Divemedic – Page 229

Two Is One

In our discussions of securing our information, we have discussed that there are multiple ways to authenticate a user. There are actually three main ways to authenticate someone:

Things in your possession, such as a badge or smartphone
Things you know, such as a password or PIN
Things you are (inherence), such as fingerprints, facial or voice recognition
Where you are. Some forms of MFA use your location. If your IP address isn’t correct, the system will reject you.
What you are doing. This is called Risk based authentication. The system looks at a host of attributes about the login attempt (time of day, IP address, device identification, etc.) and assigns a risk score. If the score is too high, the login attempt is denied unless it can be authenticated using one of the other methods above. A day shift employee logging in from Starbucks at 2am on a Sunday and attempting to access files he normally wouldn’t would trigger an MFA request from the system.

Multifactor authentication is simply a method of using more than one of the above methods to secure your stuff. In order to gain access to your information, a black hat would need to possess or have knowledge of more than one of them. A couple of examples:

At the hospital, to gain access to patient medical records, I need to know my password and swipe my identification badge and the RFID tag inside of it. A thief would have to get an authorized employee’s password and my ID badge in order to gain access to medical records. Even then, only the patients who are assigned to me (or my department) are visible to me, and even then only if I am on an IP that belongs to my hospital or a partner organization.

What many companies do: you need the password, and the company sends a text to your cell phone containing a 6 digit PIN that expires relatively quickly, say 2 minutes or so. This is to verify that the person logging in not only knows the password, but is in possession of the legitimate user’s cell phone.

There are weaknesses to all of the above methods. The employee’s badge RFID code be read or intercepted and spoofed, and since it doesn’t change unless a new badge is issued, is not as secure as we would like.

The problem is that SMS isn’t a secure way to perform MFA.

This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.

Biometric MFA data has one large weakness- your retina, voice, and finger prints never change. If the hash of the image can be spoofed or copied, the black hat has your data forever. That isn’t secure.

The most secure MFA is a hardware key. There are many out there, and the way that they work is both simple and complex. Currently, the most secure method of hardware key MFA is carried out with a protocol called Universal 2nd Factor, or U2F. The method used here is something very familiar to old school Internet fans who remember the PGP encryption software: public-key cryptography.

In public-key cryptography, instead of using just one key, we use a pair of keys — one key is used to lock something away digitally and only the second key in the pair can unlock it. I can keep one key — my private key — and put the public key out there for you to use. Since only my private key can unlock anything locked up by the public one, once you lock it, no one else can use the key I left out there but the person in possession of the private key.

These keys are called a key pair and are mathematically linked. I can create as many public keys from a private key as I want, but you no one can recreate my private key from a public key. Genius, right? So how does this apply to MFA?

Key pairs can be created using software, but in the case of U2F, the private key is generated using a unique secret that is embedded during the manufacturing process and is hardwired into the circuitry of the hardware key, which is what makes it so secure.

So how it works is that you register for an account using the system that we are all familiar with- a user ID and password. Don’t forget to use a strong password. Then you register your hardware key. The server then sends a challenge consisting of a random number and an AppID to the user’s device. The hardware key then generates a nonce and hashes it together with the AppID and the secret key that is hidden in its electronic brain using HMAC-SHA256 to create a private key that is specific to that AppID. From this private key, a public key is derived, along with a checksum. This is returned to the server, who stores it for later. The next time you go to that website, the server will verify that the hardware key is the same one that it has dealt with before by sending you the public key, thus making sure that the server is valid and securing you from a man in the middle attack. Why? Because the domain is hashed together with the device secret password, so if you’re on a phishing website, the token will generate a different key, and the checksum will fail.

If the information was sent from a legitimate server, it should result in the same public key since the secret inside the device didn’t change. The device will then encrypt the challenge sent by the server with the private key and send it back to the server. Now both parties have verified that they are indeed talking to the people they think they are.

