How to check for a password breach, involving you.

Email I received. (Email hidden)

This morning, while going through some very old emails that I had somehow overlooked (not good, I know), I found a notice of a breach from a site I had used while taking a security course online. Of all the places I would not have guessed, it was “Gravatar”, which I had originally signed up with years ago, before WordPress acquired it. While some of you may already be aware of this breach, I thought I would share it for those who are not. I hope some of this information, on how hackers get and use your password, helps you understand the importance of a strong password.

Apparently in October 2020, Gravatar suffered a data breach which exposed 113,990,759 accounts.

In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars. 167 million names, usernames and MD5 hashes of email addresses used to reference users’ avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.

If you’re ever curious

Way back then, when starting my blog, I was rather dumb and had used a simple password. The site that alerted me to the breach doesn’t know your password; it just notifies you when your email is involved in a breach. I learned how passwords are cracked while taking a cybersecurity class. The password I had chosen back then was a pretty weak one that would probably be found in a word-list used by most security auditors and hackers. I changed it this morning. If you’re ever curious whether your information has been “possibly” compromised, you can visit the site and test your password. Basically, when you test your password, it is compared to all the lists (word-lists that hackers use) and, if found, it lets you know what breach it was found in, and the date, so you can go change that password to something stronger. The site is “Have I Been Pwned”. Pwned being a slang word used by hackers to denote a compromise of something.

I have used this site for years, and the man running it is a well-known security speaker.

Many users are unaware of how hackers work to get passwords. So here is a crash course on what a word-list is, and how it can be used by nefarious persons.

Your password is known only to you, unless you share it. The password you create for a site is then “encrypted”, or more precisely hashed: run through a one-way function whose result, the “hash”, looks like a string of letters and numbers. For instance, if I were to use Superman as a password, and the site used the MD5 hash function, it would be stored as 527d60cd4715db174ad56cda34ab2dce. No one would glean “Superman” from that.

One hash at the time.

However, when a data-breach occurs, the bad guys get the password hash. Sometimes they even get the username as well. While the hash by itself is unusable, because all they see is the “hash” of the password, they then use a program that takes huge lists of words, turns each one into a “hash”, and compares each “word hash” to your password hash (in this case, the hash of “Superman”). One hash at a time. Now, this may sound time-consuming, but computers are fast. My computer, during the security course, processed 138,000+ hashes or “hash comparisons” per second. Or 102 hashes every millisecond. “Superman” can be found in standard word-lists in a matter of milliseconds. Imagine what several computers linked together could do. This is why choosing a good password is important. Never use a regular word, such as a name, an object, or a subject, even in another language, unless several words are strung together, as in our example here, Ihabcouch@2endtables.

Where do these word-lists come from? Word-lists are simply a file of words, one word per line. They are generated from dictionaries, Bibles, foreign languages, names, events, anything a person might use for a simple password. Added to the list are passwords that have been cracked and leaked online by hackers. Sometimes a website (even a large one) has been found to have forgotten to hash (“encrypt”) the passwords, and they were stored in the database in “plain text”. Those are found, leaked, and added to the circulating word-lists. So if your account was involved in a data-breach, and you used a simple password found in a list, then they now have your email, maybe your username, and your password. They go to your email account, plug in your password and wreak havoc using your account for spam.
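The hash-and-compare loop described above, as an added example that is not part of the original post: it hashes each entry of a small constructed word-list with MD5 and compares the result to a stored hash, then turns the same loop around into a check a site could run at sign-up to reject any password a word-list would recover. The word-list entries, the `is_weak` helper and the `hashes_per_second` timer are constructed for illustration.

```python
import hashlib
import time
from typing import Iterable, Optional

# Constructed sample word-list, one entry per line like a real one: dictionary
# words, names and leaked passwords of the kind the post mentions.
SAMPLE_WORDLIST = """\
123456
password
iloveyou
ilovebob
Rosebud
Camellia
Superman
batman
""".splitlines()


def md5_hex(password: str) -> str:
    """Hash a password with MD5 the way the post's example site does."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def find_in_wordlist(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """The comparison loop the post describes: hash each word, compare it with
    the stored hash, one hash at a time. Returns the matching word, or None
    when the list is exhausted without a match."""
    target = stored_hash.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def is_weak(password: str, wordlist: Iterable[str] = SAMPLE_WORDLIST) -> bool:
    """Defender's use of the same loop: a site can run this at sign-up or on a
    password change to reject anything a word-list would recover."""
    return find_in_wordlist(md5_hex(password), wordlist) is not None


def hashes_per_second(seconds: float = 0.2) -> int:
    """Rough measurement of the hash rate on this machine, to compare with the
    138,000+ per second the post quotes for a single computer."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        md5_hex(str(count))
        count += 1
    return int(count / seconds)


if __name__ == "__main__":
    leaked = md5_hex("Superman")          # all a breach hands over is this
    print("leaked hash:", leaked)
    print("recovered:  ", find_in_wordlist(leaked, SAMPLE_WORDLIST))
    print("Ihabcouch&2endtables weak?", is_weak("Ihabcouch&2endtables"))
    print("this machine, hashes/second:", hashes_per_second())
```

The strung-together passphrase from the post's tip is not in the list, so the loop runs out of words and its hash stays unrecovered, while “Superman” falls on the first match.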

How big are the lists? Amazingly small, and large. I’ve seen pretty effective lists of about 120 MB that contains around 10,937,952 words. Then you have lists that are 5+ GB and larger, so use your imagination of how many words and combinations of words would be in that list.

passwords like 12345678

Many times while working on someone’s machine, they had to provide the password for me, at which time I always counseled them to change it when the work was done. No one, not even me, should have that password. It is yours and yours alone. I would find passwords like 12345678, password, iloveyou, ilovebob. Yes, these were actually seen by me. Or a person on a website about flowers using Rosebud, Camellia, etc. I worked on my brother-in-law’s computer once, and he had his first name as his email password! Although it was long enough, it was simply a name in any list of people’s names.

I hope this helps you understand why it is important to have a good password. Not just something simple for the sake of “senior moment” memories, which I have. Michelle describes my attributes as, “The compassion of a rock at times, attention span of a gnat, and memory like a leaky bucket.”

Password Tip

I sometimes use my home and the items in it to make up an easy, strong, memorable password. Like: I have a brown couch & 2 endtables.
Ihabcouch&2endtables
That comes out to 20 characters, with upper and lower case, a symbol, and a number. Yet after using it several times, repeating it as I type, and remembering to use the & symbol for the “and”, it becomes easy to remember. Since it’s not in a word-list, brute-force cracking would take 42 quintillion years.

If you have questions, please feel free to ask them in the comments.

Note: information contained herein, is for educational purposes only, to assist others in a more secure online experience.

Update: 12/06/21 8:46pm

The service, “Gravatar”, has stated they don’t consider this a “breach” of user data.

Many Gravatar users were not satisfied with the service’s explanation that all of the information users entered was public, which disqualified the incident from being labeled a breach. In the same explanation, however, the service claims the API was abused, instead of admitting that it was vulnerable and could have been better protected.

Source

It would appear to me that, even though they claim the information users entered is public, in the same breath they state the service API was “abused”, which means it was used for other than its intended function by someone without permission to do so. I call that a hack or breach, by any other name. You can follow the source link above and make your own determination.

DIY Wi-Fi Extended Range Yagi. (Trailerhood Style)

Okay, when you have a lot of time on your hands, you start acting like a mad scientist, or I’m watching too many Sci-Fi shows. Which reminds me, Svengoolie comes on this Saturday. “Curse of the Werewolf” will show, but I digress.

Living in a park (Trailerhood, for new readers), Wi-Fi signals can sometimes be temperamental. When you have several neighbors close by, the number of signals can saturate the air, and this can make it hard to get good range from the office here back nearly 70 feet to the master bedroom, or out in your yard.

I tried buying a Wi-Fi Yagi antenna off eBay, and the thing was so poorly made, as far as measurements and spacing, that it was just a paperweight. There was no surprise there. After all, at $12 you get what you pay for. I found plans for a DIY antenna from a Google search. Here is a picture of one someone made with paperclips, clothes pins, popsicle sticks, and a very small Wi-Fi dongle (under all that tape). Diagrams, measurements, and pictures can be found at the link below. This is not step by step, but if you are technically inclined, you can follow the directions in the link. As always, practice safety when doing projects.
Easy to Build WIFI 2.4GHz Yagi Antenna

Gathering parts and tools.

  • Superglue. It works better on skin than it does on most parts, be careful.
  • Micrometer for measuring the paperclips. You have to be as precise as possible with the length, since you are working with microwave frequencies.
  • A plastic rod from a pair of cheap blinds I had lying around, which I cut to the length needed. (Let’s not repeat that, Michelle doesn’t know yet.)
  • Box of jumbo paperclips I already had.
  • Some tinfoil from my protective conspiracy hat.
  • A waxed Dixie ‘snack-size’ plate, tinfoil covered, as an added reflector.
  • A medium plastic Dixie cup (Southern Champagne Glass) in case of light rain, if used outdoors for experimenting.
  • A spare Alfa USB Wi-Fi adapter, one I had an extra of.
  • An RP-SMA female wire pigtail from an old router to connect the Alfa unit to the driven element on the antenna.
  • Soldering iron and solder.
  • Some ointment for any burned fingers I usually get from my soldering skills.
  • Small wire cutters for trimming the paperclips. (Band-aids if you’re clumsy like me.)
  • Spray can of flat-black paint, already on hand. I picked black, as the only other flavor was fluorescent orange, and I look horrible in that color.
  • Some spare parts from my Go-Pro drawer to mount it to a tripod, or a flat piece of wood for table-top use.
  • Patience, LOTS of patience.

Pictures from the build.

Results: With just the signal from the router I was getting a power reading of -80 to -90 (numbers closer to zero are better) in the back bedroom. Now, using the antenna, we’re getting -30 to -40! No more drop-outs from interfering signals. I can use my laptop or tablet out in the backyard shop. I can also use this to pick up open wireless sources if needed, should the Internet go offline here at home.

This is not a detailed instructional, but has link/s needed for detailed instructions. Construction time was about 3 hours. Cost was free as all items were on hand.

Comments, always welcome.

My Custom Computer is finished. Whew!

After waiting 16 years since my last brand-new computer, I decided to build, rather than buy one. I searched YouTube for budget builds. There were several in the $500 budget build range. You might buy the parts for $500 if you’re lucky to get them at the price when the video was made, but they leave out the fact that if you want warranty protection on some components, that can run you another $50-$100. Not to mention the budget builds use the very small cases, and bare components. I needed a mid-sized case, so I could get my big hands in there to work. Plus, larger case, more air, cooler components.

Using the list from a budget build, I upgraded some of the items (most) and began building. I won’t go into detail of where and how much, as the prices change, and even many components get discontinued. I found this out, trying to follow many parts lists.

In the picture below, I had just installed the motherboard and power supply and routed the cables. Yes, the label looks upside down on the power supply; the label on the other side is right side up, so you can install it either way and the label appears correct through the window on the other side.

The case came with three LED fans pre-installed in the front, and one plain fan in the back. There is a tempered glass pane covering the other side of the case. This is a view of the cabling cavity (opposite side from the window) of the case. I will install two more LED fans in the top, and replace the plain one in the rear with an LED fan. Sorry, I like my bling at times. 🙂

Just getting started

Finished at Last!

I installed LED light strips, recessed out of sight behind the white foam strip I added (to diffuse the light), to illuminate the main component area behind the glass.

There is a mesh air filter over the top fans
A mesh air filter is located at the bottom of the case for power supply air intake
Front view

I LOVE this keyboard! It clicks/clacks like the old keyboards in bygone days. It is preferred by gamers (which I am not). The body is made of steel, so it has weight and feels sturdy. Slender and so easy to type on. The colors, being the constant rainbow, seem to help me focus quickly if I need to glance at the keyboard. Three levels of brightness, 9 modes of light movement if you’re into that. The grandkids love watching it when I put one of the modes active.

Red Dragon Rainbow keyboard

Components were picked for what I needed and budget. Not for highest performance. :)

  • Motherboard: ASRock B450M PRO4 AM4 AMD Promontory B450 SATA 6Gb/s USB 3.1 HDMI Micro ATX AMD Motherboard
  • CPU: AMD Ryzen 5 1600 6-Core, 12-Thread Unlocked 65W Desktop Processor with Wraith Stealth Cooler
  • RAM: 16 GB GeIL (2 x 8GB) EVO Potenza DDR4 PC4-24000 3000MHz 288-Pin Desktop Memory
  • GPU: Gigabyte Geforce GTX 1050 Ti 4GB GDDR5 128 Bit PCI-E Graphic Card (I have wanted a 1050ti for years).
  • Main Drive (Boot/OS): Crucial BX500 240GB 3D NAND SATA 2.5-Inch Internal SSD
  • Storage Drives: 1TB Seagate HDD 5900 rpm / Hitachi Deskstar 3TB 32MB Cache CoolSpin SATAIII 6.0Gb/s 3.5″
  • Power Supply: ThermalTake Smart 500Watt
  • Keyboard: Redragon K551-R Mechanical Gaming Keyboard with Cherry MX Blue Switches “Vara” 104 Keys USB Wired, Steel Construction.
  • Operating System: Linux of course! It’s free!

If you have questions about choices of components, please feel free to ask; that is how we all learn.

Now, it’s time to enjoy it.
Comments always welcome,

Cover that Webcam, Before you’re a Star!

Webcams are a subject that I have covered before with friends and family. This is an opportune time to share some of my knowledge with blogging friends. While they are a great tool for visiting one another during this worldwide shelter-in-place, they can be an embarrassment, perhaps even a danger, without the proper precautions. Remember, once something’s out there on the Internet, it’s out there forever.

Why should I be worried

During this time of boredom, you will have kids home from school, and others who no longer have to work and have a lot of time on their hands. Some will entertain themselves with video games. Some will entertain themselves with the sport of hacking into your devices. Most of the time, it is just to see if they can accomplish the exercise of gaining control of something they aren’t supposed to. Thrill of the game type of thing.

Your security is important

Most webcams are plug and play. This is nice for those of us who don’t care for complication in setting up devices. Most, if not all, webcams come preconfigured with “default” user and password settings. They can range from user=admin to simply user=user. Then we have the password. They are generally on the simple side from the factory: Password=password, or Password=(nothing, blank).

If for whatever reason you don’t take the time to change those items of security, then someone may be watching your baby cam, or your home, or seeing whatever the webcam on your desk, or built into your laptop can see. There may be moments, that might be embarrassing. If you do opt to change your password, make it a decent one. There’s no guarantee this will happen to you, but erring on the side of caution is best.

They can do that?

When I bring up this subject of webcam security (which, by the way, I’m no expert at), the first question is usually, “They can do that? How?” Without getting into the technical geek speak, the method is out there. With Google, you can find “anything”. There are other research types of search engines that are not generally used by the normal public. These can be used to search for certain “strings” that have to do with webcams that have admin and password set to default.

There are also websites that do automated searches using these search engines and compile lists for people who would like to see the world. Some webcams are purposely set up so hotels or venues can share their beauty or location. These search engines also find other webcams that have factory-set passwords and list them.

Examples for you to see.

There is a site called insecam. While it says that all cameras are filtered as having no password set, or were requested to be added to the directory, there have been some spotted that obviously were from laptops and home webcams. Now, there are cameras of birds, aquatic life, locations of beauty; all of them have one thing in common. No password set.

Things to do.

  1. First and foremost, set a password for your webcam, if it is connected to the Internet. If you use it for security, or perhaps video conferencing then it has access to the Internet.
  2. Purchase or make a cover for your webcam. It can be as simple as a post-it note, or piece of frosted scotch tape, or one purchased from online.

This is where I keep my webcam for my desktop: pointing away toward a wall when not in use. I use a small piece of post-it or opaque scotch tape for my laptop and tablet (yes, I’m cheap). If you have questions, or more tips to help others secure their webcams, please share them with everyone.

Comments always welcome,