were or not.
Well, thank you, to the Security Monkey for pointing this out to us.

So, sex sells. Go figure.
(Oh, and don’t forget, today is “Talk Like A Pirate Day“.)

7/8/2008

Lawyers Telling Judges What to Think?!

Filed under: Advice from your Uncle Jim,Certification,Criticism, Marginalia, and Notes,Deep Thoughts,Geek Work,Life, the Universe, and Everything,News and Current Events,The Dark Side — Posted by the Network Geek during the Hour of the Snake which is just before lunchtime or 11:45 am for you boring, normal people.
The moon is Waning Gibbous

No, not really.

So, there’s obviously been quite a furor about this new law here in Texas that apparently requires anyone doing any kind of computer forensic work to get a Private Investigator’s License. Now, one of my favorite computer security bloggers, Security Monkey (aka The Chief) of A Day in the Life of an Information Security Investigator, has a blog entry about this. His sources in Texas have a different, more relaxed, take on this law. They seem to think that it’s only going to effect professionals doing investigative work for a third party. I think they’re wrong.
As at least one other commenter on A Day in the Life of a Computer Security Investigator pointed out, no matter what the lawyers think and say, only a judge sitting on a case can really interpret the law. And, only after that precedent is set can anyone say what the law covers and doesn’t.
Based on the Slashdot story about someone getting charged with a felony for using a fake name to sign up to MySpace, it seems like this is going to be an important step in the process. I mean, until that all important precedent is set, there’s no telling how people will try to use this new law.

As I wrote here the other day about this far-reaching law, I think it’s just another example of the sad state of our legal system. Laws like this have effects that are much, much further reaching than the bill’s author intended, and it’s ripe for abuse by our overly litigious society.


Advice from your Uncle Jim:
"When you handle yourself, use your head; when you handle other, use your heart."
   --Donna Reed


Powered by WordPress
Any links to sites selling any reviewed item, including but not limited to Amazon, may be affiliate links which will pay me some tiny bit of money if used to purchase the item, but this site does no paid reviews and all opinions are my own.