Opinion POTWR 2019 Vol 6: Internet Security Basics

Status
Not open for further replies.

Cubo de Sangre

PLEASE READ THIS ENTIRE OP BEFORE POSTING.

Greetings War Room Sherbros,

Welcome to the next installment of the Presidential sticky-threads. Here we'll take a look at something we should all agree on, that it's good to protect your privacy and security when using the internet. Being no expert, I've enlisted the aid of two more knowledgeable posters to answer some questions and offer some tips. So thanks very much to @Falsedawn and @King of Fists.

Each has provided answers in advance to some basic questions in order to facilitate discussion. Please see the next two posts for their replies to the following.

  • What are your qualifications and experience in the realm of internet security?
  • What should people be most concerned over when it comes to protecting their data and privacy?
  • What are the most basic security steps that everyone should take?
  • What are some more advanced security measures that you'd strongly recommend?
  • What's the worst thing you or someone you know has experienced due to a security breach?

Cheers,

Cubo

***IMPORTANT***

These are in addition to normal War Room Rules.
  • No insulting the other posters
  • Certain words should be avoided to describe someone's position/ideas (stupid, dumb, retarded)
  • Don't refer to groups using demeaning terms such as libtards, conservatards, etc.
  • Stay on topic
  • Humor is fine, but if your post is a joke that doesn't add to the topic then don't post it
  • Posts that don't comply will be removed and the poster may be issued a reply ban
  • All questions over deleted posts and reply bans please direct privately to @Cubo de Sangre


***This is an ongoing series of sticky-threads that will take on various topics in varying ways. If you're interested in leading a discussion on something please take a look at this thread and then send me a PM with your ideas.

POTWR 2019 Vol 1: Shots Fired! Examining Police Shootings In America
POTWR 2019 Vol 2: Happy Happy Joy Joy
POTWR 2019 Vol 3: Examining Opioid Addiction In America
POTWR 2019 Vol 4: Repeal Or Respect the 2nd Amendment?
POTWR 2019 Vol 5: Based On Known Facts, Would You Remove Trump From Office?
 
@Falsedawn's thoughts.

What are your qualifications and experience in the realm of internet security?

5 years full time InfoSec Analyst, 8 years Tier 1/2/3 support before that.

Currently a credentialed CISSP in good standing, and pursuing OSCP and CFCE.

What should people be most concerned over when it comes to protecting their data and privacy?


The weakest link in a security system is always the people. Always. Security systems are like a really good lock, but if you can kick the door in, your lock is useless. That's people.

Your OpSec is largely dependent on how well you can maintain it across the domains you encounter. All the technical controls in the world won't save you if you aren't paying attention to what you're doing.


What are the most basic security steps that everyone should take?

This is probably going to seem like a broken record but here you go

- Use complex passwords that can't easily be guessed

- Consider a VPN if you're concerned about being tracked or want to access a site that's inaccessible to you (Hi GDPR!)

- Verify the security certificate of any HTTPS site you log into. Certification Authorities exist for a reason.

- Use different passwords for different sites for obvious reasons


What are some more advanced security measures that you'd strongly recommend?

- Understand password entropy; it will make your passwords more memorable

L33thaX0r15! has 52.6 bits of entropy.

JackVSavageIsTheMan! has 92 bits of entropy.

JackVSavageIsTheMan! is the more secure password, despite being simpler.

- Understand file extensions. Are you aware .msi is an installer file like .exe? Did you know the office file types (.xlsx, .pptx, .docx) are container files that can be opened and explored with WinZip? Did you know .pdf files can have layers? Understanding what you're opening can tip you off when things are out of the ordinary.

- Stop posting your damn pictures lmao. Those can be easily traced.

- Don't underestimate heuristic profiling. You'd be surprised how much info can be gleaned from seemingly unrelated elements.


What's the worst thing you or someone you know has experienced due to a security breach?

A colleague of mine got divorced because someone discovered his dating profile and forwarded that and a compromised webcam video of him and his mistress to his wife.
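The post above compares two passwords by entropy but does not say which estimator produced the 52.6 and 92 bit figures. The following is an added example, not code from the poster or the thread, that computes entropy under the simplest model (length times log2 of the character pool the password draws from) and under the word-list model used for passphrases. The absolute numbers differ from the post's because the model differs, but the ordering is the same; the thresholds for character classes and the 1e10 guesses/second cracking rate are assumptions for illustration.

```python
import math
import string

# Character classes of the naive "pool" model: a password's entropy is taken to be
# length * log2(pool size), where the pool is every class the password uses.
CHARACTER_CLASSES = (
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def pool_size(password: str) -> int:
    """Return the combined size of the character classes the password uses."""
    size = 0
    for _name, chars in CHARACTER_CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    return size


def naive_entropy_bits(password: str) -> float:
    """Upper-bound entropy: assumes each character was drawn uniformly from the pool.

    The model cannot see that 'JackVSavage' is built from names, so a cracker
    running wordlists plus mangling rules needs far fewer guesses than 2**bits.
    Treat the result as a ceiling, not a guarantee.
    """
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(num_words: int, list_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are picked uniformly at random from a word list.

    7776 is the Diceware list size (five dice), so each word contributes about
    12.9 bits no matter how short or simple the word itself looks.
    """
    return num_words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to enumerate 2**bits guesses at an assumed offline cracking rate."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def rank_by_entropy(*passwords: str) -> list:
    """Return the passwords ordered by naive entropy, strongest first."""
    return sorted(passwords, key=naive_entropy_bits, reverse=True)


if __name__ == "__main__":
    for pw in ("L33thaX0r15!", "JackVSavageIsTheMan!"):
        bits = naive_entropy_bits(pw)
        print(f"{pw:22} pool={pool_size(pw):3} bits={bits:6.1f} "
              f"years@1e10/s={years_to_exhaust(bits):.3g}")
    print(f"6-word Diceware passphrase: {passphrase_entropy_bits(6):.1f} bits")
```

Under this model the 12-character mixed password scores about 78.7 bits and the 20-character one about 127.9 bits, so length dominates character variety, which is the poster's point. The caveat is that the pool model assumes uniform random characters; a password made of names or dictionary words should be judged by the word-list model instead, where a six-word random passphrase is worth roughly 77.5 bits.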
 
@King of Fists' thoughts.

What are your qualifications and experience in the realm of internet security?

Full stack software developer for large global safety organization. Mainly work in Bluetooth, mobile, desktop, and web development.

I do consulting work for the cybersecurity branch of our organization when it comes to Bluetooth because that's my biggest area of expertise, but I have some experience in many areas.

My group tests a lot of smart home products and automotive infotainment units and we do some limited cybersecurity testing on a lot of different products in those 2 areas.


What should people be most concerned over when it comes to protecting their data and privacy?

Lax security practices, both personally and by the admins of websites and services you use.

Personally: NEVER download or sideload an app from somewhere other than the Google Play store or Apple App Store unless you're 100% sure of its origin. Both Google and Apple run sophisticated analyses of every app uploaded to their store before they allow it for public download, and even then things still slip through sometimes. Other "app stores" not from Google or Apple are chock full of malware-laden apps.

On that topic of personal responsibility, simply posting everything about yourself on social media is a security risk; people can easily know your whereabouts at any given time when you're posting it online for the world to see

Admins of websites you use: there's no way to prevent them from using bad security practices (things like using the default port and server admin name for SQL server, or allowing SQL injection attacks by constructing inline queries from textboxes rather than using stored procedures), so your best bet is to simply limit the personal information you give to websites.


What are the most basic security steps that everyone should take?

Some of the common ones that get a lot of people:

1. Always set a strong password for your phone. If it's lost or stolen, your entire life may be accessible if you don't have a strong password on it.

2. Never use your credit card outside at a gas station pump. Skimmers are very common and easily allow your CC info to be stolen.

3. Don't autosave passwords. It's easy to do because of convenience, but that means your browser or device has a central location for all your passwords.

4. Always have some anti-virus program installed on your PC. I recommend Avast for a good free solution.


What are some more advanced security measures that you'd strongly recommend?

1. Cover up your computer's webcam when not in use. Many webcams are very easy to hack into; there's places you can go on the web and simply watch people through their hacked webcam, unbeknownst to them.

2. Don't make your passwords TOO complex. An 8 character password with a combination of upper/lowercase letters/special characters contains sufficient entropy so that it can't be brute-forced. Websites nowadays can make password requirements unnecessarily complex, which means you need to write it down somewhere or autosave it to remember, which then becomes a bigger risk than a shorter password in the first place! Key takeaway, never write it down or autosave it. In a world where cybersecurity is a big issue, people forget about physical security such as writing your password down.

3. Might be more basic, but use different passwords for different sites/services. Studies have shown people largely tend to reuse passwords, so someone doesn't necessarily need to hack your bank to get your password if you use the same password for your bank as you do for some small, insecure website.

4. Never enter any passwords while on an unsecured WiFi network. Also never use an unsecured WiFi network unless a last resort.


What's the worst thing you or someone you know has experienced due to a security breach?

Most of my colleagues and myself are pretty savvy when it comes to this stuff so we don't have too many horror stories, although in my younger days before I knew this stuff I got a laptop infected with some keylogger malware where I got all my bank and CC info stolen. Source of attack was cross-site scripting attack from some porn site (ended up downloading something that was a virus, not a video).
 
Is it a good idea to have my Sherdog password tattooed on my biceps?

Asking for a friend.
 
  • What are your qualifications and experience in the realm of internet security?
Some security training, but lots of real world experience with setting up infrastructures, working with enterprise customers and other security experts. Have personally implemented ISO27001 standards.
  • What should people be most concerned over when it comes to protecting their data and privacy?
Irreversible encryption hacking, and blackmailing.
Everything other than that - and you're just one of 500 million people whose details have been 'leaked', you're a needle in a huge haystack, and you'd be very unlucky to be 'targeted'

If your data gets encrypted - consider it lost forever - like, seriously, you will never ever get those files that are so important to you back. Even if you pay the ransom, you'll be lucky.

If you get hacked and the intruder finds something interesting, you could get blackmailed. This could be something as simple as you sent saucy messages to an ex, and now they are leaked - to something more complex such as your email account is hacked and the intruder finds you have an 'Ashley Madison' account, and threatens to email your partner. People on the internet are mostly very difficult to trace - so assume that those private things are now going to 'get out'.
  • What are the most basic security steps that everyone should take?
Don't use an easily guessable password. Don't use the same damn password for every site. Consider using a password manager. Be aware of what you download. Have backed up versions of your files with a history that you can recover from. System updates, AV signatures. Only download from 'trusted' sources.
  • What are some more advanced security measures that you'd strongly recommend?
Security by obscurity and the 80/20 rule. Most attacks are 'drive-by' by automated bots, i.e., every system on the internet is always being poked and prodded by bots, if you close up all the commonly targeted routes, you will fade away into the background. Hackers only pay attention when they get a 'positive' hit - then they log into the system to see if there's anything 'interesting' and 'easy'. If there's nothing easy, they'll move on. Alternately, if you've been specifically targeted by a hacker, nothing you do will really stop them.

More secure group policies - prevent files from 'auto executing' without stronger UAC. Have natted public ports (don't use the common ports). Use VPN. Use clientside server certificates. Disable ALL common account names (admin, user, guest etc). Have a virtual machine to run 'suspect' SW in first, see what happens. Use IP whitelisting/blacklisting, block all IPs based in Russia/Asia by default, open by exception. Update 'hosts' file to block common adware sites. Consider different email accounts for different sites (aliases work well)
  • What's the worst thing you or someone you know has experienced due to a security breach?
Encryption attacks from an unsecured remote desktop service. Years of data (luckily, none of it 'production') lost, never to be recovered.
 
What are your guys' thoughts on: https://haveibeenpwned.com/ ?

Obviously it's a security risk to do what everybody does there, which is enter both usernames and passwords they have used, to check if they have been compromised. But on the other hand the site is very high-profile and the man behind it is very publicly forthcoming, and if he was lying or being sneaky, it would already have been exposed.

Is it worth it for people to use that, or should they just change up their shit if they are concerned enough that they would check that site in the first place?
 
Troy Hunt is very much a good actor if that's what you're wondering.

All that site is doing is comparing your email to a database of compromised accounts and passwords gotten from cracker forums. If you hit, you hit. I tend to go full paranoia and change every password, but that's just me.

@Falsedawn, @King of Fists, @laz0001,

What's the best way to dispose of old computers and hard drives?

Just sanitize any storage media basically.

Hard disk drives: If you plan to reuse or sell them, programs like Parted Magic or Eraser have secure erase functions. I usually use DoD 5220.22-M with 7 passes, but that's overkill. 1 pass (British HMG IS5) is probably enough for most people, 3 if you want to be incredibly sure. If you don't plan to reuse or sell, 9 or 10 holes drilled straight through the platter get the job done just as well. Drill at different levels in the platter, and make sure you're actually hitting the platters and not the disk controller.

SSDs: Use ATA Secure Erase or whatever utility your manufacturer has for a crypto erase. Using normal erasure utilities for HDDs can degrade the drive and leave data untouched. Alternatively, shredders work nice too.

Here's NIST Special Publication 800-88 if you're interested in what our standards are for secure media erasure.
 
@Fawlty

Slight correction, haveibeenpwned only takes emails (as is good practice). If you're putting in your password, you're gonna have a bad time. :rolleyes:
 
There's a password tab also. You're right it's emails, not usernames, but it does have password checking too.
 
Aha, go figure lol. I usually use pseudorandom passwords, so that makes sense that I wouldn't see it. Should be good to use though.
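The exchange above settles that the site does take passwords, but not why that is acceptable to do. The password check (Pwned Passwords) does not receive the password or even its full hash: the client SHA-1 hashes the password, sends only the first five hex characters of the digest to the range endpoint at https://api.pwnedpasswords.com/range/, gets back every suffix in that bucket with a count, and matches the remaining 35 characters locally. The following is an added example, not code from the thread or from the site's operator, that implements that client-side matching; the response body below is constructed to show the format and is not real breach data, and the counts in it are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """SHA-1 the password (the hash Pwned Passwords indexes) and split the
    upper-case hex digest into the 5-char prefix that goes to the API and the
    35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates \\r\\n line endings and blank lines. Padding entries (count 0)
    are kept; they are decoys, so a real suffix never maps to 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    fetch_range(prefix) must return the response body for that 5-char prefix;
    the match against the 35-char suffix happens here, on the client."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over the network. Add-Padding asks the service to pad the
    response with decoy entries so its size does not reveal the bucket."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, which is the prefix of
# SHA-1("password"). Only the line format is real: the count and the other
# two suffixes are made up for this example.
SAMPLE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "0000000000000000000000000000000000A:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ]),
}


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live, returning the constructed body."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    # Swap sample_fetch for fetch_range_live to query the real service.
    for pw in ("password", "Jxq9!vT2m#pLw0zR"):
        print(f"{pw!r}: seen {pwned_count(pw, sample_fetch)} times (sample data)")
```

The service only ever learns a 5-character prefix that is shared by roughly a million different hashes, so it cannot tell which password was being checked. The caveat is that this protects against the lookup service, not against a typo-squatted or phished copy of the form; type the password only into the real site, or run a client like the one above yourself.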
 
Could anti-virus software police each-other? For example, instead of relying on one program you have three of them. Among the outside attacks they'd keep the others on check.
 
Damn. That's somewhere between scary and depressing.
What are your guys' thoughts on: https://haveibeenpwned.com/ ?
Yes. I'd imagine pretty much everyone on this thread, Sherdog and everywhere has had their data leaked. It's pointless worrying about it. The most important thing you can ensure is that you don't use the same password on multiple sites.
Hacking is not done by 'people', it's done by bots. The bots essentially try two things.
- Firstly, reusing credentials leaked through other sites. So, if your Adobe username and password was [email protected] and p@ssword, then the bots will also try logging into iTunes using [email protected] / p@ssword or variations like [email protected] / p@ssword
- Secondly, they try brute forcing usernames and passwords. admin/Welcome1 user/letmein admin / abc123 and millions of other combinations.

So basically - passwords are important. My theory - either use a password manager, or use a 'pattern'. Something obscure, but related to the account you are logging in with. Example - take out the letters from the domain, and add a personal message to it. So your Hotmail password would be "HTML!is!a!7!letter!domain" Just html (from Hotmail) and then is a (number of letters in Hotmail) letter domain separated by !. Apple would be:

"PPL!is!a!5!letter!domain"

It's 20+ characters long, secure, but super easy to remember, even for all the random sites you log into.

What's the best way to dispose of old computers and hard drives?
It depends on what you're looking to dispose of. Just a standard windows FULL format would suffice in 99% of cases.
If you actually have sensitive information on your HDD - you shouldn't be on sherdog asking how to dispose of it. Go find a certified data sanitisation company, or buy some proper software/get a hammer.



FINAL THOUGHTS
A lot of people start looking into really complex security schemes, weird Linux distros with complex network routing, obscure browsers with NOSCRIPT, a VPN, and then continue using Google and Facebook the same as everyone else.

Forget about the hard, complex stuff. Implement the basics correctly. You only need to go beyond that if you actually have data WORTH securing.

HACKING VS ADVERTISING

We've concentrated a lot on security and hacking, but not spoken about advertising. If you use anything from Google, Facebook, and partly Amazon, then finding yourself on haveibeenpwned doesn't really matter.

Google, Facebook doesn't sell products. They sell YOU. Your data, browsing habits. If you don't want to have your data spammed all across the internet, then stop using those services.
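The post above describes the two things login bots do: replay credentials leaked from other sites (one source, many different usernames, mostly failures with the odd success) and brute-force common username/password pairs (one source, one username, nothing but failures). The following is an added example, not code from the poster, showing how a defender tells the two apart in an authentication log and which accounts a stuffing run actually got into. The log format ("timestamp ip user OK|FAIL"), the sample lines and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth log, not real traffic. Assumed format: "<ts> <src ip> <user> <OK|FAIL>".
# 198.51.100.7 is a user mistyping once, 203.0.113.5 replays leaked credentials
# across many accounts, 192.0.2.9 hammers one account with guesses.
SAMPLE_LOG = """\
2019-06-01T10:00:01 198.51.100.7 alice FAIL
2019-06-01T10:00:09 198.51.100.7 alice OK
2019-06-01T10:01:00 203.0.113.5 alice FAIL
2019-06-01T10:01:01 203.0.113.5 bob FAIL
2019-06-01T10:01:02 203.0.113.5 carol FAIL
2019-06-01T10:01:03 203.0.113.5 dave OK
2019-06-01T10:01:04 203.0.113.5 erin FAIL
2019-06-01T10:01:05 203.0.113.5 frank FAIL
2019-06-01T10:01:06 203.0.113.5 grace FAIL
2019-06-01T10:02:00 192.0.2.9 admin FAIL
2019-06-01T10:02:01 192.0.2.9 admin FAIL
2019-06-01T10:02:02 192.0.2.9 admin FAIL
2019-06-01T10:02:03 192.0.2.9 admin FAIL
2019-06-01T10:02:04 192.0.2.9 admin FAIL
2019-06-01T10:02:05 192.0.2.9 admin FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse_auth_log(lines):
    """Yield (ip, user, succeeded) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "OK"


def source_stats(lines) -> dict:
    """Aggregate per source IP: distinct users tried, attempts, failures, users logged into."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": set()})
    for ip, user, ok in parse_auth_log(lines):
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1
    return stats


def classify_sources(lines, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.7) -> dict:
    """Label each source IP as normal, brute-force or credential-stuffing.

    Both attack patterns fail most of the time; what separates them is whether
    the failures are spread over many usernames (stuffing) or one (brute force).
    Thresholds are illustrative and should be tuned to the site's traffic."""
    verdicts = {}
    for ip, s in source_stats(lines).items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
            continue
        fail_ratio = s["failures"] / s["attempts"]
        if fail_ratio < min_fail_ratio:
            verdicts[ip] = "normal"
        elif len(s["users"]) >= min_distinct_users:
            verdicts[ip] = "credential-stuffing"
        else:
            verdicts[ip] = "brute-force"
    return verdicts


def compromised_accounts(lines, **thresholds) -> set:
    """Users whose password worked from a source classified as credential stuffing.

    These are the accounts reusing a leaked password; they need a forced reset
    rather than just a block on the source IP, which the bot will rotate anyway."""
    verdicts = classify_sources(lines, **thresholds)
    stats = source_stats(lines)
    hit = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential-stuffing":
            hit |= stats[ip]["successes"]
    return hit


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, verdict in sorted(classify_sources(lines).items()):
        print(f"{ip:14} {verdict}")
    print("force password reset for:", sorted(compromised_accounts(lines)))
```

The useful output is the set of accounts that succeeded from a stuffing source, because those are exactly the users who reused a leaked password; blocking the source IP alone does not help them, and the bot will come back from another address.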
 
Is PGP encryption still the gold standard for truly secure communication?
 
Could anti-virus software police each-other? For example, instead of relying on one program you have three of them. Among the outside attacks they'd keep the others on check.
Installing one will force you to uninstall the other. Too many cooks in the kitchen.

From what I've read: disable java/javascript/cookies, don't open .exe, .zip and similar email attachments, don't click on disguised email weblinks, use a router because worms won't get forwarded to you.

I have zero faith in businesses where you can guarantee the majority don't know how to safely use the computer and will click phishing email file attachments, etc. and not care.
 