Author Topic: Computer security bullshit  (Read 22054 times)


Offline jc101

  • Frequent Contributor
  • **
  • Posts: 613
  • Country: gb
Re: Computer security bullshit
« Reply #25 on: January 05, 2017, 10:46:58 pm »
Forced regular password changes are no longer deemed beneficial; the UK National Cyber Security Centre published advice to that effect a year ago.

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The use of https makes it harder for a third party to perform traffic analysis; without it all sorts of handy data is in plaintext, which makes it easy to work out what is going on. By effectively hiding that information it makes it much harder to work out what is going on. It's more of a deterrent than anything else: if there are easier pickings around then why expend the time and effort on the more complex ones - unless the end result justifies it.


For info, the UK NCSC is the merging of Communications-Electronics Security Group (CESG), Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK), and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). 
 

Offline newbrain

  • Super Contributor
  • ***
  • Posts: 1714
  • Country: se
Re: Computer security bullshit
« Reply #26 on: January 05, 2017, 11:28:38 pm »
A couple of nitpicks :blah::

In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

If I sniff your connection over HTTPS, I can tell that you're accessing the forum
In case of eevblog, not even that: only the FQDN is visible, the rest of the URL is encrypted...
Nandemo wa shiranai wa yo, shitteru koto dake.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #27 on: January 06, 2017, 12:16:43 am »
In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

Thanx for the correction, that didn't come out right.

My point is still valid though. I don't know a single Windows user who uses anything other than the Admin account at home, except for a few server admins who know what they're doing.
« Last Edit: January 06, 2017, 12:22:29 am by slicendice »
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16547
  • Country: us
  • DavidH
Re: Computer security bullshit
« Reply #28 on: January 06, 2017, 06:11:22 am »
Also, a lot of state actors record absolutely every possible traffic, even for later decryption, so very strong transport encryption is necessary.

How do you know the "state actors" aren't running the certificate authorities and passing out false certificates? Have you even checked the source code of your web browsers?

If they did this, and it has occasionally happened, then the forged certificate provides undeniable proof that the certificate authority was compromised and it amounts to suicide for the certificate authority as some have found out.  There are applications which check for consistency of certificates and flag suspicious ones.

This is a threat only against individuals who are not sufficiently paranoid. If it was used for dragnet surveillance, it would be widely known within hours.

A larger threat would be the state actor gaining the private key for the original certificate allowing them to impersonate the site completely but normally only the server has access to that and not the certificate authority.
« Last Edit: January 06, 2017, 02:40:47 pm by David Hess »
 

Offline newbrain

  • Super Contributor
  • ***
  • Posts: 1714
  • Country: se
Re: Computer security bullshit
« Reply #29 on: January 06, 2017, 08:13:53 am »
In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

Thanx for the correction, that didn't come out right.

My point is still valid though. I don't know a single Windows user who uses anything other than the Admin account at home, except for a few server admins who know what they're doing.
Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!
Nandemo wa shiranai wa yo, shitteru koto dake.
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5632
  • Country: au
Re: Computer security bullshit
« Reply #30 on: January 06, 2017, 11:17:35 am »
Most of what law enforcement looks at is through pattern matching, which can get caught up so easily by the wrong keyword. EEVblog does not use https, so all it takes is for someone posting child porn (as happened recently) for everyone on the forum to come to the attention of law enforcement. I can be certain that some server at the NSA has now flagged me for posting this.

Not at all. Without going into details that aren't publicly available, so-called "pattern matching" (and whatever else you read about on Wikipedia) is only a very low-level method. There is MUCH more at play including legislation.

If you're being even somewhat targeted, be it this forum as a whole and its users or otherwise, an actual human is sitting there going through the material. Law enforcement isn't "guess work", it's about providing evidence and proving things beyond a reasonable doubt. Agencies have far better things to use their resources on than going on a fishing expedition based on the crap that goes around the internet on a daily basis.

(Also no, the NSA probably doesn't give a crap about you.)
 

Offline XynxNet

  • Regular Contributor
  • *
  • Posts: 185
  • Country: de
Re: Computer security bullshit
« Reply #31 on: January 06, 2017, 11:43:18 am »
Agencies have far better things to use their resources on than going on a fishing expedition based on the crap that goes around the internet on a daily basis.

(Also no, the NSA probably doesn't give a crap about you.)
Nevertheless they do the bulk fishing. Whether they will analyze all data (in the future) remains to be seen. Unfortunately then it's too late to do anything about it.
Our only defense is making this bulk data collection as expensive as possible by using (transport) encryption.
« Last Edit: January 06, 2017, 11:47:00 am by XynxNet »
 

Offline eugenenine

  • Frequent Contributor
  • **
  • Posts: 865
  • Country: us
Re: Computer security bullshit
« Reply #32 on: January 06, 2017, 12:46:22 pm »
A couple of nitpicks :blah::

In Windows on the other hand every default user added is an Admin, unless specifically changed in settings.
Not true in Windows 10, and AFAICR since Windows 7. Only the first user added at installation is given administrative rights (you need one, after all...), the following ones will be standard users.

It's a moot point anyway, I've taken the time to make people be non admins and they just run IE so they still get malware. That was one of the reasons I quit running Windows myself. When IE got integrated all hardening everywhere else became of less use because there was a big huge open back door through the web browser.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Computer security bullshit
« Reply #33 on: January 06, 2017, 12:55:32 pm »
This. It also hides what your username is -- if I sniff your connection over HTTP, I can tell that you're IanMac and you posted this message. If I sniff your connection over HTTPS, I can tell that you're accessing the forum something at www.eevblog.com, and by looking at the site, I can tell that someone, somewhere called "IanMac" posted this message, but how would I tie those two facts together? Obviously timing attacks remain an interesting way to figure out what's going on ("this connection created some traffic at the exact instant IanMac's message was posted"), but there's no harm in making the task considerably more difficult for the attacker.

Actually you won't see that the client is accessing http://www.eevblog.com since the complete HTTP traffic is encrypted, including the request for a URL. What you see is traffic to a specific IP address. If a server hosts several web sites the user could access any of them without revealing which one. Of course, for a server running just a single web site it's easy to guess the right one. But there is still a problem, it's called DNS. DNS is cleartext. If the user types www.eevblog.com into his browser it resolves the server part of the URL to an IP address. If you sniff that too, you've got the web site.

And there are more problems. Several internet security suites and more professional products are running MITM attacks vs. HTTPS to check that traffic too, mostly for malware scanning. I bet a lot of users don't have any idea of this and will never detect it. Another big problem is CAs. Some are lazy or rogue, and law enforcement might have special rights to get valid certs for impersonating some website. CDNs are also a topic. On the other side there are things like DANE which could mitigate some issues.

SSL/TLS, the certs and the CAs are a mess. But this mess is better than no encryption at all, because that would make things much easier for attackers.
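On the point madires and newbrain disagree about: the URL path and HTTP headers are encrypted, but the hostname itself still travels in the clear in the TLS ClientHello's Server Name Indication (SNI) extension, which is how a shared host knows which certificate to present. This added example (not from the thread) builds a constructed ClientHello and extracts the SNI the way a network monitor or IDS does on the first packet of each TLS connection; hostnames and cipher suite are constructed values.

```python
"""What a passive observer still sees in an HTTPS connection (added example)."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with a single SNI extension (constructed input)."""
    name = server_name.encode("idna")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (all zeros here)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent or not TLS."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None                                   # not a TLS handshake record
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None                                   # not a ClientHello
    p = 4 + 2 + 32                                    # handshake header, version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                    # session_id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher_suites
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                    # compression_methods
    if p + 2 > len(hs):
        return None                                   # no extensions block (very old client)
    (ext_len,) = struct.unpack("!H", hs[p:p + 2])
    p += 2
    end = min(p + ext_len, len(hs))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME and p + 2 <= end:
            q, q_end = p + 2, min(p + elen, end)        # skip server_name_list length
            while q + 3 <= q_end:
                ntype = hs[q]
                (nlen,) = struct.unpack("!H", hs[q + 1:q + 3])
                q += 3
                if ntype == 0:                        # host_name entry; SNI is ASCII (A-labels)
                    return hs[q:q + nlen].decode("ascii", errors="replace")
                q += nlen
        p += elen
    return None
```

Encrypted Client Hello (ECH) is the TLS extension designed to close this gap, and DNS over TLS/HTTPS addresses the cleartext DNS lookup madires describes.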
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16547
  • Country: us
  • DavidH
Re: Computer security bullshit
« Reply #34 on: January 06, 2017, 02:55:23 pm »
Several internet security suites and more professional products are running MITM attacks vs. HTTPS to check that traffic too, mostly for malware scanning. I bet a lot of users don't have any idea of this and will never detect it.

This is a special case where a custom root certificate is installed onto the user's computer, hopefully by the company the user works for, allowing the security proxy to create certificates as needed and impersonate HTTPS connections to other sites.  The same software which detects forged certificates would detect this.

Another big problem are CAs. Some are lazy or rogue, and law enforcement might have special rights to get valid certs for impersonating some websites.

If any agency did this on a large scale, then the forged certificates would be detected and provide undeniable proof that the certificate authority in question was compromised with dire results.  This could work against a specific target *if* the target did not monitor for forged certificates which is a trivial exercise.
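The "software which detects forged certificates" David Hess refers to boils down to a consistency check: remember the public-key fingerprint a host presented on first use and flag any later connection where it differs. This added example (not from the thread) models such a trust-on-first-use store; hostnames, CA names and the byte strings standing in for certificate public keys are all constructed, and in practice the fingerprint would be SHA-256 over the leaf certificate's SubjectPublicKeyInfo. Note the caveat: it catches a change, not a forged certificate seen on the very first connection.

```python
"""Trust-on-first-use certificate consistency monitor (added example)."""
import hashlib

FIRST_USE = "first-use: pinned"
OK = "ok"
WARN_ROTATION = "WARN: key changed under the same CA (possible rotation, confirm out of band)"
ALERT_FORGED = "ALERT: different key from a different CA (possible forged certificate)"


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo, hex encoded (the usual pin format)."""
    return hashlib.sha256(spki_der).hexdigest()


class PinStore:
    """host -> issuer seen at first use, plus the set of accepted key fingerprints."""

    def __init__(self) -> None:
        self._issuer: dict[str, str] = {}
        self._pins: dict[str, set[str]] = {}

    def observe(self, host: str, issuer: str, spki_der: bytes) -> str:
        fp = spki_fingerprint(spki_der)
        if host not in self._pins:
            self._pins[host] = {fp}
            self._issuer[host] = issuer
            return FIRST_USE
        if fp in self._pins[host]:
            return OK
        # Fingerprint changed. The same CA re-issuing is plausible key rotation;
        # a new key vouched for by a *different* CA is the pattern of a mis-issued cert.
        if issuer == self._issuer[host]:
            return WARN_ROTATION
        return ALERT_FORGED

    def accept_rotation(self, host: str, issuer: str, spki_der: bytes) -> None:
        """Operator confirmed a legitimate change (e.g. via the site's own announcement)."""
        self._pins.setdefault(host, set()).add(spki_fingerprint(spki_der))
        self._issuer[host] = issuer


def demo() -> list[str]:
    """Replay a constructed sequence of certificates observed for one host."""
    store = PinStore()
    host = "forum.example"                 # constructed hostname
    key_a = b"constructed-spki-A"          # stands in for the site's real public key
    key_b = b"constructed-spki-B"          # a key the site never announced, from another CA
    key_c = b"constructed-spki-C"          # a planned new key from the site's usual CA
    results = [
        store.observe(host, "Good CA", key_a),     # first sight: pin it
        store.observe(host, "Good CA", key_a),     # same key: fine
        store.observe(host, "Other CA", key_b),    # new key, different CA: alert
        store.observe(host, "Good CA", key_c),     # new key, same CA: warn
    ]
    store.accept_rotation(host, "Good CA", key_c)  # confirmed out of band
    results.append(store.observe(host, "Good CA", key_c))
    return results
```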
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17728
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Computer security bullshit
« Reply #35 on: January 06, 2017, 03:26:05 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R&D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access, as our IT department is on the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator and neither will the news viewer or the calculator. This is extremely annoying but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now as a hacker would you know that most people don't use punctuation characters in their passwords? Yes of course. So if as a hacker you were writing a program to brute force a password which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However indeed adding characters to passwords exponentially increases the amount of combinations available, with or without punctuation marks, so it is ultimately safer.

The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable: everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1086
  • Country: 00
    • Chargehanger
Re: Computer security bullshit
« Reply #36 on: January 06, 2017, 03:33:27 pm »
If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.

The password hashing needs to be on the server side.
Client side hashing can be used additionally for more protection, but does not bring any big security advantage in a web application, because the server side sends the code for hashing, so a server resident malware can modify this code and access the raw password anyway.
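The server-side hashing f4eru insists on is what protects the stored credentials in the database-dump scenario JiggyNinja asks about; a client-side pre-hash does not replace it, because whatever arrives at the server (raw password or pre-hash) is the credential, and a server that stores a client-side hash verbatim has simply turned that hash into the password. This added example (not from the thread) shows the three cases with PBKDF2 from hashlib; site name, user and passwords are constructed. Nothing here helps against malware sitting inside the request handler, which sees the credential in either design, as the post says.

```python
"""Where password hashing has to happen (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 figure); tune per server


def hash_credential(secret: bytes, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash of whatever credential the server received."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return salt, digest


def verify_credential(secret: bytes, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def client_prehash(password: str, site: str) -> bytes:
    """What a browser-side script could compute before sending (deterministic per site+password)."""
    return hashlib.sha256(f"{site}:{password}".encode()).digest()


class AccountStore:
    """Server that salts and hashes every received credential before storing it."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, credential: bytes) -> None:
        self._rows[user] = hash_credential(credential)

    def login(self, user: str, credential: bytes) -> bool:
        row = self._rows.get(user)
        return row is not None and verify_credential(credential, *row)

    def leaked_row(self, user: str) -> tuple[bytes, bytes]:
        """What an attacker who dumped the database would hold: (salt, digest)."""
        return self._rows[user]


def demo() -> dict[str, bool]:
    site, user = "forum.example", "alice"              # constructed
    password = "correct horse battery staple"          # constructed

    # A: client sends the raw password over HTTPS; the server salts and hashes it.
    a = AccountStore()
    a.register(user, password.encode())

    # B: client pre-hashes; the server *still* salts and hashes what arrives.
    pre = client_prehash(password, site)
    b = AccountStore()
    b.register(user, pre)
    _, b_digest = b.leaked_row(user)

    # C: naive server trusts the client-side hash and stores it verbatim.
    naive_db = {user: pre}

    return {
        "A_correct_password_logs_in": a.login(user, password.encode()),
        "A_wrong_password_rejected": a.login(user, b"hunter2"),
        "B_prehash_logs_in": b.login(user, pre),
        "B_leaked_digest_cannot_log_in": b.login(user, b_digest),
        # In C the stored value is exactly what a client must send, so a leaked
        # row is a working credential: the pre-hash has become the password.
        "C_leaked_value_is_a_working_credential": hmac.compare_digest(naive_db[user], pre),
    }
```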

Offline JiggyNinja

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Re: Computer security bullshit
« Reply #37 on: January 06, 2017, 06:36:06 pm »
:palm:

Seems like I need to spell this out... The issue is that if a password is sent unhashed with HTTPS, then as soon as it arrives on the server it is automatically converted back to plaintext. If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.
How often does that actually happen? Every time I've heard of account breaches it's been when the hackers have made off with a database of already hashed passwords to reverse offline. I understand that there is bias in what gets reported, but I would like to know what really is the dominant method of stealing passwords. The big breaches might get all the attention because they're big and infrequent ("man bites dog" and all that).
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #38 on: January 06, 2017, 07:48:44 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R&D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access, as our IT department is on the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator and neither will the news viewer or the calculator. This is extremely annoying but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now as a hacker would you know that most people don't use punctuation characters in their passwords? Yes of course. So if as a hacker you were writing a program to brute force a password which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However indeed adding characters to passwords exponentially increases the amount of combinations available, with or without punctuation marks, so it is ultimately safer.

The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable: everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
Modern apps won't work on the built-in admin account. That's a security feature as they are meant to be sandboxed. Likewise, it's the same if you force UAC off in the registry.

There are ways to install the old Windows 7 image viewer in Windows 10. Same for the calc and even Windows Media Center.

Instead of whinging though, the length of your post implies you spent more energy on that than using Google to learn how  |O
Your toaster just set fire to an African child over TCP.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #39 on: January 06, 2017, 08:08:08 pm »
I'd say the biggest amount of security breaches happens on the client side, not on the server side. Biggest issue is that many people have no clue what is safe surfing and what is not.

If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relatively safe.

Don't download illegal stuff, or stuff from a site that is not the owner of the content.

The probability of a user being hacked is millions of times greater than a quality server/service being hacked.

If you ever think there is a slight chance that HTTPS is not good enough, you can add a lot of additional security layers to your login procedure to ensure no one can impersonate you nor the server. One added layer as an example would be 2-stage (two-factor) verification.

It is easy to blame servers and security tech for being flawed and the root of the problem when the biggest issue actually is the behavior and under-education of the users.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17728
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Computer security bullshit
« Reply #40 on: January 06, 2017, 08:20:42 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R&D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access, as our IT department is on the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator and neither will the news viewer or the calculator. This is extremely annoying but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now as a hacker would you know that most people don't use punctuation characters in their passwords? Yes of course. So if as a hacker you were writing a program to brute force a password which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However indeed adding characters to passwords exponentially increases the amount of combinations available, with or without punctuation marks, so it is ultimately safer.

The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable: everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
Modern apps won't work on the built-in admin account. That's a security feature as they are meant to be sandboxed. Likewise, it's the same if you force UAC off in the registry.

There are ways to install the old Windows 7 image viewer in Windows 10. Same for the calc and even Windows Media Center.

Instead of whinging though, the length of your post implies you spent more energy on that than using Google to learn how  |O

All of two lines' worth, and the topic is security and the usefulness or not of measures taken.
 

Offline Lockon Stratos

  • Regular Contributor
  • *
  • Posts: 52
  • Country: hu
Re: Computer security bullshit
« Reply #41 on: January 06, 2017, 08:41:59 pm »
If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relative safe.
Unfortunately no, the ads on the site could still infect your PC... And if someone runs Win10 it's even worse: the OS itself is spyware.
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #42 on: January 06, 2017, 08:45:06 pm »

Sad but true...
Even at work, a large multinational company, people in R&D are given local admin rights more or less by default.
When I asked to have a separate account for that (I actually need them), I was told it was too costly...after all even Linux users are sudoers by default!

Where I work we have a number of R&D and testing computers that have full admin access. Unfortunately some of the software we use does not allow you to use it properly without admin access. Given the amount of trouble this has caused I had to insist on admin access, as our IT department is on the other side of the country and I have to keep ringing up to deal with computers that are often in containers without Internet access or otherwise need moving so I can get to the phone whilst using them. This is in fact very unwise as the very people using these computers are often our newest recruits and people with no idea really of what they are doing. They are given the machine and told to monitor the equipment and record results.

I think Microsoft try to prevent people from using admin accounts by preventing certain things from working as an administrator. For example the image viewer won't work if you're an administrator and neither will the news viewer or the calculator. This is extremely annoying but when I did try and work out how to create another account I didn't get very far. Windows 10 seemed to work great when it first came out but they have now rendered it completely bloody useless.

Regarding passwords and the use of punctuation characters et cetera: although in theory, mathematically, this adds no extra security, it actually does, not that I particularly use them. If you are a hacker trying to brute force somebody's password how would you go about it? Presumably you generate every possible combination of characters in the hope of finding the correct one. Now as a hacker would you know that most people don't use punctuation characters in their passwords? Yes of course. So if as a hacker you were writing a program to brute force a password which characters would you go for first? Obviously you would run through all the number and letter combinations and then start adding punctuation marks. So if you don't want a longer password then yes, adding punctuation would give some benefit, but it's not mathematical. However indeed adding characters to passwords exponentially increases the amount of combinations available, with or without punctuation marks, so it is ultimately safer.

The need to continually change passwords is in fact pretty stupid. We have this at work and naturally our passwords are very predictable: everybody ends up using the same word with a number that just goes up by one every time. So if somebody knew your password at any point in time it would not take them long to brute force your new one. Again, we have a laptop that goes around the company with the password written on the bottom of it. Another laptop is taken out on committing trips with the username and password taped to it in case our technical director, who has never used a laptop before, doesn't know what it is or forgets. Usually the laptop and all related cables are collected up and given to him at the last minute.
Modern apps won't work on the built-in admin account. That's a security feature as they are meant to be sandboxed. Likewise, it's the same if you force UAC off in the registry.

There are ways to install the old Windows 7 image viewer in Windows 10. Same for the calc and even Windows Media Center.

Instead of whinging though, the length of your post implies you spent more energy on that than using Google to learn how  |O

All of two lines' worth, and the topic is security and the usefulness or not of measures taken.
What you encountered (Universal Windows Platform apps) was a security issue. Most obvious one is rogue code being executed to get privileged access to the Windows kernel and memory - the Secure Boot exploit of Surface RT was down to rogue code IIRC and Microsoft went hard on securing it.
Your toaster just set fire to an African child over TCP.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #43 on: January 06, 2017, 10:17:03 pm »
If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relative safe.
Unfortunately no, the ads on the site could still infect your PC... And if someone runs Win10 it's even worse: the OS itself is spyware.

Hahhah, Windows 10 is no spyware, what a load of BS. A bit unstable it is still, and yes MS collects some info from time to time to improve the overall experience, but you, the user must give it permission for it to do so.

How many HTTPS secured and infectious ADS have you experienced lately?

 

Offline Nerull

  • Frequent Contributor
  • **
  • Posts: 694
Re: Computer security bullshit
« Reply #44 on: January 06, 2017, 10:40:15 pm »
This thread is a great example of why a lot of people don't like engineers - the tendency to believe that being an expert in one field makes you an expert in every field, fit to make sweeping proclamations which are usually complete bullshit.

If you don't understand computer security, don't give advice on it.
 

Offline Nerull

  • Frequent Contributor
  • **
  • Posts: 694
Re: Computer security bullshit
« Reply #45 on: January 06, 2017, 10:42:58 pm »
:palm:

Seems like I need to spell this out... The issue is that if a password is sent unhashed with HTTPS, then as soon as it arrives on the server it is automatically converted back to plaintext. If malware is resident on the server, say a CMS vuln having been exploited to inject a Trojan, then it is too late to apply protection because... GOTCHA! the malware has the password.  >:D

If the password has been properly hashed before sending, that would not arise.
How often does that actually happen? Every time I've heard of account breaches it's been when the hackers have made off with a database of already hashed passwords to reverse offline. I understand that there is bias in what gets reported, but I would like to know what really is the dominant method of stealing passwords. The big breaches might get all the attention because they're big and infrequent ("man bites dog" and all that).

There's a popular Firefox add-on that lets you steal sessions and log into other people's accounts on public Wi-Fi, and an Android version of the same. Session hijacking does not require stealing passwords, so websites that show a login prompt over HTTPS and then drop to normal HTTP for browsing are still vulnerable.

Malicious routers can be an issue as well. Honeypot hotspots pose as public Wi-Fi, and many devices will autoconnect to a Wi-Fi network if it has the right name; 'attwifi' is common. Devices such as the WiFi Pineapple are purpose built for this.
« Last Edit: January 06, 2017, 10:51:20 pm by Nerull »
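The HTTPS-login-then-HTTP-browsing case above, as an added example that is not from this thread: it parses constructed Set-Cookie headers and shows which cookies a browser would still attach to a plain-http page (the ones anyone on the same network can read), and audits for the missing Secure and HttpOnly attributes. The host and cookie names are made up, and domain/path matching is left out for brevity.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # "Secure" -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def cookies_sent_in_clear(set_cookie_headers, url: str):
    """Names of cookies a browser would attach to a plain-http request to url.

    Assumes the cookies were set by the same host (domain/path matching omitted).
    Only cookies without the Secure attribute go out over http://, so these are
    the ones a session-hijacking tool on a shared network can capture."""
    if urlsplit(url).scheme != "http":
        return []
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in c["attrs"]]

def audit(set_cookie_headers):
    """Map each cookie name to the protective attributes it lacks."""
    findings = {}
    for c in map(parse_set_cookie, set_cookie_headers):
        missing = [a for a in ("secure", "httponly") if a not in c["attrs"]]
        if missing:
            findings[c["name"]] = missing
    return findings

# Constructed login response from a site that authenticates over HTTPS but
# then serves the rest of the forum over plain HTTP (hypothetical host).
LOGIN_RESPONSE_COOKIES = [
    "PHPSESSID=abc123; Path=/",                       # session id, no flags
    "remember=tok456; Path=/; Secure; HttpOnly",      # correctly flagged
]

if __name__ == "__main__":
    print(cookies_sent_in_clear(LOGIN_RESPONSE_COOKIES, "http://forum.example/index.php"))
    print(audit(LOGIN_RESPONSE_COOKIES))
```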
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #46 on: January 06, 2017, 11:01:14 pm »
I don't even remember the last time my computer got compromised even a bit. It was many years ago.

What I do remember is that I got an infection that came from a dodgy site I visited on purpose. Sometimes I like to play with those nasty infections in a sandbox environment and show who's the boss  ;). The malware did not get that far and after around 30 minutes of manual cleaning everything was returned to normal again.

On my main PC with all my important stuff I would not experiment with malware. But as I said this was a sandbox (completely isolated).


 

Offline Gary350z

  • Regular Contributor
  • *
  • Posts: 240
  • Country: us
Re: Computer security bullshit
« Reply #47 on: January 07, 2017, 02:37:15 am »
I would like to add to that, NEVER use an Admin account for anything else than Administration.

Absolutely true, but most people don't know this.

For every computer I ever bought, the instructions did not tell you this. You follow the instructions and it sets you up as the admin. The computer manufacturers (or whoever writes the instructions) are idiots. I've been using home computers for 38 years, and only 4 years ago found out not to use the admin account for everything.

As a side note, I set a friend's computer up to use it as a "user account", but he did not like that and switched it back to an admin account. ::)
 

Offline Lockon Stratos

  • Regular Contributor
  • *
  • Posts: 52
  • Country: hu
Re: Computer security bullshit
« Reply #48 on: January 07, 2017, 06:43:29 am »
If you get attacked by a JS injection or whatever malware, you are most likely already surfing in dangerous waters. Stay on trusted domains, trusted sites, keep away from unknown hosts, don't click on web links that look suspicious and never ever click on any dodgy looking pop-ups or any pop-ups for that matter, unless you specifically requested the site to give you that window, and you should stay relatively safe.
Unfortunately no, the ads on the site still could infect your PC... And if someone runs Win10 it's even worse; the OS itself is spyware.

Hahhah, Windows 10 is no spyware, what a load of BS. A bit unstable it is still, and yes MS collects some info from time to time to improve the overall experience, but you, the user must give it permission for it to do so.

How many HTTPS-secured and infectious ads have you experienced lately?
I disabled all telemetry with several tools, then I ran Wireshark. Guess what I discovered:
https://dl.dropboxusercontent.com/u/1201829/OCN/wireshark_win10/K%C3%A9pkiv%C3%A1g%C3%A1s2.PNG
Sending data behind my back and quietly resetting some settings to default (on, of course) pretty much justifies the spyware classification...
(Before someone jumps on it, I didn't install any of the crappy updates since the fiasco with a certain IE update...)

Regarding ads, I don't know, since I'm running adblock and NoScript, but the threat is real:
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
« Last Edit: January 07, 2017, 06:48:26 am by Lockon Stratos »
 

Offline kalleboo

  • Regular Contributor
  • *
  • Posts: 99
  • Country: jp
Re: Computer security bullshit
« Reply #49 on: January 07, 2017, 07:32:20 am »
Actually you won't see that the client is accessing http://www.eevblog.com since the complete http traffic is encrypted, including the request for an URL. What you see is traffic to a specific IP address. If a server hosts several web sites the user could access any of them without revealing which one.
With SNI (which is pretty much required in these days of IPv4 crunch and CDNs, if you don't want to pay thousands of dollars), this is no longer true, and the host name is sent in plaintext (the specific file URL is still encrypted).
 

