
Got hacked, need advice

Joined
Jul 25, 2006
Messages
13,940 (2.04/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality Fractal Design Define R4 case, 2 x FD 140mm fans, CM Hyper 212 EVO HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
I don't like password managers that are software installed on one machine. I don't use one machine. I use many machines, over different OS's, and in many different locations. Laptop A, desktop B, phone C, Work A, Work B, House A, House B, Friend C, Client D, etc. And can you imagine the grief if your password file got lost or corrupted?

Why do people keep recommending password managers that are local, and are not cloud based? It makes no sense unless you are chained to your mum's basement.
Well, my mom passed 25 years ago, so that's not it.

Just because you don't understand something, that does not mean it makes no sense.

If you regularly use multiple devices in different locations and regularly need access to your passwords, then a cloud based manager might make sense for you. But don't think for a second that cloud based managers are just as secure as local managers. If you think that, see this: LastPass security breach was worse than you’ve heard. Here’s what to do. (msn.com)

Also, just because a manager is local, that does not mean it can only be used on a single computer. The Password Safe program I mentioned above (like most others) can easily be installed on multiple computers. Then the user simply needs to copy (or export/import) the database file on to the other systems. I do this with my password manager on my 3 primary systems here. Piece of cake. In fact, since my 3 computers are on my network, I can simply drag and drop the databases. But it is not hard to copy it to a thumb drive and carry it to the office, for example (which is what I did before I retired from my old job and actually "went" to a place of work).

Yes, it means one manager might eventually get out of date, but, even with 500 entries in my manager, I am NOT constantly adding or changing passwords every day. So I can easily go months without needing to "resync", as it were.
 
Joined
Mar 14, 2014
Messages
1,503 (0.37/day)
Processor 11900K
Motherboard ASRock Z590 OC Formula
Cooling Noctua NH-D15 using 2x140mm 3000RPM industrial Noctuas
Memory G. Skill Trident Z 2x16GB 3600MHz
Video Card(s) eVGA RTX 3090 FTW3
Storage 2TB Crucial P5 Plus
Display(s) 1st: LG GR83Q-B 1440p 27in 240Hz / 2nd: Lenovo y27g 1080p 27in 144Hz
Case Lian Li Lancool MESH II RGB (I removed the RGB)
Audio Device(s) AKG Q701's w/ O2+ODAC (Sounds a little bright)
Power Supply Seasonic Prime 850 TX
Mouse Glorious Model D
Keyboard Glorious MMK2 65% Lynx MX switches
Software Win10 Pro
@DuxCro Well the point of asking about your grammar is that if you have a period in your Gmail then your account is not the master account.



Example. DuxCro@gmail is the master account for Dux.Cro@gmail. I learned about this because someone had made a Gmail identical to mine but with a period. I got all their emails and they got none of mine.
 
Joined
Feb 23, 2019
Messages
6,422 (2.85/day)
Location
Poland
Processor Ryzen 7 5800X3D
Motherboard Gigabyte X570 Aorus Elite
Cooling Thermalright Phantom Spirit 120 SE
Memory 2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s) RTX3080 Ti FE
Storage SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s) LG 34GN850P-B
Case SilverStone Primera PM01 RGB
Audio Device(s) SoundBlaster G6 | Fidelio X2 | Sennheiser 6XX
Power Supply SeaSonic Focus Plus Gold 750W
Mouse Endgame Gear XM1R
Keyboard Wooting Two HE
@DuxCro Well the point of asking about your grammar is that if you have a period in your Gmail then your account is not the master account.



Example. DuxCro@gmail is the master account for Dux.Cro@gmail. I learned about this because someone had made a Gmail identical to mine but with a period. I got all their emails and they got none of mine.
That is so f... stupid on Google's part.

Edit:
Your Gmail address is unique. If anyone tries to create a Gmail account with a dotted version of your username, they'll get an error saying the username is already taken.
For example, if your address is johnsmith@gmail.com, no one can sign up for j.o.h.n.s.m.i.t.h@gmail.com.
Your account is still private and secure. Emails sent to any dotted version of your address will only go to you.
For example, johnsmith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com are the same address and go to one inbox.
 
Joined
Aug 30, 2006
Messages
7,238 (1.06/day)
System Name ICE-QUAD // ICE-CRUNCH
Processor Q6600 // 2x Xeon 5472
Memory 2GB DDR // 8GB FB-DIMM
Video Card(s) HD3850-AGP // FireGL 3400
Display(s) 2 x Samsung 204Ts = 3200x1200
Audio Device(s) Audigy 2
Software Windows Server 2003 R2 as a Workstation now migrated to W10 with regrets.
... it is not hard to copy it to a thumb drive and carry it to the office, for example
Please don't advocate putting passwords on keysticks and carrying them around or inserting them into 3rd party computers!

 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
20,037 (2.86/day)
Location
norr
System Name Black MC in Tokyo
Processor Ryzen 5 7600
Motherboard MSI X670E Gaming Plus Wifi
Cooling Be Quiet! Pure Rock 2
Memory 2 x 16GB Corsair Vengeance @ 6000Mhz
Video Card(s) XFX 6950XT Speedster MERC 319
Storage Kingston KC3000 1TB | WD Black SN750 2TB |WD Blue 1TB x 2 | Toshiba P300 2TB | Seagate Expansion 8TB
Display(s) Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case Fractal Design Define R4
Audio Device(s) Plantronics 5220, Nektar SE61 keyboard
Power Supply Corsair RM850x v3
Mouse Logitech G602
Keyboard Dell SK3205
Software Windows 10 Pro
Benchmark Scores Rimworld 4K ready!
Yeah, that's really the worst advice - ever.

Years ago I was at a security seminar and one of the guest speakers was a [hopefully - supposedly] reformed house burglar. He said there are several types of burglars. One of the most common is just someone looking for cash, or something he/she can sell/pawn/fence quickly for cash so they can score their next fix. These types typically are in and out quickly.

Another type is one (often working in pairs) who take a little more time, looking for more high-value items, like computers. He explained one of his common practices was to sit down at the victim's computer desk, and take a quick look around at everything that was within arm's reach - such as desk drawers, under keyboards, index card boxes, binders, etc. looking for written down passwords. He said they found them a lot - along with credit card numbers, PINs, social security numbers and more.

What is better for a mostly tech-illiterate but very much security focused (meaning security doors and sensible practices when it comes to unknown visitors and being generally paranoid about security) elderly person with fingers that don't work well with touch interfaces: having one easily remembered password for everything or generate and print an A4 worth of random strings and write down next to those strings what it belongs to, and having that paper tucked away in a non-obvious place? In that person's case it was absolutely the latter. Writing stuff can be fine, but it also depends on where you live and what it is. If you live in a barbaric country where SSNs are authenticators and banks use passwords instead of proper hardware 2FA, sure don't.
 
Joined
Aug 30, 2006
Messages
7,238 (1.06/day)
System Name ICE-QUAD // ICE-CRUNCH
Processor Q6600 // 2x Xeon 5472
Memory 2GB DDR // 8GB FB-DIMM
Video Card(s) HD3850-AGP // FireGL 3400
Display(s) 2 x Samsung 204Ts = 3200x1200
Audio Device(s) Audigy 2
Software Windows Server 2003 R2 as a Workstation now migrated to W10 with regrets.
^this, real world, situation.

Please teach elderly/anyone that if they WRITE DOWN passwords on paper, they need to add a cypher or added secret.

e.g. I write down lemonade but my private cypher is that every e is a 3 and a L is a 1, ie. write down lemonade but the actual password is 13monad3

If that is too difficult for said user, then get them to add .1A at the start or end of each password they write down, i.e. write down lemonade, actual password is lemonade.1A

Never never write down full and complete passwords!
 
Joined
Jul 30, 2019
Messages
3,706 (1.77/day)
System Name Still not a thread ripper but pretty good.
Processor Ryzen 9 7950x, Thermal Grizzly AM5 Offset Mounting Kit, Thermal Grizzly Extreme Paste
Motherboard ASRock B650 LiveMixer (BIOS/UEFI version P3.08, AGESA 1.2.0.2)
Cooling EK-Quantum Velocity, EK-Quantum Reflection PC-O11, D5 PWM, EK-CoolStream PE 360, XSPC TX360
Memory Micron DDR5-5600 ECC Unbuffered Memory (2 sticks, 64GB, MTC20C2085S1EC56BD1) + JONSBO NF-1
Video Card(s) XFX Radeon RX 5700 & EK-Quantum Vector Radeon RX 5700 +XT & Backplate
Storage Samsung 4TB 980 PRO, 2 x Optane 905p 1.5TB (striped), AMD Radeon RAMDisk
Display(s) 2 x 4K LG 27UL600-W (and HUANUO Dual Monitor Mount)
Case Lian Li PC-O11 Dynamic Black (original model)
Audio Device(s) Corsair Commander Pro for Fans, RGB, & Temp Sensors (x4)
Power Supply Corsair RM750x
Mouse Logitech M575
Keyboard Corsair Strafe RGB MK.2
Software Windows 10 Professional (64bit)
Benchmark Scores RIP Ryzen 9 5950x, ASRock X570 Taichi (v1.06), 128GB Micron DDR4-3200 ECC UDIMM (18ASF4G72AZ-3G2F1)
^this, real world, situation.

Please teach elderly/anyone that if they WRITE DOWN passwords on paper, they need to add a cypher or added secret.

e.g. I write down >>lemonade<< but my private cypher is that every e is a 3 and a L is a 1, ie. write down >>lemonade<< actual password is #13monad3#

If that is too difficult for said user, then get them to add .1A at the start or end of each password they write down, i.e. write down >>lemonade<<, actual password is lemonade.1A

Never never write down full and complete passwords!
Another way to look at it is if you need to write it down (or store it somewhere questionable) insert a part into the password that you know and can recognize is incorrect.
 
Joined
Jul 25, 2006
Messages
13,940 (2.04/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality Fractal Design Define R4 case, 2 x FD 140mm fans, CM Hyper 212 EVO HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
Please don't advocate putting passwords on keysticks and carrying them around or inserting them into 3rd party computers!
Of course not!!! I would never do that. I was referring to my specific scenario where my work computer was specifically assigned to me, and only I used it, and only I had the log in credentials to use that specific computer. And in my case, my office was in a secure building, NOT open to the public either - with only a small handful of coworkers having access to that office, each of whom had their own work computers. So in that respect, it was NOT a 3rd party computer.

Also, for every password manager I have seen, used or would ever recommend (and I have used and/or tested and evaluated many for other clients), the database is always encrypted. So even if that memory stick did fall into the wrong hands, if the file format could be determined (not necessarily a simple feat), the password database would still be encrypted - typically with 256-bit AES encryption.
HOWEVER - I was remiss for not making that clear and I thank @lemonadesoda for pointing that out. :toast: And I agree completely. Never, as in NEVER EVER insert any thumb drive/memory stick into a 3rd party computer, especially if it has public access, or if you don't have full knowledge of its security stance.

Well the point of asking about your grammar is that if you have a period in your Gmail then your account is not the master account.
That is so f... stupid on Google's part.
Not really. In fact, it is not necessarily a bad thing at all because users/owners of these accounts can take advantage of that to create almost an infinite number of unique email addresses that all go back to the master account. And it is not just with the period either.

Here's how that works. Let’s assume you created a Gmail account using the address of bilbo.baggins@gmail.com. Simply add the plus sign (+) after the username and Gmail will ignore everything after the + in the address. Example, bilbo.baggins+xyzsite@gmail.com or bilbo.baggins+zyxsite+account@gmail.com. Gmail will also ignore any plus sign (+) or dot (.) in the username. For example, bil.bo+bag.gins@gmail.com, bi.lbobaggins@gmail.com, and bilbobaggins@gmail.com all work. Any email sent to any of those addresses will come to your real address, but will also show which variation was used.

So, let's say you want to finance a car at "Bubba's Reliable Used Car Emporium" and they insist you give them your email address. You are hesitant because you believe they will sell your email to a bunch of spammers, even though Bubba promises they would never do that. :rolleyes: So instead of giving them your master address, you can give them bil.bo.baggins+BRUCE@gmail.com. It will work. And if you start getting a bunch of spam to that +BRUCE address, you will know Bubba lied.

In effect, you can use a different email address for every site you join, yet view and manage them all with your master account. Pretty cool, actually.

The "f... stupid" part is retailers and other sites who fail to verify email addresses before adding new addresses to their mailing list. :mad::mad::mad: For example, and this is true, someone bought a brand new Hyundai car from Hyundai of Chantilly in Chantilly, Virginia. Like Upgrayedd, they used a gmail email address similar to mine. I started to get all kinds of emails from Hyundai of Chantilly and Hyundai Corp. thanking me for my business, and several other auto related businesses offering me service package deals and more.

It would not have happened if, like a lot of other places, they (easily programmed in their system) sent an email to that registered address requiring me to click a link to verify (or ignore to cancel) before their system completed the registration process and added that address to their databases. But they failed to do that. :(
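An added example, not part of the original post and not code from Gmail or any retailer: a sign-up handler that reduces Gmail dot and plus variants to one canonical mailbox, keeps the +tag so a leaked alias can be traced to the site it was given to, and only adds an address to the list after the mailbox owner returns a signed confirmation token. The `MailingList` class, the token layout and the sample secret are assumptions made for this sketch.

```python
import hashlib
import hmac
import time


def split_gmail(address):
    """Return (canonical_address, tag).

    For gmail.com, dots in the local part are ignored and everything from
    the first '+' onward is a tag. Other domains are returned unchanged
    apart from a lower-cased domain, with tag None.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain != "gmail.com":
        return f"{local}@{domain}", None
    base, _, tag = local.partition("+")
    return f"{base.replace('.', '').lower()}@gmail.com", (tag or None)


class MailingList:
    """Double opt-in: nothing is stored until the emailed token comes back."""

    def __init__(self, secret, ttl=86400):
        self._secret = secret      # server-side key, never sent to clients
        self._ttl = ttl            # seconds a confirmation link stays valid
        self.confirmed = {}        # canonical mailbox -> address as typed

    def _sign(self, address, expires):
        msg = f"{address}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_signup(self, address, now=None):
        """Return the token to put in the confirmation link mailed to `address`."""
        split_gmail(address)       # rejects malformed input early
        expires = int(time.time() if now is None else now) + self._ttl
        return f"{expires}.{self._sign(address, expires)}"

    def confirm(self, address, token, now=None):
        """Add `address` only if the token is unexpired and was issued for it."""
        now = time.time() if now is None else now
        expires_s, _, mac = token.partition(".")
        try:
            expires = int(expires_s)
        except ValueError:
            return False
        if expires < now:
            return False
        expected = self._sign(address, expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        canonical, _ = split_gmail(address)
        self.confirmed.setdefault(canonical, address)  # dedupe dot/plus variants
        return True
```

If the address was mistyped at the counter, the confirmation mail lands in someone else's inbox, the link is never followed, and the address never reaches the list.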
 
Joined
Mar 14, 2014
Messages
1,503 (0.37/day)
Processor 11900K
Motherboard ASRock Z590 OC Formula
Cooling Noctua NH-D15 using 2x140mm 3000RPM industrial Noctuas
Memory G. Skill Trident Z 2x16GB 3600MHz
Video Card(s) eVGA RTX 3090 FTW3
Storage 2TB Crucial P5 Plus
Display(s) 1st: LG GR83Q-B 1440p 27in 240Hz / 2nd: Lenovo y27g 1080p 27in 144Hz
Case Lian Li Lancool MESH II RGB (I removed the RGB)
Audio Device(s) AKG Q701's w/ O2+ODAC (Sounds a little bright)
Power Supply Seasonic Prime 850 TX
Mouse Glorious Model D
Keyboard Glorious MMK2 65% Lynx MX switches
Software Win10 Pro
@DuxCro know what a period is now?
 
Joined
Aug 30, 2006
Messages
7,238 (1.06/day)
System Name ICE-QUAD // ICE-CRUNCH
Processor Q6600 // 2x Xeon 5472
Memory 2GB DDR // 8GB FB-DIMM
Video Card(s) HD3850-AGP // FireGL 3400
Display(s) 2 x Samsung 204Ts = 3200x1200
Audio Device(s) Audigy 2
Software Windows Server 2003 R2 as a Workstation now migrated to W10 with regrets.
Another way to look at it is if you need to write it down (or store it somewhere questionable) insert a part into the password that you know and can recognize is incorrect.

Yep. I do that with bank card and credit card PIN numbers. e.g. 4 digit PIN. Write down 7 digits. The first middle and last are bogus. Put an area code in front of it, and people will think it is a telephone number.
 

Dux

Joined
May 17, 2016
Messages
511 (0.16/day)
days of struggle it took me. Even got locked out of this site couldn't get back because my email for this site was hacked as well. Outlook address. Got back to my Gmails, my Twitch was hijacked as well so had to get it back with Twitch support. Just got back on Outlook. Looked at activity I see it has been tried to get into since December. My phone number somehow intercepted. Via SIM swap method or whatever. Broken into everywhere where it was used for 2FA. I ran Avira rescue from thumb drive with Linux to scan entire disk to make sure nothing in MBR, Malwarebytes premium full scan with rootkit scan and ESET NOD full system scan. And that was AFTER I deleted and reformatted all partitions on drive and installed new Windows. Now I am super paranoid about security. hikad14796@v3dev(dot)com <<< fuckers mail. Sent him a mail from disposable alias mentioning him and some goats.

Edit.
How can I make sure that my router's firmware hasn't been messed with? I did reset it and I changed the password. Unfortunately for this router I cannot find firmware on manufacturer's site. Only option I see in the router's configuration page to check online for update, which it says is not available. I see only 1 device connected to router and it is my MAC address. But still not sure if I can check somehow to be 100% sure firmware hasn't been modified to intercept my data and send it to attacker. I remember Huawei was doing that by design in their routers and other devices and are/were? banned from USA market AFAIK.
 

Last edited by a moderator:
Joined
Nov 16, 2007
Messages
1,264 (0.20/day)
Location
Hampton Roads
Processor Xeon x5650
Motherboard SABERTOOTH X58
Cooling Fans
Memory 24 GB Kingston HyperX 1600
Video Card(s) GTX 1060 3GB
Storage small ssd
Display(s) Dell 2001F, BenQ short throw
Case Lian Li
Audio Device(s) onboard
Power Supply X750
Software Mint 19.3, Win 10
Benchmark Scores not so fast...
You ever figure out the different IP address prob?
 
Joined
Nov 16, 2007
Messages
1,264 (0.20/day)
Location
Hampton Roads
Processor Xeon x5650
Motherboard SABERTOOTH X58
Cooling Fans
Memory 24 GB Kingston HyperX 1600
Video Card(s) GTX 1060 3GB
Storage small ssd
Display(s) Dell 2001F, BenQ short throw
Case Lian Li
Audio Device(s) onboard
Power Supply X750
Software Mint 19.3, Win 10
Benchmark Scores not so fast...
Speaking about cookies, is there a way to permanently reject that garbage?

Also I see my IP keeps changing between 2 different IPs. Same country, but I can just refresh "what is my IP" web site and it will alternate between the 2. This normal since I have no static IP?
First page
 

Count von Schwalbe

Nocturnus Moderatus
Staff member
Joined
Nov 15, 2021
Messages
3,442 (2.74/day)
Location
Knoxville, TN, USA
I believe all extant router malware cannot survive a reboot. Best to keep all previously infected devices off of the network until you have done so, otherwise you risk reinfection.
 

Dux

Joined
May 17, 2016
Messages
511 (0.16/day)
First page
idk. I use 4G router. I think it's something with that. When I check my IP, location jumps all over the country. That is normal and has always been like that with this provider.

Btw, does anyone know if there is some method of automatically clearing all cookies and browsing data upon closing web browser? Firefox in this case.


Edit.
Answered my own question in the meantime. Private browsing in Firefox does exactly that.
 
Last edited by a moderator:
Joined
Nov 16, 2007
Messages
1,264 (0.20/day)
Location
Hampton Roads
Processor Xeon x5650
Motherboard SABERTOOTH X58
Cooling Fans
Memory 24 GB Kingston HyperX 1600
Video Card(s) GTX 1060 3GB
Storage small ssd
Display(s) Dell 2001F, BenQ short throw
Case Lian Li
Audio Device(s) onboard
Power Supply X750
Software Mint 19.3, Win 10
Benchmark Scores not so fast...
It is in settings. Where exactly, not sure
 