How I’d Hack Your Weak Passwords (onemansblog.com)

The author starts off with a list of the top ten passwords, and how he would go about finding the personal information needed. For example, number 1 is “Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)” and number 2 is “The last 4 digits of your social security number.”

The really interesting bits are when the author explains exactly how he would approach hacking your accounts, and how likely he would be to succeed. Unfortunately, the tools needed to engage in this kind of mischief are readily available and do not require great skill to employ.

Some key protection points include…

• Don’t use the same password for all of your online activities. Use different passwords for each site. That way, if your Facebook password is compromised, your Wachovia password is safe.
• Never use dictionary words, names, or other common passwords.
• Look for a trusted password management utility to help ease the pain of having a hundred different passwords.
• Your email is one of the most important and critical passwords—a criminal can use the “reset my password” feature on many shopping sites once they have access to your email account.

Take a look at the article and see if you can make some changes in the way you handle password security so that you don’t get hacked!

And the bits of the search string I saw had nothing to do with what I had copied. Clearly my Control-C did not “take” and I had pasted whatever stuff had been hanging around from the prior user.
My curiosity got the better of me and I opened Notepad and did a quick Control-V and watched in amazement as a young girl’s secrets were exposed before my eyes.

She is clearly struggling in her relationship with her boyfriend, because she had listed about fifty bad points about him in detail—and some were pretty bad. She then listed a dozen or so good points at the bottom. And I must admit that I read the whole story…and felt a voyeuristic guilt with each word.

I then closed Notepad and purged the clipboard and felt much better.
Of course, that doesn’t change the fact that I will feel uncomfortable the next time I see her. I feel like I snuck into her room and read her diary.

This is what she had done: She had written her personal note in Word or some other tool and then likely decided to email it to herself, so she copied and pasted the sordid details of her love life into Gmail, forgetting to purge the clipboard before going home.

And I, with no malice or intent, bumbled into her secrets.

Learn from the mistakes of others!

When was the last time you used a public computer at the library or worked on a common computer at school or work? Did you leave anything behind?

I never really considered that this book might raise eyebrows until some years later when I was in the Navy. We had just come back from a cruise and everyone was heading out to their dormant cars to go off base. One of my shipmates was quite surprised to find police surrounding his vehicle when he reached the parking lot. It seems that a few weeks prior, some night watchman had seen two curious items in the back seat with his flashlight: the butt of a BB pistol and … The Anarchist Cookbook. He sure had some ’splainin’ to do about that one. They were more interested in the book than the pistol.

What about today? Do we have to worry if our reading habits are known to others?

Though I chuckle at the thought that anyone would care that I have Clive Cussler in my Kindle, it’s not difficult to imagine situations where one might not want Kindle searches or eBook library contents known:

• People reading hotly political materials that might attract unwanted government attention.
• Folks who are reading materials that hint at their sexual orientation, a fact they might wish to keep private.
• Readers who are searching for materials on one of many different illnesses, that they might not want potential employers and insurers to know about.

Want to know how eBook vendors are treating your privacy? Here’s an article on the subject by Ed Bayley on the Deeplinks Blog:

An E-Book Buyer’s Guide to Privacy

This article provides a table with five key e-reader technologies—Google Books, Amazon Kindle, B&N Nook, Sony Reader, and FBReader—and provides answers to several key privacy questions for each product.

Even if you have nothing to hide, think about this: Considering how poorly Amazon chooses recommendations for me, I wonder how poorly our government might pigeonhole me based on my book collection. One thing is certain: somewhere in that list is one ancient copy of The Anarchist Cookbook!

Apparently this is not the case

It seems that the TSA has leaked their official document of airport security guidelines. ABC News says Online Posting Reveals a “How To” for Terrorists to Get Through Airport Security

A Rookie Mistake

Look at the screenshot of the document at the top of this post. Even though a certain part of the document has been blacked out, it is possible to select the text and copy/paste to find out what is hidden behind the black text.

What kinds of things are listed in this document?

• Photographs of all kinds of official ID cards. Ever wondered what a U.S. Senator’s ID card looks like?
• Procedures for calibrating equipment, such as where guns should be hidden for the testing and such.
• Guidelines for who gets searched and who doesn’t.
• Guidelines for what objects get searched and which don’t.
• And much much more!

In other words, this was a most unfortunate event.

See for yourself—ABC News (and others) have posted the document with redactions removed.

Easy as Pie

Here’s a screenshot of the original document, opened in Adobe Acrobat Professional.

