How Accounts Get Hacked & How to Protect Yourself

Please use this forum to ask our resident IT geeks advice.
Post Reply
User avatar
VTRDark
Posts: 20010
Joined: Sun Mar 18, 2012 9:24 pm

How Accounts Get Hacked & How to Protect Yourself

Post by VTRDark »

OK folks after recent events with a fellow forum members eBay account being hacked a lot of you are probably wondering how this happens, no this is not a How To Guide to Hacking :lol: that would be irresponsible of me. This is a story of how a Journalists digital life got turned upside down by a hacker in the space of 1hour, and being a journalist he decided to publish his experience.

More on that later I promise, first of all….

The Why’s and How's of Creating a Good Solid Password

Image

Hopefully we can all learn something from this. A lot of people don't take their online security seriously enough for various reasons. Mostly because they don't understand the technology and the consequences that can occur from things like weak passwords and/or put too much trust into the site/company they are registering with. How many people use the same or similar password for most of their accounts. How many people use some form of password that contains info that can be sourced from elsewhere, possibly from public records. Things like your name, date of birth, children's name, wife or other family members name, even your pets name are all weak passwords. Any password that contains only letters or numbers or contains any dictionary words can be broken under a brute force and/or dictionary attack. There are automated software's that can do this quicker than you may think, depending on how many characters the password consists of and the computing power a hacker has at hand. Having a good solid password is the first step in your online security.

The best password would consist of a minimum of 8 characters and be made up of mumbo jumbo/nonsense, total gobbledygook, a combination of letters and numbers should be used along with some symbols. Beware that some symbols cannot be used as they clash with server file systems/scripts. Stay away from the following symbols " / \ [ ] : ; | = , + * ? < > (note this is also good practice for naming files locally on your computer), use a combination of alphanumeric strings consisting of upper-case and lower-case letters, numbers and throw in the odd symbol here and there and don’t leave any spaces. By now you are most likely wondering “but how do I remember my passwords” Well, there are various ways to go about this. There are password software's/safes on the market that can be used to store and access passwords or ultimately the best and most convenient way is to come up with your own system where you keep these passwords safe in your own head. Lets eliminate having to put our trust in a third party as our extra layer of security. I shall start with your own random access memory in your head. The key here is to use something that can easily be remembered, so one method is to take a line or sentence from a favourite song, book, poem, pretty much anything you won’t forget. You could even use with the name of the site you're registering with if suitable and it helps you remember. For our example I shall start with Follow the Yellow Brick Road. I should also add that this is only an example that I am thinking of on the fly, off the top of my head as I write this, this is not a password that is or should be actively used.

So method one, so far we have Follow the Yellow Brick Road I shall also add The Wonderful Wizard of Oz because because because because because…….at first glance I noted that Follow the Yellow Brick Road is a little short to work with. Now lets start breaking this down and converting this into a secure password. Take Follow the Yellow Brick Road and start converting this by taking the first letter from each word so we then end up with the following FtYBR I already have some capitals in there so I have left them, and now lets take The Wonderful Wizard of Oz so we have TWWoO. So far we have FtYBRTWWoO This is not a bad password but can be improved upon greatly. So lets take this further by converting some of the letters to numbers and symbols. First off I shall add an underscore between the two for convenience as it divides the two sentences up FtYBR_TWWoO, I will also convert the W (Wonderful) to the number 1 as it sounds right and also I don’t like to have the same two characters alongside each other like that. If a brute force dictionary attack is being run it won’t take long to find the next letter in the sequence when they are both the same. So far we have the following FtYBR_T1WoO, I’m also going to remove the oO as this is a little messy and I may want to add something else to the end, so we have FtYBR_T1W (Follow the Yellow Brick Road The Wonderful Wizard). We are getting there now but I would like to throw another symbol in there somewhere and have a few more lower-case letters. I shall keep the upper-case F as this is the beginning of the sentence and I shall keep the Y as this is the name of a colour and it would normally be capitalised if writing good English. So lets see what we have now FtYbr_T1w On second thoughts, I shall add the oO (of Oz) back in and convert the capital O to a closing bracket, as previously said I don’t like two the same alongside each other and as the closing bracket is close to the o on a QUERTY keyboard it keeps things simple and makes it more difficult for anyone peering over your shoulder to see what you have typed. We now have FtYbr_T1wo) a very secure password. And best of all you are not having to rely and put your trust on a third party software for storing it in and it will travel with you everywhere.

There are some really easy ways to remember some words and characters, for example if you happen to have the word ate, as in eat, in your sentence then this could be changed to the number 8, if you have one, as in, the one and only, this could be changed to the number 1, to or too could be changed to 2, at could quite simply be the @ symbol, though I prefer to stay away from the @ symbol as some sites won’t allow the use of this. sea or see could be the letter C, the letter O could be changed to a zero ( 0 ), you could be U, negative could be -, and could be replaced with an ampersand ( & ) etc. This I guess is easy for the younger generation as it is similar to text talk. Or you could go with even more obscure ways of doing things like sleep could be changed to Zzz as in snoring/sleeping. Anyway you get the idea. The main thing is that you remember your original sentence, this makes the connections in the brain like someone that can remember playing cards when shown a whole bunch of them one after the other. They visualise things, take themselves on a trip, an imaginative dream if you like in their own head. For those of you that remember, this tactic is perfect for the Generation Game if you Play Your Cards Right. What you don’t want is a Blankety Blank, it don’t take a Mastermind.

I would advice using the above method for you're really important passwords where security is absolutely vital and for passwords you need to have with you while travelling around. There may times when you don’t have a computer and want to use a friends computer or a cybercafe. I would also advice this method for any master passwords you create for a password manger software.