Since each nonce and checksum is unique to that login request, they change every time. This makes sure that your key cannot be spoofed. It’s like using a one time pad for MFA. All cryptographic operations happen inside the token. By the time the private key leaves the token, it already has been hashed using SHA-256, so even if the user doesn’t know that the client is compromised, it’s still safe to use the token.

Because of the nature of this system, it ensures that you are protected from:

Phishing
Spear phishing
Keyloggers
Credential stuffing
Brute force and reverse brute force attacks
Man-in-the-middle (MITM) attacks

No matter how you keep your passwords, they are vulnerable to being discovered or stolen. A hardware key that is properly setup will make the possession of the password irrelevant without possession of the key. If you lose the key, it is worthless without the password. The key also prevents you from logging into phishing sites, because it confirms for you that the site you are giving your credentials to is the legitimate one.

When you use a hardware key, always register two of them to each account, then lock one away in your safe. This insures that, should you lose the hardware key that you carry around, you aren’t permanently locked out of your accounts.

For right now, the most secure method of authentication is to use a unique user ID and password for each account you have. The password should consist of the four character types, random, and be at least 16 characters. Your passwords should change periodically. You should enable hardware key MFA for any sites and applications that support them, and use SMS MFA for any that do not. Although SMS MFA is flawed, it is better than not using MFA at all.

Internet crime is increasing, and the best defense is to harden your systems to the point where others are easier targets than you.

By Divemedic, 3 yearsJanuary 13, 2023 ago

Uncategorized

Pushback

Some Illinois sheriffs are refusing to comply with the state’s new assault weapons ban.

By Divemedic, 3 years ago

Cops

Eat Your Gun

The Uvalde Police Chief was interviewed the day after the school shooting. During that interview, he admitted that – well, you can read it for yourself:

When I opened the [school] door, I saw the smoke,” he recalled, saying “shots started firing” again as he and a colleague started nearing the classroom where Ramos was holed up with kids and teachers. “Obviously, I backed off and started taking cover,” the lead officer said, which CNN noted was in clear defiance of training that insists officers risk their own lives to “neutralize” active shooters.
“I know there’s probably victims in there and with the shots I heard, I know there’s probably somebody who’s going to be deceased,” he acknowledged of the room he backed away from.
But he felt the “priority” was the “preservation of life” of those not under the “immediate threat.”
“Once I realized that was going on, my first thought is that we need to vacate” the rest of the school, he said, telling arriving officers that “we’re taking [other] kids out first.”

You know what else would have saved the lives of those who weren’t under imminent threat? Enter the room and shoot the murdering bastard in the fucking face!

If he had any scruples at all, he would eat the barrel of his service pistol. Then again, if he had any scruples at all, this would never have happened.

Sorry, but cops are seldom heroes and when push comes to shove, they back out and hope someone else will take care of it. Parkland, Uvalde, and others have proven this to be the case.

By Divemedic, 3 yearsJanuary 12, 2023 ago

Account and INFO Security

Traps

This is yet another installment of the passwords series that I have been working on. I recently asked some of the people in comments how they secure their passwords. I got a few variations of “I don’t use technology” as an answer. They fell into the following general categories, with most people falling into more than one of them:

I use secure passwords for important stuff, but I use one common password for everything else
I write my passwords in a notebook, using a special code that only I am privy to.
I don’t use a computer or a smartphone to do financial stuff
I am too smart and/or savvy to get sucked into a phishing/spoofing scheme. I never click on or answer anything that looks odd. Instead, I call the number on the back of my credit card.
I am a small fish. No one is going to waste time with me when there are so many businesses out there to rip off, and they are the big payday.

Let’s talk about them one at a time. The first one: “I use secure passwords for important stuff, but I use one common password for everything else.” This is a trap that I myself fell into at one point. Here is the basic pitfall: All the black hat needs is to access one of your “unimportant” accounts to access so many others. Back in 2014, Home Depot was compromised when credentials stolen from one of the retailer’s vendors were used to access their computer system. The files of their customer database were stolen. It was a gold mine, containing point of sale records, credit card numbers, names, addresses, login information, and passwords. The breach cost Home Depot nearly $180 million.

