By the Gods, what have I become? (Part 1)

This week I decided to sneak into a digital identity course that’s being taught by my security teacher Ken Bauer. My reasons behind this were to basically know what “regular” people (by this I mean non-tech savvy people) are afraid of, what their doubts about the internet are and the reasons why they don’t feel safe online. This will give me a better perspective on what to talk about in this blog and how to talk about it.

Today’s day one and I’m writing this as we take the course, so I’ll talk a bit about the experience. We had a talk with Dave Cormier and people dared to ask several questions. Interestingly enough, all the questions so far have been completely related to security. Will hackers get me? Is my information safe? What do people generally steal from internet users? Will I ever get hacked?

The answer to all of this was: you are always at risk.

Since the course is about digital identity, I will also talk about that. First of all, what is digital identity? It’s basically the way you represent yourself online. It’s how people will see you on social media. You may think “but it’s the internet, I can be whomever I want to be!” To that I say: of course you can! However, be ready to face the consequences of that. Digital identity is similar to a tattoo. You choose the design and ink it on your body forever and ever. So, like a tattoo, be sure to create something you like, something that represents you and preferably something you aren’t ashamed of.

Once you realize everything you do can be found by literally anyone, you can start worrying about all those terrible, terrible pictures from middle school. That bad hairdo will be haunting you till the end of your digital days. And you may even start asking yourself: who am I? This, I believe, is the best question to ask. Once you find out who you are and who you want to be, you can start taking steps toward becoming that person. This is vital to creating your digital identity.

But back to my research. Although everyone in this course (including myself) is part of the Millennial generation, we’ve been witnesses to technology’s drastic 21st-century revolution. We think we know how stuff works when in reality we don’t. Due to this, we are incredibly afraid of what might happen if we share too much or too little. I’m pretty sure at least 50% of all the people here have been scammed, phished, cyberbullied or tricked while on the internet. My advice is to always be aware that the whole world can see what you post; if you feel confident about it after that thought, then feel free to post it! Just remember you’re never anonymous (unless you really, really know how to be; expect posts about that on my security blog in the future).

I’m eager to know more about how my generation thinks and how I can potentially help them as well as learn more to become a better computer systems engineer (and hacker).

Stay tuned for more.

All gifs obtained from http://giphy.com/

The cake is a lie

Ah, the internet. Our generation’s favourite place to be. It gives us everything we could possibly want or need. You can watch videos, listen to music, play games, communicate with friends or family, research things, write documents, share information, meet people, you can even buy cake! But beware, my friends, for the cake is a lie.

Older generations love saying how bad the internet is, complaining about how we spend all our day sitting in front of a computer or looking at a cell phone instead of “socializing” and “being productive”. We all know that we don’t socialize because we don’t want to, not because the internet is holding us hostage. However, people from the internet may literally hold us hostage by using this tool. Fortunately, I’m here for you to explain the most common attacks and dangers of the internet, as well as give you tips and tricks on how to protect yourself and your loved ones. We’ll start with the ugly part first.

The following video was created in August 2015 to show mainly parents the dangers of social media and the internet as a whole. It’s a fantastic example of how people can and will be manipulated into believing something they cannot corroborate.

 

As we can see, it’s very easy to make someone believe anything when you’re hiding behind a screen. Most times people will gain your trust or trick you into believing you’re on an official web page so that they can obtain your data. Whether you believe it or not, your information is important and can be sold for hundreds, thousands or even millions of dollars. The buyers of said information can either be people you know or people you don’t, which makes it so much scarier. This information can then be used in many other ways; the most common are:

  • Identity theft
  • Selling your information
  • Using your bank accounts and credit cards
  • Sharing private photos or information on social media

Once your information is used this way, you’re vulnerable to frame-ups, theft, kidnapping, blackmail and even homicide. So what can you do to be safe?

First of all, be sure to check the URL of every page you visit. Also, don’t trust any links that take you to a “bank” web page. But most of all, be careful with what you do on social media and who you talk to.
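What “check the URL” means in practice, as an added example that is not part of the original post: the host name is read from the right, so a familiar name at the start of the address proves nothing. The function name `check_url` and all sample addresses (reserved `.example` and `.test` domains) are constructed for illustration.

```python
from urllib.parse import urlsplit

def check_url(url, expected_domain):
    """Return a list of warnings; an empty list means the URL is under expected_domain."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # Everything before '@' is login info, not the site you are visiting.
        warnings.append("userinfo before @ hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible lookalike characters)")
    # The real site is the END of the host name, so match on the suffix.
    if not (host == expected_domain or host.endswith("." + expected_domain)):
        warnings.append(f"host {host!r} is not under {expected_domain!r}")
    return warnings

# Constructed sample links, as they might appear in an e-mail.
SAMPLES = [
    "https://www.bank.example/login",                  # genuine
    "https://bank.example.account-verify.test/login",  # real name used as a prefix
    "https://bank.example@203.0.113.7/login",          # real name used as userinfo
    "http://bank.example/login",                       # right host, no TLS
    "https://xn--bank-9za.example/login",              # constructed punycode label
]

if __name__ == "__main__":
    for url in SAMPLES:
        problems = check_url(url, "bank.example")
        print(url, "->", "OK" if not problems else "; ".join(problems))
```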

Facebook, Twitter, Instagram, Snapchat and all other social media are great ways of keeping in touch with friends and family. They’re ways to express what we think and let humanity know a bit more of us, but mostly they’re fun. I’m all in for being active on the internet and sharing your experiences, thoughts and even photos. However, you have to be careful with what you say and post.

You must assume that every single thing can and will be used against you. We have all heard at least one case of cyberbullying caused by private pictures being spread across the internet. It’s unfair and those who do it should be punished, but the reality is that things like that can happen. So pretty please, be careful with what you do, and think before you act.

Now, if you love livin’ la vida loca and usually connect to wireless WiFi networks, STOP DOING IT. It’s extremely easy for hackers to steal passwords and information when you’re connected to said networks. If you have no other choice but to do it, at least encrypt all your passwords and preferably use a virtual machine.

If you’re a millennial and have all the Internet of Things things, read every single instruction to know exactly how they work and always change the default passwords. Most importantly, make sure they’re connected to a separate network; this way no one will have access to your things unless you let them.

When chatting, be sure that your way of communication is safe. According to Business Insider, the following are the most secure messaging apps:

  • TextSecure
  • Signal
  • Telegram (secret chats only)
  • Silent Text
  • Gliph
  • Cryptocat
  • Bleep

I personally would add WhatsApp because, in their recent updates, they have done a lot to protect their users’ data. You are safe there too, don’t worry. For more information on how to chat safely, check out Rubiology’s post on end-to-end encryption.

Finally, although it may sound stupid and exaggerated, put a sticker, piece of paper or whatever in front of your computer’s camera. It’s scary how easy it can be for someone to hack into your camera and watch your every single move (even if that means watching you binge watch a Netflix series, eat junk food and occasionally chuckle at some meme).

Be paranoid if you must, just be aware of the dangers you’re exposed to while discovering the multiple marvels of the internet. Now, proceed to enjoy one of my favourite internet wonders.

All your passwords are belong to us

Passwords, the ones that keep our stuff safe. Or do they? In this particular blog post, I’ll be discussing the best-known and most common methods for cracking passwords. For information regarding password safety, check Rubiology’s post here.

It’s not uncommon for us to hear someone complaining about how an account of theirs was “hacked”. What they usually mean by that is that someone gained access to their profile and changed stuff while being there. In order to gain access into any system, you need to first crack the password. The following are 10 methods for obtaining someone’s password:

Brute-force

This is the most common method of them all. It consists of trying several alpha-numeric combinations until you get the right one. It’s simple to program, but it can be very slow if your GPU isn’t your ally.

Examples of programs that use this methodology are:

  • Wfuzz
  • Medusa
  • Rarcrack

Dictionary

As its name suggests, this method uses a file which contains words typically found in a dictionary (and some others, like the most used passwords) to search for the real password you’re trying to crack. While it’s faster than the brute-force method, its running time may range from near-instant to billions of years. This depends on the password’s length, combination and character usage.

Examples of programs that use it are:

  • Cain and Abel
  • John the Ripper
  • L0phtCrack

Rainbow Tables

Rainbow tables are a very elegant way of cracking a password. They consist of a series of lists of pre-compiled hashes (click the link to read more about hashing). These lists are the hashes of all possible password combinations for any hashing algorithm. It takes way less time than the two previous methods; however, it requires a LOT of GPU power. If a password is salted (with random extra characters), it may be impossible for a Rainbow Table to crack it.

Programs that use them are:

  • OphCrack
  • RainbowCrack
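Why a salt defeats precomputed hashes, as an added example that is not part of the original post: it uses a plain hash-to-password lookup dictionary as a simplified stand-in for a real rainbow table, and compares bare SHA-256 storage with salted PBKDF2 storage. The word list, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list standing in for a precomputed table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

def unsalted_hash(password):
    """Weak storage: a bare, fast hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

# Built once, then reusable against every database that stores unsalted hashes.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def salted_hash(password, salt=None, iterations=200_000):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password, salt, expected, iterations=200_000):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

def lookup(stored_hex):
    """A precomputed table only helps if this exact hash was computed in advance."""
    return PRECOMPUTED.get(stored_hex)

def demo():
    # Two users pick the same weak password.
    alice_plain, bob_plain = unsalted_hash("letmein"), unsalted_hash("letmein")
    a_salt, a_digest = salted_hash("letmein")
    b_salt, b_digest = salted_hash("letmein")
    return {
        "unsalted_identical": alice_plain == bob_plain,
        "unsalted_recovered": lookup(alice_plain),
        "salted_identical": a_digest == b_digest,
        "salted_recovered": lookup(a_digest.hex()),
        "login_still_works": verify("letmein", a_salt, a_digest),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the hash and is not secret; its job is to force the work to be redone for every single user instead of once for everybody.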

Phishing

We’ve all heard of this. Phishing is when a hacker creates a mirrored site and steals information from it. This means that the hacker creates a site that looks and behaves exactly like a bank’s webpage, a social media login or your e-mail account login. The user rarely realizes it’s fake until it’s too late and they have already given their data to the hacker.

Social Engineering

A hacker in disguise. They make the user believe they’re talking to the IT department or to an authority figure in order to get their data. If you can get a password without having to do anything at all, why bother?

Malware

Another popular term. Malware is, by definition, malicious software; it finds its way into your computer and browser files and steals as much information as it finds. Malware can also install key loggers and screen scrapers to see what the user is typing all the time.

Offline cracking

Surprisingly, this is the most common way of obtaining someone’s password. It’s rather simple: when a system is compromised (e.g. when your phone’s unlocking attempts have exceeded the limit and it blocks itself), hackers are able to physically access the system servers, users’ password hash files, etc. (normally through a third party). Once there, they can take as much time as they want until the password is cracked.

Shoulder surfing

Pro hackers in disguise. They enter a company by looking just like another employee and taking notes of everything they see. Many, many people stick Post-its to their computer screens with their username and password in order to never forget them. If you ever do this you must know that hackers never forget either.

Spidering

Corporate passwords are usually made up of words connected to the business. If a hacker learns the common in-company lingo, he/she will include these words in their dictionary file or their Rainbow Table, or try to brute-force the system into letting them in.

Guess

When in doubt, just take a guess. If you get to know your target a bit better, you’ll discover potential passwords with every word they say. Social media is the place to be when trying to guess a password; everyone unconsciously talks about them.

Other types of password cracking exist; they use networking protocols such as HTTP, SSH, SMTP, FTP, Cisco standards, etc. The most famous and efficient of them has to be THC-Hydra. Just by reading its name you can tell it’s a mean program. It’s really fast and includes so many protocols that it makes password and IP cracking a walk in the park. You can find this software at your own risk here.

It’s scary how easy it is to crack some passwords. The following is an infographic that shows how long it takes to crack passwords depending on their length and their usage of lowercase/uppercase letters as well as numbers and symbols.
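The relationship between length, character classes and cracking time, as an added example that is not part of the original post: it combines the brute-force keyspace with the dictionary shortcut described earlier. The guess rate and the tiny common-password list are assumptions for illustration, not measurements.

```python
import math
import string

# Constructed sample: a few entries standing in for a real common-password list.
COMMON = {"123456", "password", "qwerty", "letmein", "dragon"}

# Assumption for illustration: offline guesses per second against a fast hash.
GUESSES_PER_SECOND = 1e10

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def alphabet_size(password):
    """Size of the character pool covering the classes actually used."""
    return sum(len(chars) for chars in CLASSES
               if any(c in chars for c in password))

def estimate(password):
    """Upper-bound estimate: assumes every character was chosen at random."""
    if password.lower() in COMMON:
        # A dictionary pass finds this within the first few guesses.
        return {"keyspace": len(COMMON), "bits": 0.0, "seconds": 0.0,
                "verdict": "in common-password list"}
    size = alphabet_size(password)
    if size == 0:
        return {"keyspace": 0, "bits": 0.0, "seconds": 0.0,
                "verdict": "no recognised characters"}
    keyspace = size ** len(password)
    bits = len(password) * math.log2(size)
    # On average an exhaustive search covers half the keyspace.
    seconds = keyspace / 2 / GUESSES_PER_SECOND
    if seconds < 86_400:
        verdict = "under a day"
    elif seconds < 86_400 * 365:
        verdict = "under a year"
    else:
        verdict = "more than a year"
    return {"keyspace": keyspace, "bits": round(bits, 1),
            "seconds": seconds, "verdict": verdict}

if __name__ == "__main__":
    for pw in ["password", "abcdefgh", "Abcdefg1", "k7#Qz!m2Vp$x"]:
        r = estimate(pw)
        print(f"{pw!r:16} {r['bits']:>5} bits  {r['verdict']}")
```

Adding length multiplies the keyspace far more than adding one more character class does, and any password made of real words falls much faster than this random-character bound suggests.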

As you see, cracking passwords isn’t really complicated if the password isn’t correctly created. Like I said before, for information on how to create a proper password and more safety tips go to Rubiology’s post! He’s got tons of methods for preventing attacks and, if you weren’t convinced already, he’s also got Tom Cruise.

For more information on how each method works and what programs exist check these pages out (it’s where I got most of my info from):

Welcome, stranger.

You can call me Miss F. This is by no means a private/incognito blog, my name is Fredele but is often found to be unpronounceable, so I’m making it easier for you. You’re welcome.

The main purpose of this blog is currently to post about computer/information security for Ken Bauer’s #TC2027 course. However, due to my genuine passion for the topic, I may or may not continue this blog after the course has ended.

Without further ado, I officially declare this blog inaugurated.

PS: This is the first blog I run, I don’t really know what I’m doing, bear with me.

PS2: If you wish to read my daily rants and adventures, follow me on Twitter here!

Giphy gif found here: giphy.com/cheezburger-hello-waving-IBMavwmu4KEEw