Safe Computing Practices (aka How Not To Get Viruses, Hacks,

Lealla
Class Leader
Posts: 3797

Post#1 » Thu Jan 03, 2008 12:19 pm

Safe Computing Practices (aka How Not To Get Viruses, Hacks, and Keyloggers)

Introduction

Computer security is a serious issue. Malicious activity on the Internet costs billions of dollars annually in lost productivity, technical support, annoyance, and crime. It is a responsibility of every computer user to be aware of these issues and take proactive measures to protect him/herself, because nobody else can or will. Ignorance is no excuse, as these crimes know no geographic, cultural, or economic barriers, and cyber-criminals actively seek out gullible victims to prey on. All you need is a computer and an Internet connection, and you're vulnerable. Furthermore, your own ignorance costs others, as your computer may be enslaved by a hacker and used to pump out even more malicious crap.

Imagine yourself with tens of thousands of dollars in debt, your bank accounts bled dry, your credit score ruined, owing taxes on money you never earned, and helpless to do anything about it. (Yes, I know some of us live this way habitually, but that's a different issue.) Let's not mention the fact that, by some estimates, two thirds of the email on the Internet is spam, most of which is generated by zombie computers. These are the stakes, and they get higher every year. If you think I'm trying to scare you, you're right. If you aren't scared, you should be.

Put simply, if you think it's just your World of Warcraft account at stake, you're an idiot.

Here's a good reference, if you're into news media: http://redtape.msnbc.com/2007/12/tech-w ... html#posts

General Best Security Practices

Please note that none of these things guarantees your safety. Some are more extreme than others. Your best weapon against cyber crime is your brain, and the only way to guarantee that you won't be hacked is never to use an electronic device ever again (and even then, your records are out there in someone else's hands, waiting to be stolen). Since it's not practical to live without electronic records in the digital age, here are some things that you can do to protect yourself.

  • Update your operating system and security software.
    You know those warnings that pop up in your Windows System Tray from time to time that say, "There are updates available for your computer," or remind you to set up Automatic Updates? You should pay attention to those. Just because they are inconvenient doesn't mean you should ignore them. Always install all critical security updates as soon as they become available. Period. If you don't know if you have the latest security updates, go to http://www.update.microsoft.com/. (Note: you need a validly licensed copy of Microsoft Windows to download some updates.)

    There are still many hacks out there that take advantage of flaws in operating system security, and new ones come out all the time. If you don't take this simple step, you risk having your computer taken over without you ever knowing what's happened. Firewalls may defend against these types of attacks, but not if you don't update them too!

    Furthermore, make sure to update your antivirus, antispyware, and/or firewall software on a regular basis. Every major software product has an automatic update feature. Use it.
  • Install and maintain antivirus, antispyware, and firewall software.
    It's simple, cheap (many good products are completely free), and effective. It doesn't make you immune, but it does close off the simplest and easiest vectors of attack. Whatever you get, make sure it comes from a reputable vendor and has regular updates. Whether you get a commercial "all in one" product like Norton or McAfee or a patchwork of freeware products is entirely up to you; they all do the same basic thing with different bells and whistles.

    Despite claims to the contrary, Windows Firewall offers the same basic security features as any other firewall. It's just not as heavy on the advanced features.

    Also, you should not run more than one antivirus or firewall app on your computer at the same time, as they will conflict with each other, dramatically slow down your system, and may actually prevent each other from detecting threats.
  • Use strong passwords and good password security.
    Passwords are an annoyance. They are also vital to protecting your computer and your personal data. "12345" and "password" are right out. In fact, one of the most basic tools available to any hacker is a so-called "dictionary attack", where they simply try out all passwords that are words in the dictionary, common names, basic sets of numbers, and combinations of the above. Slightly more sophisticated hackers will try your phone number, social security number, birthday, and any other personal information they can glean about you.

    • Use complex passwords containing no recognizable words or names, and made up of letters, numbers, and ideally punctuation.
    • Use different passwords for different resources. I'm not telling you to use a unique password for every site you visit (I sure don't). But don't use the same one every time! At least use unique passwords for high risk things like bank, mortgage, and credit card accounts. I, personally, use a code system to generate passwords that guarantees I'll be able to remember them later.
    • Never share your passwords with anyone. That means your best friend, your siblings, your spouse, your parents (unless you're a minor), your guildmates, and especially not that guy who promised he can get your character to 70 in a week!
    • In any public setting (such as an Internet cafe or public library), do not leave your accounts logged in or permit the computer to save your passwords. In fact, you may wish to manually clear all Internet history both before and after using a public or shared computer. (This is not necessary if you have a password-protected user account on the computer in question.)
  • Addon security in World of Warcraft.
    Many people worry that addons can have malware. That's not exactly correct. Addons by themselves are simply text files (with associated images and sounds) run by the WoW client, and cannot harm your computer in and of themselves. What can be harmful are "installer" or "updater" applications, which are in fact executables. You should pay the same scrutiny to these types of apps that you would to any other file you download. More importantly, if someone wants you to download or install an addon, make sure that they send you a simple .zip file with nothing but .lua, .toc, .xml, and possibly .txt, .tga, or .mp3 files. If they tell you it needs an .exe or .bat to work, tell them to shove it.

    Even the legitimate addon sites have been known to be vulnerable. In recent months, both incgamers and wowinterface have been compromised by hackers and used to distribute infected executables. They've since been cleaned, but be wary.
  • Do not click on banner ads, popups, or accept any unsolicited downloads.
    This may seem obvious, but it's apparently not. If you're browsing the web and you see a popup saying, "Your system is not secure, click here to install security software," or "Your system may not be optimized, click here for more information," please resist the temptation. If you just can't stop yourself from looking at the latest goat porn, and suddenly you see a warning from Internet Explorer that the site wants to install software or download files to your computer, beware. Such things are 99.9999999% scams. At best, they do nothing and waste your money. At worst, you're literally inviting the hackers into your home and handing them the keys.
  • Don't fall victim to phishing scams and other email hoaxes.

    NO LEGITIMATE BUSINESS WILL EVER SOLICIT YOUR PERSONAL INFORMATION VIA EMAIL.
    NO LEGITIMATE BUSINESS WILL EVER SOLICIT YOUR PERSONAL INFORMATION VIA EMAIL.
    NO LEGITIMATE BUSINESS WILL EVER SOLICIT YOUR PERSONAL INFORMATION VIA EMAIL.


    Okay, was I clear enough? Maybe I should say it a few more times. Phishing attacks (whereby a hacker attempts to trick you via social engineering into voluntarily giving them personal information) are on the rise and getting amazingly sophisticated. When in doubt, never click on any link in an email, period. Even if you have an account with the business in question, instead of clicking, manually copy and paste the URL into your browser. Or, better yet, go to the company's website manually and try to get to where the email tells you to go.

    Never give out your account name, password, credit card number, social security number, or any other personal information via or in response to an email. Not to your bank, your credit card company, Paypal, eBay, Amazon, George Lucas, World of Warcraft, or the Pope.

    Be especially wary of the following:
    • Sites with slightly misspelled URLs that look like the legitimate one (paypall.com, etc).
    • Any HTML email that hides the actual URL you are mousing over (note, it can be hard to tell for really good ones).
    • Any email that contains "urgent" language: a short-lived offer, a threat to take action against you if you do not reply immediately, etc. These are designed to trick you into acting without thinking.
    When in doubt, know that Internet Explorer with up-to-date security patches will always display the full site URL in the Address bar. Compare this URL with the one you're familiar with and look for variations.

    If you think you have fallen for a phishing scam, don't panic. (Well, maybe you should just a little.) The first thing to do is immediately log onto any account(s) whose information you may have compromised and change the password(s). Phishers don't use your information right away, so there's a window of time where you can remedy any damage. The second thing to do is inform the company(ies) with which you do business that you received a phishing email (include a copy) and ask them to put an alert for fraudulent activity on your account.

    Then there are the "standard" email scams, like the Nigerian (or Iraqi or Pakistani) money laundering scheme, chain letters, Ponzi schemes, ways to cheat on your taxes, little girls dying of cancer, etc. Delete 'em; they aren't worth the time it takes to read and they may cost you thousands of dollars (or even jail time) if you fall for them.
  • Never download anything from an email that you don't trust.
    Okay, so email viruses are soooo last year. That doesn't mean they can't or won't happen. If anyone sends you any attachment via email that you were not explicitly expecting, be very wary. Any "From" address can be faked. Any email can be copied and have a malicious attachment substituted for its real content. Your virus scanner won't always pick these up, either, as they get more sophisticated all the time. When in doubt, contact the sender to verify that they deliberately sent you the email. Even then, scan the attachment before opening it.
  • Be especially cautious with peer-to-peer file sharing software.
    Peer-to-peer networks like Bittorrent and Kazaa have become increasingly targeted by criminals because many users fail to utilize the security features of the clients and accidentally expose enormous amounts of personal data for anyone to download. If you absolutely must use this type of software (and really, do you need it that badly?), make absolutely certain that it is restricted to sharing specific folders on your computer, and that those folders do not themselves contain any sensitive data.

    Furthermore, many files seeded to P2P networks are themselves malware. Browse through the virus library on Symantec or McAfee's websites and you'll see a disproportionately large number that like to drop copies of themselves into folders commonly used by file sharing apps, with filenames that trick you into downloading them (examples include porn of popular celebrities, cracks to major software packages, and bootlegs of major movies). Exercise extreme caution when downloading any executable file from a P2P network.

    Also, make sure to update your P2P clients regularly, as many have been found to have security flaws themselves that can be exploited by hackers.
  • Be wary of other avenues for malware.
    So you are security conscious enough not to download random attachments from emails. You don't click on wacky web links and you run your antivirus scan every week. You don't have your entire C: drive shared on Bittorrent. So why in the hell would you download some random file sent to you by an AIM account you don't recognize?

    Any file someone sends you or wants you to download can be malicious. Any "From" address can be faked. No security software is foolproof.
  • Your computer's performance can indicate a compromise.
    Computers accumulate a lot of cruft as they go through their lives. Just because your computer suddenly starts running poorly doesn't mean you got hacked. It can be a good indication, though, especially when it happens immediately after visiting a website or clicking on a suspicious link. Should something "not feel right" to you, your best bet is to immediately disconnect from the Internet (note that, for "always on" broadband services, this may mean disconnecting your network cable or unplugging your router) and run a virus/security scan.

    If your antivirus or security software crashes or fails to run (or appears to have been turned off when you swore you had it running), that's a very bad sign. Get thee to a professional.

    The most important thing, though, if you've been compromised, is not to log into anything - if you have a keylogger, it's just waiting to grab your passwords and send them off to Siberia. If you must access your accounts, do it from a different computer that you know to be safe.
  • Back up your important data.
    It's happened to me too. Something goes haywire and the only solution is to wipe your drives and start over. Guess what? You may have just lost years' worth of valuable data. Only slightly better is the case where your data is recoverable but costs thousands of dollars to retrieve from a crashed drive.

    Backup drives may seem expensive but they are cheap for the security they offer. Make sure your software is set to run backups on a regular basis (at least once a week, but preferably with daily incremental updates). Also remember that whatever got to your computer may also be on your backup, so don't just restore the whole shebang and think that you're in the clear. Get it scanned first.
  • Check your accounts.
    This may seem obvious, but it apparently isn't. Look at your bank and credit card statements every month. If you see unexplained or unexpected charges, contact the bank immediately and have them investigate. Place a fraud alert on your accounts to contain any further losses, have new credit/debit card numbers issued, and contact the police as well. The sooner you act, the less damage will be done.

    You also have the right to contact the major credit bureaus and request a fraud alert or a complete freeze on access to your credit records. This may cost you a few bucks, but an ounce of prevention is sometimes worth a pound of cure. Note: a fraud alert will request that any credit issuer contact you personally to verify any request for new credit. A credit freeze will completely block any inquiries, and must be lifted before you can open any new accounts.

Common Attacks, Scams, Hacks, and Exploits

This is simply a run-down of the terms used. I covered a lot of this in the previous section, but it's worth revisiting.

  • Virus
    A virus is any software that propagates itself (with or without human intervention). A virus may be harmless in and of itself, or may carry a malicious payload, but the defining feature is that it attempts to transmit itself to other computers. Chain letters and their ilk are a form of social engineering virus.
  • Worm
    A worm is a program that attempts to break into a computer by exploiting security flaws. Worms gained notoriety a few years back when a rash of them brought down several major networks and wreaked havoc on home PCs. Again, the worm is simply a method of attack; what matters is the payload.
  • Trojan
    A Trojan Horse is a program that pretends to be something other than what it is in order to avoid detection. Trojan is a general term that encompasses viruses, worms, and anything you may be tricked into installing off of a website or email.
  • Rootkit
    A rootkit is a piece of software that buries itself within your operating system and rewrites low level drivers to hide itself and/or other files from detection. They are not only hard to find and eliminate, but are actually used in copy protection tools by some major software vendors, making this a great real life example of "What were they thinking?"
  • Payload
    The content of a malicious application, as distinguished from its method of intrusion. In many cases, the payload of a virus, worm, or trojan is a downloader that installs the real deal (backdoor, keylogger, spam emailer, web server) on your system.
  • Backdoor
    A favorite hacker tool, many malware apps open up a channel on your computer that a hacker may use to send remote commands to it. This may include downloading specified software, transmitting the contents of your personal files, or conducting denial of service attacks. A computer compromised in this way is known as a "zombie".
  • Zombie
    A computer under the control of a hacker. This computer may be used to host illegal websites, send spam, conduct denial of service or other flooding attacks, and attempt to crack other computers, all without their owner's knowledge. By some reports, up to 25% of the computers connected to the Internet may be zombies. Yes, one quarter of all Net-connected machines.
  • Botnet
    A network of zombie computers under the control of a single person or organization.
  • Crack
    To break through the security of a computer system for malicious or criminal purposes.
  • Phishing
    The scam of tricking someone into giving up personal information via social engineering. It is most commonly done via email, with the user receiving a message that appears to be from a company with which they do business. This email instructs the user to visit a website that appears to be the legitimate site, but is in fact a carefully crafted fake. The user is then prompted to enter personal information, including credit card numbers, bank account numbers, social security numbers, birth dates, account names, passwords, and anything else that the criminal can get away with. The site will then either appear to accept the information or claim that you improperly entered your password and redirect you to the "real" site.

    Phishing schemes may also include elaborate cons where the user is tricked into sending money or giving his/her bank account information to a criminal, who will then vanish without delivering the promised goods or money in return.

    Phishing is one of the most common and most successful scams today - as antivirus software becomes more sophisticated, criminals are attacking systems at their most vulnerable point: the user him/herself.
  • Spyware/adware
    Spyware is software that tracks your browsing or computing activity, usually sending that information to another computer. Spyware may be used by "legitimate" companies for marketing data collection, or may be used to gather data for use in criminal activity. Keyloggers are a form of spyware.

    Adware is software that serves advertisements to you while you engage in normal computing activities. The distinction is that these ads are generated by software on your computer, not by the websites you are visiting.

    Both spyware and adware are considered malware when they are installed without your knowledge or consent, and especially if they are intrusive (blocking or disrupting normal activity) or gather information for criminal purposes.
  • Keylogger
    A specific form of spyware that logs keystrokes you type as you use your computer. Keyloggers may be installed as the payload of a virus, worm, or trojan, and are frequently used to collect account names and passwords. Keylogging is rapidly growing in popularity as a method of cracking accounts, and not just in WoW.

What to do if you've been compromised
  • First, stop using the suspect computer. Most especially, do not log into any accounts, because you could be sharing your passwords with criminals. Disconnect it completely from the Internet.
  • Second, if you have access to another computer that you believe to be safe, use it to change the passwords on any accounts you may have compromised while on your infected machine. The faster you do this, the less damage is done.
  • Shut down your computer and boot into Safe Mode. Most antivirus packages will run scans in Safe Mode, and more importantly, the malware won't be able to mess with the AV tool and stop it from running. Windows XP offers a System Restore feature that can roll back your operating system to a previous good configuration; this can also help root out any baddies.
  • If you still suspect a compromise, have your computer serviced by a professional. You should back up any important files, because some infections can't be fixed without completely wiping your hard drive and starting over.


What to do if your identity may have been stolen

If you have any reason to suspect that your identity may have been compromised, immediately contact the holders of the affected accounts and place a fraud alert. Also contact the major credit bureaus. Have your credit card(s) cancelled and reissued. Don't forget your bank card(s)! See above for more information.
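The addon rule from the post above (a plain .zip holding only .lua, .toc, .xml, .txt, .tga or .mp3 files), written as a check you can run on a downloaded archive before unpacking it. This is an added example, not part of the original post; the function names and sample archive contents are constructed for illustration, and the path check goes one step beyond what the post describes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types the post says a World of Warcraft addon archive may contain.
ALLOWED_EXTENSIONS = {".lua", ".toc", ".xml", ".txt", ".tga", ".mp3"}


def audit_addon_zip(source):
    """List (member, reason) pairs for entries that break the post's rule.

    `source` is a path or a binary file object. Only the archive's directory
    is read; nothing is extracted or executed. An empty list means every
    member has an allowed extension and stays inside the archive root.
    """
    findings = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Treat backslashes as separators so Windows-style names are
            # judged the way Windows would unpack them.
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            # Added check (not in the post): absolute paths, drive letters
            # and ".." components would write outside the AddOns folder.
            if name.startswith("/") or ":" in name or ".." in path.parts:
                findings.append((info.filename, "path leaves the addon folder"))
            # Only the final extension counts, so "readme.txt.bat" is a .bat.
            suffix = path.suffix.lower()
            if suffix not in ALLOWED_EXTENSIONS:
                shown = suffix or "(none)"
                findings.append((info.filename, f"extension {shown} not allowed"))
    return findings


def build_sample_zip(member_names):
    """Build an in-memory zip with the given member names (constructed data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in member_names:
            archive.writestr(name, b"-- constructed sample content\n")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    # Constructed sample: one well-formed addon, one with an "updater".
    samples = {
        "clean": ["MyAddon/MyAddon.toc", "MyAddon/Core.lua", "MyAddon/art/logo.tga"],
        "suspicious": ["MyAddon/Core.lua", "MyAddon/Updater.exe",
                       "MyAddon/readme.txt.bat", "../Startup/helper.lua"],
    }
    for label, names in samples.items():
        problems = audit_addon_zip(build_sample_zip(names))
        print(label, "->", "OK" if not problems else problems)
```
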

Palehorse
Posts: 2031

Post#2 » Tue Jan 20, 2009 8:49 pm

bump especially for zeph's benefit ;)

IMajorSmall
Posts: 108

Post#3 » Wed Jan 21, 2009 5:02 am

Excellent post. Should be sticky IMO.

One thing I would emphasize is that you should never even type a password on a public/insecure terminal. This includes terminals at the library, computers you don't need to log in to at work, etc. Even if you do have a password protected login at work, you're putting your trust in the administrators of the network, and nobody's infallible. But if you're on somebody else's network, consider anything you do to be public knowledge. Even clearing internet settings won't save you from keyloggers, packet sniffers, man-in-the-middle attacks, etc.

Also l337 sp34k in a password IS NOT as secure as you may think it is. An in-depth dictionary attack can find the words "CaT", "c@t", "C/\t", "(A7", etc. all just as easily as "cat". Sure, it includes numbers, which, in theory, increases the complexity of your password, but it doesn't really make it much more secure. Consider this--this sham of a language was engendered by script kiddies. Of course black-hat hackers would think to compensate for it.
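The point about leetspeak in this post, as an added example that is not part of the original thread: a password-acceptance check that undoes common substitutions and strips trailing digits or punctuation before comparing against a word list, so "c@t" and "(A7" are rejected the same way as "cat". The substitution table, the tiny word list and the function names are assumptions made for the illustration.

```python
import itertools

# Plain-letter readings of common leetspeak characters. A value with two
# letters means the character is ambiguous and both readings are tried.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g", "9": "g",
    "1": "il", "|": "il", "!": "i", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "2": "z",
}

# Constructed stand-in for a real dictionary / common-password list.
SAMPLE_WORDS = {"cat", "dragon", "password", "warcraft"}


def deleet(text, max_candidates=256):
    """Return every plain-letter reading of `text` (already lower-case)."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in text]
    total = 1
    for opt in options:
        total *= len(opt)
    if total > max_candidates:
        # Too many ambiguous characters: keep only the first reading of each.
        return {"".join(opt[0] for opt in options)}
    return {"".join(combo) for combo in itertools.product(*options)}


def weak_base_word(password, wordlist=SAMPLE_WORDS, min_len=3):
    """Return the dictionary word a password is built on, or None.

    Case is ignored, the two-character form "/\\" is read as "a", and any
    run of trailing digits or punctuation is allowed after the word.
    None only means "not derived from this word list", not "strong".
    """
    lowered = password.lower().replace("/\\", "a")
    for end in range(len(lowered), min_len - 1, -1):
        core, suffix = lowered[:end], lowered[end:]
        if any(ch.isalpha() for ch in suffix):
            break  # shorter cores would leave letters in the suffix too
        for candidate in deleet(core):
            if candidate in wordlist:
                return candidate
    return None


if __name__ == "__main__":
    # The four spellings from the post, plus constructed extra samples.
    for attempt in ["CaT", "c@t", "C/\\t", "(A7", "P@55w0rd2009!", "x7#Qm2vL"]:
        word = weak_base_word(attempt)
        verdict = f"reject (based on '{word}')" if word else "no word-list match"
        print(f"{attempt!r:18} {verdict}")
```
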

Palehorse
Posts: 2031

Post#4 » Wed Jan 21, 2009 5:45 am

I agree.

I posted elsewhere about some *free* security apps =)

http://www.clanyawa.com/viewtopic.php?t=2060

Lealla
Class Leader
Posts: 3797

Post#5 » Wed Jan 21, 2009 9:04 am

So-called "dictionary" attacks are getting much harder these days, as many authentication systems will either lock after a certain number of attempts or impose a delay such that an automated attack is too inefficient. Even if you allow for hackers programming their cracking tools to attempt leetspeak variations, plus digits and caps, you've still more than doubled the potential character space, and that creates a logarithmic increase in the time required to perform a crack.

However, you're very right that it's a horrendously bad idea to use dictionary words, proper names, birthdays, etc. as a password, with or without caps and leet variations.

Ecnailla
Posts: 3624

Post#6 » Wed Jan 21, 2009 9:35 am

Easy way to come up with a random password - think of a sentence that you will remember pretty easy:
I Play World Of Warcraft Every Night. ipwowen - add a special character and a number ipwowen$13 - Very easy to remember, very hard to figure out.

I drive a 93 Honda Del Sol ida93hds
I hate my job, but it pays the bills ihmjbiptb
Why do huntards suck so bad? wdhssb?1

Lealla
Class Leader
Posts: 3797

Post#7 » Wed Jan 21, 2009 9:50 am

I use a code based on book titles and their relative position in a series.

Gnomerman
Posts: 1814

Post#8 » Wed Jan 21, 2009 10:12 am

i think you guys are violating the line, never tell anyone your password, granted it's hints, i now know how to get ecn's info... go to the "i forgot my password", hint, the first letter in every word of his hint, and some numbers. granted, some numbers and special characters provide more than three possibilities, which is the limit on most online logins before they make you wait some time to log in.

:P

just bustin on you cuz im a lil bored

not a bad plan though, especially with caps and whatnot

There is more to life than pew pew you know, like staying out of the fire so you can live to pew pew another day

Ecnailla
Posts: 3624

Post#9 » Wed Jan 21, 2009 10:19 am

Ah, that's just my suggestion for others- I use two passwords- one is a random pass that was given me as a temp pass when I was about 17 - it's totally random. The other I don't use anymore, but it was the product key for Cisco CallManager - I use to [use to, is that right? looks odd] load the thing over and over in a QA lab and had the key memorized- btoo vqes ccju iebi, I would use the first 8, the last 8, the first and third set - whatever. Now I keep it simple and just use the random one.

Most companies are stupid - they require you to change your pass so often that the common person runs out of stuff and starts to put their password on a sticky pad on their monitor. If you don't think this is true, just take a little walk in any reasonably sized office and I bet you will find at least 1 password taped to the monitor.

Lealla
Class Leader
Posts: 3797

Post#10 » Wed Jan 21, 2009 10:25 am

"Used to" is the correct grammar. And Gnomer, if you can guess any of my passwords based solely on the hint I gave above, I'm going to accuse you of stalking me.

My company's ITS department recently implemented a strong password policy, requiring in most cases that all passwords meet minimum complexity rules. That combined with four to six separate systems (for the average user) and a no-reuse policy means that there are guaranteed to be a ton of calls to the helpdesk around every mandatory reset cycle.

I get away with it by using the same two passwords for everything and rotating the caps and special characters. Also, fortunately, my existing password stash was compatible with the new rules.

Ecnailla
Posts: 3624

Post#11 » Wed Jan 21, 2009 10:32 am

Yea, I use the same password at work and just rotate through -
~1 ~2 ~3 up through 9, then !1, !2, !3.... I'm up to $6 - It helps me keep track of how many times I have ever had to change my password at work too lol. On my 46th password : )

Brulan
Posts: 1643

Post#12 » Wed Jan 21, 2009 10:39 am

Ecnailla wrote:Most companies are stupid - they require you to change your pass so often that the common person runs out of stuff and starts to put their password on a sticky pad on their monitor. If you don't think this is true, just take a little walk in any reasonably sized office and I bet you will find at least 1 password taped to the monitor.

You should take a walk through my company here. I'm pretty sure just about everybody has their password on a sticky note. Being forced to change your password every 30 days is retarded, and whoever thought that was a good idea should be kicked in the nuts/vagina.
No.

Gnomerman
Posts: 1814

Post#13 » Wed Jan 21, 2009 11:13 am

the government is every 60 days. it sucks. granted now we have cards and a pin number that we don't have to change, (or at least i haven't yet). i like it, however some training modules require passwords for random crap.

eventually every computer will have a finger print scanner (most business machines do) and every network will support biometrics, and bam, you have to either cut off the person's finger, literally take their fingerprint from something and reconstruct the fingerprint in a way to fool the scanner, or have them scan their finger.

the card system is the same thing though.

zephar
Posts: 1338

Post#14 » Wed Jan 21, 2009 11:19 am

My password for my account is Brulan but don't tell anybody k?
I crit perception so hard that I could see why people love Cinnamon Toast Crunch.

" I saw a baby [ panda ] sneeze in a video and it telepathicly gave me a bonar. Cosmic Powers "

Ecnailla
Posts: 3624

Post#15 » Wed Jan 21, 2009 11:33 am

HA, so is mine!

Fingerprint is flawed like crazy - fingerprints are too easy to get copies of - it's like if you walked around writing your password on every smooth surface you touch.