Password Managers

Image

Lets move on to method two. Password managers, softwares that lock your passwords inside an encrypted safe. As you most likely know it can become more difficult to manage various passwords in the modern day digital age and one could soon have many various passwords for different uses. You could have one password for everything but this is not good practice. What happens if that one password then gets compromised by a hacker. They then have access to all your accounts which is not a good situation to be in. Password managers have they pro’s and con’s and vary from software to software with some being better than others. I can’t really comment on them all individually as there are far too many and I have not tried them all, but what I can do is explain the common features amongst them including encryption. Some password managers have a more secure, harder to break encryption than others.

Right, shall we start with the encryption as this in my opinion is the most important feature in all of them. Most of you will have heard the term data encryption but wonder exactly what it is and/or understand it. So I shall try and explain the basis of it. Encryption comes from cryptography which involves the coding and decoding of messages for the purpose of protecting it’s contents by hiding the true message. Modern computer technology has taken this to another level with very complex mathematical algorithms. To gain access to this data one needs the key or in this case with password managers it would be your master password. Think of the password manger as being the safe and your master password the key to gain access to it. By unlocking the safe it is also decrypting the data within it so it can be accessed. The software will automatically encrypt the contents in the safe as it is locked securely back up.

I can’t really go into detail on the various different kinds of encryption here as first of all it would turn this write up into another subject altogether. It’s far too deep a subject to go into detail and to be honest I would struggle as some of it is beyond me. And second I would have to start with the science of how computers work and data is written for you to understand it. What I will say is that the more bits as in 8 bit, 16 bit, 32 bit, 64 bit and so on, right up to 2048 bit encryption (at this present time) that are used, the more complex the encryption and the harder to crack, or if you prefer to go back to the days of cryptography the harder to decode. In the case of password manager software's 512 bit would most likely be the highest but 128 bit or 256 bit is more than enough for these purposes. Personally I would try and stay away from anything under 256 bit encryption.

The following PDF’s will give you an idea of the security levels of popular password managers available, but I warn you now they are technical.

“Secure Password Managers” and “Military ... - Elcomsoft

The Security of Password Manager Database Formats

Shall we move on then, lets talk about some of the popular features amongst password managers. With the increase of having passwords for various websites there is a trend for password managers to include a plug-in that links directly to you web browser. This has it’s pro’s and cons like everything. For the pro’s its convenience as when you register with a site you can automatically store your details/data within the software and access this data automatically. Some can even create a secure password for you and also allow the storage of other details, not just passwords but user names, addresses, credit card details or pretty much anything that you require. The cons to this are that your password manager is linked to your browser and a lot of the time unlocked unless you are constantly locking and unlocking all the time and only accessing the data as and when you need it. Your probably "thinking what’s bad about this". Well, your browser is an open doorway to the outside world, it would be like stepping outside your front door and walking down the road with an open safe in you hands full of valuables. The same principle applies to a browsers built in facility for storing passwords, only this is far worse as often a browsers built in password manager is constantly open while browsing and stored either unencrypted and/or with a weak encryption and stored in a file locally on your machine. If your machine gets hacked or stolen then this data is then easily accessible.

Some password managers will install items within your main system files (the same as some browsers actually) this is not the most secure solution as it can lead to a back-door into your password manager. Yes, it does have a lock with everything inside encrypted but what if it’s unlocked and your machine happens to, without your knowledge been hacked and the hacker has remote access. By remote access I mean the hacker has an invisible control behind the scenes over the network and can pretty much wander around looking at things depending on how deep the hacker has got into your system. They may have even installed malware which is a malicious software to help them achieve this. The more secure password managers are the ones that are an independent application and don’t require the use of anything within your system for them to operate. Your probably wondering how they get onto your network. Well, your network is only ever as secure as you router, which brings me onto the next section.


Network Router/Modems

Image

Your router is the main gateway into your local area network (LAN) where you could have multiple different devices connected. This could be Computers (desktops and laptops), Tablets, Mobile Phones, Games Stations, TV’s and more and more items these days either work off or can connect to the Internet your Wide Area Network (WAN) the super highway to other Local Area Networks. These devices will be either hard wired into your router via an RJ45 Ethernet cable which is always the better option from a security point of view and also a faster cleaner connection, or they will be connected via a wireless connection which from a security point of view is not as safe and will be slower. Your probably thinking, well hold on, if my wireless is indoors on my LAN how is this not safe. Well, wireless by its very nature transmits data across the airwaves. This is like going out into no mans land and there could be a hacker sitting in his car or even your neighbours within range of your network scanning the networks and sniffing out data being transmitted across the airwaves. Unless this data is encrypted through the use of a Virtual Private Network (VPN) then it is going out there openly for all to see. Note it is especially unsafe to be using wireless connections when outside of your LAN and even more so if your on a public network/hotspot, and if this public network is open and a free for all network then the danger levels increase dramatically. My advice would be to stay well away from open networks unless you use some form of encryption.

Back to your router. Your router will have an address along the lines of 192.168.0.1 where you can access the control panel via a web browser. This will then present you with a login screen to enter a username and password to gain access. The default username and password on new routers is something along the lines of admin, admin or password, password or admin, password, it wouldn’t take too long to work out. In fact one could quite easily go online and get a list of default usernames and passwords for all router brands. So what’s the first thing you should do when you get a new router. Change you router password in the settings to a more secure password, a really secure password, this is absolutely vital otherwise its like leaving the key in your front door and which would you prefer to use, a Yale or a Chubb. You would be surprised how many people don’t bother to change the password on their routers. Your wireless network should also have a password key, this should be either a WPA or WPA2, some older routers will also offer the option of WEP. This should never be used as it is old technology and can be cracked very easily in minutes. WPA2 would be your best option and you can create up to, and should, enter a 64 digit key.

