Friday, December 21, 2012

Hack Yourself---before someone else does---Twitter

In my previous post, I mentioned my attempts to hack my own Gmail account.

I entered a bad password 26 times, and Google Mail didn't blink---it just continued to display an error message indicating that either the user id or password was incorrect.

After eventually entering the correct password, I logged in successfully.

I was hoping that Google would alert me to the fact that someone had unsuccessfully attempted to log into my account 26 times.

No such luck.

I had decided to try this again with Google Mail, entering a bad password up to 1,000 times but I was distracted.

A friend of mine had forgotten her Twitter password, and I was assisting her with getting back into her Twitter account when I learned that Twitter has the best security I've seen so far.

After my third unsuccessful attempt to log into Twitter, the next login attempt displayed one of those distorted images of a word or a number that you need to type in to prove that you're not some kind of robot trying to hack an account. This is sometimes called a CAPTCHA.

http://en.wikipedia.org/wiki/CAPTCHA

Wikipedia defines it this way:

A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a human being. The process usually involves a computer asking a user to complete a simple test which the computer is able to grade. These tests are designed to be easy for a computer to generate but difficult for a computer to solve. If a correct solution is received, it can be presumed to have been entered by a human. A common type of CAPTCHA requires the user to type letters and/or digits from a distorted image that appears on the screen. Such tests are commonly used to prevent unwanted Internet bots from accessing websites.

The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford (all of Carnegie Mellon University). It is an acronym based on the word "capture" and standing for "Completely Automated Public Turing test to tell Computers and Humans Apart".

This was the first time that a bad password had been challenged in any way. Yahoo and Google both failed to do it.

I have several Twitter accounts, and so I decided to test Twitter's security by logging in with bad passwords several times.

I logged in with a bad password twice, and then a screen was displayed with two CAPTCHA boxes.

I entered a bad password again, but with the 2 correct CAPTCHA answers.

A screen was displayed saying bad user id or password, but no CAPTCHA.

Again I entered a bad password. This time, a screen was displayed saying bad user id or password, but no CAPTCHA.

Looks like it only displays the CAPTCHA after 3 bad attempts.

Eventually I had entered 26 bad passwords before finally entering the correct one and logging successfully into Twitter.

No message was displayed warning me that someone had tried to hack my account.

I checked the email address associated with the account.

No email warning me about a possible hacker.

Of the 3 accounts I've tried to hack (Yahoo, Google, and Twitter), Twitter has so far been the only one to put any sort of roadblock in my way.

Having to enter the CAPTCHA challenge answers sure does slow down a manual attempt to repetitively guess passwords. However, despite this added hurdle, Twitter does not seem to disable the account, nor does it send an email warning the user that someone is trying to log in with a bad password.
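The escalation the post observed (a CAPTCHA after three bad passwords) together with the two controls it found missing (an email to the owner and a temporary lock), as an added Python example that is not from the original post or from any of the providers tested; the thresholds, the 15-minute lock window, the user names and the class names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CAPTCHA_AFTER = 3   # constructed thresholds; 3 failures -> CAPTCHA is what the post saw at Twitter
NOTIFY_AFTER = 5    # consecutive bad passwords that trigger one "someone is guessing" email
LOCK_AFTER = 20     # consecutive bad passwords that temporarily lock the account
LOCK_WINDOW = timedelta(minutes=15)


@dataclass
class LoginResult:
    success: bool
    captcha_required: bool  # the next attempt must include a solved CAPTCHA
    locked: bool            # refused because the account is temporarily locked
    notify_owner: bool      # send the owner a suspicious-activity email now
    prior_failures: int     # bad passwords counted since the last successful login


class LoginGuard:
    def __init__(self):
        self._failures = {}      # user -> consecutive bad passwords
        self._locked_until = {}  # user -> lock expiry time

    def attempt(self, user, password_ok, captcha_solved=False, now=None):
        now = now or datetime.now()
        failures = self._failures.get(user, 0)
        if user in self._locked_until and now < self._locked_until[user]:
            # Locked: refuse without checking the password, so guesses make no progress.
            return LoginResult(False, True, True, False, failures)
        if failures >= CAPTCHA_AFTER and not captcha_solved:
            # CAPTCHA gate: reject an unsolved challenge before the password is even checked.
            return LoginResult(False, True, False, False, failures)
        if password_ok:
            # Success resets the counter; if guesses preceded it, tell the owner how many.
            self._failures[user] = 0
            self._locked_until.pop(user, None)
            return LoginResult(True, False, False, failures > 0, failures)
        failures = self._failures[user] = failures + 1
        if failures >= LOCK_AFTER:
            self._locked_until[user] = now + LOCK_WINDOW
        # Email once, when NOTIFY_AFTER is first reached, rather than on every guess.
        return LoginResult(False, failures >= CAPTCHA_AFTER, failures >= LOCK_AFTER,
                           failures == NOTIFY_AFTER, failures)


def replay_post_experiment(bad_guesses=26):
    # The post's test: wrong passwords one second apart (every CAPTCHA solved), then the
    # correct password 16 minutes after the first attempt, once the lock has expired.
    guard, t0, results = LoginGuard(), datetime(2012, 12, 21), []
    for i in range(bad_guesses):
        results.append(guard.attempt("alice", False, True, t0 + timedelta(seconds=i)))
    results.append(guard.attempt("alice", True, True, t0 + timedelta(minutes=16)))
    return results
```

In the replay, guesses 21 through 26 are refused while the account is locked, so the counter stops at 20, and the eventual correct login carries `notify_owner=True` with `prior_failures=20`, which is exactly the warning the post looked for and never received.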

My next attempt will be with Facebook.

More to follow.

If I don't post again before 2013, I want to wish you all a Happy New Year!

Friday, December 14, 2012

Hack Yourself---before someone else does. Google Mail...

If you've been following my blog, you know that I've been intrigued lately by the notion of hacking my own email account.

I know it can be done by someone who really wants to do it---that's not the issue.

The issue is this: suppose someone I know---a friend, a not-so-friend, a neighbor---thought it would be fun to try to guess my email password.

Surely my mail provider would let me know?

Or not?

It's been a few weeks since I last tried to hack my own Yahoo email account.

I was unsuccessful, but most importantly, once I successfully logged into Yahoo, Yahoo never once told me about the suspicious activity against my Yahoo account.

I guess Yahoo doesn't consider hundreds of attempts to guess my account password significant.

Perhaps this happens all the time?

I figured I would try one of my Google accounts---surely Google would be a bit more vigilant.

Well, my first attempts went this way---

Try to log into my Google account with a valid user id, but successively provide the letters 'a' through 'z' as the password.

As was the case with Yahoo, all I received was a message indicating that my password was incorrect.

25 additional attempts with a bad password produced the same result.

When I logged in successfully, I anticipated that I might have an email in my Google email account indicating suspicious activity on my account.

I didn't.

My next attempt will be a bit more persistent---1000 attempts with a bad password.

Interestingly, this Google account I'm trying to hack is an account that I hadn't used in a while.

When I used it last week, Google prompted me for an alternate email address in the event my account became disabled or locked out.

So it does happen---but apparently not for 26 bad password entries.

More to follow :)


Sunday, December 2, 2012

So you'd like to work in Computer Forensics

According to Wikipedia:

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high profile cases and is becoming widely accepted as reliable within US and European court systems.

One of my current students is a Computer Forensic Examiner, and responded recently to a question from another student in the class about the field and how to break into it.

His answer was so good that I decided to include it here as a blog post---here it is:

It's ever-changing and always challenging. However, it's not cheap. A typical course ranges from $2,500 to $4,000.

If you're truly interested in this, then go to some of the big job sites like Monster.com and put in computer forensic examiner, which is my title, and see what comes up.

Many provide certifications they are looking for, and they're typically from one of the few major companies and/or groups:

Guidance Software (EnCE - EnCase Certified Examiner)
http://www.guidancesoftware.com/

AccessData (ACE - Access Data Certified Examiner)
http://www.accessdata.com/

International Association of Computer Investigative Specialists (IACIS)
(CFCE - Computer Forensic Certified Examiner)
https://www.iacis.com/

International Society of Forensic Computer Examiners (ISFCS)
(CCE - Certified Computer Examiner)
http://www.isfce.com/

Sans (GFCA - Certified Forensic Analyst & GFCE - Certified Forensic Examiner)
http://www.sans.org/

The list goes on and on. 

Two books you might want to check out are

Guide to Computer Forensic Investigations 
http://www.amazon.com/Guide-Computer-Forensics-Investigations-Nelson/dp/1435498836

and

File System Forensic Analysis 
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172

Saturday, December 1, 2012

Email of the week (December 1, 2012)

I just received this email from a fan of my Learn to Program with Visual C# book:

Hello Mr. Smiley,

I recently purchased your book Learn to Program with Visual C# Express.
I know you've probably received many, many emails, letters, etc. saying thank you;
well, here is another one... Lol.

I have read many, many programming books in the last 30 years of my programming life.
But yours is so well done and was so great it was hard to put it down.  Most authors
write in a method that is so dry.  Your book was wonderful and engaging.  I enjoyed the
interaction with the students in the book.  You did a wonderful job of making me feel as
if I was part of the class. Thank you.  I hope all of the students from the class are doing well.

C# is not my first Visual programming experience.  But it is surely my favorite so far.

Anyway (sorry to bore you), I was wondering if you have the C# intermediate class book published?

Sincerely,

Brad
Fort Worth, TX.

My Response...

Hi Brad

Thank you for your very kind email---I really appreciate it!

Actually, few people take the time to email me, but when they do it really makes my day!

Interestingly, I got the opportunity to write my first book when I emailed the publisher of a book I was using in my class to tell him how much I enjoyed using it, and offered a few suggestions to make it even better.

I don't have an Intermediate C# book that I've written---I stick to introductory topics---but I can highly recommend the Murach C# book.

I'm currently using a Head First book in my HTML/CSS class, and I find the tone of the book (not dry, not too serious) to be very similar to mine. I'd recommend you check out the Head First C# book also.

As far as the students, the students in the book were based on actual students I taught at Penn State. Once in a while I'll hear from them, and I keep in contact with a few of them on LinkedIn.

Thanks again for your email, and keep me posted on your C# progress.

John Smiley
