Internet Security

[AskWazzup]

Yesterday i read an article about some russian hackers, hacking millions of emails and their account information (then selling it to others) and it got me thinking about the whole issue of our personal information and internet. So i decided to look up some of my usernames and my real name to see what i could find. Well, i found quite a few old accounts from forums and whatnot and some scribd thing, to which i somehow passed on my facebook information... I deleted my facebook account over a year ago! And this scirbd thing still keeps my information and my "e-friend" list for everybody to see! It's not a huge thing for me, but now that the world is getting a bit crazier by the year and the prevalence of internet is only getting higher, i'm getting kind of cautious where i register, what information i provide and what i post.

At the moment i don't care all that much if my information is getting passed by some black databases to advertisers and whatnot, since i'm not that "interesting", but if in the not so far future one of these political lunatics (i wonder what would have happened if stalin had internet) takes over and they could create my citizen profile from internet alone, it would kind of suck. So i started to delete all the shit i could find and most importantly my email addresses with my real names.

Now as far as viruses and tracking trojans are concerned, it's a bit better since i'm on linux and most of the stuff is created for windows, but it would still be interesting to hear your opinions on this matter:

How do you protect yourself and your information? What do you use or do and what do you think about this whole topic?

 

[Korin]

I'd like to think I know a reasonable amount about security. I delved into the realm of ethical hacking several years ago (a very practical skill if you write web software, how can you protect your users and your site if you don't know vulnerabilities to cover for?) and what I've learned is that we're all a lot more vulnerable than we'd like to think we are. There's certainly the stuff you can Google. You can Google your known usernames and e-mail addresses and more often than not you'll be able to create some kind of profile for yourself... where you live, what you're interested in, who you know, etc. Then things like Twitter give more insight into your private life. If you find a Youtube account you can see what they comment on, what they're interested in and stuff about their life you can glean from videos they've posted. Find out someone's real name and then you've got Facebook, things like LinkedIN profiles (tell you where they work), Google Plus and etc. This is all the easy stuff you can find out about a person just from Google and making connections between known pieces of information. The longer you've been on the internet, the more that stuff starts to accumulate. Particularly if you started young, you may have posted information you shouldn't have about yourself. And the internet pretty much remembers everything. We've left footprints all over the place.

That's information anyone has access to. But what's real scary is the next level, which is how often that known information has been hacked. I think a lot of people have this idea of "getting hacked" like they would be targeted specifically and it's some guy typing away at a keyboard like in the movies but most of the time it's not anything like this. A lot of the time it's completely automated. You register for a forum in 2004, it's running an old version of some forum software with known vulnerabilities. You haven't used that account in 10 years maybe. Multiple times a day an automated 'crawler' script is downloading the user database through some SQL injection, including password hashes. Maybe it's a known MD5 hash or something and they're able to look up the pre-hash value (all automated). That gives them an e-mail address, possibly a name and more importantly a password. Maybe the password works for that e-mail address, maybe the password doesn't work. Maybe they find that same username on a more modern site and the password still works. Maybe it's the username and password of your World of Warcraft account, which they've now sold or used for nefarious activities. All kinds of stuff happens. Probably and I say this honestly, over 90% of the time these sites have no idea they've been hacked because who really is monitoring server logs 24/7, especially if you have a lot of traffic? It takes a large company with the money to actively monitor intrusions and most smaller sites don't or can't do this. Thusly, most action is taken retroactively after a problem has been discovered.

That makes sites running known software a double-edged sword because they have known vulnerabilities... if vulnerability X is in this version or earlier, then you know all sites running that software have that same access point. On the flip side, that also means these things get fixed and usually if you're running the latest version, you're safe (at least for the meantime, barring new vulnerabilities). Conversely, hackers can hack other sites that were developed from the ground up and these sites are the worst for vulnerabilities because most developers don't know what to look for. I have on several occasions sat down to a random website and toyed with it "just for kicks" and found myself will full admin access. Found myself dumping SQL tables or getting up to all kinds of nefariousness. I have web developer friends and have done this to their sites while they watched me type and they are literally blown away. It is scary, in how easy it can really happen and how most of the people making any website software know pretty much nothing about how to prevent it (I think the general user perception is that if you can make a website, you must be some kind of computer genius... if they can do all this stuff with databases and programming, surely my information is secure which couldn't be farther from the truth.). Hacking in itself is kind of like puzzle solving. Finding ways to make existing features do things they're not supposed to do. Finding the chink in the armour. It's a lot easier on software that has not yet been tested in the fire, so to speak.

