Category Archives: Security

The password file

A while back I talked about how users have IDs and how we can find out what they are using a command.  Remember, Linux loves files, so this information must be kept in a file somewhere.  It’s called the password file.  It should be called the ‘here are the users’ file, but it’s the password file.

You can actually look at this file.

Alpha:~ computerlamp$ more /etc/passwd

Here’s an example of what that can look like:

root:x:0:0:root:/root:/bin/tcsh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:

There are 7 parts to each line of this file, separated by a colon (:).  Each part is:

  1. username
  2. password
  3. user ID
  4. group ID
  5. real name
  6. home directory
  7. login shell

Let’s pull apart each part of this file.  We know what the user name is, mine’s computerlamp.  What’s yours?

The next one is the password.  It looks weird in that file: there’s an x where you’d expect to see the encrypted password.  That’s because it isn’t in this file; the x is what we call a placeholder.  It’s a ‘one used to be here, but isn’t any more’.  The actual encrypted password is kept in a different file, /etc/shadow, which only root can read.

Then there’s the user ID and group ID, we know what those are too and I’d assume you know what your real name is, right?

The last two are the home directory and login shell.  That’s the directory you’re dropped in when you first log in and the shell that you’re going to use.  My home directory is /home/computerlamp and my shell is /bin/bash.

There’s something weird in that result though, right?  For example, the user mail has a login shell that’s /sbin/nologin.  If someone tries to log in to that account, they’ll get a polite ‘no, you can’t do that’ message and will be logged out.  Another way of doing this is by putting /bin/false as the shell.
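As an added example (not from the original post), here is a small Python parser for the seven-field format above that also flags the entries an administrator would want to look at twice: a second UID 0 account, an empty password field, or a hash still sitting in /etc/passwd instead of /etc/shadow. The first three sample lines are from the post; the last two are constructed for the example.

```python
from dataclasses import dataclass

# Shells that refuse interactive logins, as the post describes.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    username: str
    password: str    # "x" means the real hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str       # the "real name" field
    home: str
    shell: str

    @property
    def can_login(self) -> bool:
        # An empty shell field is treated as /bin/sh, so that account *can* log in.
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one line into the seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def audit_passwd(lines):
    """Return (username, reason) pairs for entries worth a second look."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_passwd_line(line)
        if e.uid == 0 and e.username != "root":
            findings.append((e.username, "UID 0 account that is not root"))
        if e.password == "":
            findings.append((e.username, "empty password field: no password needed"))
        elif e.password not in ("x", "*", "!"):
            findings.append((e.username, "hash stored in world-readable /etc/passwd"))
    return findings


# First three lines: the post's sample output.  Last two: constructed for this
# example (a second UID 0 account and a hash left in /etc/passwd), not real data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/tcsh
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
toor:x:0:0:constructed second root:/root:/bin/bash
legacy:$6$constructed$notarealhash:1001:1001::/home/legacy:/bin/bash
"""

if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE_PASSWD.splitlines()):
        print(f"{user}: {reason}")
```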

Keylogger — Stealing your Typing for Fun and Profit

The last post about the last command got me thinking about security again and how people can get your password to log into your system.  Passwords on the Linux® system are stored using one-way cryptography, so a bad guy shouldn’t be able to break them.  There is a tool a bad guy can use to get your password anyway: it’s called a keylogger.

A keylogger is a program that records every single keystroke you make.

A keyboard

Imagine someone sitting inside your keyboard and recording every command you type.  It could also record you entering your password and then it would have your password.

That’s a scary thought, right?   How do you get hit with keyloggers?

They’re a virus.   Bad guys use them for more than just stealing your password; they’re also used for stealing credit card information and social security numbers.  They really want to steal money, your identity, and anything else they can sell.

They’re also often installed as a piece of hardware.  The keylogger sits on a USB device plugged into a slot on your computer, saves everything it captures onto that device, and waits for someone to come and get it.

If someone has physical access to your computer, they have all the time in the world to break into it.  They need physical access to put the keylogger on, so all they have to do is walk up, slip it on, and walk away.  They do hope that you won’t find it.

If they steal the computer from you, they also have all the time in the world to get your information off of it.  It’s one of the main tenets of computer security: keep your computer physically secure.  Imagine if a CEO’s laptop walked off?  CEOs have lots of information about the company on their computers; if the bad guy has the laptop, then all that information is up for grabs.

last

Every time you log in to your Linux® system, a log entry is made.  It is important for security: what if you logged in while you were asleep?  Either you were sleep typing or someone got your password.  Either way, that’s important information.  Lucky for us, Linux® logs this and there’s an easy way to see when you logged in.  That command is last.

If someone does log in and pretend to be you, then that person who isn’t you wants you not to know that you logged in when you didn’t actually log in.

Wait, let me try that again.

If the bad guy logs into the system, he wants to hide from you that he logged in.

Ultron went traipsing around the Internet and he didn’t care if anyone knew what he was up to.

Ultron up to no good

Other bad guys do care, so their first move is to remove these log entries.

Linux® tries to make this hard.  Most log files are straight boring plain text.  That means you can look at them and even edit them and no one will know the difference.

The file that last reads from isn’t like that.  It’s a binary file, which means that you can’t edit it at all without mucking things up.

The output of the command looks like this:

computerlamp    pts/2        console Thu Mar 15 20:53   still logged in
computerlamp    pts/2        console Wed Mar 14 20:52 - 20:53  (00:00)
computerlamp    pts/2        console Fri Mar  9 21:24 - 21:34  (00:10)
computerlamp    pts/1        console Sat Feb 24 15:56 - 17:13  (01:17)
computerlamp    pts/0        console Fri Feb 23 14:30 - 15:47  (01:17)
reboot   system boot         console Fri Feb 23 13:59         (20+05:53)
computerlamp    pts/2        console Wed Feb 21 20:06 - 20:16  (00:09)

It shows you when I logged into the system, when I logged out, and that there was a reboot of the system as well.  If I looked over this and said ‘now wait a minute, I was out of town February 23, what happened there?’ then I would be investigating a possible break-in of my system.
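As an added example (not from the original post), the following Python parses the `last` output above and answers the ‘what happened on February 23?’ question by pulling out every session that began that day. The sample is the post's own output; the regular expression assumes the column layout shown there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A `last` line: user, tty, host, weekday, month, day, HH:MM, then one of
# "- HH:MM  (duration)", "(duration)" (reboot lines), or "still logged in".
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+(?: \S+)?)\s+(?P<host>\S+)\s+"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<login>\d\d:\d\d)\s*(?P<rest>.*)$"
)
TAIL = re.compile(r"^(?:-\s+(?P<logout>\S+)\s*)?\((?P<dur>[^)]*)\)$")

@dataclass
class LastRecord:
    user: str
    tty: str
    host: str
    month: str
    day: int
    login: str
    logout: Optional[str]    # None for reboots and for sessions still open
    still_logged_in: bool

def parse_last_line(line: str) -> LastRecord:
    m = LAST_LINE.match(line.rstrip())
    if not m:
        raise ValueError(f"unrecognised last(1) line: {line!r}")
    rest = m.group("rest").strip()
    still = rest.startswith("still logged in")
    logout = None
    if not still:
        t = TAIL.match(rest)
        if not t:
            raise ValueError(f"unrecognised session tail: {rest!r}")
        logout = t.group("logout")
    return LastRecord(m.group("user"), m.group("tty"), m.group("host"),
                      m.group("mon"), int(m.group("day")), m.group("login"),
                      logout, still)

def sessions_on(lines, month: str, day: int) -> List[LastRecord]:
    """Every session (reboots included) that began on the given day."""
    recs = [parse_last_line(ln) for ln in lines if ln.strip()]
    return [r for r in recs if r.month == month and r.day == day]

def open_sessions(lines) -> List[LastRecord]:
    """Sessions that last still reports as open."""
    return [parse_last_line(ln) for ln in lines if "still logged in" in ln]

# The post's sample `last` output, embedded here as the input to check.
SAMPLE_LAST = """\
computerlamp    pts/2        console Thu Mar 15 20:53   still logged in
computerlamp    pts/2        console Wed Mar 14 20:52 - 20:53  (00:00)
computerlamp    pts/2        console Fri Mar  9 21:24 - 21:34  (00:10)
computerlamp    pts/1        console Sat Feb 24 15:56 - 17:13  (01:17)
computerlamp    pts/0        console Fri Feb 23 14:30 - 15:47  (01:17)
reboot   system boot         console Fri Feb 23 13:59         (20+05:53)
computerlamp    pts/2        console Wed Feb 21 20:06 - 20:16  (00:09)
"""

if __name__ == "__main__":
    # "I was out of town February 23": list every session that began that day.
    for r in sessions_on(SAMPLE_LAST.splitlines(), "Feb", 23):
        print(r.user, r.tty, r.login, "->", r.logout or "(open or reboot)")
```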

Encryption and Cryptography

Encryption and cryptography are two words we hear all the time. We want to hide our information from prying eyes. Cryptography is the math that makes it work, encryption is the process that does the work. We’re not going to talk math, I promise. We’ll talk encryption instead, that’s more fun.

Lock and Key

Let’s start with two kinds of encryption. One way encryption and two way encryption. If I encrypt something with a one-way method, then I can’t get it back. It’s like locking a padlock then throwing away the key.

That sounds silly, right? Why on earth would I lock a padlock and throw away the key?

Well, this being computers, it’s not exactly like locking a padlock and throwing away the key. When you use one-way encryption, what you get back is a unique combination of characters that corresponds to exactly what you encrypted. You can’t decrypt it to find out what it was to begin with, but you can encrypt a word and see if it matches that weird looking string of characters you have.

Sounds weird, right? It’s actually the method used for passwords. That way no one has any idea what your password is; they just know what the hash looks like. You type your password in, the system encrypts it and compares it to what it has on file. If it matches, then bingo, you’re in.

Here’s an example. Suppose Tony Stark’s password is ShellHead. Then the stored password could look like:

$_OIhfVvnK$.UYVFlACkTI

That doesn’t look anything like ShellHead, does it? So figuring out what the password is just by looking at that is impossible.

Suppose I type in ShellHea instead of ShellHead. Then the encrypted result could look like:

$_jCoO/YKY$GeTermseGL2

That isn’t anything like ShellHead’s password, so I’m not getting in.

How do people break passwords then? It’s called a dictionary attack. They run through all the words in the dictionary in various combinations and encrypt each one. Then they compare each result to the stored password string, and if one matches, they have your password.

That’s why choosing a good password is so important! You don’t want people breaking into your system, do you? Imagine the damage someone could do if they broke into Batman’s computer.
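As an added example (not from the original post), here is the one-way check in Python: the stored string cannot be reversed, but a typed password can be encrypted the same way and compared. It uses PBKDF2-SHA256 with a random salt rather than the crypt-style format shown above, so the strings look different from the author's examples.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # each guess costs this many rounds, which slows a dictionary attack


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way: return a '$pbkdf2-sha256$iterations$salt$hash' string.

    A fresh random salt per password means two users with the same password
    get different stored strings, and every guess has to be re-hashed per account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-hash the typed password with the stored salt and compare.

    There is no way back from `stored` to the password; the only test is
    whether the candidate hashes to the same value.
    """
    _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("ShellHead")     # Tony Stark's password from the post
    print(stored)
    print("ShellHead ->", verify_password("ShellHead", stored))   # True
    print("ShellHea  ->", verify_password("ShellHea", stored))    # False
```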

Botnets

A phrase often heard on the news is a botnet. That’s another scary name, like ransomware. It sounds like there’s lots of robots lurking on the Internet as a great big network of trouble.

That’s true and not so true. It is a scary sounding name but the truth is that a botnet is a collection of computers, all of which were infected by the same malware to do the same thing for a controller.

It would be more fun if there were actual robots on the Internet, but since the Internet is a network of information and there’s currently no way for robots to run around on it, instead we have infected computers.  Though imagining R2D2 and BB-8 running around on the Internet is awfully fun.

BB-8 and R2D2 are not part of a botnet

The controller of these computers uses the botnet to do their bidding.  They send spam, attack with a DDoS, or do anything else that makes them money.

Your computer can be part of a botnet and you won’t even know it. That’s a dangerous thing. You become part of a botnet when you click on a link and download software that adds your computer to the botnet. The scary thing is that your computer can also be hit because it’s on the same network as an infected computer. If your sibling’s computer is part of a botnet, it’s going to try to infect yours, and it might happen without you knowing it. A good firewall configuration can help.

There are several famous botnets, famous (or infamous) for the damage they’ve done or for their size.  These include Grum, ZeroAccess, Windigo, Cutwail, Conficker and Kraken.  I have one question about these botnets… who names these things? I think if I named one I’d name it ‘TeamAwesome Botnet’.

There’s another famous one known as the Mirai botnet.  The reason it was so scary is that it wasn’t computers that were part of the botnet, it was the devices in your home that are on the Internet that were part of the botnet. Things like routers, heating controllers, refrigerators, and even lightbulbs. It was the first major attack that used these devices and it took down a lot of important websites.

So, in summary, there are no robots running amok on the Internet, but there are a lot of computers acting bad.

Ransomware

Ransomware has a nice scary name, which is good, because it can be really scary. It’s how the bad guys hold your computer hostage until you pay a ransom. If you don’t pay, you can lose everything on your computer.

How does it work? Well, first of all, it encrypts your computer. There are two kinds of encryption, one way and two way. One-way encryption is where your stuff is encrypted, but there’s no way back from it. Once it’s done, it’s done. Passwords are usually one-way encrypted, so that no one can reverse them and find out what your password is.

The other method of encryption is two way. I can encrypt something and turn around and un-encrypt it (also known as decrypt). Two-way encryption uses a key to decrypt the encrypted string. If you don’t know the key, you can’t decrypt and your data stays encrypted forever. Unless you can figure out the key.

An Encryption Key

The hard part is that you don’t know how long the key is, what is in the key, or what isn’t in the key. You could spend the rest of your life trying to decrypt it by trying every possible string you can come up with… and still never do it.

Ransomware takes advantage of that. They encrypt your system and then demand a ransom so that they’ll give you the key. Pay them or… no more pictures, no more computer code, you lose everything on your computer, never to be seen again.

How do you get attacked? Well, the usual method is by spam. Despite what they show on TV or in the movies, you generally have to let the bad guys in.

Click on that link in the spam or download a strange attachment or even find yourself surfing in a dangerous part of the Internet and you can be attacked too. Try not to let it happen! Don’t click on the link or download anything unless you’re absolutely sure it’s safe.

Spear-phishing

Fred goes spearfishing when he wants to catch that one particular fish. He picks up his spear and dives into the water and goes after that one fish for dinner. Similarly, a bad guy goes spear-phishing when they want to catch that one particular person.

Most phishing is spam.  It’s sent to as many people as possible in hopes of getting people to click on those links and give up their information. It’s like what fishers do when they put nets down in the water and try for as many fish as possible at once.

A net for fish (not phish)

The phishers (those guys sending out the emails) are after any kind of person, rich people, poor people, they aren’t going to be picky. They just want the login credentials so they can steal as much as they can.

Sometimes, though, there’s that one person the bad guy wants to go after. The head of a corporation, an Admiral, a General, someone with lots of power and access to information. Sending a wild ‘click on this link, give me your banking information!’ doesn’t get the bad guy access to that information the good guy has. It just gets them the banking information. So, they craft emails to send to these people and entice them to either click on a link in the email or download an attachment.

Once they click on the link or download the attachment, they’re infected with malware and then it can go to town. It can replicate itself, spread itself around, and generally be a nuisance. Like Ultron did.

The Ultron Threat

It wants to hang around as long as possible and steal as much information as it can. These are Advanced Persistent Threats, which isn’t a really exciting name, is it? I think we should go for the Ultron Threat, but they never asked me.

Protecting yourself from spear-phishing is similar to protecting yourself from phishing.  Don’t click on any links (even if they promise you your very own Iron Man!) and don’t download any attachments (even if they claim to be the code that Tony Stark uses to operate Iron Man).

Phishing

If I want to catch a fish, then I go fishing. If I want to use social engineering and catch a user in my web of deceit, I go phishing.

A Fish not a Phish

In both cases I set out bait and hope for a bite.

Before I go further, let’s talk about what social engineering is. TV shows like to show the hacker sitting at their keyboard, clicking away and the magic occurs. They’re in the system and causing trouble.

It doesn’t always happen like that. What happens more often is that the hacker tricks the person (not the computer) into doing something that gives the attacker an edge in hacking into the system. This is social engineering. It isn’t nearly as cool as the hacker sitting at the keyboard and clicking away, but it’s more effective.

In phishing, the hacker sends emails that have URLs in them they want you to click. So they have to bait you into clicking them. A common email is they pretend to be your bank and send you an email saying ‘You must log into your account because if you don’t, all the gerbils will eat your money!’ (That’s not exactly what they say, but they do give you a scary reason why you should do it). Then there’s a helpful URL in the email that you can click to log in.

A vicious money eating gerbil

This is where the attack happens. The URL may look like your bank, the page it sends you to may look like your bank, but it probably isn’t your bank. Especially if the email talks about gerbils. Once you go to that page and try to log in, you’ll probably get a ‘oops, something went wrong, bye!’ message. Or it might even send you to your real bank page and tell you to try again. Or it might just go away.

Now the bad guys have your information on how to log into your bank account, and there’s nothing stopping them from using that information to steal money from you. They didn’t even have to break into your computer to do it, they just stole it all.

How can you protect yourself? If you get an email that claims to be from your bank and wants you to do something, never ever click on any URL in the email. Or if it wants you to log into an account of any type, don’t click on that one either. If you want to check if it’s true, call your bank and ask. Or, you can type in the URL for your bank at your keyboard (NOT using the one in the email) and log in that way.

Spam … not that stuff in a can

We all get email we don’t want. That email from your teacher telling you your assignment is late? Unwanted! Spam is email that is unwanted and is sent to multiple people.

Spam spam spam spam

The name came from the British comedy group Monty Python. They had a song that talked about the meat in a can called spam and repeated the word an awful lot. The people who dealt with this in the early days of the Internet were fond of the song and the name just stuck. It’s spam.

It’s annoying and it can be dangerous. Spam can deliver malware to your system, and isn’t that just too rude for words. There are two ways it can do it. One is to have an attachment and hope that you download it. If you download it, there’s a good chance you might get malware from it.

The other way is to hope you click on a link in the email. If you do that, you’ll probably download malware.

Either way, they want you to install malware on your system so that they can use your system for their own means.

So now comes the hard part, how do you recognize spam? Well, there are programs that do that for you. Most places that provide email have these in place, because they don’t like spam either. Gmail has one that puts all spam email into a quarantine area to keep it separate from your safe email.

Spam Quarantine

It only keeps spam email around for 30 days before deleting it. That’s because these programs aren’t perfect. They do their best to tell spam from not-spam, but they aren’t perfect.

We know spam contains URLs for you to click on, but what if your friend sends you a link to an Imgur photo album for you to check out? Then the spam program could send your friend’s email to the quarantine area.

On the other hand, sometimes spam doesn’t get sent into the quarantine area. If you get an email with a random link on it, don’t click! If you’re not sure that the original sender sent you that, call (or text) and ask! Same for attachments. It’s better to be safe than infected.

Viruses!

A virus is that nasty little organism that can give you the cold or the flu, or any number of other diseases. It’s a horrendous little critter that makes you feel awful. Good thing that there are vaccines for many of these viruses, right? I don’t want to get the flu every winter.

Viruses are not fun

Computer viruses are similar. They’re nasty little programs that can make your computer do things you don’t want it to do. They can search for information on your computer, make your computer send spam, make your computer be part of a DDOS, all sorts of things you don’t want your computer to do. In other words, viruses are bad.

Computer viruses

Viruses are bad for both people and computers, but they’re different things. You can’t get a cold and give it to your computer, and if your computer gets a virus, it won’t give it to you, I promise.

On the other hand, your computer can have a virus and you’ll never know. It’d be doing things you don’t want it to, and without a monitoring program your computer will happily keep being bad. That’s why antivirus programs are good for your computer.

A vaccine will stop one virus (and maybe some mutations of it). Antivirus programs try to stop all kinds of bad software, not just one kind. Without antivirus software, your computer could get that virus and, did I mention, you might never know? Some computer viruses are really bad and try to make your computer useless, but most just try to make your computer do things the bad guys want it to do.

Computer viruses are also known as malware, which is short for malicious software. In fact, that’s the most common name for computer viruses. They’re used by bad guys to make money and we’ll talk more about the different ways they do that.