Now the black hats have your name, address, telephone number, zip code, the name of your credit card company or bank, credit card number, user name, and password. They enter your login name and password into the computer database that they are using to crack other accounts, and they can now gain access to your other accounts. In fact, stolen credentials are often the most valuable things stolen during a data breach. Do you want to see if your credentials are being distributed on the Internet? Click here. The email that I use for day to day business has been compromised in 8 different data breaches. This information is very useful in spear phishing attacks like this one.

The use of computer assistance in breaching systems makes it easier, cheaper, and faster than ever before. The black hats are using GPUs and PCIe SDDs to attack large numbers of passwords in a short period of time in a method that is very similar to, and much more lucrative than BitCoin mining. This allows your life to be attacked with easy profits. Passwords that are invented by you using some code that you think is clever is easily cracked by a black hat with a computer.

Even in the event that you don’t use a computer or a phone, you are still vulnerable to social engineering scams that use the information from large data breaches like the Home Depot breach. The attacker contacts the victim disguised as a representative of some institution, trying to get as much personal info as possible. There’s also a chance that by posing as a bank or Google agent, he or she might get the password or credit card info right away. Contrary to other techniques, social engineering can happen offline by calling or even personally meeting the victim. 22% of all cyber crime is the result of social engineering.

Think you are too small of a fish to be a target? Think again. Targeting individuals is fast becoming the trend. A black hat can set up a computer to target you, having selected you from the list obtained from a previous company data breach, and can empty your bank accounts with less than a weeks’ work. What’s in your bank account? Twenty grand? More? Would a thief find that amount to be fair in exchange for a week’s effort?

Watch the show “To catch a thief.” People on that show always think that they are clever because they hide valuables, but the thief in this show always manages to find the hiding spots because they don’t search in the same way a homeowner does. Electronic information and its security works the same way.

No matter how you decide to do it, take the time to secure your accounts and your information using the best practices we have discussed here. You make think you are clever and have invented a system that no one else has ever thought of, but you are probably wrong.

Or continue to play the odds. Just remember the statistics:

the top 6 hackers in the US made more than $6 million in 2022 by stealing from individuals
600,000 people a year report that they are the victims of cybercrime.
70% of data breaches are on site breaches, not breaches of cloud assets
The top internet crime reported to the FBI in 2022 was phishing.
More than 80% of breaches that used hacking involved brute force or the use of lost or stolen credentials.
The most impersonated brand in phishing attacks is Outlook at 19%. In second place is Facebook at 17% while Office365 ranked third at 10%.
In 2020, the state with the most number of internet crime victims was California, with 69,541 victims and $621.5 million in losses as a result of internet crimes. Next is Florida with 53,793 victims, followed by Texas with 38,640 victims.

Here are some password security statistics:

Only 24% of US adults aged 16 to 50+ use a password manager.
53% of users around the globe have not changed their password in the last 12 months despite hearing about data breaches
42% consider an easy-to-remember password as more important than a very secure password.
In the same survey, 80% of people said that they will be concerned when their password is compromised. Yet, 48% said that they will not change their password if it’s not required.
42% of people think that their accounts aren’t worth a hacker’s time.

You carry a gun to secure yourself from armed robbers, yet you are 200 times more likely to be the victim of internet crime. Think about that for a minute.

By Divemedic, 3 yearsJanuary 12, 2023 ago

Crime

Why Do We Tolerate This?

Frederick Douglass once said: “The limits of tyrants are prescribed by the endurance of those whom they oppress.” This is a universal truth. We get as much tyranny as we are willing to endure without taking action. That’s what caused me to write the post about workplace violence from today.

It’s also caused me to write my opinion on the Taqueria shooting in this post. We all know the story. A man is sitting in a restaurant enjoying dinner when an armed robber comes in. The armed robber takes everyone’s money, and our hero pulls his weapon and smokes his ass. Now the law is talking about prosecuting the hero.

