Author Topic: Scarier than something really scary!  (Read 10943 times)

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Scarier than something really scary!
« on: May 28, 2016, 12:13:32 PM »
Read this about the new GozNym virus that apparently drain your bank account without you knowing.

Is there a virus scanner that will protect against this?

http://nbr.com/2016/05/27/serpent-like-malware-targets-your-bank-account/


Yipes!

matchewed

  • Magnum Stache
  • ******
  • Posts: 4329
  • Location: CT
Re: Scarier than something really scary!
« Reply #1 on: May 30, 2016, 07:20:04 AM »
One acronym, FDIC.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #2 on: May 30, 2016, 07:48:00 AM »
Not sure FDIC qualifies here.

If you're worried about stuff like this, get a cheap Chromebook for banking.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #3 on: May 30, 2016, 10:52:37 AM »
Yes and investment accounts are not covered by FDIC.

The Chromebook is not a bad idea as it happens.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
GozNym virus
« Reply #4 on: May 31, 2016, 06:06:33 PM »
So nobody got anything to say about this?

Any advice?

It's not even clear to me if current virus scanners work against this thing.

galliver

  • Handlebar Stache
  • *****
  • Posts: 1890
Re: Scarier than something really scary!
« Reply #5 on: May 31, 2016, 06:21:04 PM »
Don't click on links in emails, unless you're certain where they came from and where they go.

Activate mental "scam alert" red flags.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #6 on: May 31, 2016, 06:26:39 PM »
No virus scanner is worth a damned against aggressively mutating malware, which is basically all of it at this point.

Don't blindly click links in email, use Chrome, and don't worry about it that much.

If you're really worried about banking malware, do what I said above and buy a Chromebook to use for online financial work.  It won't run Windows viruses.  It's quite literally the best secured platform out there right now - I'm a huge fan of what they've done for trusted boot, and limiting themselves by not allowing users to run general applications has a major security benefit.

Most of that stuff targets businesses anyway.  They tend to have much larger bank accounts.

csprof

  • Stubble
  • **
  • Posts: 229
Re: Scarier than something really scary!
« Reply #7 on: May 31, 2016, 07:03:15 PM »
No virus scanner is worth a damned against aggressively mutating malware, which is basically all of it at this point.

Don't blindly click links in email, use Chrome, and don't worry about it that much.

If you're really worried about banking malware, do what I said above and buy a Chromebook to use for online financial work.  It won't run Windows viruses.  It's quite literally the best secured platform out there right now - I'm a huge fan of what they've done for trusted boot, and limiting themselves by not allowing users to run general applications has a major security benefit.

Most of that stuff targets businesses anyway.  They tend to have much larger bank accounts.

And stay completely up to date on the security patches for your applications and OS, if you're not on a completely auto-updating platform like a Chromebook.  This, combined with exercising paranoia when clicking on things, will protect you more than any virus scanner out there.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #8 on: May 31, 2016, 07:09:40 PM »
^^ Yet more reasons ChromeOS is awesome for things like this.

And you don't need a fancy Chromebook for just a few banking websites.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #9 on: May 31, 2016, 07:19:05 PM »
Yes I like the Chromebook idea.

I am super vigilant about not opening spam emails etc, but I can't guarantee my Wife is.. so a dedicated device for nothing but banking has appeal for sure.

mohawkbrah

  • Bristles
  • ***
  • Posts: 272
  • Age: 23
  • Location: Herefordshire, UK
  • every day they see me hustling those pennies away
Re: Scarier than something really scary!
« Reply #10 on: June 01, 2016, 05:10:53 AM »
I'd imagine bank accounts would be covered. And luckily my investment account has a safeguard where if the money is withdrawn to a different bank account to the original one set up it takes 7 days minimum to transfer.

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #11 on: June 01, 2016, 01:46:19 PM »
The Chromebook is not a bad idea as it happens.

I got my Mom a Chromebook for Christmas because I was worried she would succumb to some nasty malware.  She loved it so much that I ended up getting her a desktop version too: http://promos.asus.com/us/chrome-os/chromebox/

Quote from: Syonyk
And you don't need a fancy Chromebook for just a few banking websites.

Not sure what you consider fancy about a Chromebook.  You can get them used/refurbished for about $100 on eBay.  When I travel, I'm not worried about my Chromebook getting lost or stolen, since there's no personal data on it to retrieve.  (I'm aware that most security-minded individuals will encrypt their hard drives, but it's still breakable.)

We also issue Chromebooks to our clinical staff so we don't have to worry about patient data being carried around on laptops.

Spork

  • Walrus Stache
  • *******
  • Posts: 5753
    • Spork In The Eye
Re: Scarier than something really scary!
« Reply #12 on: June 01, 2016, 02:05:01 PM »
As has been said: Virus scanners are really not worth much.  I took an advance penetration class and one exercise was to take a known piece of malware that is properly identified by a scanner, re-wrap it and try again.  No scanner in the class flagged it after wrapping it.

I'll also tell you that viruses targeting banks/financial institutions are taken seriously by the FBI (and equivalent organizations in other countries.)  I used to sit on a once-a-week call with FBI/ISPs/Banks/various security companies.  They're in pretty constant firefights to cripple/disable the various botnets and criminal organizations out there.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #13 on: June 01, 2016, 03:05:34 PM »
Not sure what you consider fancy about a Chromebook.  You can get them used/refurbished for about $100 on eBay.

Well, I'd argue my Pixel LS is a fancy Chromebook. ;)

I use it in Developer Mode with Ubuntu in a chroot as a general portable development workstation, though.  The monitor is amazing.

CowboyAndIndian

  • Handlebar Stache
  • *****
  • Posts: 1484
  • Location: NJ, USA
    • KOWines: Deep discount wine/spirits store.
Re: Scarier than something really scary!
« Reply #14 on: June 01, 2016, 04:34:29 PM »
I use it in Developer Mode with Ubuntu in a chroot as a general portable development workstation, though.  The monitor is amazing.

Syonyk, how difficult is it to do this?

My development is mostly on a Linux box and I use a MacBook (6 years old, bought to program my app) to log in when I need to.
I have been considering a Chromebook, and will gladly switch if I can access the Linux box and tools on it.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #15 on: June 01, 2016, 07:38:07 PM »
Trivial to do, but requires a beefier-than-usual Chromebook if you want to do anything useful with it.  Crouton is the tool to use.

I had a Pixel (1st gen) with 4GB RAM, and that was tight.  I'm a tab-heavy user, and with Linux running in the chroot, memory pressure was very noticeable.

The Pixel LS (16GB RAM) is perfect - no memory pressure at all, even with tons of tabs and Linux running in the chroot.

I typically have a web development stack going - Apache, MySQL, Netbeans, and various other things running, so my environment has a high memory footprint.  Or a C++ development stack - similar.

I looked for other options when I bought my Pixel LS, and couldn't find anything else that I wanted to use.  The high res display with good scaling is just amazing for getting work done, I love the dual USB C ports (with dual USB A ports - so no adapters needed like the Macbook), and that ChromeOS is auto updating and works very nicely on the hardware just makes it a joy to use.

The only downsides I've found are that the kernel doesn't support some esoteric corners or hardware virtualization - you can replace the kernel if you want, but I don't need to do those on this box, so it doesn't bother me.

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #16 on: June 01, 2016, 07:53:35 PM »
@Syonyk:

We're drifting far afield from recommending a Chromebook as a platform for casual users, but since we're on the subject ...

I used Crouton on an Acer (4GB, 128 SD) Chromebook for a while, but found it unreliable for development work (services would die unexpectedly, e.g. network, database).  However, once I flashed the native BIOS with SeaBIOS everything stabilized nicely.  It's a sweet $200 Linux machine that runs on battery life for ~6 hours.

FWIW.


Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #17 on: June 01, 2016, 08:25:04 PM »
You probably were running into memory pressure issues.  I assume you didn't boot from SeaBIOS into ChromeOS/Crouton, and instead used Linux natively.

ChromeOS doesn't handle memory pressure very well - it's sort of designed assuming you can kill and resume things, which is true of tabs, and less true of Apache/MySQL/etc.  That's why I went to 16GB - things just work much, much better.  Though it was a good bit more than $200.  The screen, though...

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #18 on: June 02, 2016, 12:38:38 PM »
I just ordered my 11.6" Lenovo Chromebook with 2GB of memory for $127 from Best Buy.

Should I use this for nothing but financial stuff.. no email etc or is that a little too paranoid assuming unknown email links are not opened?

Thanks..:)

brute

  • Pencil Stache
  • ****
  • Posts: 691
Re: Scarier than something really scary!
« Reply #19 on: June 02, 2016, 12:42:30 PM »
I just ordered my 11.6" Lenovo Chromebook with 2GB of memory for $127 from Best Buy.

Should I use this for nothing but financial stuff.. no email etc or is that a little too paranoid assuming unknown email links are not opened?

Thanks..:)
If you're buying it to make banking more secure, then nothing but the banking sites. No surfing, no email, no social media. Those sites, keep it updated, and keep it off the network. Should probably only use a hardwired connection too.

That's overkill, but again, if you're buying this for marginally increased safety, use it safely.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #20 on: June 02, 2016, 12:52:24 PM »
I just ordered my 11.6" Lenovo Chromebook with 2GB of memory for $127 from Best Buy.

Should I use this for nothing but financial stuff.. no email etc or is that a little too paranoid assuming unknown email links are not opened?

Thanks..:)
If you're buying it to make banking more secure, then nothing but the banking sites. No surfing, no email, no social media. Those sites, keep it updated, and keep it off the network. Should probably only use a hardwired connection too.

That's overkill, but again, if you're buying this for marginally increased safety, use it safely.

Thanks.. I don't think it supports ethernet so I think that means wifi only.. But yes I want it as secure as possible..

brute

  • Pencil Stache
  • ****
  • Posts: 691
Re: Scarier than something really scary!
« Reply #21 on: June 02, 2016, 02:00:26 PM »
I just ordered my 11.6" Lenovo Chromebook with 2GB of memory for $127 from Best Buy.

Should I use this for nothing but financial stuff.. no email etc or is that a little too paranoid assuming unknown email links are not opened?

Thanks..:)
If you're buying it to make banking more secure, then nothing but the banking sites. No surfing, no email, no social media. Those sites, keep it updated, and keep it off the network. Should probably only use a hardwired connection too.

That's overkill, but again, if you're buying this for marginally increased safety, use it safely.

Thanks.. I don't think it supports ethernet so I think that means wifi only.. But yes I want it as secure as possible..


It's pretty unlikely that anyone would get much from your wifi, so no worries there. As long as you're using a password on your router and it isn't ancient, you'll be fine.


Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #22 on: June 02, 2016, 02:42:59 PM »
@Exflyboy:

Since you're justifiably paranoid and have already ordered a Chromebook, you might consider using a compatible password manager:

https://lastpass.com/

In addition, you can increase your security vigilance if you combine this with multi-factor authentication:

https://helpdesk.lastpass.com/multifactor-authentication-options/

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #23 on: June 02, 2016, 03:02:36 PM »
@Exflyboy:

Since you're justifiably paranoid and have already ordered a Chromebook, you might consider using a compatible password manager:

https://lastpass.com/

In addition, you can increase your security vigilance if you combine this with multi-factor authentication:

https://helpdesk.lastpass.com/multifactor-authentication-options/

Interesting, I always shied away from these things in case LastPass was hacked.... But I guess with multilayer authentication it should be OK.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #24 on: June 02, 2016, 04:45:11 PM »
Thanks.. I don't think it supports ethernet so I think that means wifi only.. But yes I want it as secure as possible..

Then no email, and don't sign into it - use "guest mode" on it once you set it up (no auto sync of extensions or such).

It probably won't run malware anyway, but if you're concerned about malware spread through email, not accessing email on the system is the way to go.

Interesting, I always shied away from these things in case LastPass was hacked.... But I guess with multilayer authentication it should be OK.

LastPass encrypts your password database with your master password - so make sure you have a decent master password.

But the common threat these days is sites losing their password database when it's not well secured (say, LinkedIn, with plain unsalted SHA1).

Having LastPass makes it trivial to use a unique, random, long password for each site - so, for instance, I generate 12 or 16 character upper/lower/numeric passwords (no symbols since too many sites don't let you use those), unique for each site.  If one such site is hacked, it's going to be difficult to find my password from the hashed version, but even if it's plaintext, it doesn't help anyone gain access into my other accounts.

Here are some of the passwords I generate (freshly generated, these won't get you access to anything...):
5GWAEnSYgrnQm8Rf
gWxFDWG3uaKCN9u6
9dP9p77Xc5rYXeJC

For your email accounts, set up two factor (and if your mail provider doesn't support two factor, use another one).  Same for LastPass.  Then don't worry about it much.

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #25 on: June 03, 2016, 06:39:06 AM »
Then no email, and don't sign into it - use "guest mode" on it once you set it up (no auto sync of extensions or such).

Do you think accessing Gmail from a Chromebook poses much of a risk?

I would find this too restrictive to be practical.

Spork

  • Walrus Stache
  • *******
  • Posts: 5753
    • Spork In The Eye
Re: Scarier than something really scary!
« Reply #26 on: June 03, 2016, 08:08:14 AM »
I just ordered my 11.6" Lenovo Chromebook with 2GB of memory for $127 from Best Buy.

Should I use this for nothing but financial stuff.. no email etc or is that a little too paranoid assuming unknown email links are not opened?

Thanks..:)
If you're buying it to make banking more secure, then nothing but the banking sites. No surfing, no email, no social media. Those sites, keep it updated, and keep it off the network. Should probably only use a hardwired connection too.

That's overkill, but again, if you're buying this for marginally increased safety, use it safely.

Another way to go:
1) first and foremost, keep "admin" and "user" accounts separate.  The account you use day-to-day should not have admin access.  Anything that requires admin access should require a (good) password.  This probably won't be the default install, but google and set it up that way.  This is a standard IT industry practice.
2) keep "surfing" and "financial" accounts separate.  Don't let either of them have read/write access to the other.  Now: I'm not a windows person.  (The last time I used it day-to-day was windows 3.1).  But I suspect there is an easy way to do this.  In linux, it is trivial.  You can have multiple accounts for multiple purposes and have them all running at the same time.

Minimally: if you don't do #2 above, you can use separate firefox profiles.  Keep surfing profiles very strict (turn off javascript, toss your cookies at exit, etc.).  Allow more scripting/cookies/etc on the banking profiles so the sites will work.  This isn't optimal... as if you really do download/run some executables surfing, they will have read/write access to banking... but it does at least keep threats from within the browser separated.  (I.e., some clickjacking, tab stealing, etc.  And if you see "mybank.com" in the same browser instance as facebook... you KNOW something has gone amiss.)

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #27 on: June 03, 2016, 08:43:09 AM »
Then no email, and don't sign into it - use "guest mode" on it once you set it up (no auto sync of extensions or such).

Do you think accessing Gmail from a Chromebook poses much of a risk?

I would find this too restrictive to be practical.

I don't think accessing email from a Chromebook poses much of a risk.  The chances of someone developing a 0day against ChromeOS for deploying random banking malware (when you can just target Windows and get the bulk of businesses, who have much larger bank accounts typically) are nearly zero, and it's unlikely to survive the next reboot (ChromeOS has a very impressive trusted boot sequence, and I say this as someone who plays in that field and understands the details of what it's doing).

But if you've gone off into the paranoid weeds based on a news article, you may as well go all the way, and accessing email on a device you're using because you're concerned about malware spread through email seems a bit goofy.

IMO, the safest way to be at this point is "As much Google as you can."  They have the scale to detect weird attachments, they've got some very good security teams working on email, web, and ChromeOS, and if you're on a Windows or Mac platform, you should probably be using Chrome - well sandboxed, auto updating, ties into their site scanning services for malware detection, etc.  And ChromeOS is just awesome, security-wise.

... except for Android.  You're fine on a Nexus device (updated by Google, regularly), but nobody else ever updates their devices, so most of the Android fleet is running around with local exploits available.  I'd suggest either running a Nexus phone that's still in the supported period, or an iOS device that's still in the supported period.

brute

  • Pencil Stache
  • ****
  • Posts: 691
Re: Scarier than something really scary!
« Reply #28 on: June 03, 2016, 08:51:14 AM »
Honestly, I just run a Fedora VM for stuff like this. Free (the best price) and I can lock it down hard, never use the admin accounts, take all rights away from the "internet" user and go about my day.


Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #29 on: June 03, 2016, 09:59:45 AM »
Thanks to you guys for giving freely of your expertise around this issue.

This is totally not my field.. Heck I can design a complex air-handling system for a silicon chip manufacturing plant in my sleep.. but as far as I am concerned a laptop is a box that connects me and my portfolio to all and sundry.

My portfolio represents my entire life's work so you can bet I get pretty paranoid when I hear of a new supervirus that can drain the contents!

I also have a friend who is a prof in the computer science group at Oregon State.. He thought the Chromebox was a great idea..:)

So thanks again, I can sleep better now..:)

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #30 on: June 03, 2016, 10:44:00 AM »
I appreciate that everyone has been respectful in their replies on this thread, though each of us has different approaches to securing our data.

@Exflyboy:  You should be able to sleep at night knowing that you'll probably be in the top 1% of users who are vigilantly proactive.  Unless you've been personally targeted, you should be pretty safe.

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #31 on: June 03, 2016, 12:18:59 PM »
Unless you've been personally targeted, you should be pretty safe.

Yup.  And if you are personally targeted, you're screwed.  Period.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #32 on: June 06, 2016, 11:48:40 AM »
OK I have my Chromebook!..:)

So far I have set it up and now logged out so will only "surf as guest".

Now need to look at the password vault thingy..

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #33 on: June 06, 2016, 01:29:28 PM »
Thanks.. I don't think it supports ethernet so I think that means wifi only.. But yes I want it as secure as possible..

Then no email, and don't sign into it - use "guest mode" on it once you set it up (no auto sync of extensions or such).

It probably won't run malware anyway, but if you're concerned about malware spread through email, not accessing email on the system is the way to go.

Interesting, I always shied away from these things in case LastPass was hacked.... But I guess with multilayer authentication it should be OK.

LastPass encrypts your password database with your master password - so make sure you have a decent master password.

But the common threat these days is sites losing their password database when it's not well secured (say, LinkedIn, with plain unsalted SHA1).

Having LastPass makes it trivial to use a unique, random, long password for each site - so, for instance, I generate 12 or 16 character upper/lower/numeric passwords (no symbols since too many sites don't let you use those), unique for each site.  If one such site is hacked, it's going to be difficult to find my password from the hashed version, but even if it's plaintext, it doesn't help anyone gain access into my other accounts.

Here are some of the passwords I generate (freshly generated, these won't get you access to anything...):
5GWAEnSYgrnQm8Rf
gWxFDWG3uaKCN9u6
9dP9p77Xc5rYXeJC

For your email accounts, set up two factor (and if your mail provider doesn't support two factor, use another one).  Same for LastPass.  Then don't worry about it much.

Ok so dumb question time.. I'm assuming I go to each of my financial websites and set up the 12 to 16 digit PW first.. then come back to LastPass and enter the same password there for that website??

Is that how you do it?

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #34 on: June 06, 2016, 03:48:40 PM »
LastPass makes the most sense as an extension. Which is not doable in guest mode unless you install it every time. Normally it just sees a password change and prompts you to store it.

A sheet of paper on your desk with bank passwords is also probably fine.

Spork

  • Walrus Stache
  • *******
  • Posts: 5753
    • Spork In The Eye
Re: Scarier than something really scary!
« Reply #35 on: June 07, 2016, 08:36:23 AM »
LastPass makes the most sense as an extension. Which is not doable in guest mode unless you install it every time. Normally it just sees a password change and prompts you to store it.

A sheet of paper on your desk with bank passwords is also probably fine.

An observation:
If you would set $1M in cash on your desk and think it's fine, then it's also fine to have your bank password (with $1m in the bank) sitting on your desk.  I don't know your level of risk/comfort...  But that would really bother me.  Is it likely a robber or guest will steal it?  Probably not.  But that seems unacceptable risk, IMO.

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #36 on: June 07, 2016, 10:36:53 AM »
I don't use LastPass (though I recommended it to @Exflyboy and others) because I have a different method.  However, I do access my accounts in non-guest mode.  The benefits of using LastPass should outweigh the negatives (if any) of logging on in non-guest mode.

For me, the only benefit of guest mode is when a guest or co-worker wants to use my Chromebook to search for something on the Internet.  I log off, switch it to guest mode, and let them use it.

The manual notebook method is actually reasonably secure according to Bruce Schneier because you've reduced your attack vector by not having the information stored anywhere online.  Unless you're concerned about "black bag" ops, the people who burgle your home aren't likely to be the same group who are trying to hack into your accounts.

Pro-tip:  If you're writing down random characters for passwords, try to avoid:
  • Lowercase 'L' because it resembles the number '1' digit.
  • Uppercase letter 'O' because it resembles the number '0' digit.
If my auto-generator produces passwords with either of the above characters, I retry for another password.
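As an added example (not code from any poster in this thread), the following Python implements the password policy discussed above by Syonyk (12 or 16 character upper/lower/numeric passwords, no symbols, unique per site) together with Rubic's hand-copy tip (retry when the generated password contains lowercase 'l' or uppercase 'O'). It draws from the CSPRNG in the standard `secrets` module, enforces that every character class is present (many sites require this), and reports the entropy of the resulting alphabet so you can see how little the ambiguity filter costs. All function names and the example lengths are this example's own choices.

```python
import math
import secrets
import string

# Alphabet matching the thread's policy: letters and digits only, no symbols.
ALPHANUMERIC = string.ascii_letters + string.digits

# Characters the thread recommends leaving out of hand-written passwords
# because they are easy to misread (lowercase L vs 1, uppercase O vs 0).
AMBIGUOUS = frozenset("lO")


def password_alphabet(avoid_ambiguous: bool = False) -> str:
    """Alphabet used for generation; 62 symbols, or 60 with the filter on."""
    if not avoid_ambiguous:
        return ALPHANUMERIC
    return "".join(c for c in ALPHANUMERIC if c not in AMBIGUOUS)


def has_all_classes(password: str) -> bool:
    """True when the password has at least one lower, upper and digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def is_hand_copy_safe(password: str) -> bool:
    """True when the password contains none of the ambiguous characters."""
    return not any(c in AMBIGUOUS for c in password)


def generate_password(length: int = 16, avoid_ambiguous: bool = False) -> str:
    """Generate one uniformly random password from the CSPRNG.

    Candidates are rejected (and regenerated) until every character class
    is present; with avoid_ambiguous the alphabet already excludes 'l'/'O',
    so no post-hoc retry loop for those characters is needed.
    """
    if length < 3:
        raise ValueError("length must be at least 3 to contain all classes")
    alphabet = password_alphabet(avoid_ambiguous)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, avoid_ambiguous: bool = False) -> float:
    """Entropy in bits of a uniform password of this length and alphabet."""
    return length * math.log2(len(password_alphabet(avoid_ambiguous)))


def generate_per_site(sites, length: int = 16, avoid_ambiguous: bool = True):
    """One independent password per site, as a password manager would store."""
    return {site: generate_password(length, avoid_ambiguous) for site in sites}


if __name__ == "__main__":
    # Constructed sample site list; the passwords printed are fresh each run.
    for site, pw in generate_per_site(["bank.example", "broker.example"]).items():
        print(f"{site}: {pw}")
    print(f"16 chars, full alphabet:      {entropy_bits(16):.2f} bits")
    print(f"16 chars, without l and O:    {entropy_bits(16, True):.2f} bits")
    print(f"12 chars, without l and O:    {entropy_bits(12, True):.2f} bits")
```

Dropping two characters from a 62-symbol alphabet costs under a bit of entropy at 16 characters (about 95.3 bits versus 94.5), so the hand-copy filter is essentially free; the length, not the alphabet, is what matters.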

Syonyk

  • Magnum Stache
  • ******
  • Posts: 3874
    • Syonyk's Project Blog
Re: Scarier than something really scary!
« Reply #37 on: June 07, 2016, 11:25:00 AM »
If you would set $1M in cash on your desk and think it's fine, then it's also fine to have your bank password (with $1m in the bank) sitting on your desk.  I don't know your level of risk/comfort...  But that would really bother me.  Is it likely a robber or guest will steal it?  Probably not.  But that seems unacceptable risk, IMO.

If your concern is banking malware that will allow the Russian hackers to extract stuff from your bank account, then always browsing from a freshly rebooted Chromebook and keeping the passwords nowhere online is probably the best you'll manage.

There are other risks from having the password stored around your desk, but they all involve physical presence of an attacker.  And, generally, "smash and grab" types are more likely to grab your whole computer than go snooping around for passwords.  I strongly suspect the overlap between "people who would break into a random house looking for things of value" and "people who will go snooping about an office to find the password list for bank accounts" is the null set.  Besides, you don't have to give them the username on the same sheet of paper.  And you can obfuscate things such that someone with no additional knowledge will have a hard time figuring out the details.  Perhaps start your password with a sequence you memorize, or end it with the same, and only write down the random part.

Really, anything is better than using the same password everywhere or a small selection of passwords for most places.

Spork

  • Walrus Stache
  • *******
  • Posts: 5753
    • Spork In The Eye
Re: Scarier than something really scary!
« Reply #38 on: June 07, 2016, 11:34:06 AM »
If you would set $1M in cash on your desk and think it's fine, then it's also fine to have your bank password (with $1m in the bank) sitting on your desk.  I don't know your level of risk/comfort...  But that would really bother me.  Is it likely a robber or guest will steal it?  Probably not.  But that seems unacceptable risk, IMO.

If your concern is banking malware that will allow the Russian hackers to extract stuff from your bank account, then always browsing from a freshly rebooted Chromebook and keeping the passwords nowhere online is probably the best you'll manage.

There are other risks from having the password stored around your desk, but they all involve physical presence of an attacker.  And, generally, "smash and grab" types are more likely to grab your whole computer than go snooping around for passwords.  I strongly suspect the overlap between "people who would break into a random house looking for things of value" and "people who will go snooping about an office to find the password list for bank accounts" is the null set.  Besides, you don't have to give them the username on the same sheet of paper.  And you can obfuscate things such that someone with no additional knowledge will have a hard time figuring out the details.  Perhaps start your password with a sequence you memorize, or end it with the same, and only write down the random part.

Really, anything is better than using the same password everywhere or a small selection of passwords for most places.

I agree with you.  But fending off Russian hackers isn't the only thing you want to fend.  I cannot tell you how many passwords (including important server root passwords) I have "hacked" by simply looking around a desk and under a keyboard.  Probably the null set.  But an easy risk to avoid.

And yes, use a different userid / password / email address for every single account.  Not being a chromebook sort of guy, I don't really know the best way to manage that.  My personal method is a script that generates (or searches) all of that and stores in an encrypted filesystem.  I suspect doing my method on a chromebook requires a little more hacking than is desired.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #39 on: June 07, 2016, 12:28:57 PM »
My problem is I have too many accounts and as such there are too many duplicate passwords.

On balance it sounds like using the Chromebook in non-guest mode and LastPass is the way to go.

I am also a little paranoid about people breaking into the house. My Wife stupidly (and yes I don't like calling my Wife stupid but this was an act of extreme DUMB-assity) left her bag under a bench at a public swimming pool on Sunday.

You can guess the rest. Now we have thieves with our address and a working remote to her fancy car. Add to that the fact that we are leaving the country for 7 weeks, and let's just say I'm a little amped up about security.

House locks have been changed, but some meth addict could come kick down the door. I just hope he does it while I'm at home!

File containing investment info will be removed from the filing cabinet.


Spork

  • Walrus Stache
  • *******
  • Posts: 5753
    • Spork In The Eye
Re: Scarier than something really scary!
« Reply #40 on: June 07, 2016, 03:07:30 PM »
My problem is I have too many accounts and as such there are too many duplicate passwords.

I just did a quick linecount in my password file.  I have 704.  Each userid unique.  Each password unique.  Each email address unique.  If it asks for password reset questions, each of those is unique.  This is just personal passwords... before I FIRE'ed, I had a separate file for work passwords.  There were a crap ton in that file too.

It is do-able to make them non-duplicate.  The first step is to just stop duplicating from here on. 

Rubic

  • Handlebar Stache
  • *****
  • Posts: 1080
Re: Scarier than something really scary!
« Reply #41 on: June 07, 2016, 03:25:40 PM »
I just did a quick linecount in my password file.  I have 704.  Each userid unique.  Each password unique.  Each email address unique.  If it asks for password reset questions, each of those is unique.  This is just personal passwords... before I FIRE'ed, I had a separate file for work passwords.  There were a crap ton in that file too.

It is do-able to make them non-duplicate.  The first step is to just stop duplicating from here on.

This is good advice.  @Exflyboy: It would probably make sense to prioritize your accounts (banking, investment, credit cards, merchants) and get those passwords updated as soon as possible.  Then start changing passwords for less critical activities (e.g. this forum) until you finally have every account assigned with a strong/unique password.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #42 on: June 07, 2016, 04:23:57 PM »
Yup I am about halfway through setting up my accounts.

Lastpass won't work for one of my 401k accounts as it does not populate the username and password windows when the login page comes up.

But 5 out of 6 are winners with Lastpass generated passcodes.

robartsd

  • Handlebar Stache
  • *****
  • Posts: 2400
  • Location: Sacramento, CA
Re: Scarier than something really scary!
« Reply #43 on: June 07, 2016, 04:39:57 PM »
Having LastPass makes it trivial to use a unique, random, long password for each site - so, for instance, I generate 12 or 16 character upper/lower/numeric passwords (no symbols since too many sites don't let you use those), unique for each site.  If one such site is hacked, it's going to be difficult to find my password from the hashed version, but even if it's plaintext, it doesn't help anyone gain access into my other accounts.
I've had password systems REQUIRE a symbol (most annoying when they also restrict the set of symbols). I wish all sites expressed clear password rules before asking to create a password, so I could set a password generator to use all the entropy available without generating passwords that will break the rules. At one point I used passwords generated by a hash of a master password and the site the password is for; but encoding the hash in a way that worked for one site might not work for other sites. I use a single relatively weak password on low value sites (like this forum) and an array (though not always unique) of strong passwords on high value sites (like banks).
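
The two posts above raise three concrete questions: how much entropy a 12- or 16-character upper/lower/numeric password actually carries, what a "must contain a symbol" rule costs or saves, and why the "hash of master password plus site name" scheme runs into trouble at the encoding step. The following is an added example written for this page, not code from any poster or from LastPass; the `Policy` objects are constructed stand-ins for site rules, and `derive` is a generic illustration of the master-password scheme, not robartsd's actual script.

```python
"""Per-site password generation against an explicit site policy.

Added example. Policies below are constructed for illustration.
"""
import hashlib
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What one site will accept (constructed; most sites never publish this)."""
    length: int
    lowers: bool = True
    uppers: bool = True
    digits: bool = True
    symbols: str = ""            # symbols the site permits; "" means none allowed
    require_symbol: bool = False

    def alphabet(self) -> str:
        chars = ""
        if self.lowers:
            chars += string.ascii_lowercase
        if self.uppers:
            chars += string.ascii_uppercase
        if self.digits:
            chars += string.digits
        return chars + self.symbols


def is_valid(pw: str, policy: Policy) -> bool:
    alphabet = policy.alphabet()
    if len(pw) != policy.length or any(c not in alphabet for c in pw):
        return False
    return not policy.require_symbol or any(c in policy.symbols for c in pw)


def count_valid(policy: Policy) -> int:
    """Number of distinct passwords the policy accepts.

    A 'must contain a symbol' rule removes every password built solely from
    the non-symbol characters, i.e. (n - s) ** L of the n ** L candidates.
    """
    n, s, length = len(policy.alphabet()), len(policy.symbols), policy.length
    total = n ** length
    return total - (n - s) ** length if policy.require_symbol else total


def entropy_bits(policy: Policy) -> float:
    """Entropy of a password drawn uniformly from the valid set."""
    return math.log2(count_valid(policy))


def generate(policy: Policy) -> str:
    """Uniform random password from the valid set.

    Rejection sampling (redraw until valid) keeps the distribution uniform;
    forcing a symbol into a fixed position would not.
    """
    if policy.require_symbol and not policy.symbols:
        raise ValueError("policy demands a symbol but permits none")
    alphabet = policy.alphabet()
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if is_valid(pw, policy):
            return pw


def derive(master: str, site: str, policy: Policy) -> str:
    """Deterministic per-site password from a master secret (the scheme
    robartsd describes, shown generically). The encoding step is the weak
    point: it must be redone for every policy, and the output changes if the
    site label or the policy changes, so rotating one site means changing
    the label or the master."""
    alphabet = policy.alphabet()
    counter = 0
    while True:
        salt = f"{site}\x00{counter}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  100_000, dklen=4 * policy.length)
        # Each 32-bit word reduced mod len(alphabet); modulo bias is below
        # 2**-25 for alphabets under 100 characters, acceptable here.
        pw = "".join(alphabet[int.from_bytes(key[i:i + 4], "big") % len(alphabet)]
                     for i in range(0, len(key), 4))
        if is_valid(pw, policy):
            return pw
        counter += 1   # only reached when a required symbol happened to be absent


if __name__ == "__main__":
    for pol in (Policy(12), Policy(16), Policy(16, symbols="!@#$", require_symbol=True)):
        print(f"{pol.length} chars, alphabet {len(pol.alphabet())}: "
              f"{entropy_bits(pol):.1f} bits, e.g. {generate(pol)}")
```

The numbers bear out the earlier post: 12 upper/lower/numeric characters give about 71 bits and 16 give about 95 bits, both far beyond what an offline attack on a hashed leak can reach. Adding four permitted symbols to a 16-character policy is worth roughly 1.4 bits; requiring one of them to appear then takes back about two-thirds of a bit. The rule costs the user more than it costs an attacker.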

Spork

  • Walrus Stache
  • *******
  • Posts: 5753
    • Spork In The Eye
Re: Scarier than something really scary!
« Reply #44 on: June 07, 2016, 07:12:10 PM »
Having LastPass makes it trivial to use a unique, random, long password for each site - so, for instance, I generate 12 or 16 character upper/lower/numeric passwords (no symbols since too many sites don't let you use those), unique for each site.  If one such site is hacked, it's going to be difficult to find my password from the hashed version, but even if it's plaintext, it doesn't help anyone gain access into my other accounts.
I've had password systems REQUIRE a symbol (most annoying when they also restrict the set of symbols). I wish all sites expressed clear password rules before asking to create a password, so I could set a password generator to use all the entropy available without generating passwords that will break the rules. At one point I used passwords generated by a hash of a master password and the site the password is for; but encoding the hash in a way that worked for one site might not work for other sites. I use a single relatively weak password on low value sites (like this forum) and an array (though not always unique) of strong passwords on high value sites (like banks).

Yeah, I've seen the same.  I just let my homebuilt generator make a good password... then tweak it to fit.  I copy/paste, so the lack of a working browser built-in isn't annoying to me.

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #45 on: June 07, 2016, 07:18:08 PM »
Now have all the accounts set up but still want the dual authentication, and they all seem to need a smart phone app... We only have one Republic smart phone (Wife's) that only works when connected to wifi.

But then again there is really no reason that we need to poke around in our accounts unless we are connected to wifi anyway. I mean the Chromebook (or the Android tablet if we are travelling) would need to be connected to the web in order to access the accounts. Duh!

Thanks all for the help.


slowsynapse

  • Stubble
  • **
  • Posts: 101
  • Age: 47
Re: Scarier than something really scary!
« Reply #46 on: June 07, 2016, 07:40:16 PM »
Lots of good suggestions, including lastpass.  I also use two factor log in whenever possible.  I have also seen different accounts that will text you every time a withdrawal is made.

robartsd

  • Handlebar Stache
  • *****
  • Posts: 2400
  • Location: Sacramento, CA
Re: Scarier than something really scary!
« Reply #47 on: June 08, 2016, 09:32:30 AM »
Banks are required by US laws to use two-factor authentication; a cookie in your browser and your password counts. Banks do like to set the two-factor authentication bar a little higher using codes texted to your phone or smartphone apps; however, all of these methods usually contain the same flaw: they simply require your password and answers to your security questions (so both factors are the same: something you know; sometimes they also use the ability to retrieve an email, which boils down to something you know that is verified by someone else).

Stronger two-factor authentication would require the bank to provide you a device capable of generating a response to a challenge using a secret contained in the device. I imagine this will become the norm when the technology is small and cheap enough to put into bank cards. The key is that the secret is embedded in the device in such a way that it can respond to a challenge proving that the secret is there, but the secret itself cannot be retrieved, making the device a factor of "something you have".
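
The challenge-response exchange described in the post above, as an added example that is not part of the original thread and not any bank's actual protocol. It is the same shape as HMAC-based one-time-password tokens and FIDO authenticators: the bank and the device share a secret, the bank sends a fresh random challenge, the device returns a keyed hash of it, and the bank checks it. The `HardwareToken` class stands in for the issued device; keys and user names are constructed. The demo shows why this is "something you have": a captured response cannot be replayed, a response cannot be consumed twice, and knowing every password and security answer produces nothing the verifier accepts.

```python
"""Challenge-response second factor with a device-held secret.

Added example. Keys, user names and the 'bank' are constructed stand-ins.
"""
import hashlib
import hmac
import secrets


class HardwareToken:
    """Stands in for a device the bank issued. The secret is written once at
    enrollment and the only operation exposed is respond(); nothing returns
    the secret itself, which is the property that makes it 'something you have'."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class BankVerifier:
    """Server side: holds a copy of each user's device secret and one
    outstanding challenge per user."""

    def __init__(self):
        self._secrets: dict[str, bytes] = {}
        self._outstanding: dict[str, bytes] = {}

    def enroll(self, user: str) -> HardwareToken:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return HardwareToken(secret)

    def challenge(self, user: str) -> bytes:
        # Fresh 128-bit nonce per attempt; issuing a new one invalidates the old one.
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._outstanding.pop(user, None)   # single use: consumed here
        if nonce is None or user not in self._secrets:
            return False
        expected = hmac.new(self._secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo() -> dict:
    bank = BankVerifier()
    token = bank.enroll("alice")

    # 1. Legitimate login: fresh challenge, device answers, bank accepts.
    c1 = bank.challenge("alice")
    r1 = token.respond(c1)
    genuine = bank.verify("alice", r1)

    # 2. Attacker recorded (c1, r1) on the wire and replays r1 later.
    #    The bank has issued a new challenge, so the old response is worthless.
    bank.challenge("alice")
    replay = bank.verify("alice", r1)

    # 3. Attacker knows everything the user knows (password, security answers)
    #    but holds no device, so cannot compute a valid response.
    c3 = bank.challenge("alice")
    forged = bank.verify("alice", hmac.new(b"password123", c3, hashlib.sha256).digest())

    # 4. A correct response is accepted once; the nonce is gone after that.
    c4 = bank.challenge("alice")
    r4 = token.respond(c4)
    first = bank.verify("alice", r4)
    second = bank.verify("alice", r4)

    return {"genuine": genuine, "replay": replay, "forged": forged,
            "first": first, "second": second}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:8s} -> {'accepted' if ok else 'rejected'}")
```

Contrast this with an SMS code: the code is a value that is delivered to you and then typed into whatever page asks for it, so a phishing page that proxies the real site can relay it in real time. A challenge-response device never emits a reusable value, only an answer bound to the specific challenge the genuine verifier issued.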

Exflyboy

  • Walrus Stache
  • *******
  • Posts: 6333
  • Age: 57
  • Location: Corvallis, Oregon
  • Expat Brit living in the New World..:)
Re: Scarier than something really scary!
« Reply #48 on: June 08, 2016, 10:50:53 AM »
So I finished putting all my funds in and they all work except one. The sign-in form is not auto-populated from LastPass.

Secondly, when I added the extension (it says Chrome has installed LastPass) I thought I would get a little icon on the toolbar at the bottom, but it's not there. That would be handy.

Also it looks like the two-factor authentication requires the use of a smart phone. I have a dumb flip phone. I guess I could use the Wife's Republic phone. I'm assuming I can't use an Android tablet or Skype somehow?

Would be nice if LastPass simply sent a text to my dumb phone like the banks do.

arebelspy

  • Administrator
  • Senior Mustachian
  • *****
  • Posts: 27954
  • Age: -999
  • Location: Seattle, WA
Re: Scarier than something really scary!
« Reply #49 on: July 02, 2016, 03:45:29 AM »
Lastpass was bought out by a scummy company a few months back.  I sure don't trust them.  I used to be a big fan of LastPass (example 1 & 2).  Now, I wouldn't touch them with a 10-foot Ethernet cord.

I'd export your data from there to KeePass or 1Password, and delete your LastPass data.

YMMV.  :)
We are two former teachers who accumulated a bunch of real estate, retired at 29, spent some time traveling the world full time and are now settled with two kids.
If you want to know more about us, or how we did that, or see lots of pictures, this Business Insider profile tells our story pretty well.
We (rarely) blog at AdventuringAlong.com. Check out our Now page to see what we're up to currently.