• This is a political forum that is non-biased/non-partisan and treats every person's position on topics equally. This debate forum is not aligned to any political party. In today's politics, many ideas are split between and even within all the political parties. Often we find ourselves agreeing on one platform but some topics break our mold. We are here to discuss them in a civil political debate. If this is your first visit to our political forums, be sure to check out the RULES. Registering for debate politics is necessary before posting. Register today to participate - it's free!

Online security practices

Cardinal

Respected On All Sides
DP Veteran
Joined
Jun 20, 2008
Messages
106,256
Reaction score
97,641
Gender
Male
Political Leaning
Independent
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?
 
Last edited:
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

Most likely the NSA and other US agencies that have been hacked into, despite their 512 bit encryption systems with firewalls out the wahzoo, can that question for you. The Russians aren't the only hackers around that's gotten inside of US agencies.
 
Most likely the NSA and other US agencies that have been hacked into, despite their 512 bit encryption systems with firewalls out the wahzoo, can that question for you. The Russians aren't the only hackers around that's gotten inside of US agencies.

Well, yeah, I guess I would file that problem away under "problem that's bigger than me."

I already assume that the NSA, having resources that dwarf my own, can access my pgp encryped Signal Private Messenger and Mailvelope and see my bank account info just fine. I'm not happy about it, but at that level it just feels like complaining that the sun's gravitational pull "isn't fair."

I'm more interested in what I, as an individual, can actually do to mitigate the active threats in cyberspace.
 
Most likely the NSA and other US agencies that have been hacked into, despite their 512 bit encryption systems with firewalls out the wahzoo, can that question for you. The Russians aren't the only hackers around that's gotten inside of US agencies.

And yes, the fact that American intelligence agencies have been hacked into does add a "Welp, I give up" element to it.
 
I'm more interested in what I, as an individual, can actually do to mitigate the active threats in cyberspace.

Limit the information you share on cyberspace.

You can't control the security on the multitude of servers and storage devices your data passes through, so unless you are some grade-A, Anonymous level hacker... you're **** out of luck.
 
Limit the information you share on cyberspace.

You can't control the security on the multitude of servers and storage devices your data passes through, so unless you are some grade-A, Anonymous level hacker... you're **** out of luck.

So don't share the fact that I was born on January 1st, 1995, that my mother's maiden name is Manischewitz and that my first pet's name is Snickers.

Check.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

I always laugh at the standard of "Your password must contain at least one uppercase, one lowercase, one number and one special character.", since they don't increase security one bit. In fact, they make your password less secure, since they eliminate a whole slew of possible passwords. The most secure passwords are simple ones. A password like "treebluenight" is one of the most secure passwords possible. Also, if someone wants your password, the first place they'll go to is your password manager, so having one (and I have one) actually lessens your security. Also keep in mind that the amount of effort someone is going to put into hacking your account is proportional to the amount of benefit they think they can get. If all they can access is $20-30,000 of your funds, they're not going to go to that much effort to hack your accounts, since it will take the same amount of effort to hack someone with $2-300,000. Most people aren't going to get their personal passwords hacked. The risk is in people accessing your banks records and going after your data through those systems.
 
I always laugh at the standard of "Your password must contain at least one uppercase, one lowercase, one number and one special character.", since they don't increase security one bit. In fact, they make your password less secure, since they eliminate a whole slew of possible passwords. The most secure passwords are simple ones. A password like "treebluenight" is one of the most secure passwords possible. Also, if someone wants your password, the first place they'll go to is your password manager, so having one (and I have one) actually lessens your security. Also keep in mind that the amount of effort someone is going to put into hacking your account is proportional to the amount of benefit they think they can get. If all they can access is $20-30,000 of your funds, they're not going to go to that much effort to hack your accounts, since it will take the same amount of effort to hack someone with $2-300,000. Most people aren't going to get their personal passwords hacked. The risk is in people accessing your banks records and going after your data through those systems.

