Yes, you - how to adult at online security

Place for topics not directly related to LTROI. This is not an invitation to spam. >:-|
Post Reply
User avatar
gkmoberg1
Moderator
Posts: 4245
Joined: Thu Dec 09, 2010 4:46 am
Contact:

Yes, you - how to adult at online security

Post by gkmoberg1 » Fri Jul 21, 2017 1:04 pm

I've been trying to raise the awareness of my family members and my work buddies when it comes so properly protecting themselves online. I want to share this with you too! Most near all of us ended up at this forum because we got infected, right? :P Well, in part, what I want to warn you about is the type of infection you DEFINITELY don't ever want to get. okie?

There are very dangerous & destructive malware things out there right now that are doing a very good job stealing from all of us. You need to pay attention, unfortunately, if you want to be safe on-line. And, unfortunately, there are many cases where you need to be aware of how companies and organization are being hacked and having their information about us stolen.

Start here:
https://www.engadget.com/2017/03/24/how ... -security/
Please both watch the vid and read the article.

Then be aware that there's not much you can do about things like this, which was posted last month:
https://www.engadget.com/2017/06/19/gop ... -citizens/
Or this:
https://www.engadget.com/2017/06/17/buc ... r-malware/
We hear about this weekly in the news... one company after another.

Basically, any company where you use your credit card or have an account has info on you. Hackers break into companies and steal that info. Yes, there's not much you can do about this, but you need to be aware of when it happens and when you see an article in the news, consider that it might apply eventually to you. Therefore, please always check your credit card and bank statements every month to ensure that all the transactions are things you did. If you have passwords that are easy to guess, please change them.

The last thing I want to do, at my house, is have a computer get locked up by something evil that is accidentally downloaded and encrypts all my files. And I want to avoid similar evil things that get on my computer and learn quietly (by watching me type and click the mouse) which banks I got to online, what bills I pay online, and what my account name and passwords might be. You do too! Finding out too late that this has happened to you would be disastrous (Gee, why did I buy 14 large flatscreen TVs two weeks ago and have them shipped to New Jersey in the US?) (Oh oh, all my files are locked on my computer and they want $800 from me so that I can get them back!) (Ummm, something went into my email accounts and erased all my contacts and all my emails. Totally gone.)

Please be safe! I started with my family as I know some of them hope to avoid any of this by only going to major websites and promising not to click on strange attachments to things sent to them in email. But mistakes happen. And it too easy to have something terrible occur to you, your online identity, your account, and so on if you are not vigilant. So, in the spirit of only wanting to help, I say please be safe.

User avatar
gkmoberg1
Moderator
Posts: 4245
Joined: Thu Dec 09, 2010 4:46 am
Contact:

Re: Yes, you - how to adult at online security

Post by gkmoberg1 » Sun Jul 23, 2017 4:04 am

I know you are ignoring this. "Oh, later," you say. "Not now, dude." Whatever! Sheesh guys. I'll not bug you on it again. But ... you know I'm right. Please check this stuff out. Be a little paranoid.

User avatar
PeteMork
Posts: 3781
Joined: Wed Nov 11, 2009 9:56 pm
Location: Menlo Park, California

Re: Yes, you - how to adult at online security

Post by PeteMork » Sun Jul 23, 2017 5:11 pm

Consider me just a bit more paranoid than I already was. Especially after finding this article on "smishing":

http://www.nbcnews.com/tech/security/ho ... es-n782671
We never stop reading, although every book comes to an end, just as we never stop living, although death is certain. (Roberto Bolaño)

User avatar
sauvin
Moderator
Posts: 3410
Joined: Sun Dec 06, 2009 5:52 am
Location: A cornfield in heartland USA

Re: Yes, you - how to adult at online security

Post by sauvin » Sun Jul 23, 2017 8:31 pm

PeteMork wrote:Consider me just a bit more paranoid than I already was. Especially after finding this article on "smishing":

http://www.nbcnews.com/tech/security/ho ... es-n782671
Some years ago, when the idea of a "checking card" was fairly new - a debit card that looks and acts like a regular credit card except that funds are transferred immediately out of your checking account when you use it - I got a call from some "travel agency" claiming that I'd won some kind of sweepstakes prize that involved fourteen days and nights in the Bahamas, all expenses paid. This guy went on and on for a little while about sunny days and steamy nights, white beaches and pretty young things in wet T-shirts. Got my motor going, I'm here to tell you! When it came time to discuss schedules and logistics, the first thing this guy wanted was my credit card number. When I said "Um, I thought you said it was 'all expenses paid'", the guy actually stammered.

