Take Your Computer Security Seriously! YOU Are At Risk!

[ljb7]

If it can happen to John Mcafee it can happen to anyone

View: https://youtu.be/N-h9ptiCXBU

McAfee is a pos. Would not believe a word he says

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[JAVB]

I didn't think it would happen to me.

A few days ago, I woke up with about ~$1200 USD (in different currencies) taken from various bank accounts via Paypal transactions I didn't make.

Upon calling Paypal to rectify the solution, they told me that those transactions were properly authorized by me, from my computer (!), from my IP address.

That's impossible, I said. I wouldn't do that. I would know!

"Sorry, you're out of luck. Call your bank and have them stop the transactions. That's all you can do."

I kept saying "f*ck Paypal" over and over, until I realized what had happened.

My computer was hacked.

I'm not quite sure how they did it. It could have been a banking trojan. Or a remote access backdoor into my computer. Or they had my password and simply spoofed both my MAC and IP addresses. Could have been a botnet, too. I don't know.

All I know, is that I was vulnerable... and they got me.

It's not Paypal's fault, and Paypal isn't responsible. It's my fault, and I'm responsible.

After several virus scans with different software, I found out that I was, indeed, infected.

I could still be infected right now. I don't know. Many viruses and backdoors remain undetected, and they could be on your computer right now.

Yes, YOU are at risk.

I was lucky that all they took was $1200. They could have cleaned me out. And, after calling my bank, I might only stand to lose $300. Time will tell.

You, however, might not be so lucky.

I took several hours to watch Youtube videos, read articles, and scour interviews with security professionals and experts to figure out 2 things: (1) Why did this happen to me, and (2) How can I make sure it doesn't happen again?

Well, the answer to the first question was clear. It happened to me because I was an easy target. My computer was on overnight. I hadn't run a virus scan in months. And, worst of all, I did not have the proper security on my Paypal account.

The second question weighed heavily on my mind, though, and after some searches I found a lot of 'duh, common sense' kind of answers. I quickly figured out that even though I thought it was common sense, I was not following those rules.

My passwords sucked, and were shared among many sites (remind me to change my FLF password too). I didn't have 2 factor authentication on anything (even my Paypal! I thought I did, but I did not.) I wasn't paying attention to what I was downloading.

So, if you think you're not an idiot, let me run you through a checklist of things you must have.

1) An active antivirus. Yes, that includes you, Mac users. (Linux users, you're pretty much fine.) That should be on your phone, too.

2) 2 factor authentication, on everything that supports it. If you have a spare phone that you can use for it (that you don't give to anyone and, preferably, is not connected to your name), then that should be your 2FA phone. (Two factor authentication would have been my saving grace in the Paypal situation, but it wont always be.) Google Authenticator is also an awesome tool.

3) Different, and strong, passwords for every single site you use. 16 characters minimum. Seriously. Brute forcing is no joke, especially on sites where they allow unlimited login tries. Not only that, they must be different so you're not caught with your pants down if a website's database gets leaked.

4) A way so you don't have to TYPE those passwords. Keyloggers are a bitch, and will steal your passwords, your credit card info, and more, right as your typing them. You can use an encrypted Notepad file stored on the cloud (not the safest thing in the world, because your clipboard could be at risk too), or you can use a password manager like Lastpass or KeePass. Password managers are excellent, because (1) you don't have to type passwords for every site you use, and (2) they're encrypted with a master password as your key. There's also programs like KeyScrambler which are reported to be pretty good.

5) An active firewall on both your computer and your router. Yes, firewalls for routers are different than firewalls for computers, and you should have both.

6) A secure autofill program for when you need to enter your credit card or Paypal info. Lastpass does this pretty well. Preferably, this autofill should be protected by a password (again, Lastpass does this pretty well).

7) A strong password on your computer, and, preferably, a 2nd factor (like a biometric scan or a phone/USB unlock) for your computer. (Also, keep your computer OFF when not using it, and preferably, disconnect it from power so it can't turn on without your control!)

