Security Consulting & Testing Services

For most of my professional career, I have been involved in security in one way or another. When I started my career in the Army, I trained as a Unix System & Network administrator. During that time, I often tinkered with security on our systems. In my first job outside the Army, one of my responsibilities was network security as well as managing offsite backups. Later in my career, I would be responsible for testing software applications for PCI compliance.

This year, I decided to start gaining certifications in the security realm. In March, I earned CompTIA’s Security+ certification. Then, in May, I took the Beta version of CompTIA’s PenTest+ version 2 exam. Today, I received notification that I passed that exam. These certifications show that I am qualified to test systems for security issues and provide feedback to customers wanting to ensure their systems are as secure as possible.

In addition to computer security testing, I have previously studied locksmithing and physical security. Adding these two skills together gives me lots of avenues to approach security and vulnerability testing for clients – both on their networks and their physical facilities.

If you are interested in having your network security tested, please reach out to Talixa Software & Service, LLC for more information.

Simple Tips to Avoid Scammers

It seems that every day criminals find new ways to separate victims from their money. However, most of these tricks can be avoided with three simple rules.

Assume all email is junk mail until proven otherwise

Email is the easiest way to scam people. It takes little effort to send out thousands of messages, and scammers win if even a small percentage of people act on their messages.

Don’t click on links. If you believe the email to be from a reputable source, go directly to their website instead of using the email link.

Don’t open attachments. This is particularly true for unsolicited Microsoft Office documents such as Word and Excel, but equally important for any other attachment. If you believe the attachment to be valid, contact the sender by phone and confirm they sent it.

Contact the sender directly. If you get a message claiming to be from someone important in your organization and asking you to do something that seems odd, contact the person and verify authenticity.

Assume all phone calls are spam

Suspect local numbers. If a caller claims to be from your credit card company or the IRS, but their phone number is from your area, it’s a scam.

Ignore callers from India. Does the speaker have an Indian accent? It’s a scam. The overwhelming majority of spam calls originate from call centers in India.

Caller can’t provide you with information. Does the caller know your name, address, account number, or other information? If not, are they really your bank? I doubt it.

Avoid entering data in unencrypted sites

Check for the secure icon in your browser. If the web site you’re visiting isn’t encrypted, be skeptical, particularly if they’re asking you to enter personal information. Never, under any circumstances, enter your credit card information in a non-secure site.

Conclusion

The simple answer for security in the modern age can be summed up as “trust no one”. Assume everyone is out to scam you, and you’re probably not far from the truth. If you want to conduct business with an entity, go to their web page directly or contact them on the phone. Always assume the incoming solicitations you receive are from people trying to cheat you and you will likely avoid most scammers.

Classic Hacking

I’ve been involved with technology since the mid 90’s. During the late 90’s, I worked on Unix systems. It was those experiences that led me to love Linux, taught me to program in C, and helped me learn to automate tasks using various scripting languages. But the 90’s were a much different time for security. Nobody really worried much about hackers or social engineering. And now, over 20 years later, I see people in the workforce that have been robbed of some of the fun I had in the past due to increased security on machines. Of course, increased security is good; I’m not going to argue otherwise. But it has also made a lot of the ‘fun’ from the past no longer possible.

Remote Display

When I was working on old Unix systems, one of my favorite hacks was to set my display to another computer. Since Unix display works as a client/server model, you can actually set your app to appear on any computer monitor you want. So, it was common where I worked to find the most horrible graphic you could and display it on someone else’s machine. Always a good laugh. Other tricks would allow you to play audio on their speakers (great when the individual has fallen asleep at their desk) or turn their keyboard buttons on and off.

Password Files

Long before the /etc/shadow file, passwords were stored in the /etc/passwd file. And, since the file was readable by anyone, you could easily grab the entire password list and run it through a tool like John the Ripper. Even more fun, commands like ‘ypcat’ would allow you to get the passwords of all users on the network even if they weren’t on the local machine.
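
A defender's check for the weakness described above, as an added example that is not from the original post: it scans passwd-format text for entries whose password field still holds a hash (or is empty) instead of the `x` placeholder that points to /etc/shadow. The sample entries and hash strings are constructed, and the set of "no hash here" markers is an assumption covering common Linux and Solaris values.

```python
"""Audit passwd-format text for password material left in the world-readable file."""

# Assumed markers meaning "no usable hash in this field":
# "x" = hash lives in /etc/shadow; the rest = locked / no password login.
NO_HASH_MARKERS = {"x", "*", "!", "!!", "*LK*"}

# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:abCONSTRUCTED1:1001:100:Alice:/home/alice:/bin/sh
guest::1002:100:Guest:/home/guest:/bin/sh
bob:!$6$constructedsalt$constructedhash:1003:100:Bob:/home/bob:/bin/sh
+::::::
"""


def audit_passwd(text):
    """Return a list of (account, finding) tuples for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "+" / "-" compat entries pull accounts from the NIS passwd map,
        # the same map that ypcat prints to any user on the network.
        if line[0] in "+-":
            findings.append((line.split(":")[0], "NIS compat entry"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw in NO_HASH_MARKERS:
            continue
        if pw == "":
            findings.append((user, "empty password"))
        else:
            # Anything else is treated as hash material, including a
            # "locked" hash such as "!$6$..." that is still readable.
            findings.append((user, "hash exposed in passwd"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE):
        print(f"{account}: {finding}")
```

On a live system the same function can be fed the contents of /etc/passwd; any "hash exposed" result means that account's hash is readable by every local user.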

Email Overflow

My sister’s first experience with the internet was through a device called “WebTV”. This device was a small terminal that would turn your TV into an internet terminal. It was a cheap, easy alternative to a computer. It also suffered from a pretty simple flaw – you could only have a limited number of emails. (200, I believe.) I found an unsecured email relay – pretty common in the 90’s – and spammed my sister with enough messages to flush out all her email. As you might guess, she was mad.

A New World

How things have changed. Unsecured email servers are much more difficult to find, and Unix is now much harder to hack out-of-the-box. While most of the hacks of twenty years ago were mischievous in nature, today’s hackers are far more sinister. And, thankfully, the world has adapted to become a safer place. Nonetheless, I still look back to the simpler days of computing and the fun we had.

Scamming the Scammer

Day after day, I receive calls from thieves in India. For several months, they said they were with Microsoft and that my computer had a virus that they wanted to help me fix. Now, they claim to be with a credit card company wanting to lower my interest rate. What’s sad is that people fall for these tricks all the time. Often, the elderly are the most vulnerable – not only because they tend to have a fixed income, but because they are also more easily confused and duped. Because of this, I have made it my civic duty to waste as much time as possible on the phone with the scammers. After all, the more time they waste talking to me, the less time they have to scam an elderly grandmother.

Just a few days ago, I received two calls in a single afternoon from hackers – and I took them both for a ride. When they asked for a credit card number, I gave them one of the test credit numbers typically used by developers for application testing – just google ‘test credit card numbers’ for a list. They asked for a bank name, I said Wells Fargo. They asked for birthday, last four of SSN, and other information. I provided false – but believable – answers. Then, after providing the information, they asked me to stay on hold while they verified my data. After another minute or so, the scammer got back on the phone: “We contacted your bank and found out that you are an *********” and hung up on me. Few things are quite as fun as having a scammer call you names or swear at you because you wasted their time!

Google Alerts

One of Google’s most underutilized tools is Google Alerts (google.com/alerts). This service allows you to receive emails with new results for particular search strings. While this may not seem useful, it is an excellent tool for being notified of information that may appear on the net about you or your business. With the rise of identity theft and the harm that can come from negative posts about you or your business online, it’s imperative to know what information is being posted out there about you. In Google Alerts, you simply enter the searches you want, and Google will notify you of new results. I encourage anyone who wants to keep an eye on their online footprint to set up searches for all possible variants of their name and let Google do the rest!

Clean Drive

In the early 2000’s, I purchased several Sun Microsystems computers for putting together a home network of Unix machines. Nothing particularly exciting: I had an IPX, an LX, a Sparc5, and a few others. This was my testbed for tinkering around with Unix system administration. These computers were all purchased from eBay. The IPX and LX were both purchased from the same seller. Typically, when you buy computers on eBay you will find that they do not include hard drives. This is to protect any data that may be on those drives from prying eyes. However, the IPX and LX still had their drives in them. I had assumed they were wiped clean, but that was not the case. Both were fully ready production systems complete with the entire company directory and password file intact!

Since I did not have the root password, I removed the drive and placed it in my Sparc5. Then, I updated the password file to use my root password. Finally, I removed the drive and put it back in the original machine. Now, I could run the machine with the new admin password. When it was booted back up, I found all kinds of company data – and this was a Fortune 500 company too! This was the stuff that could have been sold on the black market for a substantial sum of money. I took the password file and ran it through John the Ripper – a common password cracking program – and before long knew the passwords for all the employees on this system. That same procedure was done on both the IPX and the LX.

Lesson learned? Protect your hard drives. Absolutely destroy them before you get rid of them. The cost to the company that originally owned these machines could have been enormous – they lucked out because all I did was tinker with the machine as a curiosity and then wipe the hard drive clean. You may not be so lucky when you dispose of your hard drive insecurely.