Hi all, I was just reading another thread and it made me think "Genvibe should have a running security thread". So I made this post... I know some of you are IT guys and a lot of us are complete tools when it comes to today's web security... (at least I am)

I was thinking/hoping that I could get a discussion going on today's security issues AND recommended fixes... maybe lists of progs being currently used and whatnot? Maybe even this could be stuck to the top, and once in a while info could be compiled into the first post... (IF updating the site happens...lol)

What say GenVibe... ???

Thanks for lookin....
Aaron
Quote, originally posted by joatmon »
You now control the first post in the thread, so you just volunteered to be responsible for incorporating subsequently posted info into the first post in the thread.

Can do... if it goes anywhere..
I think it's a great idea Sublime. I think the first thing that should be done is make sections to list related programs like below:

Internet Browsers
Firefox
Opera
Avant
Slimbrowser - I'm not sure if this is still available/updated because it is based off Netscape, which is no longer made

Anti-virus Software
Avast - free
Kaspersky
Trend Micro

Anti-spyware Software
Spybot S&D
Xoftspy - not free
CounterSpy - not free - very similar to the Microsoft program but with better definitions and searches more areas. Microsoft's Bit-defender? is based off this but they reduced some of its functionality
Well... IE can work if tweaked properly. Otherwise mozilla based browsers are the way to go.

imo trend sucks, we use it at work and it just hogs resources like it's no one's business. AVG free should win hands down for free.

I think we maybe should have a free/opensource list at least because I think they are way better than having to pay for some pos software that only is good for 1 yr and is a rip off. These are all free and work with XP, maybe even vista.

Windows:

browser:
Firefox
safari
opera

spyware apps:
spyware blaster
spyware guard
ccleaner
a squared free
aimfix (removes known aim viruses)
spybot
ad-aware
advanced spyware remover
spyware doctor starter edition (free one)
superantispyware

Firewalls:
ZoneAlarm Free (used it once, locked the crap out of my connection, must be tweaked to work great)
PC tools firewall plus (never used but it's popular)

Virus scanner:
AVG free
Avast! Home edition
I use a few of those already listed (Firefox, SuperAntiSpyware, Spybot) and Hijackthis and the Vista FW. I've seen the Vundo Trojan plenty of times and use the tools from this site: http://www.bleepingcomputer.co....html
For forum related security, I hide my email address. This can be done using the options in the User Options section of the My Profile page. There is a setting titled "Hide Email Address" with self explanatory settings of "Hide Email Address" and "Do Not Hide Email Address". Setting this to hide your email address will cause your email address to not be displayed when anyone looks at your profile.

The reason I hide my email address is because GenVibe is crawled by search engines, it is easy to follow links to profiles, and spammers may even have specialty crawlers that seek out email addresses. If you used an email address here that you don't want to get spammed, then go into your profile and hide it, if you haven't already.

Another good reason to hide your email address is that already there are some people out there who will ask questions via IM that should be posted in the appropriate thread, so there can be group input on the answers. If you are free with your email address, then even lurkers who won't bother to sign up can pester you with email questions. This happened to me when I had posted an email address for a genvibe contest I was involved in.

The user controlled option to show or hide email address is very common on internet forums, so genvibe is not unusual in allowing members to choose to share this information.

In general, it is a good idea to not share too much personal information in public forums; there are bad guys out there inventing ways to screw us with what they can piece together off the internet. That is why a number of people even retouch car photos to blur out license plates. If you do want to tell someone something individually identifiable, an email address, a phone number, an address, stuff like that, better to do it with a forum Instant Message, so you can control who gets the information.
joatmon - oh yes! excellent post, very good idea... i actually just checked and mine wasn't hidden. which would explain why my hotmail was full of junk all the time and the random emails from genvibe members.....
In addition to software, there are many simple things you can train yourself to do to be more secure.

1. Be suspicious! Don't go clicking on everything you find online. If it sounds too good to be true, proceed very carefully. Be super careful if you seek out (you know you probably do) pirated software, movies, music, porn, free stuff that shouldn't be free, etc. They are very often used as lures to malware. If you are on a website you don't totally trust, hover the cursor over any link before you click it. The link URL will show in the bottom left corner of your browser window. Make sure it looks legit. It just takes a while to develop a sense of safe URLs. Learn how to find the real site name and domain. It can be very difficult to determine exactly where an obfuscated link goes, but the point is that legitimate sites don't obfuscate their links. Be *very* wary of sites with foreign domains, especially .ru, .be, .cn.

2. Any information that you want to stay secret needs to go over SSL (encryption). On most browsers, there will be a little lock symbol next to the address bar or at the bottom of the window. Or you can check that the URL includes https. Don't enter any sensitive info on a page not using SSL! *Many* sites do not use it by default when you log in. If that's the case, try changing http to https, hit go, then enter your login if it's secure. Make sure to change your bookmarks to include https. Oops, I just checked some of mine, and I had missed a couple.

3. Purge cookies, history, and cache. These can be used to track everything you do on their sites. The one I am particularly worried about is google. If you sign in to gmail, they can associate your name with every google search you perform and youtube video you watch (google owns Youtube) until you clear your cookies. I set firefox to clear cookies, history, and cache every time I close it. You can set exceptions to keep cookies from certain sites, e.g. your banking website.

At home, I use an email client to download my messages from Gmail (which won't set cookies), but at work I can only check it from the website, so I clear all my google cookies, then sign in to gmail. I do what I need to, then sign out and clear google cookies again. I'm probably a little more paranoid than most people, but even if google themselves don't do anything with the data they can collect about you, the FBI has already tried to demand stuff like that from them. I'm really considering just switching to my own email server.

4. If you want to secure information on your computer (password lists, banking, tax info, etc) there are several encryption solutions. The one I recommend is Truecrypt because it is open-source (and free as in beer) and runs on Windows, Mac, and most importantly Linux. Check out the beginner's tutorial under Documentation to get started. Make sure you use a really long passphrase like himynameisbobandilikewatermelonchewinggum or something equally ridiculous. Maybe your favorite movie quote.

5. Choosing passwords is probably one of the hardest things. Obviously never use just numbers or dictionary words (which includes asdf, qwerty, abc123, etc). You should not use the same passwords for multiple accounts for obvious reasons. My method is to have a small strong "base password" that I add a few characters to for each site. For instance, a base password could be Pen6u1n$ (maybe a bit long) and then for gmail, you add GmL to the end. For Genvibe, maybe GVb. So you just memorize the base password and if you can't remember the site suffixes, you can keep a list electronically (encrypted of course!) or a note in your wallet. The problem with this is, of course, that some web sites will restrict your password to not include symbols (especially =+-, because they are used in database queries) or maybe restrict the length too much. I really don't have a solution to this.

I literally have a list of passwords that use my base password and then an ever-growing list of random "whatever would actually work" passwords. I think I may choose a new base password without characters, so I can just use a symbol in the suffix if the site permits it.

Wow, sorry this was so long, but I figured some of this stuff may not be obvious to those of you who are not computer geniuses *cough*, I mean programmers.
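The advice in the post above to "find the real site name and domain" before clicking, as an added example that is not part of the original thread: it parses a link with the standard `URL` class (Node.js or a browser console) and reports the host the browser would actually contact. The function names, warning labels and sample links are constructed for illustration.

```javascript
// Added example, not from the thread. All links below are constructed samples;
// example.com / example.test and 192.0.2.10 are reserved placeholder names.

// Naive "site name": the last two labels of the hostname. Assumption: this is
// wrong for suffixes such as .co.uk; real tools use the Public Suffix List.
function siteName(hostname) {
  return hostname.split('.').filter(Boolean).slice(-2).join('.');
}

// Parse a link the way the browser does and report where it really goes.
function inspectLink(link) {
  const u = new URL(link);
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname);
  const warnings = [];
  if (u.protocol !== 'https:') warnings.push('not-https');
  // Anything before "@" is a username sent to the real host, not the site.
  if (u.username || u.password) warnings.push('userinfo-before-at');
  if (isIp) warnings.push('ip-address-host');
  // Non-ASCII look-alike letters are exposed as "xn--" labels by the parser.
  if (u.hostname.split('.').some((label) => label.startsWith('xn--'))) {
    warnings.push('punycode-label');
  }
  return { host: u.hostname, site: isIp ? u.hostname : siteName(u.hostname), warnings };
}

// True only when the link's real site is the one you expected to visit.
function goesTo(link, expectedSite) {
  return inspectLink(link).site === expectedSite.toLowerCase();
}

const samples = [
  'https://www.example.com/login',
  'http://www.example.com@login.example.test/account',
  'https://www.example.com.secure.example.test/',
  'http://192.0.2.10/login',
  'https://ex\u00e4mple.test/',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(inspectLink(s)));
}
```

The second and third samples both show a familiar name at the left of the link, yet the site is whatever sits immediately before the first single slash.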
password:
yeah, strong passwords are annoying to try and remember. a typical strong password should be at least 8 characters long, contain upper and lower case letters, a number, and a special character (such as !@#%^&_-). sometimes there is an extra rule where you cannot have more than 3 or 4 letters in a row. now it seems that something like P@1ssW0rd could be a decent password but it is still a dictionary word and possibly susceptible to a dictionary attack cause everyone knows l33t now. what the programmers would like is to have your password be something like D4b**kc#iifcsQ1 but who can remember that? in one of my classes an instructor was telling us about one of his experiences where somebody used the first letter of each word from a poem as their password and either added a special character or changed some of the letters to numbers.. 2b0N2bT1tq#. or "to be or not to be that is the question" plus a special character of #.

at work more than at home i definitely recommend not writing down your password on paper and leaving it at your desk.

wireless:
in the other thread i recommend using WPA over WEP, but i also know that some routers and access points are older and don't support WPA. or if you connect your Nintendo DS you need to use WEP. while yes it can be cracked a bit easier it can be ok to use if you aren't really using it for excessively long times. if you use it for about 30 minutes, then shut down your computer it might be ok. or even better would be to just use a wired connection.

Security:
for firewall on my desktops i use Zone Alarm along with Windows Defender. i also use the task manager to see what programs are running and then eliminate anything i notice manually. if you have a spare old computer around and are willing to try something, install FreeBSD on it and turn that old computer into a firewall.

Programs:
do not use Aries, kazaa, or etc. there is soooo much spyware.

as for computers that aren't built by you, remove as much of those garbage programs as possible. cause a lot of them run at startup even if you don't use them ever and steal resources.

for good PC health run a good AV program. as for which, it's mostly preference. i personally don't use any free ones other than Defender. and go ahead and defrag every few months and do a clean up too. also do a registry cleaning. if you can, shut it down when you aren't using it. it saves on power (and therefore $$) and it's just a good practice because if it's not on it can't be hacked. i personally do a complete format every year.
one more thing. don't post your email. if you have to for some forum or such, use a new email that won't have any personal information and will be used just for that forum. this way you can keep the spam out of your personal email box. if you are having correspondence with another forum member and you need to exchange e-mails do it in PM's or some other method like a trusted instant messaging program. and if you absolutely need to and have no other method, email at whatever dot com. or email-remove this- at what-remove this-ever dot com. cause there are sniffer programs out there looking for email@whatever.com and they will automatically start spamming them. by keeping your email not public on the internet or at least not posted in the standard format you can help keep your spam down.
Quote, originally posted by joatmon »
Personal Profile section of the My Profile page. There is a setting titled "Hide Email Address" with self explanatory settings of "Hide Email Address" and "Do Not Hide Email Address"

That is under "User Options". I had to look for a few to find it, then I found that I had set it up when I registered... to not show it that is..

Well, this is turning out very nicely..
Quote, originally posted by altimar »
Learn how to find the real site name and domain.

That's a biggie right there. I've been using PC-cillin for the last year or so (not freeware). Works really well for virus/spyware/malware. One of the better all-in-one suites I've used.

@North - have you tweaked zone alarm much? I've got a heck of a time using it and networking any of my pc's together.