Author Topic: Ethical Hacking - Self Defense.  (Read 2762 times)

Offline I.L.W.

  • Dedicated Contributor
  • ******
  • Posts: 1004
  • Karma: 203
Ethical Hacking - Self Defense.
« on: February 16, 2016, 12:07:08 AM »
Security Questions are a farce.
They don't improve your security, as the name seems to suggest. They destroy it. Take this scenario:
               
You want to take over an account. You know the person's email address. Just search their address on Facebook. Common Security Question Answers like "Date of Birth", "Where were your born", or "Mother's Maiden Name" can be easily ascertained by glancing at the profile there. A positive answer is often all you need to reset a password on an email account. Once you have the email account, you can browse the mail and follow "forgot my password" links on any sites the victim is registered with. A moron could hack you in 10 minutes. Not a super-elite NSA genius hacker... you're security will fall before someone with the intellectual depth of a Pauly Shore movie.


Defense: Type one letter to the left. If the Question is "Mother's Maiden Name", and her name is Smith, type one key over for "Anurg". Nobody will guess that, especially if they did the research and know what the correct answer is.



Using the same Password for every site....
If I compromise your password on one site, and every other site is the same password, I have access to everything. Take this scenario:

               I start a website about free recipes, but require people to log in. They set a password (which as site operator, I can view directly in the database). Knowing that many people use the same password for everything, there's a good shot I can use that, in conjunction with the email address you registered with to gain access to your email and every other online account associated with it.

Defense: So you use the same password because you have trouble remembering a thousand different passwords for each site you go to. Bookmark all the sites you log into in your browser.
  • Amazon
  • Pandora
  • PizzaHut

Now grab a piece of paper and a pen. Walk to your fridge. Make a shopping list.
  • Ground Beef
  • 2% Milk
  • Sauerkraut

This list is your password list. Match site #1 to Shopping list Item #1. Your Password for Amazon is "Ground Beef". This violates the rule of never writing your passwords down. However, if the list is compromised, it's camouflaged as a simple shopping list. Nobody would make that connection to your login details. If I manage to compromise your Amazon Password, it's different from your email password, so the damage is significantly reduced.



Sometimes, the Best Defense is a Good Offense.
We all make mistakes. Perhaps you were duped by a pop-up window recommending a credit check, or you entered your credit card info hastily  into a payment site which now looks suspicious. It happens.

There's nothing preventing you from "Poisoning the data". That is filling out the same form thousands of times with invalid info. Enter the first 4 digits of your credit card number, and the rest will be random. Just set it up in a spreadsheet to generate a huge list of random credit card numbers. Now go back to the site and submit those fake numbers.
Don't worry about one of them possibly being someone's real number, it won't match the name or security number, even if you do accidently guess a real CC#.

Now the hacker has a database with your valid credit card number, and potentially hundreds of thousands of fake numbers. When they try to process them and get failures on hundreds of attempts, some red flags go up with the company processing the transactions and they freeze them all. You rendered that list useless, saved your own data, and probably helped out a lot of other people in the process.



Honeypots
A "Honeypot" is a trap for a hacker. Imagine you bring your PC into the Geek Squad for repairs. You want them fixing your PC, not copying your personal files. But how do you know if they were accessing them? How about a script disguised as naked selfies, which when clicked will log the exact time of the access? Just save the script and create a shortcut to it on the desktop. Name the shortcut "My Naked Pics", and change the icon to a folder icon. If they click on it, you got 'em.

Here's the script:
Code: [Select]
Set WshShell = WScript.CreateObject("WScript.Shell")
sLogFileName = WshShell.SpecialFolders("Desktop") + "\log.txt"
Set objFsoLog = CreateObject("Scripting.FileSystemObject")
Set logOutput = objFsoLog.OpenTextFile(sLogFileName, 8, True)
dateStamp = Now()
logOutput.WriteLine(cstr(dateStamp) + " -" + vbTab + "Files Accessed!")
logOutput.Close
Set logOutput = Nothing
Set objFsoLog = Nothing
Just save that in Notepad as "honeybot.vbs"



Services that can help you.

Just Delete Me
http://justdelete.me/
Provides links to delete online accounts you may have had in the past, but no longer use. Cleaning up this data will go a long way towards protecting your information in the future.

Have I Been Pwned?
https://haveibeenpwned.com/
Enter your email address and User Names commonly used. This site collects data dumps from hackers, and checks if your information is among the compromised accounts. If it is, you will be notified that your information has been made public.

National Association of Attorneys General
http://www.naag.org/naag/attorneys-general/whos-my-ag.php
If you are the victim of Identity theft, Ransomware or cyber-stalking, The Attorney General will want to know about it. This is your first contact after your bank. This site tells you who to contact, and how to get ahold of them.



