Abstracts about hacking LJ and general security
The people of something got excited - breaking LJ, guard.
Well, garbage and all this. Recipe from pisma_izdaleka:
1) Do not let Trojans on your car. For this, it is enough in 99% of cases to simply not use IE. Use marginal browsers. Marginal - in this case - good, but not on the IE engine and not very common. My choice is Opera. IE leave to trusted sites exclusively. Put the antivirus (optional, on an amateur), turn on the firewall at last, or rather sit behind the NAT. Lovers of Varese and Porno take additional measures - for example, to get a virtual machine and download exclusively there. In general, a virtual machine can solve a lot of problems. It can be easily backed up. It can be transferred to a flash drive. It can be quickly destroyed if required. All the above software can pick up quality and free.
')
Explanation: why you should not use IE. The fact is that this browser is the only one (if I remember correctly) that uses ActiveX technology and others close to it. The ActiveX object is actually a full-fledged mini-program that is downloaded from the server and runs on your machine with the same rights as you yourself have. Sometimes it is necessary. But: this thing gives you full access to your car and at the same time detects solid holes, so that they do not have time to patch. You will not have time to look around, as you pick up some rubbish, even if just advertising. Another thing is that IE is installed in the system by default (it is part of the system at the same time), it is used by an absolute majority of untrained users and this particular browser is the number one object for researching vulnerabilities. There are sites that do not work without IE (for example, the same ActiveX support is needed) or work poorly (the page layout is visually corrupted). If this is a site that I trust - for example, my internet banking or gmail, I work through IE. In all other cases, the categorical requirement to use it is IE "and then you will not get all the pleasure" - a direct indication for me to this site no longer go _nogda_.
Yes, also about the IE engine. It is also used when displaying HTML emails in mails like Outlook, Outlook Express. You can get Kaku even simply by opening a letter from a well-wisher.
2) Encrypt email traffic - keep your mail on gmail and receive it via pop3 via SSL (not via the web, it is not encrypted, but via pop3 through your favorite email program). mail.ru is good, but pop3 is “naked”, without SSL (all your passwords and letters fly across the grid in the clear) + mail.ru is a native system. Do not think anything bad, I am a patriot of Russian chocolate, but here is a different case: our, dear, Russian people work in the Russian system - they are very sociable and they have many friends, including who bought the book as a hacker. It is through the mail that the LJ breaks down. If you are bogged down on mail.ru and so on - anyway, move to gmail, and for the period of migration to mail.ru set automatic forwarding of letters to your new address. About the fact that the passwords need to come up with different and complex - already somehow inconvenient to say. About the fact that the secret question "What is the name of your dog," it is not necessary to write the real or common name of the dog - already somehow uncomfortable to say. Mother's maiden name is also not required to be truthful. Bad passwords are remembered? There are programs for storing passwords. Ctrl + C, Ctrl + V.
Mail.ru in the above paragraph is conditional. Applicable to any local postal service. So far, only in the decadent West are they seriously considering privacy.
Surprised how a hacker found the email address specified in your LJ? Easy peasy. As a rule, you have only one address and during the years of your stay in the network you lit it wherever possible - on classmates' websites, on ICQ, on forums, on LJ, finally. Yandex - there is everything.
Surprised how a hacker found out your IP and attacked your computer? Well, for example, commented on his LJ. Or sent him a letter from his car. Or used the old version of ICQ. In general, this is not interesting. The protection is not to hide such information. Better close your computer.
Surprised how a hacker found your password? Remember how many related friendly resources like ljplus, photo hosting sites and forums you used the same set of letters and numbers, moreover, it is sometimes easy to guess? Why break directly LJ? You can start with a less secure resource.
3) Always clearly understand how your traffic is going. Use WiFi without (good) encryption - your traffic can be read by a neighbor behind the wall or anyone who is inquisitive with a laptop or PDA on a bench at your door. Do not encrypt content - everything is available to your home, regional, city provider and other SORM. This is not paranoia. This is reality.