Every penny I had was in that checking account.

Fyunch!

Just a couple years later, when PayPal and suchlike were fairly new, I'd do a fairish amount of ebaying using my paypal account. I'd occasionally get emails claiming to be from PayPal saying that I have to click on a link and re-enter all my personal details (because, if I remember properly, my account had been "compromised") or risk having my account frozen. The link pointed to a page that had PayPal colouring, PayPal fonts, PayPal look and feel. Heck, even the URL in the address bar sorta kinda looked like it originated from PayPal! The very first time I got such an email and clicked on that link, I was just about to start entering personal details before realising that since I'd just minutes before successfully logged into my PayPal account, all my personal info was still in their databases, and they certainly didn't need me to enter it all again. Angered, I forwarded the email to PayPal's security folk who confirmed just a few hours later this was what they called a "phish attack".

I'm not particularly "paranoid", but neither am I particularly "trusting". Usually, when some little voice in my head says "something about this page or this voicemail or this email or this text messsage is a little off", that's because there is, whether I can actually spot it or not. Maybe I'm sometimes wrong in claiming there's something wrong, and if so, so be it, and if I actually have missed out once or twice on sleepy days and hot, steamy nights with pretty young things with dark chocolate skin and long, flowing coffee black hair, well, all my bills are paid, and I still have my house and my car.

I sometimes see stories of personal computers at home being compromised by viruses or worms or some other purely technical means: some bit of computer code gets into your computer and calls home with whatever bits and pieces it can find on your hard drive. This happens, but people whose experience I trust say that this is the rarer case. Most of the time, they say, people lose their shirts because they didn't read the fine print, the address bars or ask that one critical question "I thought you said it was 'all expenses paid'". Most of the people who get taken aren't even stupid or gullible or anything, they're usually just technologically naive. It's gotten worse over the years - the "off-ness" is getting to be much harder to detect, even for folks who know what to look for.

I don't make a point of looking for this off-ness, lazily enough preferring to play the odds, but there are a few things I do to reduce my attack surface.

One of the first active lines of defense I started using years ago, while I still could, was to turn off java and javascript when browsing to places I wasn't too sure about. 999 times out of a thousand, JS enriched, enhanced and posed no threat, but there were some sites reported as doing some underhanded data collection. I don't think it's feasible anymore to turn off browser scripting because virtually every site you visit anymore has nonstatic content, but I continue to use ad- and script-blocking plugins to my browsers. There's another kind of browser plugin you might consider using that suppresses "forwarding" so that when you click on some link to whatever.com, whatever.com won't be able to transfer your connection to somewhere.else.xxx unless you specifically tell your browser to allow it. Sometimes, whatever.com gets taken over by bad guys, and somewhere.else.xxx isn't something any sane person would want anything to do with.

There's not much we can do about what tools we use when we're at work, but the computers in our living rooms belong to us, personally and exclusively. I stopped using Windows or Macintosh operating systems many years ago at home, preferring to use Linux or one of the BSDs instead. I had other reasons for making the switch, but a collateral effect was was in suddenly not being vulnerable a vast array of architectural weaknesses associated with browsers and email clients specifically and application level userspace generally. It also meant being completely immune to all known viruses at the time. This much appears to have remained the case. Unless you're specifically tied to a particular software that runs only on Windows or Macintosh (games, maybe, or something like CAD software), if all you really do at home is browse, do email and Facebook, installing something like Ubuntu on your computer at home wouldn't feel terribly strange, wouldn't hamper you much and would wipe out possibly more than 95% of your vulnerability to technical attack of various sorts.

