Dancing the Two-Step

With the recent Adobe security breach we should all be reminded how vulnerable our data really is in the hands of hundreds, sometimes thousands of data providers and online businesses. We are relying on others to keep our information safe and out of the hands of these bad guys. Going back 20 years, would you ever have thought to trust so much personal information to so many? Not me. It has almost become 2nd nature for us to hand over personal info without a  thought. It is a little scary to think how complacent we have become with not only our own personal information, but also our employer’s and client’s information.

I have the pleasure of being in great communities of investigators and security professionals, who for the most part will give you free advice that for many is invaluable. Most professional groups have some type of Listserve or online group through which they communicate. But, being a member of a Listserve can come at a price. Listserves are a convenient way for malware to be spread to thousands of people via one single email address. When one person is complacent and allows their email account to be hacked, it puts many of us at risk. Not to mention yours and your client’s data. What should be done?

There is something called Multi-Factor or Two-step authentication that has been around for years, but has just in the recent few become mainstream and widely available. Multi-factor authentication provides a second layer of security to online accounts in addition to your standard password. This 2nd layer could be a hardware device like Yubikey, or a 4 digit code that is sent to your cell phone. I use both. Multi-factor authentication is now available through most major online service providers such as; Google, Yahoo, MSN, Facebook, Twitter, PayPal, etc.

My question is…why not? It’s very much like your bank asking you for your telephone password in addition to your name or locking the deadbolt on your front door in addition to the handle lock. These two things have become acceptable to us, and so will securing your online accounts. We just need to place the same importance on those accounts as we do our homes and finances.

This Gizmodo article does a good job at getting you started: How to Enable Two-Factor Authentication on All Your Accounts

Stay safe and keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Spying? There’s an app for that.

In the detective profession, you will undoubtedly one day have a client or prospective client who is so paranoid they think their neighbor can hear inside their house or their ex-boyfriend can secretly access their mobile phone. A person would usually assume that this is just paranoia brought on by some rivalry between two former friends or ex-lovers. Afterall, how easy is it to bug a house or surreptitiously monitor a mobile phone? Well the latter just got a little easier. A new Spyware program, created by mobile app developer DLP Mobile, was recently released called Secret SMS Replicator. This Spyware may be downloaded and installed on smart phones running Android OS. Once installed on the target mobile phone, the software is programmed to forward every text message received on that phone to a phone number of choice by the installer. To top it off the program runs silently and remains undetected in menus and processes. Apparently the only method of removing this malicious software is to delete the contents of the phone, or the “installer” must text the target phone with digits “000” (or a predetermined code), but must be done from the phone the texts are being forwarded to.

Here is the advertisement seen on YouTube:

This intentionally malicious program is available for purchase to the public on Handango.com at this link Secret SMS Replicator for $19.99. As an Android phone user, I perused the Android marketplace and found software that advertises removal of the above, but it seems relatively untested. So next time a person tells you that someone is intercepting their phone calls or text messages, don’t be dismissive, ask first if they have an Android phone. ~TheHiTechPI

*UPDATE- The Secret SMS Replicator is no longer available at the above link. It may be available somewhere else on the net, but since I do not condone its use, I am not going to search it out. (shame on you for trying 😉

Heeere’s Johnny!

This is a repost of a very informative article from Lifehacker.com on 12/16/2010. The author is the CEO of web company iFusion Labs, and blogger John Pozadzides.

 

 

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forumyou frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutuswwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

READ THE ENTIRE ARTICLE HERE ~TheHiTechPI