Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

WattsvilleBlues posted:

Is there any virus that formatting and reinstalling Windows doesn't get rid of?

https://blog.kaspersky.com/equation-hdd-malware/

There are reasons why I poo poo all over anti-virus and malware re-mediation steps in the OP. One being the link I just posted and the other being that I used to work for an AV vendor.


WattsvilleBlues
Jan 25, 2005

Every demon wants his pound of flesh

OSI bean dip posted:

https://blog.kaspersky.com/equation-hdd-malware/

There are reasons why I poo poo all over anti-virus and malware re-mediation steps in the OP. One being the link I just posted and the other being that I used to work for an AV vendor.

Jesus, that's frightening. The vast majority of the time I can expect a format to take care of things though, right? People I know tend to ask me to sort their computers out when they muck them up, my default action is to format their machines.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

WattsvilleBlues posted:

Jesus, that's frightening. The vast majority of the time I can expect a format to take care of things though, right? People I know tend to ask me to sort their computers out when they muck them up, my default action is to format their machines.

Yes. In general, most reformatting and destroying of bootsectors (this part is important) will weed out a large chunk of malware you'll encounter. It does not mean that it's 100% effective but it should be sufficient in most cases.

Geemer
Nov 4, 2010



gay picnic defence posted:

Might be a silly question but what is the best way to get rid of persistent malware/adware?

I've got rid of most of the problem after running adwcleaner and Malwarebytes, resetting Chrome, and uninstalling a few unwanted programs but I can't seem to stop chrome loading 'feed.helperbar.com/etc etc' and snapdo search as the home page (but only when I open Chrome for the first time, new tabs are fine). I've gone through the extensions and settings for Chrome, can't find anything there that isn't meant to be there. Internet Explorer doesn't have this issue when I open it.

Even if you already fixed it by reinstalling Chrome: Sometimes malware changes the shortcut to include a URL in the file path, so it opens up their lovely search engine when you first open the browser, but not on new tabs. I've only seen it once before, but it's something scanners apparently overlook.
Might also be why you were missing options.

mehmedbasic
Jul 6, 2015
The worst browser malware I've seen was an extension that installed itself via Group Policy. If you deleted it, it would just reinstall.

That was combined with a change to the Chrome shortcut so it started some random crap page every time.
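
A read-only check for the two persistence tricks described in the posts above (a URL appended to the browser shortcut, and an extension force-installed through policy). This is an added example, not something posted in the thread; the shortcut folders searched and the list of browser executables are assumptions about a typical Windows install.

```powershell
# Added example (not from the thread): read-only audit, nothing is modified.

# Browser executables whose shortcuts are worth inspecting (assumed list).
$BrowserExes = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe'

# Places a browser is normally launched from (assumed typical locations).
$ShortcutRoots = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
    [Environment]::GetFolderPath('StartMenu')
    [Environment]::GetFolderPath('CommonStartMenu')
    Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
) | Where-Object { $_ -and (Test-Path $_) }

function Get-HijackedBrowserShortcut {
    param(
        [string[]]$Roots = $ShortcutRoots,
        [string[]]$Exes  = $BrowserExes
    )
    if (-not $Roots) { return }
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if (-not $lnk.TargetPath) { return }      # link without a file target
            $exe = (Split-Path $lnk.TargetPath -Leaf).ToLower()
            if ($Exes -notcontains $exe) { return }   # not a browser shortcut
            # A clean browser shortcut carries switches at most; a URL or a
            # bare hostname in the arguments is opened on every launch.
            $urlLike = 'https?://|(^|\s)"?([\w-]+\.)+[a-z]{2,}(/|"|\s|$)'
            if ($lnk.Arguments -match $urlLike) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

function Get-ForcedChromeExtension {
    # Chrome's ExtensionInstallForcelist policy: extensions listed here are
    # installed silently and come back after the user removes them.
    $keys = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
            'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            # Each value has the form "<extension id>;<update URL>".
            $id, $updateUrl = ([string]$reg.GetValue($name)) -split ';', 2
            [pscustomobject]@{
                PolicyKey   = $key
                ExtensionId = $id
                UpdateUrl   = $updateUrl
            }
        }
    }
}

Get-HijackedBrowserShortcut | Format-List
Get-ForcedChromeExtension   | Format-Table -AutoSize
```

On a home PC that nobody manages through Group Policy, any row from the second function deserves a closer look; on a work machine, compare it against what the administrators actually deploy.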

Relin
Oct 6, 2002

You have been a most worthy adversary, but in every game, there are winners and there are losers. And as you know, in this game, losers get robotizicized!
Anyone have experience with this (Is this legit?) https://www.reddit.com/r/TronScript/ It doesn't seem popular. I'm having a minor freakout about malware bundled with sourceforge programs (that I just found out about) and want to make sure as best I can.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Relin posted:

Anyone have experience with this (Is this legit?) https://www.reddit.com/r/TronScript/ It doesn't seem popular. I'm having a minor freakout about malware bundled with sourceforge programs (that I just found out about) and want to make sure as best I can.

No matter what tool you use (CCleaner or whatever that thing is), you're never going to know for certain what was left behind so as a result it doesn't really matter how effective it is. What got installed on your system?

Relin
Oct 6, 2002

You have been a most worthy adversary, but in every game, there are winners and there are losers. And as you know, in this game, losers get robotizicized!
I don't think anything, honestly. This is the level of awareness I'm at. AFAIK I have only used the legit download links (not the trick ones), plus I use noscript+ ABP (with a uni mcafee sub), but the row between GIMP and sourceforge was bothering me.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Relin posted:

I don't think anything, honestly. This is the level of awareness I'm at. AFAIK I have only used the legit download links (not the trick ones), plus I use noscript+ ABP (with a uni mcafee sub), but the row between GIMP and sourceforge was bothering me.

I do suggest asking questions after reading the OP as you should be able to come to a conclusion on what to do. If something is missing I'll edit it.

grack
Jan 10, 2012

COACH TOTORO SAY REFEREE CAN BANISH WHISTLE TO LAND OF WIND AND GHOSTS!
So is there some internet-based shock collar I can put on my aunt to keep her from forwarding every useless POS infected chain letter to my mother? Also for my equally clueless mother who will download and open everything my aunt sends?


Because I swear to god if I have to drive over and clean one more Cryptolocker variant off of my parents' computer I'm going to rip the drive out and tell them they can't have a computer any more.

Grawl
Aug 28, 2008

Do the D.A.N.C.E
1234, fight!
Stick to the B.E.A.T
Get ready to ignite
You were such a P.Y.T
Catching all the lights
Just easy as A.B.C
That's how we make it right

grack posted:

So is there some internet-based shock collar I can put on my aunt to keep her from forwarding every useless POS infected chain letter to my mother? Also for my equally clueless mother who will download and open everything my aunt sends?


Because I swear to god if I have to drive over and clean one more Cryptolocker variant off of my parents' computer I'm going to rip the drive out and tell them they can't have a computer any more.

It's called an admin account.

ArgaWarga
Apr 8, 2005

dare to fail gloriously

Odd question: I bought a ThinkPad T450s and decided what the hell, I'll spring for the fingerprint scanner. Are there any password managers that will use it, or is it strictly Lenovo proprietary? Just curious, great thread, really useful information.

dont be mean to me
May 2, 2007

I'm interplanetary, bitch
Let's go to Mars


ArgaWarga posted:

Odd question: I bought a ThinkPad T450s and decided what the hell, I'll spring for the fingerprint scanner. Are there any password managers that will use it, or is it strictly Lenovo proprietary? Just curious, great thread, really useful information.

If it's Windows Biometric compatible, LastPass can use it, but it'll need the binary component for things like Chrome in-browser compatibility (and installing that is complicated now that Chrome's changed the rules on extensions and plugins). I have my issues with LastPass*, and I don't know how you'd switch back to normal passwords/2factor if at some point you couldn't use your fingerprint scanner anymore, but hey it's an improvement over a moleskine in a 4-digit PIN safe, and a drat sight better than a post-it on a display frame. Still, don't jump in unless you know how to get back out without the fingerprint scanner (like in an emergency where the laptop is stolen/busted/lost). After all, sure it doesn't compromise your identity if you get locked out of all your stuff, but it'd still clearly be a catastrophic security failure.

KeePass needs it to be password-field or command-line ready and I have no experience with fingerprint scanners in general and the T450S's in particular, so it's worth a shot but LastPass may still be the better option. Keep in mind there's a real good chance that different fingerprint readers won't convert your patterns to passphrases the same way.

Google is talking about fingerprints for Android M (5.2? 6.0?), but it's probably not going to be accessible in Chrome's password management (good on Google for making Smart Lock Google-wide instead of just in Chrome, though), let alone accessing Google accounts through a general-purpose computer, until/unless Chromebooks start showing up with fingerprint scanners.

I don't know about other password management services.

*Admittedly your recourse if poo poo Happens with your data has gotten better since last I looked. However, they - and basically every other online password management service - is still operating under limited licensing/bonding/auditing; that is, they still aren't accredited like you'd probably want someone entrusted with the keys to ... well, YOU to be accredited (think how an accountant or attorney is qualified and regulated).

v v v I don't know if I'd say that as an absolute, but yeah LastPass is pretty grandpa-tier and someone simply reading this thread is probably an indicator they can pull off KeePass.

dont be mean to me fucked around with this message at 05:03 on Jul 29, 2015

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

ArgaWarga posted:

Odd question: I bought a ThinkPad T450s and decided what the hell, I'll spring for the fingerprint scanner. Are there any password managers that will use it, or is it strictly Lenovo proprietary? Just curious, great thread, really useful information.

Fingerprint readers are garbage and shouldn't be used with managing passwords--and they don't work very well so don't bother. If you're paranoid about your passwords, use this:

http://keepass.info/help/kb/yubikey.html

The key is $25 each.

If that doesn't work, make sure to just use a strong passphrase that is strictly for that KeePass file (or whatever password manager you use) and nowhere else.

Do not use LastPass.

Teaches of Peaches
Aug 10, 2010

Huh!? What? Right...
I genuinely can't wait to see the op completed. I recently got a new hard drive and did a fresh install of Windows and made sure I had everything up to standard but it looks like some of my knowledge was out of date. So I replaced a few things I used previously with the new suggestions.

So the last area I need to secure further would be password security. What are the general suggestions for that? I don't use the same password for anything and have a password manager but I am sure there are newer, or at least better ways than I have currently. I ask because I was using lastpass in the past because it was so easy to use with chrome addons but I am aware of the security risks that it carries and want to move to something better.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Teaches of Peaches posted:

I genuinely can't wait to see the op completed. I recently got a new hard drive and did a fresh install of Windows and made sure I had everything up to standard but it looks like some of my knowledge was out of date. So I replaced a few things I used previously with the new suggestions.

So the last area I need to secure further would be password security. What are the general suggestions for that? I don't use the same password for anything and have a password manager but I am sure there are newer, or at least better ways than I have currently. I ask because I was using lastpass in the past because it was so easy to use with chrome addons but I am aware of the security risks that it carries and want to move to something better.

OP update is still in the works. Blame work, DEFCON, and my personal project. I can easily answer questions however. I do have some help from others on the OP too.

To be honest, let your password manager generate the passwords. A while back I was using my own tool to generate the passwords in the event I ever have to manually type them in, but it's getting less and less common for me to have to do so.

I recommend using KeePass as a solution followed by 1Password should it not meet your requirements. KeePass is multi-platform, free, and it's pretty easy to synchronise the file using any file sharing service (Dropbox, Box, OwnCloud, whatever). The Android and iOS versions of the application work great and I have never had issues with the file getting corrupted, et cetera. I use KeePass across Windows, OS X, Linux, and Android with no problems--although on OS X I do recommend MacPass as it is a native application and doesn't rely on Mono.

LastPass is complete garbage and the reason for that is that it is entirely cloud-dependent with some exception and the developers cannot seem to get its poo poo straight. KeePass does have some limitations as its browser integration is flakey, but I do suggest using it over LastPass as if you can keep the file secure, then you know you're okay. Keeping the file secure really primarily consists of not having a lovely password for the file to begin with (don't reuse it and make sure it cannot be generated easily) as a primary and then keeping the file away from others as a secondary.

1Password gets a mention as it is as good as KeePass except that it does cost money.

Teaches of Peaches
Aug 10, 2010

Huh!? What? Right...

OSI bean dip posted:

OP update is still in the works. Blame work, DEFCON, and my personal project. I can easily answer questions however. I do have some help from others on the OP too.

To be honest, let your password manager generate the passwords. A while back I was using my own tool to generate the passwords in the event I ever have to manually type them in, but it's getting less and less common for me to have to do so.

I recommend using KeePass as a solution followed by 1Password should it not meet your requirements. KeePass is multi-platform, free, and it's pretty easy to synchronise the file using any file sharing service (Dropbox, Box, OwnCloud, whatever). The Android and iOS versions of the application work great and I have never had issues with the file getting corrupted, et cetera. I use KeePass across Windows, OS X, Linux, and Android with no problems--although on OS X I do recommend MacPass as it is a native application and doesn't rely on Mono.

LastPass is complete garbage and the reason for that is that it is entirely cloud-dependent with some exception and the developers cannot seem to get its poo poo straight. KeePass does have some limitations as its browser integration is flakey, but I do suggest using it over LastPass as if you can keep the file secure, then you know you're okay. Keeping the file secure really primarily consists of not having a lovely password for the file to begin with (don't reuse it and make sure it cannot be generated easily) as a primary and then keeping the file away from others as a secondary.

1Password gets a mention as it is as good as KeePass except that it does cost money.

Alright thanks for the info dump. I am going to give KeePass a shot and see how that works for me. I mostly used Lastpass for junk accounts with junk websites that I only needed to sign into on rare occasion so I wouldn't remember the passwords for that stuff but even then I want to make sure I keep everything together now and more secure than what Lastpass has been.

froward
Jun 2, 2014

by Azathoth

Star War Sex Parrot posted:

Could you elaborate on this? What's bad about uBlock and/or better about uBlock Origin? I never understood the fork, but both are being actively developed right now.
I use Origin entirely because InfoSec Tailor Swift told me to. :boom:

please stop posting in this thread. you don't even have an avatar and your opinions are garbage.

OSI bean dip posted:

OP update is still in the works. Blame work, DEFCON, and my personal project. I can easily answer questions however. I do have some help from others on the OP too.
Thank you for taking the time to do this; it's rare that people have free time AND post on forums AND aren't shitheads. bless & double bless, friend.

froward
Jun 2, 2014

by Azathoth
the official keepass download links lead to sourceforge, which ublock blocks, because, ya know, malware.

lol

ThermoPhysical
Dec 26, 2007



A friend of mine uses the Panda antivirus which is some kind of cloud-based thing. Anyone know anything about it?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

froward posted:

Thank you for taking the time to do this; it's rare that people have free time AND post on forums AND aren't shitheads. bless & double bless, friend.

Not a problem. :)

ThermoPhysical posted:

A friend of mine uses the Panda antivirus which is some kind of cloud-based thing. Anyone know anything about it?

Read the OP on anti-virus before you ask this question again.

Segmentation Fault
Jun 7, 2012

froward posted:

the official keepass download links lead to sourceforge, which ublock blocks, because, ya know, malware.

lol

Ninite offers a copy of it through its silent download, so you can get it that way. It does this for a few programs that are usually only available through sourceforge.

ThermoPhysical
Dec 26, 2007



OSI bean dip posted:

Read the OP on anti-virus before you ask this question again.

Yes, I read it twice before asking and it says nothing about cloud-based AVs or if they're even worth anything. Basically it starts out how antivirus programs are outdated and not worth buying and then some settings for traditional AVs that aren't cloud-based.

I wanted to know if anyone's tried Panda and seeing if it's worth it. Maybe put something about cloud-based AVs in the OP?

Wiggly Wayne DDS
Sep 11, 2010



ThermoPhysical posted:

Yes, I read it twice before asking and it says nothing about cloud-based AVs or if they're even worth anything. Basically it starts out how antivirus programs are outdated and not worth buying and then some settings for traditional AVs that aren't cloud-based.

I wanted to know if anyone's tried Panda and seeing if it's worth it. Maybe put something about cloud-based AVs in the OP?
lol

Segmentation Fault
Jun 7, 2012

ThermoPhysical posted:

Yes, I read it twice before asking and it says nothing about butt-based AVs or if they're even worth anything. Basically it starts out how antivirus programs are outdated and not worth buying and then some settings for traditional AVs that aren't butt-based.

I wanted to know if anyone's tried Panda and seeing if it's worth it. Maybe put something about butt-based AVs in the OP?

Anti-virus in general is security theater these days. Whether the heavy lifting is done on the PC itself or some server farm is irrelevant.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

ThermoPhysical posted:

Yes, I read it twice before asking and it says nothing about cloud-based AVs or if they're even worth anything. Basically it starts out how antivirus programs are outdated and not worth buying and then some settings for traditional AVs that aren't cloud-based.

I wanted to know if anyone's tried Panda and seeing if it's worth it. Maybe put something about cloud-based AVs in the OP?

Please tell me how cloud-based anti-virus is different from traditional anti-virus.

doctorfrog
Mar 14, 2007

Great.

I guess it's better for this HP Stream I have (with a 16GB drive).

OSI bean dip posted:

Please tell me how cloud-based anti-virus is different from traditional anti-virus.

http://www.pandasecurity.com/usa/homeusers/solutions/free-antivirus/


LIGHT

Panda Antivirus protects while you browse, play or work online, and you won't even notice it's there.

It is extremely light as all the work is done in the cloud.


EASY

This is a truly 'install and forget' solution.

You won't have to worry about updates, or complex settings and decisions ever again. It works for you.


SECURE

It delivers maximum and fast protection against the latest viruses, thanks to cloud-scanning from the Collective Intelligence servers.

There's no need for massive signature files on your PC or daily updates.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

doctorfrog posted:

I guess it's better for this HP Stream I have (with a 16GB drive).


http://www.pandasecurity.com/usa/homeusers/solutions/free-antivirus/


LIGHT

Panda Antivirus protects while you browse, play or work online, and you won't even notice it's there.

It is extremely light as all the work is done in the cloud.


EASY

This is a truly 'install and forget' solution.

You won't have to worry about updates, or complex settings and decisions ever again. It works for you.


SECURE

It delivers maximum and fast protection against the latest viruses, thanks to cloud-scanning from the Collective Intelligence servers.

There's no need for massive signature files on your PC or daily updates.

You've absolutely managed to avoid answering my question. That isn't any different from traditional AV other than it uses ~*~:yayclod: the cloud :yayclod:~*~.

doctorfrog
Mar 14, 2007

Great.

Yep. "Traditional" boo, "cloud" yay!

froward
Jun 2, 2014

by Azathoth
:yayclod: storage pisses me right the gently caress off bc bandwidth is more expensive than storage. Too many idiots think paying $10/month to upload everything to :yayclod: is better than duping things to hard drives (which are cheap as hell and don't disappear when :yayclod: has a hiccup or goes under). So we have consumer bandwidth saturated with netflix -- instead of just using the service as America's Mail Order Swap Drive -- and mobile bandwidth saturated with Spotify et al because licensing be hard, waaaaaaah. Makes me sick. Sick I tell you!

ThermoPhysical posted:

A friend of mine uses the Panda antivirus which is some kind of cloud-based thing. Anyone know anything about it?

This was hinted at, but since nobody's getting it: antivirus is garbage, it does nothing well, because the weakest link is the users. Computers are pretty great 99% of the time and they require user intervention -- help, if you will-- to get a virus installed most of the time.

NO KIND OF ANTIVIRUS REPLACES GOOD TRAINING

Listen, if I can teach basic operational security (don't install weird apps, use long passwords, never give sensitive information to anyone who calls you) to my SEVENTY YEAR OLD MOTHER then YOU can be arsed to teach whoever you care about to not infect themselves, too.

Many OMG SCARY EXPLOITS/viruses aren't game changers: they just reduce the amount of work the user has to do to infect themselves.

one can even argue antivirus is BAD because it provides a false sense of security.

Segmentation Fault
Jun 7, 2012
The only reason I'm okay with my shop selling anti virus is because it provides peace of mind and return customers, along with the bill for buying and installing the AV.

Su-Su-Sudoko
Oct 25, 2007

what stands in the way becomes the way

Switched from Lastpass to KeePass, and from a long and complex password to a pretty long passphrase.

200 bits entropy, come at me hackers

Carthoris
Apr 24, 2011

OSI bean dip posted:

Do not use LastPass.

Can you elaborate on the reasoning for this? Any theoretical vulnerabilities with LastPass? Assuming you have a strong pass-phrase that isn't used anywhere else and use TFA what is wrong with LastPass that local password management like KeePass solves?

I understand that ideally you would want an attacker to need access to your password database and that you can control that if you don't hand it to a third party but if you aren't dealing with a nation state level attacker I don't see how they are going to get through AES-256 with a 30 character passphrase and TFA. Keepass alone without more stringent browser security isn't going to keep you from entering your password on an XSS compromised page while LastPass has that functionality built in.

* For the sake of argument let's say that an attacker can pwn your personal computer just as easily as they can pwn LastPass's server so they have access to your password DB either way. If we go from that assumption what advantages does KeePass have over LastPass in terms of security?

Carthoris fucked around with this message at 21:30 on Aug 6, 2015

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Carthoris posted:

Can you elaborate on the reasoning for this? Any theoretical vulnerabilities with LastPass? Assuming you have a strong pass-phrase that isn't used anywhere else and use TFA what is wrong with LastPass that local password management like KeePass solves?

I understand that ideally you would want an attacker to need access to your password database and that you can control that if you don't hand it to a third party but if you aren't dealing with a nation state level attacker I don't see how they are going to get through AES-256 with a 30 character passphrase and TFA. Keepass alone without more stringent browser security isn't going to keep you from entering your password on an XSS compromised page while LastPass has that functionality built in.

* For the sake of argument let's say that an attacker can pwn your personal computer just as easily as they can pwn LastPass's server so they have access to your password DB either way. If we go from that assumption what advantages does KeePass have over LastPass in terms of security?

Constant incompetence:

https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

quote:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/

quote:

The most serious of the defects was uncovered in LastPass, a manager that had at least one million users as of 2011. A bug in a "bookmarklet" feature used to automatically enter passwords into websites made it possible for malicious code planted on one site to steal credentials for other sites. An attacker might exploit the vulnerability by compromising a site a user was using LastPass to access. As soon as the user clicked on the bookmarklet, the attacker could surreptitiously steal plaintext passwords belonging to other sites that were also secured by LastPass.

https://blog.lastpass.com/2011/05/lastpass-security-notification.html/

quote:

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.


It isn't so much that the application itself could be compromised but the LastPass guys are reckless with their own internal security--two breaches in five years and one vulnerability are the ones I can recall right this moment.

There are theoretical attacks on the service but none have yet to surface.

I cannot at all recommend their service.

Crankit
Feb 7, 2011

HE WATCHES
Did anyone mention the importance of keeping software up to date? I assume that's fairly important, heck I'd guess out of date software is in top 5 reasons systems get compromised?

Is secunia PSI well regarded for informing about updates? Something else these days?

hooah
Feb 6, 2006
WTF?

Crankit posted:

Did anyone mention the importance of keeping software up to date? I assume that's fairly important, heck I'd guess out of date software is in top 5 reasons systems get compromised?

Is secunia PSI well regarded for informing about updates? Something else these days?

I got fed up with Secunia PSI, since it kept going unresponsive or being unable to update things. Someone recommended PatchMyPC, and it's worked really well so far (about a month).

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Carthoris posted:

Can you elaborate on the reasoning for this? Any theoretical vulnerabilities with LastPass? Assuming you have a strong pass-phrase that isn't used anywhere else and use TFA what is wrong with LastPass that local password management like KeePass solves?

I understand that ideally you would want an attacker to need access to your password database and that you can control that if you don't hand it to a third party but if you aren't dealing with a nation state level attacker I don't see how they are going to get through AES-256 with a 30 character passphrase and TFA. Keepass alone without more stringent browser security isn't going to keep you from entering your password on an XSS compromised page while LastPass has that functionality built in.

* For the sake of argument let's say that an attacker can pwn your personal computer just as easily as they can pwn LastPass's server so they have access to your password DB either way. If we go from that assumption what advantages does KeePass have over LastPass in terms of security?

To provide a second point of view, it's not that LastPass is bad per se, just that there are plenty of better choices, including a completely free one, that lack a lot of the worries around LastPass that there's no good reason to use it over the alternatives.

Crankit
Feb 7, 2011

HE WATCHES
Any advice for momputing? I've got a mom with a 'puter and she's not good at internet, what do I do that makes her less likely to get malwares.

hooah posted:

I got fed up with Secunia PSI, since it kept going unresponsive or being unable to update things. Someone recommended PatchMyPC, and it's worked really well so far (about a month).

Thanps I'll try that out!

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Crankit posted:

Any advice for momputing? I've got a mom with a 'puter and she's not good at internet, what do I do that makes her less likely to get malwares.


Thanps I'll try that out!

To be honest, in your situation, just install any AV and hope that she never gets the machine compromised.

For people who are computer-illiterate, I've been recommending that people just simply get tablets (iPads if you can help it) or Chromebooks if you know that they'll be fine with that. If they've already bought a computer, then just protect it with AV and ensure that it automatically installs updates. Additionally, keep them away from any admin account and just offer to install applications for them.


Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

OSI bean dip posted:

To be honest, in your situation, just install any AV and hope that she never gets the machine compromised.

For people who are computer-illiterate, I've been recommending that people just simply get tablets (iPads if you can help it) or Chromebooks if you know that they'll be fine with that. If they've already bought a computer, then just protect it with AV and ensure that it automatically installs updates. Additionally, keep them away from any admin account and just offer to install applications for them.

I agree about getting her an iPad out of preference.

However if she's using a full computer, I think there are easy additional precautions you should take beyond the ones OSI Bean Dip mentions.

The greatest risks she faces are probably:
- clicking poo poo in spam email
- malware from ad networks: both those clicked on manually and those delivered by exploits
- getting phished

To that end, in addition to AV (MSE is fine):
- Replace IE with Chrome; install uBlock; make plugins click-to-play if you think she can handle that
- Remove the JRE and adobe reader; make PDFs open in Chrome
- Install EMET
- Use a password manager

I got my parents a copy of 1Password a couple of years ago and it was a great decision. Not just because they don't have to remember tons of credentials any more, but because they will never get phished because they always log into sites using the browser extension. If you make it automatically save all credentials she submits to websites, you can then go back a couple of weeks later and change all the passwords to unique ones. By far my #1 momputing tip.