And this is stuff that an amateur like myself is capable of. When you get into professional hackers, you're into a whole new level of scary. They'll bring a whole world of knowledge to bear on anything they can get access to (software level, server level, your home network or maybe even creeping over your shoulder at an internet cafe). If you want to go to an even higher level, state and corporate funded hacking is the kind of stuff movies are made about. The stuff Chinese state-funded hackers can and will do scares the shit out of me.

How do you protect yourself and your information? What do you use or do and what do you think about this whole topic?

A lot of different usernames and a lot of different passwords. Most importantly my passwords are long and very complicated, so I feel reasonably confident that when they are hashed a hacker will not be able to look up the pre-hash value in some existing database. They're different because even in this day and age, some places don't hash passwords when they put them in the database and I don't want them re-used on another site. You occasionally see it in the news how passwords get stolen but they weren't hashed (so basically they're stored exactly as they were submitted). But I wouldn't say I feel particularly safe. I know I've slipped up somewhere. I know I haven't been as private with my information as I should have been and now it's stored forever on the internet. I don't feel safe at all, I mostly feel "untargeted" for more aggressive hacking. But I've already seen my usernames, e-mails and hashed password show up in several dumps of these headline hacker stories (Bethesda forums, for instance).

 

[AskWazzup]

Oh shit Korin, i'm changing my bank account password . I kind of thought that this kind of thing is going on, but you cleared the mist from my eyes. I think i will create a real notebook for passwords from now on - and all them will be different.

I wonder what would be an efficient way to create passwords? I'm now learning a bit of c programming, so if i create a random number generator i wonder if these hacking systems can actually deduce that this number has a base seed? Or should i just use some humanly stuff?

Also, i think i need to brush up on networking. I'm completely green at it...

 

[Korin]

Oh shit Korin, i'm changing my bank account password . I kind of thought that this kind of thing is going on, but you cleared the mist from my eyes. I think i will create a real notebook for passwords from now on - and all them will be different.

Haha, long as you don't leave that notebook somewhere.

I wonder what would be an efficient way to create passwords? I'm now learning a bit of c programming, so if i create a random number generator i wonder if these hacking systems can actually deduce that this number has a base seed? Or should i just use some humanly stuff?

If you want long/easy passwords, you can subscribe to the XKCD password philosophy:

Most hacking that happens to home PCs usually happens one of two ways. You either downloaded some illegal software that has a viral payload attached to it or you're browsing some malicious websites (usually porn) that exploit vulnerabilities in Flash or Java to infect the machine. I don't think Windows being hacked specifically happens all that often but there's no reason not to keep the software updated.

If you want to read about some state-funded (not confirmed, of course) hacking you may find the Stuxnet virus of interest:
http://en.wikipedia.org/wiki/Stuxnet

 

[Gizmojunk]

A lot of different usernames and a lot of different passwords. Most importantly my passwords are long and very complicated, so I feel reasonably confident that when they are hashed a hacker will not be able to look up the pre-hash value in some existing database.

I tend to use the GUID utility for my passwords; but really all one needs is a long password that is not made of common words... Or one can just have a mental procedure for all their passwords ~whatever they are.

If the password is "monkey" (which it should never be!), then a procedure could be to memorize that the password is entered in alternating caps, and three dashes in the front and trailing at the end... SOMETHING (certainly more complex than dashes, if desired) to make the password as long as possible; preferably with characters from each character set, and high ascii as well.

Soon we'll have Sqrl to use, and that might make a real change in the password landscape.
https://www.grc.com/sqrl/sqrl.htm

 

[AskWazzup]

If you want long/easy passwords, you can subscribe to the XKCD password philosophy:

What if i use strings of words written in ASCII decimal numbering? I would assume that the website would write the password as an array of integers (as opposed to one int holding the whole number), or is this a false assumption?

Most hacking that happens to home PCs usually happens one of two ways. You either downloaded some illegal software that has a viral payload attached to it or you're browsing some malicious websites (usually porn) that exploit vulnerabilities in Flash or Java to infect the machine. I don't think Windows being hacked specifically happens all that often but there's no reason not to keep the software updated.

Well i don't use flash, but i wonder if html5 has the same vulnerabilities? Also, are those java script blockers any help? Though i'm running linux, now that i think about it, android shares the same kernel, i wonder if android viruses are easily portable to linux?

 

[Korin]

Well i don't use flash, but i wonder if html5 has the same vulnerabilities?

That's a good question, I haven't been up on the modern dev game for a long time and I'm not real familiar with what HTML 5 is capable of. Maybe? So far it sounds more secure than Flash or Java.

Also, are those java script blockers any help?