As you can see, it was a trivial matter to use the TouchUp Object tool to gently slide the black rectangle off of the secret stuff (I have blurred the text here, though you can read it from ABC News if you wish).

If you are working with confidential documents that could potentially cause disaster if leaked, please learn how to redact your documents correctly!

Their network security department very kindly (and politely) informed me that they had received a “cease and desist” order from a particular game publisher. They had included the game publisher’s email, complete with the incriminating evidence.

There it was: logs showing the MAC address of my cable modem being involved in suspicious BitTorrent activities.

Considering that at any time during the week there can be from two to six or seven different teenagers hanging out in my humble abode, carrying virus-ridden machines, the message was clear: I had to get serious about locking down network access

The Problem

I would have liked to have bought some net filtering software to slap on the offending machine and been done with it, however I knew that this was insufficient.

Even if this one event could be traced to a youthful source, a more ominous danger comes from the inevitable malware and viruses that teenagers collect on their machines as they swap cool stuff with their friends.

Complicating things, there are many devices on our home network: Besides their school laptops, the kids have video game consoles and one has an iPod touch, all with wifi access. Think about how many different gadgets are on your home network.

And shutting off access altogether was not an option—there is still schoolwork to be done!

The answer: A Private Network for the Kids

My solution was to put together an unusual network configuration using a second wireless router; I wanted the ability to manage every single kid-owned device at the flip of a switch, while leaving the grownups untouched.

I hooked the cable modem (red) to the main router, shown in green. I then plugged a second wireless router, shown in blue, into the first.

By doing this, you can see that there is one single wire connecting the entire blue network (the kids) to the green network. It was trivial to then configure the green router with appropriate access control and filtering for that one single device: the blue router.

Some quirky details

Home routers like these are, by default, configured with a NAT firewall. They work sort of like one-way mirrors: someone on the network can see out, but nobody can see in. As a result of this, the kids (blue devices) can see any device on the main router (green devices), such as our print server and the NAS device, but no one can see into the kids’ network.

As paradoxical as it seems, this is exactly what I wanted. By making the kids’ network a private network, it appears to the green router as a single device. When I am configuring access restrictions, I only need to control access for the blue router’s IP address or MAC address.

Many consumer-grade routers have flakey firmware that just doesn’t really behave well when you start doing things like turning on filtering for multiple machines. I simplified things by bringing down the number of controlled devices to one. In addition, if one were to try filtering on the IP addresses or MAC addresses of individual machines, this can be easily defeated by manually changing the IP address or MAC address. With my configuration, the MAC address being filtered is the blue router, locked away safely.

The Finer Points

If you want to set up a network like this, do the following:

• (Recommended) Reset the kids’ router. Hold the hard reset button on the router in while you turn on power; hold the button for 15 seconds or so.
• Hook the kids’ router up to a spare laptop using an Ethernet cable. (Turn off the wireless of the laptop for the time being).
• Use the laptop to navigate to the configuration web page (usually 192.168.1.1).
• Set the router’s own address to a different network from the main network, such as 192.168.2.1. This is critical.
• Configure the router’s gateway and DHCP server entries to all point to the main router (192.168.1.1). This tells the kids’ router to use the main router as a source for its DHCP lookups and such, rather than going to cable modem.
• Navigate to the configuration web page at the new address (192.168.2.1). You may need to close the browser and replug the Ethernet cable.
• Set up your wireless security for the kids however you like. Make sure to choose a different channel and SSID from your main router.
• Remove the laptop and plug the WAN port of the kids’ router into one of the LAN ports of the main router. Restart everything.
• Test both networks to make sure things work the way you think they should.
• (Optional) You might want to connect to the kids’ router and set it’s external IP address statically. Make sure that this is set to a number on the home network (e.g. 192.168.1.2).

Some notes:

• You can only maintain the kids’ router from a machine connected to the kids’ network; the home network cannot see the management screens. If you wish, you could enable remote management for the kids’ network only, since the main home router is still protecting the whole network from intruders.
• Computers on the kids’ network can see all devices, but they aren’t on the same network. This means that network printers and NAS devices are accessible, but you will have to attach to them using IP addresses. I was able to easily set up the machines on the 192.168.2.1 network to use a print server on 192.168.1.100.
• For machines that should have full access (a.k.a. yours), make sure that you either set the green network to be a higher priority or remove the blue network SSID entry altogether. I found out the hard way that my iMac would randomly pick the green or the blue depending on which one it saw first when it woke up.
• This does not wall off your main network; it simply provides a single point of control to the entire kids’ network. In other words, don’t depend on this setup to prevent malware on the kids machines from seeing your machine. You can, however, set up your PC to not trust the kids’ network.

