Requiem for a Disk

--Originally published at TC2027 – Blog will Tear us Apart

How to properly say farewell to your hardware.

Perhaps we might know how to properly use our data storage devices: we know how to keep them safe, encrypt them and take care of their physical health. Thanks to that, these devices outlive our expected lifespans, and we find ourselves needing to improve our setup.

Sure, you might just RAID your PC, but most of the time improving means replacing. Perhaps it’s time to change that old HDD for a new SSD, or perhaps your USB stick is no longer big enough. And we immediately embark on deciding, reviewing and Zero-Moment-Of-Truthing the available technology.

Then we proceed to install the new, shiny and beautiful hardware into our systems et voilà, we proceed to enjoy the pleasures of capitalism; naturally, we fulfill our consumerist responsibilities by choosing the fate of our late hardware.

I know, disposal is not your first option; don’t worry, it’s not mine either. Perhaps using it as cold storage might be useful, or perhaps you can sell it, lend it, give it away, or mod it to work as an external drive.

Independently of how you decide the future of your device, you will probably want to format it. According to Wikipedia, formatting is:

Disk formatting is the process of preparing a data storage device such as a hard disk drive, solid-state drive, floppy disk or USB flash drive for initial use. In some cases, the formatting operation may also create one or more new file systems.

By creating a new file system it appears as if your data has been wiped from the drive: you’re good to go and it becomes just one idle piece of metal. That’s what most formatting tools do, and it is only appearance: a quick format rewrites the file system’s metadata (boot sector, allocation tables, directory) and leaves the data blocks untouched, so anything that was on the drive can be carved back out with an ordinary recovery tool. I don’t want to break
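To see the difference between "looks empty" and "is empty", here is an added example (not code from the original post) that walks a toy disk image through normal use, a quick format and a real overwrite. The block layout is made up for the demo (block 0 is a header, block 1 an allocation table, the rest data); it is not FAT, ext4 or any real file system, but it mimics what a quick format does on real ones: rewrite the metadata, leave the data blocks alone. The file contents are constructed sample data.

```python
"""Why a quick format is not a wipe, on a toy disk image.

Added example, not code from the original post. The layout below is made up
for the demo (block 0 = header, block 1 = allocation table, the rest = data);
it is not FAT, ext4 or any real file system, but it mimics what a quick
format does on real ones: rewrite the metadata, leave the data blocks alone.
"""
import os
import re

BLOCK = 64          # bytes per block (assumed toy geometry)
N_BLOCKS = 32
DATA_START = 2      # block 0: header, block 1: allocation table
MAGIC = b"TOYFS1"


def new_disk() -> bytearray:
    """A blank image, all zeros, like a factory-fresh drive."""
    return bytearray(BLOCK * N_BLOCKS)


def quick_format(disk: bytearray) -> None:
    """The 'format' most tools perform: fresh header, empty allocation table.

    Only blocks 0 and 1 are written. Every data block keeps its old bytes.
    """
    disk[0:BLOCK] = MAGIC.ljust(BLOCK, b"\0")
    disk[BLOCK:2 * BLOCK] = bytes(BLOCK)


def write_file(disk: bytearray, data: bytes) -> list[int]:
    """Store data in the first free data blocks and mark them allocated."""
    used = []
    for off in range(0, len(data), BLOCK):
        blk = next(i for i in range(DATA_START, N_BLOCKS) if disk[BLOCK + i] == 0)
        disk[BLOCK + blk] = 1                       # allocation table entry
        disk[blk * BLOCK:(blk + 1) * BLOCK] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
        used.append(blk)
    return used


def visible_blocks(disk: bytearray) -> int:
    """What a file browser sees: data blocks the allocation table says are in use."""
    return sum(disk[BLOCK + i] for i in range(DATA_START, N_BLOCKS))


def carve(disk: bytearray, pattern: bytes) -> list[int]:
    """What a recovery tool does: ignore the metadata and scan the raw bytes."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk))]


def wipe(disk: bytearray, random_fill: bool = False) -> None:
    """An actual wipe: overwrite every block, then lay down a fresh file system."""
    disk[:] = os.urandom(len(disk)) if random_fill else bytes(len(disk))
    quick_format(disk)


def demo() -> dict:
    """Walk a drive through use, quick format and wipe; return what each step shows."""
    secret = b"ACCOUNT=1234-5678-9012 PIN=0420"      # constructed sample data
    disk = new_disk()
    quick_format(disk)
    write_file(disk, b"shopping list: milk, eggs, bread")
    write_file(disk, b"bank notes\n" + secret)
    result = {"visible_before": visible_blocks(disk)}

    quick_format(disk)                                # "erase" it before selling
    result["visible_after_format"] = visible_blocks(disk)
    result["carved_after_format"] = len(carve(disk, secret))

    wipe(disk)
    result["visible_after_wipe"] = visible_blocks(disk)
    result["carved_after_wipe"] = len(carve(disk, secret))
    return result


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:>22}: {value}")
```

After the quick format the browser view shows nothing, yet the raw scan still finds the account number; only the overwrite removes it. One caveat for the SSD you are replacing the HDD with: wear levelling and spare blocks mean an overwrite from the host does not reliably reach every cell, so for flash use the drive’s own secure-erase command, or encrypt the whole disk from day one and throw away the key when you retire it.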

Continue reading "Requiem for a Disk"

Quick Tip: SUDO timeout

--Originally published at TC2027 – Blog will Tear us Apart

So, you’ve been playing around with your Ubuntu distribution, and suddenly you require sudo privileges in order to change or install a special feature. Thus, you enter your password and grant that privileged access to your computer.

I believe I don’t have to remind you that being logged in as root is dangerous and you should only run commands and programs as root when you’re 100% sure of what you’re doing. In the default configuration, after you enter the password once, sudo lets you run the next commands with root privileges without a password prompt for 15 minutes (the sudoers default).

In my Linux experience I have typed commands that weren’t meant to be run with root access, or found someone (my hacker girlfriend) accessing my root folders without having to input any password.

After digging around I found a surprisingly easy way to modify the default sudo settings in order to change the timeout of the root access.

Let us open the configuration file.

 user@pc:~$ sudo visudo

This command is the only safe way to modify the file: visudo locks /etc/sudoers against concurrent edits and checks the syntax before saving, and a syntax error in that file can leave you with no working sudo at all. The file itself says so:

#This file MUST be edited with the 'visudo' command as root.

Don’t worry, the editor is not vim; on Ubuntu it opens nano (other systems may use vi). Almost at the beginning of the file one can see some predefined Defaults lines, and the one that matters to us is the following:

Defaults env_reset

This is where we set the timeout; notice that the option is not set anywhere in the file, so sudo uses its built-in default of 15 minutes. On the same line, comma separated, we append the timeout option with the following syntax:

timestamp_timeout=x

Now, instead of the x we can put any integer value (recent sudo versions also accept fractions such as 0.5). This value represents the time in minutes, not seconds, that sudo will wait before asking for the password again; 0 means it asks every time, and a negative value means the cached password never expires until reboot.

If you want the computer to ask for the password
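Putting the steps together, here is the edited Defaults line as an added example (not from the original post), with the timeout values in minutes as sudo reads them:

```sudoers
# /etc/sudoers, opened with: sudo visudo
# The line as it ships:
Defaults        env_reset

# The same line, asking for the password again after one minute:
Defaults        env_reset,timestamp_timeout=1

# Or asking every single time:
Defaults        env_reset,timestamp_timeout=0
```

Ubuntu’s sudoers also includes the /etc/sudoers.d directory, so the same one-liner (`Defaults timestamp_timeout=0`) can live in its own drop-in file created with `sudo visudo -f /etc/sudoers.d/timeout`, which survives package upgrades of the main file; `sudo visudo -c` checks the whole configuration without editing it. Whatever timeout you pick, `sudo -k` throws away the cached credentials immediately, which is the thing to type before you walk away from a terminal.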

Continue reading "Quick Tip: SUDO timeout"

Measure this.

--Originally published at TC2027 – Blog will Tear us Apart

After some much needed password therapy, let’s take on the big picture of what we are protecting. We may know some techniques, and we already know that we want to be safe, but how can we measure it?

[gif: Measure like it’s hot]

Luckily for us, there are already some guidelines to measure how safe a system is. But before that, just like Rick Lehtinen stated in his book, Computer Security Basics:

No man, or computer is an island.

Nowadays everything you have is connected, even if just to work properly and stay up to date, so don’t start shouting out loud that you’re not a potential target, because you definitely are.

So in order to measure safeness, we can stick to the core C-I-A three pillars concept, which states that in order to be safe, a system must guarantee:

  • Confidentiality
  • Integrity
  • Availability

Pretty straightforward, no? Let’s tackle them one by one. Again, I’m talking user/client-side, so don’t expect server-side practices.

Confidentiality

Here is where privacy is at play. As you may remember from my first post, security and privacy are not the same; security is what makes privacy possible.

And that’s precisely what confidentiality is all about: keeping what you want secret in secrecy and what you want public, public. You definitely want your bank accounts, passwords, chats, and perhaps some of your spicy pictures kept secret (which you shouldn’t be sending to anyone, by the way); meanwhile you definitely want everyone to know your spoiler-free (I wish) Game of Thrones death-rant tweets.

How can my confidentiality be compromised?

Easy: there are some really simple steps by which anyone interested, without even having to be a hacker, can destroy your confidentiality. Here are some possible breaches.

What’s the deal with passwords?

--Originally published at TC2027 – Blog will Tear us Apart.

Passwords, oh passwords. The keys to our everything, definitely a pain in the arse.

This is my approach on the defense/user side of passwords, if you’re interested on the attacking approach, read Miss F’s post.

I’m sure we’ve all heard hundreds of times how insecure our passwords are; every year or so, another security blog or company sends out its updated rules and minimum security measures, but as of today, there are some basic principles.

  • Never use your name, birth date, social security number, house address or telephone numbers. Neither your past ones, nor a family member’s.
  • Never use sequential numbers. 123456Seven sucks, (ping me if you got that reference)
  • Never use words like “password”, “admin”, “qwerty” as a password. Please.
  • Never reuse passwords. Really, that’s just dumb.
  • Keep them long. Try to use at least 12 characters.
  • Add capital letters and symbols.
  • Do not share them, lass.
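
The rules above can be checked mechanically. The block below is an added example (not code from the original post) that grades a candidate password against each of them and estimates the brute-force search space, to make the "keep them long" point concrete. The 12-character minimum comes from the list; the other thresholds (a 4-character ascending or descending run counts as "sequential", a 4+ digit fragment of a personal date or number counts as a match), the common words beyond the three named in the post, and all sample passwords and personal details are constructed for the demo.

```python
"""Checker for the password rules listed above.

Added example, not code from the original post. The 12-character minimum is
from the post; the 4-character "sequential" run, the 4-digit personal-data
match, the extra common words and every sample below are assumptions made
for the demo.
"""
import math
import re
import string

MIN_LEN = 12
COMMON_WORDS = ("password", "admin", "qwerty",          # named in the post
                "letmein", "welcome", "iloveyou")       # assumed extras
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw holds `run` consecutive ascending/descending digits or letters (1234, dcba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isdigit() or chunk.isalpha()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def brute_force_bits(pw: str) -> float:
    """log2 of the search space for an attacker who knows only which character classes are used."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str, personal: tuple = (), previous: tuple = ()) -> list[str]:
    """Return the rules from the post that pw breaks; an empty list means it passes all of them."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not any(ch.isupper() for ch in pw):
        problems.append("no capital letter")
    if not any(ch in string.punctuation for ch in pw):
        problems.append("no symbol")
    if has_sequence(pw):
        problems.append("contains a sequential run like 1234 or abcd")
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"contains the common word {word!r}")
    for item in personal:                       # names, dates, phone numbers, addresses
        digits = re.sub(r"\D", "", item)
        if item.lower() in low or (len(digits) >= 4 and digits in low):
            problems.append(f"contains personal data {item!r}")
    if pw in previous:
        problems.append("reused from another account")
    return problems


# Constructed sample: a user named Juan, born 1990-05-21, phone 555-0199.
PERSONAL = ("Juan", "1990-05-21", "555-0199")
OLD_PASSWORDS = ("Tr0ub4dor&3!x",)

if __name__ == "__main__":
    for candidate in ("password123", "Juan19900521!", "Abcd!efgh1234",
                      "Tr0ub4dor&3!x", "P1O^Kunn-j3di-bank"):
        print(f"{candidate:<20} {brute_force_bits(candidate):6.1f} bits  "
              f"{check_password(candidate, PERSONAL, OLD_PASSWORDS) or 'OK'}")
```

The search-space figure assumes a dumb brute force; a dictionary attack with leet-speak and append-digits rules covers far fewer candidates than those bits suggest, which is why the rules about common words and personal data matter as much as length.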

I know it’s kind of complicated to remember every password ever, so here I gathered some password-making techniques.

Prefix-Suffix method.

I used to give a middle-school digital crash course, and I normally used this method of password making. I call it the prefix-suffix method; it’s great for memorizing complicated-ish passwords and becomes an easy way to never use the same password twice. It’s great for defending against brute-force attacks, and might help a little with dictionary attacks. Here are the steps:

  1. Choose the name of a TV show, movie, character, song; anything you really like, the obscurer the better. For example, the name of a semi-obscure Jedi master: Plo-Koon.
  2. Now grab that name and scramble it in a way you can easily remember, give it a little twist, add some l33t, you name it; just keep it easy to remember. Here it is with our Jedi: P1O^Kunn (notice that I even misspell it). This

Continue reading "What’s the deal with passwords?"

My thoughts on the talk with Maggie

--Originally published at Mental Droppings of a Tired Student

For our second session, we had guest speakers come in and talk to us about different experiences they have had in their careers, predominantly with a focus on hacking and security of course.

Maggie shared with us her experience speaking in front of 2000+ people at Defcon about her studies regarding GFCIs, disabling hairdryers using signals from a walkie-talkie. She shared with us how she got her internship at Intel, how she worked with amazing people and how she was fortunate enough to transition to a job in the US with Intel as well. She even shared some humorous personal experiences that related to her work and inspired her to keep working on what she loved.

The only fault I found in her talk was that it was hard for me to relate; her story seemed like a fairy tale and I’m sitting over here like “wow, it must be cool to have your life together”. So I started thinking, why would the teacher ask us to stand up and scream “It’s okay to fail”, and follow it up with a story of success?

[image: Maggie at Defcon (taken from her Twitter account)]

In the Q&A session, I decided to take the opportunity to ask her to share a story of failure, so that an underachiever such as myself could relate. I think my delivery of that request came off a little coarser than I intended. It wasn’t my intention to come off as such a Debbie Downer, but it kind of comes naturally to me. Hopefully my question wasn’t as memorable.


In response to my request she spoke about how it’s okay to feel like a failure because it means you are constantly improving and shows your will to keep learning and bettering yourself. I had never thought

Continue reading "My thoughts on the talk with Maggie"

{Beginnings.exe}

--Originally published at TC2027 – Blog will Tear us Apart.

So, I’m starting this blog from scratch, fresh out of the [wordpress] oven. Initially, the purpose of this blog is to become an active participant in Ken Bauer‘s #TC2027 security course, so be ready to read a lot about the topic. Now, this blog won’t be exclusive to that topic; I’ll be talking about different topics, so don’t worry.

I was not quite sure whether to reveal my identity, but as I’m linking this to my personal Twitter account, it was going to be just a matter of time before I lost that privilege.

I really don’t have much to say at this point, so relax, be patient with my writing skills and enjoy the ride.

P.S. My Twitter interactions are most of the time in Spanish. Sorry.