8) As many backdoors closed as possible. Some backdoors on Windows computers include Universal Plug n Play, Teamviewer, and allowing remote access protocols. I understand TeamViewer is an important tool; however, it should not ever be running when you're not using it.

After speaking with some people, I also found out that it's very, very likely to get hacked while travelling. Hotel Wifi, Starbucks Wifi, plane Wifi, all of these networks are often more vulnerable than you think! For your safety, use a VPN while travelling. HideMyAss is a popular one. There are several others. You could even make your own, if you wanted.

However, keep in mind: even while following these tips, you could still be vulnerable. People can spoof your phone so they can get into your 2 factor sites. People can take advantage of database breaches and steal your login info. Hackers are always coming up with new ways to steal info and money. (There are also more tips that might help, so please, feel free to add anything! I'm not a computer expert!)

Your job, though, is to lower the likelihood of something ever happening to you. There is no magic armor, but you could at least be wearing a bulletproof vest.

Protect your a$$.

To you list I'd add installing, learning, and heavily using a password manager... something like LastPass or 1Password.

Unfortunately, being a bit sophisticated when it comes to cybersecurity takes effort, learning, and a bit of extra work.... and I say unfortunately because as long as this is the case, there will always be people that, even knowing all this, will be lazy enough not to do it... taking a huge risk.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Consolation]

Went through this thread so many times. Instead of taking any preventive measures, I bashed it off:

"Nah. It won't be me".
"BS. I'm a power user."
"Screw all this victims."

Now, I have to start my 2k Likes Facebook Page from scratch.

 

[tommyz7]

Posts here are quite old but I wonder if any of you guys would consider crypto as a solution. Hear me out.

Long story short:
You can use a hardware wallet with USD stable coin and spend money directly from that wallet. This separates money management from your computer and removes the risk of viruses, unauthorized transactions etc.

I wonder if all website accepted crypto USD as they accept CC payments, would you guys use it for its superior security? Would you guys pay with USD using the crypto wallet in day to day life?


Long story for those not familiar with crypto.

The device - let's call it a wallet

You can connect it to your phone or computer with Bluetooth. It works right away like a headset.

How do I transfer USD to my wallet?
Ask someone to send you USD directly from their wallet. Alternatively, you can go to currency exchange like Uphold and exchange your bank USD to digital USD. and transfer USD to your wallet. This process is like going to ATM and depositing cash into your account, only digital. From now on, you are the only person in the world that can access and spend this money. I mean it, no hacker, no bank, no government can take it. They really can't, I know because they tried many times already

How can I spend the money?**
You go to any website and do your shopping as usual. At checkout, you connect your wallet to your computer. A payment request will be automatically sent to your wallet, check the amount, and confirm if everything is ok. That's it, paid, done.

What if I have a Virus on my computer?
The approval process happens inside the device so even if you have a virus on your computer, it cannot pull your key from the device. It's never recommended but you can use it on a computer with a virus present with no worries.

What if someone steals my wallet like they do with Credit Cards?
With this particular wallet, it's impossible as your wallet key is stored on the device itself and it never leaves it. It's never sent to a merchant nor to your computer so there is nothing to steal. Without that key, your money cannot be accessed.

What if I lose my wallet?
When you start the wallet for the first time, you need to write down 12 random words that the wallet generates for you. This is your way to recover the wallet if you lose a physical device. Keep them on paper in a safe place just in case! Remember, on paper, it's impossible to hack paper

No 2 factor authentication?
The wallet itself is already 2 factor authenticator itself. Forget SMS, emails. It's already proven you can hack accounts even with 2FA enabled so why bother.

What about passwords?
Ahh, passwords, forget about passwords, you no longer need them. You can set a PIN for your wallet if you want, tho.

It's all already available except spending.
**that part is still missing from the puzzle.

