Staying Safe Online: Passwords and Security (Part 2/2)
How Secure Are We?
There are three types of security worth thinking about. The two most commonly discussed are online security and offline security. The one that is usually overlooked is personal security. So what are they?
Online security is not simple, and much of it is out of your hands because it is implemented on the server. Some of it touches you only indirectly, such as TLS/SSL certificates and HTTPS redirection; some of it you interact with directly, such as passwords and two-factor authentication (2FA). Password security is a shared responsibility: you pick the password, the server decides how it is stored. Some websites still store passwords in plaintext, which is the worst option; it is frowned upon but not extinct. Some "encrypt" passwords, which is only as good as the protection of the key sitting next to the data. Many store an unsalted MD5 hash, which a modern GPU can test at billions of guesses per second, so anything short, common or word-based falls in seconds. Others use bcrypt (a slow hash built on the Blowfish cipher), scrypt or Argon2, which are deliberately expensive per guess; a good password hashed that way is effectively uncrackable in any useful timeframe. The strength of your password and the server's storage scheme therefore work together: a weak password is weak under any scheme, and a strong password is only as safe as the hash protecting it.
If you use a long, random password but the web server stores it in plaintext, whoever dumps the database has it outright; if the server stores it as unsalted MD5 (or similar), any password that is short or built from words is recovered almost as easily as "ABC123" would be.
However, if you use a long, random password and the web server stores it with a slow, salted hash such as bcrypt, scrypt, Argon2 or PBKDF2, an attacker working from the dump has to spend months to years of compute per account, which makes the dump close to useless to them. (SHA-256 on its own is a fast general-purpose hash, not a password hash; for this purpose it belongs in the same category as MD5, not bcrypt.)
Speaking of web servers: if the owner does not keep the server patched or use a reputable security service, it will eventually be compromised. Over 37,000 websites are hacked every single day. The most common attack is SQL injection (SQLi), and its basic form is so easy a child can do it. Literally.
There are also other vulnerabilities, such as 0days, and common attack techniques such as uploading web shells, rooting (privilege escalation), local and remote file inclusion (LFI/RFI), etc. A 0day is a vulnerability the developers are unaware of, giving them zero days to work on a fix (hence the name). The Equifax breach is often cited as a 0day attack via Apache Struts, but the Struts vulnerability had been disclosed and patched in March 2017, about two months before the attackers used it, so it was not a 0day by then; Equifax could have prevented the breach by upgrading. Web servers can also be brute forced: an attacker who knows a server's IP, and knows that Linux servers have an administrative account named "root", only needs the root password, and a brute force script against SSH will try passwords until one works. Once in, they control the entire server and every account on it. This is why root login over SSH should be disabled, password authentication replaced with keys, and repeated failed logins rate-limited or blocked.
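To make the SQLi passage above concrete, here is an added example (my own illustration, not DeHashed's code or any real site's) of the login query that makes the attack trivial, next to the parameterised version that defeats it. The users table, usernames, passwords and injection payloads are constructed; SHA-256 is used for the stored hash only to keep the example short.

```python
import hashlib
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a real site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    for user, pw, role in (("admin", "S3cret-admin-pw", "admin"), ("alice", "alicepass", "user")):
        # Fast hash used only to keep the example short; a real site should use bcrypt/scrypt/Argon2.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest(), role))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the query with string formatting, so a quote in the username becomes SQL.
    Returns the username the caller is now logged in as, or None."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{pw_hash}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same check with bound parameters: the driver sends the username as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password_hash = ?",
                       (username, pw_hash)).fetchone()
    return row[0] if row else None


# Constructed payloads: the first comments out the password check for a chosen user,
# the second makes the WHERE clause true for every row.
PAYLOADS = ["admin' --", "' OR 1=1 --"]

if __name__ == "__main__":
    db = make_db()
    for payload in PAYLOADS:
        print(f"{payload!r:16} vulnerable -> {login_vulnerable(db, payload, 'anything')!r:10} "
              f"safe -> {login_safe(db, payload, 'anything')!r}")
```

The `--` turns the rest of the statement into a comment, so the password comparison never runs; with bound parameters the same string is just a username that does not exist.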
The second type, offline security, concerns the computer you use. Antivirus software protects against RATs, keyloggers and other malware, but it does not protect against phishing. Phishing is common and very easy to set up: the attacker clones the real site, manipulates you into visiting the copy (usually by email or message) believing it is the real thing, records the credentials you type in, and often forwards you to the real site afterwards so nothing seems wrong. It is largely prevented by checking the URL in the address bar before you type anything:
If you are visiting coinbase.com, make sure the host really is coinbase.com and not "c0inbaze.cc", a lookalike that merely contains the real name in a subdomain, or some other shady clone.
The other offline attack is man-in-the-middle (MITM). Someone on the same network (an open WiFi, an internet cafe) either sniffs your packets or redirects you to a phishing site. If the site uses HTTPS properly, the attacker cannot read or tamper with the traffic, because it is encrypted and authenticated end to end. What they can still do is redirect you to a lookalike site, so check that the connection is HTTPS and that the domain in the address bar is the one you intended. The padlock only proves you are talking to the domain shown; phishing domains can get certificates too, so a padlock next to the wrong domain is still phishing. HTTPS gives you real protection against the eavesdropping half of the attack, but it is still best not to log into anything important on a public or open network.
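The address-bar check described for phishing and MITM redirection above, written out as an added example (not from the original post). It looks at the URL the way the browser does, i.e. the host after any user@ prefix, and flags the tricks a clone typically relies on: a different domain, the real name buried in a subdomain of another host, a punycode (xn--) homograph, and a connection that is not HTTPS. The clone hostnames are constructed.

```python
from typing import List, Tuple
from urllib.parse import urlsplit


def check_url(url: str, expected_domain: str) -> str:
    """Return "ok" if url is an HTTPS page on expected_domain (or one of its subdomains),
    otherwise a short reason describing why it looks like a clone."""
    parts = urlsplit(url.strip())
    # .hostname is already lower-cased and has any "user@" prefix and ":port" removed,
    # so "https://coinbase.com@evil.example/" resolves to evil.example, as in a browser.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    if not host:
        return "no host in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"host {host} uses an encoded (punycode) label: possible homograph of {expected}"
    if host != expected and not host.endswith("." + expected):
        hint = " (the real name is only part of a different host)" if expected in host else ""
        return f"host {host} is not {expected}{hint}"
    if parts.scheme != "https":
        return f"connection to {host} is not HTTPS"
    return "ok"


def find_clones(urls: List[str], expected_domain: str) -> List[Tuple[str, str]]:
    """Run the check over a batch of links (e.g. from an email) and keep the suspicious ones."""
    results = [(u, check_url(u, expected_domain)) for u in urls]
    return [(u, reason) for u, reason in results if reason != "ok"]


# Constructed links: one genuine, the rest are the clone patterns discussed above.
SAMPLE_LINKS = [
    "https://www.coinbase.com/signin",
    "http://www.coinbase.com/signin",
    "https://c0inbaze.cc/login",
    "https://coinbase.com.login-help.example/",
    "https://coinbase.com@login-help.example/",
    "https://xn--cinbase-9xa.com/",
]

if __name__ == "__main__":
    for link, reason in find_clones(SAMPLE_LINKS, "coinbase.com"):
        print(f"{link:45} {reason}")
```

A password manager performs the same host comparison automatically and refuses to fill credentials on a host it does not recognise, which is one reason it is a better phishing defence than eyeballing the bar.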
The third and most important type is personal security: here attackers target you as an individual. If someone knows you hold a certain amount of cryptocurrency, they have a reason to go after you specifically. Identity theft and fraud are easier than you believe. The biggest exploitable weakness is us, as people: we like to brag and socialize, and that is the biggest tool that can be used against you. An attacker targeting you personally can find your previously used passwords in the dumps of websites you registered on that have since been breached. If you reuse passwords and do not change them, chances are you are an easy target.
Say you registered on LinkedIn and used the same password there as for your email. As we all know, LinkedIn was breached (the 2012 dump was unsalted SHA-1 hashes). The attacker finds your username in the public dump, cracks your password in seconds if it is at all common, and signs into your email. Now they control all your internet accounts: your Facebook, private notes, stored documents, photos, everything. Chances are that email is also the recovery address or 2FA fallback for your crypto wallet. Just like that, the attacker has all your cryptocurrency. This could have been avoided by not making yourself a target in the first place by talking about how much crypto you hold, or simply by using unique passwords from a password manager such as LastPass (itself protected with 2FA) and changing any password that shows up in a breach.
However, this is not the end of it. A common attack is brute forcing. It is the slowest and least likely approach, but it still works and is easy to set up: the attacker only needs a list of email addresses, obtained by hacking BTC-related sites for their mailing lists or by reusing previously breached sites such as BTC-E, then takes a wordlist of common passwords and tries them against all the accounts at once.
The other method is cracking, which has a much higher success rate. Since most people use the same password everywhere, or a variation of it, hacking you is much easier. An attacker can hack sites with SQLi or simply use previously dumped ones, ideally Bitcoin or cryptocurrency related. Take BitcoinTalk, breached in May 2015, exposing about 500k accounts. The attacker runs hashcat or a similar tool over the dump to crack the passwords, which takes a few days to a few weeks depending on the hash. The result is a "combolist" of email/password pairs. The attacker then replays the combolist against Coinbase, for example (credential stuffing), which is a matter of hours. After four or so hours, the attacker has thousands of valid Coinbase logins and works through them one by one, transferring the funds out.
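The following added example (not part of the original post) ties the password-storage discussion above and the hashcat/combolist scenario together: a dictionary attack run over a constructed dump, once where the site stored unsalted MD5 and once where it stored salted PBKDF2-HMAC-SHA256 (the Python standard library's slow KDF, standing in for bcrypt, scrypt or Argon2). The users, wordlist and iteration count are constructed and deliberately small so it runs in under a second.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a "common passwords" wordlist.
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty",
                       "bitcoin2015", "hunter2", "dragon"]

# Kept low so the demo is quick; real deployments use far more iterations.
PBKDF2_ITERATIONS = 20_000


def store_md5(password: str) -> dict:
    """Weak storage: one unsalted, fast hash per password."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> dict:
    """Better storage: a random per-user salt and a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "hash": dk.hex(), "salt": salt.hex()}


def crack_dump(dump: Dict[str, dict], wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Offline dictionary attack over a leaked table of password records.

    Returns (user -> recovered password or None, number of hash computations).
    Unsalted MD5 is hashed once per word and the table reused for every user;
    salted PBKDF2 forces one slow computation per user per guess.
    """
    found: Dict[str, Optional[str]] = {}
    hash_ops = 0
    md5_table: Dict[str, str] = {}  # hash -> word, built once on first use

    for user, rec in dump.items():
        if rec["scheme"] == "md5":
            if not md5_table:
                for w in wordlist:
                    md5_table[store_md5(w)["hash"]] = w
                    hash_ops += 1
            found[user] = md5_table.get(rec["hash"])
        elif rec["scheme"] == "pbkdf2":
            salt = bytes.fromhex(rec["salt"])
            found[user] = None
            for w in wordlist:
                hash_ops += 1
                if store_pbkdf2(w, salt)["hash"] == rec["hash"]:
                    found[user] = w
                    break
        else:
            raise ValueError(f"unknown scheme {rec['scheme']!r}")
    return found, hash_ops


def build_combolist(found: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """The email/password pairs an attacker would replay against other sites."""
    return [(u, p) for u, p in found.items() if p is not None]


# Constructed users: two with wordlist passwords, one with a random 16-character one.
RANDOM_PW = "tQ9#vL2m!xR7pW4z"  # stands in for a password-manager-generated value
USERS = {"alice@example.test": "letmein",
         "bob@example.test": "bitcoin2015",
         "carol@example.test": RANDOM_PW}

MD5_DUMP = {u: store_md5(p) for u, p in USERS.items()}
PBKDF2_DUMP = {u: store_pbkdf2(p) for u, p in USERS.items()}

if __name__ == "__main__":
    for name, dump in (("md5", MD5_DUMP), ("pbkdf2", PBKDF2_DUMP)):
        found, ops = crack_dump(dump, WORDLIST)
        print(f"{name}: {ops} hash computations, combolist = {build_combolist(found)}")
```

The same two accounts fall in both runs, because a wordlist password is weak regardless of storage, and the random one survives in both; what the salted, slow hash changes is the cost: the MD5 dump is cracked with a single pass over the wordlist shared by every user, while PBKDF2 makes every guess for every user a separate expensive computation, which is what turns "seconds" into "months to years" on a real-sized dump.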
This is preventable with 2FA, but even that can be beaten. In a targeted attack, the attacker gathers as much information on you as they can: your name, age, address, phone number and even social security number, much of it available through services offered on the DarkNet. With that, your security questions are easy: "What was your mother's maiden name" can be answered with a Whitepages search, "What is your favorite color" with a quick Instagram stalking session, "What is your favorite sports team" with a Facebook stalking session, and so on.
The less information you post about yourself, the more secure you are. Even if you never post it publicly, it can still be found on websites where you signed up and disclosed it privately. If such a site is breached and you reused the same security questions elsewhere, chances are the answers are already circulating on some shady underground forum.
Okay, so you use a password manager with 2FA, you have changed every password to 16 randomly generated characters, you run the best antivirus software, your disk is encrypted, you deleted all your social media accounts, you use a force-HTTPS browser extension so you are always on HTTPS, and you only use private WiFi. You are safe, right?
Not exactly. If the attacker already has enough information on you, they can do things like SIM swapping. The attack is prepared by the information gathering described above, including your SSN from shady websites, followed by a call to your carrier. The attacker pretends to be you and, armed with your name, date of birth, address, SSN and mobile number, asks for a replacement SIM card because yours is "faulty". The carrier activates a new SIM on your number, in the attacker's hands. Every SMS 2FA code and every account that can be reset by text message now goes to them.
The best way to stay safe is to avoid becoming a target in the first place, and if you do plan on putting yourself out there, make sure you are prepared. Use DeHashed to see which of your accounts are in breaches, where and when. DeHashed will automatically notify you of new breaches that may affect you; after all, we get our hands on the source data well before breaches are announced. Most websites do not bother notifying their users of a breach, or only do so months to years later. Take Yahoo: the breach it suffered in late 2014 was not disclosed until September 2016, and a separate 2013 breach, disclosed in December 2016 as affecting 1 billion accounts, was revised in October 2017 to all 3 billion accounts, four years after it happened.
Make sure attackers cannot find information on you. If you really cannot live without social media, make your accounts private. Remove posts on the internet that contain personal information. Ask for your information to be removed from people-search services like Whitepages, Spokeo, etc. Change all your passwords and use 2FA. If possible use an offline (hardware or cold) wallet; if not, use a new, dedicated email address for the exchange with 2FA enabled, and make sure 2FA is enabled on every website. Use a password manager, protected with 2FA: it generates long, unique passwords, stores them and fills them in only on the matching site, which also defeats most phishing clones. Run frequent virus scans, always verify you are on the right website, and do not use public connections. Call your carrier and set up a support PIN, which makes SIM swapping much harder (the attacker would have to guess or socially engineer the PIN as well).
Register on DeHashed.com: accounts are free, breach monitoring is free, it's free! You only pay to use our premium service. Our team monitors all corners of the internet for breaches and dumps, and as soon as we get our hands on one, everyone affected is notified immediately; we beat the site owners themselves in notifying users. With DeHashed you can see which of your passwords are public and need to be changed, what personal information is public, and take control of your personal security. Why wait until you lose all your crypto coins? Why not secure yourself now. If you wish to use premium, we accept all crypto coins (well, most).