The Entrepreneur Forum | Financial Freedom | Starting a Business | Motivation | Money | Success
Take Your Computer Security Seriously! YOU Are At Risk!

The-J

You on a MAC or PC?

PC, Windows 10.

PCs are more vulnerable than Macs, however Macs are still vulnerable.

Get yourself a brand new phone and brand new laptop exclusively for all activities where money is involved.
Trust me, it's worth it.

100%. You need a burner phone. A burner computer, I hadn't thought of that. It's excellent advice, especially if you do a lot of downloading.

Someone can get you, and all they need to know is your full name and your phone number. With a little bit of social engineering (basically calling your phone provider and claiming to be you), they can have YOUR SIM sent to their house.

Don't believe me? It happened to several Youtubers with over 1M subscribers. One of them is planning to sue Verizon over what happened... however, it wasn't only Verizon that did this.

* Use your phone's internet connection instead of a public wifi whenever you can.

As far as I know, this is safer than using a VPN + public wifi combination.

Public Wifi can never be guaranteed to be safe. If you have the amount of data to support it, then using data is a safer option.

I never do any money transfers or anything like this using my phone's applications.

Just wanted to add: physical security keys. Get one.
 

ilrein

That's quite unfortunate.

But I can already tell you did not treat your computer well. You had tons of random software, most of which, you probably got tricked into downloading, and then you never took the effort to clean your computer. I can slightly empathize, as most decent malware will resist being deleted. But every instance in my life where I was sure I had some illicit software installed on my computer, I went to the ends of the Earth to remove it. Regardless of the initial difficulties designed to prevent such actions. I must have been 12 when I learned about booting into Safe Mode in order to Add/Remove Programs. On Mac, you need to identify which applications are malicious and then
kill -9 PROCESS_ID

Of course, hindsight is 20/20, and I'm sure you beat yourself up more than anyone else would. 1200, all in all, is a pretty inexpensive lesson. Treat your computer like a third arm. There should be no blotches. You should recognize a malign tumour instantly.
 

Ultra Magnus

Thanks for the heads-up, men.

I didn't click "like/thanks" on some of the posts because although valuable, they made me feel uneasy. Especially that con man paying with sheets of blank paper in New York (thank heavens for the fat guy getting out of a BMW i8 thread in the funnies section, did wonders to clear my mind).

It appears that the best course of action for securing online business activities is to get a cheap netbook with a LAN port (for wired connections only), then install Linux and the other apps and safety precautions that posters in this thread recommended. Get all the games, CAD software and everyday use stuff on your proper computer with less hardcore security to protect your sanity. As a matter of course, your business and private bank accounts should also be separate.

A burner phone is a great idea, but it might be a total PITA to pull off in today's world of ubiquitous "anti-terrorist" government spying.

How about TOR for browsing? I'm not much of an expert in computer security, but it makes your device almost untraceable, right? Does that help in terms of not getting your money stolen? I've never used it because it's supposed to make your connection slower.
 

Touseyd

It's so funny I found this thread because I got an email last night that someone tried to hack into my Google Play account. Google stopped the login and I changed my password and my contact phone number. Feeling very paranoid now....
 

amp0193

Did Paypal get 2 step authentication? Because when I tried a few months ago they didn't have it. Which is one of the dumbest, most ignorant, stupid idiotic things NOT to have for an account that literally has full control of my bank account.

I added it yesterday. It prompted me for a security code via text today when I logged in.
 

Doubly_Frank

Wow, this is a great thread! I've taken a keen interest in computer security this year:
  • I've been using a password manager for six months and have my drives protected by BitLocker on Windows and FileVault on Mac.
  • I use a Diceware passphrase for my password manager and have a separate complex, relatively high entropy password for my personal computer.
  • I generally stay away from any site without SSL encryption.
  • Everything that has two-factor authentication available is turned on and I use Touch ID on my 6S for everything that allows it.
  • I have AVG running on all computers at the moment (will likely upgrade to a better program in the near future).
All that said, I think I need to seriously up my game. I have an account (and the application installed) with VyprVPN, but it's not active. I also could do a much better job with encryption. So I guess some next steps for me will be to:
  • Activate and use the VPN (this is a little difficult because I need to find a way to get more money to my US accounts from VN to pay for it).
  • Update and improve the encryption I'm currently using (and increase firewall protection)- I'll need to do some research into this in the near future.
  • Look into running VMs when accessing more sensitive data.
  • Do a focused search on possible backdoors and vulnerabilities in my current set-up.
As much of a risk as there always is- and as important as it is to take all precautions possible- I still feel somewhat safe knowing I've taken the precautions I have so far. Most, if not all, ITT are much more secure than the majority of the general public.
 

VentureVoyager

Great topic. By the way, can you recommend a reliable antivirus for windows that is not as incredibly annoying as most of them? Is there such a thing as an effective antivirus that won't make your life miserable?
 

The-J

It's probably not too hard to be self-employed, but it doesn't seem scalable without having employees.

Any suggestions?

Yea: get employees. Lol

There are several IT contracting companies around. There are also LOTS of software suites that people aren't using correctly.

Basic IT and security infrastructure could be set up by low-level people (I was doing it at 16 for a car dealership, only a year of training from my high school, with an 18 year old and under the guise of a 20 year old). Advanced people could be the consulting arm.

It's easiest to get people who are recent victims of an attack, as they're on high alert. Everyone else doesn't think it'll happen to them.

You could even go real small, to Internet entrepreneurs who are some of the most at-risk people out there. Give them a suite and charge them a consulting fee. (PM me and something something soliciting message $100/hr I'll do it for ya, see my authority with a GOLD thread on the Fastlane Forum + some basic high school training in computer infrastructure and security lol)

I have Herjavec's book with me right now, it's all about sales + sales teams; nothing to do with computer security. He talks more about Dancing with the Stars than computer security.
 

G-Man

This news is a little late.

EQUIFAX, one of the Big 3 credit bureaus, just got hit with a data breach.

If you have ever checked your credit score with Equifax, your data may be compromised. IF you have used Equifax's online systems, your data may be compromised.

Massive Equifax data breach hits 143 million - BBC News

WHAT GOT STOLEN?

It's unclear at the moment, but it includes credit card numbers and personally identifying information. There isn't any evidence that commercial credit reporting has been compromised, but if it has: your business might be at risk.

WHAT DO YOU DO?

If you think your data has been compromised, you may benefit from putting a credit freeze on your account. Call up one of the credit bureaus and request a credit freeze. What this will do is prevent anyone (including yourself) from taking out additional debt in your name.

You may remove this freeze at any time.

https://www.equifaxsecurity2017.com/

Use this site (which is run by Equifax themselves) to check whether or not you have been affected. If you have, you will be provided free credit monitoring by Equifax, with the ability to request a credit freeze.

If your credit card info has been compromised, don't fear. Figure out which credit card you used by giving them a call (just ask for the last 4 digits) and report the card as lost or stolen. You'll get a new one in the mail in about a week or so. If you think you might be in trouble, don't F*cking wait!

If you try to call Equifax today, I guarantee you'll be put on hold and left there for several hours. You're not going to get a hold of a real person very easily just because of the size of this hit. Do it anyway.

NOTE: There is a chance that this hack is bigger than Equifax is willing to say. If that's the case, then we could be talking about an incident of cataclysmic proportions. We could be talking about a hit to the credit reporting system as a whole.

---

I guess I'll use this opportunity to talk about identity theft and how F*cking damaging it could be.

Identity theft is simply the use of someone else's identity in order to get something. Credit, loans, or even using one's name to commit a crime. Typically, identity theft is committed by the friends and family of the victim. However, data breaches are different.

Data breaches are like gold mines for identity fraudsters. Often times, the people who get hit are caught unaware because they don't know that their info has been caught in the breach!

Equifax announces that 209,000 customers were affected, however BBC estimated it could be up to 143 million people. That's more than a third of the population of the US. Is a 1 in 3 coinflip a chance you're willing to take?

If someone knows your legal name, DOB, and your social, they could take out loans in your name ranging from credit cards to mortgages. If they go delinquent, this affects your credit score and it could take years for it to recover (even after you get it all sorted out).

Identity theft insurance might help you, and Equifax is offering this to people affected. However it's not a foolproof solution.

---

Please don't WORRY. ACT. If you think you might be in trouble, go to https://www.equifaxsecurity2017.com/ and check to see if your information has been breached.

Other data breaches have happened recently. Check out "Have I been pwned? Check if your email has been compromised in a data breach" to see if your email has been compromised.

Also read: By signing up on Equifax’s help site, you risk giving up your legal rights
 

eliquid

( Jason Brown )
Since I run a SaaS and I have a family, I have been more and more concerned about privacy not only for myself, but my clients ( freelance, agency, & SERPWoo ).

I've been looking at tools and such for sharing data and files and a lot of them seem cumbersome, having to install a certain app that you also have to pay monthly for. That, or the app is free but cumbersome, maybe it's no longer maintained or you can't view the source to ensure it's solid.

I wanted something I could send my mom and she could easily use for free with apps she might already have. Like Dropbox or some other public file sharing site.

I mean, why can't something be extremely easy and simple with already existing tools almost anyone has or can get easily for free too? Something that isn't a vault but still secure to pass to other people on already existing platforms like Dropbox or Box.com or even Amazon S3? Even just plain email....

So I came up with something that seemed secure enough for me to use until I find something better. Something that I didn't have to worry needed to stay maintained ( like other platforms ) and something that others could view the source of and trust to use.

privacy.zip

The way it works in a nutshell is:

1. You place items in the "base" folder.
2. You click the .bat file
3. You enter in 3 passwords
4. An embedded copy of 7zip archives whatever is in the "base" folder 3 times, each archive has the passwords you put in
5. 7zip password files are AES 256 encrypted
6. You must know all 3 passwords to get the file(s) you encrypted
7. Anything in the "base" folder is deleted now ( the original file ), but even in the "recycle bin" the copy is encrypted too, so no chance of prying eyes.
8. You can now share what you encrypted on Dropbox or some other public file share with another person without much risk of having what you encrypted read by someone else.
9. The other person does not need 7zip. They can open the archive with WinRar or another unzip/zip tool.
10. I'm sure someone can find a flaw. There is a flaw in everything, even paid tools. At least this is free and simple enough my mom can use quickly without more/other software. That was the goal of this.. easy, simple, free


If this works out, I'd like to make it a larger tool set for use by the masses publicly. Right now, it's just a "concept" without having to have a "vault" like other apps.


eliquid

Great idea but why have you never considered tools like VeraCrypt? It's the successor to TrueCrypt which for a long time was probably the most used encryption program to date.
It offers a bunch of different encryption algorithms, as well as tons of other features. It's also free and open-source.

The problem is it's a vault and thus another piece of software the end user has to install, use, and keep on their computer.

Then there is the learning curve with it if they use it for other things instead of JUST opening my files.

 

The-J

Is this still true/valid? xkcd: Password Strength

Sort of, although a brute forcer can narrow a password down to words in the dictionary.

Length = strength, but there's more to strength than length. A password should make the job of a brute forcer as hard as possible. So if you, for some reason, need to memorize a password (maybe it's a master password), you could use a phrase of 4 or more words that are rarely used together and segment each with some additional characters, while also including some capital letters. This increases the character set that a brute forcer needs to use.

So correcthorsebatterystaple becomes Correct2!horse2#battery8%staple (2/28 being the birthday, month and day of someone you know, the other characters being random), bringing the total character count to 36 and more than doubling the amount of characters a brute forcer needs to try.

Even so, there's more to security than a password as passwords can be acquired through other means. Ideally, people shouldn't be able to access your accounts even if they know your password.
 

rogue synthetic

Is this still true/valid? xkcd: Password Strength

That recommendation is very similar to Diceware, though there's less randomness if you just choose a pass-phrase from words you like or think you will remember.

Diceware passphrases are pretty hard to beat if you follow the recommendations. Even if the attacker knows what you're using and tries a brute-force attack they're still facing an astronomical difficulty:

The level of unpredictability of a Diceware passphrase can be easily calculated: each word adds 12.9 bits of entropy to the passphrase (that is, log (base 2) (6^5) bits). Originally, in 1995, Diceware creator Arnold Reinhold considered five words (64 bits) the minimal length needed by average users. However, starting in 2014, Reinhold recommends that at least six words (77 bits) should be used.

This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase. If the attacker has less information, the entropy can be greater than 12.9 bits per word.
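
An added example, not part of the original posts: a Diceware-style generator that reproduces the 12.9 bits-per-word figure quoted above and shows why the word list must be complete for that figure to hold. The word list here is a constructed placeholder and every function name is an assumption of this example; a real list (7776 lines of `NNNNN word`) would be loaded from a file instead.

```python
import itertools
import math
import re
import secrets

DICE_PER_WORD = 5                  # five dice rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries in a Diceware word list
ENTRY = re.compile(r"^([1-6]{5})\s+(\S+)$")


def parse_wordlist(text):
    """Parse 'NNNNN word' lines into {dice_key: word}.

    A short list or repeated words silently lowers the entropy per word
    below log2(7776), so both are rejected rather than tolerated.
    """
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue                       # headers, blank lines, signatures
        key, word = match.groups()
        if key in table:
            raise ValueError(f"duplicate dice key: {key}")
        table[key] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("word list contains duplicate words")
    return table


def roll_key():
    """Simulate five fair dice with the OS CSPRNG (not the random module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(table, n_words=6):
    """Pick n_words independently and uniformly; never re-roll to taste."""
    return " ".join(table[roll_key()] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def equivalent_random_chars(n_words, alphabet_size=94):
    """Length of a uniformly random printable-ASCII password of equal strength."""
    return math.ceil(entropy_bits(n_words) / math.log2(alphabet_size))


def constructed_wordlist():
    """Constructed placeholder list: word0000 .. word7775, one per dice key."""
    keys = itertools.product("123456", repeat=DICE_PER_WORD)
    return "\n".join(f"{''.join(k)}\tword{i:04d}" for i, k in enumerate(keys))


if __name__ == "__main__":
    table = parse_wordlist(constructed_wordlist())
    print("sample passphrase:", generate_passphrase(table))
    for n in (5, 6):
        print(f"{n} words: {entropy_bits(n):.1f} bits, "
              f"same as {equivalent_random_chars(n)} random characters")
```

The entropy figure only holds when the words come from the dice (or a CSPRNG); picking words by hand from the list does not give 12.9 bits each.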
 

Kak

Bump this...

What else is everyone using?

I am going through a big security upgrade. I have been the laziest person on earth about this. I had like 3 reused crappy passwords for 100 different services. I even had a google home (wiretap). I decided I needed to take this way more seriously.

I recently got NordVPN, which I try to use most of the time on browsing devices. When I get fiber soon, I will install Nord on the router.

I use Lastpass to make like 30+ character passwords. I am changing my old 5 year old passwords to these new lastpass passwords as I log into these services.

I force Firefox to forget everything and log me out of everything every time I close it. I use a 2 factor authenticator on several services that allow for it, I am adding more daily as I use them.

I have the regular Windows Defender that comes with 10 Pro.

I switched out my text message app with Signal a while back which is only as good as your network of peers that also have it.
 

GMSI7D

Unless you are not connected to the internet, it is impossible to be absolutely safe.

For example, the NSA can do whatever it wants with your phone and computer because its technology is light years ahead of public technology.

So you should have a second PC with nothing important on it to do business and never visit websites outside your working online.

It means no video game online or things like that.

Only professional things.
 

The-J

Thanks for the wake up call, and I hope your situation gets cleared up quickly.

Unlikely. It seems I'm going to be out for the entire amount. Don't think my stop payment is going to go through. Sucks, but it is what it is.

This caused some added issues, since one of the payments was sent to an inactive account (which I did not remove in time) with a $0 balance.

Since you travel quite often, yes you absolutely need to keep your security top notch. You're a target. A VPN while travelling is a good start.

I have a previous history of losing quite significant amounts of money (much more than J) due to not complying with more advanced security measures.

Is this a story you want to tell? How did that happen?

A Linux machine for online banking sounds like it's the way to go. There's so many routes someone can take into your computer, it's quite frightening.
 

Gary

I didn't think it would happen to me.

...

3) Different, and strong, passwords for every single site you use. 16 characters minimum. Seriously. Brute forcing is no joke, especially on sites where they allow unlimited login tries. Not only that, they must be different so you're not caught with your pants down if a website's database gets leaked.

4) A way so you don't have to TYPE those passwords. Keyloggers are a bitch, and will steal your passwords, your credit card info, and more, right as you're typing them. You can use an encrypted Notepad file stored on the cloud (not the safest thing in the world, because your clipboard could be at risk too), or you can use a password manager like Lastpass or KeePass. Password managers are excellent, because (1) you don't have to type passwords for every site you use, and (2) they're encrypted with a master password as your key. There's also programs like KeyScrambler which are reported to be pretty good.

...

As a LastPass user, I still hadn't created a new strong, random 16 character password for PayPal; I was still using the same one I've had for the last year. Thank you for the alert. I just updated my Paypal password with the LastPass engine.
 


jmusic

I'm surprised that no one has yet mentioned using BitCoin for paying for the VPN. I actually do NOT use LastPass for financial sites (though I need to update/upgrade those passwords) because to me LastPass itself seems like an extremely attractive target for hackers.

I've been considering moving to Linux (or maybe BSD) wholesale for my web development stuff and other coding that I'm getting into, and after reading this thread I will proceed with a dual boot (there are a few Windows apps that do not have acceptable substitutes for me and don't run properly when virtualized).

Things to think about:
1. Full disk encryption (including Linux swap partitions) for both Linux and Windows.
2. VM within Linux with all the IDEs installed (I suspect those could present large security holes).
3. Root Linux partition should be ultra secure with general purpose stuff virtualized.

Virtualization is also NOT a holy grail:

VUPEN Method Breaks Out of Virtual Machine to Attack Hosts | SecurityWeek.Com

Similar to Qubes, you can use virtual machines to containerize your activities. If you are a gamer who downloads a lot of risky "mods", you could do your banking/shopping inside a VM. Your games would still run fast, but your private data would be somewhat safe. If you just browse high-risk sites (*cough* pornhub *cough*), you could do that inside a VM. Qubes uses Linux Containers for everything.

Bad idea. Your root OS could have a keylogger and any passwords you enter into your high security VM could still be logged.

Edit: Also, the brand of computer matters...

Spy agencies ban on Lenovo PCs due to backdoor vulnerabilities
 

Ninjakid

Yup, and a huge market with tons of opportunity.

Web design and development has gotten a ton of attention in recent years, but cybersecurity is an extraordinarily valuable field which sometimes gets overlooked. Yet large firms such as Google and Facebook will pay mountains of cash to anyone who will help keep their data secure.
 

journeyman

Very useful thread.
I recently realized how unsafe public hotspots are and purchased a VPN subscription. The reduced speed sucks but safety above all... I even keep it on in my home connection now that I got used to it.

Also since I used the same passwords over and over, I decided to move to 1Password Manager. It took me absolute ages to move all my stored passwords there and create new, random ones but it was worth it. It really is a great service, by remembering just one password you are set.
 

LiveEntrepreneur

Best thing to do is store it on paper, let's see them hack that lol. I am generally pretty good with computers, don't need an antivirus software even though I got one, but I should probably upgrade my security more.
 

LiveEntrepreneur

Great topic. By the way, can you recommend a reliable antivirus for windows that is not as incredibly annoying as most of them? Is there such a thing as an effective antivirus that won't make your life miserable?
Also have Malwarebytes as a backup or HitmanPro. If you can't log in normally, go through safe mode with networking so you can update the software, then run a scan.
 

ddzc

I need to stop procrastinating with this, I still have my pwds in a notepad. Thanks again for the reminder. I did recently lock my hdd down with BitLocker, highly recommended. For pwd, I know KeePass is widely used, even with big corporations. I might also purchase a secondary # with voipms and use it for two factor authentication.
 

Bulgano

I need to point out you might need to edit the .bat file a bit more. I left the path to my install hard coded in there in more than 1 spot. But then again, this is just a concept right now.

So for the 3 passwords, there are multiple reasons:
  • A lot of people want to say only 1 password is needed if it's strong and secure. You know, those 84+ char. type passwords. If I zipped up a file and it had a 84+ char password and then I sent that file to my mom/client/journalist/lay tech person in TXT on cell phone or on a sheet of paper, you know how hard that is going to be to type manually on their desktop to unlock the file? It's gonna be a pain. My eyes cross at like the 10th char and I second guess myself what the last char was. I couldn't imagine doing that with 84+

    So I decided instead of 1 strong password of long length, 3 shorter passwords would do. Even at 16 char, you're talking a lot of computer power taking many years to crack. 3 shorter passwords would help with ease and simplicity.. a goal of this project.

  • When other people encrypt the files to send off, it may be a lay tech person who creates them. They put in a 8-16 char password and it's "abcdef123456789". That's not gonna fly well for security, right? Easily cracked. However, now there are 2 more the hacker has to deal with that could be slightly better or stronger that could take a lot of computing power to crack and years. They might crack one, but possibly not the other 2. This is why I put in 3.. a bit better security in case the lay tech user has 1 or 2 weak passwords.. there will still be some security hopefully left.

    Think about it, if your customers use the same password for everything, the hacker might already know that password and that could be the first password the customers used for one of the archives. Now the hacker would need to figure out the other 2 still. Unless your customer just uses the same password 3 times, well there is not much that can be done other than for one of the archives to have an automatic password generated which I might add in to a later version.

  • I thought about just 2 passwords. Since I couldn't do a 2FA after the 1st password ( like websites ), I thought I'd do 2 passwords back to back. When I accepted that would be good, I thought 3 would be even better for no real specific reason other than it might piss off a hacker if they actually did crack the first 2. Past 3 ( going into 4+ ), I thought it would just be a damn pain for the end user. 3 was just a good number it seemed to stay simple, but also secure.

The best way I use it, is to store files on Dropbox or S3. I deal with a lot of my customers data and I don't want it exposed when transferring or having it available.

Sometimes I also need to keep my very personal data on Dropbox ( like my bank info, credit cards, or drivers lic when I am traveling ) and I like knowing I can access it easily on Dropbox while it is still secure if needed in an emergency.

In regards to the first quote, 84 chars is overkill. Last I heard it's universally accepted that 16 with lower, upper, symbols, and numbers is a good minimum and going higher slowly depreciates ineffectiveness. That is if we are talking in terms of brute-forcing.
If we are, then to crack the password "37OVrmm7x!5@iN2o", it would take; "420805123888006 years, 6 months" estimated.

If we are talking about anything else, then I guess it complicates things. The main way accounts get hacked is via combination bruting.
AKA a hacker has a huge list of usernames and a huge list of passwords (generally sourced from website database dumps), and they bruteforce the combinations rather than every character of a password for 1 user.

Not sure how much of what I just said is useful or applies here, but guess it's still a bit of good knowledge to know at the end of the day. :)
 