4) Control access to your machine - physical and network (shared folders of various types - including peer-to-peer networks).
5) Watch for announcements - there is already software for a back-up LJ, it is technically easy to write a restoration - they will write it quickly if they want. Do not forget to back up. Automate this process because a person is prone to forget.
A lot of scary items? No more than the rules of personal hygiene. New times - new rules. Get used to it.
What is the difference, why lose data - from the evil hackers or the cleaning lady Aunt Masha with a mop? Than to brand enemies, it is better to minimize the risk in advance and treat everything as an inevitable evil.
All the catch-on elemental disorder. There is no debugged system - otherwise they would have thrown all the necessary ones, and not the one who succeeds.
I know it all firsthand - on the one hand I am engaged in developing software for network security + a former good system administrator, and on the other I once had a lot of fun about the same thing as the current storm of all times and peoples of Hell. Just then there was still a LJ. Nothing fundamentally original and new has since been invented. Is that wifi added interest. But a hacker who is able to raise his ass and geographically approach this particular victim at a distance of radio sniffing is still necessary to search among civilians.
Update : If it is interesting to someone, in principle, one could develop a theme - instead of a stream of paranoid and terminally-intensive tips, present the view from the other side: write an approximate algorithm for hacking this particular LJ, as I myself would have done. So, step by step, following the course of events, one can understand where the weak points are. It seems to me that it will be clearer. Although it will push someone to the exploits, unfortunately.
Update2 : Or open the topic with separate postings - because there are a lot of nuances.
From myself (via pisma_izdaleka) I want to add, along with the above, about the secret question that needs to be written when recovering the password. All and write - the name of the dog and the name of the mother. Should not be doing that. Social engineering has not been canceled yet.
well, a textbook lifebuoy - use Mac OS X or Posix systems to work :-)
PS: in the updates made suggestions for future posts, which may not be. Plsuing the topic and sensible comments can invite the author here, give him karma and wait for high-quality, relevant and useful articles - it is clear that the author has something to say and he can easily explain it.
PPS: Comrade. Hell, I wonder what you will do here.
Well, garbage and all this. Recipe from pisma_izdaleka:
1) Do not let Trojans on your car. For this, it is enough in 99% of cases to simply not use IE. Use marginal browsers. Marginal - in this case - good, but not on the IE engine and not very common. My choice is Opera. IE leave to trusted sites exclusively. Put the antivirus (optional, on an amateur), turn on the firewall at last, or rather sit behind the NAT. Lovers of Varese and Porno take additional measures - for example, to get a virtual machine and download exclusively there. In general, a virtual machine can solve a lot of problems. It can be easily backed up. It can be transferred to a flash drive. It can be quickly destroyed if required. All the above software can pick up quality and free.
')
Explanation: why you should not use IE. The fact is that this browser is the only one (if I remember correctly) that uses ActiveX technology and others close to it. The ActiveX object is actually a full-fledged mini-program that is downloaded from the server and runs on your machine with the same rights as you yourself have. Sometimes it is necessary. But: this thing gives you full access to your car and at the same time detects solid holes, so that they do not have time to patch. You will not have time to look around, as you pick up some rubbish, even if just advertising. Another thing is that IE is installed in the system by default (it is part of the system at the same time), it is used by an absolute majority of untrained users and this particular browser is the number one object for researching vulnerabilities. There are sites that do not work without IE (for example, the same ActiveX support is needed) or work poorly (the page layout is visually corrupted). If this is a site that I trust - for example, my internet banking or gmail, I work through IE. In all other cases, the categorical requirement to use it is IE "and then you will not get all the pleasure" - a direct indication for me to this site no longer go _nogda_.
Yes, also about the IE engine. It is also used when displaying HTML emails in mails like Outlook, Outlook Express. You can get Kaku even simply by opening a letter from a well-wisher.