Wireless Network Security

Regardless of how you set up your network, make sure you use at least WPA encryption (Never use WEP!). Make sure your passwords are solid.

Using DD-WRT on my new wireless router

In addition to the new network configuration, I went one step further and chose a main router that lends itself well to installation of open-source firmware. I ordered a Linksys WRT54GL from Amazon for a little over fifty bucks. I chose this one because, as a direct descendent of the venerable WRT54G, this router is very well suited for running alternative firmware such as DD-WRT, giving substantial control over things like, say, access control…

Within a half hour after my new router arrived, I had gone to the Supported Hardware page, obtained the latest build of DD-WRT, and replaced the Linksys firmware with the far-better open source code.

I won’t go into the specifics of installation here, but it isn’t very challenging. Check out the DD-WRT site for details.

Closing Thoughts

Make no mistake: we are responsible for whatever goes on our home networks. Just like your home telephone; if someone dials up some 900 number and rings up a thousand-dollar phone bill, the phone company won’t care a whit who did it, you will still pay. Likewise, regardless of who did the BitTorrent download, there is a certain degree of responsibility of the homeowner to lock down the network.

Another point: Without some degree of personal responsibility on the part of the kids in the house, this sort of activity would simply be an arms race of filtering and blocking versus hacking. My goal is to help keep the honest people honest and to make life more difficult for the viruses and malware.

Another issue altogether is the spam email that is carefully crafted to appear as if it has come from your bank, saying cheerfully “Your statement for May is available online, just click here to access!” … but whoever clicks will inevitably be providing their secrets to some ne’er-do-well in New Zealand who will promptly empty their accounts.

Here is a simple, quick, and free way to avoid phishing attacks as well as casual/accidental exposure to unwanted adult content.

OpenDNS

The service I am referring to is OpenDNS, a free domain name lookup service that you can use in lieu of your Internet Service Provider’s own DNS servers.

When your computer goes to a web site, the name of the web site must be converted to a numeric address, in much the same way that you use a telephone directory to look up a friend’s number.

This lookup service is typically provided by a server owned by your Internet Service Provider. The address to this server is automatically configured when your cable modem connects to the network the first time.

The way OpenDNS works is you change the Domain Name Server (DNS) setting in your router to now point to the OpenDNS servers instead of your ISP servers. By doing this, you have changed the default telephone directory used by your home network.

A Phone book with the Bad Numbers Missing

To take the phone book analogy further, imagine that in your new phone book, all of the phone numbers for shady businesses such as escort services and massage parlors have been replaced with a special number. When you dial that number, a pleasant older woman gives you a gentle scolding for trying to call such a business.

This is pretty much what happens with OpenDNS: when your browser asks for a page from www.naughtystuff.com, the OpenDNS server points you to a different place, a nice page from OpenDNS that says that the page is blocked and explains why.

One fix for your Entire Network

There are many options available for “net nanny” style software that can be installed on individual machines, such as the kids’ machine. These features are also embedded in modern versions of Windows and OS X. But, what about all of the little portable devices that find themselves into kids’ hands? How about their gaming consoles?

Since you configure OpenDNS at the network entry point to your home, the router, any device attached to your network is automatically covered.

Customizable Blocking

You can use OpenDNS without an account, just by pointing your router to their servers, but the real power comes when you register with them (for free) and make your own choices about what you want to see.

You can choose which parts of the Internet you don’t want to see using their online configuration tool. You can either use their “High/Moderate/Medium/Low/Minimal” options or you can pick and choose individual bits of stuff to allow or block.

Here’s a look at the categories available when you choose the custom blocking level:

Basic Setup (about 20 minutes)

• Configure your router to use the OpenDNS servers for DNS lookups.
• Create a free OpenDNS account.
• Install their small updater program on one machine on your network.
• Log in to your OpenDNS Dashboard on the web and configure your blocking settings to taste.

Why do you need the updater utility?

In order to provide the custom blocking, the OpenDNS servers need to know your main IP address assigned by your Internet Server Provider. The desktop utility simply informs OpenDNS of your new IP address if it ever changes.

What do users see if they go to a blocked page?

They see a page that indicates the site that was blocked, along with a short reason and a link they can click if they want access to the page. If they click that link and fill out the short form, you will get an email from OpenDNS with the user’s request.

