
Social hacking in everyday life (defending ourselves from stupid things)

I know that many Habr residents read the memoirs of famous hackers, where it is spelled out very clearly that the weakest link in the information security chain is, as a rule, not a protocol, a program or a machine, but a person (admin, user or manager).

I read them too, and was even indignant: "No, how can anyone give their password over the phone to some stranger?" But, alas, the rake you step on yourself is the one best remembered. So it happened. Over the past couple of months I have witnessed, and even taken part in, several situations that are embarrassing but socially instructive.

All of us know everything in general and in theory, but in specific cases and in practice we often ignore that knowledge. The best remedy here is experience (ideally negative, but someone else's). I want to share mine, and I invite you to do the same in the comments (some simple but very useful tips have already been voiced there).

Careful disposal: do not discard or lose information


Of course, there are shredders and machines for destroying optical and even hard drives. But their place is in the enterprise (where security instructions should not only be written and signed, but also carefully read and followed by every employee); at home, as a rule, you have to do everything by hand.

With optical discs everything is simple: they scratch beautifully with the corner of any USB plug (look for one on a USB flash drive or any cable, yes). The photo in the teaser shows the result of ten seconds of such handling. Admittedly, the disc is already unreadable after a single deep radial scratch (I checked this on some 7000-series NEC drive). To be on the safe side, make many scratches. In the comments Levsha100 and sproson doubt the reliability of this method and recommend breaking discs or scratching them deeply on both sides (otherwise they can be polished and read). Well, I propose starting from the real value of the information and choosing a proportionate degree of damage to the media.

For a hard disk it is not enough to break only the controller board; the platters must be damaged, just as for a flash drive it is not enough to break only the plug (the memory chips must be destroyed). Or, as grey_one reasonably advises, format the media in a way that leaves nothing recoverable (a quick format, which clears only the file-system structure, certainly will not do). HDDs and flash drives are admittedly not thrown away often, but the latter are lost often.
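As an added illustration (not part of the original post) of why a quick format does not count as wiping: the script below builds a small constructed image file standing in for a flash drive, zeroes only its first sector the way a quick format rewrites only the file-system structure, and shows that the secret is still readable from the raw image, whereas overwriting every sector with random data makes it unrecoverable. The marker string and image layout are constructed for the demo, and it touches only a temporary file, never a real device.

```shell
#!/bin/sh
# Added example: "quick format" (structure only) vs. full overwrite,
# simulated on a plain image file. Never point this at a real device.
set -e

MARKER="SECRET_DB_PASSWORD_EXAMPLE"   # constructed sample secret

# Build a 32 KiB "media" image: a fake header in sector 0,
# the secret somewhere in the data area (sector 20).
make_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=64 2>/dev/null
    printf 'FAKE-FS-HEADER' | dd of="$img" bs=512 count=1 conv=notrunc 2>/dev/null
    printf '%s' "$MARKER" | dd of="$img" bs=512 seek=20 conv=notrunc 2>/dev/null
}

# Quick format: rewrite only the first sector (the structure); data untouched.
quick_format() {
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Full wipe: random data over every sector of the image.
full_wipe() {
    size=$(wc -c < "$1")
    dd if=/dev/urandom of="$1" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null
}

# Returns 0 if the secret can still be found by scanning the raw image
# (what a recovery tool does), 1 otherwise.
secret_recoverable() {
    grep -a -q "$MARKER" "$1"
}

# Runs both scenarios; prints "quick=<0|1> full=<0|1>", 1 = still recoverable.
demo() {
    tmp=$(mktemp -d); q="$tmp/quick.img"; f="$tmp/full.img"
    make_image "$q"; make_image "$f"
    quick_format "$q"; full_wipe "$f"
    qres=0; secret_recoverable "$q" && qres=1
    fres=0; secret_recoverable "$f" && fres=1
    rm -rf "$tmp"
    echo "quick=$qres full=$fres"   # prints "quick=1 full=0"
}
```

Running `demo` shows the marker surviving the quick format and disappearing after the full overwrite; on real flash media, wear levelling can still keep stale copies of blocks out of reach of the overwrite, which is why the post also recommends physical destruction when the data matters.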

Paper (if you are too lazy to tear it up) can be soaked in water, or better still in some detergent: even on stacks of 20-30 sheets the ink runs and smears nicely.

Horror story: I recently threw out a stack of DVDs with site backups from 2008. There were no user passwords in the database dumps (only salted hashes), but the CMS configs contained the database access passwords. Yes, I changed them. Yes, almost all hosters forbid connecting to the database from a remote host by default. But still.

Social phishing: do not give passwords to anonymous parties or send them over open channels


If your provider, hoster, payment system or the owners of a web service ask you for your password, do not trust them: it is not them at all, it is attackers.

If someone else must have access to your passwords, acquaint them with all the potential dangers. Explain it in terms they understand (a wife, for example, is convinced by the danger of the family budget being drained through the account with the provider).

Horror story one: a friend works in support at a provider. He is too lazy to dig into the billing system, so he asks the client for the password over the phone to check whether it was entered correctly. The provider also makes active use of a callback service. Call the unsuspecting person back at the right moment and he will dictate his passwords to you. At least, my friend has never been refused.

Horror story two: once, sending a letter to my hoster, I trusted my mail client's autocomplete. As a result, the letter went to the wrong recipient. I have never changed passwords so fast. By the way, my hoster has since come to its senses too: it no longer asks for (and probably even advises against) including the password in a request when the letter is sent from the e-mail address registered on the account.

Elementary password strength: qwerty is not a password


In general, I do not think the Habr audience is so careless as to use their children's birth dates as passwords or anything of the sort. But there are subtler points. See the horror story for an example.

In addition, you should advise the people around you about passwords if you care about their privacy (which may also be yours: some family photos, for example, are not meant for public viewing).

Horror story: while a project is in development there is nothing in particular to protect, right? So at development time the password is usually set to something in the spirit of "abcd1234". Well, I checked: on one of the last four projects we launched into production, the admin password had been left at the default; we had not changed it. It is a good thing that the default password, rather than being one everyone knows, is invented separately for each project.

Do not write passwords down (at least not on the slips of paper you throw out or keep next to the logins)


Better still, wherever possible, set up key-based authentication, and keep the private key on a local server (with a copy on a flash drive in a safe). For less work-related purposes there are password managers (RoboForm, or the cross-platform KeePass, is recommended most actively in the comments); the master password you should keep in your head and never write down anywhere. In the simplest case, keep the passwords in a text file and encrypt it with a password you keep in your head.

If you save passwords in your mail or FTP client, then see to proper anti-virus protection; any trojan or backdoor will gladly carry off the file with your passwords.

Separate advice for those who store passwords in the browser (from commenter alfsoft): use a master password in browsers that support it.

Do not use the same password for different systems and services. Do not store other people's passwords in plain text in your software and services.

Horror story one: elderly people, or simply those far from IT, often scratch their PIN directly onto the bank card (this is folklore, but nonetheless).

Horror story two: there was a case where a trojan stole the password stored in an FTP client (it seems to have been a not-quite-current Total Commander, though many other clients are no better in this respect) from an admin's local computer and injected infected frames into the live websites of partners where potential customers went (as a result, visitors either got infected or got alarms from their antivirus). By the way, Yandex now marks sites with trojans in a special way in its search results; moreover, you can remove the trojan right away, but the mark disappears only after the next re-indexing, a week later, for example.

Others can steal it, you can lose it or hand it over by mistake


Do not store anything important on a netbook or phone.

On netbooks, set passwords (proper ones) and encrypt the file system.

On flash drives, store everything (or at least everything important) in encrypted form (for example, in a RAR archive with a proper password).

If you have several flash drives that look alike, put labels on them so that you do not hand the tax office a flash drive with a backup of your firm's entire off-the-books accounting instead of the quarterly report (the tax office will be glad, but your manager hardly will).

User panaslonik told a spicy story from which it follows that flash cards from cameras should be wiped especially carefully if you are going to hand them to someone.

Horror story: well, you have read many times yourselves how military and government officials, clerks and bankers of various ranks in various countries have lost laptops in various ways, along with military secrets and the private data of thousands of citizens.

In place of a conclusion


Yes, yes, everyone knows all this: protect your passwords, make backups. I know, you know. But do we put all we know into practice?

Real-life examples are what convince. Please share them in the comments.

Source: https://habr.com/ru/post/79449/