There has been a lot of debate as to whether or not the man should have taken as many shots as he did. I will grant you that the law says shooting someone who is down and out of the fight is illegal. That’s where I have a problem. See, the dirtbag who was killed had already murdered one person while committing a similar robbery in 2015. He shot and killed a man and saw his charges pled down to aggravated robbery, for which he was sentenced to 15 years in prison. He served only about a third of that reduced sentence. For killing someone, he served about 5 years in prison. Keep in mind that there are people who committed the crime of trespassing in the US Capitol during the J6 protests that are still in prison awaiting trial two years later.

We as a people should decide that we have had enough. The law is not there to protect law abiding people from criminals. There are many more law abiding citizens than there are criminals. No, police are there to protect accused criminals so that they are ensured of getting a fair trial.

That system is broken. Now the criminals are getting more lenient punishment than are the law abiding.

I will never get put on a jury because I am a gun owning, employed white male. However, if I ever was, no one who takes out the trash like this would EVER be found guilty. I wouldn’t care if he had tied his hands behind his back and put a bullet behind his ear. As far as I am concerned, that would have been a public service.

Perhaps his lawyer can make the case that the critter, having been shot 8 times was already dead, and therefore his client’s only violation of the law was abuse of a corpse, then plea it down to something else like vandalism.

By Divemedic, 3 yearsJanuary 11, 2023 ago

Gaming the Courts

Violence at Work

I firmly believe that no employee should have to sit at work and be threatened with physical violence. While at work, I am threatened with violence against my person and family several times per week. Since I was suspended for the patient’s accusations the week before Christmas, I have been threatened at least three more times.

A Baker Act said that she would follow me home to see where I lived, then return to my home while I was at work to murder my entire family. She kept saying “you just wait until I catch you out in public.” I demanded that management call the cops. They did, but the police did nothing but take a report. That’s fine. At least there is a record if I have to smoke the crazy bitch at the end of my driveway. I carry nearly everywhere when I am not at work. “Catching” me outside of work and attacking me would be a critical, terminal failure in her victim selection process, but still expensive and time consuming for me.
The very next day, a patient came in with a complaint that aliens mutilated his genitals and he wanted them removed. When the Doctor discharged him, he said that if I didn’t let him stay, he would kill me. I had security remove him. He came back in 3 hours later and security refused to do a thing about it. Finally, four days later, he was Baker Acted and sent to a mental health facility.
Later that same night, a man came in and demanded to be permitted to see his wife, who had been brought in by ambulance and was off at radiology getting an X ray. I told him that she would be back in about 10 minutes, but he wanted to be taken to her NOW. I told him to have a little patience, and he replied that if I didn’t take him to her, we were gonna have a problem. I told him that if he wanted to issue threats and cause a scene, I would have security remove him. He kept yelling, so I had him tossed out.

One of the nurses that I work with told me that I have too short of a fuse when it comes to threats, and I need to understand that most people are just venting and don’t really mean it. I agree that most people don’t mean it, but how do you really tell the difference? Why should I have to? If a person has so little impulse control that they can’t stop themselves from issuing threats of death or physical violence every time something doesn’t go their way, when does it stop?

My hospital, like most employers, doesn’t permit concealed carry for employees. So what happens when one of these people who doesn’t mean it comes in and decides that they DO mean it? The one who pays the price for misjudging the idiot’s ill intent is me, but certainly not my employer.

It’s the attitude displayed by this fellow nurse that results in no one saying anything when a mass shooter turns out to have been saying all sorts of disturbing things, and people inevitably say “Why didn’t anyone report this before he snapped and killed half a dozen people?”

That’s my problem with the cop who threatened to kill me before physically attacking me. The police wouldn’t press charges because they said that the man had a medical problem and was delusional, therefore wasn’t responsible for his actions. OK, I can see that. But then why does someone who isn’t and can’t be responsible for their violent actions still permitted to carry a weapon under LEOSA because he is a retired cop?

It isn’t just my employer, it’s most employers. They have taken the attitude of “the customer is always right” to the extreme, and now we see attacks and threats by customers becoming commonplace. Why is that? Because our legal system absolves employers of liability for customers’ actions while at the same time punishing employers by making them liable for the actions taken by employees in self defense. It sets the stage for making employees more easily and cheaply being replaced than violent customers.

