Help me protect...me

15 posts / 0 new
Last post
filterhappy
Offline
Last seen: 8 years 2 months ago
Help me protect...me

So recently(last night) I fell victim to a nice little hack job, he got my facebook and msn accounts, well actually info for all my accounts, but those are the only 2 he messed with. Now through my own system of knowledge I tracked him down and got my stuff back. Does anyone here have any advice as to how, if at all, I can avoid this kind of situation in the future. (After a short while of talking to him it became apparent that he has thousands of peoples account information and can obtain a lot of info about you in minutes.)

Medic
Offline
Last seen: 8 years 9 months ago

delete your facebook and msn accounts, hehe

Then there will be no problems

Spidey01
Offline
Last seen: 3 months 2 days ago

Use a strong password on all accounts.

Passwords should not be words

Passwords should not be in the dictionary

Passwords should contain alphanumerics and special symbols

Passwords should be > 8 char long.

Scale passwords to account security, i.e. use better passwords for more important accounts, weaker ones for less ones.

Never give out the password to anyone

No one but you should ever be able to figure out the password without brute forcing it (trying every possible password).

use a screen filter to prevent people reading your pw's as you type.

When possible set apps to use multiple *'s instead of one. Great apps would allow setting it to a random number that is > n but

Delete all cookies and logout/close all sessions when finished, do not use password managers or remember me's.

Use a secure browser

I would suggest links with graphics mode enabled or Opera personally...

Keep all running software up to date in regards to security, e.g. OS, Browser, Security software (AV, FW, PF, etc), including browser plugins.

Do not use Adobe Flash or Acrobat

Only allow your browser settings to accept cookies from the originating site (no third party cookies).

Disabling images and using an external viewer is not a bad idea if you are paranoia (I am).

Use secure connections where possible, i.e. SSL, HTTPS, SFTP, blah blah.

You may wish to disable JavaScript -- good browsers allow you to define what the JS Engien is permitted to do, better browsers would also allow you to selectively block/allow websites.

Never place identifiable information in public or private online that may compromise you unless totally necessary.

Use a secure E-Mail client.

Disable HTML e-mail, send and receive in plain text only.

Do not allow Javascript or external images in e-mail.

Install a proper firewalling and filtering package and keep your network secured behind it. I prefer stateful packet filters.

Refuse all inbound traffic by default, you may also wish to control outbound.

My favorite setups allow combing state with requested connections to ease headaches or setting rulesets on an app by app basis and take a shot at blocking all other outbound traffic as well.

Do not surf porn

Do not surf for wares

Do not download files from websites you can't trust

Do not install and use programs that you have not read the source code (recommended but not practical due to the size and complexity of larger programs, 100,000s of PLOC)

Scan regularly for viruses and malware

Be ever viliglent for fake resources and traps

Be aware of windows scripting host.

Remove any plugins you do not need / use.

For example -- I don't use quick time or real player on my laptop, I use MPlayer.

I could go on and on but I've got to eat now Blum 3

[SAS]_Paranoid_Spider

Valroe
Offline
Last seen: 8 years 9 months ago

Seems like you have been very unlucky there Filter.

I wouldn`t worry too much though.. The chance of this happening to a random person is 1 > 11000000.

You still don`t stop flying do you? Smile

PS : These statistics goes for any person with an Internet IQ over 80!

Grishenko
Offline
Last seen: 8 years 6 months ago

I think the question is: how did that person get access in the first place and how did you find out who did it, i.e. what is the real story? It sounds like a local problem.

If it isn't, then the advice already given on using secure connections whenever possible, etc. should be good enough. I'll add one more thing: don't bother with sites that are unsecured and not encrypted (such as these forums... at least for regular users like me) since those cookies/passwords/sessions/etc can be sniffed.

