
    Top 10 Things You Must Do to Avoid Getting Hacked

    Take steps today to protect yourself
    by iSecurityGuru

    Monday, August 23, 2021, 5:57 PM

This article was written for Peak Prosperity by Terence Kam, Founder and Cybersecurity Consultant at iSecurityGuru.com. You can follow his company on LinkedIn, or subscribe to his writings on Medium, where he writes on a wider variety of topics.

One of the wonders of technology in this Information Age is that it allows for economies of scale that have never been possible before. It allows for Big Tech companies like Google, Facebook and Apple to scale up to serve billions of people.

But there is a dark side to technology as well.

It allows cyber-criminals to scale up their crimes as well, which massively increases the pay-off. Also, unlike ‘traditional’ crimes like bank robberies, cyber-criminals have a much lower risk of getting caught by authorities. The crimes are often carried out from overseas, in places where the jurisdiction of your local law enforcement does not apply. In other words, technology helps make cyber-crime a very lucrative ‘business’.

With economic crises erupting all over the world, more and more people are falling into poverty and financial strife. Throughout history, whenever economically difficult times arrive, ‘traditional’ crimes like robberies and theft increase. But today, a lot more of these ‘traditional’ crimes are going to ‘migrate’ into the cyber realm. That means cyber-crimes are going to increase and as a result, cybersecurity is going to be more important.

Below are some of the basic steps you can take to improve your cybersecurity.

Invest in a password manager app

Let me be blunt.

If you don’t use a password manager, you will end up reusing passwords or choosing weak ones, and sooner or later one of those accounts will be compromised.

Remember the infamous Colonial Pipeline ransomware attack of May 2021 that caused fuel shortages across the southeastern United States? The attackers got in through a legacy VPN account whose password had turned up in a batch of leaked credentials, and which had no second factor protecting it. A reused password on an account without 2FA is exactly the situation a password manager (together with the next tip on this list) prevents.

Why do you need a password manager?

Well, the password is an ancient authentication method: people have used secret words to prove who they are for thousands of years. It is no match for the computing power attackers have at their disposal today. A password your brain can come up with and remember is like bringing a butter knife to a gunfight. To win, you need a gun of your own, and that gun is the password manager.

A password manager can do powerful things that the human brain cannot (more scary details are explained here):

  • Generate long, random passwords that cannot be guessed by machines in any practical amount of time (not even a future quantum computer, which at best halves the effective strength of a password search). Guessing is only one of the ways passwords get stolen, but a long random password defeats it outright. The human brain cannot remember such passwords, and does not need to: the password manager remembers them for you.
  • Ensure all your passwords are unique. If you don’t ensure that all your passwords are unique across all your website accounts, then you are taking a risk with your cybersecurity. Nowadays, with too many digital accounts in our life (I have several hundred!), our human brain is not able to remember all these unique passwords. But a password manager can.

Furthermore, a password manager can do the following for you:

  • Warn you if you are using lousy passwords. If you use a lousy password, a good password manager is going to warn you about it.
  • Warn you of data breaches in websites. Some password managers will warn you if a particular website suffers a data breach and therefore, which of your passwords are in danger of being stolen.
  • Protect you from phishing attacks. Password managers can fill in your password on websites automatically. They know which password to fill because they match the web address in the browser’s address bar against the address stored with each login. On a phishing site the address will not match, so the manager will not fill in your password. That is your tip-off that something is not right. Resist the temptation to copy the password in by hand: if the manager refuses to fill it, treat the page as suspicious.
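The address matching described in the last bullet, as an added example that is not the code of any real password manager: `should_autofill` refuses to fill a saved login unless the page’s host is the saved host or a subdomain of it, and refuses to fill an HTTPS credential into a plain-HTTP page. The saved URL and the sample pages are constructed. Real managers additionally consult the Public Suffix List so that, for example, two customers of one shared hosting domain are not treated as the same site; this version uses only the host stored with the credential.

```python
# Added example (not from the article, not any password manager's own code):
# deciding whether to auto-fill a saved login by matching the page's origin
# against the origin stored with the credential.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host) for a URL, or None if it has no usable host.

    `hostname` is already lower-cased and has userinfo and port stripped, so
    "https://accounts.example.com@evil.test/" yields the host "evil.test".
    """
    parts = urlsplit(url.strip())
    host = parts.hostname
    if not host or parts.scheme not in ("http", "https"):
        return None
    return parts.scheme, host


def should_autofill(saved_url: str, page_url: str) -> bool:
    """True only if the page is the saved site (or a subdomain of it), and the
    connection is not a downgrade from the one the credential was saved on."""
    saved = origin_of(saved_url)
    page = origin_of(page_url)
    if saved is None or page is None:
        return False
    saved_scheme, saved_host = saved
    page_scheme, page_host = page
    # Never fill an HTTPS credential into a plain-HTTP page.
    if saved_scheme == "https" and page_scheme != "https":
        return False
    # Exact host, or a subdomain of the saved host. A host that merely *starts*
    # with the saved name (accounts.example.com.evil.test) does not qualify,
    # because the match is anchored at the end of the host name.
    return page_host == saved_host or page_host.endswith("." + saved_host)


# Constructed sample: one saved credential and pages the user might land on.
SAVED = "https://accounts.example.com/login"

SAMPLE_PAGES = {
    "https://accounts.example.com/login?next=/inbox": True,   # same site
    "https://mail.accounts.example.com/": True,               # subdomain
    "http://accounts.example.com/login": False,               # HTTP downgrade
    "https://accounts.example.com.evil.test/login": False,    # real name as a prefix
    "https://accounts.example.com@evil.test/login": False,    # userinfo trick
    "https://accounts-example.com/login": False,              # hyphen lookalike
    "https://evil.test/accounts.example.com/login": False,    # real name only in the path
}


def check_samples() -> Dict[str, bool]:
    """Run the decision over every constructed page."""
    return {url: should_autofill(SAVED, url) for url in SAMPLE_PAGES}


if __name__ == "__main__":
    for url, filled in check_samples().items():
        print(f"{'FILL ' if filled else 'BLOCK'}  {url}")
```

The same end-anchored check is what you do by eye under “Always check the web-browser address bar” below: the site is whatever sits at the end of the host name, not at its beginning.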

I recommend the following password managers:

Set up two-factor authentication (2FA)

The password, as an authentication method, is broken. Unfortunately, we are still stuck with this ancient method today. Therefore, we need something more than the password to secure our digital accounts.

To do that, we need at least 2 of the following to ensure secure authentication:

  1. Something you know (i.e. password)
  2. Something you have (e.g. mobile phone, authentication token)
  3. Something you are (e.g. fingerprint, face, iris)

We already have (1). We also need either (2) or (3). That (2) or (3) is the second factor, hence two-factor authentication (2FA).

More and more websites are allowing you to set up 2FA to further protect your digital accounts. For example, Google allows you to use the following as the 2FA:

  • Text messages on your phone
  • Google Authenticator app
  • A Google prompt on a phone where you are already signed in (for example in the Gmail app)
  • Physical tokens like the YubiKey or the Titan Security Key

Note that 2FA goes by different names at different vendors:

  • 2-Step Verification
  • 2-Factor Authentication
  • Multifactor Authentication
  • Duo Verification

But they all mean the same thing: at least one factor beyond the password.

Avoid text messages as 2FA wherever possible

Some vendors use text messages as a form of 2FA. If you have a choice of 2FA methods, avoid it.

Text messaging is an old technology that was not designed with security in mind. It is not private, and there are many documented cases of attackers taking over a victim’s phone number through a SIM swap (persuading or bribing the carrier to move the number onto a SIM the attacker controls) and then receiving the victim’s 2FA codes. That said, SMS 2FA is still far better than no 2FA: if it is the only option a site offers, turn it on.

Update your software and operating system

The IT industry has not figured out how to write secure code.

Every time hardware and software vendors release new products, more lines of code are released with them. More lines of code mean more security holes. That means there are always holes to be patched.

Worse still, there is a permanent backlog of holes waiting to be found. Microsoft, for example, is still finding and fixing bugs in code that has been part of Windows for a decade or more.

Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.

That includes your web browsers (Firefox, Chrome), operating systems (e.g. Windows, macOS, Linux, Android, iOS, iPadOS) and email software (e.g. Outlook, Gmail). Also, don’t forget the software inside your hardware appliances (e.g. routers, smart TVs, Internet-of-Things devices). Turn on automatic updates wherever they are offered; for appliances that cannot update themselves, check the vendor’s site periodically, and replace a device once the vendor stops supporting it.

Remember: Anti-malware software is just the starting point for cybersecurity

There is a myth out there that says that all you need is anti-virus software and you will be digitally secure. This is NOT true!

That may have been true 20 years ago. But hackers and cyber-criminals have been getting smarter over the years. For one, anti-virus software cannot detect every piece of malware. Nor can it stop a sophisticated attacker from exploiting a security hole deep in the operating system. In other words, sophisticated hackers can bypass anti-virus software.

Today, at best, anti-virus software is only the STARTING POINT of keeping yourself digitally secure. Having it is better than not having it. But do not let its presence lull you into complacency.

Don’t install software or apps you were not looking for

This is a simple rule of thumb to follow.

If you are asked to install software or an app out of the blue, don’t. For example, a website may suddenly warn you that you need to install a particular program to avoid being hacked, or that you need a particular video player to watch a video. There is a high chance that what you install will be malware.

This is related to the first of Microsoft’s 10 Immutable Laws of Security:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Before you install any software or apps, always stop and ask yourself whether you trust whoever wrote the software. If in doubt, don’t.

Don’t forget web-browser extensions

Your web browser probably has third-party extensions installed (sometimes called “add-ons” or “plug-ins”): third-party code that modifies or adds functionality to your browser, for example to block ads, manage passwords or display a file format the browser cannot handle on its own.

They can be given permission to access the ‘inner plumbing’ of your web browser, which can mean access to everything you see and type during your browsing session, including the pages of your bank and your webmail. Audit your extensions’ permissions from time to time to ensure that they are appropriate (“Read and change all your data on all websites” is the one to look hardest at). If you are not comfortable with an extension’s permissions, disable or remove it.

The general rule is to avoid installing web browser extensions wherever possible. If you have to, only install the ones from developers you trust.

Always check the web-browser address bar

A phishing attack is a scam in which the attacker pretends to be a legitimate business such as a bank, telephone company or internet service provider.

Usually, the scammer sends you a legitimate-looking email that tries to induce you to click on a link to his website. That website looks almost indistinguishable from the real website of the entity.

Except for one thing.

The web address of the phishing site does not belong to the entity. Most phishing scams can be thwarted if the victim looks carefully at the browser address bar before typing anything. Look at the host name, the part between the “https://” and the next slash: the site is whatever sits at the END of that name, so accounts.example.com.evil.test belongs to evil.test, not to example.com.

There are, however, more sophisticated phishing scams that try to fool people who check the address bar. I have listed some of them here. But most scams can be avoided by simply checking the address bar.

Ensure that the internal storage of your devices and computers are encrypted

Consider this news report from a recent news article,

Criminal networks are feeding off Australians’ lust for new technology by skimming data from computers dumped in Africa and Asia – and using it for blackmail, fraud and identity theft.

They will pay as much as $200 on the black market for discarded computer hard drives, which they mine for bank details, credit card numbers and account passwords.

These hard drives are among the mountains of electronic waste earmarked for recycling here. Instead, they are illegally shipped to developing countries by operators seeking bigger profits.

Before you resell, dispose of or recycle a device, computer or disk, you have to take precautions to ensure that your personal information does not fall into the wrong hands. If not, you may find yourself a victim of identity theft later on. The best way to do that is to ensure all the data on your devices and computers is encrypted beforehand, so that whoever ends up with the disk gets only unreadable ciphertext. On an encrypted device, a factory reset that discards the encryption key is enough; without encryption you must overwrite the data, as the next tip explains.

Recent Windows PCs and Macs may have encryption turned on by default (Device Encryption or BitLocker on Windows, FileVault on macOS), but do not assume it: check the Device encryption page in Windows Settings (or BitLocker in the Control Panel on Pro editions) and the FileVault section of the macOS security settings, and turn it on if it is off. All iPhones and iPads encrypt their storage, but that encryption is only as strong as your passcode, so set one.

Android devices that shipped with Android 6 or later are generally encrypted out of the box, but older devices may not be. Check under Settings > Security and turn encryption on manually if needed.

Don’t forget to securely erase all your external drives and USB sticks

Do you know that when you ‘erase’ files or ‘format’ an external disk, the data is not actually removed? The operating system merely marks the space those files occupied as free for reuse later on. The bytes themselves stay on the disk until something happens to overwrite them.

There is plenty of data recovery software on the market that recovers ‘erased’ files and ‘formatted’ disks. If you store confidential data on such disks and then lose or dispose of them, someone else can easily recover your confidential data.

Therefore, you need specialised secure-erasure software like DBAN or iolo DriveScrubber to truly scrub confidential data off an ‘erased’ or ‘formatted’ disk. One caveat: overwriting tools were designed for magnetic hard disks. On SSDs, USB sticks and memory cards, the drive’s wear-levelling firmware may put the overwrite somewhere other than where the old data sits (DBAN’s own site says it does not support SSDs), so for flash media use the drive’s built-in secure-erase command, or rely on encryption as described next.

Alternatively, encrypt your external disks before you put anything on them. Then you don’t need to securely erase them before disposal: discarding the key (or simply never revealing the passphrase) makes the data unreadable, whatever is physically left on the flash.
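A toy model of what the last two tips describe, added here as an example and not part of the original article: a directory table, a disk, a ‘delete’ that touches only the table, an overwrite, and the recovery scan that finds what the table no longer lists. The second disk type models a wear-levelling flash translation layer, which is why the overwrite approach is unreliable on SSDs and USB sticks (a point lastfirst also makes in the comments below), and why the drive’s own secure-erase path is the right tool there. Block size, the filesystem and the sample ‘card’ string are all constructed.

```python
# Added example (not from the article): why "delete" leaves data behind, why an
# overwrite fixes that on a plain disk, and why it can fail on flash.
BLOCK = 16


class PlainDisk:
    """Magnetic-disk behaviour: a write lands exactly where the filesystem asks,
    so overwriting a block in place really destroys the old contents."""

    def __init__(self, blocks: int):
        self.media = [b"\x00" * BLOCK for _ in range(blocks)]

    def write(self, logical: int, data: bytes) -> None:
        self.media[logical] = data.ljust(BLOCK, b"\x00")

    def raw(self) -> bytes:
        """The bytes a recovery tool (or the buyer of a discarded drive) can read."""
        return b"".join(self.media)


class WearLevelledFlash(PlainDisk):
    """SSD / USB-stick behaviour: the flash translation layer sends every write
    to a fresh physical block and merely *remembers* that the old one is stale."""

    def __init__(self, blocks: int):
        super().__init__(blocks)
        self.map = {}                      # logical block -> physical block
        self.free = list(range(blocks))

    def write(self, logical: int, data: bytes) -> None:
        physical = self.free.pop(0)        # never the block just vacated
        self.media[physical] = data.ljust(BLOCK, b"\x00")
        self.map[logical] = physical       # the stale copy stays behind

    def secure_erase(self) -> None:
        """What the drive's own secure-erase / TRIM path does: wipe every
        physical block the translation layer knows is not in use."""
        live = set(self.map.values())
        for p in range(len(self.media)):
            if p not in live:
                self.media[p] = b"\x00" * BLOCK


class ToyFS:
    """The directory is just a name -> logical block table."""

    def __init__(self, disk: PlainDisk):
        self.disk, self.table, self.next_block = disk, {}, 0

    def create(self, name: str, data: bytes) -> None:
        self.table[name] = self.next_block
        self.disk.write(self.next_block, data)
        self.next_block += 1

    def delete(self, name: str) -> None:
        del self.table[name]               # rm / Delete / quick format: metadata only

    def overwrite_delete(self, name: str) -> None:
        """What shred- or DBAN-style tools do: overwrite, then drop the entry."""
        self.disk.write(self.table.pop(name), b"\x00" * BLOCK)


def still_recoverable(disk: PlainDisk, secret: bytes) -> bool:
    """Recovery software ignores the directory and scans the raw media."""
    return secret in disk.raw()


SECRET = b"card=4111111111"   # constructed 15-byte sample; fits in one block


def run_scenarios() -> dict:
    """Delete vs overwrite on both disk types; True means the secret survived."""
    results = {}
    for label, make in (("plain", lambda: PlainDisk(8)),
                        ("flash", lambda: WearLevelledFlash(8))):
        disk = make()
        fs = ToyFS(disk)
        fs.create("notes.txt", SECRET)
        fs.delete("notes.txt")
        results[label + "/delete"] = still_recoverable(disk, SECRET)

        disk = make()
        fs = ToyFS(disk)
        fs.create("notes.txt", SECRET)
        fs.overwrite_delete("notes.txt")
        results[label + "/overwrite"] = still_recoverable(disk, SECRET)
        if isinstance(disk, WearLevelledFlash):
            disk.secure_erase()
            results[label + "/overwrite+secure_erase"] = still_recoverable(disk, SECRET)
    return results


if __name__ == "__main__":
    for scenario, found in run_scenarios().items():
        print(f"{scenario:30} recoverable={found}")
```

Encrypting the disk before use sidesteps the whole problem: the scan would find only ciphertext, and forgetting the passphrase is the erase.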

One last thing. Because cyber-criminals are opportunists, you do not need absolute cybersecurity.

To understand why, let me tell you a joke:

Two men were chased by a bear. The first man told the second man, “Why bother to run? We can never ever outrun the bear!”

The second man answered, “I don’t have to outrun the bear. I only have to outrun YOU!”

The principle is this: If you are much more cyber-secure than most other people, cybercriminals, being the opportunists that they are, will find some other easier targets. As long as you are not specially targeted, it is easier for cybercriminals to target someone else.

That means you don’t have to fall into the paranoia of absolute cybersecurity.

Have cybersecurity tips to share? Join the conversation below…



31 Comments

  • Tue, Aug 24, 2021 - 1:04am

    #1
    skipr


    Status: Bronze Member

    Joined: Jan 09 2016

    Posts: 210

    3

    doubly paranoid

    I might be overly paranoid when it comes to passwords.  I use the password manager extension for the Trezor cryptocurrency hardware wallet to log into LastPass with a monster password (100+ characters) and a YubiKey.  Then LastPass logs into the sites with another monster password.  The nice thing about the Trezor is that a master password is not entered on the keyboard.  Entering the Trezor's PIN on its touchscreen activates its manager.  I continue to use it with LastPass since LP works with a lot more complicated login screens.


  • Tue, Aug 24, 2021 - 1:18am

    #2
    Jamie Mason


    Status: Member

    Joined: Jan 02 2012

    Posts: 27

    1

    A few others


    Great list! Here are some others.

    1. Don't click the link.  Hackers often try to get your computer to download malicious software by tricking you into clicking a link (usually in an email or text). JavaScript code can be embedded in the HTML code in webpages and your web browser will run whatever code it downloads from a malicious website. Antivirus software helps with this but better not to run it in the first place. Be suspicious of all links sent to you that you didn't ask for, and avoid shady websites (you know the ones I'm talking about).  If you are not sure about a link, you can test it out by copying it and pasting it in a website reputation checker such as www.urlvoid.com.  If you are sent a file you are unsure about, you can upload it to virustotal.com to check it out before opening it.  These links are ok 😉

    2. Do not log into your computer as an administrator unless you need to do administrator tasks. Make your daily use account on the computer a standard user account and use a separate administrator account for administration.  If you are logged in as an administrator and get compromised by clicking that bad link or myriad other oopsies, you just gave the attacker way more power to take over your machine.  On very secure networks, admin accounts are very locked down (e.g. web browsing not permitted...log into your standard account to surf web).

    3. Use a VPN service if you are using public wifi (or honestly any wifi other than your own).  WiFi is very vulnerable to snooping and the access points and routers you connect to may not be trustworthy. VPN services ensure that your connection between your computer and your VPN service provider is encrypted so even if someone is snooping the wifi traffic or you are connected to a compromised access point, the data you are sending out cannot be deciphered or tampered with. I like PIA but there are many cheap reputable VPN services out there.

    4. The biggest cybersecurity problem for every organization is people because we tend to be lazy, greedy, and easily tricked by social engineering. Don't give anyone your password. No legit organization will ever ask you for your password on the phone (except for special phone passwords or PINs that are separate from online account passwords). If a prince in Africa wants to wire you money and let you keep a few grand in exchange for helping get the money out, it's a scam!  If someone on craigslist wants to have their local representative come pay you way too much for your *exact title of your posting*, it's a scam. If someone wants to send you a code that you read back to them on the phone to confirm your identity, they are trying to break into one of your two factor authentication accounts and trick you into giving them the code for the 2nd factor.  If it sounds too good to be true, it is! Bad grammar and misspelling are a common sign something may not be legit (since many hackers are not native English speakers).

    5. Most banks have configurable notification settings for financial transactions.  I have text notifications sent for all banking and credit card transactions so I know immediately if there is unauthorized activity.


  • Tue, Aug 24, 2021 - 7:50am

    #3
    lastfirst


    Status: Member

    Joined: Oct 17 2020

    Posts: 21

    0

    Some erasure software does not work the way one might assume

    Don’t forget to securely erase all your external drives and USB sticks... Do you know that when you ‘erase’ files or ‘format’ your external disks, the data is not removed? ... you need specialised secure erasure software like DBAN and iola DriveScrubber to truly scrub off confidential data

    The suggested alternative "...you can encrypt your external disks beforehand..." should also be considered as the primary approach for an external storage device containing confidential data. Here are two reasons:

    • In the event the device/USB stick is lost, at least you know it was encrypted.
    • Secure erasure software is not created equal.

    Regarding the second bullet, storage devices are designed with some degree of wear protection in mind to prolong their lifespan. A number of erasure programs work by (repeatedly) attempting to overwrite the "space" where a file used to be. Given the fact that flash memory devices (SSDs, USB sticks, SD-cards, etc.) utilize wear leveling techniques, an instruction from erasure software to overwrite a file with random data most likely just results in some other part of the device having that data written to it. I.e. some erasure software might just be wearing down the device without accomplishing the intended goal.

    I am not familiar with DBAN, which is one of the suggested secure erasure tools in the article, but a quick look at https://dban.org/ reveals that it does not support erasure of SSD drives. In round numbers, if you bought your PC within the last ten years, DBAN is not your friend.

    Regarding storing confidential data, for instance private keys for a crypto wallet on an external device, applying early security measures beforehand sounds more reasonable to me - as opposed to opting for a later secure clean-up approach. If the second option is utilized e.g. before disposing of the device, consider deleting all files on the drive and then filling it up completely with other data. Rinse and repeat if necessary. If the storage device contains outright secrets, this approach will not suffice.


  • Tue, Aug 24, 2021 - 8:07am

    #4
    lastfirst


    Status: Member

    Joined: Oct 17 2020

    Posts: 21

    0

    Are text messages as 2FA really that bad?

    Avoid text messages of 2FA wherever possible... Text messaging is an old technology that is not designed with security in mind. It is not private and there are a lot of cases where hackers had used SIM port hacks to intercept their victims’ text messages.

    The explanation is not wrong. In my opinion this attack vector belongs to a different category compared to the others on the author's list. Here's the nuance:

    • In this case a 'specific' individual is being targeted.
    • If an attacker is targeting your 2FA, it probably means that your credentials to some "valuable" account (e-mail, online shopping, etc.) which the 2FA is associated to has already been compromised.

    That is, for an attacker there must be an incentive of a certain size before targeting a specific individual and their 2FA. This is in comparison to utilizing a broader attack, e.g. phishing, where a big net is cast in an attempt to catch whomever might step into the trap.

    In regards to text message as 2FA, I am not sure if this is currently an issue for general applications. However, from a privacy perspective I see the author's point.


  • Tue, Aug 24, 2021 - 8:15am

    #5
    IAMMichael


    Status: Bronze Member

    Joined: Mar 10 2021

    Posts: 104

    5

    Password managers

    OK, I agree with the concept of using a password manager. The problem that I see came up in the Solar Winds fiasco. Even the password manager is software and therefore it can also be hacked, or in the case of Solar Winds have a compromised update that opened all of its clients to hacking.

    I would suggest using a password generator and keeping a cheatsheet under your keyboard or in a safe.

    Also- for systems that security is paramount such as SCADA control systems for Electrical grids, water supplies, etc. do not connect them to the internet in the first place. That is the best security.


  • Tue, Aug 24, 2021 - 9:34am

    #6

    travissidelinger

    Status: Bronze Member

    Joined: Nov 17 2010

    Posts: 301

    1

    Use browser script blockers

    I would strongly suggest including the use of web browser script blockers like NoScript.  You can then enable scripted content on a per site basis.  This also defeats most web advertising.

    If you start seeing the sites you visit have a lot of third party scripting, then it's a hint you might want to rethink using those sites.  Or at least keep all that other stuff blocked.

    -Travis


  • Tue, Aug 24, 2021 - 10:09am

    #7

    travissidelinger

    Status: Bronze Member

    Joined: Nov 17 2010

    Posts: 301

    4

    Password Entropy

    Entropy is the measure of how hard a password is to break.

    Password Entropy = Log2( symbols ^ length )

    Example:
    Number of symbols = 26  (a-z)
    8 Characters long
    ln( 36 ^ 36 ) / ln( 2 ) = 38

    That is not very difficult to defeat with brute force processing.

    Yes, you can add lots of symbols and mixed case, but as the math shows, longer passwords are exponentially better.

    Here is a good password example, a typical md5 checksum ( 846c83175aef6c5dc1ce42e9e4c300e2 )

    At 16 characters, the entropy value is: ln(16^36)/ln(2) = 144

    Those are great for password managers, but what about us mere mortals?

    Then try a password like this: "peakprosperityisanawesomewebsite2visit".
    At 39 characters with a number, that's 201 entropy points and easy to remember.

    -Travis

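The arithmetic behind both the article’s “long and random passwords” bullet and the entropy formula Travis gives above, as an added example that is not part of the article or the comment: it generates passwords from the operating system’s random source the way a password manager does, and scores them with log2(symbols ^ length). The eight-word list is a constructed stand-in for a real diceware list (which has 7776 words); `seconds_to_exhaust` and its 10^11 guesses-per-second rate are assumptions used only to illustrate an offline attack on a stolen password database, since, as the thread notes, online login forms lock out after a handful of tries.

```python
# Added example (not from the article or the comment): password generation from
# the OS CSPRNG, and entropy = log2(symbols ** length) for scoring it.
import math
import secrets
import string
from typing import List

LOWER = string.ascii_lowercase                    # 26 symbols
ALNUM = string.ascii_letters + string.digits      # 62 symbols
FULL = ALNUM + string.punctuation                 # 94 symbols


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy for a uniformly random string: log2(symbols ** length),
    written as length * log2(symbols) to avoid huge intermediate integers."""
    return length * math.log2(symbols)


def random_password(length: int = 20, alphabet: str = FULL) -> str:
    """One uniform draw per position from the OS CSPRNG (what a manager does);
    there is no pattern a human could reproduce, so it must be stored."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: List[str], count: int = 6, sep: str = "-") -> str:
    """Diceware-style: entropy depends on list size and word count, not on how
    long or odd the words look. Six words from a 7776-word list is ~77.5 bits."""
    return sep.join(secrets.choice(words) for _ in range(count))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for an offline attacker who can test guesses without a login
    form in the way; the average case is half of this."""
    return 2.0 ** bits / guesses_per_second


# Constructed stand-in list; a real diceware list has 7776 entries.
DEMO_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor"]

CASES = [("a-z, 8 chars", 26, 8),
         ("hex, 32 chars (an md5 digest)", 16, 32),
         ("full keyboard, 20 chars", 94, 20),
         ("6 diceware words", 7776, 6)]

if __name__ == "__main__":
    rate = 1e11   # assumed offline guess rate, for illustration only
    for label, symbols, length in CASES:
        bits = entropy_bits(symbols, length)
        years = seconds_to_exhaust(bits, rate) / (365 * 86400)
        print(f"{label:32} {bits:6.1f} bits  ~{years:.1e} years at {rate:.0e}/s")
    print(random_password(), random_passphrase(DEMO_WORDS))
```

The numbers make the comment’s point concrete: eight lowercase letters give about 37.6 bits, a full 32-character hex digest 128 bits, and a six-word diceware passphrase about 77.5 bits while remaining something a person can type from memory. Those figures matter for the offline case (a stolen password database or an encrypted file), which is where a guessable password actually falls.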

  • Tue, Aug 24, 2021 - 10:51am

    nyhetersverige


    Status: Platinum Member

    Joined: Mar 21 2020

    Posts: 594

    3

    Chapter 8

    Don't forget what Assange used with David Leigh: a loooong phrase with one obvious word missing that is never written down, anywhere, ever.


  • Tue, Aug 24, 2021 - 11:07am

    #9
    Stph


    Status: Bronze Member

    Joined: Jul 01 2021

    Posts: 233

    4

    Password software ignores the Elephants in the room - ACTIONABLE alternatives

    I am not saying buying a password manager is "wrong". I am saying it is grossly unnecessary and will give you a very false sense of security. You can do approximately as well by using an algorithm to calculate a semi-unique password for each site or computer based upon, for example, the name of the website. Brute force attacks at the individual password level are very rare because they are not profitable enough.

    In the real world most dangerous hacks don't work by breaking passwords (brute force). Or, if they do, they do it at a site level – out of your control.

    They work because "everything is broken":

    https://medium.com/message/everything-is-broken-81e5f33a24e1 and, as an example, just yesterday:

    Hopefully that second article brings it home: the whole USB model is intellectually bankrupt -- especially on Windoze. Find access to a Windoze machine, plug in a USB stick with ransomware, and you are off to the races. If the machine -- any Windoze machine -- is connected to the network, your network is toast. Under Linux (which I recommend) this can be better ameliorated (the OS can be made to only allow SPECIFIC USBs), but not entirely.

    So, some basic things which will give you vastly higher levels of security than a software password manager:

    (1) Figure out an algorithm simple enough for you to calculate passwords on the fly. If a site doesn’t contain “top secret” information use a throw away password with, perhaps, a really simple modification based on the name, and don’t worry too much about security on throw away accounts.

    (2) Avoid using the internet when unnecessary. Use a dedicated machine for internet browsing, or a dual boot, vs your working machine. Use hardware and/or software to allow you to easily turn on the internet when you actually need it – and, WHEN YOU DON’T EXPLICITLY NEED INTERNET, KEEP INTERNET OFF!!!! Don’t ever allow automatic software “upgrades”.

    (3) Avoid “the cloud” absolutely as much as possible. The cloud is, fundamentally, a low security, money making exploit, foisted on us by our Masters who want to own anything – including your body and your thinking. Don’t cooperate more than you have to. There are security breakins being reported virtually every day, in the cloud. That will never stop, because of the nature of tech.

    (4) Use lots and lots of ad and tracking blockers (or use Brave) on the internet. Don’t let them turn your computer into THEIR “Skinner Box”. Don’t watch ads.

    (5) Avoid software monocultures, of all sorts. In particular, Windoze IS the attack surface for nearly all serious security exploits. Avoid Windoze, and your security concerns go down dramatically. Absolutely, don’t use Windoze in your business. Don’t use Android. Don’t use Gmail or Microsoft Live. Don’t use Chrome, nor Edge – Brave or Chromium or Firefox work just fine and don’t pimp you. If you have to use something (e.g., Gmail) use it absolutely minimally. For God’s sake, respect yourself, your family, and your friends enough to not pimp out mind, body, and privacy for nothing. The world is stratifying into Eloi and Morlocks. Being a Time Traveller is a choice. Tor is nice. The Morlocks don’t like Tor too much.

    Well, those are some obvious things you can do relatively easily. Focussing on passwords is really, really, misleading. The insecurity is in the fundamentals Your Masters don’t want you to know about – seldom is it the password. If your password is “password”, maybe get a new brain.


  • Tue, Aug 24, 2021 - 11:13am

    #10
    westcoastjan


    Status: Platinum Member

    Joined: Jun 04 2012

    Posts: 1465

    1

    Password hacking - a useful chart


  • Tue, Aug 24, 2021 - 11:22am

    westcoastjan


    Status: Platinum Member

    Joined: Jun 04 2012

    Posts: 1465

    0

    Not good for regular folks

    @Stph, I appreciate your input and while I cannot speak for others, I think some of what you are saying is not useful for your average user.

    Figure out an algorithm simple enough for you to calculate passwords on the fly.

    Seriously?!?


  • Tue, Aug 24, 2021 - 11:37am

    #12
    nordicjack


    Status: Bronze Member

    Joined: Feb 03 2020

    Posts: 774

    1

    password chart

    This is not correct in the real world -  though a computer could generate every single possible combination of those characters in the time on that chart,  no server would allow or could lookup and serve a response for all those combinations within that time.  Not even close.   Most will kick you out by the time you have missed a password after 4 attempts.   The hacker would have to switch machines, networks or reset every few attempts.   If that chart was virtually true, we would all have to have 15 character passwords.  ( also you would have to have username as well )


  • Tue, Aug 24, 2021 - 11:56am

    Stph


    Status: Bronze Member

    Joined: Jul 01 2021

    Posts: 233

    2

    Password Entropy (and why brute force attacks aren't the problem).

    Hi Travis!  I just gave you a thumbs up for showing the math.

    That said, what you didn't address were the elephants in the room -- and why worrying about passwords is pretty much worrying about the wrong things.  I wrote (maybe) too much about that in my other post, but I wanted to point out something even more fundamental.

    ANY DECENT WEBSITE AND ANY DECENT OPERATING SYSTEM AND ANY DECENT APPLICATION DOESN'T ALLOW BRUTE FORCE ATTACKS.  Try "brute force" attacking anything decent (intelligently constructed) and the account will be locked down after a mere handful of "guesses".  So the whole math issue of 32 bit "random" characters is almost entirely moot.

    Where it ISN'T moot is if you are encrypting a long message and the message is the treasure.  If someone intercepts your whole message, and has all the time in the world to run a cracker, they are going to get in no matter how many "random" characters is in the password. It may take them a day or three, but they will get in.

    For most of us, except for maybe access to bit-coin, that isn't the issue.   For most people, security of financial and related personal information is the authentic concern.  For that, site level, OS level, application level, and hardware level security is what matters.   Avoid Windoze and reserve non-obvious passwords on financial information sites you have done 90% of what can be done.  Use due diligence to assure, as best you can, that the vendor of the site is intelligent, diligent, and isn't running Windoze nor doing other really-really fundamentally dumb things, and you should probably put your worry energy into something else:  NOT a longer password.


  • Tue, Aug 24, 2021 - 12:42pm

    travissidelinger

    Status: Bronze Member

    Joined: Nov 17 2010

    Posts: 301

    2

    travissidelinger said:

    Oh I agree.  Good passwords are like number five on my list.  The elephants in the room are junk software.  Decrypting is hard and hackers will always try to go around if possible.

    1. Patch your software

    2. Don't get socially engineered

    3. Don't use bad software that gives away your info and access.

    4. Use 2FA

    5. Use good passwords

    6. Use encryption

    7. Just use Linux

    There are a lot of hacks where the bad guys go through a back door and are able to get the full password database.  That's where good passwords and encryption are important.  If you are using both, even the NSA would be challenged to decrypt the data.

    Yes, systems like Gmail and Facebook, quality passwords do matter to an extent.  But, yes, they will lock out the failed attempts after only a few tries.

    And remember too, don't be that guy:  https://nypost.com/2021/01/15/man-who-lost-password-to-220m-worth-of-bitcoin-says-hes-made-peace/

    -Travis


  • Tue, Aug 24, 2021 - 3:42pm

    #15
    nyhetersverige


    Status: Platinum Member

    Joined: Mar 21 2020

    Posts: 594

    1

    Criminal absurdity

    A lot of this applies to any platform.

    https://sneak.berlin/20201112/your-computer-isnt-yours/
    https://sneak.berlin/20201204/on-trusting-macintosh-hardware/
    https://sneak.berlin/20210202/macos-11.2-network-privacy/

    If you're on mobile, you've already given the farm away - for free.

    As Peter Gutmann pointed out years ago, the only secure computer hardware in the future might be produced in China for the Chinese market (although there's reason to believe he might want to alter that statement today).

    Build it yourself. That's where you are. Nothing on your hardware is fully secure, and any daemon can be phoning home at any time. Particularly see the third and final URL in that list.

    PS. It's a criminal absurdity to overlook the fact that there's a ginormous gap between Windows and non-Windows. Anyone who doesn't appreciate this can never be taken seriously.


  • Tue, Aug 24, 2021 - 4:07pm

    #16
    nordicjack


    Status: Bronze Member

    Joined: Feb 03 2020

    Posts: 774

    2

    maybe total roll back

    I have some great older machines, stuff I built. The only reason I don't use them is that the WINDOWS GOD doesn't like it. Perhaps it's time to roll back to some old hardware with Linux.


  • Tue, Aug 24, 2021 - 5:25pm

    #17
    westcoastjan


    Status: Platinum Member

    Joined: Jun 04 2012

    Posts: 1465

    5

    Other, more serious & nefarious tech concerns

    Dr. Vernon Coleman lays it all out for us re where we are heading - and much, much faster than most realize.

    https://dailyexpose.co.uk/2021/08/23/if-you-want-to-know-the-sort-of-society-authorities-are-trying-to-create-for-you-and-your-children-to-live-in-then-just-look-at-china/

    ....So far around 4.5 billion people around the world use the internet and most have social media accounts.

    A fairly scary survey found that two thirds of individuals are willing to share information about themselves or others to get a shopping discount while half are willing to do so if it helps them skip queues at airports. One in two individuals say they are happy for the Government to monitor everyone’s social media behaviour if it means keeping the public safe.

    Of course, it will be impossible to find out what your social credit score is, to find out exactly how scores are made up or to correct any error. And scores will be changed in real time. So you could join a queue thinking you are entitled to hire a car or board a train and find, when you get to the front of the queue that your rating has changed and you can’t do either of those things.

    Governments, big companies and local authorities are already gathering information about you from facial recognition cameras, biometric studies at airports, drones, surveillance planes and social media. This is the technocratic state in full fly. Using a silly name or avatar on social media will provide you with absolutely no protection. They know exactly who stinkyfeet of Weymouth really is and they know the name, address and inside leg measurement of bumfluff from Colorado.

    You can forget about privacy, freedom or rights. ...

    Geotracking is the new normal now. Your financial records are combined with your criminal record, academic record, medical record and shopping patterns. They’re keeping an eye on the type of friends you have, the videos you watch, the people you date or marry or meet.

    This is Big Brother on speed

    In the brave new world, those with a low credit score won’t be able to move an inch.

    ...

    I leave you with this fact.

    There are public loos in China which won’t let you in without first checking your face and identifying you. Only then will the machine dispense the small quantity of loo paper you are allowed.

    How many sheets will you be allowed if you have a low credit score? Two? One? None at all?

    You may be smiling now.

    But see if you’re still smiling in twelve months’ time.


  • Tue, Aug 24, 2021 - 7:54pm

    iSecurityGuru


    Status: Member

    Joined: Mar 21 2020

    Posts: 16

    0

    SSD more tricky to secure erase

    Yes, I agree that an SSD is much more tricky to secure erase than a hard disk.

    The DBAN software that I mentioned has a free version and a paid version. The paid version, called Blancco Drive Eraser has the added functionality of secure erasing SSD.


  • Tue, Aug 24, 2021 - 8:47pm

    iSecurityGuru


    Status: Member

    Joined: Mar 21 2020

    Posts: 16

    1

    "peakprosperityisanawesomewebsite2visit" does not contain enough entropy

    Hi Travis!

    Regarding "peakprosperityisanawesomewebsite2visit" as a password, I'm afraid there's not enough entropy despite its length.

    You may want to read this article: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.

    It has come to the point where passwords that are easy for the human brain to remember no longer contain enough entropy.


  • Tue, Aug 24, 2021 - 8:56pm

    #20
    One-Horse


    Status: Bronze Member

    Joined: Jun 11 2021

    Posts: 30

    1

    Alt Systems

    For the truly paranoid (everyone today?) you could try the Insurgo Privacy Beast or the free but somewhat demanding Qubes OS. From what I understand "all" motherboards built in the last 10-12 years have the Intel ME chip on board running the Minix OS which is the "real" administrator of that system when it comes down to it.


  • Wed, Aug 25, 2021 - 9:27pm

    #21
    ezlxq1949


    Status: Bronze Member

    Joined: Apr 29 2009

    Posts: 125

    2

    Peak complexity

    This depressing article tells me that the white-vs-black arms race is hopeless. The sheer complexity of it all is the big issue. I don't know if we're at peak complexity now or will get there shortly. Sooner or later it's going to fall over of its own weight. Maybe climate change will hurry things along.

    The arms race has the side effect of generating mountains of electronic waste every year. It's become a matter of international concern. The mountains get higher and higher as older equipment is discarded because it can't run the latest security stuff. The waste is appalling.

    That said, when it comes to discarding old disks, I reckon the best way is to apply a large mallet to the disk. If it's a hard disk, unscrew and remove the top cover, and then make sure the platter is good and bent. If it's solid state, pulverise it. This is also a great way to work off frustration!


  • Thu, Aug 26, 2021 - 4:09pm

    Bheithir

    Status: Bronze Member

    Joined: Nov 02 2008

    Posts: 28

    0

    Password Cracking

    I have some experience with this, so here goes.

    I'm trying to figure out the best way to present it succinctly, so if my efforts seem a bit simple, then I can live with that. There is a lot to say about this subject and writing a book is out of scope.

    First of all I looked at the chart and it is misleading. Computing power is still changing rapidly in this area.

    Bad News

    • You can build a dedicated password cracker for less than $10K.
    • Password crackers use GPUs, which do math way better than a CPU.
    • Usually you are limited by the motherboard slots to no more than 6 cards. (Heat is an issue too.)
    • In 2017 the Cracker we used had 6 Nvidia 1080 Ti cards. (11 GB GDDR5X Memory, 3584 Cuda [email protected] Mhz each)
    • As of August 2021. Newest Nvidia Card RTX 3090. (24 GB GDDR6X Memory, 10496 Cuda [email protected] Ghz Boost.)
    • You can combine crackers with GoCrack.
    • A 32 character password fell to us in less than 24 hours. It was a sentence with no spaces or upper case letters. (It was actually part of many thousands of passwords that fell in that period.)
    • Passwords are not stored in plain text; they are hashed with a one-way algorithm. (The quality of the algorithm is part of the issue too.)
    • A password, say "Password1" (without quotes), is run through the algorithm and you get a bunch of junk, i.e. this is a SHA-256 hash of Password1: 19513fdc9da4fb72a4a05eb66917548d3c90ff94d5419e1f2363eea89dfee1dd
    • You have a database of passwords from previous hacks from other folks that you find on the dark web.
    • Currently there are 2,692,818,238 rows. (Email/Password combinations)
    • Out of that there are 1,160,253,228 unique email/password combinations.
    • The kicker is there are 613,584,246 real world passwords on one site. (These last three courtesy of Have I Been Pwned. Go here to check if your password is part of it: https://haveibeenpwned.com/ Click on Passwords to enter yours.)
    • The database usually has many of the common hashes already created; if not, you create them yourself. So now you have a Rainbow Table. (You may also get email addresses and web sites where these passwords were used. If you use the same password and email to register accounts, this is how a hacker can pivot from one site and try others of interest, like banks.) We didn't care about emails because we stole the ntds.dit file from a Windows Active Directory server. We extracted the hashes offline and used the rainbow table to match many of them and brute forced the rest. (Not all passwords fell. My regular user account of 8 characters and Administrative account of 16 characters didn't crack.) Our test had a 24 hour time limit. Had we let it run for longer we would have had more success. How much more, I don't know. In the end we only got about 50% of the 200,000.
    • Since we had elevated privileges anyhow to steal ntds.dit, we pretty much had a golden key to the kingdom, which helped find other golden keys.
    • Using Password1 above, we also had iterations of it. [email protected], passWord1, [email protected] etc. So just adding special characters to substitute for their look-alikes isn't a good strategy.


    Good News

      • Adding special characters, numbers and upper case adds difficulty, but do not use easily predictable substitutions. (See above.)
      • Use a GOOD Password Manager. Don't use the same password with multiple sites.
      • Use Multi-Factor. Try and avoid using SMS MFA. SMS can be hacked: SIM cloning, SMS spoofing, which is easier than you would think. There is no way to authenticate where it came from and there is NO encryption. The Cloudflare hackers used this to gain a foothold. (There is debate on whether to use SMS-only MFA. Using a very difficult 16-plus character password may be MORE secure than a shorter password with SMS MFA.)
      • Keep in mind, the above scenario was targeted at a corporation. The odds of a hacker targeting you personally are low, unless you are a high value person. Most likely you are part of a larger breach. (Not necessarily a high value individual, i.e. "a rich person", but maybe a C level or someone who works in the Finance department or a bank.)

    Side story. Back when the Ashley Madison breach took place, just for fun we got hold of the database and searched it for any of our corporate emails. We had about a dozen hits, but one was someone we knew. A married co-worker had signed up to the service using his work email. Needless to say, there was much embarrassment on his part, and he left not too long after that. Don't know if he was asked to leave or he was just that embarrassed.

    Edit: I didn't see iSecurityGuru's comment #19 before this. What I described is similar to his linked article.


  • Fri, Aug 27, 2021 - 8:22pm

    green_achers


    Status: Member

    Joined: Jan 03 2009

    Posts: 55

    1

    "haveibeen..." NOT YET!

    Let me see if I have this straight: There is a website that purports to tell you if your unique password has been picked up by some dark actors on the web, and all you have to do to find out is... enter your passwords? That really doesn't sound like a good idea to me, for reasons that ought to be obvious.


  • Sat, Aug 28, 2021 - 7:31am

    iSecurityGuru


    Status: Member

    Joined: Mar 21 2020

    Posts: 16

    0

    iSecurityGuru said:

    For the HaveIBeenPwned.com website, you give them your email or phone number and they will inform you whether it has been involved in a data breach. It doesn't ask for your password and will not reveal any passwords.

    HaveIBeenPwned.com is developed by Troy Hunt, a Microsoft Regional Director and MVP from Australia. So, he’s quite a well-known and reputable guy.



  • Sun, Aug 29, 2021 - 3:25pm

    #25
    William Croft


    Status: Member

    Joined: Apr 05 2020

    Posts: 7

    0

    SIM swap attacks -- hacker takes over your phone number / protection against

    Overall the article was great. But not mentioned is a hacking technique that thieves are increasingly employing: hijacking your phone number, then using that 'identity' to get into your other accounts. This is called a SIM swap attack. Do a search on that and you'll find dozens of horror-story articles.

    My recommendation to avoid this: check with your cellular company and inquire whether you can set a flag on your account that requires increased security checks for any SIM changes, such as showing photo ID or other documents to prove your identity.

    The main way crooks operate is that they phone in or show up at a cellular company retail store and claim that they are you and that they have lost the phone. So they would like a new SIM issued with your number. Surprisingly, with many cell companies, this is relatively easy to do. Use a phone company that is pro-active in solving this giant loophole.

    Regards,


  • Tue, Aug 31, 2021 - 7:51am

    lastfirst


    Status: Member

    Joined: Oct 17 2020

    Posts: 21

    0

    What is the difference between internal and external storage devices?

    In regards to data confidentiality, the article seems to make a distinction between internal and external storage devices. For internal storage, encryption for data at rest is suggested. For external storage devices, cleartext storage in conjunction with secure delete is proposed.
    I am wondering whether this distinction is due to some perceived difference in threat level for each type of storage device, a difference in the type of data assumed to be stored on a device, the usage scenario, or some other factor?


  • Tue, Aug 31, 2021 - 8:11am

    #27
    lastfirst


    Status: Member

    Joined: Oct 17 2020

    Posts: 21

    0

    Service providers have an opportunity at containing damage in the event of data breach

    A pitfall

    A quick search for "password reuse statistics" suggests that more than 44-72% reuse their password across multiple sites. As a baseless claim, I will add that there is some non-insignificant probability of different individuals "coming up" with the exact same password. Lists of the most common passwords still exist in 2021, right?
    Knowing this, there is at least one countermeasure that online service providers could implement as an attempt to contain the damage in the event of a data breach related to end-user passwords. In other words, one end-user's password getting cracked should not have any direct compromising effect on other user accounts utilizing the same password.

    Example: Hypothetical breach at Peak Prosperity
    If Alice and Bob here at Peak Prosperity happened to use the same password, an adversary learning Alice's password here at Peak Prosperity should not automatically allow the adversary to infer anything about Bob's password. Likewise, even if Alice is reusing her password at some other site, a breach here at Peak Prosperity should not automatically allow the adversary to infer anything about Alice's passwords on other websites.

    A counter

    What some smart people came up with was the use of a so-called cryptographic salt. Roughly speaking one could think of a "salted" password as consisting of two components: one component which the user provides, like we do today, and a second component which a service provider randomly generates (and stores on their side).

    Why does this help? As Bheithir's post points out (#22), an adversary likely utilizes rainbow tables (~ a database) to look up a precomputed hash (~ a unique fingerprint) for a password they have already come across. Given the degree of uniqueness that a salt adds to a password, it is less likely that the hash of a salted password already exists in rainbow tables.
    One could perhaps say that password salting attempts to limit an adversary's accumulation of password knowledge after each successful data breach, as well as to obscure obvious lateral movements within a (breached) data set.

    Returning to the above example with Alice and Bob, utilizing a salt would mean that different hashes would be produced for Alice and Bob even if they were in fact using the same password. Based on the hash values, however, this is not obvious.


    PS Has changing passwords been mentioned?

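The precomputed-table lookup Bheithir describes (#22) and the per-user salt described in this post, worked through as an added example (not code from either commenter). The password list standing in for the "rainbow table" is constructed; SHA-256 is used only to match the thread's example, and the comment in the code names the slower hashes a real deployment should use.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table: a handful of passwords whose
# unsalted hashes an attacker would already have on file.
COMMON_PASSWORDS = ["Password1", "letmein", "qwerty123", "Summer2021"]


def unsalted_hash(password: str) -> str:
    """Hash the password alone: the same input always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords):
    """Map digest -> password once, then reuse it against every breached dump."""
    return {unsalted_hash(p): p for p in passwords}


def lookup(table, digest):
    """Return the password behind a digest, or None if the table has no entry."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored next to the hash in clear; its only job is to make
    # every stored record unique, so a table built without it cannot match.
    # A production system should use a slow, purpose-built password hash
    # (PBKDF2, bcrypt, scrypt or Argon2) here instead of plain SHA-256.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_user(db, username: str, password: str) -> None:
    """Generate a fresh random salt per user and store (salt, hash)."""
    salt = os.urandom(16)
    db[username] = (salt, salted_hash(password, salt))


def verify(db, username: str, password: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt, stored = db[username]
    return hmac.compare_digest(stored, salted_hash(password, salt))


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: Alice and Bob share "Password1", so their records are identical
    # and a single table lookup recovers both.
    alice_plain = unsalted_hash("Password1")
    bob_plain = unsalted_hash("Password1")
    # Salted: same password, different salts, different records, table misses.
    db = {}
    store_user(db, "alice", "Password1")
    store_user(db, "bob", "Password1")
    return {
        "unsalted_same": alice_plain == bob_plain,
        "unsalted_hit": lookup(table, alice_plain),
        "salted_same": db["alice"][1] == db["bob"][1],
        "salted_hit": lookup(table, db["alice"][1]),
        "alice_login_ok": verify(db, "alice", "Password1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the salt does not stop an attacker from guessing Alice's password by hashing candidates with her salt; it only removes the shortcut of a precomputed table and the ability to spot Alice and Bob as sharing a password.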

  • Tue, Aug 31, 2021 - 8:21am

    #28
    lastfirst


    Status: Member

    Joined: Oct 17 2020

    Posts: 21

    2

    Write-up on online privacy?

    Multiple posts seem to revolve around online privacy. Perhaps a dedicated write-up on that topic could be of interest. Here is an example with emails which some might be unaware of.

    The "to", "from", and "subject" fields of an e-mail are always available to any party involved in routing an e-mail from sender to receiver. Writing confidential information in the "subject" field is like writing confidential info on the outside of an envelope or on a postcard. This is not a flaw per se; it is how e-mails were designed.


  • Wed, Jan 05, 2022 - 3:31pm

    nyhetersverige


    Status: Platinum Member

    Joined: Mar 21 2020

    Posts: 594

    0

    But Microsoft

    But Microsoft should be targeted. We all should remember what happened to Dan Geer. Outlaw Windows and Outlook and the market would dry up. Vuln hunters at McAfee using Unix boxes at home. IBM's Hursley think tank using Unix privately for over twenty years. IBM consultants getting new kit with Windows automatically wiped before delivery. Anyone using Windows is asking for trouble and deserving of it. But it's worse. For Windows (l)users are spoiling the party for the rest of us.


  • Wed, Jan 05, 2022 - 3:36pm

    nyhetersverige


    Status: Platinum Member

    Joined: Mar 21 2020

    Posts: 594

    0

    nyhetersverige said:

    Trusting MSFT staff that tout with 'MVP' is like turning to Anthony Fauci for advice on how to beat the pandemic.


  • Wed, Jan 05, 2022 - 3:41pm

    nyhetersverige


    Status: Platinum Member

    Joined: Mar 21 2020

    Posts: 594

    0

    nyhetersverige said:

    Well not necessarily. Any website worth its salt and your trust will never store your actual password anyway.

    As an aside: Twitter is one player (of many over the years) who has not practiced this. They were caught harvesting passwords, and not the encryption results, which are the only thing that's needed, the only thing that should be stored. Caveat emptor. Websites take on responsibilities akin to a banker's but have no acumen for it.