Got any defense tips? Share them below.

Offline scoob

  • Senior Survivalist
  • ****
  • Posts: 287
  • Karma: 24
  • Chicken-farming knuckle-dragger
    • Marksmanship, History, Civic Engagement
Re: Ethical Hacking - Self Defense.
« Reply #1 on: February 16, 2016, 06:16:04 AM »
Great stuff as always, ILW !

Offline Nicodemus

  • HooHa Man! AKA Docs Whipping Boy
  • Moderator On Leave
  • Survival Veteran
  • *
  • Posts: 8429
  • Karma: 182
  • Wake up and smell the cat food n your bank account
Re: Ethical Hacking - Self Defense.
« Reply #2 on: February 17, 2016, 03:38:26 AM »
I'm digging the password idea.

Offline Russkie

  • Senior Survivalist
  • ****
  • Posts: 289
  • Karma: 18
Re: Ethical Hacking - Self Defense.
« Reply #3 on: February 17, 2016, 09:53:05 AM »
So much here that I've never thought about. Thanks!

Offline Gamer

  • Senior Survivalist
  • ****
  • Posts: 245
  • Karma: 6
  • New TSP Forum member
Re: Ethical Hacking - Self Defense.
« Reply #4 on: February 18, 2016, 03:17:43 AM »
Incidentally is there any foolproof arrangement we can make with our bank to stop hackers getting at our cash?
For example how about telling our bank to block ALL withdrawals etc until we've personally confirmed that it's legit?
For example if a hacker then tried to withdraw our lolly, the bank would automatically notify us so that we could then say either "Yes, it's legit, go ahead", or "NO! it's a hacker!"
Do some banks have such "Confirmation Options", or is it an impractical idea or what?

PS- the best security measure I can think of at the moment is to make a point of withdrawing most of my cash from my bank account and keeping it in boxes at home where no hackers can get their hands on it. I leave a small working amount in my account so that even if hackers get it it wont be too much..:)

Offline I.L.W.

  • Dedicated Contributor
  • ******
  • Posts: 1004
  • Karma: 203
Re: Ethical Hacking - Self Defense.
« Reply #5 on: February 18, 2016, 10:19:05 AM »
Banks don't really get hacked in the sense most people think of it. TV and Movies take some liberties with that. It's the individual account holder who is exploited when they fail to secure their information, or use debit cards with retailers who get hacked. Target, Sony, Home Depot...

The lesson here, don't use a debit card. They're not reimbursed for fraud as a credit card is (at least in the US, not sure about your area). Personal checks are dead. Every once in a while, you'll get in line at the grocery store behind a 90 year old woman who still uses personal checks... but they are mostly for business to business transactions these days.

Personally I deal in cash, not as a matter of security, but out of respect for merchants who don't need to pay transaction fees (and may choose not to report the sale to avoid taxes). You'd be shocked how many will give cash discounts if you just ask, especially contractors and service jobs.

Some banks do have multifactor authentication for ATM withdrawals. Basically, your account has a password which changes every 10 seconds. Your phone is synced with that changing password, so you need to have both the ATM card and the phone (or their own authenticator) to make a cash withdrawal over $40.

Keeping cash at home is not the wisest idea if you're afraid of theft. Cash in a bank is insured against fraud and theft, in a box, it's not. Home robberies are more common than people like to admit. Even a safe is no guarantee, I've seen people yank them out with tow chains and carry them off.

For longer term wealth, look at physical items you can buy. Wine can be purchased for $200 a case in futures, and often ends up at $200 per bottle. Even if it increases 5%, that's better than any interest rate you're getting at the bank. It's also a consumable item. Nobody knows if you drank it or not, so it's easy to "forget" to report the sale, and hard to prove you sold it at any profit. There are many things you can do this with, not just wine. Just keep a detailed inventory list for insurance reasons.

To avoid hackers in online purchases, you can use a service like "Blur". It will generate a 1-time use credit card number for you, then bill your real card. They have your actual card on file, but you never give the real number out online to anyone else. You can also use pre-paid credit cards, loaded with money in the exact amount of the purchase. Then after the transaction is complete, the account is at $0, and won't be used again.

Offline theBINKYhunter

  • Does not fall well with plastic guns...
  • Moderator On Leave
  • Survival Veteran
  • *
  • Posts: 5847
  • Karma: 181
  • Not a tactical baddass
Re: Ethical Hacking - Self Defense.
« Reply #6 on: February 18, 2016, 11:05:34 AM »
:popcorn:

Good stuff.