The following link can be used to help you create a secure wireless key.
https://www.grc.com/passwords.htm

Unless you use speech to text, then it can be really frustrating typing these into devices especially mobile phones with small keyboards, but it only has to be done once and then allow the device to remember the network. It can also be frustrating when friends and family come over and want to access your LAN with their own devices and ask you for your wireless password. Most modern day routers will have the option of enabling a guest network, totally separate from your own, so you can create a slightly less secure password in these cases for convenience but do make them aware of this and the reasons. Though saying that, the majority of people would not know the difference between a good and bad password and most likely don’t care so much. You can laugh at them then when they get hacked. A certain breed of hackers love these kind of people just to prove to them how easy it is and how vulnerable they are. It teaches them a lesson. It is also a reasonably safe training ground for the hacker to practice his or her skills on. That is as long as they don’t stumble upon a politicians or high powered businessman’s device, they can be targeted later. So don’t think that there is no point in them hacking you, that is total naivety. You are as much of a target as anyone else.


Your Browser and the Internet Part 1

Image

There is a lot to cover here so this is going to be split into two parts. I shall start with the web browser and the Internet in general but this is a vast area so I will only cover the essentials. Ok lets make a start then. When you visit a website you should be aware whether or not the page your on is a secure page or not. Most importantly on registration pages or pages where you enter personal details. Ignore any images that are on the site to say it’s secure, but take note of the Uniform Resource Locator (url) in the address bar. The Hyper Text Transfer Protocol (http) is the standard protocol for browsing a website but this is insecure and data is being transferred unencrypted. If the url is Hyper Text Transfer Protocol Secure (https) then as the name suggests this is encrypted and often assigned an individual public key and running through a secure shell which encrypts any data that is being transferred. In which case you should also notice a lock icon somewhere and if you click on this lock it should give more details on the kind of security that is being used and by who, including the certificate of authentication. These certificates will have ether been created by the companies who’s website you are visiting in which case sometimes they need downloading and installing first or they are made by third party security companies such as Thawte. You will find the more popular certificates come pre-installed along with your browser. There are times when you maybe have to update the certificate and/or give permission for access but this is usually with the less professional ones that are created by the site you are visiting. You should also note that there are various grades of encryption that come with these certificates for example your bank will more than likely be using a pre purchased certification from a security company such as Thawte with a higher quality encryption than others.

Cookies, there are some real cookie monsters out there. A cookie is a small script that is placed in your browser to allow a website to remember specific details individual to each user. How many times have you seen a Remember Me checkbox under a Sign In box. Well, this is where cookies come in. The cookie will hold the snippet of information that you have given and remember it for the next time your visit. Another example would be form fields, when you fill in an online form and hit the Submit button there are times when you have made a mistake or missed a required field and are taken back to the form. Sometimes these fields will all be blank and you have to start all over again which can be frustrating. Other times a cookie will have been placed on your computer so that it remembers what you have previously filled in so you only have to go and fix what was wrong and/or add the missing information in the required field and re-submit. Cookies are not something that would likely be used by a hacker or for a way to install malware on your computer but they are used greatly by advertising and data collection companies. This can have huge consequences on your privacy and security, not to mention the money they make off the back of you selling your details on to other third party companies around the world. Tracking cookies are often installed through advertisements so that they know exactly what pages you have visited and which advertisements you have clicked on and build up a record over time of you're browsing habits and the types of sites you visit, where you go to next, your intrests etc. “Commercial spam anyone” Then there is the advertisements online that will be targeted towards you as they think they know what your interests are. A little bit of gentle persuasion, a tease, to make you spend money somewhere; I say sarcastically. That is just some examples. You may be thinking, "how do we take control of all this then". Well, that’s the easy bit. Disable the automatic install of cookies and set your user preference to ask you for permission first before installing them. It’s also a good idea to clear all cookies on quitting you're browsing session, though this can be irritating as some cookies are actually useful. So you can go in and view the cookies installed and delete the ones you don’t want manually. Luckily the more useful are often labelled with the site name on. Other’s may be total gibberish, a string of letters and numbers. Better still use a third party add-on/plugin to take more control over them and lock from deleting the more useful ones. If your unsure then delete them all as this does no harm and they will only come back again the next time you visit the site.

Social networking, I am reluctantly going to briefly mention this as it’s an extremely high security and privacy risk. With the advent of social networking sites we are freely giving away more and more personal info about ourselves and our lives. Social networking sites are like a hackers playground especially as sites like Facebook who have such knowingly bad security policies. Yes, they tell you when a machine has logged into your account but how do you know that a hacker is not viewing your account at the exact same time you are or has gained access via one of the 1000’s of friends you have on your list. Not only that but there are remote ways, back-doors for getting around this stuff. You maybe giving personal info about yourselves away but you’re also giving info and pictures of your children and other members of family and friends away and unknowingly putting them at risk too. So be careful what you post. How many of you know that if your logged into you Facebook account and then decide to not log out by either keeping it open for convenience, closing the tab or navigating away to another site that has a Facebook Like, Dislike button on its page that the info about that site your on is then associated with you and sent back to Facebook for advertising and tracking purposes. It’s not only Facebook but its most of them, some are worse than others, and some have better security policies than others. Google and Google +, massive data collection, monitoring and tracking going on. Take a look in your account at how they know everywhere you have been right down to the minute via your computer and/or mobile phone and other devices, and I don’t only mean on the web but literally, you where at this location north of the country at whatever time and then 30mins later you where 3 miles away at this location. Go into your account, it’s all mapped out for you to see, and disable these things that they don’t tell you about, or you have overlooked in the terms and conditions (small print) that you didn’t bother to read. A lot of these services are enabled either by default or you have enabled them to use a particular service offered. Talking about services offered if one service gets hacked into, this then leads to another service. Nothing is free in this world and these companies have to make money from somewhere to survive. But you have to ask yourselves how much info you want to freely give away and how much do you trust them to keep this info safe and secure in first place, especially when all they are concerned about is commercial gains.


