
Online security practices

It's a good move. It would require the reverser to access the server that you are connected to. Much harder than a home PC or MacPro.

Or they could hack both the phone and the computer. I'm not sure how secure the sync mechanisms are.
 
If I'm reading your post correctly, that would come down to whether the messages for the verification were encrypted, the primary weak points being whether the servers of, say, google and imessenger themselves could be allowed to decrypt the info.
 
I'm not terribly familiar with the encryption schemes, but my limited understanding is this: the text message is only encrypted in transit, so once it is received for display, there is unencrypted data somewhere in memory.

Further, I'm not terribly familiar with how phone operating systems work, but it stands to reason that, somewhere in the phone, there's data in memory that represents the pixels displayed on the screen, so it could be rather doable for the hacker to get an image of the text as displayed on your phone.
 
Well, once a device is in the hands of an evil doer, all bets are off. Until then I like to do what I can.

As far as end-to-end encryption goes, even though we've had that technology for a super long time, it's still not in a terribly user-friendly format. Mailvelope still requires a lot of steps most people (coughmywifecough) won't go through, and Signal (both of which use gpg, by the way) is extremely user friendly...when it works. It's still quite buggy. Why a normal, user-friendly end-to-end encryption method hasn't been completely smoothed out for Joe Public by now is beyond me.
 
Well, I think your precautions go above and beyond the average layman. The hacker who is trying to make money probably isn't going to waste his time trying to make it into your accounts when there's so much more low-hanging fruit out there.
 
Does two step authentication address that technique?

It can. For example, there are tokens that change every minute, and you have to type your 'pin' number and the token you have. That means you do not know what your 'one minute token' will be minute by minute, and it changes every minute.
 
Alright, so in light of the fact that Russian hackers are regularly cutting through people's online security like a hot knife through butter, I've changed a lot of my online security habits this year. First step was getting a password manager and changing all my passwords so that it would take a supercomputer at least a century to brute force attack by maxing out the password size for what each site allows. I've used a couple password strength sites to determine the relative strength of said passwords (essentially, anything short of 18 randomized characters made of upper and lower case letters, numbers and symbols is kind of crap):

Password Strength Checker
https://password.kaspersky.com/

Finally, I've turned on two-step authentication for all sites that are in the least bit important and offer it. Of course, I don't download and execute files from sources I don't trust, and I use a vpn in public wifi spots to protect against man-in-the-middle attacks.

So, short of on-site weaknesses (person getting a hold of my device, leaving devices logged in, etc), how will a Russian hacker see my layers of defense and just hack through them anyway?

Any regular password cypher can be hacked by people with the right knowledge, unless you and your distant end use a private key.

No matter how much people claim, public key encryption is not secure from an expert hacker.
 
I always laugh at the standard of "Your password must contain at least one uppercase, one lowercase, one number and one special character.", since they don't increase security one bit. In fact, they make your password less secure, since they eliminate a whole slew of possible passwords. The most secure passwords are simple ones. A password like "treebluenight" is one of the most secure passwords possible. Also, if someone wants your password, the first place they'll go to is your password manager, so having one (and I have one) actually lessens your security. Also keep in mind that the amount of effort someone is going to put into hacking your account is proportional to the amount of benefit they think they can get. If all they can access is $20-30,000 of your funds, they're not going to go to that much effort to hack your accounts, since it will take the same amount of effort to hack someone with $2-300,000. Most people aren't going to get their personal passwords hacked. The risk is in people accessing your banks records and going after your data through those systems.

The uppercase, lowercase and special character thing is meant to protect against keyloggers, since only a tiny few can log special characters.

But most passwords, though, are not hacked by keyloggers or trojans. Like you said with the example pw, the most secure is what no one expects. A large number of hacked computers and accounts use passwords like password, cat, and god; this makes it easy even without brute force for hackers to gain stuff. Why spend hours, weeks and days hacking an account when too often typing password or something easy gives you access?
 
Most account hacks are done at the business level (they don't usually hack your account; they hack the retailer or bank or whatever and get your account there).
Of hacks that are of individuals, the vast majority of them are done through phishing, where people open attachments or are duped and give away their account information.

You as an individual (or me, or most anyone) are not worth the time to focus a hack on your system.
 
What you're saying certainly appears to be the consensus. And not just in this thread, but in my conversations with other people irl.
 
Bingo!

And to illustrate...I have a story about a friend of mine who does a lot of online shopping. She ordered something from some site. Next thing she knows, her bank is calling her to verify some strange charges from strange places. Well, after checking things out, it is revealed that the site got hacked about SIX MONTHS AGO, didn't tell any of their customers and the hackers...using the card info they got...spent a lot of money from a lot of people.

On my advice to her, she now takes steps to protect herself. She got one of those VISA gift cards. She transfers money into it just before she places an online order...using only that gift card. That way there is no connection to her bank card at any online site.
 
xkcd: Security

 
If you are worried about the Russians [I thought they were our friends since the early 90s], then you should stop using Kaspersky anti-virus and that Kaspersky password link you posted...Russian company.

 
Not a bad idea with the prepaid Visa card. And yes, a lot of the retailers etc. don't say anything. That recent Yahoo hack announcement was like 2-3 years ago.
 
I think what you are doing is sensible. Assuming you are using some other common sense approaches you didn't actually mention (like using a good anti-virus), I wouldn't do much else if I were you. Maybe install no-script if you want to be extra paranoid.

Having said that, let's get theoretical about what I would do if I were a hacker who was after you.

1. Find a cross site scripting (XSS) vulnerability on this forum.
2. Send you a private message that exploits said XSS vulnerability.
3. XSS vulnerability redirects you to a page that detects your browser/OS type, matches it to an exploit, exploits your browser, and delivers a rootkit.
4. Your PC reverse shells back to me.
5. I wait until your password manager is open at which point I do a memory dump so I can grab the password for the password manager from memory.
6. Grab the password manager database from your PC and the memory dump that contains the password to open it.
7. Delete the rootkit and log out since I have what I was after.
9. ?
10. Profit

Obviously, steps 4-7 could be automated using a script if I didn't want to be hands on.

Oh, one more thing you should do is ignore this guy:
faithful_servant said:
I always laugh at the standard of "Your password must contain at least one uppercase, one lowercase, one number and one special character.", since they don't increase security one bit. In fact, they make your password less secure, since they eliminate a whole slew of possible passwords. The most secure passwords are simple ones. A password like "treebluenight" is one of the most secure passwords possible.
 
Some people go through several proxy servers to protect themselves. I don't know just how hack proof that is.


It doesn't help at all. In fact, it can only hurt.
 
Hackers are likely to have Brute Force programs in their tool boxes, yet seldom find the need for them. Reversing is the studied method of cracking passwords. In order for encryption to work, when you enter a character of your password, your computer goes to a place in memory and Xors your entry with the char in memory. Then it goes to another place in memory to do a compare. If the compare is successful it will go on to the next char that you enter.

For the hacker it's all about finding those two locations in memory where the strings are held. Programs like Winice and Blackice make it easy. It lets you look at the assembly code and will point you to the place where the password programming starts. Once you find that you can identify the first character of the password, it doesn't matter how many lower, caps, numbers and symbols the victim used, they will all roll out one by one to the hacker. Assembly language knowledge is required.

This is how your password can be hacked on sites that limit the tries. There is no alarm to the site because the login is still from your computer and your IP address. This is why keeping up with the new Trojans and the worms is so important. I use a subscription to AVG.

That isn't even remotely true. You are describing the way copy-protection used to work in the late 90s. Authentication doesn't work this way (and didn't work that way back then either).

The entire passphrase is salted and hashed and the result is stored in a database. When you want to access the website, you supply your password which is then salted and hashed and the results compared to what is in the database.
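As an added illustration of the salted-and-hashed scheme described in the reply above (example code written for this page, not from any poster): the server stores only a random salt and a slow hash derived from the password, and a login recomputes the hash from the stored salt and compares whole digests. PBKDF2-HMAC-SHA256 and the iteration count are choices assumed here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value for this example). Each
# guess an attacker makes against a leaked record costs this many HMACs too.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a server stores for one user.

    Only the salt, the derived hash and the work factor are kept; the password
    itself is never written anywhere, so there is no stored plaintext to find.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}


def verify_password(candidate: str, record: dict) -> bool:
    """Login check: re-derive the hash with the stored salt and compare digests.

    The comparison covers the whole digest at once in constant time; there is
    no character-by-character compare and no early exit to observe.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_different_records(password: str) -> bool:
    """What the salt buys: two users with the same password store different
    hashes, so one leaked database cannot be cracked once for both of them."""
    a = hash_password(password)
    b = hash_password(password)
    return (a["hash"] != b["hash"]
            and verify_password(password, a)
            and verify_password(password, b))


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:",
          verify_password("correct horse battery staple", record))
    print("wrong password rejected:",
          not verify_password("correct horse battery stapl", record))
    print("salt makes records differ:", same_password_different_records("hunter2"))
```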
 
This is not true. Keyloggers log every key pressed.

The purpose of using special characters and uppercase/lower case mix is to increase the complexity of the password in order to prevent brute force attacks. Let's use small numbers to illustrate what's going on. Using a two character password without digits or special characters, there are 650 possible passwords. If you iterated through all of them at a rate of one per second, it would take you 650 seconds to try every possible combination. Now, let's add digits. With the addition of digits, it's now a permutation of 36 objects with a sample of 2, giving you 1,260 possibilities. It would now take you 1,260 seconds instead of 650 because you added digits. Real life works the same way as this illustration except that in real life "hashcat" (the most often used software for this purpose) will chew through billions of passwords per second on home hardware (tens or even hundreds of billions if you are willing to rent time on a cloud computing service), thus your passwords really do need that added complexity.
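The keyspace arithmetic in the post above, carried through as an added example (not any poster's code): it reproduces the 650 and 1,260 figures, which count ordered picks with no repeated character, shows the with-repeat count real passwords have, and applies the quoted guessing rates to the original post's 18-character, century-long target. The 94-character set and the 1e11 guesses/s rate are assumptions.

```python
from math import perm

# Alphabet sizes used in the thread's illustration and in the original post.
LOWERCASE = 26
LOWERCASE_AND_DIGITS = 36
ALL_PRINTABLE_ASCII = 94   # upper + lower + digits + 32 symbols (assumed set)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int, allow_repeats: bool = True) -> int:
    """Number of candidates an exhaustive search must cover.

    The post above counts ordered picks without repeating a character
    (26 * 25 = 650 for two lowercase letters). Real passwords may repeat
    characters, which gives the slightly larger 26 ** 2 = 676.
    """
    if allow_repeats:
        return alphabet_size ** length
    return perm(alphabet_size, length)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def minimum_length(alphabet_size: int, guesses_per_second: float,
                   target_years: float) -> int:
    """Shortest random password (repeats allowed) whose full keyspace takes
    at least target_years to exhaust at the given rate."""
    length = 1
    while years_to_exhaust(keyspace(alphabet_size, length),
                           guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # The illustration from the post, at one guess per second:
    print(keyspace(LOWERCASE, 2, allow_repeats=False), "two-letter passwords")     # 650
    print(keyspace(LOWERCASE_AND_DIGITS, 2, allow_repeats=False), "with digits")  # 1260
    # The original post's target: a century against a rented-cloud rate
    # (1e11 guesses/s is an assumed figure in the range the post quotes).
    rate = 1e11
    print("characters for a 100-year search at 1e11 guesses/s:",
          minimum_length(ALL_PRINTABLE_ASCII, rate, 100), "(94-char set),",
          minimum_length(LOWERCASE, rate, 100), "(lowercase only)")
    print("years to exhaust 18 random printable characters:",
          f"{years_to_exhaust(keyspace(ALL_PRINTABLE_ASCII, 18), rate):.2e}")
```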
 
Please explain "salted and hashed".
 
Google it. Probably throw in the word password as well so you don't end up with articles on hashed browns.
 
Er...how would I know an "xss vulnerability" if it was staring back at me?
 
I see why you didn't try to explain it to me. It's somewhat complicated these days to crack a good password.

Thanks for the enlightenment.
 
You wouldn't. Your browser would react automatically without prompting you. You can install something like no-script to provide some protection, but it accidentally blocks legitimate scripts quite often.

Best practice is to make sure your browser and all underlying technologies (flash, Java, etc.) are regularly updated so that step that exploits your password doesn't work. But if you are dealing with a state actor (Russian spies for example) they probably have "zero days" at their disposal (exploits for which no patch yet exists because they haven't been publicly disclosed).
 
Which is precisely why I removed no-script. It basically broke the internet for me.
 
What you need to understand about security is that you don't need to be Fort Knox. Just like your house could always be more secure, there is a point at which it is no longer worth the effort. If you are a high value target living in a dangerous part of the world, maybe it makes sense to have a wall with razor wire, a team of security guards monitoring the surveillance system, barred windows, and reinforced steel doors. But if you are a regular Joe living in the suburbs of Kentucky, a good lock on your door and a basic alarm system is probably fine.

Your goal isn't to make your computer hacker-proof. Your goal is to ensure you aren't the low hanging fruit.

If you are more than just an ordinary Joe trying to stay safe online, hire a security consultant. If you are a regular Joe just trying to be safe online, just do what you already said you were doing and in addition make sure you keep your core internet software updated (always applying all of the Microsoft updates immediately in addition to updates of Java, Flash, Acrobat, and your web browser).
 