Advice from an I.T. professional.. (I.T. related).

Thread starter: Bash_Man
This is simply advice based on what I come across, having been in the I.T. industry for 20+ years.

Aside from my full-time job in I.T. as a senior network and security analyst, I do work on the side where I visit homes and small and medium businesses to assist with various I.T. related tasks.

However, more and more frequently I've been coming across issues with folks having their email hacked due to a weak password and/or no MFA/2FA (Multi-Factor Authentication / 2-Factor Authentication).

My advice is:
- set up MFA/2FA on any account or service that allows it, whether it's a text message or an authenticator app such as Microsoft Authenticator or Google Authenticator.

- use a complex yet memorable password. Complicated passwords don't have to be made up of a complicated pattern. Using a familiar name and number as a combo and mixing some odd characters in there would be a good idea. Something like B@$hMan23 is more complex and secure than simply using bashman23.

- use a password manager to store passwords you don't use often and that are complicated. There are free products such as Bitwarden, which is free with no limits for personal use. It can be used on mobile and desktop/laptop platforms, and uses strong encryption to store and sync across their platforms.

- do not use the same password on both non critical and critical services. Example: don't use the same password you use for rig-talk.com on your online banking or email services.

- use a tracking blocker and/or ad blocker on your browser. My favorite is "Malwarebytes browser guard".

- back up your data to a secure location such as cloud storage (Google Drive, OneDrive or iCloud Drive)... of course, ensure your password is strong and MFA/2FA is enabled.

- last but not least, never click on links in emails when you're not sure who they're from. Even if the name on the email shows a familiar name, check the email address it's coming from. If you're unsure, always call that person and ask if they've sent it. You'd be protecting yourself and bringing awareness to someone else whose account could've been compromised by a cyber attack.

Technology nowadays unfortunately doesn't stop at Android vs iPhone, Mac vs Windows or whether you have antivirus on your computer or not. The technology and the services are only as secure as the end user setting them up and using them.

I hope that gives some folks some helpful info.

Please feel free to ask questions.

Cheers
 
> However, more and more frequently I've been coming across issues with folks having their email hacked due to a weak password and/or no MFA/2FA (Multi-Factor Authentication / 2-Factor Authentication).
Thanks for the suggestions. As a tech pro, let me pick your brain. Almost every online service requires at least an eight digit password, and the more sophisticated providers, like Google/Facebook/Twitter/etc. detect and thwart brute force attacks. My iPhone is set to erase after 10 attempts. So how are people getting hacked, apart from literally giving their password to bad actors?
 
> Thanks for the suggestions. As a tech pro, let me pick your brain. Almost every online service requires at least an eight digit password, and the more sophisticated providers, like Google/Facebook/Twitter/etc. detect and thwart brute force attacks. My iPhone is set to erase after 10 attempts. So how are people getting hacked, apart from literally giving their password to bad actors?

Is "bad actors" an industry term? I always hear that in the tech training videos we have to watch at work, like every month.
 
Great post Bash_Man :cheers: and good to see you 'back' :yes:

I am in the IT Services & Consulting biz and everything you said looks accurate to me and a great baseline. The 2-Factor fix is a great method IMO, as a 'bad actor' would have to have your password and probably your laptop AND your phone. I like MS Authenticator. I use Kaspersky on my personal laptop (the one I'm on now) along with their VPN. Adding upper case, special characters and numbers into your password is key. I would say at least 12 characters if you can, but certainly 8. Also, I sit down once every 6 months and take an hour to go through all of the sites that I know I have passwords on and change them all at the same time. Tedious but worth it. The industry spec would say don't use the same password at all sites, but that is virtually impossible without a tool to do it for you - like you mentioned.

I like your suggestion of using different passwords for a bank vs rig-talk.

Lastly, the email and text phishing is going to be the worst - especially for older folks who are not as hip to all of this. The Bad Actors have this down to a science and they can devise an email so close to an original that you can't tell. It will have the correct logos, information, etc. and possibly even a few correct URLs and phone numbers to give that sense of security. Hover over the link with your cursor and then look at the actual URL in the bottom left of the browser (if you are on a Windows machine running Chrome, for example). Yours may be different.

DO NOT click on a link that does not have the correct URL domain.

For example, you ordered some guitar strings through Amazon and you need them badly for an upcoming gig.

You get an email that says "Your Package Could Not Be Delivered" - click here. We've all seen these right? Look at the domain.

Correct: www.********.amazon.com/******
Incorrect: www.amazon.yourpackage.com/*****
Incorrect: www.youpackage.com/amazon
Incorrect: www.yourpackage-amazon.com/****

You get the idea...


PS: Yeah, "Bad Actors" is an industry term to describe a blanket of behavior designed to trick or hack you. Doesn't have to be an actual person either, could be software or a Bot, etc.
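The "look at the domain" rule above can be made mechanical. The following is an added example, not code from the post or from any of the tools mentioned in the thread: it parses a link with Python's standard urllib, extracts the registrable domain (the last two host labels, a simplification that is fine for .com but not for suffixes like .co.uk) and compares it with the one domain a genuine notification would use. The sample links are constructed to mirror the post's three "Incorrect" patterns (the starred labels replaced with made-up ones), plus one extra input kind the post does not show, a URL whose "amazon.com" sits before an "@" and is therefore login information rather than the host.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed for this example: the one domain a genuine Amazon notification would link to.
EXPECTED_DOMAIN = "amazon.com"


def registrable_domain(url: str) -> Optional[str]:
    """Return the last two labels of the URL's host, e.g. 'amazon.com'.

    Simplification: two labels is right for .com but wrong for suffixes such as
    .co.uk; a production check would consult the Public Suffix List instead.
    """
    if "://" not in url:
        url = "http://" + url  # give urlsplit a scheme so it parses the host part
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None  # bare names such as 'localhost' have no registrable domain
    return ".".join(labels[-2:])


def link_matches(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only when the host's registrable domain is exactly the expected one."""
    return registrable_domain(url) == expected.lower()


# Constructed sample links mirroring the post's patterns; the dict value is the
# verdict the check is expected to reach.
SAMPLE_LINKS = {
    "https://www.smile.amazon.com/orders/12345": True,      # real subdomain of amazon.com
    "https://www.amazon.yourpackage.com/track": False,      # 'amazon' is just a subdomain label
    "https://www.youpackage.com/amazon": False,             # 'amazon' is only in the path
    "https://www.yourpackage-amazon.com/track": False,      # look-alike registered domain
    "https://amazon.com@www.yourpackage.com/login": False,  # text before '@' is userinfo, not the host
}


def check_all(links=SAMPLE_LINKS):
    """Map each link to whether it passes the domain check."""
    return {url: link_matches(url) for url in links}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print(("OK      " if ok else "SUSPECT ") + url)
```

The point of `urlsplit(...).hostname` rather than a string search is that it discards the scheme, any userinfo before "@", the port and the path, so the comparison is made on the part of the URL the browser actually connects to.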
 
> Thanks for the suggestions. As a tech pro, let me pick your brain. Almost every online service requires at least an eight digit password, and the more sophisticated providers, like Google/Facebook/Twitter/etc. detect and thwart brute force attacks. My iPhone is set to erase after 10 attempts. So how are people getting hacked, apart from literally giving their password to bad actors?

Great question. Unfortunately, there are other ways than having hands on a device. Hashing passwords from system cookies or saved passwords is one way. Keyloggers on fake websites that people don't know to pay attention to are another. You'd get an email from customerservice@amazon.service.com telling you that your account is about to be suspended if you don't log in with a link in the email; someone who doesn't know better would click on the link and input their username/password.

Some poorly designed websites store your passwords in insecure cookies that would display clear text... and the one I see most often is people just using common weak passwords that would be on a common blacklist and would be the first guess for people to use... passwords like "password" or "1234".

Hope that helps.
 
Hey 311, great advice as well. Thanks for adding.

Password changing is not a fun task. Having your tech (software, online or hardware) compromised is not a joyful part of life. It frustrates a lot of people and leaves them lost. Sadly a lot of the victims are folks of older age. The last person I helped get access to their Hotmail account and stop emails from being forwarded was in their mid-70s.

I felt bad for them, as when I mentioned we needed to check their online banking to ensure it had not been compromised, they started to cry as they thought that if it was, their life savings would be gone. Luckily the "bad actors" didn't get that far.

A password manager also has a premium (I think $10/year) to unlock additional features such as detecting weak passwords, Reused passwords, exposed passwords and other nifty features. It also has a browser extension for Chrome and Edge that allows you to auto-fill passwords into websites as well as recommend and save passwords to your password vault directly.

Cheers
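The "common blacklist" point two posts up and the "weak, reused, exposed" checks a password manager's premium tier runs (mentioned just above) are the same three tests. The following is an added example, not Bitwarden's code or anything from the thread, that runs those tests over a constructed sample vault: a tiny stand-in for a common-password blocklist, the thread's own "at least 12 characters" guideline as the length check, a reuse check across sites, and an "exposed" check done the way breach-lookup services do it, by matching the SHA-1 of the password against a corpus indexed by the first five hex characters of the hash (k-anonymity: only that prefix would ever leave the client). The breach corpus here is a constructed three-entry set so the whole thing runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "rig-talk.com": "bashman23",
    "bank.example": "bashman23",   # same password reused on a critical site
    "mail.example": "password",    # on every common-password blocklist
    "shop.example": "correct-horse-battery-staple-9Qz",
}

# Stand-in for the blocklists password managers ship; real ones hold millions of entries.
COMMON_PASSWORDS = {"password", "passwords", "1234", "123456", "qwerty", "letmein"}

# Minimum length the thread recommends ("at least 12 characters if you can").
MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the k-anonymity range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked_passwords):
    """Index leaked passwords by the first 5 hex chars of their SHA-1 -> list of suffixes.

    A real service returns, for a 5-char prefix, every suffix it knows; the client
    then looks for its own suffix in that list without ever sending the full hash.
    """
    index = defaultdict(list)
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].append(digest[5:])
    return index


# Constructed breach corpus for the example.
BREACH_INDEX = build_breach_index({"password", "bashman23", "hunter2"})


def is_exposed(password: str, breach_index=BREACH_INDEX) -> bool:
    """Client side of the range check: fetch suffixes for our prefix, match locally."""
    digest = sha1_hex(password)
    return digest[5:] in breach_index.get(digest[:5], [])


def audit_vault(vault, common=COMMON_PASSWORDS, breach_index=BREACH_INDEX):
    """Return {site: [findings]} with any of 'common', 'short', 'reused', 'exposed'."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)

    findings = {}
    for site, pw in vault.items():
        issues = []
        if pw.lower() in common:
            issues.append("common")
        if len(pw) < MIN_LENGTH:
            issues.append("short")
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if is_exposed(pw, breach_index):
            issues.append("exposed")
        findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT).items():
        print(f"{site:14s} {', '.join(issues) or 'ok'}")
```

Note that the reuse check is the one a manager can do entirely on its own vault; the exposure check is the only one that needs outside data, and the prefix scheme is what lets it ask for that data without disclosing the password or its full hash.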
 
> Great question. Unfortunately, there are other ways than having hands on a device. Hashing passwords from system cookies or saved passwords is one way. Keyloggers on fake websites that people don't know to pay attention to are another. You'd get an email from customerservice@amazon.service.com telling you that your account is about to be suspended if you don't log in with a link in the email; someone who doesn't know better would click on the link and input their username/password.
>
> Some poorly designed websites store your passwords in insecure cookies that would display clear text... and the one I see most often is people just using common weak passwords that would be on a common blacklist and would be the first guess for people to use... passwords like "password" or "1234".
>
> Hope that helps.

I see, thanks for clarifying. I have another question: why is it that we can't seem to get systems that are secure, and instead we have to update constantly? It kinda feels like either a racket to get you to eventually upgrade or these software engineers are incompetent.
 
> I see, thanks for clarifying. I have another question: why is it that we can't seem to get systems that are secure, and instead we have to update constantly? It kinda feels like either a racket to get you to eventually upgrade or these software engineers are incompetent.

Another great question... Security costs lots of money and, because of the ever-evolving risks, it requires constant attention and upgrades, which is why a lot of consumers don't pay attention to it and a lot of enterprises/businesses are static with security for so long.

A lot of companies are also doing what's called Software as a Service and they require you to license EVERY single item, which can end up costing a lot of money. For example, if you buy a firewall piece of hardware, it'll cost about $2500 for a small business unit that comes with nothing else but the firewall feature to build your policies... but if you want antivirus scanning at the firewall, it's a separate license; IPS (Intrusion Prevention Services), updates, etc. all end up costing extra money.

You also have to have the knowledge for all this stuff. Gotta know how to set up firewalls and policies, proper secure access internally, etc. Sometimes the biggest threat to an enterprise is internal, not external.

The other issue with security is vendors/companies can't and won't agree on things because of $$. A prime example is the whole RCS (Rich Communication Services) thing. It's the new protocol that is replacing legacy insecure text messaging on Android devices, which also adds encryption and secure communication similar to iMessage but on Android devices. While Apple has iMessage to be used within their own ecosystem, an iOS user messaging outside the ecosystem to a non-iOS device user would be reverted to legacy insecure text messaging. Apple refuses to implement RCS within their iOS ecosystem to provide their own end users with an additional level of security, because it means that if they do that, then they can't entice people to buy their devices to leverage iMessage.

Cheers
 
I want to add to this post:
With app recommendations above for 2FA, another app I recommend is called "2FAS Auth".

Can be found here:
https://2fas.com/

It works on both iOS and Android, and you can backup to your own cloud such as iCloud or Google drive without needing another account to setup similar to Microsoft Authenticator and Google Authenticator.

For Browsers, Brave browser is great. It's secure and has a lot of functions built in such as trackers blockers, Adblock, and other advanced features. None of the advanced features need to be configured to use the browser, it can be used as is. It also has its own secure encrypted channel to sync your data such as passwords, bookmarks, etc.. across your multiple devices.

It's based on the Chromium project, which is what drives the Google Chrome browser.

Cheers
 