2) Encrypt email traffic - keep your mail on gmail and receive it via pop3 via SSL (not via the web, it is not encrypted, but via pop3 through your favorite email program). mail.ru is good, but pop3 is “naked”, without SSL (all your passwords and letters fly across the grid in the clear) + mail.ru is a native system. Do not think anything bad, I am a patriot of Russian chocolate, but here is a different case: our, dear, Russian people work in the Russian system - they are very sociable and they have many friends, including who bought the book as a hacker. It is through the mail that the LJ breaks down. If you are bogged down on mail.ru and so on - anyway, move to gmail, and for the period of migration to mail.ru set automatic forwarding of letters to your new address. About the fact that the passwords need to come up with different and complex - already somehow inconvenient to say. About the fact that the secret question "What is the name of your dog," it is not necessary to write the real or common name of the dog - already somehow uncomfortable to say. Mother's maiden name is also not required to be truthful. Bad passwords are remembered? There are programs for storing passwords. Ctrl + C, Ctrl + V.
Mail.ru in the above paragraph is conditional. Applicable to any local postal service. So far, only in the decadent West are they seriously considering privacy.
Surprised how a hacker found the email address specified in your LJ? Easy peasy. As a rule, you have only one address and during the years of your stay in the network you lit it wherever possible - on classmates' websites, on ICQ, on forums, on LJ, finally. Yandex - there is everything.
Surprised how a hacker found out your IP and attacked your computer? Well, for example, commented on his LJ. Or sent him a letter from his car. Or used the old version of ICQ. In general, this is not interesting. The protection is not to hide such information. Better close your computer.
Surprised how a hacker found your password? Remember how many related friendly resources like ljplus, photo hosting sites and forums you used the same set of letters and numbers, moreover, it is sometimes easy to guess? Why break directly LJ? You can start with a less secure resource.
3) Always clearly understand how your traffic is going. Use WiFi without (good) encryption - your traffic can be read by a neighbor behind the wall or anyone who is inquisitive with a laptop or PDA on a bench at your door. Do not encrypt content - everything is available to your home, regional, city provider and other SORM. This is not paranoia. This is reality.
4) Control access to your machine - physical and network (shared folders of various types - including peer-to-peer networks).
5) Watch for announcements - there is already software for a back-up LJ, it is technically easy to write a restoration - they will write it quickly if they want. Do not forget to back up. Automate this process because a person is prone to forget.
A lot of scary items? No more than the rules of personal hygiene. New times - new rules. Get used to it.
What is the difference, why lose data - from the evil hackers or the cleaning lady Aunt Masha with a mop? Than to brand enemies, it is better to minimize the risk in advance and treat everything as an inevitable evil.
All the catch-on elemental disorder. There is no debugged system - otherwise they would have thrown all the necessary ones, and not the one who succeeds.
I know it all firsthand - on the one hand I am engaged in developing software for network security + a former good system administrator, and on the other I once had a lot of fun about the same thing as the current storm of all times and peoples of Hell. Just then there was still a LJ. Nothing fundamentally original and new has since been invented. Is that wifi added interest. But a hacker who is able to raise his ass and geographically approach this particular victim at a distance of radio sniffing is still necessary to search among civilians.
Update : If it is interesting to someone, in principle, one could develop a theme - instead of a stream of paranoid and terminally-intensive tips, present the view from the other side: write an approximate algorithm for hacking this particular LJ, as I myself would have done. So, step by step, following the course of events, one can understand where the weak points are. It seems to me that it will be clearer. Although it will push someone to the exploits, unfortunately.
Update2 : Or open the topic with separate postings - because there are a lot of nuances.
From myself (via pisma_izdaleka) I want to add, along with the above, about the secret question that needs to be written when recovering the password. All and write - the name of the dog and the name of the mother. Should not be doing that. Social engineering has not been canceled yet.
well, a textbook lifebuoy - use Mac OS X or Posix systems to work :-)
PS: in the updates made suggestions for future posts, which may not be. Plsuing the topic and sensible comments can invite the author here, give him karma and wait for high-quality, relevant and useful articles - it is clear that the author has something to say and he can easily explain it.
PPS: Comrade. Hell, I wonder what you will do here.
Source: https://habr.com/ru/post/14476/
All Articles