Email Communications

Image

Email can be full of scams, you may get an email advertising the sale of pharmaceuticals or the next get rich quick scheme and the majority of us see this as spam and delete. Do not be the tempted to reply to any of these emails or bounce them back. All this does is confirm to the sender that you are real and have a valid email address and you will receive even more spam. Some of them are getting clever and include an unsubscribe from this mailing list link. Unless these emails are from a known company that you know you have previously purchased or subscribed to, do not click on the link. Mark as spam, trash, and be done with it then move onto you next email. Often what these kind emails are advertising are not real and in reality a trojan horse and have an ulterior motive behind them, literally. You go clicking on a link out of curiosity maybe, and next nothing happens and it appears to be a dead link or your browser launches with a blank screen 404 not found or takes you to what appears to be a genuine website. But you have activated this link that may have a hidden script behind it that places malicious code and/or a virus on your machine. Email and you web browser are very closely related as they both connect to the Internet and link to the outside world, some of you may even access you email via a web browser. In the old days when email was text based only, it was far safer, but these days we can receive html styled email that can look like a web page and be full of multimedia content and interactivity. Some email applications will allow you to view a website directly in you email application. This is all designed to be more convenient but personally I prefer to keep my web browsing and email separate and use my browser for web pages where I have a lot more security blocks already in place aimed towards web browsing. I’m not referring to web based email here where you go direct to your mail server, I’m referring to email in you mail application that shows a web page. It is safer to copy and paste a link into your web browser directly and browse from there.

One thing that really bugs me about emails is when a friend, family member, colleague sends an email from they're mailing list where they have used the CC Carbon Copy function to send to multiple recipients all at once. This gives everyone's email address away for all to see that are on the mailing list. Often these emails are part of a chain and have originated from social networking sites with some joke or video that is doing the rounds. This is like going and giving out someone's telephone number or address to a stranger without asking their permission first. Would you go out into the street and give your best mates telephone number or address to somebody. These email are simply forwarded on most of the time and spread like a virus within themselves. This is one way to start email harvesting and then sell them address on that you have collected to advertising companies or whoever. "But the CC function is so convenient and easy" I hear you say. There is an often overlooked alternative. Very often hidden away in you email application, maybe a preference that needs enabling, will be a Bcc Blind Carbon Copy function so enable this. please make use of it, do not forward email using the CC function, switch this off, disable it. Simply add you recipients into the Bcc field, copy the contents of the original email into this new email and send, break the chain. But, and this is a big but, there is also a darker side to this as scammers/hackers have all moved along with the technology and now make clever use of social networking as a container for transporting their malware/viruses. Some of these are quite sneaky and will even pull on the heart strings, an image or video that contains some story to make you feel sorry for something or someone and please Facebook “like” to offer your support or approval. There could be hidden code contained inside these images and/or video that’s possibly collecting/harvesting all these email addresses or worse, could be placing malicious software/viruses on the machines of all these recipients. Video is getting more interactive these days with links to other places/content elsewhere so be careful. Were unknowingly doing the work for them because we like to have a joke or view worthless silly things from the Internet. Well, the jokes on us.

Lets talk about Phishing which is the masquerading of someone else, a person or website, bank, ebay and many others out there by creating an email that looks like it is from someone else. They will often spoof (fake) an email address to look like it is from the source in question. At first glance it looks real but under closer inspection the address will have some other characters in it that are not usually in the email that the person or company would send you. These are usually created for the purposes of trying to get you to give away personal details, user names, passwords, credit card details or whatever they are after. Other times it may be malicious software/viruses. You could click on a link that asked you to login to an account which then takes you to a fake site, you login and give your details away. Never click on any links in emails that look like they are from your bank, paypal, ebay, social networking sites etc. It is always best to go directly to these sites in your web browser by using your bookmark or a search engine and login to your account as you would do normally. This is why ebay have the online messaging system. Yet again social networking sites are often being used for this kind of thing. Are these friends of yours, do you know these people. Login here to accept this person as your friend. Yeh right...


Your Browser and the Internet Part 2

Image

Here we go again. As briefly mentioned earlier some browsers install files in the main system folder as part of the installation process, this like with the password managers is a security risk and with your browser an even bigger one because of scripts that run from your browser. I shall talk more about these in a bit. For a more secure browser you want one that is an independent install and does not require the use of any system files to be able to run. When browsing the Internet you will come across all kinds of sites and various different types of media. Some of this media requires the use of third party media plug-ins and, or the use of various scripts to be able to view it. These may include the use of Adobe Flash, Java and Javascript amongst many others but these are the ones I shall mention as they are in particular a security and privacy risk and something that many hackers will utilise for nefarious activities.

Lets start with the Adobe Flash plugin as this has had many security vulnerabilities as of recent and Adobe have had to release new versions on a regular basis to keep up with the exploits that have come about from various hackers installing malicious software. Flash primarily is an animation software but you will have seen Flash being used mostly for online video. It can also be used for advertisements, online games, and for gaining access to your webcam. Some websites will be completely Flash based content though these are not as common now as they used to be as web design has progressed over the years. Where you will see the most Flash content used is with online video and I would advice using an alternative media player for viewing online video in the form of a html5 media player. This is becoming more popular now as an alternative and is much more secure. It also abides by the W3C web standards even YouTube are now switching to the html5 player by default. W3C, "who’s the W3C" I hear you say. The W3C stands for the World Wide Web Consortium, the web governing body if you like, that create a standard set of guidelines for web designers to follow and keep the Internet as safe and as accessible as possible. They basically have your back, but note these are only guidelines and not regulations. There is an incentive for designers to abide by these guidelines as a website that passes the validation tests for these standards will score a higher rating with search engines and get moved higher up the list and are considered to be a better quality website. Flash in these later years is also being used as an alternative carrier for advertisement tracking cookies (LSO’s), not to be confused with the standard cookies, as users have caught onto and are taking more control over cookies installed. These are sneaky and evil as they allow the advertisers more info and certainly allow an easy way of installing malicious code. Lets not forget that anyone can make a Flash based animated advertisement web banner and pose as a genuine advertisement.

