
Thread: The Internet Attacks!

  1. #16
    Join Date
    31st March 2005 - 02:18
    Bike
    CB919, 1090R, R1200GSA
    Location
    East Aucks
    Posts
    10,425
    Blog Entries
    140
    Two main forms of hacking/attacks etc.

    The scatter gun, where they're just trying anything and everything to see what gets through, which then either reports back, or gets in, and invites all its friends for a party in your network (that's not a good thing btw). I could easily show you firewall logs, as admin/admin, root/root, user/password etc. all get attempted, multiple locations, multiple times a minute, if not every second, via various services a typical business might use.

    Targeted. This is way more dangerous. Either they're a market leader, or have an enemy that either personally doesn't like them, or wants them out of business (for whatever reason). I have both of these categories as clients. Unfortunately for the client, we spend more on security than on a typical client, but this is all open discussion (as best possible, I like to enable clients to make knowledge-based decisions). Sometimes they're quite aware who is after them, but either geographically we can't do anything, or proving it all the way back through layers is very tricky to do.

    Ultimately, people are the problem. As noted above, some have no idea about security. Yeah, we want open access to our device. Sure, your office address? Oh no, from any mobile etc. A client has exactly this, so all those devices have their own separated network - as best possible, coz staff also want to access.... yay. Btw, if any of you still have open RDP, turn it off. Please... changing the external port from 3389 to 33389 or 3390 is not even close to smart or secure. If you can access from anywhere, so can someone else.

    Oh, and understand the stakes we're playing with, when we tell you, you can't have p@ssw0rd. Even something like https://www.dinopass.com/ (using a strong password of 10 characters or more) makes it relatively easy to type, while still being completely random and different to anything else you have.

    [slightly more geek mode]
    Use this to discover if a website you've used was compromised: https://haveibeenpwned.com/
    Your passwords are for sale (or freely available), and they will try that password on every logical site, because so many people re-use the same password over and over. If they get access to your email, now they can re-set the password to a website and get the new password.
    Quote Originally Posted by Jane Omorogbe from UK MSN on the KTM990SM
    It's barking mad and if it doesn't turn you into a complete loon within half an hour of cocking a leg over the lofty 875mm seat height, I'll eat my Arai.
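Added example, not part of the post above: what the "scatter gun" looks like when you actually run detection over the log rather than eyeballing it. The log lines are constructed for this example in sshd's "Failed password" format (the year is assumed, since syslog timestamps carry none); the thresholds are assumptions too. One view flags a single source hammering away, the other inverts it to show which accounts are being guessed from how many places, which is what survives when the attempts are spread across sources.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of the sort of auth-log noise a scatter-gun run leaves
# behind: default accounts tried from several sources, plus some normal
# traffic. Written for this example, not taken from anyone's firewall.
SAMPLE_LOG = """\
Mar 31 02:18:01 gw sshd[4120]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 31 02:18:02 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 31 02:18:02 gw sshd[4122]: Failed password for invalid user user from 203.0.113.5 port 51244 ssh2
Mar 31 02:18:03 gw sshd[4123]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar 31 02:18:04 gw sshd[4124]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 31 02:18:09 gw sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Mar 31 02:18:10 gw sshd[4131]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar 31 02:19:30 gw sshd[4140]: Accepted publickey for alice from 192.0.2.10 port 60100 ssh2
Mar 31 02:25:00 gw sshd[4150]: Failed password for alice from 192.0.2.10 port 60102 ssh2
"""

# sshd's "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log: str, year: int = 2021):
    """Yield (timestamp, source_ip, username) for each failed login line.
    Syslog timestamps carry no year, so one is supplied (assumption: 2021)."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bruteforce(log: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag a source IP once it reaches `threshold` failures inside a sliding
    window of `window_s` seconds. Returns {ip: {"first", "count", "users"}}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> usernames it has tried so far
    alerts = {}
    for ts, ip, user in parse_failures(log):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first": q[0], "count": len(q), "users": sorted(users[ip])}
    return alerts


def targeted_accounts(log: str) -> dict:
    """Invert the view: which usernames are being guessed, and from which
    sources. A slow run spread over many IPs stays under the per-IP threshold,
    but the same default accounts keep turning up from different places."""
    sources = defaultdict(set)
    for _, ip, user in parse_failures(log):
        sources[user].add(ip)
    return {user: sorted(ips) for user, ips in sources.items()}


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['count']} failures since {info['first']:%H:%M:%S}, "
              f"accounts tried: {', '.join(info['users'])}")
    for user, ips in targeted_accounts(SAMPLE_LOG).items():
        print(f"{user}: guessed from {len(ips)} source(s)")
```

On the sample, only 203.0.113.5 trips the per-IP threshold, but `targeted_accounts` still shows root being guessed from two sources, which is the signal worth alerting on when the noise is spread thin.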

  2. #17
    Join Date
    31st March 2005 - 02:18
    Bike
    CB919, 1090R, R1200GSA
    Location
    East Aucks
    Posts
    10,425
    Blog Entries
    140
    Quote Originally Posted by pete376403 View Post
    The blackmail being referred to in the (eg) DHB case is just another point of force the crypto people use
    1. We have locked up your systems, give us money and we will unlock (maybe)

    if the victim says no, we will rebuild from backups, then

    2. We have also copied a lot of your sensitive data. Give us money or we will release this to the internet
    The 3rd vector now is direct contact to victims/clients of the company breached. We'll release your data, if you don't pay up.

  3. #18
    Join Date
    16th January 2010 - 17:09
    Bike
    VFR400, Frankenbucket
    Location
    Otorohanga
    Posts
    2,665
    Quote Originally Posted by Gremlin View Post
    Two main forms of hacking/attacks etc.

    The scatter gun, where they're just trying anything and everything to see what gets through, which then either reports back, or gets in, and invites all its friends for a party in your network (that's not a good thing btw). I could easily show you firewall logs, as admin/admin, root/root, user/password etc. all get attempted, multiple locations, multiple times a minute, if not every second, via various services a typical business might use.

    Targeted. This is way more dangerous. Either they're a market leader, or have an enemy that either personally doesn't like them, or wants them out of business (for whatever reason). I have both of these categories as clients. Unfortunately for the client, we spend more on security than on a typical client, but this is all open discussion (as best possible, I like to enable clients to make knowledge-based decisions). Sometimes they're quite aware who is after them, but either geographically we can't do anything, or proving it all the way back through layers is very tricky to do.

    Ultimately, people are the problem. As noted above, some have no idea about security. Yeah, we want open access to our device. Sure, your office address? Oh no, from any mobile etc. A client has exactly this, so all those devices have their own separated network - as best possible, coz staff also want to access.... yay. Btw, if any of you still have open RDP, turn it off. Please... changing the external port from 3389 to 33389 or 3390 is not even close to smart or secure. If you can access from anywhere, so can someone else.

    Oh, and understand the stakes we're playing with, when we tell you, you can't have p@ssw0rd. Even something like https://www.dinopass.com/ (using a strong password of 10 characters or more) makes it relatively easy to type, while still being completely random and different to anything else you have.

    [slightly more geek mode]
    Use this to discover if a website you've used was compromised: https://haveibeenpwned.com/
    Your passwords are for sale (or freely available), and they will try that password on every logical site, because so many people re-use the same password over and over. If they get access to your email, now they can re-set the password to a website and get the new password.
    Yup the one about the ports cracks me up, I've had IT professionals say to change ports to the closest thing possible to the service ie
    4433 for https
    50600 for sip Etc

    If you want to go random, go random ffs. Better still, get a router with built-in VPN and don't open anything; a Mikrotik can do it and it's 88 bucks.

    I have a security firm with port holes for days for cameras, I always make sure such requests are in emails and I reply back that I don't feel comfortable doing it etc, don't want to be dipping into public liability for something that I warned about.


    Sent from my SM-G991B using Tapatalk

  4. #19
    Join Date
    22nd June 2005 - 13:13
    Bike
    Rocket 111 Touring (2010)
    Location
    Te Awamutu
    Posts
    165
    Everyone knows that 1234 is bad. You have to get smart and reverse it to 4321.

    Seriously though, the comment about companies forcing password changes too often is true. 'An acquaintance' had a 17 character random generated password to login to his work laptop. His employer changed the system to force a password change every week. He argued that his own password was more secure but they insisted on the weekly change with at least 8 characters including uppercase, lowercase, number and special character. He started with Idiots-01 and is now up to Idiots-37. He knows that this is common practice in the company but they know best.

    Needless to say, he keeps or accesses nothing personal on his work laptop or mobile. He carries a separate personal tablet and mobile everywhere and each has its own SIM card.

    He keeps all of his passwords within an encrypted wallet that is accessed by a 23 character random password that he has memorised. I'm guessing that there's not much more that he can do?

  5. #20
    Join Date
    8th January 2005 - 15:05
    Bike
    Triumph Speed Triple
    Location
    New Plymouth
    Posts
    10,079
    Blog Entries
    1
    I used to use one password for all websites that didn't involve money. I've now been advised several times that password has been compromised, so it only applies now to sites I haven't visited in ages. The longest passwords I use are for the bank, otherwise I'm starting to trust technology. I'd be more comfortable if I trusted it more than I do.
    There is a grey blur, and a green blur. I try to stay on the grey one. - Joey Dunlop

  6. #21
    Join Date
    14th June 2007 - 22:39
    Bike
    Obsolete ones.
    Location
    Pigs back.
    Posts
    5,393
    Manopausal.

  7. #22
    Join Date
    7th January 2014 - 14:45
    Bike
    Not a Hayabusa anymore
    Location
    Not Gulf Harbour Either
    Posts
    1,460
    Quote Originally Posted by Autech View Post
    Yup the one about the ports cracks me up, I've had IT professionals say to change ports to the closest thing possible to the service ie
    4433 for https
    50600 for sip Etc

    If you want to go random, go random ffs. Better still, get a router with built-in VPN and don't open anything; a Mikrotik can do it and it's 88 bucks.

    I have a security firm with port holes for days for cameras, I always make sure such requests are in emails and I reply back that I don't feel comfortable doing it etc, don't want to be dipping into public liability for something that I warned about.


    Sent from my SM-G991B using Tapatalk
    I personally hate changing from default ports. As if anyone with a port scanning tool isn't going to find that open port in a few milliseconds longer than it would take if it were on the default port.

    If your security solution is to change the port - the question I'm asking is 'Why don't you properly secure the application?'

    Definitely agree on if it doesn't need to be public, do it on a private network with a VPN.
    Physics; Thou art a cruel, heartless Bitch-of-a-Mistress
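Added example to go with the point about port scanners, not code from anyone in this thread. A service gives itself away by what it sends on the wire, not by the port it sits on: SSH volunteers its version string on connect, and RDP answers an X.224 Connection Request with a Connection Confirm whatever port it was moved to. The scanner below grabs an unsolicited banner, falls back to an RDP probe if nothing arrives, and labels what it found. The fake services are constructed stand-ins so it runs offline on localhost; the protocol byte sequences are the standard TPKT/X.224 ones, and the timeout values are assumptions.

```python
import socket
import threading

# Wire-level signatures. None of these depend on the TCP port number, so a
# service on 33389 or 3390 is identified exactly as it would be on 3389.
SSH_PREFIX = b"SSH-"      # SSH servers send "SSH-2.0-..." unprompted
HTTP_PREFIX = b"HTTP/"    # HTTP servers answer any request, even with a 400
# TPKT header (03 00 00 0b) + X.224 Connection Request (length 06, code 0xE0).
RDP_X224_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")
# Reply from a real RDP listener: TPKT + X.224 Connection Confirm (code 0xD0 at offset 5).
RDP_X224_CONNECTION_CONFIRM = bytes.fromhex("0300000b06d00000123400")


def classify_banner(data: bytes) -> str:
    """Map the first bytes a service sends back to a protocol name."""
    if data.startswith(SSH_PREFIX):
        return "ssh"
    if data.startswith(HTTP_PREFIX):
        return "http"
    if len(data) >= 6 and data[0] == 0x03 and data[1] == 0x00 and data[5] == 0xD0:
        return "rdp"
    return "unknown" if data else "silent"


def fingerprint(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect, wait for an unsolicited banner; if none, send an RDP CR and
    classify whatever comes back. Returns 'closed' if the port refuses."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            if not data:
                s.sendall(RDP_X224_CONNECTION_REQUEST)
                try:
                    data = s.recv(256)
                except socket.timeout:
                    data = b""
            return classify_banner(data)
    except OSError:
        return "closed"


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Return {port: protocol} for every port that accepted a connection."""
    found = {}
    for port in ports:
        label = fingerprint(host, port, timeout)
        if label != "closed":
            found[port] = label
    return found


def start_fake_service(reply: bytes, wait_for_request: bool) -> int:
    """Constructed stand-in for a daemon: listens on a random localhost port.
    wait_for_request=True mimics RDP, which only talks after the client does."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if wait_for_request:
                    conn.recv(256)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.3\r\n", wait_for_request=False)
    rdp_port = start_fake_service(RDP_X224_CONNECTION_CONFIRM, wait_for_request=True)
    # Sweep a window of ports around the "hidden" ones, as a range scan would.
    ports = range(min(ssh_port, rdp_port) - 5, max(ssh_port, rdp_port) + 6)
    for port, proto in sorted(scan("127.0.0.1", ports, timeout=0.5).items()):
        print(f"{port}/tcp  {proto}")
```

Run it and the two random high ports come back labelled ssh and rdp; nothing in the classifier ever looked at the port number. Against a real internet-facing host the full 65535-port sweep is what costs the extra milliseconds the post mentions, and it is routine.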

  8. #23
    Join Date
    31st March 2005 - 02:18
    Bike
    CB919, 1090R, R1200GSA
    Location
    East Aucks
    Posts
    10,425
    Blog Entries
    140
    Quote Originally Posted by FLUB View Post
    Needless to say, he keeps or accesses nothing personal on his work laptop or mobile. He carries a separate personal tablet and mobile everywhere and each has its own SIM card.

    He keeps all of his passwords within an encrypted wallet that is accessed by a 23 character random password that he has memorised. I'm guessing that there's not much more that he can do?
    In terms of passwords, I've got most websites (got 100+ logins just for personal stuff, doesn't even include my internal home network) on unique randomised 16-20 character passwords. This means if any website is hacked/compromised, nothing else is affected. But how do I keep those passwords? I sure as hell can't remember a single one, let alone all of them. Well, it's a passworded Excel file at home, remote access only through VPN, plus Firefox/Chrome accounts synced, as I've also got a massive bookmark list of folders in sub-folders in a toolbar etc. They of course also have separate passwords for them. Probably not ideal, but I don't overly like trusting LastPass etc., because I've watched colleagues try to change the access password, then lose all access. The Excel file has tabs for personal stuff, family, the 2 internal networks complete with multiple servers etc. If an app or system loses its password, then it waits until I get home, unless I really want to dick around with VPN, reaching into the file storage etc. Waiting for a more complete v3 of Teampass, we use this internally at work for a self-hosted solution (but v2, which is a bit clunky), plus it supports MFA.

    At a minimum, I suggest tiers of passwords. Banking/IRD gets the most secure. Websites with your credit card next, lastly the junk websites with no risks like credit card details, and arguably, the most likely to be compromised.

    As for password policies, we have to change our password every 3 months. I always have to be careful another engineer is around to reset if needed. Once or twice, despite being careful, it just hasn't played nice. Microsoft has now changed to suggest no expiry, and I do see the benefits, but again, comes down to humans. We had an engineer we later uncovered (after they'd left), that loved Welcome123$ for a password. It was fucken everywhere and multiple staff in the same client had it!

    Every user gets a dinopass strong password, especially when I set up new starters. Most actually keep it, some laugh and wonder where on earth I get such random passwords, then more critique when I show it to them and they say it's for kids. Then I show them the random password generator I use for the more secure stuff and say, would you like a 16 character of this? Stops em pretty quick

  9. #24
    Join Date
    5th December 2009 - 12:32
    Bike
    It was on the good
    Location
    ship Venus, by Chri
    Posts
    3,154
    This sums it up quite well.
    Attached image: password_strength.png

  10. #25
    Join Date
    16th January 2010 - 17:09
    Bike
    VFR400, Frankenbucket
    Location
    Otorohanga
    Posts
    2,665
    Quote Originally Posted by TheDemonLord View Post
    I personally hate changing from default ports. As if anyone with a port scanning tool isn't going to find that open port in a few milliseconds longer than it would take if it were on the default port.

    If your security solution is to change the port - the question I'm asking is 'Why don't you properly secure the application?'

    Definitely agree on if it doesn't need to be public, do it on a private network with a VPN.
    It's better than using the default port though as it at least keeps the casual scans at bay as they generally are only trying the common ports or the variations which are well known.

    Of course if someone points it at the IP and scans every possible port they'll eventually find it. Better than nothing, but give me no port forwards any day of the week, or at least only ones that can be locked down to IP.

    Sent from my SM-G991B using Tapatalk

  11. #26
    Join Date
    7th January 2014 - 14:45
    Bike
    Not a Hayabusa anymore
    Location
    Not Gulf Harbour Either
    Posts
    1,460
    Quote Originally Posted by Berries View Post
    This sums it up quite well.
    Yep - we recently made a move to Passphrases over Passwords.

    Certainly made typing passwords into a console (when you can't copy/pasta) a whole lot easier than the randomized 20 character passwords we were using.
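Added example for the passphrase-versus-random-password comparison in the attached image and the post above; it is not code from either poster. It uses `secrets` (a CSPRNG, unlike `random`) to draw words, and puts numbers on the trade-off: entropy is length times log2 of the choices per position, so what matters is the size of the list and how many words you draw, not how clever the words look. The 64-word list is constructed so the block runs offline; a real generator should use a published list such as the EFF long list, which is assumed here to have 7776 words (about 12.9 bits per word).

```python
import math
import secrets

# Constructed 64-word list (6 bits per word) so this runs with no downloads.
# Assumption for the comparisons below: a real list like EFF's has 7776 words.
WORDS = """
anchor basin cable delta ember fable gable harbor ivory jumper kettle ladder
marble needle orbit pepper quartz ribbon saddle tunnel umber velvet wagon yellow
zipper apron bucket candle dragon easel falcon garden hammer island jacket kernel
lantern magnet nickel oyster pillow quiver rocket signal timber unicorn violin
walnut cobalt meadow puzzle summer canyon feather glacier mirror pebble thistle
copper barrel cactus desert engine forest
""".split()
EFF_LONG_LIST_SIZE = 7776          # assumption, see lead-in
PRINTABLE_ASCII = 94               # characters a "random 16-char" password draws from


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform choices from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches `target_bits` from a list of that size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG; every word is an independent uniform pick."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(target_bits: float = 80.0) -> dict:
    """How many characters or words it takes to reach the same entropy."""
    return {
        "random_chars": math.ceil(target_bits / math.log2(PRINTABLE_ASCII)),
        "words_small_list": words_needed(target_bits, len(WORDS)),
        "words_eff_list": words_needed(target_bits, EFF_LONG_LIST_SIZE),
    }


if __name__ == "__main__":
    print("16 random printable chars:", round(entropy_bits(PRINTABLE_ASCII, 16), 1), "bits")
    print("6 words from EFF list    :", round(entropy_bits(EFF_LONG_LIST_SIZE, 6), 1), "bits")
    print("6 words from this list   :", round(entropy_bits(len(WORDS), 6), 1), "bits")
    print("to reach 80 bits:", compare(80))
    print("sample (64-word list, 6 words):", generate_passphrase(6))
```

The numbers make the console-typing point concrete: six EFF words give roughly the same entropy as twelve random printable characters, and a list this small needs more than twice as many words to get there, which is why the list size matters more than the separator or capitalisation rules.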

  12. #27
    Join Date
    3rd February 2004 - 08:11
    Bike
    1982 Suzuki GS1100GK, 2008 KLR650
    Location
    Wallaceville, Upper hutt
    Posts
    5,049
    Blog Entries
    4
    Opinions on 2FA? - Good, ok, waste of time? I have it for the bank login, they send a code to the phone via txt. Not too annoying.
    it's not a bad thing till you throw a KLR into the mix.
    those cheap ass bitches can do anything with ductape.
    (PostalDave on ADVrider)

  13. #28
    Join Date
    31st March 2005 - 02:18
    Bike
    CB919, 1090R, R1200GSA
    Location
    East Aucks
    Posts
    10,425
    Blog Entries
    140
    Quote Originally Posted by Autech View Post
    It's better than using the default port though as it at least keeps the casual scans at bay as they generally are only trying the common ports or the variations which are well known.
    Easy enough to scan internet packets and get ports for communication. Changing the port doesn't change the risk. Simple.

    Quote Originally Posted by pete376403 View Post
    Opinions on 2FA? - Good, ok, waste of time? I have it for the bank login, they send a code to the phone via txt. Not too annoying.
    Depends on the 2FA. Some methods have already been proven to be beatable (reddit breach was it?). SMS particularly can be defeated by intercepting the SMS, either further down with sim copy, or further up inside the network - as said, this isn't just theoretical, it's already been used.

    Much better is the apps and registration, usually through QR, which give you push auth, OTP (one time password) or similar. Push obviously being pretty easy, it pops up on your mobile and you approve or decline.

    That all said, depends on your profile. Joe Blogs, unlikely to be targeted. CEO, CFO of large organisation, yeup, more protection, more training etc. On that note, we've run Security Awareness campaigns for some clients. Ran it on ourselves first, several staff failed... On the other hand, you know where to focus your resources.
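Added example, not from the post above: what the "app and registration through QR" flavour of 2FA actually computes, so the difference from SMS is concrete. The QR code carries a shared secret; the phone and the server each derive a 6-digit code from HMAC-SHA1 over the current 30-second step (RFC 4226 HOTP under RFC 6238 TOTP), and nothing is sent over the phone network. The secret below is the RFC 6238 test-vector secret so the output can be checked against the published values; the verifier's drift window and the replay rule are design choices, noted as such in the code.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP step (RFC 6238 default, what authenticator apps use)

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used so the
# codes can be checked against the published vectors rather than invented.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, int(at_time) // STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: float, last_accepted: int = -1,
                window: int = 1, digits: int = 6):
    """Server-side check. Returns the accepted counter, or None.
    `window` tolerates phone clock drift of that many steps either side
    (assumption: one step). Counters at or below `last_accepted` are refused,
    so a code that was phished or intercepted cannot be replayed within its
    30 s of validity; the caller persists the returned counter per user."""
    base = int(at_time) // STEP
    for counter in range(base - window, base + window + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def to_base32(secret: bytes) -> str:
    """The form the secret takes inside the otpauth:// URI behind the enrolment QR."""
    return base64.b32encode(secret).decode().rstrip("=")


def from_base32(b32: str) -> bytes:
    """Decode the QR secret, restoring the padding URIs usually omit."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    now = time.time()
    print("enrol secret (base32):", to_base32(RFC6238_SECRET))
    code = totp(RFC6238_SECRET, now)
    print("current code:", code)
    accepted = verify_totp(RFC6238_SECRET, code, now)
    replay = verify_totp(RFC6238_SECRET, code, now, last_accepted=accepted)
    print("first use accepted at counter", accepted, "| replay accepted:", replay is not None)
```

Two things the code makes visible that the SMS variant lacks: the secret never leaves the two endpoints after enrolment, and a server that records the last accepted counter refuses the same code a second time, so even a code read off a phished page is single-use. Push approval, mentioned in the post, sidesteps typing a code but still rests on a device-held secret in the same way.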

  14. #29
    Join Date
    7th January 2014 - 14:45
    Bike
    Not a Hayabusa anymore
    Location
    Not Gulf Harbour Either
    Posts
    1,460
    Quote Originally Posted by pete376403 View Post
    Opinions on 2FA? - Good, ok, waste of time? I have it for the bank login, they send a code to the phone via txt. Not too annoying.
    I have a love/hate relationship with 2FA.

    In some settings, 2FA is a very wise precaution:

    - Infrequently accessed platforms
    - Platforms with sensitive information
    - Platforms that have a large number of users accessing it
    - Privileged Actions

    Then yeah, 2FA makes perfect sense. Having 2FA for things that are regularly accessed makes it a chore - we had a system that I would login to multiple times a day, each time my session timed out, I'd have to login, pull out my phone, wait for the text, copy the code etc.

    It was a pain in the arse. That system has now been migrated so that it has no internet facing component, only accessible via an internal VPN and there's no more 2FA.

    On the flipside, For things like a Google account, most operations by default don't require 2FA, but elevated account actions (such as changing passwords, managing payment details) will require 2FA - and I think this is a good balance - since those operations aren't frequently used.

    In addition as Gremlin pointed out - the higher the profile, the more likely that additional layers of security should be used (such as the Celeb Nude hack a while ago)

  15. #30
    Join Date
    31st March 2005 - 02:18
    Bike
    CB919, 1090R, R1200GSA
    Location
    East Aucks
    Posts
    10,425
    Blog Entries
    140
    Quote Originally Posted by TheDemonLord View Post
    - Privileged Actions
    Haha, in contract network management, as a Microsoft Partner, the number of privileged areas, MS, firewalls, remote access, the list is only growing.
    Some have limited concurrent licences, so if you're not actively using someone else kicks you off. Then someone calls, and in the midst of the call you're also using your mobile to log into the console etc.

    The password management doesn't stay logged in for over an hour at a time, but holds all the passwords including for the highest levels of access. Sometimes I think I use my mobile for MFA more than calls (one app for business use, another for personal)...

    But, as for profile, with the amount of admin and/or unattended access we have, there is no choice for us.

    Oh, the really fun one is clients that we've deployed MFA, we need MFA to login, but then we need it on more than one mobile, in case an engineer isn't around. For stuff like Microsoft's ancient licencing portal, we had it on a company mobile that was always in the office. Worked real good when we were all working from home...
