Right off the bat with an AMAZING question!
What is the biggest security mistake that the average desktop or mobile user makes, and how can we avoid making that mistake?
Should we believe VPN companies that claim to not store logs?
OWASP. hxxps://owasp.org/www-project-top-ten/
Website security?
1. I wouldn't.
How would you provide RATs which are undetectable by the antivirus? How would you detect if it's undetectable by the antivirus, is there any other way?
I also have heard about some FUDs that they bypass the antivirus, is this true?
1. I wouldn't.
But I have worked with malware researchers, and the way to craft your malware so it's undetectable, is to download VirusTotal, put it in a VM, cut the internet to that box, and throw your malware in there and see if it's caught. If it's not, then you know you're able to bypass 57 AVs.
There are plenty of techniques taught on how to do this, but it's against the rules here to mention other forums.
2. If you want to detect undetectable malware... I suppose the question would be, are you already compromised, or are you wanting to determine if what you downloaded is malware?
If you're already compromised and want to know if there's an undetectable malware on your system... well, by definition, you can't find it. It's undetectable. Now if you mean the AVs haven't detected it, you can take the binary apart by reverse engineering it, and looking to see what happens. Though, you have to know assembly and some deep level stuff to play around with this. Some great resources on Twitter for other researchers. If you want to determine if what you downloaded is malicious, one quick test is to run Strings. It's a program that gets all readable ASCII characters from the software. If the software isn't supposed to make outbound connections, but you see http://shadysite.com or an IP 84.57.1.22, you probably got malware.
Also I meant avoid here, maybe I forgot or wrote that by mistake.
How would you provide RATs which are undetectable by the antivirus? How would you detect if it's undetectable by the antivirus, is there any other way?
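The Strings check described in the post above, as an added example that is not part of the original thread: it pulls printable ASCII runs out of a file's bytes and flags embedded URLs and routable IPv4 addresses. The sample bytes are constructed for illustration and reuse the post's example URL and IP.

```python
import ipaddress
import re

MIN_LEN = 4  # shortest run worth reporting, like the strings utility's default

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Four dot-separated groups of 1-3 digits, not embedded in a longer dotted number.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def printable_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield every run of printable ASCII that is at least min_len bytes long."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield match.group().decode("ascii")


def network_indicators(data: bytes):
    """Return (urls, ips) found in the printable strings of data."""
    urls, ips = set(), set()
    for text in printable_strings(data):
        urls.update(URL_RE.findall(text))
        for candidate in IP_RE.findall(text):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looks like an IP but is not one, e.g. 999.1.1.1
            # Loopback and private ranges show up in benign software too;
            # only routable addresses are reported here. Dotted version
            # numbers can still match, so treat hits as leads, not verdicts.
            if addr.is_global:
                ips.add(candidate)
    return sorted(urls), sorted(ips)


# Constructed sample: binary noise with a few embedded strings.
SAMPLE = (
    b"\x00\x01MZ\x90\x00This program cannot be run in DOS mode\x00\xff"
    b"http://shadysite.com\x00"
    b"84.57.1.22\x00127.0.0.1\x00ab\x00999.1.1.1\x00"
)

if __name__ == "__main__":
    found_urls, found_ips = network_indicators(SAMPLE)
    print("URLs:", found_urls)
    print("IPs: ", found_ips)
```

To check a real download, pass the file's contents instead of `SAMPLE`, for example `network_indicators(open(path, "rb").read())`. Packed or encrypted binaries hide their strings, so an empty result does not mean the file is clean.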
Super detailed, great response! You should post this outside of the Lounge so you at least get post credit for very nice contributions like this!
Right off the bat with an AMAZING question!
1. Biggest security mistake for the average desktop user, is to not keep their Windows machine updated. I'm talking about Microsoft's Updates. And if you're running Windows 7, update that shit right fucking now to 10. Windows 7 has been deprecated for years now, and you can download free exploits and start getting full access to Windows 7 devices online within a few hours. There are still a shitload of Win7 boxes online, and all of them are extremely vulnerable.
Now let's say you got your Windows up-to-date. Now if you're just checking emails, (and not clicking on shady links), playing games via steam, etc. you should be fine. You're not nearly the lowest hanging fruit, and no one is going to waste an 0day on you or people like you.
But now let's say you're downloading cracked versions of games or software. Now not all cracked software has malware in it, but it is an easy way to infect users. If you do use cracked software, if the software doesn't need the internet, you should put it in a virtual machine, cut the internet aka network interface of the VM, and you'll probably be okay. Most botnets will try to establish a connection to the bot master, and if it can't, it just dies.
Sick, so you don't download cracked games, but you visit some PRETTY sketchy websites. There's something called drive-by malware, which can infect your computer just by visiting the website. Every time you visit a website, it checks your user-agent (I feel this community has a grasp on this, but if you don't, google it), the website determines if it has an exploit for your system (based on your OS, its version, your browser, and its version), and sends it directly to your browser, which can get access to your computer immediately. So update your browser(s) too.
Mobile Users
A) Fewer security researchers have found bugs for iOS. More have been found for Android. There are also significantly more Android devices online, and the cost of those exploits is more than iOS 0days.
B) Downloading apks outside of Google Play is a poor choice. Malware authors reverse mobile apps and shove malware in there.
C) When at a friend's house, Airbnb, or public wifi, use a VPN. Looking up something you don't want your provider knowing you're looking at? Use a VPN.
D) If you do go to an Airbnb, the first thing I do, is connect to the wifi, and run an app called 'Fing'. Fing is a network scanner and lets you know all the devices on the network. After that, I can connect to the router, I can see all the other devices that have connected which is interesting. But the best part about Fing, is you can find cameras on the property. Maybe you want to know if there's a Ring or even hidden cameras in your Airbnb.
2. VPNs. All US-based VPN providers are required by law to keep logs. The EU has something like this as well, but in certain countries, it's a bit more relaxed. This guy created a chart and some blog posts on VPN providers and the amount of privacy they provide. GREAT articles and information here. hxxps://thatoneprivacysite.net/
Here are some good ones that don't provide laws.
The Five Eyes are 5 countries whose intelligence agencies share information.
It's been extended to the Fourteen Eyes.
Unless the VPN is run by true hackers who care about your privacy and don't give a fuck about their government, it's unlikely they will put 1 or 2 users over all of their users. In many cases, LE in the US will contact a VPN provider and ask for 1 user (or all of them). If the company doesn't comply, the US will shut the company down. It's just not worth it from a business side (at least in the US).
Also, don't use free VPNs. They collect your data and sell it.
Shared IPs can be good for masking who's using it at any given time, but if you're doing something like botting social media accounts, gonna look weird from their side.
Payments: Can use crypto. Suggest using Monero. Bitcoin is not anonymous, it's pseudo-anonymous. If we know userA's address is a drug dealer, one can monitor it and see where it pulls out money. Coinbase has been working with US law enforcement to do just this. They caught a ton of people when Silk Road, but even bigger, AlphaBay went down. Along with Evolution and the other ones. I digress, use Monero. Or use your BTC to buy XMR.
I also have heard about some FUDs that they bypass the antivirus, is this true?
If yes then how can a normal user avoid it?
Watching what you download is the biggest thing. Visiting certain websites that have ads that do malvertising also is a problem.
Also I meant avoid here, maybe I forgot or wrote that by mistake.
Where can I post this? Still kinda new here.
Super detailed, great response! You should post this outside of the Lounge so you at least get post credit for very nice contributions like this!
Sure.
PIA is based in the United States and they don't keep logs.
Sorry, I was more asking if the topic was about website security or security when browsing the internet etc.
OWASP. hxxps://owasp.org/www-project-top-ten/
And here's a place you can practice how the attack works. hxxps://portswigger.net/web-security
What is the biggest security mistake that the average desktop or mobile user makes, and how can we avoid making that mistake?
Should we believe VPN companies that claim to not store logs?
Oh anything security really.
Sorry, I was more asking if the topic was about website security or security when browsing the internet etc.
This! All VPN providers will say they don't log. And this is the same method I use to determine if they're lying. Check court records to see how hackers or others got busted. Many times, it's because a VPN provider was subpoenaed.
Believe in VPNs that prove in court that they don't have log information, and not in a description or text on a website saying "We don't store any logs"; most of them are lying.
In this case OVPN is not lying
https://torrentfreak.com/ovpn-wins-court-battle-after-pirate-bay-data-demands-rejected-200911/
https://torrentfreak.com/the-pirate-bay-ovpn-responds-to-movie-companies-court-injunction-200707/
They don't have logs; the others, you can't trust them. Even if they say they don't log, how can you be sure of that? You can't.
The best is to go with VPNs outside the US / UK.
1. For crafty hackers, most suck. I have friends that reverse engineer AVs for work, so for experienced hackers, they're trivial. But most hackers aren't experienced. For every 1 experienced hacker, there are an endless amount of skids.
1. Which is a good antivirus according to you? I use Quick Heal, so what are your thoughts on that?
2. Do adblockers block those malvertising websites?
3. And I have heard that when you visit a malicious website, they get our system information and run malicious scripts automatically according to the user agents, OS and everything. How can you avoid it?
4. The most important question: what are your thoughts on making your own VPN with Outline Manager? Also, do you know any other method for making our own VPN?
You can trust some.
Even if they say they don't log, how can you be sure of that? You can't.
Don't use Google.
How to evade Google from stealing data?
Ah this is a very interesting solution! If you can install it on a Pi router, I'm sure you can install it on any Linux-based router.
About ad-blocking, you really need to use Pi-hole on your entire network, then you don't have to worry about running adblockers on individual devices! Plus, there is no 'ad blocker' for a Samsung TV or other smart devices. A Pi-hole is the solution. There is remarkably little discussion about Pi-hole here, I tried starting a thread on it last month but nobody cared.
Ah excellent! Congrats to your nephew! If he's already working in the field, I think that's terrific! He'll be learning a ton at work. Security is actually a massive field, broken down into different sections. You should ask him what he wants to learn how to do, and what his dream job is. I'd feel bad about giving a general answer about what he should learn if he's interested in something very specific or niche. Web application security is a very saturated market, but there are a ton of great resources in it. HackerOne and BugCrowd are free platforms where anyone can sign up, start hacking LIVE websites/companies, and then get paid for their reports on how they got certain vulnerabilities. Companies will have what are called bug bounty programs, where they encourage hackers to find leaks, and then report them for money. It's one of the most whitehat things people can do. If he's looking to boost his career in finding vulnerabilities, this is one of the most ethical paths. There are others, but depending on the goal, depends on what to do.
What an amazing experience you have! Very informative. Thank you for taking the time to answer questions.
Where would one go to get more experience in internet security and hacking? I believe if you understand how hacking works, then you can do better in regard to internet security.
My nephew wants to study Internet security online and later get a job in this field, what best sources for this in your opinion?