How Secure are our Passwords
LSW posted a topic in Cybersecurity
I plan to add future posts to this as I come across anything worthwhile. As computers grow faster the ability to crack passwords improves. If you are still using 8 character passwords, it can be cracked in minutes. Add to that the eventual use of quantum computers by governments and one day maybe all of us... ANY password will be cracked in minutes. A computer can compare pre-listed common hashes at about 350 Billion a second. Also stay away from dictionary words.

There are two primary attack types:

Brute force: The attacker will just run his computer through combinations (a, ab, abc, abc1, abc2, etc.), literally using brute force of computing power to try every possible combination, and for an average computer 8 characters is child's play.

Dictionary attack: This is running through common words and includes modifying them (horse, Horse, h0rse, H0rse, H0r$3, etc.). Again, a really easy way to attack.

So here are a few suggestions from me:

The longer the password, the better. You really should be using 12 characters at a minimum and I would suggest more like 14 - 18/20.
Use a password manager so you need not remember them all and can use randomly generated gibberish.
Move away from Passwords and use Passphrases. Lyrics, poem lines, quotes, etc. These can be complete with spaces and you need not have special characters or numbers. It would also be more easily remembered than "C9bgTkYhd9dr". You can type them without dealing with special characters that can be a pain on a mobile device and you have really long lengths.
Stay away from dates, those can be guessed, like wedding date, kids' birthdays etc.
Stay away from pets or their names, breeds, etc.
Stay away from children's information.
Stay away from favorite things like authors, bands, hobbies, as these may be guessed as well.
Maybe use other uncommon languages; I have used Potawatomi, Tlingit, Gaelic. You need not even know the language, use a dictionary and see what your favorite animal is called in Gaelic. "Winter Horse" in Gaelic will not be quickly broken; there are at least 4 forms of Gaelic, so I have to break not only what you like, but Irish, Scottish, Nova Scotian Gaelic or Wales? And the name may include weird character groupings and special characters. If you remember what it was in English you can just look it up to remind yourself again.
Never ever repeat passwords for other sites. Make each unique.
Never give it out... to anyone.

Hope you decide to get more secure and get some ideas from what I post here in the future. LSW
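As an added example (not LSW's code, not part of the original post), a small Python checker that puts numbers on the two attack types described above: worst-case brute-force time at the post's 350 billion guesses per second for a given length and alphabet, and a dictionary check that undoes the case and leet-style mangling the post lists (horse, H0rse, H0r$3). The word list and substitution table are constructed assumptions, not real cracker rule sets.

```python
"""Constructed password-strength checker for the post's brute-force and dictionary
attacks. The 350 billion guesses/second rate is the figure quoted in the post; the
word list and leet table are small constructed assumptions, not real cracker data."""
import math
import string

GUESSES_PER_SECOND = 350e9  # rate quoted in the post

# Constructed mini word list; a real checker would load a full dictionary.
WORDS = {"horse", "password", "winter", "summer", "dragon", "monkey", "letmein"}

# Undo the common substitutions the post lists (h0rse, H0r$3 ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})


def charset_size(pw):
    """Size of the alphabet an attacker would have to brute-force for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # printable punctuation plus space
    return size


def brute_force_seconds(pw):
    """Worst-case time to exhaust every combination of this length and alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def dictionary_hit(pw):
    """True if the password is a listed word once case, leet substitutions and a
    trailing number are stripped (Horse, h0rse, H0r$3, Horse2019 all match)."""
    raw = pw.lower()
    candidates = {raw.translate(LEET), raw.rstrip(string.digits).translate(LEET)}
    return any(c in WORDS for c in candidates)


def passphrase_bits(word_count, vocabulary=7776):
    """Entropy of a passphrase of word_count words drawn at random from a
    vocabulary of the given size (7776 is the size of the Diceware list)."""
    return word_count * math.log2(vocabulary)


def assess(pw):
    """Return the checks the post argues for: alphabet size, bits of entropy,
    brute-force time at the quoted rate, dictionary exposure and a verdict."""
    hit = dictionary_hit(pw)
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0
    if hit:
        verdict = "dictionary"  # length is irrelevant: mangling rules find it fast
    elif bits < 50:
        verdict = "weak"
    elif bits < 70:
        verdict = "ok"
    else:
        verdict = "strong"
    return {
        "charset": charset_size(pw),
        "bits": round(bits, 1),
        "brute_force_seconds": brute_force_seconds(pw),
        "dictionary": hit,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in ["abcdefgh", "H0r$3", "C9bgTkYhd9dr", "winter horse on the hill"]:
        print(sample, assess(sample))
    print("5 random Diceware words:", round(passphrase_bits(5), 1), "bits")
```

The brute-force figure is a worst case for the attacker who already knows the alphabet; the dictionary check shows why a mangled word scores as weak regardless of what that figure says.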
Media - On Cybersecurity
LSW posted a topic in Cybersecurity
Here I will be listing videos I come across on the subject of security. There is no way to denote new ones, so you need to just keep coming back; I will add the dates to all new ones.

CIS / MS-ISAC (Center for Internet Security & Multi-State Information Sharing and Analysis Center)

Sex, Lies and Mobile Devices: The Seedy Underworld of Mobile [in]security (58 min.) - You will be surprised and I hope disturbed by what all your "Devices" (some of those being devices you did not even know about) are collecting about you and selling for their profit, and you have no way to stop it anymore even if you know about it, and many times you will not!

Assorted Media

Blueborne - Android Take Over Demo (1:43) - This is a demo showing how in less than 2 min., using the BlueBorne attack, a pretend "Hacker" gets into a cell phone without the owner's knowledge and activates the camera to watch her. The phone is an Android, but this attack is a Bluetooth vulnerability that affects ANY Bluetooth device. It could also be your microphone or apps you use. Does your phone sit where it can view your screen or your private activities? Does your laptop sit open, or is there a web cam on your PC, and are these in your bedroom? Are sensitive files saved in a simple folder or are they at least in an encrypted container? [10/25/2017]

Trape (10:33) - Trape is a so called people tracker. This video shows how to use it. Now this is a hacker tool, but I want you to understand how easy it is for you to be manipulated. I need but set this up and send you a link which you click and I have you. I can mess with you, I can get data about you. I can see all your social accounts if I want to stalk you. I just have to be creative and you have to be lazy just once. This tool creates the fake pages that look just like the originals. NOTE: The fake address for the victims is an IP address first, then the Google address to fake you out. Remember the top domain is always the first. [11/9/2017]
Australia is big in cyber news currently...
LSW posted a topic in Cybersecurity
Do we have any members down under? I believe we used to. Well, Australia has me on the fence this week. On one side they made what I consider a bad call, and have weakened Australians' rights to privacy to support fear mongering (Assistance and Access Bill 2018) by making it easier for law enforcement and government to crack your encryption and access private user data. On the other they have decided that e-voting is a bad call and have turned it down. I think it is easier to manipulate voting per computer than it is paper ballots shipped in armored cars like we used to do back in the day. So here are some links on the subjects; you can find your own if you wish, there is a lot on this new Assistance and Access Bill 2018.

E-voting:
Pencil manufacturers rejoice: Oz government doesn't like e-voting
https://www.theregister.co.uk/2018/12/06/evoting_off_australias_agenda/

Assistance and Access Bill 2018:
Australia now has encryption-busting laws as Labor capitulates
https://www.zdnet.com/article/australia-now-has-encryption-busting-laws-as-labor-capitulates/
Australia Passes Encryption-Busting Law
https://www.databreachtoday.com/australia-passes-encryption-busting-law-a-11812
Australia Passes Anti-Encryption Bill—Here's Everything You Need To Know
https://thehackernews.com/2018/12/australia-anti-encryption-bill.html
Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time
https://www.theregister.co.uk/2018/12/07/australias_crypto_legislation/
General Holiday Security Tips
LSW posted a topic in Cybersecurity
As You Read This, It's Cyber Monday. How To Avoid The Top 10 Security Threats
https://blog.knowbe4.com/as-you-read-this-its-cyber-monday.-how-to-avoid-the-top-10-security-threats
Shopping tips for your Internet connected "Things"
LSW posted a topic in Cybersecurity
Top Tactics for Researching IoT Technology Security This Holiday Season
https://blog.rapid7.com/2018/11/19/top-tactics-for-researching-iot-technology-security-this-holiday-season/
Let’s discuss Windows 10
LSW posted a topic in Cybersecurity
I have mentioned this before and must do so again so that you understand what we are speaking about when discussing Security vs. Privacy. Also let me state that I often come across a bit judgmental; that is not my intention here. Win 10 is a very solid and well secured OS, but not good for those looking for privacy and anonymity.

Privacy vs. Security

At a quick glance you will think that they are more or less the same, and that would be the case if we were speaking of material privacy. If your laptop is secure then your private photos remain private. But in cyber security we are speaking of privacy as a concept, not a thing. In this case it breaks down like this:

Security: This generally speaks to your machine, hardware and software. It deals with Trojans, worms, viruses, adware, malware, ransomware, as well as system vulnerabilities like un-patched or old software, old anti-virus signatures. Keeping permissions tight, keeping access blocked, etc.

Privacy: In this case we are talking about you rather than your things. Privacy is about protecting your data, not giving out your SSN, not posting embarrassing photos, not letting others know what you are doing. It is about the information and actions and beliefs that make up you.

The basis of all cyber security considerations is which of these two things is most important to you? It is not about choosing one or the other, they are very much entwined, but you will always have to choose which one weighs more in your worries. That decision will often form your choices. If you are a political dissident, if you have a secure PC, but you announce your name online you will be arrested and jailed and any adversary with your hardware will eventually crack it. If you protect your identity online, the government will not know who to arrest and not get your machine. So, Privacy is more important, though you would protect your PC too.

Windows 10 – Go for it or hold off?

So, we come back to Windows and my question above: What do you care more about? If you go out and get a new PC, it will likely have Win 10. The question is then, do I simply accept I am forced to have Win 10? Do I wait until the next generation of Windows? Or do I simply purchase or change my OS to another type, like Linux? Here is a breakdown for you and why the question is so important. I will go positive first as I am not trying to influence you, as it is a personal choice; you just need to understand what is at stake.

Security

Win 10 is getting some praise by the traditionally anti-Microsoft security experts. 10 is proving to be a major change for Microsoft; it is solid and far more secure than any other Windows in history. Remember that Windows has always been “Dumbed Down” for the users. They want it ridiculously easy to use so you, the user, do not have to think, just point and click. This however has resulted in decisions that, although making your life easier, also made the system massively insecure. Granted, it was also conceived in a time period where nobody saw a real need for security. Here are just a couple reasons I can think of off the top of my head why Windows has finally become more secure. Security and ease of use rarely go hand in hand.

Virtualization-based security: Greatest thing to hit Windows since they started using Windows. Most of you know what virtualization is. You install a Virtual Machine and then you can run any type of Operating System (OS) on that machine. So, you boot into Windows, open your VM and you can run a Linux computer on your Windows machine as an example. Win 10 uses a version of this to run much of its security virtually, so even if a hacker gets into your admin account, that does not give them the needed permissions to change many major settings. This is a major change for Microsoft and something the security field has been preaching for years. Virtualization is one of the keys to security, keeping different parts of the system separate from each other. You can imagine it as a virtual sandbox.

Defender Application Guard for Edge: This is another example of Virtualization. Cyber security is a technical field mostly and I try to keep from getting too deep in the technical stuff with you, as most of you may want to be safer but not follow the technical stuff. Basically, Application Guard decides if the web site you visit can be trusted. If it is, Edge shows it as usual; if not, you still see it as usual, but the web site is shown in a virtual browser and anything bad it includes is unable to infect your browser or the machine. Here is a Happy & Bubbly video on how it works for users.

Device Guard: Virtualization again shows its power with this tool. It uses the “Zero Trust Model” where everything is considered untrustworthy. You then “Whitelist” apps you trust or know where they came from. Traditional security counts on having a signature of “Bad” software, so new threats are not recognized as threats. This way everything is considered a threat until proven otherwise, so new threats do not get through. All software must be signed, from Microsoft, the developer, or now you can vouch for software you trust. Using virtualization keeps any malware that reaches the system from running code that will write or change code in the kernel of the OS programming. Device Guard will also work hand in hand with AppLocker, which has been in Windows since Vista and can be used to limit permissions to applications. How Windows Defender Device Guard features help protect against threats

NOTE: Currently Device Guard only works on high-end editions like Enterprise, Business and maybe Education editions. It does require some hardware etc. that supports the technologies used. Many producers have signed on to support this technology, but they have not shipped such machines, so at this time the average Home edition user will not be able to take advantage of this tool. High-end computers may be able to if they run high-end editions.

There are more things making Win 10 the most secure operating system from Windows yet; these are just a few real worthwhile mentions. You can see more at: What's new in Windows 10.

Privacy

This is a completely different matter. As mentioned above, ease of use & security rarely work well together, nor do ease of use and privacy. Here I look at it from both a security point of view and generationally. I am an old guy, so I come from a different world and cannot understand all this linking of stuff. A phone and a camera are two different things, so why combine them, which was my opinion with the iPhone 1 announcement. Along those lines, why would I go on Facebook and post a selfie of me and my dinner while telling everyone following me what I am eating and at what restaurant at this moment. Who cares? And why would I want to follow anyone anyway? But for the millennials and later, it is simply the way things are and what you do. Win 10 is made in the image of Millennials, or at least what Microsoft thinks they want (rather than need). The result is, we get things like the required addition of a Microsoft controlled email to use the OS fully. More and more Microsoft is creeping into our private lives. Win 10 is riddled with Apps that identify you, they track you, they call home and let MS know where you are, what you like, and much more data about you, which MS then uses to target you for advertising and, among other uses, makes a profit off you. This is why you must decide what is more important, a secure OS or an OS that phones home without your knowledge and permission to tell businessmen everything about you just so you can use Skype with fewer clicks.

That is the reason it all depends on you: if you want security and do not care about secret communications between your machine and MS, you just want easy access to all your social tools, then Win 10 will work for you. If your privacy is important and you don’t like this idea of MS possibly spying on you, then go with another OS or wait and see if we privacy advocates can force MS to back off and respect our privacy in the next OS.

Here are some privacy examples for you:

Synchronization is the default. Everything synchronizes with Microsoft, to include web sites you visit, passwords, personal data, browser history, hotspots, software settings etc. Do you trust MS with your user IDs and passwords? Do you visit sites that maybe you do not want others, especially strangers, to know you visit?

Each instance of Win 10 gets a unique Advertising ID to customize advertising you receive to your interests. They do not do this to be nice; advertisers pay them good money to target you with their advertising based on what you surf to or for.

Cortana Data Collection, seriously, was your life so difficult before Cortana? To serve you it must learn about you. To work and meet your requests Cortana (and Siri etc.) collect data such as device location, information & location history, your contacts, voice input, search history, calendar details, content & communication history from messages and apps, key strokes, debit & credit card details, movies you watch and music you listen to, as well as info about your device, to name a few.

When you agree to use Win 10 you are agreeing with sharing your data with Microsoft and how they will track you. Read their privacy statements and service agreements. You have some great services to gain, but it will cost your privacy, so be sure it is worth it for you.
https://www.microsoft.com/en-gb/servicesagreement/default.aspx
https://privacy.microsoft.com/en-us/privacystatement/

So, decide if you want an easy to use/semi-secure/gadget driven link to your online life or if you are more worried about Security AND Privacy. Many of you are not much worried about your privacy, and that is fine if it works for you, and you can feel more secure with Windows 10 than you should feel with whatever Windows you use today. If however your privacy is important to you, stay away from Win 10 as long as possible and seriously consider Linux or even Mac.
How to Start a Career in Cybersecurity: All You Need to Know
LSW posted a topic in Cybersecurity
How to Start a Career in Cybersecurity: All You Need to Know
https://thehackernews.com/2018/10/cybersecurity-jobs-salary.html
Your Windows Security Updates Might Stop!?
LSW posted a topic in Cybersecurity
Your Windows Security Updates Might Stop!?
https://www.stationx.net/windows-security-updates-might-stop/
Check the Excel sheet he links to to see if your AV is covered or not.

You might want to pass this to any soldiers you know regardless of the country. Internet of Things (IoT) people, the Internet and your friends do not need to know where you are and what you are doing. Fitness apps, GPS geo-logging on photos you take, it all gives out info bad guys do not need to know.
US soldiers are revealing sensitive and dangerous information by jogging
https://www.adn.com/nation-world/2018/01/28/us-soldiers-are-revealing-sensitive-and-dangerous-information-by-jogging/
On The Lighter Side...
LSW posted a topic in Cybersecurity
Even serious subjects can get a laugh out of the best of us, so welcome to the lighter side of cyber security. My first installment: Cat-mapping, Warkitten, or simply how to weaponize your cat. Is your wifi cat proof?
How to Weaponize your Cat to Hack Neighbours’ Wi-Fi Passwords
Add-ons to control scripts used by your browser
Important: New WPA2 Vulnerability Found, Affects Everyone.
LSW posted a topic in Cybersecurity
I think this is important enough to warrant its own thread. A vulnerability has been found in the WPA2 standards for wifi security. This is the standard security you all should be using on your access points/routers. This is also a vulnerability in the standards, not in a product, so it affects everyone using WPA2 regardless of what systems you are using. I should also add that this is a proof of concept. That means researchers have found this flaw and already announced it to manufacturers so they can work on patches before it goes public, as not only do we now know it exists, but so do our adversaries, so they can now use it to attack targets. Most importantly, this affects the clients more, so laptops, tablets, phones and towers etc. You should keep an eye open for patches as of right now from your OS developer as well as your router/hardware developer and apply them as soon as possible.

New WPA2 Attack (KRaCKs) - How To Prevent It
https://www.stationx.net/new-wpa2-attack-kracks-prevent/
KRACK Demo: Critical Key Reinstallation Attack Against Widely-Used WPA2 Wi-Fi Protocol
https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html
Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping
http://www.zdnet.com/article/wpa2-security-flaw-lets-hackers-attack-almost-any-wifi-device/
Wi-fi security flaw 'puts devices at risk of hacks'
http://www.bbc.com/news/technology-41635516
What Makes Up Cybersecurity For Me?
LSW posted a topic in Cybersecurity
This is a loaded question, because it is dictated by you and what angle you are looking at it from. So, the very first question before you go further is: “What/Who am I?” Then you follow that with “Who do I think I am up against?”

Private Folk: This is the primary target for this forum.
Who – You, your kids, family & friends
Opposition – Cyber Crime, Hacker Groups, Lone Hackers, or Script Kiddies, Government

Business person at home: Looking at more Mom & Pop to smallish business for our readers.
Who – Shall we say for argument small business like you doing web design or the businesses you design for.
Opposition – Cyber Crime, Hacker Groups, Lone Hackers, or Script Kiddies.

Travelers, Big Business or Press: Again, rather big league for my purposes.
Who – Big businessmen or Press traveling to questionable areas. These folks can expect to be hacked within 1 hour of signing into their hotel in places like Russia or China. You would not want to have a laptop full of business secrets or notes on where you will meet a dissident.
Opposition – Secret police, law enforcement, nation state government backed cyber units.

The Dissident/Activist: I am not going to cover this person much as I doubt any of you fit the bill.
Who – The Dissident we will say is risking their freedom or life to fight for justice. Security for them is life & death for them and their loved ones. They have to stay smart, extremely paranoid and on edge.
Opposition – Secret police, law enforcement, nation state government backed cyber units.

Common sense will tell you that you want to protect your computer, phone, tablet and computer from hackers, malware, ransomware, viruses etc. and you’re up against medium to minor threats. The dissident does not want to die, so needs aliases, deep covers, saves nothing on a PC, encrypts hard drives, what you see spies do in movies, and is up against well-funded professionals with great skills and tools and the “Law” on their side.

Now ask yourself: What is important to me? What am I protecting?

What is important to me? - Security or Privacy?

This is confusing at first, I know. If my PC is secure… my Personally Identifiable Information (PII) is private. But let us take Google Chrome as an example. Now for the first time the most popular browser in use, and many of you use it. I did until I got into security. But look at it from a purely security standpoint, shall we?

Chrome:
Security: Google is a very secure browser. It has had fewer vulnerabilities found than Firefox and they were fixed quickly. Chrome has a form of sandboxing built in. It has a big organization behind it. Google offers rewards to hackers who find vulnerabilities in its products.
Privacy: Google is everywhere. It tracks everything you do. The moment you come to Killersites, Google knows you are here and adds that data, and you can be profiled by it. KS uses Google Analytics, so Google knows you are here and can surmise how often and what other web sites you go to, and before you know it they guess you are a web designer. Google owns many sites now like YouTube, and analytics are everywhere. Google has a corporate monetary interest in tracking you, learning your likes and dislikes and selling it, as well as feeding us targeted advertisements.

Firefox:
Security: Firefox has more of a history of vulnerabilities, but they have all been fairly minor and quickly patched. Firefox has been around longer with a bigger following, so a better target for hackers. Now Chrome will be targeted more often. Firefox also has more available security and privacy extensions to make it more secure.
Privacy: Mozilla just makes a browser (OK, email, calendar etc.) and has no monetary interest in tracking you.

So, as you can see, Chrome may be the more secure browser in theory, but it is a nightmare if you don’t like being tracked. So, Security is about protecting your application, machine etc. from unauthorized changes, while Privacy can be about you.

What am I protecting?

These we call “Cyber Assets”. This is up to you. Here are some ideas, starting with the obvious:
Passwords, especially Master Passwords
Banking, Stock and other financial info data
PII data like SSN, birth date, medical data etc.
Questionable Photos & Video
Questionable materials
How about personal photos, not adult, just simple photos that can identify you, help identity thieves, help people pose as you
How about your interests that can be used to profile you
Tracking Websites you visit that can profile you
Cookies and other things that can track you for a profile
Your OS, browser, browser plugins, and cookies can all be used to “fingerprint” you. You could be identified by this data

These are some things you will need to consider as you read anything else I post in this forum. You will need to consider these things as you decide for yourself just how far you wish to go with YOUR security. You may have no problem with Google tracking you and making money off your data.
Cybersecurity For Killersites Followers
LSW posted a topic in Cybersecurity
Welcome to the Killersites Cybersecurity forum. Many of you likely give only minor thought to security in general. You do online banking and maybe email and figure you are relatively safe. You are not, and I will get into that eventually. Everyone here should take an interest in security, and if you really don’t, read it anyway; maybe you will change your mind. But consider this: we are most all web developers of one type or another here, and you should be interested in security so as not to compromise your customers' systems, and maybe give them some good security tips as well. Feel free to ask questions you may have or leave comments. Suggest areas you would like to see discussed and if I can I will. I will give you tips on Security and Privacy after I explain the difference. I will also suggest tools and ways to harden your browsers and discuss how you may be attacked and why. Here at Killersites we have always tried to teach our members best practices and this will continue. This is a subject I feel strongly about, but in the end, it is up to you to decide just how strict you wish your security to be. I will also post interesting news I come across. I am learning a lot on the subject so I won’t be posting every day, but I will post what I can as soon as I can. Enjoy! Cheers!

P.S. - I also want to add that this forum will mostly be about defense, protecting yourself, and not a guide to how to hack, so I won't get much into the tools of the trade for Hacking and Pen testing, just protecting yourself.