By Divemedic, 3 years ago

Account and INFO Security

Password Cracking Tools

When I was younger, I was told that locks are there to keep honest people honest. I look at passwords the same way. Make your passwords as secure as they can be, but know that a thief can target you and take your stuff with enough effort. Just try to make your stuff harder to steal than other people’s stuff. They will move on to more easily stolen loot.

Hackers have advanced to using computers to crack passwords. The black hats are using GPUs and PCIe SDDs to attack large numbers of passwords in a short period of time in a method that is very similar to, and much more lucrative than BitCoin mining. When you have to guess from billions of combinations, computer assistance is required, and they are very good at it. These tools are easily downloaded from the Internet, and each tool has its pros and cons.

Here is a list of the most popular password cracking tools.

1. John the Ripper

Featured in many popular password cracking tools lists, John the Ripper is a free, open-source, command-based application. It’s available for Linux and macOS while Windows and Android users use a version of the software called Hash Suite.

John the Ripper supports a massive list of different cipher and hash types. Some of those are:

Unix, macOS, and Windows user passwords
Web applications
Database servers
Network traffic captures
Encrypted private keys
Disks and filesystems
Archives
Documents

There’s also a Pro version with extra features and native packages for supported OS. Word lists used in password cracking are on sale, but free options are available as well.

2. Ophcrack

Ophcrack is a free and open-source password cracking tool that specializes in rainbow table attacks. To be more precise, it cracks LM and NTLM hashes where the former addresses Windows XP and earlier OSs and the latter associates with Windows Vista and 7. NTLM is also available, to a certain degree, on Linux and freeBSD. Both of these hash types are insecure – it’s possible to crack a NTLM hash in less than 3 hours with a fast computer, but there are still companies out there that use this hash, simply because they are too cheap to upgrade to newer, more secure software.

As you can see in the screenshot above, it took Ophcrack merely six seconds to crack an 8-symbol password while using a rainbow table that includes letters, numbers, and uppercases. An 8 symbol password using upper, lower, and numerical characters has 62^8 combinations (218.3 trillion possible combinations) doing nothing more than adding in symbols and increasing the number of characters to 10 would make the password 500 million times more difficult to crack. That six seconds becomes 5,700 years.

The password 9136668099 is 10 characters long and only made of numerical characters, and took 4 days to crack. Imagine how much longer that would have taken, had upper, lower, and special characters been added.

This tool comes with free Windows XP/Vista/7 rainbow tables and a brute force attack feature for simple passwords. Ophcrack is available on Windows, macOS, and Linux.

3. Cain and Abel

Downloaded almost 2 million times from its official source, Cain & Abel is another popular tool for password cracking. But contrary to John the Ripper, it uses GUI, making it instantly more user-friendly. That and the fact that it’s available on Windows only makes Cain & Abel a go-to tool for amateurs, also known as script kiddies.

This is a multi-purpose tool, capable of many different functions. Cain & Abel can act as a packet analyzer, record VoIP, analyze route protocols, or scan for wireless networks and retrieve their MAC addresses. If you already have the hash, this tool will offer a dictionary or brute force attack option. Cain & Abel can also display passwords that are hiding beneath the asterisks.

4. THC Hydra

The biggest selling point of THC Hydra is the large number of protocols it supports. This is an open-source network login password cracking tool that works with Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH, and Telnet, to name but a few.

The methods available with THC Hydra include brute force and dictionary attacks while also using wordlists generated by other tools. This password cracker is known for its speed. It can even run checks on different protocols simultaneously. THC Hydra is available on Windows, macOS, and Linux.

5. Hashcat

The world’s fastest password cracker, Hashcat is a free open-source tool that’s available on Windows, macOS, and Linux. It offers a number of techniques, from simple brute force attack to hybrid mask with wordlist.