It really depends on how paranoid you are (imo) with anything on the Internet.

filterhappy
Offline
Last seen: 8 years 2 months ago

Thank you very much, extremely helpful.

as for your question Grish, last nite around....this time I tried to log onto facebook, it told me my password wasn't right, I just snuffed it off thought I'd try for tomorrow. Today my girlfriend shows me my profile and everything has been changed to say "evilzone.org. So I jump on the schools computer and check out the site. It's a site to teach kids how to hack, and all about hacking. I find the thread about a guy who has loads of facebook, myspace, ect. user names and passwords and will hand them out for people to deface their accounts. Send the info I have to my friend and he tracks down the guys I.P. adress, name, city, all that info. Contacted him through my msn account on the schools computer and after a bit of talking he decided to take my msn too. Go on through an old account and add him, after informing him that I have all his info he finally released my accounts to normal. Best part, it's not near to local. I'm in Canada, he's in Norway

SAS_Webmaster
Offline
Last seen: 1 year 3 months ago

The point Grishenko is trying to make is: the only way people can get acces is if you have left your password lying around or used something too obvious.

I have a password I use for the websites I visit the the most that is 11 characters long and contains random numbers and letters. It's not written down anywhere, I'm the only one that knows it. no problems so far.

there's a question I have tough: is it possible for webmasters to see your password on their sites, like php constructs etc...

SAS_Leon
Veteran
Veteran
Offline
Last seen: 5 years 6 months ago

Do not use Adobe Flash

Hehe. Not having Flash enabled in 2008 sounds like a boring web experience.

Grishenko
Offline
Last seen: 8 years 6 months ago

there's a question I have tough: is it possible for webmasters to see your password on their sites, like php constructs etc...

Depends how evil they are.

Personally, I use a set of passwords for secure connections and a different set for unsecured/potentially a liability/etc sites.

SAS_DeCapi
Lieutenant Colonel
Lieutenant Colonel
SAS_DeCapi's picture
Offline
Last seen: 1 hour 8 min ago

The point Grishenko is trying to make is: the only way people can get acces is if you have left your password lying around or used something too obvious.

I have a password I use for the websites I visit the the most that is 11 characters long and contains random numbers and letters. It's not written down anywhere, I'm the only one that knows it. no problems so far.

there's a question I have tough: is it possible for webmasters to see your password on their sites, like php constructs etc...

Yes it is.
Good/safe websites encrypt their password. If the password is not encrypted, it takes 2 seconds to find it, if you have access to the database.
So I always use another password to websites I don't trust.

SAS_LtCol_DeCapi 
Commanding Officer

GCHQ
22nd [SAS] Elite Virtual Regiment

Spidey01
Offline
Last seen: 3 months 2 days ago

You might also want to audit your system for programs that are, 'less' then legit. Some could contain useful points of entrance.

Do not use Adobe Flash

Hehe. Not having Flash enabled in 2008 sounds like a boring web experience.

Well, since WebTV I've never needed Flash for more then YouTube and that, I can really live without >_>

Dallers
Offline
Last seen: 8 years 10 months ago

Facebook is a killer mate but ive turned all my privacy setting up to the maximum!

Myspace stay well clear!

MSN just dont add anyone you dont know and always used a stong password!

Get a Firewall like a Nuclear Bomb as well always helps '-) as MSN just doesnt work with a strong firewall

HEHE

If a million people say a foolish thing, it is still a foolish thing. Anatole France [Jacques Anatole Thibault] (1844-1924)

SAS_WIZ
Veteran
Veteran
Offline
Last seen: 5 months 2 weeks ago

Rasa...In Nuke the answer is Nada.
I wont tell you why, but i do know its not possible to read..if its hacked, then its a guess

SAS_WIZ

Spidey01
Offline
Last seen: 3 months 2 days ago

And better passwords take the NSA a long time to guess Wink

Grishenko
Offline
Last seen: 8 years 6 months ago

You could also just enable/limited/disable different technologies for specific sites.. it's pretty useful imo.

there's a question I have tough: is it possible for webmasters to see your password on their sites, like php constructs etc...

Yes it is.
Good/safe websites encrypt their password. If the password is not encrypted, it takes 2 seconds to find it, if you have access to the database.
So I always use another password to websites I don't trust.

Not exactly. Most elementary databases, at the very least, would store these kind of things as hashes. And even then, using brute force could end up with several keys.

Rasa...In Nuke the answer is Nada.
I wont tell you why, but i do know its not possible to read..if its hacked, then its a guess

Not exactly. A simple example could be to log all successful attempts. Like I said, it depends on how evil they(admins) are.