The danger of a password manager is on-site (physical access to your device), especially when the data isn't kept on the manager's servers.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

Your wife will give them your password.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

Spearphishing is probably one of the worst ways to get infected. Your email inbox is one of the few real targets out there for hackers to find a way in through. Relative obscurity provides you with a degree of protection.

https://www.us-cert.gov/ncas/tips
 
Your wife will give them your password.

You may be joking, but at the heart of it you're not entirely wrong either. It's the challenge of everybody to bring their spouse "up to code" where it comes to online security. She can't roll her eyes hard enough, but she's going along with it just to make me happy.
 
You may be joking, but at the heart of it you're not entirely wrong either. It's the challenge of everybody to bring their spouse "up to code" where it comes to online security. She can't roll her eyes hard enough, but she's going along with it just to make me happy.

I wasn't joking.
 
I wasn't joking.

Well, regardless of whether or not you were joking, I was still aware of the security flaw there and have been doing my best to patch it.
 
Spearphishing is probably one of the worst ways to get infected. Your email inbox is one of the few real targets out there for hackers to find a way in through. Relative obscurity provides you with a degree of protection.

https://www.us-cert.gov/ncas/tips

Those emails have finally started to look genuinely convincing. Email phishing has been around since the dawn of the internet and I'm more than familiar with it. So the fact that it's gotten so good that it looks convincing to me means that there are a whole lot of grandmas out there getting their asses kicked in cyberspace.

It's now so bad that literally the only way you can tell anymore that a site isn't kosher is the absence of the https or the lock in the address bar.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?




:lol:


3risbcx.jpg
 
And yes, the fact that American intelligence agencies have been hacked into does add a "Welp, I give up" element to it.

This issue is disturbing, really. I'm glad you brought it up, actually. I need to try to revamp my network security. I haven't made any changes in over a year and as you know, hacking abilities seem to grow at an exponential rate.

Malwarebytes has a page on its site that gives information on different security boosting techniques that helps prevent things like "ransom emails", etc. But all in all, I think most anti-virus, malware type companies offer suggestions. I don't know how well they work, but I think by doing nothing - is asking for future problems.

Some people go through several proxy servers to protect themselves. I don't know just how hack proof that is.

I think we're all vulnerable (especially in our home type networks in ways most people don't realize). There's was site that was up for a while that gave information on how hackers get through to home networks via televisions (some TVs have Android software and I'm sure other forms of OS), security systems, streaming equipment, etc, etc, etc. The site did give some information on how to reduce being hacked through the common home type electronics.
 
So don't share the fact that I was born on January 1st, 1995, that my mother's maiden name is Manischewitz and that my first pet's name is Snickers.

Check.

Besides all that stuff, just remember back a couple years ago when Heartbleed was a thing. It didn't matter how good a yahoo user's password was since yahoo itself got hacked.

It's like having an undestructible lock on the front door of your rental storage unit, while there is a giant hole on the back of the unit put there by the storage company. What you do won't really matter. I mean, it would if you could personally inspect and judge the security protocols of any online service you would use, but that would take the aforementioned hacker knowledge, not to mention a butt load of time.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

I do it on my 401K and out there somewhere is the guy who has my usuall username who probably freaks out once a month thinking he is being hacked when they send him the security code because I once again tried to log in under that name.
 
Yes, my wife fell for a phone scam. She's no dummy, she was a programmer and had security clearance before, but if they get you in the right frame of mind at home, and they seem legit because its something you were legitimately dealing with, they get in. Weakest link is always something you forgot about or are unaware of. Especially with people so big into social media.

Everyone should get fake scammed a few times and take some basic training on it, for real scams not just "hacking" issues.

But what is a *hacker* going to hack you for exactly? Identify theft? Credit card info? What of these things isn't recoverable?

It's like Battlestar Galactica. Safe = unconnectable. Short of that, you're safe from serious damage, and that's usually all that matters.
 
This issue is disturbing, really. I'm glad you brought it up, actually. I need to try to revamp my network security. I haven't made any changes in over a year and as you know, hacking abilities seem to grow at an exponential rate.

