Security Thread

What is the biggest security mistake that the average desktop or mobile user makes, and how can we avoid making that mistake?

Should we believe VPN companies that claim to not store logs?
 
Right off the bat with an AMAZING question!

1. The biggest security mistake for the average desktop user is to not keep their Windows machine updated. I'm talking about Microsoft's updates. And if you're running Windows 7, update that shit right fucking now to 10. Windows 7 has been deprecated for years now, and you can download free exploits and start getting full access to Windows 7 devices online within a few hours. There are still a shitload of Win7 boxes online, and all of them are extremely vulnerable.

Now let's say you've got your Windows up to date. If you're just checking emails (and not clicking on shady links), playing games via Steam, etc., you should be fine. You're not nearly the lowest-hanging fruit, and no one is going to waste a 0day on you or people like you.

But now let's say you're downloading cracked versions of games or software. Not all cracked software has malware in it, but it is an easy way to infect users. If you do use cracked software and the software doesn't need the internet, you should put it in a virtual machine, cut the internet (aka the network interface) of the VM, and you'll probably be okay. Most botnets will try to establish a connection to the bot master, and if they can't, they just die.

Sick, so you don't download cracked games, but you visit some PRETTY sketchy websites. There's something called drive-by malware, which can infect your computer just by visiting the website. Every time you visit a website, it checks your user-agent (I feel this community has a grasp on this, but if you don't, google it), the website determines if it has an exploit for your system (based on your OS, its version, your browser, and its version), and sends it directly to your browser, which can get access to your computer immediately. So update your browser(s) too.

Mobile Users
A) Fewer security researchers have found bugs for iOS. More have been found for Android. There are also significantly more Android devices online, and the cost of those exploits is more than iOS 0days.

B) Downloading APKs outside of Google Play is a poor choice. Malware authors reverse mobile apps and shove malware in there.

C) When at a friend's house, an Airbnb, or on public wifi, use a VPN. Looking up something you don't want your provider knowing you're looking at? Use a VPN.

D) If you do go to an Airbnb, the first thing I do is connect to the wifi and run an app called 'Fing'. Fing is a network scanner and lets you know all the devices on the network. After that, I can connect to the router and see all the other devices that have connected, which is interesting. But the best part about Fing is you can find cameras on the property. Maybe you want to know if there's a Ring or even hidden cameras in your Airbnb.

2. VPNs. All US-based VPN providers are required by law to keep logs. The EU has something like this as well, but in certain countries it's a bit more relaxed. This guy created a chart and some blog posts on VPN providers and the amount of privacy they provide. GREAT articles and information here. hxxps://thatoneprivacysite.net/
[attached image: VPN comparison chart]
Here are some good ones that don't provide laws.
The Five Eyes are 5 countries whose intelligence agencies share information.
It's been extended to the Fourteen Eyes.

Unless the VPN is run by true hackers who care about your privacy and don't give a fuck about their government, it's unlikely they will put 1 or 2 users over all of their users. In many cases, LE in the US will contact a VPN provider and ask for 1 user (or all of them). If the company doesn't comply, the US will shut the company down. It's just not worth it from a business side (at least in the US).

Also, don't use free VPNs. They collect your data and sell it.
Shared IPs can be good for masking who's using it at any given time, but if you're doing something like botting social media accounts, it's gonna look weird from their side.

Payments: You can use crypto. I suggest using Monero. Bitcoin is not anonymous, it's pseudo-anonymous. If we know userA's address belongs to a drug dealer, one can monitor it and see where it pulls out money. Coinbase has been working with US law enforcement to do just this. They caught a ton of people when Silk Road and, even bigger, AlphaBay went down, along with Evolution and the other ones. I digress, use Monero. Or use your BTC to buy XMR.
 
How would you provide RATs which are undetectable by the antivirus? How would you detect it if it's undetectable by the antivirus? Is there any other way?
1. I wouldn't.

But I have worked with malware researchers, and the way to craft your malware so it's undetectable is to download VirusTotal, put it in a VM, cut the internet to that box, and throw your malware in there and see if it's caught. If it's not, then you know you're able to bypass 57 AVs.

There are plenty of techniques taught on how to do this, but it's against the rules here to mention other forums.

2. If you want to detect undetectable malware... I suppose the question would be, are you already compromised, or are you wanting to determine if what you downloaded is malware?

If you're already compromised and want to know if there's undetectable malware on your system... well, by definition, you can't find it. It's undetectable. Now if you mean the AVs haven't detected it, you can take the binary apart by reverse engineering it and looking to see what happens. Though, you have to know assembly and some deep-level stuff to play around with this. There are some great resources on Twitter from other researchers. If you want to determine if what you downloaded is malicious, one quick test is to run Strings. It's a program that gets all readable ASCII characters from the software. If the software isn't supposed to make outbound connections, but you see http://shadysite.com or an IP like 84.57.1.22, you've probably got malware.
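As an added illustration of the Strings triage described above (example code, not from the original post): a small Python version that pulls the printable ASCII runs out of a blob the way `strings` does and then flags anything that looks like a URL or IPv4 address. The sample "binary" is constructed inline; the URL and IP inside it are the ones quoted in the post, and the version string is there to show the kind of false positive the IP pattern produces.

```python
import re

# Minimum run length of printable ASCII to count as a "string"; the classic
# `strings` tool defaults to 4 as well.
MIN_LEN = 4

# Network-looking indicators inside an extracted string.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return every run of printable ASCII (0x20..0x7e) at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def _valid_ipv4(candidate: str) -> bool:
    """Reject dotted numbers with an octet above 255 (e.g. 1.2.3.999)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_network_indicators(data: bytes) -> dict:
    """Scan a binary blob for URLs and IPv4 addresses embedded in its strings.

    Returns {"urls": [...], "ips": [...]}, sorted and de-duplicated. A program
    that has no business talking to the network but carries these deserves a
    closer look; an updater or browser will carry them legitimately, and a
    plain version number like 1.2.3.4 matches the IP pattern too, so this is
    triage, not a verdict.
    """
    urls, ips = set(), set()
    for s in extract_strings(data):
        urls.update(_URL_RE.findall(s))
        ips.update(ip for ip in _IPV4_RE.findall(s) if _valid_ipv4(ip))
    return {"urls": sorted(urls), "ips": sorted(ips)}


# Constructed sample: junk bytes around a few embedded strings, standing in for
# a downloaded executable. Not a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"This program cannot be run in DOS mode.\r\n"
    b"\x00\x00\x01\x02KERNEL32.dll\x00WinHttpOpen\x00"
    b"\x7f\x00\x00http://shadysite.com\x00\x00"
    b"\x00\x01C2=84.57.1.22:443\x00\x00"
    b"version 1.2.3.4\x00"  # a version string the IPv4 pattern also matches
    b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    found = find_network_indicators(SAMPLE_BINARY)
    print("URLs:", found["urls"])
    print("IPs: ", found["ips"])
```

Run it against a real download by reading the file with `open(path, "rb").read()`; on a packed or obfuscated binary the interesting strings only appear at runtime, which is where the dynamic analysis in a throwaway VM mentioned later in the thread comes in.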
 
I have also heard about some FUDs that bypass the antivirus; is this true?

If yes then how can a normal user avoid it?
 
Super detailed, great response! You should post this outside of the Lounge so you at least get post credit for very nice contributions like this!
 

PIA is based in the United States and they don't keep logs.
 
I have also heard about some FUDs that bypass the antivirus; is this true?

If yes then how can a normal user avoid it?

By definition, FUDs bypass AV. If it's a FUD that bypasses Windows Security and AVs, then there's not much you can do.
As a normal user, do what I listed in my first post.

Also I meant avoid here, maybe I forgot or wrote that by mistake.
Watching what you download is the biggest thing. Visiting certain websites that have ads that do malvertising is also a problem.

Super detailed, great response! You should post this outside of the Lounge so you at least get post credit for very nice contributions like this!
Where can I post this? Still kinda new here.

PIA is based in the United States and they don't keep logs.
Sure.
 
OWASP. hxxps://owasp.org/www-project-top-ten/
And here's a place you can practice how the attack works. hxxps://portswigger.net/web-security
Sorry, I was more asking if the topic was about website security or security when browsing the internet etc.
 
What is the biggest security mistake that the average desktop or mobile user makes, and how can we avoid making that mistake?

Should we believe VPN companies that claim to not store logs?

Believe in VPNs that prove in court that they don't have log information, and not in a description or text on a website saying "We don't store any logs"; most of them are lying.

In this case OVPN is not lying:
https://torrentfreak.com/ovpn-wins-court-battle-after-pirate-bay-data-demands-rejected-200911/
https://torrentfreak.com/the-pirate-bay-ovpn-responds-to-movie-companies-court-injunction-200707/
They don't have logs. Now, others, you can't trust them. Even if they say they don't log, how can you be sure of that? You can't.

The best is going with VPNs outside the US / UK.
 
1. Which is a good antivirus according to you? I use Quick Heal, so what are your thoughts on that?
2. Do adblockers block those malvertising websites?
3. And I have heard that when you visit a malicious website, they get our system information and run malicious scripts automatically according to the user agent, OS and everything. How can you avoid it?
4. The most important question: what are your thoughts on making your own VPN with Outline Manager? Also, do you know any other method for making our own VPN?
 
Sorry, I was more asking if the topic was about website security or security when browsing the internet etc.
Oh anything security really.

Believe in VPNs that prove in court that they don't have log information, and not in a description or text on a website saying "We don't store any logs"; most of them are lying.

In this case OVPN is not lying:
https://torrentfreak.com/ovpn-wins-court-battle-after-pirate-bay-data-demands-rejected-200911/
https://torrentfreak.com/the-pirate-bay-ovpn-responds-to-movie-companies-court-injunction-200707/
They don't have logs. Now, others, you can't trust them. Even if they say they don't log, how can you be sure of that? You can't.

The best is going with VPNs outside the US / UK.
This! All VPN providers will say they don't log. And this is the same method I use to determine if they're lying. Check court records to see how hackers or others got busted. Many times, it's because a VPN provider was subpoenaed.

1. Which is a good antivirus according to you? I use Quick Heal, so what are your thoughts on that?
2. Do adblockers block those malvertising websites?
3. And I have heard that when you visit a malicious website, they get our system information and run malicious scripts automatically according to the user agent, OS and everything. How can you avoid it?
4. The most important question: what are your thoughts on making your own VPN with Outline Manager? Also, do you know any other method for making our own VPN?
1. For crafty hackers, most suck. I have friends that reverse engineer AVs for work, so for experienced hackers, they're trivial. But most hackers aren't experienced. For every 1 experienced hacker, there is an endless number of skids.
But to answer, any of the major free brands are fine. Avast, Symantec, etc. Just use their free shit, run, then uninstall.

2. That's a great question. I THINK most do, yes. According to Malwarebytes, "You should seriously consider using ad blockers, which can filter out a lot of the malvertising noise, thereby stopping dynamic scripts from loading dangerous content." hxxps://www.malwarebytes.com/malvertising/. That said, back to question 1, don't use Malwarebytes for an AV.

3. To avoid drive-by malware, any spoofing of your browser agent should defeat it. Let's say, for example, I have an old version of macOS and am running an old, old version of Chrome. If I have a Chrome extension that changes my user-agent when requesting websites and it spoofs it to, let's say, Windows 95, and says I'm using Internet Explorer, the malicious site will believe it and auto-send an exploit based on Win95 or IE. Since my computer doesn't understand how to execute those binaries, I won't get infected. Side quest: reverse engineering Windows malware on a Mac is chill for the same reason. Can't infect your device if it can't execute the binary.

4. Interesting! Never heard of Outline Manager before. I'd say it depends on your threat model? Like, if you're trying to prevent your government from reading your shit, and you set up Outline Manager or a VPN server at your buddy's place a few blocks away, you're still getting your shit sniffed once it leaves his/her home. If you have a friend outside your country, then that could be better to avoid your own government. I think having a VPN provider outside the Fourteen Eyes that doesn't keep logs is still a better setup, since you can bounce around VPN locations.
For additional privacy, you can use VPN > Tor. Or if you still don't trust your VPN provider, buy your vpn with Monero, then Tor > VPN > Tor.
 
About ad-blocking, you really need to use Pi-hole on your entire network, then you don't have to worry about running adblockers on individual devices! Plus, there is no 'ad blocker' for a Samsung TV or other smart devices. A Pi-hole is the solution. There is remarkably little discussion about Pi-hole here; I tried starting a thread on it last month but nobody cared :)
 
What an amazing experience you have! Very informative. Thank you for taking the time to answer questions.
Where would one go to get more experience in internet security and hacking? I believe if you understand how hacking works, then you can do better in regard to internet security.
My nephew wants to study internet security online and later get a job in this field. What are the best sources for this in your opinion?
 
How do I stop Google from stealing data? :p
Don't use Google. :p

But seriously, if you don't want Google knowing your activity, it's PRETTY complex to setup.
QubesOS is a great way to segment all your traffic, but it's not the easiest to configure.
You can create a VM per application, so you might have 3 browsers, but each of them can have a different VPN or output of traffic, such as tor.
It's complex, but depending on what you want to do, can be pretty useful.
It's very hard to avoid Google though. I'm not sure what use case one would have to avoid Google altogether, but this is my suggestion.

About ad-blocking, you really need to use Pi-hole on your entire network, then you don't have to worry about running adblockers on individual devices! Plus, there is no 'ad blocker' for a Samsung TV or other smart devices. A Pi-hole is the solution. There is remarkably little discussion about Pi-hole here; I tried starting a thread on it last month but nobody cared :)
Ah, this is a very interesting solution! If you can install it on a Pi router, I'm sure you can install it on any Linux-based router.
I hadn't even thought about TV ad traffic, but setting up something that blocks it on a network level is best, yes.
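As an added example of why network-level blocking covers the TV and every other device (this is illustrative Python, not Pi-hole's own code): the decision a DNS sinkhole makes is per query, not per device, so whatever resolves through it gets the same treatment. The blocklist below is in the hosts-file style most public lists use, and the query log lines follow the `query[TYPE] name from client` shape that dnsmasq (which Pi-hole is built on) writes; the domains and client addresses are all constructed.

```python
import re
from collections import defaultdict

# Constructed blocklist in hosts-file style: "0.0.0.0 domain" per line, with
# blank lines and '#' comments. The domains are made up.
BLOCKLIST_TEXT = """\
# constructed sample list, not a real one
0.0.0.0 ads.example
0.0.0.0 tracker.example.net
0.0.0.0 telemetry.tv-vendor.example
"""

# Constructed query-log lines in the "query[TYPE] name from client" shape.
# 192.168.1.42 stands in for a smart TV that cannot run an ad blocker itself.
QUERY_LOG = """\
query[A] www.example.org from 192.168.1.20
query[A] cdn.ads.example from 192.168.1.20
query[AAAA] telemetry.tv-vendor.example from 192.168.1.42
query[A] tracker.example.net from 192.168.1.42
query[A] notads.example from 192.168.1.42
"""

SINKHOLE = "0.0.0.0"  # the null address a sinkhole returns for blocked names
_QUERY_RE = re.compile(r"query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")


def parse_blocklist(text: str) -> set:
    """Return the blocked domains from hosts-style text, lowercased, no trailing dot."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        domain = parts[1] if len(parts) > 1 else parts[0]  # "0.0.0.0 dom" or bare "dom"
        blocked.add(domain.lower().rstrip("."))
    return blocked


def is_blocked(name: str, blocked: set) -> bool:
    """True if the name or any parent domain is listed: cdn.ads.example is caught
    by the ads.example entry. Matching is per label, so notads.example is not
    caught, because ads.example is not one of its parents."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def answer(name: str, blocked: set) -> str:
    """The per-query decision: sinkhole a listed name, otherwise forward upstream."""
    return SINKHOLE if is_blocked(name, blocked) else "forward"


def sinkhole_report(log_text: str, blocked: set) -> dict:
    """Replay a query log and return {client: [names that would be sinkholed]}.
    Every device on the LAN resolves through the same box, so the TV's
    telemetry query is caught exactly like the laptop's ad query."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        _qtype, name, client = m.groups()
        if answer(name, blocked) == SINKHOLE:
            report[client].append(name)
    return dict(report)


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    for client, names in sinkhole_report(QUERY_LOG, blocked).items():
        print(f"{client}: blocked {', '.join(names)}")
```

The caveat that goes with this design: a device that hardcodes its own public resolver or uses DNS-over-HTTPS never asks the sinkhole, so it is only covered if the router forces all port-53 traffic to the Pi-hole and blocks the known DoH endpoints.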

What an amazing experience you have! Very informative. Thank you for taking the time to answer questions.
Where would one go to get more experience in internet security and hacking? I believe if you understand how hacking works, then you can do better in regard to internet security.
My nephew wants to study internet security online and later get a job in this field. What are the best sources for this in your opinion?
Ah excellent! Congrats to your nephew! If he's already working in the field, I think that's terrific! He'll be learning a ton at work. Security is actually a massive field, broken down into different sections. You should ask him what he wants to learn how to do, and what his dream job is. I'd feel bad about giving a general answer about what he should learn if he's interested in something very specific or niche. Web application security is a very saturated market, but there are a ton of great resources in it. HackerOne and Bugcrowd are free platforms where anyone can sign up, start hacking LIVE websites/companies, and then get paid for their reports on how they got certain vulnerabilities. Companies will have what are called bug bounty programs, where they encourage hackers to find leaks and then report them for money. It's one of the most whitehat things people can do. If he's looking to boost his career in finding vulnerabilities, this is one of the most ethical paths. There are others, but depending on the goal, depends on what to do.
If he likes securing networks, then there are other tools and things to learn. Forensics, same thing: take a hard drive or computer, and find all the valuable things on it. Exploit dev: take a vulnerability, and create an exploit to leverage it. Most people build a lab in their home and try to craft an exploit for a known vulnerability. Malware research: there are tons of shit malware out there. Same idea, create a lab, throw the malware in there, record what it does, kill the VM. That's dynamic analysis. There's also static analysis, where you take the malware apart by reverse engineering it. Hacking games as well; companies have bug bounty programs. Lots of resources: YouTube "Defcon [insert interest]" and you can find some great videos. Would also suggest he go to Defcon if he hasn't been before. This last year, it was canceled due to COVID, but it's about 30k attendees in Vegas for 4-6 days, talks, and good times. [to put it mildly]
 