For safety, and to keep control of what a web page loads I would advise disabling Adobe Flash via a browser add-on/plug-in and disable/enable as and when you need. Not only is this far safer but it will increase the page load time and give you a faster browsing experience. You can then decide for yourself if the content that appears is trustworthy or not, and if you want to enable Flash on particular page content to be able to view it, ie. allow that video but don’t allow those advertisements. You take control of your browser and what you want to view, don’t let it control you.

Javascript and jQuery which is a form of Javascript is massively on the increase with modern day web design. This is used for a lot of animation effects that we see like smooth scrolling and the easing in and out, which is the slowing down and speeding up of a scroll or opening and closing tabs, drop down navigation menus, accordion style opening and closing boxes, fade effects on navigation buttons, links, form fields etc and various types of image gallery effects from zoom to lightbox effects, which is when you click on a thumbnail image a larger pop up preview image opens up in front and also slideshow effects. Way too many too mention. The jQuery market is massive and there are many many scripts out there. The majority of these effects are safe and generally add to the user experience by enhancing the page, though too many can slow the page load time down.

On the other hand Javascript is another entity and is used mostly for things like Google analytics, the monitoring of the pages you are viewing, how long you are there, where you go to next, advertising, pop up’s and some online interactive animation effects from dragging things around the screen to filling in human verification Captcha’s before sending a form or email. Yet agin too many to mention. These you have to be a little more careful about as malicious code, malware and/or viruses plus tracking software can be added into these, not that is can’t be added to jQuery but it’s not as common, and is especially bad in advertising pop up’s that include download links or a link to something else. Your probably thinking well how the heck can I tell what is good and bad. Well, you have to use your own judgement according to the kind of site your on and what they show. Do you trust its source. If your on a file hosting site or visiting porn sites then these are not as trustworthy as say a software site to a well known branded software or news media site. A lot of file hosting sites now don't directly download the files and download a downloader software to install locally which then links to their servers and downloads the larger files. Stay well away from these as they are most of them well known malware. I'm not talking about Torrent sites here, this is file hosting sites which are different. Torrenting is another animal altogether and I wont discuss that here as you should all be aware of those dangers already if your into that scene. There are softwares out there that one can use to take a peek inside installer packages so you can then decide whether they are safe to install or not. One gets the feel and has an instinctive feeling after a while to what is risky and what is not. It’s a bit like shopping on eBay. Tread carefully and trust your instincts, or disable javascript or use browser add-ons to block/control them especially the advertising and tracking scripts.

You must be getting bored of this now, bare with me. Last one now is Java, not to be confused with javascript even though they share a similar name, Java is a totally different language “and the others are not” I hear you say, ok, ok I shall make this quick. Java can be real nasty, this is dangerous from a security point of view as often java will get you to install what is known as a Java applet to help you interact with something online. It may be an online game or some gambling casino style sites, or even one of those virtual reality style chat rooms or porn sites. Visiting these kind of sites to begin with is a clue to the dangers. Don’t mess with any java that requires you to allow it to install something unless you know what you are doing. Often it will require you to give it root (admin) privileges by entering your password first to allow the installation of a Java applet. This alone should be a warning to you. Luckily you won’t come across Java very often. Java is the perfect carrier for a back-door into installing malicious software and/or viruses, key loggers etc so be very careful. If you have Java installed I would recommend disabling it.

From what I have said here may sound quite scary in some places but please be aware this is concentrating on the security side of things so therefore I am highlighting the areas where it is possible for hackers to get in and do bad things. Generally the Internet is reasonably safe as long as your sensible. Yes, there are many trackers and commercial items/scripts that may impose on your privacy and/or target advertisements at you but these are generally not malicious and will do you no real harm.


Anti Virus and Spyware

Image

Everyone should run anti virus software especially PC owners. If your on a Mac then you can breath as to this day there are no known virus’s that have infected Mac’s this is not to say that there will not be any in the future as they become more popular, but they can get trojans so it is a good idea to run and anti spyware software. It’s also a good idea to run anti virus software so you don’t act as a carrier and pass infected files onto PC users.

OK I have used quite a few technical terms so far, malware, trojans, viruses and spyware, so lets make things a little more clear. Malware is a general term for malicious software, scripts with intent to intrude, bug, annoy or find ,dig out other info. Trojans and spyware could also fall into this category. A trojan is like the Greek trojan horse with something hidden inside a carrier usually with intent of harm and finding, digging out info by misdirecting users into giving this away. Trojans are often disguised as something that is of interest or fun to entice you in and can run in the background without you ever knowing until it’s to late. Viruses, these can change/rewrite code, attach themselves to files and attack other files and spread like a disease often with the user spreading/passing this disease on to others. Some viruses will require the file or link to be opened before attaching themselves while other virus can be self contained and move around on their own like a parasite. The purpose of a virus is to disrupt, damage and spread with the intention of, usually exploitation and/or extortion or to generally damage, bring down, and kill machines and/or companies. Viruses are often used as a form of modern day warfare for either political or commercial purposes or even out of spite.

Ironically, some anti virus and spyware softwares are considered malware within themselves. These are often seen as popups, adware while browsing and trap you into purchasing and/or hog your system resources and generally try to cause disruption. Some of these will even try to/or install themselves, especially if a link is clicked on and/or downloaded and opened and can be extremely difficult to remove from your system and will pester you. They may even offer a free trial in which case the user installs. Their main purpose is to get you to purchase their software and often what they offer is way over priced for what it is, and is not the best quality software. It often does not contain anything that cannot be got for free from the open source/freeware market or purchased from more reputable companies with much better morals and software that does what it it supposed to do. Stay well away from the anti virus and spyware softwares that advertise all over and flood the Internet.

