Top 10 Things You Must Do to Avoid Getting Hacked

For the truly paranoid (everyone today?) you could try the Insurgo Privacy Beast or the free but somewhat demanding Qubes OS. From what I understand “all” motherboards built in the last 10-12 years have the Intel ME chip on board running the Minix OS which is the “real” administrator of that system when it comes down to it.

This depressing article tells me that the white-vs-black arms race is hopeless. The sheer complexity of it all is the big issue. I don’t know if we’re at peak complexity now or will get there shortly. Sooner or later it’s going to fall over of its own weight. Maybe climate change will hurry things along.
The arms race has the side effect of generating mountains of electronic waste every year. It’s become a matter of international concern. The mountains get higher and higher as older equipment is discarded because it can’t run the latest security stuff. The waste is appalling.
That said, when it comes to discarding old disks, I reckon the best way is to apply a large mallet to the disk. If it’s a hard disk, unscrew and remove the top cover, and then make sure the platter is good and bent. If it’s solid state, pulverise it. This is also a great way to work off frustration!

I have some experience with this, so here it goes.

I'm trying to figure out the best way to present it succinctly, so if my efforts seem a bit simple, then I can live with that. There is a lot to say about this subject and writing a book is out of scope.

First of all I looked at the chart and it is misleading. Computing power is still changing rapidly in this area.

Bad News

  • You can build a dedicated password cracker for less than $10K.
  • Password crackers use GPUs, which do math way better than a CPU.
  • Usually you are limited by the motherboard slots to no more than 6 cards. (Heat is an issue too.)
  • In 2017 the cracker we used had 6 Nvidia 1080 Ti cards. (11 GB GDDR5X memory, 3584 CUDA cores @ 1582 MHz each)
  • As of August 2021, the newest Nvidia card is the RTX 3090. (24 GB GDDR6X memory, 10496 CUDA cores @ 1.70 GHz boost)
  • You can combine crackers with GoCrack.
  • A 32 character password fell to us in less than 24 hours. It was a sentence with no spaces or upper case letters. (It was actually part of many thousands of passwords that fell in that period.)
  • Passwords are not stored in plain text, they are hashed with a one way algorithm. (The quality of the algorithm is part of the issue too.)
  • A password, say "Password1" (without quotes), is run through the algorithm and you get a bunch of junk. E.g. this is the SHA-256 hash of Password1: 19513fdc9da4fb72a4a05eb66917548d3c90ff94d5419e1f2363eea89dfee1dd
  • You have a database of passwords from previous hacks from other folks that you find on the dark web.
  • Currently there are 2,692,818,238 rows. (Email/Password combinations)
  • Out of that there are 1,160,253,228 unique email/password combinations.
  • The kicker is there are 613,584,246 real world passwords on one site. (these last three courtesy of Have I Been Pwned. Go here to check if your password is part of it. https://haveibeenpwned.com/ Click on Passwords to enter yours.)
  • The database usually has many of the common hashes already created; if not, you create them yourself. So now you have a Rainbow Table. (You may also get email addresses and web sites where these passwords were used. If you use the same password and email to register accounts, this is how a hacker can pivot from one site and try others of interest, like banks.)
  • We didn’t care about emails because we stole the ntds.dit file from a Windows Active Directory server. We extracted the hashes offline and used the rainbow table to match many of them and brute forced the rest. (Not all passwords fell. My regular user account of 8 characters and administrative account of 16 characters didn’t crack.) Our test had a 24-hour time limit. Had we let it run for longer we would have had more success. How much more, I don’t know. In the end we only got about 50% of the 200,000.
  • Since we had elevated privileges anyhow to steal ntds.dit, we pretty much had a golden key to the kingdom, which helped find other golden keys.
  • Using Password1 above, we also had iterations of it: P@ssw0rd1, passWord1, p@55W0r61 etc. So just adding special characters to substitute for their look-alikes isn’t a good strategy.
 

Good News

    • Adding special characters, numbers and upper case adds difficulty, but do not use easily predictable substitutions. (see above)
    • Use a GOOD Password Manager. Don’t use the same password with multiple sites.
    • Use Multi Factor. Try to avoid using SMS MFA. SMS can be hacked. SIM cloning, SMS spoofing, which is easier than you would think. There is no way to authenticate where it came from and there is NO encryption. The Cloudflare hackers used this to gain a foothold. (There is debate on whether to use SMS only MFA. Using a very difficult 16 plus character password may be MORE secure than a shorter password with SMS MFA.)
    • Keep in mind, the above scenario was targeted at a Corporation. The odds of a hacker targeting you personally are low, unless you are a high value person. Most likely you are part of a larger breach. (Not necessarily a high value individual, i.e. “a rich person”, but maybe a C level or someone who works in the Finance department or a bank.)
Side story. Back when the Ashley Madison breach took place, just for fun we got a hold of the database and searched it for any of our corporate emails. We had about a dozen hits, but one was someone we knew. A married co-worker had signed up to the service using his work email. Needless to say, there was much embarrassment on his part, and he left not too long after that. Don’t know if he was asked to leave or he was just that embarrassed. Edit: I didn't see iSecurtyGuru's comment #19 before this. What I described is similar to his linked article.
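The post above describes two things a cracker does with a leaked hash dump: run a wordlist through mutation rules (case toggles and look-alike substitutions such as P@ssw0rd1 and p@55W0r61) and try long passphrases with the spaces removed. The following is an added example written for this page, not the poster's tooling: it implements a small rule engine of that kind in Python and runs it against a constructed dump. The dump uses plain SHA-256 as a stand-in for the NTLM hashes pulled from ntds.dit, and the user names, wordlist and phrase list are all made up for the demonstration.

```python
import hashlib
import itertools

# Look-alike substitutions of the kind the post lists. 'd' -> '6' is included
# only because the post's own variant p@55W0r61 uses it.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "d": "6"}


def sha256_hex(text: str) -> str:
    """Plain SHA-256 stand-in for whatever unsalted hash the dump contains."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str, max_leet_len: int = 10):
    """Yield candidates derived from one wordlist entry: case rules (lower, upper,
    capitalised, swapped, and each single position toggled) and, for short
    words, every combination of look-alike substitutions. hashcat/John rule
    files do the same thing on a much larger scale."""
    lower = word.lower()
    bases = [word, lower, word.upper(), lower.capitalize(), lower.swapcase()]
    bases += [lower[:i] + lower[i].swapcase() + lower[i + 1:] for i in range(len(lower))]
    seen = set()
    for base in bases:
        if base in seen:
            continue
        seen.add(base)
        yield base
        if len(base) > max_leet_len:  # the substitution product explodes on long words
            continue
        options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in base]
        for combo in itertools.product(*options):
            cand = "".join(combo)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(dump: dict, wordlist, phrases) -> dict:
    """dump maps user -> hex hash. Returns {user: recovered password}.
    Phrases are tried lower-cased with spaces stripped, which is how the
    post's 32-character sentence fell."""
    targets = {}
    for user, h in dump.items():
        targets.setdefault(h, []).append(user)
    candidates = itertools.chain(
        (c for w in wordlist for c in mangle(w)),
        (p.replace(" ", "").lower() for p in phrases),
    )
    found = {}
    for cand in candidates:
        h = sha256_hex(cand)
        if h in targets:
            for user in targets.pop(h):
                found[user] = cand
        if not targets:
            break
    return found


# Constructed sample dump: five weak passwords and one random 16-character one
# that, like the post's administrative account, survives the run.
DUMP = {
    "alice": sha256_hex("Password1"),
    "bob": sha256_hex("P@ssw0rd1"),
    "carol": sha256_hex("passWord1"),
    "dave": sha256_hex("p@55W0r61"),
    "erin": sha256_hex("correcthorsebatterystaple"),
    "frank": sha256_hex("Xk9#mP2$vL7!qR4w"),
}
WORDLIST = ["password1", "letmein", "summer2021"]  # constructed
PHRASES = ["the quick brown fox jumps over the lazy dog", "correct horse battery staple"]  # constructed

if __name__ == "__main__":
    for user, pw in crack(DUMP, WORDLIST, PHRASES).items():
        print(f"{user}: {pw}")
```

All four spellings of Password1 fall from the single wordlist entry `password1`, and the passphrase falls from the phrase list; only the 16-character random string is left, which is the post's point about substitutions versus length and randomness.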

Let me see if I have this straight: There is a website that purports to tell you if your unique password has been picked up by some dark actors on the web, and all you have to do to find out is… enter your passwords? That really doesn’t sound like a good idea to me, for reasons that ought to be obvious.

For the HaveIBeenPwned.com website, you give them your email or phone number and they will inform you whether it has been involved in a data breach. It won’t ask for your password and will not reveal any passwords.
HaveIBeenPwned.com is developed by Troy Hunt, a Microsoft Regional Director and MVP from Australia. So, he’s quite a well-known and reputable guy.
 

Overall the article was great. But not mentioned is a hacking technique that thieves are increasingly employing: hijacking your phone number, then using that ‘identity’ to get into your other accounts. This is called a SIM swap attack. Do a search on that and you’ll find dozens of horror story articles.
My recommendation to avoid this: check with your cellular company and inquire if you can set a flag on your account that requires increased security checks for any SIM changes. Such as showing photo ID or other documents to prove your identity.
The main way crooks operate is that they phone in or show up at a cellular company retail store and claim that they are you and that they have lost the phone. So they would like a new SIM issued with your number. Surprisingly, with many cell companies, this is relatively easy to do. Use a phone company that is pro-active in solving this giant loophole.
Regards,

In regards to data confidentiality, the article seems to make a distinction between internal and external storage devices. For internal storage, encryption for data at rest is suggested. For external storage devices cleartext storage in conjunction with secure delete is proposed.
I am wondering if this distinction is due to some perceived difference in threat level for each type of storage device, a difference in type of data assumed stored on a device, usage scenario, or some other factor?

A pitfall

A quick search for "password reuse statistics" suggests that more than 44-72 % of users reuse their password across multiple sites. As a baseless claim, I will add that there is some non-insignificant probability of different individuals "coming up" with the exact same password. Lists of the most common passwords still exist in 2021, right? Knowing this, there is at least one counter measure that online service providers could implement as an attempt to contain the damage in the event of a data breach related to end-user passwords. In other words, one end-user’s password getting cracked should not have any direct compromising effect on other user accounts utilizing the same password.

Example: Hypothetical breach at Peak Prosperity

If Alice and Bob here at Peak Prosperity happened to use the same password, an adversary learning Alice's password here at Peak Prosperity should not automatically allow the adversary to infer anything about Bob's password. Likewise, even if Alice is reusing her password at some other site, a breach here at Peak Prosperity should not automatically allow the adversary to infer anything about Alice's passwords on other websites.

A counter

What some smart people came up with was the use of a so-called cryptographic salt. Roughly speaking one could think of a "salted" password as consisting of two components: one component which the user provides, like we do today, and a second component which a service provider randomly generates (and stores on their side). Why does this help? As Bheithir's post points out (#22), an adversary likely utilizes rainbow tables (~ a database) to look up a precomputed hash (~ a unique fingerprint) for a password they have already come across. Given the degree of uniqueness that a salt adds to a password, it is less likely that the hash of a salted password already exists in rainbow tables. One could perhaps say that password salting attempts to limit an adversary's accumulation of password knowledge after each successful data breach as well as obscure obvious lateral movements within a (breached) data set. Returning to the above example with Alice and Bob, utilizing a salt would mean that different hashes would be produced for Alice and Bob even if they were in fact using the same password. Based on the hash values, however, this is not obvious.

PS: Has changing passwords been mentioned?
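The Alice-and-Bob scenario above, as an added example that is not part of the original post: the unsalted scheme is shown beside a salted one, with a constructed wordlist playing the role of the precomputed table (a real rainbow table is a time-memory trade-off structure, but a plain hash-to-password dictionary makes the same point). One assumption goes beyond the post: the salted side uses PBKDF2-HMAC-SHA256 rather than a bare salted hash, because a salt alone stops the attacker from amortising work across users and sites but does nothing to slow down guessing against a single account; the slow KDF is what does that. Iteration counts are kept low here only so the demonstration runs quickly.

```python
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """What the breached site in the scenario stores: same password, same hash, everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Attacker's precomputed hash -> password map, built once and reused across breaches."""
    return {unsalted_hash(w): w for w in wordlist}


def create_record(password: str, salt: bytes = None, iterations: int = 50_000) -> dict:
    """Server-side record: random per-user salt stored beside the derived key."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def guess_record(record: dict, wordlist):
    """The attacker's only move against a salted record: repeat the KDF per guess, per user."""
    for w in wordlist:
        if verify(w, record):
            return w
    return None


WORDLIST = ["123456", "Password1", "letmein", "summer2021"]  # constructed


def demo(shared_password: str = "Password1", iterations: int = 1_000) -> dict:
    table = build_lookup_table(WORDLIST)

    # Unsalted: Alice and Bob collide, and one table lookup recovers both at once.
    unsalted = {"alice": unsalted_hash(shared_password), "bob": unsalted_hash(shared_password)}
    unsalted_hits = {u: table.get(h) for u, h in unsalted.items()}

    # Salted: same password, two different records; the table finds nothing,
    # and the attacker has to redo the work separately for each account.
    records = {
        "alice": create_record(shared_password, iterations=iterations),
        "bob": create_record(shared_password, iterations=iterations),
    }
    salted_table_hits = {u: table.get(r["hash"]) for u, r in records.items()}
    per_user_guess = {u: guess_record(r, WORDLIST) for u, r in records.items()}

    return {
        "unsalted_same_hash": unsalted["alice"] == unsalted["bob"],
        "unsalted_hits": unsalted_hits,
        "salted_same_hash": records["alice"]["hash"] == records["bob"]["hash"],
        "salted_table_hits": salted_table_hits,
        "per_user_guess": per_user_guess,
        "records": records,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        if k != "records":
            print(f"{k}: {v}")
```

The last line of the output is the caveat: both salted records are still guessed, because the password is in the wordlist. Salting changes the cost model from "one lookup per breach" to "one full run per user", and a slow KDF raises the price of each run; neither replaces an unguessable password.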

Multiple posts seem to revolve around online privacy. Perhaps a dedicated write-up on that topic could be of interest. Here is an example with emails which some might be unaware of.
The “to”, “from”, and “subject” fields of an e-mail are always available to any party involved with routing an e-mail from sender to receiver. Writing confidential information in the “subject” field is like writing confidential info on the outside of an envelope or on a postcard. This is not a flaw per se, it is how e-mails were designed.


But Microsoft should be targeted. We all should remember what happened to Dan Geer. Outlaw Windows and Outlook and the market would dry up. Vuln hunters at McAfee using Unix boxes at home. IBM’s Hursley think tank using Unix privately for over twenty years. IBM consultants getting new kit with Windows automatically wiped before delivery. Anyone using Windows is asking for trouble and deserving of it. But it’s worse. For Windows (l)users are spoiling the party for the rest of us.

Trusting MSFT staff that tout with ‘MVP’ is like turning to Anthony Fauci for advice on how to beat the pandemic.

Well not necessarily. Any website worth its salt and your trust will never store your actual password anyway.
As an aside: Twitter is one player (of many over the years) who has not practiced this. They were caught harvesting passwords, and not the encryption results, which are the only thing that’s needed, the only thing that should be stored. Caveat emptor. Websites take on responsibilities akin to a banker’s but have no acumen for it.
