security

Protect your password

You should always protect your passwords. Most people know that, but do you know that you should have a complex password?

I was reminded of this when a client of mine was hacked. I'm not sure how it happened, but someone accessed his account, changed the password, and began sending emails requesting money.

Your password should have a number, an upper case letter, and be at least 8 characters. You should also include a special character, if the account holder will let you.


Recovering deleted files from NTFS image

Sometimes it becomes necessary to recover deleted files from an NTFS image. On Linux, a free utility called ntfsundelete can do this.

If the image is still mounted, you will need to unmount it:

$ sudo umount tmpmount

Then, you will want to use the losetup utility to associate a loop with a regular file (our image):

$ sudo losetup -o 15443968 /dev/loop0 /media/2Big/hd.img

The -o value is the byte offset of the partition inside the image, calculated as in the previous post: the partition's start sector as listed by fdisk, multiplied by 512. The ntfsundelete utility can then be run against the loop device:

$ ntfsundelete -s /dev/loop0
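The following shell script is an added example, not code from the original posts: it derives the losetup offset from the output of fdisk -u -l (described in the next post) so the start sector is not multiplied by hand, and prints the two commands above with the offset filled in. The sample fdisk output, its partition row, and the use of /dev/loop0 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts: derive the losetup offset from
# "fdisk -u -l" output instead of computing it by hand. Assumes 512-byte
# sectors, as the posts do; /dev/loop0 is kept from the post.

# Constructed sample of "fdisk -u -l" output for the image. The partition row
# is made up so that its start sector gives the offset used in the post
# (30164 * 512 = 15443968).
SAMPLE_FDISK='Disk /media/2Big/hd.img: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x0004034f

   Device Boot      Start         End      Blocks   Id  System
/media/2Big/hd.img1   *        30164   488392064   244180950    7  HPFS/NTFS'

# partition_offset NAME FDISK_OUTPUT
# Prints the byte offset (start sector * 512) of partition NAME; fails if the
# partition is not listed in the fdisk output.
partition_offset() {
    while read -r dev boot start rest; do
        [ "$dev" = "$1" ] || continue
        # A "*" in the Boot column shifts the Start field one column right;
        # without it, the second field is already the start sector.
        [ "$boot" = "*" ] || start=$boot
        echo $((start * 512))
        return 0
    done <<EOF
$2
EOF
    return 1
}

# loop_setup_cmds IMAGE NAME FDISK_OUTPUT
# Prints the two commands from the post with the computed offset filled in,
# rather than running them (losetup needs root and a real loop device).
loop_setup_cmds() {
    off=$(partition_offset "$2" "$3") || return 1
    printf 'sudo losetup -o %s /dev/loop0 %s\n' "$off" "$1"
    printf 'ntfsundelete -s /dev/loop0\n'
}

loop_setup_cmds /media/2Big/hd.img /media/2Big/hd.img1 "$SAMPLE_FDISK"
```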

Examining an image

You can either copy the image to a hard drive, or mount it in Linux and examine it. To mount an image of an entire drive, first examine the partitions using fdisk:

$ sudo fdisk -u -l /media/2Big/hd.img

In this example, hd.img is an image file created earlier on a USB drive named 2Big.

You should see something similar to this:

Disk /dev/sdc: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0004034f

Device Boot Start End Blocks Id System

Imaging a drive

It is very important when investigating a security incident to work with a copy of the hard drive, and not the original. It is equally important to work with an unaltered copy of the drive. All that is needed is a place to store the image, a USB or system drive, and a working Linux setup. This can be an Ubuntu live CD.

First, you must see where your drives are:

$ sudo fdisk -l

Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0008558e

The importance of complex passwords

An incident at the popular web service called Twitter has brought to light the importance of complex passwords. A hacker decided to try to break into a popular user's account at the service. He did so by writing an automated tool that used what's called a dictionary attack to try and guess the user's password. He went to bed and let the tool run all night. The next morning, he found he had broken into the user's account, finding the user's password was set to the word "happiness."

Securing Linux: process limits

This tip was found at http://aymanh.com/tips-to-secure-linux-workstation.

An old-school attack on Linux systems is called a fork bomb. There is demonstration code at the aforementioned website, but essentially it is a command that spawns an unending number of processes, eventually bringing the system down.