I should also mention that there are no guarantees with anti virus and spyware softwares to catch everything. They are no way a fail safe system and software companies are at war if you like, its like a game of Cat and Mouse. A software can only bring out an update to catch these things as the very latest, newest viruses and trojans are discovered. This often means that someone somewhere has to have been caught out by it and made the target as they machine gets taken over. It may even take more than one person to get caught out as the software companies have still yet to find out it exists and then break down, reverse engineer the virus and work out how it works before they can introduce preventative measures. Some say that some of these may even be introduced by the anti virus software companies, the use of scare tactics to make you buy their softwares. It’s important that you keep on top of any updates and I would recommend in this case that you allow your anti virus and spyware softwares to automatically download and install any updates including new anti virus definitions that are released, but there are no guarantees to anything so the best thing you can do to protect yourself is do regular backups.


Cloud Storage and Backups

Image

I can’t stress enough the importance of doing regular backups. Not only could you have hardware failure but if you did by some means happen to get severely hacked or get an extremely bad virus you may end up having to blank your main startup drive, zero all data so there is absolutely nothing left and start fresh from a clean slate. You should keep at least three separate backup’s possibly more, but at a minimum, one complete backup of everything including you're operating system so you can then get back up (no pun intended) and running again quickly. Then another one for all you real important files, photo’s, movies, music library etc, and then one more stored off-site somewhere else in case you have a fire or get burgled. If you're running a business then it may even be worth considering a mirrored RAID setup where everything that you do is mirrored onto another drive on the fly as you work. This should then all be backed up onto another drive on a daily basis. This probably won’t help if your hacked but at least all your important files will have been backed up at least on a daily basis.

We seem to be entering into an era where what they call cloud storage as means for backing everything up off site to the cloud, which is basically storing all your data on some companies hard drive storage system. They will offer you so much space free of charge but once you reach you limit they will start charging for storage space. This is basically a system created to make money on a commercial level not solve a problem, though it does make it real simple to sync data across multiple devices, but there are other ways. Why trust all your data with someone else when you can rely on and do a better job yourself to keep your data safe. Keep control of it within your own hands. Not only that, they have started integrating cloud, conveniently forcing it upon us to use their services by syncing it into our operating systems. There is a dark side to all of this in that to sync data in this way means they have to monitor and scan what is going on in our machines. This I feel is a step too far and intrusive, borderline with malware.


Right folks, we have reached the end of this little write up and I hope you have all learnt something. You may think all of this is over the top and maybe a little paranoid and/or it could never happen to you. Well, maybe one day you will find out for sure but why take that risk when it comes to both your own security and privacy plus keeping all you valuable data safe. Otherwise you could be in for a whole technical nightmare when things go wrong.

Now as promised and if you still don’t believe me and how bad things can get, here’s the link to the article on how a journalist’s digital life got turned upside down within the space of 1 hour. He did manage to get everything back up and running again eventually but only after a complete technological nightmare and much expense.

How Apple and Amazon Security Flaws Led to My Epic Hacking

Stay safe folks :thumbup:

(:-})
Last edited by VTRDark on Mon Mar 23, 2015 7:20 pm, edited 2 times in total.
==============================Enter the Darkside
User avatar
Watty
Posts: 5583
Joined: Sat Apr 20, 2013 11:35 pm
Location: Barnard Castle, Co. Durham.

Re: How Accounts Get Hacked & How to Protect Yourself

Post by Watty »

Amazing write up and advice Carl :thumbup: . I had previously read the Mat Honan story, scary sh1t 8O
SH#T HAPPENS!!!!!!!!
User avatar
agentpineapple
Posts: 15123
Joined: Sat Mar 26, 2011 9:16 pm

Re: How Accounts Get Hacked & How to Protect Yourself

Post by agentpineapple »

so can I safely watch porn on my laptop?????????????
HEY YOU GUYS!!!!!!
User avatar
VTRDark
Posts: 20010
Joined: Sun Mar 18, 2012 9:24 pm

Re: How Accounts Get Hacked & How to Protect Yourself

Post by VTRDark »

so can I safely watch porn on my laptop????????????
Of yourself yes :lol:

(:-})
==============================Enter the Darkside
User avatar
Watty
Posts: 5583
Joined: Sat Apr 20, 2013 11:35 pm
Location: Barnard Castle, Co. Durham.

Re: How Accounts Get Hacked & How to Protect Yourself

Post by Watty »

cybercarl wrote:
so can I safely watch porn on my laptop????????????
Of yourself yes :lol:

(:-})
:sick: sorry Marty :lol:
SH#T HAPPENS!!!!!!!!
User avatar
agentpineapple
Posts: 15123
Joined: Sat Mar 26, 2011 9:16 pm

Re: How Accounts Get Hacked & How to Protect Yourself

Post by agentpineapple »

that's why I don't masturbate whilst looking in the mirror................ :eek2
HEY YOU GUYS!!!!!!
lumpyv
Posts: 3392
Joined: Mon Sep 06, 2010 6:54 am
Location: ipswich

Re: How Accounts Get Hacked & How to Protect Yourself

Post by lumpyv »

is that a record for the longest thread intro post thingy ?? :clap:
3 out of 4 people make up 75% of the worlds population.
User avatar
VTRDark
Posts: 20010
Joined: Sun Mar 18, 2012 9:24 pm

Re: How Accounts Get Hacked & How to Protect Yourself

Post by VTRDark »

I don't do anything by half's. :biggrin

(:-})
==============================Enter the Darkside
User avatar
sirch345
Site Admin
Posts: 21672
Joined: Mon Aug 25, 2003 10:35 pm
Location: The West Country.

Re: How Accounts Get Hacked & How to Protect Yourself

Post by sirch345 »

cybercarl wrote:I don't do anything by half's. :biggrin

(:-})
You ain't kidding :thumbup:

This must have taken you ages to put together Carl. I'm reading only a bit at a time, when I can sort of thing, but even so I'm less than half way through it yet. It's very interesting, and I keep going off to look up more on certain parts I've been reading about if it's something new to me, so of course that takes even longer :lol:

Internet Security is something many take too lightly as you say, one of the reasons I know this is by the number of hacked email accounts belonging to contacts I have. The clue from the email I get sent by a hacker is usually in the email title, it's out of character from what the title would normally be from one of my contacts.