Hashcat can utilize a computer’s CPU and GPU at the same time. This makes cracking multiple hashes simultaneously much faster. But what makes this tool truly universal is the number of supported hash types. Hashcat can decipher MD5, SHA3-512, ChaCha20, PBKDF2, Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it supports over 300 hash types.

But before they can crack your passwords, black hats need to have the password hash. Here are some of the most popular tools for getting hash:

Mimikatz. Known as a password audit and recovery app, Mimikatz can also be used for malign hash retrieval. In fact, it might as well extract plaintext passwords or PIN codes.

Wireshark. Wireshark enables packet sniffing. It is an award-winning packet analyzer used not only by hackers but also by business and governmental institutions.

Metasploit. This is a popular penetration testing framework. Designed for security professionals, Metasploit can also be used by hackers to retrieve password hashes.

The best defense against password cracking is using a strong password. Using enough symbols and different types of characters ensures that even the fastest computer won’t crack your account in this century. And since remembering multiple strong passwords is unlikely, the best bet is to use a reliable password manager. Multi-factor authentication (MFA) is still a pain in the rear for any hacker, so adding that to your arsenal will go a long way to making things more secure. More on MFA later.

By Divemedic, 3 yearsJanuary 11, 2023 ago

Antigun

Illinois Makes All Semiauto Rifles Illegal

How did they do that? Because of the overly broad wording of their new assault weapons ban (edited to clean up the text to make it more readable, but not change the wording):

(3) "Assault weapon" means:
(snip of irrelevant sections A and B)
(C) A semiautomatic rifle that can accept or can be modified to accept a detachable magazine and has at least one of the following:
(i) A folding, telescoping, or collapsible stock.
(ii) Any grip of the weapon, including a pistol grip, a thumbhole stock, or any other stock, the use of
which would allow an individual to grip the weapon, resulting in any finger on the trigger hand in
addition to the trigger finger being directly below any portion of the action of the weapon when firing.
emphasis added

Now picture any semiauto rifle you can think of. Now tell me which one, if any, sees the pinkie finger of the trigger hand not being below the action of the rifle.

Thus, all semiauto rifles in Illinois are now legally defined as assault weapons and are thus illegal to possess, transfer, or own.

By Divemedic, 3 yearsJanuary 11, 2023 ago

Guns

Disappointing Range Day

So I decided to take the new 1911 with me to range morning. I arrived at the range with my EDC pistol, the new 1911, 100 rounds of 9mm, and some CCI Blazer in .45ACP. I setup my lane, loaded a magazine with 5 rounds of .45, and squeezed off the first mag full of ammo when I felt a tap on the shoulder. It was the range officer telling me that only brass cased ammo is permitted at the range. But if I wanted to buy some .45 ammo, they had some for sale at $40 a box.

American Eagle at 80 cents per round? I can buy that elsewhere for 54 cents per round, and can buy PMC brass cased at 46 cents per round. No thanks. I don’t want to sound like an old man, but I remember when .45ACP was $8 a box, and that wasn’t all that long ago.

I had to switch to the 9mm and finish my shooting for the morning. After I was done, I asked the RSO why the ammo restriction. It’s because the range sells the used brass to a recycler, and they can’t sell steel or aluminum cases. So not only do they sell the ammo at nearly double the going rate, but they are selling the brass and making more money there.

I would love to find another gun range, but this one is only 20 minutes from my house, and there is only one other range within a half an hour’s drive. That second range is owned by a dishonest meatsack that I wouldn’t trust to sell me a stick of gum. So I can either suck it up and get fleeced by the brass recycling buttheads at the range 20 minutes away, or I can make the 40 minute drive to the third closest range and see if they are any better.

At any rate, I am going to have to order me some brass cased .45 and try to shoot the new 1911 some other time.

By Divemedic, 3 yearsJanuary 11, 2023 ago

Gaming the Courts

Improper Storage

So are we ready to throw Presidents in jail for retaining classified documents after they leave office? Or is that no longer a thing, now that Biden and Obama did it?

By Divemedic, 3 yearsJanuary 11, 2023 ago