Friday, April 12, 2013

Microsoft: Please Avoid Security Update KB2823324

In April, Microsoft released security update KB2823324, which for some users resulted in a continuous reboot loop. This patch updated Windows 7's kernel-mode driver. (Source: http://www.tomshardware.com/news/KB2823324-Windows-7-Security-Update-Patch-Tuesday-Infinite-Reboot-Loop,22016.html)

Saturday, March 30, 2013

The I in IT

I had a friend recently ask how I knew so much about computers (he was in a bachelor's program for Infosec) and the only thing I could tell him is that I've been learning for the past decade on subjects that interest me. I didn't wake up one day and just know how to computer; it took years of RTFM and JFGI. Which is exactly what the "I" in IT is for: INFORMATION!

We live in an era where information is free and everywhere. The fact that people still don't take full advantage of this befuddles me. Hell, even Ivy League schools have open courses you can take absolutely free. Now, this doesn't have to just be about technology; you can find information about literally any subject on the internet. However, since this is an infosec-based blog, I'll keep to that subject.

Ever hear of Google data mining? It's pretty f'ing sweet! You can dig up data by parsing strings, characters, and operations with Google. This is helpful in pinpointing exactly what you want to look up. For instance, if you need the manual for something in PDF format, adding filetype:pdf to your search will bring up only links that end with a file type of... yup, you guessed it, .pdf.

Example: google mining filetyp


Another great resource for learning, you ask? Forums. Learning from others has taken me so much further than I imagined. I started out on binrev long ago with my quest for more information security knowledge. There is also IRC, which has helped me a lot since you have specific channels for specific things. For instance, for help in Linux, there is always an IRC channel for the distro you're running, with people there to help you. One of my favorites is reddit. Reddit (for those of you living under a rock) is a collaboration of articles, self posts, images, etc. from millions of people. There are sub "reddits" for almost anything you can think of. Information, and it's free! I might not always know the answer, but I surely know where to find it.

Last but not least don't forget there are physical books still available.

P.S. - Don't worry, more interesting articles are coming in the future.

Monday, March 18, 2013

Diagnosing hardware Part 1

I've fixed more computers than I can count, or than I care to remember. I figure I should write an article on how I go about it; maybe some people will leave me alone and fix their own computer (hint, hint).

First, let's start with the tools I typically use:
There are many more tools available for each cause, plus some I use once in a great while for various things, but these are the basics of what I use almost every time.

Moving on. When you're diagnosing a problem you always want to check EVERYTHING even if you think it's fine. Sometimes double checking isn't a bad idea either. For instance when I run Memtest86+ I often let it run 2-3 passes just to make sure it didn't miss anything. This is especially true when you get new hardware, just to make sure it wasn't DOA (Dead on Arrival) so you can exchange it before the exchange policy is up. 

Protip: It's never a bad idea to apply new thermal paste to your heatsink/processor once a year. It's also a good idea to replace the OEM heatsink/fan with an aftermarket one.

Start with anything physically wrong. Open the box and look for dust, bulged capacitors, burn marks, unplugged cables, etc. I always blow the dust out of any box I work on; you'd be amazed how much quieter the fans get after they're clean and the box isn't overheating from dust anymore.

Next, go after the basic hardware: both the memory and the hard drive. Most hard drives don't simply die; usually the motor that spins the disk burns out or sectors go bad. Hard drives have what is known as S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology), which continuously monitors your hard drive for failures. S.M.A.R.T. is great in that it usually catches a failure early enough to save the data before it becomes catastrophic. Drive Fitness Test starts with a S.M.A.R.T. test before testing the hard drive. As I stated above, use Memtest86+ for 2-3 passes before you determine good or bad memory.

I'll continue a part 2 in the coming weeks with more detail on everything. Hopefully this helps someone. Feel free to ask any questions you might have, or note anything I might have left out. 

Wednesday, March 13, 2013

Passwords are Dinosaurs

I have never met anyone that likes using passwords, nor for that matter likes remembering 20 different passwords. If you're like me, you've got different passwords for everything (i.e. Email, Social Media, Bank, Debit card, Blog sites, Different boxes, Smart Phones, etc.), and it becomes overwhelming and hard to not reuse the same password. Not to mention "secret questions", which ask us personal questions that anyone could find the answers to with a few Google searches.

I remember reading an article on what a "secure" password consists of, assuming there was such a thing as a secure password. This article judged "secure" passwords on the basis of brute forcing and rainbow tables. With today's technology and the ability to tap into the ungodly power of a GPU, it wouldn't take long to crack an 8-12 character password. The moral of the article was that you need a 20+ character password, and no, it doesn't even need to be mixed case with numbers and special characters. You could simply have a password like "ThisPasswordIsSuperCool" and it would suffice as what that article would consider a secure password. While that would be true based only on brute forcing and rainbow tables, there are other variables to consider. The article was interesting but failed to touch on other important issues.
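An added example, not part of the original post or of the article it describes: the sketch below goes one step beyond the text by comparing a blind brute-force estimate with a word-by-word estimate for the post's sample passphrase. The word list, its assumed size of 10,000 and the 8-character sample password are constructed for illustration.

```python
import math
import string

# Constructed mini word list; WORDLIST_SIZE (an assumption) models the size of
# the common-word dictionary a guesser would draw from, not this small set.
KNOWN_WORDS = {"this", "password", "is", "super", "cool", "pass", "word"}
WORDLIST_SIZE = 10_000

def charset_size(pw):
    """Alphabet size a blind brute-force search has to cover for pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    known = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return known or len(set(pw))   # fall back to distinct characters seen

def brute_force_bits(pw):
    """log2 of the search space when every character is guessed blindly."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def min_words(pw):
    """Fewest KNOWN_WORDS that spell pw (case-insensitive), else None."""
    s = pw.lower()
    best = [0] + [None] * len(s)   # best[i]: fewest words covering s[:i]
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in KNOWN_WORDS:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[-1]

def effective_bits(pw):
    """Smaller of the brute-force and word-by-word search-space estimates."""
    blind = brute_force_bits(pw)
    words = min_words(pw)
    if not words:                  # not made purely of dictionary words
        return blind
    # Each word costs one dictionary pick plus 1 bit for "capitalized or not".
    return min(blind, words * (math.log2(WORDLIST_SIZE) + 1))

if __name__ == "__main__":
    for pw in ("x7#Qm2!v", "ThisPasswordIsSuperCool"):  # constructed samples
        print(f"{pw!r}: blind {brute_force_bits(pw):.0f} bits, "
              f"effective {effective_bits(pw):.0f} bits")
```

Under these assumptions the 23-character passphrase still comes out ahead of the random 8-character password, but by far less than its length alone suggests.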

Another of my favorite blog posts I've read on this very subject is titled Fuck Passwords. This guy has gone above and beyond what I do for generating passwords, but in the same respect the fact we have to just use passwords makes us just as insecure as the next guy.

Aren't passwords all we have?
No! For basic security there should be at minimum 2-form authentication. For good security there should be 3-form. For security measures based on the level of security you need it should go in this order: Something you know; something you have; something you are.

-------------------------------------------------------------------------------------------------

Something You Know: A user name, password, PIN
Something You Have: A smart card
Something You Are: Biometrics (fingerprint, retina scan, face recognition, etc.)

-------------------------------------------------------------------------------------------------

Now, we all know this is a bit extreme for what most people do on the internet. Could you imagine having to use a fingerprint, user name, password and smart card just to log into Facebook? I certainly don't see why we can't have something more for even Facebook, though. Google sure thinks so; they have recently been looking into the development of a secure ID ring that proves you are who you say you are online. You can check that article out here: Google aims to replace passwords with ID ring

In conclusion, passwords have been rendered useless in today's age. They're no longer secure, and no longer protect us as they were set out to do.

An introduction

My love and passion for technology and information security began before I owned, or my parents owned, a computer. I remember using AOL at my cousin's house and staying up all night messing with sub7. The thought that I could control another box somewhere else in the world with a few keystrokes intrigued me. The years that have followed turned into the best hobby I could have asked for.

The focus of this blog is not just going to be information security; however, that will be a big aspect. I have dabbled in all aspects of computers, and have a lot of information to share and rants to make. I'll update my blog as often as I choose (it's been sitting idle for the past 2 years) but I'll try to maintain good content and update it more often. I hope you all will enjoy and share my love and passion for technology and security, and maybe you'll learn something as well.