I fully appreciate you putting this altogether Carl, thank you for taking the time :clap: :clap:

Chris.
User avatar
Wicky
Posts: 7895
Joined: Sat Feb 11, 2006 2:43 pm
Location: Colchester Essex
Contact:

Re: How Accounts Get Hacked & How to Protect Yourself

Post by Wicky »

[youtube][/youtube]
It may be that your whole purpose in life is simply to serve as a warning to others.

ImageVTR Firestorm and other bikes t-shirts
User avatar
VTRDark
Posts: 20010
Joined: Sun Mar 18, 2012 9:24 pm

Re: How Accounts Get Hacked & How to Protect Yourself

Post by VTRDark »

I watched half of that but then got bored. Pretty good, though they missed out the most important thing. The biggest threat to children these days is the parents. It's no good only asking the kids what's this do? what are you doing? who's that your talking too? The majority of kids like to keep secrets from their parents and get their own way as they boundary push their way up into their teens and beyond.

Parents should not be taking advice from their kids on the tech and how it works, and what does what, they should find out for themselves. They become the parent teaching the kids, not the other way around. That's half the problem with this country. And then when they do ask their kids questions for the purposes of interaction and bonding with the children, the parents can then check up and validate whether what that child has said is true, rather than have the wool pulled over their eyes.

If I had kids I would be installing keylogges and other spyware on the digital life. Plus monitor the household router logs to see who's looking at what and and what time.

They go on about the security and privacy settings on Facebook with having friends, friends of friends etc. But that is all made far too complicated for the average user and once the average user has learnt what is what. Facebook will then go and change the layout of their site around and/or add new features so it all starts over again. Facebook is like the new bikeshed where kids these days basically solicit themselves so they can go and buy their next £10 bag of weed for a lot of them. Not all kids admittedly, but that is a huge problem these days along with the bullying. Some of that bullying maybe even generated from raunchy selfies of each other and the competition, I heard no mention of that. Maybe I should watch it all but I got the gist of what angle that video is coming from.

That Black kid made me laugh "I don't have many pictures of myself on the internet but me and my friends have loads on Facebook" Now there lays the biggest problem. They feel so comfortable in their own little Facebook world that they feel they are safely locked in there. Totally unaware and vulnerable.......just like the majority of parents.

One things for sure, the tech is constantly changing and its up to us to move along and understand it and stay safe.

(:-})
==============================Enter the Darkside
Virt
Posts: 6793
Joined: Wed Dec 12, 2012 12:35 pm
Location: Leicestershire

Re: How Accounts Get Hacked & How to Protect Yourself

Post by Virt »

Gonna revive this thread, because I'm a deity and sh1t.

As a counter point to Carls' creation of a strong password, this is how I do mine. Throwing numbers and symbols in is always good, but use as a substitution is generally best avoided these days due to people making smarter brute-force (now there's an oxymoron) applications. If you're ever in doubt, longer passwords are better.

Image
Here's an explanation if that makes no sense to you

The type of password abovewould be susceptible to a dictionary brute force attack (although those things are damn heavy), so why not customise it a bit more (taking a bit of advice from Carl).

Add some capital letters, numbers and symbols.

coRRecthoRsebatteRystaple is still a good password, you've only got one capitalised letter to remember and because of the stupidity of brute-force attacks, it most likely won't even consider that only one letter is capitalised.. It will just try every permutable combination possible.. This will pass validation on most websites.. (and is no more complex than CoRecThoRseBatTerYstaPle in terms of password entropy)

But you want numbers and symbols right? I mean, they are pretty sexy and an extra character set for the cracker to include within their program... So, we can add some in:
When including numbers or symbols, you can put them wherever you want. Personally I put them in the middle of words, and not as replacements, because that kills the possibility of a dictionary brute force attack. They HAVE to do it based on a character set, which means your password is only going to be cracked by sheer luck of the cracker ordering their character set array in a strange order (normally it's something like abcdefghijklmnopqrstuvwxyABCDEFGHIJKLMNOPQRSTUVWXY0123456789 and a random assortment of symbols afterwards).

coR2RecthoRsebat&teRystap8le is what the password would end up looking like if I did it. I only added 3 extra characters, but they are within words and can be remembered relatively easy (for me at least).

Also, anywhere that states passwords are non case-sensitive, can be sent to via email or have a maximum length should be avoided. Those places are storing your password in plain text, rather than salting and/or hashing it so that it is not human readable without the use of a rainbow table. As to what algorithms they use, you just have to hope. Some like SHA256 are very strong (but slow to create) and some like MD5 are significantly weaker (but also much faster). If you're ever provided the option to log in via an existing platform (google, facebook, twitter etc.) you should take the opportunity if you value online security. Doing passwords correctly is very difficult, but big companies such as those will always be at the forefront of password security. At that point it's more of social engineering than cryptography, to gain access to somebodies account.

Beware that some symbols cannot be used as they clash with server file systems/scripts. Stay away from the following symbols " / \ [ ] : ; | = , + * ? < >
This is largely incorrect, also. The symbols contained in your password are irrelevant. The only logic that should be running on your password is a hashing/salting method. These do not really care what characters are contained in the string, unless they're badly coded. If a site is going out of it's way to stop you using some characters, it sounds like they aren't using prepared statements for interacting with their databases and thus are vulnerable to all kinds of SQL injection attacks.. So, stay away.

Image

I skimmed through the rest of the post, I will admit. I didn't see anything that needed correcting though, I'll probably come back when I can actually use my brain to think properly and correct or append to anything else :thumbup:
Slowly approaching the more bikes than birthdays achievement
Virt
Posts: 6793
Joined: Wed Dec 12, 2012 12:35 pm
Location: Leicestershire

Re: How Accounts Get Hacked & How to Protect Yourself

Post by Virt »

Right, I'm reviving a dead horse (yet again) here. Thank me later.

