Accounts Compromised

Discussion in 'Off Topic' started by alucard13mmfmj, Apr 17, 2013.

  1. ImSpartacus

    ImSpartacus nerf spec plz

    Messages:
    8,598
    Likes Received:
    7
    Trophy Points:
    0
    So you're asking for a guide? Hmm...
     
  2. McGyver

    McGyver Experimental Pedagogue

    Messages:
    6,533
    Likes Received:
    31
    Trophy Points:
    0
    It better also have a decent poll.
     
  3. A-z-K

    A-z-K Member

    Messages:
    3,241
    Likes Received:
    215
    Trophy Points:
    0
    There are some simple things that mitigate most common attacks.

    Exploits: Keep your shit up to date. Run a software firewall.
    Passwords: Long passwords are best, ideally you will throw some randomness in there too. Store these in KeePass, which is encrypted and can be synced to mobile devices so you can carry them safely everywhere.
    Encryption: use TrueCrypt to encrypt a mountable volume or thumb drive for your super secret (porn) documents. Also encrypt your whole hard disk for when you inevitably leave it on the plane/train/bar. This can actually improve your disk I/O, don't worry about decreased performance.
    Browsing: This is a huge threat vector today. Be careful what you browse, check certificate chains and always browse anything but your most trusted sites from a virtual machine, also use software to sandbox your browser in your main machine and virtual machine.
    Registration practices: don't register sites with information (like your date of birth) which could be used for privilege escalation.

    Do not use public WiFi ever, it is just so easy to create rogue access points that look real. If you have to do so make sure you are using a VPN tunnel for your traffic.

    It all sounds like a pain but it is about 4 work to set up and from then on it is no problem.
     
    Last edited: Apr 18, 2013
  4. Silk

    Silk Mapper

    Messages:
    3,147
    Likes Received:
    36
    Trophy Points:
    0
    Remember to do these scans in safe mode. Many of the more professional viruses and what not are able to hide from scans when you're not in safe mode. In the past this was the only thing preventing me from having to format my PC every month. Thank god it's much easier and safer to get porn these days.
     
  5. A-z-K

    A-z-K Member

    Messages:
    3,241
    Likes Received:
    215
    Trophy Points:
    0
    Ideally get a boot CD so you aren't loading the OS of the infected system. Remember to turn off system restore too.

    tbh I always rebuild from scratch as soon as I think there is a virus on a PC.
     
  6. CyberKiller

    CyberKiller Nyooks!

    Messages:
    1,107
    Likes Received:
    8
    Trophy Points:
    0
    Avast can do a boot-time scan outside of Windows.
     
  7. flasche

    flasche Member Staff Member Moderator

    Messages:
    13,299
    Likes Received:
    168
    Trophy Points:
    0
    still better than the first one which is prone to a dictionary attack as well - that's the point of the picture. also it'd be a very sophisticated dictionary attack where you try 4 word combinations of your dictionary wouldn't it?

    for a really "secure" password you'd need as many random bits as possible, but who'd remember, let alone want to input, dunno, let's say 32 random characters? i could use my Quake 3 CD key - lww3d2rhgbtdsbj3 (that was out of memory - still only 16 chars) - i remembered it by inputting it a felt million times till now - but now it's social engineerable and this is the best attack vector anyway ;)
     
    Last edited: Apr 18, 2013
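The two schemes flasche is weighing (a 4-word passphrase from a word list versus a string of random characters) can be compared directly by counting bits. The following is an added example, not code from the thread or any of its posters; the 2048-word list size and the 1e10 guesses/second offline cracking rate are assumptions chosen for illustration, while the alphabet sizes are the real sizes of the named character sets.

```python
import math

# Assumed parameters for the comparison (constructed for this example).
WORDLIST_SIZE = 2048        # a 2048-word list gives exactly 11 bits per word
ALNUM_LOWER = 36            # a-z plus 0-9, the alphabet of the CD key quoted above
PRINTABLE_ASCII = 95        # every printable ASCII character


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` uniformly random picks, each
    out of `choices_per_symbol` possibilities: log2(choices ** symbols)."""
    return symbols * math.log2(choices_per_symbol)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate.

    This is exactly the cost of the "dictionary attack where you try 4-word
    combinations" mentioned above: the attacker who knows the word list has a
    keyspace of WORDLIST_SIZE ** 4 = 2 ** bits, no matter how long the phrase
    looks as a string of letters."""
    return 2 ** bits / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Bits and worst-case search time (years) for the schemes under discussion.
    The default rate is an assumed offline (hash-cracking) rate."""
    schemes = {
        "4 words from 2048-word list": entropy_bits(WORDLIST_SIZE, 4),
        "16 random [a-z0-9] chars": entropy_bits(ALNUM_LOWER, 16),
        "32 random printable chars": entropy_bits(PRINTABLE_ASCII, 32),
    }
    year = 365.25 * 24 * 3600
    return {
        name: (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second) / year)
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The numbers make both halves of the post concrete: four words from a 2048-word list are 44 bits, which an offline attacker with a leaked hash exhausts in under an hour at the assumed rate, but which is far out of reach for an online login that rate-limits guesses; 16 random alphanumerics are about 83 bits, and 32 random printable characters about 210 bits, which is why nobody is expected to memorise them.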
  8. McGyver

    McGyver Experimental Pedagogue

    Messages:
    6,533
    Likes Received:
    31
    Trophy Points:
    0
    How is browsing such a huge security risk? As long as your browser is updated I don't see much risk, yes even with JavaScript on. Also lol @ checking certificate chains, you only need to do this if you work at a uranium enrichment facility in Iran.

    Personally, I have one password I use for all low-security things like YouTube and all those fucking situations when you need to register somewhere. One password for higher risk things like e-mail and one very long password for my TrueCrypt system encryption.

    Recommending people to use d7cy8ö01d+e31da style passwords for every forum they sign up for does not help.

    The only thing that was ever hacked was my YouTube account. Yes, the password was weak, but still I was surprised that it happened. It happened after I posted a YouTube comment saying something like only Apple should use white colour for their devices, a day later my account was accessed by a South Korean IP... ^^
     
  9. A-z-K

    A-z-K Member

    Messages:
    3,241
    Likes Received:
    215
    Trophy Points:
    0
    How is browsing such a big risk? Seriously?
    name a more prolific threat vector, physical access notwithstanding

    only the lowest hanging fruit can be compromised with a brute force of password or a simple nmap/metasploit. These days all the real compromises come from cross-site scripting, browser exploits etc. Basically you don't usually just fire off a root exploit at an open port. You need to exploit an application and hope the user is running with admin, then subvert UAC, then do some kind of privilege escalation or keylog/capture to get to the shit you want.

    For most people it doesn't matter, the stakes are low. But if you don't think client side exploit is the highest threat at this point in time, that it can't easily bypass heuristic and signature detection then you are like 5 years out of date.

    simply you can get the most penetration for the least investment by attacking a single poorly written application on a client PC. Once you have that and you are on the LAN, you may as well have physical access, simple shit then gets you what you need to compromise the rest of the network.


    also you read too much into my comment on passwords and then picked it apart. I'm not suggesting people have 26-character, totally random passwords for everything. I am suggesting normal, sensible passwords that are cycled periodically and recorded securely and accessibly. I know the risks, limitations and compromises involved in securing networks without hindering productivity.

    I may be biased on the side of paranoia, but I worked through an incident response at an ATM card processor, which came in through a user who was victim to a PDF exploit (which only required mouse over in Windows Explorer tool tips, not even opening the file) and used the same password for everything... No one slept for like a week.

    also if you don't check your certificate chain, and you think you never need to then great. I hope that green padlock makes you feel safe and warm and fuzzy, because that's all it does.
     
    Last edited: Apr 18, 2013
  10. Trickster

    Trickster Retired Developer

    Messages:
    16,576
    Likes Received:
    46
    Trophy Points:
    0
    A lot of this stuff seems impractical though, or at the least very difficult. I'll take a look at KeePass though.
     
  11. Candles

    Candles CAPTAIN CANDLES, DUN DUN DUN, DUN DUN DUN DUN.

    Messages:
    4,251
    Likes Received:
    10
    Trophy Points:
    0
    I can vouch for KeePass, it's what we use at my job to hold OETC serial keys, current and past admin passwords, and as part of the chain for securing PII.

    I will admit, I'm one of the luckiest motherfuckers when it comes to security. I use the same password for almost everything, no firewall or anti-virus/malware/spyware, pirate all day 'erry day. For most companies, I'd be a ticking information security timebomb.

    EDIT: I suppose part of it is that the only things I pirate are videos and music, and I don't do much browsing outside of news, Empires forums and Wikipedia.
     
    Last edited: Apr 18, 2013
  12. A-z-K

    A-z-K Member

    Messages:
    3,241
    Likes Received:
    215
    Trophy Points:
    0
    trickster: it really isn't once it is set up. It is all very little time to do. Not complicated at all even if it sounds it. It all depends on risk evaluation. Not necessary for everyone but I do it all and it really costs me no extra time at all.

    Wait a minute....
    No it's not, it's all really super easy which is why I suggested it. There is nothing there that is hard to do, the hardest thing would be encryption of your entire computer which takes ~25-30 clicks including downloading and installing the application.

    but KeePass and good password practice is the best place to start. Also look at Sandboxie to protect the browsing at the very least. Browsing is the highest risk activity most people do, so if you can sandbox the browser and DEFINITELY DON'T RUN AS ADMIN. Use another account to install shit and give it a strong password. This is probably the smartest, easiest shit to do, because when you get an exploit on an app you ran as admin, it now has admin, at least if you are a limited privilege user it can't (very easily) run stuff with admin privilege.

    also be real careful of PDF, it has a terrible security record with its handling of embedded JavaScript.
     
    Last edited: Apr 19, 2013
  13. wealthysoup

    wealthysoup Lead Tester

    Messages:
    1,857
    Likes Received:
    0
    Trophy Points:
    0
    Ding ding, we have a winner...especially since certificates can be bought for around £20 per year atm
     
  14. A-z-K

    A-z-K Member

    Messages:
    3,241
    Likes Received:
    215
    Trophy Points:
    0
    Yes, and there are many ways to make a man in the middle attack which strips a site's SSL certificate then adds one of your own to give the impression of a secure transaction/login. So easy that it is trivial, even for me to do.

    I usually check certificates before I put in my valued credentials, but if you cannot be arsed to do that because you don't work in an Iranian Uranium Enrichment Facility (I'm looking at you McGyver)... And you use Firefox then try https://addons.mozilla.org/en-us/firefox/addon/certificate-patrol/ which will tell you when certificates change on sites you visit.
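What Certificate Patrol does for Firefox is trust-on-first-use: remember the certificate each site presented last time and raise an alert when it changes. The following is an added example of that decision logic, not code from the add-on or from anyone in the thread; the fingerprint store is an in-memory dict (a real tool would persist it), and the byte strings in `demo()` are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import ssl
from typing import Dict, List

# Host name -> SHA-256 fingerprint of the last accepted leaf certificate.
FingerprintStore = Dict[str, str]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def observe(store: FingerprintStore, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use check for one TLS handshake.

    'new'       first time this host is seen: recorded, not verified (this is
                the blind spot of TOFU: a bad certificate on the very first
                visit is remembered as the good one).
    'unchanged' the leaf matches what was recorded.
    'changed'   the leaf differs. Either the site rotated its certificate or
                something between you and the site is presenting its own; the
                record is NOT overwritten, so the user has to decide."""
    fp = fingerprint(der_cert)
    previous = store.get(host)
    if previous is None:
        store[host] = fp
        return "new"
    return "unchanged" if previous == fp else "changed"


def accept(store: FingerprintStore, host: str, der_cert: bytes) -> None:
    """Explicitly accept a changed certificate (e.g. after confirming a rotation
    out of band), replacing the stored fingerprint."""
    store[host] = fingerprint(der_cert)


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the live leaf certificate for a host. Needs network access, so the
    offline demo below does not call it. ssl.get_server_certificate returns PEM."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def demo() -> List[str]:
    """Offline walk-through on constructed byte strings standing in for DER certs."""
    store: FingerprintStore = {}
    first_cert = b"constructed DER for bank.example, first visit"
    other_cert = b"constructed DER presented later for bank.example"
    results = [
        observe(store, "bank.example", first_cert),   # 'new'
        observe(store, "bank.example", first_cert),   # 'unchanged'
        observe(store, "bank.example", other_cert),   # 'changed'
        observe(store, "bank.example", other_cert),   # still 'changed': not accepted yet
    ]
    accept(store, "bank.example", other_cert)
    results.append(observe(store, "bank.example", other_cert))  # 'unchanged'
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat worth knowing before relying on this: the check says nothing about whether a certificate is valid, only whether it is the one seen before, so the first visit has to be made over a connection you trust, and every legitimate certificate rotation will look exactly like the man-in-the-middle case until you confirm it.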
     
  15. Deiform

    Deiform Member

    Messages:
    2,492
    Likes Received:
    10
    Trophy Points:
    0
    Yeah but surely you can check the URL in the nav bar. You can't spoof Natwest.com's certificate with their own domain. It'll become obvious you're not on their site.

    I salt my passwords for each site with a key from the website itself. That way I only need to remember my password and the key and then I have a unique password for every site. The only thing that will get me is a targeted attack on my identity, otherwise the link is not going to be found. And who would want my identity specifically...

    Password example:

    ETricksterismterriblep27

    Password: Tricksteristerrible27
    Key: Emp (first 3 letters of the domain)
    The hash: <first letter of key>Tricksteris<second letter of key>terrible<third letter of key>27
     
    Last edited: Apr 19, 2013
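Deiform's per-site scheme is a fixed rule: insert the three letters of the site key into the base password at fixed positions. The block below is an added example, not code from the thread; it reproduces the post's own worked example (the split points 11 and 19 are an assumption that matches it) and puts a keyed-hash derivation next to it, since the post itself notes that the scheme only fails against a targeted look at one leaked password. The domain names used are constructed placeholders.

```python
import base64
import hashlib
import hmac

# --- The scheme as described in the post ------------------------------------
# key[0] goes in front, key[1] after the first `a` characters of the base
# password, key[2] after the first `b` characters. (11, 19) reproduces
# E + "Tricksteris" + m + "terrible" + p + "27".

def site_key(domain: str) -> str:
    """'Emp' in the post: first three letters of the domain, capitalised like the example."""
    return domain[:3].capitalize()


def derive_interleave(base: str, key: str, splits=(11, 19)) -> str:
    """Site password = base password with the three key letters inserted."""
    a, b = splits
    return key[0] + base[:a] + key[1] + base[a:b] + key[2] + base[b:]


def recover_base(derived: str, splits=(11, 19)) -> str:
    """Why the post calls it a hash but it is not one: the transform is an
    insertion of three characters, so deleting them gives the base password
    back. That is the 'targeted attack' the post accepts as the residual risk:
    one site's leaked password plus knowledge of the rule yields all of them."""
    a, b = splits
    return derived[1:a + 1] + derived[a + 2:b + 2] + derived[b + 3:]


# --- Same memorisation burden, different property -----------------------------
# A keyed hash also needs only one secret plus the domain, but a single site's
# password reveals nothing about the secret or about any other site's password.
# This construction is an assumption for the example, not something from the thread.

def derive_hmac(base: str, domain: str, length: int = 20) -> str:
    """HMAC-SHA256 keyed with the memorised secret over the domain, base64
    encoded and truncated so it is typeable. Deterministic per (base, domain)."""
    mac = hmac.new(base.encode(), domain.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


if __name__ == "__main__":
    base = "Tricksteristerrible27"
    for domain in ("empires.example", "natwest.example"):
        print(domain, derive_interleave(base, site_key(domain)), derive_hmac(base, domain))
```

The trade-off is the one the post is making explicitly: the interleave rule can be applied in your head at a login prompt, while the HMAC version needs a tool (which is roughly what a password manager is), but only the second one keeps the base secret out of every site's database.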
  16. alucard13mmfmj

    alucard13mmfmj Member

    Messages:
    2,170
    Likes Received:
    0
    Trophy Points:
    0
    The days before:

    My Windows Movie Media player was not working. Now it is working fine.

    My Sony Vegas pirated copy that I stole crashed a lot. Now it is working fine.
     
    Last edited: Apr 29, 2013
  17. REX

    REX Member

    Messages:
    945
    Likes Received:
    0
    Trophy Points:
    0
    My brother just had the most crazy attack I have ever seen.

    Went to the kitchen, comes back and sees the mouse moving around deleting shit in his Dropbox and scrambling trying to open the ATI Catalyst Control Center and other shit.

    I think they couldn't control it because he used 3 screens :p

    Nothing was really lost before we cut the connection but that was some weird shit.
     
  18. Grantrithor

    Grantrithor Member

    Messages:
    9,820
    Likes Received:
    11
    Trophy Points:
    0
    Only 3 passwords, one for email, another one for everything, and a third one for everything where the second one isn't allowed to be used.
     
  19. wealthysoup

    wealthysoup Lead Tester

    Messages:
    1,857
    Likes Received:
    0
    Trophy Points:
    0
    aka his second password is: "password"
     
  20. Guns and Wham-O

    Guns and Wham-O Banned

    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    0
    Don't use the same password twice on two sites.
     