How vulnerable are individuals to cyber attacks?

But I just run cybersecurity for a $30 Billion multinational, so maybe I don’t know.
Maybe you don't. I don't know who you are.

After I say users don't run web servers, you give an example of a web server vulnerability, kind of doesn't make your point for you.
 
There was a large hack against the gov't, and many QIP forms (like mine) are now in the hands of the Chinese. Since it was a form used to launch a clearance investigation, it literally had everything about me and family, including my fingerprints.

https://en.wikipedia.org/wiki/Cyberwarfare_by_China

This is just one in a series of many break-ins. They continue to this day.

Just to give you a terrifying example of what's really going on, the Chinese took this data and made a Facebook type site out of it. They filled in all the fields full of the information contained on each of the people who were in the data breach. Then, they started relating the people together. They put in who knows or works with whom, creating a web or network. Then they added publicly known information from Facebook, LinkedIn etc. to that information filling out further links between these people and adding others. Now, there have been previous breaches of sex sites, cheating sites, drug distro sites. Maybe the Chinese had nothing to do with those breaches and maybe they didn't connect that information into this current set of data from OPM. But I wouldn't count on it. The point of all this is to target individuals for compromise. The compromise could be to turn them to spies, agents for Chinese interests, or targeting for direct computer compromise. The latter is where the web of connection is most important. Once I know who your friends and associates are, I can successfully phish them and then you. The Chinese in this case would know your hobbies, interests, what you do for work, what you do for leisure and maybe a more private side of your life.

The Chinese treat all data like a vacuum cleaner: it all gets sucked up and stored until it can be queried and put into structures. They don't care what it is or where it comes from.
 
Maybe you don't. I don't know who you are.

After I say users don't run web servers, you give an example of a web server vulnerability, kind of doesn't make your point for you.

Most users don't run Linux as a personal OS. Less than 1.5% according to NetMarketShare. Linux machines used for personal use run e-mail programs and web browsers. Both of these allow carbon to make decisions about what's safe and what's not. Carbon-based firewalls stink. So, your threat vector is not Linux; it is the Chrome browser you decided to put on your Linux-based distro, or Thunderbird, or Mozilla. It doesn't matter, they all rack up vulnerabilities like they get paid by the dozen for them.
 
Most users don't run Linux as a personal OS. Less than 1.5% according to NetMarketShare. Linux machines used for personal use run e-mail programs and web browsers. Both of these allow carbon to make decisions about what's safe and what's not. Carbon-based firewalls stink. So, your threat vector is not Linux; it is the Chrome browser you decided to put on your Linux-based distro, or Thunderbird, or Mozilla. It doesn't matter, they all rack up vulnerabilities like they get paid by the dozen for them.
Few users is a feature not a bug, less reason to attack such a small user set. The vulnerabilities in web browsers are almost always related to weaknesses in Windows. Linux can't run .exes for Windows so those wouldn't impact it.
 
Few users is a feature not a bug, less reason to attack such a small user set. The vulnerabilities in web browsers are almost always related to weaknesses in Windows. Linux can't run .exes for Windows so those wouldn't impact it.

I don't know who told you that, but you should stop listening to them. You pointed out yourself that most web servers run Linux; you think cyber criminals are not focused on attacking that infrastructure? You now run a machine, if you are running Linux as a personal machine, that is vulnerable to all of the same things those web servers are. The attack vector is merely different and more vulnerable, with less defense-in-depth protecting it.

At least I can stack Web Application Firewalls, CDNs, load balancers, reverse-proxies, UTM firewalls, and host-based protections (EDR/AV) in front of my Linux web servers. You're clicking e-mail, probably not running AV, clicking links that contain watering hole attacks in your web browser. Maybe you are super careful and skilled and never have a problem. I know. I ran Linux for years as a personal OS. I ran for years without AV on my personal computer. When I finally did put it on and scanned, there was nothing. So, I'm well aware that it can be done. It isn't scalable, as is demonstrated to me on a daily basis. My 5,000+ users manage to get themselves in enough trouble even with stacks of defenses in front of them that it keeps 6 people hopping full-time to keep them up and running and the rest of the company malware-free.
 
Ever hear of the Apache Struts vulnerability? Let me jog your memory— Equifax. That was running in Linux.

Apache Struts is a Java framework that is cross platform. Your example illustrates a Struts problem, not a problem with the underlying OS.
 
I don't know who told you that, but you should stop listening to them. You pointed out yourself that most web servers run Linux; you think cyber criminals are not focused on attacking that infrastructure? You now run a machine, if you are running Linux as a personal machine, that is vulnerable to all of the same things those web servers are. The attack vector is merely different and more vulnerable, with less defense-in-depth protecting it.

At least I can stack Web Application Firewalls, CDNs, load balancers, reverse-proxies, UTM firewalls, and host-based protections (EDR/AV) in front of my Linux web servers. You're clicking e-mail, probably not running AV, clicking links that contain watering hole attacks in your web browser. Maybe you are super careful and skilled and never have a problem. I know. I ran Linux for years as a personal OS. I ran for years without AV on my personal computer. When I finally did put it on and scanned, there was nothing. So, I'm well aware that it can be done. It isn't scalable, as is demonstrated to me on a daily basis. My 5,000+ users manage to get themselves in enough trouble even with stacks of defenses in front of them that it keeps 6 people hopping full-time to keep them up and running and the rest of the company malware-free.
Sky is falling? So you should throw out all your computers then if everything is insecure and requires a six-person team to be safe? What bunk. If I was super security afraid I would run each app in its own virtual machine, thus isolating any damage from an attack. But that is overkill and absurd.
 
Apache Struts is a Java framework that is cross platform. Your example illustrates a Struts problem, not a problem with the underlying OS.

I think I said above in one of my several posts that being concerned about the underlying OS is an extremely legacy way of looking at the threat and indeed isn't even responsive to the threats in the current environment.

Threats that concern us now are all at Layer 7 (the application layer). That's where the vulnerabilities are and that's what the attackers are after. Protecting OSes is de rigueur, you have to do it, but that's not where the action is. Which is a way of saying, yes, you're right. But the point of all of this is to be able to defend your infrastructure and respond quickly and effectively if there is a breach. It doesn't matter whether that's a web server, a web browser, an e-mail app or a PDF reader; application vulnerabilities are providing the access for cyber criminals to take the next step: escalation of privilege, pivot, lateral movement. It doesn't matter what OS you have, the steps are the same. See the MITRE ATT&CK Framework for attacker behavior.
 
Sky is falling? So you should throw out all your computers then if everything is insecure and requires a six-person team to be safe? What bunk. If I was super security afraid I would run each app in its own virtual machine, thus isolating any damage from an attack. But that is overkill and absurd.

Not what I said at all. I provided what to do to take reasonable precautions to maintain a reasonably safe computing environment for yourself on the first post that you took exception with of mine. Fairly simple. Not sure what all the drama is about.
 
Now look up ransomware.



In the newest rendition of ransomware cyber criminals use scripts to identify stuff of value on your PC, exfiltrate that to their command and control server for further monetization. Then they encrypt your machine and charge you a fee for the key to get it back. The key usually works and they have amazing customer service.

Yes, I know what ransomware is. I would never pay ransomware.

"They charge you a fee for a key to get it back and the key *usually* works..."

Like I'm going to trust crooks and thieves to keep their word and give me a valid key? I'd wipe my hard drive and start over as anything I value is backed up elsewhere.
 
Schwab provides access via physical token. I have never investigated it but here's a link: https://www.schwab.com/help/two-factor-authentication

Thanks, I may look into this more. Do they supply the physical device or do we buy it somewhere?
I don't want to use my phone as I'm sure it will get stolen/lost/hacked one day.

One problem with many of these security techniques is what happens when that system fails.
The companies of course want to help the consumer, so it suddenly becomes easier to hack the system.
An attacker can phone Schwab and pretend to be the customer, and get around the security of having a token.

Schwab says:
"My physical token or mobile device has been lost or stolen. What should I do?

Please call Schwab at 800-435-4000. We will provide you with a temporary security code to access your account."
 
Thanks, I may look into this more, do they supply the physical device ...
My limited look at it seemed to show that they supported some third-party devices but they would also supply the device.

Schwab says:
"My physical token or mobile device has been lost or stolen. What should I do?

Please call Schwab at 800-435-4000. We will provide you with a temporary security code to access your account."
My wife had a device when she worked for the megabank and I had a device when I was treasurer of our flying club. In neither case was the device marked as being related to an institution or an account, so probably they would be of limited value to a thief.

Regarding calling Schwab, I'm sure they would apply their usual authentication process including security questions and, in many cases, voice recognition. They are also almost obsessive about sending email notifications when the customer does something like transferring money out of Schwab, changing passwords, etc. So I'm certain I'd get a notification if someone received a temporary code. Finally, they indemnify all customers, all accounts, against unauthorized access. So with all that I am a fairly happy guy.
 
If you want to do 2-factor, consider using a company like Authy rather than Google or Microsoft. I say this simply because neither of them support using a PC rather than a phone. Most 2-factor uses a standard that works with any of these. I happen to use Authy because I want to have it on my PC and not just my phone. Your Choice.
https://authy.com/features/multiple-devices/

YubiKey is another option, but you have to be sure it is supported, it costs money, and you can lose it. The ones above have backups; not sure about YubiKey, but you would need another physical key.

The ones you get from companies may not have their name on them, but this is a list of which companies use which devices. Still they are the same as the above software.
I wouldn't use a physical key provided by a company because now you have a bunch of physical keys to keep track of.

Did I mention it works on Linux... in addition to macOS, Windows, iOS, Android.
 
Thanks, I may look into this more. Do they supply the physical device or do we buy it somewhere?
I don't want to use my phone as I'm sure it will get stolen/lost/hacked one day.

One problem with many of these security techniques is what happens when that system fails.
The companies of course want to help the consumer, so it suddenly becomes easier to hack the system.
An attacker can phone Schwab and pretend to be the customer, and get around the security of having a token.

Schwab says:
"My physical token or mobile device has been lost or stolen. What should I do?

Please call Schwab at 800-435-4000. We will provide you with a temporary security code to access your account."
FYI, I've been using the Symantec VIP token with my account for about 5 years. It always works.

Of course one day the battery will fail, but maybe I will fail before then.
 
Yes, I know what ransomware is. I would never pay ransomware.

"They charge you a fee for a key to get it back and the key *usually* works..."

Like I'm going to trust crooks and thieves to keep their word and give me a valid key? I'd wipe my hard drive and start over as anything I value is backed up elsewhere.

Perfect response! That's exactly what everyone's situation should be. You have a back up and can just restore from back up if you are ever hit by ransomware. Unfortunately, too many are not in a position to restore and end up paying. So, we're stuck with these groups and they continue to improve their attacks.

What I'm really not looking forward to, and it's just around the corner, is AI-driven malware that once on a computer begins using the computer's own resources against it as it exploits first the computer and then the network the computer is on at blinding speed, without having to "phone home" to a command-and-control server to do it. I think we have about 2 years before we see the first examples of this. But I wouldn't bet money on it.
 
FYI, I've been using the Symantec VIP token with my account for about 5 years. It always works.

Of course one day the battery will fail, but maybe I will fail before then.

I have the Symantec VIP token on my phone and also have used it for about five years. Hasn't failed yet, and works with at least half a dozen different sites I use. For a couple of those sites, I have to get it reset when I get a new phone, but that only takes a couple of minutes and is easy.
 
My network manager friend in gov't texted me last night. "Seeing increase in dictionary attacks from outside U.S. Strengthen your passwords."

In the security world there's very little discussion of OS platform. It's about the current threat level.
 
I have the Symantec VIP token on my phone and also have used it for about five years. Hasn't failed yet, and works with at least half a dozen different sites I use. For a couple of those sites, I have to get it reset when I get a new phone, but that only takes a couple of minutes and is easy.
I may go that way eventually. Problem there is finding my phone. Lol.
 
If you want to do 2-factor, consider using a company like Authy rather than Google or Microsoft. I say this simply because neither of them support using a PC rather than a phone. Most 2-factor uses a standard that works with any of these. I happen to use Authy because I want to have it on my PC and not just my phone. Your Choice.
https://authy.com/features/multiple-devices/

YubiKey is another option, but you have to be sure it is supported, it costs money, and you can lose it. The ones above have backups; not sure about YubiKey, but you would need another physical key.

The ones you get from companies may not have their name on them, but this is a list of which companies use which devices. Still they are the same as the above software.
I wouldn't use a physical key provided by a company because now you have a bunch of physical keys to keep track of.

Did I mention it works on Linux... in addition to macOS, Windows, iOS, Android.

I use all of the above. Hazards of the j*b I'm afraid. I use Authy for just one use case, my Amazon account. Authy allows my wife and me to share one account (thus pay for only one Prime account). We can each have Authy on our phones and the code produced works. Not a feature of any of the others.

I use YubiKeys for most of my top-level stuff. Protecting my Password Manager - LastPass, Google account, and I would use it for banking if any of my banks supported it (it's really past time they had this support).

I use LastPass Authenticator for as much as I can, Google Authenticator, Microsoft Authenticator (because Microsoft requires it for some of its stuff), and Duo and PingID for work, and I also have a work YubiKey.

I haven't had a problem losing the YubiKeys. I did get a tiny case for them and a backup thumb drive. I keep that in my w*rk backpack on a quick release. No problems and it's fairly convenient. Yubi does offer one-time codes in case you lose it (I keep them in LastPass). Then, you'd need to replace the key or downgrade your security.

I have a slight preference for keeping my authenticators on the phone. That way the cyber-criminal that hacked my PC does not have access to my authenticator. I put that risk at "Medium." It would require your computer to be thoroughly compromised to the point they are remote controlling it. Certainly, possible and your cyber hygiene would determine how likely an event that would be. Having the authenticators on your phone negates that possibility.
 
What I'm really not looking forward to, and it's just around the corner, is AI-driven malware that once on a computer begins using the computer's own resources against it as it exploits first the computer and then the network the computer is on at blinding speed, without having to "phone home" to a command-and-control server to do it. I think we have about 2 years before we see the first examples of this. But I wouldn't bet money on it.

Sounds like an AI-powered smart worm. I do not want that.
 
Perfect response! That's exactly what everyone's situation should be. You have a back up and can just restore from back up if you are ever hit by ransomware. Unfortunately, too many are not in a position to restore and end up paying. So, we're stuck with these groups and they continue to improve their attacks.


What is your opinion of password managers, like LastPass, Dashlane, 1Password, etc.?
 
We graduated from LastPass individual plans to 1Password Family.

Our security manager put us on it.
 
Hi, I thought I would clear up some misunderstanding. Google and Microsoft both use a "standard" for 2FA. That means you don't have to use their authenticators but any that follows that standard, such as Authy. I use Authy for my Microsoft and Google accounts. When the QR code is displayed, use your phone or a camera (on a PC) to read it.

Also, someone said they are worried about their phone being lost; with, I think, most of the authentication apps you can disable any device. Authy makes it easy to replace a phone; it is a little harder with Microsoft and Google.

Tokens can be great but realize they too can be hacked. We had to replace every token at work due to this. Software is easier to replace.

Since password managers were mentioned, I thought I would share that I use KeePass (open source). It is available for free, and it or a version of it is available on every platform. My security has approved it and it supports YubiKey.
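The "standard" referred to above is TOTP (RFC 6238: an HMAC over a time counter, keyed with a shared base32 secret), which is why Authy, Google Authenticator and Microsoft Authenticator all produce the same codes for the same enrollment. As an added illustration that is not part of this post, here is a small Python implementation that parses the otpauth:// URI an enrollment QR code encodes, generates the code any standards-following app would show, and verifies a submitted code with a one-step clock-skew window; the account label and URI are constructed, and the secret is the RFC 6238 test key so the output can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what an enrollment QR code encodes (hypothetical account);
# the secret is the RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
               "&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(uri):
    """Pull the label, base32 secret and TOTP parameters out of an otpauth:// URI."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def decode_secret(b32):
    """QR-code secrets are often unpadded base32; restore the padding before decoding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, at_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, int(at_time) // period, digits, algorithm)

def totp_from_uri(uri, at_time):
    """Generate the code any standards-following authenticator app would show for this enrollment."""
    prm = parse_otpauth(uri)
    return totp(decode_secret(prm["secret"]), at_time, prm["digits"], prm["period"], prm["algorithm"])

def verify(uri, submitted, at_time, skew_steps=1):
    """Server-side check that tolerates +/- skew_steps periods of clock drift (constant-time compare)."""
    period = parse_otpauth(uri)["period"]
    return any(hmac.compare_digest(totp_from_uri(uri, at_time + s * period), submitted)
               for s in range(-skew_steps, skew_steps + 1))

if __name__ == "__main__":
    print(totp_from_uri(EXAMPLE_URI, time.time()))
```

Scanning the same QR code into two phones, as the Amazon sharing arrangement described later in the thread does, simply gives both devices this same secret, so they compute identical codes.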
 
I've been using 1Password ever since it first came out and it has never disappointed me. Just keeps getting better and better as they continually add more functionality. A pleasure to use and I have confidence in it.
 
