Crack
Apr 10, 2009
OK I have a few opinions. First of all, please don't use Chrome because gently caress Google. Same goes for Google search (you can use an anonymising service like Startpage or Disconnect), Gmail, Google Docs, Google Analytics (can you even still block this?). At the least delete emails, don't "archive" them; if you think you might wish to view them later, download them via a secure protocol to an email client and back them up. NoScript is great!

Also turn your phone off when you aren't using it, better yet remove the battery. Not only will you be saving yourself from cancer but I'm sure everyone has heard of the Stingray by now. I also use D-VASIVE, which disables the mic etc. if I'm not using those functions. Finally, please get RedPhone, TextSecure, Signal, w/e, and advise your friends to do the same. More adoption of this tech is better for everyone, it's Snowden approved, and from a couple of talks I watched of his, Moxie is pretty much top of the game right now and appears to be doing it for the right reasons. Related to that, don't trust SSL (padlock) as implemented right now. And PGP isn't great.

Please don't use dropbox. Or Hola. If something is free, how do the developers profit and maintain servers? Same goes for pirated content - in this case though I'm not talking about the dev behind the content but the dev that's put some sneaky code into that pdf of some esoteric magazine or whatever where it's fairly unlikely there have been enough downloads / educated users to leave a warning that you've been owned.

If you're still using WEP it might be time to consider suicide, but WPA is vulnerable too now because Moxie has generously offered WPA/WPA2 cracking as a cloud service for 30 dollars or something, you get results in 20 mins or 40 iirc (if vulnerable).

If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router, because if you are reading this thread you quite possibly already have malware and aren't the best educated on it. Oh, and if you are paying rental for some plastic poo poo your ISP provides (with a modem too!), try and return it and invest in an actual router.

(disclaimer: I'm no security expert but i love my :tinfoil: hat, and I think information security is equally or even more important for many people than pure focus of viruses etc)


Crack
Apr 10, 2009
Thanks for the criticism people, hopefully I can learn something from it. I'll respond to a post now and another later otherwise these posts will be too large.

Rufus Ping posted:

general windows advice:
- Actually read UAC messages before clicking yes
- Windows set to opt-out
- install linux (Qubes looks pretty good as a purely sec focused one) and virtualbox / vmware, or get a mac if you like hurting children
- probably still hosed if someone really wants to get you but at least you aren't using windows

fixed.

Wiggly Wayne DDS posted:

Sounds like you're using a third-party email provider and don't have your emails encrypted. Don't know what you're gaining from deleting them - they've already been processed or have been stored elsewhere. What would you consider a secure protocol and which client would you use to download these emails? What makes Noscript better than the alternatives (uBlock, etc)?

Yeah, to be honest I think email in its current form is pretty hosed. I actually have an email account set up on a trusted personal friend's server, who is skilled enough to run a secure mail server for a few people (I'm not skilled enough to maintain one, but my friend contributed some pretty major stuff to Linux back in the day and apparently is fairly fluent in this type of stuff). They are encrypted on the server and when I delete them there isn't a secret backup in a vault somewhere. What you get from deleting them is that if someone hacks your Gmail acc they prob don't have access to Google's vault, so they can't steal your ID. Nevertheless not many people have this option, so it breaks anyway if I send / receive any unencrypted email to abc@gmail.com, as it will be stored there.

Mailpile looks very nice for DLing emails, and I think that going forward much better protocols are being developed (LEAP or w/e, look at mailpiles security roadmap too).

I never claimed NoScript was better than uBlock, just that it was great (I stand by that). I honestly haven't really followed uBlock; I didn't really look that much into it and thought it was more an adblock alternative rather than providing the other features in NoScript. In fact, looking at the webpage it doesn't actually tell me if it has the same features, like actually blocking... scripts, and providing XSS protection (ABE). For example, using this website I got tabnabbed with uBlock on its default settings, and with strict blocking set. I had to enable reader view, and I'll probably forget to do that for every website I visit. OTOH NoScript blocked it instantly with default block-all settings.


Rufus Ping posted:

What are you trying to prevent by disabling js? v8 is sandboxed and there hasn't been an RCE vuln reported in it since 2009

Tabnabbing for one? Still works in latest ff and chrome as far as I can tell.

quote:

First off if you've got an adversary prepared to tap your mobile you've got bigger problems. Secondly that's not how stingray works, and removing your battery is advice given for a different attack - wrong advice that's useless these days anyway. Let's leave the cancer part to the side and stick to technical discussion. Relying on a third-party app to disable your microphone is amusing, but recommending RedPhone/TextSecure/Signal is correct (specifically those three products). This is getting into more privacy matters than strictly endpoint security, but it could be worth discussing. Can you explain what precisely you mean about your comments on SSL and PGP?

Can you explain how it's wrong / useless? How can an attacker remotely turn on the mic without power? I also factory reset my phone regularly, and occasionally buy new SIM cards with cash and don't register my details with the network operator. Given it is powerless most of the time and whatever data does exist is wiped at least bimonthly, there isn't that much data useful or available to the average attacker. Maybe after a long targeted campaign they would be able to collect some, but half the year I live in an area that has literally no base station coverage, so my phone just sits on a shelf, and I don't have wifi. I see my friends face to face in general. Yeah, using a 3rd party app is perhaps a little dodgy, but my phone's generally off anyway and the guy who made it (McAfee) is even more paranoid than me.

Regarding SSL I was really talking about the flaws with CAs (i.e. the "padlock" symbol). The thing is meant to prevent MITM attacks but fails when you can buy your own CA for yourself and make your own certs, or hack / exploit a website and get it that way, e.g. look at Comodo. Here is a great talk about how flawed the current implementation is.

PGP requires too much user education (tried to get my mum to use it but she gave up), and doesn't have forward secrecy or deniability. Compare that to something like Pidgin and OTR, which is like 3 clicks (install Pidgin, click addons, enable OTR), or TextSecure.

quote:

None of this information is very helpful advice. How should a wifi network be configured? Can you explain your rationale in detail?

OK, this isn't a networking thread so I won't go into any detail about networking specifics, but I do believe WEP is obviously insecure (do you challenge that?). To figure out how to correctly configure the network, go on the CloudCracker website, see their methodology of cracking, and select a password that will be too complex for it. I mean it is a balance; it's unlikely anyone will spend $17 or whatever (the price goes up based on the dictionary used) to try and get the password, but it's good password practice anyway. One of my neighbours has their SSID as "The NSA", which tempts me to waste $17 to see if I can get in though...

quote:

What routers would you recommend? How do you "disable all incoming / outgoing connections" on your router? Why would doing this improve security at all? Remember that your housemates still need to go online, and you don't have authority over a shared line/their machines.

Again not a networking thread (but like any actual router).

Disable with a jammer or some scissors on the cable coming from the modem (/router combo). I find these tools empower me with authority over the network. It would improve security by limiting the attack vector to like USB drives or something, and the attacker has a hard time controlling the infected machine. I should point out, as it apparently wasn't obvious, that I wasn't really being serious with that comment.

quote:

It's hard enough to clear misconceptions without people giving, at best, half-true advice. You seem to be learning based off of headlines rather than anything of substance, but it's a start. If you could provide explanations this could prove to be a learning experience for everyone.

I began my last post with this and I'll end this one with the same. If something looks like an opinion, it probably is one. If something looks like advice, do your own research rather than blindly following the advice of some guy on an internet forum (probably the best advice in general, especially as time passes and the tech changes). I am not a security expert, do not work in the security industry, and have not consulted anyone who does, so anyone looking for security advice please do not take anything I say in any of my posts (apart from the preceding sentence) as informed, educated or up-to-date genuine security advice. I am primarily posting in this thread to learn and to try to get people to at least think about privacy and information security as issues in addition to just viruses or whatever.
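The tabnabbing the post above refers to is the classic variant: a page waits until its tab is in the background, then swaps its title, favicon or location to look like a login page the user believes they left open. As an added example (not code from the thread or from NoScript/uBlock), here is a small watcher that could run as a userscript or extension content script: it snapshots those identity-bearing fields when the tab is hidden and reports any change when it comes back. The fake document objects in the test are constructed for illustration.

```javascript
// Added example: detect classic tabnabbing by comparing the page's identity
// fields across a hidden -> visible transition. Pure functions are testable
// under Node; only installTabnabWatcher touches the DOM.

// Capture the fields a tabnabbing page would rewrite while unattended.
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title || "",
    favicon: icon ? icon.getAttribute("href") || "" : "",
    href: loc.href,
  };
}

// Compare the snapshot taken when the tab went hidden with the one taken when
// it became visible again. Benign pages rarely change any of these while the
// user is away, so every changed field is reported.
function detectTabnab(hiddenSnap, visibleSnap) {
  const changed = [];
  for (const field of ["title", "favicon", "href"]) {
    if (hiddenSnap[field] !== visibleSnap[field]) changed.push(field);
  }
  return { suspicious: changed.length > 0, changed };
}

// Browser hookup. Returns null outside a browser (e.g. under Node) so the
// module still loads for tests; in a page it listens for visibilitychange.
function installTabnabWatcher(
  doc = globalThis.document,
  loc = globalThis.location,
  report = (msg) => console.warn(msg)
) {
  if (!doc || typeof doc.addEventListener !== "function") return null;
  let hiddenSnap = null;
  doc.addEventListener("visibilitychange", () => {
    if (doc.visibilityState === "hidden") {
      hiddenSnap = snapshot(doc, loc); // remember what the user last saw
    } else if (hiddenSnap) {
      const result = detectTabnab(hiddenSnap, snapshot(doc, loc));
      if (result.suspicious) {
        report("possible tabnabbing: changed while hidden: " + result.changed.join(", "));
      }
      hiddenSnap = null;
    }
  });
  return () => hiddenSnap; // lets a caller inspect the pending snapshot
}
```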

Crack
Apr 10, 2009

Wiggly Wayne DDS posted:

You have mental problems and should not be near an electronic device. Please avoid giving any advice or opinions in the future.

Haha I really shouldn't have posted in the first place. Being awake for extended periods tends to change your perspective on things, especially 70+hrs in (with some 2hr naps sprinkled in), and there were other actors at play which may have intensified :tinfoil: and "loudmouth". Try it, I guarantee your posts will be quite different.

Honestly, half the things I said I did were BS. I still mostly rely on Gmail for day to day stuff, although I'm trying to transfer all my useful stuff to FastMail; I do recommend using a paid-for, non-ad-scanning email service (sorry about still giving advice). I use my friend's server email for stuff I don't want directly tied to my identity, and tend to use GPG for that. I would use encryption for all email, but people generally don't wish to learn it, and companies don't offer it, so it's a bit of a dead end. And no, I don't factory reset my phone every 2 weeks.

I still believe some of the stuff I posted, maybe in a less aggressively paranoid way, but maybe I'm a little paranoid in general regardless. You probably aren't going to be a victim of an SSL MITM attack, but I still think you should delete old wifi APs or disable wifi if you aren't using it in public spaces, especially on certain devices.

I will rise to the challenge though if you will (not being near an electronic device), for maybe 5 days or something? That of course includes cars, credit cards, electric ovens, electric lights etc., although maybe a gas hob is alright as long as you light it with a match and don't use the clicker thing. A digital camera (not a phone cam) is also good for evidence / journaling. I think it sounds like a fun challenge, maybe enlightening on how hard it is to "not be near an electronic device". Let me know if you're up for it or are a puss.

Apologies to OP for inadvertently threadshitting a bit. I'm happy to trim / cut my posts if you wish as they are long, especially as this is the 1st page and you've already said you will update the OP in time with the relevant stuff. I know you know much more than me anyway given your gang tag, while my copy of Applied Cryptography still languishes on the bookshelf.

On password managers, take my advice and stick to one. A few years ago I decided it was a good idea to have KeePass on my desktop and 1Password on my MacBook. It's a bit of a nightmare; I consolidated them, but now I have a ton of duplicate entries with different passwords after updating one pw manager with a new password but not the other. Don't do this.

e: genuinely can't help myself with the rambly posts.

Crack fucked around with this message at 08:55 on Jun 6, 2015

Crack
Apr 10, 2009

crack mayor posted:

Not quite sure if what I'm about to ask fits the thread, but here goes. How big of a problem is it if a website uses obsolete encryption, or is certified but doesn't have publicly audited records? I get it if it's hard to answer in a concrete way. It almost strikes me as paranoid to think that if a website is not using the latest encryption and has third party verification (in the sense of publicly audited records), then the website is 100% compromised and shouldn't be used. On the other hand, some of the websites that aren't exactly up to date are numerous and varied. It would seem impossible to avoid non-vulnerable websites entirely. Should someone be afraid to create a login for a business' website to apply for a job if that website isn't using the latest and greatest? Or is network vulnerability blown out of proportion? How real and/or immediate is the threat of identity theft on the internet in general?

I know I came across as a bit paranoid earlier, but really it's about balancing risk. I'm not sure if you mean SSL encryption or stored data encryption, but I guess in the end it's not really relevant. It's not true that a non-perfectly-secured website is 100% compromised, unless it's a particularly juicy target. There have been examples of banks, for example, that have been told they have an exploit and need to patch (maybe with a risk of $60k loss from hackers per few months) and the patch takes a day, but the bank rakes in 1mil+ per day so it's inconsequential, and they don't patch because it doesn't actually make financial sense. So just think when submitting info on a website: do I need to use real info (it's easy to lie in many fields), how sensitive or valuable is this info, especially to a crim, and what is the company's track record regarding breaches (type "example.com exploits" or similar into Google if it's fairly large and you will probably find how long they took to implement a patch).

Also it almost goes without saying but the fewer companies that store your data the less chance of compromise.

https://www.ssllabs.com/ssltest/index.html - plug it in here if it's HTTPS, look at the results and make a decision. If it's an F, maybe it isn't so great and you should email the webmaster the ssltest results.

Crack
Apr 10, 2009
But what about uMatrix?!


Crack
Apr 10, 2009

gay picnic defence posted:

Well thanks for mentioning the incognito mode, I went to try it and the option wasn't there when I right clicked the Chrome icon. I thought that was a bit odd so I reinstalled Chrome and the home page is what it was supposed to be again. I guess the icon was corrupted or something; if so it's a bit annoying that multiple scans with malware detectors couldn't find it.

You should also change the passwords of any accounts you used in fake Chrome (on another machine). tbh any data that was stored or entered on that computer since you first launched fake Chrome should be considered compromised, and you shouldn't use it for anything now as there may well be a keylogger. Unless you can identify exactly what the infection(s) was, IMO you should assume the worst.

fdisk format reinstall will probably clean it. I'd say back up essential data to a usb stick but there's a non-zero chance the stick will get infected. Hopefully you already kept backups of anything important offline and anything of potential value to a thief was encrypted.

Hopefully at least this incident will make you use better security practice in the future anyway: follow the advice in the OP, keep offline backups and keep networked data secure. I would also check the router settings to make sure the DNS is correct and stuff if you had access to it before or left the default password, but I may well be paranoid.
