Author: Jason

Deep Dive on Password Best Practices

On Tuesday, I attended a wonderful talk by Roger Grimes. The title of the webinar was A Master Class on Cybersecurity: Password Best Practices. Roger is very knowledgeable and a great resource for this information, but he talks fast. I really enjoyed the webinar, but it was an hour long and Roger fit a lot in that hour. For those that watch the above free webinar provided by BightTalk and (ISC)2. I thought I would provide some helpful links and videos to follow along in the webinar. First be sure to download the slides from Roger’s talk via BrightTalk.

Roger shows several Kevin Mitnick hacks during the webinar. Here is the No Link or Attachments Necessary hack link, unfortunately its not on youtube, so no embedding. Kevin is the “Chief Hacking Officer” at KnowBe4, the same company that Roger Grimes works at.

After the talk I also looked up my email address on haveibeenpwned.com. No surprises here. My email was in several breaches.

If they have your username they have half the puzzle (assuming you are not using any kind of 2 factor authentication, 2FA, which most are not). Now all they have to do is guess your password. If your password is on this list, Top 200 most common passwords, your screwed, this is exactly the kind of list that hackers will use first.

How do you make a more secure password then. I’ll let Kevin touch on this:

How Easy It Is to Crack Your Password

It is really even easier than that! If you ask chances are people will freely give you their password:

What’s Your Password?

Okay, so let’s assume you are smarter than these folks and you can keep from freely telling people. But can you? You may be doing it, indirectly. According to a research paper from Google, 20% of recovery questions, those you answer when you use the Forgot Password link on every website, can be guessed by a hacker. But while the hacker can do it, 40% of users can’t remember their own according to the paper! When all else fails just review your social media, as 16% of answers can be found there!

My suggestion use a password manager. Then you say, what about LastPass. You have a point, but how often are password managers breached? Not as often as the other 100 sites you use a password to get into. Password managers are still a good choice. In addition to your password manager, why not try some 2FA hardware?

You Should Be Using Yubikeys!

Be safe out there folks!

Weekly Cyber Security Wrap Up

My weekly roundup of my continued learning in cyber security. What webinars I attended, podcast I listened to, the articles I read and projects I’m working on.

Webinars

  • Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist – (ISC)2 – A Master Class on Cybersecurity: Password Best Practices01/24/23 – What really makes a “strong” password? And why are you and your end-users continually tortured by them? How do hackers crack your passwords with ease? And what can/should you do to improve your organization’s authentication methods? Password complexity, length, and rotation requirements are the bane of IT departments’ existence and are literally the cause of thousands of data breaches. But it doesn’t have to be that way! –

Security Briefings Webinars | (ISC)²

  • Rachel Tobac, CEO of SocialProof Security – Webinar: Personal Data’s Role in Enterprise Social Engineering Attacks – 01/25/23 – During this webinar, Rachel and Rob will share their unique perspectives on: The state of privacy: Why individuals are losing control of their digital identities and how that’s driving business risk. The state of social engineering: How hackers use data found by data brokers to hack. The future of hacking: How new AI-based technology like facial recognition and voice-cloning will open up new pathways for bad actors

DeleteMe Webinar

Articles

Podcasts

Projects

TryHackMe – Completed Linux Fundamentals Parts 1-3. Completed Windows Fundamentals 1-3.

Implementation of Secure Solutions for CompTIA Security+ – 6 hours of prep training for the Security+.

This Week in Cybersecurity – Wrap Up

Educational Recommendations

This week I attended two webinars:

Interesting Articles this Week

Great Podcasts from this Week

Learning Projects

TryHackMe – I’m adding in some rooms from TryHackMe here and there to increase my overall understanding of cybersecurity. I’m focusing on Unix commands right now.

Kali Linux – I’ve installed a Kali Linux virtual machine on my MacBook Pro M1, which took a little more doing as the Apple silicon is still fairly new in the industry.

PluralSight – I’m still working through the 6+ hour long Implementation of Secure Solutions for CompTIA Security+ by Christopher Rees.

Changing Mastodon Servers

What is Mastodon?

Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter, which are offered by a large number of independently run nodes, known as instances, each with its own code of conduct, terms of service, privacy policy, privacy options, and content moderation policies.

I would argue it is better that Twitter primarily because it is not owned by Elon, but also because there is no algorithm choosing what you see, there are also no ads.

Why Change Servers?

Since each server is like it’s own community, you want to find like minded people on your server. Since I have been so absorbed in cybersecurity I initially chose to join ico.exchange. They had an instant join policy at the time, which means, no one had to manually review my application to join the server.

However, since joining I’ve followed more and more of what is going on at infosec.exchange. I follow more people there as well. So I finally decided to switch over. Which is not hard.