Again, I wonder if all website accepted crypto USD as they accept CC payments, would you guys use it for its superior security? Would you guys pay with USD using the crypto wallet in day to day life?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Guest84834]

Thankfully I use linux and don't execute shitty EXEs from Unknown sites.
If you really want security while travelling, buy a USB. Fine, if you already have one. Install TAILS on your usb and boot to it. Don't use any personal info while travelling. Only use Firefox for personal credentials. Use Tor for non sensitive things. These are all built in inside TAILS. TAILS changes your IP so that it won't be possible to trace back to you (except the ISP can see if you are using VPN or TOR). Use VPN if you want your hardearned cash to go down the drain. Always use open source software. Don't visit HTTP only sites. If you want a really good password manger, there are only two: Keepass or Bitwarden. Bitwarden is simple to use. If you are using Lastpass or any other stupid managers, you can simply export your passwords in a csv file and import it into Bitwarden. You can keep both lastpass and bitwarden. If you use bitcoin for purchases, use Electrum wallet - also built in app inside TAILS.

Quit Windows. It's is the source of all computer-borne illnesses. Install linux. Like right now.
Go here :

Fedora Linux

An innovative platform for hardware, clouds, and containers, built with love by you.

getfedora.org

Install fedora workstation
Read the freaking documentation.
Don't follow youtube videos.


Double check if you are at the right sites. Bookmark all the sites you use, and don't use search to find a website. Example, you know that you are on the original paypal site if you see the bookmarked icon. Aside from that. Just use common sense.

EDIT: Don't use antivirus. Does more harm than good.

 

[EmotionEngine]

EDIT: Don't use antivirus. Does more harm than good.

I'll have to disagree with that and I've worked in tech for large companies 20 years. It really depends on what software you're using.

 

[I Am I Said]

I can already tell you did not treat your computer well. You had tons of random software, most of which, you probably got tricked into downloading, and then you never took the effort to clean your computer.

nonsense.

consider this, just happened on my network.

We lock everything up very tight, users have no admin rights on their PCs, constant virus scans, no software unapproved, etc.

But we're a very good target. Busy, profitable, just big enough, privately owned, growing fast, etc. Being targeted trumps every possible precaution.

Our A/R user got email-bombed. Over 1000 spam in 2 minutes. One OCD IT technician (beyond reproach: he part owns the business) went through every email and found the one that was being hidden: a confirmation from a customer that they had received our instructions to change banking information.

Obviously, we never sent the email they were confirming receipt of.

Scanning email headers revealed that the spoofed address was one character different than our domain. That domain was registered in Vietnam 5 months ago. It's unique enough to be useful for no other purpose.

We have mfa on every MS365 account. Our A/R user went back and checked every login. Nothing strange. We checked MS365 logs. Surprise! They were disabled a few days earlier.

Conclusion: despite excellent practices, mfa, all kinds of precautions, somebody got into our MS365 account. Then they monitored our email, and chose a customer - or more, we're still investigating - and brute-forced THEIR email, and spoofed an email from us, 30 minutes after we sent our banking info.

Here's the thing: neither my user nor my customer are capable of installing software on their computers. We use mfa. Customer doesn't, and didn't have a good password - but they were targeted BECAUSE we were targeted.

And then I read this:

MFA Bypass PSA - Phish Kits Are Evolving | Proofpoint US

As multi-factor authentication becomes a standard practice, phish kits are evolving. Proofpoint breaks down how these phish kits are used to bypass MFA.

www.proofpoint.com

We're still investigating, but it looks like this is how they got us.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[vladikcm]

Try Bitwarden for password management. It is free and Open Source. Great post!

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[MattL]

I think it is a little like covid, everyone will get hacked at some point. To make it harder you need better passwords AND 2FA for sure.

Now for the kicker - who has access to your 'digital estate' when you die?

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.
- John Chambers, Cisco's CEO

Another good tip is to change the username or email account instead of focusing on passwords. For important stuff, have one email account that you don't use for anything else. Just sign up for that one service with it and then leave it be.

 

[ilrein]

I've fixed countless computers. I've removed tons of viruses. I did this shit for money back in high school, and I still got caught unaware.