Malwarebytes has a page on its site that gives information on different security boosting techniques that helps prevent things like "ransom emails", etc. But all in all, I think most anti-virus, malware type companies offer suggestions. I don't know how well they work, but I think by doing nothing - is asking for future problems.

Some people go through several proxy servers to protect themselves. I don't know just how hack proof that is.

I think we're all vulnerable (especially in our home type networks in ways most people don't realize). There's was site that was up for a while that gave information on how hackers get through to home networks via televisions (some TVs have Android software and I'm sure other forms of OS), security systems, streaming equipment, etc, etc, etc. The site did give some information on how to reduce being hacked through the common home type electronics.

I wish I had bookmarked it, but one internet-protocol literate person explained quite reasonably how people who use multiple proxies keep getting busted.

The obvious answer is logging into your facebook account while you're busy doing your nefarious deeds on www.superillegalcrap.com.

Basically, first you commit your misdeed while proxied out the butthole, whereupon you've officially attracted the interest of law enforcement. At that point with their gigantic resources they can start to narrow does the times at which different people have logged on until their list of usual suspects is whittled down to you.

The main problem that at the end of the day, you have an ip address, and hiding that mother****er requires Mission Impossible level shennanigans. Internet protocol is so fantastically complicated that anybody who would try to break the law over the internet without a firm grasp of how it works is basically a legal Darwin Award in the works.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

Hackers are likely to have Brute Force programs in their tool boxes, yet seldom find the need for them. Reversing is the studied method of cracking passwords. In order for encryption to work, when you enter a character of your password, your computer goes to a place in memory and Xors your entry with the char in memory. Then it goes to another place in memory to do a compare. If the compare is successful it will go on to the next char that you enter.

For the hacker it's all about finding those two locations in memory where the strings are held. Programs like Winice and Blackice make it easy. It lets you look at the assembly code and will point you to the place where the password programming starts. Once you find that you can identify the first character of the password, it doesn't matter how many lower, caps, numbers and symbols the victim used, they will all roll out one by one to the hacker. Assembly language knowledge is required.

This is how your password can be hacked on sites that limit the tries. There is no alarm to the site because the login is still from your computer and your IP address. This is why keeping up with the new Trojans and the worms is so important. I use a subscription to AVG.
 
Hackers are likely to have Brute Force programs in their tool boxes, yet seldom find the need for them. Reversing is the studied method of cracking passwords. In order for encryption to work, when you enter a character of your password, your computer goes to a place in memory and Xors your entry with the char in memory. Then it goes to another place in memory to do a compare. If the compare is successful it will go on to the next char that you enter.

For the hacker it's all about finding those two locations in memory where the strings are held. Programs like Winice and Blackice make it easy. It lets you look at the assembly code and will point you to the place where the password programming starts. Once you find that you can identify the first character of the password, it doesn't matter how many lower, caps, numbers and symbols the victim used, they will all roll out one by one to the hacker. Assembly language knowledge is required.

This is how your password can be hacked on sites that limit the tries. There is no alarm to the site because the login is still from your computer and your IP address. This is why keeping up with the new Trojans and the worms is so important. I use a subscription to AVG.

Does two step authentication address that technique?
 
Does two step authentication address that technique?

That would require two additional places in memory to be located. Usually the JNZ (jump not zero) command will take the hacker where he needs to go.

Unless you are referring to having a text sent to your phone, or answering a favorite question. I use those methods for any access to my $.

Still hackable (as anything is), but much, much harder. Your port sniffer would probably move on to an easier target.
 
That would require two additional places in memory to be located. Usually the JNZ (jump not zero) command will take the hacker where he needs to go.

Unless you are referring to having a text sent to your phone, or answering a favorite question. I use those methods for any access to my $.

Still hackable (as anything is), but much, much harder. Your port sniffer would probably move on to an easier target.

Yes, a text to my phone is really what I'm referring to.
 
Yes, a text to my phone is really what I'm referring to.
It's a good move. It would require the reverser to access the server that you are connected to. Much harder than a home PC or MacPro.
 
Back
Top Bottom