[all variants] Are We Being Paranoid?
Merisi
November 27th, 2012, 09:53 PM
I take my computer security fairly seriously as do a lot of people on this forum but I wonder at times whether I'm being over cautious or just making things more difficult for myself.
I have a relative and she uses Vista with no AV and she does everything online: banking, ebay, she even runs an online business. Despite not taking any precautions she's never been hacked or had any problems.
I also remember talking to someone at work and she was telling me how she downloads films and tv from illegal sites. I asked her if she was worried about trojans and she rather condescendingly explained how she has a Mac and how they don't get viruses.
While of course I appreciate the care I take with my computer ensures I'm less likely to get a virus, I can't help wondering based on these two examples and other people I know that I'd be ok without taking security measures.
So what does everyone else think? Does anyone else find that they know people with poor security habits that have no problems?
TheFu
November 27th, 2012, 10:08 PM
You've discovered 2 sheep. Their computers will be hacked eventually.
I've had a 17 yr old relative crying because her PC was virus infected and the only solution was to wipe the HDD and reload. It had Vista and I refused to touch it, but I sat next to her and talked her through the reload. Before she was 100% finished, 100% patched, 100% AV installed and working, she decided to visit facebook.
At the end, we reran an AV scan and found a new virus that could not be cleaned. I had her restart from the beginning. It taught her a lesson that she would never have learned any other way.
My next visit, her younger brother had a virus that prevented his laptop from booting at all. It was bad. I made the same offer, but he decided it was easier to fail his classes - then his parents would buy a new PC for him.
For 80% of the computing world, if the PC boots, it is like a car that needs an oil change. It still works, so what's the issue? Your friends fall into that group. They don't know how dangerous the internet is, so they don't worry about the risks.
My 80 yr old Mother used WinXP happily for many years. I had her set up with ad blockers, huge /etc/hosts files to block bad parts of the internet, and she was trained to never click on links from unknown people. One day, she got an email from a grandchild with a link. The email subject was relevant to current things happening in her life, so Mom clicked the link. Before she could do anything, 50 other popup windows were displayed and lots of viri were installed, downloading, it was bad. This was 2010.
We are all 1 click from this.
Mom switched to Linux in 2010. No more viri have been seen, but that is part of why we all run Linux, right? Linux is less likely to get normal viruses, but it can be hacked. I've been hacked twice over the years, so the danger **is** real for Linux users.
LuciferRex
November 27th, 2012, 10:08 PM
I know plenty of people with poor security habits who don't have problems. However, for me, I would rather be overly protective and not even risk it.
Merisi
November 27th, 2012, 10:34 PM
You've discovered 2 sheep. Their computers will be hacked eventually.
I've had a 17 yr old relative crying because her PC was virus infected and the only solution was to wipe the HDD and reload. It had Vista and I refused to touch it, but I sat next to her and talked her through the reload. Before she was 100% finished, 100% patched, 100% AV installed and working, she decided to visit facebook.
At the end, we reran an AV scan and found a new virus that could not be cleaned. I had her restart from the beginning. It taught her a lesson that she would never have learned any other way.
My next visit, her younger brother had a virus that prevented his laptop from booting at all. It was bad. I made the same offer, but he decided it was easier to fail his classes - then his parents would buy a new PC for him.
For 80% of the computing world, if the PC boots, it is like a car that needs an oil change. It still works, so what's the issue? Your friends fall into that group. They don't know how dangerous the internet is, so they don't worry about the risks.
My 80 yr old Mother used WinXP happily for many years. I had her set up with ad blockers, huge /etc/hosts files to block bad parts of the internet, and she was trained to never click on links from unknown people. One day, she got an email from a grandchild with a link. The email subject was relevant to current things happening in her life, so Mom clicked the link. Before she could do anything, 50 other popup windows were displayed and lots of viri were installed, downloading, it was bad. This was 2010.
We are all 1 click from this.
Mom switched to Linux in 2010. No more viri have been seen, but that is part of why we all run Linux, right? Linux is less likely to get normal viruses, but it can be hacked. I've been hacked twice over the years, so the danger **is** real for Linux users.
The last computer I had which was ten years ago pretty much got wiped out by viruses and other nasties which is why I take my security so seriously now. People who see my security set up think I'm excessive but it's pretty standard for most people on the forum.
It's pretty shocking that your young relative thought the solution was just to have a new computer bought for him. Thanks for sharing examples with me about how people's carelessness has led to them getting viruses as it indicates that I'm right to take security precautions. Still I find it quite worrying that you've been hacked twice, but I guess you have been running Linux for quite a while.
Merisi
November 27th, 2012, 10:36 PM
I know plenty of people with poor security habits who don't have problems. However, for me, I would rather be overly protective and not even risk it.
I totally agree. I just experience people mocking me for the FF addons I use such as NoScript and Request Policy where I have to configure my pages.
superdaveozzborn
November 27th, 2012, 11:16 PM
My answer is "No not at all". Many, many times I have seen a customer that had little to no knowledge of computer security that lost thousands of dollars due to identity theft. And as far as Windows goes, if you don't run anti virus software on it, it is definitely infected; just because it is running OK doesn't mean that there are not serious issues and possible consequences involved.
mr-woof
November 27th, 2012, 11:54 PM
I don't think you can be too paranoid the way the internet is, I think multiple layers of security is the way to go. Firewall on, no script, adblockers, fully updated and of course use Linux :)
I use the same with my Windows machines, anti virus, malwarebytes, spybot, update everything, firewalls, use a non admin account, it's an ongoing battle.
Hungry Man
November 28th, 2012, 04:59 AM
There are millions of people who will likely never have a virus in their lifetime. It's just the chances, they'll miss the exploit pages and never get tricked.
The issue is there's no way to say who will get lucky and who won't. So while some people may not bother to keep their systems secure, and they may be completely fine, others won't be fine. I don't want my security to be based on chance, on the odds, I want it to be based on an attacker's skills.
Merisi
November 28th, 2012, 02:19 PM
My answer is "No not at all". Many, many times I have seen a customer that had little to no knowledge of computer security that lost thousands of dollars due to identity theft. And as far as Windows goes, if you don't run anti virus software on it, it is definitely infected; just because it is running OK doesn't mean that there are not serious issues and possible consequences involved.
I think that's the big and something that never occurred to me, just because a computer is running ok doesn't mean it's not infected. I guess I assumed that a sure sign of getting a virus would mean that your finances would be infected in some way.
I don't think you can be too paranoid the way the internet is, I think multiple layers of security is the way to go. Firewall on, no script, adblockers, fully updated and of course use Linux :)
I use the same with my Windows machines, anti virus, malwarebytes, spybot, update everything, firewalls, use a non admin account, it's an ongoing battle.
I'm exactly the same as you using all the relevant security Firefox addons and enforcing the apparmor profiles. I find myself very reassured in Windows from using Sandboxie.
There are millions of people who will likely never have a virus in their lifetime. It's just the chances, they'll miss the exploit pages and never get tricked.
The issue is there's no way to say who will get lucky and who won't. So while some people may not bother to keep their systems secure, and they may be completely fine, others won't be fine. I don't want my security to be based on chance, on the odds, I want it to be based on an attacker's skills.
HungryMan I really like how you describe it and you're absolutely right. Two people could visit the same web page yet only one could end up getting their system infected. You're also right about not leaving things to chance as it's just not worth it.
tubbygweilo
November 28th, 2012, 02:23 PM
Merisi, paranoid or not?
If you take regular backups of user created data and validate backups by restoring and looking at results.
If you harden your browser via addons.
If you keep sensitive data in truecrypt containers or their ilk and only mount when required.
If you use fde and take physical care of your kit.
If you trust your backups then re-install OS and backups when required.
Some may consider you paranoid but your kit may well continue to function when others' does not.
Soul-Sing
November 28th, 2012, 03:04 PM
I know guys in the security branch who make a complete reinstall of their system every half year.
- no system related back-ups
- be careful with firefox add-ons
- truecrypt comes with a poor license. Take a look at the Fedora contra truecrypt discourse on their forum.
TheFu
November 28th, 2012, 04:39 PM
The last computer I had which was ten years ago pretty much got wiped out by viruses and other nasties which is why I take my security so seriously now. People who see my security set up think I'm excessive but it's pretty standard for most people on the forum.
It's pretty shocking that your young relative thought the solution was just to have a new computer bought for him. Thanks for sharing examples with me about how people's carelessness has led to them getting viruses as it indicates that I'm right to take security precautions. Still I find it quite worrying that you've been hacked twice, but I guess you have been running Linux for quite a while.
It has been over a decade since I was hacked. I've described both situations on here before.
Once was in 1993, before anyone really had firewalls, and the other time was in 2000 when I was running a 3 month out of date BIND version.
The 1st time I was on a government network using an early, very easy to use linux with X/Windows install. They came into my machine, changed the root login and deleted my user account. It was probably an internet script searching for default root logins. I was much younger and much less informed back then. No data was lost and the remote machines I was connected into were not impacted in any way either.
The 2nd time, ZERO damage was done - I'm 100% positive because backups proved all other files to be unchanged. I was running a name server for my home network, but had allowed it to be seen from the internet. At the time, Bind and Sendmail were the most likely remote attack vectors into any UNIX system. I was just a few months behind on the Bind patches, but that was enough. The script that got in never broke out of the bind userid and only wrote files under /tmp. Then it tried to escalate privileges using a perl timing bug that the system had been patched to prevent. Every attempt caused an email to be sent to me - over 140,000 in a few hours. I disconnected from the internet and started my research using a 7 day old backup. It was pretty enlightening.
Versioned backups is the single best and most important solution for computer security. Nothing, NOTHING can solve all the problems that daily, weekly, monthly backups can solve. AV is nice, but never 100%. Most seem to be 50% in real world use, though the AV companies will claim 80-95% coverage. I think that is the marketing people.
A simple mirror backup is better than nothing, but doesn't handle all the times when file corruption occurs or all the times that many weeks pass before anyone notices a virus infestation.
Versioned backups are the best answer.
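The versioned-backup idea from the post above, as an added example that is not part of the original thread: every snapshot is a complete tree, unchanged files are hard-linked to the previous version, and the live system can be compared by SHA-256 against any version. The function names, ISO-date labels and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Create backup_root/label as a complete version of source.

    Files identical to the newest earlier snapshot are hard-linked to it, so
    unchanged data is stored once. Labels are assumed to sort chronologically
    (ISO dates). An existing label is never overwritten.
    """
    backup_root.mkdir(parents=True, exist_ok=True)
    earlier = sorted(d for d in backup_root.iterdir() if d.is_dir())
    previous = earlier[-1] if earlier else None
    prev_hashes = manifest(previous) if previous else {}
    dest = backup_root / label
    dest.mkdir()  # raises FileExistsError rather than clobbering a version
    for rel, digest in manifest(source).items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if prev_hashes.get(rel) == digest:
            os.link(previous / rel, target)      # same content: share storage
        else:
            shutil.copy2(source / rel, target)   # new or changed: store a copy
    return dest


def compare(snapshot: Path, live: Path) -> dict:
    """Report what differs between a snapshot and the live tree."""
    old, new = manifest(snapshot), manifest(live)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: two snapshots a week apart, then a file appears in tmp/."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backups = Path(tmp, "live"), Path(tmp, "backups")
        (live / "etc").mkdir(parents=True)
        (live / "tmp").mkdir()
        (live / "etc" / "named.conf").write_text("options { recursion no; };\n")
        (live / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        day1 = take_snapshot(live, backups, "2000-01-01")

        # A change made before the second backup; a plain mirror would have
        # overwritten the only older copy at this point.
        (live / "etc" / "named.conf").write_text("options { recursion yes; };\n")
        day8 = take_snapshot(live, backups, "2000-01-08")

        # Constructed stand-in for a file written under /tmp after the backup.
        (live / "tmp" / "dropped.bin").write_bytes(b"\x00" * 16)

        return {
            "vs_latest": compare(day8, live),
            "vs_oldest": compare(day1, live),
            "unchanged_file_hardlinked": os.path.samefile(
                day1 / "etc" / "hosts", day8 / "etc" / "hosts"
            ),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Hard-linked versions share one inode, so the snapshot store should be read-only to the machine being backed up or kept on separate media.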
haqking
November 28th, 2012, 04:43 PM
ahhh the old "never had a problem" most people who haven't had one, don't know if they have or haven't and wouldn't know what to look for anyways, not all security breaches result in damage to one's machine or software.
It is a process not a product, take the necessary steps whatever you run, keep an eye on logs etc etc and don't be paranoid but be prepared !
Peace
mike acker
November 28th, 2012, 04:57 PM
the following is an interesting read:
http://news.techworld.com/security/3413574/91-of-cyberattacks-begin-with-spear-phishing-email/
a couple quotes:
The most commonly used file types for spear phishing attacks accounted for 70% of them. The main file types were .RTF (38%), .XLS (15%) and .ZIP (13%).
Executable (.EXE) files were not as popular among cybercriminals because emails with .EXE file attachments are usually detected and blocked by security systems, said Trend.
I'm fond of noting that it is critical today to treat all modern documents (web pages, word processing, spread sheets, flash etc) as executables.
This is why I run Firefox in that "AppArmor" profile (I am using the one supplied by Canonical).
I'm pretty satisfied right now that a script will have a hard time updating Linux or any installed app
"Security is a function of the resources your adversary is willing to commit," said Julian Sanchez, an attorney with the Cato Institute in Washington, D.C.
I think our biggest risk right now is that a script might corrupt a browser, most likely by adding some kind of plug-in. I'm told this is not allowed on the Linux version of Firefox ... what worries me is simple: If I can install a plug-in why can a script not do it? Obviously it has the needed file permissions ...
rg4w
November 28th, 2012, 05:18 PM
I have a relative and she uses Vista with no AV and she does everything online: banking, ebay, she even runs an online business. Despite not taking any precautions she's never been hacked or had any problems.
I can think of few things as dangerous, except perhaps this:
I also remember talking to someone at work and she was telling me how she downloads films and tv from illegal sites. I asked her if she was worried about trojans and she rather condescendingly explained how she has a Mac and how they don't get viruses.
With such cavalier disregard for security it's likely neither of these users can say with any confidence that they don't have a keylogger on their system right now.
Security is like backups: no one thinks it's important until they suffer a loss, and only after an otherwise-preventable loss do they start taking it seriously.
DukeOfMixture
November 28th, 2012, 06:18 PM
Does anyone else find that they know people with poor security habits that have no problems?
I cleansed my dad's computer twice and he hasn't had problems since. It may be because of the automatically updating freeware I installed.
But I think he's stopped visiting nasty sites. He visited some nasty, nasty sites.
Nasty.
Nasty sites.
TheFu
November 28th, 2012, 07:57 PM
I just saw this related article at Wired: http://www.wired.com/business/2012/08/hackers-walk-all-over-you/
CharlesA
November 28th, 2012, 08:27 PM
Good read. The sad part is it is true - convenience vs security wins in the end.
Welly Wu
November 29th, 2012, 02:29 AM
I find myself going overboard with security regardless of the operating system that I am using at the time. I reinstalled Ubuntu 12.10 64 bit from scratch and I have not done one single thing to harden it or secure it yet. I have been busily downloading and installing my paid software applications from trusted sources and I have been doing anti-malware scans using BitDefender for Unices Free with updated definitions. So far, I am clean in terms of the installed software applications. I think that I will begin the process of hardening later this week and I hope to be able to do one thing at a time per day.
One specific thing that I want to know is if ninja has been fixed for Ubuntu 12.10 64 bit. I followed Bodhi Zazen's guide to install and setup ninja only to find out that my administrator account gets locked out every time using Ubuntu 12.10 64 bit. I don't want to get locked out of my administrator account again by re-installing this ninja and setting it up over again. I copied my specific guid properly in the ninja configuration file and I keep getting locked out of my administrator account every time I reboot my System76 PC.
Can someone enlighten me on this specific topic?
-edit by sandyd-
(please respond in http://ubuntuforums.org/showthread.php?t=2089284)
offgridguy
November 29th, 2012, 02:51 AM
ahhh the old "never had a problem" most people who haven't had one, don't know if they have or haven't and wouldn't know what to look for anyways, not all security breaches result in damage to one's machine or software.
It is a process not a product, take the necessary steps whatever you run, keep an eye on logs etc etc and don't be paranoid but be prepared !
Peace
Totally agree here, myself I am not computer smart enough to know if I have been hacked or not. Paranoid or not I never bank online.
jerome1232
November 29th, 2012, 02:55 AM
Security is never completed until:
http://berkeley.intel-research.net/arahimi/helmet/ali2.jpg
haqking
November 29th, 2012, 02:57 AM
Security is never completed until:
http://berkeley.intel-research.net/arahimi/helmet/ali2.jpg
I will add to that
https://lh3.ggpht.com/_lxacT3VoPoQ/SVHo18IHW0I/AAAAAAAAAEI/PwdShcIvo3g/s400/tinfoil-computer.jpg
mike acker
November 29th, 2012, 12:18 PM
Totally agree here, myself I am not computer smart enough to know if I have been hacked or not. Paranoid or not I never bank online.
but the bank does
tubbygweilo
November 29th, 2012, 01:17 PM
I know guys in the security branch who make a complete reinstall of their system every half year.
- no system related back-ups
- be careful with firefox add-ons
- truecrypt comes with a poor license. Take a look at the Fedora contra truecrypt discourse on their forum.
Soul-Sing, I have been aware of the Truecrypt problem for quite some time, the launchpad entry #109701 (https://bugs.launchpad.net/ubuntu/+bug/109701) attempts to bring things together but I find it all sooooo easy to use. It may not be the best tool but until something else comes along I think I'll stick with it.
maodogo
November 29th, 2012, 06:12 PM
I would say
Security is never completed until:
#apt-install purge amazon-lens
haqking
November 29th, 2012, 06:18 PM
I would say
#apt-install purge amazon-lens
Security and privacy are not the same thing.
and Security is never completed, it is a continual process.
And that command doesn't exist.
jerome1232
November 29th, 2012, 06:19 PM
I would say
#apt-install purge amazon-lens
That will get you a nice message about how your system can't find any command called 'apt-install'
Hungry Man
November 29th, 2012, 06:30 PM
'apt-get purge amazon-lens*' perhaps?
Still, the Amazon thing is not a security issue and it's barely got the potential for a privacy issue.
Ms. Daisy
November 30th, 2012, 03:14 AM
I have a relative and she uses Vista with no AV and she does everything online: banking, ebay, she even runs an online business. Despite not taking any precautions she's never been hacked or had any problems.
I also remember talking to someone at work and she was telling me how she downloads films and tv from illegal sites. I asked her if she was worried about trojans and she rather condescendingly explained how she has a Mac and how they don't get viruses.
I'm betting those people also have the same password for every site, "inexplicable" spam on their facebook and gmail accounts, and perhaps their computers are loyal slaves in a botnet.
I'm not sure what people think a hacked computer looks like. Do they think a photo of a skull pops up and laughs at them? Why would the hacker make a grand show to ensure the victim knows he was hacked? What would be the point of hacking if you got caught right away?
http://www.norulak.com/calicojack.jpg
Oh God! I can see the skull & crossbones! I must be hacked!!!
jerome1232
November 30th, 2012, 03:24 AM
I'm betting those people also have the same password for every site, "inexplicable" spam on their facebook and gmail accounts, and perhaps their computers are loyal slaves in a botnet.
I'm not sure what people think a hacked computer looks like. Do they think a photo of a skull pops up and laughs at them? Why would the hacker make a grand show to ensure the victim knows he was hacked? What would be the point of hacking if you got caught right away?
http://www.norulak.com/calicojack.jpg
Oh God! I can see the skull & crossbones! I must be hacked!!!
You mean that doesn't pop up!?!?
r0ggins
November 30th, 2012, 04:05 PM
Good read. The sad part is it is true - convenience vs security wins in the end.
This is very true. One of my good friends is always telling me security is a mindset. You have to constantly be thinking about what is secure and what isn't. This also holds true for life outside the digital world. Be aware of what is going on around you so you can be prepared to take action when it is necessary.
drdos2006
November 30th, 2012, 09:16 PM
I found this site http://www.metasploit.com/ for penetration testing.
I installed and ran Nexpose, very interesting results.
Needs 8 Gig RAM, ports 5432 and 3780
and needs minimum of 80Gigs HDD to run.
Appears to be Windows centric but also has Linux vulnerabilities as well. The site appears to have hackers who are able to exploit weaknesses in the networking and then write their own modules to add to and update the ability to harden the network machines.
regards
haqking
November 30th, 2012, 09:31 PM
I found this site http://www.metasploit.com/ for penetration testing.
I installed and ran Nexpose, very interesting results.
Needs 8 Gig RAM, ports 5432 and 3780
and needs minimum of 80Gigs HDD to run.
Appears to be Windows centric but also has Linux vulnerabilities as well. The site appears to have hackers who are able to exploit weaknesses in the networking and then write their own modules to add to and update the ability to harden the network machines.
regards
Metasploit has been around for 10 years. It is a staple in the Pen test/Sec Audit toolkit.
Nexpose is similar to Nessus who also do a free community edition, or OpenVAS. Personally I use OpenVAS and Nessus, but prefer Nessus.
Vulnerabilities in Linux are as plentiful as other OS, they tend to be patched quicker though, and are generally service or Admin related as opposed to built into OS.
A decent pen tester or IS manager will use 2 or more of these tools, as what they find are different across tools and database etc. Remember a vulnerability scanner and management tool is just that and not a penetration or hacking tool, it is typically used more by the IS Security team or at least should be.
You can see a recent comparison of latest versions here http://hackertarget.com/nessus-openvas-nexpose-vs-metasploitable/
Catalyph
November 30th, 2012, 09:49 PM
I'm betting those people also have the same password for every site, "inexplicable" spam on their facebook and gmail accounts, and perhaps their computers are loyal slaves in a botnet.
I'm not sure what people think a hacked computer looks like. Do they think a photo of a skull pops up and laughs at them? Why would the hacker make a grand show to ensure the victim knows he was hacked? What would be the point of hacking if you got caught right away?
http://www.norulak.com/calicojack.jpg
Oh God! I can see the skull & crossbones! I must be hacked!!!
I have never been hacked, I don't usually run an AV, it is turned off and I turn it on for a scan once a month. Never found anything.
I download and facebook and bank. I have never had an issue.
Computer security is more about the "user" than the tools the "user" has.
AV is like this, I would not bring my car down a dark alley way in the busy city and leave my door unlocked and windows down and the keys in the ignition.
Dumb people install the alarm and gps and flashing lights to protect their car, then go down and park it in the alley way. It will get stolen.
ME: don't go down the dark alley way, stay in the nice area with very low crime and if a stranger says hey can I borrow the keys to your car, "I SWEAR I WON'T STEAL IT" I still say no..
drdos2006
November 30th, 2012, 10:20 PM
Hi haqking
That was a very informative read. Thanks for the link.
regards
TheFu
November 30th, 2012, 11:35 PM
I have never been hacked, I don't usually run an AV, it is turned off and I turn it on for a scan once a month. Never found anything.
I download and facebook and bank. I have never had an issue.
I think you have been lucky. Reputable websites have been vectors for virus installations more than a few times. Facebook has, as have a few very well-known newspapers and TV channel websites. You've been lucky.
Running AV is not a license to be reckless on the internet. Most AV tools are not really that effective. Brian Krebs says https://krebsonsecurity.com/ that we should all use the internet like we don't have any AV installed, yet run one to stop bonehead "drive-by" attacks.
Three basic rules: https://krebsonsecurity.com/2011/05/krebss-3-basic-rules-for-online-safety/
Still, I'd rather be lucky than "good." I wish you continued luck, but I know security experts who have been hacked through drive-by attack vectors.
haqking
November 30th, 2012, 11:45 PM
I have never been hacked, I don't usually run an AV, it is turned off and I turn it on for a scan once a month. Never found anything.
I download and facebook and bank. I have never had an issue.
Computer security is more about the "user" than the tools the "user" has.
AV is like this, I would not bring my car down a dark alley way in the busy city and leave my door unlocked and windows down and the keys in the ignition.
Dumb people install the alarm and gps and flashing lights to protect their car, then go down and park it in the alley way. It will get stolen.
ME: don't go down the dark alley way, stay in the nice area with very low crime and if a stranger says hey can I borrow the keys to your car, "I SWEAR I WON'T STEAL IT" I still say no..
I hear this all the time, how do you know ? ;-) or did you mean you have never had any visible or noticeable performance or software related issues that you can put down to a compromise ? ;-)
haqking
November 30th, 2012, 11:45 PM
Hi haqking
That was a very informative read. Thanks for the link.
regards
Welcome
oldos2er
December 1st, 2012, 12:11 AM
I'm not sure what people think a hacked computer looks like.
I lol'ed. That would certainly make things easier, wouldn't it?
In investing, there's a truism "past performance is no guarantee of future results". Same thing applies to computer security, methinks.
Ms. Daisy
December 1st, 2012, 12:14 AM
I have never been hacked, I don't usually run an AV, it is turned off and I turn it on for a scan once a month. Never found anything.
I download and facebook and bank. I have never had an issue.
Computer security is more about the "user" than the tools the "user" has.
AV is like this, I would not bring my car down a dark alley way in the busy city and leave my door unlocked and windows down and the keys in the ignition.
Dumb people install the alarm and gps and flashing lights to protect their car, then go down and park it in the alley way. It will get stolen.
ME: don't go down the dark alley way, stay in the nice area with very low crime and if a stranger says hey can I borrow the keys to your car, "I SWEAR I WON'T STEAL IT" I still say no..
If it were easy to identify & avoid the dark alleys, then yeah, that would be a good approach. But it's not easy. You can encounter malware when only surfing main-stream "reputable" sites.
Merisi
December 1st, 2012, 08:34 PM
If it were easy to identify & avoid the dark alleys, then yeah, that would be a good approach. But it's not easy. You can encounter malware when only surfing main-stream "reputable" sites.
This thread is becoming a bit of an eye opener for me in some ways as I thought my security practises were quite solid but I wasn't aware you could find malware on sites that you think might be safe.
Your other point as well has got me thinking in that I've no idea what being hacked looks like unless it's obvious. I just assumed being hacked would mean that your finances might be in jeopardy. I imagine a lot of people think that.
Ms. Daisy
December 1st, 2012, 08:38 PM
This thread is becoming a bit of an eye opener for me in some ways as I thought my security practises were quite solid but I wasn't aware you could find malware on sites that you think might be safe.
Your other point as well has got me thinking in that I've no idea what being hacked looks like unless it's obvious. I just assumed being hacked would mean that your finances might be in jeopardy. I imagine a lot of people think that.
Yup, that's what I thought 18 months ago. I also thought the only email attachments that could be malicious were pdfs. LOL
Merisi
December 1st, 2012, 08:39 PM
I was looking into how vulnerable Macs can be and I found this:
http://www.justanswer.com/mac-computers/6n03g-someone-hacked-mac.html
A person has had their card details stolen and said this:
"Not sure. They have only used one debit account so far.. I didn't use the account to purchase anything since early March. New activity was showing up as of April 26.
I am also sitting here watching my cache fill up with sites I haven't gone to."
And an "expert" responded with this at one stage:
"Then turn on the Firewall and I would not worry about that. You probably made a purchase and someone stole it. It has happened a couple times to me I am very careful about computer security. Macs are far less vulnerable than Windows machines. I would change your password on shopping sites also."
I find the sense of denial quite bizarre in some ways.
haqking
December 1st, 2012, 08:39 PM
Yup, that's what I thought 18 months ago. I also thought the only email attachments that could be malicious were pdfs. LOL
There was a time when they thought the earth was round !
Merisi
December 1st, 2012, 08:45 PM
Yup, that's what I thought 18 months ago. I also thought the only email attachments that could be malicious were pdfs. LOL
I'm beginning to think almost anything you do online can lead you into some sort of trouble.
I remember a friend telling me about a free film site so I thought I'd see what it was like and it literally had layer after layer of scripts running and a couple of direct ip addresses that wanted to connect to my pc. Funny as it was rated fine by WOT, Google and McAfee Site Advisor.
Merisi
December 1st, 2012, 08:55 PM
It has been over a decade since I was hacked. I've described both situations on here before.
Once was in 1993, before anyone really had firewalls, and the other time was in 2000 when I was running a 3 month out of date BIND version.
The 1st time I was on a government network using an early, very easy to use linux with X/Windows install. They came into my machine, changed the root login and deleted my user account. It was probably an internet script searching for default root logins. I was much younger and much less informed back then. No data was lost and the remote machines I was connected into were not impacted in any way either.
The 2nd time, ZERO damage was done - I'm 100% positive because backups proved all other files to be unchanged. I was running a name server for my home network, but had allowed it to be seen from the internet. At the time, Bind and Sendmail were the most likely remote attack vectors into any UNIX system. I was just a few months behind on the Bind patches, but that was enough. The script that got in never broke out of the bind userid and only wrote files under /tmp. Then it tried to escalate privileges using a perl timing bug that the system had been patched to prevent. Every attempt caused an email to be sent to me - over 140,000 in a few hours. I disconnected from the internet and started my research using a 7 day old backup. It was pretty enlightening.
Versioned backups are the single best and most important solution for computer security. Nothing, NOTHING can solve all the problems that daily, weekly, monthly backups can solve. AV is nice, but never 100%. Most seem to be 50% in real world use, though the AV companies will claim 80-95% coverage. I think that is the marketing people.
A simple mirror backup is better than nothing, but doesn't handle all the times when file corruption occurs or all the times that many weeks pass before anyone notices a virus infestation.
Versioned backups are the best answer.
Sorry it's taken a while to reply to your post particularly as you made quite a big effort with it.
I guess 12 years of not being hacked is pretty good going. You say that firewalls weren't much used in 1993; I don't recall using one until 2003. I can only just imagine what my computer would have been like running Windows Millennium and Internet Explorer.
140,000 emails in a few hours. I think I'd have broken out into a cold sweat but still you stopped any damage.
Thanks for sharing that info with me, it's always good to learn about another person's experiences.
Ms. Daisy
December 1st, 2012, 08:59 PM
I remember a friend telling me about a free film site so I thought I'd see what it was like and it literally had layer after layer of scripts running and a couple of direct ip addresses that wanted to connect to my pc. Funny as it was rated fine by WOT, Google and McAfee Site Advisor.
That's why you layer your defences (as detailed in the Basic Security Wiki). It's a sane approach that protects you from the attacks you're most likely to encounter.
A person has had their card details stolen and said this:
We can't know if that attack even involved a computer. A waiter could have stolen the card information, the card reader at some store could have been compromised, etc. etc.
Ms. Daisy
December 1st, 2012, 09:10 PM
There was a time when they thought the earth was round !
I found a photo of you, haqking:
http://t1.gstatic.com/images?q=tbn:ANd9GcTgz1BDdxMxWIgSGgniRNdMZALyh-tByT2t5grqeJclviuX3qcD
Merisi
December 1st, 2012, 09:10 PM
We can't know if that attack even involved a computer. A waiter could have stolen the card information, the card reader at some store could have been compromised, etc. etc.
Yes that is true, and I should have considered that. It's just that I've been annoyed too many times by Mac owners...
haqking
December 1st, 2012, 09:19 PM
I found a photo of you, haqking:
http://t1.gstatic.com/images?q=tbn:ANd9GcTgz1BDdxMxWIgSGgniRNdMZALyh-tByT2t5grqeJclviuX3qcD
I have grown my hair a little since then, and on my head !
Stonecold1995
December 2nd, 2012, 02:15 AM
Good read. The sad part is it is true - convenience vs security wins in the end.
I think this is called the "Dancing Pigs Effect (https://en.wikipedia.org/wiki/Dancing_pigs)". Security should focus more on educating people for common sense rather than constantly hunting for 0days (not that people shouldn't try to patch vulnerabilities). Simply disabling browser scripts does a hell of a lot more than running antivirus.
There was a time when they thought the earth was round !
Are you being serious?
http://www.pictureshack.us/images/22007_IM_CONFUS.jpg
CharlesA
December 2nd, 2012, 05:41 AM
This thread is becoming a bit of an eye opener for me in some ways as I thought my security practises were quite solid but I wasn't aware you could find malware on sites that you think might be safe.
Your other point as well has got me thinking in that I've no idea what being hacked looks like unless it's obvious. I just assumed being hacked would mean that your finances might be in jeopardy. I imagine a lot of people think that.
The thing is - most people would trust a reputable site and "let their guard down" which makes it the perfect vector of attack.
Stonecold1995
December 2nd, 2012, 08:52 AM
The thing is - most people would trust a reputable site and "let their guard down" which makes it the perfect vector of attack.
That's exactly what exploit packs take advantage of. If a hacker buys an exploit pack and hacks a "reputable" site, he can put the exploit pack in that site and anyone who visits it has the potential to be infected. Theoretically this could even happen to Ubuntu Forums, but because this site has good security, and because many people who visit this forum are using a computer with GNU/Linux, it would be a very poor attack vector. But many innocent sites (especially blogs) can become zombies spreading malware. So don't trust anything 100%, even if you know the owner of the site would never put up malware!
haqking
December 2nd, 2012, 12:47 PM
I think this is called the "Dancing Pigs Effect (https://en.wikipedia.org/wiki/Dancing_pigs)". Security should focus more on educating people for common sense rather than constantly hunting for 0days (not that people shouldn't try to patch vulnerabilities). Simply disabling browser scripts does a hell of a lot more than running antivirus.
Are you being serious?
http://www.pictureshack.us/images/22007_IM_CONFUS.jpg
I am always being serious apart from when I'm not !
OpSecShellshock
December 2nd, 2012, 02:50 PM
That's exactly what exploit packs take advantage of. If a hacker buys an exploit pack and hacks a "reputable" site, he can put the exploit pack in that site and anyone who visits it has the potential to be infected. Theoretically this could even happen to Ubuntu Forums, but because this site has good security, and because many people who visit this forum are using a computer with GNU/Linux, it would be a very poor attack vector. But many innocent sites (especially blogs) can become zombies spreading malware. So don't trust anything 100%, even if you know the owner of the site would never put up malware!
It's not just legit/reputable sites being compromised directly. What I see most often when I'm actively monitoring are malicious ads. Sure, there are many, many small and large sites with out of date web applications, db flaws, server software, things like that, and they do frequently get compromised. But from an ROI standpoint, nothing beats getting a malicious ad onto a widely-used legitimate platform, and it happens to the biggest ones all the time. Individually they may be relatively short-lived, but during their lifetimes they could compromise every visitor to every site that the ad platform has cycled that advertisement onto, no additional clicks necessary. And nothing the site owners can do except report the ads and hope they are removed, or stop running that ad platform.
I always advise users to block ads.
CharlesA
December 2nd, 2012, 03:16 PM
It's not just legit/reputable sites being compromised directly. What I see most often when I'm actively monitoring are malicious ads. Sure, there are many, many small and large sites with out of date web applications, db flaws, server software, things like that, and they do frequently get compromised. But from an ROI standpoint, nothing beats getting a malicious ad onto a widely-used legitimate platform, and it happens to the biggest ones all the time. Individually they may be relatively short-lived, but during their lifetimes they could compromise every visitor to every site that the ad platform has cycled that advertisement onto, no additional clicks necessary. And nothing the site owners can do except report the ads and hope they are removed, or stop running that ad platform.
I always advise users to block ads.
Agreed. I remember a (semi) popular forum that got tagged as malicious because of their ads. I know this is a popular method because it bypasses the main site completely and puts the blame on the company serving the ads.
Stonecold1995
December 3rd, 2012, 12:50 AM
It's not just legit/reputable sites being compromised directly. What I see most often when I'm actively monitoring are malicious ads. Sure, there are many, many small and large sites with out of date web applications, db flaws, server software, things like that, and they do frequently get compromised. But from an ROI standpoint, nothing beats getting a malicious ad onto a widely-used legitimate platform, and it happens to the biggest ones all the time. Individually they may be relatively short-lived, but during their lifetimes they could compromise every visitor to every site that the ad platform has cycled that advertisement onto, no additional clicks necessary. And nothing the site owners can do except report the ads and hope they are removed, or stop running that ad platform.
I always advise users to block ads.
Right, but those ads are often "legit", but were compromised at some stage, aren't they? I seem to remember reading somewhere that more malicious ads are malicious because they were compromised than malicious to start out.
And I always block ads, but not because of malware but because they are annoying as hell! I just disable JavaScript, Java, and Flash in Chromium (I'm still waiting for Chrome's extensions API to be improved so that the NoScript developer can port it to Chrome) to protect from malicious scripts.
OpSecShellshock
December 3rd, 2012, 01:59 AM
Right, but those ads are often "legit", but were compromised at some stage, aren't they? I seem to remember reading somewhere that more malicious ads are malicious because they were compromised than malicious to start out.
And I always block ads, but not because of malware but because they are annoying as hell! I just disable JavaScript, Java, and Flash in Chromium (I'm still waiting for Chrome's extensions API to be improved so that the NoScript developer can port it to Chrome) to protect from malicious scripts.
I don't think legitimate ads themselves get compromised so much as fraudulent "companies" place ads with platform providers, sometimes going as far as to submit one advertisement for review that is harmless and switching to the malicious ad later. There's just not a very robust review process at a lot of platforms, and I wouldn't be surprised to find that submission is automated.
And yes, even the ones that aren't malicious are annoying.
TheFu
December 4th, 2012, 05:00 PM
Ok, so by now everyone here has read about the Tumblr Blog worm. http://www.nbcnews.com/technology/technolog/tumblr-glitch-tosses-cookies-blog-visitors-825075
A reputable website. Hacked. End-user data (and perhaps worse) released. A few hours later, the fix was made, but some fairly high-traffic blogs like CNET and Verge were defaced. What happened beyond that is unknown.
Merisi
December 6th, 2012, 05:34 PM
So I guess the moral to this thread is that it's not paranoia to be security conscious but more of a case that you can never be too careful.