Many zero-day threats remain undetected for some time. You are not immune. No one is.

I actually did not have tons of random software. I don't install much software. I don't do a lot of Internet piracy (not like I used to). I don't have a single cracked program on my computer, not a single keygen, nothing of the sort.

I don't play very many online games. The only programs I use on a regular basis are Skype, Office programs, Chrome, and Slack.

There's not a single Task Manager process currently running that I do not recognize.

I'll likely end up doing a clean install on this computer.

I really don't know what you're trying to prove with your post?

Truthfully, this would be the first instance of such an occurrence I've heard where the end user has a reasonable amount of security awareness. A bit scary, I suppose.

 

[OldFaithful]

the NSA can do whatever it wants with your phone and computer because its technology is light years ahead of public technology.

I think you've seen too many movies...

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[amp0193]

@The-J or anyone else:

In light of this discussion, does anyone know of a good service/program of storing customer CC info? I have retailers who pay for orders over the phone. I input their info directly into the Shopify payment processor. Shopify doesn't save their info for future use, encrypted or otherwise. I don't want to keep a file of this info on my computer, for obvious reasons.

What's a good solution people are using?

 

[SweetTooth]

Did Paypal get 2 step authentication? Because when I tried a few months ago they didn't have it. Which is one of the dumbest, most ignorant, stupid idiotic things NOT to have for an account that literally has full control of my bank account.

 

[SweetTooth]

@The-J or anyone else:

In light of this discussion, does anyone know of a good service/program of storing customer CC info? I have retailers who pay for orders over the phone. I input their info directly into the Shopify payment processor. Shopify doesn't save their info for future use, encrypted or otherwise. I don't want to keep a file of this info on my computer, for obvious reasons.

What's a good solution people are using?

Stripe supposedly has something like this that destroys Paypal.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Sanj Modha]

What about Mac users? Is it the same level of risk for us and what can we do?

Thanks.

 

[TheNextTrump]

Yup, and a huge market with tons of opportunity.

I couldn't agree more, and if I can come up with a pursuable solution, I'm diving in.

It's been a growing concern of mine, and while taking the steps I felt were "safe enough" (which weren't nearly enough)
I can't tell you how many times I thought "why is this still such a major issue in 2016?"

Were damn near, fully converted to digital currency using (cards, internet banking, paypal, shopping online etc) yet when it comes to safety and securing those funds its like the wild wild west.

 

[daru]

So there is a potential market for a banking only super secure computer? Should be doable with something like beaglebone black and OpenBSD pretty cheap but very robust. Altough somewhat slow but in this case it's actually a good thing so that you don't start using that machine for other stuff online.

For "better" passwords: xkcd: Password Strength

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[VentureVoyager]

@SquatchMan thank you for this recommendation. I think I will buy it.
How about VPNs? There's so many I have no idea which to chose. Are some of them faster than others while granting the same level of security?

 

[lowtek]

damn, I've been pwnt.

Going to change my passwords. Moving to a new system of:

Core Phrase + site name

Where the core phrase contains 3 - 4 highly uncommon words and a special character in an unusual position ( i.e. not substituting a @ for an "a" )

And also, I switched to Linux months ago .... so viruses are a much smaller concern.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Gray Blimp]

What does everyone recommend for PC backup services?

 

[eliquid]

What does everyone recommend for PC backup services?

I was using CrashPlan a long time ago, had like a 5 year plan with them. When it expired I didn't renew up.

I am looking into BackBlaze atm though. Very cheap and highly recommended.

I am also using a version of BitSync ( now known as resilio.com ) to do "backups" in a dropbox type fashion for certain files I want on different computers. but not in the cloud.

 

[The-J]

NOTE: Canadian and UK customers may be affected too

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[G-Man]

Has anyone here invested in ID theft insurance? Opinions?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[The-J]

If you're an Equifax customer, you may be entitled to a cash settlement due to the breach.

