Wednesday, April 3, 2013

Bitcoin Price Check - 3 April, 2013

Here is a very short screencast that takes you on a tour of checking the latest price for bitcoins on Mt. Gox exchange.

This is my first embedded video, here on blogger - so this is a bit of a test.

You should be able to run this at full screen, to see the details better than you might in your current windowed rendering.

Wednesday, January 25, 2012

Password Management Software: KeePassX

For the progressing student of cyber-jutsu, it will be evident that the number of usernames and passwords one needs to manage can become extreme.  From a white-belt level we learn that human nature must be observed if we are to win in cyberspace.  Human nature, in this case, is the simple fact that most people will take the path of least resistance.  If something is difficult to do - then they will not do it.  If it is easier to do the wrong thing, then most people will do that thing - even to their own detriment.  So our goal in this is simple:  make it easy to do the right thing.

Social networking sites, blogging sites, eBay, PayPal, Pandora (a music site), other web sites, and just about any system you need to log into all require usernames and passwords for access.  The common, but unsophisticated and unacceptable, solution adopted by many people who have not been initiated into the ways of cyber-jutsu is to re-use the same password for every site they log into.

The practicing cyber-jutsu student will quickly see the problem with this.  If the password for any one of these sites is compromised or somehow revealed to a malicious person - then all of the accounts with the same password are thus compromised.  The result can be described as a cyber-tsunami.

While the reality is that there is "no silver bullet", and we must be perpetual students who develop on-going processes to maintain our cyber-security, we can talk here about one part of the overall process.  Let us look at the pros and cons of employing a software tool category known as password managers.  In particular, I'll talk about a free tool called KeePassX.



KeePassX is a cross-platform password management program.  It is available for Windows, Mac OS X, and our favorite operating system, Linux.  OK.  So, what does it actually do?

The program creates an encrypted database (encrypted with a 256-bit key using either the AES or the Twofish algorithm) to store your usernames, passwords, links, and additional related information.  What that means practically is that even if someone were to get hold of your database file, they cannot read it without recovering the key, and that key is derived from your master password (and, optionally, a key file).  The encryption is therefore only as strong as the master password you choose, which is why the end of this post is about choosing it well.  Additionally, KeePassX gives you what we call a "two-factor" authentication option to access your stored information.

Two-factor authentication, in this case, can be thought of as factor 1. something you know, and optionally factor 2. something you have.  And, in this case, the "something you have" is any file you would like to use.  You identify a computer file that needs to be present to log into the password database.  If this sounds too technical for you - trust me - it takes more brain power to understand the philosophies behind its operation than it does to use the very intuitive user interface.


To use the "second factor", one need only click the "Key File" check-box, and then the "Browse..." button to select the file you want to use.  I recommend using a file on removable media, such as a USB drive, and keeping it separate from the database: if the key file sits next to the database on the same disk, anyone who copies that disk has both, and you are back to a single factor.  Done this way, whenever you want to log into this program, you have to supply the file that is on the removable media.  Two cautions: the file must never change, because any modification to its contents produces a different key and locks you out; and you must keep a backup of it somewhere safe, since a lost key file is as fatal as a forgotten master password.  With those observed, your password database becomes very hard to open without you.
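To make the "two factors" concrete, here is a small Python illustration.  It is an example added to this post, not KeePassX's own code, and it does not reproduce KeePassX's file format or key derivation: the cipher is a toy built from SHA-256 so that it runs with nothing but the standard library, and the iteration count, the sample entry and the key-file contents are made up for the demonstration.  What it does show is the part that matters: the password and the key file are hashed and stretched into one master key, and a database sealed under that key refuses to open if either factor is missing or wrong.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration (not KeePassX's real file format or key-derivation code)
# of how a password and a key file combine into one master key, and why a
# database sealed under that key cannot be opened if either factor is wrong.
# The cipher below is a SHA-256-based toy stream cipher chosen so the example
# needs only the standard library; KeePassX itself uses AES or Twofish.

KDF_ROUNDS = 100_000  # assumption: iteration count for the slow hash in this demo


def composite_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Hash each factor separately, concatenate, then stretch with PBKDF2-HMAC-SHA256."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy cipher, demo only)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def lock_database(plaintext: bytes, password: str, key_file: Optional[bytes],
                  salt: Optional[bytes] = None, nonce: Optional[bytes] = None) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    key = composite_key(password, key_file, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()   # separate keys for
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()   # encryption and MAC
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_database(sealed: bytes, password: str, key_file: Optional[bytes]) -> Optional[bytes]:
    """Return the plaintext, or None when the password/key-file pair is wrong."""
    salt, nonce, ciphertext, tag = sealed[:16], sealed[16:32], sealed[32:-32], sealed[-32:]
    key = composite_key(password, key_file, salt)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong factor(s): refuse rather than hand back garbage
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Seal a constructed entry and try to open it with right and wrong factors."""
    entry = b"site=example.org user=alice pass=Qm7#vX2p"   # constructed sample record
    key_file = b"constructed key-file contents held on a USB stick"  # constructed
    sealed = lock_database(entry, "correct horse", key_file)
    return {
        "both_factors": unlock_database(sealed, "correct horse", key_file),
        "password_only": unlock_database(sealed, "correct horse", None),
        "wrong_keyfile": unlock_database(sealed, "correct horse", b"some other file"),
        "wrong_password": unlock_database(sealed, "wrong horse", key_file),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {'opened' if result else 'refused'}")
```

Run it and you get one "opened" line and three "refused" lines.  Note that the password-only attempt is refused outright: the key file is not a bonus check layered on top, it is part of the key, which is exactly why losing it locks you out.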

Once you are logged in, you can create groups to help classify the different sites or systems you need to log into.  Then you create the accounts within those groups.  When you want to log into a site, you select it in the main window, then click on the "user" button along the top (which looks like an icon of a person).  This copies the username into your clipboard, so you can paste it into the login box on the website (ctrl-v on Windows and cmd-v on Mac OS X).  Then you do the same thing to enter your password.  Click on the password button at the top of the screen (which looks like an icon of a key) and then paste it into the password field on the website.  KeePassX clears the clipboard again after a short, configurable timeout; leave that enabled, because anything sitting in the clipboard can be read by other programs running on the machine.


On Linux systems, you can automate the whole process such that you can select the site you want to log into, double-click it, and your default web-browser will automatically launch and the username and password will automatically populate the fields and log you in.  This takes a bit of configuration, and may be considered a brown-belt level task.

Alas, we are trying to make this an easy process - and so far - it just seems to be more work.  So where do we get our win?

The major win is found in this application's ability to generate random and complex passwords for you.  These generated passwords will never need to be remembered, and never need to be typed out.  The only password you will ever need to remember is the password you need to get into KeePassX, when you first launch it (as described above).

You can adjust your settings within the Password Generator window to meet your desired complexity and the capabilities of the site you are using.  You may be surprised to find some of the sites you use will not allow special characters in the password.  Similarly, many sites have unsatisfactory length restrictions.  As a general rule, more complex and longer passwords are the way to go.

The program collects "entropy" based upon your random key-strokes and mouse movements, to ensure that the password that is generated is truly random.



The "New Password" field (see image below) will populate with a complex password after enough entropy has been gathered.  This is a fast process.


And there is your benefit.  That long and ugly password is not crackable in any reasonable amount of time, given current technology: a 20-character password drawn from a 90-character alphabet has about 130 bits of entropy, and even at a trillion guesses per second the expected search time is on the order of 10^19 years.  If you are securing your bank accounts, a good policy is still to change that password on a regular basis.  The logic is simple: as long as you change the password more frequently than the amount of time it would take to crack it, the account will not fall to brute force, and the required frequency will shrink as technology continues to increase computing power.  Bear in mind what rotation really buys you, though.  The realistic threat to a random password is not cracking but leakage, through a breach of the site's own password database or a phishing page, where no cracking is needed at all; rotation limits how long such a leaked password stays useful.  At this time, changing your password in this manner once per month should be more than sufficient.

Changing a password that you don't need to remember in your brain should be less of a chore than coming up with new passwords you have to recall from memory every month.

You should also recognize that so many people use a word or a name for their password (often simply appending or prepending a number) that the majority of attackers use "dictionaries" of common words, names, and previously leaked passwords, plus rules that tack numbers and symbols onto them.  You might note that the password listed above will NEVER be found in such a dictionary.  This is important.  It means that an attacker is left with a "brute force" search, trying every possible combination of characters.  For a long random password that is an astronomically large search, requiring many, many computing cycles.

You may note that in the image above, I have NOT selected the option to ensure that the generator includes characters from every group.  Forcing the program to include at least one character from every group actually reduces the overall randomness of your password, slightly: every candidate that happens to lack, say, a digit is thrown away, so the set of possible passwords shrinks, and an attacker who knows the rule can skip those candidates too.  If an attacker doesn't know exactly what your password is composed of, nor exactly how many characters it has, the job of cracking the password is even harder.
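The following Python snippet, added here and not part of KeePassX, puts numbers on the two settings just discussed: password length and the "include a character from every group" option.  Python's secrets module (the operating system's random source) plays the role of the entropy KeePassX gathers from your keystrokes, and the 28-character special-character set is an assumption, since every site and generator draws that line a little differently.

```python
import math
import secrets
import string

# Added example, not KeePassX's own generator: it shows what the generator
# settings do to the size of the search space an attacker must cover.
# `secrets` (the OS CSPRNG) stands in for the entropy KeePassX gathers from
# your keystrokes and mouse movements.

GROUPS = {
    "upper": string.ascii_uppercase,              # 26 characters
    "lower": string.ascii_lowercase,              # 26 characters
    "digits": string.digits,                      # 10 characters
    "special": "!#$%&()*+,-./:;<=>?@[]^_{|}~",    # 28 characters (assumed set; sites vary)
}


def generate_password(length: int, groups: list, require_each: bool = False) -> str:
    """Draw `length` characters uniformly from the union of the chosen groups.

    With require_each=True a draw is rejected until every group appears at
    least once, which is what the "ensure every group" option does.
    """
    alphabet = "".join(GROUPS[g] for g in groups)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(any(c in GROUPS[g] for c in pw) for g in groups):
            return pw


def keyspace_size(length: int, groups: list, require_each: bool = False) -> int:
    """Number of distinct passwords the settings can produce."""
    sizes = [len(GROUPS[g]) for g in groups]
    total = sum(sizes)
    if not require_each:
        return total ** length
    # Inclusion-exclusion: count strings over the alphabet that omit none of
    # the groups (subtract those missing one group, add back those missing
    # two, and so on).
    count = 0
    for mask in range(1 << len(sizes)):
        excluded = sum(sizes[i] for i in range(len(sizes)) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (total - excluded) ** length
    return count


def entropy_bits(length: int, groups: list, require_each: bool = False) -> float:
    """log2 of the keyspace: the number of bits an attacker must guess."""
    return math.log2(keyspace_size(length, groups, require_each))


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average time to find the password, searching half the space."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    all_groups = list(GROUPS)
    for require_each in (False, True):
        bits = entropy_bits(20, all_groups, require_each)
        print(f"20 chars, all groups, require_each={require_each}: {bits:.2f} bits, "
              f"{expected_years_to_crack(bits, 1e12):.3g} years at 1e12 guesses/s")
    print("sample:", generate_password(20, all_groups))
```

At 20 characters you get about 129.8 bits without the every-group rule and a little less with it; either way the expected brute-force time at a trillion guesses per second is on the order of 10^19 years.  Length is what moves that number; the every-group rule only ever moves it the wrong way.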

You should use this program, or one like it, for as long as you have to use passwords.  Ultimately, passwords may be replaced by other means such as biometric devices (e.g. fingerprint readers, iris readers, etc.)

Using a program like this means you have to keep your KeePassX database safe and secure.  You can actually keep the entire database on a USB key.  If someone gets your database, and guesses your password, and figures out what file you are using as the second authentication factor, then you still lose.  So, care must be taken.  The flip side is just as important: if you lose the USB key, or the key file on it, you lose every password in the database at once, so keep a backup of both the database and the key file somewhere separate and safe.  But, like your house keys or your car keys, having a small device to keep safe seems to be something we are capable of doing.  Long, complex passwords, on the other hand, are simply better off being managed by a computer program.

How do you come up with a good password for the database itself?  I always suggest that folks use the first letter of each word in a long phrase they can recall easily.  The typical example is the phrase, "four score and seven years ago..."  which would or could yield the password:  4#&7ya

In my humble opinion, that password is too short - but it is good as an example to teach how to come up with a complex password.  Another good thing to do is to come up with a positive affirmation as the phrase for your password.  In this way, you achieve true cyber-jutsu.

"Dissatisfaction with life arises from desiring to have what cannot be had, and desiring to avoid what cannot be avoided." - The Buddha

"dwLafd2hwcbh,&d2awcba."-TB

If you are a brainiac  - perhaps you could take a phrase like that and use the second letter in each word - or the last letter of each word.  I think you get the idea now.  Your goal should be to come up with a password for your KeePassX login that is more than 8 characters in length, and uses upper and lower case letters, numbers, and at least one special character.

Anonymous DDoS Attack: OpIreland

Last night, into early this morning, Anonymous hacktivists launched a successful DDoS (Distributed Denial of Service) attack against http://justice.ie, the Department of Justice and Equality in Ireland website as a "warning shot across the bow", in response to an announcement that "the Irish government plans, before the end of January, to bring in a law which would allow Irish courts to block access to websites accused of infringing copyright...".  (See:  http://www.tjmcintyre.com/2012/01/irelands-sopa-faq.html and search for the twitter tag #OpIreland)

These activities raise many questions about citizenship, the law, liberty on the Internet, intellectual property rights, civil disobedience, and more.

When you think about and research these operations, there are some things that you should keep in mind. Not the least of which is that, according to information published by Anonymous, OpIreland was intentionally conducted "after business hours" when the need for the website would be less critical for anyone seeking to use it.  The goal was to raise awareness, and it seems they have succeeded in that.

Some will denounce these activities out of hand as illegal and wrong.  They will attempt to say that support for these Anonymous Operations is taking a side against intellectual property rights.  I'm not sure that is a fair assessment.  There are already laws on the books which can be used to prosecute those who steal other's work.  What is being attacked here, is the notion that wide-sweeping new laws are required to combat online piracy.  The danger is that these laws are so wide sweeping, that they will end up being used to censor law-abiding netizens and their online content.

In a perfect world, there would be no need to temporarily, forcibly, shut down a government website to direct attention at questionable legislation that, much like our own Patriot Act, is being pushed through the Irish legislature in a timeframe that will not allow proper analysis and debate.  But it is clear that we live in a world that is far less than perfect.



As I write this, http://justice.ie is back online.  The site was not damaged, and it was down for probably less than two hours as a result of the DDoS.  The Anonymous threats are far more dangerous.  

A message dropped onto Pastebin advised, "If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate internet, destroying dozens upon dozens of government and company websites. As you are reading this we are amassing our allied armies of darkness, preparing boatloads of stolen booty for our next raid. We are sitting on hundreds of rooted servers getting ready to drop all your mysql dumps and mail spools. Your passwords? Your precious bank accounts? Even your online dating details?! You ain't even trying to step to this."


This may seem like techno-babble to many of you - if that is the case, take my word, it is threatening.

If the Anonymous Hacktivists move into the above noted phase of operations, I fear they will have gone too far.  There is a difference between raising awareness through a more or less peaceful DDoS demonstration and cracking into accounts and distributing private bank account information.  The DDoS operations can clearly be compared to a physical-world protest on a city street that would impede movement through the area for a time because so many people have flooded the street that there is no clear path for traffic to flow.   Cracking into accounts and distributing bank account information is theft.  One could argue, depending upon the owners of the bank accounts, that such operations would be akin to the illegal activities of Robin Hood - but they are clearly illegal, nevertheless.

I have one last thing for you to consider about this most recent, and in fact all, hacktivist DDoS activities.  I have heard folks say that because it takes a very large number of computer systems to pull off a DDoS, there must be wide-spread and popular support for Anonymous.  This simply isn't the case.  If it were, the DDoS wouldn't be necessary to raise awareness.  The reality is that the hacktivists who are actually "pulling the trigger" to execute the DDoS are what we refer to as "bot herders".  These are people who have control of hundreds, thousands, and in some cases tens or hundreds of thousands of compromised home and business computers.  When these computers are compromised, software is installed "enlisting" them into a "bot army" (a botnet).  The systems continue to function as normal; but they also wait and listen for the command to attack.  When that command is received, it is often a simple instruction to flood the target with traffic, whether "ping" (ICMP echo) packets, half-open TCP connections, or plain web requests, each one cheap for a bot to send and, in aggregate, more than the target's bandwidth or servers can absorb.  The target can no longer respond to legitimate traffic, and the site, in effect, is taken offline in this manner.

Perhaps a more democratic way to implement a popularly supported DDoS protest campaign, would be to invite folks to join the cause, rather than draft them into unknown participation.  That would be better cyber-jutsu. ;)

Sensei Metajunkie


Monday, June 20, 2011

The Rich Seize Internet Name-space!

ICANN (the organisation that coordinates the Internet's domain name system) will accept applications (US$185,000 each) for new top-level domains (the suffixes like .com and .net) for 90 days, beginning Jan 12, 2012.  Applicants awarded a new top-level domain (e.g.: .ipod, .apple, .cisco, .pepsi, .democrat, .republican, .healthcare, .books, .worldbank, etc.) must pay $25,000 annually.  These new top-level domains can be "nearly any word in any language, including in Arabic, Chinese and other scripts"; this was decided at a meeting today in Singapore.  (Source:  Associated Press)

What does this mean?  It means that .com just became a "second class" top-level domain.  I'm not sure that this is good for small businesses in any way; but that obviously isn't a concern for ICANN.  Anyone who can afford the process can apply for any top-level domain they want.  If two people or entities want the same name, they can bid on it, so whoever has more money wins.  If, for example, Pepsi and Coke, in addition to applying for .pepsi and .coke, both wanted .drink or .beverage or .pop or .soda, they could fight it out in good ol' greenbacks via public auction.

That is all well and good for Pepsi and Coke; but, what about a small Information Security Company, like CyberCede Corporation?  What are the chances that web traffic going to cybercede.com will decrease in favor of being directed to whomever owns .infosec, or .security?

The face of the Internet is about to change - perhaps more drastically than it has changed since its inception.

This also means that there are sites you just won't be able to reach without knowing a foreign language, or without having a modification to your keyboard to allow you to type in non-Latin characters.  (Strictly, the DNS itself still only carries ASCII: an internationalized name is encoded into an "xn--" form called Punycode, so such a site can in principle be reached by typing that encoded form.  But nobody will remember, or read, an address that way.)  I think this is significant.  Up until this point, the Internet has been a global unifying movement.  Sure, you can find pages that have foreign language content today, but you can at least read the address of that page in English.  I would go so far as to believe that Internet use could have been contributing to the adoption of English as a global standard language for international communication.

While some might scream "mono-culture", that simply isn't what I'm talking about here.  It is a well documented fact that a national language goes far in unifying a people.  In the same way, English has unified many people around the world via the Internet.  In some very small way, we were, in my humble opinion, rolling back the damage done by the Biblical tale of the Tower of Babel.  The world has been "getting smaller", and in large part that has been because of the Internet.  I think this move will reverse that perception.

To sum it up: we can expect big money to create great domain space names, and attempt to market .com into obscurity; and, using a US English keyboard, where previously it was a gateway to information in every corner of the world, will now become a limiting factor, barring entrance to foreign sites for the average American.  But hey, who cares, right?  Most Americans don't actually get world-wide information from the Internet.  Their computers are the little brother to their massive television sets, that broadcast 'truth' directly into their subconscious minds.  After all, TV is only meant for mindless relaxation and reassurance; and the Internet is just for Facebook games and porn, right?  As long as I can order my pizza online, I don't care what they do.  Mmmm pizza and sitcoms, the American Dream.  Go back to sleep .... go back to sleep.  OH?! incoming Facebook message on my phone!  Oh, it's just someone using Facebook to promote their blog... go back to sleep.... go back to sleep.  zzzzz



Wednesday, March 23, 2011

Cyber Attack From Iran

A well prepared attacker with an IP address originating in Tehran, Iran (212.95.136.18) compromised a user account in an RA (Registration Authority) at comodo.com, created themselves a new userID, and quickly generated CSRs (Certificate Signing Requests) for nine certificates.  Comodo is a certification authority present in the Trusted Root Certification Authorities Store on Microsoft Windows, as well as all modern web browsers such as Mozilla Firefox and Google's Chrome.

Given the proper circumstances, the resulting certificates could be used to spoof content, conduct phishing attacks, and/or perform man-in-the-middle attacks against all popular browsers, across many platforms.  Using the addons.mozilla.org certificate, for example, the attacker could redirect a victim to a forged Firefox add-on download page and deliver them malicious add-ons to install.  The certificate would appear valid to the browser, so there would be no warning to the user that something was amiss.  At that point, the attacker could take control of a very large number of home computers.

However, upon discovery, all certificates were revoked.  Revocation alone is a weak defense: a browser that cannot reach the revocation (OCSP) service typically treats the check as passed ("soft fail"), and an attacker positioned to intercept a victim's traffic can block that check as easily as anything else.  Still, it makes using the forged certificates more difficult, and much less far reaching (unless other key components of our Internet infrastructure are also compromised, namely our DNS systems).  Comodo could only verify that one of the certificates generated was actually received by the attacker.  Comodo reported, "Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders.  The site in Iran on which the certificate was tested quickly became unavailable."


It is believed that "this was likely to be a state-driven attack".

At least it looks that way.  Of course - in cyberspace - things aren't always what they seem.  The attack could have just as easily been conducted by an American Warhawk, who compromised a system in Iran, and launched the attack from there.  However, Comodo reported that, "The Iranian government has recently attacked other encrypted methods of communication."

In order to use these certificates maliciously, an attacker would also need to steer victims' connections to a server holding the certificate, either through DNS tom-foolery or by sitting on the network path, as an ISP or a national network operator can.  Do the attackers already have that piece of the attack 'in the bag'?

You may recognize some of these domain names.  It looks like this was an attack against communications (web mail, chat, and voice services), as opposed to banks or online-shopping sites, as a criminal might attempt.


In any event, even though the certificates in question were revoked, Microsoft released an update that explicitly distrusts them, and the major browser vendors shipped similar updates rather than rely on revocation checks.  If you are running Windows, you should apply that update, and update your browser as well.


From the comodo release:

Fraudulently issued certificates

9 certificates were issued as follows:
Domain:  mail.google.com    [NOT seen live on the internet]
Serial:  047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain:  www.google.com  [NOT seen live on the internet]
Serial:  00F5C86AF36162F13A64F54F6DC9587C06

Domain:  login.yahoo.com  [Seen live on the internet]
Serial:  00D7558FDAF5F1105BB213282B707729A3

Domain:  login.yahoo.com    [NOT seen live on the internet]
Serial:  392A434F0E07DF1F8AA305DE34E0C229

Domain:  login.yahoo.com     [NOT seen live on the internet]
Serial:  3E75CED46B693021218830AE86A82A71

Domain:  login.skype.com     [NOT seen live on the internet]
Serial:  00E9028B9578E415DC1A710A2B88154447

Domain:  addons.mozilla.org     [NOT seen live on the internet]
Serial:  009239D5348F40D1695A745470E1F23F43

Domain:  login.live.com     [NOT seen live on the internet]
Serial:  00B0B7133ED096F9B56FAE91C874BD3AC0

Domain:  global trustee     [NOT seen live on the internet]
Serial:  00D8F35F4EB7872B2DAB0692E315382FB0
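For the technically inclined, here is what "explicitly distrusting" the nine certificates looks like in code.  This is an example added to this post, not code from Comodo, Microsoft or Mozilla: a minimal DER walk that extracts the serial number from an X.509 certificate and checks it against the serials Comodo published.  Note the normalization step: several of Comodo's serials are printed with a leading "00" because DER pads a positive integer whose high bit is set, and a blocklist that compared the raw strings would miss those.  The certificate fed in is a constructed skeleton containing only a version and a serial, enough to exercise the parser; a real one would come from ssl.PEM_cert_to_DER_cert().

```python
# Added example, not Comodo's or any browser vendor's code: a minimal DER
# walk that pulls the serialNumber out of an X.509 certificate and compares
# it against the serials Comodo published, the way a hard-coded browser
# blocklist works regardless of whether an OCSP check succeeds.

# Serials exactly as listed in Comodo's release (above).
COMODO_FRAUDULENT_SERIALS = [
    "047ECBE9FCA55F7BD09EAE36E10CAE1E",
    "00F5C86AF36162F13A64F54F6DC9587C06",
    "00D7558FDAF5F1105BB213282B707729A3",
    "392A434F0E07DF1F8AA305DE34E0C229",
    "3E75CED46B693021218830AE86A82A71",
    "00E9028B9578E415DC1A710A2B88154447",
    "009239D5348F40D1695A745470E1F23F43",
    "00B0B7133ED096F9B56FAE91C874BD3AC0",
    "00D8F35F4EB7872B2DAB0692E315382FB0",
]


def normalize_serial(hex_serial: str) -> str:
    """Canonical form: the integer value as upper-case hex.

    DER writes a positive INTEGER whose top bit is set with a leading 0x00
    byte, and some tools print it while others do not. Comparing the integer
    value instead of the raw string makes both spellings match.
    """
    return format(int(hex_serial, 16), "X")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this element) for one DER TLV."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # explicit [0] version present (v2/v3)
        tag, body, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(body, "big", signed=True)


def is_blocklisted(der: bytes, blocklist=COMODO_FRAUDULENT_SERIALS) -> bool:
    """True when the certificate's serial is one of the fraudulently issued ones."""
    wanted = {normalize_serial(s) for s in blocklist}
    return format(certificate_serial(der), "X") in wanted


# --- constructed sample input (not a real certificate) -----------------------
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def fake_certificate_with_serial(hex_serial: str) -> bytes:
    """A DER skeleton holding only version and serial: enough to exercise the parser."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))          # [0] EXPLICIT INTEGER 2 (v3)
    serial = _tlv(0x02, bytes.fromhex(hex_serial))    # serialNumber INTEGER
    return _tlv(0x30, _tlv(0x30, version + serial))   # Certificate { tbsCertificate { ... } }


if __name__ == "__main__":
    for serial in ("00D7558FDAF5F1105BB213282B707729A3", "0123456789ABCDEF"):
        cert = fake_certificate_with_serial(serial)
        print(serial, "->", "BLOCKED" if is_blocklisted(cert) else "not on list")
```

A real blocklist of this kind is keyed on issuer plus serial, since serials are only unique within one CA; the check above keys on serial alone because all nine certificates came from the same Comodo RA.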

Thursday, March 10, 2011

New Definition: TMH is Too Much Help

TMH:  Too Much Help

Every now and again we need to come up with new words to describe something in our ever-changing world.  In the Digital Age, we often use abbreviations.  Some abbreviations, such as "LOL", for "Laughing out Loud" and "BRB", for "Be Right Back" have moved from what we might call "geek-space" into everyday use.  Cell phones, and their ability to send text messages have spread these sort of practices far and wide.  This new abbreviation is derived from an already popular abbreviation used in verbal communications: "TMI", which stands for "Too Much Information".

Because many of us have become very impatient, as well as very reliant upon spell checkers, some "auto-correct" features have been built into many mobile phone text message clients.  The "auto-correct" features, as anyone who has used them will attest, sometimes offer "too much help". 

It is because of this shortcoming that I have the distinct honor of bringing you a new abbreviation.  TMH

TMH stands for too much help.  The reason it is a useful abbreviation is that the person who has become a victim of the helpful auto-correct feature is often oblivious to the fact that their text message was auto-corrected into obscurity.

Here is an example text message session to illustrate the point:

Bridget:  we'd paper

Metajunkie: tmh

Bridget:  We need paper

Metajunkie: OK, I'll pick some up on way home

Here is another example text message:


Bridget:  Innuendo and her husband can't come out on Friday
Metajunkie:  Who is innuendo?
Bridget:  Bonnie
Metajunkie:  why do you call her innuendo?
Bridget:  tmh
Metajunkie: oic

and one last one for good measure:

Bridget:  pick up milk
Metajunkie:  tmh?
Bridget: ha ha. no - really - pick up milk

I think we will all be able to put the abbreviation "tmh" to good use.

Happy texting!

Metajunkie

Friday, January 28, 2011

Qwiki Entries for some Malware related terms

Rather than searching with Google, to get an understanding of some key terms regarding cyber-jutsu, and the threats to your computer, check out these links to Qwiki.com articles.


Qwiki.com is a new way to learn about a topic quickly. Perhaps best of all, for many of us who have tired eyes from reading our computer screens all day, or those of us who are just plain lazy, Qwiki.com reads the entry to you. It should be noted that not every word is pronounced quite "spot on" yet. The site is very cool, but unquestionably "in the works".


Some terms all computer users should be familiar with:


http://www.qwiki.com/q/#!/Malware


http://www.qwiki.com/q/#!/Botnet


http://www.qwiki.com/q/#!/Trojan_horse_%28computing%29


http://www.qwiki.com/q/#!/Keystroke_logging


http://www.qwiki.com/q/#!/Rootkit