While I was still using Windows, I also used firewall software, and learned how to allow or disallow specific kinds of traffic through given ports on the router. The latter was just to reduce my vulnerability to technical attack; I wasn't running any servers of any kind, so there was no point allowing anybody to try to access any database ports, P2P ports and the like. The personal firewall software was to inhibit outbound traffic - connections originating from my personal computer - because, for example, if something did get into my system and tried to open some kind of tunnel to something I want nothing to do with, the firewall would (theoretically) block it. Another thing I did was turn off IIS and suchlike when I found out about them. Also pretty much mandatory for all Windows users: antivirus software.

I still use the router's ability to screen traffic, but the firewalls on my *nix machines tend to be configured at install time reasonably without human intervention.

While I'm on a technical jag, if you're not doing anything that would make Big Brother grumpy, you might also consider using a VPN or tor. I'm told that using tor slows things down just a tad, but either approach means that most sites you'd browse to have no idea who you are or where you're calling from. If they don't know who you are, they can't try to log into your computer. Kindly note that this isn't a foolproof approach, because many sites store cookies in your browser if you've not disabled that capability, and those cookies can be used to find you. If you're doing some off-the-beaten-path browsing, in addition to turning off scripting languages and the like, you might also consider disabling cookies.

The major line of defense I use, though, is in just asking a few questions. I'll highlight links and see what they really point to, and will tend to decline to click on them if they make me uneasy for some reason - if I'm looking for more pictures of Lina to paint up in different ways, I won't click on a link to toddlers.are.us.xxx, and if I'm just trying to buy a couple pounds of self-threading black oxide wood screws, I won't click on a link that points to roadside.entertainment.xxx.

This major line of defense isn't just for computer browsing, for me. I won't answer text messages urging that my phone's browser needs updating, won't dial numbers given in voicemail messages (if they claim to be the gas company wanting to collect on an overdue bill, I'll find the gas company's phone number on that last bill), and I won't answer any incoming phone call with an unknown caller ID and/or for which I don't already have an entry in my contacts list - there's no point in letting scammers know there's a live person attached to my phone number. If you're calling me with legitimate business, you'll leave voicemail clearly identifying who you are and why you're calling, and you'll give me enough clues to find you in the phone book so I know (in theory) who I'm talking to.

I never speak my social security number, banking account number and routing info, credit card numbers or any other such info into any wireless device. I never type these things into anything on my phone. If something "interesting" comes up on my phone that looks like it needs attention, I'll wait until I get home and use my computer to address it. My phone, by the way, needs a password to unlock - if I drop it or if you steal it, you won't be able to unlock it without wiping it out, and while you might still be able to rack up a phone bill for me, you won't get my contacts list or have any idea where my bank is. Wireless phones at home and the cell phone you carry around in your pocket are little more than CB radios, and anything you say or do with them can potentially be heard by anybody nearby with the right kind of equipment; cell phones in particular have some of the same kinds of software-based vulnerabilities I associate with Windows.
Fais tomber les barrières entre nous qui sommes tous des frères

User avatar
gkmoberg1
Moderator
Posts: 4245
Joined: Thu Dec 09, 2010 4:46 am
Contact:

Re: Yes, you - how to adult at online security

Post by gkmoberg1 » Mon Nov 06, 2017 5:21 pm

Time for more encouragement if not perhaps scare-the-pants-off-you understanding.

https://www.cioinsight.com/security/wha ... words.html

https://www.ftc.gov/news-events/blogs/t ... tity-thief

https://identitytheft.gov/

Here is the scoop, if you want the short version:
1. Thieves can and will steal you passwords. Longer passwords are a small bit of defense against random attacks. But passwords, in general, are a poor approach to securing yourself.
2. Using SMS messages on your phone is a good addition. This is a form of multi-factor authentication. You should use this wherever you can. Now for the bad news: it's simply a hurdle and thieves can get around it in a number of ways such as simply stealing your phone account.
3. In the U.S., the burden of detecting identity theft and recovering yourself from it largely falls upon you. You cannot depend upon the carriers or the services you use online to keep yourself safe.
4. Persistent awareness of your online accounts and identity and being prepared to quickly react is the only way to proceed.

Post Reply

Return to “Off Topic”