How I did it

I followed these step-by-step directions, which worked without issue for me. Since I hardly had anything on the server, I’ve only been on for a few months and I don’t post as much as many others, I don’t really find the downloading archive step necessarily, although it was nice to have a copy of my avatar image for the new server. What was necessary was the CSV of the followers, so I could follow the same people at the new server I was at the old server. Your followers are automatically notified that you have moved and follow you on the new server. There is nothing more you have to do. One big caveat is that you lose all your old post. They do not make the move over with you. So if you are thinking of moving servers do it before you have to many post or at least post you care about. Good luck!

Kali Linux and PicoCTF

Update…

This youtube video that I posted before worked absolutely beautifully on my M1 Mac. Absolutely no problems or troubleshooting. It’s not often you get a youtube tutorial that runs that seemlessly! UTM is new to me, I had always used VirtualBox in the past, but this was perfect. I’m very happy with my newly installed Kali VM!

I just ran through PicoCTF “Python Wrangling” using the install. Python was already installed, so nothing to do there, just downloaded the files and used them. Insanely easy. That was fun!

PicoCTF

What is PicoCTF?

picoCTF is a free computer security education program with original content built on a capture-the-flag framework created by security and privacy experts at Carnegie Mellon University.

It has training available for those who want to learn more about computer security. I just signed up today and followed along with this youtube to do the first challenge. For me it was VERY easy, so don’t be afraid to dive in. You don’t have to have any prior knowledge or experience to jump in. You can use any operating system (Windows, Mac, Linux). They have everything you need to do this first CTF.

Kali Linux

Disclosure: I used ChatGPT to assist in writing parts of this post. I like paying with it to see how it does. Really impressed so far!

What is Kali Linux?

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It is a popular choice for ethical hackers and cybersecurity professionals because it comes pre-installed with a wide range of tools for tasks such as network reconnaissance, vulnerability scanning, and exploitation. These tools can be used to identify and exploit vulnerabilities in systems, networks, and applications, which is important for understanding how to secure them. Additionally, Kali Linux is free and open-source, making it accessible to anyone interested in learning about cybersecurity.

How can Kali Linux help me learn about Cybersecurity?

Using Kali Linux can be helpful in learning cybersecurity for several reasons:

  1. The tools: Kali Linux comes pre-installed with a wide range of cybersecurity tools that can be used to perform tasks such as network reconnaissance, vulnerability scanning, and exploitation. This can give you hands-on experience using the same tools that cybersecurity professionals use in the field.
  2. The community: Kali Linux has a large and active community of users and developers who share information, tutorials, and resources. This can be a valuable source of information and support as you learn about cybersecurity.
  3. The environment: Kali Linux is designed to be used in a penetration testing environment, which simulates a real-world scenario where an attacker is trying to find and exploit vulnerabilities. This can give you a better understanding of how attackers think and operate, which can be beneficial in understanding how to secure systems and networks.
  4. The flexibility: Kali Linux is Open-source, which means you can customize the operating system to your needs and you can also build and test your own tools and scripts.
  5. The availability: Kali Linux is free and easy to download and install, making it accessible to anyone interested in learning about cybersecurity.

Overall, Kali Linux can be a useful tool for learning cybersecurity, as it provides a practical environment for experimenting with different tools and techniques. However, it should be used with caution and under guidance, as it can be dangerous to use without proper knowledge and understanding.

How do I install Kali Linux on a Mac?

Installing Kali Linux on a Mac computer can be done using virtualization software, such as VirtualBox or VMware Fusion. Here are the general steps to install Kali Linux on a Mac using VirtualBox:

  1. Download and install VirtualBox on your Mac from the official website.
  2. Download the Kali Linux ISO image from the official website.
  3. Open VirtualBox and click the “New” button to create a new virtual machine.
  4. Give the virtual machine a name and select “Linux” as the type and “Debian” as the version.
  5. Allocate memory and create a virtual hard disk for the virtual machine.
  6. On the virtual machine settings, click on “Storage” then click on the empty CD icon and select the Kali Linux ISO image you downloaded
  7. Start the virtual machine, it will boot from the ISO and you will be prompted to install Kali Linux. Follow the on-screen instructions to complete the installation process.
  8. Once the installation is complete, you can start using Kali Linux on your Mac in a virtual environment.

It’s also worth noting that you will need to have at least 4 GB of RAM and at least 20 GB of free space on your hard drive to run Kali Linux Virtual Machine smoothly. It’s also important to note that running Kali Linux on a virtual machine may not provide the same level of performance as running it on a dedicated machine, and some of the more advanced features of the tools may not be available.

Installing on a Mac with Apple Silcon (M1/M2)

My requirements are a bit different so I’m going to try using UTM as outline in this youtube. Wish me luck.