Security and privacy Q&A

A thread for discussing occasional security and privacy concerns. Fair warning, it’s kind of become a “everything that JoeS worries about” thread, but please chime in with your own concerns.

First question: going to a dodgy sports streaming site using Firefox, I get a single Windows Firewall popup stating that a program is asking to be let through the firewall. Like this:

[image: Windows Firewall popup]

The question, what kind of nefarious actions could a page take when it’s given access? Can’t a page already send info back and forth? Is this site trying some insecure protocol?

Cool topic, I’m looking forward to the various responses.

The scariest thing we’ve seen recently was a security hole in Apple’s Safari (since patched, BTW) where the hole allowed a memory dump/snapshot of the entire contents of RAM.

The vulnerability potentially was that if you were at any site that was lax in their own security, the info exposed could then potentially be harvested. For example, the old TPCR site sent and received user name and password info in plain text.

Aaaahhh!! That is very frightening. Another discussion I’d like to have later is how easy it is for apps to get to passwords stored in the browser. I mentioned on here a while ago that I was pretty shocked that Firefox could slurp all my passwords from Edge without so much as a UAC prompt. Maybe I should get one of those newfangled password managers after all…

1 Like

I wonder what’s up with Yahoo lately. I know there was a major data leak with Yahoo a few years ago, but a few weeks ago I changed my Yahoo password and yesterday Apple already warned me that the password was leaked. I only used that password on one other website, which I’m very careful to only use on my iPhone and never saved the password, so I wonder which side caused the leak.

1 Like

It may have leaked, but I think you also get that warning even if it wasn’t you who used that password. If the password itself (no matter who used it) is available in online lookup tables, any account that uses that same password is now more vulnerable. So there might not be a leak, it might just be that the password was not as unique as you thought.

1 Like
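The “warning even if it wasn’t you” point above is how the big password-leak checkers work: they compare your password’s hash against a corpus of hashes from public dumps, and they do it without ever receiving the full password. The example below is added here and is not code from anyone in this thread; it mirrors the k-anonymity range scheme used by the Pwned Passwords API (SHA-1, send the first 5 hex characters, compare suffixes locally) against a small constructed corpus with made-up counts. The function and variable names are mine.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> number of times it was
# seen in dumps. The counts are made up for this demo; the real service holds
# hundreds of millions of entries.
CONSTRUCTED_BREACH_COUNTS = {
    "password": 1200,
    "123456": 980,
    "qwerty": 310,
    "letmein": 45,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(counts: dict) -> dict:
    """Server side: index the corpus by full hash -> occurrence count."""
    return {sha1_hex(pw): n for pw, n in counts.items()}


def range_query(corpus: dict, prefix: str) -> list:
    """Server side: answer a range request.

    The server only ever sees the 5-character prefix and returns every
    suffix sharing it, so it cannot tell which password the client holds.
    """
    assert len(prefix) == 5, "range queries carry exactly five hex characters"
    return [(h[5:], n) for h, n in corpus.items() if h.startswith(prefix)]


def check_password(corpus: dict, password: str) -> int:
    """Client side: send the prefix, compare suffixes locally.

    Returns how many times the password appeared in the corpus (0 = not seen).
    """
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for cand_suffix, n in range_query(corpus, prefix):
        if cand_suffix == suffix:
            return n
    return 0


if __name__ == "__main__":
    corpus = build_corpus(CONSTRUCTED_BREACH_COUNTS)
    for pw in ["password", "correct horse battery staple"]:
        seen = check_password(corpus, pw)
        verdict = f"seen {seen} times in dumps, change it" if seen else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

A hit means the password itself is in circulation, regardless of which account it was taken from, which is exactly why the warning fires even when your own account was never breached.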

I’m starting to think that since umpteen millions of passwords have “leaked” over the years, and are “out there”, it’s becoming meaningless unless there’s also a “leaked” connection to your log-in for that particular password.

I still take note of the occasional haveIbeenpwned email, and check if that account matters to me. In that case it often is your actual account that has been leaked.

Aside from actual account info leaks, using passwords that are “out there” carries real risk: if some company (say Ashley Madison) leaks their entire encrypted (one would hope) but unsalted (not scrambled additionally by the site) password database, hackers can very quickly look up the password belonging to the encrypted version (the ‘hash’). So one screwup by a major company could lead to hackers getting into your account faster than you can change your password.

On that note, after the breach/leak, people are working hard to brute-force decrypt any other passwords in the dump that aren’t yet tabulated, so now the clock is ticking on securing your account. Long story short: use unique complex passwords, and keep an eye on reports of database leaks.

And maybe… “don’t ever store passwords right in the browser”, but I’m still trying to figure that last one out. :slight_smile:

1 Like
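To make the unsalted-versus-salted point above concrete: the example below is added here and is not code from anyone in this thread. It builds a tiny constructed user database two ways, once as bare SHA-256 hashes and once with a per-user random salt and PBKDF2, and shows that a precomputed lookup table recovers accounts from the first store instantly but matches nothing in the second. All names, the candidate list and the user records are constructed for the demo.

```python
import hashlib
import os

# Constructed "leaked" candidate list that an attacker would pre-hash once.
# Real lists run to billions of entries; five are enough to show the mechanism.
CONSTRUCTED_CANDIDATES = ["password", "123456", "letmein", "sunshine", "hunter2"]

# Constructed user database (plaintexts known only so both stores can be built).
CONSTRUCTED_USERS = {
    "alice": "sunshine",
    "bob": "hunter2",
    "carol": "Xk9#vLq2!pR8wT",  # unique; appears in no candidate list
}


def unsalted_hash(password: str) -> str:
    """The weak store: one deterministic hash, identical for every site and user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """The hardened store: per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Iteration count kept modest so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_unsalted(users: dict) -> dict:
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)           # fresh random salt per account
        out[u] = (salt, salted_hash(p, salt))
    return out


def build_lookup_table(candidates: list) -> dict:
    """What the attacker precomputes once: hash -> plaintext for every candidate."""
    return {unsalted_hash(c): c for c in candidates}


def recover_with_table(unsalted_store: dict, table: dict) -> dict:
    """Against an unsalted dump every account costs one dictionary lookup."""
    return {u: table[h] for u, h in unsalted_store.items() if h in table}


def table_hits_on_salted(salted_store: dict, table: dict) -> dict:
    """The same table against a salted dump: stored values are PBKDF2 outputs
    under per-user salts, so no precomputed SHA-256 can ever match."""
    return {u: table[h] for u, (_salt, h) in salted_store.items() if h in table}


def guesses_needed(n_users: int, n_candidates: int) -> dict:
    """Hash operations to try every candidate against every account.
    Unsalted: the table is built once and reused across all users and sites.
    Salted: every candidate must be re-derived under each user's own salt."""
    return {"unsalted": n_candidates, "salted": n_users * n_candidates}


if __name__ == "__main__":
    table = build_lookup_table(CONSTRUCTED_CANDIDATES)
    print("unsalted store:", recover_with_table(store_unsalted(CONSTRUCTED_USERS), table))
    print("salted store:  ", table_hits_on_salted(store_salted(CONSTRUCTED_USERS), table))
    print("work factor:   ", guesses_needed(len(CONSTRUCTED_USERS), len(CONSTRUCTED_CANDIDATES)))
```

Note that carol is not recovered even from the unsalted store, because her password is in no candidate list: the salt removes the shortcut, but a unique password is what keeps you off the list in the first place.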

Thanks for the perspective.

As to saving passwords in the browser or places like Apple Keychain, I have had weak, old, repeated passwords show in “leaks”, but in the years since I started replacing them with 12-digit unique passwords—always saved, too—not a single one has ever shown up “leaked”.

FWIW

1 Like

BTW regarding the brute forcing of passwords contrasted with the “random” passwords that for example Safari offers up, we believe that just making the passwords significantly longer is 95% as effective as a string of random characters due to the way the cracking methods work.

As long as you avoid obvious keywords like “password” or family members’ names, something like “thiswhatIusetoaccessthiswebsite!” is virtually as effective as “gddhf6rew>” or whatever, and the benefit for a lot of people is that they are a lot easier to remember.

You also should change them on a periodic basis.

And don’t do what one of our customers did, which was to create a note file on his system called “password list” :frowning:

4 Likes
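To put numbers on the length-versus-randomness comparison in the post above, here is an added example that is not code from anyone in this thread. It estimates the brute-force search space for the two passwords quoted in the post from their length and character classes, adds the tighter word-by-word bound that applies when a passphrase is built from dictionary words, and runs the “obvious keyword” check the post recommends. The class sizes follow printable ASCII; the 20,000-word dictionary size and the blocklist entries are assumptions for the demo.

```python
import math
import string

# Character classes and their sizes for a brute-force keyspace estimate.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digit", set(string.digits)),            # 10
    ("symbol", set(string.punctuation)),      # 32 printable ASCII symbols
]


def alphabet_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, given the classes present."""
    chars = set(pw)
    return sum(len(cls) for _name, cls in CLASSES if chars & cls)


def brute_force_bits(pw: str) -> float:
    """Upper bound: bits of search if the attacker knows only the length and
    which character classes are in use."""
    return len(pw) * math.log2(alphabet_size(pw))


def wordlist_bits(n_words: int, dictionary_size: int) -> float:
    """Tighter bound for a passphrase made of dictionary words: the attacker
    guesses word by word rather than character by character."""
    return n_words * math.log2(dictionary_size)


def has_obvious_token(pw: str, blocklist) -> bool:
    """Case-insensitive substring check against known-bad tokens."""
    low = pw.lower()
    return any(tok.lower() in low for tok in blocklist)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try the whole space at a given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def assess(pw: str, blocklist, n_words=None, dictionary_size=20_000) -> dict:
    """Summarise a password. n_words is given only for word-built passphrases."""
    bits = brute_force_bits(pw)
    if n_words:
        bits = min(bits, wordlist_bits(n_words, dictionary_size))
    return {
        "length": len(pw),
        "alphabet": alphabet_size(pw),
        "bits": round(bits, 1),
        "obvious_token": has_obvious_token(pw, blocklist),
        # assumed attacker rate of 1e10 guesses/s against a fast unsalted hash
        "years_at_1e10_per_s": years_to_exhaust(bits, 1e10),
    }


if __name__ == "__main__":
    BLOCKLIST = ["password", "smith", "1234"]            # assumed family/obvious tokens
    for pw, n_words in [("gddhf6rew>", None),
                        ("thiswhatIusetoaccessthiswebsite!", 8),
                        ("MyPassword2022!", None)]:
        print(pw, assess(pw, BLOCKLIST, n_words))
```

Even with the word-level bound applied, the 32-character passphrase comes out well ahead of the 10-character random string, while the third sample shows why the keyword check matters: plenty of length, but it fails on the blocklist.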

I did that, but instead I write hints that only I understand. I know it’s a bad idea, but it’s hard to make an easy-to-remember password when many of those sites force you to “make a password longer than 8 characters with numbers, uncapped and capped words and a special symbol”. I can’t remember which sites require it and which don’t, and then the requirement to “change password every six months, and make it different from your last 5 passwords” further makes it a big hassle. It’s just easier said than done. I would sooner be locked out of my own account than be hacked :frowning_face:

Oh, and my file wasn’t called “password list” :rofl:

3 Likes

Duck Duck Go browser coming to the Mac.

I like what they are trying to do, but they will never get at the root of the actual problems as long as it’s WebKit/Chromium based, as there are lots of ways for someone determined to track you to do so.

OTOH it’s very fast especially compared to Google Chrome which is a dog on the Mac.

DuckDuckGo Browser for Mac Launches in Beta With Emphasis on Privacy and Speed - MacRumors

1 Like

I hate what we have to do with passwords but it’s a necessary evil I suppose. I have a paper book at home with all my passwords in - all usually 18+ characters long and never the same for more than one website.

My partner however is the constant source of problems - she has a tendency to click WhatsApp links from friends before she realises what she’s done. Recently a farmer friend known for sending lambing videos fell for the Cadbury’s Easter Egg scam and her WhatsApp account started sending spam Easter Egg emails - at least 5 in her associates and friends group clicked the link despite a preview of the contents clearly showing that it was the now infamous Easter Egg scam and not a new set of baby lamb videos.

I’ve tried everything I can to educate Sarah… she now uses different passwords for different accounts, although she does fall for links from friends’ emails. What is scary is that many of her friends at work all use simple passwords for their work and pay accounts. I’ve at least managed to get Sarah to use online banking with a very specific second email account on her own iPad, where she has no other accounts or contact with friends.
Her phone however… I dread to think what goes on there.

Congrats! I know the challenge. The upside of the current situation is that I know how to log into almost any service that my gf uses, without ever having to look up the password. :vb-grin:

1 Like

Another question for the thread where @JoeS shares his ignorance… Decades ago I got the feeling that it was a bad idea to leave your computer on and connected to the internet overnight. But is that actually true? Best case you halve the number of port scans that reach your machine, and you save some electricity. Downside is your machine might not get those overnight security updates, and doesn’t perform those occasional OS optimization tasks. What’s the best practice?

That’s actually an interesting conundrum. With our work systems, we leave them on which allows updates, scans etc. to proceed, but we are also behind a corporate firewall and security system.

At home I always shut my systems down at night. The downside is that I have to frequently update my system with app and OS updates. However that definitely comes from experience combined with paranoia.

I unfortunately had one of the Xfinity/Comcast modem routers a few years back that had an un-patchable exploit which gave root access to the device, including admin privileges. I’m also, because of the job, a compulsive Sniffer Pro user.

So one morning very early, I noticed far more apparent network traffic than I by myself should have been generating. Come to find out, both my son’s and daughter’s systems had been hijacked into being bots for a denial of service attack.

After remedying that, which included basically reloading my son’s system from scratch, I’ve been paranoid, and the thinking is that if it’s on I can see what’s going on, at least in the broad sense.

And of course my son’s HP was one that had the HP health check app vulnerability that allowed rogue BIOS images to be installed.

2 Likes

This is not helping my paranoia! :sweat_smile: Still though, even in that case, is there any benefit to turning the machine off at night other than delaying the inevitable? Would any of these remote accessible exploits do anything that the user would see, like visible powershell or cmd windows flashing etc? Or are most attacks stealth anyway?

And if “they” get into your router, is it game over, or will they mostly be able to use it as a DDOS bot? They could try to sniff unencrypted traffic I guess, not sure if that’s something that’s common.

Basically my security approach is “keep laptop and apps updated, don’t install random executables, pray that the router doesn’t get hacked”. I don’t have a regular “check for router firmware updates / monitor all internet traffic” reminder set up. Should the average consumer do that? (Aside from the discussion of ‘who should ideally be responsible’.)

@JoeS I think so, for one simple reason. Casual users won’t likely notice, but hardcore users like us more often than not can tell when something on our system is “off”, for lack of a better term.

I had an uncanny knack/reputation among some of my customers for noticing a “troubled system”. It really was not me doing anything other than being observant, as in “why is the hard drive thrashing like that” or “why is the UI stuttering doing basic things.”

1 Like

And BTW, they won’t love you for it, but I insist on my provider updating/replacing my router on a regular basis. They may be reluctant to do it at first, but when I remind them of all of the bad things that could happen to their own network (and that they could be liable in some cases), they usually agree to do it.

1 Like

On a positive note, I am pleased that the age of passwords looks to be ending with the Google, Microsoft, and Apple cooperation on passkeys. I agree with Leo’s comment on the MacBreak Weekly podcast that this iOS/iPadOS 16 feature is the most important one and will have the most effect on our daily lives. Imagine life without the need for 2FA! I hate them.

Apple just announced another quality of life security improvement:

Just “supported apps and websites” at first, but hopefully it’s the first step in eliminating CAPTCHAs forever. I hate those things, too.

2 Likes

Our security experts have told us repeatedly that, more than virtually the rest of the security flaws combined, exploiting the user/password paradigm is by far the number one method that bad actors start with when attempting to hack into systems.

A while back, if you’d asked me, I would have put the majority of blame for this on user laziness and lack of good practice. But with the rise of everything from online banking to HR systems at work to streaming to managing your 401k, the sheer volume needed to keep track of it all has simply become overwhelming IMHO. In fact, many of the former in-branch services of my bank are now handled through their online portal only.

I have been doing this long enough that I would like to think I’m at least adequate in this regard, but I’ll admit that I have a master user/password doc that I keep to help me remember. This, of course, as security experts would be the first to point out, creates a SPOF, but practically speaking, I haven’t come up with a better alternative.

BTW: I’m old enough to have gone through part of the Cold War and the associated nuclear strike drills. And one thing that always intrigued and disturbed me is the concept of an EMP attack. I believe that, because of all of the above, a successful EMP attack would wreak far more havoc today.

1 Like