El Presidente Posted December 1, 2022

One for the FOH Cyber Security Troopers. Picture that you are talking to Ken and giving him 5 things he should be doing today to protect himself from cyber attack/hacking/fraud etc. I received an email last week where $2000 was siphoned off from a friend's bank account via his debit card. $20 test withdrawal...$30...$40....bang, the big one. This stuff is rife. How do the experts here protect themselves? Remember.....picture you are talking to Ken. I think it will help plenty on FOH.
rolaand Posted December 1, 2022

I actually wrote an article on this a few years ago. Some of the most impactful things you can do are:
1. Use a unique password for each site and a password vault/manager if you can. Try to update passwords at least annually. You can use haveibeenpwned to see if any of your accounts show up in data breaches.
2. Plan to update your devices at least weekly or whenever updates are available. Don't keep putting this off, because people reverse engineer the patches to figure out what the vulnerability was.
3. Review applications you have installed and any permissions you may have granted them to other services (Facebook, Twitter, etc).
4. Uninstall services and applications you no longer use.
5. Enable multi factor authentication whenever possible. Authenticator apps are better than text messages but hardware tokens are the best.
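The haveibeenpwned check in point 1 also works for individual passwords, and it is worth seeing why it is safe to use: the Pwned Passwords "range" API uses k-anonymity, so the client sends only the first 5 hex characters of the SHA-1 of the password and matches the remaining 35 characters locally. The block below is an added example (not code from the post or from haveibeenpwned) that implements that client-side half. The `offline_fetch` function and `SAMPLE_RANGE_BODIES` stand in for the HTTPS call with constructed data so it runs offline; the row counts are illustrative, and a real range response has several hundred rows.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body that https://api.pwnedpasswords.com/range/5BAA6
# would return: one "SHA-1 suffix:count" row per line. The counts are illustrative
# only, and a real response for a prefix has several hundred rows.
SAMPLE_RANGE_BODIES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    ),
}


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-hex-char prefix, 35-hex-char suffix) of SHA-1(password), upper case.

    Only the prefix ever leaves the client; the suffix is matched locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" rows into a dict; tolerate blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTPS GET of the range endpoint (returns constructed data)."""
    return SAMPLE_RANGE_BODIES.get(prefix, "")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


def range_url(password: str) -> str:
    """URL a real client would fetch; note it carries only the 5-character prefix."""
    prefix, _ = split_sha1(password)
    return f"https://api.pwnedpasswords.com/range/{prefix}"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times; query would be {range_url(pw)}")
```

To use it against the live service, pass a `fetch` that does an HTTPS GET of `range_url(...)` and returns the body; the password itself and its full hash never go on the wire.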
gustavehenne Posted December 1, 2022

1. Disable spend from your debit card, transfer money into a prepaid card or use a credit card (then pay it off every month!)
2. Enable multi-factor authentication on everything.
3. Never do anything that starts with a request from an SMS. If it looks semi-legit, call the company using a phone number from the official web site.
4. Check the e-mail address when receiving e-mails from banks etc. Most phishing and fraud e-mails come from weird domains. Follow point 3 if in doubt.
5. Zero trust, for everything. Always assume it's fake until you double/triple verify.
Edicion Posted December 1, 2022

I will write a few points later, but first I need to make an urgent bank transfer to a prince who is a bank manager and lawyer, in order to secure a huge inheritance, since I am the sole beneficiary of a long-lost uncle who owned a large oil company worth billions of dollars. So lucky to have received this email today, and to think I could have missed it since it went to my spam inbox!
NSXCIGAR Posted December 1, 2022

This kind of fraud comes from skimming or simply dumps of POS data. There's very little you can do about it if you're making purchases from international vendors, for example. In fact I was using my credit card in St. Martin this year and a few days after I left I had three charges of $400 or $600 on my card. Those merchants and/or employees constantly steal CC info from their POSs. You can do everything right and it can still happen. The key is 1) don't make purchases with your debit card or check card and 2) if you do, never use your PIN. As @stevenhaugen suggests, use a credit card for purchases and pay it off in full within the grace period. Find a good card that offers points or miles and it's much better than using your bank debit card. And once a thief has your PIN and withdraws actual cash it can be quite difficult to get your money back. If it's just a credit transaction it's much easier to report and get reimbursed. If a PIN is used the bank could claim it was you or you gave your PIN to someone, etc., and it can turn into a big headache.
rolaand Posted December 1, 2022

3 hours ago, therealrsr said:
Chart of how long it takes to brute force a password, most use woefully simple and then complain about a website's complexity requirements. Also, use 2 factor whenever available. VPN is a must on public/shared networks and rarely hurts on private. Pay a service to monitor and scan dark web for data if within budget.

Sorry, this might be really nitpicky, but I think this chart might be slightly outdated now since some crackers don't just use random strings to brute force but use more targeted wordlists and phrases to cut down on time. Password advice has migrated to using longer, memorable passphrases if you need to remember them or a password manager otherwise. For example, when I do vulnerability assessments I use a tool called CeWL that builds a custom wordlist for me to use based on some corpus I give it. I will make some assumptions here and say some members here may actually be higher valued targets based on personal wealth, so attackers may use more customized attacks since the benefit is there. Normal population advice is brute forcing actual logins is very unlikely and much more likely are credential stuffing attacks, where a password is found in a breach and used on a different site, or password hash cracking, which can vary w i l d l y based on the rig and methodology. Just my $.02 but I'm just excited to have a cyber thread!
Cigar Surgeon Posted December 1, 2022

Most of these breaches are old fashioned social engineering. Social engineering remains the easiest way to succeed in a scam or attack.
1. Distrust, and verify. Don't assume that a stranger is telling you the truth. The onus is on them to provide proof and legitimacy. I can recall having a disagreement when my bank called me and asked for information to verify my identity. I know who I am; I cannot verify your identity. I will call back using the bank's website to determine your service number.
2. Question everything. Most social engineering attacks revolve around creating an emergent situation and urgency. Both things are designed to override your sense of reason and ability to question. Your daughter has been arrested in Mexico, she needs bail money or she'll go to jail and we don't know which jail! Was my daughter in Mexico? Do I have a daughter? Who is this person calling? How do I know this person calling is who they say they are?
3. All requests for money should be put on hold. This one is easy. I have to jump through multiple hoops just to withdraw MY money from MY bank account. If someone, especially someone I don't know, is requesting money then they should be going through many hoops before I agree to it.
4. Don't accept requests over the phone. This one has always stood for me. Why would I need to provide money over the phone? I do business in person.
5. Find your own answers. As with the above example about my bank calling me, look the bank up yourself. Don't assume the link or phone number in an email is correct.
NikoB Posted December 1, 2022

Also one thing that was missed regarding multifactor: try to avoid SMS-based 2-factor at all costs. These messages can easily be intercepted by attackers (there have been multiple talks about this over the past few years). Ideally you will want to use a U2F token like a YubiKey or SoloKey, but another good option is using an authenticator app like Google Authenticator. Check out this site to see what types of 2FA are supported by the services you use: https://2fa.directory/int/ Happy to answer any other questions - I hack for a living and also teach hacking at university. I also take payment for any consulting in CCs (lol)
https://solokeys.com/
https://www.yubico.com/products/yubikey-5-overview/
Chas.Alpha Posted December 2, 2022

They hit my account for $1.00. Then they made a play at $10. The bank immediately knew something was up...
Bijan Posted December 5, 2022

Don't use a password manager without understanding how the specific one works: https://www.reviewgeek.com/137819/lastpass-security-breach-worse-than-initially-reported/# You're better off writing the passwords in a notebook or on post-its than having them stored on the cloud, by companies that don't actually care about your security.
rolaand Posted December 5, 2022

Allow me to retort… First I will lead off by saying a password manager is infinitely more secure than not using a password manager. If you can write your passwords down for all your sites and keep them sorted, and unique, then congratulations, you have an offline password manager. There are others you can run yourself to offer similar functionality. Now for some shop talk. The LastPass data breach is not an indication of how secure your passwords are with them. Ultimately in cryptography the algorithm for encryption is publicly known and tested but the secrets used are not. As long as you protect the secrets (likely a password/hash and a salt/pepper) there isn't much the attacker can do with the data. This was an attack against LastPass operational systems which exploited a vulnerability in their organizational IT infrastructure. It was not an attack against their cryptographic protocols afaik. The most valuable information attackers likely received was personal information (not even to the level of PII imo) like name, email, etc. Even if the source code was known, the algorithm is public so not much new information there. There are organization and trade secrets that may be interesting but nothing should be new pertaining to the cryptographic algorithm. Now to be thorough they need to do a full digital forensics and incident response run down looking for indicators of compromise, determining asset compromise, etc. that will yield the full scope of what assets may have been leaked during this breach. It is true that security incidents and public exploitation are bad but they happen and will continue to happen. Good on LastPass for their visibility through the incident and communication to members to change their master passwords. There are a lot of scenarios I won't get into about how breaches are basically inevitable, especially at high value companies like password managers.

I implore you to consider revisiting your views on simply breach = bad. Sure, do your due diligence in selecting a company but take everything into consideration.
Bijan Posted December 5, 2022

3 hours ago, rolaand said:
I implore you to consider revisiting your views on simply breach = bad. Sure, do your due diligence in selecting a company but take everything into consideration.

That is not my view. I don't know the specifics in this case. And I am sorry if nothing of value was leaked. But there are password managers that will store user passwords in a form that they can decrypt themselves, so that database leaks are password leaks. Others will allow users to use a weak password to encrypt all their passwords and store those weakly encrypted passwords. And so leaks are also password leaks (with minimal effort by attackers to try all 8 character passwords, and passwords of the form 12345678 and TinyKitten347). Offline attacks on passwords can be very effective. I would be interested to know the percentage of online password managers that, if they leaked their entire database of "encrypted" passwords, would not be leaking the passwords of a significant percentage of their users.

3 hours ago, rolaand said:
Ultimately in cryptography the algorithm for encryption is publicly known and tested but the secrets used are not. As long as you protect the secrets (likely a password/hash and a salt/pepper) there isn't much the attacker can do with the data.

I agree in theory, but disagree in practice. People are not using 128 bit or 256 bit random keys. They are using master passwords. And a lot of these master passwords, that protect all the passwords stored in the online manager, don't have that much entropy, and offline attacks can crack a good number of them reasonably quickly. Here's an interesting way to manage/generate passwords offline/online with recovery using a physical crypto fob: https://support.ledger.com/hc/en-us/articles/360017501380-Passwords?docs=true (I happen to have one lying around from when I owned crypto)
rolaand Posted December 5, 2022

2 hours ago, Bijan said:
I agree in theory, but disagree in practice. People are not using 128 bit or 256 bit random keys. They are using master passwords. And a lot of these master passwords, that protect all the passwords stored in the online manager, don't have that much entropy, and offline attacks can crack a good number of them reasonably quickly.

I think this is the part of password managers that users really need to do their due diligence on. I don't think many of the major password managers would be using a straight hash for how they use the master password. I don't really want to get into the weeds on this but most guidance (look at the NIST SP 800 series wrt salting and password use) requires a minimum salt length which obscures entropy and password length. As per LastPass, they use a one way salted hash with AES-256 encryption: https://support.lastpass.com/help/what-makes-lastpass-secure-lp070015 If we are straight up storing hashes then you can just use rainbow tables (these are essentially lookup tables that are created by taking values and passing them through the one way hash function so you can compare to the password hash) to crack them, but I would assume this is in the extreme minority of online password managers. If we are talking about offline password managers then there are a few more steps attackers would need to execute correctly before even getting to the hashes, so the risks/threat model/etc. are different. I think it is important to have public discourse on this stuff since a lot of vendors and cyber companies are opaque for their own benefit.

2 hours ago, Bijan said:
I agree in theory, but disagree in practice.

^^ This is also how I keep a job. Most of cyber security is understanding that compromises, usually due to business objectives, have been made and whether there are improper risk calculations that were made on their part. Most of the time technical debt, lack of documentation/understanding, personnel changes, etc. have led to misalignment between assets and their protections over time. The fundamentals of the technology are usually sound but the devil is in the details and those details are implementation. That's why you need your annual cyber checkup! lol
Bijan Posted December 5, 2022

2 minutes ago, rolaand said:
As per LastPass, they use a one way salted hash with AES-256 encryption: https://support.lastpass.com/help/what-makes-lastpass-secure-lp070015

What is described here is only useful if attackers try to get access to the LastPass stored data through the online API. If they steal the encrypted data at rest directly from the database or the database disks then it's a simple offline brute force attack, the difficulty/effectiveness of which is practically only a function of the KDF used and the entropy of the password. What I am talking about is not reversing the master password hash. It is brute force guessing the master password and trying different combinations until the attacker has cracked it. If the master password is weak, and the attacker has stolen LastPass's cloud data, then they can attack offline and once the master password is cracked, all the user's passwords are cracked.
rolaand Posted December 5, 2022

Hmm, without knowing their encryption scheme it would be hard to know, but at rest it should always be stored in conjunction with the salt. What you are describing is similar to PRISM (https://en.wikipedia.org/wiki/PRISM) where you would opportunistically exfiltrate data at unencrypted points within the network, assuming that the master password is unencrypted in transit on their system at some point. In practice, this would be extremely difficult and require intimate knowledge of the inner workings, which could possibly be gleaned from the source code, but would still rely on a bunch of other security problems occurring. In practice, there is a separate, unique salt kept for each password that is added to the end of the password, then hashed, and finally stored. Without leaking the salts, all the salts, the password hashes would be useless.
Bijan Posted December 5, 2022

In the end, since most websites the user will want to log into don't have any protocol to use the LastPass data without it being fully decrypted on the user's machine, and most users want to be able to use any device (any of their computers, their tablet, their phone, etc.), in practice the only secret info is the user's master password. So the entirety of the online password manager depends on the strength of that password. (Being also protected by how well the password manager company guards their database, though we both agree that leaks will inevitably happen, so that's no strong guarantee, and also the computational difficulty of making a single offline attempt to decrypt a password, but since users are not going to be willing to wait minutes while their password manager decrypts their passwords, and computational power is mainly a function of money and time, that too is no strong guarantee, so we are back at the strength of the master password.)

2 hours ago, rolaand said:
In practice, there is a separate, unique salt kept for each password that is added to the end of the password, then hashed, and finally stored. Without leaking the salts, all the salts, the password hashes would be useless.

At the end of the day, the user can buy a new phone, enter their "lastpass" username and password to log into the password manager, and then enter their master password and log into any website they have a saved password for. Between the password manager company's databases and the user's master password, there is all the data required to get the plaintext of all the user's passwords. Now we're arguing how likely it is all the database data will be leaked. It's enough that it's possible. We are no longer relying on algorithms, but on good IT infrastructure practices on the part of LastPass.
BrightonCorgi Posted December 5, 2022

On 12/1/2022 at 8:14 PM, Chas.Alpha said:
They hit my account for $1.00. Then they made a play at $10. The bank immediately knew something was up...

All of my banks and credit institutions are on the lookout and are quick to decline and verify. One thing I recommend beyond what is mentioned is do not use any free services like Gmail, Yahoo, and do not use social media services like Facebook. Free services come at a high cost; you. If you have Dropbox or the like, only use a paid version. Get your own email domain and host it on Proton. Use one time dynamic user accounts for shopping that obfuscate your true identity.
Bijan Posted December 5, 2022

2 minutes ago, BrightonCorgi said:
If you have Dropbox or the like, only use a paid version.

One thing I have found useful, when using cloud storage, is to encrypt any sensitive data myself and then store the encrypted data on the cloud. If the key is secure, one can use any cloud provider, without depending on anything from their end. (Of course many files in my account, such as ebooks, and videos of movies and TV shows, I don't bother encrypting, since they're very much public information, but I encrypt my email backups and store them on the cloud.)
rolaand Posted December 5, 2022

33 minutes ago, Bijan said:
At the end of the day, the user can buy a new phone, enter their "lastpass" username and password to log into the password manager, and then enter their master password and log into any website they have a saved password for. Between the password manager company's databases and the user's master password, there is all the data required to get the plaintext of all the user's passwords.

Here I will nitpick and caveat by saying that MFA is an option for your master password. In addition to that, there is a protocol for new devices where you simply cannot just enter the master password on a new device (at least on LastPass) without verifying through email. There are also lockouts for password attempts so I don't believe brute forcing is a viable attack.

33 minutes ago, Bijan said:
Now we're arguing how likely it is all the database data will be leaked. It's enough that it's possible. We are no longer relying on algorithms, but on good IT infrastructure practices on the part of LastPass.

Except in the case of credential stuffing, I believe the compromise of the company database is more likely than an individual's account unless that is a very high risk individual. It simply isn't worth the effort for an individualized attack imo. To fully understand this we can reference the chart @therealrsr posted previously and see how long it takes to brute force certain lengths. In addition to this, you don't know the length of the password being used since a hash is a one way function that takes in a variable length input and produces the same length output. I would argue that LastPass could publish the master pw hashes without any ramifications, although it would be business suicide. Similar to how the /etc/passwd hashes on a Linux machine are useless without the shadow file. We can get into quantum computers and post quantum crypto but I think we should save that for another day.
Bijan Posted December 5, 2022

30 minutes ago, rolaand said:
There are also lockouts for password attempts so I don't believe brute forcing is a viable attack.

I am talking about offline brute forcing. Imagine this. LastPass is acquired by an enemy government, and they shut down the service, and all LastPass employees are assigned to cracking their previous customers' passwords. How secure should the customers feel?

30 minutes ago, rolaand said:
I would argue that LastPass could publish the master pw hashes without any ramifications, although it would be business suicide.

I am entirely ignoring master password hashes. Imagine they don't exist for a minute; it doesn't change anything about the attack I'm describing. I am talking about brute force decrypting the encrypted user passwords (for the user's email, bank, etc., etc.) that are stored and which can be decrypted with the master password. They need to be decryptable because the sites the user wants to log in to will need plaintext passwords on the user's machine. If you have those encrypted passwords (i.e. you have dumps of the LastPass databases) and whatever "salts" are used (which LastPass has to store somewhere in their databases), then it's just offline brute forcing of the master password that is involved. There is no protection provided by hashing; this is entirely reversible encryption, with a key entirely derived from the master password, and known data stored somewhere in the LastPass databases.
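The attack Bijan describes in this post and two posts up (the attacker holds a dumped vault plus its salt, and the cost of each guess is set by the KDF, not by any server-side lockout) can be shown end to end with a few dozen lines. The block below is an added example, not code from the thread or from LastPass, and it does not claim to reproduce LastPass's actual scheme: the vault key is derived with PBKDF2-HMAC-SHA256 (the real KDF choice and iteration count are not stated in the thread), an HMAC-SHA256 counter-mode keystream plus an HMAC tag stands in for AES-256 so the block runs on the standard library, `DEMO_ITERATIONS` is set low on purpose so the demo finishes quickly, and `CANDIDATES` is a constructed wordlist. The OWASP figure in the comment is outside the thread and is stated as of its 2023 cheat sheet.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Iterable, Optional, Tuple

# Constructed wordlist standing in for the targeted lists an attacker would build.
CANDIDATES = ["123456", "password", "12345678", "Password1", "TinyKitten347",
              "letmein", "qwerty123", "cohiba1966"]

# Deliberately low so the demo runs in well under a second. For real vaults
# OWASP (2023) recommends 600,000 PBKDF2-HMAC-SHA256 iterations; every extra
# iteration multiplies the attacker's cost per guess by the same factor.
DEMO_ITERATIONS = 1_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Master password -> 32-byte vault key. The per-user salt defeats precomputed
    (rainbow) tables; the iteration count is what makes each offline guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256 (toy construction)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int = DEMO_ITERATIONS,
                  salt: Optional[bytes] = None, nonce: Optional[bytes] = None) -> Dict[str, Any]:
    """Encrypt-then-MAC the vault under keys derived from the master password.
    Everything in the returned dict is what a database dump would hand an attacker."""
    salt = salt if salt is not None else os.urandom(16)
    nonce = nonce if nonce is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ct": ct, "tag": tag}


def try_open(vault: Dict[str, Any], master_password: str) -> Optional[bytes]:
    """Return the plaintext if the guess is right, else None. This is exactly the
    test an offline attacker runs per candidate; no server, so no lockout applies."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(vault["ct"], _keystream(enc_key, vault["nonce"], len(vault["ct"]))))


def offline_crack(vault: Dict[str, Any], candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on a dumped vault: (recovered master password or None, guesses tried)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if try_open(vault, candidate) is not None:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    weak = encrypt_vault("TinyKitten347", b"bank.example: hunter2")
    strong = encrypt_vault("fig-lantern-orbit-quartz-mesa", b"bank.example: hunter2")
    print("weak master:  ", offline_crack(weak, CANDIDATES))
    print("strong master:", offline_crack(strong, CANDIDATES))
```

Two things the run makes visible. The salt is stored next to the ciphertext and does nothing against this attack beyond forcing per-vault work; what separates the two vaults is only whether the master password is in the attacker's list. And raising `iterations` is the vendor's only lever on cost per guess, bounded by how long users will wait to unlock, which is the trade-off Bijan points at.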
BrightonCorgi Posted December 5, 2022

42 minutes ago, Bijan said:
One thing I have found useful, when using cloud storage, is to encrypt any sensitive data myself and then store the encrypted data on the cloud. If the key is secure, one can use any cloud provider, without depending on anything from their end. (Of course many files in my account, such as ebooks, and videos of movies and TV shows, I don't bother encrypting, since they're very much public information, but I encrypt my email backups and store them on the cloud.)

Avoiding the free is mostly due to having little autonomy since it is free. The other is the marketing of your entity since it is free. Password protecting office files should be enough, or putting them in password protected archives. File level encryption tools are available as well. Save sensitive information files (those that are just needed for viewing) as a jpeg, png, or bmp. Makes content inspection nearly impossible. Very few technologies do OCR against image files that we are likely to be subject to.
Bijan Posted December 5, 2022

1 hour ago, BrightonCorgi said:
Very few technologies do OCR against image files that we are likely to be subject to.

That's a bit more secure. But an easy hack is to upload all the images to Google Photos. I often have photos of my cigar purchases in Google Photos and can find boxes by searching not only for the name, but even for the box code on the bottom... (if I happen to have a photo of the bottom, which I often do, to later note the box code in my records). I just found that I got a box of Monte Joyitas on June 29th 2021, by searching for: MOL ABR 18
Edit: this was the photo:

1 hour ago, BrightonCorgi said:
Password protecting office files should be enough, or putting them in password protected archives.

Current versions of MS Office do have proper encryption support (assuming good passwords). Even things like permission sharing within and outside organizations are no longer crackable by cracking the app itself.
Ruben133 Posted December 5, 2022

For strong website passwords, I use a word that I pick up by looking around. One capital letter is required and there must be numbers. Of course, it is impossible to remember such passwords, but there are not many sites that are of interest to scammers. For the other sites, you can use simple passwords. Your credit cards and bank accounts are a target for scammers. Passport or social security card data have long been no secret for them. The easiest way is not to believe everyone who asks for credit card details on the phone and never give the code that comes in SMS. Using the code, scammers change your password to enter your bank account.
BrightonCorgi Posted December 5, 2022

1 hour ago, Bijan said:
That's a bit more secure. But an easy hack is to upload all the images to Google Photos.

Don't use anything Google. Close your Google account; make sure to do a Google Takeout first - https://takeout.google.com Run this to see how much Google has on you; scary stuff. 😢
El Presidente Posted December 5, 2022 (Author)

4 minutes ago, BrightonCorgi said:
Don't use anything Google. Close your Google account; make sure to do a Google Takeout first - https://takeout.google.com Run this to see how much Google has on you; scary stuff. 😢

.....and Apple
.....and Facebook
....and TikTok
....and add any social media platform here