If you're not an Equifax customer... you still may be entitled to a cash settlement.

The arbitration clause mentioned earlier is bullshit as this is obviously Equifax's fault.

Baltimore law firm leads class-action lawsuit against Equifax

Keep in mind that this story is still developing. This could be one of the biggest stories of the century (or it'll fizzle out in favor of what Trump did at Mar-a-lago... smh)

It could change the face of credit reporting.

 

[The-J]

Experian Site Can Give Anyone Your Credit Freeze PIN — Krebs on Security

This is a different level of incompetence. It's systematic incompetence. You absolutely, positively, CANNOT trust anyone but your own a$$.

What's insane is that we never actually trusted these companies (TU, Eq, Ex) with our information. We trusted our BANKS and everyone else to trust the right people. Next thing you know, your bank is gonna have a huge data breach.

And let's not even get into social engineering and the possibilities behind that. Do you really think some schmo making $10/hr REALLY gives a F*ck about the sensitive information that you dictate to him over the phone? F*ck no.

I don't wanna live on this planet sometimes.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[eliquid]

I should point out that in the batch file ( .bat )

Line 21 I have this setup as "C:\Encrypt\"

If you uninstall this elsewhere on your system, you have to change that line. Users you send the file to will not have to do anything.

Next version I will put in code to detect/use without a direct folder path

 

[The-J]

@eliquid why 3 passwords?

I love the concept. I'll give it a go. Maybe I can use it for some of my clients.

You know what's funny now that you mention it? My clients have such shit security. Their passwords are almost always the same for everything, and they're so bad. I don't wanna school them on security but I feel like I should.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Bulgano]

Since I run a SaaS and I have a family, I have been more and more concerned about privacy not only for myself, but my clients ( freelance, agency, & SERPWoo ).

I've been looking at tools and such for sharing data and files and lot of them seem cumbersome having to install a certain app that you also have to pay monthly for. That ,or the app is free but cumbersome, maybe it's no longer maintained or you can't view the source to ensure its solid.

I wanted something I could send my mom and she could easily use for free with apps she might already have. Like Dropbox or some other public file sharing site.

I mean, why can't something be extremely easy and simple with already existing tools almost anyone has or can get easily for free too? Something that isn't a vault but still secure to pass to other people on already existing platforms like Dropbox or Box.com or even Amazon S3? Even just plain email....

So I came up with something that seemed secure enough for me to use until I find something better. Something that I didn't have to worry needed to stay maintained ( like other platforms ) and something that others could view the source of and trust to use.

privacy.zip

The way it works in a nutshell is:

1. You place items in the "base" folder.
2. You click the .bat file
3. You enter in 3 passwords
4. An embedded copy of 7zip archives whatever is in the "base" folder 3 times, each archive has the passwords you put in
5. 7zip password files are AES 256 encrypted
6. You must know all 3 passwords to get the file(s) you encrypted
7. Anything in the "base" folder is deleted now ( the original file ), but even in the "recycle bin" the copy is encrypted too, so no chance of prying eyes.
8. You can now share what you encrypted on Dropbox or some other public file share with another person without much risk of having what you encrypted read by someone else.
9. The other person does not need 7zip. They can open the archive with WinRar or another unzip/zip tool.
10. I'm sure someone can find a flaw. There is a flaw in everything, even paid tools. At least this is free and simple enough my mom can use quickly without more/other software. That was the goal of this.. easy, simple, free


If this works out, I'd like to make it a larger tool set for use by the masses publically. Right now, its just a "concept" without having to have a "vault" like other apps.

.

Great idea but why have you never considered tools like VeraCrypt? It's the successor to TrueCrypt which for a long time was probably the most used encryption program to date.
It offers a bunch of different encryption algorithms, as well as tons of other features. It's also free and open-source.

 

[eliquid]

I decided to implement a new password system into the product though ( haven't implement yet ) that should eliminate user error and using of simple passwords.

 

[daru]

Is this still true/valid? xkcd: Password Strength

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.