[youtube][/youtube]

[youtube][/youtube]

Right, I'm not expecting you all to watch the both of these videos (I have, multiple times, but I get a bit of a hard on for software/cryptography stuff soooo....), however you are more than welcome to do so as it's only a short amount of time that will be a wise investment.

If you don't wish to watch those videos, or you have an didn't understand a word of it, I'll attempt an explanation\TL;DW.

That guy is basically a guy with a PhD in Computer Science and for reason that gives him access to a machine with 4 nVidia TITAN Graphics Cards, deep learning or something. Basically an irrelevant reason. Graphics cards are great for items that involve mathematical equations, brilliant use case of this is (coincidentally) hashing passwords!

Hashing, what does that mean virt?
Well, to be simple (and possibly somewhat incorrect) hashing is what happens when you give encryption steroids. Encryption needs to be able to be run both ways, to encrypt $x data and then decrypt it again so you can use it.. Hashing does not need this, it's an entirely one way process.

There are multitudes of hashing algorithms to use (MD5, SHA128, SHA256, SHA512 etc) that will all provide a nice bit of irreversible gibberish for you to store in your database against a username/email/thing.

Unfortunately, over time people began amassing collections of passwords and their known hashed values due to their own attempts at gaining access to peoples accounts.. These have become known as Rainbow Tables.

Rainbow Tables? Yeah, something sinister never sounded so beautiful. A rainbow table will basically just search for any hashed value you give it, and if it contains it it return an unhashed value..

For example, I could probably search any Rainbow Table for MD5 for the value '5f4dcc3b5aa765d61d8327deb882cf99'.. Anything worth their weight will tell me that's the hashed value for 'password'.. Just to show how utterly gibberish they are, 'password1' is '7c6a180b36896a0a8c02787eeafb0e4c' and '1password' is '01ee9547a3f708f8fd986216bffd1eb7'. Despite the fact they're all almost identical in English the values associated with them are nothing alike. This has lead to a practice known as salting.

Salting is the act of merging (usually just a simple concatenation) a completely random set of characters with your password before hashing it. This is a good way to counter rainbow tables because suddenly 'password' could be something such as 'password^z£0-'.. Usually salts should be specific to each user so that it becomes much harder to attack the overall database, however when attacking a single user in a database this literally has no effect because the salt is always stored with your password so they can just update their program to end everything with your salt..

So, how do you protected a specific user (such as your fine selves) when a database is breached? You used strong as sh1t passwords.

What defines a strong password? Well, quite frankly anything the attackers' dictionary cannot create is a strong password.. But you don't know that ahead of time, or during.. or even after really.. So that's not useful!

Cryptography is an area of computer science that deals with this kinda of stuff basically, and their definition of a strong password is something with high 'password entropy'. Feel free to google that, can't really think of a nice way to explain it. I'm going to ignore that and just go off of the maximum number of attacks it will take to guess a password, it's not the same but it gets a picture across.

Say for example I'm using the password 'bbbbbb' (if that's your password I am literally writing this for you). You're using one character set (lowercase characters, so 26 possible values) 6 times, that means there are only 308,915,776 (26^6) possible combinations of password there.. You can crack that in a fraction of a second, the first video shows the guy managing to attempt nearly 40 BILLION passwords per second. You could add a few more characters to the password to make it 8 characters long and suddenly there are 208,827,064,576 (26^8) possible combinations. It would last a few seconds but you're still a tad screwed.. You could keep adding characters but honestly it's just not worth it, algorithms may not favour those passwords but a human might so there is still a weakness.

This is where the whole 'replace numbers with letters and throw a few symbols' thing came from.. And to be fair, it's still not an entirely bad practice.

The password entropy of something like 'myP3Tf1Sh&' is not bad, using that exact ruleset there are over 839,299,365,868,340,200 combinations (assuming & is separate from other symbols, I realised I wouldn't be able to list all of them so I went worst-case scenario), if an attacker was capable of 40B attacks per second it would take a maximum of 7 weeks and 4/5ish days. Pretty good, not perfect. This method of creating passwords has not been completely recommended for some time, although you can do much worse..

This is where password managers have come in. We've reached a point where computers are getting so powerful that we are the limit for passwords, I can give you 3 strong passwords and I reckon you won't be able to memorise any of them... (courtesy of http://passwordsgenerator.net/)
When calculating possible combinations I will once again just be going off of any symbols within the password (as above), numbers/characters I will use a full set(10 for numbers, 26 for lowercase characters and 26 for uppercase characters).

Tu8H~4LEJD&'}Trg (1.2962923816305026e+29 combinations, 103045220100.61356 years to crack)
w9t8e7HVB.v$]6KD (1.0153451678210142e+29 combinations, 80712089169.7362 years to crack)
d=,g/78FT$N:)-29 (2.6398876956551398e+29 combinations, 209850657532.61887 years to crack)

See? Pretty much impossible to remember, we're not computers. This is where password managers come in.. You use one really strong password to secure all those passwords.. As you can see, creating a strong password really is just using as many character sets as possible for as long a string as you can. You can combine words together and throw in an extra few character sets (preferably in the middle of a word, not between the words as that's basically expected behavior) and get a decent amount of protection, but then you're at the mercy of an attackers' dictionary so hopefully you'll aim to use uncommon words, this bit is actually covered in a lot more detail in the second video (it's the shorter video, you have no excuse for not watching it) because I've been typing this for an hour now and quite frankly I'm bored.

Oh, and as to why I'm doing this? I got an email through earlier that one of my old accounts for something had someone attempt to log in from Jakarta, because it's using old passwords as I never even visit that website anymore..
Slowly approaching the more bikes than birthdays achievement
zakisbak
Posts: 77
Joined: Fri Jul 16, 2021 9:56 am
Location: London

Re: How Accounts Get Hacked & How to Protect Yourself

Post by zakisbak »

When I log in,the site is not https,ie,not encrypted (I think).

I added HTTPS Everywhere to my browser (Firefox) and enabled it before logging in.
Post Reply