The remainder of the “blocked” page is a search form with some sponsored links.

You can customize the message as well as the image shown on the web page. When someone reaches a blocked page in my network, they are greeted by a picture of our calico cat, Roxy.

Keeping the Honest People Honest

This approach to blocking unwanted web sites is not a complete solution for keeping your kids from where they shouldn’t go; it is more like a simple padlock: it keeps the honest people honest. A determined individual can easily get around this product using various techniques, but they have to make a conscious effort to do so.

The real strength of OpenDNS is that it helps avoid accidental exposure to unwanted web content and phishing sites.

Not everyone who works with documents in the home will run into this problem, but sooner or later you are probably going to find yourself in a situation where you would like to email someone a useful document that just happens to have your social security number embedded in it, or your full name and address, or some other info that you would rather keep private.

This process of editing documents to remove sensitive content is referred to as redaction—that’s the keyword you probably want to be searching for as you tip toe through Google for guidance.

In this article I discuss the obvious problems we face using the most naïve approach toward document redaction, and provide some resources for better options.

The only sure way

The only absolutely certain way of guaranteeing that you cut out secret information would be to print the document, physically cut out the bad bits, scan in the document, and send the scanned PDF to your colleague. This may seem a bit extreme, but if you were an anonymous tipster sending the media a document full of mob-related evidence, containing your name, you might go this route (You probably don’t want to send the email from your personal account. Try a throwaway email account at the library.)

Other options… Microsoft Word

Don’t even think about sending a raw MS Word document to your recipient. There’s loads of hidden stuff within those documents that you might forget. If you really must, you can look into some recommendations from Microsoft, and consider tools such as Microsoft’s free Office add-in for removing hidden data.

Danger lurking in PDF documents

Since my paperless life really revolves around PDF documents, this is the most likely kind of document that I would be sending via email. Unfortunately, PDF documents have even more hidden data within than MS Office documents. Many people have been burned when they tried simple attempts at obscuring parts of a PDF.

A Simple Demonstration

I started with a nice PDF of the Declaration of Independence.

Now, supposing that we needed to send this document to a colleague, but we must not reveal the name of the original signer, we might try opening up the PDF in our favorite PDF markup tool and slapping a big fat rectangle over the sensitive information.

Now, all is good. But the enemy is crafty and they exploit the huge flaw in our thinking: the information never left the document. All they need to do is copy and paste:

A quick copy/paste from the PDF viewer application to Microsoft Word lets the whole world see that John Hancock is to blame! Better let him know we slipped up so he can take appropriate actions.

This sounds trivial, right?

In February, the Associated Press was able to uncover the secret details of the Facebook/ConnectU settlement using this same technique.

Apparently, the U.S. military has been caught in the same trap.

Last year, Google founder Larry Page’s home address info was leaked in a similar fashion.

How about Scanned Documents?

Up to this point I was working with a document that had been printed to PDF, thereby preserving the document text perfectly.

What about a document that we scan in?

Here’s some honest-to-goodness missile plans…

This is an excerpt from a scanned copy of the U.S. patent for the venerable Sidewinder Missile, complete with a black square that I have added to obscure some special information.

As seen here, the copy/paste trick still worked.

But why does it still work? Because the document had OCR run on it in the past.

A brief look at Acrobat’s document inspector tool shows the hidden secrets:

All of the red text above is hidden text. The actual hidden text is displayed by itself in the box on the right side of the screen above. It isn’t very pretty, but it has all of the details.

Proper Redaction

If you are concerned about keeping your secrets secret, do a bit of research into the tools available. You want to be absolutely certain that you don’t pass along any more information than you intend to.

Adobe Acrobat Professional comes with tools to do just this, and I show their use here:

You can see that I have used a redaction tool to select scanned text. Acrobat is selecting the hidden text as well as the bitmap image of the page. Once I apply the redaction, you can see the result below:

Now when my enemy tries the old copy/paste trick, the stuff between 38 and said means is totally blank, as intended.

Summary

I covered a very simplistic form of redaction here as well as a very simple way of getting around someone’s naïve censoring. Don’t stop here. You should use your PDF editor to search the metadata and hidden text for any terms you don’t want made public. You may wish to strip all metadata from your documents.

This is a topic that has been covered in depth by many, particularly in the legal field. Here’s a few articles worth reading on the topic:

Control metadata in your legal documents (Microsoft)

Redaction and Metadata Removal eSeminar (Acrobat for Legal Professionals)

Redacting PDF files with Acrobat 8 (AcrobatUsers.com)