  1. #1
    Respected Member tone's Avatar
    Join Date
    May 2011
    Location
    Northants
    Posts
    1,003
    Rep Power
    72

    Very interesting read

    My background is information security and within my job I have to study numerous standards, policies and guidance documents.
    Whilst reading a few cloud security documents I came across this article, which is an eye-opener!

    I'd be happy to suggest a few ways to avoid getting into this situation if required but it requires some organisation!

    Have a read.

    Tone

    http://www.wired.com/gadgetlab/2012/...rd-hacker/all/


  2. #2
    Respected Member andy222's Avatar
    Join Date
    Sep 2011
    Location
    West Midlands and Butuan
    Posts
    6,440
    Rep Power
    150
    Scary tone.


  3. #3
    Moderator
    Join Date
    Aug 2010
    Location
    Marikina City
    Posts
    26,785
    Rep Power
    150
    Thanks Tone.
    I read it carefully and for sure it's alarming. But, I'm no techie. I have no idea just how true that information is or how widespread or what I'm going to do.

    The writer intimates that nothing can be done. After all, we are required to input passwords to gain access to our own data etc. What is the simple alternative? Or put another way, as consumers and owners of our data how can we protect given that the systems we use demand us to pick and use a password?

    Confused from a secret location


  4. #4
    Moderator joebloggs's Avatar
    Join Date
    Oct 2006
    Location
    Somewhere else
    Posts
    23,162
    Rep Power
    150
    Maybe the guy got caught out by a keylogger or some other Trojan. They shouldn't be able to use 'brute force' to hack a password; the use of captchas if you get the password wrong once or twice makes it a lot more difficult, or 3 attempts and the account is locked out for 15 mins or whatever..

    As on here someone tried to guess my password, I think after 3 failed attempts I got an email from the forum s/w stating that and I think the IP address of the person.


  5. #5
    Respected Member tone's Avatar
    Join Date
    May 2011
    Location
    Northants
    Posts
    1,003
    Rep Power
    72
    I think there are a couple of key points here.

    We all have logins galore - and I'll bet within those you use the same password? Once a password has been gleaned as long as the attacker has one email address he/she can sit and try each one every other week.
    What you have to remember is if you use Google Play for example - you may use that every day or week, if I was going to attack this account I would try once a week thinking you may be using the account and logging in successfully and therefore resetting my one bad login (one for you Keith). Eventually I may break the password - the key thing here is I know your password and I could utilise a tool I could buy on the internet to create a brand new virus and email it to you.
    That virus or malware would sit on your computer undetected and just relay whatever I want back to me.
    You may be thinking - what about my antivirus - well, these AV programs use anomaly detection and static signatures to find known viruses. The virus I created is brand new and known as a "zero day attack"; no virus software knows about it.
    So I could sit there grabbing data from RAM and using it to log in to various sites masquerading as you. I could make the program pretty stealthy so it took information when I wanted it to.

    So the point is don't use the same passwords for all your web based accounts.

    Then if you forget your password there is a way to reset, but again if you use only a single email address for everything you have put all your eggs in one basket. So it is best to use another email address that is not linked to any other email address - for example I could say with Amazon if I forget my password send the reset code to an email address just used for recovery purposes - it's not linked to your existing email address. Again to clarify, if I knew your username for a web site - I simply click on the "forgot password" and it sends the same code to your primary email - I have that account and I can set the password on it to lock you out of the email and the store web site. If you have a credit card associated with that I can spend!

    What I am doing myself is organising all my online logins - I listed down every single one and its password on a piece of paper (not on computer) and then set about changing every password and where possible using secondary authentication - where when I log in to an account they send me an SMS to my phone and I type in that code as the password (not my actual password). Why?
    If there was a key logger running on my laptop - sure it would get the username but the password is a "one time password" only good for 1 go!

    Think I may have gone on a bit here but hope this highlights a couple of key points!

    Use different passwords.
    Use different email accounts for different online activities.
    Use secondary authentication; Gmail and Facebook use it now and soon MS Outlook will use this.

    Patch your computer - when there are MS updates, apply them, and whilst I said AV isn't as useful as it was it's still mandatory!

    Any questions....
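
The lockout from post #4 and the once-a-week guessing from post #5, as an added example that is not part of the thread: a counter that resets on any successful login never fires, while counting failures per source over a long window does. The event format, thresholds, account name and addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source address, success).
# The owner logs in daily from 198.51.100.7; 203.0.113.50 guesses once a week.
START = datetime(2012, 8, 1, 9, 0)
EVENTS = []
for day in range(56):
    ts = START + timedelta(days=day)
    EVENTS.append((ts, "example_user", "198.51.100.7", True))
    if day % 7 == 3:
        EVENTS.append((ts + timedelta(hours=5), "example_user", "203.0.113.50", False))
EVENTS.sort()


def naive_lockouts(events, threshold=3):
    """Consecutive-failure counter per account, reset by any successful login."""
    streak = defaultdict(int)
    locked = []
    for ts, account, _src, ok in events:
        if ok:
            streak[account] = 0  # the owner's own login wipes the guesser's strike
        else:
            streak[account] += 1
            if streak[account] >= threshold:
                locked.append((ts, account))
                streak[account] = 0
    return locked


def slow_guess_alerts(events, window=timedelta(days=90), threshold=5):
    """Flag (account, source) pairs with many failures in a long window and
    no successful login from that source; successes elsewhere reset nothing."""
    good_sources = {(acct, src) for _ts, acct, src, ok in events if ok}
    failures = defaultdict(list)
    alerts = set()
    for ts, account, src, ok in events:
        if ok or (account, src) in good_sources:
            continue
        recent = [t for t in failures[(account, src)] if ts - t <= window]
        recent.append(ts)
        failures[(account, src)] = recent
        if len(recent) >= threshold:
            alerts.add((account, src))
    return sorted(alerts)


if __name__ == "__main__":
    print("naive lockouts:", naive_lockouts(EVENTS))
    print("slow-guess alerts:", slow_guess_alerts(EVENTS))
```
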


  6. #6
    Respected Member tone's Avatar
    Join Date
    May 2011
    Location
    Northants
    Posts
    1,003
    Rep Power
    72
    Quote Originally Posted by Terpe View Post
    Thanks Tone.
    I read it carefully and for sure it's alarming. But, I'm no techie. I have no idea just how true that information is or how widespread or what I'm going to do.

    The writer intimates that nothing can be done. After all, we are required to input passwords to gain access to our own data etc. What is the simple alternative? Or put another way, as consumers and owners of our data how can we protect given that the systems we use demand us to pick and use a password?

    Confused from a secret location
    Hello Peter
    He was pretty peeved at losing pics of his daughter (I would be too) but he leveraged Apple's technology too much and when his Apple account was hacked he lost everything.

    Whilst there is no silver bullet I kind of think that every one of us needs a computer that doesn't do anything other than store personal data! It's not connected to the internet - there is an old saying that the most secure machine is one that has no internet connection.
    Vast parts of Government have such machines - they can't be hacked easily but what people do here is when they become aware the attack is via physical access so I may leave a USB stick or 20 lying around outside a said facility all with a few nasties on them, I can guarantee one plum will plug that into a computer and hey presto I am in. Problem is how do I get stuff out - and along with that I may need to do something quite extraordinary to get data off that computer onto that stick and the stick back in my hands... alternatively I just use the stick as a transport mechanism and when that person goes home - my virus infects his computer (which is internet connected) and sends me the info I want.

    So passwords hmm - first thing keep them all different, then use long passwords - 14 characters is good, combine a lot of different strings but make sure it's not a dictionary word - for example use two different number plates of two different cars (erm, not your cars either) or use something like a national insurance number or serial number or model number of a thingy..

    Does this help?

    Tone


  7. #7
    Trusted Member
    Join Date
    Jul 2005
    Location
    Pangasinan
    Posts
    25,596
    Rep Power
    150
    I store my pictures on 3 different hard-drives and 3 different online storage sites (as well as having the originals and negatives of any non-digital ones).

    My online banking requires 3 different 'passwords', and for instructing payments out of it requires inputting a SMS code that has been sent to my phone.

    Hopefully that should be enough.

    Fortunately I've usually got sod all in there anyway.


  8. #8
    Moderator
    Join Date
    Aug 2010
    Location
    Marikina City
    Posts
    26,785
    Rep Power
    150
    Quote Originally Posted by tone View Post
    Hello Peter
    He was pretty peeved at losing pics of his daughter (I would be too) but he leveraged Apple's technology too much and when his Apple account was hacked he lost everything.

    Whilst there is no silver bullet I kind of think that every one of us needs a computer that doesn't do anything other than store personal data! It's not connected to the internet - there is an old saying that the most secure machine is one that has no internet connection.
    Vast parts of Government have such machines - they can't be hacked easily but what people do here is when they become aware the attack is via physical access so I may leave a USB stick or 20 lying around outside a said facility all with a few nasties on them, I can guarantee one plum will plug that into a computer and hey presto I am in. Problem is how do I get stuff out - and along with that I may need to do something quite extraordinary to get data off that computer onto that stick and the stick back in my hands... alternatively I just use the stick as a transport mechanism and when that person goes home - my virus infects his computer (which is internet connected) and sends me the info I want.

    So passwords hmm - first thing keep them all different, then use long passwords - 14 characters is good, combine a lot of different strings but make sure it's not a dictionary word - for example use two different number plates of two different cars (erm, not your cars either) or use something like a national insurance number or serial number or model number of a thingy..

    Does this help?

    Tone
    Thanks Tone for your reply. Appreciated


  9. #9
    Respected Member somebody's Avatar
    Join Date
    Nov 2007
    Location
    In London Thank arry
    Posts
    8,162
    Rep Power
    128
    Smart phones and tablets are the weak points now. Amazing how people will seek out free WiFi..

    Also bear in mind https does not always mean you are secure but is in most cases a lot harder and more complicated for hackers to read your data..
    Oh lord why did you make so many clothes and shoe shops