Yeah, I'd say... probably? So many pages have a reliance on Javascript now that having that on would probably ruin their functionality, unless you have it off for known sites (like Facebook or this site for instance). I don't think Javascript itself has all that much access to the OS but it does or has had connection to the inner workings of Flash/Java (making calls to and from either add-on). Some viral websites may have a reliance on Javascript being enabled for a number of reasons. A recent Java update essentially neutered Live Connect, which was the connection between Java and Javascript in the browser and they had done this for security reasons. Disabling Javascript does prevent things like cross-site scripting. Anything more directly insidious from Javascript I'm guessing has some relation to Internet Explorer as there may be more functions that connect outside the scope of the browser, like to Windows Media player or something like that. Once you get into hacking the operating system I don't have a whole lot of experience in that field. That's usually something a hacker develops and leads you to, rather than exploits your site with.

Though i'm running linux, now that i think about it, android shares the same kernel, i wonder if android viruses are easily portable to linux?

Not real familiar with either of those things as it falls outside my expertise. I work mostly with web-based software. Start talking about Kernel's and I couldn't even feign to understand, haha.

 

[zegh8578]

You either downloaded some illegal software that has a viral payload attached to it or you're browsing some malicious websites (usually porn)

My dad, who presumably only ever browses El Pais always has viruses.
"I have no idea how it keeps occuring!"
"Save it, dad -.-"

 

[Crni Vuk]

I would not worry about the internet or security. The internet is just a temporary fashion afterall.

 

[TheWesDude]

well, here is a diatribe on computer security.

get and use a password database program.

i have lots of experience with one on sourceforge called "password safe" and i know it has been reviewed several times by several security firms and found to be good.

anyone involved with actual security will always tell you to stay the fuck away from "cloud" password services. while they can be made somewhat secure, there are several issues.

1) your passwords are under someone else's control
2) if you lose access to the cloud service for whatever reason, what damage would that cause you

the cloud is a nice idea, but the key to remember is what the cloud IS. the cloud is your data stored on someone else's server under their control that they grant you access to.

now, what is the most effective form of security? its quite simple. the most effective form of security is called "security by obscurity" because if people dont know who you are, then they cant target you. in reality this is extremely difficult to pull off without a concentrated effort.

you would need multiple independent email accounts for different purposes and you would have to assume that any one of the services tied to that email address will be linked together. yes, it sucks, but it is true. you have heard of the snowden leaks where the NSA and FBI and even other foreign ( to the US ) governments are running programs to link user accounts and information to you. while they may be really lax or ignored, there are supposedly laws curtailing how far they can go.

private companies have no such compunctions or restrictions or guidelines.

i am sure you have heard of the story of the the father in some north eastern state who got coupons in their target ad flyer for diapers and such and when he complained, he found out that they were tracking his daughters purchases via her credit card, and based on what she purchased based on statistics determined her shopping profile indicated she was pregnant. so they included diaper and baby coupons on their monthly flyer.

it becomes much easier to track you for systems like this when you get/use the store provided "discount cards" or credit cards.

here is another one.

a guy at work has his android galaxy S4, and he had recently gotten a new bank card so he went to put it in his google wallet. he started typing in his house code for the billing address and it filled the whole thing out for him once he got the house # in the address. he was shocked as hell when that happened. so i asked him, do you have gps/geolocation/location services on? he said all the time. i said thats how google knew, because google tracks address/locations where you are frequently and for extended periods of time, and had automatically flagged that as his home address.

here is another one. one of my aunts has an iphone and constantly posts up pictures, i told her to stop. and to make sure to turn off location services. she said fuck that she likes that. so i took one of her pictures, and then in one of her "public" posts on facebook, tore the meta-data out of her picture, found it on google maps, and even included a link to the street view of her house, and started commenting on how good the location she lived was but how the schools sucked for her area so its a good thing she didnt have elementary aged kids. then i proceeded to do the same thing on bing maps. and then said oh this is your friend? found the geolocation for them, commented on how one of her friends was kinda hot, then posted up her address, street view of her friend of where she lives, and then asked to verify a phone number i found for her was her home phone number.

my aunt went fucking ballistic and calling me and bitching me out. i said, im not the one that gave out that information, she did by using gps and geolocation and location tagging in her photos. i asked her why the fuck SHE was giving that shit out in public facebook posts. she still wanted to blame me.

 

[AskWazzup]

Interesting story. You should have clocked your aunt with your palm for not listening.

This smartphone thing concerns me, as i'm going to buy one this year (my old one is kind of smartphonish, but it has an ancient version of android), and i'm not really familiar with the new versions. Are there any semi/hidden options that gather your area data and are they easy to turn off?

Also, i completely forgot that stores gather the purchase data of your credit card, thanks for that reminder.