Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Welcome to the "Your Operating System has Poor Operational Security" thread. This is a guide written by those who have a clue about computer security for those who may not. However, we don't want to sugar coat things here and you must bear in mind that there are certain realities to the problems you face.

Rule of thumb to consider in this thread: you are your own worst adversary. Chances are that a mistake of yours is going to lead to a problem on your computer. Keep this in mind at all times.

Another thing: have backups and keep them up to date. This isn't going to be covered in the thread in terms of what is best, but ensure your backups are safe and are accessible in the event of a problem.

Please do ask questions in here regardless of what you think the response may be--any good questions may just get added to the OP in this thread. If you want to offer help, please do but bear in mind at the same time that you may be called out on any bad advice.

This guide is not perfect and will be changed and added to as time goes on. If you wish to contribute, respond what you want to add and I'll see about adding.



Let me open up by telling you that anti-virus is by far a dead technology and should never be your only line of defence against malware. Back in the days of bulletin boards and floppy disks, anti-virus worked because it was able to keep up with emerging threats, as the sophistication of spreading was limited to so few vectors. However, as time passed and new attack vectors formed, anti-virus began to lag behind--regardless of what the industry tells you.



All anti-virus products at their core operate the same and how they all update is as well. Anti-virus typically relies on signatures to know what is potentially malicious from what is not. However, this is its biggest flaw as those signatures can easily be thwarted by malware creators. As such, a determined attacker can easily create 2,000 different copies (in a single day no less) of the same malicious software and that may require the anti-virus vendor to create multiple signatures in order to successfully thwart it. The vendors know this and last year, Symantec admitted that at best they detect up to 45% of threats although there are suggestions that catching any new threats is at best 5% successful.

This is all on the backs of the AV industry's claims of having 'superb' features like suspicious behaviour detection and math-based anti-malware techniques--none of this really has made a dent in stemming the tide.

Don't let sites and organisations like AV-Test, Gartner, and whoever suggest that vendor X has the advantage over others. Their methodology either relies on being paid to be put in some "magic quadrant" (Gartner) which allows CIOs et al to just rubber stamp their choices or testing "real world" situations that otherwise are far from such.

What you need to consider besides common sense (most infections are the fault of users) is that there are other solutions besides anti-virus. These include simple things like network settings, popup and ad blockers, and keeping your system and browsers up to date.

I hope that this explanation lets you know of the problem this section has in terms of protecting your computer using anti-virus software alone, but let's move on. No particular anti-virus engine is going to be recommended here but there will be links to what is available.

Which anti-virus product should I use?

Keeping in mind what was said before, there are plenty of options both paid and free that will allow you to get an anti-virus product installed on your machine.

Here's a tip: are you a student or work at a large company? There is a good chance that your company's or school's AV licence will permit end-users to have a 'home-use' version installed for home. They may require some configuration locally (such as an updating source provided by the licence holder) and usually there is no direct support. If you know who the vendor is then it may be best to consult their knowledgebase or whoever is in charge of running it.

The advantage of using a larger company for anti-virus software is that you have access to definitions that are sourced from a wider surface area. Most anti-virus vendors primarily rely on a combination of honeypots and customer submissions which means that there's a good chance the bigger guys have better coverage.

If you're not looking to purchase anti-virus software, there are plenty of free options that will allow you to have some coverage on your machine. It is recommended that you stick with Microsoft for your anti-virus as it is built-in with recent versions of Windows.

Don't spend money on anti-virus if you can help it; it is not worth any amount of money.

Does anti-virus cause performance issues?

All anti-virus products are equal but some are more equal than others.

It really boils down to two factors: how the engine is coded and what settings are configured.

The settings part is easy to deal with: you need to know what you plan to do with your machine. If you play games, then set your anti-virus scanner to only scan on read. If this is a file server, then set the scanner to scan on write. For general purpose it doesn't hurt to set it to scan on read and write. You can also set up your scanner to scan on rename too, but it is likely worthless.

Avoid whitelisting wherever you can. There have been cases where malware was able to read the configuration of an anti-virus suite and then just left itself in a whitelisted directory.

I have an infection that anti-virus didn't catch. What can I do?

Remember what was said earlier: 95% of all infections are user fault; this is an opportunity to learn here.

Firstly, unplug the computer from the network. This is so that, in case the machine is no longer under your control, any remote access is cut off.

Secondly, you'll want to evaluate what action you'll want to take. If you believe that the infection is something minor like fake anti-virus or something that is creating popups, perhaps you should just do an offline scan of the machine. However, if the machine is severely infected where you are not sure what is going on, are you going to continue to trust that machine with details like your online banking, e-mails, and perhaps your SA forum account? If no, consider a wipe and restore here.

If you do choose to do a scan, keep in mind that the scan may not necessarily remove the infection and thus you may need to consider my closing point in the last paragraph.

The best advice is to do a completely offline scan. One option is from Sophos, as they provide a bootable solution that dynamically creates an ISO containing the most up-to-date definitions. The ISO created tends to support most environments but if you're in a situation where you have a RAID setup or some other atypical hardware configuration, the disc may not be for you.

If you need to do an offline scan with the OS active, consider something like Stinger (McAfee) or Malwarebytes.

But again, your machine is now compromised and unless you know what the state was of the machine before the infection occurred (not before you were aware of it), you cannot put any trust into it after attempting remediation.

Enough about anti-virus, what is this network stuff you mentioned earlier?

This is the one thing you can do without much work and is practically OS agnostic: change your DNS from what your ISP offers to something else. This is a really simple and usually free way to have protection from websites that may be otherwise malicious.

The most popular service is OpenDNS, but there are also services from Norton and Comodo. Keep in mind that this may introduce ads if you have DNS failures and that you could have issues with CDNs, but it does the trick.

What can I do to protect myself from exploits?

Nothing is sure-fire for protecting yourself from exploits. Going back to anti-virus vendors, they'll claim that they'll detect suspicious behaviour and have some level of exploit mitigation, but overall they fail.

If you're using Windows, you may want to consider the Enhanced Mitigation Experience Toolkit (EMET). It's tasked with blocking or at least mitigating common software exploits. It can be used to protect older software that predates EMET as well, but it's again not sure-fire.

It's worth having on your system and any performance impact would be minor at best.

What about using popup and ad blockers?

Install uBlock Origin or uBlock, both of which do the same thing. The latter has Safari support.

Lain Iwakura fucked around with this message at 20:02 on Mar 7, 2017


Lain Iwakura
Aug 5, 2004



Full disk encryption (FDE) is really the best anti-theft mechanism you can get for your machine. It won't necessarily prevent your device from being stolen or from an attacker reading your data while you're using your computer, but it will make it a pain in the rear end if not nigh-impossible to read anything if the drive is removed or read from an alternate boot source. Most operating systems that have been released in the past few years have it built in natively, which means that you likely don't have to shop around.

As of this writing, the following is an incomplete list of mainstream operating systems that have built-in FDE:
  • Mac OS X (FileVault) - Introduced in 10.7, originally just home directory in 10.3
  • Windows Vista/7/8/10 (BitLocker) - Only available in Vista and 7's Ultimate and Enterprise editions, Professional and Enterprise for Windows 8 and 10
  • Linux (dm-crypt) - Available with most major distributions
  • Android
More details on the above will be added as time goes on.

Where's Truecrypt on this list?

It should be noted that TrueCrypt is no longer in development, as the nameless developer left a parting message that the software is likely insecure and shouldn't be used. Said developer yanked all of their code from the website and left a tool to decrypt any volumes--the source code was also removed from the website although people had mirrored previous releases and as a result we now have forks.

An audit of the source code had begun before the developer discontinued development and while flaws were found, there was no evidence of wrongdoing such as backdoors nor were these problems unfixable.

Having said that, there have been two notable bugs since the audit that were missed because the audit itself focused on the cryptography and not other aspects of the application. Using TrueCrypt (or its forks, CipherShed and VeraCrypt for example) in light of the original developer's statement and the bugs found since the audit cannot be recommended.

There is no support for Windows 8 or later with TrueCrypt either.

OS X and Windows are closed source and thus cannot have their cryptography audited. What about that?

If this is your concern, then why are you even using these two operating systems? There are more attack vectors than the FDE and backdoors can be inserted elsewhere if this is what you're concerned about.

Should the above not satisfy you, then consider using Linux with dm-crypt and then run whatever in VirtualBox.

Should that suggestion not be of help, then this thread is not for you.

What about single/multiple file encryption?

Use 7-Zip.

The reason for this suggestion is that it works great if you're just trying to send files to other individuals as it uses AES to encrypt the files and you can also encrypt the filenames within to ensure no leakage of metadata--provided you use the 7z format. Because of its simplicity, you can send files to someone who's not very adept at using a computer and all you have to do is get them to install 7-Zip and then let them know of the password.

It should be noted that its cryptography has yet to be audited but for the time-being it works.

More to come...



Firewalls more often than not work like this:



If you're interested in knowing what process is connecting outbound, there is LittleSnitch for OS X ($40 USD, sometimes cheaper as I got my copy for $23) or you could try Netlimiter for Windows--I do not endorse either application but LittleSnitch has been useful for testing things. However, these applications assume that you know what you're looking to permit and do not actually do much more than give you a confirm/deny for where a process is connecting.

Other than that, an endpoint software firewall is more often than not useless. They're much easier to disable locally than anti-virus in some ways and really just provide a blinky icon in your system tray.

At least for Windows' built-in firewall, configure it so it denies all inbound traffic regardless of what network you are on and only enable inbound ports if absolutely necessary.

However, you more likely than not have a firewall in front of your network connection. Here are some things you should consider:

  • Disable UPNP - UPNP is garbage and is only there to make it so you can have devices that use it expose services to the Internet. If you have a NAS, a BitTorrent client, or even some media players, they do often have features that allow you to remotely access data or control devices with little to zero configuration on your end. Disable that nonsense and if you need to make it so a service is available on your public-facing Internet connection, configure NAT manually. For your :filez: needs, set BitTorrent to use a static port and do not do anything else.
  • If you need to access inbound services, use SSH and nothing else - SSH has more features than a remote shell as it allows for file transfers and port forwarding via a Socks proxy. If you have a device you want to control like a camera or something, buy yourself a Raspberry Pi for $35, install Ubuntu, configure SSH and private keys, and then use an SSH client with dynamic port forwarding. Once that is done, all you need to do is connect from your non-home machine to your home Internet connection with an SSH client and then configure a local proxy to use the configuration you have created. Once that is done, you can then point your browser to whatever home device. Using SSH keys and disabling password access to the SSH server is relatively secure and you can add a password to your SSH key for an extra layer of security.
  • Avoid using stock firmware on your router - if you have a router that supports DD-WRT or Tomato, install it. This replacement firmware is more likely to have bug fixes that your manufacturer has yet to install.
  • Make sure that admin access is disabled from the Internet - regardless of the service (HTTP, SSH, whatever), make sure it is not Internet accessible. These things should only be reachable internally.

I'll add some more later on...

Lain Iwakura fucked around with this message at 04:33 on Aug 11, 2016
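The SSH setup from the "use SSH and nothing else" bullet above, written out as an added example; this is not code from the original post. It shows the sshd_config directives that make the Pi accept keys only, the client-side `~/.ssh/config` entry that opens the SOCKS proxy (DynamicForward), and a small POSIX shell checker that tells a key-only sshd_config from one that still accepts passwords. The hostname home.example.net, the user name pi, the key file name, the 192.168.1.50 device address and port 1080 are placeholder assumptions; the two sshd_config texts are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): sshd hardening plus a client-side
# dynamic port forward, with a checker for the server config.
# Assumptions: host home.example.net, user "pi", key ~/.ssh/home-pi_ed25519,
# SOCKS port 1080 and device 192.168.1.50 are placeholders; both config texts
# below are constructed samples.

# Server side (/etc/ssh/sshd_config on the Pi): keys on, passwords off.
# Merge these lines into the real file and restart sshd.
HARDENED_SSHD_CONFIG='
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowTcpForwarding yes
'

# A stock-looking config: everything commented out, so sshd falls back to its
# defaults, which still allow password logins.
WEAK_SSHD_CONFIG='
#PubkeyAuthentication yes
#PasswordAuthentication yes
PermitRootLogin prohibit-password
'

# Client side (~/.ssh/config on the laptop). DynamicForward 1080 makes
# "ssh -N home-pi" listen on localhost:1080 as a SOCKS proxy whose traffic
# leaves from the Pi, so http://192.168.1.50/ (camera, NAS, router UI) is
# reachable once the browser is pointed at SOCKS5 127.0.0.1:1080.
CLIENT_SSH_CONFIG='
Host home-pi
    HostName home.example.net
    Port 22
    User pi
    IdentityFile ~/.ssh/home-pi_ed25519
    IdentitiesOnly yes
    DynamicForward 1080
'

# Print the first uncommented value of any of the comma-separated directive
# names in $2 (sshd uses the first match), or nothing when none is set.
sshd_first_value() {
    printf '%s\n' "$1" | awk -v names="$2" '
        BEGIN { n = split(names, want, ",") }
        {
            k = tolower($1)
            for (i = 1; i <= n; i++) if (k == want[i]) { print tolower($2); exit }
        }'
}

# Return 0 when the config refuses passwords (plain and keyboard-interactive)
# and accepts public keys; 1 otherwise. The sshd default for all three is
# "yes", so a missing directive counts as the weak setting.
sshd_config_is_hardened() {
    cfg="$1"
    pw=$(sshd_first_value "$cfg" "passwordauthentication")
    kbd=$(sshd_first_value "$cfg" "kbdinteractiveauthentication,challengeresponseauthentication")
    pk=$(sshd_first_value "$cfg" "pubkeyauthentication")
    [ "${pw:-yes}" = "no" ] || return 1
    [ "${kbd:-yes}" = "no" ] || return 1
    [ "${pk:-yes}" = "yes" ] || return 1
    return 0
}

# One-time setup on the laptop, then opening the tunnel:
#   ssh-keygen -t ed25519 -f ~/.ssh/home-pi_ed25519                  # set a passphrase
#   ssh-copy-id -i ~/.ssh/home-pi_ed25519.pub pi@home.example.net    # while passwords still work
#   ssh -N home-pi                                                    # SOCKS proxy on 127.0.0.1:1080
# Only switch PasswordAuthentication to "no" after the key login has been
# confirmed to work, or you lock yourself out of the Pi.
```

The checker reads the config the way sshd does: the first uncommented occurrence of a directive wins, so a "no" added at the bottom of a file that already says "yes" higher up changes nothing, and a directive that is only present as a comment leaves the default in force. Run the checker against the real /etc/ssh/sshd_config (cat it into `sshd_config_is_hardened`) before forwarding port 22 on the router.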

Lain Iwakura
Aug 5, 2004



There are a couple of solutions for password management, all of which can be done without spending any money. There are two products I can personally vouch for:

  • 1Password
  • KeePass

1Password is available for Windows, Mac, iOS, and Android--no version for Linux exists but there are tools to decrypt the password file--it has been noted that the application works fine under Wine. It also costs $50 USD for a single platform or $70 for a Windows/Mac licence. Keep in mind that if you have an older copy of 1Password, you'll want to ensure that you are using the most recent file format as there are substantial security issues with the older format.

KeePass (professional version to be exact) is available for a bunch of platforms, with the general release being written in .NET/Mono. If you're using OS X, it is suggested that you use MacPass, which is native to OS X.

In both cases, you can safely synchronise the file using a variety of services including OneDrive, Dropbox, and other cloud-hosting services. In KeePass' case, I can tell you that it will know when you write to the file elsewhere, allowing it to synchronise at your request--MacPass does not do this as of this writing.

It is not suggested to use LastPass as there have been constant problems with them keeping internal security at bay and a vulnerability in the past that resulted in exposure of passwords.

Lain Iwakura fucked around with this message at 19:36 on Nov 4, 2015

WattsvilleBlues
Jan 25, 2005

Every demon wants his pound of flesh

OSI bean dip posted:

What about using popup and ad blockers?

Install uBlock Origin and never look back. Don't bother with anything else (even regular uBlock).

What's the difference between them?

dis astranagant
Dec 14, 2006

An on-going spat between Origin's absentee dev and the guy he gave his trademark to when he got bored of maintaining it. I haven't been paying close enough attention since it started to tell who's the bigger douche.

WattsvilleBlues
Jan 25, 2005


dis astranagant posted:

An on-going spat between Origin's absentee dev and the guy he gave his trademark to when he got bored of maintaining it. I haven't been paying close enough attention since it started to tell who's the bigger douche.

I heard about the developer poo poo fight, but I'm wondering what the actual difference is between Origin and the other uBlock, and why the OP suggests one over the other.

dis astranagant
Dec 14, 2006

Looks like Origin just annoyed a bunch of people by requiring new permissions in Chrome so it can turn off prefetching (apparently prefetch can't be filtered). Other than that it looks like a smaller but directly referenced set of bug fixes vs some UI changes and "many smaller fixes" in every changelog.

e: I guess both versions have the Chrome permissions thing.

dis astranagant fucked around with this message at 13:11 on Jun 2, 2015

Im_Special
Jan 2, 2011

Look At This!!! WOW!
It's F*cking Nothing.
One of the best pieces of software ever created (IMO) and great for system protection is Sandboxie, I've been using it for a few years now and it's definitely been one of the if not the best 40~ bucks I've ever spent on software.

Setting it up becomes a real breeze once you get familiar with how it works, and once you do you won't even need to think about it as it will run passively and all your stuff will run just like it normally would. I try to run all my programs sandboxed when I can, and have my browser set in its own dedicated sandbox as well, with it I don't think you can get infected or it is very hard to. Even if you're cheap and don't want to spend the money the free version will get you by when you just need to run stuff but don't want it touching your system, though personally I couldn't live without the multi-sandbox capacities. Check it out. http://www.sandboxie.com/

It's really great at preventing Winrot too.

Okay end shilling.

Crack
Apr 10, 2009
OK I have a few opinions. First of all, please don't use chrome because gently caress google. Same goes for google search (you can use an anonymising service like startpage or disconnect) gmail, google docs, google analytics (can you even still block this?). At the least delete emails not "archive" them, if you think you might wish to view it later download via a secure protocol to an email client, and backup. Noscript is great!

Also turn your phone off when you aren't using it, better yet remove the battery. Not only will you be saving yourself from cancer but I'm sure everyone has heard of the stingray by now. I also use D-VASIVE which disables the mic etc if I'm not using those functions. Finally, please get RedPhone, TextSecure, Signal, w/e, and advise your friends to do the same. More adoption of this tech is better for everyone, it's Snowden approved and from a couple talks I watched of his Moxie is p much top of the game right now and appears to be doing it for the right reasons. Related to that, don't trust SSL (padlock) as implemented right now. And pgp isn't great.

Please don't use dropbox. Or Hola. If something is free, how do the developers profit and maintain servers? Same goes for pirated content - in this case though I'm not talking about the dev behind the content but the dev that's put some sneaky code into that pdf of some esoteric magazine or whatever where it's fairly unlikely there have been enough downloads / educated users to leave a warning that you've been owned.

If you're still using WEP it might be time to consider suicide, but WPA is vulnerable too now because Moxie has generously offered WPA/WPA2 cracking as a cloud service for 30 dollars or something, you get results in 20 mins or 40 iirc (if vulnerable).

If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router because if you are reading this thread you quite possibly already have malware and aren't the best educated on it. Oh and if you are paying rental for some plastic poo poo your isp provides (with a modem too!) try and return it and invest in an actual router.

(disclaimer: I'm no security expert but i love my :tinfoil: hat, and I think information security is equally or even more important for many people than pure focus of viruses etc)

Lain Iwakura
Aug 5, 2004


Crack posted:

OK I have a few opinions. First of all, please don't use chrome because gently caress google. Same goes for google search (you can use an anonymising service like startpage or disconnect) gmail, google docs, google analytics (can you even still block this?). At the least delete emails not "archive" them, if you think you might wish to view it later download via a secure protocol to an email client, and backup. Noscript is great!

Also turn your phone off when you aren't using it, better yet remove the battery. Not only will you be saving yourself from cancer but I'm sure everyone has heard of the stingray by now. I also use D-VASIVE which disables the mic etc if I'm not using those functions. Finally, please get RedPhone, TextSecure, Signal, w/e, and advise your friends to do the same. More adoption of this tech is better for everyone, it's Snowden approved and from a couple talks I watched of his Moxie is p much top of the game right now and appears to be doing it for the right reasons. Related to that, don't trust SSL (padlock) as implemented right now. And pgp isn't great.

Please don't use dropbox. Or Hola. If something is free, how do the developers profit and maintain servers? Same goes for pirated content - in this case though I'm not talking about the dev behind the content but the dev that's put some sneaky code into that pdf of some esoteric magazine or whatever where it's fairly unlikely there have been enough downloads / educated users to leave a warning that you've been owned.

If you're still using WEP it might be time to consider suicide, but WPA is vulnerable too now because Moxie has generously offered WPA/WPA2 cracking as a cloud service for 30 dollars or something, you get results in 20 mins or 40 iirc (if vulnerable).

If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router because if you are reading this thread you quite possibly already have malware and aren't the best educated on it. Oh and if you are paying rental for some plastic poo poo your isp provides (with a modem too!) try and return it and invest in an actual router.

(disclaimer: I'm no security expert but i love my :tinfoil: hat, and I think information security is equally or even more important for many people than pure focus of viruses etc)

This stuff will be addressed in the OP(s) so don't worry. I just needed to get the AV part out of the way since there's a lot of misinformation floating about.

Wiggly Wayne DDS
Sep 11, 2010



Crack posted:

OK I have a few opinions. First of all, please don't use chrome because gently caress google. Same goes for google search (you can use an anonymising service like startpage or disconnect) gmail, google docs, google analytics (can you even still block this?). At the least delete emails not "archive" them, if you think you might wish to view it later download via a secure protocol to an email client, and backup. Noscript is great!
Sounds like you're using a third-party email provider and don't have your emails encrypted. Don't know what you're gaining from deleting them - they've already been processed or have been stored elsewhere. What would you consider a secure protocol and which client would you use to download these emails? What makes Noscript better than the alternatives (uBlock, etc)?

quote:

Also turn your phone off when you aren't using it, better yet remove the battery. Not only will you be saving yourself from cancer but I'm sure everyone has heard of the stingray by now. I also use D-VASIVE which disables the mic etc if I'm not using that functions. Finally, please get RedPhone, TextSecure, Signal, w/e, and advise your friends to do the same. More adoption of this tech is better for everyone, it's Snowden approved and from a couple talks I watched of his Moxie is p much top of the game right now and appears to be doing it for the right reasons. Related to that, don't trust SSL (padlock) as implemented right now. And pgp isn't great.
First off if you've got an adversary prepared to tap your mobile you've got bigger problems. Secondly that's not how stingray works, and removing your battery is advice given for a different attack - wrong advice that's useless these days anyway. Let's leave the cancer part to the side and stick to technical discussion. Relying on a third-party app to disable your microphone is amusing, but recommending RedPhone/TextSecure/Signal is correct (specifically those three products). This is getting into more privacy matters than strictly endpoint security, but it could be worth discussing. Can you explain what precisely you mean about your comments on SSL and PGP?

quote:

Please don't use dropbox. Or Hola. If something is free, how do the developers profit and maintain servers? Same goes for pirated content - in this case though I'm not talking about the dev behind the content but the dev that's put some sneaky code into that pdf of some esoteric magazine or whatever where it's fairly unlikely there have been enough downloads / educated users to leave a warning that you've been owned.
This is more or less true and worth knowing.

quote:

If you're still using WEP it might be time to consider suicide, but WPA is vulnerable too now because Moxie has generously offered WPA/WPA2 cracking as a cloud service for 30 dollars or something, you get results in 20 mins or 40 iirc (if vulnerable).
None of this information is very helpful advice. How should a wifi network be configured? Can you explain your rationale in detail?

quote:

If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router because if you are reading this thread you quite possibly already have malware and aren't the best educated on it. Oh and if you are paying rental for some plastic poo poo your isp provides (with a modem too!) try and return it and invest in an actual router.
What routers would you recommend? How do you "disable all incoming / outgoing connections" on your router? Why would doing this improve security at all? Remember that your housemates still need to go online, and you don't have authority over a shared line/their machines.

quote:

(disclaimer: I'm no security expert but i love my :tinfoil: hat, and I think information security is equally or even more important for many people than pure focus of viruses etc)
It's hard enough to clear misconceptions without people giving, at best, half-true advice. You seem to be learning based off of headlines rather than anything of substance, but it's a start. If you could provide explanations this could prove to be a learning experience for everyone.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Crack posted:

First of all, please don't use chrome because gently caress google.

What specifically do you feel is wrong with chrome? Giving them the finger for their relationship with In-Q-Tel doesn't count. If you have a proper reason, what browser would you suggest instead?

Crack posted:

Noscript is great!

What are you trying to prevent by disabling js? v8 is sandboxed and there hasn't been an RCE vuln reported in it since 2009

Crack posted:

turn your phone off when you aren't using it [...] stingray

This isn't how stingrays work - are you thinking of OTA baseband exploits? Not that you can avoid those

Crack posted:

get RedPhone, TextSecure, Signal

yes

Crack posted:

Related to that, don't trust SSL (padlock) as implemented right now.

This isn't helpful advice and it's not clear what you mean

Crack posted:

And pgp isn't great.

Please elaborate on this

Crack posted:

If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router because if you are reading this thread you quite possibly already have malware and aren't the best educated on it

What are you talking about

Rufus Ping
Dec 27, 2006





general browser advice for security and privacy:
- disable 3rd party cookies
- set plugins to 'click to play'
- install ublock
- install https everywhere + privacy badger

general windows advice:
- UAC on max
- DEP set to opt-out
- install EMET
- configure the windows firewall properly using the MMC snap-in

Crack
Apr 10, 2009
Thanks for the criticism people, hopefully I can learn something from it. I'll respond to a post now and another later otherwise these posts will be too large.

Rufus Ping posted:

general windows advice:
- Actually read UAC messages before clicking yes
- Windows set to opt-out
- install linux (Qubes looks pretty good as a purely sec focused one) and virtualbox / vmware, or get a mac if you like hurting children
- probably still hosed if someone really wants to get you but at least you aren't using windows

fixed.

Wiggly Wayne DDS posted:

Sounds like you're using a third-party email provider and don't have your emails encrypted. Don't know what you're gaining from deleting them - they've already been processed or have been stored elsewhere. What would you consider a secure protocol and which client would you use to download these emails? What makes Noscript better than the alternatives (uBlock, etc)?

Yeah to be honest I think email in its current form is pretty hosed. I actually have an email account setup on a trusted personal friend's server - who is skilled enough to run a secure mail server for a few people (I'm not skilled enough to maintain one, but my friend contributed some pretty major stuff to linux back in the day and apparently is fairly fluent in this type of stuff). They are encrypted on the server and when I delete them there isn't a secret backup on a vault somewhere. What you get from deleting them is if someone hacks your gmail acc they prob don't have access to Google's vault so they can't steal your ID. Nevertheless not many people have this option so it breaks anyway if I send / receive any unencrypted email to abc@gmail.com as it will be stored there.

Mailpile looks very nice for DLing emails, and I think that going forward much better protocols are being developed (LEAP or w/e, look at mailpiles security roadmap too).

I never claimed NoScript was better than uBlock, just that it was great (I stand by that). I honestly haven't really followed uBlock; I didn't really look that much into it and thought it was more an adblock alternative rather than providing the other features in NoScript. In fact, looking at the webpage it doesn't actually tell me if it has the same features, like actually blocking.. scripts, and providing XSS protection (ABE). For example, using this website I got tabnabbed with uBlock on default settings, and also with strict blocking set. I had to enable reader view, and I'll probably forget to do that for every website I visit. OTOH NoScript blocked it instantly with default block-all settings.


Rufus Ping posted:

What are you trying to prevent by disabling js? v8 is sandboxed and there hasn't been an RCE vuln reported in it since 2009

Tabnabbing for one? Still works in latest ff and chrome as far as I can tell.

quote:

First off if you've got an adversary prepared to tap your mobile you've got bigger problems. Secondly that's not how stingray works, and removing your battery is advice given for a different attack - wrong advice that's useless these days anyway. Let's leave the cancer part to the side and stick to technical discussion. Relying on a third-party app to disable your microphone is amusing, but recommending RedPhone/TextSecure/Signal is correct (specifically those three products). This is getting into more privacy matters than strictly endpoint security, but it could be worth discussing. Can you explain what precisely you mean about your comments on SSL and PGP?

Can you explain how it's wrong / useless? How can an attacker remotely turn on the mic without power? I also factory reset my phone regularly, and occasionally buy new sim cards with cash and don't register my details with the network operator. Given it is powerless most of the time and whatever data does exist is wiped at least bimonthly, there isn't that much data useful or available to the average attacker - maybe after a long targeted campaign they would be able to collect some, but half the year I live in an area that has literally no base station coverage so my phone just sits on a shelf, and I don't have wifi. I see my friends face to face in general. Yeah using a 3rd party app is perhaps a little dodgy, but my phone's generally off anyway and the guy who made it (McAfee) is even more paranoid than me.

Regarding SSL I was really talking about the flaws with CAs (ie "padlock" symbol). The thing is meant to prevent mitm attacks but fails when you can buy your own CA for yourself and make your own certs, or hack / exploit a website and get it that way e.g. look at comodo, here is a great talk about how flawed the current implementation is.

PGP requires too much user education (tried to get my mum to use it but she gave up), and doesn't have forward secrecy or deniability. Compared to something like pidgin and OTR, which is like 3 clicks (install pidgin, click addons, enable OTR) or TextSecure.

quote:

None of this information is very helpful advice. How should a wifi network be configured? Can you explain your rationale in detail?
OK, this isn't a networking thread so I won't go into any detail about networking specifics, but I do believe obviously WEP is insecure (do you challenge that?). To figure out how to correctly configure the network go to the CloudCracker website and see their methodology of cracking, and select a password that will be too complex for it. I mean it is a balance, it's unlikely anyone will spend $17 or whatever (the price goes up based on the dictionary used) to try and get the password but it's good password practice anyway. One of my neighbours has their SSID as "The NSA" which tempts me to waste $17 to see if I can get in though...

quote:

What routers would you recommend? How do you "disable all incoming / outgoing connections" on your router? Why would doing this improve security at all? Remember that your housemates still need to go online, and you don't have authority over a shared line/their machines.
Again not a networking thread (but like any actual router).

Disable with a jammer or some scissors on the cable coming from the modem(/router combo). I find these tools empower me with authority over the network. It would improve security by limiting the attack vector to like USB drives or something and the attacker has a hard time controlling the infected machine. I should point out as it apparently wasn't obvious I wasn't really being serious with that comment.

quote:

It's hard enough to clear misconceptions without people giving, at best, half-true advice. You seem to be learning based off of headlines rather than anything of substance, but it's a start. If you could provide explanations this could prove to be a learning experience for everyone.

I began my last post with this and I'll end this one with the same. If something looks like an opinion, it probably is one. If something looks like advice, do your own research rather than blindly following the advice of some guy on an internet forum (probably the best advice in general, especially as time passes and the tech changes). I am not a security expert, I do not work in the security industry, and I have not consulted anyone who does, so anyone looking for security advice please do not take anything I say in any of my posts (apart from the preceding sentence) as informed, educated or up to date genuine security advice. I am primarily posting in this thread to learn and try to get people to at least think about privacy and information security as issues in addition to just viruses or whatever.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

You're just coming across as a loudmouth idiot with all this stereotypical smartass "IT guy" hurrrrr micro$haft bluster

Crack posted:

Tabnabbing for one? Still works in latest ff and chrome as far as I can tell.

So your concern is that a malicious or compromised site could switch to a phishing page while you aren't looking.

Why are you logging into websites manually to begin with? This problem is solved completely by using a password manager.

Disabling JS to prevent phishing is like trying to kill a fly with a mallet and suggests you have bigger problems.

Wiggly Wayne DDS
Sep 11, 2010



Crack posted:

Thanks for the criticism people, hopefully I can learn something from it. I'll respond to a post now and another later otherwise these posts will be too large.


fixed.


Yeah to be honest I think email in its current form is pretty hosed. I actually have an email account set up on a trusted personal friend's server - who is skilled enough to run a secure mail server for a few people (I'm not skilled enough to maintain one, but my friend contributed some pretty major stuff to linux back in the day and apparently is fairly fluent in this type of stuff). They are encrypted on the server and when I delete them there isn't a secret backup in a vault somewhere. What you get from deleting them is if someone hacks your gmail acc they prob don't have access to google's vault so they can't steal your ID. Nevertheless not many people have this option so it breaks anyway if I send / receive any unencrypted email to abc@gmail.com as it will be stored there.

Mailpile looks very nice for DLing emails, and I think that going forward much better protocols are being developed (LEAP or w/e, look at mailpiles security roadmap too).

I never claimed NoScript was better than uBlock, just that it was great (I stand by that). I honestly haven't really followed uBlock; I didn't really look that much into it and thought it was more an adblock alternative rather than providing the other features in NoScript. In fact, looking at the webpage it doesn't actually tell me if it has the same features, like actually blocking.. scripts, and providing XSS protection (ABE). For example, using this website I got tabnabbed with uBlock on default settings, and also with strict blocking set. I had to enable reader view, and I'll probably forget to do that for every website I visit. OTOH NoScript blocked it instantly with default block-all settings.


Tabnabbing for one? Still works in latest ff and chrome as far as I can tell.


Can you explain how it's wrong / useless? How can an attacker remotely turn on the mic without power? I also factory reset my phone regularly, and occasionally buy new sim cards with cash and don't register my details with the network operator. Given it is powerless most of the time and whatever data does exist is wiped at least bimonthly, there isn't that much data useful or available to the average attacker - maybe after a long targeted campaign they would be able to collect some, but half the year I live in an area that has literally no base station coverage so my phone just sits on a shelf, and I don't have wifi. I see my friends face to face in general. Yeah using a 3rd party app is perhaps a little dodgy, but my phone's generally off anyway and the guy who made it (McAfee) is even more paranoid than me.

Regarding SSL I was really talking about the flaws with CAs (ie "padlock" symbol). The thing is meant to prevent mitm attacks but fails when you can buy your own CA for yourself and make your own certs, or hack / exploit a website and get it that way e.g. look at comodo, here is a great talk about how flawed the current implementation is.

PGP requires too much user education (tried to get my mum to use it but she gave up), and doesn't have forward secrecy or deniability. Compared to something like pidgin and OTR, which is like 3 clicks (install pidgin, click addons, enable OTR) or TextSecure.

OK, this isn't a networking thread so I won't go into any detail about networking specifics, but I do believe obviously WEP is insecure (do you challenge that?). To figure out how to correctly configure the network go to the CloudCracker website and see their methodology of cracking, and select a password that will be too complex for it. I mean it is a balance, it's unlikely anyone will spend $17 or whatever (the price goes up based on the dictionary used) to try and get the password but it's good password practice anyway. One of my neighbours has their SSID as "The NSA" which tempts me to waste $17 to see if I can get in though...

Again not a networking thread (but like any actual router).

Disable with a jammer or some scissors on the cable coming from the modem(/router combo). I find these tools empower me with authority over the network. It would improve security by limiting the attack vector to like USB drives or something and the attacker has a hard time controlling the infected machine. I should point out as it apparently wasn't obvious I wasn't really being serious with that comment.


I began my last post with this and I'll end this one with the same. If something looks like an opinion, it probably is one. If something looks like advice, do your own research rather than blindly following the advice of some guy on an internet forum (probably the best advice in general, especially as time passes and the tech changes). I am not a security expert, I do not work in the security industry, and I have not consulted anyone who does, so anyone looking for security advice please do not take anything I say in any of my posts (apart from the preceding sentence) as informed, educated or up to date genuine security advice. I am primarily posting in this thread to learn and try to get people to at least think about privacy and information security as issues in addition to just viruses or whatever.
You have mental problems and should not be near an electronic device. Please avoid giving any advice or opinions in the future.

Mo_Steel
Mar 7, 2008

Let's Clock Into The Sunset Together

Fun Shoe

Rufus Ping posted:

You're just coming across as a loudmouth idiot with all this stereotypical smartass "IT guy" hurrrrr micro$haft bluster


So your concern is that a malicious or compromised site could switch to a phishing page while you aren't looking.

Why are you logging into websites manually to begin with? This problem is solved completely by using a password manager.

Disabling JS to prevent phishing is like trying to kill a fly with a mallet and suggests you have bigger problems.

Using a password manager is good advice. Any recommendations? I've been using KeePass for ages, but seeing as I am not a security expert I'd be welcome to suggestions for alternatives.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Mo_Steel posted:

Using a password manager is good advice. Any recommendations? I've been using KeePass for ages, but seeing as I am not a security expert I'd be welcome to suggestions for alternatives.

Keepass is the one I do recommend. The one catch is that the application is written using .NET so when you run it under Linux or Mac OS X, there's all sorts of headaches that come with it. At least on the Mac there is MacPass which makes use of the native Cocoa libraries.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano
I use 1Password, it has windows/osx/android/ios clients and plays nicely with various Dropbox-like syncing programs. Bit expensive but you can sometimes find a coupon online or they do educational discounts.

Crack
Apr 10, 2009

Wiggly Wayne DDS posted:

You have mental problems and should not be near an electronic device. Please avoid giving any advice or opinions in the future.

Haha I really shouldn't have posted in the first place. Being awake for extended periods tends to change your perspective on things, especially 70+hrs in (with some 2hr naps sprinkled in), and there were other actors at play which may have intensified :tinfoil: and "loudmouth". Try it, I guarantee your posts will be quite different.

Honestly, half the things I said I did were BS, I still mostly rely on gmail for day to day stuff although I'm trying to transfer all my useful stuff to fastmail - I do recommend using a paid-for, non-ad-scanning email service (sorry about still giving advice). I use my friend's server email for stuff I don't want directly tied to my identity, and tend to use gpg for that. I would use encryption for all email, but people generally don't wish to learn it, and companies don't offer it, so it's a bit of a dead end. And no, I don't factory reset my phone every 2 weeks.

I still believe some of the stuff I posted, maybe in a less aggressively paranoid way, but maybe I'm a little paranoid in general regardless. You probably aren't going to be a victim of an ssl mitm attack but I still think you should delete old wifi AP's or disable wifi if you aren't using it in public spaces, especially on certain devices.

I will rise to the challenge though if you will (not being near an electronic device), for maybe 5 days or something? That of course includes cars, credit cards, electric ovens, electric lights etc - although maybe a gas hob is alright as long as you light it with a match and not use the clicker thing. Digital camera (not phonecam) is also good for evidence / journaling. I think it sounds like a fun challenge, maybe enlightening on how hard it is to "not be near an electronic device". Let me know if you're up for it or are a puss.

Apologies to OP for inadvertently threadshitting a bit, I'm happy to trim / cut my posts if you wish as they are long, especially as this is the 1st page and you've already said you will update the op in time with the relevant stuff. I know you know much more than me anyway given your gang tag while my copy of Applied Cryptography still languishes on the bookshelf.

On password managers take my advice and stick to one. A few years ago I decided it was a good idea to have keepass on my desktop, and 1password on my macbook. It's a bit of a nightmare; I consolidated them but now I have a ton of duplicate entries with different passwords after updating one pw manager with a new password but not the other. Don't do this.

e: genuinely can't help myself with the rambly posts.

Crack fucked around with this message at 08:55 on Jun 6, 2015

Captain Yossarian
Feb 24, 2011

All new" Rings of Fire"
The OP and his advice have been helpful and interesting, the rest of the thread has been a big ole bucket of paranoid crazy.

crack mayor
Dec 22, 2008
Not quite sure if what I'm about to ask fits the thread, but here goes. How big of a problem is it if a website uses obsolete encryption, or is certified but doesn't have publicly audited records? I get it if it's hard to answer in a concrete way. It almost strikes me as paranoid to think that if a website is not using the latest encryption and has third party verification (in the sense of publicly audited records), then the website is 100% compromised and shouldn't be used. On the other hand, some of the websites that aren't exactly up to date are numerous and varied. It would seem impossible to avoid non-vulnerable websites entirely. Should someone be afraid to create a login for a business' website to apply for a job if that website isn't using the latest and greatest? Or is network vulnerability blown out of proportion? How real and/or immediate is the threat of identity theft on the internet in general?

Crack
Apr 10, 2009

crack mayor posted:

Not quite sure if what I'm about to ask fits the thread, but here goes. How big of a problem is it if a website uses obsolete encryption, or is certified but doesn't have publicly audited records? I get it if it's hard to answer in a concrete way. It almost strikes me as paranoid to think that if a website is not using the latest encryption and has third party verification (in the sense of publicly audited records), then the website is 100% compromised and shouldn't be used. On the other hand, some the websites that aren't exactly up to date are numerous and varied. It would seem impossible to avoid non-vulnerable websites entirely. Should someone be afraid to create a login for a business' website to apply for a job if that website isn't using the latest and greatest? Or is network vulnerability blown out of proportion? How real and/or immediate is the threat of identity theft on the internet in general?

I know I came across as a bit paranoid earlier but really it's about balancing risk. I'm not sure if you mean ssl encryption or stored data encryption but I guess in the end it's not really relevant. It's not true that a non perfectly secured website is 100% compromised, unless it's a particularly juicy target. There have been examples of banks for example that have been told they have an exploit and need to patch (maybe with a risk of $60k loss from hackers per few months) and the patch takes a day, but the bank rakes 1mil+ per day so it's inconsequential and they don't patch because it doesn't actually make financial sense. So just think when submitting info on a website: do I need to use real info (it's easy to lie in many fields), how sensitive or valuable is this info - especially to a crim, and what is the company's track record regarding breaches (type example.com exploits or similar in google if it's fairly large and you will probably find how long they took to implement a patch).

Also it almost goes without saying but the fewer companies that store your data the less chance of compromise.

https://www.ssllabs.com/ssltest/index.html plug it in here if it's https, look at the results and make a decision. If it's F, maybe it isn't so great and you should email the webmaster the ssltest results.

crack mayor
Dec 22, 2008

Crack posted:

I know I came across as a bit paranoid earlier but really it's about balancing risk. I'm not sure if you mean ssl encryption or stored data encryption but I guess in the end it's not really relevant. It's not true that a non perfectly secured website is 100% compromised, unless it's a particularly juicy target. There have been examples of banks for example that have been told they have an exploit and need to patch (maybe with a risk of $60k loss from hackers per few months) and the patch takes a day, but the bank rakes 1mil+ per day so it's inconsequential and they don't patch because it doesn't actually make financial sense. So just think when submitting info on a website: do I need to use real info (it's easy to lie in many fields), how sensitive or valuable is this info - especially to a crim, and what is the company's track record regarding breaches (type example.com exploits or similar in google if it's fairly large and you will probably find how long they took to implement a patch).

Also it almost goes without saying but the fewer companies that store your data the less chance of compromise.

https://www.ssllabs.com/ssltest/index.html plug it in here if it's https, look at the results and make a decision. If it's F, maybe it isn't so great and you should email the webmaster the ssltest results.

Yea. I definitely try to keep my info confined to a few sites. It's difficult in a situation like job hunting though. I'm phone posting right now, but I'll check that link out later.

Star War Sex Parrot
Oct 2, 2003

OSI bean dip posted:

Install uBlock Origin and never look back. Don't bother with anything else (even regular uBlock).
Could you elaborate on this? What's bad about uBlock and/or better about uBlock Origin? I never understood the fork, but both are being actively developed right now.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Star War Sex Parrot posted:

Could you elaborate on this? What's bad about uBlock and/or better about uBlock Origin? I never understood the fork, but both are being actively developed right now.

I am going to change this once I have a few minutes to change the post and add a few extra things, but to be honest there is no difference except one has a Safari port.

Crack
Apr 10, 2009
But what about uMatrix?!

Wiggly Wayne DDS
Sep 11, 2010



Crack posted:

But what about uMatrix?!
This discussion is more for the average user - if you use uMatrix either you know what you're doing or want to believe you do.

Im_Special
Jan 2, 2011

Look At This!!! WOW!
It's F*cking Nothing.
:siren:So LastPass was sorta breached 3 days ago:siren:, might be a good time to change that Master Password if you use this.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Just use Keepass.

I cleaned up the post a bit and will add another section later this week. I'll also include links to actual products this time around.

John Lightning
Mar 10, 2012
I agree with just using keepass, but apparently the lastpass password vaults are encrypted with such a slow hashing algorithm that the breach is almost a non-issue. At least that is how arstechnica explained it.

Erwin
Feb 17, 2006

OSI bean dip posted:

Enough about anti-virus, what is this network stuff you mentioned earlier?

This is the one thing you can do without much work and is practically OS agnostic: change your DNS from what your ISP offers to something else. This is a really simple and usually free way to have protection from websites that may be otherwise malicious.

The most popular service is OpenDNS, but there are also services from Norton and Comodo. Keep in mind that this may introduce ads if you have DNS failures and that you could have issues with CDNs, but it does the trick.

Out of curiosity, why not Google DNS? Obviously I'm giving Google statistics on what domain names I'm resolving, but let's say I don't care?

quote:

What about using popup and ad blockers?

Install uBlock Origin or uBlock, both of which do the same thing. The latter has Safari support.
If I'm already using Adblock Plus, is it worth switching?

Im_Special
Jan 2, 2011

Look At This!!! WOW!
It's F*cking Nothing.

Erwin posted:

If I'm already using Adblock Plus, is it worth switching?
Yes.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Erwin posted:

Out of curiosity, why not Google DNS? Obviously I'm giving Google statistics on what domain names I'm resolving, but let's say I don't care?

https://developers.google.com/speed/public-dns/docs/intro

quote:

Google Public DNS is a recursive DNS resolver, similar to other publicly available services. We think it provides many benefits, including improved security, fast performance, and more valid results. See below for an overview of the technical enhancements we've implemented.

[...]

A malware-blocking service. Google Public DNS rarely performs blocking or filtering, though it may if we believe this is necessary to protect our users from security threats. In such extraordinary cases, it simply fails to answer; it does not create modified results.

gay picnic defence
Oct 5, 2009


I'M CONCERNED ABOUT A NUMBER OF THINGS
Might be a silly question but what is the best way to get rid of persistent malware/adware?

I've got rid of most of the problem after running adwcleaner and Malwarebytes, resetting Chrome, and uninstalling a few unwanted programs but I can't seem to stop chrome loading 'feed.helperbar.com/etc etc' and snapdo search as the home page (but only when I open Chrome for the first time, new tabs are fine). I've gone through the extensions and settings for Chrome, can't find anything there that isn't meant to be there. Internet Explorer doesn't have this issue when I open it.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

gay picnic defence posted:

Might be a silly question but what is the best way to get rid of persistent malware/adware?

I've got rid of most of the problem after running adwcleaner and Malwarebytes, resetting Chrome, and uninstalling a few unwanted programs but I can't seem to stop chrome loading 'feed.helperbar.com/etc etc' and snapdo search as the home page (but only when I open Chrome for the first time, new tabs are fine). I've gone through the extensions and settings for Chrome, can't find anything there that isn't meant to be there. Internet Explorer doesn't have this issue when I open it.

Here's the thing that is covered in the OP: if you cannot get rid of it through normal means do you think that you'll be able to get rid of it at all?

Does this problem persist across multiple sessions? Does it happen in incognito mode? What happens if you change your Google account?

gay picnic defence
Oct 5, 2009


I'M CONCERNED ABOUT A NUMBER OF THINGS
Well thanks for mentioning the incognito mode, I went to try it and the option wasn't there when I right clicked the Chrome icon. I thought that was a bit odd so I reinstalled Chrome and the home page is what it was supposed to be again. I guess the icon was corrupted or something; if so it's a bit annoying that multiple scans with malware detectors couldn't find it.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

gay picnic defence posted:

Well thanks for mentioning the incognito mode, I went to try it and the option wasn't there when I right clicked the Chrome icon. I thought that was a bit odd so I reinstalled Chrome and the home page is what it was supposed to be again. I guess the icon was corrupted or something; if so it's a bit annoying that multiple scans with malware detectors couldn't find it.

You shouldn't trust your computer FYI.

Crack
Apr 10, 2009

gay picnic defence posted:

Well thanks for mentioning the incognito mode, I went to try it and the option wasn't there when I right clicked the Chrome icon. I thought that was a bit odd so I reinstalled Chrome and the home page is what it was supposed to be again. I guess the icon was corrupted or something; if so it's a bit annoying that multiple scans with malware detectors couldn't find it.

You should also change passwords of any accounts you used in fake chrome (on another machine). tbh any data that was stored or entered on that computer since you first launched fake chrome should be considered as compromised and you shouldn't use it for anything now as there may well be a keylogger. Unless you can identify exactly what the infection(s) was IMO you should assume the worst.

fdisk format reinstall will probably clean it. I'd say back up essential data to a usb stick but there's a non-zero chance the stick will get infected. Hopefully you already kept backups of anything important offline and anything of potential value to a thief was encrypted.

Hopefully at least this incident will make you use better security practice in the future anyway - follow the advice in the OP, keep offline backups and keep networked data secure. I would also check router settings to make sure the DNS is correct and stuff if you had access to it before or left the default password, but I may well be paranoid.

WattsvilleBlues
Jan 25, 2005

Every demon wants his pound of flesh

Crack posted:

You should also change passwords of any accounts you used in fake chrome (on another machine). tbh any data that was stored or entered on that computer since you first launched fake chrome should be considered as compromised and you shouldn't use it for anything now as there may well be a keylogger. Unless you can identify exactly what the infection(s) was IMO you should assume the worst.

fdisk format reinstall will probably clean it. I'd say back up essential data to a usb stick but there's a non-zero chance the stick will get infected. Hopefully you already kept backups of anything important offline and anything of potential value to a thief was encrypted.

Hopefully at least this incident will make you use better security practice in the future anyway - follow the advice in the OP, keep offline backups and keep networked data secure. I would also check router settings to make sure the DNS is correct and stuff if you had access to it before or left the default password, but I may well be paranoid.

Is there any virus that formatting and reinstalling Windows doesn't get rid of?