
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

    TetraNitroCubane, Registered User regular (edited June 2016)
    Information is still somewhat fuzzy on this, but indications are that a severe vulnerability in TeamViewer is being actively exploited in the wild (Apologies for the source link, but it's the most comprehensive list I could find that's current). Most information at present seems anecdotal, with the official devs blaming weak user passwords and password reuse as the culprit. Some details contradict such possibilities (including people using unique and long passwords getting compromised).

    Regardless of root cause, if you are currently using TeamViewer, please consider yourself at risk.

    Also, just a reminder that vulnerabilities like this are why stored passwords are a bad idea, even on private computers.

    Buttcleft, Registered User regular
    So I don't know if this is the appropriate thread for this, but it seems my gmail account has been compromised again

    Got a changed password notification just now and managed to panic reset the password to an incredibly strong password (I didn't follow links in the email just in case, went straight to gmail and reset, even though the emails seem legit and links seem to go to legit google links).

    Nothing on my PC, because I don't download anything, and run virus and spyware scans nightly.

    I'm about as close to 100% confident as you can be that it's not my system that's compromised. Regardless, I've run additional scans and found nothing, and when I checked the IP logs on Gmail it shows the only location that was being logged in from was my home, so... I'm confused? Recommendations for a next move?

    LostNinja, Registered User regular
    Do you have two factor authorization enabled? That might be a good first step.

    Sticks, Registered User regular (edited June 2016)
    The fact that gmail says the only IPs are yours would indicate to me that the problem is local. I'm not aware of any means by which an attacker could spoof or alter the IP records that google is keeping.

    Keep in mind that you don't necessarily have to download something to get an infection. Simply having out-of-date software (most usually Java or Flash) and navigating to the wrong site can do it. Also, AV scanners are not perfect. It is entirely possible for a scan to come back clean despite malware being present. Another possibility might be that your router or another computer on your local network is compromised.

    2 factor authentication will most likely prevent your account from being hijacked again, but I would personally be more worried about how they managed to route the attack through your IP address. There are other things besides your email account they could get into.

    edit: I had another thought. I can't confirm whether or not google logs an activity when the password is reset. If they don't, it's possible the attack originated elsewhere but you reset it before they could log in. In that case, changing your password and enabling 2 factor should be sufficient. Though you should also review your security questions/answers and any backup email addresses that are attached to the account. They had to reset your password somehow.

    LD50, Registered User regular
    Also, IIRC there was a slew of hashed passwords from the 2012 LinkedIn breach that were released into the wild a week or two ago.

    TetraNitroCubane, Registered User regular
    There have been a high number of credential breaches lately that were very high profile. Tumblr, LinkedIn, and a few sites of ill repute. The credentials are hitting the web fast, regardless of when the breaches initially were.

    Two Factor Auth is highly recommended on all services that provide it. I'd at the very least suggest everyone reading this right now turn it on for any GMail account you have, and additionally Amazon accounts and PayPal. It's nothing bulletproof, but it's a much needed second layer of protection.

    TetraNitroCubane, Registered User regular (edited June 2016)
    TetraNitroCubane wrote: »
    Two Factor Auth is ... nothing bulletproof.

    Just to touch on this point, people are already aggressively attempting to circumvent Google's two factor auth with phishing attacks. Perhaps transparent to most, but to some (like myself) it could be panic inducing enough to impair judgment.

    Nosf, Registered User regular
    Hello, Teamviewer account activation email in mostly Chinese! I'll just reset that password without activating and delete the account for ya. Flicking through my mail account I see some failed logins from ... China....Russia....Vietnam...what an annoyance.

    IceBurner, Registered User regular (edited June 2016)
    Wrong thread, mistakenly thought I was in PC Build.

    RT800, Registered User regular
    I apparently recently got a virus from an image on imgur linked off reddit.

    Looks like my antivirus caught it but still, what the hell, imgur? I thought you were safe.

    Also my antivirus listed Firefox as being a "vulnerable program", so I'm not sure what to make of that. Is there something better?

    TetraNitroCubane, Registered User regular
    Imgur is a big target for cross-site scripting, and redirect attacks. They've had a few high profile vulnerabilities in the past, and given the exposure they have, you can bet that more will be coming in the future.

    No website is safe. That should ever and always be our mentality as end users. The days of being infected only from "sketchy" sites are long gone, and the people launching these attacks will focus their efforts to hit popular, well trafficked, "safe" targets.

    As for your A/V calling Firefox vulnerable, are you running the most recent version of the browser? It could be that your A/V is flagging it for being out of date, perhaps? There are other browsers, of course, but I'm not sure if I'd call any of them more secure than any other. Except, you know, ancient versions of IE.

    Mr_Rose, Registered User regular
    It might also just be being bitchy about FF still supporting NPAPI plugins though.

    Shadowfire, Registered User regular
    TetraNitroCubane wrote: »
    Imgur is a big target for cross-site scripting, and redirect attacks. They've had a few high profile vulnerabilities in the past, and given the exposure they have, you can bet that more will be coming in the future.

    No website is safe. That should ever and always be our mentality as end users. The days of being infected only from "sketchy" sites are long gone, and the people launching these attacks will focus their efforts to hit popular, well trafficked, "safe" targets.

    As evidenced by the ransomware attacks that ran through ads on sites like New York Times and Drudge Report.

    RT800, Registered User regular (edited June 2016)
    TetraNitroCubane wrote: »
    As for your A/V calling Firefox vulnerable, are you running the most recent version of the browser? It could be that your A/V is flagging it for being out of date, perhaps? There are other browsers, of course, but I'm not sure if I'd call any of them more secure than any other. Except, you know, ancient versions of IE.

    I'm reasonably sure it's up-to-date. Auto-update is enabled and I haven't received any notifications that it needs to be updated, at any rate.

    BlazeFire, Registered User regular
    What's the generally accepted best practices for USB drive security? As in, I have a USB stick that I use on several pieces of equipment for sharing data but I've come to realize this can be a security problem. Is disabling autorun enough? (I'd think not)

    Handgimp, Registered User regular
    Honestly? Disabling USB entirely.

    BlazeFire, Registered User regular
    I still need to share data on occasion but one of them is not on a network.

    LostNinja, Registered User regular
    So I just updated to Windows 10, are there any things I should be sure to turn off for privacy/security? When it went through its initial install I think I turned pretty much all of the tracking features off, but just wanted to double check. Also, is there any harm in keeping the voice, inking and typing personalization turned on in order to use Cortana?

    And lastly, my current browser set-up is Firefox with Adblock (I don't think I'm savvy enough to use NoScript as well), is Edge a safer option? Or is there anything I should do with Edge to make it better than my Firefox setup?

    TetraNitroCubane, Registered User regular (edited June 2016)
    I'm uncertain as to the proper methods of hardening a Windows 10 install, as I've been putting off the upgrade for a while myself. If anyone has tips on that front, I'd love to hear them too. I know there's bound to be a bunch of things that should be done that aren't standard.

    On the topic of Firefox, though, one thing I would suggest for certain is to run a scriptblocker of some sort. Basically anything that will allow you to ensure that JavaScript runs on a whitelist basis is a must. That way even if a malicious item gets embedded in a trusted webpage, you have a good chance of neutering the attack before it can launch. In terms of Edge being more secure than Firefox, I'm not sure that's the case.

    For even higher security on the browser side, I recommend running the browser in a sandbox or VM environment.

    VoodooV, Registered User regular (edited June 2016)
    LostNinja wrote: »
    So I just updated to Windows 10, are there any things I should be sure to turn off for privacy/security? When it went through its initial install I think I turned pretty much all of the tracking features off, but just wanted to double check. Also, is there any harm in keeping the voice, inking and typing personalization turned on in order to use Cortana?

    And lastly, my current browser set-up is Firefox with Adblock (I don't think I'm savvy enough to use NoScript as well), is Edge a safer option? Or is there anything I should do with Edge to make it better than my Firefox setup?

    CIS Benchmark for Win10. https://benchmarks.cisecurity.org/downloads/show-single/?file=windows10.110

    but this is not for the faint of heart, because it is rather exhaustive. I haven't tried to harden a Win10 box yet, but we apply the Win7 equivalent at work. I work for state gov't and we get reviewed by the IRS every 3 years since they share federal data with us and they require that any machine that touches the data gets hardened. I can get to about 97 percent compliance before things start to break. The other disclaimer is that I've never tried to harden a home PC... just work PCs with known software.

    Orca, Registered User regular
    VoodooV wrote: »
    CIS Benchmark for Win10. https://benchmarks.cisecurity.org/downloads/show-single/?file=windows10.110

    but this is not for the faint of heart, because it is rather exhaustive. I haven't tried to harden a Win10 box yet, but we apply the Win7 equivalent at work. I work for state gov't and we get reviewed by the IRS every 3 years since they share federal data with us and they require that any machine that touches the data gets hardened. I can get to about 97 percent compliance before things start to break.

    Holy shit. You are not exaggerating in the slightest.

    VoodooV, Registered User regular (edited June 2016)
    Orca wrote: »
    Holy shit. You are not exaggerating in the slightest.

    Despite the 300+ settings, it's far easier to build a group policy to harden workstations and servers than it is to convince fellow IT staff that those settings need to be applied. It took forever to get all of our systems hardened, not because it broke anything (well, that's not true, it did break some things and we had to figure that stuff out)... just the FUD surrounding it. I think I had hardened my workstation and others for over a year with no issues and there was still a lot of "gosh, golly, well gee whiz, I dunno if we should take that step" for a long time. We still get a lot of FUD even now... anytime anything doesn't quite work right, the first reaction is always "must be the hardening, we have to turn it off".

    The goosey thing is that the pushback is pure 100 percent FUD and/or ideological objections to doing anything the IRS asks us to do. Yes, the irony of state employees objecting to the actually very reasonable guidelines of a federal agency is amusing/scary. One of our DBAs is an avid Drudge Report reader so I'll give you that picture to imagine.

    Xeddicus, Registered User regular
    They need to whip up a program to do all those settings for you, probably get a lot more people to try them then. :P

    Orca, Registered User regular (edited June 2016)
    Xeddicus wrote: »
    They need to whip up a program to do all those settings for you, probably get a lot more people to try them then. :P

    Make it customizable for a non-corporate environment and I'm right there with you.

    Huge swathes of it either aren't appropriate for or aren't relevant to me-as-the-end-user trying to secure my machine.

    Their password rules for one are guaranteed to make people either write them down or rely on the ol' incrementing password trick.

    Xeddicus, Registered User regular
    Oh yeah, totally need toggles for them all and huge warnings etc.

    VoodooV, Registered User regular
    The FIPS algorithm enforcement setting is what causes us the most headache since there are a lot of programs out there that don't use AES or 3DES... but that setting only enforces what encryption Windows uses; if the program in question has its own encryption engine, the setting doesn't affect that.

    As for the password settings, that only affects local accounts, not domain, but we set our domain accounts to match the same requirements. Combine that with KeePass, and users only need to remember two passwords, their domain account and their keepass password.

    VoodooV, Registered User regular
    Xeddicus wrote: »
    They need to whip up a program to do all those settings for you, probably get a lot more people to try them then. :P

    What I would love to do, if I knew anything about programming, is take all those hardening settings and build a program similar to IISCrypto with templates and saved profiles, etc.

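The CIS benchmark VoodooV links, the local password policy and FIPS enforcement settings he describes, and the autorun policy behind BlazeFire's USB-stick question all end up in the file that `secedit /export /cfg <file>` writes for a workstation. Below is an added example, not from the thread, from CIS or from Microsoft: a Python checker that parses an export in that format and scores it against a handful of checks, a small version of the tool Xeddicus and VoodooV wished existed. SAMPLE_EXPORT is a constructed excerpt (real exports are UTF-16 and run to hundreds of lines); the thresholds in CHECKS are illustrative assumptions, not the benchmark's published values; the key names and the `<type>,<data>` layout of registry entries are the ones secedit uses.

```python
import configparser

# Added example, not code from the thread or from CIS. Parses the INI-style file
# that `secedit /export /cfg <file>` writes and scores it against a few checks.
# The thresholds below are illustrative assumptions, not CIS's own numbers.

# Constructed excerpt of a secedit export; a real one is UTF-16 and much longer.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255
[Version]
signature="$CHICAGO$"
Revision=1
"""

FIPS_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled"
AUTORUN_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"

# (section, key, operator, expected). Illustrative thresholds, not the benchmark's.
CHECKS = [
    ("System Access", "MinimumPasswordLength", "min", 14),
    ("System Access", "PasswordComplexity", "eq", 1),
    ("System Access", "PasswordHistorySize", "min", 24),
    ("System Access", "LockoutBadCount", "range", (1, 10)),   # 0 means never lock out
    ("Registry Values", FIPS_KEY, "eq", 1),      # FIPS-only algorithms for Windows' own crypto
    ("Registry Values", AUTORUN_KEY, "eq", 255), # 0xFF: AutoRun disabled for every drive type
]


def parse_export(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; registry paths must match exactly
    cp.read_string(text)
    return cp


def read_int(cp: configparser.ConfigParser, section: str, key: str):
    """Return the integer value of a setting, or None if absent or not a DWORD."""
    if not cp.has_option(section, key):
        return None
    raw = cp.get(section, key).strip()
    if "," in raw:  # [Registry Values] entries are "<type>,<data>"; 4 is REG_DWORD
        rtype, data = raw.split(",", 1)
        if rtype.strip() != "4":
            return None
        raw = data
    return int(raw.strip())


def evaluate(cp: configparser.ConfigParser) -> list:
    results = []
    for section, key, op, expected in CHECKS:
        actual = read_int(cp, section, key)
        if actual is None:
            ok = False  # a missing setting is a failure, not a pass by default
        elif op == "eq":
            ok = actual == expected
        elif op == "min":
            ok = actual >= expected
        else:  # "range"
            ok = expected[0] <= actual <= expected[1]
        results.append({"setting": key.rsplit("\\", 1)[-1], "actual": actual,
                        "op": op, "expected": expected, "ok": ok})
    return results


def compliance_percent(results: list) -> float:
    return round(100 * sum(r["ok"] for r in results) / len(results), 1)


if __name__ == "__main__":
    res = evaluate(parse_export(SAMPLE_EXPORT))
    for r in res:
        print("PASS" if r["ok"] else "FAIL", r["setting"], r["actual"], r["op"], r["expected"])
    print(compliance_percent(res), "% compliant")
```

To run it against a real machine, export with `secedit /export /cfg out.inf`, read the file with `encoding="utf-16"`, and replace CHECKS with the benchmark's values. Two caveats from the thread carry over: a pass on the FIPS key only says what Windows' own cryptographic APIs will use, and tells you nothing about a program that ships its own crypto library; and `[System Access]` describes the local password policy, so domain accounts have to be checked in the domain policy separately.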
    furlion, Registered User regular (edited July 2016)
    I use KeePass to track and manage my passwords but I have a question concerning security. I usually use the built in generator to make my passwords, but they are gibberish. Are there any increased risks if I use a string of words and punctuation? Basically is there any way I can turn my 40 character Gmail gibberish password into a sequence of legible words without sacrificing a ton of safety? I use 2 factor of course.

    Mugsley, Registered User regular
    furlion wrote: »
    I use KeePass to track and manage my passwords but I have a question concerning security. I usually use the built in generator to make my passwords, but they are gibberish. Are there any increased risks if I use a string of words and punctuation? Basically is there any way I can turn my 40 character Gmail gibberish password into a sequence of legible words without sacrificing a ton of safety? I use 2 factor of course.

    https://xkcd.com/936/

    In short: yes

    furlion, Registered User regular
    I actually got the idea from that exact comic years ago but as the number of passwords I use increases my willingness to type out gibberish on my phone is waning.

    Mugsley, Registered User regular
    There's a password generator website, based on that comic. Maybe that's a place to start? Maybe think of a story or experience that reminds you of a given site, then pick words from that?

    Mr_Rose, Registered User regular
    Does KeePass not have an app for your phone?

    furlion, Registered User regular
    Mr_Rose wrote: »
    Does KeePass not have an app for your phone?

    It does but occasionally I need to type it into other places, like my PS4 to make purchases.

    Shadowfire, Registered User regular
    You could make the purchase on your phone through the Sony store, then use the PlayStation app to start the download.

    furlion, Registered User regular
    That does work but the PlayStation Store website and app run like shit so it is much faster to use the PS4 itself. I guess I was really just curious more than anything. I had seen the comic but did not want to hold an opinion based on a comic. Thanks for letting me know that it is in fact not a terrible idea. Although obviously 2FA is the biggest priority.

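furlion asked whether swapping a 40-character KeePass gibberish password for a string of words gives up much, and Mugsley answered with xkcd 936. The following is an added example, not from the thread or from KeePass: the entropy arithmetic behind that answer, with generators for both styles built on the `secrets` module. SAMPLE_WORDS is a constructed toy list; 7776 is the size of a standard Diceware or EFF word list and is what the comparison assumes.

```python
import math
import secrets
import string

# Added example, not code from the thread. Compares a random-character password with
# a random-word passphrase by entropy and generates both with the secrets module.

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed toy list for an offline demo; a real Diceware/EFF list has 7776 words.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "bishop", "canyon", "dagger",
    "ember", "falcon", "glacier", "harbor", "island", "jungle", "kettle", "lantern",
]


def entropy_bits_random(charset_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(charset_size)


def entropy_bits_passphrase(wordlist_size: int, words: int) -> float:
    """Bits in a passphrase of `words` words, each drawn uniformly from the list.
    Only valid when a generator picks the words; a phrase you compose yourself
    comes from a far smaller, very non-uniform space and this estimate does not apply."""
    return words * math.log2(wordlist_size)


def words_for_bits(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_random(length: int, alphabet: str = PRINTABLE) -> str:
    """Random-character password; secrets, never random, for anything secret."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int, sep: str = "-") -> str:
    """Diceware-style passphrase from any word list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(gibberish_length: int = 40, wordlist_size: int = 7776) -> dict:
    """How many random words match a 40-character random password, and what the
    more usual 80- and 128-bit targets cost in words instead."""
    gib = entropy_bits_random(len(PRINTABLE), gibberish_length)
    return {
        "gibberish_bits": round(gib, 1),
        "words_to_match_gibberish": words_for_bits(gib, wordlist_size),
        "words_for_80_bits": words_for_bits(80, wordlist_size),
        "words_for_128_bits": words_for_bits(128, wordlist_size),
        "six_word_bits": round(entropy_bits_passphrase(wordlist_size, 6), 1),
    }


if __name__ == "__main__":
    print(compare())
    print(generate_random(40))
    print(generate_passphrase(SAMPLE_WORDS, 6))  # toy list: only 4 bits per word
```

Six random Diceware words come to about 77.5 bits; seven clear 80 bits, ten clear 128, and it takes 21 to equal the 262 bits of a 40-character random string. So the swap does cost entropy, but a six- or seven-word generated phrase is still far beyond anything an online guessing attack reaches, and typing it on a PS4 is a different job from typing 40 symbols. The number only holds when the generator chooses the words: a phrase assembled from a story you remember is not a draw from 7776 equally likely words, and the arithmetic above says nothing about it.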
    DarkMecha, Registered User regular
    Security question: Originally my gmail account was just used for email, but that was a long time ago and since it's now tied to my smart phone, a ton of other accounts and all that I worry about security. I have two factor authentication and haven't seen any weird activity but I wonder - would it be worth creating two new Google accounts, using one only as a private one for accounts and the other just as an email address I give out and sign up for things with? (and then eventually deleting the old original one) Or is that just overkill?

    Xeddicus, Registered User regular
    I do that and I'm not really worried about security. Having a spam email account is a good idea in general. Then you can even make more for specific other things. I say go for it.

    Mugsley, Registered User regular
    Same here. I have a separate email account that I use for signing up on sites that I don't care about, or if I'm concerned they will likely sell my information (like, say, a Boingo hotspot in Miami International Airport.......you dirty bastards and your not-free wifi)

    VoodooV, Registered User regular
    They found a security flaw in nvidia drivers. Time to update if you haven't already https://www.us-cert.gov/ncas/bulletins/SB16-319

    Orca, Registered User regular
    VoodooV wrote: »
    They found a security flaw in nvidia drivers. Time to update if you haven't already https://www.us-cert.gov/ncas/bulletins/SB16-319

    oh, shit.
